Linked by Thom Holwerda on Mon 25th Sep 2006 15:53 UTC, submitted by Jeff
Privacy, Security, Encryption
Hackers are hitting paydirt in their search for browser bugs. According to Symantec's twice-yearly Internet Security Threat Report, hackers found 47 bugs in Mozilla's open-source browsers and 38 bugs in Internet Explorer during the first six months of this year. That's up significantly from the 17 Mozilla and 25 IE bugs found in the previous six months. Even Apple's Safari browser saw its bugs double, jumping from six in the last half of 2005 to 12 in the first half of 2006. Opera was the only browser tracked by Symantec that saw the number of vulnerabilities decline, but not by much. Opera bugs dropped from nine to seven during the period.
Right.
by 1c3d0g on Mon 25th Sep 2006 16:02 UTC
1c3d0g
Member since:
2005-07-06

And we all know Symantec Corporation is the pinnacle of objective reporting.

/sarcasm.

Reply Score: 5

Lynx, anyone?
by w-ber on Mon 25th Sep 2006 16:08 UTC
w-ber
Member since:
2005-08-21

I was about to say that Lynx is pretty secure, but it too seems to have had two reported vulnerabilities in the last three years:

http://secunia.com/product/5883/?task=advisories

Not as much as the "major browsers", but then again, you simply cannot run JavaScript, Flash, Java, or other harmful technologies!

Reply Score: 1

RE: Lynx, anyone?
by Earl Colby pottinger on Mon 25th Sep 2006 20:15 UTC in reply to "Lynx, anyone?"
Earl Colby pottinger Member since:
2005-07-06

I was thinking much the same for my favorite browser for viewing text only pages and for fast downloads.

NetPositive is fast, simple and without all those flashly (pun intended) techs that seem to get in the way of getting at the raw info you want. I am sure a hacker can crash the browser, crashing the stack is meaningless as I can restart it with two mouseclicks. Running a zombie program thru NetPositive - not going to happen.

Reply Score: 2

Go Opera!
by kadymae on Mon 25th Sep 2006 16:12 UTC
kadymae
Member since:
2005-08-02

Fewest bugs, very quick response when it comes to patching, it's Opera for me. (Except for right now, when circumstances force me to use Firefox.)

Reply Score: 5

Numbers don't count
by sbenitezb on Mon 25th Sep 2006 16:13 UTC
sbenitezb
Member since:
2005-07-22

It's obvious that there will be more bugs found in an open source browser like Firefox, because the source is available for everyone to analyze. But that doesn't make it the most vulnerable. There are certainly lots of bugs to be found in IE, and that those vulnerabilities aren't published doesn't mean they aren't there. Some cracker may already know about undiscovered (by security researchers) bugs and plan to use (or is already using) them for his own benefit.

Enter Symantec. They provide security software for all of us intrepid web surfers. If we use a rather secure browser, we don't need Symantec products (other free products may suffice). So they will tell you all browsers are insecure and you need antivirus & antispyware, even if you don't. Because if you use Firefox and with time it gets secure enough, why would you use their antivirus? Most web shit gets in your pc by way of IE and OE. With Firefox and Thunderbird you are more secure than before, and with a little care you don't need an antivirus.

Reply Score: 5

RE: Numbers don't count
by bsantos on Mon 25th Sep 2006 16:25 UTC in reply to "Numbers don't count"
bsantos Member since:
2006-01-08

When I read about the European Commission(?) warning Microsoft to not block these anti-ms-bugs firms out, I got puzzled. If Microsoft was able to produce a secure OS, what would they do? What if Windows got rid of viruses and their firewall (or services disabled) worked as it should (and all the ports were documented)?

They created the business for these companies, what now? Aren't they cornered?

Edited 2006-09-25 16:27

Reply Score: 3

RE[2]: Numbers don't count
by CowMan on Tue 26th Sep 2006 20:22 UTC in reply to "RE: Numbers don't count"
CowMan Member since:
2006-09-26

They could prevent the flaws in code before it gets to the wild, and they can offer patches through Windows Update, without adding a new UI blatantly designed to compete against these other companies.
Which are probably a sore-point for MS, in that they even exist, in the first place. Companies who exist for no other reason than your product is flawed. :S

Reply Score: 1

RE: Numbers don't count
by orestes on Mon 25th Sep 2006 16:26 UTC in reply to "Numbers don't count"
orestes Member since:
2005-07-06

If you're on a Windows box and have an active connection to the Internet, you need some form of active AV. Period.

Reply Score: 1

RE[2]: Numbers don't count
by bsantos on Mon 25th Sep 2006 16:30 UTC in reply to "RE: Numbers don't count"
bsantos Member since:
2006-01-08

The question is, signatures on the AV are added _after_ the virus is spread, what is an AV worth by then? ;)

That's why I can't understand how users permitted MS to get here... Marketing throwing sand on people's eyes... ;)

Reply Score: 1

RE[3]: Numbers don't count
by orestes on Mon 25th Sep 2006 16:39 UTC in reply to "RE[2]: Numbers don't count"
orestes Member since:
2005-07-06

Same thing it's always been worth. Namely reducing your risk of being screwed over if you weren't one of the people initially infected and, more importantly from where I'm sitting, making you less of a liability to the rest of the net.

Reply Score: 1

RE[4]: Numbers don't count
by aesiamun on Mon 25th Sep 2006 19:20 UTC in reply to "RE[3]: Numbers don't count"
aesiamun Member since:
2005-06-29

If you're not going to get laid, why bother buying condoms? I don't understand this...if I'm never going to drive in the snow, should I get snow tires anyway?

Reply Score: 1

RE[5]: Numbers don't count
by hobgoblin on Mon 25th Sep 2006 19:59 UTC in reply to "RE[4]: Numbers don't count"
hobgoblin Member since:
2005-07-06

I think the grandpa post talked about an active internet connection. So if you're never going to connect said computer to the net (i.e., never get laid), don't bother with the AV ;)

Reply Score: 1

RE[5]: Numbers don't count
by n1xt3r on Tue 26th Sep 2006 01:30 UTC in reply to "RE[4]: Numbers don't count"
n1xt3r Member since:
2006-02-05

Dude! Don't you know? There is no safe condom! Security is an illusion, but death is certain. Sorry to be the bearer of bad news, but IMHO your condom analogy was in poor taste. There's been too many victims to the HIV epidemic who had condoms fail them. I can't have it on my conscience, that I didn't stop to warn you. In life, numbers do count.

Reply Score: 1

RE[6]: Numbers don't count
by aesiamun on Tue 26th Sep 2006 12:16 UTC in reply to "RE[5]: Numbers don't count"
aesiamun Member since:
2005-06-29

Being in a committed relationship for 4 years, I have no concern about it. Maybe in the future, but I won't be concerned until I am in a situation where I actually have to worry about STDs.

My point was not in poor taste. I wasn't even referring to the "viral" nature of sex, but that if you are not having sex, then condoms really aren't necessary. I can see where, in hindsight, it was probably a poor choice. I apologize.

Reply Score: 2

RE[2]: Numbers don't count
by egarland on Mon 25th Sep 2006 16:45 UTC in reply to "RE: Numbers don't count"
egarland Member since:
2005-08-05

"If you're on a Windows box and have an active connection to the Internet, you need some form of active AV. Period."

This is BS. Viruses don't just hop onto your machine at random over the internet. With a hardware firewall and safe browsing habits you can reduce your virus infection risk to near zero. If you have a teenager clicking on every link on everyone's myspace crapsite however.. no amount of AV software is too much.

AV software slows machines and makes them buggy and prone to crashing. For a lot of people the solution is worse than the problem.

Reply Score: 5

RE[3]: Numbers don't count
by orestes on Mon 25th Sep 2006 17:12 UTC in reply to "RE[2]: Numbers don't count"
orestes Member since:
2005-07-06

Yes, because we all know exploits that require no user interaction to do their damage simply do not exist. Certainly not in applications that you would allow through your firewall.

Reply Score: 2

RE[4]: Numbers don't count
by egarland on Mon 25th Sep 2006 18:08 UTC in reply to "RE[3]: Numbers don't count"
egarland Member since:
2005-08-05

What is it with people and bitter sarcasm lately? I need to find an internet that doesn't let obnoxious kids on.

My point is this... those exploits that require user interaction.. they require the user to interact with them. Don't. Avoid risky browsing, especially with IE. Most of the people I know can manage to do it. If you can't, go ahead and load your machine up with AV software and cross your fingers and hope that it works.

Don't fool yourself into thinking that without AV you aren't safe and that with AV you are. Anti-Virus software doesn't make you safe, it just makes risky behavior less risky. It's like having a parachute when you are flying.. it's only useful if you plan to jump out of the plane and it doesn't make jumping out safe, just safer.

If your computer's security involves detecting when your computer gets infected and reacting to it.. it's not really secure, is it?

Edited 2006-09-25 18:13

Reply Score: 5

RE[5]: Numbers don't count
by orestes on Mon 25th Sep 2006 18:54 UTC in reply to "RE[4]: Numbers don't count"
orestes Member since:
2005-07-06

Valid points.
I'll agree AV shouldn't be your only line of defense, not by a long shot. That said, not engaging in known risky behavior isn't much of an excuse for not keeping prophylactic measures around just in case.

Reply Score: 1

RE[2]: Numbers don't count
by umccullough on Mon 25th Sep 2006 17:34 UTC in reply to "RE: Numbers don't count"
umccullough Member since:
2006-01-26

Wow, I guess all my windows boxes must be infected with loads and loads of malware, virii, and worms by now... considering how many years they've been running 24x7 (with many many reboots of course) on an "active" internet connection with absolutely NO "active" AV software running...

yes, I occasionally scan them using something like BitDefender - and anti-spyware programs like Spybot S&D or AdAware - but I pretty much NEVER find anything... as I would expect.

I will point out that prior to switching to Firefox, I found that my wife and relatives that came to my house and used my computer tended to install a LOT more crapware "activex" controls (mostly commercial garbage) than they do now... I feel a lot safer leaving my machines "at the mercy of my family" than I ever did before.

I despise commercial "security software" as it is truly the worst thing that happens to new store-bought computers as soon as they're turned on for the first time.

Reply Score: 5

RE[3]: Numbers don't count
by borat on Tue 26th Sep 2006 03:53 UTC in reply to "RE[2]: Numbers don't count"
borat Member since:
2005-11-11

"I will point out that prior to switching to Firefox, I found that my wife and relatives that came to my house and used my computer tended to install a LOT more crapware "activex" controls (mostly commercial garbage) than they do now... I feel a lot safer leaving my machines "at the mercy of my family" than I ever did before."

Give them user accounts. Don't run as admin. Then the worst they can do is muck up their user accounts which you can just delete. Then you can scold them about not being morons and give them a new fresh account to try again.
Furthermore they are less likely to even muck up their user account because most malware and unnecessary installations will stop dead in their tracks when they can't write to any system directories.

Reply Score: 2

RE[2]: Numbers don't count
by Earl Colby pottinger on Mon 25th Sep 2006 20:35 UTC in reply to "RE: Numbers don't count"
Earl Colby pottinger Member since:
2005-07-06

I am not sure that is true. Even Windows can be set up so that it automatically restores from a protected image of the working hard drive. In that case no virus can damage the system.

And what about a Windows CE system with all the software in ROM? You probably could mess up some data files, but active virus will not survive a power cycle.

Reply Score: 1

Measure security
by jcinacio on Mon 25th Sep 2006 16:15 UTC
jcinacio
Member since:
2006-03-12

Here is one way to measure the "security" of a browser:
unpatched vulnerabilities/day

FireFox: 45 x 1 = 45
Opera: 7 x ? = ?
Safari: 12 x 5 = 60
IE: 38 x 9 = 342

Numbers and statistics only show what people want to see.

IE seems to have its bugs fixed much faster (probably an effect of all the bad PR) but still a Good Thing (TM)

Reply Score: 5

RE: Measure security
by dylansmrjones on Mon 25th Sep 2006 16:28 UTC in reply to "Measure security"
dylansmrjones Member since:
2005-10-02

A bit rough, though...

But nice calculations... But each bug should probably be weighed.

Reply Score: 5

RE[2]: Measure security
by ma_d on Mon 25th Sep 2006 19:12 UTC in reply to "RE: Measure security"
ma_d Member since:
2005-06-29

Time should probably be exponential too. One day isn't a big deal, but as the days pile on the threat for the problem to be pandemic increases, I think, exponentially.

Anyone want to propose something else? I just don't think it should be linear.

Reply Score: 2

RE: Measure security
by kadymae on Mon 25th Sep 2006 20:34 UTC in reply to "Measure security"
kadymae Member since:
2005-08-02

FireFox: 45 x 1 = 45
Opera: 7 x ? = ?
Safari: 12 x 5 = 60
IE: 38 x 9 = 342


According to the article, Opera got to the bugs within 2 days.

So 7 x 2 = 14.

Reply Score: 2
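
The exposure metric discussed in the sub-thread above, worked through as an added example (not part of any commenter's post). It uses the bug counts and days-to-patch figures as posted in the thread, with Opera's 2 days taken from the reply; the growth factor of 1.5 and the optional severity weights are assumptions, since the thread gives neither.

```python
"""Exposure scores for the browser figures quoted in the thread (added example)."""

# Figures exactly as posted in the thread: (bugs, average days unpatched).
# Opera's 2 days comes from the reply; the original comment left it as "?".
THREAD_FIGURES = {
    "Firefox": (45, 1),
    "Opera": (7, 2),
    "Safari": (12, 5),
    "IE": (38, 9),
}


def linear_exposure(bugs, days):
    """The original proposal: every unpatched day counts the same."""
    return bugs * days


def compounding_exposure(bugs, days, growth):
    """Non-linear variant suggested in the replies.

    Day d of a bug's exposure window costs growth**(d-1), so one bug open
    for `days` days costs 1 + growth + ... + growth**(days-1).
    `growth` is an assumed parameter; the thread proposes no value.
    """
    if growth < 1:
        raise ValueError("growth must be >= 1")
    if growth == 1:
        return float(bugs * days)  # degenerates to the linear metric
    per_bug = (growth ** days - 1) / (growth - 1)
    return bugs * per_bug


def rank(figures, growth=1.0, severity=None):
    """Return [(browser, score)] sorted from least to most exposed.

    `severity` optionally maps browser -> average per-bug weight (the
    "each bug should be weighed" reply). Hypothetical input: the thread
    gives no severity data, so a missing entry defaults to 1.0.
    """
    severity = severity or {}
    scores = []
    for browser, (bugs, days) in figures.items():
        score = compounding_exposure(bugs, days, growth)
        scores.append((browser, score * severity.get(browser, 1.0)))
    return sorted(scores, key=lambda item: item[1])


def spread(ranking):
    """Ratio between the most and least exposed entries."""
    return ranking[-1][1] / ranking[0][1]


if __name__ == "__main__":
    for growth in (1.0, 1.5):  # 1.5 is an assumed growth factor
        ranking = rank(THREAD_FIGURES, growth)
        print(f"growth={growth}")
        for browser, score in ranking:
            print(f"  {browser:8s}{score:10.1f}")
        print(f"  worst/best ratio: {spread(ranking):.1f}")
```

With these figures the ordering is the same under both variants; what changes is the gap between the best and worst score, which widens from about 24x (linear) to about 163x (growth 1.5).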

So what else is new?
by moleskine on Mon 25th Sep 2006 16:24 UTC
moleskine
Member since:
2005-11-05

Nothing in this life is "safe". You can only get "as safe as can be". Even then, you'd better watch out for grave-robbers after you're gone. Linux + Privoxy + Firefox + NoScript extensions is safe as can be for me.

Article doesn't point out that since IE has a market share north of 80 per cent or so, even a single bug in software with a market this big will have an effect that's likely to be larger than all the bugs in all the other browsers combined. That's why MS needs to be judged by stricter standards than others, imho. After all, they have more money to devote to bug-squashing than all the others combined, too, and yet their patch times are slower than some comparative minnows.

Reply Score: 4

FUD
by vimh on Mon 25th Sep 2006 16:30 UTC
vimh
Member since:
2006-02-04

There are no secure browsers and no secure operating systems. Smash your NIC quick!

How about a report of bugs in Symantec's software offerings?

Reply Score: 5

RE: FUD
by Soulbender on Tue 26th Sep 2006 03:35 UTC in reply to "FUD"
Soulbender Member since:
2005-08-18

"How about a report of bugs in Symantec's software offerings?"

There are no computers able to count that high.

Reply Score: 3

JeffS
Member since:
2005-07-12

The more people use the least secure browser, the more business opportunity for Symantec's anti-virus.

And, by nature of design and how it's implemented (integrated into the OS), Internet Explorer is the least secure browser.

They also want to make sure nobody feels secure using any browser.

Thus, just take what they say with a grain of salt.

Reply Score: 5

Who cares about MS good points?
by eantoranz on Mon 25th Sep 2006 17:12 UTC
eantoranz
Member since:
2005-12-18

[quote]
Microsoft may lag as a browser patcher, but when it comes to operating systems, the company leads the pack, according to Symantec. The slowest? Sun Microsystems.
[/quote]

What was that comment about Microsoft? So when there's a negative point about Microsoft writers have to balance it somehow with a good point????

Reply Score: 3

what matters is how long....
by nalf38 on Mon 25th Sep 2006 17:25 UTC
nalf38
Member since:
2006-09-01

how long it takes to patch those vulnerabilities, and Firefox / Opera kick MS' butt when it comes to that.

Speaking of open source vs. proprietary products, why does anyone need Symantec when there are plenty of free products that do the same thing for Windows users? No stupid yearly fee for updates or anything. FreeAVG is a great AV product, if you don't mind one pop-up every few days. I use ClamWin on my girlfriend's computer and do a nightly scan at 3:30am in the morning every night, and so far her machine is completely virus-free when used in conjunction with the free firewall software (PrevX).

Reply Score: 0

Symantec, a parasite company..
by rakamaka on Mon 25th Sep 2006 17:26 UTC
rakamaka
Member since:
2005-08-12

True, no browser or OS is safe from hackers.
But look who is talking. Symantec is filing anti-trust lawsuit because Vista has in-built security features? Should MS or IE or FF make deliberately unsecure programs, so that parasites like Symantec or McAfee or Norton make millions??
On my XP/debian/PCLOS system, I use FF with following options-->>don't save passwords--don't save forms--clear cache each exit--don't save cookies--no disk cache--no clicks on links in email--no history--no bookmarks
Add to this zonealarm, TOR, avast, adwareSE, spywareblaster, prevex (ALL FREE) and it makes reasonably secured system

Edited 2006-09-25 17:30

Reply Score: 1

dylansmrjones Member since:
2005-10-02

It's a bit bloated. All the applications together could easily collide ;)

I stick with Antivir and Sygate (no longer in development it appears - taken over by Symantec ;) ) - and AdAwareSE Personal...

3 apps - that ought to do it in conjunction with K-Meleon or other Gecko-browsers.

Reply Score: 1

blitze Member since:
2006-09-15

Symantec are like current Governments, they see their irrelevance and thus are spreading FUD to support their existence.

I would have to say that Symantec is one company with IT products I personally shy away from and advise all other people in my business to do as well. I have never seen a network get so easily owned by a trojan as with one that is supposedly "protected" by Symantec products. The only things they have made that are of use to the IT world are SpeedDisk, Ghost, and WinDoctor which when used in combination with another reg cleaning tool can be quite effective.

Their Security Products BLOW.

Reply Score: 2

dylansmrjones Member since:
2005-10-02

Yup. Sygate is good if you still have it, but unfortunately it was ditched by Symantec. They buy competitors and kill them, leaving their poor Symantec product as the survivor.

Anybody with knowledge about other Sygate-like firewalls?

Reply Score: 1

hal2k1 Member since:
2005-11-11

//I stick with Antivir and Sygate (no longer in development it appears - taken over by Symantec ;) ) - and AdAwareSE Personal... //

Not good enough. The computer that my son uses has Windows, Antivir, AdAwareSE Personal and a separate hardware firewall built in to the router, and yet still the machine picked up an infection.

I have advised him to use the dual-boot and run Firefox under Linux to use the Internet.

When the machines boot to Linux, I assign them a different fixed IP to when they boot into Windows. Shortly, I will set filtering rules in the router so that when the machines boot to Windows they have no access to the Internet. That way, my son will only be able to browse the Internet if he boots the machine to Linux.

That will save me a lot of hours from cleaning the Windows machines of infections.

Edited 2006-09-26 01:12

Reply Score: 2

dylansmrjones Member since:
2005-10-02

Didn't Antivir immediately discover the infection?

I've had 1(!) infection in two years, and that one was immediately discovered and promptly removed - and it took only a few minutes to ensure that everything was okay. Of course it helps that I use Thunderbird for mails, and only on Linux.

But usually you won't be infected by viruses unless you use warez. Then of course you must expect to be hit quite often (according to information from secunia and other security related companies).

In your case I assume we're talking about an Error 40 ;)

Edited 2006-09-26 01:22

Reply Score: 2

hal2k1 Member since:
2005-11-11

//Didn't Antivir immediately discover the infection? //

No.

My son reported that every few minutes the browser would open a site that he hadn't asked for. Unsolicited advertising.

I ran Adaware. It told me there was an installation of Look4me on the system. I told Adaware to remove it. Adaware said it had done so. I re-booted.

... Infection still there. Ran Adaware again. Detected again. Removed again, rebooted again ... still there.

Ran Adaware again. Detected again. Removed again, rebooted again ... still there.

That was enough times. I googled Look4me.

http://www.google.com.au/search?q=look4me+virus&start=0&ie=utf-8&oe...

... and found a way to remove it.

The long and the short of it was, the machine got infected, despite the protections I had in place.

It got infected because it was a Windows machine.

Therefore, the cure is, don't use a Windows machine. (That is my own policy anyway, certainly for uses such as Internet banking, but I suppose it isn't as important for a homework and games machine).

PS: there is no warez on the machine.

Edited 2006-09-26 01:50

Reply Score: 1

Caspian Member since:
2006-01-01

This seems like a terrible bandaid to a much bigger problem. Why not teach the kid how to use the internet properly? Why not teach him how to scan for viruses himself?

Reply Score: 2

hal2k1 Member since:
2005-11-11

//This seems like a terrible bandaid to a much bigger problem.//

Au contraire, it is a wonderful fix to the problem. All of the problems, annoyances and costs of Windows disappear. It saves heaps of my time, as well.

//Why not teach the kid how to use the internet properly? Why not teach him how to scan for viruses himself?//

He does use it properly ... in the sense that he uses the machine for what it is intended, in the correct manner. He is not doing a single thing wrong that an ordinary Windows user is not supposed to be doing.

In order to keep my machine clean and working correctly, the thing I have to cure him of is using Windows, not of using the internet. (It turns out in our case, going against the commonly accepted stereotypes, that the father in our case is the savvy PC geek and the kid is the one who asks "how do I use this?").

As Symantec will happily tell you, and to show that I am on topic: "Symantec: 'There Is No Safe Browser'".

http://www.osnews.com/story.php/15965/Symantec-There-Is-No-Safe-Bro...

What they actually mean, of course, (and what they somehow fail to mention) is that there is no safe browser on Windows.

Edited 2006-09-26 06:01

Reply Score: 1

Size Matters
by Sphinx on Mon 25th Sep 2006 17:35 UTC
Sphinx
Member since:
2005-07-09

Unfortunately it's not the number of holes but the,

a) size, (how easy is this to exploit).
b) time, number of days until everybody knows how.
c) vulnerability, how much damage can they do with it.
d) exposure, (rely on the user to do something stupid or is just looking at a page enough).

Reply Score: 2

Everybody Panic
by Zoidberg on Mon 25th Sep 2006 17:42 UTC
Zoidberg
Member since:
2006-02-11

Symantec has been doing a lot of scare mongering lately. I guess the fact that their only source of income is selling security related products may have something to do with it.

Reply Score: 2

I found a secure browser
by eosp on Mon 25th Sep 2006 18:08 UTC
eosp
Member since:
2005-07-07

$ nc www.osnews.com 80
GET / HTTP/1.1
Host: www.osnews.com

...

Reply Score: 5

FUD
by xeniast on Mon 25th Sep 2006 18:49 UTC
xeniast
Member since:
2006-02-04

This is FUD

If a browser has root access it is a problem.

IIIIIIIIIIIEEEEEEEEEEEEEEEE

Reply Score: 2

RE: FUD
by sappyvcv on Mon 25th Sep 2006 19:13 UTC in reply to "FUD "
sappyvcv Member since:
2005-07-06

What's that have to do with IE?

Any browser on windows, run under admin, has "root" access. This includes Firefox.

Reply Score: 4

RE[2]: FUD
by hal2k1 on Tue 26th Sep 2006 00:58 UTC in reply to "RE: FUD "
hal2k1 Member since:
2005-11-11

//Any browser on windows, run under admin, has "root" access. This includes Firefox.//

Agreed. The real problem is Windows.

//What's that have to do with IE?//

IE is part of Windows. IE is therefore part of the real problem.

To be secure on the web, one solution is to run Firefox under Linux.

Edited 2006-09-26 01:12

Reply Score: 1

RE[3]: FUD
by sappyvcv on Tue 26th Sep 2006 02:51 UTC in reply to "RE[2]: FUD "
sappyvcv Member since:
2005-07-06

No, it has nothing to do with IE.

I use Opera on Windows and I'm just fine.

Reply Score: 2

RE[4]: FUD
by hal2k1 on Tue 26th Sep 2006 03:01 UTC in reply to "RE[3]: FUD "
hal2k1 Member since:
2005-11-11

//No, it has nothing to do with IE.

I use Opera on Windows and I'm just fine.//

The point is, most users are not fine. With every "protection" there is available, Windows still gets infected.

Most of the so-called "protection" available isn't really protection at all ... it is merely detection of infections after the event.

Microsoft have consistently refused to fix the real problem - that being that Windows will execute stuff that it has no idea about where it came from, and that has not been given permissions to execute by any local user of the machine at all (let alone an admin).

That is why using Windows is a risk of infection. Using Opera won't save you.

For example, this one:

http://www.eweek.com/article2/0,1895,2017620,00.asp

... is a very recent malware attack on a zero-day exploit in VML on Windows.

Being fully patched and firewalled won't save you.

Not using Windows will save you, however.

Edited 2006-09-26 03:12

Reply Score: 0

RE[5]: FUD
by sappyvcv on Tue 26th Sep 2006 03:59 UTC in reply to "RE[4]: FUD "
sappyvcv Member since:
2005-07-06

.. How exactly am I vulnerable to an IE EXPLOIT while using Opera?

Also, not using Windows won't "save" you. At most, it'll decrease risk.

Reply Score: 2

RE[6]: FUD
by hal2k1 on Tue 26th Sep 2006 04:19 UTC in reply to "RE[5]: FUD "
hal2k1 Member since:
2005-11-11

//.. How exactly am I vulnerable to an IE EXPLOIT while using Opera? //

That particular exploit may not affect you. There are many that will.

As said by another poster: "The sheer amount of viruses in the wild means that, no matter how careful you are or how much you think you know, at some point you're going to receive one in an email or a drive-by download on a website."

... or even on a CD you purchased from a reputable company.

... and Windows will happily execute it for you without question.

//Also, not using Windows won't "save" you. At most, it'll decrease risk.//

There are no known active self-propagating malware programs out there, in the wild, ever detected for my particular combination of Firefox running under Linux. Especially since I install on this system only software from open-source repositories.

At this time, not using Windows in this particular way reduces the known risk to zero.

Edited 2006-09-26 04:29

Reply Score: 1

RE[7]: FUD
by sappyvcv on Tue 26th Sep 2006 04:42 UTC in reply to "RE[6]: FUD "
sappyvcv Member since:
2005-07-06

"That particular exploit may not affect you. There are many that will."

Then don't say the below, ffs:

"Using Opera won't save you.

For example, this one:

http://www.eweek.com/article2/0,1895,2017620,00.asp

... is a very recent malware attack on a zero-day exploit in VML on Windows.

Being fully patched and firewalled won't save you."


Edited 2006-09-26 04:43

Reply Score: 2

Opera, Konqueror?
by Joe User on Mon 25th Sep 2006 19:41 UTC
Joe User
Member since:
2005-06-29

Have they heard of Opera or Konqueror?

Aren't those pretty secure?

Reply Score: 1

Re: Who cares about MS good points?
by GregV on Mon 25th Sep 2006 20:19 UTC
GregV
Member since:
2005-07-06


[quote]
Microsoft may lag as a browser patcher, but when it comes to operating systems, the company leads the pack, according to Symantec. The slowest? Sun Microsystems.
[/quote]

What was that comment about Microsoft? So when there's a negative point about Microsoft writers have to balance it somehow with a good point????


I don’t think that is the case. There are many in the IT security industries who praise the use of alternatives because of the problems Microsoft has with their products. I think, in this situation, Symantec simply wanted to show that while Microsoft may slack in the Internet Explorer area, they at least attempt to patch problems in Windows. That’s what I got out of that statement.

Concerning the subject line; I, personally, do care about Microsoft’s good points. It shows that they are a corporation that takes, some, accountability for their products.

By the way, that was an awfully loaded statement.

Reply Score: 1

It's perfectly simple
by mwh7174 on Mon 25th Sep 2006 23:38 UTC
mwh7174
Member since:
2006-09-20

Perfectly simple for me - I run Firefox as an ordinary user under Linux for all my important browsing (internet banking etc). Even if there is a vulnerability it won't go far. And I know exactly what's running on my system, and being Linux there's no spyware, trojans. I also sit behind an ADSL router. Symantec are just scare mongering.

Reply Score: 2

Miscellaneous Rambings
by elsewhere on Tue 26th Sep 2006 03:45 UTC
elsewhere
Member since:
2005-07-13

Sigh. Too many posts to reply to.

* No browser is secure. If you're exchanging data with a server on the internet you're at risk. There's a reason the term "zero-day exploit" exists. It's basically a reference to the people who think their balls are big enough to run on an unsecured internet connection without any precautions, because they "know what they're doing". It's a similar argument to the people who drive without a seatbelt because they consider themselves to be a safe driver.

* People who think they are secure because they don't have open ports on their firewall need to backtrack and notice that sign on the wall that said "Welcome to the 21st century". Obviously they missed it. Vulnerabilities are a little more sophisticated now than script kiddies trying to ping your open ports.

* Anti-virus software is obsolete and ineffective, but it's still reckless to run a Windows system without it (whether on the client or the gateway). The sheer amount of viruses in the wild means that, no matter how careful you are or how much you think you know, at some point you're going to receive one in an email or a drive-by download on a website. Why play the odds?

* *nix and OS X users think they're immune to viruses, and they're right, only in the sense that none exist in significant volumes yet. But their day will come.

* Symantec Anti-Virus is malicious software. It embeds itself in your system, it uses undocumented hooks that cause incompatibility with other applications, causes system instability, it extorts money out of you and it very often requires a utility to properly remove. It sucks and I consider the fact that HP and Dell preinstall it on new systems to have far more of a damaging effect on consumers than anything MS ever did with IE.

* XP is a reasonably secure OS as long as you keep up with the updates, but IE6 is a black hole at this point. I've been running the IE7 beta on all of the Win systems I have to use, and it's not bad. It's actually interfered with things I take for granted in the name of security, like using intranet services or ssl for my local firewall appliance. I consider that a good thing.

Reply Score: 2

RE: Miscellaneous Rambings
by hal2k1 on Tue 26th Sep 2006 04:28 UTC in reply to "Miscellaneous Rambings"
hal2k1 Member since:
2005-11-11

//* *nix and OS X users think they're immune to viruses, and they're right, only in the sense that none exist in significant volumes yet. But their day will come. //

Debatable. Very, very debatable.

How is a virus going to propagate past the "execute permissions" roadblock? People have been trying for years to design a virus to get past that, and their success is measured by the fact that none exist in the wild.

Also, how is malware going to "trojan" its way on to a system where the policy is "install only from open source repositories"?

There is a strong case to be made for a claim that the virus and malware situation with Linux and OSX will never ever get anywhere near the plague proportions it is on Windows, regardless of how popular either of those operating systems eventually become.

Reply Score: 2

RE: Miscellaneous Rambings
by netpython on Tue 26th Sep 2006 04:41 UTC in reply to "Miscellaneous Rambings"
netpython Member since:
2005-07-06

"* *nix and OS X users think they're immune to viruses, and they're right, only in the sense that none exist in significant volumes yet. But their day will come."

Except that on *nix file suffixes don't mean anything. You have to specifically chmod + <..>.

Except that with linux it's possible to make a SELinux policy for firefox or to simply add an AppArmor policy or patch the kernel with exec-shield,grsecurity,PAX,RSBAC,etc

Can you harden and compile your windows kernel?

Reply Score: 3

no safe anything
by poundsmack on Tue 26th Sep 2006 10:15 UTC
poundsmack
Member since:
2005-07-13

The only safe browser is one installed on a computer that has no internet connection. Once you log into the net you expose yourself to the unknown and thus relinquish your complete control of your system. Coders and hackers are good, when they want to find a bug, a hole, they can and they will. Until you unplug the cord. The safest browser is not a specific one. It is one that a user has been properly trained on responsible web browsing.

Reply Score: 2