Firefox Security Problems

[Rhys]

From http://news.zdnet.com/2100-1009_22-6121608.html :

SAN DIEGO--The open-source Firefox Web browser is critically flawed in the way it handles JavaScript, two hackers said Saturday afternoon.

The hackers claim they know of about 30 unpatched Firefox flaws.

So much for Firefox being more secure than IE! (Although I do like it and use it most of the time). I am trying IE 7 Beta also, though and find it much better than IE 6.

 

[nChrist]

Hello Rhys,

Brother, it's great to hear from you.

I think that javascript can make any system vulnerable. I use a free extension for Firefox called "NoScript", and you can turn java off. You can set trusted sites only, but an increasing number of sites won't work at all without java being turned on. So far, I think that the choices for just about any browser are limited - either scripts on or off. Microsoft's latest security patches for IE 6 simply warn you that a site is running a script, and you get an option of "yes" or "no".

Various types of scripts are so powerful that I think users will eventually need to have more selective control to safely use the Internet. OR, one could use the approach to simply turn them off and not go to sites that depended on them to work. I might add that would be a huge number of sites now. Using "NoScript" for Firefox simply turns them off except for the specific list of sites you authorize.

There's another way of stopping many problems that most users don't know about. Several security-related sites on the Internet publish lists of sites that run destructive scripts. They keep the site lists fairly up to date, and you can place them in your "HOSTS" file setting them with a loopback of 127.0.0.1. The "HOSTS" file makes these destructive sites inaccessible to your computer. This, along with other security, is almost a necessity these days. Spy Bot Search and Destroy, Windows Defender, and many other popular and free security programs are almost a must these days. Regardless, the best answers always involve only giving trusted sites low security access to your computer. I want to brag some about our ADMIN of Christians Unite and say this is one of the safest sites I know of. 3rd parties can still try various things, but ADMIN has made it very difficult for them to get through the defenses of Christians Unite. SO, I have no problem at all in listing Christians Unite as "trusted" and "low security".

I didn't forget about the other security that should be installed on every computer - a good firewall and a good anti-virus program. There are many excellent and free choices for overall security. Here's a list I would recommend:

1 - Spybot Search and Destroy together with Windows Defender.
2 - One of several high-rated "HOSTS" files that lock out known destructive sites.
3 - Avast anti-virus.
4 - ZoneAlarm Firewall.
5 - "NoScript" for Firefox, or user control of scripts for any other browser. People should know that scripts are dangerous to allow except for trusted sites. If the browser doesn't have some way for the user to have some control over scripts, that browser would not be a good choice.

All of the above together are excellent protection and completely FREE.

Love In Christ,
Tom

[Rhys]

Brother Tom,
    I haven't had much time lately!
     Thanks for the tip on "Noscript", I'll try it as I like Firefox. I agree that most sites use scripts these days - I had that trouble with my bank site which uses a lot of Active-X and requires IE to run. Would think a bank would be more concerned with security! I put it in the "trusted sites" category so I could turn Active-X off.
     IE 7 gives you 3 choices - not running scripts, running them, or being prompted each time. Not any different than IE 6.
     Originally Javascript (as opposed to Java), was supposed to be contained and not be able to be a security risk. (Active-X always was a risk.) Somebody goofed on that one!
     I run ZoneAlarm, AVG antivirus, AdAware, Spybot, and just started using Windows Defender. I haven't had any problems, but just put this thread up as a reminder that non-Microsoft products aren't really any more secure - it's just that when they were only used by a few people there wasn't a great incentive to hack them. Microsoft suffered most of the attacks as their products were the most widely used. I think that is changing.

[Joey]

Rhys, you are right about the security flaws found in firefox and as firefox becomes more popular, it will be an open target for people trying to exploit it. A few years back, so few people used firefox, it was hardly worth attacking it. But as it became more popular, the attacks on this system increased.
But you will still be safer running firefox than IE. You will not have your browser/homepage hijacked as its not possible and you will find the developers always rush out a fix for any flaw discovered on firefox...And of course, as bro Tom says, make sure you use all other forms of defense as well, such as Firewall, AV, etc etc.

Joey

[nChrist]

Brothers and Sisters,

I understand completely about many people being busy. I also know that school just started back, and a lot of other things are going on.

I think that anyone can make a sad conclusion these days that there's no such thing as outstanding Internet software for the person who who doesn't know anything about security. It would be OK to be an absolute beginner in computer security for only a short time, and then the person would either have to learn a few things or have their computer attacked. I hope that I expressed this in a way that it makes sense. A completely safe computer for a beginner would not work at all on the majority of sites on the Internet. The reality is that nearly everything on the Internet now has some sort of script or code that can be abused and be dangerous. On the other side of the coin, many webmasters are also having to protect their sites from attack while still making their site safe and friendly for their users. I'm positive this is a pretty difficult task, especially when your users have a variety of browsers and a variety of things that they want in their services.

In short, I think that the days of easy and safe Internet use for an absolute beginner are over. This is just one of the reasons why an outstanding webmaster would always want to build a reputation of providing safe services and try to protect their users in every reasonable way. For Christians, we would add the necessity to be free of bad advertising or anything else that would be inappropriate for us or our children.

Love In Christ,
Tom

John 10:27-28 NASB  "My sheep hear My voice, and I know them, and they follow Me; and I give eternal life to them, and they will never perish; and no one will snatch them out of My hand.