I think, though, we are comparing apples to oranges in terms of general usage.  
While you make reference to "hardened" IE configurations, I can argue you could 
go to the same extent with any browser.. or more so, but it's largely 
irrelevant as the goal is to make the browser "out of the box" better than its 
competitor, as that's the way 99% of people will leave it.

This is the great misnomer.. the assumption that IE is better because you can 
trick it out to make it better.. something I will not deny.  But it's somewhat 
like me saying a Honda Civic is the greatest drag car ever because tricked out, 
it stomps.  That doesn't mean that the floor model is the same thing.

That's the whole point.  Firefox, out of the box, with default configurations, 
I would trust more than IE, out of the box, default configurations.  But if you 
spend your time hunting for Pr0n or WaReZ, then you pretty much get what 
you've got coming ;)

CW




-----Original message-----
From: Carroll Kong [EMAIL PROTECTED]
Date: Mon, 14 Mar 2005 15:55:36 -0600
To: The Hardware List [email protected]
Subject: Re: [H] Another FF vulnerability?

> Brian Weeden wrote:
> > Once again it's an exploit that requires the user to say yes to an
> > install for it to work.  Not great but not as bad as the multitude of IE
> > attacks that happen automatically without the user even knowing they
> > occur.  The dialog box has three (count them - 1, 2, 3) exclamation
> > icons, has a title that says "Warning - Security", explicitly states
> > that the certificate is invalid and issued by an untrusted company,
> > and has "No" as the default selected button.  I know users are dumb
> > but give the browser a damn break - here the browser is doing EXACTLY
> > what it is supposed to by warning the user that this is not a good
> > idea.
> 
> Not all of the exploits are going to prompt you.
> 
> > Also interesting is that Sun's Java is the means of the exploit and it
> > won't work with M$'s Java.  Weird - isn't Sun supposed to be the good
> > guy?  And this exploit works with Firefox, Mozilla, and Opera.  So why
> > is this posting entitled "Another FF vulnerability" and not what it
> > should be, "Sun Java can be used to infect IE through Mozilla, Opera,
> > and Firefox".  And here is the really interesting part - there isn't
> > actually any infection in FF/Opera/Mozzy!  It all happens in IE.  So
> > in my case, since I use FF 100% of the time, if I were stupid enough
> > to click yes to this box I wouldn't even notice it since all the
> > adware crap hits IE.
> 
> Sun software has probably had quite a few embarrassing exploits 
> themselves (instant root with telnetd included).  They are big fans of 
> RPC;  they are not the good guy.  However, IE can be configured to 
> securely deflect attacks.  The "other browsers" in this case bypass IE 
> security controls completely, thus decreasing security greatly.
> 
> It is not a "false alarm", I think warpmedia was the first member here 
> who mentioned his machine was completely hosed when he used Firefox 
> exclusively and it illegally called up IE without warning.  Ironically, 
> if warpmedia used his hardened IE setup (I have a similar setup as 
> well), then he would not have been vulnerable at all!  A lot of members 
> thought warpmedia was nuts since he did not have the original URL 
> anymore and the attack vector was unknown.  Thane's URL confirms 
> warpmedia was not hallucinating.
> 
> > I agree that FF, Opera, and Mozilla will see an increase in exploits
> > and bugs designed for them over the next few years and months but that
> > is to be expected with ANY new piece of internet software as it gains
> > popularity.  What I don't understand is why a few members on this list
> > continue to harp on each next "exploit" as the end of the world and a
> > reason why we should all dump this OSS browser business and go back to
> > IE.
> 
> Actually, the point is that IE has granular up front security toggles. 
> FF, Opera, and Mozilla do NOT.  They also did not include them by 
> design, whereas IE had it in 5.5.  Hopefully they will include them in 
> the future but it is disappointing that the "other browser" vendors had 
> the hubris to believe they could be "better" than Microsoft with regards 
> to security.
> 
> What is my take on it?  Trust no one.  I run as a normal user, I use IE, 
> Opera, Mozilla, and Firefox.  I do not really trust any of them.  Why 
> should I?  Being that I have done some coding and do security for a 
> living, I have never seen complex, featureful software be "secure". 
> (Note, it's trivial to write secure simple software).
> 
> > To the best of my memory, every FF exploit that has been discovered so
> > far has been patched very quickly (instead of M$ taking months and
> > years to patch IE, if at all).  I am not so optimistic to think that
> > FF is the best thing ever and will never be a problem but I still love
> > it.  I have installed it on many of my friend's machines and been
> > using it myself for several months and NO ONE I know has been hit by
> > spyware/adware/malware, even with most of those installs being
> > straight out-of-the-box.
> > 
> > I appreciate the heads up on new exploits on this list but please tone
> > down the anti-FF slant.  Or at least reserve it for a time when it is
> > actually needed.
> 
> The heads up is a very good warning to realize your true security risk. 
> Knowing where you stand is a lot better than believing vendor X that 
> you are safe and secure.
> 
> So the common security model goes like this.
> 
> IE is insecure, Firefox is "secure".  If I use Firefox I am A-OK!  Not 
> true of course once other javascript and java based attacks come in. 
> Firefox needs to add a granular security model which lets me turn off 
> javascript or java PER site.
> 
> Okay, so I run Internet Explorer as a "normal" user with 
> "dropmyprivileges" and run Firefox as a normal user.  Whoops, you are 
> not longer secure since Firefox will launch the attack as the admin via IE.
> 
> Run both of them as a normal user then?  Okay, just make sure you do not 
> use Outlook or another program that might call up another application 
> later on.  A common attack was to send people some virus attachment in a 
> common download folder (for Eudora, some Attach folder) so they could 
> hide a reference to it in their next email to have you run it as a 
> privileged user.
> 
> Running as a normal user for all your normal activities is a good way to 
> go about it.  But is it 100% secure?  Nope.  Go to one bad trusted site, 
> or run one bad trojan as an administrator (you got fooled into 
> installing it), and it can do some keyboard captures to get your passwords.
> 
> Awareness is a good thing.  Just be more careful when surfing and 
> realize the potential risks involved.  Hopefully a nice, more secure 
> solution is on the horizon.
> 
> 
> 
> -- 
> 
> - Carroll Kong