Gaping Holes In Fully Patched IE7, Firefox 2
Continent1106 writes "Hacker Michal Zalewski has ratcheted up his ongoing assault on Web browser security models, releasing details on serious flaws in fully patched versions of IE6, IE7 and Firefox 2.0. The vulnerabilities could cause cookie stealing, page hijacking, memory corruption, code execution, and URL bar spoofing attacks." Here is Zalewski's post to Full Disclosure.
Naw, Opera just randomly crashes and then has a default behavior of restarting the site that causes it to randomly crash.
Please, for the good of Humanity, vote Obama.
Wow, I'm so glad I installed Firefox so I'm immune to all of these IE bugs!
Oh, wait, what did that say?
-AC
Perhaps I'm ignorant, but does anyone ever find themselves a victim of these "gaping holes"? I can't say as I've ever browsed on to a site and found myself the victim of a compromised computer or ended up with viruses. Is there a site/blog that reports such statistics?
Article tagged as goatse.
In order to be affected, doesn't one first have to go to the shady site that has this stuff scripted in the page? Yes, this may be a bug, but like a web page-bound virus, is one that the user has to inflict upon himself by going to a site he probably shouldn't be going to in the first place.
And if Ubuntu was really concerned about security they would ship it by default with a web browser already set up under a separate username with strict selinux policies.
Well there's always Opera?
I use Lynx, you insolent clod! Get off my lawn!
Anyone have info on how stacks up to IE/FF? http://30days.itious.com/
21st-Century-Citizen
I am using the latest Firefox 1.5. I went to the demo page : http://lcamtuf.coredump.cx/ifsnatch/ . The first test shows that it is possible to rewrite the content of an iframe. That is rather dangerous in situations involving trusted messages.
The 2nd demo was supposed to snoop on the keyboard, but it invoked a pop-up, which was immediately blocked by the pop-up blocker. So unconfirmed as far as I know. However, the demo page did open a CNN.com page.
Anyone have better "luck" demoing the keyboard snooping?
Fantasy: http://ferrisfantasy.blogspot.com/
Just frickin' wonderful. In every version of the browser, totally massive security holes, all announced at the same time. Sheer beauty.
Get to cuttin, boys!
oh well... most if not all sites that I frequent that use javascript I tend to trust... if they have a backend exploit then they would rather take other info without bothering us web surfers.
cookie STEALING, page HIJACKING, memory CORRUPTION, code EXECUTION, and URL bar spoofing ATTACKS.
So where the fuck is home land security when you need them.
Keeps all of that Firefox JavaScript nastiness at bay, plus flash ads to boot. :)
if Javascript is turned off. Move along, nothing to see here.
No holes for elinks? Oh well...
(sits back in corner with large grin on face)
Try using a... I don't know RECENT VERSION.
Train stations have bugs too, apparently.
no, I don't have a sig
http://impoll.net/cgi-bin/v.cgi?p=1585&r=1
following could cause cookie stealing, page hijacking, memory corruption, code execution or URL bar spoofing attacks !!
Mongrel News all the news that fits and froths
What version are you using? I haven't noticed this behavior.
I have, however, noticed Firefox 2 crashing a lot more than it used to.
See my journal for slashdot ID's by year. Mine created in 2005. http://slashdot.org/journal/289875/slashdot-ids-by-year
No holes for Lynx? Oh well...
(sits back with biggest grin on face)
I'm using the latest version of Opera (9.21), and it takes up more memory and crashes more often than FF does. In fact, sometimes opening two heavy flash windows causes it to be unresponsive and then crash shortly afterwards.
1 + 1 = 3?
And I'm browsing with Konquerer!
(struts around smugly until his browser crashes due to some plugin incompatibility bug)
3 holes in Natalie Portman? Oh yeah!
(sits back with the biggest grin on his face)
Do you even lift?
These aren't the 'roids you're looking for.
