Microsoftzilla

Davey Winder (happygeek) | Dec 21st, 2006, 7:15 am
A browser with vulnerabilities that could lead to arbitrary code execution and cross-site scripting attacks. An urgent automatic update to patch eight such vulnerabilities, five of which are rated as critical and the complete set as ‘highly critical’ by security exploits tracker Secunia. And even then missing a password management vulnerability that has been known about since November which can exploit a reverse cross-site request to expose logins. The browser security supremo spinning the whole episode as ‘definitely a good thing’ proving that the client is ‘more secure.’

You might be forgiven for thinking it is the same old same old from Microsoft.

However, this is Mozilla Firefox we are talking about.

The eight vulnerabilities concerned are:
  • MFSA 2006-76 XSS using outer window's Function object
  • MFSA 2006-75 RSS Feed-preview referrer leak
  • MFSA 2006-73 Mozilla SVG Processing Remote Code Execution
  • MFSA 2006-72 XSS by setting img.src to javascript: URI
  • MFSA 2006-71 LiveConnect crash finalizing JS objects
  • MFSA 2006-70 Privilege escalation using watch point
  • MFSA 2006-69 CSS cursor image buffer overflow (Windows only)
  • MFSA 2006-68 Crashes with evidence of memory corruption

Continuing in the Mozilla-becomes-Microsoft mode, it’s also interesting to note that it has confirmed the rumors that official support for Firefox 1.5 will be discontinued as from 24th April 2007, or six months after the release of Firefox 2. If you have been slow in upgrading, at least you will now get a much more secure client than those of us who fall into the early adopter category. The trouble is, as with Microsoft applications, there will be fewer and fewer of us as the ripple effect of these security scares is felt.

Once upon a time Mozilla had a reputation for being the most secure of developers, with clients that had been properly tested and were solid on release. Unfortunately, I no longer feel confident that this remains the case. Certainly I would advise my consultancy clients not to upgrade for 3 months to give Mozilla a chance to iron out the vulnerabilities and patch the client to an acceptably safe standard.

Perhaps inevitably, methinks the Firefox fairytale does not have a happy ending...
Mushy-pea | Dec 21st, 2006
Yes, quite worrying for sure. My advice to those wanting a decent browser is: dump IE and Firefox and use Opera. Don't tend to hear much talk about security holes in that do you?
 
jwenting | Dec 21st, 2006
They may have had the reputation, but that reputation was never backed up by facts.

As to Opera, as with Mozilla in the past you hear little about it because so few people use it.
As a result few exploits are ever attempted against it and thus it doesn't make headlines.
They don't AFAIK publish any data on holes they discover themselves, so that can't be used as a criterion either.
 
MattEvans | Dec 21st, 2006
I never saw Firefox as 'secure', just different. The more popular something is, the less secure it is, and if it can be made, it can be compromised.

If you want extreme security, disable all cookies, disable all Javascript, stay out of forums and places where 'members' can post images and links, set a spam filter to redirect ALL mail to trash, and then tie both your arms behind your back.
 
jwenting | Dec 21st, 2006
Nope. Turn off your computer, unplug all cables, and weld the case shut.
 
happygeek | Dec 21st, 2006
Don't forget to bolt the front door and brick up the windows.
 
jwenting | Dec 21st, 2006
Hmm, could be overkill. Easier to encase the thing in a block of steel-reinforced concrete with a meter's worth of concrete on all sides, lock that in a watertight steel chamber with walls 20cm thick, and sink the thing into an ocean trench.
 
MattEvans | Dec 21st, 2006
Is that the house or the computer? O_O

But seriously... the only time my computer's ever been 'compromised' is where I've been in unsanitary places: the only viruses I've ever got have been from P2Ps and crack downloads. I dunno who's watching me, and I'm not really that bothered. I'm poor and generally law-abiding.

I think a lot of the security hype is to sell third-party firewalls and scanners and detectors.

The problem with anything third party is just that. It's effectively acting on the same level as a virus would; I would welcome Microsoft integrating fast, good security at a very low level in Windows (even a 'real' administrator/user privilege setup would be nice). Any "secure" browser or protective measure on Windows is like putting a deadlocked steel door on a cardboard box...
 
jwenting | Dec 21st, 2006
Not really. Any OS has holes which can be exploited if you know how and care to.
Singling out Windows is not only unfair, it's dangerous as people start to think that the very act of installing something else will suddenly give them a completely secure system.

Any security though starts at the front door. If you install a decent firewall you keep most of the crap out the door (attacks trying to find open ports for example) and prevent most of the rest from dialing out if it does get in.

Instead of your analogy of a deadlocked door on a cardboard box, a better analogy would be that NOT having your system secured by firewalls and AV software is like having a jewelry store and leaving the doors and windows wide open when you leave at night, and refusing to invest in alarm systems and guards because you believe in the general goodness of people and don't think anyone will ever steal from you.
 
MattEvans | Dec 21st, 2006
Hmm... well, my PC is definitely more reminiscent of a cardboard box than a jewelry store.

If I worked on top-secret technology, if I were a hacker myself, or if I were talking about corporate computer systems, my views wouldn't be the same.

But, as I use my personal computers for developing open-source software, listening to music, and chatting on forums, and I DO believe in the general goodness of people... I'm not all that concerned.

The average home user has security software shoved down their throat when buying a new PC... it has its place, for sure; but bullet-proof software is less important than making the right decisions in how you use it.

Windows home versions are pretty terrible in that any user has pretty much got permission to access and modify everything on the system. It doesn't matter if a browser object escapes its confines if it can't do anything.

No browser can protect against certain cross-site attacks, and it's not the responsibility of browser vendors.

I think in general, Firefox is more secure than most. I feel 'safer' using Firefox than IE for sure. But then, I feel safer using Linux than Windows, and even safer just using a Gameboy instead.
©2003 - 2009 DaniWeb® LLC