How significant is spyware?

Discussion in 'other anti-malware software' started by bellgamin, Mar 16, 2008.

Thread Status:
Not open for further replies.
  1. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    True, but finding a specific open port does not guarantee that the "correct" service matching it will be listening... so it's a bit different but you are right nonetheless.
    I have never endorsed disabling JavaScript outright... I simply invoke the idea that having dynamic controls on a per site, per script basis is far better given the inherent risk.

    Besides I clean a lot of infected systems... They must be getting nailed somehow? Preventing it is better than cleaning up the damage wouldn't you agree?
     
  2. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Fair enough. But speaking strictly as an ex-Firefox user, from my own personal opinion - the only thing that Firefox does better than Opera is MARKETING. :D

    You don't need NoScript to stop those zero-day vulnerabilities, for one. The Secunia records speak for themselves. But I digress.
     
  3. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    I'd guess this is a matter of how each one of us wants to spend his/her free time :D ;)
    I consider Flash as a general annoyance and I only load interactive content on-demand.
    With NS you could identify the script loading the junk and disable that specific script while allowing the rest. Much more flexible, IMO.
     
  4. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    bellgamin,

    XSS is nothing but Javascript. It's just the name of a Javascript-based exploit, like how MS0614 is nothing but plain old Javascript as well. If you turn off Javascript, then it cannot touch you. In fact, that's exactly what NoScript does for you.

    I remember using K-Meleon once when I eventually got fed-up with the Firefox memory leak. An amazingly light and fast browser, if a bit rough around the edges.
     
  5. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Surely, Mozilla knows a thing or two about marketing. Besides all these, there's the philosophical question of being an Open Source app.
    Right. But, for me, it's better to stop them right before execution. I don't want to give the bad guys even one chance of bypassing a layer (here we go again with layering :rolleyes: :D :D)
    AFAIK, there's no Firefox vulnerability being actively exploited. I could be wrong, though.
    And every Opera build includes a fair amount of security fixes. You know, there are lies, damned lies and statistics :D ;)
    FF3 fixes a good amount of memory leaks (which I never experienced myself, go figure) and changes some memory management algorithms which some people call memory leaks.
     
  6. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Easily done as well, two keystrokes.

    A theoretical advantage on paper doesn't always translate to a practical one in real life.
     
  7. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Very true (see second quote on sig). But I've used this theoretical advantage enough times that it became practical to me. I'd guess that with different browsing patterns, it may be useless or too cumbersome. As always, YMMV :)
     
  8. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Stop what? Opera doesn't have those vulnerabilities.

    Sure, we don't see them, but they must be there. It can't be possible that Opera actually has less vulnerabilities and needs to release fixes less frequently than Firefox.

    Some people call it (slowdowns, memory-hogging) a feature. Hey, whatever floats your boat. Anyway, I opted for the already-present fix years ago instead of suffering through it until v3 is released at some distant point in the future.
     
  9. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Some plug-in may introduce a vulnerability sometime. But Opera has the (security) advantage of less plug-in support than Firefox (example: no official support of a current WMP release IIRC).
    JS is a complex, daily evolving language. It wouldn't be reasonable to expect a bug-free JS parsing engine.
    But I (partially) agree, at this moment, Opera might be considered more secure "out of the box" regarding patched/unpatched vulnerabilities and I guess that it has a speedier response time than Firefox (maybe)
    Every Opera changelog quotes JS and other security fixes. Opera (and Firefox AFAIK) have stayed a step ahead of the bad guys. How much will this last? I don't know (the same question is applicable to Linux and other "secure software")
    Poorly-coded/broken add-ons have been proved to be a cause of memory leaks. The caching algorithms may be considered somewhat obsolete (they're completely changed in v3). The single-threaded, JS-based UI may be prone to some slowdowns (fixed in v3)
    Firefox is guilty of not following standard NT memory management, but the leaking/hogging issues have been overhyped (IMO)
    The release of FF3 is somewhat close, it's entering RC stage.
     
    Last edited: Mar 21, 2008
  10. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    Then help me to understand what THIS site says about XSS. Unless I misunderstand (which is likely) the following statement on that website SEEMS to indicate that XSS can ensue from more than only JS...
    P.S. I'm back to K-mel. If all you guys have the cojones to run around buck naked, then I can at least strip down to a loincloth. Umm... K-mel's F7 is my *loincloth* (F7 JS-off; F7 JS-on).
     
  11. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Every scripting language can be a target of XSS. Actually, it's a non-threat, but it may become prevalent in the not-too-distant future.
    Some discussion of XSS and countermeasures here and here
    XSS-related blog entries :)
     
  12. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    Interesting links, but they are pretty much over my head.

    Make it simple for my pea-brain, please. Namely, tell me -- Is the following statement (T)rue or (F)alse?
    XSS is nothing but Javascript. It's just the name of a Javascript-based exploit.
     
  13. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    False, you can do XSS through Flash. The key to the understanding of XSS is that its goal isn't the placing of a malicious executable in your local filesystem. Forget about remote code execution, HIPS prompts and the like.
    The main goal of XSS is identity theft at the stealthiest level. Browse a trusted site, execute a script without domain boundaries and done. Credentials stolen.
     
    Last edited: Mar 21, 2008
  14. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    XSS attacks can only ensue from Javascript - at least, the demonstrated attack methods so far. I'm afraid that website was rather sensationalist in nature. Those tags he listed were the WAYS that Javascript can be embedded into other media. <SCRIPT>, for example, tells the browser to parse this section of HTML as Javascript. <OBJECT> and <EMBED> bury elements into a website that are controlled using, again, Javascript. And so on and so forth. Javascript programming 101, really.

    The thing about Javascript is that despite the small size of its applets and relative simplicity to write, it's surprisingly powerful and can be inserted into a variety of objects - even image files. But at the end of the day, whatever form or format they're embedded into, they're still Javascript applets. That's all there is to it.

    Lucas, you're usually quite the rational person, so this does make me roll my eyes a bit. Would you like to explain how your credentials will be stolen if you don't actually TYPE them out into the compromised webpage?
     
  15. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    That makes me proud of myself :)
    I've read that you can read cookies and other elements of the browser's cache with XSS. I'll have to do a bit of research. I think that the thread with the ZoneLabs example mentions this.

    EDIT:
    Found some references
     
  16. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    That'd be a new one.

    Awaiting your findings.
     
  17. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    See the edit above :)
     
  18. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    At first glance, it looks like the whole attack hinges on the victim possessing some form of automatic password filling at the exact site the attacker wants to exploit.

    If that's the case, then I guess it really doesn't concern me.
     
  19. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Yes, you click a link, which points to a compromised version of a trusted site and then it steals the data inside the session cookie.
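
The session-cookie exposure discussed in the posts above, seen from the site operator's side, as an added example that is not from the thread or from any poster: it contrasts a page that reflects a request parameter raw with one that HTML-encodes it, and a session cookie set with and without `HttpOnly`. The function names, the `sid` cookie and the probe string are constructed for illustration, and `scriptVisibleCookies` is only a model of what `document.cookie` exposes to page script.

```javascript
// Added example: constructed inputs and hypothetical helper names throughout.

// Encode the characters that let text break out of HTML content or a quoted attribute.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Reflect a request parameter into a page. `safe: false` is the vulnerable form:
// whatever markup the link carried becomes part of the trusted site's own page.
function renderResults(query, { safe }) {
  const value = safe ? escapeHtml(query) : query;
  return `<p>Results for ${value}</p>`;
}

// Build the Set-Cookie header for a session id, with or without HttpOnly.
function sessionCookie(id, { httpOnly }) {
  const attrs = [`sid=${encodeURIComponent(id)}`, 'Path=/', 'Secure', 'SameSite=Lax'];
  if (httpOnly) attrs.push('HttpOnly');
  return attrs.join('; ');
}

// Model of document.cookie: page script sees only cookies NOT marked HttpOnly.
function scriptVisibleCookies(setCookieHeaders) {
  return setCookieHeaders
    .filter((h) => !h.split(';').slice(1).some((a) => a.trim().toLowerCase() === 'httponly'))
    .map((h) => h.split(';')[0].trim());
}

const probe = '<script>probe()</script>'; // constructed, inert marker string

console.log(renderResults(probe, { safe: false })); // markup survives: script would run
console.log(renderResults(probe, { safe: true }));  // rendered as text, never parsed as a tag
console.log(scriptVisibleCookies([sessionCookie('abc123', { httpOnly: false })]));
console.log(scriptVisibleCookies([sessionCookie('abc123', { httpOnly: true })]));
```

Output encoding removes the injection point; `HttpOnly` limits what an injected script could read if one is missed, which is why sites apply both.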
     
  20. Huupi

    Huupi Registered Member

    Joined:
    Sep 2, 2006
    Posts:
    2,024
    Hey Lucas, I agree with Solcroft that as young as you are your knowledge is quite impressive !! :D ;)
     