Slashdot Mirror
New Spoofing Vulnerability in IE
Jimmy M. writes "A new vulnerability has been announced in Internet Explorer, also affecting XP SP2, which can very easily be exploited by a malicious web site to completely spoof the address bar. The vulnerability is very similar to another vulnerability disclosed just about a year ago called the '%00' vulnerability, which also was widely exploited by phishers. A demonstration is also available."
Get it here
Comment removed based on user account deletion
Using the latest version of Avant Browser, on a fully patched XP SP2 system. It seems obvious since Avant is based on IE but I thought it would be useful to know.
It is not enough to have a good mind. The main thing is to use it well. - Rene Descartes (1637)
Everytime there's a major Firefox event, a release or New York Times ad, they chip it by having another IE vulnerability to raise awareness of Firefox. Thanks Microsoft!
I use wget and read the raw html in a text editor.
Just tried it with Safari. Clicking the demo link does absolutely nothing. Turning off pop-up blocking and clicking the link does ... absolutely nothing.
Next.
everyone on ./ already knows to run firefox. thanks anyways.
i just tried this on the box iam sitting at (win2k sp4 + up2date patches) and i just get a script error with "permission denied"
Not the advertised exploit, but pretty damn annoying in its own right.
No, you're not safe. Check this out. It is recent too, released on Dec 10, 2004.
To me, whenever I see a vulnerability article for IE on Slashdot, I say to myself "Man...why does that seem like it's such a trivial programming error to fix?" as opposed to when there's a vulneraibility to Firefox/all browsers, when it's something like "Wow, someone really took some time to craft that one out"...just a thought.
It is pitch black. You are likely to be eaten by a grue.
Apparently it's been patched.
Next, we'll be reading about studies showing that two hydrogen atoms and one oxygen atom form a clear, wet substance.
Now, the impact of the Firefox New York Times ad will be hard to quantify.
I tried the link in Mozilla and as expected nothing happened. I then tried it in IE.
It took about 30 seconds to open the popup and im not sure it would have opened at all if i didnt start clicking around the page to unfreeze IE. It seemed IE was in some kind of loop the title bar was flashing as if it was gaining and losing focus rapidly. Its obvious something fishy was going on.
I run IE at work (not my choice) but have all ActiveX set to prompt. When clicking the link, if I select "No" this has no effect. I've never clicked "Yes" to that prompt yet and haven't noticed any important features I'm missing out on.
Yes the prompt on 90% of web pages is annoying. Yes I love firefox.
I have the latest version of Spoofstick (1.02 released 8/18/2004) and PivX Qwik-Fix Pro (v1.4) and the vulnerability tests positive in my up-to-date IE: a new window appears with both IE and Spoofstick reporting the site as citibank.com
Hopefully the guys over at the mozilla.org website will take note of the current number of Firefox downloads to see what size surge this generates. I'd love to see a nice graph with key dates on it for that matter - the PR1 release, the 1.0 release, the announcement of the various IE exploits... :)
UNIX? They're not even circumcised! Savages!
Use FireFox!! There is even an extension called Spoof Stick.
"We will remember not the words of our enemies, but the silence of our friends. " Dr. Martin Luther King, Jr.
This is not a reason to use Firefox - it's useless in Firefox.
... all. Oh.
I just clicked the demo link using Firefox 1.0, and nothing happened at
Never mind.
sigs, as if you care.
...people start banging on Firefox hard enough to expose vulnerabilities?
Or, is Mozilla just that good at plugging leaks before they happen?
I really want to try this but I have such problems getting stuff to run in wine.
What changed under Obama? Nothing Good
This so called vuln is not quite one.... Perhaps just to the XP crowd (awwww). On the up-to-date patched Win2k system I use, (IE 5.00.3700.100), all the script does is to cause cascading script errors. Similar annoyance is compared to those kiddiot hacker sites that crash the browser.
What exactly was this supposed to do again? BTW, the "exploit" isnt one in Mozilla, firebird, Lynx, Links, Konqueror..
With Internet Explorer for the Mac hovering above the link makes the status bar say "javascript:start();", but clicking on it does absolutely nothing. Exact same result with Safari.
