Gaping Holes In Fully Patched IE7, Firefox 2

Continent1106 writes "Hacker Michal Zalewski has ratcheted up his ongoing assault on Web browser security models, releasing details on serious flaws in fully patched versions of IE6, IE7 and Firefox 2.0. The vulnerabilities could cause cookie stealing, page hijacking, memory corruption, code execution, and URL bar spoofing attacks." Here is Zalewski's post to Full Disclosure.

Ah well

[GFree]

Gaping Holes In Fully Patched IE7, Firefox 2

In other words, it doesn't matter which browser you use, you're gonna get F'd in the A regardless? Sounds painful.

Re:Ah well

[rts008]

RTFA...Try the demo's...It will reduce the FUD.

I tried the demo page/file and got no response whatever.

"2) Title : Firefox Cross-site IFRAME hijacking (MAJOR)
      Impact : keyboard snooping, content spoofing, etc
      Demo : http://lcamtuf.coredump.cx/ifsnatch/ [coredump.cx]
      Bugzilla : https://bugzilla.mozilla.org/show_bug.cgi?id=38268 6 [mozilla.org] [May 30]"
from:(http://lcamtuf.coredump.cx/ifsnatch/) which is from:2) Title : Firefox Cross-site IFRAME hijacking (MAJOR)
      Impact : keyboard snooping, content spoofing, etc
      Demo : http://lcamtuf.coredump.cx/ifsnatch/ [coredump.cx]
      Bugzilla : https://bugzilla.mozilla.org/show_bug.cgi?id=38268 6 [mozilla.org] [May 30]"

and this:"3) Title : Firefox file prompt delay bypass (MEDIUM)
      Impact : non-consentual download or execution of files
      Demo : http://lcamtuf.coredump.cx/ffclick2/ [coredump.cx]
      Bugzilla : https://bugzilla.mozilla.org/show_bug.cgi?id=37647 3 [mozilla.org] [Apr 04]"

I tried both link's test button and got no response whatever.

IMHO, this must be something related to running Windows, as my Kubuntu 7.04 Feisty w/ Firefox 2.0.04 (with NoScript, Adblock, Adblock Filterset, and Flashblock) just does not act on this.

I guess I need to install some version of Windows to experience this...I feel deprived and left out!

Does this work with Firefox w/ NoScript on Windows?

From past experience, I have no doubts that it works with any version of IE on any Windows platform.

Re:

[Sizzlebeast]

Firefox 2.0.0.4 w/ NoScript and it won't work on windows either. I guess i have to allow it...not gonna happen :) I guess I'm safe

Re:

[rts008]

Thanks for the info! :-)

I can't convince my wife to switch to *nix/BSD, she is used to WinXP and IE 7 from work, and doesn't want to change. :-(

I might be able to sneak Firefox in on her with some creative registry hacks, and some install/configure obfustications. We'll see.

Re:Ah well

[jez9999]

I might be able to sneak Firefox in on her with some creative registry hacks, and some install/configure obfustications. We'll see.

I'm glad to see the art of practicing trust in marriage is alive and well!

Re:

[MrSenile]

New to marrage, are we? :)

probably NoScript

[r00t]

You're a rare weirdo. Much of the web won't work without scripting, or at least won't work well.

You're missing out on the nicer wiki/blog editors, live updates to the price of a computer purchase as you add/remove components, tolerable web mail interfaces, and (if your CPU is fast) the experimental slashdot interface.

Those are just the nerd things. I'm told there are numerous non-nerd things on the web as well, with far more scripting.

Re:

[MightyYar]

But you can use NoScript and still allow useful scripts... that's the whole point! The whole advantage of NoScript is that you can click on any shady site that you wish with little-to-no chance of compromising your machine. Presumably, you won't allow scripts from said shady site... when you get to YouTube and the videos won't play, then you enable scripting.