I had Opera crash on me, say, 50-60 times in the past 5 years I've been using it (back from version 6). Of those, 60% were issues with that piece of shit Flash plugin for Linux, and even that got much better. Opera crashed? No problem, just hit "resume" when you restart.
Opera is as stable as FF (and way more stable than IE) with a fraction of the system requirements - and faster than both. Try an up to date version, you'll be surprised.
I'm not familiar with iframes, but would not running javascript on untrusted webpages protect from this?
--The universe will not be altered by forum threads, even those which are very wry. --Tycho Brahe (Penny Arcade)
And they want to drop support of 1.5 this month, when 2.0 isn't even really ready yet? When did Microsoft take over the Mozilla Foundation?
Anyone want to wager on who has this hole fixed first, IE or Firefox?
that is not stable.
Most of the malware is for IE, but it's quite frequent for an advertising network or such to be compromised and to send out infected ads. Plenty of websites and ad networks have been hacked for no apparent reason other than to infect people. It's far from the only way they trick people, of course. They like to require special software to use their smileys, screen savers, programs to download some site's crap (especially for porn, like the porn dialers from the days when modems were common), fake anti-virus and spyware tools, etc. If you have to download some special tool to use a site, and it's not a well-known thing like a common media codec or something to extract RARs, etc., it seems like it's almost certainly illegitimate.
That said, I personally have not been affected, but I use Firefox (which has the less critical holes) + NoScript (which completely blocks the holes in TFA, not to mention many others). And even if they did get the exploit to work and had it steal my cookies, there's hardly anything in there because all cookies get deleted when I log out. And I have Adblock Plus, so I'm not going to get hit by any compromised ad networks or whatever to begin with, especially because I'm incredibly mistrustful about what programs I install.
If you want a blog to read, try F-Secure's blog.
1) If Article Posted about IE security bugs
- Regular mudfest, everyone throwing mud on Microsoft
& IE. Everyone saying I have FF/Linux/Safari whatever,
so I am safe. Nobody talks about changing settings,
disabling javascript or Activex as a good workaround.
2) If Article Posted about FF security bugs
- Lot of workarounds posted - disable Javascript,
get some plugin, change some settings, don't go to
the website etc. How great that the it is open source,
someone will fix the bug in one hour & release patch.
Bugs are avenues to show how great open source is.
Now both are posted together, let's collate responses
at the end of the day
Quicktime's FF plugin seems to be insanely unstable. I can only play a few files before it crashes Firefox. Otherwise it's been rock solid (aside from this exploit deal).
I am a science fantasy fan
A damn lot of crashes are exploitable.
Even something as harmless-looking as a NULL pointer read can indicate an exploitable crash. It may mean a stack overflow. It may just be a NULL pointer read, which is (almost unbelievably) exploitable on Windows because of the way plug-ins and exception handlers work.
More than likely, Opera restarts with the site before the one that caused the crash.
Unfortunately for Opera, most sites are written according to IE's buggy standards. While Opera does try to accommodate the poor HTML written by web programmers who think the Internet is viewed only through IE-colored glasses, sometimes it is difficult to accommodate the flagrant stupidity that is IE's rendering engine.
You're a rare weirdo. Much of the web won't work without scripting, or at least won't work well.
You're missing out on the nicer wiki/blog editors, live updates to the price of a computer purchase as you add/remove components, tolerable web mail interfaces, and (if your CPU is fast) the experimental slashdot interface.
Those are just the nerd things. I'm told there are numerous non-nerd things on the web as well, with far more scripting.
Comment removed based on user account deletion
The problem is on some installs+assorted plugins when it opens up a window with the help of javascript. Running FF2 on Fedora 7 x64 now and it does not behave like that anymore.
Thor Larholm also announced a Firefox hole today. Wasn't completely patched in the last release.
.. paranoid crackpot leftover from the days of Amiga.
Now I can figure IE is running on a MSFT product, but Firefox is a little more eclectic.
So is this a problem with Firefox on Linux, and on what flavor?
