Your opinion on the safest browser?

Discussion in 'other security issues & news' started by Metal425, Apr 5, 2009.

Thread Status:
Not open for further replies.
  1. Dogbiscuit

    Dogbiscuit Guest

    Since your post came right after mine and the remark about "contests...lists...bull-oney" seemed directed at the Pwn2Own contest, some winners of which I referenced, I couldn't see what else those words referred to but my previous post.

    Sorry if I misunderstood you.

    I agree there was much hype in the media about that contest, for example, that neglected quite a few important details, including limits to the usefulness of any knowledge gained from such events.

    No doubt.
     
    Last edited by a moderator: May 7, 2009
  2. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,121
    Location:
    Mountaineer Country
    Thanks for your reply Rich. You make a good point about "Exploit in the wild" and it makes sense. It also makes sense to focus on them as they are the real and current threat/s.

    If you do hear of any browser only exploits in the wild please let us know.

    Regards,
    IP
     
  3. ParadigmShift

    ParadigmShift Registered Member

    Joined:
    Aug 7, 2008
    Posts:
    241
    Over the years, when it comes to malware prevention, I've found a lot of power lies within the browser itself. A good web filter helps too. ;)
     
  4. Kye-U

    Kye-U Security Expert

    Joined:
    Jun 11, 2004
    Posts:
    481
    In my opinion, Lynx is the safest browser (since it's text-only).

    Almost all browsers in mainstream use are vulnerable in some shape or form, be it JavaScript, malicious image files (WMF, ANI), Flash, etc. Basically, the more "media-rich" the browser, the more attack vectors there are.

    I use Opera, Firefox and Chromium equally, all with Proxomitron. I liked the functionality of NoScript in Firefox so much that I felt I needed the same protection in Opera and Chromium (and other browsers), so I wrote a Proxomitron filter for this purpose.
     
  5. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  6. 38J

    38J Registered Member

    Joined:
    Mar 10, 2009
    Posts:
    6
    Location:
    Australia.
    The safest browser is the person operating the computer - if he / she wants to be! :cautious:
     
  7. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    From http://www.viruslist.com/en/analysis?pubid=204792056:

    From http://tech.yahoo.com/news/pcworld/20090620/tc_pcworld/couldoperaunitebeabotmastersbestfriend:

     
  8. chrisretusn

    chrisretusn Registered Member

    Joined:
    Jun 16, 2004
    Posts:
    1,672
    Location:
    Philippines
    There is no such thing as the safest browser.

    Use the browser you like, learn how to use it and surf smart. Putting a browser in a sandbox does not make the browser more safe; it simply adds a layer of protection to a browser that may have security holes.

    Threads like this really accomplish nothing.
     
  9. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Thanks for the references.

    I wish the author would have shown an exploit pack with an Opera exploit. His example (Mpack I think) is the most common pack for sale, and contains just the usual IE stuff. I'm left wondering what the specific exploits used against the other browsers were. All previous vulnerabilities for Firefox and Opera have been patched.

    This will bear watching...

    Opera Unite has caused a furor already - this Platform is a disaster waiting to happen.

    If this is a "feature" that won't be optional, I know several people who have indicated they would abandon Opera.

    rich
     
  10. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    I don't know what the safest browser is, but I'm happy with Opera. It, as of now, isn't so insecure it would bother me, and yet it has a rich set of features for actual web browsing that I like that I can find on no other browser (at least not without planting a ton of extensions on the browser).

    The articles appear to be outdated. Opera 9.64 supports DEP and ASLR. Which, by the way, don't do nearly as much as the article seems to imply. Good technologies, sure, but they don't have nearly as great an impact as being able to control scripting and plugins for each site and setting a default disabled for both - which is something you can't do with, say, Firefox, without extensions like NoScript.

    If you are prone to being cynical, like I am, you might note the source of the article - viruslist.com or in other words Kaspersky. AV companies don't exactly have a clean track record of telling things like they are and not partaking in hype and FUD. My general rule of BS dictates that whenever an AV company claims that something is exploitable and indeed being exploited now, but doesn't offer any kind of reference or proof at all, not even one tiny example, they're either lying or greatly exaggerating to market their own AV products as necessary.

    As for exploit packs in general, all that I have seen will use perhaps a couple of the latest ones and mostly very old ones (months, even years old). Most of the exploits will be against IE, of course. If there is an Opera exploit in there - never seen one actually in the wild, same as you - it will almost certainly be one that was patched months ago.

    I am one of those people who will jump ship if Opera doesn't toss "Unite" or at least give me a version that does not have Unite built-in. I just don't want anything like that, ever. It is a security disaster waiting to happen, no matter how they may have tried to sandbox it. Not to mention that it is incredible bloat. If I want a web server, I will run Apache. I want my browser to be a browser, not a server.
     
  11. Edward_Stream

    Edward_Stream Registered Member

    Joined:
    Jul 28, 2009
    Posts:
    18
    For me, Firefox is the safest. Mozilla Firefox plus an AV solution is the best, preferably with an anti-spam toolbar.
     