Re:probably NoScript

[Barny]

Yup, noscript doesn't let such nasties run, unless you give them permission, which seems to be half the problem for most internet users.

As for the person saying noscript is hard to use, its usually a matter of just clicking the script item (like a youtube vid that is being blocked) and it allows it to run temporarily, should be built in standard imho.

Combine it with a nice ad server blocker (kerio personal firewall for instance) and the web just suddenly starts working as it was meant to :)

Re:

[MightyYar]

...which seems to be half the problem for most internet users.

Yeah, I really don't see any software product that will solve social engineering tactics.

Re:

[TheSeer2]

NoScript blocks certain activities by default without any option of re-enabling them. I used to use NoScript but after it interfered with a website I used regularly (this was on my NoScript allow list) I had to abandon it.

Re:

[Doctor_Jest]

I'd rather decide which scripts run, and which do not. Noscript does that and does that well. I won't install Firefox without it. :)

Making Scripts Optional

[IBitOBear]

I use NoScript all the time. If I get to a page who's scripts I _want_ I allow them, or temporarily allow them.

I don't miss much except for the bullcrap. Yea, it takes all of a keystroke or a context menu selection whenever I decided I want "the full web experience".

The truth is, most of the time, nobody _wants_ "the full web experience."

Live and Learn... give it a try for a while and you will get hooked (unless you are incredibly lazy, which I am also, sometimes. 8-)

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:

[rts008]

Thanks for the reply.

Was the NoScript extension running?

Re:

[egr]

first two works on my Fedora 7 (Firefox 2.0.0.4 without NoScript), NoScript is not a part of Firefox so I think it should be really tested without it, however the last one didn't work, instead it asked me to download html page with download manager

Re:

[eli pabst]

It says in the advisory that javascript is used to inject the exploit. Disabling javascript, whether manually or through NoScript is obviously going to cause the demo to fail. That doesn't mean that your version of Firefox is not vulnerable though, it just means javascript is required to exploit the vulnerability.

Re:

[rts008]

Thanks for the reply!

You make an excellent point.

Also, thanks for the clarification. What this means to me is that I can go into the settings in IE 7 on my wife's PC (WinXP Pro SP2...so far I cannot get her to switch to Linux) and discourage this crap.

Anymore, just connecting to the internet is like fighting the Borg...they always adapt to the frequencies and continue to try to assimilate all.

Re:

[Virtual_Raider]

You can also install Firefox and use one of the IE-look-alike themes. I have one for Luna at home (the XP Fisher-Price interface) and one for Vista at work, and suddenly Firefox behaves a lot like IE. You can also set IE Tabs and have it open IE-only sites on an IE tab by default, this requires nothing more than two mouse clicks. Obviously, you need to get IE patched up if you are going to use IE tabs =)

Then you can slowly add nifty FF extensions and slowly win her over to the Dark Side, bwahahaha... er, t

Re:

[TheRealMindChild]

Im not sure these even worked on me... sure, I still use Firefox 1.5.0.8. Haven't had a reason to upgrade. Maybe I still shouldn't.

Re:

[SleepyHappyDoc]

The test cases linked to on Bugzilla require scripting. I'd link you to the document, but that wouldn't work from here, so you'll have to dig them out of Bugzilla yourself. They're on the non-duplicate bug page, the one from the middle of May.

Re:

[QuoteMstr]

You couldn't be more wrong, sir. Error handling in CSS is defined in great detail in the CSS spec, and it's important that browsers handle it properly so that future CSS revisions can provide new properties and syntax without breaking old clients. ACID2 ensures that browsers are forward-compatible with future versions of CSS.

Psst... Hey AC, your bias is showing

[aussie_a]

If we're going to require that the most secure OS for IE7 be used to test it, shouldn't we use the most secure OS for Firefox 2.0 be used to test it? If so then a Linux distro is required for Firefox and none of these holes work (or so people here claim, if you've got evidence to the contrary I'd be interested to hear it). Or we could simply use the most common OS that IE7 and Firefox is used in, which would be XP. Your choice.