There, fixed that for you.
I run Microsoft Windows XP SP2, so I am safe. IE users can simply disable JavaScript in the control panel - any user of closed source knows how to do that! Plus, they don't even have to go to the web site. Microsoft will fix the bug by the next Tuesday of the next month, which is an AMAZING response time, don't you think! The best thing about closed source is you don't have hackers accessing it!
Now, as far as Firefox, that STUPID Mozilla Foundation makes some of the most amateur mistakes! They can't even foresee these sorts of bugs! What sort of poor excuse for a QA department do they have over there? I bet they employ high school kids just learning C to write their code for them. And, plus, they have the gall to be open source! I despise them with every ounce of my very being. Everything they do makes my blood boil!
Friends don't let friends install MZ junk!
i'll give it this, even though it's HIGHLY frustrating when trying to create truly rich experience applications: Flash is now amazingly sandboxed. so much so that it's actually quite handicapped. you can go so far as to disallow hyperlinks from flash domain-wide, as myspace has now done after flash was used in an XSS attack - which, incidentally, is not so much the fault of javascript as it is poorly sanitising input on the part of web developers.
I would be more inclined to use it if the default QT appearance for Opera didn't look like ass when running under non-KDE environments.
And the masses cried out, "09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0!"
It looks all right (using the static Qt version) under XFCE, which happens to be a pure GTK+ desktop environment. Stock configuration - I only adjust toolbars and such.
I've renamed Firefox "CrashZilla"; it would be nice to browse the web for more than 1 hour without it freezing up or crashing. Yes, I have the latest version and all the latest plugins. I have no issues with Konqueror on KDE 3.5.7 (using the same plugins), and Firefox 1.5.* ran for days without crashes.
I have yet to get the demo to work for the "bait and switch" attack. I'm running IE7 on Vista... Anyone had success getting the demo to work? Scratch that... As I was typing this a dialog prompted me my Google cookie info. OK... this "vulnerability" took over a minute to accomplish and my browser kept navigating back and forth between 2 different sites. It was pretty obvious that something malicious was going on and I hardly doubt that this will be leashed onto many unsuspecting web users. This is one hole that is far stretched... err... fetched.
Sorry, posting to undo an accidental negative moderation.
then the demos don't work :-)
Bring out the Opera fan boys... (of which I must deny if asked if I am one... for safety purposes)
while Fx/Linux or OS X are? This had to come some day. :P
Yesterday Firefox crashed on me TEN TIMES!!! Today it was about five. Before yesterday, hardly ever. Is it time to finally make the move to Linux? I think Ballmer has finally grabbed my browser by the balls, and there's nothing I can do...on Windows at least.
You are reading a sig. Cancel or allow?
We all knew back in the early days of Javascript that it would be a security nightmare. But we (collectively) went ahead with it. We put together web pages that depended on it, so browsers had to support it and users had to enable it. Now we've waited so long that it seems impossible to undo what we've done. But maybe it isn't completely impossible to undo. And keep in mind that the longer we wait, the harder it will be to undo.
Prime numbers are exactly what Alan Greenspan says they are -S. Minsky
You young whippersnappers and your fancy shell doo-dads. In my day, we had to lick a live 10Base5 cable to browse gopher and that's the way we liked it!
- None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
(sits back with the biggest grin on his face)
but do you have pics of her sealed up air-tight?
If we're going to require that the most secure OS for IE7 be used to test it, shouldn't the most secure OS for Firefox 2.0 be used to test it? If so then a Linux distro is required for Firefox and none of these holes work (or so people here claim; if you've got evidence to the contrary I'd be interested to hear it). Or we could simply use the most common OS that IE7 and Firefox are used on, which would be XP. Your choice.
It's a bit simplistic to assume that $browser will always keep you safe. On the other hand, it's important to remember that there are many alternatives available. The good thing about this is that each engine has its own vulnerabilities, so for the same malware to target Firefox, IE, Opera and Safari, it would have to target four different exploits. At least with intended behavior of HTML/DOM/CSS, Gecko, Trident, etc. are (ostensibly) aiming at the same target.
