Firefox security issues persist despite update

system · 2007-09-08T05:59:00.000Z

Hi!
Here it is: http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1270748,00.html ???

EDIT: modifying URL

DavidR · 2007-09-08T12:51:25.000Z

The URL still doesn’t work, getting a 404 error.

system · 2007-09-08T12:52:51.000Z

You are correct, it doesn’t work, he needs to re-edit his post.

http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1270748,00.html

DavidR · 2007-09-08T13:20:07.000Z

That works, unfortunately I’m non the wiser for the visit, due to the non-disclosure of the full details as Mozilla work on it.

It is probably similar to the original URI issue that if you had NoScript installed you had some degree of protection. I like the bit that it relates to IE7 if you have it on your system then you are vulnerable.

I guess that being a bit of a slacker ;D I haven’t updated to IE7 as I use IE so infrequently (and being a dial-up user). I use IE6 as I didn’t think IE7 was ready for prime time and I can still get security updates for IE6 I guess that won’t change in a hurry. If they stop security updates for IE6 or IE7 gets SP1 whichever happens first I may choose to install IE7.

bob3160 · 2007-09-08T14:28:53.000Z

I use IE6 as I didn't think IE7 was ready for prime time

IMHO, IE7 is better than IE6. It also addressed many security issues and is certainly ready for prime time. :)

system · 2007-09-09T01:05:48.000Z

David -

Though Opera is my primary browser, I do have a small need for IE and I can say for sure that IE7 is much better than IE6. Perhaps you could download it overnight while you sleep?

DavidR · 2007-09-09T01:48:04.000Z

I get bumped off after a 2 hour period, if I get a slow download the 2hr bump will drop the connection (would I be miffed if I found it had almost downloaded it only to have to do it again), I so very rarely use it I’m in no hurry whilst security updates are available. Just checked and I though IE was bigger it is reported as 14.8MB so not so huge as was led to believe, but no rush. If I could completely remove IE I would I hate the OS integration otherwise I could get rid of it.

I have even stopped using windows auto update and monitor a few of my newsletter emails and (http://www.microsoft.com/technet/security/current.aspx), which mention the updates and download them manually (from firefox) in the order I want not that dictated by (auto update) WU as it can be a real pain in the rear with dial-up.

bob3160 · 2007-09-09T02:03:41.000Z

David
Download managers like Gigaget work wonders when downloading
large files even when using dialup.
Granted, they don’t help with Windows updates but for all other downloads, they can resume
a broken download which is something windows doesn’t do.

DavidR · 2007-09-09T02:33:52.000Z

I use Star Downloader already, but I think when you go through the WGA checks before you can download IE7 I think it starts the download straight away on completion of the WGA. I would also have to use IE6 without DMR to go through this download and I really am in no hurry to have this hassle.

It would probably be easier to try and get it on CD. Or perhaps from a cover CD.

I really do hate IE enough to avoid IE7 as long as feasibly possible and that will be when IE6 is no longer supported with security updates, which should be some time yet. Then I will be forced to make a decision, I may even be at a point where I will be upgrading my system who knows.

Lisandro · 2007-09-09T02:50:51.000Z

bob3160 post:5:

I use IE6 as I didn't think IE7 was ready for prime time
IMHO, IE7 is better than IE6. It also addressed many security issues and is certainly ready for prime time. :)

I feel the same. IE7 is far ahead of IE6.

system · 2007-09-09T11:25:39.000Z

I’ve been using IE7 for some time now…no problems whatsoever. It’s a much more secure browser than IE6 has ever been.

David…I too have dialup on one of my pc’s and IE7 downloaded without a hitch. I actually downloaded it during prime time when everyone was patching their pc’s with windows updates. :o

It’s too bad they don’t offer it alone on a disk for those of us with dialup so that we could add it to our computers easily.

DavidR · 2007-09-09T13:05:50.000Z

The extra security in IE7 is when it is used with Vista but it is not the same under XP. Not to mention what this whole topic was about a security issue which is only present if you use firefox and have IE7 installed on your system, so no thanks to IE7 for some considerable time.

The Windows Vista version of IE 7 will provide a Protected Mode that gives the browser sufficient rights to browse the Web, but not enough rights to modify user settings or data. Protected Mode will only be available to Vista users because the functionality depends on the reworked user account system in Windows Vista.

Vista’s version of IE 7 will also be able to automatically install security and other updates; that will not be the case in the XP version.

So the benefit for me is virtually zero (I avoid using IE like the plague) provided security updates are still available for IE6 and I have no plans for Vista either in the near or medium future.

system · 2007-09-09T13:11:50.000Z

Thanks avatar2005 and Darth_Mikey for the information and the links regarding Firefox.

system · 2007-09-09T14:02:17.000Z

news post:13:

Thanks avatar2005 and Darth_Mikey for the information and the links regarding Firefox.

You’re wellcome!

polonus · 2007-09-09T17:03:46.000Z

Hej avatar2005,

Here you see what they (developers) do on it, but the flaw lies with M$ basically to reappear:
https://bugzilla.mozilla.org/show_bug.cgi?id=389580

You can manipulate through ole automization,through IGMP 224.0.0.2, UDP in dhcp (68) etc.
exploiting inside the windows system 32 file: notepad.exe ; explorer.exe, hijackthis.exe through browseui.dll. The exploit is a couple of years old and a favorite for malcreants to exploit firefox via IE explorer, and watch for traffic on port 2709! It is a sneaky exploit you have to watch out for.
ProtoWall as an addition to harden your FW can be advisable.

pozdrawiam,

polonus

system · 2007-09-09T19:34:53.000Z

Dziekuje Damian za informacje 8)
If I whenever swich to FF I’ll use your advice.
Take care.
Rostik.

polonus · 2007-09-10T21:08:11.000Z

Hi Rostik,

There is no need to switch over to FF yet, because this thing is an ongoing saga, and there are a couple of bugs involved there. It is almost like some religious war between the developers of both camps IE versus FF. Read what I write here: http://madamemmastent.smfforfree.com/index.php?topic=1542.0 (seen from my experience with Flock browser)
and the info in this link here: http://msinfluentials.com/blogs/mobilejesper/archive/2007/07/26/the-protocol-handler-saga-continues-say-what-secunia.aspx
That means it is not a problem easily to be solved, and those with FF and IE7 on their system are not secure, even if their XP2 is fully patched. All aspects of this exploit should be fully investigated.
Good that you posted about it, these are very important items, I think the problem arose when things were rearranged from IE6 to IE7.
Rostik - Firefox doesn’t do any additional processing on the schemes in question.
It just passes them to ShellExecute, like every other scheme.
It’s actually Windows that processes them differently,
and in particular this processing changed with the IE7 upgrade.
In particular, try the following two URIs in “Start > Run …” on an XP system with IE7 installed:

mailto:test%../../../../windows/system32/calc.exe".cmd

mailto:test../../../../windows/system32/calc.exe".cmd

The former launches calc.exe, while the latter launches the default mailto: handler.

Damian

system · 2007-09-11T17:50:32.000Z

Thanks Damian for the information. Very interesting

Announcements