Strange, it says update to Firefox 1.0.5 and I have 1.0.7 and this is still vulnerable. Unless I have been tweaking my settings to death again. Grin
You’re not alone, DavidR, I had the same thing. I’m using 1.0.7 as well and indeed it is still vulnerable. Hope the new Firefox 1.5 (1.4?) release will fix this.
This is not as serious as it is made out to be; personally I’m not unduly concerned. The test page is a proof of concept and requires your co-operation.
In real life you first have to arrive at a site with this exploit embedded in the page, and then you have to be tricked/misled into clicking on a link (which calls a JavaScript function) to go to another page. So visit legitimate sites where you initiate the connection, e.g. use either your favourites or type the URL rather than use a link in a dodgy email. So common sense should help you here.
I have just reported that it is still vulnerable in 1.0.7 at the Secunia site. See the “View the Secunia advisory regarding your browser” link: if you click on the Firefox link there is a means of providing feedback on the advisory.
Yes, NoScript (personally I’m waiting on it getting a little older) will ask if it should be executed, which is better than disabling JavaScript, as for many sites that would make browsing unworkable.
I almost always browse with my browser’s Java turned off, so I don’t have problems with the site at all.
Tech, why are you still asking this? Considering the number of your posts, you must be accustomed to BBCode and some emoticons on the Avast boards, I think.
I agree with DavidR that the construction of the test looks a bit scary.
But you have to deliberately co-operate to let it work.
It shows, however, that script (embedded script) is an important way for malicious code to get into a browser.
Rule 1. Use your brain all the time;
Rule 2. Use script only at sites you trust or know to be trusted;
Rule 3. Pre-scan your hyperlinks (Dr. Web’s link pre-scanner plug-in);
Rule 4. Always have the latest version of your browser and related software, and all patches;
Rule 5. Have Avast run inside your browser (see the instructions on their home page).
You made me very happy; I am a NoScript Firefox extension user.
Just as I always suspected!!!
If I allow JavaScript globally, I do get the popup with FF 1.0.7.
If I use NoScript, with of course a trusted site like google.com in my NoScript whitelist, no popup.
I once got a trojan, probably just because of those popups that still open without NoScript on some sites.
Polonus, I am occasionally puzzled why you don’t seem to expect other users to have common sense, which DavidR mentioned, if not special technical knowledge. Of course, I respect your knowledge, though. 8)
Does the Google site need Java? I am taking a pragmatist approach where I simply turn on Java only when the sites require it and are trustable. Also, I recommend Firefox users to use Mycroft.
Tech, that’s weird, since I browse the fora with only the images on but no Java at all.
The problem is that I don’t know, in Maxthon, if I disable download of ‘Scripts’, whether I’ll disable JavaScript too.
I can only disable ‘Java applications’, but this is not the same.
If I disable scripts, no smilies.
Does the Google site need Java? I am taking a pragmatist approach where I simply turn on Java only when the sites require it and are trustable. Also, I recommend Firefox users to use Mycroft.
It has 2 JavaScripts according to NoScript.
You mean NoScript and not Mycroft? I did a Google search and Mycroft seems to be a search plugin?
Edit: Certainly no Java in Google. Java is not the same as JavaScript.
Sorry Tech, I was just talking generally on the topic that the proof-of-concept test requires your co-operation. In real life it relies on deception to get you to first visit the site that has the malicious JavaScript code embedded in the link to another site/page. You also have to be tricked/deceived/persuaded into clicking the link. So it is not as easy to get caught if you use common sense.
I write all these postings of mine with all users in mind. And I know of course you surf with sense; really, I would not expect otherwise. And to you, Jarmo P.: yes, this is my friend, as you always expected, and that is why we use JS only when it is safe to use, so SELECTIVELY. In case of doubt use Dr. Web’s hyperlink scanner plug-in, and you will get a report on what to expect when you later click this link through. Also good when you try to download things: you get the packers, the code, etc. With Avast running inside the browser there is not so much to worry about. But prevention is always better than having to let Avast correct it when it is trying to run.
Then I just updated automatically to the Filterset G and G-Beta-Whitelist 2005-10-31a, to give me just that extra bit of protection. This is the practical approach: make sure you do not run the risk.
I meant both Java and JavaScript. I have never turned on Java/JavaScript at the Google site, but I don’t think I am unable to use some functions because of that, so I wondered.
Yes, rather than portal search pages, personally I use search plug-ins, which enable quicker access. Also, Mycroft is different from other suspicious parasite plug-ins.
As you read this you can see why we use NoScript to lift the ban on script only if we trust the site. Well, the thing about third-party cookies speaks for itself. Especially in Firefox and Flock you have to pay attention when the URL text is YELLOW and you get a pop-up window; this could be for a malware download. These browsers can also be affected by malicious installs via a Java applet; NoScript prevents this, or pre-hyperlink scanning with the Dr. Web plug-in.
Unless this is some sort of P-of-C test, the “Here is a good link with advice for Secure Browser Configuration for IE type and Firefox type browsers:” link is down or a typo.