how closely tied to the OS is IE??

groovin

Senior member
Jul 24, 2001
ok, with the latest FF crash bug (which is a different topic entirely) lots of people are saying that it's not that bad considering your FF browser just closes and nothing else is affected. Ok that doesn't seem too bad, but then others are saying that IE is so closely tied to the OS that similar types of attacks cause other parts of the OS to crash as well...

to me, that's believable just because when i used IE, there were many times where a web page would lock up my fully patched win2k/IE6 box.

but IE/MS guys are arguing that IE isn't that close to the OS and that this is untrue... but IIRC, MS defense at one of its anti monopoly hearings was that IE was an integral part of the OS, so that's how they can justify its inclusion with windows...

so what's the real truth here?
 

MrChad

Lifer
Aug 22, 2001
Explorer, IE and Help files all share the same HTML rendering components. When you view the contents of a folder, the display of files and subfolders is rendered in HTML. That's why you can type a web address in the address bar of an Explorer window, and it will work the same way as if you typed it in an Internet Explorer window.

Microsoft set up zone-based security to grant or deny access to certain kernel functions depending on where a component is being called from (i.e. IE calling functions to render a web page should have much less access than Explorer rendering the "My Computer" page). Many of the critical exploits for IE involved breaking these zone barriers.

That said, if a web page locks up your box, it usually has more to do with a faulty/buggy plug-in or poorly-programmed JavaScript that the web page invokes rather than a browser bug.
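
The zone-based security described in the post above can be inspected on a live Windows system. The following is an added example, not part of the thread: it reads the per-user zone settings and reports how each zone treats ActiveX and scripting. It assumes the standard per-user zone registry location and the documented URL action IDs (1001, 1004, 1200, 1201, 1400), none of which appear in the thread; the function name `Get-ZoneActiveXPolicy` is hypothetical.

```powershell
# Added example (not from the thread). Reports the ActiveX and scripting
# URL actions for each Internet Explorer security zone of the current user.
# Assumption: standard Windows zone registry layout and URL action IDs.
$ZoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'
                3 = 'Internet';    4 = 'Restricted sites' }
$Actions = [ordered]@{
    '1001' = 'Download signed ActiveX controls'
    '1004' = 'Download unsigned ActiveX controls'
    '1200' = 'Run ActiveX controls and plug-ins'
    '1201' = 'Initialize and script ActiveX controls not marked as safe'
    '1400' = 'Active scripting'
}
# DWORD values used by the zone settings: 0 = allow, 1 = ask, 3 = block.
$Settings = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
$ZonesKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

function Get-ZoneActiveXPolicy {
    param([string]$Root = $ZonesKey)
    foreach ($zone in 0..4) {
        $key = Join-Path $Root "$zone"
        if (-not (Test-Path $key)) { continue }      # zone not configured
        $props = Get-ItemProperty -Path $key
        foreach ($id in $Actions.Keys) {
            $raw = $props.$id
            if ($null -eq $raw) { $state = 'not set' }
            elseif ($Settings.ContainsKey([int]$raw)) { $state = $Settings[[int]$raw] }
            else { $state = "other ($raw)" }
            # Flag untrusted zones (Internet, Restricted) that would run
            # unsigned or not-marked-safe controls without asking.
            $risky = ($zone -ge 3) -and ($id -in @('1004', '1201')) -and ($state -eq 'Enable')
            [pscustomobject]@{
                Zone    = $ZoneNames[$zone]
                Action  = $Actions[$id]
                Setting = $state
                Risky   = $risky
            }
        }
    }
}

Get-ZoneActiveXPolicy | Format-Table -AutoSize
```

Any row with `Risky` set to `True` means the Internet or Restricted sites zone is configured more permissively than the shipped defaults for that action.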
 

Smilin

Diamond Member
Mar 4, 2002
There are portions of IE that are part of the OS. Why rewrite a bunch of code to pull things from the network and display them on a screen? Just use the portions of the OS that already do this.

FireFox does this as well via APIs.

IE should not be able to lock up your box. If some kernel mode portion of the OS fails you should get a bugcheck. If a user portion fails you should get a Dr. Watson (Error report). Most problems with IE are due to 3rd party add-ons to either the browser or the OS. Not sure about w2k, but on XP sp2 you can easily check on this crap via Internet Options | Programs Tab | Manage Add-ons button. Most lockups without dumps or events are caused by hardware problems.

This all sounds like extracts from a FF vs IE FUD war.

As for IE causing a box to crash because it's "so closely tied to the OS"... bunch of BS. Does your OS crash every time IE does? Didn't think so.

"The real truth" you are seeking is a case by case basis. What was the cause of "THE" crash? I see speculation but no facts. No memory dumps, no logs.
 

groovin

Senior member
Jul 24, 2001
whoa smilin

i didn't make a statement. i asked a question. big difference between the two. I didn't say "IE caused my box to crash because its so tight with the OS". i'm not some FF fanboy trying to flame on IE, sorry if i came off that way. i just thought i'd get some opinions from those who know IE better than I do about how IE/OS works.



 

Hyperblaze

Lifer
May 31, 2001
In my own personal experience I've seen machines (when employing the explorer file manager) completely lock up the machine. It was only after running ad-aware and removing a bunch of spyware that the machine became usable again. This spyware was brought in through IE (the only browser they had). If I had been allowed to, I would have highly recommended linux on the client's machine just because I felt so bad leaving her with a machine which I wouldn't even consider stable.
I opt to highly HIGHLY recommend them firefox instead for safer web surfing.
 

spyordie007

Diamond Member
May 28, 2001
There are a lot of people who do believe that one of FF's strong points is that it's not using OS APIs for rendering. As Smilin pointed out this is really not the case as the IE process is independent of any Kernel (or other OS related) processes, besides FF does call some of the OS APIs...

As I've mentioned before from a security perspective what privileges the process (ie or ff) have is much more important than what APIs they decide to call. This is a very good reason to NOT run a web browser under administrative context.

But anyway back to your OP FF is much more "Windows Independent" than IE. IE uses a lot of OS APIs for rendering pages, etc. IE in-and-of itself is nothing without the code and APIs that exist in Windows. That said if you are going to have the OS with those APIs available why not package a browser that can make use of the components? This does give IE a potential performance advantage to other browsers in that they have to have a much larger codebase to support the basic functionality.

The "real" truth in regard to your question of causes for the OS to crash is that it's very unlikely for either FF or IE to pull down the system. If it does pull down the system it means:
a. You ran it with higher privileges than you should have and it's performed an operation that it shouldn't have. Both browsers face this issue.
b. There is a bug in the browser that causes it to do something it should not have and it is eating up system resources. Both browsers face this issue.
c. There is a serious bug in the API (while possible this is not a likely scenario). More of an IE specific thing, however it's likely possible for FF (or a FF extension) to call the same API on the Windows platform so it could still affect both browsers.

As for the whole anti-monopolistic question I think it's been played up. My thoughts here are that you need to have the APIs and IE codebase, not because Windows cannot exist without IE but simply because there are a lot of applications that use both the APIs and the IE codebase to do their rendering; if you were to pull that code then it would break those applications. Oh yeah also AFAIK they got nailed as a monopoly because of JAVA not because of the browser ;)

-Erik
 

spyordie007

Diamond Member
May 28, 2001
I opt to highly HIGHLY recommend them firefox instead for safer web surfing.
I disagree. The only real reason FF is any "safer" is simply because malware authors have targeted IE due to its large userbase. As soon as they target FF (and some have) this argument is moot.

In IE you have active-x and in FF you have extensions; both make the browsers capable, powerful and extendable and (if allowed to run "bad" code) both can hurt you.

This is a good argument to keep your browser patched, but this holds true for any browser.
 

drag

Elite Member
Jul 4, 2002
Originally posted by: spyordie007
I opt to highly HIGHLY recommend them firefox instead for safer web surfing.
I disagree. The only real reason FF is any "safer" is simply because malware authors have targeted IE due to its large userbase. As soon as they target FF (and some have) this argument is moot.

Just because IE and Firefox are both browsers, it doesn't automatically make them equivalent in the way that you're speaking.

Anyways currently, according to secunia, firefox has 3 unpatched vulnerabilities and 3 that have only partial workarounds. IE has over 20 that you have to watch out for... And of a VERY much more serious nature.

Irregardless of whatever theoretical model that you may have on software vulnerabilities based solely on that software's general popularity at the current time an average person is much better off using Firefox by any stretch of the imagination... especially if they are using anything other than Windows XP SP2.

In IE you have active-x and in FF you have extensions; both make the browsers capable, powerful and extendable and (if allowed to run "bad" code) both can hurt you.

Firefox extensions are hardly the unholy and complete utter disaster that ActiveX is in terms of security. By its nature ActiveX is almost impossible to patch, runs automatically unless the user takes extra steps to disable ActiveX extensions. In comparison extensions in firefox are subjected to whitelists and the users have to go thru several steps, each with warnings displayed, before they get one installed on their computer.

This is a good argument to keep your browser patched, but this holds true for any browser.

Definitely. Any piece of software needs to be kept up to date.
 

spyordie007

Diamond Member
May 28, 2001
... especially if they are using anything other than Windows XP SP2.
Firefox extensions are hardly the unholy and complete utter disaster that ActiveX is in terms of security. By its nature ActiveX is almost impossible to patch, runs automatically unless the user takes extra steps to disable ActiveX extensions. In comparison extensions in firefox are subjected to whitelists and the users have to go thru several steps, each with warnings displayed, before they get one installed on their computer.
Good point, better clarify here. I was specifically referring to current releases (XP SP2 and FF 1.0.7); with older versions of either there are a lot more issues.

ActiveX is much better in XP SP2. Nothing runs automatically without the several warning screens (similar to FF). There were definitely some big issues with "drive-by installs" in older versions.
 

xtknight

Elite Member
Oct 15, 2004
Internet Explorer is a separate process from Explorer.exe. When IE crashes, Explorer does not crash, and I don't know where people get that from. However, if you do navigate to a website within an explorer.exe process (using address bar in Windows Explorer), the whole task bar and desktop will crash if 'start in separate process' in Folder Options is not selected. Just use start in separate process in Folder Options and you can terminate folders as well. This is not the same as 'open in separate window'.

There are ways to remove Internet Explorer from the system without screwing everything else up. Your system will have no problems if you delete c:\program files\internet explorer and all the shortcuts to IE. No problems at all. Many people confuse Internet Explorer with the Shell. IE isn't inseparably close to Windows, however the Shell is. The Shell is comprised of libraries such as shdocvw.dll (Shell document viewer, which also renders web pages for IE), and shdoclc.dll (contains some error pages).

I would not even consider the page-rendering DLLs part of Internet Explorer at all. Those are part of the Shell, because almost every aspect of Windows Explorer and the Desktop uses these DLLs. IE happens to use them too.

You can even start Internet Explorer without iexplore.exe or the whole Internet Explorer directory with a COM object called InternetExplorer.Application. All iexplore.exe does is invoke this object. IE contains a connection wizard and a wrapper to the InternetExplorer object. While this component is in the Shell DLLs, AFAIK it is not needed. WebBrowser is a more general purpose page-rendering control, which the Desktop/Active Desktop uses.

Because the Shell is well-tied into Windows is not the reason it has a lot of holes. It is the reason why Windows shares a lot of holes the Shell object does however.

Most of the IE exploits comprise of buffer overflows in tags, security zone holes (or more appropriately, work-arounds), and ActiveX handling. There are really not that many bugs in IE. Most of this stuff was intended to be so. ActiveX is there so that people can interact with web pages. Unfortunately, many people take advantage of ActiveX with a little bit of social engineering. However this does not mean it's a bug. A bug is something like a buffer overflow, of which IE has a little bit of, but I would not say that is the majority of IE's exploits.

If you want a secure browser, use Opera. It has less total exploits than Firefox (according to Secunia), and zero unpatched vs. Firefox which has at least a couple.
 

singh

Golden Member
Jul 5, 2001
Internet Explorer, the browser-shell or the component DLLs are not part of what is traditionally considered the Operating System. The IE components are used by the Shell, which itself may or may not be considered part of the OS, depending on your definition of modern Operating Systems.
 

bendixG15

Diamond Member
Mar 9, 2001
Originally posted by: Bozo
I've used this software to completely remove IE from XP. Xp still runs fine. Does that answer your question?

http://www.litepc.com/


Bozo :D

Wow, I used those guys years ago on Win98, (took a while, but it worked)
Didn't know they were still around
 

smack Down

Diamond Member
Sep 10, 2005
Originally posted by: Bozo
I've used this software to completely remove IE from XP. Xp still runs fine. Does that answer your question?

http://www.litepc.com/


Bozo :D

Does it just delete the IE icons and .exe? If so it isn't really removed there are all the special hooks into the shell that IE used left over.
 

xtknight

Elite Member
Oct 15, 2004
Originally posted by: smack Down
Does it just delete the IE icons and .exe? If so it isn't really removed there are all the special hooks into the shell that IE used left over.

Yeah, basically, but what is the point of ripping out the innards of your operating system? Microsoft is not preventing you from using any other browser. Just because IE is there does not mean you have to use it. Just delete the shortcuts and shell associations with it and you'll never see it again.
 

hooflung

Golden Member
Dec 31, 2004
IE is very much an integral part of the operating system in Microsoft's view of an operating system and the status quo view of an operating system. It is NOT part of the kernel but Microsoft seems bent on mixing kernel and userspace in an insecure fashion thus we get active-x destructo bots and scripts. Service Pack 2 safeguards are no excuse for years of blatant disregard for security and Windows in general is the poster child for "Just Get it to work" development.

To unclutter what some have said about FF using OS APIs :

Of course every operating system has a set of APIs that come with it to give a library to programmers to build on. Firefox uses Win32 APIs just like any other GUI application. That pointing out that it too does use Win32 APIs is FUD spam. IE uses userspace dlls that directly affect the kernel at a very intimate level through active-x. Firefox does NOT use active-x and therefore does NOT use the most severe APIs Microsoft ever implemented for abuse. You reap what you sow and Microsoft sowed an illegal distribution method and now they are reaping security hazards at every step. Firefox is a breath of air for internet surfers. Opera 8.5 is too once you get over the wild interface.
 

Rilex

Senior member
Sep 18, 2005
Firefox extensions are hardly the unholy and complete utter disaster that ActiveX is in terms of security.

Remember Greasemonkey? And this one? http://www.frsirt.com/english/advisories/2005/0493

By its nature ActiveX is almost impossible to patch

How is that?

It is NOT part of the kernel but Microsoft seems bent on mixing kernel and userspace in an insecure fashion thus we get active-x destructo bots and scripts.

There is one component of Windows that mixes kernel and userspace. It is not ActiveX.

IE uses userspace dlls that directly affect the kernel at a very intimate level through active-x.

ActiveX is not a kernel-level component (nor is COM, for that matter).