Author Topic: Serious Flash vulns menace tens of thousands websites  (Read 9802 times)


Offline bob3160

Re: Serious Flash vulns menace tens of thousands websites
« Reply #15 on: December 23, 2007, 12:26:50 AM »
Quote
2) Use one browser (say firefox) for normal browsing, use another (say IE) for sensitive stuff only.
  ??? ??? ???
Use the safer browser for the less sensitive browsing ???  How does that make you more secure ???

Offline polonus

Re: Serious Flash vulns menace tens of thousands websites
« Reply #16 on: December 23, 2007, 12:42:40 AM »
Hi bob3160,

Yes all these vulnerabilities, and with that Flash one this is the second serious flaw within some weeks, and it is far from being patched, means that there is something fundamentally wrong with the protocols we are using. This thing needs a complete overhaul. You and I know the way Internet was set up was never meant to escape the Academic world as it did. When it escaped this "bottle" all these things were meant to happen. Now it is just a matter of being patient and wait to a point where the situation has run out of hand that big time to a point of no return and the need is commonly felt to bring Internet2 in. That will mean strict authorization and making sure the abuse of to-day is not possible any longer. I predict it will come that way, how or via a two lane system, I do not know, but it is just around the corner,

polonus

Lusher

  • Guest
Re: Serious Flash vulns menace tens of thousands websites
« Reply #17 on: December 23, 2007, 08:50:28 AM »
Quote
2) Use one browser (say firefox) for normal browsing, use another (say IE) for sensitive stuff only.
  ??? ??? ???
Use the safer browser for the less sensitive browsing ???  How does that make you more secure ???

You can of course reverse it. The idea here is to separate the two types of sessions.

But here I'm following the advice of "Joanna Rutkowska", she of "blue pill" fame.

Here's what she wrote

"So, for example, I use IE to do all my sensitive browsing (e.g. online banking, blogger access, etc), while Firefox to do all the casual browsing, which includes morning press reading, google searching, etc. The reason I use Firefox for non-sensitive browsing doesn’t come from the fact that I think it’s more secure (or better written) then IE, but because I like using NoScript and there is no similar plugin for IE.."

http://theinvisiblethings.blogspot.com/

Of course she doesn't believe Firefox is more secure, but it kind of makes sense, even if you think firefox is more secure, you are going to spend most of your time doing casual surfing, going into god knows what sites, so perhaps it makes more sense to browse using the more secure browser? IE might be less secure, but if you are using it only to visit known safe sites, it doesn't matter if it is less secure, since you will not expose it to dangerous sites anyway.


As for the statement that firefox is more secure, see this.

Okay no doubt the firefox fanboys are going to kill me for this, but let me state for the record I'm not quite certain if firefox is more secure or not. (It *feels* more secure for me).. I'm just reporting facts. Okay?

And as always, according to you guys I'm just disagreeing for the sake of disagreeing, I have no real arguments etc etc

Offline FreewheelinFrank

Re: Serious Flash vulns menace tens of thousands websites
« Reply #18 on: December 23, 2007, 09:15:27 AM »
Quote
As for the statement that firefox is more secure, see  this.

You're linking to Jeff Jones' much ridiculed ( ::)) analysis.

http://blogs.zdnet.com/security/?p=703

Some objections to the analysis are: it's written by an MS employee, it compares a company which openly discloses all vulnerabilities to one which does not, and it totally ignores issues of in-the-wild exploits remaining unpatched for weeks in IE6.

Even George Ou limited himself to comparing IE7 and Firefox to avoid the ridicule of implying IE6 was more secure:

http://blogs.zdnet.com/Ou/?p=915&page=2

Lusher

  • Guest
Re: Serious Flash vulns menace tens of thousands websites
« Reply #19 on: December 23, 2007, 09:51:47 AM »
Quote
As for the statement that firefox is more secure, see  this.

You're linking to Jeff Jones' much ridiculed ( ::)) analysis.

http://blogs.zdnet.com/security/?p=703

Some objections to the analysis are: it's written by an MS employee,

Yes, I noticed that, but that's an ad hominem argument, you should lead with a stronger argument.

Quote
it compares a company which openly discloses all vulnerabilities to one which does not,

Firefox openly discloses all vulnerabilities? Only after they are patched.

Quote
and it totally ignores issues of in-the-wild exploits remaining unpatched for weeks in IE6.

This is the biggie. I agree.  For the average user, all this counting of vulnerabilities is not very important compared to what is actually targeted and response time (but is it me or did some AV company release some stats that show the opposite). IE could have only one vulnerability, and firefox a dozen, and it wouldn't matter as much to average users if the former is the one being targeted on a wide scale. And like it or not, Internet explorer is still the one that is being targeted because of its dominance.

But I think he  has a point in that the claim that firefox is inherently more secure than IE because it isn't integrated with windows doesn't hold up. Firefox might be faster in patching, it might be less targeted , but it doesn't seem to be any less bug free than IE. 

Disclosure, I use firefox and opera mostly.

Offline FreewheelinFrank

Re: Serious Flash vulns menace tens of thousands websites
« Reply #20 on: December 23, 2007, 11:15:23 AM »
You are taking the thread off-topic here, but I'll respond to a couple of points.

Quote
Yes, I noticed that, but that's an ad hominem argument, you should lead with a stronger argument.

