And Microsoft wonders why they are hacked all the time

I was reading the article, Security Holes Sinking IE, in hardcopy last night and had to laugh at some of the comments from Microsoft:

Gary Schare, director of Windows security product management at Microsoft:

"In the end, it's up to the customer to not install any ActiveX control that they come across. [IE] does a good job of warning users,"

If it does such a good job, why do people end up with all this spyware on their machine? I recently saw a laptop with over 900 hits on a spyware/adware removal program. These did not come from software they just installed. Come on now.

Also from Mr. Schare:

"Where you run into problems is with sites accessing controls and using them in ways they weren't designed to be used."

I almost fell off my bed laughing at that one. Well, DUH! That is why when you write code, you put in checks to make sure that the functions ARE being used for what they are supposed to be used for.

It's funny. In my previous job, I wrote A LOT of code. Mostly web applications with database backends, etc. Well, I never did checks on the data coming in and it caused all sorts of issues. Finally, we got a QA team (this was all internal apps, not something we were selling, so we didn't need a QA team at first). And the QA folks started doing things they weren't supposed to and would put in bugs. I would say, you aren't supposed to do that, so it's not a bug. But really, it is. If you aren't doing checks on the data coming in and how things are being used, you never know what can happen. So, I started putting checks on data. And have ever since. It makes programming much less of a nightmare.

So, why am I saying this? Well, at the time I was doing all that bad programming, I was about a year past my first program. And once I learned my lesson, I've stuck to it ever since. Well, don't you think pretty much EVERY programmer at MS has more than a year of coding experience? If so, shouldn't they have figured this out by now?

About this Entry

This page contains a single entry by Skadz published on July 20, 2004 1:04 PM.
