Once again it's an exploit that requires the user to say yes to an install for it to work. Not great but not as bad as the multitude of IE attacks that happen automatically without the user even knowing they occur. The dialog box has three (count them - 1, 2, 3) exclamation icons, has a title that says "Warning - Security", explicitly states that the certificate is invalid and issued by an untrusted company, and has "No" as the default selected button. I know users are dumb but give the browser a damn break - here the browser is doing EXACTLY what it is supposed to by warning the user that this is not a good idea.
Also interesting is that Sun's Java is the means of the exploit and it won't work with M$'s Java. Weird - isn't Sun supposed to be the good guy? And this exploit works with Firefox, Mozilla, and Opera. So why is this posting entitled "Another FF vulnerability" and not what it should be, "Sun Java can be used to infect IE through Mozilla, Opera, and Firefox"? And here is the really interesting part - there isn't actually any infection in FF/Opera/Mozzy! It all happens in IE. So in my case, since I use FF 100% of the time, if I were stupid enough to click yes to this box I wouldn't even notice it since all the adware crap hits IE.

I agree that FF, Opera, and Mozilla will see an increase in exploits and bugs designed for them over the next few years and months but that is to be expected with ANY new piece of internet software as it gains popularity. What I don't understand is why a few members on this list continue to harp on each next "exploit" as the end of the world and a reason why we should all dump this OSS browser business and go back to IE. To the best of my memory, every FF exploit that has been discovered so far has been patched very quickly (instead of M$ taking months and years to patch IE, if at all). I am not so optimistic as to think that FF is the best thing ever and will never be a problem but I still love it. I have installed it on many of my friends' machines and been using it myself for several months and NO ONE I know has been hit by spyware/adware/malware, even with most of those installs being straight out-of-the-box.

I appreciate the heads up on new exploits on this list but please tone down the anti-FF slant. Or at least reserve it for a time when it is actually needed.

-- Brian
