Germany warns surfers against Firefox

Germany's official cyber-security response team is advising surfers not to use Firefox pending the release of a patch to defend against a critical unpatched vulnerability. BürgerCERT, a division of the German federal government's security in information technology (BSI) department, warned surfers to steer clear of the open …

COMMENTS

  1. Anonymous Coward
    Unhappy

    I think I was hit by this yesterday.

    I was running Firefox 3.6 and last night I clicked to open up a page on ThePirateBay and got immediately rooted. Now, I wasn't executing anything, or downloading any torrents, just opening a page with torrent details hit my machine immediately (before you ask, I'm not someone trying to put people off downloading or visiting TPB, other pages on the site were fine, I'm sure it was some rogue ad banner or some crap in the messages). Watched an almighty fight between this and Avast trying to block rootkits and lots of stuff being executed, in the end the rootkit won, Avast disappeared to be replaced by "Vista Anti-Malware 2010".

    New hard disk now in my hands, clean reinstall tonight. Lesson learned. Going to use Chrome for TPB in future. And Avast is going in the bin. Still prefer Firefox in general though...

    1. Anonymous Coward
      Grenade

      Avast is innocent here !

      You, by running as an admin, gave permission to an untrusted piece of software to stop and shutdown the Avast anti-virus. Let's be clear, Avast obeyed the orders of an admin and no anti-malware in this (Windows computing) world would have surrendered to that. That's how it is supposed to be!

      Sorry to wake you up to this reality.

      1. EXAFLOPS'R'US
        Paris Hilton

        Sandboxing

        I've had the same experience - except for the fact that I use Sandboxie!

        So when I watched the AV duke it out with the dodgy website, it was the effort of two mouseclicks to kill all processes running in the sandbox, then empty the sandbox and move on with life. In all, I lost 10 seconds of my life and had no data loss at all.

        TRY it people! http://sandboxie.com

        Paris - she knows what sandboxes are all about.

        1. Anonymous Coward
          Pint

          RE: Sandboxing

          I did try it! What a gem!

          Thanks for the heads up! I know of a few people that will use this and breathe a sigh of relief.

          1 Pint to you.

        2. noboard

          sandboxie is great

          but can only run on 32bit systems. If MS ever let them port it to the 64bit world I'll be a happy man.

          Still a 32bit machine with Sandboxie installed is almost as good.

      2. Anonymous Coward
        Grenade

        Also...

        Firefox is also innocent here.

        the only person to blame is the freeloader.

        Visit dodgy sites, expect shit to happen.....

    2. Deadlock Victim
      Thumb Up

      This has been said a thousand times..

      "I was running Firefox 3.6 and last night I clicked to open up a page on ThePirateBay and got immediately rooted."

      But, I'd call that poetic justice.

  2. Anonymous Coward
    Jobs Horns

    The Emperor's new clothes - fox fur

    When are people going to wake up and realise that Firefox is no better than IE.

    Do you notice how whenever the fanboys compare them, they love to compare the security record of older versions of IE over the last 15 years against the latest version of Firefox rather than IE8? And when they talk about market share, they always compare individual versions of IE against all versions of Firefox combined rather than separating Firefox 2.0, 3.0, 3.5 or quoting the figure for all versions of IE, etc.

    1. The Other Steve

      Yes

      And indeed, your point is rather neatly proved by the fact that said fanbois can't even muster up a response other a downvote.

      Still, it's early, they probably aren't home from school yet.

      1. Anonymous Coward
        Anonymous Coward

        School is out.....

        ..........and this 'fanboi' just got home to read this schoolboy howler:

        "And indeed, your point is rather neatly proved by the fact that said fanbois can't even muster up a response other a downvote."

        And indeed, your point is rather neatly proved by the fact that said fanbois can't even muster up a response other than a down vote.

        See what I did there, Steve?

    2. alain williams Silver badge

      Why are you an anonymous coward ?

      Afraid to show that you are a MS employee ?

      1. The Other Steve
        Flame

        Yeah !

