The problem is, IE shouldn't have been hit in this way - especially as it was locked down so tightly, and wasn't even being used at the time. Vaguely worried by this, I tried some other browsers...the results aren't exactly fantastic reading for the Mozilla Foundation.

Firefox 1.0.1 - The install works.
Mozilla - The install works.
Avant browser 10.0 (build 153) - The install works.
Netscape 7.2 - The damn thing kept crashing, but eventually I was able to discover that the install works.
NetCaptor 7.5.4 - The install is blocked.
Opera 7.5.4 - The install is blocked.

As you can see, with Opera, its safe :)
thats why I prefer using Opera instead of other browsers...
IE is good in a way still... FF is now finally proven that aint that good....

tough sh*t...

It's not like Mozilla separately develops all the products you listed above. If one of them is affected, all of them probably are. It's not like they have a worse record than anyone else because three of their products were affected.

This is a perfect example for all of those people who think Firefox is made of steel. If it can be built, it can be unbuilt.

No web browser is 100% perfect, so don't buy into the claim that Firefox, or any other browser, will fully protect you from security threats. If you're using Firefox because you like its features, that's fine, but I am tired of hearing people (mostly computer illiterate people) say that Firefox will keep you safe.

This story is about a exploit that is currently in circulation.. the exploit doesnt unknowingly do anything. on browsers that arent IE engine based, it pops up a window that notifies the user that the certificate from the issuing site is expired and that if you click yes then you risk downloading possibly malicious code. if you click no then nothing happens. if you click yes, it installs a buncha links, startrup porograms, and opens up tons of spam sites.

This isnt anything but a simple exploit that requires a person to be a total moron to happen. When you go to a website and their certificate is expired and the content is unknown, then if you tell the browser to proceed, you deserve what you get.

Grab yourself a copy of XPLite and remove all traces of IE, including the HTML rendering engine. No more IE-based worries. Period.

"ON ITS OWN, IE blocks the malware's installation, which means ANOTHER browser must be used for the attack to succeed. " [emph. added] I don't care what windows you use (unless unauthorized or illegally modified)--if you use Microsoft Windows 2000 or newer, you have ActiveX: Firefox, Opera, IE, whatever. You're stuck with ActiveX. Try using Linux...or even MacOS if you like having a decent GUI. As for XPlite, most network admins like compatability at least...

It has nothing to do with ActiveX this time, it has to do with JAVA... moreover, it's Sun's Java that is the problem.

Incidentally, Sun released 1.5.02 version of their Runtime yesterday, it would be interesting to see if that issue is resolved.

You overlook the fact that there are an unfortunately large number of "morons" (I would prefer the term uneducated users, but whatever) in the world these days.

Use of the vulnerability causes a malicious user/software to be able to use ActiveX. Basically, IE would block the initial attempt in and of itself, but if another browser has the issue, the vulnerability will likely be used to run a malicious ActiveX script. If IE were completely gone there would be no reason to exploit the Java flaw (no IE means no ActiveX), but the Java flaw does not work in IE itself (follow that? I may not...)--so we're both right. Sort of. :)

As a side note, yes, this is a "bogus" flaw, much like the "flaws" in IE that Secunia claims have not been patched. I like to think of this sort of issue as "a means for third parties to mislead end users." Is that a vulnerability? Is my newspaper a security flaw, as advertisers may sneak an ad that is misleading? Can I get a computer virus through "malicious" TV commercials? Yeah I am exaggerating a little...I may not like Firefox, but geez, don't point the finger on this one--it just isn't their problem! (I do agree FF is not made of stell, however.)

The vulnerability is user error, not java. Java properly warns the user not to trust the code.

The problem ultimately lies in making users admins of their own systems and letting code from the net have local file access. It's a problem that will *never* go away because too many programs need that access. Java Sandbox or not, this is an industry problem than can effect many stupid users.

> (no IE means no ActiveX)

ActiveX is not part of IE, it's part of Windows. In fact, the system that ActiveX is based on was already in Windows 3.1.

ActiveX is a way to build components that can be used cross-application as well as cross-language (if you don't mind the OCX/DLL file tagging along with your app on deployment). It's just not built for IE, period. IE makes ActiveX available for web pages, which (since an ActiveX object is free to do anything in the OS) is a painful mistake. But it does have its many legitimate uses.

Anyone who thinks ActiveX by itself (in other words, unattached to IE) is anymore of a problem than Java, needs to zip it and go away.

well... i wonder why was this exploit out...
nevertheless, means new updates very soon.
one simple question: how da hell ya remove that exploit in case you clicked on yes?

still 70% of home pc users make mistakes and click on yes....

simple concern...

like I said, if a person sees a window pop up telling them the contect is from an expired certificate and is of unknown possibly malicious content, if thery choose to continue anyhow they get what they deserve. That's like driving down the road and seeing a sign saying road closed, bridge out, continue at your own risk, any person with 1/2 a brain would not continue. those who do deserve what they get

dont blame anyone but the end user for this one. Sun's Java TRIES to warn you that you are doing something you should not be doing. that you choose to do so anyway makes YOU at fault, not Sun Java

Maybe adamlau was being sarcastic...