Germany warns surfers against Firefox

Germany's official cyber-security response team is advising surfers not to use Firefox pending the release of a patch to defend against a critical unpatched vulnerability. BürgerCERT, a division of the German federal government's Federal Office for Information Security (BSI), warned surfers to steer clear of the open source …

COMMENTS

I think I was hit by this yesterday.

I was running Firefox 3.6 and last night I clicked to open up a page on ThePirateBay and got immediately rooted. Now, I wasn't executing anything, or downloading any torrents, just opening a page with torrent details hit my machine immediately (before you ask, I'm not someone trying to put people off downloading or visiting TPB, other pages on the site were fine, I'm sure it was some rogue ad banner or some crap in the messages). Watched an almighty fight between this and Avast trying to block rootkits and lots of stuff being executed, in the end the rootkit won, Avast disappeared to be replaced by "Vista Anti-Malware 2010".

New hard disk now in my hands, clean reinstall tonight. Lesson learned. Going to use Chrome for TPB in future. And Avast is going in the bin. Still prefer Firefox in general though...

Avast is innocent here !

You, by running as an admin gave permission to an untrusted piece of software to stop and shutdown the Avast anti-virus. Let's be clear, Avast obeyed the orders of an admin and no anti-malware in this (Windows computing) world would have surrendered to that. That's how it is supposed to be!

Sorry to wake you up to this reality.

Sandboxing

I've had the same experience - except for the fact that I use Sandboxie!

So when I watched the AV duke it out with the dodgy website, it was the effort of two mouse clicks to kill all processes running in the sandbox, then empty the sandbox and move on with life. In all, I lost 10 seconds of my life and had no data loss at all.

TRY it people! http://sandboxie.com

Paris - she knows what sandboxes are all about.

Also...

Firefox is also innocent here.

the only person to blame is the freeloader.

Visit dodgy sites, expect shit to happen.....

RE: Sandboxing

I did try it! What a gem!

Thanks for the heads up! I know of a few people that will use this and breathe a sigh of relief.

1 Pint to you.

sandboxie is great

but can only run on 32-bit systems. If MS ever let them port it to the 64-bit world I'll be a happy man.

Still, a 32-bit machine with Sandboxie installed is almost as good.

This has been said a thousand times..

"I was running Firefox 3.6 and last night I clicked to open up a page on ThePirateBay and got immediately rooted."

But, I'd call that poetic justice.

The Emperor's new clothes - fox fur

When are people going to wake up and realise that Firefox is no better than IE.

Do you notice how whenever the fanboys compare them, they love to compare the security record of older versions of IE over the last 15 years against the latest version of Firefox rather than IE8? And when they talk about market share, they always compare individual versions of IE against all versions of Firefox combined rather than separating Firefox 2.0, 3.0, 3.5 or quoting the figure for all versions of IE, etc.

Yes

And indeed, your point is rather neatly proved by the fact that said fanbois can't even muster up a response other a downvote.

Still, it's early, they probably aren't home from school yet.

Why are you an anonymous coward ?

Afraid to show that you are a MS employee ?

Finally!

Exactly. Basically, people just need a basic understanding of what a browser is (lots of people don't; they generally assume Facebook is indeed an application installed on the PC), and that it does need to be updated, like anti-virus, every now and then.

You're correct, neither is better in security TBH, and things like chrome and safari are only 'secure' as they have such small market shares there is little point in developing weaponised exploits for them.

Sorry to disappoint you

The last major problem in IE, if I remember correctly, was the one that was used in the Chinese attack against Google. Although it was targeted at IE 6, the vulnerability was also present in 7 and 8. Microsoft released a fix shortly after the event but they knew about the problem when it was reported to them last August and they did nothing about it. By comparison, Mozilla have already released a fix for this vulnerability, albeit beta, a little over a month after it was reported.

No browser is completely secure, but there is a difference between IE, which was only fixed when there was some seriously damaging PR, and Firefox, which was fixed when the problem was reported.

Yeah !

Yeah, that's right, anyone who disagrees with a fanboi must be an MS shill. And what time *did* you get in from school?

Not long now before the fanboys resort to Nazi analogies

Why must I be a MS employee. Oh per-leese.

You must be a Mozilla employee to not like the inarguable truth of what I say. If you are, go and implement HTML5, CSS3 and SVG as well as Safari, Opera and Chrome, rather than squandering valuable catch-up time on here. If you're not, why do you think I must be for not thinking like you? How very... religious.

Anonymous Coward

@AC

If FF's no better than IE why are you bitching about it?

Anonymous Coward

Outstanding!

"No browser is completely secure, but there is a difference between IE, which was only fixed when there was some seriously damaging PR, and Firefox, which was fixed when the problem was reported."

Couldn't have put it better myself

Business makes money, FOSS makes good software

re : "Nazi analogies"

I think you'll find that you were first to mention them and thus by the corollary to Godwin's Law, you automatically lose the argument.

Anonymous Coward

School is out.....

..........and this 'fanboi' just got home to read this schoolboy howler:

"And indeed, your point is rather neatly proved by the fact that said fanbois can't even muster up a response other a downvote."

And indeed, your point is rather neatly proved by the fact that said fanbois can't even muster up a response other than a down vote.

See what I did there, Steve?

"Rooted" ??

"I was running Firefox 3.6 and last night I clicked to open up a page on ThePirateBay and got immediately rooted."

Do I correctly assume you ran FF as "Administrator" ? That is a very, very bad idea.

Hint: There is no need to do that, especially when you surf the intertubes. Set up a user w/o administrative rights and use the "Administrator" only when necessary (to install SW, configure network address etc).

Good & Basic advice, but...

How many of us run as admin, just because it's easier? I'm guilty of it more often than I should be, and I'm pretty sure I'm not the only one. I have an admin account and a user account, and when I install new shinies, I use the admin account - and will frequently surf whilst I do so, without really thinking much about it.

Yes, we should know better, but until it happens close to home, many of us* will personally do the very things we complain about the users doing.

(*yes, I know I'm opening myself up for criticism for saying this, and may get a mountain of "I NEVER do that!!" responses, but I do it, and know a bunch of other people all over the world in various aspects of the IT industry who do exactly the same.)

Certainly

And it is necessary because the #!"¤% developers don't have a clue how to build their programs so they can run under non-admin accounts.

Pass the buck

As a developer, I have to admit you're about 95% correct on that one... though it's usually not so much 'don't have a clue' as 'aren't allowed to'. In most cases corporate management are the ones that don't have a clue, and they give unrealistic expectations such that it's not possible to finish the application "the right way".

Anon so my company doesn't hunt me down.

Re: Certainly

Send such software back as "Broken, didn't run on my PC." and demand a refund. If need be, point out that expecting end-users to run as admin is equivalent to expecting them to post their bank account password online. (See above, for an example of why.)

OK, I can appreciate that you might have a fight on your hands but anyone who thinks such software is fit for purpose in 2010 needs a visit from Trading Standards. It is no longer acceptable (if it ever was) to say that parts of the software were written a long time ago when this sort of thing was accepted. It wasn't (MS have been railing against this for over a decade) and even if it was, it is no longer and such products should be withdrawn from sale.

Only when these tossers are no longer allowed to sell such criminally negligent offerings will they bother to learn how to program.

Re: non-admin users

What!?! You mean there can actually be more than one user logged on the system running my stupendous code? Never!

Anonymous Coward

UAC?

Possibly the only time to support UAC from Vista/Win7, but this would prevent this kind of access by alerting you to items trying to utilise admin rights, so long as of course you've not turned it off....

But isn't that the case with anything? Lots of problems I've come across before have been when people have seen a popup that says 'Do you want anti-virus? It will make you safe!', click yes, then hello rootkit....

UAC is per process

and indeed, for the life of a process, so it's less helpful than you might think. Plus you can turn it off, which means that relying on it for security is broken. And as you say, the 'ask the user' model is definitely broken.

But there isn't really anything a browser needs to do that requires elevated permissions anyway. FF will run quite happily from a normal user account on Windows as well as unix type systems.

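
The two posts above (set up a non-admin account for surfing; UAC applies per process and for the life of that process, and can be switched off) describe a procedure without showing it. The following PowerShell is an added example, not code from any commenter or from Mozilla: it reports whether the current process holds the full (elevated) administrator token, whether the logged-on account is a member of Administrators at all, and whether UAC is still enabled, and it creates a separate standard user for browsing. It assumes Windows Vista or later with UAC; the account name "browser" is a placeholder for this example.

```powershell
# Added example, not from any comment above. Assumes Windows Vista or later
# with UAC; the user name 'browser' is a placeholder chosen for this example.

# True only when THIS process holds the full (elevated) administrator token.
# Under UAC an admin's normal processes run with a filtered token in which the
# Administrators SID is marked deny-only, so IsInRole returns $false there.
# The result is per process: elevating one program does not elevate the others.
function Test-IsElevated {
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
}

# True when the account is in BUILTIN\Administrators at all, elevated or not
# (the deny-only SID still appears in the token's group list). Such an account
# is one consent click away from full admin; a browser should not run under it.
function Test-IsAdminMember {
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $adminSid = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList `
        ([System.Security.Principal.WellKnownSidType]::BuiltinAdministratorsSid), $null
    # S-1-5-32-544 is the well-known Administrators SID.
    return [bool]($identity.Groups | Where-Object { $_.Value -eq $adminSid.Value })
}

# UAC can be switched off (EnableLUA = 0). Then every process of an admin
# account gets the full token and the elevation prompt never appears.
function Test-UacEnabled {
    $key   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $value = (Get-ItemProperty -Path $key -Name EnableLUA -ErrorAction SilentlyContinue).EnableLUA
    return ($value -eq 1)
}

# Create a separate standard (non-admin) local user for browsing. 'net user'
# and 'net localgroup' exist on every Windows version in the thread; '*' makes
# 'net user' prompt for the password instead of taking it on the command line.
function New-StandardBrowsingUser {
    param([string]$Name = 'browser')   # placeholder name
    net user $Name * /add
    # Membership of Users only; deliberately NOT added to Administrators.
    net localgroup Users $Name /add
}

"Elevated process:  $(Test-IsElevated)"
"Admin member:      $(Test-IsAdminMember)"
"UAC enabled:       $(Test-UacEnabled)"
```

Running the three checks from an administrator's ordinary PowerShell window with UAC on should give False / True / True: the process is not elevated, but the account could be. Creating the user needs an elevated shell. Once the account exists, logging in as it (or launching the browser from an admin session with `runas /trustlevel:0x20000 "<path to firefox.exe>"`, which starts it with a basic-user token) gives the browser a token that simply cannot stop the anti-virus or install a rootkit without a password being typed.
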
"Do I correctly assume you ran FF as "Administrator" ? That is a very, very bad idea."

Indeed it is.

Allowing Windows to connect to the Internet is an even worse idea.

Anonymous Coward

WIN 7

Or get Win 7 and the UAC will automatically strip out your Admin privileges when you go online. They are learning , you know.

yeah but

That's 2 browsers you are advised to steer clear of; how many are there? None is immune.

total safety = stay off the internet.

Anonymous Coward

BürgerCERT

Can I have fries with that?

hardcore

http://www.sandboxie.com/ - unless you trust the site 100% and it's running on some impenetrable machine with infallible software...

There are probably alternatives but I'm not aware of them.

You're right

There are alternatives like VirtualBox or VMware with a virtual disposable Windows machine or, even better, VMware Player with an Internet browsing appliance. Or, at a minimum, install a copy of Firefox Portable with no plugins, disable JavaScript and you can browse anywhere on the net.

Rogue banner ad??

Isn't the whole point of running FF that you have ABP and NoScript?

Insecure browsing

As of right now IE8, Firefox 3.6 and Safari 4 are all insecure with solutions pending, according to Secunia. The worst potential of those is with Firefox so the German government is taking responsible action. Regardless, running your desktop with admin rights is asking for it.

Add Opera 10.5 to that list

Opera 10.5 also has a potentially exploitable crash bug that is on the "to-do" list as well:

http://my.opera.com/securitygroup/blog/2010/03/09/the-malformed-content-length-header-security-issue

Re: Add Opera 10.5 to that list

<Quote>

Opera 10.5 also has a potentially exploitable crash bug that is on the "to-do" list as well:

</Quote>

The latest version of Opera available at the time of your post has no currently known outstanding security bugs.

Yes it did

Read the linked article in my first post. It is from the _official_ Opera Security Blog. The update was only released AFTER I posted.

Anonymous Coward

so what now?

Don't use IE or FF. Guess that means we use Opera, instead? Or maybe Chrome, because Google is always on Our Side and will Do No Evil. How about we make users smarter instead.

Head, meet desk

"Don't use IE, use Firefo-, no, wait! Use...er..."

Love all the anti-FF crowd coming out to crow - as they normally do - about Firefox and IE both being software (ie, they have bugs).

Let me explain this for you nice and slowly, IE fans. We use FF not because it has less security holes (though it does seem to) - we use it because when there is a problem, the patch comes out a whoooole lot faster. Well, that and a whole host of other reasons.

No browser is immune to security holes/bugs/flaws. None. The difference is in the patching. IE generally takes about an ice age or two. Firefox....doesn't.

*Doot de dooo doooo dooooo*

You acquired a clue! Achievement Unlocked!

FF FTW, again

Not that I want to have a smug moment or anything, but:

http://go.theregister.com/feed/www.theregister.co.uk/2010/03/23/firefox_zero_day_fix/

:-)

Anonymous Coward

Foamy the Squirrel reference?

Given that TVs will all soon be YouTube, NetFlix, MSG or MDK (MSN?) and lord knows what else up to the hilt and have more grunt than Jeremy Clarkson, the choice of rendering and JavaScript engines for these featureful embedded systems will be critical. MSTV? The trust may not be there...

Personally, I would look forward to a DOS attack against episodes of Eastenders.

Foamy Reference

Glad someone spotted it. Hello, fellow Squirrel Cultist!

Just use Opera

Darn sight more secure than IE and Firefox, faster and standards compliant too.

If you want to be even safer (as nothing is 100% safe), then use Opera with its own NoScript to turn off JavaScript and/or plugins, either on a site-by-site basis via Site Preferences (F12) or globally (Ctrl+F12). (You can even do the reverse: turn it off globally and back on for select sites.)

Good time to give Opera 10.51 a whirl, as it got released today, another 20-30% quicker than 10.50 (which was already 20% quicker than Chrome and 60% quicker than Firefox and 700% quicker than IE8).

There's more than just disabling JavaScript...

How is it with cross-site scripting? How is it with redirected clicks (clickjacking, I think it is called). Is there a plug-in to nuke Flash cookies (yes, all the smart people use Flash cookies as your browser doesn't know about them... so they are not usually blocked). Will it disable Flash with a per-object permission model (not per-page or per-site)?

'I'm not someone trying to put people off downloading'

...but you ARE someone who has the brass nerve to moan about 'getting rooted' while poking your nose around the dark and sweaty crevices of the internet?

Here's a wacky idea. Try the tips above that I'll not reiterate as the others have done an admirable job.

Oh, and here's another suggestion - try PAYING FOR SOMETHING instead of stealing it, and you might actually come out of that particular transaction a little cleaner. Sounds like you got what you deserved, all those five-fingered discounts have caught up with you, no?

Paying doesn't make you safe...

"""- trying PAYING FOR SOMETHING instead of stealing it, and you might actually come out of that particular transaction a little cleaner."""

Admittedly buying media / etc would have prevented this particular infection, assuming the user was downloading copyrighted materials, but occasionally media you buy comes with malware too. There was that Sony rootkit on some CDs, and periodically electronics (phones, portable media players, etc) come with their own crap.

"""Sounds like you got what you deserved, all those five-fingered discounts have caught up with you, no?"""

Also I might recommend that you be a little less of a douche. I doubt that'll happen, however.

Errr ...

http://www.theregister.co.uk/2005/11/01/sony_rootkit_drm/

That's all...

Really?

Are you actually trying to justify piracy (and by extension the THEFT) of copyrighted material, contrary to common law, because sometimes, once in a blue moon, an M$ trojan makes its way onto your shiny new Sat Nav from the manufacturer? That argument is weak, to state the bleedin' obvious. It's like saying 'I don't pay my electricity bills because I might get a paper-cut from one'. Lame. I wasn't stating that paying for stuff is a surefire, smiley-face 'malware free' stamp (although back in the real world it mostly is). I was merely pointing out that people in glass houses shouldn't throw stones, as the poster earlier alluded to with his burglar analogy.

Of course this individual was downloading copyrighted materials. Oh no, wait, I just forgot - I always head straight to The Pirate Bay when I want legally available materials instead of going to their official sources! Doh, my bad.

Look, you're right, and perhaps I was a bit of a douche. But whatever way you look at it, piracy is bad news for us all. If you'd ever worked in the creative industries you'd understand the realities beyond your torrent client, how hard it hits the 'small people' - the ones you don't see there on the screen, depriving them and future talent of vital opportunities and the chance of earning their crust. I can only imagine what it does for software developers, who, I would imagine, must be pretty p*ssed off to see people shoplifting the fruits of their fingers. Same difference, no shop.

If you go smashing car windows looking for loot, don't complain when your hand bleeds.

Use of terms

"Piracy" is not theft. Piracy is unauthorised duplication. Unauthorised duplication is not theft, it is unauthorised duplication. Theft is removal of someone's property without permission and the result is that they no longer have it and consequently lose an investment they made in that property. If they were going to sell that property they then lose the potential sale of that property.

You can't pirate someone's chair.

Piracy doesn't involve physically removing stock from a shop. No "five-fingered discount", no physical loss requiring the expense of replacement, no loss of money from a sale that can no longer be made. The argument of potential lost revenue is also incorrect, as the potential revenue is still sitting on the shelves of retailers in the form of physical stock.

It may be wrong, but it isn't theft. Calling it theft simply makes you look stupid.

@Really?

Question: Which part of the Theft Act does copyright infringement come under?

Answer: It doesn't.

Don't bother coming back until you know what you're talking about
