A big “d’oh,” maybe

It seems like only last week that I was whining that browsers were disintegrating like so many smashed plates at a Greek wedding. Oh yes, it was only last week.

Well it looks as if some of this may not be a unique personal experience but is caused by a vulnerability in IE. Microsoft’s Security Advisory describes the flaw they’ve just found. The way it seems to operate sounds uncannily like what’s happened to my browser in IE.

The vulnerability exists as an invalid pointer reference in the data binding function of Internet Explorer. When data binding is enabled (which is the default state), it is possible under certain conditions for an object to be released without updating the array length, leaving the potential to access the deleted object’s memory space. This can cause Internet Explorer to exit unexpectedly, in a state that is exploitable. (from Microsoft’s Technet)

“invalid pointer reference in the data binding function.” I understand all the words individually but I got lost as soon as I tried to understand them when they are linked together.

But, causing IE to “exit unexpectedly”. That sounds like what IE has been doing randomly for weeks. Often failing to release the memory that it was using – which I don’t find out until too late. I didn’t really consider that it might be a new form of browser attack. How naive is that? D’oh.
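The pattern the advisory quoted above describes, an object released while the array still counts it, shown as an added C sketch that is not from this post or from Microsoft. The names `BindingArray`, `Obj`, `pool`, `release_buggy`, `release_fixed` and `stale_slots` are hypothetical, and a fixed pool with a `live` flag stands in for the real heap.

```c
#include <stdio.h>
#include <string.h>
/* Constructed model of the bug class; not Internet Explorer code.
 * "Freeing" an object only clears its live flag in a fixed pool, so
 * stale slots can be inspected without reading real freed memory. */
#define MAX_OBJS 8
typedef struct { int live; } Obj;
typedef struct { Obj *items[MAX_OBJS]; int length; } BindingArray;
static Obj pool[MAX_OBJS];

static void array_init(BindingArray *a, int n) {
    memset(pool, 0, sizeof pool);
    memset(a, 0, sizeof *a);
    a->length = n;
    for (int i = 0; i < n; i++) {
        pool[i].live = 1;
        a->items[i] = &pool[i];
    }
}

/* Flawed release: object is gone, slot and length still claim it. */
static void release_buggy(BindingArray *a, int idx) {
    a->items[idx]->live = 0;
}

/* Corrected release: drop the object, close the gap, shrink length. */
static void release_fixed(BindingArray *a, int idx) {
    a->items[idx]->live = 0;
    for (int i = idx; i < a->length - 1; i++)
        a->items[i] = a->items[i + 1];
    a->items[--a->length] = NULL;
}

/* Slots inside `length` that still point at a released object: each
 * is where later code would touch the deleted object's memory. */
static int stale_slots(const BindingArray *a) {
    int n = 0;
    for (int i = 0; i < a->length; i++)
        if (a->items[i] && !a->items[i]->live) n++;
    return n;
}

int main(void) {
    BindingArray a;
    array_init(&a, 4); release_buggy(&a, 1);
    printf("buggy: length=%d stale=%d\n", a.length, stale_slots(&a));
    array_init(&a, 4); release_fixed(&a, 1);
    printf("fixed: length=%d stale=%d\n", a.length, stale_slots(&a));
    return 0;
}
```

In a real program the stale slot would point at memory the allocator may already have handed to something else, which is why the crash is unpredictable.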

Not that that’s any excuse for Firefox. But I’m not convinced that FF is so magically free from being affected by the same attack attempts, that it won’t crash and die when it bumps into them, even if it doesn’t let an intruder in. In any case, I only ever use IE when Firefox has decided to commit suicide a few times.

I know that using Linux would mean that attacks like this would never work but it’s not completely intrusion-proof. This PC is pretty well on its last legs, as it is. It’s a few more bad reads away from hard disk failure, anyway. (And that’s in the not-completely “legacy” disk drive, not the really old disks that are also still in it.) The graphics card should be in the “Museum of graphics cards that were state of the art in 2003”. If I change its OS, my software won’t work, I’ll lose all my passwords, the cable connections will have to be reset and so on. When I’m forced to get a new PC, it will use Linux, but until then, no.

The Microsoft Technet page warns site owners that SQL injection attacks might turn their sites into unwitting distributors for the malcode and directs worried site owners to scrawlr, a free HP tool that is supposed to check your site for SQL injection code. Every site that uses something like PHP is fair game for that.

So it sounds like a plan and the scrawlr page has a good cartoon. But I end up far from convinced there’s any value in downloading scrawlr, after reading the comments. Like this one from leon:

The comic is xkcd
The tool is useless, scrawl is entirely unable to detect even the simplest vulnerabilities, I went as far as pasting an example injection into the url bar and it okayed that!!! I also have an intentionally vulnerable site with local only access that we are using to configure our new IDS and it didn’t find a thing… seriously, if you take anything away from this, let it be the comic.

(That link is to the comic, in general. The scrawlr page has the relevant cartoon.)

MarkH says:

Doesn’t support POST forms or Javascript. In other words, this demo tool can’t actually test anything that any web developer would have written since, oh, say 2001.
Epic fail.

Doesn’t let you check POST forms? 🙂 I think I’ll pass, then.

A report on the BBC’s tech page had a “security expert” saying “don’t use IE” and Microsoft – unsurprisingly – warning against that particular course of action. 🙂

As many as 10,000 websites have been compromised since the vulnerability was discovered, he said.
“What we’ve seen from the exploit so far is it stealing game passwords, but it’s inevitable that it will be adapted by criminals,” he said. “It’s just a question of modifying the payload the trojan installs.” (from the BBC)

As soon as “security experts” start talking up threats, I tend not to believe them. 10,000 websites sounds as unconvincing as the UK government’s “30 terror plots.” And so far the exploit has stolen game passwords. Hmm. Hardly a cause to panic about your e-bay sales or your online banking, then. Do you care if you find yourself playing World of Warcraft alongside an unaccredited troll?

Still, Microsoft’s idea of advice doesn’t inspire much confidence, either.

Microsoft urged people to be vigilant while it investigated and prepared an emergency patch to resolve it.

How exactly am I supposed to be vigilant? I could try to check every invalid pointer reference in the data binding function, could I? Even if this wasn’t so far over my head that I could call it an “umbrella”, IE would have to become Open Source before I could even hope to identify the databinding function.

I thought I’d already pushed the intrusion detection boat out by running Ethereal and Snort whenever I feel mildly obsessive. (And they piss me off because half the transactions that my computer indulges in can’t be fathomed anyway. So I stick to using them for purposes like getting my passwords off the traffic stream, in plain text, which is surprisingly helpful when I’ve forgotten them but annoys me all the same. Why on earth have passwords that are hidden from the bloody user by asterisks but easily readable by anyone with a packet-sniffer? Cue another rant.)

This “data-binding function” of IE needs a whole new set of skills that I really don’t believe would hold much entertainment value. So I don’t intend to get them. And “invalid pointers”? Can Microsoft or someone direct me to the Girl’s Big Book of Valid Pointers so I can be properly “vigilant”?

Browsers found to be made from china

A suspicion has arisen that all standard browsers are made of china*. Bone china. I.e. as fragile as Wedgwood tea service.

The evidence is that it seems impossible to click on any given link without one browser or another falling over.

Each browser self-destructs in its own way. Each has its own list of unfavourites, with its own set of rules about the sticking point at which it will no longer follow a hyperlink.

I must have misunderstood Tim Berners-Lee’s original scheme, but I had the idea that displaying pages and following hyperlinks to open URLs were the whole points of a browser. I don’t care what else they can do. Using Netscape 0.0001 (or something like that) on dial-up would be more effective than using FF (latest update), IE (I admit to still having IE6), Chrome and Opera.

FF swallows memory as if it is running the space shuttle on the side. Ok, I had a few plugins but I’ve disabled them all and it’s actually got markedly touchier rather than more accommodating. It will die instantly if it doesn’t like a page. It makes sure it takes every open tab with it. At its most petulant, it takes the whole operating system. It then offers to reopen the tabs when you try to restart it. Naturally, it tries to open the murderous tab and dies again.

IE6 doesn’t top itself as readily but it can barely display any sites without spilling the main content down to its own new div at the bottom of the page. It has a highly developed aesthetic sense and often decides that some stylesheets are just too ugly, so it just won’t use them. It has serious attachment issues – it will often refuse to release memory, no matter how impeccable the shut down process has been.

Installing Chrome was shooting myself in the foot, in browser format. I stupidly let it nominate itself as default. That means, any link I click on opens Chrome. I don’t like its hairtrigger nature. A millisecond pause as the mouse passes over a hyperlink and it’s opened the page. I don’t like the open and close tabs buttons. I have yet to close a tab without accidentally opening half a dozen tabs each offering a “Most visited” that shows mini screenshots of sites that I have visited once – by accident (ref: the hair trigger bit, above) and which come back to haunt me forever.

Opera is the Gap browser (reference to Piers Anthony.) I forget its existence until I’ve already got frustrated enough to do impromptu impressions of someone with a terminal case of Tourette’s. (Terminal, geddit… Sorry) Then I have no passwords stored anywhere so I can’t actually get into anything I have any login privileges to. So I might as well not bother.

These browsers are studded with so many updates, extra features and dial-home-devices that I am seemingly operating an unpaid outpost of Mozilla, Google and Microsoft. And running the space shuttle.

Right, browsers, pay attention. I’ve had it up to here with you. Just open links when I click on them. Is that too much to ask?

*(That’s made “of” china, not made “in” China. I wasn’t suggesting that browsers might be forged or contaminated with melamine.)

Firefox Memory Hog

Now, for almost as long as I can remember (yes, I have a short memory), I have been a big fan of Firefox. I work on web applications so I have quite a few browsers installed, but generally I stick to Firefox for most browsing, with IE as a “backup” for those odd little sites which are cabbaged in other browsers. Opera is installed, but it doesn’t get used as often as the “big two” and the Seamonkey / Mozilla etc. browsers are hardly touched (anyone use Amaya for browsing?).

Recently, Firefox informed me that it had been updated and needed a restart. I dutifully complied and everything seemed to run fine.

As the hours and days passed, I noticed that my system was becoming slower and slower – web pages were taking an eternity to open and when I was running Photoshop or other system intensive applications everything really was starting to slow down. For reference, my system is an Athlon 64 x2 3800+ (Dual processor) with 1GB of RAM. You would hope that it would be fast at web browsing and basic office applications. It was, until recently…

Some initial research revealed that crap-shop-crap-ISP Pipex was providing me with a fraction of the broadband service they claimed, which explains the slow web pages (somewhat), but the problem remains in locally hosted pages. Despite my disgust with Pipex, they can’t really be blamed for everything else slowing down either.

Eventually, I cracked and bothered myself to look into this. Opening task manager reveals a possible cause of the problems. Firefox is a massive memory hog. I mean massive.

An example: I had Firefox open with nothing other than this blog displayed. IE was running with this blog, Flickr, eBay and Gmail tabs open.

Firefox was using 164mb of RAM vs IE which was using 98mb. IE had more tabs open and the tabs had more data-heavy pages.

What on Earth has the world come to? I tried Opera with the blog page and Flickr open and it hardly registered a byte. Blimey.

It seems that Firefox, at least with this current “Upgrade”, has become a worse memory hog than IE. Opera is like lightning in comparison to Firefox, but it always has been – seeing IE more responsive and less memory intensive is pretty shocking. I am going to look into this a bit more, but I would be interested in hearing any other experiences on this subject.