        Yeah, that's right, anyone who disagrees with a fanboi must be an MS shill. And what time *did* you get in from school ?

        1. Anonymous Coward
          FAIL

          re : "Nazi analogies"

          I think you'll find that you were first to mention them and thus by the corollary to Godwin's Law, you automatically lose the argument.

      2. Anonymous Coward
        WTF?

        Not long now before the fanboys resort to Nazi analogies

        Why must I be a MS employee. Oh per-leese.

        You must be a Mozilla employee to not like the inarguable truth of what I say. If you are, go and implement HTML5, CSS3 and SVG as well as Safari, Opera and Chrome, rather than squandering valuable catch-up time on here. If you're not, why do you think I must be for not thinking like you? How very... religious.

    3. idasben

      Finally!

      Exactly, basically people just need a basic understanding of what a browser is (lots of people don't; they generally assume Facebook is indeed an application installed on the PC), and that it does need to be updated like anti-virus every now and then.

      You're correct, neither is better in security TBH, and things like Chrome and Safari are only 'secure' as they have such small market shares there is little point in developing weaponised exploits for them.

    4. Joseph Haig

      Sorry to disappoint you

      The last major problem in IE, if I remember correctly, was the one that was used in the Chinese attack against Google. Although it was targeted at IE 6, the vulnerability was also present in 7 and 8. Microsoft released a fix shortly after the event but they knew about the problem when it was reported to them last August and they did nothing about it. By comparison, Mozilla have already released a fix for this vulnerability, albeit beta, a little over a month after it was reported.

      No browser is completely secure, but there is a difference between IE, which was only fixed when there was some seriously damaging PR, and Firefox, which was fixed when the problem was reported.

      1. Anonymous Coward
        Anonymous Coward

        Outstanding!

        "No browser is completely secure, but there is a difference between IE, which was only fixed when there was some seriously damaging PR, and Firefox, which was fixed when the problem was reported."

        Couldn't have put it better myself

        Business makes money, FOSS makes good software

    5. Anonymous Coward
      Anonymous Coward

      @AC

      If FF's no better than IE why are you bitching about it?

  3. Anonymous Coward
    FAIL

    "Rooted" ??

    "I was running Firefox 3.6 and last night I clicked to open up a page on ThePirateBay and got immediately rooted."

    Do I correctly assume you ran FF as "Administrator" ? That is a very, very bad idea.

    Hint: There is no need to do that, especially when you surf the intertubes. Set up a user w/o administrative rights and use the "Administrator" only when necessary (to install SW, configure network address etc).

    1. Ihre Papiere Bitte!!

      Good & Basic advice, but...

      How many of us run as admin, just because it's easier? I'm guilty of it more often than I should be, and I'm pretty sure I'm not the only one. I have an admin account and a user account, and when I install new shinies, I use the admin account - and will frequently surf whilst I do so, without really thinking much about it.

      Yes, we should know better, but until it happens close to home, many of us* will personally do the very things we complain about the users doing.

      (*yes, I know I'm opening myself up for criticism for saying this, and may get a mountain of "I NEVER do that!!" responses, but I do it, and know a bunch of other people all over the world in various aspects of the IT industry who do exactly the same.)

      1. Anonymous Coward
        Thumb Up

        Certainly

        And it is necessary because the #!"¤% developers don't have a clue how to build their programs so they can run under non-admin accounts.

        1. Anonymous Coward
          Boffin

          Pass the buck

          As a developer, I have to admit you're like 95% correct on that one... though it's usually not so much as 'don't have a clue' as 'aren't allowed to'. In most cases the corporation management are the ones that don't have a clue, and they give unrealistic expectations such that it's not possible to finish the application "the right way".

          Anon so my company doesn't hunt me down.

        2. Ken Hagan Gold badge
          Flame

          Re: Certainly

          Send such software back as "Broken, didn't run on my PC." and demand a refund. If need be, point out that expecting end-users to run as admin is equivalent to expecting them to post their bank account password online. (See above, for an example of why.)

          OK, I can appreciate that you might have a fight on your hands but anyone who thinks such software is fit for purpose in 2010 needs a visit from Trading Standards. It is no longer acceptable (if it ever was) to say that parts of the software were written a long time ago when this sort of thing was accepted. It wasn't (MS have been railing against this for over a decade) and even if it was, it is no longer and such products should be withdrawn from sale.

          Only when these tossers are no longer allowed to sell such criminally negligent offerings will they bother to learn how to program.

        3. Spicer
          Joke

          Re: non-admin users

          What!?! You mean there can actually be more than one user logged on the system running my stupendous code? Never!

    2. Anonymous Coward
      Anonymous Coward

      UAC?

      Possibly the only time to support UAC from Vista/Win7, but this would prevent this kind of access by alerting you to items trying to utilise admin rights, so long as of course you've not turned it off....

      But isn't that the case with anything? Lots of problems I've come across before have been when people have seen a popup that says 'do you want anti-virus? It will make you safe!', click yes then hello rootkit....

      1. The Other Steve

        UAC is per process

        and indeed, for the life of a process, so it's less helpful than you might think. Plus you can turn it off, which means that relying on it for security is broken. And as you say, the 'ask the user' model is definitely broken.

        But there isn't really anything a browser needs to do that requires elevated permissions anyway. FF will run quite happily from a normal user account on Windows as well as unix type systems.

    3. Big-nosed Pengie
      Linux

      The title is required, and must contain letters and/or digits.

      "Do I correctly assume you ran FF as "Administrator" ? That is a very, very bad idea."

      Indeed it is.

      Allowing Windows to connect to the Internet is an even worse idea.

    4. Anonymous Coward
      Anonymous Coward

      WIN 7

      Or get Win 7 and the UAC will automatically strip out your Admin privileges when you go online. They are learning, you know.

  4. Anonymous Coward
    Unhappy

    yeah but

    That's 2 browsers you are advised to stay clear of, how many are there? None is immune.

    total safety = stay off the internet.

  5. Anonymous Coward
    Anonymous Coward

    BürgerCERT

    Can I have fries with that?

  6. Squirrel
    WTF?

    hardcore

    http://www.sandboxie.com/ - unless you trust the site 100% and it's running on some impenetrable machine with infallible software...

    There's probably alternatives but I'm not aware of them.

    1. Angry clown

      You're right

      There are alternatives like VirtualBox or VMware with a virtual disposable Windows machine or even better, VMware Player with an Internet browsing appliance. Or at a minimum, install a copy of Firefox portable with no plugins, disable Javascript and you can browse anywhere on the net.

  7. Anonymous Coward
    FAIL

    Rogue banner ad??

    Isn't the whole point of running FF that you have ABP and NoScript ?

  8. Pink Duck
    Megaphone

    Insecure browsing

    As of right now IE8, Firefox 3.6 and Safari 4 are all insecure with solutions pending, according to Secunia. The worst potential of those is with Firefox so the German government is taking responsible action. Regardless, running your desktop with admin rights is asking for it.

    1. Not That Andrew

      Add Opera 10.5 to that list

      Opera 10.5 also has a potentially exploitable crash bug that is on the "to-do" list as well:

      http://my.opera.com/securitygroup/blog/2010/03/09/the-malformed-content-length-header-security-issue

      1. Rasczak
        Thumb Down

        Re: Add Opera 10.5 to that list

        <Quote>

        Opera 10.5 also has a potentially exploitable crash bug that is on the "to-do" list as well:

        <\Quote>

        The latest version of Opera available at the time of your post has no currently known outstanding security bugs.

        1. Not That Andrew
          FAIL

          Yes it did

          Read the linked article in my first post. It is from the _official_ Opera Security Blog. The update was only released AFTER I posted.

  9. Anonymous Coward
    Anonymous Coward

    so what now?

    Don't use IE or FF. Guess that means we use Opera, instead? Or maybe Chrome, because Google is always on Our Side and will Do No Evil. How about we make users smarter instead?

  10. Greg J Preece

    Head, meet desk

    "Don't use IE, use Firefo-, no, wait! Use...er..."

