United States Computer Emergency Readiness Team Vulnerability Note VU#713878: Microsoft Internet Explorer does not properly validate source of redirected frame.
A slightly dated article that I've mentioned at least once in IE debates, and have been looking for for a little while. Published in July, updated just this week (December 13). This is the part which deals with IE's security in general, rather than just this specific vulnerability (my emphasis): Quote:
|
No, no, no, I know you think I'm one of those people Lennon, but I agree with you now, MS does have a lot of problems, but I do think you should cut back on the slandering just a bit, it can't be good for your health
|
Quote:
By that definition, there are two ways in which what I'm doing isn't slander. |
:rolleyes: Lennon, I've said it before, and I'll say it again. We respect you and your opinion on the forum a lot, but that doesn't mean you need to post a new argument (or the same argument in a new post) concerning Microsoft and its adversaries every week!
I don't favor Microsoft in any way, don't think Firefox is in any way less than IE, but I do think you're taking this too far. You may disagree with me, of course, but remember that it's one thing to actually have an opinion and a totally different thing to have that opinion and 'forcefeed' it to all and sundry. |
Except, link, that only half of what I say is opinion. It is my opinion that Firefox is the best browser, and that Linux is the best OS. It is fact (according to both CERT and Secunia) that Internet Explorer is insecure and hence inherently dangerous.
Also, I do not force feed this to everyone. I can't stop anyone from skipping my posts (and nor would I want to). The force feeding is done by Microsoft forcing Internet Explorer onto every Windows user since Windows 95. And this is what I am trying to stop: I am attempting to give people the knowledge that there are alternatives (a fact which Microsoft tries to hide), and a good reason to switch: Internet Explorer does not meet the basic requirements for a good application. |
I dunno, Firefox has just come out and it already has a number of "moderately critical" flaws detected.
I think the jury is still out on Firefox. I like Linux but on my machines (with bleeding edge hardware usually) the free versions I've tried have not been reliable. I want to buy a copy of 64 bit SuSe Linux for my NUMA dual Opteron... but it's missing a couple drivers, maybe when they become available. I used Firefox for a while... just wasn't as convenient as IE for me (too slow, too unreliable), so I went back to IE. I guess I'll have to give the release version a try. With regards to weaknesses I keep up with the patches. I've never had a virus (despite having broadband for over 10 years) even though I know Windows and IE have their problems. I think it has a lot to do with following good browsing habits: set your security to high, don't browse in the admin account (although I do that regularly... my bad), don't download anything, don't go to sleazy sites (internet porn, warez, etc...), don't open email attachments, and keep your firewall up and running. I just don't see any compelling reason to switch, I don't think Firefox is that great, I don't think IE is that bad. I'm glad Linux is providing competition for Microsoft, but M$ doesn't dominate the market with inferior products. Even bundled IE wouldn't have gotten them far if it wasn't as good as Netscape. I'm no M$ nutcase, I simply choose the best tool for the job. I used to be a big Visual Studio.NET programmer... then I started using the Macromedia suite, now I use Coldfusion for anything Web or Networking related... overall it's just better for that realm. If Firefox has improved over the late beta that I had perhaps I'll start using it, but I doubt it's THAT much better (unless you're out to make an anti-m$ statement that is). |
Firefox has its problems too, I mean it can't even use downloaded fonts :(
[ 12-16-2004, 10:30 PM: Message edited by: Hivetyrant ] |
Quote:
The moderately critical "frame injection vulnerability" is not being worked on directly (bug 273699), but its dependency (bug 103638) has a good deal of progress being made. Once 103638 is fixed, it will probably be a somewhat trivial matter to fix 273699. The "tab spoofing" is in the Apple Java Plugin, not Firefox proper, and it only affects MacOS X. Due to restrictions that almost saw a split between 1.0 and 1.0-mac, regressions specific to MacOS are to be expected (for all intents and purposes, 1.0 is still beta on MacOS). The tabbed browsing vulnerabilities are partially fixed in 1.0, with a proposed patch for the remaining vulnerabilities (see bug 262887). Meaning that if this patch works as expected, this will be fixed very soon (in the nightly builds, in Mozilla 1.7.6, and possibly as an auto-update for Firefox). The cross-domain cookie injection vulnerability is unpatched at this point. That means, of 4 bugs, 2 have quite a bit of work being done on them. Considering IE has bugs of similar criticality that have been open for years, Firefox's track record isn't too bad. If Firefox is slow, you need to speed it up. This is its greatest benefit: you can tweak the hell out of it if you want to. And for most of it, you don't even have to have the source code (let alone having to recompile it). Just take a look at the URL about:config, and start fiddling. |
Ah, right - I misunderstood you. It doesn't support letting a website automatically put another font on your computer, no. It does let you use fonts you have downloaded manually, in much the same way any good word processor does.
|
Nope, I have downloaded a font and I cannot use it. I'll PM you the details.
|
*grumble* ... *goes off to unhide menus* .. *grumble, grumble*
|
Ok, it doesn't seem to be possible after all. I'd say that this (the website's behavior, not Firefox's) is non-W3C (I will check this, though). Websites using non-standard fonts does tend to cause accessibility problems, after all.
