Look What I Found

Bob

May 3rd, 2006, 2:16 am #1

After seeing a news report on the "first ever" virus to affect Apple's Mac OS X operating system -- actually a trojan horse rather than a virus -- I did a search for anti-virus programs for Macs. In the process, I came across stories about the "vulnerabilities" of the Mozilla Firefox web browser, which piqued my interest. I'm sure every system and computer known to man is vulnerable to something, and I don't know what the actual risks to using FF might be, but I thought you might be interested in seeing this:

http://www.uscert.gov/cas/techalerts/TA06-107A.html

Nat

May 3rd, 2006, 3:33 am #2

This applies to versions before FF-1.5.0.2
I've already upgraded to 1.5.0.2
I get an alert whenever a new version is released.

In any case, any problems FF has, IE has ten times worse.


John Bayko

May 3rd, 2006, 3:34 am #3

There are different degrees of vulnerability. "Open source" software, like Firefox, tends to have a lot of minor vulnerabilities reported, because the source code is available to anyone who wants to see it (what "open source" means), so a lot of programmers find bugs that would not be noticed in products where only a few people can see the code (such as Microsoft Internet Explorer or Opera).

The severity ranges from potential vulnerabilities, where someone might figure out a way to exploit it someday, but nobody knows how yet, to theoretical, where a way has been figured out, but nobody's done it yet, to demonstrated exploits, for which someone has made working code which is harmless, to exploits "in the wild", which have been used by malicious people to actively cause damage or take control.

Although it is much easier to produce a working exploit for software where the source code is available, there are also more people able to fix the problem, and they can usually do it quickly. This is one of the reasons Apple makes the source code for many core products, like the Darwin operating system or the Safari web browser, available to anyone who wants to look at it.

Nat

May 3rd, 2006, 4:56 pm #4

I just got an alert that there is an even newer version of Firefox than the one I mentioned above.
FF 1.5.0.3 is out and presumably has all the latest security updates.

Bob

May 3rd, 2006, 9:40 pm #5

I just checked my version of FF . . . 1.5.0.3 . . . cool. I was wondering: For those who have a Mac . . is the Safari a safer browser than Mozilla . . . or vice versa . . . or are they both quite safe and it's a mute point?

btw . . . I want to welcome John B. back. I decided I'm going to be less contentious with ppl whom I previously skirmished with . . . . try to benefit from others' experience and knowledge, rather than become irritated by it. So, welcome back, Mr. B.

John Bayko

May 4th, 2006, 3:03 am #6

"I want to welcome John B. back."

I'm not so much "back" as not had much to say. Or sometimes busy. I've gone over a month without posting often in the past.


"For those who have a Mac . . is the Safari a safer browser than Mozilla . . . or vice versa . . . or are they both quite safe and it's a mute point?"

Safari is a bit less capable than Firefox, and in that sense is "safer" - fewer things to go wrong. But both are usually pretty good, though there was recently a very embarrassing Microsoft-scale security hole in Safari.

The main security problem with Microsoft products is the tendency to integrate things with each other in an ad-hoc way to get things to work sooner.

To give an analogy, imagine a corporation in which there are set procedures for operating between departments. For example, for someone in sales to submit expense claims from a business trip to accounting, or to apply for leave from human resources. If you want to do something unusual, the bureaucracy doesn't have a procedure and you're stuck until the problem gets passed upwards to someone who can approve the exception, or design a new procedure to follow.

Alternatively, imagine a company where people play loose with the rules, and just get things done. It's a lot easier to deal with change, as long as you can make sure the people who have to know what to do are kept informed.

The latter is roughly what Microsoft used to do, up until a few years ago. This is partly what made them successful - they'd just slap together software that looks good on the surface and hits the 80% mark that most people need, and then patch problems as they come up later. The main problem is that when software gets larger, nobody can understand all the things that interact, and a problem in one area can have an effect elsewhere. The software has no authority where you can add checks for security.

Think Enron, as a corporate example. It was a very loose, undisciplined corporation that fell apart because there was no authority or procedures for doing things correctly.

This is why Microsoft Outlook can be vulnerable to a bug in Internet Explorer or Windows Media Player, even when you're not using either.

Open source projects are different by their nature, because each project only manages a much smaller piece of functionality. The groups provide interfaces which other projects use to interact, and can't bypass them - or not reliably, since if they do start using internal code (they have the source code, they figure out how to do that), that internal code is likely to change, maybe within days, maybe within years. This makes development slower, except that what they can do is group A tells group B they need an interface, and they copy the code and modify it, so group B can just say "okay" and accept the changes. Or they'll point out some problems, and they'll work on the changes together.

This means that there are points of authority (interfaces) where you can decide what's allowed or not. You can spend extra effort at those points to try to prevent bugs. Software like this also usually has more of a hierarchy than what Microsoft has typically done, making it even harder to bypass security.

As of a few years ago, Microsoft changed their development process to improve security, so everything must be audited, and all future code must be in well-defined layers through interfaces. The problem is they have a very large amount of old code which was developed using the older, sloppy methods. Some of it may never be replaced.

In any case, Mozilla/Firefox is available for Macintoshes too.


"I decided I'm going to be less contentious with ppl whom I previously skirmished with"

In that case, I'm almost reluctant to point out that you meant "moot" up there, not "mute".

Nat

May 4th, 2006, 3:31 am #7

John, I've been wanting to ask you this a long time - and I guess this is as good an opportunity as any - just what do you do when you are not enlightening us here at Potpourri?

Are you the college professor that we all assume?

John Bayko

May 4th, 2006, 3:50 am #8

I thought I'd mentioned what I do in the past - particularly to the poster known as "vaxgirl", since she was in the same profession, more or less.

I also thought I had mentioned that I just happen to be a curious person, and have a habit of looking up answers when I have questions. Posting a message is sometimes a way of putting my thoughts into order on a subject - a bit selfish I suppose, but harmless I figure.

Nat

May 4th, 2006, 4:01 am #9

Vaxgirl? Gosh, I don't even remember her.
Since I'm old and becoming senile you are going to have to help me out-
What did Vaxgirl do?

SHADOW

May 4th, 2006, 2:47 pm #10

What do you do, John?