Re:Ah well

[Kelson]

I use wget.

You have not truly experienced the web until you have experienced it using telnet to port 80.

Woot!

[Anonymous Coward]

Wow, I'm so glad I installed Firefox so I'm immune to all of these IE bugs!

Oh, wait, what did that say?

-AC

Re:Woot!

[Mark_in_Brazil]

Wow, I'm so glad I installed Firefox so I'm immune to all of these IE bugs!

Oh, wait, what did that say?

It said the only critical flaw in the bunch is in MSIE 6 only.

This has been another edition of Easy Answers to Stupid Astroturfer Questions.

Victim Statistics?

[Anonymous Coward]

Perhaps I'm ignorant, but does anyone ever find themselves a victim of these "gaping holes"? I can't say as I've ever browsed on to a site and found myself the victim of a compromised computer or ended up with viruses. Is there a site/blog that reports such statistics?

Re:

[eli pabst]

There are a shitload of sites that host malicious code to intentionally infect vulnerable browsers. Even regular sites are occasionally hacked to host malicious code. The most recent big name one I can think of is the Miami Dolphins football team website during the last superbowl. A few years back a number of sites that produce banner advertisements were hacked, which resulted in widespread malicious banners getting hosted on tons of otherwise secure sites. I don't know of any database of malicious webs

Are you sure?

[kybred]

I can't say as I've ever browsed on to a site and found myself the victim of a compromised computer or ended up with viruses that I know of.

There, fixed that for you.

The hard thing about NoScript

[ukemike]

The hard thing about NoScript is when a page totally fails to load anything useful and you have to decide to allow one or more of three scripts each from different domain. Often it is easy, you're on yahoo so you allow yahoo. Sometimes it is far from obvious. To get some yahoo pages to work you have to allow yming.com to run scripts, and you have to pick that one from a list including several cryptically named advertiser sites. I don't mind this extra step, and with the current web model I don't see ano

Gaping holes?

[Paktu]

Article tagged as goatse.

Re:Gaping holes?

[evanbd]

Is it just me, or are the more humorous / inane tags showing up less? "duh" "haha" "itsatrap" and friends. Is this because the slashdot editors changed something, or because people are using them less?

Re:

[Nimey]

Do you really think *this* crowd would use those tags less? Or any established Internet forum?

Taco changed the code; I'm guessing to disallow the stupid tags that got put on almost every story, like those you mentioned. Maybe to greylist those who kept tagging that way, too.

Taco, got anything to say?

Re:Gaping holes?

[dkf]

Taco changed the code; I'm guessing to disallow the stupid tags that got put on almost every story, like those you mentioned. Maybe to greylist those who kept tagging that way, too.

I think there's a list of tags that are permitted (blacklisting tags would be easier to route around by finding alternate things that mean the same thing) but as far as I can see, there's no downside to using a non-blessed tag; it just gets dropped on the floor.

I think it's a shame though; the old tagging system added a good bit of fun to the site, and the "joke" tags were sometimes very appropriate indeed. The new system is just boring crap that reproduces what is already in there from the article categories or a simple search of the part of the story on the front page; a search engine could do those tags, or even plain old grep, and so they add nothing of value. The old system was better because it provided a snapshot of what people thought about the story, despite being much more open to abuse.

Bring back the open tags! Please!

Using them less?

[Kelson]

Is it just me, or are the more humorous / inane tags showing up less? "duh" "haha" "itsatrap" and friends. Is this because the slashdot editors changed something, or because people are using them less?

My first reaction was that people had gotten bored with the joke tags. This is the internet, after all, and internet fads fade with time just as the real-world ones do -- faster, even.

