FireFox is making up ground

Because Noscript updates through FF, it can update through owner/ maker creator

Sorry TLU

 

I agree Tlu. You no know what talking or confuse issue. Firefox can no write C:\Program Files if use in limited user. May be Tlu and me mis understand what you say. I not sure. But Firefox run with limited right (as limited user) cannot write to C:\Program Files. Clear?

 

Okay,

I went to a very old ...... snapshot and installed mozilla suite again. Added old version of Noscript. Did monitor what was installed. When using Noscript it did not install its XPCOM components in the user profile, but installation directory. But this was not the cause of Firefox, but due to seamonkey limitation.

Install of just Firefox and old Noscript, did install the XPCOM components of Noscript in the user profile.

So I asked myself does my memory serve me so wrong? What am I missing? So I did some testing and found out that I missed an improvement of Firefox.

Bottem line:
- my example is wrong, as I could check for myself (I luckily have the knowledge to do so, thanks Thomas )
- this third party/add-on back door did exist, and was closed with FF 3.6 , called the component lockdown feature (see https://developer.mozilla.org/en/Migrating_raw_components_to_add-ons )

So indeed FireFox is making up ground: (corrected roundup)

- Cross site scripting protection ( implemented in 3.6 )

- Sandboxing plug-ins called Electrolyses (or out of process plugins as it is called at dev board of mozziila), to be implemented soon so plug-ins like Adobe reader, Flash etc become safer. Out of process implementation (not sandboxing) is scheduled in new beta 3.6.4

- FF offers several ways of writing plug-ins/extentions which all partly (thanks Thomas, @mods I cannot edit first post anymore) are installed in the admin space. With directory lockdown implemented in 3.6 this back door is closed

- Correct Mime type sniffing and enforcing. The devs of FF luckily have made a 180, until this is implemented in 3.6 https://developer-stage.mozilla.org/en/Incorrect_MIME_Type_for_CSS_Files I advise FF users to allways use Addblock

- Sandboxing of third party code not likely to happen in FF 4 see https://www.wilderssecurity.com/showpost.php?p=1676171&postcount=4


Regards Kees

 

Clear? To me yes see

The fact that you did not see it, does not imply that it does not exist as clearly () mentioned in the development center URL, I provided in the previous post. To undertsand why it is considered a security risk see this bug report https://bugzilla.mozilla.org/show_bug.cgi?id=519357. ) another argument should be that Mozilla mentioned this feature in their security blog http://blog.mozilla.com/security/2009/11/16/component-directory-lockdown-new-in-firefox-3-6/ funny to see a "stability" improvement announced in the security blog )

I hope you are familiar with owner/creator NTFS permission rights, this could cause updates in the components directory even when running LUA.


Mhh you thought to join in on a fan boy bashing frenzy, now the 'victim' counters back (only with facts, no disqualifying of the poster, when I am wrong I stand corrected)

 

Ahhh,

I could not understand why I associated Noscript with dubious updates. After some searching I found it again, see http://www.neowin.net/news/war-between-adblock-plus-and-noscript-money-on-the-table

I think Noscript author either used -install-global-extentions command or used the raw component XPI drop.

Regards Kees

 

You pride man. That ok. You wrong and admit. Firefox never able write C:\Program Files when run user limited. Owner/creator not here since cant write C:\Program Files. User limited no chance to own/create path in C:\Program Files. Then you talk on SeaMonkey or Suite. As I say you confuse issue. But that ok. Now you know.

 

so how secure is firefox when used with adblock plus, flash killer (applied when flash annoyances pop up), flashblock, keyscrambler, noscript, prevx's safeonline (free version) + online armor free for firewall? (+ sandboxie when concerned)

with that setup, what dangers should i watch out for? what browser + plugins combo would be safer without signicant performance hit?

fwiw, i login to windows as an admin user, but the "Administrator" admin account also exists, and i think the guest account may be enabled (or at least I enabled whatever xp pro required to enable folder sharing between computers on my home network). i briefly tried DropMyRights and SuRun, but found them to be a hassle (would learn to use them if I were convinced that they were needed).

 

Make sure the build in admin account has a password. With the security line up you are using it does not matter which browser you use. SO it is up to your preferences really