In a recent blog entry, my companion in the hunt for technology truth, Larry Seltzer, points out that you really, really have to try hard to mess up your Windows PC's copy of Internet Explorer with a Java applet that can run via Firefox and some other non-Internet Explorer browsers.
I mean the spyware-bearing applet on Firefox does everything except scream at you that installing it is a bad idea.
People being people, I understand that it's spreading rapidly.
Maybe we should have a gate on the Internet saying "you must be at least this smart to ride on this network."
While this particular bug requires stupidity above and beyond the call of idiocy to get, it does point out a problem that, among modern operating systems, is peculiar to the Windows desktop.
Windows—be it 3.1, the first usable version, or XP Pro—was designed to be a single-user, stand-alone PC operating system.
Because of that design, Microsoft made what seemed like a good move at the time. The boys from Redmond made its IPC (interprocess communication) mechanisms, like ActiveX, DLLs (Dynamic Link Libraries) and OCXs (OLE Control Extensions), extremely powerful and without any real security.
Remember, they were thinking single-user, non-networked computer.
In turn, Microsoft designed its most important applications, IE, Microsoft Office and Outlook, to not only use but depend on these IPC mechanisms. The problem, of course, is that Windows PCs don't exist as stand-alone machines.
Microsoft's one seamless whole has become one giant security hole.
Thus, this latest security problem really isn't an alternative browser problem. It's a platform problem.
It's also an old platform problem. I first pointed it out in 1992 in Windows for Workgroups, Microsoft's first Windows-based LAN product.
Then, I was able to use Excel and DDE (Dynamic Data Exchange, another IPC mechanism) to pull data out of a "secured" payroll XLS file.
I was able to do this not because I'm some technical whiz. I just looked at the specs, thought about it for a minute, and about 10 minutes of Excel macro-programming later, I was in.
Things haven't changed that much in the last 13 years.
This first example of someone abusing this kind of vulnerability through an alternative browser and Sun's JRE (Java Runtime Environment) requires stupidity to get.
It won't be the last. Just as an endless series of worms has relied upon it to attack Windows systems via Outlook, we can now expect more attacks of this kind.
Don't expect Internet Explorer 7 to solve your problems. Its security improvements—like making reduced-privilege mode the default and blocking cross-domain scripting—are flimsy fixes.
The real problem, Windows' inherently insecure nature, requires major surgery.
The name of that "operation" is Longhorn, but God alone knows when Longhorn will finally show up—2010!?
But will that solve Windows' problems? I doubt it.