Wolven and Oithona attack the funny bone..


Longboard
April 1st, 2009, 11:22 PM
;D ;D
http://wolvix.org/article.php?id=24
-{ Quote: "After a lengthy discussion between Oithona and me, we've come to the conclusion that Wolvix is simply too small, fast and stable to be able to compete with the latest installment of Microsoft Windows®. So the decision has been made to move Wolvix over from Slackware to an Ubuntu base using KDE 4.0 as the default desktop environment.

During our internal testing we found that the new Ubuntu based Wolvix was still too fast to mimic the speed of the latest Windows version. As a response to this Oithona has developed a Python script that will consume about 85% of all the CPU resources, and fill up all available RAM in order to get the OS to constantly use the swap partition. Work is in progress to create a program that will pop up and ask for confirmation (Cancel/Allow) for 1 out of 3 tasks the user performs - We're also looking into forcing all applications to run as root. Modifications have been made to the installer ensuring that the new Wolvix will not use any less than 20GB of hard drive space. The install process will take about 2 - 3 hours depending on your hardware. (A quad core 3.5GHz CPU and 4GB RAM is recommended)

We've spent hours discussing what the new Wolvix version should be named. Oithona wanted to follow in the tradition of other Ubuntu derivatives and call it Wolfbuntu, while I had my mind set on Wolvix Wista. As a compromise we've agreed that the new name will be Wolfbuntu Wista. We expect to have the first alpha version of Wolfbuntu Wista ready in 5 to 6 years, so stay tuned.
-Wolven" }-

Arup
April 2nd, 2009, 03:28 AM
;D ;D ;D

Good one............so as I suspected, Ubuntu is the Windows of the Linux world.

Mrkvonic
April 2nd, 2009, 04:37 AM
I don't understand why so many people, present company excluded, are against Ubuntu. It works, it's easy, it draws the crowd to the Linux world, it's doing good to all of us, so me wonders ...
Mrk

Eice
April 2nd, 2009, 04:37 AM
I know it's April Fools', but I'd just like to point out how unwise it is to underestimate Microsoft. Jokes aside, I just hope this particular distro doesn't go Mozilla's way, who's still busy crowing about their "superiority" over IE when the fact is their product has devolved into one of the most unsafe browsers today.

Arup
April 2nd, 2009, 04:50 AM
-{ Quote: "I don't understand why so many people, present company excluded, are against Ubuntu. It works, it's easy, it draws the crowd to the Linux world, it's doing good to all of us, so me wonders ...
Mrk" }-


The same reason people are against MS, security holes aside and barring the stupid registry, MS works and so does Ubuntu. It's the top rated distro in distrowatch.

dw426
April 2nd, 2009, 05:25 AM
-{ Quote: "I know it's April Fools', but I'd just like to point out how unwise it is to underestimate Microsoft. Jokes aside, I just hope this particular distro doesn't go Mozilla's way, who's still busy crowing about their "superiority" over IE when the fact is their product has devolved into one of the most unsafe browsers today." }-

I ought to know better by now than to do this, but I just have to ask how you arrived at the conclusion Firefox is one of the most unsafe browsers.

IE: (version 7)

1. Has its claws so deep within the OS it isn't even funny.

2. Has Active X, one of the most unsafe technologies out there.

3. Has no ability whatsoever to add security functionality to it and its security settings are complicated unless a knowledgeable person is setting them or a trusted security website has been consulted (imho).

FF:

1. Is separated from the browser, so browser holes don't affect the OS and vice versa.

2. Does not support Active X.

3. Is easily configurable to provide greater security via TRUSTED extensions...yes, I know, extensions can add risk, yada yada...stick to Noscript and Adblock Plus then.

Eice
April 2nd, 2009, 06:05 AM
-{ Quote: "but I just have to ask how you arrived at the conclusion Firefox is one of the most unsafe browsers." }-
By the number of security vulnerabilities that have been constantly popping up. It outranks IE, Opera, and Chrome combined. You're asking the obvious.

-{ Quote: "1. Has its claws so deep within the OS it isn't even funny." }-
A popular yet horribly misinformed argument. I could provide a lengthy explanation, but right now it seems hardly worth the time when all you do is throw down a cliched piece of propaganda. Suppose you provide evidence on how IE's "deep claws" are detrimental to security, and then we'll talk.

-{ Quote: "2. Has Active X, one of the most unsafe technologies out there." }-
ActiveX is simply code. You might as well be saying that executable files are unsafe.

