How can I trust Firefox?


TimP
12-20-2004, 3:49 PM
http://blogs.msdn.com/ptorr/archive/2004/12/20/327511.aspx

I don't agree with everything he says, but he brings up some good points.

Modred
12-20-2004, 4:53 PM
He does make some good points, although I never experienced the mysterious servers he claims when I first downloaded Firebird back at 0.6. And I have noticed that almost all extensions are unsigned, but I only download ones I am fairly sure of.

Plus, I went 3 months without a virus, spyware, or adware scan, and after updating all three and scanning, only had 10 suspicious files (while some people would end up with around 50-300). For the general, gullible public, he's right: it isn't foolproof. But for those who actually watch what they do online, I don't see a problem.

Garrec
12-20-2004, 6:04 PM
I can see his views about Firefox downloading from mirror.sg.depaul.edu, but I don't see any of the other problems he found with the download process. As for Windows not being able to verify the publisher, that could be just a Windows thing to keep people loyal to the company. Think about it. Some company has produced software to attempt to combat your huge empire over the world. It's only natural to not sign the software. Practically everyone is warned not to download stuff they don't trust, and if Windows comes up with a nasty looking warning, most computer users probably won't accept it. As for his errors, I never had such problems. I never got a 7-zip error or a blank dialog.

I can see what he's saying about default options, but I don't view that as a problem. Unless you're careless enough to just hit enter at each dialog box, people should actually read what the dialog box has to offer before making a choice. You shouldn't hit "OK" on any dialog you don't understand, especially if it's blank. I wouldn't.

When I tried to download Firefox from Internet Explorer, it says it downloads from "mozilla.cs.utah.edu". If I try to download from Firefox, it's "http://mozilla.isc.org/pub/mozilla.org/firefox/releases/1.0/win32/en-US/".

TimP
12-20-2004, 6:45 PM
Microsoft is not in charge of issuing digital certificates, Windows only reads them. It has nothing to do with Microsoft trying to "keep people loyal to the company" because I've used many products from other companies that have digitally signed installers (VMware, for one).

WeekendLazyness
12-20-2004, 10:37 PM
HAHA:
http://it.slashdot.org/article.pl?sid=04/12/21/0038235&tid=172&tid=154&tid=109&tid=113&tid=1
Read the comments.

TimP
12-20-2004, 11:48 PM
It's Slashdot. Did you expect anything else?

WeekendLazyness
12-21-2004, 1:43 PM
No sir.
:(

Basan
12-21-2004, 2:26 PM
Read both of'em and... no sir. Never happened (with FF). On the other hand with IE, it happened 'till kingdom come.
Especially when I had my laptop at my aunt's house and went out to relax a bit and left it on. From the moment my younger cousins nailed the PC 'till I got back, it's only mere speculation where they surfed, but I sure can bet it wasn't the kiddies' sites... They sneaked into my PC 'cause I had a parent watch app on her (my aunt's) PC to allow safe browsing for her kid (and friends that might come around). It was only a 'mere' browser hijacking, spy/adware, searching for notepad.exe 'cause a sleazy version slid in, for sums the full works. :P

It happened again later with FF and I hadn't such trouble as the other time. See my latest log in the HijackThis log thread (http://www.warboards.org/showthread.php?t=5544) as proof of when this happened. :)
JavaScript / ActiveX controls suck with IE. And when I go extensions galore, it's only on their site and maybe a few others that I might look into upon recommendation. ;)

As for the unsigned bit, since most of it needs or requires Microsoft related stuff to be approved, I ain't that worried. :smirk:

Exedore
12-21-2004, 5:36 PM
Talk about making a mountain out of a molehill...

Digital Signing is currently a laughable endeavor, and is no better than not having something signed. It's easy enough to fake a digital signature. And that's basically his entire argument out the window, other than the download mirror redirect.


And at least with Firefox, you're prompted for every installation or browser plug-in. IE has numerous holes that will allow a server to install something anyway without your knowledge or consent.

TimP
12-21-2004, 10:56 PM
IE has numerous holes that will allow a server to install something anyway without your knowledge or consent.
Unless you manually turn all the security features off, I don't think that's possible. You mean "had" instead of "has" or do you have some info to back that up?

http://secunia.com/product/11/

I don't see any security alerts about sites being able to install any old component on my computer without my consent. None of the outstanding vulnerabilities are rated at the most severe level anyways.

WeekendLazyness
12-22-2004, 1:50 AM
I like how there are 4 exploits in Firefox 1.x, but 74 in IE 6.

TimP
12-22-2004, 2:33 AM
Internet Explorer is older than Firefox, so it obviously has more. It also includes fixed holes. Speaking of which, Microsoft has patched or partially patched 14 of the 34 found holes. The Firefox team has partially patched only one of the four holes. In this regard, the IE team has done a better job fixing IE than the Firefox team has.

Neo
12-22-2004, 5:57 AM
Internet Explorer is older than Firefox, so it obviously has more. It also includes fixed holes. Speaking of which, Microsoft has patched or partially patched 14 of the 34 found holes. The Firefox team has partially patched only one of the four holes. In this regard, the IE team has done a better job fixing IE than the Firefox team has.
And it only took them what... a few years?

4 problems to IE's 34 (or 74?). Seems pretty good to me. Especially for something tied to fucking AOL.

In this regard, the Firefox team has done a better job coding than the MS Team. A lot of FF is OS-like and has many contributors from all around the world and from multiple communities.

I mean, seriously, would you expect Linux-Users to contribute to a crappy project?


It is important to point out that extremely respected security analysts such as Bruce Schneier recommend against using Internet Explorer. Period.

Firefox is often cited as a good alternative.

So if I combine your advice with Bruce Schneier's, it boils down to:

1. Be diligent when downloading Firefox to ensure you are getting it from the right source.

2. Do not use any untrusted plugins.

3. Do not use IE except when absolutely necessary to download your initial copy of Firefox.

I liked that comment a tad XD

-Neo

EDIT: a couple of the exploits for Firefox don't even work for me ("test" links and such... neither shows I have a problem) and another is retarded and is already not going to get "fixed" because it would not be prudent to. Funny, see, Firefox doesn't have any super critical problems, or in fact, has had any the past few months. IE can't say the same since there are still a few unpatched!

Basan
12-22-2004, 8:03 AM
Internet Explorer is older than Firefox, so it obviously has more. It also includes fixed holes. Speaking of which, Microsoft has patched or partially patched 14 of the 34 found holes. The Firefox team has partially patched only one of the four holes. In this regard, the IE team has done a better job fixing IE than the Firefox team has.
And it only took them what... a few years?

4 problems to IE's 34 (or 74?). Seems pretty good to me. Especially for something tied to fucking AOL.

In this regard, the Firefox team has done a better job coding than the MS Team. A lot of FF is OS-like and has many contributors from all around the world and from multiple communities.

I mean, seriously, would you expect Linux-Users to contribute to a crappy project?
Drats! Beaten to the point.

Not another attempt to bash FF!?! And so soon? :rolleyes:
*Rofl* Get IE right 1st and then you may come crappin' about it (FF).

TimP
12-22-2004, 1:56 PM
If you had bothered to actually look at the link, you'd see that it's 34 this year vs. 4 this year so the playing field is equal. MS hasn't had more time. They've fixed a larger percentage of their bugs in the same amount of time than the Firefox team has. Also, I wouldn't attribute all of the "good stuff" to the Firefox team. A lot of the core programming is unchanged since the Netscape days. No product is bug free and in general, I'd much rather use a product whose creator acknowledges and fixes the bugs than one that ignores them.

And finally before we get too far off topic, I want to see the still unpatched security hole that Exedore was talking about which allows sites to randomly install malicious code on my machine.

Basan
12-23-2004, 9:33 AM
If you had bothered to actually look at the link, you'd see that it's 34 this year vs. 4 this year so the playing field is equal. MS hasn't had more time. They've fixed a larger percentage of their bugs in the same amount of time than the Firefox team has. Also, I wouldn't attribute all of the "good stuff" to the Firefox team. A lot of the core programming is unchanged since the Netscape days. No product is bug free and in general, I'd much rather use a product whose creator acknowledges and fixes the bugs than one that ignores them.
As for this, I ain't sure if you're referring to me. But my IE does the same crap in certain sites even after upgrading. :concern:

By a mere long shot, have you considered the personnel involved with both browsers? I guess that IE should have a lot more personnel related to it than FF does. So it prob'ly should have more techies messing with it just to fix it. So far 'till today, I still couldn't see a safer version presented (to the general public), compared to FF that is.

And if some of Microsoft's major personnel use FF (http://www.wired.com/wired/archive/12.09/view.html?pg=3), what can you say? Nowadays I just plug IE for my OS updates (Windows 2K). And Microsoft made it, or tries to maintain, folks attached to it (IE) by making many of their other apps only compatible with it. See the MSN Messenger glitch when you try to see your e-mails by merely clicking and you have FF as your default browser. Screw royale, that's the result.

I simply hate these attempts to force us into keeping IE around (for use). After this, how can you say to us FF users (you included) to use IE as it simply doesn't cut it? >_<

And finally before we get too far off topic, I want to see the still unpatched security hole that Exedore was talking about which allows sites to randomly install malicious code on my machine.
I installed a patch in FF recently that seems to be what you're talking about. Let me see if I can stir that link up. ;)
Done deal (http://www.mozilla.org/security/).

TimP
12-23-2004, 2:37 PM
I simply hate these attempts to force us into keeping IE around (for use). After this, how can you say to us FF users (you included) to use IE as it simply doesn't cut it? >_<
Likewise, I can't stand the religious movement to "Spread Firefox". No Mozilla scare tactics will get me to switch. The point of the article was to show that Firefox isn't a bullet-proof fortress like everyone seems to make it out as.

Sauvastika
12-25-2004, 1:21 AM
Likewise, I can't stand the religious movement to "Spread Firefox". No Mozilla scare tactics will get me to switch. The point of the article was to show that Firefox isn't a bullet-proof fortress like everyone seems to make it out as.
But when all is said and done, I'd rather trust a near-impervious castle than a crumbling fortress.

Basan
12-27-2004, 5:24 AM
Likewise, I can't stand the religious movement to "Spread Firefox". No Mozilla scare tactics will get me to switch. The point of the article was to show that Firefox isn't a bullet-proof fortress like everyone seems to make it out as.

"Religious movement"? And "Mozilla scare tactics"? We aren't after another 9/11 ya know!?! *Lol*
And if it's better than the current stage of IE, why not allow others to know there's an option out there?

I know that (FF isn't a fool-proof browser)! But at least they don't try to shove crap down our throats that we've got to use it (like IE does with compatibility issues).
My OE (Outlook Express) is also out the window and I'm happy to have changed it. Viruses and it are a great mix (as some of my friends already experienced or are experiencing). As it (unfortunately) happens with IE and spy/adware s**t. :P

Neo
12-30-2004, 5:07 AM
Likewise, I can't stand the religious movement to "Spread Firefox". No Mozilla scare tactics will get me to switch. The point of the article was to show that Firefox isn't a bullet-proof fortress like everyone seems to make it out as.

So what is IE?

FF has 4. Technically 3, since one of the so called 'exploits' would be pointless to try to fix... or whatever. I forget what the Bugzilla report said, but something along the lines of "big deal" and "its not going to be fixed no matter how many times you submit it".

I'd much rather use a product whose creator acknowledges and fixes the bugs than one that ignores them.

And finally before we get too far off topic, I want to see the still unpatched security hole that Exedore was talking about which allows sites to randomly install malicious code on my machine.

Your first sentence there is really funny. Microsoft has been known to ignore bugs in anything of theirs. In fact, aren't there plenty of stories of people trying to warn MS about a possible exploit and then being ignored for weeks -- or months? Even Spybot Search and Destroy includes links or information on IE-specific bugs, exploits and whatnot that haven't been patched by MS.

In fact there are links to 3rd-party sites who have created their OWN patches to fix bugs in IE. That's where things kind of drop off for me.

As for the security hole thing, Don't know what Exedore means since I am not, you know, him, but it probably comes down to this:

When it is (still) possible for someone to hijack your entire computer (read: something like the CWS series of hijacks, which can be picked up almost anywhere), restricting access to things like setting your home page, or search pages, often rewriting them to their own crappy sites. On top of that, they stop MSCONFIG and/or the TaskManager from starting. To my knowledge, even with accepting a malicious extension (is there such a thing in Firefox?) it's not possible for FF to affect outside programs that have nothing to do with browsing. Though who knows, maybe someone is working on such a thing.

You can continue to use IE and continue to be bothered by things like Pop Ups, Pop Unders, and annoying ads that won't go away (I remember those really weird popups that were "unclosable" -- what the fuck?) On top of that, when you go to "TaskManager" and shut down IE, most of the time it causes Windows to have to reload everything like the TaskBar, etc.. I mean c'mon, why? With a couple clicks, or even 1, I can block any ad, iframe ad, banner image, and even javascripts on any site. I can visit damn near any site and not have to deal with popups, or flash ads if I so choose. Can IE do the same?

Since I haven't had any experience with the new IE I can't comment on it really at all, but until MS gets off their asses and supports those of us who have Windows 2000 it's hard not to be upset (you realize that Win2k costs more than Windows XP - STILL in retail stores?). I mean I could see stopping support for something you don't make/sell anymore but... Windows 2k is still on the market.

-Neo

Basan
12-30-2004, 8:08 AM
Good point, Neo. :tup:
Couldn't have said it clearer. Just laughed on its account.

Exedore
12-31-2004, 2:41 PM
I found full directions for a really "fun" remote compromise with IE6 SP2 and WinXP SP2 from a BugTraq mailing. It's too long to post here, but I can PM it if you'd like. Basically, it uses the fact that .hta files aren't restricted to zones like the rest of IE's content in combination with exploiting the Help ActiveX controls. Yet again, the adodb object is the main culprit, as it has been with most IE6 vulnerabilities.

Granted, Mozilla and Firefox have bugs as well, but they're quickly acknowledged by the Developers and usually fixed shortly afterwards if they're major bugs.

TimP
12-31-2004, 4:41 PM
Funny, ADODB was fixed (disabled to be more exact) months ago...

http://www.microsoft.com/downloads/details.aspx?FamilyID=4D056748-C538-46F6-B7C8-2FBFD0D237E3&DisplayLang=en

As far as the previous Firefox argument goes, there's really no point in arguing it because you won't change your browser and I won't change mine. IE is as secure and functional as I need it to be. I have never had any spyware worse than cookies and haven't had a virus in 3+ years.

Falhem
01-02-2005, 2:29 AM
Many Microsoft supporters tend to say that they prefer IE and/or Microsoft for that matter because they admit their holes and patch them. That's all well and fine, but at last check in Aug. or so there were 34 or so holes and growing. Frankly I want an OS and browser that fix the problem while strengthening the whole program and not just creating more holes or discovering more.

The huge one up that Firefox has over IE is that when a problem occurs it's not just the "Firefox" team that's working on it. It's anyone who wants to help and knows how to. Whereas IE is only a group of programmers. That is Open Source's backbone in a way: the ability to collaborate with the world on a project or piece of software and not just a small group of people.

Basan
01-03-2005, 6:31 AM
I found full directions for a really "fun" remote compromise with IE6 SP2 and WinXP SP2 from a BugTraq mailing. It's too long to post here, but I can PM it if you'd like. Basically, it uses the fact that .hta files aren't restricted to zones like the rest of IE's content in combination with exploiting the Help ActiveX controls. Yet again, the adodb object is the main culprit, as it has been with most IE6 vulnerabilities.
...
I'm interested to know more about it. Can you please PM (or even mail) me details on it? Tks. ;)

Tim, from what I've seen in that article and my knowledge that Adobe (*.pdf files seen through browser) uses/has some of IE's plugs within, shouldn't it have been fixed a looong time ago? :concern:

TimP
01-03-2005, 7:41 PM
The huge one up that Firefox has over IE is that when a problem occurs it's not just the "Firefox" team that's working on it. It's anyone who wants to help and knows how to. Whereas IE is only a group of programmers. That is Open Source's backbone in a way: the ability to collaborate with the world on a project or piece of software and not just a small group of people.
If only that were true. It's not quite as simple as submitting bug fix X to the Firefox team and bam, new release of Firefox with your little fix posted the next day. They must go through and scrutinize the code, make sure it doesn't break anything, and check the fix's own security. If you think Microsoft spends the majority of the bug fix cycle writing the code that fixes it, you're wrong. They do the same thing as Firefox. They extensively beta test even the smallest fixes across many machines, operating systems, and localizations. They can't afford to break anything.

Tim, from what I've seen in that article and my knowledge that Adobe (*.pdf files seen through browser) uses/has some of IE's plugs within, shouldn't it have been fixed a looong time ago?
I'm not sure I follow what you're getting at...

Basan
01-04-2005, 2:04 PM
Funny, ADODB was fixed (disabled to be more exact) months ago...

http://www.microsoft.com/downloads/details.aspx?FamilyID=4D056748-C538-46F6-B7C8-2FBFD0D237E3&DisplayLang=en

As far as the previous Firefox argument goes, there's really no point in arguing it because you won't change your browser and I won't change mine. IE is as secure and functional as I need it to be. I have never had any spyware worse than cookies and haven't had a virus in 3+ years.
Tim, from what I've seen in that article and my knowledge that Adobe (*.pdf files seen through browser) uses/has some of IE's plugs within, shouldn't it have been fixed a looong time ago? :concern:
I'm not sure I follow what you're getting at...
From what I read in that piece, it only seems to disable Acrobat Reader from within IE (i.e., its plugs inside IE are cleansed from working). My question is, is it currently possible to see *.pdf files from webpages? That is, if I want to see an ISO/EN/DIN standard (those files usually come in *.pdf format) with IE, can it be done? :o

TimP
01-04-2005, 5:16 PM
The ADODB fix has absolutely nothing to do with Acrobat. Yes, you can still view PDF's in IE.

Basan
01-05-2005, 9:55 AM
The ADODB fix has absolutely nothing to do with Acrobat. Yes, you can still view PDF's in IE.
I guessed so... n' was correct (*.pdf files within IE). :smirk:
Then what it is in fact? And for lame tech fellas like me to follow, please. ;)

Garrec
01-05-2005, 2:21 PM
Sorry to bust in on the Firefox vs. IE things, but IE started behaving suspiciously today...and I wondered how people from both sides of the argument would react to this. Allow me to explain.

Shortly after I booted my computer, about the time that I launched Firefox, I got a message from IE about some site trying to save a cookie on my computer, asking for my permission. What's so strange? I didn't even open IE, and according to my firewall, IE isn't allowed to access the internet without my permission. Here are some screenshots:

The strange cookies:
http://www.warboards.org/attachment.php?attachmentid=1184&stc=1
http://www.warboards.org/attachment.php?attachmentid=1185&stc=1

I know these are IE cookie settings, because here's what it looks like trying to access Warboards from IE:
http://www.warboards.org/attachment.php?attachmentid=1186&stc=1

And a Firefox cookie warning looks like this:
http://www.warboards.org/attachment.php?attachmentid=1187&stc=1

IE security problem?

Dezzick
01-05-2005, 2:27 PM
I got Firefox off the PC Gamer DVD. Who thinks I should upload the installer somewhere (maybe kupatrix) so WBs members get the real thing?

Basan
01-05-2005, 2:45 PM
...
IE security problem?

In case you didn't notice, even with FF installed the common Net accessing options are done through IE. Unless you do some tampering with it from inside your own OS files. It has already been spoken (and taught) before here inside a FF thread, how to configure your OS to go directly to the Net through FireFox.
For sums, even FF uses IE's properties configs to access the Net (unless you redirect your system otherwise).
Confusing? Maybe if you search with the local search feature (for FireFox), you'll find out what I'm talkin' about. ;)

TimP
01-05-2005, 4:27 PM
I got Firefox off the PC Gamer DVD. Who thinks I should upload the installer somewhere (maybe kupatrix) so WBs members get the real thing?
Erm...the "real" Firefox is available at http://www.mozilla.org/products/firefox/

Basan
01-06-2005, 6:00 AM
Erm...the "real" Firefox is available at http://www.mozilla.org/products/firefox/
Eh... I've found mine inside the pinned post of Neox's within the Tech Annex area. But the link is the same or at least I think so. For once, I agree with ya. It's better to get those from the real thing (original site). ;)

Dezeed, I sometimes suspect those so called offers of free apps inside CDs, especially if the magazine that it comes with isn't that respected. They might come bundled with spy/adware crap. :concern:

Dezzick
01-06-2005, 11:50 AM
But it is respected! It is the best selling gaming mag in the UK.

Basan
01-06-2005, 2:04 PM
Sometimes is the key here... just said that currently, when some free apps come with offer CDs, they come somewhat corrupted with spy/adware amongst the install file(s). It has happened n' could happen. :shiftyl:

Actually, that's why we (I think Tim too, but he could correct it if I am wrong) are advising you to dl the real thing... ;)

Seal
01-06-2005, 7:13 PM
if you're REALLY suspicious about the Firefox binary, feel free to compare the MD5 with the one on mozilla.org..
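The check Seal suggests, as an added example that is not code from the thread or from Mozilla: it parses a checksum manifest in the `hash  filename` form that md5sum/sha256sum produce, hashes the local installer, and compares in constant time. The file name, file contents and manifest below are constructed for the demo; the point is that the reference digest should come from mozilla.org itself, not from the same mirror that served the binary.

```python
"""Verify a downloaded installer against a published checksum manifest.

Added example, not code from the thread. The reference digest must be
fetched from the vendor's own site (mozilla.org), since a digest served by
the mirror that also served the binary proves nothing about that mirror.
"""
import hashlib
import hmac
import os
import tempfile


def parse_manifest(text):
    """Parse 'hash  filename' lines into {basename: lowercase hex digest}.

    Handles the '*' binary-mode marker and a path prefix in the manifest;
    blank, comment and malformed lines are skipped rather than guessed at.
    """
    digests = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        digest, name = parts
        digests[os.path.basename(name.lstrip("*"))] = digest.lower()
    return digests


def file_digest(path, algorithm):
    """Hash a file in chunks so large installers do not need to fit in RAM."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, manifest_text, algorithm="sha256"):
    """Return (ok, reason); ok is True only when the digest matches exactly."""
    expected = parse_manifest(manifest_text).get(os.path.basename(path))
    if expected is None:
        return False, "file not listed in manifest"
    actual = file_digest(path, algorithm)
    # Constant-time compare; a mismatch is a reason not to run the file.
    if not hmac.compare_digest(actual, expected):
        return False, "digest mismatch: expected %s got %s" % (expected, actual)
    return True, "ok"


# Constructed demo data: not a real Firefox installer or a real digest.
SAMPLE_CONTENT = b"constructed installer bytes, not Firefox\n"
SAMPLE_NAME = "Firefox Setup 1.0.exe"


def demo(tamper=False):
    """Write the sample file, optionally alter its last byte, and verify it."""
    good_digest = hashlib.sha256(SAMPLE_CONTENT).hexdigest()
    manifest = "%s *./win32/en-US/%s\n" % (good_digest, SAMPLE_NAME)
    content = SAMPLE_CONTENT[:-1] + b"!" if tamper else SAMPLE_CONTENT
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, SAMPLE_NAME)
        with open(path, "wb") as f:
            f.write(content)
        return verify_download(path, manifest)


if __name__ == "__main__":
    print(demo())             # untouched file verifies
    print(demo(tamper=True))  # one changed byte is reported as a mismatch
```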