Author Topic: FF still vulnerable!  (Read 6173 times)

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 34051
  • malware fighter
FF still vulnerable!
« on: July 04, 2006, 05:27:25 PM »
Hi malware fighters,

The users of Firefox latest version 1.5.0.4 are still vulnerable to some form of "file stealing by changing input type variant-exploit", so to be protected against this exploit, have NoScript add-on activated until this exploit has been patched.
This exploit has been patched in previous versions, but a new variant has been demonstrated to work. Your whole computer lies open to attackers, and there is an upload version of the attack too. Use of in-browser protection is inevitable, says,

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline SpeedyPC

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3398
  • Avast shall conquer the whole world
Re: FF still vulnerable!
« Reply #1 on: July 05, 2006, 06:26:36 AM »
Yep, nasty people out there in the real world know how to break down Firefox, just the same way they did to MS IE.

It's just a matter of time to make the Firefox web browser weaker and weaker and weaker until the new patch fixes come.

Maybe someone might start using Opera... I have no problems with Opera v8.54, and there were some minor bug problems with the final version of Opera 9.0 when it came out.

So I believe I am reasonably safe with Opera... poor Firefox might end up like MS IE nightmare.

SpeedyPC
« Last Edit: July 05, 2006, 06:28:13 AM by SpeedyPC »
Gigabyte 670 LGA1200 Full ATX MB | Intel Core i9-13900 CPU/LGA 1700 | GeForce Nvidia RTX-4070/12GB | 32GB DDR4 | 2 x 1TB Samsung SSD | W11 Home 64bit | Avast Premium v24.3.6108 | Avast SecureLine VPN | Avast Secure Browser | Avast Driver Updater | Avast BreachGuard | Firefox 64bit | MalwareBytes Premium | Adguard Premium | CCleaner Portable | Macrium Reflect | 7-Zip

Offline bob3160

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 48820
  • 64 Years of Happiness
    • bob3160 Protecting Yourself, Your Computer and, Your Identity
Re: FF still vulnerable!
« Reply #2 on: July 05, 2006, 01:56:43 PM »
Quote
poor Firefox might end up like MS IE nightmare.
IE7 and safe browsing habits work well for me.  :)
Free Security Seminar: https://bit.ly/bobg2023  -  Important: http://www.organdonor.gov/ -- My Web Site: http://bob3160.strikingly.com/ - Win 11 Pro v24H2 64bit, 32 Gig Ram, 1TB SSD, Avast Free 24.4.6112, How to Successfully Install Avast http://goo.gl/VLXdeRepair & Clean Install https://goo.gl/t7aJGq -- My Online Activity https://bit.ly/BobGInternet

cclkfc

  • Guest
Re: FF still vulnerable!
« Reply #3 on: July 06, 2006, 12:57:43 AM »
Quote
poor Firefox might end up like MS IE nightmare.
IE7 and safe browsing habits work well for me.  :)

I use IE6 and it works fine as well.

Offline .: Mac :.

  • Avast Überevangelist
  • Ultra Poster
  • *****
  • Posts: 5087
Re: FF still vulnerable!
« Reply #4 on: July 06, 2006, 01:49:04 AM »
If you are going to use IE, update to version 7 like Bob (you can learn a lot from him). There are lots of security fixes included in the new version.
"People who are really serious about software should make their own hardware." - Alan Kay

cclkfc

  • Guest
Re: FF still vulnerable!
« Reply #5 on: July 06, 2006, 01:50:24 AM »
I'll give it a try, thanks.

cclkfc

  • Guest
Re: FF still vulnerable!
« Reply #6 on: July 06, 2006, 05:53:37 AM »
I just installed IE 7 and it's awful. It crashed Windows three times. So I uninstalled it and I guess I'm sticking with IE 6.

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89667
  • No support PMs thanks
Re: FF still vulnerable!
« Reply #7 on: July 06, 2006, 02:44:22 PM »
No one is ever stuck with IE6; it is a choice. Personally I suggest Firefox even with this alleged vulnerability (which, if correct, will be fixed, hopefully as quickly as previous ones); it is still more secure than IE6 and has far fewer and less serious unpatched security issues.

IE6 http://secunia.com/product/11/
Firefox http://secunia.com/product/4227/

You could also try Opera, which is also more secure than IE6, as both it and Firefox don't have ActiveX or BHOs and aren't integrated into the operating system.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD - 27" external monitor 1440p 2560x1440 resolution - avast! free  24.9.6130 (build 24.9.9452.762) UI 1.0.818/ Firefox, uBlock Origin Lite, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline bob3160

Re: FF still vulnerable!
« Reply #8 on: July 06, 2006, 02:56:16 PM »
Quote
I just installed IE 7 and it's awful.
You're entitled to your opinion.
There are however many who would disagree with you.
It is definitely more secure than IE6, which, like Swiss cheese, has many, many holes.... ;D

Offline polonus

Re: FF still vulnerable!
« Reply #9 on: July 06, 2006, 08:48:58 PM »
Hi bob3160,

The dangerous bit of these browser vulnerabilities (because there are many variations on a theme for the Mozarts of Malware) is that these "still unpatched" vulnerabilities can be put into action with just a browser and ten fingers.
The majority of the vulnerabilities are considered critical, which Mozilla defines as vulnerabilities that "can be used to run attacker code and install software, requiring no user interaction beyond normal browsing."