    Love all the anti-FF crowd coming out to crow - as they normally do - about Firefox and IE both being software (ie, they have bugs).

    Let me explain this for you nice and slowly, IE fans. We use FF not because it has less security holes (though it does seem to) - we use it because when there is a problem, the patch comes out a whoooole lot faster. Well, that and a whole host of other reasons.

    No browser is immune to security holes/bugs/flaws. None. The difference is in the patching. IE generally takes about an ice age or two. Firefox....doesn't.

    *Doot de dooo doooo dooooo*

    You acquired a clue! Achievement Unlocked!

    1. Greg J Preece

      FF FTW, again

      Not that I want to have a smug moment or anything, but:

      http://go.theregister.com/feed/www.theregister.co.uk/2010/03/23/firefox_zero_day_fix/

      :-)

    2. Anonymous Coward
      Anonymous Coward

      Foamy the Squirrel reference?

      Given that TVs will all soon be YouTube, NetFlix, MSG or MDK (MSN?) and lord knows what else up to the hilt and have more grunt than Jeremy Clarkson, the choice of rendering and JavaScript engines for these featureful embedded systems will be critical. MSTV? The trust may not be there...

      Personally, I would look forward to a DOS attack against episodes of Eastenders.

      1. Greg J Preece

        Foamy Reference

        Glad someone spotted it. Hello, fellow Squirrel Cultist!

  11. Anonymous Coward
    Stop

    Just use Opera

    Darn sight more secure than IE and Firefox, faster and standards compliant too.

    If you want to be even safer (as nothing is 100% safe), then use Opera with its own NoScript to turn off JavaScript and/or plugins either on a site by site basis Site Preferences (F12) or Globally (Ctrl F12). (You can even do the reverse, turn it off globally and back on for select sites).

    Good time to give Opera 10.51 a whirl, as it got released today, another 20-30% quicker than 10.50 (which was already 20% quicker than Chrome and 60% quicker than Firefox and 700% quicker than IE8).

    1. heyrick Silver badge

      There's more than just disabling JavaScript...

      How is it with cross-site scripting? How is it with redirected clicks (clickjacking, I think it is called). Is there a plug-in to nuke Flash cookies (yes, all the smart people use Flash cookies as your browser doesn't know about them... so they are not usually blocked). Will it disable Flash with a per-object permission model (not per-page or per-site)?

  12. Anonymous Coward
    FAIL

    'I'm not someone trying to put people off downloading'

    ...but you ARE someone who has the brass nerve to moan about 'getting rooted' while poking your nose around the dark and sweaty crevices of the internet?

    Here's a wacky idea. Try the tips above that I'll not reiterate as the others have done an admirable job.

    Oh, and here's another suggestion - trying PAYING FOR SOMETHING instead of stealing it, and you might actually come out of that particular transaction a little cleaner. Sounds like you got what you deserved, all those five-fingered discounts have caught up with you, no?

    1. Nexox Enigma

      Paying doesn't make you safe...

      """- trying PAYING FOR SOMETHING instead of stealing it, and you might actually come out of that particular transaction a little cleaner."""

      Admittedly buying media / etc would have prevented this particular infection, assuming the user was downloading copyrighted materials, but occasionally media you buy comes with malware too. There was that Sony root kit on some CDs, and periodically electronics (phones, portable media players, etc) come with their own crap.

      """Sounds like you got what you deserved, all those five-fingered discounts have caught up with you, no?"""

      Also I might recommend that you be a little less of a douche. I doubt that'll happen, however.

      1. Anonymous Coward
        Flame

        Really?

        Are you actually trying to justify piracy (and by extension the THEFT) of copyrighted material, contrary to common law, because sometimes, once in a blue moon, an M$ trojan makes its way onto your shiny new Sat Nav from the manufacturer? That argument is weak, to state the bleedin' obvious. It's like saying 'I don't pay my electricity bills because I might get a paper-cut from one'. Lame. I wasn't stating that paying for stuff is a surefire, smiley-face 'malware free' stamp (although back in the real world it mostly is). I was merely pointing out that people in glass houses shouldn't throw stones, as the poster earlier alluded to with his burglar analogy.

