Saturday, November 25, 2006

MSIE 7 and Firefox 2 Still Not Reasonably Secure

We heard all the security hype when MSIE 7 and Firefox 2 came out, and it turns out it was tons of hype and hoopla that was completely meaningless. They'll stop us from being phished, but those Java trojan horse and worm vulnerabilities still exist and have a revolving door to get into your computer if you have Java enabled.

This issue was highlighted in a recent post, "McAfee SiteAdvisor Green Lights Notorious Malicious Sites," but I thought I'd post about this again just in case people missed the part at the bottom of that long post highlighting how all of these vulnerabilities existed long before either version shipped, and they simply didn't fix them or give us reasonable controls to hinder the problem.

The simple solution to avoid things like the Win32/Agent.RX trojan is to disable Java altogether: not JavaScript, but Java itself. The problem is there are a lot of useful applets all over the net, especially the fun ones like games on Pogo.com or Yahoo Games, so eventually we'll want to turn Java back on in the browser for those sites.

Now the hard question:

Just how hard would it be for the browsers to allow us to enable Java and JavaScript per site?


This was a very blatant oversight of a well-known vulnerability, yet it still exists in recently released products without any type of protection other than to completely disable Java. If that Java option per site exists, I sure missed it as I snooped around the options before posting this. If it's there, it's buried somewhere in the basement of options or I'm blind, as nothing just hopped out about this issue other than to disable Java altogether.

Funny, they have silly options for privacy freaks to ask about cookies, or remembering passwords, and all sorts of other good things, but when it comes to real security, WHAMMO! Here comes the trojan without so much as a warning.

If you can warn about installing add-ons without first asking permission, how hard can it be to simply ask first if we want to load Java?

That's a very strong statement from at least 2 browser providers that have made it very clear they don't give a shit if we get hacked or not if we have Java enabled. The technology to stop the browser from loading Java without asking permission is so simple that an apprentice programmer could implement it.

Had my virus scanner not been up-to-date, I'd have been screwed pure and simple.

Gee thanks browser makers, thanks for these major security updates.

5 comments:

cdman83 said...

Firefox actually has an extension which can enable Javascript on a per-site basis (get it from https://addons.mozilla.org/firefox/722/ ). As for Java it is secure (although slow and a memory hog) if (a) you didn't accept bogus certificates and (b) you use an up to date JVM. I would be curious what the case is in your situation and also what AV product you use and why.

IncrediBILL said...

Why in the heck should people get add-ons and extensions for something that should be built into the browser?

cdman83 said...

Because "people are dumb" :). Jokes aside, very few people understand what javascript is, how it works, etc. Turning it all off would just result in an "it doesn't work" reaction. Security is not a state, it is a mindset which is similar to paranoia :). In my opinion the majority of the people are not willing to make an effort (invest money, time, etc) to learn how things work and how they can stay secure.

Sander said...

In all mozilla-based browsers, you can enable/disable all kinds of content on a per-site basis with hostperm.1; there's just no user interface for it at this point.

I suspect Java would fall under the "object" type of content as listed here: http://wiki.mozilla.org/User:Mvl/permissions - but if not, try the others.

IncrediBILL said...

Sander,

I know that sort of thing is available but it doesn't help non-technical types as it's certainly not user friendly. You think my 70+ year old mom would find it in the first place and figure it out if she did?

Possible, but highly unlikely.

Besides, the MSIE crowd has nothing comparable and sadly the world still uses MSIE more than anything else.