Then I remembered that a few days ago I saw people commenting on pouring hot grits down pants, and petrified Natalie Portm

Re:

[Adambomb]

and internet fads fade with time

Really? I [hampsterdance.com] am [allyourbas...ngtous.com] not [badgerbadgerbadger.com] sure [facebook.com] I [myspace.com] agree. [slashdot.org]

Re:

[sr180]

Possibly like how the dupe tag doesnt work anymore.

But in order to be affected...

[DaveWick79]

In order to be affected, doesn't one first have to go to the shady site that has this stuff scripted in the page? Yes, this may be a bug, but like a web page-bound virus, is one that the user has to inflict upon himself by going to a site he probably shouldn't be going to in the first place.

Re:

[afidel]

Hacker hijacks web server of popular site, but instead of simply defacing the front page the slip in a little bit of code to release a botnet installer or adware installer based on this type of vulnerability. It happens all the time.

Re:But in order to be affected...

[snowraver1]

It's called a Man-in-the-middle attack. Say you go to google.ca (I'm Canadian) It goes something like this:

You> Yo DNS server, I wanna Talk to google.

DNS> Roger that! Go to 72.14.253.103.

You> Yo 72.14.253.103 Whacha got?

72.14.253.103>Index.html

You> Looks like Index.html says I need the google picture.

Eve (Eve is sitting at the same coffee shop as you. Eve is bad)> Ahem, err, sir, I have this envelope for you. It's from google. It contains your picture. *Sniker*. (You don't notice the snicker)

You> OH N0E$! TH3 P1CtUr3 us3d a buff3r ov3rflow vuln3rab1lity and n0w you have a virus that mak3s you typ3 lik3 a n00b!

For more information look here: http://en.wikipedia.org/wiki/Man_in_the_middle_att ack [wikipedia.org]

Re:

[I'm Don Giovanni]

Two problems with your theory:
1. Hackers can post to message boards messages containing innocent-looking links to "bad" sites. This happened to me years ago at IGN's boards, before I started checking the status bar to see what the actual URL of a link was before clicking it.

2. Hackers sometimes hack legit sites and inject script code into them (normally at the end of the page), so that visiting a legit sites runs mal-script.

Re:But in order to be affected...

[Bob of Dole]

Don't be so sure that avoiding "shady" sites will protect you.
I run a few perfectly un-shady sites (an imageboard, a specialized search engine, and a funny images repository), but recently some users started complaining about the popups that were trying to install spyware.
I don't have any popups on my sites! (I don't even use target="_new"!) but still users were getting spyware popups. The popups were so evil that the only way to avoid getting redirected to the spyware site was to disable javascript (Even in firefox. in IE it just installed the spyware automatically, but firefox at least you had to click "download". Still, it made my site unusable)

I went into my advertisers control panel, checked for anything remotely shady. Nothing. I tried turning off all third party advertisers (like doubleclick), figuring maybe one of them was redirecting users. Nope, some users still got popups. Worst of all, I NEVER got the popup, no matter what browser I was using.

It turns out it's cause I'm an American. The advertiser had specified that the advert with the embedded redirect only show up in every country except America. That stopped me from seeing it on the site, but what about the control panel? I could see all the ads there, even the ones not targeted at my location. Here's what they did in actionscript: (pseudocode)

if getTimeZone() in EUROPE_TIMEZONES:
    redirectToSpyware()
else:
    displayHarmlessAdvert()

So even when I checked the ads in the control panel they looked fine.

My point is, don't think there's a scary corner of the internet where all the spyware/exploits hang out. The bastards making this crap know that most people don't go to those kinds of places, so they'll do anything they can to sneak their crap onto legitimate sites. (MySpace got hit with one of these a few months back, I think)

Re:But in order to be affected...

[beyondkaoru]

ok, i'm not a web developer so i wouldn't know, but is there any way to force your advertisers (malicious or otherwise) to not use javascript/flash/whatever? since it's essentially running code we don't trust on the client's computer...

essentially, do the noscript thing on your own servers, or host ads (i assume they're mostly just pictures with links) on your own servers somehow.