In your previous post, you stated:

Quote
I'm just reporting facts. Okay?

I would contend that linking to that particular analysis is not 'reporting facts' but reporting facts as presented (and interpreted)  by one competitor in the browser market. Let's make that clear and leave readers to decide upon whether or not Jeff Jones has let loyalty to his company lead to massaging the figures to make IE look better than it really was.  ::)

Quote
Firefox openly discloses all vulnerabilities? Only after they are patched.

That is entirely the point: Mozilla doesn't do silent patches- all patches are documented after they are fixed, so  they can be counted. There is no way of knowing how many silent patches MS does- except by asking the hackers who try to find them so they can develop exploits.

I don't buy the 'IE could have one flaw and Firefox a dozen and IE would still be targeted more': if one browser has one readily exploitable flaw and doesn't patch it, and another has a dozen flaws which are never exploited or patched before they become public knowledge, then I'm pretty sure it's nothing to do with usage which one gets hacked.

That's all from me on browser security. As George Ou put it 'Firefox vs. Internet Explorer: No real security winner'. (If there had been a pro-MS argument to be made from the numbers, George would have made it!) IE7, Firefox and Opera have all patched security vulnerabilities, and assessing security by a simple count of numbers is a poor measure of security, even if you can know for sure how many vulnerabilities were patched.

Lusher

  • Guest
Re: Serious Flash vulns menace tens of thousands websites
« Reply #21 on: December 23, 2007, 11:46:00 AM »
You are taking the thread off-topic here, but I'll respond to a couple of points.

I think all of us share that responsibility for bringing it off topic....

Quote
In your previous post, you stated:

Quote
I'm just reporting facts. Okay?

I would contend that linking to that particular analysis is not 'reporting facts' but reporting facts as presented (and interpreted)  by one competitor in the browser market.

Well in the end all "facts" are interpreted and reported by *someone*. Only someone who lacks the ability to judge arguments and facts on their own merit would place great weight on who the speaker is, particularly since we are talking about verifiable facts.

For example, when I write something on castlecops wiki it is treated with great respect, compared to me saying the very same thing on a forum...

Quote
That is entirely the point: Mozilla doesn't do silent patches- all patches are documented after they are fixed, so  they can be counted. There is no way of knowing how many silent patches MS does- except by asking the hackers who try to find them so they can develop exploits.

Fair enough. Though I suspect there are certain selection effects involved with the reporting of vulnerabilities.

Quote
I don't buy the 'IE could have one flaw and Firefox a dozen and IE would still be targeted more': if one browser has one readily exploitable flaw and doesn't patch it, and another has a dozen flaws which are never exploited or patched before they become public knowledge, then I'm pretty sure it's nothing to do with usage which one gets hacked.

I'm not clear here if you are talking about vulnerabilities that are announced publicly or those that aren't.
Usually when people talk about vulnerabilities' time to patch they are talking about the former.

Quote
That's all from me on browser security. As George Ou put it 'Firefox vs. Internet Explorer: No real security winner'.

Strangely that is my current belief as well. They are roughly on par.

Quote
(If there had been a pro-MS argument to be made from the numbers, George would have made it!)

Sigh here we go again, making arguments based not on facts but on character assassination (someone who doesn't say Firefox is safer must be Pro-MS).... The problem with such arguments is that if you look hard enough you can find or imagine motivations for any speaker. Yes, even firefox supporters who might have reason to hate MS etc etc...

Me, I prefer just to avoid all this second guessing and just try to evaluate the arguments on their own merit..

galooma

  • Guest
Re: Serious Flash vulns menace tens of thousands websites
« Reply #22 on: December 23, 2007, 12:20:58 PM »
Correct me if I'm wrong, but wouldn't the majority of Flash content that might be compromised on a trusted site be more likely to be in the form of advertising space farmed out to less reputable people than the banks themselves?
If this were the case, then wouldn't ABP be of some advantage alongside NoScript in such a situation, cos I don't see the day when IE will ever include something along those lines.

Lusher

  • Guest
Re: Serious Flash vulns menace tens of thousands websites
« Reply #23 on: December 23, 2007, 12:43:02 PM »
Is there anything free along the lines of Adblock for IE? Is IE7pro freeware?

Offline FreewheelinFrank

Re: Serious Flash vulns menace tens of thousands websites
« Reply #24 on: December 23, 2007, 12:57:55 PM »
Quote
Sigh here we go again, making arguments based not on facts but on character assassination (someone who doesn't say Firefox is safer must be Pro-MS).... The problem with such arguments is that if you look hard enough you can find or imagine motivations for any speaker. Yes, even firefox supporters who might have reason to hate MS etc etc...

Believe it or not, I implied George Ou is biased because I find his writing prejudiced towards one particular side of any story involving a certain software company, not because he doesn't favour a product I like.

I've criticised him for an anti-Mac bias and I don't even own a Mac.  ;)

http://forum.avast.com/index.php?topic=19387.msg268571#msg268571

It is possible to question motivations without being an 'MS hater' or 'Firefox supporter'.

Cloussau,

I took "marketing graphics" to mean the banks' own graphics, and in a quick look at a few bank sites, they don't seem to carry third-party ads.

ABP does seem to block Flash "marketing graphics", so maybe it would foil this phis: