Security Vulnerability Threatens Firefox
By Nate Mook | Published September 9, 2005, 11:26 AM
A security researcher has issued an advisory on a new vulnerability in Firefox that could lead to the remote execution of arbitrary code. The flaw was first reported to Mozilla developers by Tom Ferris earlier this week, but he opted to publicly disclose the problem following a disagreement.
The vulnerability relates to Firefox's handling of IDN, or international domain names, and can be exploited by long Web links that contain dashes. The flaw causes a buffer overflow and opens the door for malicious code to be run on a PC.
"The problem seems to be when a hostname which has all dashes causes the NormalizeIDN call in nsStandardURL::BuildNormalizedSpec to return true, but it sets encHost to an empty string. Meaning, Firefox appends 0 to approxLen and then appends the long string of dashes to the buffer instead," Ferris explained.
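The sizing mismatch Ferris describes, as an added example that is not part of the original article and is not Mozilla's code: a simplified C model in which the length estimate comes from the encoded host while the copy uses the original host, next to a builder that sizes and copies from the same string. The names `normalize_host`, `flawed_estimate`, `bytes_written` and `build_spec`, the `http://` scheme and the 256-byte scratch buffer are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SCHEME "http://"

/* Hypothetical stand-in for the normalization call: for an all-dash host it
 * reports success but leaves the encoded host empty, as the quote describes. */
static int normalize_host(const char *host, char *enc, size_t cap) {
    if (*host && strspn(host, "-") == strlen(host)) { enc[0] = '\0'; return 1; }
    snprintf(enc, cap, "%s", host);      /* other hosts pass through unchanged */
    return 1;
}

/* Flawed sizing: the estimate grows by the encoded host's length... */
size_t flawed_estimate(const char *host) {
    char enc[256];
    size_t approx_len = sizeof SCHEME;   /* scheme plus terminating NUL */
    if (normalize_host(host, enc, sizeof enc))
        approx_len += strlen(enc);       /* adds 0 for an all-dash host */
    return approx_len;
}

/* ...while the copy step would write the original host. */
size_t bytes_written(const char *host) { return sizeof SCHEME + strlen(host); }

/* Hardened: choose the source string first, size the buffer from that same
 * string, and bound the write so any mismatch fails closed. */
char *build_spec(const char *host) {
    char enc[256];
    if (strlen(host) >= sizeof enc) return NULL;   /* reject oversized hosts */
    const char *src = host;
    if (normalize_host(host, enc, sizeof enc) && enc[0]) src = enc;
    size_t cap = sizeof SCHEME + strlen(src);
    char *out = malloc(cap);
    if (!out) return NULL;
    int n = snprintf(out, cap, SCHEME "%s", src);
    if (n < 0 || (size_t)n >= cap) { free(out); return NULL; }
    return out;
}

int main(void) {
    const char *host = "----------------";         /* constructed sample input */
    printf("estimate=%zu written=%zu\n", flawed_estimate(host), bytes_written(host));
    char *spec = build_spec(host);
    if (spec) { printf("%s\n", spec); free(spec); }
    return 0;
}
```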
Ferris recently discovered a flaw in Internet Explorer 6, which he reported to Microsoft in August. He did not disclose details on that vulnerability, however. Ferris was also credited by Microsoft for discovering a security flaw in the Remote Desktop Protocol.
The disclosure of security vulnerabilities has become a hot topic as of late. Microsoft and other software vendors have pushed for "responsible disclosure," which means notifying a company and giving them ample time to patch the issue before making any public announcement.
Security researchers, however, have long complained about the slow response of companies to fix problems that threaten users and have used public advisories as a way to bring about action.
Mozilla has not said whether the issue was corrected in the latest Beta 1 release of Firefox 1.5. "I'm guessing they are working on a patch," said Ferris. "Who knows though?"
On a good note, a patch has been checked in that resolves this issue for upcoming Firefox builds.
https://bugzilla.mozilla...w_bug.cgi?id=307259#c61
There is also an xpi patch available to immediately resolve the issue on Firefox 1.0.6 builds. Find that at https://addons.mozilla.org/messages/307259.html
Score: 0
|It's not just Firefox's insecurity. It's how it won't work with six of my plugins which I depend on. Unless corporate (sellout) mozilla gets control of plugins and starts certifying them, then there's NEVER a need to use the new version until they catch up. It's insane.
Score: 0
|Uhh, dude, the reason you can't install extensions into a new release is because it will possibly break your browser. It's to stop non-techie computer users from screwing up their Firefox.
You CAN install them if you just open up a little file and change the version number...
Score: 0
|Can't I just look at the gaming sites or porn without spyware & adware & pop-ups installing itself on my system? Well, sure you can, I use Mandrake and Firefox - it works wonders! (unfortunately for me, some of the sites use wmv instead of mpg)
Score: 0
|Yes, sure you can indeed. A power user like you should also have no problem surfing those sites using Maxthon on WinXP.
Only ignorant people will get infected by malwares.
Score: 0
|"Only ignorant people will get infected by malwares."
That's not *entirely* true. But yeah, I would agree with that in most cases.
Score: 0
|If the software company promises a white hat that a patch will come soon, shouldn't the white hat withhold disclosure for a brief time to allow the patch to come out? Wouldn't that be fair play, if the software company keeps up their end of the deal?
Score: 0
|Agreed. I'm not sure why Ferris made the vulnerability public. Of course, we don't know what the "disagreement" was about.
Score: 0
|Um... Opera has no problems according to Secunia. Maybe it's more secure than both IE and Firefox. :)
Score: 0
|Or maybe Secunia is BIASED, just like 90% of every other "security" web site out there...
Score: 0
|Well, the software that I wrote also "has no problems according to Secunia". Maybe bcos they just don't give a damn. ;)
Score: 0
|Why would they be biased? They get points for pointing out vulnerabilities, it doesn't matter what products they are. The more they are in the news the better it looks. Secunia and eEye are almost household names (OK not really, but you get my point,) at this point because of this.
Score: 0
|about:config, type network.enableIDN in the filter box, double-click the pref so it's disabled.
Done.
Score: 0
|Firefox does have security issues that come up as does ANY software. The measurements for which is more secure are:
1) the number of vulnerabilities
2) the severity of them
3) the speed at which they get fixed.
Comparing IE to Fx
1) Tied - As of this morning IE has 85 Secunia advisories and Fx has 22. Because IE has been around longer I will give IE the benefit of doubt here and call this a tie.
2) Firefox wins. On vulnerability severity:
Extremely Critical - Fx 0 IE 12
Highly Critical - Fx 5 IE 25
Moderately Critical - Fx 8 IE 17
3) Firefox wins again. Security patches for Fx come out very quickly, not so for IE. Fx status at Secunia just went to Highly Critical today, that is the state that IE's has been at for more than 2 years. Why doesn't MS fix those vulnerabilities like http://secunia.com/advisories/9534/ ?
TechMason
Score: 0
|"3) Firefox wins again. Security patches for Fx come out very quickly, not so for IE. Fx status at Secunia just went to Highly Critical today, that is the state that IE's has been at for more than 2 years. Why doesn't MS fix those vulnerabilities like http://secunia.com/advisories/9534/ ?"
First of all you have good points. I'm not getting into Secunia bashing again, but--if those "unpatched" issues were so da!n terrible, how come NO VIRUS HAS EVER EXPLOITED THEM?
Score: 0
|I agree with you. All these vulnerabilities are just there bcos they are there.
Like what I said earlier, most security incidents happen not bcos of these vulnerabilities but because of the ignorance of the user.
Let this TechMason guy be defensive. It's expected. ;)
Score: 0
|How do you know no virus has ever exploited them? Just curious.
I've often wondered if an intelligent virus writer, in it for gain and not glory, could fairly easily develop a strategy to defy detection, and by staying under the radar ensure a much longer viable lifetime for a virus.
Take the vulnerability mentioned -- be honest -- without looking, do you know for SURE that you don't have MCIWNDX.OCX installed? Are you absolutely sure your antivirus sw would tell you if you did?
Score: 0
|"How do you know no virus has ever exploited them? Just curious."
Because as you said in another post, secunia would be all over it, and so would betanews, etc. As far as that mciwndx.ocx file is concerned, I could care less if it was installed (for the record you are correct, I do not know)--wasn't a problem for the past couple of years why would it be a problem now?
Score: 0
|I've told people that IE is no more vulnerable than most competitors. YES EVEN WITH ACTIVEX. For all those people saying "Yeah, but FF will never have security problems where someone can infect your pc without your intervention", here you go. I even posted "mark my words...it's only a matter of time". A buffer overflow problem in FF. And IE doesn't have this problem either.
Now as for why this was publicly disclosed by the same guy who did not disclose it for MS, I'd be pissed off at him if I used FF. Then again no telling what the "disagreement" was about...
Score: 0
|So what do you recommend?
Don't leave us sitting here without a recommendation, man!
How do you deal with this stuff?
Score: 0
|mjm has a solution, see above.
Score: 0
|Despite major browsers such as Firefox & IE having security holes, I believe the majority of security incidents occur due to users' carelessness.
I believe Firefox is still a very good browser to use despite the numerous security issues it has. The same goes for IE. I've been using IE for years and I've never been unknowingly infected by any form of malware.
Score: 0
|Just wanted to say that 1st, it's only since IE 6 (SP1), emphasis on the Service Pack 1, been released that I found Explorer started coming into its own, with some innovative ideas, namely the built-in pop-up blocker, the ability to see and disable add-ons hooking to Explorer, but more importantly, the ability for Explorer to now ask if it's OK to install ActiveX and other vicious objects just waiting to penetrate one's system. But up until then I found Explorer very weak in defence and very easy for malware to get in and stay in; in fact I ask why these features weren't implemented years ago back when 5.5 came out, because this seems the logical way to go, yet they failed to see just that. Still, better late than never.
Also I hope that the next version will improve on this ability even more (asking permission for installation) in Explorer, as I found this alone has reduced attacks on systems significantly, whereas before Explorer just let anything install without ever asking. This feature in itself I feel will grow even more, as it could develop into a firewall, but not on connections, but on programs wanting to install (perhaps an Explorer learning mode). Just a feeling, as user intervention would make better decisions, as the user knows roughly what the particular site is about, whether it's dangerous or not. For example, something wanting to install on the BBC site we would know is OK, but something on a warez site we would know is bad; Explorer would never be able to know the difference. So I do think that this will improve in the next version of Explorer (I hope).
Also I have to say, though, people must bear in mind that there are many, many thousands of crackers out there all trying to get one up on a big corp like Microsoft, so with that in mind I'm not surprised that MS gets attacked so much. It's hard to push blame on someone when their wall is being bombarded by cannon fire but the competition only has pikemen knocking on their wall (bad example I know, sorry).
But still, all in all I agree that MS do delay when security vulnerabilities should be addressed more swiftly, but perhaps looking at a million lines of code after all these years can be tedious, but this of course is no excuse.
sorry for my spelling very late, quite tired,