-{ Quote: "3. Has no ability whatsoever to add security functionality to it and its security settings are complicated unless a knowledgeable person is setting them or a trusted security website has been consulted (imho)." }-
That's perhaps because it's fundamentally secure enough that it doesn't need the user to manually whitelist every piece of Javascript out there, as one of its competitors does.

Meriadoc
April 2nd, 2009, 07:23 AM
Ha ;D ;D good laugh.

Arup
April 2nd, 2009, 07:52 AM
-{ Quote: "By the number of security vulnerabilities that have been constantly popping up. It outranks IE, Opera, and Chrome combined. You're asking the obvious." }-


Fully agreed on that, also there are some inherent issues like slow browsing after a session of heavy browsing, as well as high memory consumption and slow start up, that continue to plague Firefox.

Mrkvonic
April 2nd, 2009, 08:38 AM
Eice, the number of vulnerabilities means nothing in itself. It's like counting potatoes on a counter. What does it tell you? Nothing.
Mrk

Longboard
April 2nd, 2009, 08:40 AM
-{ Quote: "I don't understand why so many people, present company excluded, are against Ubuntu. It works, it's easy, it draws the crowd to the Linux world, it's doing good to all of us, so me wonders ..." }-
It is good, it does work well....just Wolven having a dig. :D

LOL: by virtue of its success in the :o 1% market share, has Ubuntu become a target??

Eice
April 2nd, 2009, 10:38 AM
On a second re-read, I find it amusing how the writer of the article tries to satirize Vista's UAC, when Linux itself forces the user to sudo just about every other command. And in the very next breath the writer talks about forcing all programs to run as root.

Eice
April 2nd, 2009, 10:40 AM
-{ Quote: "Eice, the number of vulnerabilities means nothing in itself. It's like counting potatoes on a counter. What does it tell you? Nothing.
Mrk" }-
You're right. I should probably rephrase it as "the quality of the code, security-wise".

Mrkvonic
April 2nd, 2009, 12:25 PM
In which case FF takes hands down... IE is a crapponics of code.
Mrk

Eice
April 2nd, 2009, 12:34 PM
-{ Quote: "In which case FF takes hands down... IE is a crapponics of code.
Mrk" }-
Yes, because given the public-domain statistics released so far, we all know that more vulnerabilities = better quality. A fine Mozilla tradition since 2006.

lodore
April 2nd, 2009, 12:39 PM
Btw, has Mozilla fixed the profile manager "bug"?
If you used the profile manager for Firefox and put it, say, in "My Documents" by mistake and then told the profile manager to delete the profile, it would empty all the folders and subfolders of where the profile is installed.

I was lucky I had a backup of my data. I did it a few years ago.

The bug in Bugzilla had already been open for around 2 years at that point, and if you tried to create a new ticket it was closed right away.

Mrkvonic
April 2nd, 2009, 01:35 PM
-{ Quote: "Yes, because given the public-domain statistics released so far, we all know that more vulnerabilities = better quality. A fine Mozilla tradition since 2006." }-

We all know number of vulnerabilities is linearly proportional to the risk, exposure time, severity of vulnerabilities, right? Wrong.

Vulnerabilities are not linear.

Going by your logic, the least healthy person is the one who regularly checks in at the doctor's office and is occasionally diagnosed with small issues versus one who never goes to the doctor and has who knows what illnesses ...

Anyhow, I'm tired and in no mood for these kinds of discussions. IE rules, use it, enjoy.

Mrk

dw426
April 2nd, 2009, 02:09 PM
-{ Quote: "By the number of security vulnerabilities that have been constantly popping up. It outranks IE, Opera, and Chrome combined. You're asking the obvious.


A popular yet horribly misinformed argument. I could provide a lengthy explanation, but right now it seems hardly worth the time when all you do is throw down a cliched piece of propaganda. Suppose you provide evidence on how IE's "deep claws" are detrimental to security, and then we'll talk.


ActiveX is simply code. You might as well be saying that executable files are unsafe.


That's perhaps because it's fundamentally secure enough that it doesn't need the user to manually whitelist every piece of Javascript out there, as one of its competitors does." }-


Not sure why I bother furthering the discussion with such an attitude, but here goes:

1. How is it that IE being so hooked into the OS (which it is, there's enough proof of that that I hardly need to provide anything) is "safe"?

2. Active X may be just code (and I certainly agree), but it's also one of the most abused. So, code or not, it's unsafe without restrictions.

