A COMPUTER TRADE organisation has warned that browser-based attacks are on the increase. According to the Computing Technology Industry Association's annual survey on IT security, the number of attacks in which users are enticed to malicious Web sites through e-mailed links has swelled by a quarter.

In 2003, 36.8 per cent of the IT workers surveyed said that their organization had suffered a browser-based attack in the last six months. The report said that IT staff still considered attacks by worms and viruses the biggest threat. However, this figure was down from 80 per cent the previous year to 68 per cent.

News source: The Inq


** 36 Windows XP Pre-Service Pack 2 Critical Updates
** 29 Windows XP Pre-Service Pack 2 Recommended Updates
** 06 Internet Explorer Updates
** 02 Outlook Express Updates
** Bootvis Tool (version 1.3.37)
** Euro Conversion Tool
** MSN Messenger 6.1.0211 w/ Option to uninstall Windows Messenger 4.7
** Windows Messenger 5.0.0482 (if you chose not to install MSN Messenger)
** Microsoft Virtual Machine w/ 2 Updates
** Sun Java 1.4.2_04 (for those running SP1a or SP1)
** Microsoft Baseline Security Analyzer 1.2
** Microsoft Data Access Components 2.8 w/ 1 Update
** Microsoft DirectX 9.0b w/ 1 Update & Optional Control Panel Shortcut
** Microsoft Jet 4.0 Service Pack 8
** Microsoft Jet 4.0 Service Pack 8 Replication Update
** Microsoft .NET Framework 1.1 w/ 1 Update
** Microsoft SharePoint Migration Tool
** Microsoft Windows Journal Viewer
** Windows XP PowerToys (including 8 Bonus Powertoys)
** Microsoft XML 3.0 SP4
** Microsoft XML 4.0 SP2
** Windows Media Player 9 w/ Update to Build 3093 & 8 other Updates & Enhancements
** Windows Movie Maker 2.0
** Windows Rights Management Client 1.0
** 3D Windows XP ScreenSaver
** Adaptec ASPI Layer for Windows XP
** Bliss Screensaver
** Microsoft American Flag ScreenSaver
** Device Manager Shortcut to All Programs Menu
** Desktop Icon Restore Tool
** Windows Media Player Classic version 6.4.7.5
** Microsoft Virtual CD Tool
** Google Toolbar
** Ink Redist
** PortReporter Tool
** Euro Fonts Update
** Hive Cleanup tool
** Ability to remove ASP.Net User Account
** Ability to remove all Windows XP ScreenSavers
** Ability to remove all Win9x based Wallpapers
** Ability to remove all Windows XP Wallpapers
** IE Spy-Ad
** Optional Internet Explorer Spellcheck tool
** System Uptime Tool
** Macromedia Flash Player
** Macromedia Shockwave Player
** MSN Plus 2.5.4
** Neowin Screensaver (XP logon Hack)
** Microsoft NZ Bliss Wallpaper
** Option to replace update 8-Bit Shutdown and Logoff Icons on Windows Classic Theme
** Startup Monitor
** Startup CPL
** UxTheme.dll Patcher (so you can use custom themes)
** 60 Registry Tweaks
** And Much More!!



There are 11 additional comments
(6 replies) #1 Posted by pHuzi0n on 13 Apr 2004 - 10:18
They need to change "browser based attacks" to 'Internet Explorer based attacks'.
#1.1 Posted by NinjaOfLove on 13 Apr 2004 - 12:29
Not entirely true. Opera, Firefox, Mozilla all have exploits, and each new release features bugfixes and patches to work around them. Not as many as IE, but there's also the argument that being the browser used by the vast, vast majority of the internet, IE is going to be attacked more often.

I'm using the SP2 Technical Preview and the security measures in IE are excellent.
#1.2 Posted by Jugalator on 13 Apr 2004 - 15:32
bleh, forget about this post :*)
#1.3 Posted by pHuzi0n on 13 Apr 2004 - 16:49
1) A bug in any other browser is less severe since they're not TIED INTO THE OS like IE is.
2) Bugs in other browsers get fixed BEFORE they get exploited but IE hasn't been updated in ages (just patched to hell and gone).
3) Saying that IE is secure is like saying a wood shack is secure because you put a lock on the door even though there's holes in the walls big enough for Oprah to fit through.
#1.4 Posted by rogerroger on 13 Apr 2004 - 19:26
Let me correct you pHuzi0n.
1) Doesn't matter. A bug could allow access through the browser to the underlying OS. If you like, you can look up the bug history of Mozilla and a few others. Some pretty nasty stuff there and those browsers were not tied to the operating system!
2) Stop assuming something. You just make an ass of yourself. In a recent 3rd party review, MS actually patched their systems faster on average than competitors. There were some well known bugs in Mozilla and Opera that were around for some time. Heck there is still a hole in Firefox that has been around for months!
3) IE is more secure each time it comes out and like someone else said, the xp sp2 version is very tight. I'm impressed; however, it is up to the user to ensure he/she is patched to avoid all these problems in the first place!

4) What's your obsession with Oprah?
#1.5 Posted by pHuzi0n on 13 Apr 2004 - 20:45
1) A bug in any program should still not allow an exploit to gain privileges. If it does then it's a problem with the OS. In this case the problem is that the browser (IE) is tightly integrated with the OS and so it has led to exploits that can have full control of the system.
2) In a recent FLAWED 3rd party review they neglected to realize that MS doesn't announce any bugs until they're close to having a patch. They also didn't realize that different bugs have different SEVERITIES and that IE has worse bugs than a normal browser would.
3) I was just using an example of a large person that most people know of in order to illustrate how gigantic the holes in IE are.

Back to the real topic, have you EVER heard of anybody 'enticing users to malicious Web sites' that exploit a bug in ANY browser other than IE? I rest my case that it should be changed to 'Internet Explorer based attacks'.
#1.6 Posted by Xeron on 13 Apr 2004 - 21:22
A security hole in any application that is run in the administrator context can affect the entire system. Whether it is integrated into the OS is irrelevant.

What MS need to look into is making it easier to run Windows as a restricted user and use alternative credentials when necessary.
e.g. If I want access to a folder that only admins can access, I want to be asked for an admin password, not just told access denied. If I want to install a bit of hardware as a restricted user, I want to be asked for a password. Of course, a group policy setting should be there to allow admins to say whether it should prompt for a password or just immediately deny.
(2 replies) #2 Posted by SunnyB on 13 Apr 2004 - 10:58
I use firefox instead of IE but Firefox is also vulnerable. A badly crafted shockwave flash presentation can knock Firefox completely offline and crash the OS. The after-effects are a corrupt prefs.js and corrupt or lost bookmarks.htm. I have experienced this first hand and have since reset and backed up all the preferences and bookmarks. I plan to re-visit the same site and flash.swf to see if the effects are duplicated or if it was just a fluke.
#2.1 Posted by PseudoRandomDragon on 13 Apr 2004 - 15:50
It was most likely just a fluke. Even if it wasn't, Macromedia would be to blame, not Firefox.
#2.2 Posted by JaggedFlame on 13 Apr 2004 - 16:46
What's your point? He's saying that no matter what you use, you're vulnerable to browser-based attacks, which happens to be the subject of this article.
#3 Posted by Xeron on 13 Apr 2004 - 11:05
To help against spoof attacks, why can't they add some extra details to the padlock symbol like this:


with the address taken from the 'Issued To' section of the certificate?