Brilliant

[zCyl]

ok, i'm not a web developer so i wouldn't know, but is there any way to force your advertisers (malicious or otherwise) to not use javascript/flash/whatever? since it's essentially running code we don't trust on the client's computer...

essentially, do the noscript thing on your own servers, or host ads (i assume they're mostly just pictures with links) on your own servers somehow.

That's the most brilliant idea I've seen in this entire thread so far. We need a <noscript>, or perhaps a <sandbox></sandbox> tag which allows us to specify what can be done inside of a frame, embedded object, or anything else linked to from a remote site.

That would make a huge difference.

I've had something similar with nedstat ...

[freaker_TuC]

I've been using their "free" basic service for years; it was always their small little 16x16/32x32 icon; not really intrusive.

Then suddenly my pages using their stats service had a nasty pop-under. I've seen this at other sites too and found out the "new" advertisement ways after a few weeks when I started getting bothered seeing the same pop-unders over and over while I wasn't even on any other sites.

These pop-unders were all activated under Firefox and it's clearly in their TOS they can advertise on websi

Re:

[TheLink]

From the perspective of a web application programmer and security consultant, I think it would be very useful to have HTML tags to mark HTML
sections where active content should be disabled, possibly selected active content.

Right now the HTML environment with respect to potentially dangerous
content is:
In order to stop, you must make sure that none of the 1001 GO buttons were
pressed before. There is no STOP button. No Big Red Emergency Stop button.

This seems to be a disaster prone situation. Like driving a ca

Re:

[shadowmas]

unless because he went to the site by accident by typo error like www.goggle.com. i don't know but you but i've made plenty of typos while typing web addresses.

Didn't learn lesson from javascript

[mrcaseyj]

They said they could make javascript secure but it's still a huge source of holes. Instead of learning our lesson, Flash, another executable web format is taking over. Don't use flash because it's cool. Only use it if you really need it for your web page.

And if Ubuntu was really concerned about security they would ship it by default with a web browser already set up under a separate username with strict selinux policies.

Me too: Javascript is evil

[Charles Dodgeson]

I don't know if anyone has done a count, but it seems like every time I look at a report of a major security problem in some browser it is Javascript or ActiveX or something similar where the browser locally executes code served up by the server.

We all knew back in the early days of Javascript that it would be a security nightmare. But we (collectively) went ahead with it. We put together web pages that depended on it, so browsers had to support it and users had to enable it. Now we've waited so long

Re:

[foniksonik]

When the browsers provide support for seamless SVG that gets push data from a socket connection I'll stop using Flash. When browsers provide seamless client side data validation and inline error prompting for forms, I'll stop using Javascript.

Any web page that can't benefit from the above uses of the technology probably isn't all that more informative than an email would be.

Static information is useful but stateless information is becoming useless. This is interactive media... not a book that you can access

Re:

[mrcaseyj]

Yeah!! DOWN with teh flash and javascript! Time to move on to something better. Silverlight, here I come!!!11!one :D.

OK Crazy Taco, to even suggest something like Silverlight, proves that the excess hot sauce has gotten to your brain. We're your friends and we're here to help. Slowly step away from the keyboard.

alternatives

[sudo]

Well there's always Opera?

Lynx

[Anonymous Coward]

I use Lynx, you insolent clod! Get off my lawn!

Re:

[rustalot42684]

If you can't do it from the command line, you shouldn't do it at all! Who needs pictures, anyways?

Command line? Hah!

[spun]

You young whippersnappers and your fancy shell doo-dads. In my day, we had to lick a live 10Base5 cable to browse gopher and that's the way we liked it!

Re:

[technopinion]

Lynx is for Lusers. The cool kids are all using telnet these days.