        Of course this individual was downloading copyrighted materials. Oh no, wait, I just forgot - I always head straight to The Pirate Bay when I want legally available materials instead of going to their official sources! Doh, my bad.

        Look, you're right, and perhaps I was a bit of a douche. But whatever way you look at it, piracy is bad news for us all. If you'd ever worked in the creative industries you'd understand the realities beyond your torrent client, how hard it hits the 'small people' - the ones you don't see there on the screen, depriving them and future talent of vital opportunities and the chance of earning their crust. I can only imagine what it does for software developers, who, I would imagine must be pretty p*ssed off to see people shoplifting the fruits of their fingers. Same difference, no shop.

        If you go smashing car windows looking for loot, don't complain when your hand bleeds.

        1. Graham Dawson Silver badge
          FAIL

          Use of terms

          "Piracy" is not theft. Piracy is unauthorised duplication. Unauthorised duplication is not theft, it is unauthorised duplication. Theft is removal of someone's property without permission and the result is that they no longer have it and consequently lose an investment they made in that property. If they were going to sell that property they then lose the potential sale of that property.

          You can't pirate someone's chair.

          Piracy doesn't involve physically removing stock from a shop. No "five-fingered discount", no physical loss requiring the expense replacement, no loss of money from a sale that can no longer be made. The argument of potential lost revenue is also incorrect, as the potential revenue is still sitting on the shelves of retailers in the form of physical stock.

          It may be wrong, but it isn't theft. Calling it theft simply makes you look stupid.

          1. Anonymous Coward
            Troll

            Oh dear, here come the train spotters

            I love how freetards / torrent zombies get anally retentive about 'i's and 't's and 'definitions' of words to try and paper over the fact that they are common-or-garden burglars, with some loosely constructed framework of skewed ideologies and excuses. If you want something of value in this world, you pay for it. That's...how stuff works. I tell you what, if you are so principled about this, why not walk into your boss's office and forfeit your salary? Because that's what you are expecting developers / entertainers / content developers (of ALL levels) to do. No? Oh. Thought not - because RIGHT, you don't work for free.

            You're right. I'm no legal expert and very much doubt you really know what you're talking about either. That might be why people are getting sued for...wait a minute...file sharing! Ah! But stop splitting ridiculous hairs and admit - you know it's fundamentally wrong. And illegal.

            Copyright does not merely refer to physical media - and so the fact you haven't taken it from a shelf in a shop means diddly-squat. That's why movie downloads - iTunes, Xbox Live, whatever - are DRMed. Because guess what sonny, they ain't yours to have without paying for - irrespective of media. If you've tea-leaved something via whatever means you've still taken the PRODUCT and not paid for it. It's like saying 'I didn't steal it, I wore my Harry Potter invisibility cloak'.

            Pfff. Whatever.

            You can spew whatever vitriolic bile back you want. The source of the (worrying) hatred in retorts to file-sharing truths is based on one tenet - the raw nerve. It sure isn't guilt, but you know you're nicking stuff and you don't like being called out on it. It's that simple, campers.

            Love and tenderness to you all.

            1. heyrick Silver badge
              Flame

              A small dose of reality

              Pirating stuff is immoral, and actually I had a giggle from the guy who got whammied while visiting TPB. Kinda what he deserved.

              But look at it from the other side, for the industry is more than happy to get the media spouting headlines like "illegal downloads" (which, uh, aren't) because it plays with the emotions, induces fear. They have lobbied themselves into a position to ask governments to implement totally unrealistic measures to protect their business model whilst totally disregarding the fact that existing measures exist - but hey, the existing ways are a hassle. It is far easier to induce fear (again) with a "you dick with us, we cut you off from your precious virtual world". And, to top it all, the secret talks regarding ACTA which was an anti-counterfeit thing has been hijacked to twist it around to be a weapon or the bidding of media companies and copyright holders. An industry that tried to foist DRM on music (and pretty much lost), is still trying DRM with video, doesn't give a toss about "fair use" legislation, and sees nothing wrong with region coding DVDs for no purpose that benefits the end-user.

