|
05. Mar 2010, 06:14 PM
|
#1 (permalink) |
|
Senior Member
Join Date: Oct 2009
Location: UK
Posts: 1,505
|
Web browsers and security
I would like to ask the members of this forum for their opinions regarding the latest browser releases and the security advisories provided by Secunia.
According to Secunia PSI, on my machine I have three installed browsers with security flaws. They are IE8, Firefox 3.6, and the latest version of Opera 10.50. We've all heard about the risks involved when using IE and advise people to avoid using it, but if Secunia are to be believed then Firefox and Opera are no different in that respect. So should we be using them ?.. should we still be advising others to use them ?.. or should we be seeking out safer browsing alternatives ? Because Secunia say that both Opera and Firefox are "not safe for browsing" and both show a "higher criticality" rating than IE8, which is still insecure. All three are flagged "insecure, no solution" I would also like to ask if you think that browser developers are rushing out the latest versions of their software in order to gain a higher market share over the competition instead of taking the time to make sure things are working properly before releasing them to ordinary users as final versions ? I've always believed that by using a 'safe' browser, configured correctly and with safe browsing add ons etc, is one of the main things in keeping a PC free from internet threats, that together with a decent AV. I feel that many users are confused over this issue. So bottom line, are Secunia and their PSI scan results to be trusted, or are the browsers mentioned above safe to use ? |
|
|
|
05. Mar 2010, 07:57 PM
|
#2 (permalink) | |
|
Copy Editor
Join Date: Sep 2009
Posts: 1,118
|
I believe there is no such thing as 100% security due to too many variables and the cunning of mankind. This equally applies to browsers, your car, home etc.
All anyone can do is to take sensible precautions regarding browsers which you have already done: Quote:
Perhaps, there is some truth in your assertion that '...browser developers are rushing out the latest versions of their software in order to gain a higher market share over the competition...' but for obvious reasons this is extremely difficult to verify. I also think a patch would have been forthcoming by now if the aforementioned issue was really that serious. Just like an opportunist burglar who sees an open window, a hacker will always pose a potential threat to an 'insecure' PC but as long as you keep things in perspective and take the precautions that you have already mentioned then I am certain the earth will keep on turnin'! 
__________________
(Mx16 + Cx1 + Lx2) + (Tx5 + Nx2 + Bx33) |
|
|
|
|
|
05. Mar 2010, 11:16 PM
|
#3 (permalink) |
|
Super Moderator
Join Date: Jul 2008
Location: India
Posts: 15,290
|
I have Opera 10.50 and Firefox 3.6 installed on my system. I just ran a Secunia scan, and as posted by deya, the browsers are reported to be insecure.
Regarding, the vulnerability in Firefox 3.6, it is not yet confirmed, whether it is really a vulnerability or not. The vulnerability is said to be a zero-day exploit, and discovered by a person... but that person, does not want to tell Mozilla, what the vulnerability is. So, till now, it is not yet confirmed. That can be seen on the security advisory page of Firefox 3.6 on Secunia too. About Opera vulnerability, on the security advisory page, the name of the person who discovered is there... and also the vulnerability is said to be confirmed. Its surprising though, because Opera 10.50 final version was released just few days ago. I wanted to post about that version too, because Opera has tried to look like Chrome with this new version. But, that later maybe. No browser is totally secure. Vulnerabilities are discovered in them all. But, the question is how soon they are patched. Several vulnerabilities keep popping up in IE, and get patched slowly. I don't know about other browsers, but Mozilla are very quick to patch the vulnerabilities. That's why non-IE browsers are said to be more secure. IE8 is certainly secure than its previous versions... but still, vulnerabilities are found and take time to patch. Mozilla take the vulnerabilities quite seriously, and patch them soon. I agree about the latest versions being released before time, and before thorough checking. Its happening with both browsers and software. I use Firefox... and I should say, I will applaud Mozilla for taking their time with the release of this version. Firefox 3.6 was targeted to be released in Dec 2009... but it was released much later in 2010. This shows that Mozilla took their time in releasing Firefox 3.6, and did not hurry, even if their target dates had passed. Result is a great version release. Similar was the case with Avast. They also took their time in releasing Avast 5, and released it a much later date than scheduled. This shows their seriousness. I really like Firefox, and Avast, and will keep using them.
