Why use browsers which lag one or more release cicles?

Discussion in 'other software & services' started by Windows_Security, Dec 28, 2015.

  1. Sordid

    Sordid Registered Member

    Joined:
    Oct 25, 2011
    Posts:
    235

    Just look at the release dates and notes versus the CVE dates. So even if Comodo base version Chromium 45 contained modern corrections (they don't)--it lagged days over Chrome.
    Dec1-25 http://www.cvedetails.com/vulnerabi...product_id-15031/year-2015/Google-Chrome.html
    Dec8 http://googlechromereleases.blogspot.com/2015/12/stable-channel-update_8.html
    Dec15 http://googlechromereleases.blogspot.com/2015/12/stable-channel-update_15.html
    Dec18 http://download.cnet.com/Comodo-Chromodo/3000-2356_4-76386288.html (latest version)

    Chromodo previous version 45.7.11.387 on Nov26

    Now do the math.

    Chrome has tons of devs and paid bug bounty--very active. They add fuzzing modules (SyzyASAN) to Chrome Developer releases (currently v.49 based). There is no need for Comodo to add more peeps to the pile granted all the owrk is already done for them and for free and hence the decision to use Chromium open-source. Now if they/Comodo/etc do find bugs but don't report them back to the mothership, all licensing and legal obligation aside, that is in bad form and to me enough reason not to use them; the choice is yours.

    As to the rest of it eg talk about how exploits are rare and blackhats use SE and trojans---pure hogwash. Rolling updates is not a silver bullet but a basic tenant for Comp sec. Security updates remove vulns. People are essentially backing up their POOR decision making via hyperbole. As to security/feature updates introducing new bugs, the time to exploit gets reset and hackers must restart. Why one UPDATES!
     
  2. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,267
    Location:
    Southern Rocky Mountains USA
    I'm using and outdated browser on an outdated OS(Opera 12 & XP) to post on Wilders and for forums in general. The Xp installation is from around 2009 and has been used and cloned onto several systems and VMs. Never once has either the OS or the browser been exploited. Hardly hyperbole. All the time both Opera and Xp have been used, there have been vulnerabilities. There are always going to be vulnerabilities no matter what OS or browser you use.

    Rather than a basic tenet of computer security, rolling updates a more often than not just quick fixes for the most blatant vulnerabilities in a product that was poorly designed and coded in the first place but, nevertheless, became widely used and distributed. Flash is a glaring example of this.

    As I previously stated, it is much more efficient and effective to deal with vulnerabilities and exploits in general and implement security measures that deal with them as a class than to continually patch existing vulnerabilities.
     
  3. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    Well, security updates only remove KNOWN vulns. So if the system doesn't have the proper mitigations in place, it's possible to exploit the system even if it's fully up-to-date.

    I'd say hackers don't need to "restart" with every update. In fact, blachats are one step ahead for the majority of time. We might have a serious vulnerability in Linux or even OpenBSD that is not known yet but is here for decades. A few very smart blackhats could know about them and could be exploiting it on a daily basis. It's possible.

    Even if COMODO/AOL don't patch their browsers regularly, it is possible to secure them. They're not "Vanilla" anyway, they advertise these browsers as "having multiple security enhancements". I don't know.
     
  4. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Why not?

    I still use Opera 12 because its features that I like are not replicated in any other browser.

    I have hopes for Vivaldi, but it has a long way to go...

    About vulnerabilities: well, a quick check of the CVE database reveals that Opera has been neglected as of late:

    https://www.cvedetails.com/vendor/1961/Opera.html

    And no Opera vulnerabilities are used in the current Exploit Kits (that I've been able to find, anyway).

    If you are a cybercriminal, why fool with exploiting Opera, which has such a small user base, when exploiting the plug-ins is so much easier and successful, and not browser- dependent?

    ----
    rich
     
    Last edited: Dec 31, 2015
  5. @Rmus

    Rich, as an IT veteran, why not consider Lynx, it has an even lower number of users as Opera 12 and does not even know about plug-in problems

    In the two years I used Lynx I never had a problem with exploits. Like many other, I was taken away by the interface of Mosaic which changed everything ;)

    Regards Kees
     
  6. Sordid

    Sordid Registered Member

    Joined:
    Oct 25, 2011
    Posts:
    235
    "Never once has either the OS or the browser been exploited. Hardly hyperbole. All the time both Opera and Xp have been used, there have been vulnerabilities. There are always going to be vulnerabilities no matter what OS or browser you use."