OK. I use Mozilla anyway, so I shouldn't care about this particular bug. But the last couple mentioned here on /. that affected Mozilla, used Javascript to transfer data entered from one window to another. There's been a few of these, so I disabled Javascript and turn it on only when needed. Is this such a hard workaround? If you like IE, and you need ActiveX, can you just leave it off until a webpage needs it? There's going to be hundreds of these exploits popping up -- no one can fix them all.
You mean people STILL use IE, once they've been to Slashdot? Doesn't seem to really relate to us any more..
I like muppets.
Not only the existence of the bug, but Microsoft's attitude towards the last one like this.
From Microsoft Help & Support. "The most effective step that you can take to help protect yourself from malicious hyperlinks is not to click them. Rather, type the URL of your intended destination in the address bar yourself. By manually typing the URL in the address bar, you can verify the information that Internet Explorer uses to access the destination Web site. To do so, type the URL in the Address bar, and then press ENTER."
Just defeat the purpose of hyperlinks. Thanks MS!
Disable ActiveX and this wont work. This exploit depends on ActiveX to run.
Your hair look like poop, Bob! - Wanker.
I'm in SP1 and opened the link in IE, doesnt do anything, just shows the javascript error icon.
At least the announcment was timed well.
It's easier to fight for one's principles than to live up to them.
I see what's going on here. Microsoft put so many exploits into IE that eventually the black hats will be overwhelmed with possibilities, to the point of quitting. It's like the vulnerability-options DDoS.
Here we have one that broke up with IE. Fun story ;)l ?tag=nl.e497/
http://reviews.cnet.com/4520-3513_7-5570803-1.htm
In the NYT ad, they should've added every IE bug that's been discovered since Firefox was released. I mean they are probably the biggest contributors to FF's popularity.
"Plans are for fools! Oglethorpe, the plutonian (Aqua Teen Hunger Force)
Tried it and did not work. The google toolbar reported an increasing number of popups blocked. Infact, it was going crazy.
I disabled the google toolbar. Then when I click on the link, nothing happened. The page kept reloading, so I think the IE SP2 popup blocker was blocking it.
Im not sure what the exploit is, but this clearly does not work with an Win XP SP2 system.
Why is that "Score:1, Interesting"
That's like a pregnant woman saying "I'm screwed"!
I'm running SP1, but when I hover on the test link my status bar says:
javascript:start();
Maybe it's an exploit, but I wouldn't fall for it.
sp1 seems to be effected also.
Where I work, we have code reviews, automated code scrubbers, and extensize QA, and we're a relatively small shop compared to them.
I know they're trying, otherwise it would be a lot worse, and SP2 did a good bit to improve things, so I can't be that hard on them.
Jerry
http://www.syslog.org/
Microsoft bashing is always fun, but I really just want to be able to use any browser, on any OS. This why I hope Firefox takes off
"People who don't give a shit just plain don't know about it." I recently told a guy who is responsible for IT at a public school about Firefox. He had not heard of it.
Ignorance is curable, stupid is forever.
did you open this link thinking it was to a new news story? didn't we go over this last week sometime?
So, to check a Hotmail message, I just need to manually type
g ?m sg=MSG1103631600.24&start=3248752&len=4735&imgsafe =n&curmbox=F000000001&a=b2cbfd3baddabfc913aacc3f36 f8590f
http://by2fd.bay2.hotmail.msn.com/cgi-bin/getms
in my address bar....
Thanks, Microsoft! I needed to brush up on my typing skills.
Alternatives are wonderful things.
http://it.slashdot.org/article.pl?sid=04/10/30/155 5251&tid=113&tid=128&tid=172&tid=1
A BROWSER? WHAT THE FUCK IS THAT??! IS IT LIKE AN EXPLORER SUV?
I wonder if this exploit is also in Outlook and/or Outlook Express? If so, it'd be very easy for someone to send out spam with what looks like 100% legit, right down to what URL is displayed in the link when hovered and the address bar URL once opened, thanks to this exploit.
If you put a bandaid over your mouse buttons that stops you pressing them then you are probably correct.
(with pointed finger) Ha-Ha
music lover since 1969
that's what happens when you click *any* javascript link.
Mod Parent Up
How to detect Internet Explorer and encourage IE users to switch to Firefox...
EricOmg loook IEs goth anhoter exploit, tihs cumes two shove taht OSS softwaré is steel supereor two microsoft.
