On 12/4/2016 6:48 AM, TCW wrote:
On Sun, 04 Dec 2016 03:29:14 -1000, Desiree <[email protected]>
wrote:
On 12/3/2016 3:30 AM, TCW wrote:
On Fri, 2 Dec 2016 15:30:53 -0700, NFN Smith <[email protected]>
wrote:
I'm watching discussions relating to the SVG exploit, and am a little
confused about what steps I should take.
I'm one of the users that has stayed with 2.40, and for the most part,
I'm content to wait until a new release comes through the normal update
channel, although I am concerned about the number of security fixes
accumulating, that have been applied to Firefox and Thunderbird.
Right now, the primary question is whether there will be an update
to 2.40 to address the SVG exploit, or if it's going to take moving to
one of the later builds, to get that.
I've seen ewong's notes about what's happening with 2.46, 2.47, etc.,
and I hope he's able to get a breakthrough soon. (Personally, I'm OK
with dropping both Chatzilla and DOM). But it appears that nothing is
going to be coming down the official pipeline for a while.
Assuming that, what are the options?
- Stay with 2.40, and hope that most of the risk can be offset by use of
NoScript, as suggested by Frank-Rainer Grahl? I already run NoScript, so
I'm used to how that behaves.
- Use one of Adrian Kalla's unofficial builds? If so, which build, and
what potential problems are there?
- Something else?
Our organization uses mostly Firefox and Thunderbird, as preferred
clients. (I'm actually one of only a couple that use Seamonkey). We have
a fairly aggressive policy stance about requiring our users to apply
security updates promptly. I know that the last time there was a break
in Seamonkey development, one of our admins was questioning me about
whether Seamonkey is still supported -- at that time, I was running the
most current version, but it was already behind Firefox development, and
the current gap between releases is even larger. For me, a temporary
move from Seamonkey to Firefox isn't a huge thing, but having to
relocate my mail to Thunderbird is more painful, as I still do nearly
everything through POP.
Smith
Use the Adrian Kalla build. Seriously, it doesn't look like EWong's
going to fix the problem he's facing any time soon. No sense running
insecure. Likely the only thing you'd need to worry about are some
add-ons not working but you can always check those before installing
for compatibility. And if not, you can use the add-on converter
(http://addonconverter.fotokraina.com) if there's a Firefox
equivalent. It's worked well for me with, for example, Privacy Badger.
I disagree. If one practices safe hex at all times there is no need to
be afraid. There are things worse than security issues. Fx 45.5.1 ESR
is unusable. I should never have upgraded even to Fx 45 ESR but it was
this last update that was the nail in the coffin. I recently upgraded
Pale Moon 25.8 to 26.0; it also has become unusable after the move from
gecko engine to goanna engine. I still use Thunderbird 24.7 and will
not upgrade. Of all my many browsers, the ONLY one that is completely
reliable for everything is the final version of the original Opera
(12.18). SeaMonkey 2.40 works well also so I will not upgrade it until
there is an OFFICIAL version available via internal push and I may not
upgrade even then because it may be the same disaster that Fx 45.5.1
ESR is currently. The last good Fx was version 43 and that is what
SeaMonkey 2.40 is based on.
This is tantamount to driving without insurance. Safe hex is about as
relevant as "if it ain't broke, don't fix it." Bad advice. Complex
software *always* has as yet undiscovered bugs and security problems
as we've just seen by the SVG bug that can pwn your machine by simply
visiting a site with certain JavaScript code. A bug that was thought
to have been fixed since 2013. No amount of safe hex, anti-malware,
anti-virus can protect you from a vulnerability no one knows about. We
live in a world where actors use these unknown exploits to snoop,
steal, spy or do other bad things. How much you want to bet in a few
years another JavaScript exploit based almost exactly on this code
will get 0-dayed? This same exploit code got changed slightly as
compared to the 2013 code and it *still* works! Security vendors
cannot keep up with the changes and no developer will find every
exploitable bug. I don't practice safe hex, I practice proactive
defense.
If you choose to use old versions because you like the way they work,
fine. Don't act surprised when your bank account is emptied.
Why do you assume I do banking on the internet? I don't think you or
anyone else in this thread has the slightest idea what "safe hex" means.
As for allowing any browser to update automatically, who in their right
mind would do that? Windows 10 users are the only ones that naive.
_______________________________________________
support-seamonkey mailing list
[email protected]
https://lists.mozilla.org/listinfo/support-seamonkey