    Are you saying XP and Opera have never been exploited or is this jsut your personal experience. This is what we call "anecdotal evidence" and hasty generalizations, both fallacious reasoning. And yes, likewise there will be car accidents that seat belts and air bags would not have aided--but we still use them. Furthermore, obscurity is not security else I could just retort in every post in this entire forum with the troll answer: "get a Mac."

    "Flash is a glaring example of this."

    "And no Opera vulnerabilities are used in the current Exploit Kits (that I've been able to find, anyway)."

    If you visit Xylotol or Kafeines malware research sites for 2015, all EKs were flash based. Okay, I am going to remove flash and suggest we close this site; I have solved the malware problem...everyone go home. Sounds silly, right, because it is silly. Yes, likelihoods matter, but not all wild malware is known, kitted, or continuously reported about. This is preboxed malware for hire and does not reflect the full malware environment. "Get a Mac~~/"

    "If you are a cybercriminal, why fool with exploiting Opera"

    Because I will check your browser/plugins then redirect you to a site which contains Opera/PI based exploits, even use CVE-2013s. These can be recycled and cost very little money; what's Blackhole or Infinity run these days....free? This is why you very seldom see Opera or ancient IE exploits being mentioned. There are no new exploits because you never updated and removed the oldk nown ones! Same deal with Safari. Like taking candy from a baby.

    "I'd say hackers don't need to "restart" with every update. "

    It was suggested that one should not update because it simply creates NEW bugs while fixing old known vulns. This typically is untrue and regardless does indeed "restart" vuln seeking versus the NEW bugs. Otherwise, you are talking about something I am not (old unknown vulns). Please re-read.


    So why do people use outdated/trailing gear: they find value in it despite the possible security shortcomings. Why people use deprecated XP etc.

    Oh, and get an Apple IIc...use IE6....LYNX...something, something market share.
     
  7. ChrisFerro3

    ChrisFerro3 Registered Member

    Joined:
    Nov 15, 2015
    Posts:
    45
    I'm fiddling around using Firefox Version 30, I disabled the automatic updates and it runs very well even though its old, its faster then the new versions available.
     
  8. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,267
    Location:
    Southern Rocky Mountains USA
    The process of coding is imperfect and performed by human beings who are even less perfect so any new code is likely to have flaws and vulnerabilities and it is going to take time to discover them. There are coding practices that result in tighter code but they aren't always followed and sloppily coded products often become very successful. Flash and Skype are both good examples of this. One aspect of the current culture of rushing out updates and releases is that the code is not very well tested and the possibility of undiscovered bugs is high.

    You might try the ESR releases of Firefox. They get security fixes for an extended period of time. The current ESR version is 38 ESR.
     
  9. ChrisFerro3

    ChrisFerro3 Registered Member

    Joined:
    Nov 15, 2015
    Posts:
    45
    Ah, I can look at the ESR version, I thought it was amazing that one user here still runs opera 12 with no problems.
     
  10. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,267
    Location:
    Southern Rocky Mountains USA
    Way more than one user and not without some problems but most sites still work. It is still great for forums and works with most forum software. The old Opera inspired a lot of devotion and most of us long time users haven't found anything as good in this modern era of dumbed down browsers for dumbed down OSes.
     
  11. The Red Moon

    The Red Moon Registered Member

    Joined:
    May 17, 2012
    Posts:
    4,101
    I use an outdated flash player on linux within an un-sandboxed browser.(pale moon.)and i have never come across any exploit of any kind.Works just fine and i suspect the people who are being exploited are the click-happy daredevil type of web user.

    All this nonsense that security companies try to feed us with an ever growing malware threat and thousands of trojans just waiting to attack us as soon as we log on is quite absurd.

    There is a reason eugene kaspersky is a millionaire and the rest of us are not...feeding off our irrational fear of every imaginable malware in existence.
    Exploits and vulnerabilities fit into this category quite nicely.

    Take chrome for example,When chrome is attacked in this debacle of a pwn2own contest,i find it interesting that the source of these exploits is never available for the public to view so why would we assume we would come across it in the wild.?..I mean really what are the odds of coming across a pwn2own and vupen etc created exploit..Slim to say the least.

    Paying thousands of dollars/pounds for someone to exploit chrome i find ridiculous plus it just creates a financially fuelled frenzy to crack the browser with an exploit ,which incidentally only the cracker will know how it works,so why would we the general home user be bothered about this..?
     
  12. Infected

    Infected Registered Member

    Joined:
    Feb 9, 2015
    Posts:
    1,134
    Exactly. So much panic and paranoia is unreal. I have never been hit by an exploit or virus, unintentionally, in over 10 years.
     
