For FireFox Fans
-
Security Advisory Gary Dilbert's Words of Wisdom: Am I getting smart with you? How would you know?
It's not as bad as it seems. If you disallow some of JavaScript's annoying features, then the spoofing attempt gets quite obvious: Click on the button labelled "Advanced..." in the "web features" setup dialogue and remove checkmarks from all but the last checkboxes (which ought to be named "modify graphics" or something similar). This sensible setting ought to be the standard. Thus even this vulnerability shrinks in comparison to any of IE's vulnerabilities. BTW: Did you know that due to an advanced compression algorithm Microsoft successfully implemented more than one security hole per byte of IE's compiled binary code?
-
I think you're trying to downplay a very serious security hole. Did you know Mozilla developers have known about this for about 5 years? They even classified it as a "confidential" bug for about 4 years (security through obscurity?). It's a nice distraction to say this vulnerability pales in comparison with some IE bugs, which, as true as that is, it's nothing more than a red herring to point out the poor security history of IE when bugs like these are found in FireFox. It's only a matter of time, IMO, before more bugs like these are found in FireFox as its user base grows and becomes the target of more attacks. Hopefully the future security holes found in Firefox will get a better response than "oh it doesn't matter because IE is way worse". #include "witty_sig.h"
-
You did read what I wrote? The complete posting? The security hole that Firefox has can be actively disabled with five mouse clicks. Then sites attempting to use the security hole display two simultaneous status bars, which ought to tell the user that there's something strange happening. Using some more advanced about:config settings, you can even disallow programmatic removal of the menu and tool bars, thus rendering attempts to "recreate" them using the security hole quite laughable. No, the flaw is that
- these settings are not default settings
- the advanced about:config settings are not represented in the user interface of the configurations dialogue.
This is a flaw, but a flaw that diminishes with Microsoft's attempts. Using IE, is it possible to disallow JScript content to manipulate/disable the status bar? When comparing security flaws, we'd have to compare their respective severity. The spoofing problem can be solved by about five mouseclicks by even a standard user; the same problem on IE - can be solved by Microsoft's developers only. I'd say that that is a difference.
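As an added example (not part of the original post, and not Mozilla's code): a small script that audits the text of a profile's prefs.js/user.js for the settings this post describes. The pref names are assumptions, since the thread does not name them; they are the legacy Firefox prefs for the "Advanced..." JavaScript checkboxes and for keeping window.open() from dropping the menu, tool and location bars. The sample profile is constructed.

```javascript
// Added example: audit Firefox profile prefs for window-chrome hardening.
// Pref names are assumptions (legacy Firefox prefs, not given in the thread).
const HARDENED = {
  // Backing prefs of the "Advanced..." JavaScript checkboxes
  "dom.disable_window_move_resize": true,          // move or resize windows
  "dom.disable_window_flip": true,                 // raise or lower windows
  "dom.disable_window_status_change": true,        // change status bar text
  "dom.disable_window_open_feature.status": true,  // hide the status bar
  // about:config only: window.open() may not remove these bars
  "dom.disable_window_open_feature.menubar": true,
  "dom.disable_window_open_feature.toolbar": true,
  "dom.disable_window_open_feature.location": true,
};

// Parse user_pref("name", value); lines. Commented-out lines are ignored,
// and a later line overrides an earlier one, as in a real profile.
function parsePrefs(text) {
  const prefs = {};
  const re = /^\s*user_pref\(\s*"([^"]+)"\s*,\s*(true|false|-?\d+|"[^"]*")\s*\)\s*;/gm;
  let m;
  while ((m = re.exec(text)) !== null) {
    prefs[m[1]] = JSON.parse(m[2]);
  }
  return prefs;
}

// Return one finding per hardening pref that is missing or set the wrong way.
function auditPrefs(text) {
  const prefs = parsePrefs(text);
  const findings = [];
  for (const [name, want] of Object.entries(HARDENED)) {
    if (!(name in prefs)) {
      findings.push({ name, issue: "unset (default applies)" });
    } else if (prefs[name] !== want) {
      findings.push({ name, issue: `set to ${prefs[name]}` });
    }
  }
  return findings;
}

// Constructed sample profile: checkboxes partly changed, one pref commented out.
const SAMPLE = `
user_pref("dom.disable_window_status_change", true);
user_pref("dom.disable_window_open_feature.status", true);
user_pref("dom.disable_window_move_resize", false);
// user_pref("dom.disable_window_open_feature.menubar", true);
user_pref("dom.disable_window_open_feature.toolbar", true);
`;

console.log(auditPrefs(SAMPLE));
```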
-
Why should you be comparing security flaws at all? When there is a security hole in your app it doesn't matter if there is an application with more flaws, there is still a hole in your application! James
-
Well, this is not _my_ app but an app I have to use. Since apparently _every*_ internet browser available has security holes, I have to choose one with less severe security holes. Because of that it is _necessary_ to compare flaws. And yes, I'm happy using the _more secure_ product. When installing a front door lock, I'll also choose the one which is more secure. *) didn't check lynx for a while.
-
You are right, which is why I am using FireFox 0.9.1 to type this as we speak. However, that doesn't take away from the fact this is a serious security hole that needs to be addressed by the developers. Judah Himango
-
"The security hole that Firefox has can be actively disabled with five mouse clicks."
Yes, and many of the holes in IE can be fixed simply by disabling Java applets, JavaScript, or ActiveX controls. The point I'm giving is that this is a real security problem and ought not be addressed by pointing out IE's flaws. I agree that FireFox is a more secure browser; it's not targeted (yet) by hackers and malicious code writers, and it doesn't support ActiveX, blocks pop ups, prevents users from running exe downloads, etc. which is why I'm typing this in FireFox 0.9.1 as we speak. But the point remains this is a security flaw and needs to be addressed.
"Using IE, is it possible to disallow JScript content to manipulate/disable the status bar?"
This 'pretend browser' exploit has been disabled since IE 6.01, in which pages aren't allowed to launch fullscreen without title, tool, and status bars. This exploit is actually making heavy use of XUL, which is natively supported in FireFox. The same exploit does not work in IE. Judah Himango
-
You can at least have peace of mind that Microsoft is committed to fixing their security holes and not just passing them off hoping that no one will find them. Ant. I'm hard, yet soft.
I'm coloured, yet clear.
I'm fruity and sweet.
I'm jelly, what am I? Muse on it further, I shall return! - David Williams (Little Britain)
-
Claudius Mokler wrote: BTW: Did you know that due to an advanced compression algorithm Microsoft successfully implemented more than one security hole per byte of IE's compiled binary code? [satire]Oooh nifty! New math[/satire]
The only way of discovering the limits of the possible is to venture a little past them into the impossible.--Arthur C. Clarke
-
None of that is simple for normal folk and normal folk are the ones hit hard by this spoof. I agree, make it the default settings. I disagree, don't downplay this problem because a: it is "easy" for nerds to change and b: pales in comparison to IE's problems. regards, Paul Watson Bluegrass South Africa Ian Darling wrote: "and our loonies usually end up doing things like Monty Python." Crikey! ain't life grand?
-
In that case comparing them is appropriate, but the tone I was getting from your post was that we shouldn't be concerned about this flaw because IE has/has had much worse...If you view your post in this light I think my previous comment makes sense. I should have also noted that I am using FireFox as well (0.9.2), part of it was because of the security problems but most of it was because I felt IE was becoming stagnant. James
-
Is there any reason you haven't upgraded to 0.9.2? It addressed some flaw in the Windows version, I can't remember if it was a security flaw or something else though. James
-
Judah Himango wrote: security through obscurity? Whatever works :) How do I print my voice mail?
-
Anytime you see something magically happen like that you know that it will sooner or later bite you in the butt. Then again, there is nothing that will ever protect people from installing software "from the wild". You could have a rogue program called "SpammerService" appearing in people's task manager and they still wouldn't see it. *sigh* Tim Smith I'm going to patent thought. I have yet to see any prior art.
-
Hi Claudius, Mitja here from the days before browsers. You helped me get a ZX80 system going. Would be glad to hear from you. Please contact me. Yours, Mitja