Maxthon vs firefox

Harvey Van Sickle

On 12 May 2005, Dick Hazeleger wrote
re: K-Meleon
Hi Harvey!

I have tried that one several years ago, didn't like it at the
time though. Time to have a look at it again... Thanks for
bringing it back to memory again :)

I'll be interested to know what you think.

(Like you, I tried it a couple of years ago, and it was definitely
*not* ready for prime time then! Pretty good now, though.)
 
»Q«

So these sites know everything that's happening on the Internet?
Obviously a certain 'critical mass' of machines needs to be
attacked before these sites are aware that the vulnerability is
being exploited.

The sites get it pretty quickly, as I noted before.

What do you suppose is the probability of a critical vulnerability
being independently and simultaneously discovered by white hats and by
black hats? I'd say it's extremely low, and that's the only scenario
in which your idea might do anyone any good.

I was referring to the fact that the general user is not aware of
this information.

As much as the general userbase are ever aware of this stuff, they
would have been if those pages had been public, since it would have
been reported in the mainstream tech media, blogged about, put up at
secunia, etc.

So you are saying that I am not exposed because there is a known
(by a few people) vulnerability but because hardly anyone knows
about it I am not at risk?

You are not exposed because there is no exploit for you to be
exposed to. And that's because only a few white hats know about it,
and they are not exploiting it.

Isn't that just security by obscurity?

Call it what you want. It's not as if the security folks at
Microsoft and elsewhere haven't given this any thought; you should
send your feedback to them if you think you have a point they
haven't considered. Unless you have a better argument for exposing so
many users to exploits than your assertion that /you/ want to know
about vulnerabilities asap, I don't see a point in arguing it.
 
»Q«

On 12 May 2005, Dick Hazeleger wrote
re: K-Meleon


I'll be interested to know what you think.

(Like you, I tried it a couple of years ago, and it was definitely
*not* ready for prime time then! Pretty good now, though.)

I played with it for a while when the latest version was released a
little while back, having last tried it a couple of years ago. I'm
sorry I didn't keep any notes, but I did find it very much better than
before.
 
Harvey Van Sickle

On 12 May 2005, »Q« wrote
I played with it for a while when the latest version was released
a little while back, having last tried it a couple of years ago.
I'm sorry I didn't keep any notes, but I did find it very much
better than before.

It's horses and courses; it seems to do everything I need, and lets me
customise a little bit here and there. An example: I wanted a "one-
click" to open a number of groups and asked about that in the forums;
one of the regulars/developers responded with a macro that would do it,
and I've now got that working just fine.

In effect, I seem to have almost all of the functionality that I
personally wanted from FF -- might be 100%; can't think of anything
that I'm missing -- but with none of the tiresome "my-browser's-
wonderful-and-everything-else-sux" stuff that, basically, got me down.
(It's a personal gripe: I had that problem with both Opera and Firefox
-- and, in a related sense, a good IE shell, iRider.)

(I've said this before somewhere, but maybe I'm just perverse and like
non-standard apps: main browser's K-Meleon; XNews for news; Poco for
mail.)
 
Mel

Fuzzy Logic said:
So these sites know everything that's happening on the Internet? Obviously
a certain 'critical mass' of machines needs to be attacked before these
sites are aware that the vulnerability is being exploited.

A few years ago I read a post from a self proclaimed hacker
who claimed to have discovered and been exploiting a then recently
reported flaw in IE for over a year, of course he may well
have been spouting hot air.

The risk of falling victim to a flaw while it hasn't reached your 'critical
mass' must be minuscule.

So you are saying that I am not exposed because there is a known (by a few
people) vulnerability but because hardly anyone knows about it I am not at
risk?

Isn't that just security by obscurity?

I would say it is, however by keeping the vulnerability secret you
are placed at no additional risk than you were when using the browser
before the vulnerability was discovered.

Publishing details about a flaw before it is fixed and users
have had sufficient opportunity to update would expose the users
to an unnecessary risk. The recent firefox work around
mitigated the most serious vulnerability, but it did not eliminate
all risk, neither did it guarantee that a hacker couldn't find
a similar flaw to get the exploit working again. It would
have been better if it hadn't been leaked.

Unless you use a browser that only renders text with no support
for scripting or images, then your browser is highly likely to contain
a number of as yet undiscovered bugs, all complex software inevitably
does. A few of these bugs will be exploitable, although the severity
can be minimised by good design. So you can be fairly confident
that even after you apply the latest patch to whatever browser you
use, your browser is still vulnerable.