  12. OnSeeker

    OnSeeker Registered Member

    Joined:
    Jul 27, 2009
    Posts:
    12
    My favorite browser is Mozilla! It has all the features that can satisfy me and also a lot of useful plug-ins that integrate perfectly into it!
     
  13. Keyboard_Commando

    Keyboard_Commando Registered Member

    Joined:
    Mar 6, 2009
    Posts:
    690
    Anything inside Sandboxie (cliche/fanboyism I know)

    I like Opera ... be nice if Opera had Add Ons, NoScript for the win!

    I often see people saying they're still using IE6 and how it's never let them down ... makes me wonder if there is some esoteric thing going on like the rest of us don't know what we're missing.

    http://news.zdnet.co.uk/security/0,1000000189,39693874,00.htm

    But when I find out the majority of British Ministry of Defense still uses IE6 I know this is just a horrible mistake just waiting to happen. Ughhh
     
  14. tipstir

    tipstir Registered Member

    Joined:
    Jun 9, 2008
    Posts:
    830
    Location:
    SFL, USA
    Firefox 3.5.1 plus security add-on. Plus a lot of these others like Chrome, Opera and Safari, which I did try, and found only Opera to work with adsweep.js. Opera 9.6 crashed more and can't load certain pages; QVC, for instance, doesn't like Opera. I upgraded to Opera 10 beta (I know it's still in beta), but adsweep.js failed and then ads pop up like mad. Still, right now Firefox with Vista Aero themes is the closest to IE7 features. Firefox has virus defs from Avira, everything is scanned, and security seems okay, but I still run the browser in an isolated sandbox using GeSWall and KeyScrambler with it. Added SpywareBlaster. Again, not a lot of stuff works with Opera.
     
  15. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Nothing esoteric at all -- just users understanding how to secure the browser.

    I've got IE6 installed on both my Win2K and WinXP systems. IE is not my primary browser, but up until recently, I used to browse with it from time to time to see if I could randomly pick up some web-based exploit that was going around. I never found anything. It made me wonder how it is that people pick up these infected pages!

    I keep my IE6 unpatched so that when I see malicious URLs posted in exploit notifications, I go to the site to test other security and the exploit always fails.

    If you look at the malware packages that contain IE6 exploits, you find they are all long-since patched. The multitude of people who are infected by an IE exploit don't patch, don't have other security in place to block remote code execution exploits in case of a 0-day scenario.

    The Conficker fiasco is a good example: the MS08-067 patch, which addressed the vulnerability which the Conficker worm later exploited, was released in October 2008:

    Microsoft Security Bulletin MS08-067 – Critical
    http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx

    The first exploit of that vulnerability occurred one month later:

    ms08-067 exploitation
    http://isc.sans.org/diary.html?storyid=5288

    Conficker, aka W32.Downadup.B, arrived in December, two months after the patch:

    MS08-067 Worm on the Loose
    http://isc.sans.org/diary.html?storyid=5596

    Is this the fault of the browser or the user?

    Opera and Firefox have a long list of vulnerabilities that become patched. That is no help unless the user updates. It's no different than with IE. Opera and Firefox users tend to be more security-aware. This, of course, is the minority of browser users world-wide.

    People say, "Give the average user Firefox." Unless this average user learns to configure Firefox properly and learns how to use the extensions, plugins, etc., Firefox is no more secure than IE against the multitude of exploits that are targeting Acrobat, Foxit, Flash and the like. All of these attacks are triggered by JavaScript in the exploit code, so that any of these three browsers, if not properly configured, is susceptible to being the trigger for these exploits.

    Now, the story you link to refers to institutions using IE6. Here, we are in a different world since you are dealing with multiple users on a network, and who knows how each individual system/browser is secured. But this is not the fault of the browser: it's user error.

    And so you get quotes such as this from the article:

    What silly nonsense. The article should state:

    Because organizations are often slow to patch and have no security in place that locks down the systems against unwanted executables, and because there is no control over how individual users configure the browser (scripting, etc), companies should switch to a different browser to insure against user incompetence and IT negligence.

    IE6 is a fine browser - light and fast. The principal reason I switched to Opera back in Win9x days is that I prefer its features and configurable *.ini files. I never thought much about the security aspect back then. Later, I echoed the growing criticisms of IE until I started looking more closely beneath the surface of things.

    ----
    rich
     
  16. Keyboard_Commando

    Keyboard_Commando Registered Member

    Joined:
    Mar 6, 2009
    Posts:
    690
    Rmus, yes it would have been nice to hear a politician care more for the security of the nation they represent rather than the choice to use the latest cool browser. Allowing civil servants in government depts to use whichever browser they wish to is a recipe for disaster, surely?

    I have been reading about this Opera Unite service. This sounds potentially like a disaster. Exploiters' heaven!

    Definitely seems like some gimmick to attract the kids to Opera.
     