Mozilla's update addresses the following problems:

Critical-Risk Vulnerabilities

    * Security check of js_ValueToFunctionObject() can be circumvented
    * Privilege escalation through Print Preview
    * Privilege escalation using crypto.generateCRMFRequest
    * CSS Letter-Spacing Heap Overflow Vulnerability
    * Crashes with evidence of memory corruption (rv:1.8.0.2)
    * Accessing XBL compilation scope via valueOf.call()
    * Privilege escalation using a JavaScript function's cloned parent
    * Mozilla Firefox Tag Order Vulnerability
    * Privilege escalation via XBL.method.eval
    * Crashes with evidence of memory corruption (rv:1.8)
    * JavaScript garbage-collection hazard audit

But Privilege Escalation using add selection listener, File stealing by changing input (the one I went on about), HTTP response smuggling and a few others are still there.

Keep scripts at bay, and you browse more securely!


polonus

dk70

  • Guest
Re: FF still vulnerable!
« Reply #10 on: July 07, 2006, 03:00:43 AM »
Is your list not very outdated? http://www.mozilla.org/projects/security/known-vulnerabilities.html#Firefox notice "Fixed"!

Good thing to give some sources to these warnings. Every new version of every browser will have security fixes, so nothing new. Also not new that most of them have little to do with normal use - technical if and if... All this is documented, at least if browser is Firefox. I've not seen any sign that it makes sense to hide under a tree or change browser because of "risks". Define and make them relevant to everyday use, then we see. Rarely you will find reason to go red alert, but of course be suspicious the day you see no security fixes - will likely never happen.

At Secunia try check XP, go ABC instead of BCA or just unplug computer ;) A little safe computing renders most of these flaws and bugs just something to live with. IE6 engine based browsing and XP can be a good match despite what Secunia lists. Even with IE6 you still have a lot of if and if.

About Firefox, I'm interested in seeing some real life experiences from Firefox "malware". From browsing Mozillazine forums it seems to pop up now and again but usually a misunderstanding on user side - still seems like a theory that the more popular it gets the more haunted it will be. I mean in real world, not in testing lab where if and if are being "fixed". So NoScript and similar "disable all you can" type of "protection" I don't see much use of. More of a "feeling" than a need, I think.

Offline polonus

Re: FF still vulnerable!
« Reply #11 on: July 07, 2006, 08:06:20 AM »
Hi dk70,

The list is about this. It is outdated all right, just for reference, and the first mentioned in the list are all long fixed, but some in the current version of FF are still critical and still far from fixed, and that is what I refer to.
What I am on about is not the flaw that every browser has, that is inevitable; my worry is about inherent flaws that come with that particular build, because the browser was coded that way. The holes that come because the browser was designed that way, and are almost impossible to remove.
If you don't want to know about these things, you can go about it like M$ and call a critical bug a "feature", and hope for security through obscurity. Nobody needs those kinds of features, because it can turn a person with a browser and ten fingers into a very dangerous entity.

polonus

dk70

  • Guest
Re: FF still vulnerable!
« Reply #12 on: July 10, 2006, 06:05:22 AM »
Yes, but such worldwide disasters you don't get thanks to lack of security in Firefox. You know Firefox project would be over and out in a flash should they not be very much aware of these things - like keeping Secunia at "less critical" level, if they insist... High risk would mean fast release of patch and whole process would be documented on Bugzilla, Mozillazine etc. Firefox will get even more sensitive to bad reporting when IE7 gets popular. The (very) old reasoning for avoiding IE at all cost is fading or on a level where Linux is only secure computing and XP asking for trouble. Some take it seriously, most shake head.

The "need" for protection like antiphishing is not crappy browser coding but bad pilots ;) Some still install more or less obviously spyware infected software etc. I think those, for the most part, very theoretical browser bugs (which you know will be fixed with Firefox) are minor problems in comparison. What matters with those unavoidable problems is how they are approached and I can't see Firefox project has failed yet. Would you rather they closed door and didn't allow anyone to peek? You get problems delivered on a plate and so the "security" issue seems like a disaster - have you not noticed the many web articles about Firefox problems just after every new release? Also major sites follow that trend. Lazy authors and copycats can spin a story easy and subject is always popular ;)

If you want to follow remaining flaws in 1.5.0.4 look them up at Bugzilla but best to just use 2.0B1. If flaw/bug is insignificant/low priority it might not get to 1.5x series ever. Tons of more relevant browser bugs are already for 2.0 only. 2.0 and whatever is next will continue to have a critical now and again but nothing to do. Change to IE or Opera if you feel at risk with Firefox. Document and make "flaw" relevant to real life first though. I don't know current Opera or IE situation but will bet you can dig up some unsecure potential there as well. Still only a browser...