Firefox users take note!

    Firefox users take note!

    I guess the title could have been "Good News for Chrome Users!" :P

    New vulnerability found, and guidance to avoid exploit:

    http://lwn.net/Articles/412046/

    to wit:
    The Mozilla Security Blog warns of a new Firefox vulnerability which is already being exploited. "Users who visited an infected site could have been affected by the malware through the vulnerability. The trojan was initially reported as live on the Nobel Peace Prize site, and that specific site is now being blocked by Firefox's built-in malware protection. However, the exploit code could still be live on other websites." Disabling JavaScript (or running NoScript) will block exploit attempts.

    #2
    Re: Firefox users take note!

    I used to use FF :-) Then moved to Chromium (not Google Chrome). Now I use rekonq.
    Registered Linux User 545823



      #3
      Re: Firefox users take note!

      A large part of my job is computer security - and if you look at someplace like the National Vulnerability Database - http://nvd.nist.gov you'll find that Firefox has at least as many vulnerabilities as Internet Explorer these days. Check it out -

      In the last three years IE's had 260 listed vulnerabilities in NVD while Firefox has 643. It's easy enough to check for yourself - look here:

      http://web.nvd.nist.gov/view/vuln/search

      Just enter "Internet Explorer" or "Firefox" and punch the "Search last 3 years" button.

      we see things not as they are, but as we are.
      -- anais nin



        #4
        Re: Firefox users take note!

        Using that page, there is one known vulnerability for rekonq as well:

        Originally posted by NVD
        CVE-2010-2536
        Summary: Multiple cross-site scripting (XSS) vulnerabilities in rekonq 0.5 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) a URL associated with a nonexistent domain name, related to webpage.cpp, aka a "universal XSS" issue; (2) unspecified vectors related to webview.cpp; and the about: views for (3) favorites, (4) bookmarks, (5) closed tabs, and (6) history.
        Published: 08/02/2010
        On another note, looks like Opera has the most total issues @ 908, but they all seem to be fixed in v 10.63.

        thanks for the link
        Mark Your Solved Issues [SOLVED]
        (top of thread: thread tools)



          #5
          Re: Firefox users take note!

          Hi
          I was a "volunteer" at what used to be called "Computer Cops" and then "Castle Cops"....now defunct...

          The volunteers just could not handle the workload and the couple (man and wife) who ran it just became EXHAUSTED trying to keep the site going with the MASSIVE denial of service attacks and nobody............

          DONATED enough money!

          But.... even back then....what.... 2005.... we were discussing WHEN, not if, Linux would be targeted and even though the first FF exploit had not yet appeared the general discussion was that the first "concerted" attempts would be through FF...

          Speaking as someone who spent hours/days working with people who had malware/BADstuff on their computers from the standpoint of CC and the guy down the block who shows up with beer and his tower because he does NOT want his wife to know about the porn on it....

          a) do not go to sites where your grandmother would not want you to go.
          b) do not click an "attachment" unless you have a really good filter like Yahoo, or something on your machine to check it.
          c) do not click a .exe file unless you PERSONALLY know the sender....

          NOW..................just how the bad guys will send a Linux item, as a .tar. or whatever....we do not know...

          But.... the basic idea is ............... DO NOT TRUST anybody that you do not KNOW online!!!

          just my experiences and there are probably people who would argue with my ideas because they are about two and a half years old now... sorry....

          woodbehindthetimessmoke



            #6
            Re: Firefox users take note!

            Originally posted by woodsmoke
            ......
            c) do not click a .exe file unless you PERSONALLY know the sender....

            NOW..................just how the bad guys will send a Linux item, as a .tar. or whatever....we do not know...
            Unless you have WINE installed, clicking on an EXE won't do anything in Linux. IF you have WINE installed the worst case mode is that your WINE installation will get hosed and you will have to reinstall it. IF the WINE virtual engine isn't running nothing will happen even if WINE is installed.

            Linux Trojans or viruses cannot be run without being installed AS A FILE on the HD. While the occasional person might save a tar file, untar it, navigate to its directory and run the necessary commands to configure, compile and install the contents of a tar file, the VAST MAJORITY do not know how, or know enough NOT to try. So, downloaded tar and other files are a poor route to use if a bad guy wants to infect a LOT of Linux computers in a short amount of time. As I mentioned before, it took a group of professional hackers over 6 months to collect 730 or so Linux boxes in their bot farm. During the same period infected emails collected over 1.3 million Windows zombies in the largest bot farm ever found last year.

            Linux will never become as easy to infect as Windows because its security model is different. Unix has been around for over 40 years, and Linux for almost 20 of those years, yet you never hear of a major Unix/Linux infection, of the magnitude that commonly afflicts Windows.

            Firefox, or any browser, is susceptible to infected Java applets. IF the Java applets do not have a valid digital signature or certificate and IF you approve of the bogus digital signature or certification when asked by Firefox, then NO amount of software coding can circumvent that infection vector.

            But.... the basic idea is ............... DO NOT TRUST anybody that you do not KNOW online!!!
            ....
            Or, do not trust anybody online whom you do not know... Good advice.
            "A nation that is afraid to let its people judge the truth and falsehood in an open market is a nation that is afraid of its people.”
            – John F. Kennedy, February 26, 1962.



              #7
              Re: Firefox users take note!

              Sorry GreyGeek you caught me out on that:

              Unless you have WINE installed, clicking on an EXE won't do anything in Linux.

              I should have written that and didn't, too much time on the couch.

              thanks for the catch.

              woodsmoke



                #8
                Re: Firefox users take note!

                But you can get a virus attachment even from people you do know personally if their email has been hacked and they don't know about it, yet...
                Multibooting: Kubuntu Noble 24.04
                Before: Jammy 22.04, Focal 20.04, Precise 12.04 Xenial 16.04 and Bionic 18.04
                Win XP, 7 & 10 sadly
                Using Linux since June, 2008



                  #9
                  Re: Firefox users take note!

                  Originally posted by kyonides
                  But you can get a virus attachment even from people you do know personally if their email has been hacked and they don't know about it, yet...
                  I have Windows-using friends and have, on several occasions, received emails with virus attachments. You can click on them all you want. You can even save them to your HD. You can even click on them while they are sitting on your HD. What you HAVE to do AFTER you save them to your HD is to modify their permissions by adding the execute permission (manually or using Dolphin). Then, if you click on them, it will only run IF they are valid shell scripts or ELF binaries. If they are EXE files it doesn't matter what their permissions are, they will never execute. When Java jar files are clicked they open up in Ark.

                  In other words, you really have to work at it to get an email virus attachment to execute in Linux. That's why you rarely see a Linux virus attached to an email. In fact, IIRC, it has been over eight years since I last saw a putative Linux virus email attachment. For a short period of time, a few years ago, KDE desktop files (*.desktop) could be emailed and they would run the executable they were designed for when clicked as an email attachment, but that susceptibility lasted only a week or so, and it never worked on the Mandriva DE that I was running at the time.
                  "A nation that is afraid to let its people judge the truth and falsehood in an open market is a nation that is afraid of its people.”
                  – John F. Kennedy, February 26, 1962.
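
The check described in post #9, as an added example that is not part of the original thread: a small triage script that reports a saved attachment's execute bits and identifies its format from its leading bytes. The file names and contents are constructed samples, and the script assumes no binfmt_misc handler (for example for Wine) is registered.

```python
import os
import stat
import tempfile

# Leading bytes that identify the formats mentioned in the thread.
MAGIC = [
    (b"\x7fELF", "elf"),      # native Linux binary
    (b"#!", "script"),        # interpreter script (shebang line)
    (b"MZ", "pe"),            # Windows EXE/DLL
    (b"PK\x03\x04", "zip"),   # ZIP container, which includes Java .jar
]

def classify(path):
    """Return a format label based on the file's first bytes, not its name."""
    with open(path, "rb") as fh:
        head = fh.read(4)
    for magic, label in MAGIC:
        if head.startswith(magic):
            return label
    return "other"

def triage(path):
    """Report format, execute bits, and whether the kernel would try to exec it."""
    mode = os.stat(path).st_mode
    executable = bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))
    kind = classify(path)
    # Assumption: no binfmt_misc handler is registered, so only ELF files and
    # shebang scripts are directly runnable. Magic bytes alone do not prove validity.
    runnable = executable and kind in ("elf", "script")
    return {"kind": kind, "executable": executable, "directly_runnable": runnable}

def demo():
    """Triage constructed sample attachments before and after adding +x."""
    samples = {
        "invoice.exe": b"MZ\x90\x00 constructed stub",
        "update.sh": b"#!/bin/sh\necho constructed\n",
        "tool.bin": b"\x7fELF constructed stub",
        "app.jar": b"PK\x03\x04 constructed stub",
    }
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for name, data in samples.items():
            p = os.path.join(d, name)
            with open(p, "wb") as fh:
                fh.write(data)
            os.chmod(p, 0o644)   # saved without execute permission
            before = triage(p)
            os.chmod(p, 0o755)   # the manual step the post describes
            results[name] = (before, triage(p))
    return results
```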
