Why use browsers which lag one or more release cycles?

Discussion in 'other software & services' started by Windows_Security, Dec 28, 2015.

  1. Sordid

    Sordid Registered Member

    Joined:
    Oct 25, 2011
    Posts:
    235
    Exactly. EXACTLY! And thus my usage of "reset" TIME! (discovery). Remember, the universal versions you're randomly not updating may contain the same weak sauce rushed patches you condemn. Or ya rolling flash/chrome/v.1? If you don't use such soft such as the aforementioned, or relevant to the thread topic, Chromium-laggards, then your info does not really even fully apply. You use FoxESR. ESR is sec-patched. You're not trail-lagging, but you also missed the relevant bus. Windows_Security's point IMO was NOT bigger release numbers are more secure; otherwise, he'd be recommending Chrome Dev release over stable which he is clearly not.

    Time-based game matrix. You either 1. don't/can't update chromodo/aol/flash/skype/sonic2/etc and sit with a KNOWN public vulnerability OR 2. update/etc, and this may introduce another vuln; in either case, as YOU JUST stated yourself, the latter RESETS the time black/whitehats have in order to analyse the NEW code-base while still having corrected the first vuln (unless hackers are clairvoyant). So logically, initially sit with one potential unknown/unresearched vuln or don't update and sit with TWO potentials with one of them being a KNOWN public vuln, your pick.

    Only one circumstance makes sec-updating a partial loss: if the ~new~ patch opens ~new~ bugs that are more easily/actively exploited versus the OLD vulns the patches corrected.

    On this premise, amarildojr is correct as implied. ~Most exploits are based on the old time-lagged code vulnerabilities, not the fresh patch.~ And a reason within itself as to why we update. Time-to-attack versus remediation.

    & are we seriously arguing about updating on a sec forum, dunno?

    I think the point of this thread got lost a minute ago.

    which IMO is...

    A Kees PSA.

    Stop using Chromium/"trailing software" clones unless you realise the security gap/lag versus the added value they may claim to provide. Moreover, often you can just extract the valuable 'proprietary' extensions from the cloned browser IF you even trust the code which is partially mitigated by Chromium tech yet still a problem in itself (how many eyes?). However, many of these extensions/functions are at the chromestore (more eyes), are already native :flag tweaks (many eyes), or stable code settings (tons of eyes).

    & Deprecated XP/Opera etc are not trailing softs. They're DEAD, Jim. They're not edgy or cool vintage like top-siders nor vinyl....just fodder for cheap legacy malware.
     
  2. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    This is a bit off topic, so I'll just briefly say that if the exploit is to be persistent, it eventually writes to disk. I believe Kaffeine noted that the anti-executable caught the 3rd stage. If one is concerned about fileless, some type of anti-exploit product is necessary. One of Kaffeine's clients is Malwarebytes, and he said that their product blocked the first stage of the Angler Kit fileless exploit.

    You can PM me if you want further information.

    Eleven or more years ago when the White Listing concept started to emerge (it soon became a rather argumentative topic) one company, SecureWave, noted,
    One organization whose System Administrator I knew had Group Policies set up which blocked any unauthorized code that would attempt to intrude via a browser or plug-in exploit.

    While keeping the latest versions of the Browser and related software is just good policy for these companies, the Administrators I knew weren't concerned about any time lag between the updates because of the protections they had over their networks.

    ----
    rich
     
  3. Happy new year to everyone, thx for the interesting posts and discussions :thumb:
     
  4. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,267
    Location:
    Southern Rocky Mountains USA

    Hardly dead when I'm using both to post on Wilders with no security issues after years of use. XP and Opera Presto are cool, especially Opera which has never had any malware I'm aware of, legacy or otherwise.
     
  5. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,065
    XP on the other hand wasn't really secure even when it was supported and now has more holes than Swiss cheese and those will never be fixed. I always liked the old version of Opera and still miss some of the features but I prefer to use software that is still supported and developed.
     
  6. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,885
    Location:
    Slovenia, EU
    When XP support ended I expected there would be a lot of exploits released that would target that platform. After almost two years I still wait for news about mass exploitation of XP users. Did anybody hear about exploits targeting and exploiting let's say thousands of XP users?
     
  7. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Hello Minimalist,

    I haven't heard, even though there was a lot of Press warning of such. One example:

    Are cybercriminals looking to reap the rewards the day Microsoft stops patching Windows XP?
    August 27, 2013
    http://www.zdnet.com/article/hackers-cash-in-on-windows-xp-retirement-exploit-kit-prices-to-surge/
    Note the "wiggle room" language: "Perhaps" and "Although..."

    One answer as to why a surge of exploits didn't follow:

    Exploit Kits: Cybercrime's Growth Industry
    http://www.vipreantivirus.com/resources/white-papers/exploit-kits-cybercrimes-growth-industry.aspx
    ----
    rich
     
  8. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,885
    Location:
    Slovenia, EU
    Thanks Rmus for those links.
    That may be part of an answer - shifting focus to Flash exploits and similar, which can be used across different OSs.
    It's also interesting that there were no reports about IIS v6 being exploited on Windows Server 2003. I would expect even some worm-able exploit being discovered. But who knows, they might be used in targeted attacks.
     
  9. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    And different browsers.

    In addition to the common Exploit Kit attacks, often targeted exploits take advantage of this. From a recent vulnerability in a file sync and share software product:

    Exploit any browser
    https://www.debian.org/security/2015/dsa-3244
    Obviously, the protection depends on the users keeping up with their product updates, as in this case:
    ----
    rich
     
    Last edited: Jan 2, 2016
  10. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,065
    With the still relatively high usage stats of Windows XP I would expect it to be targeted as it is a low hanging fruit, especially since when Microsoft release patches to newer versions of Windows the criminals will use the exploits on Windows XP as well knowing it will never be patched. I know that you can be safe on any platform if you are careful and take precautions. I used Windows XP and IE6 for years on an admin account and never encountered any malware.

    There are other reasons for upgrading to a newer OS and software than security. I do wonder if some people who are sticking to Windows XP and refusing to upgrade have actually tried newer versions of Windows.

    As a computer technician I got bored of supporting users using Windows XP years ago as I knew all the flaws which have been fixed in newer versions of Windows.
     
  11. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,267
    Location:
    Southern Rocky Mountains USA
    XP could and can be secured quite nicely if you know what you're doing. It was the default consumer configuration that had every user running as full administrator that was the problem which was compounded by a lax approach to app development which resulted in many apps that would only run with administrative privilege.

    When I was learning about locking down systems with group policy and ACLs, I liked to play with the computers in public libraries which I found generally to be very well locked down and secure. I learned a lot by seeing how they were set up and applied it to my own systems but never to the point the XP boxes were locked down in our local public library.
     
  12. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Quoted from Tavis Ormandy: https://twitter.com/taviso/status/694593412100542465
    Bug: https://code.google.com/p/google-security-research/issues/detail?id=704

    My bold.
     
  13. :D Chromodo is now officially nicknamed as Crossmodo the best cross site scripting browser around
     
  14. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    741
    Location:
    United States
  15. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Pulled directly from Tavis' Twitter feed. For accuracy's sake, though, my post came five minutes prior to your thread. I just wasn't sure if I should create a new thread or to find another thread with relevant discussion. Regardless, it's good information that shines some light on Chromium forks and I thank you for sharing with the community as well.
     
  16. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    741
    Location:
    United States
    I'm the one who should be linking to your post - I'll link to your post. I agree good info for the community.
     
  17. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
    Nice :D
     