US-CERT Vulnerability Note VU#713878: IE Specific Security Hole

[LennonCook]

United States Computer Emergency Readiness Team Vulnerability Note VU#713878: Microsoft Internet Explorer does not properly validate source of redirected frame.
A slightly dated article that I've mentioned atleast once in IE debates, and have been looking for for a little while. Published in July, updated just this week (December 13). This is the part which deals with IEs security in general, rather than just this specific vulnerability (my emphasis):

Quote:

Use a different web browser There are a number of significant vulnerabilities in technologies relating to the IE domain/zone security model, local file system (Local Machine Zone) trust, the Dynamic HTML (DHTML) document object model (in particular, proprietary DHTML features), the HTML Help system, MIME type determination, the graphical user interface (GUI), and ActiveX. These technologies are implemented in operating system libraries that are used by IE and many other programs to provide web browser functionality. IE is integrated into Windows to such an extent that vulnerabilities in IE frequently provide an attacker significant access to the operating system. It is possible to reduce exposure to these vulnerabilities by using a different web browser, especially when viewing untrusted HTML documents (e.g., web sites, HTML email messages).

I know that there are almost certainly some people who have read rants posted by me and several other people, who have doubted their objectiveness and relevance. Now that I have a relevant article from an official source that more people realise I'm not only a random ms-hating doomsayer. [img]smile.gif[/img]

[Hivetyrant]

no, no, no, I know you think im one of those people Lennon, but I agree with you now, MS does have alot of problems, but I do think you should cut back on the slandering just a bit, it cant be good for your health [img]tongue.gif[/img]

[LennonCook]

Quote:

Originally posted by Hivetyrant: no, no, no, I know you think im one of those people Lennon, but I agree with you now, MS does have alot of problems, but I do think you should cut back on the slandering just a bit, it cant be good for your health [img]tongue.gif[/img]

Slander: words falsely spoken that damage the reputation of another

By that definition, there are two ways in which what I'm doing isn't slander.

[Link]

Lennon, I've said it before, and I'll say it again. We respect you and your opinion on the forum a lot, but that doesn't mean you need to post a new argument (or the same argument in a new post) concerning Microsoft and its adversaries every week!

I don't favor Microsoft in any way, don't think Firefox is in any way less than IE, but I do think you're taking this too far. You may disagree with me, of course, but remember that it's one thing to actually have and opinion and a totally different thing to have that opinion and 'forcefeed' it to all and sundry.

[LennonCook]

Except, link, that only half of what I say is opinion. It is my opinion that Firefox is the best browser, and that Linux is the best OS. It is fact (according to both CERT and Secunia) that Internet Explorer is insecure and hence inherently dangerous.
Also, I do not force feed this to everyone. I can't stop anyone from skipping my posts (and nor would I want to). The force feeding is done by Microsoft forcing Internet Explorer onto every Windows user since Windows 95. And this is what I am trying to stop: I am attempting to give people the knowledge that there are alternatives (a fact which Microsoft tries to hide), and a good reason to switch: Internet Explorer does not meet the basic requirements for a good application.

[Thoran]

I dunno, Firefox has just came out and it already has a number of "moderately critical" flaws detected.

I think the jury is still out on Firefox.

I like linux but on my machines (with bleeding edge hardware usually) the free versions I've tried have not been reliable. I want to buy a copy of 64 bit SuSe Linux for my NUMA dual opteron... but it's missing a couple drivers, maybe when the become available.

I used Firefox for a while... just wasn't as convenient as IE for me (too slow, too unreliable), so I went back to IE. I guess I'll have to give the release version a try.

With regards to weaknesses I keep up with the patches. I've never had a virus (despite having broadband for over 10 years) even though I know Windows and IE have their problems. I think it has a lot to do with following good browsing habits, set your security to high, don't browse in the admin account (although I do that regularly... my bad), don't download anything, don't go to sleazy sites (internet porn, warez, etc...), don't open email attachments, and keep your firewall up and running.

I just don't see any compelling reason to switch, I don't think Firefox is that great, I don't think IE is that bad. I'm glad Linux is providing competition for Microsoft, but M$ doesn't dominate the market with inferior products. Even bundled IE wouldn't have gotten them far if it wasn't as good as Netscape.

