Hackers are hitting paydirt in their search for browser bugs. According to Symantec’s twice-yearly Internet Security Threat Report, hackers found 47 bugs in Mozilla’s open-source browsers and 38 bugs in Internet Explorer during the first six months of this year. That’s up significantly from the 17 Mozilla and 25 IE bugs found in the previous six months. Even Apple’s Safari browser saw its bugs double, jumping from six in the last half of 2005 to 12 in the first half of 2006. Opera was the only browser tracked by Symantec that saw the number of vulnerabilities decline, but not by much. Opera bugs dropped from nine to seven during the period.
And we all know Symantec Corporation is the pinnacle of objective reporting.
/sarcasm.
I was about to say that Lynx is pretty secure, but it too seems to have had two reported vulnerabilities in the last three years:
http://secunia.com/product/5883/?task=advisories
Not as much as the “major browsers”, but then again, you simply cannot run JavaScript, Flash, Java, or other harmful technologies!
I was thinking much the same for my favorite browser for viewing text only pages and for fast downloads.
NetPositive is fast, simple and without all those flashly (pun intended) techs that seem to get in the way of getting at the raw info you want. I am sure a hacker can crash the browser, crashing the stack is meaningless as I can restart it with two mouseclicks. Running a zombie program thru NetPositive – not going to happen.
Fewest bugs, very quick response when it comes to patching, it’s Opera for me. (Except for right now, when circumstances force me to use Firefox.)
It’s obvious that there will be more bugs found in an open source browser like Firefox, because the source is available for everyone to analyze. But that doesn’t make it the most vulnerable. There are certainly lots of bugs to be found in IE, and that those vulnerabilities aren’t published doesn’t mean they aren’t there. Some cracker may already know about undiscovered (by security researchers) bugs and plan to use (or is already using) them for his own benefit.
Enter Symantec. They provide security software for all of us intrepid web surfers. If we use a rather secure browser, we don’t need Symantec products (other free products may suffice). So they will tell you all browsers are insecure and you need antivirus & antispyware, even if you don’t. Because if you use Firefox and with time it gets secure enough, why would you use their antivirus? Most web shit gets in your pc by way of IE and OE. With Firefox and Thunderbird you are more secure than before, and with a little care you don’t need an antivirus.
When I read about the European Commission(?) warning Microsoft to not block these anti-ms-bugs firms out, I got puzzled. If Microsoft was able to produce a secure OS, what would they do? What if Windows got rid of virus and their firewall (or services disabled) worked as it should (and all the ports were documented)?
They created the business for these companies, what now? Aren’t they cornered?
Edited 2006-09-25 16:27
They could prevent the flaws in code before it gets to the wild, and they can offer patches through Windows Update, without adding a new UI blatantly designed to compete against these other companies.
Which are probably a sore-point for MS, in that they even exist, in the first place. Companies who exist for no other reason than your product is flawed. :S
If you’re on a Windows box and have an active connection to the Internet, you need some form of active AV. Period.
The question is, signatures on the AV are added _after_ the virus is spread, what is an AV worth by then?
That’s why I can’t understand how users permitted MS to get here… Marketing throwing sand on people’s eyes…
Same thing it’s always been worth. Namely reducing your risk of being screwed over if you weren’t one of the people initially infected and, more importantly from where I’m sitting, making you less of a liability to the rest of the net.
If you’re not going to get laid, why bother buying condoms? I don’t understand this…if I’m never going to drive in the snow, should I get snow tires anyway?
I think the grandpa post talked about an active internet connection. So if you’re never going to connect said computer to the net (i.e., never get laid), don’t bother with the AV.
Dude! Don’t you know? There is no safe condom! Security is an illusion, but death is certain. Sorry to be the bearer of bad news, but IMHO your condom analogy was in poor taste. There’s been too many victims to the HIV epidemic who had condoms fail them. I can’t have it on my conscience, that I didn’t stop to warn you. In life, numbers do count.
Being in a committed relationship for 4 years, I have no concern about it. Maybe in the future, but I won’t be concerned until I am in a situation where I actually have to worry about STDs.
My point was not in poor taste. I wasn’t even referring to the “viral” nature of sex, but that if you are not having sex, then condoms really aren’t necessary. I can see where, in hindsight, it was probably a poor choice. I apologize.
If you’re on a Windows box and have an active connection to the Internet, you need some form of active AV. Period.
This is BS. Viruses don’t just hop onto your machine at random over the internet. With a hardware firewall and safe browsing habits you can reduce your virus infection risk to near zero. If you have a teenager clicking on every link on everyone’s myspace crapsite however.. no amount of AV software is too much.
AV software slows machines and makes them buggy and prone to crashing. For a lot of people the solution is worse than the problem.
Yes, because we all know exploits that require no user interaction to do their damage simply do not exist. Certainly not in applications that you would allow through your firewall.
What is it with people and bitter sarcasm lately? I need to find an internet that doesn’t let obnoxious kids on.
My point is this… those exploits that require user interaction.. they require the user to interact with them. Don’t. Avoid risky browsing, especially with IE. Most of the people I know can manage to do it. If you can’t, go ahead and load your machine up with AV software and cross your fingers and hope that it works.
Don’t fool yourself into thinking that without AV you aren’t safe and that with AV you are. Anti-Virus software doesn’t make you safe, it just makes risky behavior less risky. It’s like having a parachute when you are flying.. it’s only useful if you plan to jump out of the plane and it doesn’t make jumping out safe, just safer.
If your computer’s security involves detecting when your computer gets infected and reacting to it.. it’s not really secure, is it?
Edited 2006-09-25 18:13
Valid points.
I’ll agree AV shouldn’t be your only line of defense, not by a long shot. That said, not engaging in known risky behavior isn’t much of an excuse for not keeping prophylactic measures around just in case.
Wow, I guess all my windows boxes must be infected with loads and loads of malware, virii, and worms by now… considering how many years they’ve been running 24×7 (with many many reboots of course) on an “active” internet connection with absolutely NO “active” AV software running…
yes, I occasionally scan them using something like BitDefender – and anti-spyware programs like Spybot S&D or AdAware – but I pretty much NEVER find anything… as I would expect.
I will point out that prior to switching to Firefox, I found that my wife and relatives that came to my house and used my computer tended to install a LOT more crapware “activex” controls (mostly commercial garbage) than they do now… I feel a lot safer leaving my machines “at the mercy of my family” than I ever did before.
I despise commercial “security software” as it is truly the worst thing that happens to new store-bought computers as soon as they’re turned on for the first time.
I will point out that prior to switching to Firefox, I found that my wife and relatives that came to my house and used my computer tended to install a LOT more crapware “activex” controls (mostly commercial garbage) than they do now… I feel a lot safer leaving my machines “at the mercy of my family” than I ever did before.
Give them user accounts. Don’t run as admin. Then the worst they can do is muck up their user accounts which you can just delete. Then you can scold them about not being morons and give them a new fresh account to try again.
Furthermore they are less likely to even muck up their user account because most malware and unnecessary installations will stop dead in their tracks when they can’t write to any system directories.
I am not sure that is true. Even Windows can be set up so that it automatically restores from a protected image of the working hard drive. In that case no virus can damage the system.
And what about a Windows CE system with all the software in ROM? You probably could mess up some data files, but active virus will not survive a power cycle.
here is one way to measure the “security” of a browser:
unpatched vulnerabilities/day
FireFox: 45 x 1 = 45
Opera: 7 x ? = ?
Safari: 12 x 5 = 60
IE: 38 x 9 = 342
Numbers and statistics only show what people want to see.
IE seems to have its bugs fixed much faster (probably an effect of all the bad PR) but still a Good Thing (TM)
A bit rough, though…
But nice calculations… But each bug should probably be weighed.
Time should probably be exponential too. One day isn’t a big deal, but as the days pile on the threat for the problem to be pandemic increases, I think, exponentially.
Anyone want to propose something else? I just don’t think it should be linear.
FireFox: 45 x 1 = 45
Opera: 7 x ? = ?
Safari: 12 x 5 = 60
IE: 38 x 9 = 342
According to the article, Opera got to the bugs within 2 days.
So 7 x 2 = 14.
Nothing in this life is “safe”. You can only get “as safe as can be”. Even then, you’d better watch out for grave-robbers after you’re gone. Linux + Privoxy + Firefox + NoScript extensions is safe as can be for me.
Article doesn’t point out that since IE has a market share north of 80 per cent or so, even a single bug in software with a market this big will have an effect that’s likely to be larger than all the bugs in all the other browsers combined. That’s why MS needs to be judged by stricter standards than others, imho. After all, they have more money to devote to bug-squashing than all the others combined, too, and yet their patch times are slower than some comparative minnows.
There are no secure browsers and no secure operating systems. Smash your NIC quick!
How about a report of bugs in Symantec’s software offerings?
“How about a report of bugs in Symantec’s software offerings?”
There are no computers able to count that high.
The more people use the least secure browser, the more business opportunity for Symantec’s anti-virus.
And, by nature of design and how it’s implemented (integrated into the OS), Internet Explorer is the least secure browser.
They also want to make sure nobody feels secure using any browser.
Thus, just take what they say with a grain of salt.
[quote]
Microsoft may lag as a browser patcher, but when it comes to operating systems, the company leads the pack, according to Symantec. The slowest? Sun Microsystems.
[/quote]
What was that comment about Microsoft? So when there’s a negative point about Microsoft writers have to balance it somehow with a good point????
how long it takes to patch those vulnerabilities, and Firefox / Opera kick MS’ butt when it comes to that.
Speaking of open source vs. proprietary products, why does anyone need Symantec when there are plenty of free products that do the same thing for Windows users? No stupid yearly fee for updates or anything. FreeAVG is a great AV product, if you don’t mind one pop-up every few days. I use ClamWin on my girlfriend’s computer and do a nightly scan at 3:30am in the morning every night, and so far her machine is completely virus-free when used in conjunction with the free firewall software (PrevX).
True, no browser or OS is safe or from hackers.
But look who is talking. Symantec is filing an anti-trust lawsuit because Vista has in-built security features? Should MS or IE or FF make deliberately insecure programs, so that parasites like Symantec or McAfee or Norton make millions??
On my XP/Debian/PCLOS system, I use FF with the following options–>>don’t save passwords–don’t save forms–clear cache each exit–don’t save cookies–no disk cache–no clicks on links in email–no history–no bookmarks
Add to this ZoneAlarm, TOR, Avast, AdAwareSE, SpywareBlaster, Prevx (ALL FREE) and it makes a reasonably secured system
Edited 2006-09-25 17:30
It’s a bit bloated. All the applications together could easily collide
I stick with Antivir and Sygate (no longer in development it appears – taken over by Symantec ) – and AdAwareSE Personal…
3 apps – that ought to do it in conjunction with K-Meleon or other Gecko-browsers.
Symantec are like current Governments, they see their irrelevance and thus are spreading FUD to support their existence.
I would have to say that Symantec is one company with IT products I personally shy away from and advise all other people in my business to do as well. I have never seen a network get so easily owned by a trojan as with one that is supposedly “protected” by Symantec products. The only things they have made that are of use to the IT world are SpeedDisk, Ghost, and WinDoctor which when used in combination with another reg cleaning tool can be quite effective.
Their Security Products BLOW.
Yup. Sygate is good if you still have it, but unfortunately it was ditched by Symantec. They buy competitors and kill them, leaving their poor Symantec product as the survivor.
Anybody with knowledge about other Sygate-like firewalls?
//I stick with Antivir and Sygate (no longer in development it appears – taken over by Symantec ) – and AdAwareSE Personal… //
Not good enough. The computer that my son uses has Windows, Antivir, AdAwareSE Personal and a separate hardware firewall built in to the router, and yet still the machine picked up an infection.
I have advised him to use the dual-boot and run Firefox under Linux to use the Internet.
When the machines boot to Linux, I assign them a different fixed IP to when they boot into Windows. Shortly, I will set filtering rules in the router so that when the machines boot to Windows they have no access to the Internet. That way, my son will only be able to browse the Internet if he boots the machine to Linux.
That will save me a lot of hours from cleaning the Windows machines of infections.
Edited 2006-09-26 01:12
Didn’t Antivir immediately discover the infection?
I’ve had 1(!) infection in two years, and that one was immediately discovered and promptly removed – and it took only a few minutes to ensure that everything was okay. Of course it helps that I use Thunderbird for mails, and only on Linux.
But usually you won’t be infected by viruses unless you use warez. Then of course you must expect to be hit quite often (according to information from secunia and other security related companies).
In your case I assume we’re talking about an Error 40
Edited 2006-09-26 01:22
//Didn’t Antivir immediately discover the infection? //
No.
My son reported that every few minutes the browser would open a site that he hadn’t asked for. Unsolicited advertising.
I ran Adaware. It told me there was an installation of Look4me on the system. I told Adaware to remove it. Adaware said it had done so. I re-booted.
… Infection still there. Ran Adaware again. Detected again. Removed again, rebooted again … still there.
Ran Adaware again. Detected again. Removed again, rebooted again … still there.
That was enough times. I googled Look4me.
http://www.google.com.au/search?q=look4me+virus&start=0&ie=utf-8&oe…
… and found a way to remove it.
The long and the short of it was, the machine got infected, despite the protections I had in place.
It got infected because it was a Windows machine.
Therefore, the cure is, don’t use a Windows machine. (That is my own policy anyway, certainly for uses such as Internet banking, but I suppose it isn’t as important for a homework and games machine).
PS: there is no warez on the machine.
Edited 2006-09-26 01:50
This seems like a terrible bandaid to a much bigger problem. Why not teach the kid how to use the internet properly? Why not teach him how to scan for viruses himself?
//This seems like a terrible bandaid to a much bigger problem.//
Au contraire, it is a wonderful fix to the problem. All of the problems, annoyances and costs of Windows disappear. It saves heaps of my time, as well.
//Why not teach the kid how to use the internet properly? Why not teach him how to scan for viruses himself?//
He does use it properly … in the sense that he uses the machine for what it is intended, in the correct manner. He is not doing a single thing wrong that an ordinary Windows user is not supposed to be doing.
In order to keep my machine clean and working correctly, the thing I have to cure him of is using Windows, not of using the internet. (It turns out in our case, going against the commonly accepted stereotypes, that the father in our case is the savvy PC geek and the kid is the one who asks “how do I use this?”).
As Symantec will happily tell you, and to show that I am on topic: “Symantec: ‘There Is No Safe Browser'”.
http://www.osnews.com/story.php/15965/Symantec-There-Is-No-Safe-Bro…
What they actually mean, of course, (and what they somehow fail to mention) is that there is no safe browser on Windows.
Edited 2006-09-26 06:01
Unfortunately it’s not the number of holes but the,
a) size, (how easy is this to exploit).
b) time, number of days until everybody knows how.
c) vulnerability, how much damage can they do with it.
d) exposure, (rely on the user to do something stupid or is just looking at a page enough).
Symantec has been doing a lot of scare mongering lately. I guess the fact that their only source of income is selling security related products may have something to do with it.
$ nc www.osnews.com 80
GET / HTTP/1.1
Host: www.osnews.com
…
This is FUD
If a browser has root access it is a problem.
IIIIIIIIIIIEEEEEEEEEEEEEEEE
What’s that have to do with IE?
Any browser on windows, run under admin, has “root” access. This includes Firefox.
//Any browser on windows, run under admin, has “root” access. This includes Firefox.//
Agreed. The real problem is Windows.
//What’s that have to do with IE?//
IE is part of Windows. IE is therefore part of the real problem.
To be secure on the web, one solution is to run Firefox under Linux.
Edited 2006-09-26 01:12
No, it has nothing to do with IE.
I use Opera on Windows and I’m just fine.
//No, it has nothing to do with IE.
I use Opera on Windows and I’m just fine.//
The point is, most users are not fine. With every “protection” there is available, Windows still gets infected.
Most of the so-called “protection” available isn’t really protection at all … it is merely detection of infections after the event.
Microsoft have consistently refused to fix the real problem – that being that Windows will execute stuff that it has no idea about where it came from, and that has not been given permissions to execute by any local user of the machine at all (let alone an admin).
That is why using Windows is a risk of infection. Using Opera won’t save you.
For example, this one:
http://www.eweek.com/article2/0,1895,2017620,00.asp
… is a very recent malware attack on a zero-day exploit in VML on Windows.
Being fully patched and firewalled won’t save you.
Not using Windows will save you, however.
Edited 2006-09-26 03:12
.. How exactly am I vulnerable to an IE EXPLOIT while using Opera?
Also, not using Windows won’t “save” you. At most, it’ll decrease risk.
//.. How exactly am I vulnerable to an IE EXPLOIT while using Opera? //
That particular exploit may not affect you. There are many that will.
As said by another poster: “The sheer amount of viruses in the wild means that, no matter how careful you are or how much you think you know, at some point you’re going to receive one in an email or a drive-by download on a website.”
… or even on a CD you purchased from a reputable company.
… and Windows will happily execute it for you without question.
//Also, not using Windows won’t “save” you. At most, it’ll decrease risk.//
There are no known active self-propagating malware programs out there, in the wild, ever detected for my particular combination of Firefox running under Linux. Especially since I install on this system only software from open-source repositories.
At this time, not using Windows in this particular way reduces the known risk to zero.
Edited 2006-09-26 04:29
“That particular exploit may not affect you. There are many that will.”
Then don’t say the below, ffs:
“Using Opera won’t save you.
For example, this one:
http://www.eweek.com/article2/0,1895,2017620,00.asp
… is a very recent malware attack on a zero-day exploit in VML on Windows.
Being fully patched and firewalled won’t save you.”
Edited 2006-09-26 04:43
“Then don’t say the below, ffs:”
Why on earth not, ffs?
You do realise that IE is an inextricable part of Windows, and that the bulk of it is unavoidably pre-loaded each time you start Windows?
You could well fall to an IE exploit on Windows even if you do run Opera to browse the web.
What part of “that exploit is an IE exploit not windows” do you fail to understand?
What part of “IE is integrated into the very core of Windows” do you not understand?
As others have already stated, but I figured I’d add my two cents…
Symantec’s products themselves are crap. They are almost as bad as the viruses themselves. Most any virus will first disable Symantec’s anti-virus anyhow, so that it can’t perform updates.
I use Avast Anti-virus and Kerio Firewall and they do the trick nicely. In fact Avast will even catch spyware, and provides resident protection (otherwise it sits there in memory and if a virus does somehow get through the firewall, it usually will catch it and delete or quarantine). Not to mention it only takes 30 seconds most of the time to update the virus definitions, whereas I’ve seen Norton’s take at least 15 minutes.
Avast is also free for home use. You only need to register it once a year or so. Corporate use is another thing, but the features it has for a corporate server are very nice indeed (It’ll download all virus definitions then push it out to all the client software, so that each workstation doesn’t have to run updates.)
For those that don’t remember, before SP2 was released that actually had the Windows Firewall enabled by default, you could have your computer connected to the net for a day, and you’d have a virus (I know, a friend’s eMachine was infected, and all she had done was go to msn.com to check her email.)
Ok, let’s try this again.
The exploit DOES NOT AFFECT YOU IF YOU DO NOT USE IE.
Do you get it yet?
//Ok, let’s try this again.
The exploit DOES NOT AFFECT YOU IF YOU DO NOT USE IE.
Do you get it yet?//
Ok, let’s try this again.
“There is No Safe Browser” (if you are using Windows to browse the internet).
Do you get it yet?
How does that contradict what I said? It doesn’t.
What are you not understanding here?
//What part of “that exploit is an IE exploit not windows” do you fail to understand?//
What part of “that particular exploit may not be a problem if you don’t use the GUI part of IE (the non-GUI part you have no choice about using), however there are many other unpatched exploits out there that would still be a problem for anyone using Windows to browse the internet” did you fail to understand?
As poster leech put it (far more succinctly than I): ‘What part of “IE is integrated into the very core of Windows” do you not understand?’
What part of “the majority of people using Windows to browse the internet also use IE” did you fail to understand?
What part of Symantec’s comment “There is No Safe Browser” (they meant on Windows even if they didn’t actually say that) did you fail to understand?
What part of “no browser is a problem if you run it on an OS other than Windows” did you fail to understand? (1 possible exception – IE on Linux under wine).
Edited 2006-09-26 22:50
Wow, I can’t believe you still don’t get it. You’re making other points that I NEVER ADDRESSED in response to your post. I was simply pointing out that you worded your response like someone using Opera instead of IE is vulnerable to that exploit, which is not true.
THAT IS IT. NOTHING MORE.
//Wow, I can’t believe you still don’t get it. You’re making other points that I NEVER ADDRESSED in response to your post. I was simply pointing out that you worded your response like someone using Opera instead of IE is vulnerable to that exploit, which is not true. //
You haven’t shown that this is the case, you have just stated it is so. You utterly ignore the point that most of IE is still running as part of Windows, even if you use Opera as your browser. You utterly ignore that (most of) IE is a core part of the Windows OS which is running all the time.
I pointed at just one exploit that was a recent problem. It happens to be a problem for IE, most of which runs when you are just using Windows (even without any IE window open). In any event, even if using Opera on Windows means that you are not vulnerable to that one particular exploit has very little to do with the thread topic, which is a claim by Symantec that ‘There Is No Safe Browser’ (they mean on Windows).
Ok, one last time I will try to explain.
You: “In any event, even if using Opera on Windows means that you are not vulnerable to that one particular exploit has very little to do with the thread topic”
Maybe not, but read what part of your post I had originally addressed again. Look again:
You: “Using Opera won’t save you.
For example, this one:
http://www.eweek.com/article2/0,1895,2017620,00.asp
… is a very recent malware attack on a zero-day exploit in VML on Windows.
Being fully patched and firewalled won’t save you.”
I was RIGHTLY pointing out that that particular exploit was an IE ONLY exploit and WILL NOT AFFECT YOU IF YOU RUN OPERA INSTEAD OF IE. Because you brought up Opera not “saving” you, then an IE exploit. The burden of proof is on you to prove that Opera is vulnerable as well. I was simply pointing out an error in your post, and you seemed to be unable to just accept that and move on, but instead launch into a tirade of a response to me that had nothing to do with what I had pointed out.
//I was RIGHTLY pointing out that that particular exploit was an IE ONLY exploit and WILL NOT AFFECT YOU IF YOU RUN OPERA INSTEAD OF IE. Because you brought up Opera not “saving” you, then an IE exploit. The burden of proof is on you to prove that Opera is vulnerable as well. I was simply pointing out an error in your post, and you seemed to be unable to just accept that and move on, but instead launch into a tirade of a response to me that had nothing to do with what I had pointed out.//
No. You have not pointed out any such a thing. In response, I pointed out to you that the bulk of IE is running on a Windows system, even if you are using only Opera to browse the web. You might think you are using Opera and not IE, but you aren’t. You are running both. The only part of IE that you are not running is the IE GUI.
So now, the burden is on you to demonstrate that the particular IE vulnerability in question is constrained to that small part of IE which is not running if you don’t have the IE GUI open.
If the vulnerability is in that part of IE which is at the core of Windows, then indeed, even for the specific vulnerability mentioned, you are not saved from it by running Opera, if you happen to have IE on the system (which nearly every installation of Windows does have).
It is still very much a strong probability if you are running Windows that “Using Opera will not save you” even for this particular vulnerability. And indeed, in a more general sense, as Symantec pointed out, against the general run of Windows and/or IE vulnerabilities “Using Opera will not save you”.
//The burden of proof is on you to prove that Opera is vulnerable as well.//
I make no claim that Opera is vulnerable. The claim is only that Windows is vulnerable (specifically the part of Windows that is called IE), and you are probably running the code that is vulnerable even if you think you are using Opera to browse the web.
As poster leech put it: ‘What part of “IE is integrated into the very core of Windows” do you not understand?’
You seem to be unable to just accept that fact and move on.
Edited 2006-09-27 04:22
No. You have not pointed out any such a thing.
Yes I did. End of conversation.
//Yes I did. End of conversation.//
Pfft. No you didn’t. You are like the ostrich with your head in the sand.
Here, try a little experiment for me. Start Windows with no other applications running.
Double click on “My Computer”. In the address bar, type in “C:” … OK? Leave that window open.
Now open up IE. In the address bar, type in “C:” … OK? Wow, are we seeing double, or what?
Conclusion: IE is embedded into the core of the Windows OS.
Further to that – most vulnerabilities to IE are exposed to attack merely through running the Windows OS. If you are running a browser on Windows (any browser at all) and are accepting data from the web, then you are exposed to vulnerabilities.
First, all that illustrates is that Explorer and IE share some components. What does the “core” mean anyways?
Since you are so dense, let me try to explain it to you in more detail.
Point 1: Read the article. A quote from a security expert on the exploit: “He said the exploit can be mitigated by turning off JavaScript in the browser.” This illustrates that the exploit is somewhere within the javascript component of IE. JS is available in windows via the Windows Scripting Host (WSH), which a program has to actively implement to use.
Point 2: IE has components which are included in windows and usable by third party applications. This includes the rendering engine (mshtml.dll/shdocvw.dll), certain “shell” APIs, the Windows Scripting Host, etc. You must EXPLICITLY include these in your application to be vulnerable to any exploits contained within them.
Point 3: Opera is cross-platform and thus uses only what it needs on the host OS. In the case of Windows, they use very few of these components. I’m pretty sure they use some of the “Shell” APIs (which is a misleading name, because some of the functions are simply file functions).
Point 4: Opera does NOT make use of the Windows Scripting Host (this can be verified through a number of programs such as Dependency Walker), which is where the exploit you linked is contained. It is not implicitly included either. Therefore, simply using Opera does not expose you to this vulnerability.
Do you understand this or should I go into further detail?
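The static-dependency check described in Point 4, as an added example (not code from the thread or from any of the products named). It parses the import directory of a PE file and reports which of the IE component DLLs named in Point 2 are linked at build time; `build_sample` and its sample images are constructed for illustration. Only the static import table is read, so libraries loaded at run time (LoadLibrary, COM activation, delay-load) do not appear in the result.

```python
import struct

# DLL names the comment above lists as IE components shipped with Windows.
IE_COMPONENTS = {"mshtml.dll", "shdocvw.dll"}


def _cstr(data, off):
    """Read a NUL-terminated ASCII string starting at file offset off."""
    return data[off:data.index(b"\x00", off)].decode("ascii", "replace")


def static_imports(data):
    """Return the DLL names in a PE image's import directory, lower-cased."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]           # e_lfanew
    if data[pe:pe + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    nsect = struct.unpack_from("<H", data, pe + 6)[0]      # NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]  # SizeOfOptionalHeader
    opt = pe + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:        # PE32
        dirs = opt + 96
    elif magic == 0x20B:      # PE32+
        dirs = opt + 112
    else:
        raise ValueError("unknown optional header magic")
    if struct.unpack_from("<I", data, dirs - 4)[0] < 2:    # NumberOfRvaAndSizes
        return []
    imp_rva = struct.unpack_from("<I", data, dirs + 8)[0]  # directory entry 1
    if imp_rva == 0:
        return []

    # Section table, used to translate RVAs into file offsets.
    sections = []
    for i in range(nsect):
        vsize, vaddr, rsize, rptr = struct.unpack_from(
            "<IIII", data, opt + opt_size + 40 * i + 8)
        sections.append((vaddr, max(vsize, rsize), rptr))

    def rva_to_off(rva):
        for vaddr, size, rptr in sections:
            if vaddr <= rva < vaddr + size:
                return rptr + (rva - vaddr)
        raise ValueError("RVA 0x%x is outside every section" % rva)

    names, off = [], rva_to_off(imp_rva)
    while True:
        desc = struct.unpack_from("<IIIII", data, off)     # 20-byte descriptor
        if not any(desc):                                   # all-zero terminator
            break
        names.append(_cstr(data, rva_to_off(desc[3])).lower())  # Name RVA
        off += 20
    return names


def ie_components_linked(data):
    """IE component DLLs that appear in the static import table."""
    return sorted(IE_COMPONENTS.intersection(static_imports(data)))


def build_sample(dll_names):
    """Constructed sample: a PE32 header plus one section that holds only an
    import directory. It is enough for the parser above and is not loadable."""
    sec_rva, sec_off = 0x1000, 0x200
    table = 20 * (len(dll_names) + 1)
    descs, strings, pos = b"", b"", table
    for name in dll_names:
        descs += struct.pack("<IIIII", 0, 0, 0, sec_rva + pos, 0)
        raw = name.encode("ascii") + b"\x00"
        strings += raw
        pos += len(raw)
    body = descs + b"\x00" * 20 + strings
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\x00" * 90 + struct.pack("<I", 16)
    dirs = struct.pack("<IIII", 0, 0, sec_rva, table) + b"\x00" * (8 * 14)
    sect = b".idata\x00\x00" + struct.pack(
        "<IIIIIIHHI", len(body), sec_rva, len(body), sec_off,
        0, 0, 0, 0, 0xC0000040)
    header = dos + b"PE\x00\x00" + coff + opt + dirs + sect
    return header.ljust(sec_off, b"\x00") + body


if __name__ == "__main__":
    for label, dlls in [("standalone", ["KERNEL32.dll", "USER32.dll", "GDI32.dll"]),
                        ("embeds IE", ["KERNEL32.dll", "SHDOCVW.dll", "MSHTML.dll"])]:
        image = build_sample(dlls)
        print(label, static_imports(image), ie_components_linked(image))
```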
//First, all that illustrates is that Explorer and IE share some components. What does the “core” mean anyways? //
The core means a great collection of odds and sods. Dialog boxes, client windows handlers, message handlers, mouse drivers, display drivers, widgets & icons, all sorts of things … many of which Opera will doubtless use.
//Since you are so dense, let me try to explain it to you in more detail. //
You get modded down for personal attacks. You should get twice modded down when you make such an attack and you are wrong at the same time.
//Do you understand this or should I go into further detail?//
I understand what you said, but I point out that an OS is a few orders of magnitude more complex than that.
A call to WSH could easily end up in a parser subroutine and later in a display rendering service (such as the GDI) – and the vulnerability could easily be contained therein. Just because you can block it by disabling WSH by no means implies it lies strictly within that area … it just means the access to the exploit is via WSH. The scripting host in Opera could easily contain a route to the vulnerable component as well.
E.g a while ago there was a vulnerability in the Windows GDI that was exploited whenever the GDI displayed .wmf files or data. That vulnerability affected any program that used the GDI to display .wmf files … which was most programs. Almost no-one implemented an independent .wmf handler when the GDI handled it.
So, unless you can point to the explicit code which is vulnerable, you still haven’t shown that you won’t be exposed to it if you use Opera.
And even if you do … you haven’t really got anywhere. You may have found one vulnerability that truly affects IE only (lucky you), but in the more general sense the main point still stands … most of the vulnerabilities that are due to IE can also affect other browsers if you are running Windows, because IE is embedded into the core of Windows.
Do you understand this or should I go into further detail?
You: “A call to WSH could easily end up in a parser subroutine and later in a display rendering service (such as the GDI) – and the vulnerability could easily be contained therein. Just because you can block it by disabling WSH by no means implies it lies strictly within that area … it just means the access to the exploit is via WSH. The scripting host in Opera could easily contain a route to the vulnerable component as well.”
Actually, if any routine is called in WSH, Dependency Walker would show it. It does not.
You: “E.g., a while ago there was a vulnerability in the Windows GDI that was exploited whenever the GDI displayed .wmf files or data. That vulnerability affected any program that used the GDI to display .wmf files … which was most programs. Almost no-one implemented an independent .wmf handler when the GDI handled it.”
Correct. Everyone uses GDI because they pretty much have to. It’s a truly core part of Windows, whereas WSH isn’t.
You: “So, unless you can point to the explicit code which is vulnerable, you still haven’t shown that you won’t be exposed to it if you use Opera.”
I don’t have to because I already explained to you why it is not possible for Opera to be vulnerable to THAT exact exploit in the IE scripting engine. You are correct that it is possible that Opera is vulnerable to the same thing, but that would be a freak coincidence and nothing more, and is highly unlikely, considering it was not reported that Opera is vulnerable to the same thing.
Have they heard of Opera or Konqueror?
Aren’t those pretty secure?
[quote]
Microsoft may lag as a browser patcher, but when it comes to operating systems, the company leads the pack, according to Symantec. The slowest? Sun Microsystems.
[/quote]
What was that comment about Microsoft? So when there’s a negative point about Microsoft, writers have to balance it somehow with a good point????
I don’t think that is the case. There are many in the IT security industries who praise the use of alternatives because of the problems Microsoft has with their products. I think, in this situation, Symantec simply wanted to show that while Microsoft may slack in the Internet Explorer area, they at least attempt to patch problems in Windows. That’s what I got out of that statement.
Concerning the subject line; I, personally, do care about Microsoft’s good points. It shows that they are a corporation that takes some accountability for their products.
By the way, that was an awfully loaded statement.
Perfectly simple for me: I run Firefox as an ordinary user under Linux for all my important browsing (internet banking etc). Even if there is a vulnerability it won’t go far. And I know exactly what’s running on my system, and being Linux there’s no spyware or trojans. I also sit behind an ADSL router. Symantec are just scare mongering.
Sigh. Too many posts to reply to.
* No browser is secure. If you’re exchanging data with a server on the internet you’re at risk. There’s a reason the term “zero-day exploit” exists. It’s basically a reference to the people who think their balls are big enough to run on an unsecured internet connection without any precautions, because they “know what they’re doing”. It’s a similar argument to the people who drive without a seatbelt because they consider themselves to be a safe driver.
* People who think they are secure because they don’t have open ports on their firewall need to backtrack and notice that sign on the wall that said “Welcome to the 21st century”. Obviously they missed it. Vulnerabilities are a little more sophisticated now than script kiddies trying to ping your open ports.
* Anti-virus software is obsolete and ineffective, but it’s still reckless to run a Windows system without it (whether on the client or the gateway). The sheer amount of viruses in the wild means that, no matter how careful you are or how much you think you know, at some point you’re going to receive one in an email or a drive-by download on a website. Why play the odds?
* *nix and OS X users think they’re immune to viruses, and they’re right, only in the sense that none exist in significant volumes yet. But their day will come.
* Symantec Anti-Virus is malicious software. It embeds itself in your system, it uses undocumented hooks that cause incompatibility with other applications, causes system instability, it extorts money out of you and it very often requires a utility to properly remove. It sucks and I consider the fact that HP and Dell preinstall it on new systems to have far more of a damaging effect on consumers than anything MS ever did with IE.
* XP is a reasonably secure OS as long as you keep up with the updates, but IE6 is a black hole at this point. I’ve been running the IE7 beta on all of the Win systems I have to use, and it’s not bad. It’s actually interfered with things I take for granted in the name of security, like using intranet services or ssl for my local firewall appliance. I consider that a good thing.
//* *nix and OS X users think they’re immune to viruses, and they’re right, only in the sense that none exist in significant volumes yet. But their day will come. //
Debatable. Very, very debatable.
How is a virus going to propagate past the “execute permissions” roadblock? People have been trying for years to design a virus to get past that, and their success is measured by the fact that none exist in the wild.
Also, how is malware going to “trojan” its way on to a system where the policy is “install only from open source repositories”?
There is a strong case to be made for a claim that the virus and malware situation with Linux and OSX will never ever get anywhere near the plague proportions it is on Windows, regardless of how popular either of those operating systems eventually becomes.
* *nix and OS X users think they’re immune to viruses, and they’re right, only in the sense that none exist in significant volumes yet. But their day will come.
Except that on *nix file suffixes don’t mean anything. You have to specifically chmod + <..>.
Except that with Linux it’s possible to make an SELinux policy for Firefox or to simply add an AppArmor policy or patch the kernel with exec-shield, grsecurity, PAX, RSBAC, etc.
Can you harden and compile your Windows kernel?
The only safe browser is one installed on a computer that has no internet connection. Once you log into the net you expose yourself to the unknown and thus relinquish your complete control of your system. Coders and hackers are good; when they want to find a bug, a hole, they can and they will. Until you unplug the cord. The safest browser is not a specific one. It is one that a user has been properly trained on responsible web browsing.