Browser differences
2002-03-21 17:26:23+00 by Dan Lyke 24 comments
2002-03-21 17:26:23+00 by Dan Lyke 24 comments
comments in ascending chronological order (reverse):
#Comment made: 2002-03-21 17:36:33+00 by: TheSHAD0W
Interesting. I'm using Mozilla, and I see the elephant.
#Comment made: 2002-03-21 18:08:43+00 by: Dan Lyke
You can view the image to see what they're doing, and it's just a matter of whether a 50% scale gets the odd or even rows. It kind of blows me away that every browser is using point sampling, and not even doing linear interpolation on the scaling, but I suppose there's no real reason to make that code work really well 'cause asking a browser to scale an image is kind of a silly idea anyway.
#Comment made: 2002-03-21 18:14:37+00 by: Shawn
Same here. I'm using Mozilla 0.9.9 and I'm seeing half cow, half elephant. The image is split right down the center.
#Comment made: 2002-03-21 18:17:10+00 by: Shawn
well 'cause asking a browser to scale an image is kind of a silly idea anyway.
Well... um... yeah. I've never allowed the browser to scale images on it's own for my web pages. It'll display the image in the size I give it, by golly. (Letting the browser do it is just plain sloppy.)
#Comment made: 2002-03-21 18:55:36+00 by: Jerry Kindall
That cow/elephant one looks really weird in IE/Mac.
#Comment made: 2002-03-21 19:24:59+00 by: other_todd
I am more annoyed by the second example. Differences between IE and Netscape in table handling are one of my betes noires. Nobody in their right mind lets the browser scale images anyway, as has been already pointed out.
#Comment made: 2002-03-21 22:22:38+00 by: Shawn
Huh? What does the table have to do with anything [in the second example]?
#Comment made: 2002-03-21 22:31:58+00 by: Dan Lyke
Yeah, both of those are strictly based on image resampling techniques. It's cool to hear that later versions of Mozilla (and maybe IE/Mac?) are actually doing some more intelligent image scaling.
#Comment made: 2002-03-21 22:51:43+00 by: Shawn
What's scaring me most is the second link you provided, Dan. At first, I thought it was broken because nothing came up when I tried to open it in Mozilla under Linux. But now that I've tried it in IE...
Right now my boss is calling his buddies at MS to say "um, what the hell...?!" (He worked on the NT debugger team for about 7 years.)
#Comment made: 2002-03-21 23:04:51+00 by: Dan Lyke
That was first provided to me with C:\WINDOWS\UNINST.EXE in the appropriate place. What's also scary about that is the problem we've seen manifested at so many web sites: That IE ignores (or at least plays fast and loose with) Content-Type. It just floors me that this far into the 'net age, after this many generations of Windows, those sorts of security holes are still around. Of course given that web services run over HTTP because "other ports are often firewalled" I guess we can expect no more.
#Comment made: 2002-03-21 23:25:13+00 by: Shawn
My boss is frequently telling me how F*'d up the MSN/IE people were/are. He says those groups are full of too many y'know-what-would-be-really-cool and marketing gee-whiz types, and not enough people who think things through.
#Comment made: 2002-03-21 23:39:44+00 by: Shawn [edit history]
Y'know, on closer inspection this (calc.jpg) looks to be two completely unrelated - and independent - exploits. The link doesn't have to be a JPG - it could just as easily be a regular HTML file (which is, in fact, what it is - no hiding). And the Content-Type issue should allow me to execute files from remote locations (as opposed to just on the local client).
Hmmm... I think I may have to engage in some proof-of-concept experiments...
Internally, of course.
#Comment made: 2002-03-21 23:39:58+00 by: Dori
Using IE 5.1.3/Mac OS X, the first link showed a jumbled image, and the second link gave me a broken image icon.
Using IE 6/Windows, the first link showed me a dead elephant, and the second link popped up the calculator.
Conclusion: the problem isn't MS or IE, the problem is choosing a monoculture. Don't use a browser shipped by the same folks that produce your OS. It's the best way to avoid email virii, too.
