Re: The 10 Immutable Laws of Security
- From: "Kerry Brown" <kerry@xxxxxxxxxxxxxxxxxxx*a*m>
- Date: Wed, 21 Mar 2007 07:03:39 -0700
"Ian" <Ian@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:19D1FBE7-6D6A-4CAF-A2D5-22803D6BEA5B@xxxxxxxxxxxxxxxx
"Kerry Brown" wrote:
>> If you are serious about security then you know that Firefox is quickly
>> becoming as insecure as IE.
>
> It would be interesting to know how many of the Firefox vulnerabilities are
> actually exploitable, though. I suspect the number is quite low.
>
> One fact I've observed is that automatic updates are a major security flaw
> in themselves. Mozilla have had exploitable issues with their auto-update
> scheme, and it's one item I tend to turn off. I also tend to disable Java in
> the browser if it's installed, since it's so rarely used and has numerous
> exploits.
>
> Even if the updater itself isn't exploitable, the user interaction creates
> an issue, in that a user conditioned to respond 'Yes' to automatic updates
> will also respond 'Yes' to malware which simulates an automatic update, for
> example "You need to update your Flash player to view this site..." In almost
> all cases a user manually clicking 'Yes' will bypass any security
> arrangements that would otherwise thwart the malware. Even on Vista.
>
> Since we've made it clear to users that we don't use automatic updates,
> and therefore all such messages are to be treated as suspect, the rate of
> malware infestation has dramatically reduced.
I wasn't criticizing Firefox in particular. I was trying to point out that using an obscure (or less popular) program isn't really a valid security method. In XP I think Firefox is more secure than IE6 and probably IE7. In Vista with UAC turned on, IE7 is more secure. My whole point is that while we should try to use programs that are more security conscious, there is no guarantee that an exploit for any given program doesn't exist. Programs shouldn't be trusted by the OS to the extent they are in XP to start with. If the underlying OS is not designed for security and the user then runs as administrator, it really doesn't matter how well a program is written; exploits will probably be found and used if the program is popular enough to make it financially worthwhile. Even if the program is not popular, if an easy-to-use exploit is found the malware authors will probably use it. Some of the sites pushing out malware will continue to try attacks on your computer for several minutes after you have left their site. They try many different attacks for many different programs including firewalls, AV, etc.
--
Kerry Brown
Microsoft MVP - Shell/User
http://www.vistahelp.ca
- References:
- The 10 Immutable Laws of Security
- From: siljaline
- Re: The 10 Immutable Laws of Security
- From: Kerry Brown
- The 10 Immutable Laws of Security