3. At least Noscript can show you malicious scripts before you let them activate. IE shows you, um, well, nothing. I don't recall whitelisting a hell of a lot of javascript, but I guess whatever.

*sigh* I don't know, I don't claim to be a browser expert, I just read what I can and try to learn. So far everything I've learned is that IE may not be an atom bomb waiting to go off as far as security, but it's certainly not Fort Knox. Then again, what is?

Dogbiscuit
April 2nd, 2009, 03:49 PM
Charlie Miller, the researcher (at Pwn2Own) who broke into a fully patched MacBook machine using a Safari code execution vulnerability:
-{ Quote: "For all the browsers on operating systems (at Pwn2Own), the hardest target is Firefox on Windows. With Firefox on Mac OS X, you can do whatever you want. There’s nothing in the Mac operating system that will stop you." }-
-{ Quote: "It’s more about the operating system than the (target) program. Firefox on Mac is pretty easy too. The underlying OS doesn’t have anti-exploit stuff built into it." }-
-{ Quote: "It’s clear that all three browsers (Safari, IE and Firefox) have bugs. Code execution holes everywhere. But that’s only half the equation. The other half is exploiting it." }-

"A day after his (Nils) perfect sweep of the breaking into fully patched default configurations of all three main Web browsers — Microsoft Internet Explorer, Mozilla Firefox and Safari for Mac OS X":
-{ Quote: "Let me correct something. It was a Firefox on Mac OS X vulnerability and exploit. The bug does affect Windows but, honestly, it’s way harder to get the code to run reliably on Windows. That’s the reason I did my Firefox attack on the Mac. I’m not allowed to talk about it but, for that bug, to get real exploitation on Windows is difficult because of ASLR (Address Space Layout Randomization) and DEP (Data Execution Prevention). On the Mac, I could trigger it and exploit it easily." }-

Kerodo
April 2nd, 2009, 04:50 PM
-{ Quote: "I don't understand why so many people, present company excluded, are against Ubuntu. It works, it's easy, it draws the crowd to the Linux world, it's doing good to all of us, so me wonders ...
Mrk" }-
I don't figure it either, except maybe it's just that success is a target for certain people. I think Ubuntu is great for all the reasons you listed, and more. :thumb:

Eice
April 3rd, 2009, 12:57 AM
-{ Quote: "We all know number of vulnerabilities is linearly proportional to the risk, exposure time, severity of vulnerabilities, right? Wrong." }-
I agree, to a certain extent. Which was why I decided to rephrase my words into "the quality of the code, security-wise". Yet given the staggering advantage Firefox has in sheer number of vulnerabilities, I think my original words are still somewhat justified.

-{ Quote: "Going by your logic, the least healthy person is the one who regularly checks in at the doctor's office and is occasionally diagnosed with small issues versus one who never goes to the doctor and has who knows what illnesses ..." }-
That would be assuming IE never goes to the doctor.

-{ Quote: "Anyhow, I'm tired and in no mood for these kinds of discussions." }-
True. Perhaps the example I used in my initial post was less than appropriate for this forum...

-{ Quote: "Not sure why I bother furthering the discussion with such an attitude, but here goes:" }-
This is the second time you've mentioned something to this effect, so I feel obliged to address it. If you feel that you should know better than to do something, please don't, by all means. If you still do it anyway, then perhaps you know less than you think, or are lacking in wisdom.

-{ Quote: "1. How is it that IE being so hooked into the OS (which it is, there's enough proof of that that I hardly need to provide anything) is "safe"?" }-
Given that there's "enough proof", surely it's trivial to provide one or two pieces of evidence out of the many. Let's have something more substantial than populist propaganda to discuss.

But since you do admit that your knowledge in this area may not be complete: Windows calls upon mshtml.dll (IE's Trident rendering engine) when it needs to render parts of the OS. That's your "so hooked into the OS". A far cry from the cliche that IE has its "deep claws" over your OS kernel, isn't it? Like hacking movies, facts are often much tamer and less sensationalist than wild fiction.

-{ Quote: "2. Active X may be just code (and I certainly agree), but it's also one of the most abused. So, code or not, it's unsafe without restrictions." }-
No restrictions?

ActiveX is one of the most tightly controlled technologies in IE today. It's segregated into multiple security zones, checked for digital signatures, and even after that you are still prompted at least twice if you want to run one (just try installing, say, the Adobe Flash plugin for IE). It's probably even more controlled than downloading and running EXE files, which are more likely to infect you than ActiveX.

