Gizmos Freeware Reviews  

05. Mar 2010, 06:14 PM   #1
deya
Senior Member
Join Date: Oct 2009
Location: UK
Posts: 1,505

Web browsers and security

I would like to ask the members of this forum for their opinions regarding the latest browser releases and the security advisories provided by Secunia.

According to Secunia PSI, on my machine I have three installed browsers with security flaws. They are IE8, Firefox 3.6, and the latest version of Opera 10.50.

We've all heard about the risks involved when using IE and advise people to avoid using it, but if Secunia are to be believed then Firefox and Opera are no different in that respect. So should we be using them? Should we still be advising others to use them? Or should we be seeking out safer browsing alternatives? Because Secunia say that both Opera and Firefox are "not safe for browsing" and both show a "higher criticality" rating than IE8, which is still insecure. All three are flagged "insecure, no solution".

I would also like to ask if you think that browser developers are rushing out the latest versions of their software in order to gain a higher market share over the competition instead of taking the time to make sure things are working properly before releasing them to ordinary users as final versions?

I've always believed that using a 'safe' browser, configured correctly and with safe browsing add-ons etc, is one of the main things in keeping a PC free from internet threats, that together with a decent AV.

I feel that many users are confused over this issue. So bottom line, are Secunia and their PSI scan results to be trusted, or are the browsers mentioned above safe to use ?

05. Mar 2010, 07:57 PM   #2
torres-no-tan-magnifico
Copy Editor
Join Date: Sep 2009
Posts: 1,118

I believe there is no such thing as 100% security due to too many variables and the cunning of mankind. This equally applies to browsers, your car, home etc.

All anyone can do is to take sensible precautions regarding browsers which you have already done:

Quote:
Originally Posted by deya
... using a 'safe' browser, configured correctly and with safe browsing add-ons etc, is one of the main things in keeping a PC free from internet threats, that together with a decent AV...

I too have Secunia PSI installed on both my LT and DT, but I certainly will not stop using FF just because there is no solution to the so-called 'insecure' issue.

Perhaps there is some truth in your assertion that '...browser developers are rushing out the latest versions of their software in order to gain a higher market share over the competition...' but for obvious reasons this is extremely difficult to verify.

I also think a patch would have been forthcoming by now if the aforementioned issue was really that serious.

Just like an opportunist burglar who sees an open window, a hacker will always pose a potential threat to an 'insecure' PC but as long as you keep things in perspective and take the precautions that you have already mentioned then I am certain the earth will keep on turnin'!
__________________
(Mx16 + Cx1 + Lx2) + (Tx5 + Nx2 + Bx33)

05. Mar 2010, 11:16 PM   #3
Anupam
Super Moderator
Join Date: Jul 2008
Location: India
Posts: 15,290

I have Opera 10.50 and Firefox 3.6 installed on my system. I just ran a Secunia scan, and as posted by deya, the browsers are reported to be insecure.

Regarding the vulnerability in Firefox 3.6, it is not yet confirmed whether it is really a vulnerability or not. The vulnerability is said to be a zero-day exploit, and discovered by a person... but that person does not want to tell Mozilla what the vulnerability is. So, till now, it is not yet confirmed. That can be seen on the security advisory page of Firefox 3.6 on Secunia too.

About the Opera vulnerability: on the security advisory page, the name of the person who discovered it is there... and the vulnerability is also said to be confirmed. It's surprising though, because the Opera 10.50 final version was released just a few days ago. I wanted to post about that version too, because Opera has tried to look like Chrome with this new version. But that later, maybe.

No browser is totally secure. Vulnerabilities are discovered in them all. But the question is how soon they are patched. Several vulnerabilities keep popping up in IE, and get patched slowly. I don't know about other browsers, but Mozilla are very quick to patch the vulnerabilities. That's why non-IE browsers are said to be more secure. IE8 is certainly more secure than its previous versions... but still, vulnerabilities are found and take time to patch.
Mozilla take the vulnerabilities quite seriously, and patch them soon.

I agree about the latest versions being released before time, and before thorough checking. It's happening with both browsers and software.
I use Firefox... and I should say, I will applaud Mozilla for taking their time with the release of this version. Firefox 3.6 was targeted to be released in Dec 2009... but it was released much later in 2010. This shows that Mozilla took their time in releasing Firefox 3.6, and did not hurry, even if their target dates had passed. The result is a great version release.
Similar was the case with Avast. They also took their time in releasing Avast 5, and released it at a much later date than scheduled.

This shows their seriousness. I really like Firefox, and Avast, and will keep using them.
__________________
Anupam

Last edited by Anupam; 05. Mar 2010 at 11:22 PM. Reason: Corrected some mistakes

06. Mar 2010, 08:02 AM   #4
Anupam
Super Moderator
Join Date: Jul 2008
Location: India
Posts: 15,290

The vulnerability in Opera is confirmed.

http://www.theregister.co.uk/2010/03...vulnerability/

The link was posted by an anonymous user on the main site.
__________________
Anupam

06. Mar 2010, 09:14 AM   #5
freedog96150
Senior Member
Join Date: Jan 2010
Location: Not Vegas
Posts: 111

Quote:
Originally Posted by deya
I've always believed that using a 'safe' browser, configured correctly and with safe browsing add-ons etc, is one of the main things in keeping a PC free from internet threats, that together with a decent AV.

