On Wed, 27 Oct 2004 06:32:07 -0700, you wrote: <snip> >I write comms code - client- and server-side middleware. I wouldn't dream >of implementing a protocol with code that didn't sanity-check the data it >gets off the wire. What's your point? That you don't believe IE has any sanity checks? More likely, this bug lies IN one of the sanity checks. No system is 100% secure. Fact. Every single software system on the planet, at least anything complex enough to justify the name "system", DOES HAVE security flaws. They may not be easy to find, but they're there. Anyone who believes otherwise either has access to technology FAR in advance of the rest of us here on earth, or is a fool. As proof of this, how about releasing some of *your* code? You believe that it is possible to write code that is completely secure, ie completely free of all security holes, both known and unknown, by strictly adhering to and enforcing every single aspect of the protocol it is designed to handle. I say that's not true - and I challenge you to prove me otherwise. Doesn't have to be a full application; a network protocol handler will be sufficient; doesn't even need to be from a commercial app. Just enough to demonstrate that you *are* telling the truth - either your code will stand up, in which case most developers can learn a few things by using your code as an example, or a flaw will be found to prove the case that 100% security can never be acheived, regardless of how well you believe you have validated your input. How about it? Prove your case? Chris -- Chris Paget ivegotta@xxxxxxxxxxxx