EDIT: But, I know how people will react to this. Just to make the point clear, this is NOT a bug in Firefox. This is intended behavior. Edit again, for clarity. [ 12-16-2004, 11:27 PM: Message edited by: LennonCook ] |
Quote:
And, just for equal time here, yesterday a class at U-IL Chicago released 44 vulnerabilities in common UNIX apps, which they discovered as a project for their class. http://tigger.uic.edu/~jlongs2/holes/ Nobody's perfect :D |
Quote:
And, just for equal time here, yesterday a class at U-IL Chicago released 44 vulnerabilities in common UNIX apps, which they discovered as a project for their class. http://tigger.uic.edu/~jlongs2/holes/ Nobody's perfect :D
I've said it before but IMO if other OS's and Apps were the subject of as concerted and intense an attack as M$ faces from its many opponents... they'd fare no better. Open Source, by virtue of its inherent openness (its greatest strength imo)... would be PARTICULARLY susceptible. The risk I see here for M$ opponents is if M$ can actually put together a secure system... its competitors won't have an adequate response. It's like drug immunity... the more and harder a bug is attacked by a drug, the quicker it builds up immunity and if it survives it emerges stronger than the competition. It's survival of the fittest, and the community is currently assisting M$ in debugging their goliath, seems like fun but possibly not so smart in the long run. I think more people should be working to uncover the weaknesses of the apps they're loyal to (Linux, Firefox, whatever) in order to prevent M$ from getting an insurmountable lead. I'm sure you've all seen the previews of longhorn (and NGSCB)... it's a significant change in security model, and if effective (and it looks like it may be) it will be something that will need to be addressed by the competition. |
Quote:
That was perfect Thoran, I could not have put it better |
You should know by now that you can wait forever on m$ bugfixes ;) But well you never know, maybe one day. Windows might be your thing and there are things to like about. Nobody tells you to go open source or to another operating system. But I'd think a bit more realistic and say that windows is just not so good on security at the moment and that you take the advantages windows has for you over the risk. You don't choose operating systems just on one aspect of them.
I think in the Christmas holidays I'll be going to install FreeBSD as well. It looks pretty cool as well and I still have HD space. Maybe Slackware as well. |
Quote:
I used Slackware from '95 until I came to college; loved it! I switched to FreeBSD on a lark when I got a cheap new laptop and thought I'd see what's up. The ports package is absolutely wonderful (though I hear Gentoo's got something very similar, portage). |
Quote:
I used Slackware from '95 until I came to college; loved it! I switched to FreeBSD on a lark when I got a cheap new laptop and thought I'd see what's up. The ports package is absolutely wonderful (though I hear Gentoo's got something very similar, portage).
Yep the package management sounds good. That's the most important thing for me. Debian made me lazy :D But well I don't feel like ending up in dependency hell. |
Quote:
This article uses Apache and IIS to disprove both points. Apache is open source, and more popular than IIS (70% market share and rising, I believe), and yet it is historically the more secure of the two. The number of attacks is a factor, yes, but hardly the only one. Quote:
Quote:
EDIT: The patch I mentioned before for the Tabbrowsing Vulnerabilities has been granted review+. It is now only waiting for superreview and approval-1.7.6, and it will be checked in to the mozilla.org CVS. [ 12-17-2004, 08:24 PM: Message edited by: LennonCook ] |
Quote:
Quote:
These days there's no excuse for 'IE only' web sites, I use Coldfusion for my App. Server and have no trouble accommodating any browser you want to use. Quote:
[ 12-18-2004, 08:00 PM: Message edited by: Thoran ] |
I don't understand exactly why IE is integrated... It comes with the OS, so I'm not paying extra, or regaining any money by not using. Firefox is free, as is mozilla and netscape. Where does the money come from?
|
Quote:
As to Firefox and Mozilla, they are free because the authors have no interest in charging for them. Their incentive comes from making a program that the community will be happy with, which will also give their customers more reason to buy larger software packages from them in future. Also, they do sell Firefox on CD, as well as selling a guidebook, and other donationware. If you're wondering, then, why they don't charge for their products anyway, I see it like this: Ziroc doesn't charge us for using Ironworks, either (and has, on several occasions, blatantly refused to even consider it). We are here because we want to be, not because we can afford to be. It is the same with Mozilla corp and their products. Mozilla corp accept donations as well, in the same way that Ironworks does (although, they aren't forced to live off these like Ironworks is). As to Netscape, it isn't free. They don't charge you money admittedly, but they have plugs to other AOL products (products which often have spyware, and hence $$$ for AOL), and Netscape can't be personalised at all: everything is locked to default. |
Ah ok, cos I was just wondering why they did it...
Thank you for enlightening me :D |