Maybe it's just me, but I would love to see what IE's source code must look like at this point with all the patching it has gone through over the years.
Even more amazing perhaps are the facts that:
Most certainly the best built house of cards on the planet!
Yes, it's startling how easy I could be tricked if I went to a strange website, clicked on a link labeled "javascirpt:start()" on the task bar, then waited for my pop-up blocker to start counting upwards frantically for about 5 minutes until a new window opened up with a spoofed adress bar, and I didn't notice that all the other links on that page are hosted off of the site that's in the adress bar. It's the perfect crime if you're a goddamn idiot.
My Greatest Heist - Muisc partly inspired by the unbeatable Qwantz
...if they just posted news announcing days when vulerabilities aren't found in IE.
--AC
This doesn't have much in common with the %00 bug, which was essentially a visual bug, vaguely useful to convince that small percentage of people that verifies the URL of the site they're in instead of going by the look&feel of the page.
This bug however allows to break cross-domain scripting boundaries.
A practical example is that an attacker could craft a web page so that when a slashdotter visits it, it automatically submits a silly comment in reply to a particular post (yes, in spite of the hidden formkey field.)
Worse things could be done, like automatically grabbing the last 10 emails from your hotmail account if you happened to be logged in, send random replies to them, etc...
Use your imagination.
Describing this as a way to "completely spoof the address bar" misses the impact of this bug entirely.
All in all, a pretty cool exploit. I can't help but wonder if the double use of ExecScript and setTimeout is really necessary, but maybe that's an attempt to make it work accross more environments.
It's already been fixed.
I haven't seen that mouse-mod yet! Submit a blog to /. and it'll probably be posted...
Sorry I thought someone would have beaten me to this by now...
lol, that's the one thing that pisses me off more than anything about using a hotmail account, they convert all links into total gobbeldy gook just so they can stick that hotmail header on wherever you head, makes it totally impossible to verify where you're being directed to
"Does anyone really care anymore?"
:)
Of course we care. We need something to feed our Firefox > * egos.
After all, I have the mighty Microsoft-written XP SP2 Firewall to protect me.
My best sig is this one
Consider ...
<HTML>
<HEAD><title>fake citibank.com</title></HEAD>
<frameset rows="*" frameborder=0 border=0 framespacing=0>
<frame src="http://www.citibank.com/" scrolling=yes frameborder=no>
</frameset>
<body leftmargin="0" rightmargin="0" topmargin="0" bottommargin="0">Hello!</body>
</HTML>
I've had a good portion of my Windoze using friends and neighbors come up to me and ask if I have Firefox. Previously, these same people would glaze over when I attempted to explain why using IE wasn't a good idea. But now they feel "in the know", and are going around sharing their newfound knowledge with anyone who didn't see the ad. Far be it from me to rain on their parade :-)
Using this vulnerability to say that OSS is superior to MS is like saying that my television superior because it is immune to email viruses.
Firefox doesn't support ActiveX, and that's why the vulnerability doesn't work.
In other news, Microsoft has just announced the new standard file extension on the Internet is now .txt ;)
Except for the anoyance of clicking the prompt all the time. My problem is that even with ActiveX dissabled (not prompted; completely off) there are still many websites I visit that would pop up an anyoying 'this page may not look/work properly without ActiveX' warning on every single page that you are forced to click 'OK' to acknowledge. When I turn something off, I don't want to be harassed about it. Of course Firefox doesn't have this problem. :-)
"You saved 1968." - Ms. Valerie Pringle to the crew of Apollo 8
Once again I catch myself viewing this in terms of medieval military actions, like MS sitting sieged in their huge fortress, supplies are plenty but the cannons keep shooting and every other week one of the towers goes down.
No problem, there are lots of towers and even more teams they can order to repair and rebuild the citadell. Only, as times go it starts to paralize them. Fixing, fixing the fixes and adapting to the fixed environment creeps into everything they do, eroding their energy to act.
605413? Yes, it's a prime.
Not everyone looks at the task bar, don't forget that...
The AACS key is NOT 0xF606EEFD628B1CA427BEA93A9CA9773F
> By manually typing the URL in the address bar, you can verify
> the information that Internet Explorer uses to access the
> destination Web site. To do so, type the URL in the Address
> bar, and then press ENTER
Ironically MS themself break this with their hotmail service. When going to a link from a Hotmail email, the link is converted to a hotmail link followed by a seekrit ID key a hundred lines long, just to show you the (possibly spoofed) page with that hotmail header on it.
