Domain: secunia.com
Stories and comments across the archive that link to secunia.com.
Comments · 2,642
-
Re:Only be a good think
Yes, by all means check out Secunia. Here's the links for Firefox and IE.
I found this part particularly interesting:
"Microsoft Internet Explorer 6 with all vendor patches installed and all vendor workarounds applied, is currently affected by one or more Secunia advisories rated Highly critical... Currently, 16 out of 63 Secunia advisories, is marked as "Unpatched" in the Secunia database."
And for Firefox:
"Mozilla Firefox 0.x with all vendor patches installed and all vendor workarounds applied, is currently affected by one or more Secunia advisories rated Less critical... Currently, 3 out of 16 Secunia advisories, is marked as "Unpatched" in the Secunia database."
Also, the "criticality" break down for advisories in 2004:
IE Extremely: 13% Highly: 39% Moderately: 13% Less: 17% Not: 17%
FF Extremely: 0% Highly: 13% Moderately: 44% Less: 44% Not: 0%
For the months listed (going back to May), Firefox has had 16 advisories[1]. IE has had 14. But how many IE vulnerabilities have been outstanding during that time? The ONLY reason IE has a lower number of advisories since May is because the security holes were found earlier! No, Firefox has not had more vulnerabilities in the last six months. That's a flat-out lie. It's only had more *discovered* in that time. And all the critical ones have been fixed. And overall they've been much less severe than IE's holes.
As for them "sitting in the Moz codebase for years", where do you think the IE holes came from? That's right, they've been sitting in the IE codebase for years. Go figure. At least the Mozilla team fixes them promptly when they are found.
Hell, one of the Firefox vulnerabilities was actually a Windows vulnerability!
[1] I'm now noticing that some advisories include multiple vulnerabilities. I don't have time to examine each advisory to count actual vulnerabilities and check their severity, but I encourage anyone who has the time to do it. I'm reasonably confident that Firefox would come out on top in pretty much any reasonable comparison. -
Re:What about security?
> if you look at sites like Secunia, there have been _MORE_ vulnerabilities in Firefox than IE in the last six months!
Not all vulnerabilities are equal. Not every security hole can result in your computer becoming a zombie.
Yet by merely counting them, you're implying this is somehow comparable to this.
A better way to measure the security (or lack of) of a product could be to keep a calendar:
For every day that goes by with at least one publicly known yet unpatched serious vulnerability (and no, I don't think <script>prompt("enter your CC# now","")</script> qualifies), put a mark on the corresponding product for that day.
After a few weeks/months, tally up the number of days you were explicitly put at risk by using a particular product.
I'd be extremely surprised if Firefox didn't come out spectacularly ahead of IE on this kind of test.
-
Putting a Windows machine naked on the net.
Of course it is possible to keep a Windows machine naked on the net without it getting cracked.
Depends on whether that net is connected to the Internet or not. The more I learn about MS-Windows, the more I doubt that it is possible. Here are four things to think about:
1. You can't connect an unpatched MS-Windows machine to the 'Net. Even Redmond admits that in their blame-the-admin campaign. See also articles like, "Unpatched {Windows} PC "Survival Time" Just 16 Minutes".
2. Even if you download the patch and install it before exposing the MS-Windows machine to the 'Net, the patch may not work. MS Patches are infamous for being incomplete, breaking 3rd party applications, failing to patch what they claim to patch, or even resurrecting old security problems. e.g. Attack pierces fully patched Windows XP
3. Even if the patch does work, there are many widely known problems left unaddressed by the patch, such as this problem that MS still hasn't acknowledged.
4. Even if the points above are magically resolved, you still have reality bite you: You can't patch fast enough.
A lot of folks are heavily in denial about just how bad shape MS really is in. It's been a great ride, but it's time to get off. If you weren't early in and at the top of the pyramid scheme, then don't even think about it. Either way it's time to look away from Redmond and back to software that works and is actually designed to work.
-
IIS 6.0 vulnerabilities is not zero...
Looking at securityfocus.com and secunia.com it seems that IIS 6.0 has had at least 3 vulnerabilities discovered, one of which is still unpatched.
Apache 2.0.x, on the other hand, has at least 20 vulnerabilities listed so your point about IIS vs Apache is valid, but I just don't want you to fool yourself into thinking IIS 6.0 is somehow the savior of the web.
It's also interesting to note that Windows Server 2003 Enterprise Edition has 31 advisories while Red Hat Enterprise Linux AS 3 has 89 advisories.
Now what is really interesting is to see the number of vulnerabilities that are unpatched when comparing Microsoft's solutions to the FOSS solutions. It seems that even though Microsoft has fewer advisories they also have more of them that seem to be unpatched. So that seems to be good news for FOSS and perhaps is proof in what has been said all along on the FOSS side, the bugs get fixed faster than on the closed source side.
