Trojan Hides Itself as Firefox Extension
by Ed Oswald
On Tuesday, security firm McAfee warned of a new trojan that installs itself as a Firefox extension, saying it had found Web sites linking to a virus known as FormSpy. Once loaded on the infected computer, the trojan begins sending personal information entered in the Web browser to a malicious site.
"This information can include, but is not limited to, credit numbers, passwords, e-banking pin numbers" and other sensitive information, McAfee warned. The firm said the application is also capable of sniffing passwords from ICQ, FTP, IMAP and POP3 traffic.
Web sites have been discovered linking to the Trojan, which is hosted at the IP address 81.95.xx.xx. It is installed using an exploit for Internet Explorer known as VBS/Psyme. The exploit is detectable in Internet Explorer when VirusScan is enabled, and the FormSpy Trojan is detectable with the latest DAT file.
"AVERT recommends to always use latest DATs and engine. This threat will be cleaned if you have this combination," McAfee said.
I wonder what IE7 will do now :-D
Score: 0
But as we see.....Bigger IE gets.....better vulnerabilities.............BIGGER FIREFOX GETS......BETTER SECURITY
Opera.....well.....I don't use it.....but I see a beta come up almost every day here.......and each time they have some fix.....
Firefox......fewer betas [only 2 and 3].....since there is improved security......fewer fixes.....better satisfying content!!
Score: 0
and that is why opera and its users are happy with widgets.
Score: 0
*cough*fanboy*cough*
Let me get this straight, you're comparing widgets to extensions? Did you suffer massive head-trauma recently?
Score: 0
well you see.....
extensions=widgets=activex plugins=plugins=whatevermacscallthem
internet explorer=large market share=most targeted
firefox=gaining ground=recently targeted
opera=tiny market share=nobody cares enough about the opera crowd to target them or they assume they have no money to take.
check my math looks good to me
Score: 0
Perfect, except for one minor, but telling error:
extensions=widgets=activex plugins=plugins=whatevermacscallthem
Should read:
extensions!==widgets!==activex plugins!==plugins
Note: (Macs call them widgets, but Opera Widgets!==Konfabulator widgets!==Mac widgets.)
They aren't even close. The functions are vastly different, and the feature set is more or less limited depending. Not even going to go into the security and usability of the respective code or interface.
Score: 0
That's an unproven argument, and I believe it to be absolutely false.
In 1995, there were thousands of viruses for MS-DOS, and possibly millions of MS-DOS users.
Linux and Mac OS have millions of users today, so where are the viruses?
Firefox has over 10 million users (POOMA estimation based on 5% of downloaders actually sticking with it, see below for the 200 million downloads link. Estimate is likely WAY LOWER than actual.) so where are the exploits?
*1* malware here and there using some other technology to perpetuate the malware really doesn't count.
Score: 0
That's an unproven argument, it's absolutely false.
Prove it.
You cannot claim it is unproven, and then in that same sentence claim it is false.
Either it's proven (true or false), or it's unproven.
It is unproven.
Score: 0
Exactly, widgets are NOT extensions, believe me. I yearn for the day that Opera supports extensions or even allows 3rd parties to tie into the browser to fill in the gaps that the Opera devs fail at.
Widgets allow you to use the browser on the desktop for mini-tools, extensions do not do this.
Score: 0
fixed, heh
As for proving it, read my comment again. I provide evidence indicating that the virus scene for Firefox (and incidentally for Linux and Mac OS) should be much worse than it is, based on MS-DOS as my example.
Sure, it could be wrong, but it's not worth the time to pursue it further. It appears pretty solid at face value though.
Feel free to break it down, I'm all ears.
heh
Score: 0
The user numbers probably aren't as important as the percentage of the user base. They are likely to aim for the biggest target.
Score: 0
Yet you use words like "possibly".
Look, I'm not making any claims. I'm just saying it's all speculation.
As for face value, if I took everything at face value, I'd be living in a beach-front Condo in Montana right now. ;)
Score: 0
The only evidence to support that argument is that Windows is the biggest target. This doesn't instantly imply it is targeted because of its market share.
It could be argued that it was an easy target; actually, evidence of that could be the sheer drop in volume of Windows-based worms since Microsoft instituted its security initiative.
Score: 0
We are the fanboys.
Your logic is useless here.
Prepare to be flamed and trolled.
Resistance is futile (We won't listen anyway).
Score: 0
heh
Score: 0
I think the point is not that Linux and MacOS have millions of users (maybe between both of them), but how many millions of users are on Linux/MacOS versus how many on Windows.
Viruses will always target the predominant OS.
Now, the good thing is that finally Firefox is beginning to get some of the fire that has been shot at IE. Maybe because its market share is growing???
I'm happy still using IE, specifically IE7 (and I haven't had a virus/spyware issue since MS-DOS times) ;)
Score: 0
Firefox is getting some of the fire, how? Claiming that viruses will always target the predominant OS doesn't prove that it's a fact.
It would be naive to assume Linux and Mac OS don't have millions of users; Redhat isn't printing its money. ;-)
LOL
Score: 0
Your logic is very flawed...
common sense = most exploits are aimed where they will have the largest impact. Your logic implies that 10 people standing in a corn field have the same chance of being hit by a car as 10 people standing in the street.
Score: 0
That's not common sense, it's opinion.
Your logic doesn't even relate to my comment in any way.
Maybe if you were comparing a street to a street, and you used different cities one with more people than the other you may *MAY* have 1/2 an argument, but well I guess not.
Score: 0
"It would be naive to assume Linux and Mac OS don't have millions of users, Redhat isn't printing it's money. ;-)"
He never said they don't have millions of users. It's the percentage. Why do hackers care to attack millions of users when they can attack hundreds of millions on windows?
Score: 0
"maybe between both of them"
Try reading it again.
Score: 0
The comments here are funny; most of you are arguing with so-called strawman tactics. I'm from Norway, and even -I- understood the article correctly: it's not Firefox that's the problem, but IE! Please just end the damn IE/Firefox war; IE loses by any method you use to try to make IE "win" in a discussion. What I don't understand is why you even bother to defend IE; it's so unintelligible that I sometimes wonder if you are paid by M$. And I'm sure that most of the "IE defenders" have never tested Firefox or know little/nothing about browser security at all. It doesn't hurt to just try Firefox, does it? If you don't like Firefox, try Opera. Just a desperate M$ lover or Tory person would use IE as their default browser.
Of course malicious software can hit your computer and do harm anyway if you're not careful or don't regularly check the system, but if you can as good as exclude one of the most exploited techniques you would be much safer..wouldn't you?
I recommend you all read The MAZZTer's comments; this user knows what s/he is talking about.
Score: 0
this program will protect you from any web exploit!
http://nonadmin.editme.com/DropMyRights
Score: 0
First, NOT all web exploits! Plus it will cripple your browsing: "There's a known limitation with using DropMyRights to run Internet Explorer in "C" or "U" mode when accessing web sites that require SSL or SSPI-based user authentication (e.g. NTLM)."
Score: 0
Thanks for the SPAM.
Score: 0
Well, instead of debating which browser is at fault, why not investigate what VBS/Psyme is?
Do a search in Google, and we can find that this exploit was discovered in 2003, and it takes advantage of the vulnerability in ADODB.Stream object. Do some search again, and we can find that Microsoft has patched this vulnerability in 2004 by disabling ADODB.Stream object in Internet Explorer.
A vulnerability that was patched in 2004.
So to conclude, if a user does not update his/her system, he/she deserves the problems.
Score: 0
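The post above points at the 2004 fix, which disabled ADODB.Stream in Internet Explorer by setting the ActiveX "kill bit" on the object's CLSID. As an added example (my code, not anything from the article, McAfee or Microsoft), here is how a defender can verify that state from an exported registry branch; the CLSID and key path are the ones that fix used, and the .reg text is constructed.

```python
import re

# Registry branch and value the Microsoft fix used to disable ADODB.Stream in
# Internet Explorer: the ActiveX kill bit (0x400) in "Compatibility Flags"
# under the control's CLSID. Taken from that fix, not from the article.
ADODB_STREAM_CLSID = "{00000566-0000-0010-8000-00AA006D2EA4}"
KILL_BIT = 0x400
COMPAT_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer"
              r"\ActiveX Compatibility")

# Constructed regedit export of that branch: ADODB.Stream killed, a made-up
# control explicitly not killed, and another with an unrelated flag only.
# A real export is UTF-16 with CRLF line ends; open it with encoding="utf-16".
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000566-0000-0010-8000-00AA006D2EA4}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{11111111-2222-3333-4444-555555555555}]
"Compatibility Flags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{66666666-7777-8888-9999-000000000000}]
"Compatibility Flags"=dword:00000040
"""

_VALUE_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')

def parse_reg_export(text):
    """Parse the subset of the .reg format needed here: [key] headers and
    "name"=dword:xxxxxxxx lines. Returns {key path: {value name: int}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None:
            m = _VALUE_RE.match(line)
            if m:
                keys[current][m.group(1)] = int(m.group(2), 16)
    return keys

def killbit_set(keys, clsid):
    """True if the kill bit is set for clsid; False when the entry is absent
    or the bit is clear. Registry key names compare case-insensitively."""
    wanted = (COMPAT_KEY + "\\" + clsid).lower()
    for key, values in keys.items():
        if key.lower() == wanted:
            return bool(values.get("Compatibility Flags", 0) & KILL_BIT)
    return False

def adodb_stream_disabled(reg_text=SAMPLE_REG):
    """Report whether the exported branch shows ADODB.Stream killed in IE."""
    return killbit_set(parse_reg_export(reg_text), ADODB_STREAM_CLSID)

if __name__ == "__main__":
    print("ADODB.Stream kill bit set:", adodb_stream_disabled())
```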
Just like I.E. the bigger Firefox gets, the more exploits we will see for it.
Score: 0
Just like I.E. the bigger Firefox gets, the more exploits we will see for it.
Read the summary, twit.
Unlike IE, the bigger firefox gets, the more exploits we will see for IE through Firefox.
This still does not affect firefox. It affects IE.
IE...exploited again...imagine my surprise.
Score: 0
Yeah yeah, it might use IE flaws to install itself. But the point remains, only firefox users would want to install a firefox extension.
This threat likely wouldn't exist if Firefox didn't have a significant share of the market, or if it did, this would infect a whole 2 people who wanted the extension.
MS needs to fix their issues or let users completely remove it.
Score: 0
I'm still right, the bigger Firefox gets, the more exploits you will see for it or for its extensions, twit.
Score: 0
Well that's where you're wrong. This trojan avoids that confirmation dialog and installs the spy component silently. Also read the summary again because it says VBS/Psyme affects IE, not FormSpy...
I have this sucker in front of me.
It's a SFX package containing JS and XPI file.
First one is to avoid that confirmation and second is the core component.
Score: 0
Why do half the replies here assume that it's a Firefox exploit? READ THE SUMMARY MORE CAREFULLY. It is installed through an INTERNET EXPLORER exploit.
Theoretically, any malware that would exploit this vulnerability would be able to do anything it wants to your computer. Installing an extension is just a matter of adding the extension files to your Firefox profile and updating the installed extensions list to point to it.
Firefox will not allow extensions to be installed from unknown sites until you explicitly add it to a list. And then, when an extension install dialog pops up, there is a 5 second delay before you can choose to install it.
(Sorry for my flood of posts here, but people who don't know how to read but insist on writing tick me off.)
Score: 0
You need to read more carefully and actually follow that up with more thought...
Internet Explorer is exploited to install it, but it still infects Firefox. Apparently it's exploiting both somehow, because how is IE having access to even install something in FF to begin with? Just because it starts with IE, doesn't mean FF isn't being exploited as well.
More importantly, never underestimate the ignorance of users who blindly click Yes, OK, and Agree without actually understanding what they're doing.
Score: 0
Firefox stores extensions in files in your profile folder. I think it's safe to assume the trojan just plops its file in with your Firefox files.
It's also possible both programs need to run at once, and the trojan gains access to Firefox's memory space, and causes Firefox to jump to an "install extension" function.
Or maybe it changes Firefox's settings to disable the security prompt and then silently navigates it to the XPI package.
At any rate, whatever it does, it's clear that it has system access when it does it. It could just as easily install an IE toolbar, shortcuts on your desktop, a malicious winamp skin, and so on so forth.
Firefox's install theme/extension dialogs prevent blind clicking by disabling the "Install" button for 5 seconds. This gives the user enough time to realize what exactly the dialog is he's looking at, during which time he can't blindly dismiss it without canceling it as well.
I understand how some of these things work, I have gone rooting in my Firefox profile directory before to see how it ticks. I know how extensions are installed and stored. I know what I am talking about.
Score: 0
Actually, this summary is not very good. It is not even really correct. An article on Information week is much better and is actually a dialog with McAfee staff. Below is a small portion which you can read at http://www.informationwe...tml?articleID=191202224
"The scam starts with spam posing as a message from the billing support department of mega-retailer Wal-Mart, said Craig Schmugar, the virus research manager at McAfee's Avert Labs. When someone opens the attachment, the Trojan downloads and installs two components, a keylogger as well as a sniffer."
As for Firefox not letting extensions install without your knowledge, this is what the article says:
"But it's the way that FormSpy gets onto a machine that's unique, Schmugar said. FormSpy masquerades as a Firefox extension, or browser add-on. It spoofs Numberedlinks 0.9, an extension that in its legitimate form lets users navigate links with the keypad. FormSpy uses some of the actual extension's code to put its hooks into Firefox.
Normally, Firefox extensions -- which in Windows have the .xpi file extension -- display a confirmation dialog that the user must acknowledge before the add-on installs. The bogus Numberedlinks, however, skips that.
The Trojan writes files directly to the Firefox folders without putting up the confirmation," said Schmugar."
So "The MAZZTer", before you believe a summary, try reading more articles and get more facts. It ticks me off when people berate people and they don't have all the information either.
Score: 0
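The posts above and the Avert quote agree on the mechanism: the files land directly in the profile's extensions folder, so the install dialog never runs. As an added example (my code, not anything from the page, Mozilla or McAfee), here is the check a defender would run after the fact: inventory the install.rdf manifests under a profile's extensions folder and diff them against a baseline recorded while the profile was known good. The manifest format is the one Firefox extensions of this era carry; the ids, names, versions and the "Numberedlinks" look-alike entry are constructed, and the profile itself is built in a temporary directory.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

EM_NS = "{http://www.mozilla.org/2004/em-rdf#}"

# Constructed install.rdf in the manifest format extensions of this era carry;
# every id, name and version below is made up for the example.
SAMPLE_MANIFEST = """<?xml version="1.0"?>
<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
     xmlns:em="http://www.mozilla.org/2004/em-rdf#">
  <Description about="urn:mozilla:install-manifest">
    <em:id>{id}</em:id>
    <em:name>{name}</em:name>
    <em:version>{version}</em:version>
  </Description>
</RDF>
"""

def parse_install_manifest(path):
    """Return em:id / em:name / em:version from an install.rdf (None if absent)."""
    root = ET.parse(path).getroot()
    info = {}
    for field in ("id", "name", "version"):
        el = root.find(f".//{EM_NS}{field}")
        info[field] = el.text.strip() if el is not None and el.text else None
    return info

def inventory_profile(profile_dir):
    """Map each directory under <profile>/extensions to its manifest data."""
    ext_dir = os.path.join(profile_dir, "extensions")
    found = {}
    if os.path.isdir(ext_dir):
        for entry in sorted(os.listdir(ext_dir)):
            manifest = os.path.join(ext_dir, entry, "install.rdf")
            if os.path.isfile(manifest):
                found[entry] = parse_install_manifest(manifest)
    return found

def compare_with_baseline(found, baseline):
    """baseline = {extension id: version} recorded while the profile was known
    good; anything on disk the baseline does not account for is reported."""
    report = {"new": [], "changed": [], "missing": [], "dir_mismatch": []}
    seen = set()
    for entry, info in found.items():
        ext_id = info["id"]
        if ext_id != entry:   # Firefox names the directory after the id
            report["dir_mismatch"].append(entry)
        if ext_id not in baseline:
            report["new"].append(entry)
        elif baseline[ext_id] != info["version"]:
            report["changed"].append(entry)
        seen.add(ext_id)
    report["missing"] = sorted(set(baseline) - seen)
    return report

def build_sample_profile(root):
    """Constructed profile: one extension the baseline knows plus one written
    straight into the folder, the way the article says the trojan does."""
    for ext_id, name, version in (("known@example.test", "Known Extension", "1.0"),
                                  ("dropped@example.test", "Numberedlinks", "0.9")):
        d = os.path.join(root, "extensions", ext_id)
        os.makedirs(d)
        with open(os.path.join(d, "install.rdf"), "w") as fh:
            fh.write(SAMPLE_MANIFEST.format(id=ext_id, name=name, version=version))

BASELINE = {"known@example.test": "1.0"}

def run_demo():
    """Build the sample profile in a temporary directory and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_profile(tmp)
        return compare_with_baseline(inventory_profile(tmp), BASELINE)
```

Calling run_demo() reports the dropped-in extension under "new" and nothing else; on a real profile, point inventory_profile at the profile directory and feed it a baseline you saved earlier.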
never underestimate the ignorance of users who blindly click Yes, OK, and Agree without actually understanding what they're doing.
That would be more the fault of the user, and not the software, though, would it not?
Score: 0
I've been saying it for years: when is Mozilla going to certify extensions? Until then, every other malicious jackass will giggle at how easy it is to undermine open source apps. That's really low, man.
Score: 0
They already do. Everything available from the Mozilla Add-Ons site is certified.
It's not Mozilla's fault if you install uncertified extensions from third-party sites.
Score: 0
Nothing is secure in the hands of an idiot.
Score: 0
unless they don't even know how to turn it on, then it is secure from all but the idiot kicking it in frustration.
Score: 0
Of course, you are right. I should have been more specific.
A thousand apologies...
Score: 0
Exactly. But it's inane to bash Mozilla for not trying, when they clearly are.
Score: 0
Did I?
Where?
Score: 0
I don't get the article. It said the virus is installed using an exploit for IE known as VBS/Psyme, and people who use FF like myself don't really use IE. So how could it possibly get installed?
Score: 0
That's why it's been classified as "low risk." But it could still happen.
Score: 0
Hang on, something is wrong, I can't hear the hordes of Firefox fanboys ranting about how secure Firefox is, and how great extensions are...
Score: 0
Guess why?
Because you have to install the dang thing yourself. It's no different than clicking a link that tries to launch an .exe file.
Don't be so dim.
Score: 0
get your head closer to the monitor ...
FIREFOX is still pretty secure; just because of one user-created malicious extension you can't go on to judge the whole browser.... any software can be insecure if put in the hands of an idiot !!!!!!!
Score: 0
Ok I See I'm going to have to repeat myself. This can't autoinstall because Firefox asks you if you are sure you want to install....on top of that putting a time delay then you have to click ok once again. So only a complete fool would install this thing...so why don't you get busy installing it already.
Score: 0
And let me add, no software is hack/crack free. It's just a matter of time. If the perfect software existed, why would we need to have an IT dept? Just buy that software, install it, and forget about it because it's bulletproof.
Score: 0
Why would FF user be worried about this problem dipwad?
Quote since it appears you can't read:
"It is installed using an exploit for Internet Explorer known as VBS/Psyme"
which most FF advocates don't use.
Score: 0
Unless they are going to a site that will not display right in FF...
Score: 0
As opposed to an anti-Firefox fanboy ranting about things that are only happening in his imagination?
Score: 0
1) Sites that don't display right in FF aren't worth my time to fire up in another browser, or even to click the IETab icon and wait while the IE rendering engine slowly and painfully loads. I'll either tolerate the bad website design, or find a better site.
2) If a site blocks non-IE browsers, I'll temporarily spoof my user agent to bypass the block.
3) If a site needs ActiveX, I will say "screw it" and find a site that uses a more universally supported format such as Java, unless it's a site I know I can trust (such as Microsoft Update, which is really the only ActiveX site I use, because I'm pretty much forced to).
Score: 0
Try reading the summary, you have to browse to the site in Internet Explorer, and a vulnerability is exploited to give the trojan access to your Windows profile, from there it can install itself as an extension.
Score: 0
Except Firefox is never exploited. IE is exploited, and at that stage malware could wipe your computer or do anything it wants to anyways.
I love how they couldn't exploit Firefox to do this so they had to exploit IE instead haha.
Score: 0
"Hang on, something is wrong, I can't hear the hordes of Firefox fanboys ranting about how secure Firefox is, and how great extensions are..."
That would be because nothing has changed. It's an Internet Explorer vulnerability that is exploited, not a Firefox one. Go read the article summary again.
Score: 0
I am betting not all FF users are as loyal or capable as you though.
Score: 0
"3) If a site needs ActiveX, I will say "screw it" and find a site that uses a more universally supported format such as Java, unless it's a site I know I can trust (such as Microsoft Update, which is really the only ActiveX site I use, because I'm pretty much forced to)."
I'm kind of surprised that Microsoft is still able to get away with that. Could they be sued for FORCING people to use Internet Explorer to get updates for WINDOWS?
Score: 0
I think brand loyalty is for idiots. I am using FF now because it's the easiest to use, and I can customize it the way I want to. If another browser pops up tomorrow and can do more, I will make a switch in a heartbeat.
Score: 0
Firefox is fine. This affects IE users who have firefox installed.
Please stop being an idiot.
You did read the summary, right? *cough*
Score: 0
It's a malicious Firefox extension that is distributed by Internet Explorer.
Both browsers are at fault.
Score: 0
I'm sorry, but that makes about as much sense as saying it's both the house's fault and the match's fault that the fire burned it down.
Or like saying the safes Houdini escaped out of weren't secure because they're far easier to open from the inside than from the outside.
The trojan uses IE to get system access, from where it can do whatever it wants to. In this specific case it chooses to install a malicious Firefox extension. It could as easily choose to wipe your hard disk.
Once a program has full system access, it's all over, all bets are off, and it can do anything that it wants, regardless of system security settings (because it's just worked around them).
Score: 0
How the hell can you say Firefox is at fault when IE is being exploited to put a file on a filesystem?
Would you blame media player if it opened a media file that an IE exploit put into its library? I doubt it.
Boy, the fools are out in force today.
Score: 0
There are 2 separate issues here.
1/ That the trojan downloads itself through an IE exploit.
2/ Firefox executes the exploit despite its dubious origin.
Anyone that pretends Firefox is not partially at fault here is deluding themselves.
Seems Firefox's extensions are a similar weight around its neck as ActiveX is to Internet Explorer.
Score: 0
So you would blame media player if it had files added to its library by IE then, huh?
By your logic everything should contain some form of DRM / certification process.
I highly doubt you can form an argument that would lead ANYONE to think that Firefox's extensions are nearly as bad as ActiveX is.
Let's start by counting the exploits. Do you have any idea how many times ActiveX has been exploited?
I thought not.
Score: 0
"Both browsers are at fault."
ummmmm....NO!
"The trojan uses IE to get system access, from where it can do whatever it wants to. In this specific case it chooses to install a malicious Firefox extension."
Bingo...The MAZZTer hit the nail on the head so to speak. The root of this problem is IE. If Firefox were auto installing the extension I could see blaming Firefox.
Oh and thanks for correcting me earlier The MAZZTer.
Score: 0
Ugggh...I hate when that happens. It's the only reason I keep IE around. And I'm not talking about some random pisspot site, I'm talking bigger name sites. At one point spiketv.com would not load up in FF.
Score: 0
If the site won't display then it's not worth my time...enough said
Score: 0
My thoughts exactly. If I site absolutely requires IE then it's not worth wasting my time.
Score: 0
".....(such as Microsoft Update, which is really the only ActiveX site I use, because I'm pretty much forced to)"
Now you can be free of that site too :)
WindizUpdate - http://windizupdate.com/
Been using it for months.
Score: 0
No, let's start by counting numbers of users. Then we can continue on to counting the number of people who think it is more beneficial to exploit a browser that will affect more people and potentially allow them to steal more people's identities than to exploit a browser with less.
Score: 0
well it's not like you can remove it;-)
Score: 0
yeah because one is part of the core of an operating system the other is just a browser.
Score: 0
There's also this really wicked thing called 'Automatic Updates'.
Hit Winkey-(Break) and click the Automatic Updates tab. Click on Download and Notify radio button.
Never have to browse Windows (or windiz) update ever again.
Score: 0
Ok, how many users were using DOS when viruses like stealthc and yankee doodle were plaguing PCs?
Counting the number of users is a stupid argument that doesn't make sense. There are *MILLIONS* of people using Windows, Mac OS, Linux, IE, and / or Firefox.
The number is astronomical compared to the days when there were *MAYBE* 50 million MS-DOS users, and there were thousands of viruses back then.
Using your own argument, since there are (edit) MILLIONS of people using Firefox (Firefox approaches 200 million downloads: http://www.spreadfirefox.com/node/24065) there should be thousands of exploits already, just like there were for MS-DOS when its market share climbed this high.
So, where are they?
'nuff said
Score: 0
Can't for a moment consider the society?
Do hackers and such "give a s***" about Firefox?
They may have 200 million users, but IE has that and several hundred million more.
...just sayin'.
If they go where the majority of users are....
Score: 0
Wouldn't you think that out of the several hundred million more that some of them would be [nuts|crazy|stupid|foolish] but [smart|arrogant|script kiddie] enough to want to make Firefox look bad?
I would think so.
Sure, having more people to target is absolutely a factor but it absolutely in no way completely eliminates other targets.
Boy, imagine a military that only hit large targets ignoring all the smaller safe houses. Could you imagine how flawed the logic behind that strategy would be?
The logic implying that Windows is *ONLY* attacked and no other operating systems / applications are can't only be because it's the largest target it just doesn't make any sense at ALL. Surely it is a factor, but it can't be the biggest factor.
Chew on that..
:-P
heh
Score: 0
"Never have to browse Windows (or windiz) update ever again."
Never again have a choice.
Never again choose to not download/install those things you never use because Microsoft were too lazy to actually REMOVE uninstalled Windows components.
Score: 0
I wonder if they think that Mozilla might have thought of this possibility beforehand.....hence Firefox asking if you are sure you want to install an extension and then having a time delay.
Score: 0
Could this mean in the future, you must request developer keys from Mozilla to make your extension work?
Score: 0
How would that help? Once you have the key, you can do what you want!
Score: 0
"A fool and their money are soon parted"...
Score: 0
No, because Firefox surfers are not affected by this trojan, only IE surfers (as usual) with Firefox installed. Read the article summary again.
Score: 0
So if you only use IE then you don't get to install that FF extension in the 1st place.
Score: 0
ooor.......If you use only Firefox you don't get to install this extension in the first place. Which I'm to the point that if a website is IE only then it's not worth my time.
Score: 0
unlucky for us a fool never stops complaining about it either.
Score: 0