Security issues in IE

[Si Hunt]

Will this patch download itself automatically or do you need to hunt it out?

Si.

[WhiteCrow]

On my Vista its got an update waiting on the standby - I guess you might need to go into Windows and click the Windows Updates icon.

[WhiteCrow]

Right - and this is important too.

Microsoft have issued an update now ...

http://news.bbc.co.uk/1/hi/technology/7788687.stm

Typically it doesn't tell you how to get the update. Try Automatic Updates under Control Panel.

Now, all joking and taunting aside. If you're using an older version of IE, you should really consider moving up to the latest version. Do the reading, and make your own judgement. But it now seems a risky thing to do. I would most advise a move to Firefox 3 naturally.

But there's news for other people too - own a LINUX netbook? Then read on

I bought a netbook in October, didn't get on well with it cos of some issues with what I was trying to hack with it. In the fresh out the box format, you get Firefox version 2.

From the same article ...

Meanwhile Mozilla has released a scheduled update for its open source Firefox web browsers for at least 10 different vulnerabilities.

The bugs in the browser could have been "used to run attacker code and install software, requiring no user interaction beyond normal browsing," said Mozilla.

It is also reissuing calls for users to upgrade from Firefox 2.0 to Firefox 3.0 as soon as possible and said it is "not planning any further security and stability updates for Firefox 2".

This means Mozilla will no longer support the Firefox 2 browser against future online scams and attacks.

This means it's time to consider upgrading your Firefox. The Acer netbooks have an automatic updates feature, which hopefully should now include an update to Firefox 3. Otherwise the update process is consideraby more difficult than updating a Windows machine but there is support out there.

[Si Hunt]

Get it HERE

Si.

[Si Hunt]

Meanwhile Mozilla has released a scheduled update for its open source Firefox web browsers for at least 10 different vulnerabilities.

The bugs in the browser could have been "used to run attacker code and install software, requiring no user interaction beyond normal browsing," said Mozilla.

So it seems even Firefox users arn't safe.

Si.

[Wayne]

Typically it doesn't tell you how to get the update.

http://www.microsoft.com/technet/sec...0536625-470031

ETA: oops, i see Si beat me to it.

[WhiteCrow]

So it seems even Firefox users arn't safe.

Not quite. Firefox like all browsers has potential to be exploited.

What makes Firefox so great? Well it had all the security features IE has now in version 7, but since 2004.

* Built in virus checking
* Pop up blocking
etc

The other thing is when a security hazzard occurs, Microsoft tend to wait for a monthly update at least before issuing a repair. This issue has been unusual due to the fact they have rapidly issued a repair ... for once.

For Firefox, issueing an update for a security issue happens much more quickly.

http://en.wikipedia.org/wiki/Firefox#Security

The Mozilla Foundation offers a "bug bounty" to researchers who discover severe security holes in Firefox. Official guidelines for handling security vulnerabilities discourage early disclosure of vulnerabilities so as not to give potential attackers an advantage in creating exploits.

Because Firefox has fewer and less severe publicly known unpatched security vulnerabilities than Internet Explorer (see Comparison of web browsers), improved security is often cited as a reason to switch from Internet Explorer to Firefox. The Washington Post reports that exploit code for critical unpatched security vulnerabilities in Internet Explorer was available for 284 days in 2006. In comparison, exploit code for critical security vulnerabilities in Firefox was available for 9 days before Mozilla shipped a patch to remedy the problem.

A 2006 Symantec study showed that although Firefox had surpassed other browsers in the number of vendor-confirmed vulnerabilities that year through September, these vulnerabilities were patched far more quickly than those found in other browsers. Symantec later clarified their statement, saying that Firefox still had fewer security vulnerabilities than Internet Explorer, as counted by security researchers. As of December 10, 2008, Firefox 3 has one security vulnerability unpatched according to Secunia. Internet Explorer 7 has ten security vulnerabilities unpatched, the most severe of which was rated "extremely critical" by Secunia.

I'll just repeat those point again ...

* The Washington Post reports that exploit code for critical unpatched security vulnerabilities in Internet Explorer was available for 284 days in 2006. In comparison, exploit code for critical security vulnerabilities in Firefox was available for 9 days before Mozilla shipped a patch to remedy the problem.

* Firefox still had fewer security vulnerabilities than Internet Explorer, as counted by security researchers.

So just from a security point of view it makes sense. But I'm boring you with tech talk.

However let me make clear, that no browser, firewall or virus checker can offer 100% coverage. A certain ammount of common sense is required. Esp when you find out you've won the Nigerian lottery.

[Si Hunt]

Not quite. Firefox like all browsers has potential to be exploited.

Correct me, but the article said that updates are being issued for "vulnerabilities". So this is beyond "potential"?

What makes Firefox so great? Well it had all the security features IE has now in version 7, but since 2004.

* Built in virus checking

I have a virus checker.

Pop up blocking

Just like IE7 then.

By the way, immediately repeating yourself can be quite condescending in real life. But this is the first time I've seen someone do it in print!

Si.

[Philipnet]

Not quite. Firefox like all browsers has potential to be exploited.

At the very extreme, all software has the potential to be exploited. Whether any attempts are successful depends on the software, Operating System, Hardware and other factors.

What makes Firefox so great? Well it had all the security features IE has now in version 7, but since 2004.