MS, You fail it!
newpage = addressbar.getaddress();
page = load(newpage);
if (!page.contains(MS_SEC_ADV_Q195038) {
if (!page.contains(MS_SEC_ADV_Q350835) {
if (!page.contains(MS_SEC_ADV_Q503850) {
if (!page.contains(MS_SEC_ADV_Q102488) {
if (!page.contains(MS_SEC_ADV_Q539683) {
if (!page.contains(MS_SEC_ADV_Q693896) {
if (!page.contains(MS_SEC_ADV_Q849284) {
if (!page.contains(MS_SEC_ADV_Q205789) {
if (!page.contains(MS_SEC_ADV_Q539023) {
page.display(); }}}}}}}}}
else { page.crapout(); }
I see slashdot links to them daily now and they were practically nonexistant (in the "spotlight" at least) until the past week or so.
Here's an idea - can we patent this exploit then sue Microsoft's ass next month when we find it in IE again?
If the public were better informed about technology and the reason why they keep getting popups and viruses and malware and spyware, and the reason why their Internet doesn't work anymore and why it takes their computer take 10 minutes to boot up when it only used to take 3, and they guess they just need to go down to BestBuy and buy another one. If people knew their machines were becoming pieces of crap over time because of flaws and vulnerabilities in their operating system and Internet browser, don't you think they would buy and use an alternative?
There are 01 types of people in this world. Those that understand binary, and me.
well, technically it doesn't do much. If you click the link again, it goes to citibank.
Oh, really! Good thing I'm not everybody then!
My Greatest Heist - Muisc partly inspired by the unbeatable Qwantz
That is all I get. Maybe it has something to do with running IE on CxOffice on Linux...
Oh well, what the hell...
When I go the the site in IE I get a message about office 2000 installing!!
Very odd. Just a pop-up I'm guessing....
Mark
As Nietsche famously said, "If you stare too long into the Abyss, 1d4 Tanar'ri of random type will attack you."
Seems it needs to screw with your registry to do it - after I denied the change it wanted just an empty windows came up (no content, no controls).
sic transit gloria mundi
Works without a hitch? Not quite. When it renders CSS properly in standards mode, then you can say that ;)
It does, however, show how easily exploitable and dangerous ActiveX is, and is a good incentive to switch to a more secure browser.
> da ya think for just a moment you tooks some creative license
> when you summarized the MS page?
Creative license? like directly quoting MS's own entire paragraph on the most effective step to protect yourself from malicious hyperlinks?
No, I think he quoted MS spot on. If MS are going to claim the MOST EFFECTIVE STEP towards protecting yourself from hyperlink spoofing is re-typing in entire fucking URLs, then they deserve to be shot. Cheaply or not.
I trying Firefox currently. While it passed the test for this new attack, it vulnerable to at least one other attack described by Secunia: http://secunia.com/multiple_browsers_window_inject ion_vulnerability_test/
Anyone know the score? What is Firefox vulnerable to and when will it updated?
ShoutingMan.com
I received email today phishing for logon info for Washington Mutual Bank. Curiously, with the Google toolbar installed and active the link lead to a page with the vulnerabilty where the spoofed address was pushed down into Google toolbar real estate, leaving the actual address visible in the address bar above.
Now, any savy Internet user is aware of phishing scams and I clicked on the link with nothing more than idle curiousity, but I have to wonder if any number of spyware toolbars would cause the same behaviour as the Google toolbar.
???
That reminds me of two Denial of Service Vulnerabilities which I published in October. Microsoft has yet to do anything about either of them, though they were notified.
The first involves an Improperly Closed Tag and will crash the browser.
The second is an Inline List which will peg the cpu.
While the phishing attempts are serious threats, these two have capability for more mailicious intent. It would be nice if microsoft would patch these.
Which version of Firefox are you using? I'm using 1.0 and it looks nearly identical to IE 6.0 with the Google toolbar. It's no faster (but no slower) than IE. And I've found its functionality to be about 90% that of IEs.
I'm sticking with Firefox because it seems to be more secure and the tabs seem like a decent way to go. But I'm not wowed by it. It's still playing catchup, in my view.