It's interesting to look at the numbers anyhow, but I still see no reason to dump my linux installs for any expensive Microsoft offerings anytime soon.
burnin -
Re:Windows just might be ahead of *NIX here...
Fine, but why isn't ProPolice distributed/enabled by default in gcc?
Yeah, it's "been around for ages!".
But, if that's the case, then why do we have buffer overflow fixes in OpenSSH, Mozilla, and Apache?
See, I know I could probably install this compiler extension, and pass flags and all that. I'm sure Gentoo nuts do it all the time.
But why the hell is this not done by default, everywhere, if it's been available for NN years? This is where Microsoft may actually be ahead of us.
But, I guess pointing out this unpopular fact makes me a troll? -
Re:Make Sure That You Only Present...
No matter how you cut the vulnerabilities in Win2K3 some of the vulnerabilities are definitely part of IIS 6.0. However I don't believe for a second that Microsoft is reporting all security problems, such as this problem that M$ still hasn't acknowledged.
The Apache group is much more forthcoming about security problems and I don't trust Windows as a server platform. -
HE SHOOTS! HE SCOREZ!!!
I use Konqueror as my main browser, with Mozilla and Epiphany as more "functional" browsers for specific sites I've found that need Java or Javascript (or cookies, for that matter). And lo and behold, that's exactly what's written in the article.
---
Solution:
Don't visit trusted web sites while visiting untrusted web sites or disable JavaScript.
--- -
Not limited to just content in the tab page...
If you go to the second issue for Mozilla here and then click on the citibank link, it's interesting that it grabs text in the url textbox, or if you open any other XUL dialog box (New Bookmark Folder - Though in IE it's not affected when adding a bookmark) it doesn't let you enter text... This same vulnerability exists in Internet Explorer (grabs text in url textbox too) but I wonder if it can be exploited in IE/Mozilla using a hidden frame, or inline? I tested it with autofill but that part was fine.
-
*Konqi User Yawns*
> The Mozilla etc problem seems equally serious.
OOOhhhoo, finally my wish will be granted *ooooohhooo, bounces around out of happiness*
-
Secunia Research has discovered a vulnerability in Konqueror... [blah blah blah]...
Inactive tabs can launch dialog boxes.... [blah blah blah]
...Successful exploitation would normally require that a user is tricked... [blah blah blah]...
*Oohhh*A test is available * ooh ooh, does one dare
...* ...The vendor reports that the vulnerability has been fixed in KDE 3.3.1.
... SHIT, SCHEISE, SKIT, GREY PUPON *or what ever they say in French*, SAR, RAHAT! ... *etc etc etc* ..., why musta've be running KDE 3.3.1! ... ooohwhy, why, why can't our great überlord(s) grant one they wish to experience IE-*like*-vulnerability(ies)?! whyy, ooh you cruel überlord(s)!!* ... *goes crying on his pillow*</sarcasm>
*Konqi User goes back to Yawning*
-
Re: Cached Links
Coralize the links, they'll load WAY faster and more reliably:
http://secunia.com/advisories/12712/
Changes to:
http://secunia.com.nyud.net:8090/advisories/12712/ -
Reality Distortion Fields ON!
The same person tells us that Apache sucks when compared with IIS. Does this mean we've all been wrong about Microsoft products? If we take Microsoft's word for it we have indeed and should seriously consider switching back to IIS. After all, [THE FOLLOWING IS SARCASM:] this conclusively proves that IIS is far superior to the Linux Apache Mysql Perl/Python/Php system.
-
Baldfaced
-
Re:Only 7?
I wouldn't take SANS's list of browser security holes too seriously. It lists the most publicized holes in Mozilla rather than the most serious holes. (To get a list of the most serious holes, look at the "critical severity, high risk" holes (marked in red) on mozilla.org's list.) SANS's list includes Mozilla XPInstall Dialog Box Security Issue, which was fixed a few months ago, but fails to mention that a fully-updated version of IE in SP2 is still vulnerable. Under the list, SANS claims that Firefox does not have automatic updates, which is false.
-
Re:Sure I do
If the number of exploits scaled by popularity, why are there more bugs for IIS than for Apache?
Gosh, that is hard. Let me think for a while...
