On 12/29/05, Bill McGonigle <[EMAIL PROTECTED]> wrote:
> catastrophic bug.  Guess which one has a zero-day exploit today for the
> same thing that was supposedly patched in the past few months?
 
  Oh!  Oh!  I Know!  FIREFOX!
 
http://www.frsirt.com/exploits/20051212.fireburn.php
http://www.eweek.com/article2/0,1759,1814056,00.asp
http://www.theregister.co.uk/2005/05/09/firefox_0day_exploit/
 
   ... < Insert list here > ...
 
  Exploits are going to happen.  They're in the nature of C and C++.  Anytime you have data intermingled with executable code, it can and will happen.  And until someone redesigns compilers, and it manages to get accepted by the masses, they will be around.  Having the source makes it easier to *FIX* the obscure exploits.  Over the years, I've come to the belief that the argument that it's more secure because more eyes can look at it is utter poo, because the software changes over time.  People DON'T spend their time going through a several-month audit and finding each and every exploit.  They find the ones that cause them problems in the manner that they use the software.  Not many actually sit back and say 'Well, what happens if my URL is a BEEEEEELion characters long?  Ok, it's fine with that many.  OH SHEEEET!  Someone used a BEEEEEEEELION and *ONE*!??!?!!  Poo!'  I'm not saying no one cares, I'm saying, software, because of the way all of this evolved, is going to have exploits.  Period.  Open source has the advantage that ANYONE can fix it.  But saying that the exploit just doesn't happen because it's open source is just silly.
 
> And then we have the Mozilla/VMWare Browser Appliance, a totally
> tangential approach:
>    http://blog.bfccomputing.com/index.php?p=100
 
  Man that seems like overkill.  It's a hell of a lot safer than driving with no underwear, but the overhead of an entire virtual machine seems..  Well, if the steel underpants weigh 50 pounds, I'm thinkin maybe it IS safe enough to just wear tighty whiteys and risk getting shot in the ass..  ;-)
 
  Thomas
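The "a billion and one characters" point above is the classic off-by-one boundary: a length check that accepts an input of exactly the buffer size leaves no room for the terminating NUL. The following is an added example, not code from this thread or from any of the projects named in it; the buffer size `URL_BUF` and the function names are hypothetical. It places the off-by-one length check next to the correct one and shows a bounded copy that rejects input at the boundary rather than writing past it.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical fixed-size buffer for a URL, including the terminating NUL. */
#define URL_BUF 64

/* Bounded length: counts at most `limit` bytes so an unterminated or huge
 * input cannot make us scan forever. */
static size_t bounded_len(const char *s, size_t limit) {
    size_t n = 0;
    while (n < limit && s[n] != '\0')
        n++;
    return n;
}

/* The off-by-one check: a string of exactly URL_BUF bytes is accepted,
 * but URL_BUF bytes plus the '\0' terminator is URL_BUF + 1 bytes, one
 * more than the buffer holds.  "It's fine with that many" ... until it isn't. */
static bool url_fits_buggy(size_t len) {
    return len <= URL_BUF;
}

/* Correct check: the payload must leave room for the terminator. */
static bool url_fits(size_t len) {
    return len < URL_BUF;
}

/* Copy `url` into a URL_BUF-sized buffer only if it fits with its terminator.
 * Returns 0 on success, -1 if the input is rejected (nothing is written then). */
int copy_url(char dst[URL_BUF], const char *url) {
    /* Scan one byte past the limit so "exactly too long" is distinguishable. */
    size_t len = bounded_len(url, URL_BUF + 1);
    if (!url_fits(len))
        return -1;
    memcpy(dst, url, len);
    dst[len] = '\0';
    return 0;
}
```

The test for any length check is the pair of inputs at the edge: one of size N-1 (must pass) and one of size N (must fail); the buggy comparison passes both, and the failure is invisible until someone sends the extra byte.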