ShoutingMan.com
Mmm, goatsex.
This story points to the same Secunia Advisory (SA13483) as Slashdot's December 8th story "New Vulnerability Affects All Browsers" http://it.slashdot.org/article.pl?sid=04/12/09/005 3205&tid=172&tid=95&tid=8/
You had to replay it since Microsoft wasn't singled out in the first headline.
If you are really curious Sam Spade has a link deobfuscator feature.
BTW the site seems to not be working right now, but that should be temporary.
I'm a firm believer in the philosophy of a ruling class. Especially since I rule. -Randal, Clerks
I'm sure you thought a buffer overrun vulnurability in Firefox was incredibly novel.
And I'm sure the drag/frames thing seemed incredibly simple to you...
I seriously don't think Bill Gates or Steve Ballmer pays any attention to you.
just a web application developer and instructor in Toronto, ON Canada
That's one great thing about Netscape's forthcoming hybrid Gecko/Trident(IE engine)-based product... With the theme they've got on their prototype, you'd DEFINITELY know you were being spoofed if the fake looked like IE :D
I'm thinking hard here, and the only things I am coming up with are OS shell integration and activeX, which are dubious at best.
It has surpassed IE in the following categories:
And if you don't like it, you have the ability to uninstall it!
I used to bulls-eye womp-rats in my pants
No, you just type www.hotmail.com into your address bar and then navigate to and open the message as all the links you used to navigate from entering the address in the toolbar can be considered trusted.
Bill Gates died and went to heaven. As he stood in front of St.Peter at the Pearly Gates, he saw a huge wall of clocks behind him. He asked, "What are all those clocks?"
St. Peter answered, "Those are Software Vulnerability Clocks. Every computer program on Earth has a Software Vulnerability Clock. Every time a program is compromised due to a bug in the code, the hands on that program's clock will move.
"Oh," said Bill, "which clock is that?"
"That's the UNICOS clock. The hands have never moved, indicating that it was never compromised by an attacker."
"Incredible," said Bill. "And which clock is that one?"
St. Peter responded, "That's the OpenBSD clock. The hands have moved twice, telling us that the "Only one remote hole in the default install, in more than 8 years!" was compromised only two times in this operating system's life."
"Where's Internet Explorer's clock?" asked Bill.
"That's in Jesus' office. He's using it to drive the generators, which provide power for our celestial copy of Las Vegas."
I'm thinking hard here, and the only things I am coming up with are OS shell integration and activeX
Javascript whitelisting and/or security zones. I cannot always remember to turn off javascript after I have enabled it for a particular site, so this is a very important feature to me. Until Firefox adds it I'll stick with IE thank you very much.
How many of these exploits work with active scripting and activeX turned off? Not many.
Quite an experience to live in fear, isn't it? That's what it is to be a slave.
Everytime I install FF for someone, I install and explain that they can right click and select "open in IE"(which I"ve installed the extension for).
Problem solved. I've not had one (out of dozens) switch back.
If only this story came on the same day as Firefox's NYT ad. The first page of the ad could have been this story!
I'm much more funny, interesting and insightful than the moderators think
Never mention your competitor? I don't think competitor is quite the word here. IE vs. Firefox is not really a competition either. The reason Coke sells better than Pepsi is because people have tried both, and they think "I like Coke better." The reason 90% or so (the vast majority) of poeple use Internet Explorer isn't because they think "I tried both and weighing the featurs of each, I choose IE."
It's much more of a matter of people (A) not hearing about Firefox, and (B) not using it because they don't know how.
Both can easily be solved with a 5-minute download and 30 seconds of explaining "popup blocker" and "safe browsing".
Back to 'never mention your competitor in advertising' is usually a bad idea because:
1) It recognizes the competition, implies that they are viable competitors, and creates awareness of them.
2) It credits/merits the competition, almost suggests there's a reason to choose their product.
I really don't feel that either of the two apply here.
A) IE is very recognized. I don't think there is anyone that uses the internet that doesn't know what it is.
B) Nobody 'chooses' IE. It is spoon-fed to everyone and most people either don't know better or don't care.
C) "Implies your product won't/can't stand up on its own merits" --Well, in a way it can't. The biggest problem with other browsers is lack of awareness. If you don't represent Firefox as 'an alternative to IE' you will not be likely to influence anyone but attuned computer users.