Ever notice that the only vulnerabilities which are really cross-browser tend to be misuse of functionality (like the Unicode domain spoofing attacks a few years back), rather than exploits of bugs?
That's because it's Insanely Grrrrreat!
My first reaction was that people had gotten bored with the joke tags. This is the internet, after all, and internet fads fade with time just as the real-world ones do -- faster, even.
Then I remembered that a few days ago I saw people commenting on pouring hot grits down pants, and petrified Natalie Portman (though admittedly this was a Star Wars thread), and realized that on Slashdot, old jokes don't fade away.
One might even say, in Soviet Slashdot, old memes forget you!
BTW, mark that one NSFW. I must be new here, I haven't seen that one before. OMG. Is that goatse in another pose? I dunno if there is anyone else whose ass is that gaping... Well if I were a slashdot editor I'd make that a new front page icon. But alas people are entirely too serious much of the time...
i definitely agree; there's so much complexity to securing a browser regarding javascript (since the javascript concept is essentially innately insecure), i definitely feel that moving to a static-er web would make sense. additionally, without having to develop things with javascript, developers could put more effort towards more useful things, or experimenting with newish interesting stuff like xhtml (and xlink's embed feature, so we can have the 'slashdot new discussion system' types of things without javascript, maybe)
the privacy of one's mind is important.
you do have something to hide.
Are you serious? Have you looked at that icon? There's a huge hole right in the middle, and no one seems to acknowledge it!
I've been using their "free" basic service for years; it was always their small little 16x16/32x32 icon; not really intrusive.
Then suddenly my pages using their stats service had a nasty pop-under. I've seen this at other sites too and found out the "new" advertisement ways after a few weeks when I started getting bothered seeing the same pop-unders over and over while I wasn't even on any other sites.
These pop-unders were all activated under Firefox and it's clearly in their TOS they can advertise on websites; only; which I had on my website was all except "good" for my site; the pop-under involved pornography because of a reference to some articles about STD's a couple of years ago. It made me sick to always get that XXX-commercial on my own website and got rid of Nedstat ever since.
webalizer for the win! less eye candy but still enough stats to chew on without all the nastiness...
--- I am known for the ones who want to find me on the net. Is that a privacy risk or a privilege? One might wonder..
Cue website installing a WoW password stealer in 3, 2, 1 ...
"Screw Sun, cross-platform will never work. Let's move on and steal the Java language." - Visual J++ Product Manager
posting ac will do it, and you can moderate the discussion properly after doing so
So secure in fact, that you could write an operating system with full memory protection and filesystem access control in it. It only needs threading, but no doubt someone has already figured out a way to do that, probably by letting the host application add some needed functions to the object model. There is nothing in the JavaScript language that is inherently insecure. Perhaps implementations can be buggy, but then again, HTML or CSS implementations can be buggy too.
The security holes are usually not within JavaScript, but within the obscure, convoluted object model that has become the standard, most often some way of having the browser fetch pages from other websites as if the user loaded them or similar loopholes. That these are possible at all is a major design flaw, but, and I'll say this again, it's not a flaw in JavaScript.
And Safari?
the first and second ones are pretty scary. the 3rd one is kind of silly to me.
by the way, this is a test page I wrote, stealing your slashdot cookie by exploiting vulnerability #1: slashdot_hack1.html. once clicked your session will be kicked out because I pwned it. tested under IE6
"Upon completion of this investigation, Microsoft ... may [issue] a security advisory"
First off, thanks for replying & sorry for my late reply (busy & it's late now, here goes):
I tried it, & didn't see it! NO PROBLEMO here, & I checked for "error #3" you mentioned, on Mr. Zalewski's actual referring page...