  13. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    163,081
    Location:
    Texas
    There is no need to panic. Being aware of what is going on is always good.
     
  14. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    10,239
    Location:
    Lloegyr
    Yes, quite absurd, but highly profitable for them! ;)
     
  15. The Red Moon

    The Red Moon Registered Member

    Joined:
    May 17, 2012
    Posts:
    4,101
    yes indeed.
    Kaspersky and other security company leaders love the paranoia.:)
     
  16. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    My answer is... MalwareBytes Anti-Exploit PRO.
     
  17. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Hello Kees!

    Lynx is a text browser - not of much use to me.

    Regarding browser exploits: Using Opera since v3.1, I have never had a security alert during normal web activity.

    Also, I tested web-based exploits for more than 10 years and never found one to work when using Opera. I followed the malware domain lists, kept an eye on isc.sans.edu daily Diaries - they usually were the first to report exploits.

    One type of exploit I could never test was Malvertising. Whenever I would learn of a compromised site, by the time I went to it, the malicious Advertisement had been removed.

    Malvertising sounds scary, however it is just a fancy type of redirection. Redirection exploits have been around for many years. Malvertising is actually easier to protect against for those who use some type of ad-blocking.

    Redirection is not an exploit (taking advantage of a vulnerability) against a browser's code. All browsers redirect, unless told not to by the user.

    Here is an old exploit which illustrates redirection.

    The site was a legitimate e-card site which was compromised by inserting "refresh" code into the page to initiate the redirection:

    mypics-code.gif

    The malware site was coded to resemble an advertising site. Code initiated an attempt to download an executable:

    mypics-block.gif


    Regarding browser (or any type of) security: people have their own level of comfort and risk assessment. Some people have bars on their windows at home, others do not. Just look at the different types of products evidenced by Wilders members. We all make our own decisions and speak only for ourselves.

    .........

    I notice it's less than two hours until the end of this year where you are.

    Happy New Year, Kees!

    ----
    rich
     
  18. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    10,239
    Location:
    Lloegyr
    Well, they did start most of it lol.
     
  19. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    10,239
    Location:
    Lloegyr
    My answer is ... Ubuntu.
     
  20. Infected

    Infected Registered Member

    Joined:
    Feb 9, 2015
    Posts:
    1,134
    No need for Linux...:isay::isay:
     
  21. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,267
    Location:
    Southern Rocky Mountains USA
    This is pretty much my experience with Opera. I can't even remember the first version I used but it was around 2002. The reason I started using it was that it was light and much more secure than IE and wasn't married to the OS so even if it was compromised, the damage it could do was limited. At the time, there weren't that many alternatives to IE in Windows. Netscape was dated and Firefox had yet to come out.
     
  22. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    10,239
    Location:
    Lloegyr
    Well, it is one solution, sort of.
     
  23. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,064
    Location:
    Canada
    @Rmus,

    have you analyzed the Angler exploit yet? It's capable of "fileless infection", a method discussed in these forms before, where it can bypass AV and HIPS, such as Faronics, by writing a payload to memory first before writing anything to disk:

    A few quotes from the individual who analyzed it:

    It looks to be quite a powerful form of malware. One thing I gather from it and some other latest exploits I've read about, one just has to steer clear of IE and Flash to significantly increase their odds of avoiding these drive-bys.
     
  24. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    No, I don't analyze the Exploit Kits -- I leave that to those with the tools and expertise. Although, I do check from time to time to see which exploits are served up by the various Kits.

    My interest in the exploits is at the perimeter of the security defense -- how can they be prevented from intruding into the operating system -- rather than what they do if an intrusion is successful.
    I think those are from Kaffeine, the French malware researcher. I recall that he was one of the first to analyze the infection steps of fileless malware.
    Probably so... the vulnerabilities exploited seem to be those in the plug-ins used by the other browsers.

    ----
    rich
     
  25. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,064
    Location:
    Canada
    Probably the most sensible strategy toward malware prevention :thumb:

    Right, I think he's the researcher.

    I was just curious on your take of this exploit because I see Faronics anti-executable come into play in many of the examples you've posted here at Wilders. With this one bypassing it in Kaffeine's analysis, I was wondering how this exploit would be prevented with your security approach (fwiw, I have no doubt it would be stopped by your setup). My guess is you've got some sort of script control at play in your browser? Also, in an effort to demonstrate I'm trying to stay on topic in this thread, it's these type security approaches that should, at least theoretically, mitigate, if not completely negate, any holes a browser behind a release cycle or two might introduce into the equation.
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.