D) As for "= you have LOST" -- Either that, or 'are losing' or 'are behind'. EVERY PC and Mac comes standard with IE, and EVERY PC has it currently installed. The vast majority of people who use the internet use IE. Firefox has a long way to go.
All in all, Firefox is the best browser available. If you don't believe me, then you probably don't have The AdBlock Extention installed. For now, yell as loud as you can, "INTERNET EXPLORER SUCKS, USE FIREFOX". Seems to work pretty well for me.
Partial Credit: The Engineer's Best friend
"Well, the bridge didn't fall all the way down!"
I would add that I encountered an MSIE recently and was shocked to discover that it still cannot print the pages displayed on the screen. Oh yes, you can click "print", but it will spread over several pages
in width and heigth, which is completely unusable. I
really was amazed to see that firefox and opera were
the only ones able to resize before printing ! I wonder how M$ can have distributed its browser with such limitations !
But I have noticed the citibank scammers have some little white text box that tries to spoof the address bar. Problem is it gets displayed way out of place.
Why isn't XP?
Can I bum a sig? I left mine at the office.
I don't think it's all that unusual for trusted sites to use popups. Popups on the web are virtually all advertising and intended to get in the way, and so on. It's no wonder that people hate them, because they don't offer anything. When a popup is actually used in a useful and predictible way, though, it's not quite as bad.
I can certainly see some internet banking software using popups for some things, for instance... such sites are likely to be trusted sites. Lots of web applications that are used in-house and often on intranets also make use of popups for various things. They'll also be running in a trusted state for much of the time.
The post you're reading doesn't exist
Am I the only one who thinks that we're just seeing the same vulnerability repackaged over and over again?
I can't find how to reproduce the exploit? (building a page like the secunia with a working exploit).
DNA in your Linux: DNALinux
Oh, look! Internet Explorer has a security failure. Gee, why people even bother using it to activities other than going to another browser's site and downloading another browser.
Well I can't use IE. Not that I really miss it. But it simply isn't compatible with Linux or BSD. Such a shame. Well not really.
Doesn't work in firefox - just shows the original page in the toolbar.
I use the Google Toolbar and the popup blocker feature would not allow the exploit to work when I tried the demonstration.
Why do you have to turn off Javascript?
ROFL
Yes, I was thinking this same thing. I clicked on it and wondered, "Gawd, what is that infernal clicking sound?" as it spasmed and tried to produce a new window. I was thinking maybe it didn't load right so I hit ctrl-N to get a new copy and it loaded paypal just as the address bar said.
You can make retards patch their IE. You can make retards switch to Firefox. You can put a warning label on a retards tube of super glue.
None of these things will truly help. A retard will still somehow end up smiling proudly with a stinky phish super glued to himself.
I don't understand why everybody loves firefox so much,it just don't "feel" as right as mozilla(IMO).Mozilla has my email,my tabs,and every thing else i need at my fingertips.Plus i don't understand why people aren't touting how easy it is to make your moz and firefox your own.I build and repair pc's on the side and have gotten a LOT of people off IE and outlook by showing them how easy it is to change the skins and adding plugins to make perfect FOR THEM."Have the web YOUR way" should be the moz/fox slogan.The average guy don't know squat about security,he just wants it to do what HE wants it to do.Also,if you linux guys would make more stuff for windows,it would be a LOT easier to convert folks.My sis is getting her first linux box next month because i told her that both her opera and foxmail would work in linux and she wouldn't have to deal with all the virii/spyware.Again,it WASN"T the OS that made her switch,It WAS the fact that her programs would work without the virus/spyware hassle.If all the programs were to work on both OS'S then the choice would be which one has the least hassles and that thanks to script kiddies,isn't windoze.
ACs don't waste your time replying, your posts are never seen by me.
I tried their test on my Windows 2003 server and IE, and Windows XP SP2 and it didn't work. Paypal website was rendered instead of secunia's page.
As the island of our knowledge grows, so does the shore of our ignorance.
It's the perfect crime if you're a goddamn idiot.
Apparently you don't work in technical support.....
That's a fine principal when you're selling soda or cleaning products, but many of the people you're trying to reach don't even know what a "web browser" is.