-{ Quote: "3. At least Noscript can show you malicious scripts before you let them activate. IE shows you, um, well, nothing. I don't recall whitelisting a hell of a lot of javascript, but I guess whatever." }-
IE shows you nothing for the same reason Linux doesn't need an antivirus: it's immune to a lot of the so-called bad stuff. But if you like NoScript's philosophy, you can replicate that effect quite easily using IE's security zones. I think NoScript is a poor implementation of security, if it can be called security at all, but if it appeals to you, IE happens to be able to do the same.

-{ Quote: "So far everything I've learned is that IE may not be an atom bomb waiting to go off as far as security, but it's certainly not Fort Knox. Then again, what is?" }-
I'm not saying IE is Fort Knox. I'm just saying that Mozilla is so busy basking in their glory from 2006 and 2007 that they perhaps still don't understand the state of their product as it is now. A fate that I hope Wolvix won't come to.

-{ Quote: "Let me correct something. It was a Firefox on Mac OS X vulnerability and exploit. The bug does affect Windows but, honestly, it’s way harder to get the code to run reliably on Windows. That’s the reason I did my Firefox attack on the Mac. I’m not allowed to talk about it but, for that bug, to get real exploitation on Windows is difficult because of ASLR (Address Space Layout Randomization) and DEP (Data Execution Prevention). On the Mac, I could trigger it and exploit it easily." }-
Firefox is as insecure as ever. Vista's security features just helped compensate for it. Is it just me, or is it just ironic that a product, whose developers once promised "would never be as buggy as IE", is now dependent on Microsoft's code to shore it up?

dw426
April 3rd, 2009, 01:53 AM
-{ Quote: "I agree, to a certain extent. Which was why I decided to rephrase my words into "the quality of the code, security-wise". Yet given the staggering advantage Firefox has in sheer number of vulnerabilities, I think my original words are still somewhat justified.


That would be assuming IE never goes to the doctor.


True. Perhaps the example I used in my initial post was less than appropriate for this forum...


This is the second time you've mentioned something to this effect, so I feel obliged to address it. If you feel that you should know better than to do something, please don't, by all means. If you still do it anyway, then perhaps you know less than you think, or are lacking in wisdom.


Given that there's "enough proof", surely it's trivial to provide one or two pieces of evidence out of the many. Let's have something more substantial than populist propaganda to discuss.

But since you do admit that your knowledge in this area may not be complete: Windows calls upon mshtml.dll (IE's Trident rendering engine) when it needs to render parts of the OS. That's your "so hooked into the OS". A far cry from the cliche that IE has its "deep claws" over your OS kernel, isn't it? Like hacking movies, facts are often much tamer and less sensationalist than wild fiction.


No restrictions?

ActiveX is one of the most tightly controlled technologies in IE today. It's segregated into multiple security zones, checked for digital signatures, and even after that you are still prompted at least twice if you want to run one (just try installing, say, the Adobe Flash plugin for IE). It's probably even more controlled than downloading and running EXE files, which are more likely to infect you than ActiveX.


IE shows you nothing for the same reason Linux doesn't need an antivirus: it's immune to a lot of the so-called bad stuff. But if you like NoScript's philosophy, you can replicate that effect quite easily using IE's security zones. I think NoScript is a poor implementation of security, if it can be called security at all, but if it appeals to you, IE happens to be able to do the same.


I'm not saying IE is Fort Knox. I'm just saying that Mozilla is so busy basking in their glory from 2006 and 2007 that they perhaps still don't understand the state of their product as it is now. A fate that I hope Wolvix won't come to.


Firefox is as insecure as ever. Vista's security features just helped compensate for it. Is it just me, or is it just ironic that a product, whose developers once promised "would never be as buggy as IE", is now dependent on Microsoft's code to shore it up?" }-

1. Regarding my knowing better, lol, actually, point taken.

2. With regards to Windows using IE's rendering engine, it doesn't sound like the smartest idea in the world, but I'm not Microsoft :) This must be the area in which all the "IE problems are Windows problems/Windows problems are IE problems" comes into play.

3. I think restrictions was a poor word to use on my part. But if Active X is so controlled, and IE is immune to the so called bad stuff and doesn't need scripting protection, where are all the drive by downloads and malicious activity coming from that's turning IE into "swiss cheese". I've read about these "drive bys" and other things (obviously not enough), and it all seems to point to executable code (how else?).