SOME BACKGROUND INFO. HERE (I assumed you were on Win32 yourself by the by, like I am) FOR ANYONE WHO TRIES THIS TEST ON A WIN32 RIG & OPERA:
Here I am running Windows Server 2003 SP #2!
(A personally 'security-hardened' model I have been working on for many years since the NT 3.5x days onward to this version of the OS)
It has been way, WAY hacked up for security via things like:
1.) IP security policies (modded AnalogX one, very good)
2.) SCW was run over it first to help secure it (SCW = security configuration wizard, & it's pretty damn good believe-it-or-not, @ least as a starting point)
3.) PLUS, this version of the OS has a hardened IE6/7 by default (which can be duplicated on other Win32 OS versions, because it mainly just does what I have been doing for a long time & noted by myself earlier, in stuff like turning off ActiveX & scripting of all types by default)
4.) General security policies in gpedit.msc/secpol.msc
5.) Tons of security & speed oriented registry hacks (reconfiguring the OS basically - stuff like you might do in etc in UNIX/LINUX I suppose)
6.) AND std. stuff like AntiVirus (NOD32 latest) + SpyBot as my resident antispyware tool running in the background!
7.) Many services I do not need are either cut off OR secured in their logon entity to lower privilege entities (from default, near "ALL POWERFUL" SYSTEM, to lesser ones like NETWORK SERVICE or LOCAL SERVICE), see this URL where I did a lot of research for a prebuilt list for another forum, to see how/why this works:
http://forums.techpowerup.com/showthread.php?s=51874ee73e9a212bfbabbaba41cf36e3&t=16097
(And, of course, the user feedback on its effectiveness, as well as MacOS X, which uses the same general principles)
8.) Plus good email client practices like using .txt mail only, no RTF or HTML mail, not opening or allowing attachments unless I know the person (still gets email scanned though)
As is now? I score an 84.735 on the CIS Tool 1.x (Linux, MacOS X, Solaris, & other OS models ports of this are available too by the way - not really "ports" strictly speaking, they require JAVA to run), from "The Center for Internet Security" here:
http://www.cisecurity.org/bench.html
Ah man... There's SO MUCH MORE I do to secure this, but too much to list really!
(I am sure I am overlooking some stuff, details & such - things like the fact I use a LinkSys/CISCO BEFSX41 "NAT" true firewalling router with cookie & scripting filtering built-in @ the hardware level), but that IS the bulk of it!)
ALL for security... & this post is especially for background to anyone on Win32 that DOES show an error in this test, as giorgosts on Linux did (to whom I am responding).
So, based on my test?
This has to be script related, because I did not see it @ all (no action from err #3 reported on Mr. Zalewski's page (and I did not think I would, because I keep scriptings of ALL kinds generally turned off 99.999% of the time in my webbrowsers on the public internet @ least)).
Good news!
(Above all - Thanks for your response & data)...
I would write more, but it is VERY late here, & time for shuteye!
APK
This Freaking IE is never ever secure. Its really a worthless app. I use Safari and firefox...
Best Regards, Eliena Andrews
I use NoScript all the time. If I get to a page who's scripts I _want_ I allow them, or temporarily allow them.
I don't miss much except for the bullcrap. Yea, it takes all of a keystroke or a context menu selection whenever I decided I want "the full web experience".
The truth is, most of the time, nobody _wants_ "the full web experience."
Live and Learn... give it a try for a while and you will get hooked (unless you are incredibly lazy, which I am also, sometimes. 8-)
Innocent people shouldn't be forced to pay for inferior software development.
--"Code Complete" Microsoft Press
That's the most brilliant idea I've seen in this entire thread so far. We need a <noscript>, or perhaps a <sandbox></sandbox> tag which allows us to specify what can be done inside of a frame, embedded object, or anything else linked to from a remote site.
That would make a huge difference.
Because if the cookie is made of plastic, then it might be difficult to chew.