__________________
Anupam Last edited by Anupam; 05. Mar 2010 at 11:22 PM. Reason: Corrected some mistakes |
|
|
|
|
06. Mar 2010, 08:02 AM
|
#4 (permalink) |
|
Super Moderator
Join Date: Jul 2008
Location: India
Posts: 15,290
|
The vulnerability in Opera is confirmed.
http://www.theregister.co.uk/2010/03...vulnerability/ The link was posted by an anonymous user on the main site.
__________________
Anupam |
|
|
|
|
06. Mar 2010, 09:14 AM
|
#5 (permalink) | |
|
Senior Member
Join Date: Jan 2010
Location: Not Vegas
Posts: 111
|
Quote:
That is one of the inherent strengths with Linux. A default install gives you nothing more than a standard user account and you have to sudo to gain root/admin level control. Win7 is doing that now, but even Vista gave your the option to become an administrator on initial setup. |
|
|
|
|
|
06. Mar 2010, 11:32 AM
|
#6 (permalink) | |
|
Site Manager
Join Date: Aug 2008
Location: South American Banana Republic, third bunch from the left
Posts: 15,211
|
Quote:
__________________
Buy a Hoover and prove technology sucks. |
|
|
|
|
|
06. Mar 2010, 12:53 PM
|
#7 (permalink) |
|
Senior Member
Join Date: Feb 2009
Location: Wales, UK
Posts: 1,174
|
I've been using Secunia PSI (only on demand) for quite a while now, and have had IE, Firefox and Opera installed for a similar length of time. My observations are that even though all 3 browsers are currently flagged as having vulnerabilities, historically, IE has been vulnerable for the longest periods, followed by Firefox (though much less so), and Opera least of all. It will be interesting to see which one fixes their current vulnerability first (of course I am aware that some holes are easier to patch than others, and indeed that some vulnerabilities are considered more serious than others).
|
|
|
|
|
06. Mar 2010, 01:30 PM
|
#8 (permalink) |
|
Senior Member
Join Date: Oct 2009
Location: UK
Posts: 1,505
|
Thank you for the response. I agree with all that's been said here, I posed the question really because I think there is confusion surrounding this issue. And while I agree that no browser is 100% safe and that devlopers release patches to combat threats the thing is, they still exist, according to Secunia PSI.
If you have these programs installed, as many do, and one program is telling you that you have unsecure software installed but there is, as yet, no fix then I think this is the confusing part. Secunia PSI is very useful software, I use it and recommend that others use it every once in a while to help keep installed software updated with the latest versions, patches etc. Secunia are a reputable company, but could it be that the wording that they use to report certain threats is maybe a little over cautious ?.. which in turn leads users into confusion as to what action to take. The words 'not safe', 'unsecure' and 'critical' for example. Just take for an example this website, gizmos. On the 'Best Free Web Browser' page the joint top recommendations are Firefox and Opera, and nothing wrong with that recommendation at all because, as we know, they're both good (and those recommendations can be found on many other sites so I'm not singling out any one inparticular here) Yet the security threat people say that they have security flaws. I fully appreciate that it's up to the individual to take the advice onboard, or not as the case may be, and that it's okay to use these browsers providing that you to take care to use safe surfing practices. But others don't, and so they cease to use the browsers on the recommentation of Secunia. It's a trust thing, isn't it ? I think that as long as there are criminals out there looking to exploit weaknesses in Web browsers then this will be a never ending story, that's just the way of things unfortunately. But I also think that this whole browser war thing, and the developers seemingly endless need to keep outdoing the competition is doing more harm than good, and that perhaps the security threat people ought to think about the wording in their advisories if the threats can not be proven. It would be great to hear from some of these developers, or Secunia to explain their point of view. I post questions like this on here because I know it has a huge volume of readers, and that maybe someone from one of these company's happens across it and it prompts them into a response.. I know that this won't happen. But at the moment all that seems to be happening is people saying to me "oh, I'm just going to use Internet Explorer and take my chances because they all seem to have their faults".. that's a direct quote from a friend of mine just this morning. So by causing this confusion the opposite of what the developers want is happening, people who just want to use the internet are reluctant to change from IE. And I'm even beginning to wonder myself if that is indeed the case, in terms of what's secure and what's not. |
|
|
|
 |
| Thread Tools | |
| Display Modes | |
|
|
Linear Mode