One of the demos on Firefox doesn't work

[ericferris]

I am using the latest Firefox 1.5. I went to the demo page : http://lcamtuf.coredump.cx/ifsnatch/ [coredump.cx] . The first test shows that it is possible to rewrite the content of an iframe. That is rather dangerous in situations involving trusted messages.

The 2nd demo was supposed to snoop on the keyboad, but it invoked a pop-up, which was immediately blocked by the pop-up blocker. So unconfimed as far as I know. However, the demo page did open a CNN.com page.

Anyone has better "luck" to demo the keyboard snooping?

Sounds like Terrorist to me.

[3seas]

cookie STEALING, page HIJACKING, memory CORRUPTION, code EXECUTION, and URL bar spoofing ATTACKS.

So where the fuck is home land security when you need them.

Re:Sounds like Terrorist to me.

[Anonymous Coward]

what's so terrible about urls?

You mean "Home Page" security

[giafly]

homeland security [newsday.com] is a fairy tale.

Go old NoScript

[Nutsquasher]

Keeps all of that Firefox JavaScript nastiness at bay, plus flash ads to boot. :)

Re:

[Bender0x7D1]

Yes, that is a solution, but it isn't a good solution.

If we continue down that line of thought we end up at the point where we just go back to static pages with no scripting. Now, in general, I prefer static pages without all the extra "eye-candy", but I also understand the benefits of having scripting, (and even flash) running. By even having a preference for static pages, I think I am in the minority of people on the Internet. Let's face it, the average person likes all of the "extras" that come with

Re:Go old NoScript

[MLease]

When I want to allow flash or a script to run, it's easy enough to do. The point of NoScript is that nothing runs without my explicit consent, just because I happened to visit a website. If I allow something malicious to run, it's my own fault.

-Mike

Re:

[Matt Perry]

It is an excellent solution. Your post leaves me with the impression that you don't know what NoScript [noscript.net] is. NoScript is a Firefox extension that allows a user to selectively enable JavaScript for web sites.

If we continue down that line of thought we end up at the point where we just go back to static pages with no scripting.

I already do that. I only have JavaScript enabled for about 20 web sites. I've found out that I'm not missing anything as most web sites function perfectly without JavaScript enabled.

Re:Go old NoScript

[tomhudson]

"When are people going to wake-up to this bullshit? "Web apps" give you all the performance of regular apps running on an old 286, with half the features. Wow!"

Hey, I'm running this on a 286, you insensitive clod!

Re:

[Kelson]

When are people going to wake-up to this bullshit? "Web apps" give you all the performance of regular apps running on an old 286, with half the features. Wow!

The point of web applications isn't performance, it's ubiquity. Hotmail (and remember, it was one of the first big web apps, even before Microsoft bought it) didn't take off because it performed better or had more features than Eudora, Outlook, Netscape or Pegasus -- it took off because you didn't need to install it and you could access it from any

Does this require javascript to work?

[sycomonkey]

I'm not familiar with iframes, but would not running javascript on untrusted webpages protect from this?

First to fix?

[doctor_nation]

Anyone want to wager on who has this hole fixed first, IE or Firefox?

Re:

[KarmaMB84]

Microsoft has to be a lot more careful about breaking third party crap with a browser fix so obviously Firefox will get patched first.

Slashdot responses

[Frankie70]

1) If Article Posted about IE security bugs
    - Regular mudfest, everyone throwing mud on Microsoft
& IE. Everyone saying I have FF/Linux/Safari whatever,
so I am safe. Nobody talks about changing settings,
disabling javascript or Activex as a good workaround.

2) If Article Posted about FF security bugs
    - Lot of workarounds posted - disable Javascript,
get some plugin, change some settings, don't go to
the website etc. How great that the it is open source,
someone will fix the bug in one hour & release patch.
Bugs are avenues to show how great open source is.

Now both are posted together, let's collate responses
at the end of the day

Well...