* Built in virus checking
* Pop up blocking

It's good to see Microsoft actually providing new features for users of IE.
I've been a fan of tabbed browsing since I first discovered it. The 'work around' with IE was to open multiple windows, until Microsoft added the feature in IE7.
I use IE7 at work and now can't stand the lack of tabs on IE6 on my PC at home. That said I'm still not used to the user interface on IE7!

[WhiteCrow]

I was just bringing out those two main points, cos they are important ones.

And as mentioned before, yes indeed IE7 has all these features in 2008, just like Firefox had in 2004. So yup, it's like totally 4 years behind Firefox. That's not innovation.

Want to get a feel for what IE8 will be like? Try using Firefox 3.

I don't really follow the logic that if Firefox as of 10th December has one security vulnerability, but IE has ten, some of which are "extremely critical", that it follows that Firefoxes one vulnerability will somehow be worse.

Oh yeah and Firefox 3 comes with anti-malware and anti-pfishing.

http://www.computerworld.com/action/...icleId=9062798

Firefox 3.0's new anti-malware blocker, a tool that prevents some malicious pages from loading, is the browser upgrade's most important new security feature, Mozilla Corp.'s head of engineering said today.

Officially dubbed Malware Protection, the tool warns users when they steer Firefox to sites that are known to install viruses, spyware, Trojan horses and other malicious code. When a user tries to reach a site on the banned list, a large red warning appears in lieu of the page. The warning says that the intended destination "has been reported as an attack site and has been blocked based on your security preferences." A button labeled "Get me out of here!" returns Firefox to the browser's home page.

"Anti-malware is an evolution of Firefox 2.0's antiphishing," said Mike Schroepfer, Mozilla's vice president of engineering, adding that it was his first pick as Firefox 3.0's most important security addition. "This is part of our active defenses," he said.

Basically Firefox is a thing of beauty and security. Kind if like a Page 3 girl turned soldier.

[Si Hunt]

Why should I care if the features of the browser I'm using now were implemented somewhere else before I got them? As long as I've got them now, I don't care. And as I'm happy with the performance of my current browser, I don't really care that another sort has features I don't even know I want.

Firefoxes one vulnerability will somehow be worse.

Where did I say that?

Si.

[Jeff]

Why should I care if the features of the browser I'm using now were implemented somewhere else before I got them? As long as I've got them now, I don't care. And as I'm happy with the performance of my current browser, I don't really care that another sort has features I don't even know I want.

Consider this: Even with your old security software, had you been using Firefox you may have never gotten the malware/virus that destroyed your operating system a month or two ago and caused you to have to take your PC in for repairs and start over from scratch.

Firefox is more secure. That's all Mike's trying to get across. He's just trying to be helpful and informative.

[Si Hunt]

Hmmmmm. Hmmmmmmmmmm. Very easy to say though Jeff isn't it! There's no proof IE was to blame for the virus. It was most likely my virus checking facilities, which I've since upgraded.

Si.

[WhiteCrow]

One exciting feature for Firefox is the anti-malware ...

http://news.bbc.co.uk/1/hi/technology/7456151.stm

Included in Firefox 3.0 are malicious software spotters that tell users when they are on a website that has been compromised. A red box will pop up in the middle of the screen warning users of the danger.

Mr Schroepfer said: "This new type of attack where people are hijacking legitimate websites and using them as mechanisms to try and install software on your machine is truly worrying.

Behind the warning system is a list of infected sites that is updated every 30 minutes to keep up with the pace of web attacks

This is an incredibly good idea. Instead of leaving it to your virus-checker, to try as much as possible to keep you away from such compromised sites. It adds another revolutionary line of defense.

Available on Firefox 3 now. This might be available in IE 8, sometime in the future. However in my book when it comes to internet security, "jam tomorrow" isn't really good enough.

[Jeff]

Hmmmmm. Hmmmmmmmmmm. Very easy to say though Jeff isn't it! There's no proof IE was to blame for the virus. It was most likely my virus checking facilities, which I've since upgraded.

Si.

I think it was more likely the firewall than the virus checking. Not all malware are actually viruses. At any rate, it is also a very viable possibility that firefox may have stopped it. At any rate you are better off now wit a top line security suite, rather than that free junk. I got something similar to what you had when I was using AVG, and I've been sour on it since.

[Zbigniev Hamson]

I don't really follow the logic that if Firefox as of 10th December has one security vulnerability, but IE has ten, some of which are "extremely critical", that it follows that Firefoxes one vulnerability will somehow be worse.

Oh yeah and Firefox 3 comes with anti-malware and anti-pfishing.

The article you yourself linked to said that Firefox had been updated to cover 10 different vulnerabilities, so it seems odd you picked that number for IE in the above example. IE7 also has anti-pfishing stuff too.

As for tabbed browsing... well I quite like it now, but really having a load of tabs to click on at the bottom of the screen is hardly very different to having a load of browsers to click on on the toolbar at the bottom of the screen. You're still clicking on some part of the screen to change what page you look at, does having it at the top instead of the bottom really make all that much difference?

I presume if was Firefox 3 I got as I only downloaded it last week and, like I say, it didn't exactly knock my socks off.

I also don't like peas or Turkish Delight. And I had a friend who didn't like strawberries. And another friend (female believe it or not) who doesn't like chocolate. It takes all sorts.

[Zbigniev Hamson]

Oh another thought. Surely, at the moment, IE is the more exploited browser simply because it's the more popular (three quarters of the market one of the links said). If Firefox becomes the more popular browser then hackers will just target that. So if you really do love Firefox you're probably best off keeping it to yourself