Here we go again
Here we go again, let's not tell anyone what it is until we fix it, in a few months' time.
Yahoo, yippie Kai Yay!
Browser manufacturers will release an update in the next few weeks to block a new type of malware that exploits a cross-platform flaw that allows attackers access to Mac, PC, mobile, and even games console internet users. "PC, Android, Mac – the vulnerability hits them all the same," said Sveta Miladinov, founder of the …
AMEN! I'd like to know what this exploit looks like - is it the ability to fake a page's URL, making www.honestsite.evilsite.com look like www.honestsite.com, is it the ability to do cross-site scripting to scrape user credentials, or what? Is it Javascript based, or CSS, or plain HTML? Will not running Javascript (e.g. running NoScript) block it? What mitigating actions (other than unplugging our computers and sobbing in the corner) can we take?
ANNNNNN-D! Why doesn't No Such Agency just dispatch a GlobalHawk and patch with extreme prejudice the people who exploit it?
That's quite an interesting graph, one that should concern a regular poster who does not like Microsoft.
It should also concern those who favor Opera in the EU browser wars and those who dislike Google/Android.
It seems to me that Microsoft has done quite a bit to make IE10 more safe and robust than their earlier versions as well as improve it against its competitors' products.
Will there ever be even faint praise for MS? Only time will tell.
"It should also concern those who favor Opera in the EU browser wars and those who dislike Google/Android."
Well, I can't see Opera on the graph, so I don't know whether to be concerned or not. I'm going for "not" as browser infections are vanishingly rare unless the user is a moron.
No kidding. I love Firefox, but that graph greatly concerns me.
Especially since I use KIS to protect my computer. KASPERSKY INTERNET SECURITY browser protection add-ons don't work with a new Firefox version until typically 6 weeks after that Firefox version is put into production.
Kaspersky refuses to address the issue by getting involved in Firefox's beta program, getting a preview of what is going into production so they can be compatible on day one.
"Especially since I use KIS to protect my computer. KASPERSKY INTERNET SECURITY browser protection add-ons don't work with a new Firefox version until typically 6 weeks after that Firefox version is put into production.
Kaspersky refuses to address the issue by getting involved in Firefox's beta program, getting a preview of what is going into production so they can be compatible on day one."
/me thinks I'd be dropping that thing into the bitbucket with the rest of the trash if they can't play nice with everyone else and actually provide me the protection they say they provide.
Why should that graph concern anyone, or show that IE is better as you seem to be trying to imply? The number of blocked threats is irrelevant, the number of unblocked threats is all that matters. The graph is silent there.
Isn't it possible that there are websites that do something like 'if browser = IE then attempt exploit' but maybe don't do it for some other browsers? This is rather like saying Windows AV software is better than the same company's AV software on Mac OS, because the Windows version neutralizes 100x more viruses!
"I've spent the last few years saying "this year will be the year that there's a big virus attack on Macs", and every year so far I've been wrong. Perhaps there won't be a widely spreading attack, just exactly the same kind of phishing attacks aimed at users of all platforms."
More like the Mac/Pc ratio is still far too small for miscreants to bother!
The graphs are apparently tests of lab computers with vanilla installs of the browsers with any AV internet security add-ons turned off.
So I explain the graphs as MS making a much more secure browser this month than Google, Apple and Mozilla.
The big question for me is whether the graphs are like this month after month.
Did MS merely have a good month?
Did Mozilla merely have a bad month?
IF this is how it typically has been for the past year, I would seriously consider going back to MSIE from my beloved Firefox. (Especially, as I said above, because the Kaspersky KIS I use isn't usually compatible with the latest FF release until it's been out 6 weeks.)
Those kind of results have been pretty consistent for a long time now. IE may once have deservedly had a reputation for poor security, but Microsoft have done impressive work in massively improving things and it really is the safest browser by a long way these days.
"primarily intended for use in phishing attacks rather than giving access to full systems"
OK maybe I should wait until details are out, but "phishing" sounds like a brain attack, not a system attack.
A browser can't really defend against that *unless* it phones home all the time in order to block what its home base considers insecure.
Not exactly what i want my browser to do.
(I use various versions of FF at home, as far back as 3.0.x {ofc always with NS and AB}, use IE at work, but Chrome? uuuuhhh)
Microsoft have done impressive work in massively improving things and it really is the safest browser by a long way these days
"The safest browser" is a meaningless phrase. Browser "safety" is far too vague a term to indicate anything useful in the abstract; information-system security is only meaningful in the context of a threat model. And if "safety" did mean anything useful in this context, it would primarily be a function of the user's actions.
Shame that IE-9 is so fragile.
It regularly crashes and asks nicely if it can search the web for a solution. It sometimes happens just when it is sitting there open on a page that is totally static HTML.
Then there is IE-10. Half the sites I visit don't render properly and some WebMail accounts that I have don't even work with it.
No wonder that IE-6 is still out there in the wild.
As a result, I have relegated IE to use only when I visit MS sites.
Firefox with Adblock-Plus, FlashBlock and NoScript is my main browser. There again I got do visiting Pron sites that I know (from a friend's experience) are loaded with malware.
I am beginning to wonder if these graphs should also have % malware by site type included.
That would give another view on the problem.
I don't understand why you are using all three addons when NoScript does what FlashBlock does (a Flash embed won't load until you give permission in NoScript). Most ads are JS enabled and therefore NoScript blocks those, as well.
So why use all three?
Unlike you, instead of dumping FF and going to IE, I preferred to dump the antivirus and I'm perfectly happy without it. Just keeping Windows and everything else patched, logging in with low privileges and not using IE kept me safe for the past few years. As somebody was mentioning here, insurance does not protect you against accidents.
The notion of a vulnerability that works across all these environments (remember: the article quotes the reporter as saying it works on 'PC, Android, Mac'), without touching shared code, suggests that it's not really the browser that's the problem...
I mean, what do PC, Android and Mac have in common in terms of platform? You could argue Webkit, seeing how Chrome on all platforms, plus Safari all use Webkit, but that's not really the point being made if 'potentially' games consoles are vulnerable.
For it to be a cross-environment vulnerability, it must target something common to each environment, and the first thing that comes to mind is the bit after the browser, after the operating system, i.e. DNS. Another DNS poisoning/MITM type attack?
As for the graphs, I'm really not sure what to make of that exactly. I'd argue that most people who intentionally veer off the straight and narrow (IE land) are probably more aware of the kinds of things out there and less likely to click on something that seems phishy.
My money is on a fundamental design flaw in the JavaScript language. Some feature or a combination of features that is implemented the same way in all major JavaScript implementations. This could be hard or impossible to fix without breaking compatibility with some web pages.
But soon we will know.
Since it's cross-platform and cross-browser, is it maybe some bad handling of Internationalised Domain Names and character sets and lack of notifications going between one SSL site and another equally-valid SSL site with an almost-same-looking name?
Or even an identical-looking name that doesn't get flagged up (they fixed that obvious one already, right?) because e.g. a plain-looking 'e' appears elsewhere in the character set, e.g. in the 'accented' section. But if it's an SSL-secured site, it's safe, right...?
And even if it's visibly wrong when you hover over the link, can one 'hover' on a fondleslab to see it?
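The homograph scenario raised above, as an added example that is not part of the original thread: a small Python check that shows the on-the-wire punycode form of a hostname (the form a URL bar may hide) and flags any DNS label that mixes scripts, such as a Latin name with one Cyrillic letter swapped in. The hostnames are constructed for illustration.

```python
import unicodedata

# Constructed sample hostnames (not from the thread). The second replaces the
# Latin 'e' with Cyrillic 'е' (U+0435), which renders identically in most fonts.
SAMPLE_HOSTS = ["example.com", "exampl\u0435.com", "b\u00fccher.de"]


def to_punycode(host: str) -> str:
    """Return the A-label (xn--) form that is actually sent in DNS queries."""
    return host.encode("idna").decode("ascii")


def to_unicode(host: str) -> str:
    """Decode an xn-- hostname back to its displayed Unicode form."""
    return host.encode("ascii").decode("idna") if host.isascii() else host


def scripts_in_label(label: str) -> set[str]:
    """Collect the scripts used in one label, taken from Unicode character names.

    ASCII letters count as LATIN; digits and '-' are script-neutral and skipped.
    Non-ASCII characters are classified by the first word of their Unicode name,
    e.g. 'CYRILLIC SMALL LETTER IE' -> 'CYRILLIC'.
    """
    scripts: set[str] = set()
    for ch in label:
        if ch.isascii():
            if ch.isalpha():
                scripts.add("LATIN")
            continue
        scripts.add(unicodedata.name(ch, "UNKNOWN").split(" ")[0])
    return scripts


def is_mixed_script(host: str) -> bool:
    """True if any label of the hostname mixes scripts (the classic homograph sign).

    This is a deliberately strict check; real policies (UTS #39) allow some
    legitimate mixes such as Han + Hiragana + Katakana in Japanese names.
    """
    return any(len(scripts_in_label(label)) > 1
               for label in to_unicode(host).split("."))


def report(host: str) -> dict:
    """Summarise what a user sees versus what the resolver sees."""
    return {"displayed": to_unicode(host), "wire": to_punycode(to_unicode(host)),
            "mixed_script": is_mixed_script(host)}


if __name__ == "__main__":
    for h in SAMPLE_HOSTS:
        print(report(h))
```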
Call me paranoid, but it suspiciously looks like yet another tiny company trying to get some cheap publicity by blowing out of proportion some aspects of misusing a perfectly normal feature. Like, "if you click on a URL to an infected file it <gasp> downloads it. And if you click yes a couple of times it OPENS IT AND INFECTS THE WHOLE WORLD!"
IE10 may be more secure than Chrome, FF, Safari but is only available on Windows. So if you're running iOS, Android, Mac OS or even Windows versions prior to 7 you can't install it. And I hardly see the millions of users of these other OSes throwing out their devices and buying Windows 8 just to get IE10.
Or webmasters?
Buttons, which do not reveal their destinations, are plain evil.
Mouseover events triggering JS are plain evil.
Mystery meat navigation - silly, but evil nonetheless.
Fortunately we can cross off the dreaded iframes, as those seem to be out of fashion now.