[funsec] Texas Bank Dumps Antivirus for Whitelisting
Richard M. Smith
rms at computerbytesman.com
Thu Jul 17 18:22:53 CDT 2008
The reason that companies use IE for system utilities like Windows Update
is that HTML is a relatively easy way to build a user interface for these
kinds of applications.

It's unfortunate that Microsoft didn't provide an HTML engine for these
applications which wasn't a full-blown Web browser. Add/remove programs in
Windows is an example of building an application using HTML, CSS,
JavaScript, and ActiveX controls which hasn't introduced security problems
in IE.

JavaScript, plugins, and file associations have their place on the Web.
Without them, we wouldn't have things like Acrobat reader, Web-based email
clients, Google Maps, YouTube, etc.

Richard

From: Jeff Kell [mailto:jeff-kell at utc.edu]
Sent: Thursday, July 17, 2008 7:02 PM
To: Richard M. Smith
Cc: funsec at linuxbox.org
Subject: Re: [funsec] Texas Bank Dumps Antivirus for Whitelisting

Richard M. Smith wrote:
So under HA, a Web browser can only show ASCII text files. After all, HTML
itself is a programming language with intermingled code (i.e., HTML tags) and
data ("text").

Well, it's not *that* bad. HTML tags and other markup that affects the
layout is fine. Tables, forms, queries, etc. are all fine. That just
affects what goes into the browser window.

It's not the browser itself that broke things, it was JavaScript, plugins,
and automatically executed externals (file associations).

The abomination from hell is IE, where you use your browser to *UPDATE YOUR
OPERATING SYSTEM*.

Jeff