I picked up this link from slashdot.

As many people have been saying, IE is actually not quite so bad in the broken code dept. Many other browsers are broken too but no one finds or exploits the holes as often because they are not as widespread in use as IE and they are not made by the OSS/Linux communities favorite target MS.

http://www.securityfocus.com/archive/1/378632/2004-10-15/2004-10-21/0

Malformed HTML... yeah... I would expect IE to survive, since it was designed to take into account malformed HTML.

;)

Malformed HTML... yeah... I would expect IE to survive, since it was designed to take into account malformed HTML.

;)
Or it could be argued that IE was designed AROUND malformed HTML.

Malformed HTML... yeah... I would expect IE to survive, since it was designed to take into account malformed HTML.

;)


Doesn't matter what it is. Net result is a bug and any bug can be exploited. The recent mozilla bug that could delete everyfile on your desktop had nothing to do with malformed html but it certainly could be touched off by a bad html page and a typical, uninformed, user.

Programmers are far from perfect and its always been kinda funny to me that people don't realize that. Even QA processes don't catch everything. Articles like this just illustrate that open source programmers are not some sort of god like exception to the rule that humans make mistakes.

Articles like this just illustrate that open source programmers are not some sort of god like exception to the rule that humans make mistakes.

The difference, of course, is that bugs tend to be found and dealt with far more quickly in an open-source environment.

The difference, of course, is that bugs tend to be found and dealt with far more quickly in an open-source environment.

I would love to see proof that backs this up on any major open source project. There are known bugs in many of the larger projects that have taken quite some time to patch.

As a matter of fact, there was a blog that talked about the mozilla bug I mentioned and the shortcomings of bug reporting, tracking, and resolution in open source projects.

Don't give me the "you could fix the code yourself with open source" answer. For any product of a significant size that you wouldn't write in house, there is no way a less than an expert programmer would have any significant chance of quickly fixing a bug in someone elses ten or even hundreds of thousands of lines off code. Most bug fixes come from a core team of developers that work on the project.

The time to fix a bug is sometimes necessarily long because it is development and bug fixes follow a life cycle just like everything else in software dev. If you rush out a bug fix, you could introduce more bugs and wind up with even more egg on your face.

---------------------------------

I should add, I am not defending MS. I am only pointing out that OSS is not the magic bug free, cost free, super secure product its many zealots advertise it to be. Hows the saying go "I love Linux. Its fan club is what I have a problem with."

yeah, gotta agree with tony there. just from applications we build in house, sometimes you'll find a bug, that although appearing minor, may be hard to fix depending on how the code was structured and other related items in the application. it is definitely not all that easy sometimes to make a "quick" change.

as for IE being design around "malformed" code or just dealing with it well, who knows. one thing i do know is that the browsers that force strict W3C standards implementation and XHTML support etc. will loose the browser war if they enforce those things too soon. the Web is comprised of far too many little personal sites and poorly coded sites for that to be the standard. that already is probably a large factor (besides IE being a microsoft product and being installed with your OS) as to why IE is the most popular since netscape, for example, can seriously butcher the rendering of a page if the code hasn't been done well. the general public outside of the development world doesn't really care about the details, just that the page renders ok. the wyswyg editors will have to get much better at creating code before the browsers can get much more strict.

I would love to see proof that backs this up on any major open source project. There are known bugs in many of the larger projects that have taken quite some time to patch.

Would you settle for a paper on the subject (http://arxiv.org/abs/cond-mat/0306511)?

Gee guys, I'd chime in but they don't make IE for the Mac any more. But safari has come a long way :)

as for IE being design around "malformed" code or just dealing with it well, who knows. one thing i do know is that the browsers that force strict W3C standards implementation and XHTML support etc. will loose the browser war if they enforce those things too soon. the Web is comprised of far too many little personal sites and poorly coded sites for that to be the standard.

The Browser War? Wow, flashback to the 90's. heh.
Regardless, it is not up to the browsers to be a crutch for lazy developers.
Browsers should render strictly according to the standard(inasmuch as that is possible, since the specs can be ....let's be polite and say "vague", heh.)
If developers want their pages to work, they can either conform to the standard or die off.
Personally, I'd hope they die off, but hey, if they want to adapt, that'd be ok, as well.

-ajb

Gee guys, I'd chime in but they don't make IE for the Mac any more. But safari has come a long way :)
But when they did, it rocked.
heh.
-ajb

I should add, I am not defending MS. I am only pointing out that OSS is not the magic bug free, cost free, super secure product its many zealots advertise it to be. Hows the saying go "I love Linux. Its fan club is what I have a problem with."
Zealots of any kind are annoying.
I prefer evangelists.
-ajb

Anyone who says open-source is more secure or costs less than closed-source is delusional.

Open-source tends to be more secure these days through obscurity. Once Firefox has a substantial userbase, watch as the exploits begin to fly. But I do agree with the paper concerning the resolution of bugs. The difference is that with closed-source, the need to resolve all bugs in a timely manner is not critical. Only bugs that cause a loss of revenue are important, the rest can be ignored.

But when they did, it rocked.
heh.
-ajb

By far the best.

But that was then...

Open sore is good in theory. Time will tell.

Call me an optimist but I hope it works out.

By far the best.

But that was then...

Open sore is good in theory. Time will tell.

Call me an optimist but I hope it works out.

Like all things, pick the one that best fits your business case.
Be it Free, commercial, BSD licensed, whatever.

-ajb

The latest builds of Firefox have fixed the malformed HTML crash bug.

https://bugzilla.mozilla.org/show_bug.cgi?id=264956

I picked up this link from slashdot.

As many people have been saying, IE is actually not quite so bad in the broken code dept. Many other browsers are broken too but no one finds or exploits the holes as often because they are not as widespread in use as IE and they are not made by the OSS/Linux communities favorite target MS.

http://www.securityfocus.com/archive/1/378632/2004-10-15/2004-10-21/0

:confused: :english: haha im so do not know computers

Hey look, a bug fix for Firefox.

Give it its due.

Hey look, a bug fix for Firefox.

Give it its due.
Hey ... it only took days and not months. :p