On Wed, Jun 4, 2008 at 6:57 PM, Ed Leafe <[EMAIL PROTECTED]> wrote:
>
> I don't see anything here that is any different than the browsers
> themselves, or most any other software, for that matter.
>

Interesting that you don't. I think the browser runtime rendering engine is pretty well-known and pretty documented. The folks who designed Java thought long and hard about how to keep it in a sandbox. The other runtimes and scripting languages: Flash, Flex, JavaScript and probably the Microsoft ones, too, have not yet proven to be as well thought-out. So, I'm not inclined to download executables if I can't know what they're doing.

It's not the Flash player I'm as worried about, as the content that runs within it. I run Flash when the source is more trustworthy. I disable it for untrusted pages and nearly always for ad networks. When I download an app from a well-known, well-reputed source, I have some confidence that it's been reviewed and does what it's intended to do. That's not the same thing as letting random videos start playing on a web site I'm visiting when I can't determine if their payload also includes some scripts. Documents with scripts are less easy to trust, whether that's Word documents with macros or HTML Help files or PDFs with embedded JavaScript.

> So that I'm clear on what you're saying: whenever an exploit is
> found, you refuse to ever use that product?

Well, that would pretty much eliminate computing from my life, wouldn't it? No reductio ad absurdum here. All products have flaws, and security is a risk management process, not a black-and-white feature. I minimize my use and exercise caution in using products that may be more harmful than the typical ones: no Vista, minimal Windows, NoScript plugin in Firefox, etc.

You wouldn't consider running an .exe in Windows sent to you by a stranger. Why should it be any different because it claims to be a media file?

--
Ted Roche
Ted Roche & Associates, LLC
http://www.tedroche.com

