Internet Browsers and Security

Discussion in 'other security issues & news' started by Delgado, May 5, 2004.

Thread Status:
Not open for further replies.
  1. Delgado

    Delgado Registered Member

    Joined:
    Apr 28, 2004
    Posts:
    131
    I hear a lot of talk about Internet Explorer and security risks, but surely with all the tools available to work with Explorer, and frequent patching, this must be the most secure browser of all? How many security tools are available for Opera or Mozilla etc.? Or am I talking rubbish?

    :D :D
     
  2. dog

    dog Guest

    Hi delgado, :)

    I'm far from an expert ... but I believe most of the security issues re. IE involve ... system rights ...being a part of the OS and having the same system rights is where the problem all begins.

    Other browsers aren't trusted apps and don't have the same rights IE does. I've just switched to FireFox which is a great browser ... at least the one I preferred over the others. I know this isn't a complete answer but at least it's a start. :)

    HTH, ;)

    dog - *puppy*

    I'm not that technical, so experts correct me if I'm wrong. ;)
     
    Last edited by a moderator: May 5, 2004
  3. sig

    sig Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    716
    Well here's one article from spywareinfoforum.com on the subject of browser hijacking and IE. One of the issues with IE is that it is integrated into the OS, unlike third-party browsers like the Mozillas and Opera. http://www.spywareinfoforum.com/articles/hijacked/prevent.php

    Currently IE in default install mode is insecure....ActiveX and scripting are enabled. This can allow not only browser hijacks and spyware to install themselves to a PC without the user's knowledge but also other forms of malware as well. If you look at all the threads here from people seeking help removing spyware, it's probably a safe bet that perhaps 99% if not more of those folks are surfing the web with IE's default settings. (Spyware can also be downloaded with a number of "free" programs also, but "drive by" browser hijackings and spyware installations as people web surf are exclusively accomplished by taking advantage of IE's lax default security, aka features like ActiveX and scripting.)

    This is in addition to the various IE vulnerabilities for which MS has issued patches and others either yet to be discovered or just not actively exploited. There are documented potential IE vulnerabilities that MS has not yet patched.

    I like IE and use it often. Although I have it fairly tightened up and also use Proxomitron with JD5000's configuration filter set, I certainly wouldn't claim that IE is the most secure browser. (And although I never had any problems with spyware I still installed SpywareBlaster and SpywareGuard as insurance. ;) )

    Reportedly XP SP2 will include improved security for IE 6. But it's not yet clear (as far as I know anyway) that these security improvements for IE 6 also will be provided as an IE update for those not using XP.
     
  4. TheSnowGuy

    TheSnowGuy Guest

    Although a user of IE...I would hardly consider it secure. Still exploitable.
    At the moment I personally am having a rather serious issue....the last M$ patch was not compatible with Sun java on my system......have not heard of anyone else reporting this issue so have sought out the answer on my own.....to date I am unable to use sun java....the system freezes.
    Have also noticed that even at this late date not everyone knows how to secure IE properly...those "drive by downloads" SIG mentions are avoidable but yet happen over and over. But that's a people issue.
    In my case I purposely use an older version of IE......some say that's a risk but I find no issue with it as yet...plus it's smaller, lighter...which lends nothing to making it more secure. I suppose the best I can say is that I have "slowed" down the in-security by use of other programs. For the reasons already mentioned by Dog and Sig....it does not seem likely that IE can ever be totally secure.....I wish it could be..then I could drop the other programs and regain disc space...LOL
     
  5. sig

    sig Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    716
    Hmn....just saw dvk's post in the TDS forum discussing CoolWebSearch. Apparently the latest versions can get on a system even if the user is surfing with a third-party browser:

    This interesting discussion is at
    https://www.wilderssecurity.com/showthread.php?t=30811

    Again, components of IE are active even if you use another browser since IE is incorporated into the OS. Which is why MS advises people who don't use IE to still keep IE updated with all the patches since it is still on their system.
     
    Last edited: May 5, 2004
  6. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Better yet, ensure that Java, Javascript and ActiveX are disabled by default either using a web filter (like WebWasher or Proxomitron) or a firewall with filtering capabilities (like Outpost or Kerio). Web traffic is as capable of messing up a system as an email-borne virus and should be limited accordingly - only enable active content for sites you trust.

    To get a better idea of browser security, check the list of exploits found for them - Internet Explorer 6 (49), Opera 7 (20) and Firefox (0).
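
An added example, not part of any post in this thread: one way to check whether the active content discussed above (ActiveX, scripting, Java) is still enabled for IE's Internet zone, by auditing a regedit export of the zone settings. The registry path and URL action IDs are not from the thread, and the export text is a constructed sample.

```python
import re

# Internet Explorer URL action IDs stored per security zone in the registry.
ACTIONS = {
    "1001": "Download signed ActiveX controls",
    "1004": "Download unsigned ActiveX controls",
    "1200": "Run ActiveX controls and plug-ins",
    "1400": "Active scripting",
    "1C00": "Java permissions",
}
POLICY = {0: "enabled", 1: "prompt", 3: "disabled"}
SECTION = re.compile(r"^\[.*\\Internet Settings\\Zones\\(\d)\]$", re.I)
VALUE = re.compile(r'^"([0-9A-Fa-f]{4})"=dword:([0-9A-Fa-f]{8})$')

# Constructed sample of a regedit export (zone 2 = Trusted sites, 3 = Internet).
SAMPLE = r'''
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"1200"=dword:00000000
"1400"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1001"=dword:00000001
"1004"=dword:00000003
"1200"=dword:00000000
"1400"=dword:00000000
"1C00"=dword:00010000
'''

def audit(reg_text, zone="3"):
    """Return {setting: state} for active content not disabled in `zone`."""
    findings, current = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            m = SECTION.match(line)
            current = m.group(1) if m else None
            continue
        m = VALUE.match(line)
        if not m or current != zone or m.group(1).upper() not in ACTIONS:
            continue
        action, data = m.group(1).upper(), int(m.group(2), 16)
        if action == "1C00":  # 0 disables Java; other values are safety levels
            state = "disabled" if data == 0 else "enabled"
        else:
            state = POLICY.get(data, "unknown")
        if state != "disabled":
            findings[ACTIONS[action]] = state
    return findings
```

Calling `audit(SAMPLE)` reports the Internet zone; `audit(SAMPLE, "2")` reports the Trusted sites zone, where enabled active content matches the "only for sites you trust" approach.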
     
  7. dog

    dog Guest

    Yikes! :eek: even 3rd party browsers are vulnerable ... :( ... I guess this madness will never stop ... Sig - Good advice re: patches ... It should be standard practice for everybody ... but for some unknown reason it is not! :doubt: and just to add ... but this should also be standard ... keep all Security Apps updated ... and it helps to stay current with latest goin' ons here at Wilders :ninja: or not ;) .

    BTW: Paranoid ... great links re: the known exploits of those browsers. ;)

    dog - *puppy*
     
    Last edited by a moderator: May 5, 2004
  8. peakaboo

    peakaboo Registered Member

    Joined:
    Oct 20, 2002
    Posts:
    377
    quick peak from aboo...

    good info from Paranoid re: http filters.

    so nobody leaves this thread with the wrong impression, the data re: Opera would be more accurate if shown for Opera 7.23 the latest stable browser version.

    If this is done I think the only known vulnerability is the File Download Extension Spoofing: http://secunia.com/internet_explorer_file_download_spoof/

    minor issue as long as you don't select open file also proxo can be used with filter written by Mizz Mona to more clearly id this exploit as shown in post #38 https://www.wilderssecurity.com/showthread.php?t=11975&page=2

    current beta is Opera 7.5 and I'm sure they will close this minor issue.

    as for firefox, here is where u can find a list of vulns for it:

    http://www.securityfocus.com/bid/vendor/ type in mozilla for the vendor:

    1st one I found for firefox 0.8 is: http://www.securityfocus.com/bid/9747

    the '04 list was pretty long and you have to ferret out the issues specific to firefox 0.8 by going to each vuln and viewing whether it is applicable.

    -----

    bottom line: my view - either Opera or Firefox is better security wise than IE
     
  9. slammer_JvA

    slammer_JvA Registered Member

    Joined:
    Feb 23, 2004
    Posts:
    1,588
    Location:
    Below sea-level. Safe and sound behind our dikes:
    Very useful thread you started here Delgado!

    And many thanks to all who replied so far.
    @ sig: great feedback! I was especially interested in the use of IE with proxomitron; you provided me with yet another great site (JD5000!), thanks!

    For more reading: I started a similar thread/question here:
    https://www.wilderssecurity.com/showthread.php?p=172145#post172145

    (@ mods: Perhaps the two threads can be merged in some way?)

    Regards,
    Slammer
     
  10. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Peakaboo,

    Good point - most of the known exploits will have been fixed, which my post did not make clear. However the number of past exploits can be an indication of how securely designed a product was (and therefore how many more vulnerabilities are likely to crop up in the future). I was rather surprised at the number of Opera but then it's good to see that IE isn't getting all the attention and that Opera are on the ball with the fixes....

    However, checking out the list of eEye's Upcoming Security Advisories can be quite revealing also. MS have one that has not been fixed for over 200 days - nevertheless this is an improvement from when this article was written.
     