Is Epiphany affected? (My install of Epiphany (Debian Etch) is using a gecko-1.8 backend, according to Help >> About)
mod parent up. (possibly gp)
Blah blah sig blah blah blah irony blah blah
I had mod points a week ago, I wish they hadn't expired.
This is an awesome idea, and we need it!
http://img367.imageshack.us/img367/9813/snapshot9jp4.png
homeland security is a fairy tale.
Reduce, reuse, cycle
Sounds like the US government to me. :)
He who lights his taper at mine, receives light without darkening me.
Here at work we use IE6 on XP SP2 workstations and not a single one of those vulnerabilities affects us.
Why? Because we don't let IE run scripts of any kind unless it's from a site we trust. IE has had security zones for years yet hardly anyone uses them. A single group policy object enforces our list of trusted sites, nobody's computer can run javascript on any site we've not already decided is safe.
Ok, there's a small risk of someone hacking one of our trusted sites, but I can live with that.
So far we've had 2 years of uninterrupted browsing, with nobody at our company getting a single piece of malware on their machine.
And the best bit: It's surprisingly low maintenance. We get maybe one request a month now to add a new site to the list.
It's a bit simplistic to assume that $browser will always keep you safe.
Indeed yes. And as the big targets (e.g. IE, FF on Windows) become more hardened against attacks, malware authors will move over to lesser-used targets. There have been vulnerabilities in Opera, Lynx, in fact probably every browser ever. Almost certainly, some still exist.
Browser security is such a serious problem that my gf not only uses Opera, but uses it within a virtual machine (VMware). The only apps that run outside the VM are "trusted" apps that must be protected from keyloggers, such as WoW. Using this VM scheme means that she is safe from unpatched Opera vulnerabilities as well as unpatched vulnerabilities in other net-facing software such as Messenger, Flash, Winamp and Teamspeak. I just hope that VMware is as safe as it is supposed to be.
You almost had me take the bait.
"This hideous CSS-laden version of slash is a big step down from the previous pure html version"
Wonderful mis-use of "laden" and "pure".
The AJAX-y comment system is far better than the old multiple-page-load model, and I suspect you know it. The point being, as you said yourself, that a site has to work without javascript. But it doesn't have to work *well*.
-
Brendan Eich, the father of JavaScript, proposes a <JAIL> tag to block scripting (PDF slides warning)
-
RSnake's take on content restrictions proposals.
And for users? good ole NoScript
There's a browser safer than Firefox, it is Firefox, with NoScript
Opera
Where's the multi-million dollar independent security analysis of the Wii Browser?
;)
*Thinks about it*
Runs on Opera so it's probably fine.
"And in other news today, Opera has admitted that its latest batch of cookies are not perfectly organic. Supporters of Firefox and IE -- manufacturers of Coca-Cola and LEGO, respectively -- have claimed this to be a decisive victory in the battle for healthy nutrition."
"Lynx, on the other hand, continues to insist on a breatharian lifestyle."
Oh, gosh, mister! Please don't steal my chips ahoy, or my oreos! Anything, but that!
I am not your blowing wind, I am the lightning.
I don't care what you think, nobody is going to use that extension by default and it will never be enabled by default. Your attempt to make measurements of Firefox security with it enabled is reminiscent of Microsoft's attempts to get C2 certification for Windows NT when it wasn't connected to a network.
The most meaningful measurement of security for an application is looking at the default installation. Most people will never get beyond that.
Need a Python, C++, Unix, Linux develop
Troll?
If this has been only about IE, people would be posting "Use Firefox" all over the place.
Just like everytime there's a story about Windows flaws, we get "Get a Mac" comments modded up. As for the "And lynx too" posts, I could say "Get a Commodore 64" for those articles, which is also free of Windows viruses and security flaws.
For some reason, Opera doesn't fit into the cool "be different" crowd. It can't be an issue of not being open source (which is what people usually say as the reason), since that doesn't apply for OS X.
Who cares about Opera, seriously? I am more interested in usability than that "speed" thing that doesn't show any result.
