Once again it's an exploit that requires the user to say yes to an install for it to work. Not great but not as bad as the multitude of IE attacks that happen automatically without the user even knowing they occur. The dialog box has three (count them - 1, 2, 3) exclamation icons, has a title that says "Warning - Security", explicitly states that the certificate is invalid and issued by an untrusted company, and has "No" as the default selected button. I know users are dumb but give the browser a damn break - here the browser is doing EXACTLY what it is supposed to by warning the user that this is not a good idea.
Not all of the exploits are going to prompt you.
Also interesting is that Sun's Java is the means of the exploit and it won't work with M$'s Java. Weird - isn't Sun supposed to be the good guy? And this exploit works with Firefox, Mozilla, and Opera. So why is this posting entitled "Another FF vulnerability" and not what it should be, "Sun Java can be used to infect IE through Mozilla, Opera, and Firefox". And here is the really interesting part - there isn't actually any infection in FF/Opera/Mozzy! It all happens in IE. So in my case, since I use FF 100% of the time, if I were stupid enough to click yes to this box I wouldn't even notice it since all the adware crap hits IE.
Sun software has probably had quite a few embarrassing exploits themselves (instant root with telnetd included). They are big fans of RPC; they are not the good guy. However, IE can be configured to securely deflect attacks. The "other browsers" in this case bypass IE security controls completely, thus decreasing security greatly.
It is not a "false alarm". I think warpmedia was the first member here who mentioned his machine was completely hosed when he used Firefox exclusively and it illegally called up IE without warning. Ironically, if warpmedia had used his hardened IE setup (I have a similar setup as well), then he would not have been vulnerable at all! A lot of members thought warpmedia was nuts since he did not have the original URL anymore and the attack vector was unknown. Thane's URL confirms warpmedia was not hallucinating.
I agree that FF, Opera, and Mozilla will see an increase in exploits and bugs designed for them over the next few years and months but that is to be expected with ANY new piece of internet software as it gains popularity. What I don't understand is why a few members on this list continue to harp on each next "exploit" as the end of the world and a reason why we should all dump this OSS browser business and go back to IE.
Actually, the point is that IE has granular up front security toggles. FF, Opera, and Mozilla do NOT. They also did not include them by design, whereas IE had it in 5.5. Hopefully they will include them in the future but it is disappointing that the "other browser" vendors had the hubris to believe they could be "better" than Microsoft with regards to security.
What is my take on it? Trust no one. I run as a normal user; I use IE, Opera, Mozilla, and Firefox. I do not really trust any of them. Why should I? Being that I have done some coding and do security for a living, I have never seen complex, featureful software be "secure". (Note: it's trivial to write secure simple software.)
To the best of my memory, every FF exploit that has been discovered so far has been patched very quickly (instead of M$ taking months and years to patch IE, if at all). I am not so optimistic as to think that FF is the best thing ever and will never be a problem, but I still love it. I have installed it on many of my friends' machines and have been using it myself for several months, and NO ONE I know has been hit by spyware/adware/malware, even with most of those installs being straight out-of-the-box.
I appreciate the heads up on new exploits on this list but please tone down the anti-FF slant. Or at least reserve it for a time when it is actually needed.
The heads up is a very good warning to realize your true security risk. Knowing where you stand is a lot better than believing vendor X that you are safe and secure.
So the common security model goes like this.
IE is insecure, Firefox is "secure". If I use Firefox I am A-OK! Not true, of course, once other JavaScript and Java based attacks come in. Firefox needs to add a granular security model which lets me turn off JavaScript or Java PER site.
Okay, so I run Internet Explorer as a "normal" user with "dropmyprivileges" and run Firefox as a normal user. Whoops, you are no longer secure, since Firefox will launch the attack as the admin via IE.
Run both of them as a normal user then? Okay, just make sure you do not use Outlook or another program that might call up another application later on. A common attack was to send people some virus attachment in a common download folder (for Eudora, some Attach folder) so they could hide a reference to it in their next email to have you run it as a privileged user.
Running as a normal user for all your normal activities is a good way to go about it. But is it 100% secure? Nope. Go to one bad trusted site, or run one bad trojan as an administrator (you got fooled into installing it), and it can do some keyboard captures to get your passwords.
Awareness is a good thing. Just be more careful when surfing and realize the potential risks involved. Hopefully a nice, more secure solution is on the horizon.
--
- Carroll Kong
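The "granular security model" asked for above (per-site JavaScript/Java toggles, the way IE's zones work) is easy to sketch. What follows is an added illustration, not code from this thread or from any browser vendor; the zone names, the rule syntax ("exact host" or "*.suffix") and the sample sites are assumptions made up for the example. The one non-obvious detail it demonstrates is host matching on label boundaries: a naive substring or endswith("example.org") check would let "evil-example.org" or "example.org.attacker.test" inherit the trusted site's permissions.

```python
"""Per-site script/Java policy keyed on zones (constructed example)."""
import ipaddress
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class ZonePolicy:
    javascript: bool
    java: bool


# Assumed zone settings: only the Trusted zone gets active content; the
# Internet zone is default-deny, which is the point of the model.
ZONES = {
    "trusted": ZonePolicy(javascript=True, java=True),
    "internet": ZonePolicy(javascript=False, java=False),
    "restricted": ZonePolicy(javascript=False, java=False),
}


def _host(url):
    """Return the normalized host for http(s) URLs, None for anything else."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return None  # javascript:, file:, data: etc. never reach a site rule
    host = (parts.hostname or "").rstrip(".").lower()  # drop trailing dot
    return host or None


def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _matches(pattern, host):
    """Exact host match, or '*.suffix' matching the suffix and its subdomains
    on a label boundary only (so 'evil-example.org' is not 'example.org')."""
    if pattern.startswith("*."):
        if _is_ip_literal(host):
            return False  # wildcards make no sense for IP literals
        base = pattern[2:]
        return host == base or host.endswith("." + base)
    return host == pattern


class SitePolicy:
    def __init__(self, default_zone="internet"):
        self.default_zone = default_zone
        self.rules = []  # (pattern, zone)

    def add(self, pattern, zone):
        if zone not in ZONES:
            raise ValueError("unknown zone: %s" % zone)
        self.rules.append((pattern.lower(), zone))

    def zone_for(self, url):
        host = _host(url)
        if host is None:
            return "restricted"  # non-http schemes get the tightest zone
        # Most specific (longest) matching pattern wins, so an explicit
        # 'ads.example.org' rule can override '*.example.org'.
        matches = [(len(p), z) for p, z in self.rules if _matches(p, host)]
        if not matches:
            return self.default_zone
        return max(matches)[1]

    def allows(self, url, feature):
        return getattr(ZONES[self.zone_for(url)], feature)


if __name__ == "__main__":
    p = SitePolicy()
    p.add("bank.example", "trusted")       # assumed trusted site
    p.add("*.example.org", "trusted")      # assumed trusted domain
    p.add("ads.example.org", "restricted")  # but not its ad host
    for u in ("https://bank.example/login", "https://evilbank.example/",
              "http://ads.example.org/x.js", "http://example.org.attacker.test/"):
        print(u, p.zone_for(u), "js:", p.allows(u, "javascript"))
```

With a policy like this the user in the thread's scenario would see the Java prompt only on sites they had explicitly placed in the Trusted zone; everywhere else the applet simply never loads, so there is no box to click "Yes" on.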