So are IE's troubles caused by vulnerabilities that only get exploited when a user gets the temptation to "click here!", or are there real issues that allow the bad guys to "unlock the door" to your system regardless of what you do? Have all the "tests" magazine articles, media reports, and security blogs been making all these suggestions and leaving out the part where "if Joe doesn't click the banner ad, Joe doesn't get touched"?

Perhaps instead of trying to give advice to others, I should sit back down in my chair and wait for a few more lessons, because if all of the above is true, I'm truly a newbie who thought he knew more than he did.

Eice
April 3rd, 2009, 03:10 AM
-{ Quote: "2. With regards to Windows using IE's rendering engine, it doesn't sound like the smartest idea in the world, but I'm not Microsoft :) This must be the area in which all the "IE problems are Windows problems/Windows problems are IE problems" comes into play." }-

IE is not unique in this regard. Konqueror, for example, is both the default browser AND file explorer on KDE-based Linux systems (yet you don't hear people cry that Konqueror has its claws deep in Linux...). Like all good myths, the story of Windows/IE integration is based partially on facts. Windows needs IE's Trident engine to render some stuff, but it's more of a relationship of Windows taking control of an IE component, than IE somehow being more capable than any other compromised program at digging into and manipulating the OS kernel.

IE problems are Windows problems? Only if you believe in propaganda. IE is perfectly capable of running with reduced privileges and isolated from the system kernel, and carry on with its business without even noticing - because it has absolutely no links whatsoever with the system kernel. In fact this is what Protected Mode in IE7/8 does. In this sense it's just about as "embedded" into Windows as Notepad is.

-{ Quote: "3. I think restrictions was a poor word to use on my part. But if Active X is so controlled, and IE is immune to the so called bad stuff and doesn't need scripting protection, where are all the drive by downloads and malicious activity coming from that's turning IE into "swiss cheese". I've read about these "drive bys" and other things (obviously not enough), and it all seems to point to executable code (how else?).

So are IE's troubles caused by vulnerabilities that only get exploited when a user gets the temptation to "click here!", or are there real issues that allow the bad guys to "unlock the door" to your system regardless of what you do? Have all the "tests" magazine articles, media reports, and security blogs been making all these suggestions and leaving out the part where "if Joe doesn't click the banner ad, Joe doesn't get touched"?" }-
You're thinking about IE6, which was indeed a piece of poop. Microsoft was complacent, they wrote poor code with gaping holes, and they patched those holes slowly. Avoiding IE was VERY sound and justified advice back then, and Mozilla rode to fame on the coattails of IE's misfortune. But things in the computer world can and often do change rather quickly.

dw426
April 3rd, 2009, 03:41 AM
-{ Quote: "IE is not unique in this regard. Konqueror, for example, is both the default browser AND file explorer on KDE-based Linux systems (yet you don't hear people cry that Konqueror has its claws deep in Linux...). Like all good myths, the story of Windows/IE integration is based partially on facts. Windows needs IE's Trident engine to render some stuff, but it's more of a relationship of Windows taking control of an IE component, than IE somehow being more capable than any other compromised program at digging into and manipulating the OS kernel.

IE problems are Windows problems? Only if you believe in propaganda. IE is perfectly capable of running with reduced privileges and isolated from the system kernel, and carry on with its business without even noticing - because it has absolutely no links whatsoever with the system kernel. In fact this is what Protected Mode in IE7/8 does. In this sense it's just about as "embedded" into Windows as Notepad is.


You're thinking about IE6, which was indeed a piece of poop. Microsoft was complacent, they wrote poor code with gaping holes, and they patched those holes slowly. Avoiding IE was VERY sound and justified advice back then, and Mozilla rode to fame on the coattails of IE's misfortune. But things in the computer world can and often do change rather quickly." }-

So basically you're saying MS is still being punished for IE6, long after they finished "serving their time"? Sounds a bit like another company that's been blasted for being included in something else, but I dare not start that, lol. I guess what I take from this is:

1. IE in its current form is fine, the problem is the user.

2. Security itself is basically judged by user action, not the browser/PDF reader/Media Player/OS (in normal cases, excluding legitimately malicious or poorly written programs).

I've learned quite a bit here, I'm sure I have far to go. It's nice to take the tinfoil hat off though. I'll now approach the internet, still with caution, but a little more peace of mind.....but Sandboxie and Avast stay dangit.

