Gaping Holes In Fully Patched IE7, Firefox 2
Continent1106 writes "Hacker Michal Zalewski has ratcheted up his ongoing assault on Web browser security models, releasing details on serious flaws in fully patched versions of IE6, IE7 and Firefox 2.0. The vulnerabilities could cause cookie stealing, page hijacking, memory corruption, code execution, and URL bar spoofing attacks." Here is Zalewski's post to Full Disclosure.
Victim Statistics? (Score:5, Insightful)
Didn't learn lesson from javascript (Score:5, Insightful)
And if Ubuntu was really concerned about security they would ship it by default with a web browser already set up under a separate username with strict selinux policies.
alternatives (Score:5, Insightful)
Go old NoScript (Score:5, Insightful)
Re:But in order to be affected... (Score:3, Insightful)
First to fix? (Score:2, Insightful)
Re:Go old NoScript (Score:3, Insightful)
Yes, that is a solution, but it isn't a good solution.
If we continue down that line of thought we end up at the point where we just go back to static pages with no scripting. Now, in general, I prefer static pages without all the extra "eye-candy", but I also understand the benefits of having scripting (and even Flash) running. By even having a preference for static pages, I think I am in the minority of people on the Internet. Let's face it, the average person likes all of the "extras" that come with scripting.
With this preference for dynamic content, we also have to accept that there are going to be some security problems. We can blame Microsoft. We can blame the users. We can blame the Flying Spaghetti Monster for forsaking us. We can blame the hackers who produce the infectious content. However, what matters is that with new things on the web appearing so quickly, there hasn't been time to stop, take a deep breath and look for the security holes that exist. This means that the bad guys have the advantage and we have problems. If you don't like it, use Lynx and practice safe hex.
Slashdot responses (Score:5, Insightful)
- Regular mudfest, everyone throwing mud on Microsoft
& IE. Everyone saying I have FF/Linux/Safari whatever,
so I am safe. Nobody talks about changing settings,
disabling javascript or Activex as a good workaround.
2) If Article Posted about FF security bugs
- Lot of workarounds posted - disable Javascript,
get some plugin, change some settings, don't go to
the website etc. How great that it is open source,
someone will fix the bug in one hour & release patch.
Bugs are avenues to show how great open source is.
Now both are posted together, let's collate responses
at the end of the day
Re:Go old NoScript (Score:4, Insightful)
-Mike
Re:And Opera (Score:3, Insightful)
More than likely, Opera restarts with the site before the one that caused the crash.
Unfortunately for Opera, most sites are written according to IE's buggy standards. While Opera does try to accommodate the poor HTML written by web programmers who think the Internet is viewed only through IE-colored glasses, sometimes it is difficult to accommodate the flagrant stupidity that is IE's rendering engine.
probably NoScript (Score:3, Insightful)
You're missing out on the nicer wiki/blog editors, live updates to the price of a computer purchase as you add/remove components, tolerable web mail interfaces, and (if your CPU is fast) the experimental slashdot interface.
Those are just the nerd things. I'm told there are numerous non-nerd things on the web as well, with far more scripting.
Are you sure? (Score:5, Insightful)
There, fixed that for you.
Re:And Opera (Score:3, Insightful)
Ever notice that the only vulnerabilities which are really cross-browser tend to be misuse of functionality (like the Unicode domain spoofing attacks a few years back), rather than exploits of bugs?
Re:Go old NoScript (Score:3, Insightful)
The point of web applications isn't performance, it's ubiquity. Hotmail (and remember, it was one of the first big web apps, even before Microsoft bought it) didn't take off because it performed better or had more features than Eudora, Outlook, Netscape or Pegasus -- it took off because you didn't need to install it and you could access it from any computer with an Internet connection and a web browser.
But you knew that, didn't you?
Re:But in order to be affected... (Score:5, Insightful)
Essentially, do the NoScript thing on your own servers, or host ads (I assume they're mostly just pictures with links) on your own servers somehow.
Doesn't seem to bother us (Score:4, Insightful)
Why? Because we don't let IE run scripts of any kind unless it's from a site we trust. IE has had security zones for years yet hardly anyone uses them. A single group policy object enforces our list of trusted sites, nobody's computer can run javascript on any site we've not already decided is safe.
Ok, there's a small risk of someone hacking one of our trusted sites, but I can live with that.
So far we've had 2 years of uninterrupted browsing, with nobody at our company getting a single piece of malware on their machine.
And the best bit: It's surprisingly low maintenance. We get maybe one request a month now to add a new site to the list.
Re: NoScript is a ridiculous measure (Score:2, Insightful)
I don't care what you think, nobody is going to use that extension by default and it will never be enabled by default. Your attempt to make measurements of Firefox security with it enabled is reminiscent of Microsoft's attempts to get C2 certification for Windows NT when it wasn't connected to a network.
The most meaningful measurement of security for an application is looking at the default installation. Most people will never get beyond that.
Odd double standard (Score:2, Insightful)
The hard thing about NoScript (Score:3, Insightful)