              Is it any wonder some people are so willing to point out the 'i's and 't's when there is so much FUD being thrown around? I'm not a legal expert either, but perhaps if you fired up Google and did some poking around, you would realise that the whole thing is a crock.

              This doesn't mean you should feel sorry for pirates, far from it. But, by the same token, you shouldn't act as a proxy mouthpiece for the media companies either. Read, apply your brains, and draw your own conclusion. *Neither* side is right, and in trying to sort out the chaos, those with the most cash are stomping all over us in a way that, in the future, could prove to be extremely damaging. Are you really okay with that?

              1. Anonymous Coward
                Big Brother

                Hmmm. OK.

                Fair points there, Sir, casting aside my theatrical temper for a moment.

                I'll definitely go along with most of that - there's a worryingly wobbly framework of shonky anti-piracy methods and legislation as the powers-that-be scramble and panic to 'control' the situation. I accept that. I am NO fan of that situation and hope I haven't conveyed that.

                I am going to pull you up on accusing me of acting as a 'proxy mouthpiece' though. Have you ever been involved in media production at the low end? You know, the dirty, impoverished, barely-no-pay to buy food end? If you had at any level, you would genuinely appreciate the lack of bucks flowing around and there's no doubt that if people aren't paying for stuff, then there's even less. Furthermore, it's pretty gutting to see your (very) hard work enjoyed by someone who is simply too tight to pay for it.

                I'm gonna grab my coat, but I agree - the 'system' is all gone-to-pot. I'm most definitely not OK with how 'they' are dealing with piracy. Don't get me wrong for one precious minute. This shouldn't foster any sympathy with pirates though, who posit themselves as being on some noble quest across the seas of big, bad capitalism. Don't dress it up any other way - as you say, it's immoral and just plain nicking stuff, really.

                1. heyrick Silver badge
                  Boffin

                  The lack of bucks... [long rambling eclectic missive]

                  One thing that always bugged me about El Reg's various surveys is that it assumes you're in an IT dept. There's never a "geek for the fun of it" option. Well, that's me. I program and such for fun. Some people look at porn, I look at code. Takes all sorts, I guess... I like programming, and I can code what I want when I want. Looking at some of the horror stories that turn up in these forums (plus my company's so-called IT support (_still_ IE6)), I think I'm probably glad I don't do it as a job. It would be tragic if what I love became a non-stop aggravation.

                  My real job? Pretty menial stuff with a decidedly unimpressive pay. And while you might ask what I expect being a foreigner in another country with a less than perfect grasp of the language, there is the issue of the 40-50 other people I work alongside who make the place run but also receive pay cheques that aren't going to set the world alight. It pays the bills, it buys the food, it puts a computer in my lap and WiFi signals through the air. I'm doing okay.

                  I can sympathise with the media production guys, the low-down paid-crap people that actually make the whole shebang work. But like the company I work for has management with company-provided cars, generous holidays, perks-a-plenty, and a pay scale that looks to be logarithmic... how much of the media company's situation is actual piracy, and how much is greed higher up the food chain?

                  Oh sure, the bosses will point to piracy. But back to my company - they had an employee savings scheme which, I think, was part company subsidised. This has been cancelled due to the economy, the financial situation, and that the company is working with barely any profit at all because of, blah-de-blah-de-blah. We employees can forget any hope of a perk this year, yet the R&D guys have gone to shiny new premises, there's going to be a new storehouse built, all the old CRTs were recently replaced with flat panel displays, though many of the clunky old computers have gone with the guys in charge walking around holding laptops. No doubt the money that didn't put into the employee savings scheme helped buy some of this stuff. No, I'm not bitter, I didn't take the offer as the Ts&Cs translated to gibberish as far as myself and Google could make out. :-)