Arup
April 3rd, 2009, 04:19 AM
I am an avid Opera user and have been using it since its launch, paid for every version till they went free. I have to admit that IE initially was pretty bad, specially on dial up noisy lines. Most of my requests would time out so I stopped using IE and only used it for MS update or sites which wouldn't load with Opera. Even IE7 didn't impress me at all, however the new IE8 is quite a change, not only can I browse fast with it, it gives me far fewer errors and has a nice feel and interface. I wouldn't be changing my Opera browser anytime soon but I would be giving IE8 a chance from now on. I seriously think MS has done some work in the right direction regarding the browser.

dw426
April 3rd, 2009, 04:45 AM
-{ Quote: "I am an avid Opera user and have been using it since its launch, paid for every version till they went free. I have to admit that IE initially was pretty bad, specially on dial up noisy lines. Most of my requests would time out so I stopped using IE and only used it for MS update or sites which wouldn't load with Opera. Even IE7 didn't impress me at all, however the new IE8 is quite a change, not only can I browse fast with it, it gives me far fewer errors and has a nice feel and interface. I wouldn't be changing my Opera browser anytime soon but I would be giving IE8 a chance from now on. I seriously think MS has done some work in the right direction regarding the browser." }-

I intend to give IE8 a run today actually. As far as Opera, until I learned what I did, I was reluctant to use it because of the lack of Noscript and Adblock Plus. I think that's the only thing that held me back other than a few Opera 9.2 (I believe) crash issues and such. Adblock Plus, well, I DO love it, oh so much, lol. I wish there was some free way on IE to have the same ability (IS there a list pre-made that can be used?) I know Opera also has an adblock-like script that has been mentioned.

Heck, maybe I'll just give Opera AND IE8 a chance. I can't knock Firefox too much, it's been good to me and I don't see a reason YET to dump it. Though I will say, all the statements about memory issues are so true. Memory has been an issue with FF for as long as I can remember.

Arup
April 3rd, 2009, 05:43 AM
Opera also has a no script equivalent user js which works as well, Opera has never needed one as it has been the browser with least amount of holes and they are also the fastest to patch holes. Just one look at Secunia advisories will show that.

http://my.opera.com/community/forums/topic.dml?id=241208

No script for Opera.

Eice
April 3rd, 2009, 09:29 AM
-{ Quote: "Adblock Plus, well, I DO love it, oh so much, lol. I wish there was some free way on IE to have the same ability (IS there a list pre-made that can be used?)" }-
There are numerous options for blocking ads in IE, but the best two I've found are Privoxy and IE7Pro (google for them). Privoxy acts as a local proxy, and hence is a powerful program that allows you to manipulate incoming/outgoing network data in a variety of interesting ways. It includes some ad-blocking filters by default, though if you need to modify the settings they're not very newbie-friendly.

IE7Pro, on the other hand, is very interesting. It integrates adblock, mouse gestures, prefetching, and a whole slew of other features into IE. Officially, it's not specifically compatible with IE8, but I've tried it for 2-3 days without noticeable ill effects.

dw426
April 3rd, 2009, 04:17 PM
-{ Quote: "There are numerous options for blocking ads in IE, but the best two I've found are Privoxy and IE7Pro (google for them). Privoxy acts as a local proxy, and hence is a powerful program that allows you to manipulate incoming/outgoing network data in a variety of interesting ways. It includes some ad-blocking filters by default, though if you need to modify the settings they're not very newbie-friendly.

IE7Pro, on the other hand, is very interesting. It integrates adblock, mouse gestures, prefetching, and a whole slew of other features into IE. Officially, it's not specifically compatible with IE8, but I've tried it for 2-3 days without noticeable ill effects." }-

I used to use IE7Pro actually, it had caused some sort of stalling issue (which now I can't remember exactly what that was), and, at least to me, it didn't seem quite as effective as AdBlock Plus. As for now, I am running both IE8 and Opera, and I have to say I am pleased. IE8 is a really nice browser. It is a slight (very slight) bit slow, but I believe that is because I am using the MVPS Host file to block ads for IE, and, having many websites in the Restricted Zone is known to slow IE8 (at least was known). So that I blame on me and not IE.

Opera on the other hand, seems like it wants to render pages before the pages even have a chance to say hello to me, lol. It's lean, and it's lightning fast. I run Avast with its web shield, so I may not even bother with the user scripts. If I run across a nasty the web shield should pick it up. As far as ads, again, the host file seems to have that covered.

Dogbiscuit
April 3rd, 2009, 06:17 PM
-{ Quote: "Firefox is as insecure as ever." }-
-{ Quote: "For all the browsers on operating systems (at Pwn2Own), the hardest target is Firefox on Windows." }-
Do you think he's wrong?