#Comment made: 2002-03-21 23:42:29+00 by: Shawn
The problem is still MS/IE. One shouldn't be forced to choose an alternate product in order to be safe. You can still choose alternate products, but you shouldn't have to.
#Comment made: 2002-03-22 00:49:35+00 by: Dan Lyke
There is some truth to the monoculture argument. The Morris worm was a classic case of monoculture. But Microsoft does deserve particular brickbats for the notion of Active-X, which has at its core a notion of inherently flawed security. It's one thing to have a pickable lock, it's quite another to put a good deadbolt on the screen door.
So, yeah, pick one of the non-market leaders wherever possible. This encourages diversity (perhaps the most important) and protects you from the big exploits. But don't accept monoculture as an excuse for stupidity.
#Comment made: 2002-03-22 02:25:53+00 by: concept14
For what it's worth, Opera 4 in Windows shows the elephant -- same as IE!
#Comment made: 2002-03-22 10:22:52+00 by: canis
The exploit in the 2nd example has been doing the rounds for a while, I believe (a cursory glance at the source looked very similar to the one I saw previously, but it might be using some subtle variation). I'll try and remember to dig out the original URL later, with full explanation.While it certainly has the potential to be annoying, I don't think it's particularly dangerous, because there doesn't seem to be a way to include command-line parameters, and you can't arrange for an executable of your own to be in a known place on their machine either (it's easy enough to get one on their machine -- img src=blah.exe -- but the cache isn't a normal/predictable part of the file system so you can't point the exploit at it). So unless there's a particularly dangerous program already on user's drives at a known location that doesn't require any command-line parameters or user confirmation it's limited to just popping up lots of desktop apps. Which is still breathtakingly moronic, but hey, as Dan points out: ActiveX! Duh!
#Comment made: 2002-03-22 10:25:58+00 by: canis
Oh! And I forgot to mention, you can embed it in email messages; I sent a test mail to my work account (Outlook, *ugh*) from my home account (pine) and opening the email launched the app I'd specified. That's special.#Comment made: 2002-03-22 17:03:57+00 by: other_todd
Shawn, Dan: I goofed; for the second browser difference example I saw those two images side by side in a table and I didn't bother to read the source closely - or examine the image alone, like I immediately did for the first example. I jumped to conclusions because I have been burned so many times in trying to get tables to lay out multiple images in even remotely similar ways between Netscape and IE. Sorry about that.
#Comment made: 2002-03-22 17:05:25+00 by: TheSHAD0W
> I don't think it's particularly dangerous, because there doesn't seem to be > a way to include command-line parameters, and you can't arrange for an > executable of your own to be in a known place on their machine either
Heh. What about, say, IIS?
#Comment made: 2002-03-22 17:09:56+00 by: other_todd
By the by, this Magnus Bodin fellow has a number of very interesting ways to waste time. (This is generally true of people who know about Raymond Queneau.)
#Comment made: 2002-03-22 18:12:13+00 by: Shawn
canis, my boss and I have been experimenting with this and you appear to be correct - we haven't found a way to pass parameters. I've got to believe that there is a way though - somehow. And if there is, then you can use the client's own ftp program to place your own exe on the machine. I know some guys at my last job who were experimenting with this angle using unsecured MS SQL Servers (which apparently can be found on a lot of tech professionals' personal machines. Our own network administrator, for example, had a SQL Server running on his desktop with the default administrator password still in place - and his was the machine they were using to conduct their experiments ;-).
#Comment made: 2002-03-23 00:03:26+00 by: Dori
Re ActiveX: it's the same monoculture thing. To the best of my knowledge, you only have to deal with ActiveX if you're talking about a MS browser on an MS OS.
Stop using apps from your OS vendor, and ActiveX is no longer an issue.
#Comment made: 2002-03-23 00:41:58+00 by: Larry Burton
Dori, you know that and I know that and probably everyone that reads and comments on Flutterby knows that but if I try to explain that to any of my customers one of their managers will whip out a PowerPoint presentation after I'm gone explaining the strategic business advantage of using a common vendor who is uniquely qualified to tightly integrate their desktop products with the OS.