The hounds are after the fox. Great stuff

Discussion in 'NZ Computing' started by Gordon, Oct 23, 2004.

  1. Gordon

    Gordon Guest

    There is a link off the mozilla.org page

    http://www.mozillazine.org/talkback.html?article=5404

    Quote In part

    Mozilla and Other Browsers Vulnerable to Tabbed Browsing Spoofing Attack
    Wednesday October 20th, 2004

    Secunia has issued an advisory regarding tabbed browsing spoofing
    vulnerabilities in the Mozilla series of browsers. One spoof involves
    persuading the user to open a link to a trusted site in a new tab and then
    opening a JavaScript input box that appears to come from the trusted site
    when it actually sends its data back to the trickster. Another flaw again
    requires the user to open a link to a trusted site in a new tab, though
    this time the spoofer uses JavaScript to continually move focus back to a
    form field on the malicious page without causing the active tab to change
    from the trusted site. This means that a user who tries to enter form data
    on the trusted page will instead be passing information to the attacker.
    Slashdot has an article about this latest spoofing flaw, which also covers
    other browser holes published by Secunia today. According to Secunia's
    original tabbed browsing vulnerability advisory, the Mozilla Foundation
    was informed on October 4th, sixteen days ago.

    Unquote.

    Now gentle people here is the "manufacturer" of a product saying look, our
    product is not perfect.

    If one reads between the lines it reads, people, we have a hole, let us
    plug it. Ideas accepted.

    MS would say privately, a hole, let us hope that no one finds out.

    It is very good to see the many folks who see fit to attack Firefox, for
    it shows

    a) That Firefox is a force eating away at their wallet
    b) The ignore you and then laugh at you phases are over before version 1
    is released.
    c) The consumer, and Internet security is about to be lifted.

    NB MS is late again to the party and it is only because of an attack on
    their wallet that they feel the need to respond.
     
    Gordon, Oct 23, 2004
    #1

  2. Gordon

    Max Burke Guest

    Gordon scribbled:
    Do you know about this recently discovered 'hole' in Mozilla browsers
    running on many major versions of Linux?
    http://www.securityfocus.com/bid/11440

    Snip the usual crap....

    ALL OS'es have bugs; ALL OS'es require patching. All software running on
    ANY OS has bugs. It's NOT something that is unique to Microsoft and
    windows. Why do so many 'advocates' for *nix/OSS want this fact to be a
    'pissing contest' as some sort of 'advocacy' for *nix/OSS is for them to
    justify and explain. I personally would prefer that they/you NOT use
    nz.comp and nz.general to justify and explain why they/you need to behave
    this way as a *nix/OSS user/advocate......
     
    Max Burke, Oct 23, 2004
    #2

  3. Gordon

    thing Guest

    Well we could start off with,

    Just about all the old versions, RH8.0, long superseded....

    RHAS2.1, while still supported/current old hat.

    Mandrake 9.x, guess what we are on 10.0.

    It's like saying win95/8 is vulnerable....

    Mind you I suppose it's not a total list....

    <shrug>

    but there is an even more interesting one re: malformed inputs into most
    non-IE browsers, now that looks nasty. It also rips into the comments
    that Open source code is less vulnerable because many eyes can/have seen
    it. I await with a great deal of interest the examination and reply to
    this bug.

    While a piece of nasty code might result in a single user on a
    Unix/Linux box being compromised, it is highly unlikely that it is going
    to be a root exploit. Though not impossible, such a situation on
    Linux/Unix is rare, a successful exploit tends to show less absolute
    damage than a similar one on MS OS.....
    Maybe we are getting frustrated with dealing with yet another zero MS
    virus getting into our networks. Or getting up early to patch yet more
    critical vulnerabilities on MS boxes when we are nervous that applying
    the patch is going to munt the boxes, necessitating a rebuild and tape
    restore.

    Note I work on tru64, Solaris, Linux, BSD and Windows, Windows simply
    causes me/us more pain than any of the rest combined.

    Now the interesting questions are,

    1) At what point does the pain get so bad MS gets ripped out?
    2) Once we have a significant Linux global eco-system whether the pain
    will be as bad putting us back to square one?

    Although MS claims MS is targeted because it is more popular, and it
    would be as bad on Linux I have yet to see anything
    quantifiable/tangible supporting that contention bar wishful thinking.

    regards

    Thing
     
    thing, Oct 23, 2004
    #3
  4. Gordon

    Max Burke Guest

    thing scribbled:
    Are you REALLY claiming that every Mozilla user is using the latest version?
    REALLY?
    If they ARE getting on to your network then I could suggest you're not doing
    your job very well....
    Well if I was to follow the criteria you apparently chose to follow [above]
    then I wouldn't let any opensource OS or software on any of my computers.

    I subscribe to several security email lists, and have several Linux/OSS
    websites in my favourites list.
    Going by what I read there I get daily security email lists about Windows,
    *nix, etc and nearly those list far more *nix and OSS bugs than Microsoft
    bugs...
    Using *nix and OSS software requires almost DAILY updates and patches to fix
    these numerous bugs and fixes....

    How do YOU keep up with them all??????

    ALL OS'es have bugs; ALL OS'es require patching. All software running on
    ANY OS has bugs. It's NOT something that is unique to Microsoft and
    windows. Why do so many 'advocates' for *nix/OSS want this fact to be a
    'pissing contest' as some sort of 'advocacy' for *nix/OSS is for them to
    justify and explain. I personally would prefer that they/you NOT use
    nz.comp and nz.general to justify and explain why they/you need to behave
    this way as a *nix/OSS user/advocate......
     
