Linked by Thom Holwerda on Mon 25th Sep 2006 15:53 UTC, submitted by Jeff
Privacy, Security, Encryption
Hackers are hitting paydirt in their search for browser bugs. According to Symantec's twice-yearly Internet Security Threat Report, hackers found 47 bugs in Mozilla's open-source browsers and 38 bugs in Internet Explorer during the first six months of this year. That's up significantly from the 17 Mozilla and 25 IE bugs found in the previous six months. Even Apple's Safari browser saw its bugs double, jumping from six in the last half of 2005 to 12 in the first half of 2006. Opera was the only browser tracked by Symantec that saw the number of vulnerabilities decline, but not by much. Opera bugs dropped from nine to seven during the period.
RE[15]: FUD
by sappyvcv on Wed 27th Sep 2006 13:43 UTC in reply to "RE[14]: FUD "
sappyvcv Member since: 2005-07-06

No. You have not pointed out any such thing.

Yes I did. End of conversation.

Score: 1

RE[16]: FUD
by hal2k1 on Wed 27th Sep 2006 22:57 in reply to "RE[15]: FUD "
hal2k1 Member since: 2005-11-11

//Yes I did. End of conversation.//

Pfft. No you didn't. You are like the ostrich with your head in the sand.

Here, try a little experiment for me. Start Windows with no other applications running.

Double click on "My Computer". In the address bar, type in "C:" ... OK? Leave that window open.

Now open up IE. In the address bar, type in "C:" ... OK? Wow, are we seeing double, or what?

Conclusion: IE is embedded into the core of the Windows OS.

Further to that - most vulnerabilities to IE are exposed to attack merely through running the Windows OS. If you are running a browser on Windows (any browser at all) and are accepting data from the web, then you are exposed to vulnerabilities.

Score: 1

RE[17]: FUD
by sappyvcv on Wed 27th Sep 2006 23:42 in reply to "RE[16]: FUD "
sappyvcv Member since: 2005-07-06

First, all that illustrates is that Explorer and IE share some components. What does the "core" mean anyways?

Since you are so dense, let me try to explain it to you in more detail.

Point 1: Read the article. A quote from a security expert on the exploit: "He said the exploit can be mitigated by turning off JavaScript in the browser." This illustrates that the exploit is somewhere within the JavaScript component of IE. JS is available in Windows via the Windows Scripting Host (WSH), which a program has to actively implement to use.

Point 2: IE has components which are included in Windows and usable by third party applications. This includes the rendering engine (mshtml.dll/shdocvw.dll), certain "shell" APIs, the Windows Scripting Host, etc. You must EXPLICITLY include these in your application to be vulnerable to any exploits contained within them.

Point 3: Opera is cross-platform and thus uses only what it needs on the host OS. In the case of Windows, they use very few of these components. I'm pretty sure they use some of the "Shell" APIs (which is a misleading name, because some of the functions are simply file functions).

Point 4: Opera does NOT make use of the Windows Scripting Host (this can be verified through a number of programs such as Dependency Walker), which is where the exploit you linked is contained. It is not implicitly included either. Therefore, simply using Opera does not expose you to this vulnerability.

Do you understand this or should I go into further detail?

Score: 0
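The comment above says the dependency claim can be checked with a tool such as Dependency Walker. As an added example (not part of the original thread), this Python code reads a PE image's static import directory and reports which of the IE components named in Point 2 it links against. The two sample images and the names `build_sample`, `imported_dlls` and `ie_components_used` are constructed for illustration; DLLs loaded only at run time (LoadLibrary, COM activation) never appear in the import table, so this covers only the static part of such a check.

```python
import struct

IE_COMPONENTS = {"mshtml.dll", "shdocvw.dll"}  # named in Point 2; extend as needed

def imported_dlls(pe):
    """Lower-cased DLL names from a PE image's static import directory."""
    nt = struct.unpack_from("<I", pe, 0x3C)[0]                  # e_lfanew
    if pe[:2] != b"MZ" or pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsect, opt_size = struct.unpack_from("<H12xH", pe, nt + 6)  # COFF header fields
    opt = nt + 24                                               # optional header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + {0x10B: 96, 0x20B: 112}[magic]                 # PE32 / PE32+
    imp_rva = struct.unpack_from("<I", pe, dirs + 8)[0]         # data directory 1
    sections = [struct.unpack_from("<4I", pe, opt + opt_size + 40 * i + 8)
                for i in range(nsect)]      # (vsize, va, rawsize, rawptr)

    def off(rva):                           # RVA -> file offset
        for vsize, va, rawsize, rawptr in sections:
            if va <= rva < va + max(vsize, rawsize):
                return rawptr + rva - va
        raise ValueError("RVA outside every section")

    names, pos = [], off(imp_rva) if imp_rva else None
    while pos is not None:
        name_rva = struct.unpack_from("<5I", pe, pos)[3]
        if name_rva == 0:                   # null descriptor ends the table
            break
        start = off(name_rva)
        names.append(pe[start:pe.index(b"\0", start)].decode("ascii").lower())
        pos += 20
    return names

def ie_components_used(pe):
    return sorted(set(imported_dlls(pe)) & IE_COMPONENTS)

def build_sample(dlls):
    # Constructed PE32 image (not a real binary): one section, RVA 0x1000, file offset 0x200.
    table, descs, strings = 20 * (len(dlls) + 1), b"", b""
    for d in dlls:
        descs += struct.pack("<5I", 0, 0, 0, 0x1000 + table + len(strings), 0)
        strings += d.encode() + b"\0"
    body = descs + bytes(20) + strings
    hdr = b"MZ" + bytes(58) + struct.pack("<I", 0x40)
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    hdr += struct.pack("<H", 0x10B) + bytes(102) + struct.pack("<II", 0x1000, table) + bytes(112)
    hdr += b".idata\0\0" + struct.pack("<4I", len(body), 0x1000, len(body), 0x200) + bytes(16)
    return hdr.ljust(0x200, b"\0") + body

EMBEDS_IE = build_sample(["KERNEL32.dll", "SHDOCVW.dll", "MSHTML.dll"])
STANDALONE = build_sample(["KERNEL32.dll", "USER32.dll", "SHELL32.dll"])
if __name__ == "__main__":
    for label, image in (("embeds IE", EMBEDS_IE), ("standalone", STANDALONE)):
        print(label, imported_dlls(image), "->", ie_components_used(image))
```

To inspect a real binary, pass the bytes of the file on disk to `imported_dlls` instead of a constructed sample.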