E
eLmimo
Sorry, it should be read: "can't be give yet"
Sorry, it should be read: "can't be give yet"
A
Aaron
eLmimo said:
Well given that you were the one that made the claim, I find it strange
that someone else had to supply the info
Besides it was with one special case, using one specific IE shell. Such
cases are isolated events, and generally as a rule IE shells are not
safer than default IE.
X
xtort
So, like, if Schroedingers cat and Pavlovs dog got into a fight, who would win?
A
Aaron
EnAr said:
They scary, considering that what it does is that it installs a IE
hijacker
But of course, you will have to accept first before it does.Besides the developers have taken many steps to tighten up security for
example
1) By default , block all installs, except for sites you have approved.
So random sites you have not approved will not be able to install any
malware.
2) All sites (even whitelisted sites) will not be able to borther you
with popup prompts unless you click on the link. This prevents nonsense
sites from peppering you with popups the moment the page loads
3) There is a specific 3 second delay after the popup prompt occurs,
before you can click install.
Even without these precautions, you still have to explictly click
install, before you can be infected, which is a far cry from MS's
ActiveX system which has being plagued by bugs that allow autoinstallation.
Do we at least know that the extensions listed on the
Given that such sites are heavy traffic sites, and the average firefox
user is extremely competent, it would be highly unlikely for such sites
to host malware without anyone noticing very quickly.
It's no more risk, than you running off to some site to install a
program someone here (whom you trust) recommends.
B
Ben Cooper
Aaron said:They scary, considering that what it does is that it installs a IE
hijacker
does.
Besides the developers have taken many steps to tighten up security
for example
1) By default , block all installs, except for sites you have
approved. So random sites you have not approved will not be able to
install any
malware.
2) All sites (even whitelisted sites) will not be able to borther you
with popup prompts unless you click on the link. This prevents
nonsense sites from peppering you with popups the moment the page
loads
3) There is a specific 3 second delay after the popup prompt occurs,
before you can click install.
Even without these precautions, you still have to explictly click
install, before you can be infected, which is a far cry from MS's
ActiveX system which has being plagued by bugs that allow
autoinstallation.
Do we at least know that the extensions listed on the
Given that such sites are heavy traffic sites, and the average firefox
user is extremely competent, it would be highly unlikely for such
sites to host malware without anyone noticing very quickly.
It's no more risk, than you running off to some site to install a
program someone here (whom you trust) recommends.
So, what's the difference between using one browser over the other?
These seem to be the same arguments made *against* using a MS based
browser.
Are XPIs as "dangerous" as ActiveX?
A
Aaron
d sAb t
eY
Yes, apparantly they are a generic way to install any type of software
directly from the net, and not just browser extensions. So like ActiveX
they can run practically anything , and have full permissions (unlike Java).
ActiveX has gotten a very bad rep, because of the fact that by default
it used to come with a very loose set up restrictions which allowed
"driveby" downloads to install adware on your computer. As such it
quickly became the weapons of choice for adware makers to install
programs on your computer.
Even now, if you totally disable activeX you still get an annoying pop
message about sites not working properly, so it seems MS still wants us
to use ActiveX
Coupled with the discovery of several bugs over the years that allowed
sites to bypass or spoof trusted security zones (or even outright ignore
the restrictions), even with the proper activeX permissions in the
internet zone, users could still be hit by malware installed by activeX
if their trusted zone allowed ActiveX controls.
All these factors have currently led to the view that ActiveX is very
dangerous , though I suspect this view is somewhat outdated espically
with SP2. It's still a bad idea to install Activex controls without
knowing what they do, but at least you still have the choice to install
it or not. I believe currently Javascript is a much bigger threat. But
JS is a much harder beast to tame.
As I already said earlier, the firefox people are very aware of the
problems and the tricks used by malware people to exploit Activex and
has a result by default firefox as very tight restrictions (no
installations at all by default except by trusted sites) and various
means to protect the user from other tricks.
eY
Ben said:
Yes, apparantly they are a generic way to install any type of software
directly from the net, and not just browser extensions. So like ActiveX
they can run practically anything , and have full permissions (unlike Java).
ActiveX has gotten a very bad rep, because of the fact that by default
it used to come with a very loose set up restrictions which allowed
"driveby" downloads to install adware on your computer. As such it
quickly became the weapons of choice for adware makers to install
programs on your computer.
Even now, if you totally disable activeX you still get an annoying pop
message about sites not working properly, so it seems MS still wants us
to use ActiveX
Coupled with the discovery of several bugs over the years that allowed
sites to bypass or spoof trusted security zones (or even outright ignore
the restrictions), even with the proper activeX permissions in the
internet zone, users could still be hit by malware installed by activeX
if their trusted zone allowed ActiveX controls.
All these factors have currently led to the view that ActiveX is very
dangerous , though I suspect this view is somewhat outdated espically
with SP2. It's still a bad idea to install Activex controls without
knowing what they do, but at least you still have the choice to install
it or not. I believe currently Javascript is a much bigger threat. But
JS is a much harder beast to tame.
As I already said earlier, the firefox people are very aware of the
problems and the tricks used by malware people to exploit Activex and
has a result by default firefox as very tight restrictions (no
installations at all by default except by trusted sites) and various
means to protect the user from other tricks.
?
=?ISO-8859-1?Q?=BBQ=AB?=
Yes. Most notably, there is no way to have XPIs install without the
user clicking 'ok' to approve the installation.
S
Sietse Fliege
Aaron said:
Easy for you to say. ;-)
Do you have links, please?
A
Aaron
»Q« said:
Well didn't they say the same of ActiveX? At least with the right
settings and barring exploits
A
Aaron
Sietse said:
Hee Hee, testing thunderbird, still getting used to it.
What kind of links do you want? A link where some big name security guy
comes out and says so?
Such links might exist, but my feeling is mainly reinforced by the fact
that many guys who I respect have independently said pretty much the
same thing in various places (forums, chats).
For a more objective assessment, perhaps you can hop down to one of
those sites that list security exploits ,(http://secunia.com/product/11/
is popular) and check out how many exploits gives the solution as
"disable active scripting" as opposed to ones that say "disable Activex
plugins".
JS has being used for everything from cross-site scripting attacks,
phishing/spoofing, remote executation of code etc..
I guess JS is much harder to handle, because lots of sites assume you
have that on (javascript links), unlike ActiveX, so recommending people
to turn off active scripting all the time is not suitable for average users.
Thankfully for firefox and other advanced browsers you have greater
control over what JS can do, so you can turn off some of the more
dangerous ones while retaining the basic functions.
S
Sietse Fliege
Aaron said:
Thank you. I'll check it out.
E
Eugene Esterly III
Bruce the Shark said:Well, I know there are many others, but Firefox, IE, and Opera are
really the top 3 browsers around. Opera has never been 100% free,
because it's ad-supported, but now Micro$oft is saying that the
latest version of IE will ONLY run under Windows XP! That means
to use it, you'll have to upgrade... making IE no longer "free".
Source: http://tinyurl.com/3ktm2 (Cnet news article).
I'm glad I use Firefox.
So am I. I use Firefox as my primary web browser. IE is one my comp
but that is only for accessing Windows Update but other than that, I
don't use IE anymore.