One crash in a month is for sure less stable than my experience with firefox 2, of course, it all depends on a lot of random factors so it doesn't matter. But that session thing you mentioned about hitting "resume" is not a great deal anyways, I am not sure that IE7 got sessions though. But I guess it would be pretty lame to restore a session after flash caused a crash, it would just reload the page that caused the crash and make you crash again...
Copyright infringement is "piracy" in the same way DRM is "consumer rape"
davecb5620@gmail.com
LOL, man... that's whacked: "Evil Script"!
(The name, makes the point though, & thanks for showing me that madness - I believe you)!
APK
P.S.=> I am glad I do not keep JavaScript running on my webbrowsers on the public net typically! apk
I'm running Vista Business 32 with IE7 fully patched. None of the IE demos worked for me specifically the first one marked critical. I guess I feel a little better, but I do believe the vulnerability exists.
I'm not sure I understand what "ad" you're talking about. (not only does Opera have built in a feature similar to adblock, you can even use Adblock's list of blocked addresses. However, Opera doesn't come with this list by default. But then again--FF doesn't come with Adblock at all by default)
For how much Slashdotters rip apart the DRM industry, which spends millions upon millions only to have their key's hacked in a day, we sure do expect a lot from our browsers.
Just frickin' wonderful. In every version of the browser, totally massive security holes, all announced at the same time. Sheer beauty.
Hey, don't worry, there are plenty of undiscovered massive security holes in there too.
Plan your backups accordingly.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
Opera has an independent code base, so there's hope. I usually install all three for my users to have on days like this.
(Of course, I worry about it less than many, since half of my people are still using PPC-era Macs.)
//Information does not want to be free; it wants to breed.
Go, go Dillo! It's yet to crash on me. Granted I only use the computer in question to run Folding@Home and the occasional /. post where I need/want to say 'And I'm using/doing <something> under linux right now!'. ^>^
Lose: misplace or fail || Loose: not bound together
The hard thing about NoScript is when a page totally fails to load anything useful and you have to decide to allow one or more of three scripts, each from a different domain. Often it is easy: you're on yahoo so you allow yahoo. Sometimes it is far from obvious. To get some yahoo pages to work you have to allow yming.com to run scripts, and you have to pick that one from a list including several cryptically named advertiser sites. I don't mind this extra step, and with the current web model I don't see another way around it, but I hardly expect Joe Casual Surfer to even know what a script is.
-- QED
hmmm... we usually post "Just use some other browser" and when you run text-only Lynx is the only browser available.
...and my std. question for people comparing an UNIX with Commodore 64 is "What exactly do I need a GUI for ?"
The google groups IFRAME was replaced in FF and not in Opera.
Once again I'm proud of my choice of browser.
We are Turing O-Machines. The Oracle is out there.
It seems like it would be pretty easy for the Anti-virus vendors and other anti-malware vendors to tap into the javascript engine and detect these sorts of things.
So you go to www.somecrappysite.com and it tries to run jscript. Then the tool you are running does some analysis and says...hmmm...that seems strange. If it knows it is an attack it stops the page from loading and blocks the page straight up. If it is unsure it can ask the user if they want to continue AND ask the user if they can upload the information for analysis.
I think we should keep IE and Firefox patched up, but realtime analysis seems like a better idea.
Oh, additionally:
I omitted 1 more thing I do for securing a Windows NT-based OS: IP Port Filtrations!