Oh, I got it! Because you're lying through your teeth! These pictures are pretty:
http://secunia.com/graph/?type=adv&period=all&prod=73
http://secunia.com/graph/?type=adv&period=all&prod=1438
Your claim makes as much sense as if I were to say that IE has much worse performance than other browsers because IE 2.0 was slow. Yeah, it's easy to make claims when you ignore any recent history that contradicts you. Ok, I'm done now. You can go back to saying that Apache has fewer security problems than IIS 4 and thus no one should use IIS. From this point forward, we'll all just keep our mouths shut and pretend IIS 6 doesn't exist (since trying to claim that it's had more problems than Apache would be too ridiculous even for slashdot... or so I thought). -
Re:How Dogbert would handle this
Hmm... Perhaps.... http://secunia.com/product/3919/
-
But Perl does better
I agree that PHP is only now learning the lessons that others learned a long time ago. But Perl only had one vulnerability.
And that vulnerability only applied if you were running Perl on Windows. Most people using Perl for web work run on something *nix based.
BTW secunia is an interesting resource. Thanks for the recommend. -
Re:How Dogbert would handle this
That's why I use Tomcat :) Java is a wonderful thing.
Regards,
Steve -
Re:MSI repackaging tools
MSI packages are Microsoft's RPM. They are significant because Microsoft's and other companies' application deployment tools use it.
For example, I administer about 80 PCs in a school. First thing I need to do with a new application is to get it into MSI form because usually they come as executables. Some companies like Sun (Java) and Adobe (Acrobat Reader etc) provide tools that help you make your own package. They also aren't ready for multiuser systems where users are non-privileged. So a lot of work before I can deploy a new application.
Once they are in MSI form, I can stick them on a network share and tell all the PCs to install the programs on the next bootup. I don't have to go through 80 machines and install Firefox on every one.
Firefox comes as an executable or flat zip file. I've been working putting FF in an MSI lately and have had enough success to roll it out. There are plans to offer it as an MSI when it hits 1.0 final.
Another component they mention is group policies. You can configure IE centrally from a server, for instance now that I've deployed FF I've shut off "active scripting" (ECMAscript/Javascript/VBScript whatever) from all unknown sites. Not that it helps much because according to Secunia it's possible to circumvent IE's security zone settings due to a 7-month old unpatched security hole in IE. FF doesn't use the Windows registry so group policies are useless. Other means of enforcing settings are being developed, however. -
Re:These hurt...
Just a quick note on those 2 advisories. One of those bugs is also found in IE. The other is only on OSX.
Another advantage to firefox is that it alerts you when there are updates. The same can't be said of IE. IE has to rely on Windows Update.
Something seems right to me about the specific piece of software you are using being able to notify you about its own problems. "Since you seem to use me, why don't you patch me?" -
Re:Depends on your download directory
Or a little of both. I just keep all my downloads in one folder (R:\home\lachlan\program downloads (you can see which OS I like to use)). No subfolders inside, because I find it easier to remember the names than multiple directory levels when I type in filenames (eg. cp ~/program\ downloads/jdk-1_5_5-windows-i586.exe H:\\ is easier than cp ~/program\ downloads/java/jdk/jdk-1_5_5-windows-i586.exe H:\\). But if I got hit with something like this, 5.6GB of downloads disappears. And up until yesterday, I was on 56k. Not a week's downloads.
Of course, I'm not really a representative of the general public. They probably won't be affected by this exploit. They just have the other 19 to deal with ;) -
These hurt...
Considering Firefox is supposed to be the secure alternative, 13 security advisories in the last 6 or so months isn't a good look.
Sure it isn't that bad, but nonetheless, it doesn't help Firefox's image at all and looking at Secunia, Firefox has had more advisories than any other browser (yes, that includes Internet Explorer and the Mozilla Suite) since May this year. -
They fell for it 24 times before.
"The most ridiculous part is that EVERYBODY WILL ... FALL FOR IT AGAIN."
Exactly right: The U.S. government has bombed 24 countries since World War 2. The system of violence works by creating fear in U.S. citizens so rich people can profit. The problem happens largely because the U.S. government has a break-the-law department called the CIA. Secret government is not democratic.
This is the 55th serious vulnerability in IE found in two years. I've often wondered: Are Microsoft programmers that sloppy, or were the bugs put there to help with U.S. government surveillance? Why did the U.S. Department of Justice let Microsoft off so easily for its anti-trust violations? -
Re:Most of that is probably from previous users
Mozilla Multiple Vulnerabilities
Highly critical
Cross Site Scripting
Manipulation of data
Exposure of sensitive information
System access
From remote
That got me to upgrade ASAP!
I don't know if Mozilla should be bragging that up to a million users had to run out and get a critical security fix. It would be nice if there was a patch install, and they could separate out the new downloads from the upgraders. -
Firefox "security"
You mean apart from these critical flaws which let any website take over your machine by exploiting all the buffer overflows in it. The difference between IE and Firefox is that IE has a better automatic update system for patching security issues.