Eice
April 3rd, 2009, 10:15 PM
-{ Quote: "Do you think he's wrong?" }-
What makes you think that?

As I've indicated, I'm quite inclined to agree with him that Vista's inbuilt security features are indeed impressive.

Dogbiscuit
April 4th, 2009, 12:08 AM
-{ Quote: "What makes you think that?" }-
The question was if you thought his statement about Firefox on Windows being the hardest target was wrong. That's all.

Arup
April 4th, 2009, 01:25 AM
-{ Quote: "What makes you think that?

As I've indicated, I'm quite inclined to agree with him that Vista's inbuilt security features are indeed impressive." }-


Apart from Linux, I would say MS has made great strides in the field of security, they have to as they charge a hefty sum for their OS and security holes would do no good to their sales. What's surprising to see is how complacent Apple has been and it's not surprising to see it being caught with its pants down.

dw426
April 4th, 2009, 02:02 AM
-{ Quote: "Apart from Linux, I would say MS has made great strides in the field of security, they have to as they charge a hefty sum for their OS and security holes would do no good to their sales. What's surprising to see is how complacent Apple has been and it's not surprising to see it being caught with its pants down." }-

Could it be that Apple's situation is due to arrogance on the part of Jobs and also on, what seems to me, a near obsession with iPod and iPhone development (I understand these are separate departments with separate of course)? For quite some time Apple has enjoyed stratospheric popularity (among professionals at least), due in part I'm sure of what Eice was saying, propaganda that the Mac was just as "bulletproof" as the actual Linux OS. I guess they were brought back to ground level.

I guess it shows that there is always safer, but never safe.

Arup
April 4th, 2009, 02:50 AM
-{ Quote: "Could it be that Apple's situation is due to arrogance on the part of Jobs and also on, what seems to me, a near obsession with iPod and iPhone development (I understand these are separate departments with separate of course)? For quite some time Apple has enjoyed stratospheric popularity (among professionals at least), due in part, I'm sure, to what Eice was saying, propaganda that the Mac was just as "bulletproof" as the actual Linux OS. I guess they were brought back to ground level.

I guess it shows that there is always safer, but never safe." }-


From what I see, all Linux OS continuously update the discovered security holes at a rapid pace, MS too has now become serious about this issue. Apple created a myth about their OS and RISC based hardware, when they switched to Intel, part of that went away but they still persisted with their OS is superior mantra which was bought by many gullible Apple owners. Also Apple has an aggressive, almost mafia-like attitude against security researchers who have brought out Apple holes in the past, threatening them with litigation if they didn't withdraw their findings. Now with the latest report out, the cat is finally out of the bag.

tlu
April 4th, 2009, 06:53 AM
@Eice:

I don't know why you started an IE vs. Firefox comparison in this thread. But anyway, here (http://www.wilderssecurity.com/showpost.php?p=1418176&postcount=2) is my answer.

Eice
April 4th, 2009, 08:46 AM
-{ Quote: "The question was if you thought his statement about Firefox on Windows being the hardest target was wrong. That's all." }-
Whether his claim was correct or otherwise, I just felt it worthwhile to take note that the underlying basis behind his claim was attributed to Vista's security, not Firefox's.

Dogbiscuit
April 4th, 2009, 03:23 PM
-{ Quote: "Whether his claim was correct or otherwise, I just felt it worthwhile to take note that the underlying basis behind his claim was attributed to Vista's security, not Firefox's." }-
Not entirely, otherwise he wouldn't have ranked Firefox on Windows as a harder target than IE or the others.

Eice
April 4th, 2009, 10:26 PM
-{ Quote: "Not entirely, otherwise he wouldn't have ranked Firefox on Windows as a harder target than IE or the others." }-
Whether Firefox is a harder target than IE or not appears to depend on who (http://www.findmysoft.com/news/Internet-Explorer-Hacked-Flaw-Acknowledged-NSS-Says-IE8-Safer-than-Firefox-Safari/) you ask.

What we do know is that his claim was made based on Vista's security instead of Firefox's, and that he was hacking the release candidate of IE8 instead of the final version. It's tempting to resort to blind subscription of "authority" and take words out of context, but unfortunately that doesn't always result in facts.

Dogbiscuit
April 4th, 2009, 11:17 PM
-{ Quote: "What we do know is that his claim was made based on Vista's security instead of Firefox's" }-
Not entirely, and you know he considered Firefox a harder target than IE (on Windows 7, not Vista). Both browsers were installed in their default configurations, which means Firefox was probably not running in Protected Mode. IE certainly was.