It's not the number of flaws in IE that make it arguably less safe
than other browsers, it is that they have often been made public
before Microsoft have had sufficient time to patch them and
the sometimes prolonged amount of time it has taken to produce
a fix.
 
Aaron

There is no complexity in Maxthon. Just plenty of options for the
advanced user. For most people, the default config is just great.

For most people the default firefox set is fine too.

As large as Firefox is compared to Maxthon, it should contain at least
as much functionality. Without a bunch of plugins and configuration,
Firefox is bare bones by today's browser standards.

But as mentioned to you a dozen times already in the past. Maxthon is a
mere shell, while firefox includes the gecko engine. So this comparison is
misleading.
 
Aaron

Exploits of unpatched vulnerabilities show up quickly on security
sites, newsgroups, mailing lists, etc. Once the proof-of-concept
exploits for this latest Firefox vulnerability were out, how long
did it take for it to show up at secunia? How long after that did
it show up here?

More than 12 hours.
 
Aaron

You are not exposed because there is no exploit for you to be
exposed to. And that's because only a few white hats know about it,
and they are not exploiting it.

Probably blackhats do know a few tricks, but they aren't likely to use it on
some random target surfing a website, since the value of the exploit
disappears once it's known.

Such exploits are carefully hoarded and unleashed only for big important
targets, or alternatively sold for a tidy sum.
 
Bob Adkins

But as mentioned to you a dozen times already in the past. Maxthon is a
mere shell, while firefox includes the gecko engine. So this comparison is
misleading.


Aaron, as mentioned to you many times in the past, I don't WANT the Gecko
engine. Why would I want another rendering engine when mine works perfectly
fine?

-- Bob
 
Harvey Van Sickle

On 13 May 2005, Bob Adkins wrote
Aaron, as mentioned to you many times in the past, I don't WANT
the Gecko engine.

But your comparison was of the *relative* sizes of Maxthon and FF, and
you seemed to be saying (I paraphrase) that FF ought to do more than it
does out of the box, given its comparative size to Maxthon.

Comparing the functionality-to-size of the two of them -- which is what
you were doing -- is misleading unless you add in the size of the IE
engine that Maxthon uses to establish its "real" (that is,
comparable) size.
 
Fuzzy Logic

You are not exposed because there is no exploit for you to be
exposed to. And that's because only a few white hats know about it,
and they are not exploiting it.


Call it what you want. It's not as if the security folks at
Microsoft and elsewhere haven't given this any thought; you should
send your feedback to them if you think you have a point they
haven't considered. Unless you have a better argument for exposing so
many users to exploits than your assertion that /you/ want to know
about vulnerabilities asap, I don't see a point in arguing it.

Apparently I don't need to contact Microsoft. They will now be releasing
advisories of security flaws within one business day of hearing about them
(fix available or not):

http://news.zdnet.com/2100-1009_22-5697945.html?tag=nl.e589
http://www.microsoft.com/technet/security/advisory/default.mspx
 
elaich

Aaron, as mentioned to you many times in the past, I don't WANT the
Gecko engine. Why would I want another rendering engine when mine
works perfectly fine?

Because yours is interwoven into your operating system, which opens up the
possibility of the entire system being compromised by an attack on the
engine. That's not possible using Gecko. About all that could happen is
that a backdoor, keylogger, or virus gets planted
 
Fuzzy Logic

elaich said:
Because yours is interwoven into your operating system, which opens up the
possibility of the entire system being compromised by an attack on the
engine. That's not possible using Gecko. About all that could happen is
that a backdoor, keylogger, or virus gets planted

Here is an interesting quote from one of the IE developers on this very
topic:

The issue of not being part of the Operating System is an interesting one
though that is frequently the subject of misunderstanding. IE is part of the
Windows Operating System so that parts of the OS and other applications can
rely on the functionality and APIs being present. IE in turn relies on
Operating System functionality to do its job. To be clear there are no
Operating System APIs that IE uses that are not documented on MSDN as part
of the platform SDK and available to other browsers and any other software
that runs on Windows. The security of any browser is irrelevant to if it is
part of the operating system.

If we are to debate security of browsers then let's bring in relevant
arguments and accurate details about different possible attacks rather than
rely on the irrational fear that because IE is part of the operating system
it must be exposing OS functionality to the web. This is not the case as any
software has access to the same set of OS APIs and can therefore expose the
same set of OS functionality as IE.

