Another Zero-Day IE Scripting Exploit
billstewart writes "A Computerworld Article reports a pair of vulnerabilities to Internet Explorer that allow Windows machines to be 0wned by a single click on a malicious web page. It was discovered by Dutch researcher Jelmer. As usual, the primary workaround is to disable Active Scripting for any sites that aren't Trusted, but you should have turned off that and Javascript years ago for safety anyway. At least one of the holes is fixed in XP Service Pack 2, but that doesn't fix previous versions of Windows and it's still only beta."
BugTraq (Score:5, Informative)
Here is the BugTraq Archive [securityfocus.com] link.. WARNING.. The link to this site contains OTHER links to the ACTUAL exploit as well as the source code and a non-harmless display. Use at your OWN risk. Just thought I would put out the disclaimer.
Re:BugTraq (Score:5, Funny)
Re:BugTraq (Score:5, Funny)
It is a virus used by terrorists. It stands for "Internet Exploder".
Re:It's a virus (Score:4, Funny)
Re:BugTraq (Score:5, Funny)
Re:BugTraq (Score:5, Funny)
Since IE requires the local user to be actively browsing the web in order to provide RPC service MS is working on an extension of the RPC concept to allow for asynchronous/scheduled remote code execution. Early beta-versions of the latter software (Project name Outlook) are included for evaluation with MS Office 2000/XP which can be purchased for a modest fee at your local MS retailer.
MS Outlook supports the robust SMTP protocol for remote access so it may be considered the most reliable RPC-interface available for MS windows to date.
Re:BugTraq (Score:5, Funny)
Nah if you were stupid you'd be using it
Re:BugTraq (Score:5, Funny)
The Wielder of Windows has spoken, fear is not permissible, only awe. That is all.
Re:BugTraq (Score:5, Informative)
Vint Cerf responded to MSNBC
From http://www.msnbc.com:80/news/249325.asp (which has apparently subsequently timed out). See also ``Revisionist Internet History.'' --jsq
Vint Cerf responded to MSNBC's questions about the Net's origins with this e-mail:
VP Gore was the first or surely among the first of the members of Congress to become a strong supporter of advanced networking while he served as Senator. As far back as 1986, he was holding hearings on this subject (supercomputing, fiber networks...) and asking about their promise and what could be done to realize them. Bob Kahn, with whom I worked to develop the Internet design in 1973, participated in several hearings held by then-Senator Gore and I recall that Bob introduced the term ``information infrastructure'' in one hearing in 1986. It was clear that as a Senator and now as Vice President, Gore has made it a point to be as well-informed as possible on technology and issues that surround it.
As Senator, VP Gore was highly supportive of the research community's efforts to explore new networking capabilities and to extend access to supercomputers by way of NSFNET and its successors, the High Performance Computing and Communication program (which included the National Research and Education Network initiative), and as Vice President, he has been very responsive to recommendations made, for example, by the President's Information Technology Advisory Committee that endorsed additional research funding for next generation fundamental research in software and related topics. If you look at the last 30-35 years of network development, you'll find many people who have made major contributions without which the Internet would not be the vibrant, growing and exciting thing it is today. The creation of a new information infrastructure requires the willing efforts of thousands if not millions of participants and we've seen leadership from many quarters, all of it needed, to move the Internet towards increased availability and utility around the world.
While it is not accurate to say that VP Gore invented Internet, he has played a powerful role in policy terms that has supported its continued growth and application, for which we should be thankful.
We're fortunate to have senior level members of Congress and the Administration who embrace new technology and have the vision to see how it can be put to work for national and global benefit.
Kudos to Norton (Score:5, Informative)
Re:Kudos to Norton (Score:5, Informative)
But after reading the article, I tried the real installer URL, and, surprise, with Norton Antivirus (fully updated) the ad-bar WAS installed.
As said in the article, due to various layers of encoding the javascript, detection is avoided.
Ad-Aware luckily recognized all 34 (!!) regkeys, dll's etc.
Fix now available (Score:5, Funny)
Not everyone can use Mozilla... (Score:5, Informative)
Re:Not everyone can use Mozilla... (Score:5, Insightful)
Re:Not everyone can use Mozilla... (Score:3, Informative)
Idealism must mesh with reality... (Score:5, Interesting)
However, there are still websites that only render correctly within Internet Explorer. The Dell website is a great example--within some of their "Premier" stores, they have a series of nested menus that are built around ActiveX controls. Thus, they only work with Internet Explorer. Try it with another browser, and duh, um, um, um, I'm clicking, I'm clicking, but nothing is happening.
Yeah, I have actually written to Dell about this instead of just accepting it, and though I received an initial response back, I did not receive back a response when I requested they use a vendor-neutral technology like Javascript instead. Unfortunately, they would rather write a website that works for 95% of the population.
As an end user, there is pretty much nothing I can do about this. Yes, I did my part by writing them, but unless a significant portion of their customer base does the same thing, they will not change.
Re:Idealism must mesh with reality... (Score:4, Insightful)
As an end user, there is pretty much nothing I can do about this.
Yes, there is. Don't visit those sites and do not buy their products. If you just shrug your shoulders, fire up IE, and browse their site and/or buy their products anyway, why should they change it?
Re:Idealism must mesh with reality... (Score:5, Funny)
Re:Idealism must mesh with reality... (Score:5, Insightful)
I'm guessing that you carefully explained to them why it wasn't working for you, and what they could do about it. That was kind and well-intentioned; you did most of the initial work for them. I'm sure that whoever read your emails realized that you were another of those linuks kooks that have been pestering them, and trashed your email.
If you had written a snail-mail letter to the president of the company, saying something like:
You would have been recognized as part of their target demographic (unsophisticated, has money), and they would have seen a need for action. There would have been a memo from on high saying: ``Find out what happened, and make sure it never happens again.''
Re:Idealism must mesh with reality... (Score:4, Insightful)
Re:Idealism must mesh with reality... (Score:4, Informative)
I've not used IE in at least a year, and I regularly buy things from Dell.com at work. Once, they did a boneheaded thing that was IE-specific and interfered with navigation of their site. I emailed their webmaster, and called Dell. I also told their sales staff that I was unable to complete my purchases online because their site was broken. And you know what? They fixed it!
If a vendor's website doesn't work for you, call them and make them sell to you over the phone. They'll get the picture.
Re:Not everyone can use Mozilla... (Score:5, Informative)
Because many web based applications require it. Our SAP system for procurement for instance requires IE 6 on a Windows box. Our Mac users must use a Citrix server to access Windows to access the system. It's very stupid to come up with such a broken system, but that's the way the cookie crumbles.
Our time card program is another app that simply doesn't work on anything other than IE 6 on Windows.
Re:Not everyone can use Mozilla... (Score:5, Insightful)
"Because many web based applications require it. Our SAP system for procurement for instance requires IE 6 on a Windows box."
Why use IE for all, potentially harmful web access when it's only needed for a couple applications? You could restrict IE to only work for certain sites, and make your users use Mozilla/Firefox/Opera/etc for the rest of their web. Put IE in its place, only where it's needed, and use something better for the rest!
Re:Not everyone can use Mozilla... (Score:5, Interesting)
I understand where you are coming from. I had to fight for my netscape/mozilla installation while working for a military installation as a contractor. The attitude of "One Military One Operating System" still rings through those halls. Pretty stupid attitude IMO. I would respond "One Military One Missile System". Needless to say, they didn't laugh
Basically whenever a new worm or virus came out they were VERY busy. I was responsible for the Solaris and Linux servers and was quite amused. Occasionally I pointed out how calm my life was compared to their frantic patching sessions. Sure I had patching that was needed now and then. Certainly was nothing like their experiences
Re:Not everyone can use Mozilla... (Score:3, Insightful)
Re:Not everyone can use Mozilla... (Score:5, Funny)
Re:Not everyone can use Mozilla... (Score:4, Funny)
go! click on the link! for liberty and freedom!
Re:Not everyone can use Mozilla... (Score:5, Informative)
Here is the path for the latest release candidate of Mozilla just unzip and run mozilla.exe:
http://ftp.mozilla.org/pub/mozilla.org/mozilla/re
Have Fun!
Re:What keeps you on Windoze? (Score:4, Informative)
More than can be provided under Linux at the moment. Trust me, if I could have rolled out Linux desktops, I would have done so long ago.
I'd rather have a KDE desktop that I can plug my camera and PDA into.
I'm sure you would. Equally, it's my job to ensure that you can't :-) It's a vector for introducing
unauthorised and potentially harmful
files onto our corporate network. No thank you.
You must have some nasty DOS thing holding you back.
No, but there's a lot more to running a standard office than just Word, Excel, mail and web browsing. The call centre need integration with the phone system, for example. Various people need MS Project or Visio. Finance need SAP. Marketing and analytics need SAS. The creative team use Photoshop, Illustrator, etc. Yes, a lot of people could get 90% of their job done with a Unix desktop. But that remaining 10% is important, and the missing 10% is different for each department.
Re:Fix now available (Score:5, Interesting)
Or here [opera.com], for that matter. But seriously, when I started running Opera at work a couple of years ago, people would see me using something other than IE and they'd just shake their heads. Why would anyone want to use a "non-standard" browser?
Yesterday, I had to download some MS software, and my co-worker still laughed a bit when I had to copy the URL out of Opera to IE. But there's definitely more respect now... especially since the Data Security folks just sent a company-wide email telling us to high-tail it to windowsupdate.com... again...
Re:Fix now available (Score:3, Insightful)
Maybe for the same reason they'd use a non-standards-compliant browser.
Re:Fix now available (Score:5, Insightful)
First you should read this [mozilla.org] (which is known to be incomplete), and this [mozilla.org], a rather strange policy.
Mozilla is a very nice browser, but it's not the kind of fortress most users think it is.
Nothing is (Score:4, Insightful)
Give Mozilla the widespread usage (which is like industrial-strength beta-testing) that Internet Explorer has and see how many holes are blown open in it. Nothing is perfect, and it's silly and arrogant to pretend one project is a perfect solution above all others. This goes for anything, from operating systems to web browsers.
I'm an Opera user through and through, but most of my friends use MyIE, which gives them tabbed browsing, pop-up blocking, and more, but using IE's system libraries to render pages. It's their choice.
Re:Fix now available (Score:3, Interesting)
Comment removed (Score:4, Insightful)
Comment removed (Score:5, Informative)
100% Safe IE (Score:5, Funny)
MOD PARENT UP (Score:4, Informative)
Reference to Microsoft advice [slashdot.org] (he was trying to be funny, you insensitive clod.)
Re:100% Safe IE (Score:5, Informative)
The most effective step that you can take to help protect yourself from malicious hyperlinks is not to click them. Rather, type the URL of your intended destination in the address bar yourself.
linky [microsoft.com]
This was for a previous IE link related exploit. When MS is telling not to use their product in the most basic manner expected of the product then it should be painfully obvious that the product is broken.
Yet again... (Score:5, Insightful)
It's entirely possible to be user-friendly and easy-to-use, as browsers such as Mozilla, FireFox and Opera show. However, seeing serious and trivial-to-exploit vulnerabilities like this popping up so frequently makes me wonder what kind of programmers actually work for Microsoft.
I imagine the codebase for a complex feature-rich browser could get quite large and complicated, and modern browsers seem to have everything built in but the kitchen sink (in Microsoft's case, an entire OS is embedded into IE...
A web browser should NOT be tied into the OS core as IE is with Windows. A tiny speed gain (or any other reasons for that matter) is not worth all these security issues.
Re:Yet again... (Score:5, Insightful)
It's because they don't care. IE generates no revenue for MS and since people are willing to use it regardless of the holes, there's no incentive for them to overhaul it beyond the occasional patch.
Re:Yet again... (Score:4, Insightful)
Re:Yet again... (Score:3, Interesting)
But why are MS always trying to put all the other browsers out of business for something they get nothing back from?
Re:Yet again... (Score:5, Informative)
Re:Yet again... (Score:3, Funny)
The Salad Dressing theory (Score:5, Funny)
You know when you buy new Italian salad dressing, and the oil and the spices are all separated in different layers? That is what good software architecture is supposed to look like.
Now, shake up the bottle. That is what Microsoft software looks like.
Re:Yet again... (Score:3, Informative)
Ok I am in a sarcastic mood (Score:4, Funny)
Off to check for updates.
Re:Ok I am in a sarcastic mood (Score:4, Funny)
You have to buy them dinner, and take them to a movie, then they screw you.
For something more along the lines of a nice fast, stress-free relationship, try Linux.
Re:Ok I am in a sarcastic mood (Score:4, Funny)
No need for a movie or dinner. She'll just screw you for money. Actually, she'll let you screw her for nothing, in the hope that you will pay in the future once you get "comfortable" with her, hummm, services.
Dang, what a surprize! (Score:5, Insightful)
"Do the Right Thing. It will gratify some people and astound the rest." - Mark Twain
Re:Dang, what a surprize! (Score:3, Interesting)
Re:Dang, what a surprize! (Score:4, Interesting)
My Favorite quote was at the end:
Even though I like Unix, suffer through Linux, and use Mozilla for mail, I prefer Explorer. Despite that preference, though, I use Opera now 80% of the time for exactly the reason of this parent article. I have other things to do than keep abreast of the latest hole M$ has been ignoring or constantly patching.
javascript (Score:5, Insightful)
Re:javascript (Score:4, Funny)
Fortunately my optimism filter translated your statement
I'm sorry... java is a requirement on the modern web. If you are afraid to drink it, you might want to look into switching liquid diets. Next you'll tell us cookies are "yummy" and you should visit the vending machine as well.
Unfortunately, it's playing heck with my diet.
-Adam
Re:javascript (Score:5, Informative)
I used to enable and disable Javascript a lot to deal with this problem, but then I switched to Mozilla and just left it on. It hasn't been a problem for me yet.
Re:javascript (Score:5, Insightful)
Re:javascript (Score:4, Insightful)
Just because a page uses Javascript, it doesn't mean that it depends upon Javascript to be rendered correctly. You mention Slashdot uses Javascript, but if you switch Javascript off, you will find that it renders just fine. This is the way Javascript is supposed to be applied. Perhaps you should learn a little more about it before calling somebody else lame.
Re:javascript (Score:3, Insightful)
Explain to me how HTTP can be used to offload processing to the client. For example, how you would write something simple like a rate calculator that didn't take multiple round-trips to the server using only HTTP.
Time to get JavaScript off your site (Score:4, Interesting)
Turn off JavaScript and try to buy something from your site. If you can't, you have a problem. Yes, you. Not your customer. You, the web designer.
Re:Time to get JavaScript off your site (Score:4, Interesting)
Re:Time to get JavaScript off your site (Score:3, Insightful)
You have to measure the customers you get through faster, or better, vs the ones you lose. Considering most people.. and most meaning everyone minus a tiny percentage.. have js enabled, either 'cause they are clueless or understand it, you aren't losing much.
Re:Time to get JavaScript off your site (Score:5, Insightful)
You're wrong. Javascript doesn't need to be avoided, it needs to be used sensibly. When it's used in the right way, it can improve the usability of a website.
Just because a website uses Javascript, it doesn't mean that it locks out those who have switched it off. The key is to educate the clueless Javascript abusers that do things like <a href="javascript:... or <a href="#" onclick... so that they don't lock people out.
Re:Time to get JavaScript off your site (Score:5, Insightful)
While we're dealing with the extra load processing validations that used to be client side (you know, the extra load only a few hundred thousand users visiting every day can generate), maybe then we can start explaining to the people that actually make the decisions why doing all of the above made our site more inconvenient, not less.
Or maybe a certain large company can actually take some responsibility and help make more secure the tools that we need for our business to work effectively.
Disclaimer: usually, the people that know how to turn off Javascript are the ones that are capable of inputting data into a form the right way the first time, so we don't have a big problem with that.
Re:Time to get JavaScript off your site (Score:5, Informative)
Yes, because you can't trust the client! You can't trust that the client has javascript turned on. You can't even trust that he is running a web browser. He may be running some cool scripts and POSTing whatever malicious data he thinks would be fun to try.
Really, if it is important to validate your data you need to do it on the server!
Re:Time to get JavaScript off your site (Score:5, Insightful)
Re:Time to get JavaScript off your site (Score:4, Insightful)
If you're not validating data server-side then you are asking for trouble - Client side validation makes things nicer for the end user since they are told about invalid data sooner, server-side validation stops someone (intentionally or unintentionally) entering junk into your systems. And remember that allowing a user to enter junk is potentially destructive to your systems. You should really be doing both client side and server side validation - the client is untrusted so never trust that the data coming from the client is valid, even if you _think_ it probably went through a validator on their end.
Troubling... (Score:4, Informative)
Exploits like these, on the other hand, are akin to a passive attack from the inside (like an infected laptop connected from inside the firewall) but are even more serious, because very little action is required on part of the user to affect the attack and *very* difficult to monitor and contain.
Not another one. (Score:4, Funny)
Turn off javascript? (Score:4, Interesting)
I'd *love* to turn off Javascript, but there's so many idiots that use it in their webpages these days that using a large proportion of the web would be impossible.
Not that this current problem affects me, since I use Galeon, but still, I'd love to see the end of Javascript...
Symantec (Score:5, Informative)
Scan type: Realtime Protection Scan
Event: Virus Found!
Virus name: Downloader.Trojan
File: C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\67HK1KWV\installer[1].html
Loc
Computer: Computer
User: User
Action taken: Quarantine succeeded : Access denied
Date found: Wednesday, June 09, 2004 11:56:26 AM
Most corporations should have little to worry about.
Re:Symantec (Score:3, Funny)
User: User
Boy, that's useful information there ...
Another occurrence (Score:5, Funny)
This isn't the only occurrence of such an exploit. Windows machines can also be easily owned by a single click on Dell.com. I believe it is the "Buy it now" button.
What do you mean "zero-day"? (Score:3, Informative)
Re:What do you mean "zero-day"? (Score:5, Informative)
Usually, people that find a security hole will keep it to themselves and alert the vendor about it. Then, giving them substantial time (in Microsoft's case) to fix the hole, you can release the hole and how it was exploited. When a hole is released in the wild without the vendor knowing about it, it's called 0-day.
Re:What do you mean "zero-day"? (Score:4, Informative)
eggs in one basket (Score:4, Insightful)
I think something like that would knock out most of the vulnerable sales people, secretaries, and executives in the business world.
And the pain continues (Score:5, Informative)
Now most people recommend just switching to Linux. Yeah that works. But what about those hacked Windows PCs that happen to be remotely controlled? Some are sending SPAM others are used for DDoS attacks and others just scan all the IP space they can get ahold of.
It is a vicious cycle which has been growing more pronounced over the past 4 years. The only real solution to this problem is to inform people. Don't just tell people to use something else.
Explain the advantages of using a different program. In this case explain how Mozilla or Opera being separate programs with different internal works and security systems are not going to be compromised as easily.
Whats funny about this.. (Score:5, Interesting)
http://www.i-lookup.com
If you go to that page, what is the top search.
Uninstall spyware.
People get infected and use their own search to find a product to fix the problem.
Anyway, enough with the fun stuff, How about someone, the FBI or some agency go after who ever owns www.i-lookup.com.
i-lookup.com
production
Aztec Marketing S.A.
aztecmanager@hotmail.com
Sabana sur
Supermercado AM PM
San Jose
Costa Rica
ns1.dnsoutofcountry.com
ns2.dnsoutofcountr
Come on, we helped raid drug lords in Colombia, we ferret out saddam and are still chasing bin laden.
Why not use the long arm of the law to give this ahole a major smack down!!!
Getting the word out is hard (Score:5, Interesting)
Most people, of course, have never heard of Firefox.
Why don't the "responsible" PC magazines who complain about all these security issues push Firefox? Are they worried about their advertising revenues? Maybe they just don't know any better.
Re:Getting the word out is hard (Score:3, Interesting)
Because the second you go from reporting security holes to advocating one product over another, you are vulnerable to being labelled biased.
If the article is a review of what browsers are available, then sure, you have the freedom of putting your opinion across. But that doesn't mean that you have the leeway to push one product over another every time the topic comes up.
Re:Getting the word out is hard (Score:3, Interesting)
And a few who have heard of it don't use it. Case in point: My father complained of popups and spyware. I used AdAware and installed Firefox for him. After a few weeks, he said he didn't want to use it because pages "didn't work." (Provided no examples of what didn't work, probably ActiveX exploits.) He tried to remove AOL because he got broadband, and this broke IE. I tried to fix it, but that didn't work. So now he is paying $25/month for AOL just becau
"Single click" (Score:5, Insightful)
And worse, that happens in every IE descendant? There are a lot of "alternative" browsers that use the IE engine to render html, sites, help files, whatever to show their content, including specially outlook (and that probably will mean a new mail worm in the next few days).
Why on earth... (Score:3, Insightful)
SP2 is not beta (Score:5, Informative)
Re:SP2 is not beta (Score:5, Funny)
RC1 = Alpha
Release = Beta
Release + many patches later = Release
Re:SP2 is not beta (Score:4, Funny)
RC1 = pre-alpha with new name
RC2 = alpha
Release = RC2 with new name.
Totally renamed product rewritten from the ground up = Release
Exploit analysis (Score:5, Informative)
As always, design problems present from the start are the ones exploited here; artificial solutions like separating the internet into "zones" (local, trusted, etc.) are just patches that don't resolve the core problem, so it still has more holes than a Swiss cheese.
IE never gives me problems (Score:5, Insightful)
I clicked on the link... what's the big deal? (Score:3, Funny)
Nothing installed, my system didn't crash. There were no apparent ill effects to clicking on that.
So why is everyone so worked up? I use Windows XP every day for some of my work, and haven't had a problem with malicious web pages in over a year.
I've been using FireFox for over a year, but that's probably just a coincidence.
It's getting to be more than just a nuisance (Score:5, Insightful)
The problem with this one is that, by the time client's antivirus software is up to date for the latest viruses, worms, and exploits, the damage is already done. I have had Windows boxes on which the antiviruses were updated twice daily - just to find that by the time I had received the update, the malicious software had already been on the machine. God knows for how long.
On a Windows box at home, despite antivirus software, Windows' builtin firewall and a 3rd party firewall software, I once counted 12 (!) different infections within less than 24 hours.
Interestingly enough, it's gotten much better for me at home since I've been running my Windows box through a Linux gateway. Still, stuff slips through, but it's on the order of one a week or so. This has taught me one lesson:
If you have to run Windows on a machine connected to the net, for your own sake and the sake of others you're prone to infect, run a reliable hardware router with a reliable firewall, or take an old computer and run a linux gateway/router. You wouldn't believe how much trouble you'll spare yourself.
extremely sophisticated use of encrypted code (Score:5, Informative)
Dutch researcher Jelmer [...] embarked on a detailed analysis of the link, which demonstrates an extremely sophisticated use of encrypted code.
Hmm... I hardly consider using the (unfortunately) existing Script encoding feature in IE to be 'sophisticated'. Besides, for those who are not DMCA-encumbered, here is a program [virtualconspiracy.com] to Decode [virtualconspiracy.com] the Javascript contained in the "JScript.Encode" areas. (The author of the script has an interesting and informative article on what a piece of crap the JScript.Encode function is, and can be found here [virtualconspiracy.com])
This is NOT a zero-day hack. (Score:3, Insightful)
0-day hacks by definition are generally unknown. They may have been newly discovered, they may have been discovered by someone ages ago. The key is that they are generally unknown, and therefore can be used as a sort of currency (having discovered or access to an 0-day can get you into groups that trade in such things), or can be utilized as a last ditch approach at compromising a machine you absolutely need to compromise (actually using an 0-day for something mundane would be a tremendous waste of a valuable resource).
This is just another publicly visible hack of IE. And thinking about it, go ahead and call them 0-day's, those in the know, know better, those that don't... Well who cares.
Disable Javascript? (Score:4, Insightful)
Ok enough is enough. (Score:5, Insightful)
If you're a network administrator and there are certain websites that are needed for work and require IE, that's simple enough to solve.
Install a proxy, set IE to use that proxy and have the proxy only allow those websites to load. Then pre-load IE with those favorites. Finally have every user send each company an email a day bitching about their broken software.
The additional cost of the IE proxy, well simply explain to management that is part of the overhead of using windows and IE. Further explain that website X, X, X, X are security holes and that for now you've got to do the best you can to get around it. When they balk at the security thing, explain that at least weekly for the past couple years there has been a vulnerability in IE which could have given complete access to accounting.
That puts things in perspective. Now you can use Mozilla/Firebird, users can still browse those sites they need for work that are IE only. And the boss is aware that Microsoft = serious security risk, one that would allow someone else to take their money and devalue the company stock.
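The comment above, and the earlier suggestion in this thread to restrict IE to certain sites, both come down to an allow/deny decision made by the proxy IE is pointed at. The following is an added example, not code from any poster; the host names are hypothetical placeholders and the sample requests are constructed.

```javascript
// Added example (not from the thread): allow/deny decision for a forward
// proxy that IE is pointed at, so IE reaches only the sites that require it.
// All host names are hypothetical placeholders.
const IE_ONLY_SITES = [
  "sap.corp.example",        // exact host only
  ".timecard.corp.example",  // leading dot: that domain and its subdomains
];

// Lower-case and drop one trailing dot so "HOST.example." equals "host.example".
function normaliseHost(host) {
  return host.toLowerCase().replace(/\.$/, "");
}

// Match on whole DNS labels. A substring test, or endsWith() without the
// leading dot, would also accept "notsap.corp.example" or
// "sap.corp.example.untrusted.test".
function hostAllowed(host, rules = IE_ONLY_SITES) {
  const h = normaliseHost(host);
  return rules.some((rule) => {
    const r = rule.toLowerCase();
    return r.startsWith(".") ? h === r.slice(1) || h.endsWith(r) : h === r;
  });
}

// Plain HTTP through a proxy: the request line carries an absolute URL.
// Parsing it (instead of searching the string) means a userinfo part such as
// "sap.corp.example@untrusted.test" cannot pass for the allowed host.
function httpTargetAllowed(rawUrl, rules = IE_ONLY_SITES) {
  let u;
  try {
    u = new URL(rawUrl);
  } catch {
    return false; // unparsable target: deny
  }
  if (u.protocol !== "http:") return false;
  return hostAllowed(u.hostname, rules);
}

// HTTPS through a proxy arrives as "CONNECT host:port". Only port 443 is
// tunnelled, so an allowed host name does not open its other services.
function connectTargetAllowed(authority, rules = IE_ONLY_SITES) {
  const m = /^([A-Za-z0-9.-]+):(\d{1,5})$/.exec(authority);
  if (!m) return false;
  return m[2] === "443" && hostAllowed(m[1], rules);
}

// Default deny: anything not explicitly allowed is refused.
function decide(method, target, rules = IE_ONLY_SITES) {
  const ok = method.toUpperCase() === "CONNECT"
    ? connectTargetAllowed(target, rules)
    : httpTargetAllowed(target, rules);
  return ok ? "ALLOW" : "DENY";
}

// Constructed sample requests (method, target) as the proxy would see them.
const SAMPLE_REQUESTS = [
  ["GET", "http://sap.corp.example/procure"],
  ["GET", "http://SAP.corp.example./procure"],
  ["CONNECT", "hr.timecard.corp.example:443"],
  ["GET", "http://sap.corp.example@untrusted.test/"],
  ["GET", "http://sap.corp.example.untrusted.test/"],
  ["GET", "http://notsap.corp.example/"],
  ["CONNECT", "sap.corp.example:25"],
  ["GET", "http://www.example.org/"],
];

for (const [method, target] of SAMPLE_REQUESTS) {
  console.log(decide(method, target).padEnd(5), method, target);
}
```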
There's nothing wrong with Javascript (Score:5, Insightful)
What a load of rubbish. You're right about Active Scripting, but there's nothing wrong with Javascript, and sensible use of Javascript makes the whole web more responsive.
For example, when you fill in a form, local Javascript should validate the entries whenever possible. This gives much quicker feedback to the user because it avoids a round-trip to the server (and it reduces the load on the server as well). We need more sites doing this, not fewer.
(Of course, all validation has to be repeated on the server, but "pre"-validation is still a huge time-saver, bandwidth-saver, and server-load-saver).
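The point made here and in the earlier "you can't trust the client" replies, as an added example that is not part of any post: one validation routine serves as client-side pre-validation, and the server runs it again on the raw POST body before doing any work. The rate-calculator form, its field names and its limits are hypothetical, and the request bodies in the comments are constructed.

```javascript
// Added example (not from the thread): the same validator runs in the browser
// for quick feedback and on the server as the real gate.
// Field names and limits are hypothetical.
const RULES = {
  amount: { pattern: /^\d{1,7}(\.\d{1,2})?$/, min: 1, max: 1000000 },
  years: { pattern: /^\d{1,2}$/, min: 1, max: 40 },
  rate: { pattern: /^\d{1,2}(\.\d{1,3})?$/, min: 0.1, max: 30 },
};

const isRule = (name) => Object.prototype.hasOwnProperty.call(RULES, name);

// Works on raw strings, because strings are all the server ever receives,
// whatever the client-side script did or did not do.
function validateLoanForm(fields) {
  const errors = [];
  const values = {};
  for (const [name, rule] of Object.entries(RULES)) {
    const raw = fields[name];
    if (typeof raw !== "string" || !rule.pattern.test(raw)) {
      errors.push({ field: name, reason: "malformed" });
      continue;
    }
    const n = Number(raw);
    if (n < rule.min || n > rule.max) {
      errors.push({ field: name, reason: "out of range" });
      continue;
    }
    values[name] = n;
  }
  // Reject anything the form never had: a hand-built POST can add fields.
  for (const name of Object.keys(fields)) {
    if (!isRule(name)) errors.push({ field: name, reason: "unexpected field" });
  }
  return { ok: errors.length === 0, errors, values };
}

// Server side: parse the urlencoded body and validate it again, without
// assuming the browser-side check ever ran.
function handlePost(rawBody) {
  const fields = Object.create(null); // no prototype: "__proto__" is just a key
  for (const [k, v] of new URLSearchParams(rawBody)) {
    if (k in fields) {
      return { status: 400, body: { errors: [{ field: k, reason: "duplicate field" }] } };
    }
    fields[k] = v;
  }
  const result = validateLoanForm(fields);
  if (!result.ok) return { status: 400, body: { errors: result.errors } };

  // Only validated numbers reach the calculation.
  const { amount, years, rate } = result.values;
  const r = rate / 100 / 12; // monthly interest rate
  const n = years * 12;      // number of payments
  const payment = (amount * r) / (1 - Math.pow(1 + r, -n));
  return { status: 200, body: { monthly: Math.round(payment * 100) / 100 } };
}

// Constructed request bodies: one a browser form would send, and several
// that only a client skipping the browser-side check could produce.
const SAMPLE_BODIES = [
  "amount=10000&years=1&rate=12",
  "amount=-5&years=1&rate=12",
  "amount=10000&years=99&rate=12",
  "amount=10000&years=1&rate=12&admin=1",
  "amount=1&amount=10000&years=1&rate=12",
];

for (const body of SAMPLE_BODIES) {
  console.log(body, "->", JSON.stringify(handlePost(body)));
}
```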
Re:don't blame IE too much (Score:4, Insightful)
Sure, don't blame X for being buggy, its bugginess is result of braindead design.
Don't blame me for setting your house on fire, I'm a habitual smoker and can't stand an hour without a smoke.
Integration with OS was a conscious and completely wrong move and nobody else is to be blamed for that than Microsoft!
Re:don't blame IE too much (Score:3, Insightful)
Re:don't blame IE too much (Score:4, Insightful)
"The only reason there are so many of them [ security vulnerabilities] in IE is that it's integrated well with OS."
Actually it's the exact opposite: It's integrated so piss-poorly with Windows, with no regard for security implications of the design. MS could have easily set up IE to play nicely in its own application space, rather than weaving it deep into the OS like a brain cancer.
Re:don't blame IE too much (Score:4, Insightful)