[mattgreen]

I run Microsoft Windows XP SP2, so I am safe. IE users can simply disable JavaScript in the control panel - any user of closed source knows how to do that! Plus, they don't even have to go to the web site. Microsoft will fix the bug by the next Tuesday of the next month, which is an AMAZING response time, don't you think! The best thing about closed source is you don't have hackers accessing it!

Now, as far as Firefox, that STUPID Mozilla Foundation makes some of the most amateur mistakes! They can't even fo

Re:

[jez9999]

I run Microsoft Windows 95 unpatched, so I am safe. No-one targets this old piece of crap anymore!

Another Firefox vulnerability posted today

[whitehatlurker]

Thor Larholm also announced a Firefox hole [larholm.com] today. Wasn't completely patched in the last release.

CrashZilla

[EEPROMS]

Ive renamed Firefox "CrashZilla", it would be nice to browse the web for more than 1 hour without it freezing up or crashing. Yes I have the latest version and all the latest plugins. I have no issues with Konqueror on KDE 3.5.7 (using the same plugins) and Firefox 1.5.* ran for days without crashes.

Re:

[laffer1]

Yes, the newer versions of Firefox seem to crash often. I've had 2.0.0.4 crash on me 4 times today in Vista and it crashes on OS X and MidnightBSD as well. (MBSD is using the linux version) It tends to happen on sites that use plugins. I've seen it with Flash sites, and anything loading quicktime. The linux version crashed on JavaScript heavy sites. I have absolutely no plugins or extensions installed in that version. My OS X version also does not use any extensions.

Safari is crashing in OS X after t

Re:

[Kelson]

I haven't looked at the exploits, but considering both browsers are affected, it makes me wonder if there is a common behavior or something implied in various web standards which led to this problem.

Nope. The exploits in Firefox and IE are completely separate -- just announced at the same time.

Re:

[dvice_null]

You probably have a corrupted profile. Try with a new profile. That usually fixes crashes like that.

WoW password stealer

[Myria]

Cue website installing a WoW password stealer in 3, 2, 1 ...

Doesn't seem to bother us

[myxiplx]

Here at work we use IE6 on XP SP2 workstations and not a single one of those vulnerabilities affects us.

Why? Because we don't let IE run scripts of any kind unless it's from a site we trust. IE has had security zones for years yet hardly anyone uses them. A single group policy object enforces our list of trusted sites, nobody's computer can run javascript on any site we've not already decided is safe.

Ok, there's a small risk of someone hacking one of our trusted sites, but I can live with that.

So far we've had 2 years of uninterrupted browsing, with nobody at our company getting a single piece of malware on their machine.

And the best bit: It's surprisingly low maintenance. We get maybe one request a month now to add a new site to the list.

Re:And Opera

[WilliamSChips]

Naw, Opera just randomly crashes and then has a default behavior of restarting the site that causes it to randomly crash.

Re:

[MyLongNickName]

What version are you using? I haven't noticed this behavior.

I have, however, noticed Firefox 2 crashing a lot more than it used to.

Re:

[Xeriar]

Quicktime's FF plugin seems to be insanely unstable. I can only play a few files before it crashes Firefox. Otherwise it's been rock solid (aside from this exploit deal).

Re:

[lastchance_000]

That's because it's Insanely Grrrrreat!

Re:And Opera

[Lisandro]

I had Opera crashing on me on, say, 50-60 times in the past 5 years i've been using it (back from version 6). Of those, 60% were issues with that piece of shit Flash plugin for Linux, and even that got much better. Opera crashed? No problem, just hit "resume" when you restart.

Opera is as stable as FF (and way more stable than IE) with a fraction of the system requirements - and faster than both. Try an up to date version, you'll be surprised.

crashes: probably exploitable

[r00t]

A damn lot of crashes are exploitable.

Even something as harmless-looking as a NULL pointer read can indicate an exploitable crash. It may mean a stack overflow. It may just be a NULL pointer read, which is (almost unbelivably) exploitable on Windows because of the way plug-ins and exception handlers work.

