Carroll Kong wrote:
Brian Weeden wrote:
Once again it's an exploit that requires the user to say yes to an install for it to work. Not great, but not as bad as the multitude of IE attacks that happen automatically without the user even knowing they occur. The dialog box has three (count them - 1, 2, 3) exclamation icons, has a title that says "Warning - Security", explicitly states that the certificate is invalid and issued by an untrusted company, and has "No" as the default selected button. I know users are dumb, but give the browser a damn break - here the browser is doing EXACTLY what it is supposed to by warning the user that this is not a good idea.
Not all of the exploits are going to prompt you.
I never got prompts in either case; only my deciding to choose open & close program sounds alerted me the first time. The second time only a Spybot scan told me after the fact.
My chicken little routine when I got hit twice over a 3 month period is certainly vindicated & warranted. I've been saying no matter what browser you add, IE is still there to cause problems.
All browsers need to add a security zone model so one can browse in dumb mode until a feature is needed, & then make damn sure it works as advertised (M$ has come a long way with the XP SP2 version). Sun Java certainly has problems.
Also interesting is that Sun's Java is the means of the exploit and it won't work with M$'s Java. Weird - isn't Sun supposed to be the good guy? And this exploit works with Firefox, Mozilla, and Opera. So why is this posting entitled "Another FF vulnerability" and not what it should be, "Sun Java can be used to infect IE through Mozilla, Opera, and Firefox". And here is the really interesting part - there isn't actually any infection in FF/Opera/Mozzy! It all happens in IE. So in my case, since I use FF 100% of the time, if I were stupid enough to click yes to this box I wouldn't even notice it since all the adware crap hits IE.
Sun software has probably had quite a few embarrassing exploits themselves (instant root with telnetd included). They are big fans of RPC; they are not the good guy. However, IE can be configured to securely deflect attacks. The "other browsers" in this case bypass IE security controls completely, thus decreasing security greatly.
The crap I got certainly was running as a process on my machine, so use of IE had not come into the picture. The ability to disable Java by default would go a long way to solving this. Whitelist/blacklist or some sort of security model would make this possible in both browser & Java. Initially less functional, not more, is the smart move in this day & age. If avg joe can't figure out how to get more, then tough shit; they had to learn to drive a car too.
It is not a "false alarm". I think warpmedia was the first member here who mentioned his machine was completely hosed when he used Firefox exclusively and it illegally called up IE without warning. Ironically, if warpmedia used his hardened IE setup (I have a similar setup as well), then he would not have been vulnerable at all! A lot of members thought warpmedia was nuts since he did not have the original URL anymore and the attack vector was unknown. Thane's URL confirms warpmedia was not hallucinating.
Not so much "hosed" as "with enemy child". Hopefully the abortion was a successful operation. I try only to trip when watching screen savers, not while browsing.
I agree that FF, Opera, and Mozilla will see an increase in exploits and bugs designed for them over the next few years and months but that is to be expected with ANY new piece of internet software as it gains popularity. What I don't understand is why a few members on this list continue to harp on each next "exploit" as the end of the world and a reason why we should all dump this OSS browser business and go back to IE.
Actually, the point is that IE has granular up front security toggles. FF, Opera, and Mozilla do NOT. They also did not include them by design, whereas IE had it in 5.5. Hopefully they will include them in the future but it is disappointing that the "other browser" vendors had the hubris to believe they could be "better" than Microsoft with regards to security.
So if Mozzy learns & adds proper per site lockdowns, it's a step in the right direction. As of now they're doing an M$ head-in-the-sand about the real problem. Hence the bad venom coming out of my mouth about them.
What is my take on it? Trust no one. I run as a normal user, I use IE, Opera, Mozilla, and Firefox. I do not really trust any of them. Why should I? Being that I have done some coding and do security for a living, I have never seen a complex, featureful software been "secure". (Note, it's trivial to write secure simple software).
To the best of my memory, every FF exploit that has been discovered so far has been patched very quickly (instead of M$ taking months and years to patch IE, if at all). I am not so optimistic to think that
Bullshit, unless you are compiling your own, it took them 3 months to update & STILL there's exploits because their MODEL is flawed.
FF is the best thing ever and will never be a problem, but I still love it. I have installed it on many of my friends' machines and been using it myself for several months, and NO ONE I know has been hit by spyware/adware/malware, even with most of those installs being straight out-of-the-box.
I appreciate the heads up on new exploits on this list but please tone down the anti-FF slant. Or at least reserve it for a time when it is actually needed.
The heads up is a very good warning to realize your true security risk. Knowing where you stand is a lot better than believing vendor X that you are safe and secure.
Lastly, it seems there's a lot of FF apologists around who would bash M$ in a second for such problems but are just as quick to go easy on their new buddy Mozilla.