I always add that you should cruise the internet with at most a standard user account and better yet, a limited user account. Too many people surf with an admin level account (at least on Windows platforms), which allows any exploit to simply install without permission.

That is one of the inherent strengths with Linux. A default install gives you nothing more than a standard user account and you have to sudo to gain root/admin level control. Win7 is doing that now, but even Vista gave you the option to become an administrator on initial setup.

06. Mar 2010, 11:32 AM   #6
MidnightCowboy
Site Manager
Join Date: Aug 2008
Location: South American Banana Republic, third bunch from the left
Posts: 15,211

Quote:
Originally Posted by freedog96150
I always add that you should cruise the internet with at most a standard user account and better yet, a limited user account. Too many people surf with an admin level account (at least on Windows platforms), which allows any exploit to simply install without permission.

That is one of the inherent strengths with Linux. A default install gives you nothing more than a standard user account and you have to sudo to gain root/admin level control. Win7 is doing that now, but even Vista gave you the option to become an administrator on initial setup.

This is true, Windows has made great strides forward with this in Win7 and yet one of the most searched queries is for how to turn UAC off! Some folks get just what they deserve.
__________________
Buy a Hoover and prove technology sucks.

06. Mar 2010, 12:53 PM   #7
Sope
Senior Member
Join Date: Feb 2009
Location: Wales, UK
Posts: 1,174

I've been using Secunia PSI (only on demand) for quite a while now, and have had IE, Firefox and Opera installed for a similar length of time. My observations are that even though all 3 browsers are currently flagged as having vulnerabilities, historically, IE has been vulnerable for the longest periods, followed by Firefox (though much less so), and Opera least of all. It will be interesting to see which one fixes their current vulnerability first (of course I am aware that some holes are easier to patch than others, and indeed that some vulnerabilities are considered more serious than others).
Sope

06. Mar 2010, 01:30 PM   #8
deya
Senior Member
Join Date: Oct 2009
Location: UK
Posts: 1,505

Thank you for the response. I agree with all that's been said here, I posed the question really because I think there is confusion surrounding this issue. And while I agree that no browser is 100% safe and that developers release patches to combat threats, the thing is, they still exist, according to Secunia PSI.

If you have these programs installed, as many do, and one program is telling you that you have unsecure software installed but there is, as yet, no fix then I think this is the confusing part. Secunia PSI is very useful software, I use it and recommend that others use it every once in a while to help keep installed software updated with the latest versions, patches etc. Secunia are a reputable company, but could it be that the wording that they use to report certain threats is maybe a little over-cautious? ...which in turn leads users into confusion as to what action to take.

The words 'not safe', 'unsecure' and 'critical' for example.

Just take for an example this website, gizmos. On the 'Best Free Web Browser' page the joint top recommendations are Firefox and Opera, and nothing wrong with that recommendation at all because, as we know, they're both good (and those recommendations can be found on many other sites so I'm not singling out any one in particular here). Yet the security threat people say that they have security flaws.

I fully appreciate that it's up to the individual to take the advice onboard, or not as the case may be, and that it's okay to use these browsers providing that you take care to use safe surfing practices. But others don't, and so they cease to use the browsers on the recommendation of Secunia. It's a trust thing, isn't it?

I think that as long as there are criminals out there looking to exploit weaknesses in Web browsers then this will be a never ending story, that's just the way of things unfortunately. But I also think that this whole browser war thing, and the developers' seemingly endless need to keep outdoing the competition is doing more harm than good, and that perhaps the security threat people ought to think about the wording in their advisories if the threats cannot be proven.

It would be great to hear from some of these developers, or Secunia to explain their point of view. I post questions like this on here because I know it has a huge volume of readers, and that maybe someone from one of these companies happens across it and it prompts them into a response... I know that this won't happen.

But at the moment all that seems to be happening is people saying to me "oh, I'm just going to use Internet Explorer and take my chances because they all seem to have their faults"... that's a direct quote from a friend of mine just this morning. So by causing this confusion the opposite of what the developers want is happening, people who just want to use the internet are reluctant to change from IE. And I'm even beginning to wonder myself if that is indeed the case, in terms of what's secure and what's not.

12. Mar 2010, 02:45 PM   #9
Sope
Senior Member
Join Date: Feb 2009
Location: Wales, UK
Posts: 1,174

Here is what Opera is currently saying about the vulnerability in v10.50
Sope

16. Mar 2010, 02:30 PM   #10
sa1
Full Member
Join Date: Dec 2008
Posts: 69

Quote:
Originally Posted by Sope
Here is what Opera is currently saying about the vulnerability in v10.50

Opera 10.51 RC has been released, which contains the fix. Will be released as a final in the next few days.