                  Thing is, the film/tv/recording industry execs have repeatedly demonstrated something of a lack of ethics, and it would not surprise me one iota if the real problem is your media guys just aren't valued by those in charge, piracy being little more than an excuse to point to. This is nothing special really, look at long strings of company director pay packets, especially in the banking industry. Maybe if people were paid their genuine worth instead of what they felt they could take, the people up the top would get a little less and the people at the bottom would get a little more. But it'll never happen, for the ones paid the most want the most and all the little people have next to zero power in a climate of more people than jobs. We, essentially, get to bend over and take it like a man with a smile on our faces. But, then, why not? I might not be rolling in dosh, but I have my ethics, I know I'm not screwing anybody over in order to give myself more, and at the end of the day if the caca hits the fan, it's zip to do with me or my judgement. So, um, I'll take my pathetic pay and I'll let all the shit fall on somebody else's head. The only _only_ thing I regret is I'm unlikely to visit a certain country far to the east of here. Uh well, you can't have it all. I know that. It's a shame the captains of industry don't.

                  Geek icon, 'cos my DNA markers are named after all the instructions in the 6502 repertoire. ;-)

        2. Anonymous Coward
          FAIL

          @Really?

          Question : Which part of the Theft Act does copyright infringement come under?

          Answer : it doesn't.

          Don't bother coming back until you know what you're talking about

    2. Nanki Poo
      WTF?

      Errr ...

      http://www.theregister.co.uk/2005/11/01/sony_rootkit_drm/

      That's all...

  13. Jonathan

    re: I think I was hit by this yesterday

    whilst downloading some illegal files?

    "Mr. Policeman, I injured myself climbing out of this window after I'd finished burgling the place."

    ?

  14. Lars Silver badge

    It would be nice

    to know if this programming error affects every OS or not. Simply, is this a Windows/Firefox only problem or not?

  15. Brian Davies
    FAIL

    Pedant alert...

    "Versions of Firefox prior to 3.6 are not prone to this specific vulnerability but are subject to other bugs, so reverting back to earlier versions of the browser isn't the smartest idea."

    Reverting implies going back. No need for both words; '...reverting to earlier versions...' is sufficient!

    1. Anonymous Coward
      Anonymous Coward

      How about

      'Reverting, Bach!'

  16. Blain Hamon
    Welcome

    Hah! I'm safe!

    They called me mad when I held onto my copy of Lynx! Mad, I tell you!

    1. Old Marcus

      Except

      You can do sod all with it.

      1. Anonymous Coward
        Anonymous Coward

        What do you want to do?

        Elinks works fine for me when I'm monitoring a customer's application over a low speed link

    2. Anonymous Coward
      Anonymous Coward

      Lynx

      Lynx!?

      You opulent fool! I stand on the beach and whistle 300 baud towards the ocean, 6 to 8 weeks later my request is returned in a glass bottle. I don't know why anyone would need a more up to date way to "surf" the net.

      1. Andus McCoatover

        Luxury! Only 6 weeks?

        You'll be running Vista, natch.

  17. Bucky 2
    Pint

    No solution

    [That is, if you're not part of the solution]

    I remember a couple years ago I got my shiny new Windows laptop, it came with 3-months free versions of Norton and...something else...I don't remember what anymore.

    The first thing I did was create a couple of user accounts without admin privileges for day to day use (one for me, one for the husband).

    The anti-virus programs whined and complained that they wouldn't work unless I logged in as an Administrator.

    The only reasonable conclusion was that the AV thing is just a protection racket, and I uninstalled them post-haste.

    As my old Chemistry professor used to say, "If you're not part of the solution, you're part of the precipitate."

  18. Anonymous Coward
    Thumb Down

    @Certainly

    "And it is necessary because the #!"¤% developers don't have a clue how to build their programs so they can run under non-admin accounts."

    I don't know what kind of special apps you run, but all vanilla-apps like browsers, office packages, image processors, Bittorrent, VisualStudio run very well WITHOUT Administrator rights.

    I recently had a 3270 terminal emulator that wanted to write something into c:\windows\system32, but would continue without me allowing it. I could have allowed the emulator specific rights to write that special file, though; without running as Administrator.