Re:crashes: probably exploitable

[Lisandro]

On my experience, most of the crashes are plugin related. I was conservative with the (pulled off my ass :) 60% figure - Flash, until recent versions, was a guaranteed way of hanging your browser. I had some memory leaks back with version 7, which were promptly fixed in an update, and a crash when you opened and closed tabs in a certain way, which was also fixed quickly.

Other than that, i can't honestly recall major problems with Opera. Not that i had a lot of issues with Firefox either (outside Flash, that is), but it does run much faster and with less memory requirements.

Re:

[Kelson]

I've actually found Flash to be less stable lately. It's not uncommon for a couple of Flash ads to start chewing up all my CPU until I have a chance to close the tab.

I'm seriously considering backing down to Flash 7, despite the horrible audio sync problems with the Linux version.

Re:

[TitusC3v5]

I would be more inclined to use it if the default QT appearance for Opera didn't look like ass when running under non-KDE environments.

Re:

[Lisandro]

It looks allright [homelinux.org] (using the static QT version) under XFCE, which happens to be a pure GTK+ desktop enviroment. Stock configuration - i only adjust toolbars and such.

Re:

[QuietLagoon]

Opera just randomly crashes and then has a default behavior of restarting the site that causes it to randomly crash.

More than likely, Opera restarts with the site before the one that caused the crash.

Unfortunately for Opera, most sites are written according to IE's buggy standards. While Opera does try to accomodate the poor HTML written by web programmers who think the Internet is viewed only through IE-colored glasses, sometimes it is difficult to accomodate to flagrant stupidily that is IE's render

And Elinks

[gumpish]

No holes for elinks? Oh well...

(sits back in corner with large grin on face)

AND LYNX!

[Anonymous Coward]

No holes for Lynx? Oh well...
(sits back with biggest grin on face)

Re:

[Kelson]

It's a bit simplistic to assume that $browser will always keep you safe. On the other hand, it's important to remember that there are many alternatives [alternativ...liance.com] available. The good thing about this is that each engine has its own vulnerabilities, so for the same malware to target Firefox, IE, Opera and Safari, it would have to target four different exploits. At least with intended behavior of HTML/DOM/CSS, Gecko, Trident, etc. are (ostensibly) aiming at the same target.

Ever notice that the only vulnerabilities wh

No holes?

[Kelson]

No holes for Opera?

Are you serious? Have you looked at that icon? There's a huge hole right in the middle, and no one seems to acknowledge it!

read b4 clicking, warning , danger !

[weighn]

http://impoll.net/cgi-bin/v.cgi?p=1585&r=0 [impoll.net]
http://impoll.net/cgi-bin/v.cgi?p=1585&r=1 [impoll.net]

following could cause cookie stealing, page hijacking, memory corruption, code execution or URL bar spoofing attacks !!

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[bunratty]

2.0 has been out since November. I reported one problem in it (actually a problem that was worse in 1.5 and partially fixed in 2.0) and the problem was fully fixed in 2.0.0.1. It's been working great for me. In what way isn't it "really ready yet"?

Re:

[vanyel]

See parent article.

Re:

[dn15]

I'm in no hurry to test the exploits but I suspect they'd work in Flock as well -- after all, Flock is essentially Firefox with a new theme and a few extra extensions bundled in.

Re:

[Kelson]

You can assume that any vulnerability in Firefox that's in the rendering engine will also work in any other browser built with that version of Gecko. That includes corresponding versions of Flock, SeaMonkey, and probably even K-Meleon and Camino (depending on the original platform). You may have noticed a lot of Flock point releases include things like, "The 0.7.14 Flock Maintenance patch incorporates Mozilla's patch 1.5.0.12."

Now, vulnerabilities in the UI -- say the pop-up blocking system -- could be sp