- From: fluidly unsure <dripping@xxxxxxxxxxxxxx>
- Date: Sat, 03 Dec 2005 07:52:34 GMT
Lionel Fourquaux wrote:
> "fluidly unsure" <dripping@xxxxxxxxxxxxxx> a écrit dans le message de
> news: XJCjf.25090$dO2.20179@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
>> I was referring to ActiveX. Do other browsers have the same
>> capabilities? My experience with Opera is years-old, with Conqueror it
>> is limited, and I have none with Safari. I'm not planning on using Lynx
>> ever again.
>> In FF, software being able to install itself is available, but I haven't
>> heard of that being exploited yet. So far, this feature is more secure
>> than Active X. Who knows what tomorrow will bring.
> What you call "ActiveX" is simply the ability to extend the browser
> using binary plugins. ActiveX itself is only a very simple interface
> convention used for programming these plugins. Firefox also has binary
> plugins, with a different interface convention, and they have exactly as
> much system access as ActiveX objects.
> The main issue with IE here is that many ActiveX objects were marked as
> "safe", then turned out not to be so safe in the end. This is
> increasingly sorted out.
>>> Whatever the browser, once you break out of the sandbox, your account is
>> Sounds reasonable, but isn't that an easy task (relatively speaking)
>> in IE?
I thought privalege escalation was easier in Windows. At least prior to SP1.
> Basically, you are asking "which browser is more secure?". The question
> is too complex for a yes/no answer.
I hope not. I try to take the user's needs into consideration. When I'm
asked questions like this I tell the user that the only way to really
secure a machine is to throw it out the window and use a sledge hammer
on the HD.
Personally, I use FF/TB in a limited account for everyday work. I only
use IE in an administrative account when updating the OS/AV/etc, and in
a limited account when visiting eCommerce sites or any important site
that depends on MS's compliance. I never use any other Internet access
in an administrative account.
I advise non-techie users to use IE with SP2 and then I educate them in
"safe hex" practises.
I'm probably going to look again at Opera because it has more control
over the quality of their product and they don't allow third-party
extensions. Proof that closed-source does have some security benefits.
I use many extensions in FF/TB. But I started wondering what my set-up
has resulted in. I assume more capabilites = more code = more potential
flaws = more potential exploits. While I wasn't pleased with the
increased exposure in IE, I realized I was doing the same thing by
putting so many extensions in FF.
I used to think that extensions were safe so far-- no exploits yet. But
then I did some research and found otherwise.
>>> Very difficult registry hack: set the security zone to High for Internet
>> I didn't say you couldn't get around it, but that it was difficult. The
>> solution you offered is very draconian and will break many web-sites
>> Something more targeted like adding specific websites to the
>> trusted/restricted zones is again possible but too difficult for most
>> I use Eric Howe's Enough-Is-Enough. It works for both techies like me
>> and end-users who don't want to understand the inner-workings of
> It looks like a variation of setting the Internet zone to High, and
> adding sites to the trusted zone, with a user-friendly UI. MS has a
> similar UI here:
> Of course, it's safer, but it's too complicated for most users. Note
> default. IMHO IE with the SP2 and patches is usually good enough from
> the technical point of view, so is Firefox. Neither is perfect, so
> updates are necessary, but many attacks rather use social engineering:
> no matter how secure the browser is, it's meaningless if the users
> download and install random malware (whatever it's packaging, standalone
> program or browser extension).
Yes, EiE does use MS's power tweeks. It's just that it is easier to
install. The zones are properly set-up and these power tweeks buttons
are installed. All with about half a dozen keystrokes.
When I think about about how "security is meaningless when the end-user
downloads/installs [and clicks links that might lead to] random
malware", I start thinking about the users who are always contaminating
their machines. But then, we all make mistakes. I doubt if anybody
hasn't been duped at least once. I know there is more than one time I
thought of the potential consequences a moment too late.
>> Please don't take my posts like I'm trying to disrepute you, I want to
> I'm not taking it ill at all. There are some nonobvious points here, and
> lots of confusion being spread around (not necessarily with malicious
I was suprised when you started answering question. That is usually a
rare case. It doesn't matter if the questions are intermediate or
"newbie" questions. Many/most people with advanced knowledge seem to
think it is too demeaning for them to answer questions.
So while you are open I'm going to ask you more.
I'm looking for an inexpensive way to set up a Malware laboratory. I
already have network analysis capabilities (3 comps, a hub, Ethereal,
Now I need to:
1) put programs in a VM sand-box (like JAVA's JVM)
I know about VMWARE but don't have the money right now.
2) put programs in a directory jail (like CHROOT)
I've tried a complicated hierarchical privilege scheme but it was a real
PITA to maintain.
3) get a lite-weight debugging package for w32
I currently use VS6 with symbols installed from MSDN. But I assume it's
footprint would affect some tasks. Would you suggest GDB for windows,
WinDbg from MS, or something else?
Am I missing anything?
- From: Lionel Fourquaux
- From: Lionel Fourquaux
- From: fluidly unsure
- From: Lionel Fourquaux
- Prev by Date: Re: which ca model should i use
- Next by Date: Re: Standard way to remember passwords