    Max Burke, Oct 23, 2004
    #4
  5. Gordon

    nick Guest

    You only have to keep up with the ones you use.
    Windows Update only does basic stuff.
    Most linux distros can update every installed application with a single
    command.
     
    nick, Oct 23, 2004
    #5
  6. Gordon

    Peter Ashby Guest

    Of course instead of missing the point you could realise the point was
    not the existence of bugs but how different companies/organisations deal
    with them. But putting up strawman arguments instead are so much easier
    aren't they?

    Peter
     
    Peter Ashby, Oct 23, 2004
    #6
  7. Gordon

    Allistar Guest

    emerge sync && emerge -pv world

    Allistar.
     
    Allistar, Oct 23, 2004
    #7
  8. Gordon

    Max Burke Guest

    nick scribbled:
    I didn't ask WHAT you had to keep up with......
    Every day?
     
    Max Burke, Oct 23, 2004
    #8
  9. Gordon

    Max Burke Guest

    Peter Ashby scribbled:
    No Peter, Gordon's post was just another Microsoft bashing post.
    Funny how you deliberately ignored that....
     
    Max Burke, Oct 23, 2004
    #9
  10. Gordon

    Max Burke Guest

    Allistar scribbled:

    Every day?
    And how do you know what it's installing, what it's fixing, if it actually
    fixes that bugs, that it's compatible, that it won't cause problems for
    yourself or your users...
    It's not a very 'safe' way to keep up to date is it....
     
    Max Burke, Oct 23, 2004
    #10
  11. Gordon

    Peter Ashby Guest

    The same way you deliberately ignored the point of the difference,
    closing your mind because of the messenger.

    Peter
     
    Peter Ashby, Oct 24, 2004
    #11
  12. Gordon

    nick Guest

    Whenever you want.
    Automatically if you like.
     
    nick, Oct 24, 2004
    #12
  13. Gordon

    Allistar Guest

    Not normally. Maybe every few days.
    The -pv switch tells it to only tell me what it will install/upgrade, not
    actually do the upgrade for me. I then make a decision on what to upgrade
    and what not to.
    It's safe enough for me.

    Allistar.
     
    Allistar, Oct 24, 2004
    #13
  14. Gordon

    Max Burke Guest

    Peter Ashby scribbled:
    The point of Gordon's post was to BASH Microsoft.

    That is the point YOU are deliberately ignoring.


    He claimed that it takes Microsoft ages to fix bugs, while OSS fixes bugs
    quickly. That was the *Microsoft BASHING* point of his post

    That is BS.
    How long have the bugs in OSS existed before they get found and fixed? Is
    it just the current version? The last two versions? Or all prior versions
    right up until the time the bug is discovered and FINALLY fixed.....

    How long does it REALLY take the OSS community to fix the bugs in OSS...

    ALL OS'es have bugs; ALL OS'es require patching. All software running on
    ANY OS has bugs. It's NOT something that is unique to Microsoft and
    windows. Why do so many 'advocates' for *nix/OSS want this fact to be a
    'pissing contest' as some sort of 'advocacy' for *nix/OSS is for them to
    justify and explain. I personally would prefer that they/you NOT use
    nz.comp and nz.general to justify and explain why they/you need to behave
    this way as a *nix/OSS user/advocate......
     
    Max Burke, Oct 24, 2004
    #14
  15. Gordon

    Max Burke Guest

    Allistar scribbled:
    I only need to check that once a month, but XP SP2 will notify me if there
    are updates available to install.
    Now tell me why that is wrong, but what you do is right?
    As far as I can see it's not much different....
    Well gee, that is what I do, because *Microsoft* gives me (and everyone else
    that uses a Microsoft OS) that exact same option. Tell me again why that's
    wrong when it's a Microsoft OS Allistar, but right when it's not.....
     
    Max Burke, Oct 24, 2004
    #15
  16. Gordon

    Peter Ashby Guest

    You see those words 'the same way'? Have you thought about what they
    might mean?

    And you are still ignoring the point which was about openness much more
    than speed of response. I think that point was perfectly valid.

    Peter
     
    Peter Ashby, Oct 24, 2004
    #16
  17. Gordon

    nick Guest

    It varies, but it's very fast indeed for the main projects that major linux
    users like sun ibm hp, the distribution vendors and the majority of the
    world's internet service depend on, like the kernel, apache, proftpd, bind,
    qmail samba etc. They prefer to be members of the "OSS community" because of
    the rapid response that such a community effort can achieve.
     
    nick, Oct 24, 2004
    #17
  18. Gordon

    Peter Guest

    But faithful Windows users don't have to worry about that - now Windows is
    Trustworthy Computing. Billy Gates said so, so it must be true. Windows is
    secure now, and that is why it is worth paying all that money for it. In
    fact, it is so good people don't need to use anything else and that's why
    Microsoft deny us the inconvenience of having to make a choice.



    Peter
     
    Peter, Oct 24, 2004
    #18
  19. Because you want this group to be pro MS you start contests of your own.
     
    Patrick Dunford, Oct 24, 2004
    #19
  20. Crap. There are a much larger number of software packages running on
    Unix/Linux, not everyone will have all of them.
    The OSS community invented some excellent tools like apt-update to keep
    things going.

    As it is I just did a scan of all our XP machines and found that despite
    automatic updates being enabled, a number of machines on our network are
    not fully up to date with Windows fixes and therefore potentially are
    vulnerable.

    Now I am damned if I am going to have to make everyone a local
    administrator because of MS's flawed automatic updates software or put in
    a third party solution costing thousands of dollars.
    Just stop cutting and pasting this into every message like some sort of
    stuck record.
     
    Patrick Dunford, Oct 24, 2004
    #20