There are tons of people who "click on the 'e'" or "go into the Internet" or "use the Internet Explorer to get to Google"
These people don't even realize that "web browser" is a product they use, made by multiple companies. If you're lucky, they remember Netscape. If they read "Firefox 1.0!" in a newspaper, they skim past it just like they skim past "Blade-servers" and "Middleware". These are words that don't relate to their lives, so the words slide right off their minds.
You need to catch their attention with something they recognize, something that relates to them, like "Microsoft Internet Explorer is bad!" or "Hate pop-up windows?", then you explain to them that they can use Firefox instead.
Firefox not mentioning IE is like alternative energy providers not mentioning coal or oil for fear that it might raise awareness of coal and oil. Everybody is already aware, you need to accept that and use it.
Personally, I despise IE's "zones"; they're too hard to manage, and only necessary because the browser is so insecure. Instead of a simple JavaScript on/off switch, Mozilla/Firefox has options to selectively disable JavaScript functions (like status bar hijacking), and that works well enough for me. Adding a site-by-site manager on top of that would probably be too complicated for most users.
How many of these exploits work with active scripting and activeX turned off? Not many.
How many of these exploits work with Firefox with scripting enabled? Even less than that.
After viewing the demo, I went to Windows update and made sure I was current on Critical Updates for my Windows 2000 system. On the other hand, the link above (getfirefox.com) works very well!
Using this vulnerability to say that OSS is superior to MS is like saying that my television superior because it is immune to email viruses.
Well, no. OSS is superior because if an exploit like this is discovered it will be fixed in short order by the development team. And if the development team fails to do so, most likely someone else from the community will step in.
Microsoft, on the other hand, will wait. They will decide whether the harm the harm of copping to a relatively obscure exploit is worth the cost and bad P.R. of fixing it. And since IE is obviously closed source, we can't take it upon ourselves to fix the flaws.
Personally, I despise IE's "zones"; they're too hard to manage, and only necessary because the browser is so insecure.
:). Those Javascript exploits obviously won't work on IE with javascript disabled. So which is more "secure"?
That is an article of faith. Actually it's javascript that is insecure. I don't want unknown web sites running any scripts on my computer.
With all active scripting disabled I would bet that IE6 is actually more secure than firefox with javascript enabled. That is my bet and that is the only reason I use IE. I don't trust Javascript and you do. I guess that is the difference.
Ask yourself if there has ever been a javascript exploit that has also worked on Firefox or Mozilla. I can answer that for you
You are willing to put all of your trust in the Firefox devs as being perfect 100% of the time by always anticipating possible exploits before they happen. I am not. With javascript and activeX turned off I am still not quite as invulnerable as a Lynx user, but it's as close as I can get.
Quite an experience to live in fear, isn't it? That's what it is to be a slave.
I always have pretty restrictive internet explorer policies, and it seems that my "navigate sub-frames across domains" is preventing this exploit from actually working. You won't have to go so restrictive as to disable ActiveX to work around this.
-yeah my bad, forgot you could save $150 on your PC hardware by getting a better OS.... -sorry to say, but yeah, Macs still come stantard with Safari and internet explorer. IE's homepage is set to msn.com
Partial Credit: The Engineer's Best friend
"Well, the bridge didn't fall all the way down!"
Heh, you're probably right. I mean, I'm not saying this wouldn't be a problem for well... most of the internet, but then again, this is no different than a lot of things that can fsck you over on the internet. I mean, some people don't even need to check the adress bar. I saw some lady on a Cybercrime episode (Remember Cybercrime? God bless Paul Allen) who got scammed out of her credit card number by a fake AOL page. That was hosted on geocities. GEOCITIES.
If I started worrying everytime a stupid person needed help to keep themselves out of trouble, I'd be goddamn Woody Allen.
My Greatest Heist - Muisc partly inspired by the unbeatable Qwantz
With all active scripting disabled I would bet that IE6 is actually more secure than firefox with javascript enabled.
Gee, these apples are nothing like these oranges!
But seriously, I think your scripting paranoia may be justified on IE, but no, I have never seen a serious security problem with Javascript on Mozilla/Firefox. My $DAYJOB is web development work, and I know the limitations of Javascript and the DOM fairly well. And I maintain that "active scripting" is far more dangerous on IE than any other browser, since it exposes the underlying OS.