-{ Quote: "It's tempting to resort to blind subscription of "authority" and take words out of context, but unfortunately that doesn't always result in facts." }-
Please stick to the issues, if you insist on attacking. Why make this personal and accuse me of all kinds of things?

Charlie Miller's and Nils' opinions about browser security (at Pwn2Own) are based on actually having searched for and found bugs in the browser code. So I personally tend to give those guys' opinions a little more weight than people (myself included) who don't search for browser bugs.

And their opinions could be mistaken, but I think they were worth discussing.

Eice
April 4th, 2009, 11:33 PM
-{ Quote: "Not entirely, and you know he considered Firefox a harder target than IE (on Windows 7, not Vista). Both browsers were installed in their default configurations, which means Firefox was probably not running in Protected Mode. IE certainly was." }-
Just a quick correction: Firefox has no Protected Mode. While it would benefit from DEP + ASLR if globally enabled, IE enjoys some extra virtualization and integrity control features, especially when run in an admin account - which is an extra barrier to get past, even if you manage to get your exploit code up and running in the browser process space. As far as IE7/8 (with Protected Mode) and Google Chrome are concerned, a successful exploit of the browser is often limited to just that. To compromise the OS is another step.

Seeing as how almost everything discovered in the contest is being kept tightly under wraps, I guess I just like to focus on things that we do know. Before taking that one sentence at face value and turning it into a ringing endorsement of how secure Firefox is, I think it's worthwhile to inspect the "fine print", so to speak.

And of course, let's not forget that the technique used to crack non-final releases of IE had been demonstrated months ago by two other researchers. Given that, it's entirely probable that it's easier to build on someone else's work, rather than start from scratch yourself.

Dogbiscuit
April 5th, 2009, 02:26 AM
-{ Quote: "Just a quick correction: Firefox has no Protected Mode." }-
I didn't know that. ::)

FWIW, Firefox (and other browsers) can be configured to run under Vista/Windows 7's Protected Mode, hence the reference to Firefox probably not running in Protected Mode.

-{ Quote: "And of course, let's not forget that the technique used to crack non-final releases of IE had been demonstrated months ago by two other researchers. Given that, it's entirely probable that it's easier to build on someone else's work, rather than start from scratch yourself." }-
Is it possible to take exception with something, without continually being nasty and disagreeable?

Life's too short to drink cheap wine.

I'm through discussing this with you.

Eice
April 5th, 2009, 02:48 AM
-{ Quote: "I didn't know that. ::)

FWIW, Firefox (and other browsers) can be configured to run under Vista/Windows 7's Protected Mode, hence the reference to Firefox probably not running in Protected Mode." }-
Well, if you would be so kind as to show us how to extend IE's Protected Mode features to other browsers, I'm sure I'll be among the first to thank you for it.

-{ Quote: "Is it possible to take exception with something, without continually being nasty and disagreeable?

Life's too short to drink cheap wine." }-
But it looks like it's certainly long enough to take cheap shots, eh?

Mrkvonic
April 5th, 2009, 06:18 AM
Very few people have gotten onto my ignore list ... But some have.
Mrk

Arup
April 5th, 2009, 06:44 AM
-{ Quote: "Very few people have gotten onto my ignore list ... But some have.
Mrk" }-


I hope that will never include yours truly here.

Mrkvonic
April 5th, 2009, 07:51 AM
I truly doubt it ... :)
Mrk

Arup
April 5th, 2009, 09:58 AM
-{ Quote: "I truly doubt it ... :)
Mrk" }-


:thumb: :thumb: :thumb:

Dogbiscuit
April 5th, 2009, 05:43 PM
Here is a post explaining how to enable Protected Mode for Firefox (http://www.wilderssecurity.com/showpost.php?p=1044344&postcount=19). See also here (http://www.victorc.org/2008/03/internet-explorer-7-protected-mode-vs.html).

Eice
April 5th, 2009, 09:49 PM
-{ Quote: "Here is a post explaining how to enable Protected Mode for Firefox (http://www.wilderssecurity.com/showpost.php?p=1044344&postcount=19). See also here (http://www.victorc.org/2008/03/internet-explorer-7-protected-mode-vs.html)." }-
Thanks for the links.

My weekend's just over, though, so it may be a few days before I get to try them. Before I do, however, is there any way to undo these if I ever change my mind?