-
Security Advisory today
See: http://secunia.com/advisories/12526/
Yet I see no mention of it on the Mozilla home page and the downloads look the same. Is there a patch or is there not a patch?
From Secunia:
Highly critical
Impact: Cross Site Scripting
Manipulation of data
Exposure of sensitive information
System access
Affects all versions. -
Re:any time now...
Heh... while we are comparing Fedora and Windows XP, I was on Secunia today looking up some information for my employer. What I found was interesting. Fedora (both cores) according to Secunia are both "secured" and have nothing that is known about that isn't patched. Windows XP on the other hand has 25% of its vulnerabilities unpatched and secunia considers at least one of these unpatched things to be "highly critical". Also to put it in more perspective, the Windows alerts are only in regards to core windows components, whereas the Fedora Cores have the alerts for pretty much every product that comes with it, these include rsync, CVS, and squirrelmail. Many of these applications are 3rd party software and the Fedora crew isn't directly responsible for their security, yet they are included in the Fedora evaluation. That'd be like saying Microsoft is responsible for Adobe's software. Despite the fact that Fedora has this going against it, Secunia still considers it more secure. One final thing, while it says Firefox has some moderately critical problems (it's two things, and both are related to spoofing), it says that Internet Explorer has many "Extremely Critical" problems and then goes on to list too many to note here. Here are the links:
Fedora
WinXP
Firefox
IE
I'm sure glad I run Fedora :) I also run Debian on some servers and was a bit disappointed to see that they were marked as having some moderately critical vulnerabilities, one being released in 2002. It sure is stable as hell, but it's one more reason to keep me thinking about migrating the servers and the only other real choices I'd consider are Red Hat, Suse (although past experiences with them haven't been the best), and maybe Gentoo on a non-production server. Debian.
Regards,
Steve -
Re:any time now...
Heh... while we are comparing Fedora and Windows XP, I was on Secunia today looking up some information for my employer. What I found was interesting. Fedora (both cores) according to Secunia are both "secured" and have nothing that is known about that isn't patched. Windows XP on the other hand has 25% of its vulnerabilities unpatched and secunia considers at least one of these unpatched things to be "highly critical". Also to put it in more perspective, the Windows alerts are only in regards to core windows components, whereas the Fedora Cores have the alerts for pretty much every product that comes with it, these include rsync, CVS, and squirrelmail. Many of these applications are 3rd party software and the Fedora crew isn't directly responsible for their securty, yet they are included in the Fedora evaluation. That'd be like saying Microsoft is responsible for Adobe's software. Despite the fact that Fedora has this going against it, Secunia still considers it more secure. One final thing, while it says Firefox has some moderately critical problems ( its two things, and both are related to spoofing), it says that Internet Explorer has many "Extrememly Critical" problems and then goes on to list too many to note here. Here are the links:
Fedora
WinXP
Firefox
IE
I'm sure glad I run Fedora:) I also run Debian on some servers and was a bit disappointed to see that they were marked as having some moderately critical vulnerabilities, one being released in 2002. It sure is stable as hell, but it's one more reason to keep me thinkign about migrating the servers and the only other real choices I'd consider are Red Hat, Suse (although past experiences with them haven't been the best), and maybe Gentoo on a non-production server.Debian.
Regards,
Steve -
Evidence too...
Apple has been a great demonstration for the added security of OSS. Of the few exploits that have arisen, they've mostly been related to the parts of the OS that are still closed, like AppleScript and Internet Connect.app. Maybe they should expand their OSS efforts into these areas...
(exceptions in recent libpng and libz exploits) -
Re:Devil's Advocate
How many critical alerts have been released against IIS 6 in the 16 months since it's been released? Answer: None.
This one is labeled "Moderately Critical".
-
Re:Devil's Advocate
How many critical alerts have been released against IIS 6 in the 16 months since it's been released?
Answer: None. -
Re:Macs
It was in the link from a message posted by Egekrusher2K (610429) a few messages up the chain from here.
It was in reply to someone who said that MacOS X had no problems like this Winamp one. It was not referring to the original Winamp problem itself.
-
Re:Winamp's or IE's fault?
Uh, just because WinAmp is nice enough to put out a patch that will protect you from IE's vulnerable behavior does not mean it's their fault in the first place. Kinda like the whole Mozilla thing.
-
All versions are affected?
The Secunia.com link in the profile says that only Winamp 3.x and 5.x. But doesn't mention 2.x... the vast majority of Winamp users I know don't use 3.x or 5.x due to the massive feature bloat.
Is 2.x actually susceptible or is the submitter incorrect? -
Secunia advisory
http://secunia.com/advisories/12321/
For more info...