I'm no M$ nutcase, I simply choose the best tool for the job. I used to be a big Visual Studio.NET programmer... then I started using the Macromedia suite, now I use Coldfusion for anything Web or Networking related... overall it's just better for that realm. If firefox has improved over the late beta that I had perhaps I'll start using it, but I doubt it's THAT much better (unless you're out to make an anti-m$ statement that is).

[Hivetyrant]

Firefox has its problems too, I mean it cant even use downloaded fonts

[ 12-16-2004, 10:30 PM: Message edited by: Hivetyrant ]

[LennonCook]

Quote:

I dunno, Firefox has just came out and it already has a number of "moderately critical" flaws detected.

Well, OK, I guess "one" is a number. [img]tongue.gif[/img] Secunia reports four open vulnerabilities in Firefox: one moderately critical, three less critical.

The moderately critical "frame injection vulnerability" is not being worked on directly (bug 273699), but it's dependancy (bug 103638) has a good deal of progress being made. Once 103638 is fixed, it will be probably be a somewhat trivial manner to fix 273699.

The "tab spoofing" is in the Apple Java Plugin, not Firefox proper, and it only affects MacOS X. Due to restrictions that almost saw a split between 1.0 and 1.0-mac, regressions specific to MacOS are to be expected (for all intents and purposes, 1.0 is still beta on MacOS).

The tabbed browsing vulnerabilities are partially fixed in 1.0, with a proposed patch for the remaining vulnerabilities (see bug 262887). Meaning that if this patch works as expected, this will be fixed very soon (in the nightly builds, in Mozilla 1.7.6, and possibly as an auto-update for Firefox).

The cross-domain cookie injection vulnerability is unpatched at this point.

That means, of 4 bugs, 2 have quite a bit of work being done on them. Considering IE has bugs of similar criticalbility that have been open for years, Firefox's track record isn't too bad.

If Firefox is slow, you need to speed it up. This is it's greatest benifit: you can tweak the hell out of it if you want to. And for most of it, you don't even have to have the source code (let alone having to recompile it). Just take a look at the URL about:config, and start fiddling. [img]smile.gif[/img]

[LennonCook]

Quote:

Originally posted by Hivetyrant: Firefox has its problems too, I mean it cant even use downloaded fonts

Sure it can. Have a look in Tools -> Options -> Fonts sometime.

[Hivetyrant]

Quote:

Originally posted by LennonCook: quote: Originally posted by Hivetyrant: Firefox has its problems too, I mean it cant even use downloaded fonts

Sure it can. Have a look in Tools -> Options -> Fonts sometime. [/QUOTE]Dont know why I am posting this, because you will never admitt you are wrong but here goes:

Quote:

Downloadable fonts are not supported. Downloadable fonts are usually used on sites using writing systems for which proper support has been missing in browsers in the past. These sites (for example some Indian sites) code the text in Latin gibberish and then use a font that to the browser and operating system seems to be a Latin font but has eg. Devanagari glyphs, so that when the Latin gibberish is rendered with the font it seems to a human reader to be intelligible text in some language. Obviously, that kind of ad hockery falls apart when Unicode-savvy browsers come along and render Latin gibberish as Latin gibberish (since that’s what is coded in the file from the Unicode point of view). Instead of providing support for downloadable fonts, Mozilla is addressing the real issue: support for various Unicode ranges. However, there are still bugs related to support for Indic scripts on some platforms. For example, on Mac OS X Mozilla does not use the Devanagari font that comes with the system but can use a third-party font like TITUS Cyberbit. A lot of work has been put into Mozilla’s Unicode support. Supporting downloadable fonts in a cross-platform way would also be a lot of work and would potentially require navigating past a bunch of patents but the rewards would be small. For the purpose of rendering non-ISO-8859-1 characters Mozilla already provides Unicode support that, in the long run, is a lot better approach than using pseudo-Latin downloadable fonts separately on each site.

This is from http://www.mozilla.org/docs/web-deve...nloadablefonts