The Active Network
  Microsoft's Peter Torr Attacks Mozilla Firefox Security
Time: 09:47 EST/14:47 GMT | News Source: E-Mail | Posted By: Brian Kvalheim

A Microsoft Program Manager by the name of Peter Torr has posted a weblog entry about potential security problems in Mozilla Firefox. Specifically, he singles out the fact that neither the Firefox installer nor most of the available extensions are digitally signed. By contrast, he notes, Microsoft Internet Explorer 6 Service Pack 2 will not install unsigned ActiveX controls by default. While many will immediately cry "FUD!", he's actually right. Though the signing infrastructure exists, the lack of code signing in the vast majority of Firefox extensions has led to an environment in which many users simply install extensions without really knowing whether they can trust the people behind them.
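As an added illustration of the point above (example code written for this page, not from Peter Torr's blog or from Mozilla), the checker below inspects a Firefox XPI package for the JAR-style signature entries (META-INF/manifest.mf, zigbert.sf, zigbert.rsa) that Mozilla's signing tool produces and verifies the manifest's SHA1 digests against the packaged files. The sample packages are constructed in memory with placeholder signature blobs; the PKCS#7 signature itself is assumed to be checked by a separate step and is not verified here.

```python
import base64
import hashlib
import io
import zipfile

# Signed XPIs follow the JAR convention: META-INF/manifest.mf lists a
# SHA1-Digest per file, zigbert.sf signs the manifest and zigbert.rsa holds
# the PKCS#7 signature. Only the digest layer is verified in this example.
SIG_FILES = ("META-INF/zigbert.rsa", "META-INF/zigbert.sf")


def parse_manifest(text):
    """Return {path: base64 SHA-1 digest} from a JAR-style manifest."""
    entries, name = {}, None
    for line in text.splitlines():
        if line.startswith("Name: "):
            name = line[len("Name: "):]
        elif line.startswith("SHA1-Digest: ") and name:
            entries[name] = line[len("SHA1-Digest: "):]
    return entries


def check_xpi(data):
    """Classify an XPI as 'unsigned', 'tampered' or 'manifest-ok'."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        if "META-INF/manifest.mf" not in names or not all(s in names for s in SIG_FILES):
            return "unsigned"  # nothing to verify: the user is trusting a bare download
        expected = parse_manifest(z.read("META-INF/manifest.mf").decode())
        for path in names:
            if path.startswith("META-INF/"):
                continue
            actual = base64.b64encode(hashlib.sha1(z.read(path)).digest()).decode()
            if expected.get(path) != actual:
                return "tampered"  # file missing from manifest or digest mismatch
        return "manifest-ok"


def build_xpi(files, sign=True, tamper=False):
    """Construct a toy XPI in memory (test fixture, not a real extension)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        lines = ["Manifest-Version: 1.0", ""]
        for path, content in files.items():
            digest = base64.b64encode(hashlib.sha1(content).digest()).decode()
            lines += [f"Name: {path}", f"SHA1-Digest: {digest}", ""]
            if tamper:
                content += b"# modified after signing"
            z.writestr(path, content)
        if sign:
            z.writestr("META-INF/manifest.mf", "\n".join(lines))
            z.writestr("META-INF/zigbert.sf", "Signature-Version: 1.0\n")  # placeholder
            z.writestr("META-INF/zigbert.rsa", b"\x00")  # placeholder PKCS#7 blob
    return buf.getvalue()
```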

#1 By 13030 (198.22.121.120) at 12/22/2004 10:26:24 AM
FUD!

#2 By 37 (67.37.29.142) at 12/22/2004 10:47:13 AM
"#1 By ch (108 Posts) at 12/22/2004 10:26:24 AM
FUD! "

But factual.

#3 By 3653 (63.162.177.143) at 12/22/2004 11:00:25 AM
Care to be more specific ch? Or did you even bother to read the analysis?

#4 By 7797 (63.76.44.6) at 12/22/2004 11:01:37 AM
He makes some valid points. I hope Firefox developers will use the criticism to improve the product.

This post was edited by tgnb on Wednesday, December 22, 2004 at 11:02.

#5 By 8556 (12.217.173.227) at 12/22/2004 11:43:58 AM
It is very thoughtful of Microsoft to assist its competitors by telling them what needs to be improved.

#6 By 415 (199.8.64.95) at 12/22/2004 11:59:52 AM
yeah, bobsirena, that's what I was thinking. Careful who or what you criticize because it may backfire on you.

We all know IE is better from a technical point of view, but Microsoft needs to be focusing on what the average Joe is looking for out of a browser. Frankly they couldn't give a rat's ass about code signing.

#7 By 7797 (63.76.44.6) at 12/22/2004 12:16:12 PM
"We all know IE is better from a technical point of view"

Do we?

#8 By 37 (67.37.29.142) at 12/22/2004 12:40:54 PM
I noticed a large number of posts disagreed with him once his blog hit the web and google on this.

#9 By 13030 (198.22.121.120) at 12/22/2004 2:27:41 PM
#2: But factual.

Factual? FUD much better describes what he said since the point is not to establish facts across the board, but to demonstrate how only the latest Windows XP version of IE (my emphasis is critical since MS apologists downplay non-XP use) finally corrects a huge problem for a minority portion of the entire established Windows install base. Classic MS tactic of diverting attention by down-playing their weakness while over-inflating their competition's weakness. FUD.

#3: Or did you even bother to read the analysis?

Typed in the nerdiest of voices, I'm sure. Yes, I read the analysis and many of the responses.

#5, #6: very thoughtful of Microsoft to assist its competitors

Further proof of my FUD designation. Why would MS offer free product improvement advice? Looks like a very poorly disguised back-handed suggestion to me.

#6: Frankly they [average Joe] couldn't give a rat's ass about code signing.

So true.

#10 By 37 (67.37.29.142) at 12/22/2004 2:46:05 PM
No, factual ch. He has provided facts. Facts that I can reproduce with my version of FF.

#11 By 37 (67.37.29.142) at 12/22/2004 3:57:13 PM
"I don't think so."

Well, you should try it. I know so.

"Perhaps SP2 introduces features to deal with this, but Microsoft's browser definitely isn't improved as far as running unauthorized code"

It sure is improved...in leaps and bounds, and exceeds Firefox.

"this is probably its worst flaw that has led to many spyware installations over the years."

Correct, in IE6 SP1 and older. Not the latest version though.

"Perhaps MS is realizing this now and trying to clean up their image, acting like they had this in mind all along?"

I don't think they act like they had this in mind all along. In fact they have never said that. IN FACT they have said just the opposite. They said they need to focus on SECURITY finally after all these years. SP2 was ALL about security and stability, not about adding useless features. They even promote their "Security Initiative". They already know that Windows ME/98 and older are inherently insecure and are no longer supporting them or offering improved security features for them. That would just be a bandaid on top of those old 9x kernels. Windows 2000 and more so Windows 2003/XP were designed with security in mind, and now the addition of IE 6 SP2 focuses even more on security. The two main components IE and OE both have been secured by default and the Windows OS is now preventing you from executing files in error that could be harmful.

The anti-MS/OSS zealots cry about the security of MS apps. Microsoft reacts, then they do something about them. Then when they release an excellent security update that is downloaded at the rate of 10 million a month (and installed by default on all new OEM systems) and still get attacked because "they waited too long" or "it wasn't secure until SP2" BS, they turn around and attack the attackers, and the zealots still go up in arms.

No matter what you say Hal, Peter provided facts in his blog which can be reproduced, and are admittedly flaws even noted by the mozilla.org page!

"And whose every solution involves Microsoft on some level approving what can/can't run on the PC"

More people trust MS for the decisions made for an OS designed by MS than probably anyone else.

#12 By 37 (24.183.41.60) at 12/22/2004 7:55:58 PM
Sorry Hal, but if you indeed look at the Help > About in IE, SP2 is listed as the version of IE 6.

#13 By 37 (24.183.41.60) at 12/22/2004 8:49:17 PM
I assumed you were aware that IE 6 SP2 was only available with Windows XP and it is included with the Windows XP SP2 download?

#14 By 37 (24.183.41.60) at 12/22/2004 9:17:43 PM
Microsoft is still releasing security updates for IE6. However, if you change the security settings in Windows 2000 you will be able to avoid malware/spyware just by enabling the highest security level, disabling ActiveX or going with a custom security level.

#15 By 37 (24.183.41.60) at 12/22/2004 9:35:30 PM
And I do that on Microsoft Windows using 1st party software for my actual browsing on an MS OS where I don't worry about these problems either. So what was your point?

#16 By 12071 (203.185.215.149) at 12/22/2004 11:05:28 PM
You should have linked directly to the MS Blog: http://blogs.msdn.com/ptorr/archive/2004/12/20/327511.aspx

Where the general consensus seems to be: some valid points, pity about focusing so much on digital signatures, which are not the be-all and end-all of security. After all, how much software that you can currently download is digitally signed? Less than 1%? And how does a digital signature protect the end user any better than SHA-1? The end user doesn't understand much, if anything, about either. What happens when all the adware, spamware etc. companies start digitally signing their crap? Isn't trusting a digital signature leading users into a false sense of security? "Oooh! This BonziBuddy application is signed... must be ok for me to run!"

#17 By 23275 (68.17.42.38) at 12/22/2004 11:42:02 PM
Why oh why oh why.... do you OSS fans continue to mis-represent ActiveX?

It is a COM Client. It is not the only one and many other forms exist and are in use by other browsers and operating systems. ActiveX has better development tools, and was designed to support authentication and signing.

Other COM Clients are often used and frankly are most often used over ActiveX. CORBA, Java RMI, DCOM, Flash Remoting - they all are used to cause remote code execution.

"Dear Santa, please make them stop with this BS." You think FF has no vulnerabilities? You had better think again and real hard.

I could just gag reading this stuff. FF is Moz Org's newest. XP SP2 is MS's. MS's new APIs for both firewalls and AV/Anti-Malware simply rock and so does IE's new means of "handling" COM Clients, including ActiveX. Just stop it already and address the science. FF, as much admiration as its developers rightly deserve, is nowhere near what IE in XP SP2 is.

And Hal, "Upgrade" your OS to XP SP2. Run the system as a restricted user and then make your comparisons - newest version against newest version...

BTW, there are those that could tank FF any time they wish to.

And one last clue....Buy <pay for> your software - all of it. It fuels companies and good secure code. It drives innovation. Better still, build some worthy of commercial viability.

The guys in Redmond have to just weep reading such bunk all the time - at least they care about getting it done right, rather than just being right.

#18 By 23275 (68.17.42.38) at 12/23/2004 10:15:59 AM
Hal, "you" in my post made use of the transparent English accusative case – I should have stated “one” should pay for all software. Send me an address via my email and I'll FedEx a boxed retail copy to you in time for Christmas - Merry Christmas to all, by the way!

Not running anything absolutely not needed on a server is wise - especially in the case of a *nix, and "one" would be wise to use the most restrictive station to station to host firewall policies [ACLS] possible. It'll be owned otherwise. I'll tell you this though, we embrace dozens of very penetrating audits each year by security teams from the major card issuers and retailers. It is rough and their requirements are very costly to address favorably. What many people do not consider is that most companies using OSS - the most likely to get all gooey over FF, also run compilers on their production systems - that is just insane - because most also run SSH - the holes in SSH allow for very easy escalation of rights in so many cases that it is truly scary. The same kind of thinking treats FF as the second coming and that is even worse. Now, people do read these things...cringe, weep and occasionally, laugh about it, but the truth is, it isn't out of pride - it is out of concern. How can so many people believe or be influenced by pure bunk.

It's ok to be hopeful and admire the developers of FF - they deserve it and a relatively small group of people do some amazing things - but to make such comparisons while ignoring the underlying science is just wrong. Individually, it's fine, but to share that in an article as though it were fact is just not right. People are confused enough.

By contrast, W2K3 server's browser comes locked down tight as a tick.
