New about:blank hole in FF helps phishers!

Hi malware fighters,

I think our good friend, bob3160, seems to be right, when he predicted that now is the time we are going to see all the holes and flaws in the Mozilla type of browsers. He did not need a crystal ball to predict this. The Polish researcher Michal Zalewski has found yet another dangerous vulnerability in Firefox that can help phishers to execute code while the address bar stays empty. Read about it here: http://seclists.org/bugtraq/2007/Feb/0323.html

Still FF or Flock is secure UNLESS NoScript is installed. I wonder why they have not brought this inevitable extension inside the default browser and incorporated it from the day it appeared. It saved our beautiful behinds in many a respect with these 0-day holes as well.

polonus

> I think our good friend, bob3160, seems to be right, when he predicted that now is the time we are going to see all the holes and flaws in the Mozilla type of browsers. He did not need a crystal ball to predict this.

Unfortunately, polonus, predicting the inevitable doesn't take a great deal of skill. As soon as this type of browser gained its popularity, it was bound to be exploited at a rate similar to that of the MS Internet Explorer type of browser. Fame and exploitation seem to go hand in hand. Just as it does in real life.

> As soon as this type of browser gained its popularity, it was bound to be exploited at a rate similar to that of the MS Internet Explorer type of browser.

Not true. MS have proved that a popular browser can be secure with IE7. All the flaws found in IE7 and Firefox 2 have been relatively minor. Neither is going to have the wide-open holes of IE6, touch wood. The rate of exploitation in that browser was unique and hopefully won’t be seen again. :wink:

Hi FwF,

I am not so certain about that. Not to say that the Cache Java Code hole of IE6 will be repeated, where you can run a remote Java servlet as local, so stealthy a user would not suspect anything out of the ordinary. That hole has been plugged. But browsers are insecure by design. So security is only relative. If we do not have other security protocols with trusted verified authentication, the browser is going to stay one of the royal vectors of attacking the integrity of a computer. No doubt about that.
Another question is usability. I need good browser security without having to install various security extensions or additional security programs to make that browser less of a security risk. This all should be inside the browser, and the user of the browser should not be aware of it, that is usability.
To make Firefox or Flock secure I have NoScript, don’t know why it was not brought aboard right on (usability, and people don’t like to alter things as they are by default), some link and site security scanning (DrWeb’s, SiteAdvisor etc), some cookie safety monitor, stealther (to run a browser leaving around minimal tracks), way to check referral, anti phishing code installed in the browser (controller, ft commands, globalstore, list-warden, phishing-afterload, phishing-warden, reporter, sb-loader & tr.fetcher (had to bring in this code manually from the FF 3.0)), then a way to flush the browser history, cache etc. after each and every session, there should be a button for that, and not CTRL+SHIFT+DEL (the so-called three finger salute). Why don’t I fully trust browsers as they come and are installed, after experiencing all the holes and flaws I experienced and heard about only during last year?
Do you know what is in the coding? It is a soup boiled up off of the new patches, the old Google code, some IBM code, even code from good ol’ Netscape (been around from the archaic days of 1998 etc.).
The Net is “broken” really and browsers are part of that. Don’t try to sell people a false feeling of security. But when they do what I did they can be on a rather clean system for years. It needs adapting to reality, and taking a series of security tweaks of the browser at hand.

polonus