[funsec] Microsoft issues IE update to get around the Eolas patent

Matthew Murphy mattmurphy at kc.rr.com
Wed Mar 1 03:24:10 CST 2006


-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Nick FitzGerald wrote:
> Dude VanWinkle to Richard M. Smith:
> 
>>> I wonder how many Web sites this Microsoft patch will break.......
> 
> Well, they don't outright break -- unless I misunderstood something, 
> the user simply has to click the control an extra time before they can 
> _directly interact_ (including via script embedded in the page) with 
> the control, but (initial) dynamic content played or displayed by the 
> control will still activate.

Script embedded with the web page still works.  The only combination of
things that breaks is:

1. A control that requires explicit *USER* action (i.e. keyboard/mouse
input).

2. Said control is instantiated directly from page content (APPLET,
EMBED, OBJECT, etc.)

>>> After you install this update, you cannot interact with ActiveX controls
>>> from certain Web pages until these controls are enabled. To enable an
>>> ActiveX control, manually click the control.
>> I wonder how much spyware this will prevent from being installed?
> 
> It will have the _opposite_ effect.

I agree, but for a different reason.

> To get around the user having to manually "activate" the control by 
> clicking it, web authors can ensure that the control is "dynamically 
> instantiated" (my term), and thus immediately activated, via script, 
> rather than being "passively" instantiated the old (aka "infringing") 
> way (i.e. via APPLET, EMBED or OBJECT tags in the main page -- this is 
> effectively what the patent rules out), thus requiring "activation".
> 
> What all that means is that web authors will, and rather quickly I 
> suspect, move to this new construction to get their ActiveX controls 
> enabled and so the pressure on browser users to move back to having 
> MORE script-enabled sites or even more script-enabled security domains 
> in IE will increase, so we will see MORE script-based silliness, 
> including compromises and the like.

Not really true.  Most users who have active script disabled also
disable or severely cripple ActiveX.  Also, many uses of
ActiveX/Java/plug-ins/etc. require script to function in the first
place.  A world without script is a world without (much) ActiveX.  This
will only further cement that.

The only thing I see happening is that this becomes yet another reason
why IE users have to click through something and becomes one more
desensitization to security-related prompting.

> This move is even more reason to abandon IE totally.

I wholly disagree.  You won't hear me support Microsoft very often, but
I think it has every right to develop the technology and that Eolas has
no claim to it, whatsoever.  I think this case illustrates why
software patents are a horrible concept and should be done away with.

> MS should have taken its loss in the Eolas patent case, combined it 
> with Billy Boy's previous, well-publicized insistence that security is 
> now really more important than functionality, and used that as the 
> raison d'etre for finally killing its shitty pile of security holes 
> that passes with some as a miserable excuse for a web browser.

I'm sorry... but that's ridiculous.

*Every major browser on the planet* infringes upon this patent.
Firefox, Mozilla, Netscape, Opera, IE, Safari... all infringe on this
patent.  Why?  Because they use the same plug-in loading technology in
some form or another.

Java applets are an example of that which is fairly portable across
browsers and other examples include media handling plug-ins for
Quicktime, Windows Media, etc.

The only reason Microsoft is dodging this patent is because the patent
holder has a personal grudge against the *big bad monopoly* at Microsoft
and decided to only sue Microsoft.  According to other reports, Eolas
lawyers are also harassing other browser developers about licensing
after the Microsoft verdict.

For the survivability of the web, this patent NEEDS to be shot down as
the invalid claim that it is.

> It didn't, so we have yet more evidence that, despite Billy Boy's 
> publicly released memo, security is really only more important at MS 
> now if it's _wholly convenient_ for it to be more important.  In other 
> words, despite all the grandstanding in the media, actually very little 
> has changed at MS viz security...

I agree with your assessment of security at MS (it's still on a
convenience only basis) but I don't see how this example illustrates that.

More security is only meaningful if people will use it.  Voluntarily
wiping out plug-in functionality would be a suicidal effort and a total
failure that would not accomplish anything on the security front.

- --
"Social Darwinism: Try to make something idiot-proof,
nature will provide you with a better idiot."

                                -- Michael Holstein

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32)
Comment: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xB5444D38

iD8DBQFEBWg6fp4vUrVETTgRAxCuAJ9uBrlcyT3zup8+NKSl+tECYN7rEQCfUzRv
4DOW1iLYPoMcBvlmlgC5FkA=
=fUdm
-----END PGP SIGNATURE-----
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3436 bytes
Desc: S/MIME Cryptographic Signature
Url : http://linuxbox.org/pipermail/funsec/attachments/20060301/35747be7/smime-0001.bin
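The distinction the thread turns on, a control placed in the page with an APPLET, EMBED or OBJECT tag ("passive" instantiation, which the updated IE makes the user click to activate) versus a control written into the page by script (immediately active), is something a site reviewer may want to measure. The helper below is an added example, not code from the original post, from Nick FitzGerald, or from Microsoft: it takes an HTML document and reports which control tags the browser would parse directly, which ones an inline script would write, and which external script files it could not inspect. The regular-expression heuristics, the sample pages, the placeholder CLSID and the file name `activate.js` are all assumptions constructed for this example.

```javascript
// Added example (not from the funsec thread): classify plug-in instantiations
// in an HTML page the way the post-update IE behaviour described in the
// thread treats them. Heuristics and sample data are assumptions.

function classifyControls(html) {
  const scriptBlock = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  const controlTag = /<(applet|embed|object)\b[^>]*>/gi;
  const srcAttr = /\bsrc\s*=\s*["']([^"']+)["']/i;
  // Idioms commonly used to build a control from script instead of markup.
  const dynamicHint = /document\.write(ln)?\s*\(|\.innerHTML\s*=|createElement\s*\(\s*["'](applet|embed|object)["']/i;
  const createCall = /createElement\s*\(\s*["'](applet|embed|object)["']/gi;

  const result = { passive: [], dynamic: [], externalScripts: [] };

  // Pull script blocks out first, so a tag sitting inside a document.write
  // string is not mistaken for markup that the browser parses directly.
  const markupOnly = html.replace(scriptBlock, (whole, attrs, body) => {
    const src = attrs.match(srcAttr);
    if (src) {
      // The external file is not available here; record it for manual
      // review, since that is where script-driven instantiation usually lives.
      result.externalScripts.push(src[1]);
    } else if (dynamicHint.test(body)) {
      // Tag names the inline script would write or create.
      for (const m of body.matchAll(controlTag)) result.dynamic.push(m[1].toLowerCase());
      for (const m of body.matchAll(createCall)) result.dynamic.push(m[1].toLowerCase());
    }
    return ' ';
  });

  // Whatever control tags remain were parsed straight from the page:
  // these are the ones that now need a click before the user can interact.
  for (const m of markupOnly.matchAll(controlTag)) result.passive.push(m[1].toLowerCase());
  return result;
}

// Constructed sample pages (not real sites); the CLSID is a placeholder.
const PASSIVE_PAGE = `
<html><body>
<object classid="clsid:00000000-PLACEHOLDER-0000" width="300" height="200">
  <param name="autoplay" value="true">
</object>
<embed src="clip.mov" type="video/quicktime">
</body></html>`;

const DYNAMIC_PAGE = `
<html><body>
<script type="text/javascript">
  document.write('<object classid="clsid:00000000-PLACEHOLDER-0000" width="300" height="200"></object>');
</script>
<script type="text/javascript" src="activate.js"></script>
</body></html>`;

for (const [name, page] of [['passive page', PASSIVE_PAGE], ['dynamic page', DYNAMIC_PAGE]]) {
  console.log(name, JSON.stringify(classifyControls(page)));
}
```

Run against a site's templates, a non-empty `dynamic` list (or a long `externalScripts` list that still needs reading) is the pattern the thread predicts will spread; the `passive` list is what users will now have to click through.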