Source <http://blogs.msdn.com/dmassy/>
 
null

Here is an interesting quote from one of the IE developers on this very
topic:

The issue of not being part of the Operating System is an interesting one
though that is frequently the subject of misunderstanding. IE is part of the
Windows Operating System so that parts of the OS and other applications can
rely on the functionality and APIs being present. IE in turn relies on
Operating System functionality to do its job. To be clear there are no
Operating System APIs that IE uses that are not documented on MSDN as part
of the platform SDK and available to other browsers and any other software
that runs on Windows. The security of any browser is irrelevant to if it is
part of the operating system.

If we are to debate security of browsers then let's bring in relevant
arguments and accurate details about different possible attacks rather than
rely on the irrational fear that because IE is part of the operating system
it must be exposing OS functionality to the web. This is not the case as any
software has access to the same set of OS APIs and can therefore expose the
same set of OS functionality as IE.

Source <http://blogs.msdn.com/dmassy/>

Ok then let's debate it. Back in '99 when I first started using Win 98
(I had the original version then) I not only used IERadicator but also
deleted four DLLs required by the IE html rendering engine. Moz and
Netscape (and Opera I believe) all worked fine. They were and are
independent of the IE html rendering engine as near as I could tell.
They have their own. Furthermore, it's well known that any javascript
vulnerabilities that a browser has are uniquely those of the
particular browser. And most importantly, the Gecko browsers have
no activex or Java by default.

Since malicious code security is the topic, I'll also mention that I
was never subject to email message exploits since I never used
OE. I used Pegasus for email which has its own html rendering,
and no embedded script capability. Later I used Moz email and
then TBird. These sane apps have scripting off by default and
they do not allow the user to Run attackments. There were never
known vulnerabilities or exploits with these apps that I've ever
heard of. But OE was infamous for exploits of email messages.

The implication that non-MS apps share the same vulnerabilities
as MS apps is just plain wrong.

Art

http://home.epix.net/~artnpeg
 
Mel

Fuzzy Logic said:
Apparently I don't need to contact Microsoft. They will now be releasing
advisories of security flaws within one business day of hearing about them
(fix available or not):

http://news.zdnet.com/2100-1009_22-5697945.html?tag=nl.e589
http://www.microsoft.com/technet/security/advisory/default.mspx


Only for publicly disclosed vulnerabilities, well that's the way I read it.

"Some examples of topics that future security advisories may discuss include the following:

- "Defense in Depth" security enhancements or changes that are unrelated to security vulnerabilities
- Guidance and mitigations that may be applicable for publicly disclosed vulnerabilities"
 
Sparky

Fuzzy said:
Here is an interesting quote from one of the IE developers on this very
topic:

To be clear there are no
Operating System APIs that IE uses that are not documented on MSDN as part
of the platform SDK and available to other browsers and any other software
that runs on Windows.

That wasn't the case prior to the MS browser trials. It may be so now.
But considering MS' duplicitous record in the past, I'm not going to
take the word of one of their technical evangelists now. My bad.

The security of any browser is irrelevant to if it is
part of the operating system.

Really? To me, the security of the browser is of /secondary/
importance. It's the security of the OS that matters. And MS'
insistence on tightly integrating the two does present security issues
not present when talking about browsers that have been designed
w/modularity in mind.

Look, from this same blog, Massy declares in 25 point red-colored font:
IE is an essential part of the Windows Operating system.

It didn't need to be. Just ask the Netscape people. This was a
business decision and not a technical one. And, again if you've
followed the court proceedings, MS can't back away from this statement.

Fuzzy, I appreciate you trying to introduce an "interesting quote" from
an MS employee but, really, it's only interesting in its spin. Same ol'
same ol.

-Sparky
 
David

Aaron, as mentioned to you many times in the past, I don't WANT the Gecko
engine. Why would I want another rendering engine when mine works perfectly
fine?

-- Bob

To improve your security!
 
Bob Adkins

Comparing the functionality-to-size of the two of them -- which is what
you were doing -- is misleading unless you add in the size of the IE
engine that Maxthon uses to establish its "real" (that is,
comparable) size.

I know, I know. But I already have IE, and so do most FF users.

-- Bob
 
Bob Adkins

To improve your security!

Security is way down my list.

I do not work for a bank, credit card company, the FBI, CIA, or other high
security or mission critical job. I use my computer for keeping in touch
with friends and family, web browsing, news, and entertainment.

I have installed FF 3 times, tried it, and I like certain things about it,
but not others. Fact is, I like what I have better. I'm sure I will try FF
again in the future, but not because of security. Security is MY job, not my
browser's.

-- Bob
 