Start Menu -> Connect To Item (on the right hand side) -> Local Area Connection (whatever you called it, this is the default, iirc) open it via double click OR, right-click popup menu PROPERTIES item -> Properties button on left-hand side bottom, press/click it -> NEXT SCREEN (Local Area Connection PROPERTIES) -> "This connection uses the following items" (go down the list, to Tcp/IP & select it & press/click the PROPERTIES button there) -> Press/Click the Advanced Button @ the bottom Right-Hand Side (shows Advanced Tcp/IP Settings screen) -> OPTIONS tab, use it & Tcp IP Filtering is in the list, highlight/select it -> Beneath the Optional Settings, press/click the PROPERTIES button on the lower right-hand side -> Check the "Enable Tcp/IP Filtering (on all adapters)" selection -> In the far right, IP PROTOCOLS section, add ports 6 (tcp) & 17 (udp) -> In the far left "tcp ports" list - check off the radio button above the list titled "PERMIT ONLY", & then add ports you want to have open (all others will be filtered out, & for example, I leave port 80, 8080, & 443 here open, only - you may need more if you run mail servers, & what-have-you (this varies by application)) -> I leave the UDP section "PERMIT ALL" because of ephemeral/short-lived ports usage that Windows does (I have never successfully filtered this properly but it doesn't matter as much imo, because udp does not do 'callback' as tcp does, & that is why tcp can be DDOS'd/DOS'd imo - it only sends out info., but never demands verification of delivery (faster, but less reliable)) -> DONE!
You may need a reboot:
I say this, because although IP Security Policies work with the "Plug-N-Play" design of modern Windows NT-based OS' (ipsec.sys) & do NOT require a reboot to activate/deactivate them in Windows 2000/XP/Server 2003/VISTA?
This is working @ a diff. level & diff. driver iirc (tcpip.sys) & level of the telecommunications stacks in this OS family & WILL require a reboot to take effect (for a more detailed read of this, see here):
http://www.microsoft.com/technet/community/columns/cableguy/cg0605.mspx
Enjoy the read, it is VERY informative!
APK
P.S.=> Shows you how TcpIP.sys, ipnat.sys, ipsec.sys, & ipfiltdrv.sys interact, PLUS how you can use them to your advantage in security! apk
and Eve sends you a video of herself? Hmmm...maybe not so bad.
Tharkban (It is a signature after all)
the browsers should protect us against criminals
drm protects criminals against fair use
The MAFIAA is a bunch of mindless jerks who will be the first up against the wall when the revolution comes
Usability is the thing that drew me into Opera in the first place! Mouse gestures, excellent keyboard browsing, pop up panels, notes, quick configurations... you name it.
If I have nothing to hide, you have no reason to search me
Really? Currently 9.21 on Ubuntu 6.10, and yeah it's crash-happy. It's a lot like the old Netscape memory leaks, except instead of the system slowing down, Opera just stops responding while its CPU use soars. You have to kill the process, then restart where you left off. Then you're fine for anywhere from 30 minutes to 2 hours. I haven't been able to discern a pattern of sites or behavior that will trigger this crash.
And I haven't figured out if it's related to a handful of issues with it being a KDE app running in Gnome. (Mostly window-focus issues, no show stoppers.) The other extra that doesn't show up in my Windows version is a pause for up to 90 seconds when you click Bookmarks on the Toolbar. (No, the file isn't particularly large or deep.)
So yeah, no joke: Opera on Ubuntu is crash-happy and generally not a good port. The smooth crash-recover behavior keeps this from being bad enough to use Firefox, but when people tell you they're having Opera problems, they're not kidding. It's got a lot of bugs and not one has been addressed in the various upgrades of version 9.
HTML isn't the problem you tard
I'm glad I use Opera 9.21 for most of my browsing.
http://www.opera.com/
But I really love Firefox 2.0 because of the Firebug plugin.
Count me as another. Not only "Noscript", but a javascript&cookie filtering firewall set to default block everything not explicitly permitted. That's behind a linux proxy server (windows boxes on unroutable, internal subnet) which is behind a hardware firewall box.
May not be perfect, but I haven't had a break-in yet... (~7+ years managing my own broadband vs. using employer's and their firewall).
Yep, the Qt plugin for Firefox is a piece of crap. Anyone know of an alternative plugin to play mp3s (I mean, how often do you come across an embedded quicktime file these days)?
sealed up.. air-tight... naked and petrified.. covered in hot grits.
OH LAWD.