  Firefox hit by multiple drive-by download flaws
Time: 20:08 EST/01:08 GMT | News Source: ZDNet | Posted By: Robert Stein

Mozilla’s flagship Firefox browser is vulnerable to at least 11 “critical” vulnerabilities that expose users to drive-by download attacks that require no user interaction beyond normal browsing. The open-source group shipped Firefox 3.5.4 with patches for the vulnerabilities, which range from code execution risk to the theft of information in the browser’s form history. One of the critical issues affects media libraries introduced in Firefox 3.5 when audio and video capabilities were added.

#1 By 16797 (65.93.148.236) at 10/28/2009 8:53:25 PM
Why can't Firefox run under "protected mode", just like IE8?

That would be win-win..

#2 By 15406 (99.240.77.173) at 10/28/2009 9:04:44 PM
I've never found a satisfactory answer as to why FF doesn't use protected mode. It could be for a number of reasons, anything from MS patents to maintaining cross-platform compliance, or even a basic incompatibility with FF and protected mode. I'm not a browser developer so I couldn't begin to think up probable reasons, and I've never found an explanation online.

#3 By 23275 (68.117.163.128) at 10/28/2009 9:27:56 PM
Securable Objects, http://msdn.microsoft.com/en-us/library/aa379557(VS.85).aspx
SendMessage Function, http://msdn.microsoft.com/en-us/library/ms644950(VS.85).aspx which is the technology behind the User Interface Privilege Isolation (UIPI) - a brokering agent.

Understanding and Working in Protected Mode Internet Explorer , http://msdn.microsoft.com/en-us/library/bb250462(VS.85).aspx

Microsoft has a recorded and longer than you'd think, history of inviting FF/Moz engineers to Redmond - specifically, as Vista was being developed and often since and for the purposes of freely offering up the technologies and documentation as listed above and to enable PM for FF.
The Microsoft Readiness Team has repeatedly invited them and hosted them and many others in an effort to set aside differences and simply work to make things better and safer for users of all software, http://www.itnews.com.au/Tools/Print.aspx?CIID=58714 http://notepad.patheticcockroach.com/75/the-firefox-development-team-returns-from-redmond/ http://blogs.msdn.com/peterlau/archive/2007/03/29/microsoft-technology-summit-2007-re-cap.aspx

I could go on and on with link after link and we could talk about the liberal extensions of free software provided to Moz by MS under the campus agreements, which support Moz ORG with no less support than has been provided to many other non, or not for profit organizations.

I think it is true that Microsoft has done some things in the past that were not good for the market and very harmful to some vendors. I do not think they set out like some evil empire to harm anyone and since having been checked on all that, I really do think they have worked to operate in a way that is better for all. I assess that FF/Moz need to set aside differences and take advantage of what Microsoft has to offer in this very important context (browser security) - just as Google did with Chrome (who stated clearly and often that Chrome has no special security secret and it only used what was available in Windows Vista and Windows 7).

In the interest of their users, FF/Moz needs to do the same and in the same interest, Microsoft needs to pull out all stops to help them.

Finally, as the tools above reflect, ANY developer may make use of securable objects and the UIPI. They are there for all.

This post was edited by lketchum on Wednesday, October 28, 2009 at 21:29.

#4 By 13997 (68.118.60.164) at 10/28/2009 11:51:30 PM
#1 There is none, obviously, see #3...

#3 The documents you pull up remind me of the old memos I used to have from the Win 3.0 timeframe, when Microsoft not only shared tons of information with Wordperfect and Lotus, but literally BEGGED them to make a Windows version, even offering free developer time to help write the software. Lotus and Wordperfect gave Microsoft the Finger, and two years later were suing MS because MS Word and Excel were killing them.

(Microsoft always has tried to play nice with others more than people realize, even Netscape was the target of lots of help and money to make the HTML engine for Windows long before IE.)

Anyway...

Even if the FF team didn't want to implement 'Protected Mode' in the same way IE does, with the same mechanisms, they could very easily do their own thing that maybe would be more cross platform.

Basically it is all about running at reduced security privileges with a simple mechanism/broker to allow the browser to do things like save bookmarks and write cache content.

It really is just that simple, and I would argue this is easier to do on the NT architecture with its object based security, but is still easily obtainable in some fashion on any OS that has restricted levels of security and any form of ACLs.


IE7 was brilliant about protected mode on Vista, and there is NO reason the industry didn't go, oh, that is a good idea, let's do that in addition to our security. I guess instead of making fun of Vista for two years, maybe some of these fools should have paid attention to what it did right.
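
The broker idea described in comment #4, as an added example that is not part of the original thread and is not IE's or Firefox's code: a broker running with normal user rights accepts requests from a low-privilege content process and performs only allowlisted writes confined to the profile directory. The operation names, request format and size limit are assumptions made for illustration, and the privilege reduction of the content process itself is assumed to be done by the OS.

```python
import json
import os
import tempfile

# Hypothetical operation names; each is confined to one profile subdirectory.
ALLOWED_OPS = {"save_bookmark": "bookmarks", "write_cache": "cache"}
MAX_PAYLOAD = 64 * 1024  # constructed size limit for this example


class BrokerDenied(Exception):
    """The broker refused a request from the low-privilege process."""


class Broker:
    """Runs with the user's normal rights and writes on behalf of the sandbox."""

    def __init__(self, profile_dir):
        self.profile_dir = os.path.realpath(profile_dir)
        for sub in ALLOWED_OPS.values():
            os.makedirs(os.path.join(self.profile_dir, sub), exist_ok=True)

    def _resolve(self, op, name):
        base = os.path.join(self.profile_dir, ALLOWED_OPS[op])
        # realpath collapses ".." and follows symlinks, so the containment
        # check below is made on the location that would really be written.
        target = os.path.realpath(os.path.join(base, name))
        if target == base or os.path.commonpath([base, target]) != base:
            raise BrokerDenied("path escapes the %s directory" % ALLOWED_OPS[op])
        return target

    def handle(self, raw_request):
        # Everything in raw_request is attacker-controlled once the content
        # process is compromised, so validate every field before acting.
        try:
            req = json.loads(raw_request)
            op, name, data = req["op"], req["name"], req["data"]
        except (ValueError, KeyError, TypeError):
            raise BrokerDenied("malformed request")
        if not all(isinstance(v, str) for v in (op, name, data)):
            raise BrokerDenied("malformed request")
        if op not in ALLOWED_OPS:
            raise BrokerDenied("operation not brokered")
        if "\x00" in name or len(data) > MAX_PAYLOAD:
            raise BrokerDenied("invalid name or oversized payload")
        target = self._resolve(op, name)
        with open(target, "w", encoding="utf-8") as fh:
            fh.write(data)
        return target


def demo():
    """Feed constructed requests to the broker and report each decision."""
    requests = [
        {"op": "save_bookmark", "name": "news.url", "data": "http://example.com/"},
        {"op": "write_cache", "name": "../../startup.bat", "data": "x"},
        {"op": "write_registry", "name": "Run", "data": "x"},
    ]
    results = []
    with tempfile.TemporaryDirectory() as profile:
        broker = Broker(profile)
        for req in requests:
            try:
                broker.handle(json.dumps(req))
                results.append("allowed")
            except BrokerDenied as exc:
                results.append("denied: %s" % exc)
    return results


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The containment check relies on the content process having no write access to the profile directory, which is the point of running it at reduced privilege.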

#5 By 23275 (68.117.163.128) at 10/29/2009 12:37:34 AM
#4, The exact same thing is going on again with Rich Internet Applications (RIA) and WPFe and Silverlight 3 development.

Microsoft is reaching out to developers and companies with free tools, help and development to help them move RIA's into the main stream and off the desktop and into the cloud services+software model (yes, I continue to intentionally invert services and software).

We are preparing to invest even more in moving our Sovereign enterprise suite out of the browser and WFC based client and into a RIA with new workflows and extend the already great visual clarity it has to entirely new ways of transforming data into visual information products from which one may make more effective decisions. We're not sure yet whether we'll embrace MS's direct support, but we are certain we'll be using the tools they provide - even as we compete with many of their products. We're convinced we can succeed against their best, but we're not so foolish as to think that we can do it without the tools and methods developed by them. To do that we've stuck firm to our belief that the technology really does not matter and that what people do with it matters most. This is no less true of the technologies people like us use to create and in this case, secure our customers' information.

#6 By 17855 (205.167.180.131) at 10/29/2009 7:34:30 AM
It's interesting that other organizations have tried to help Firefox as well. HP offers a "Firefox - HP Virtual Browser Edition". It was created by Symantec and crosses Firefox with SVS, a Virtual application layer. Interesting stuff, used it once and found it to be very cumbersome. IE8 in comparison feels light years ahead in usability.

http://www.symantec.com/virtualfirefox/welcome.jsp

#7 By 7711 (199.191.105.242) at 10/29/2009 7:42:50 AM
Not to start a flame war but....
whatever happened to the recommendation that everyone use FF instead of IE because FF is SOOOOOOOOOOOOO much more secure?

#8 By 23275 (68.117.163.128) at 10/29/2009 9:00:08 AM
#7, Oh yes.. headlines all around the world, and some of them were even accurate.

The scary part? All the holes that are in FF/Moz were there back then - just no one was looking, or those that were looking weren't reporting (like real bad people that were all too happy to see users move from IE to FF/Moz).

Interesting how, when the reality no longer matches up with their point of view, that you don't hear a peep out of them, much less read where they have retracted what they had reported earlier. Instead you'll hear things like this (placing today's Internet Explorer in the context of yesterday's headlines): "IE has a long and well known history of (fill in your own alarmist blank)...."

This is the sort of thing that does no one any service at all. The world has been like this for a good long while, and the difference is that today, rather than being in the tiny few, "reporters" that pull this kind of stuff number in the majority - about 90%. They are the same sort that have proven to be so subjective about any other matter.

#9 By 2960 (68.100.201.101) at 10/29/2009 10:24:29 AM
First, out of nearly 1000 virus/spyware infection calls I've had in the last 5 years, not a single one was due to FireFox. All were caught with IE.

And at least Mozilla is actively fixing them. These same issues STILL exist in IE to this day.

#10 By 2960 (68.100.201.101) at 10/29/2009 10:41:05 AM
BTW... I'm not trying to prance around FireFox here. It's just the way it is guys.

It's like those that say MacOS X is less secure than Windows. That may be true, but the reality is the infections just aren't there.

#11 By 15406 (216.191.227.68) at 10/29/2009 11:41:41 AM
#7: whatever happened to the recommendation that everyone use FF instead of IE because FF is SOOOOOOOOOOOOO much more secure?

It didn't go anywhere, jim. Objective security researchers and orgs still recommend FF over IE. Why do you ask? I mean, IE has had a million driveby download security bugs yet you still use it (I assume), so obviously such a thing is not important to you. Or are you making the argument that all browsers are equivalent from a security context if they have >0 reported bugs?


#8: Please. I knew you would be all over this thread. Strangely, I didn't hear a peep out of you two weeks ago when MS had their biggest Patch Tuesday ever, with a pantload of critical bugs in practically everything they make. While it is well-known and generally accepted that FF is safer and more secure than IE, some Microsoft supporters seem to make a habit of pointing out the odd FF flaw as if it somehow creates equivalence with IE. It doesn't, and it's a flawed argument to make -- one of the many logical fallacies that microbots routinely make. Nothing is perfect, but I'll take the browser that punches me in the arm once a year to the one that kicks me in the balls once a month.

#10: Shhhh! You'll spoil the kool-aid party!

#12 By 7711 (199.191.105.242) at 10/29/2009 1:01:36 PM
I use IE, FF and Safari (1st two on a PC, the other on a macbook)....been using computers on the internet for at least 10 years....never got a virus or any other kind of drive-by exploit...maybe it's the websites I go to? And maybe the drive-by infections are at least as much of the blame of the type of site visited (wink, wink, nudge, nudge, say no more...) as the browser?

#13 By 89249 (64.207.240.90) at 10/29/2009 2:05:53 PM
#9 TL I know this isn't the first time I've said that. Don't blame the browser for your users being too dumb to not run as admins. On top of that if you are responsible for these networks you should be lumped in with all of the other idiotic admins who still allow your users install rights on their machines. If a user chooses to install anything it's the user's fault not the software that offered them the option.

#14 By 15406 (216.191.227.68) at 10/29/2009 2:22:37 PM
#12: Why would you use two browsers? Unless you're a web dev that needs to test in all major browsers, having more than one seems counter-productive.

And maybe the drive-by infections are at least as much of the blame of the type of site visited (wink, wink, nudge, nudge, say no more...) as the browser?

Oh geez. That sounds like "She deserved to get raped because of what she wore" line... Perhaps you're unaware, but many mainstream websites have been hacked over the years and malicious code injected into their pages. Just last week it was Gizmodo. They were showing ads that had malicious javascript embedded in them. If hackers can infiltrate an ad network, tons of top sites are at risk and their users as well.

#13: I think you're putting too high of an expectation on the average user. When they don't see a problem with driving while eating, talking on their phone and applying makeup, you think they're going to wise up when it comes to PC security? Very wishful thinking indeed.

#15 By 89249 (64.207.240.90) at 10/29/2009 3:16:25 PM
So if while driving and eating, if a window popped up and stopped space time and verified you wanted to take such a risky activity ppl would just blissfully click ok? I'd take a RL UAC anyday of the week.

To be honest any and all users I've ever talked to instantly create a user called "install" on their machine with the "man of the house" being the only one with the password. Funny enough, and trust me I've talked with plenty who think this way, most admins think their users are too dumb (you think they're going to wise up when it comes to PC security?) to understand what you are explaining to them.

I'd say I help out at least 20 households with their computers personally. Every... Single... One... has that user setup. They all know why. They all have 0 infections. Funny enough let's equate this to the usual Firefox/IE debate from the FF side. "Users just haven't been enlightened to the advantages of using Firefox over IE. Every time I talk to someone about it they switch" Take that same patience and sense of responsibility as the neighborhood computer geek when it comes to computer use. I'm doing my part, are you?

Now when it comes to computers I have authority over... not a single person, not even me, operates as an admin no matter what the circumstance. I don't even use the "omg their software writes to crazy directories" excuse I hear so often. Spend an afternoon adjusting security for this horribly programmed software... Do it for each machine that has this horrible software. Save yourself days of downtime. I've converted at least 6-7 admins to do this and they went from spending all their time cleaning infections to actually improving the productivity of their businesses.

#16 By 23275 (172.16.10.31) at 10/29/2009 4:22:41 PM
#11, Latch, you cannot continue to assess and present modern versions of IE on Vista and Windows 7 in the context of IE 6 on Windows XP. It is time to move on and the old and more than tired mantra is dated, irrelevant and way out of any modern context.

Thomas Jefferson is studied as a person of history, because he helped found a nation - not because he may have had relations with a young woman. Christopher Columbus is studied and celebrated not because he may have done some things that are now viewed as being inappropriate, but because he came back - to the new world that up until that point, did not exist in the minds of those creating and maintaining records.

The same is now true of modern browsers and IE 7/8 on Vista and Windows 7 are not less secure, because IE 6 once was.

#17 By 241766 (216.191.227.68) at 10/30/2009 8:11:53 AM
#8: "All the holes that are in FF/Moz were there back then - just no one was looking, or those that were looking weren't reporting (like real bad people that were all too happy to see users move from IE to FF/Moz)."

A bold statement. Can you prove this assertion? Please provide links to any reputable source that proves that this is a true statement.

#18 By 15406 (216.191.227.68) at 10/30/2009 8:27:47 AM
#15: Truth is stranger than fiction. First I learn that Ketchum lives in a town where nobody has an iPod and everyone has a Zune, and now I learn that every computer user you know has an 'install' account and none of them run Windows with the default user account. Impressive. You're surrounded by people who use their computers differently than 99.999% of the general population.

#16: I keep bringing up IE's long & horrible track record because I believe it's hypocritical of MS supporters to carp on the security problems of other software when MS has been guilty of far worse for far longer. Glass houses, pots & kettles and all that, you know? I hadn't even mentioned IE until someone had to crow about this FF bug, and you piggybacked right along with them. Plus, I've been here jousting with you for many years now. Back then, you were still championing IE6 on XP. How times change. Now you're happy to admit IE6 was rubbish. I wish I could take you back in time and watch you argue with yourself.

#19 By 23275 (68.117.163.128) at 10/30/2009 9:44:41 AM
Latch, as Mr. Humpty does, and as I have recommended here countless times, and reported how I myself run, increasingly, people are running their Windows Vista and Windows 7 computers as non-admin approval mode standard users.

He uses an admin-approval-mode account called "Install"; I use "Machine Admin" - the results are the same. No user in my home may make any system change or install any software without the admin-approval-mode credentials.

Once more, so you cannot ignore it in this thread, on Windows Vista and Windows 7, ALL users are standard users. The ROOT level Admin account is disabled by default.

UAC opposite admin-approval-mode accounts allow authorized users to install software and change settings as appropriate for supported users, or themselves.

I have never asserted that any piece of software is "secure" - I have maintained that any computer can be operated "more securely" and those included Windows XP and IE 6 - when they were operated as restricted users (using "Run As" where appropriate). In this configuration, any version of Windows based upon NT could be made to run more securely.

Finally, is it/was it hypocritical of MS and people who build solutions based upon their software to have recognized in Jan 2000 that there was a growing issue around security and at that time begin the process of building the means to create more secure software?

Is it not clear to you that things like UAC were the result - and are there precisely to allow devs to continue to get things wrong, yet still provide protection to users - and your answer is to dump on guys like Mr. Humpty that are working to educate and support users in more effective ways? How are you serving your cause at all by doing that?
