Buggy browsers

GomJabbar
Moderator
Posts: 9765
Joined: Tue Jun 07, 2005 6:57 am

Buggy browsers

#1 Post by GomJabbar » Tue Sep 26, 2006 5:12 am

Symantec: Browser Bugs Rampant in '06
CIO Magazine wrote:According to Symantec’s twice-yearly Internet Security Threat Report, hackers found 47 bugs in Mozilla’s open-source browsers and 38 bugs in Internet Explorer (IE) during the first six months of this year. That’s up significantly from the 17 Mozilla and 25 IE bugs found in the previous six months.

Even Apple’s Safari browser saw its bugs double, jumping from six in the last half of 2005 to 12 in the first half of 2006. Opera was the only browser tracked by Symantec that saw the number of vulnerabilities decline, but not by much. Opera bugs dropped from nine to seven during the period.
------------
"There is no safe browser," said Vincent Weafer, senior director with Symantec Security Response. "If you’ve got a browser, make sure you’re configuring it correctly," he added.
DKB

dsigma6
Senior ThinkPadder
Posts: 2299
Joined: Wed Apr 26, 2006 2:13 pm
Location: Philadelphia, PA
Contact:

#2 Post by dsigma6 » Tue Sep 26, 2006 7:29 am

What are the chances that the firefox bugs in the first half of this year are gone, and no more have been found! :P
[Current] [Dell Latitude D630] : [Past] [T43] [T40] [T23] [T20] [R40] [X22] [600E] [570] [765D]

GomJabbar
Moderator
Posts: 9765
Joined: Tue Jun 07, 2005 6:57 am

#3 Post by GomJabbar » Tue Sep 26, 2006 7:35 am

I've been using Opera for the last 6 months or so. Seems like a good choice. 8)
DKB

christopher_wolf
Special Member
Posts: 5741
Joined: Sat Oct 08, 2005 1:24 pm
Location: UC Berkeley, California
Contact:

#4 Post by christopher_wolf » Tue Sep 26, 2006 12:39 pm

If you want real security, go to a browser like Off-by-One or the like. Extremely minimal and practically no security bugs whatsoever. It is perhaps the lowest you could go without getting an actual text-only browser. :)
IBM ThinkPad T43 Model 2668-72U 14.1" SXGA+ 1GB |IBM 701c

~o/
I met someone who looks a lot like you.
She does the things you do.
But she is an IBM.
/~o ---ELO from "Yours Truly 2059"

GomJabbar
Moderator
Posts: 9765
Joined: Tue Jun 07, 2005 6:57 am

#5 Post by GomJabbar » Tue Sep 26, 2006 12:55 pm

No thanks. I'm not that security-phobic.

I am conscious of and cautious when it comes to security, but I am not obsessed by it.
DKB

christopher_wolf
Special Member
Posts: 5741
Joined: Sat Oct 08, 2005 1:24 pm
Location: UC Berkeley, California
Contact:

#6 Post by christopher_wolf » Tue Sep 26, 2006 1:09 pm

Actually, I should have said, "If one wanted real security[...]" first off.
IBM ThinkPad T43 Model 2668-72U 14.1" SXGA+ 1GB |IBM 701c

~o/
I met someone who looks a lot like you.
She does the things you do.
But she is an IBM.
/~o ---ELO from "Yours Truly 2059"

jdhurst
Admin
Posts: 5831
Joined: Thu Apr 29, 2004 6:49 am
Location: Toronto, Canada

#7 Post by jdhurst » Tue Sep 26, 2006 1:13 pm

/me chuckles.

A careful read of the news will tell that, in fact, none of Windows, Mac, Linux, IE, Firefox, and, ... (need I go on) are safe from attack. I have not had a virus on my computers since 1994 when my long-time vendor shipped me a Windows 3.1 box (my first Internet box) and it came with a virus from the vendor build. Needless to say, they were apologetic, supplied me a free anti-virus suite and fixed the machine. None before and none since. Good old common sense always rules.
... JD Hurst

dsigma6
Senior ThinkPadder
Posts: 2299
Joined: Wed Apr 26, 2006 2:13 pm
Location: Philadelphia, PA
Contact:

#8 Post by dsigma6 » Tue Sep 26, 2006 1:21 pm

jdhurst wrote:Good old common sense always rules.
... JD Hurst
Well, that attitude certainly makes sense, and not saying I don't adhere to that... but you don't have to visit a particular site to find yourself in trouble.
[Current] [Dell Latitude D630] : [Past] [T43] [T40] [T23] [T20] [R40] [X22] [600E] [570] [765D]

christopher_wolf
Special Member
Posts: 5741
Joined: Sat Oct 08, 2005 1:24 pm
Location: UC Berkeley, California
Contact:

#9 Post by christopher_wolf » Tue Sep 26, 2006 1:26 pm

jdhurst wrote:I have not had a virus on my computers since 1994 when my long-time vendor shipped me a Windows 3.1 box (my first Internet box) and it came with a virus from the vendor build. Needless to say, they were apologetic, supplied me a free anti-virus suite and fixed the machine. None before and none since. Good old common sense always rules.
... JD Hurst
:lol:

Did I tell you about the time when I was downloading MS anti-spyware, which came directly from Microsoft's site, installed it, then had it flag the download it came in as having spyware/adware? I ran other 3rd party scans on it and checked what programs came down; sure enough, there was a sneaky sucker of an ad program in there that was "not affiliate with Microsoft" but just happened to come over on the download to show me ads. I was laughing for about 5 minutes at the sheer irony of it. :D

I haven't had a virus/malware/trojan/worm on any of my systems for 5 years running and I have been to the literal edges of the web. Most of such malware depends on the user being not so bright, a little too click happy, and not nearly enough backup happy. ;) :)
IBM ThinkPad T43 Model 2668-72U 14.1" SXGA+ 1GB |IBM 701c

~o/
I met someone who looks a lot like you.
She does the things you do.
But she is an IBM.
/~o ---ELO from "Yours Truly 2059"

DIGITALgimpus
Senior Member
Posts: 774
Joined: Sat Aug 20, 2005 1:01 pm

#10 Post by DIGITALgimpus » Tue Sep 26, 2006 5:28 pm

These reports aren't exactly fair. They only count the data that they have, so an open source project will by default have many more security issues reported... if someone reports something privately to Microsoft without disclosure, or a MS audit turns something up, it's not counted.

So all that's reported for IE bugs, is what MS and some security groups report, that's not necessarily the entire list.
T43 (2687-DUU) - 1.86GHz, 1.5GB RAM, 100GB 5400 (non IBM-firmware Hitachi 5k100) HD, Fingerprint Scanner, 802.11abg/Bluetooth, ATI x300

archer6
Moderator Emeritus
Posts: 2674
Joined: Thu Mar 09, 2006 10:51 pm
Location: California, USA

#11 Post by archer6 » Sun Oct 01, 2006 3:56 pm

jdhurst wrote:I have not had a virus on my computers since 1994 when my long-time vendor shipped me a Windows 3.1 box
christopher_wolf wrote:I haven't had a virus/malware/trojan/worm on any of my systems for 5 years running
OK guys, you certainly have my attention. I've only had a few in the last 5 years but that's a few too many.

Please share your software setups / computing practices that have yielded such stellar results, regarding AntiVirus, Spyware, Firewall protection etc.

Thanks.... :D
Favorites From My ThinkPad Collection

Workstations... T40p ~ T41p ~ T42p ~ T43p ~ T60p ~ T61p ~ W500 ~ W510
T Series..... T22 ~ 30 ~ 40 ~ 41 ~ 42 ~ 43 ~ 60 ~ 400 ~ 500 ~ 510
X Series..... X20 ~ 30 ~ 40 ~ 60 ~ 60s ~ 200 ~ 200s ~ 301
Netbooks... S-10 ~ S-12

jdhurst
Admin
Posts: 5831
Joined: Thu Apr 29, 2004 6:49 am
Location: Toronto, Canada

#12 Post by jdhurst » Sun Oct 01, 2006 5:06 pm

archer6 wrote:<snip>
OK guys, you certainly have my attention. I've only had a few in the last 5 years but that's a few too many.

Please share your software setups / computing practices that have yielded such stellar results, regarding AntiVirus, Spyware, Firewall protection etc.

Thanks.... :D
1. Always have a good Anti Virus installed. Make your own choice, but use one.
2. Always have a software firewall running in addition to a hardware firewall. On a laptop, you may not always be behind a hardware firewall.
3. Install a spyware tool. I use Ad Aware Pro.
4. Use a mail pre-screen tool. I use Mail Call 2, but there are newer ones out there. These allow you to look at your mail, and delete dodgy or unwanted mail from the POP server before downloading into your email client. Exchange servers are different, but your company should be protecting those.
5. Make certain your virus application is scanning incoming mail at all times - NO exceptions.
6. Don't visit dodgy sites on the Internet.

... JD Hurst

christopher_wolf
Special Member
Posts: 5741
Joined: Sat Oct 08, 2005 1:24 pm
Location: UC Berkeley, California
Contact:

#13 Post by christopher_wolf » Sun Oct 01, 2006 6:08 pm

Well, here are mine :)

For Downloading:

1.) If the site URL seems, in any way, suspicious, do not download anything from it. Sounds simple, but there are hotlinking techniques that can redirect your browser through a jungle of relays that terminate in a questionable URL. Check the URL via the "Properties" via context menu if need be.

2.) Check the MD5 sum of the file with a trusted source of the checksum if you can, this will let you know if it has been tampered with en route or was maliciously planted; it also lets you know if the file is corrupt or not.

3.) If there are any unexpected file types in it, do not run it; for example, if you wanted to obtain a series of pictures and instead got some pictures with a few *.exe or *.bat files as well, you should be *very* suspicious.

4.) There should almost *always* be a README file in ASCII text; the file extensions vary, the best thing is to try and open it up in WordPad, NotePad, UltraEdit 32, or Vim to see if it is indeed a text file and whether or not it has a readme to it. This is an excellent way to detect malware as, in general, most legit software will inform you as to what it will be doing, or want to do, on your system.

5.) If you are still suspicious about an executable, run it with limited access user credentials. Set up an account on your system that is to be used for this purpose and doesn't have admin, operator, or superuser privileges. It should only do what you expect of it and shouldn't require such privileges unless you either knew about it in advance or know, from a trusted source, that it must have such privileges to run. In addition, it should exit in a very clean manner if it does need those privileges and cannot acquire them; once it does so, it should inform you about the issue with a dialog box that conveys the information correctly. It should *not* quit, hang, spin off various other jobs (check the task manager), or peg the CPU at high levels of use. There are exceptions, but cleanly written and transparent code is almost always not malicious.

For Browsing:

1.) Check the URL, then double check to see if everything on the page makes sense, in one way or another, and there are no clusters of links that take you to a site whose content has nothing to do with the original site. This is usually the first step in most phishing operations and they can be extremely intricate; as an example, 419ers created an almost exact, and precise, replica of the InterPol website. If you are unsure, do a whois or DNS lookup on it.

2.) If it is for any type of transaction, involving either money or information, make sure that their contact information works and that you can contact a representative if need be. Check to make sure they respond to your emails in a prompt and timely fashion as well and that their mail handler is trustworthy enough not to accidentally drop or corrupt emails.

3.) For any commercial email or announcement on a mailing list you get from them; there should be an Opt-Out disclaimer at the bottom and various other links to unsubscribe to the email list.

4.) Check the reputation of the website and its content with other users if at all possible. This has the added benefit in weeding out real idiosyncrasies from actual anomalous and/or suspicious behavior on the part of the site.

5.) Check the background of the site and who posted what about it on various newsgroups, mailing lists, forums, etc. If there is an unusual amount of untoward comments in relation to the site, then tread with caution.

Firewall, Anti Virus, Anti-Spyware, and Email:

1.) Get a Firewall that has good transparency when it comes to viewing the inbound and outbound traffic, it would be great if it could resolve the outbound IPs and inbound ports as well in real time (Kerio does this rather well). If something looks like it either shouldn't be contacting an unfamiliar IP, then it could be regarded as highly suspicious. Some firewalls also help stop code injection techniques via invalid instructions. Form an update schedule for the AntiVirus software and schedule scans. *Always* set the Antivirus software up such that it will scan both incoming and outgoing mail from selected email accounts; this is very important.

2.) If you do choose to use AV software, set it up such that it scans everything that is downloaded from either your browser or various IM clients; the AV software should have a whole bunch of command line options for that (AVG is a good example) where you can specify to scan a single file after it has finished downloading. I would also recommend antispyware such as Spybot S&D and Ad-Aware and daily scans.

3.) Form a vault or other secure area to test suspicious files and/or store known threats on a physically removable device that is well marked. Keep it clean and organized, make sure you know *exactly* where infected files get stored.

4.) Limit physical access to your system with strong passwords and make backups of critical data using a secure USB stick/storage device with encryption software. In the event that the files are compromised or otherwise tampered with, you can restore them from backups and view the changes made before and after to get a better idea of the threat.

5.) Create a set of, high entropy, 20+ character strong passwords and use a different one each time. If possible, try to use the fingerprint reader in crowded public areas and avoid slowly typing out the password. Create a schedule where you refresh the password every month or 2 months.


There are more, but I figure that this post is a wee bit too long as it is; if there is more interest in this, I could always make a little article and post it in the HOWTO & FAQS area of the forums. :)
IBM ThinkPad T43 Model 2668-72U 14.1" SXGA+ 1GB |IBM 701c

~o/
I met someone who looks a lot like you.
She does the things you do.
But she is an IBM.
/~o ---ELO from "Yours Truly 2059"
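
The download checks in steps 2 and 3 of the post above (compare the checksum with a trusted value, then look for unexpected file types), as an added example that is not part of the original post. The extension list, function names and the in-memory sample archive are assumptions constructed for illustration; the post names MD5, and the function accepts any `hashlib` algorithm so a SHA-256 value can be used where the publisher provides one.

```python
import hashlib
import hmac
import io
import zipfile
from pathlib import PurePosixPath

# Assumed, non-exhaustive list of extensions that Windows treats as runnable.
RISKY_EXT = {".exe", ".bat", ".cmd", ".com", ".scr", ".pif", ".vbs", ".msi", ".lnk"}

def digest_matches(stream, expected_hex, algorithm="md5"):
    """Hash the download in chunks and compare with the published checksum."""
    h = hashlib.new(algorithm)
    for chunk in iter(lambda: stream.read(65536), b""):
        h.update(chunk)
    return hmac.compare_digest(h.hexdigest(), expected_hex.strip().lower())

def unexpected_members(stream, allowed_ext):
    """List archive members whose final extension was not expected."""
    findings = []
    with zipfile.ZipFile(stream) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Only the last suffix decides how Windows opens "photo.jpg.exe".
            ext = PurePosixPath(info.filename).suffix.lower()
            if ext not in allowed_ext:
                kind = "executable" if ext in RISKY_EXT else "unexpected"
                findings.append((info.filename, kind))
    return findings

def build_sample_zip():
    """Constructed sample: pictures and a README plus two stray executables."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("pics/beach.jpg", b"\xff\xd8 constructed")
        zf.writestr("pics/sunset.jpg.exe", b"MZ constructed")
        zf.writestr("README.txt", b"constructed readme")
        zf.writestr("run.bat", b"@echo constructed")
    return buf.getvalue()

if __name__ == "__main__":
    blob = build_sample_zip()
    published = hashlib.md5(blob).hexdigest()  # stands in for the site's value
    print("checksum ok:", digest_matches(io.BytesIO(blob), published))
    print("tampered ok:", digest_matches(io.BytesIO(blob + b"\x00"), published))
    for name, kind in unexpected_members(io.BytesIO(blob), {".jpg", ".txt"}):
        print(kind, name)
```

The archive is inspected without extracting or running anything, so the listing can be reviewed before any member touches the disk.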

Puppy
Senior ThinkPadder
Posts: 2264
Joined: Sat Oct 30, 2004 4:52 am
Location: Prague, Czech Republic

#14 Post by Puppy » Mon Oct 02, 2006 5:18 am

Hackers claim zero-day flaw in Firefox
http://news.com.com/Hackers+claim+zero- ... g=nefd.top
