Crusher said:
So does Windows Media player, but if there's a bug or security hole in that, it's still ridiculous to blame the operating system for the application's fault.
Media player isn't integrated into the OS, whereas Internet Explorer is. When you browse files via 'My Computer' you are using an IE shell to do so, when you hit F1 for help the chances are you are using an IE shell to do so etc. etc. If Microsoft can argue in court that they should be allowed to bundle IE with Windows because it's an essential part of the OS then surely they should also take responsibility for it, too?
JScript is hardly restricted to web browser use, and you can freely use it on your computer along with the Windows Scripting Host to run any kind of arbitrary code you wish.
JScript run via the WSH has different permissions than when run within a browser in the same way that a Java Applet has restricted permissions compared to a full Java app. What it can do outside of the sandbox is irrelevant to this discussion, the problem is what happens within IE.
It's under the custom level security settings in the internet options, I'm not sure how much more straightforward it can be. Considering it's a security setting, and disabling it is a custom option (not default), and it's an internet option, it seems to me like a perfectly logical place to put it. Perhaps you would rather have a big shiny candy apple red button on the toolbar?
Don't try and patronise me. My point is most users do not have a clue where it is - I know this from experience given that I work as a web developer and have yet to meet a single client who knows where to start looking if you ask them to disable JavaScript.
Let's look at the actual steps needed in IE to disable scripting:
Go to the Tools menu then select Internet Options
Then select the Security tab
Then click Custom Level
Then scroll down past tons of options until you find something called 'active scripting' (no mention of JavaScript, which is what most people would be looking for) and then check a radio button.
You call that intuitive UI design? I can do the same thing in Opera by pressing F12 and ticking a box (hell, in Opera I can make a big red shiny button to do it, too, if I want).
Good websites do not require it for functionality, and offer safe (if somewhat less convenient) alternatives.
That may well be true but the actual reality is that the majority of dynamic websites actually require JavaScript for some or all of their functionality. Sticking your head in the sand won't make it not true. Having to manually go through the steps listed above for every website you visit, on a case by case basis, is a ridiculous thing to expect a user to do simply because there are security holes in your product!
And if you want to run IE and browse websites with security exploits you have to actively launch the program and navigate to those sites. I don't think there's a huge difference in effort here on the part of the user, nor is there any less blame you can attribute to them. Using IE is a choice, not a mandatory sentence.
Again you ignore reality where 90+% of people who use Windows will use IE because it's there already. A large percentage don't even know that there are other products available. You can blame consumer ignorance if you like but this is a situation actively sought after by Microsoft when they decided to use "brute force" to "win" the browser wars. They therefore have a duty to protect people who use the product they pushed so effectively.
First, the ECMAScript specification does not in any way prevent buffer overrun exploits in an implementation.
I'm sure the implementation doesn't encourage it, either. If a buffer overflow prevents a core feature from working then the particular implementation of the language is, by default, broken.
Second, IE and Windows do not (natively) support ECMAScript, they support JScript, which is not ECMAScript compliant.
Firefox doesn't support ECMAScript, either. It implements a proprietary version of JavaScript that is, more-or-less, ECMA compliant.
I stopped using IE regularly a long time ago, and I never have any issues with the security holes in it, yet I still use Windows. If this was an OS issue, would I not be experiencing some of the effects of all these IE exploits?
Whether you get 'hit' by a security issue is dependent on your usage of the OS. There may be an exploit if you use, for example, print services. However, if you never use a printer then you won't get hit by it. That doesn't mean the exploit isn't there.