    Applications that actually need Admin rights have become very scarce, actually.

    I would even argue that running as a non-Admin allows you to safely not run ProtectionWare (aka Virus Scanners).

    1. Anonymous Coward
      Anonymous Coward

      @jlocke

      "I don't know what kind of special apps you run, but all vanilla-apps like browsers, office packages, image processors, Bittorrent, VisualStudio run very well WITHOUT Administrator rights."

      Have you considered that some people use multi-tasking computers to run more than one program at a time? If you use a program or creative tool that requires you to be logged in as an administrator to function, you don't really have a choice over how 'vanilla-apps like browsers' run when they appear as the next open app on the taskbar.

      Or should people log out and in again as a normal user just to check the latest news headlines, check their gMail and see if they have any new Facebook messages, and then log out and in again as an Administrator to continue working? And by 'they', I mean normal people working in offices or studios who just want to check their mail and don't want to know about "all that shit". Normal people - exactly the kinds of people who need their browser to be safe and secure for them.

      1. flowsnake
        Gates Halo

        "runas" is what you're looking for

        "Have you considered that some people use multi-tasking computers to run more than one program at a time? If you use a program or creative tool that requires you to be logged in as an administrator to function, you don't really have a choice over how 'vanilla-apps like browsers' run when they appear as the next open app on the taskbar."

        Actually, you do have a choice. Use a non-admin user. Elevate privileges using the "runas" command for any badly written apps that want to be run as an admin.

        TechNet reference for "runas": http://technet.microsoft.com/en-us/library/bb490994.aspx

  19. SilverWave
    Linux

    Lucid 10.04 Beta1 FF 3.6.3pre

    Gain access to the latest ubuntu-mozilla-daily ppa.

    Code:

    sudo add-apt-repository ppa:ubuntu-mozilla-daily

    Now install Firefox as below (or via the Synaptic Package Manager).

    Code:

    sudo apt-get update

    sudo apt-get install firefox

    Done in 5mins Panic Over :-)

    Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.3pre) Gecko/20100316 Ubuntu/10.04 (lucid) Namoroka/3.6.3pre - Build ID: 20100316073122

    Or just use chromium until FF is patched.

    1. Anonymous Coward
      FAIL

      Er . . . Thanks for that.

      It's so easy. Gosh, it couldn't be simpler.

      I'll be sure to get the mother-in-law to do that as well.

    2. Tom Chiverton 1

      no no no no

      No no no no. Do not install the daily builds. They could well break at any moment. If you must give this advice, at least point this out.

  20. Shades

    DropMyRights

    I run FF via DropMyRights (by a Microsoft employee, search for it). It supposedly drops the rights of the program you run with it down to a user level even if running as an admin. Don't know if it REALLY does anything but I've never had any problems so I can only assume that it does work... If I wanted to be ultra paranoid I could run FF via DropMyRights in a sandbox! :-)

    Actually, while I'm at it... Does anyone else use DropMyRights? DOES it really work??

  21. Stephen 27
    Megaphone

    3.6.2 is alive!

    Funny, I was just reading this article and thought I should just do a quick check for updates, and there it was 3.6.2. Nothing like a German threat to get things moving!

  22. Anonymous Coward
    Anonymous Coward

    3.6.2 is great and . . .

    . . . 3.7a3 is incredible. On a Mac with both versions all is well. Went to PB.org and that's what I got.

  23. Anonymous Coward
    Gates Halo

    IE8 FTW

    I use IE8 in Protected Mode in Windows 7 Ultimate. This is the most secure way to browse the internet because even unpatched vulnerabilities can't do any harm to my system. I won't touch Firefox with a ten-foot pole.

    1. alfredkayser
      Alert

      Even IE8 has its security issues...

      Just don't trust IE8 in PM in W7 just yet. Security issues are continuously found and Microsoft is generally slow in patching them:

      from http://en.wikipedia.org/wiki/Internet_Explorer#Security:

      "The most severe unpatched Secunia advisories affecting Microsoft Internet Explorer 6.x, 7.x, and 8.x with all vendor patches applied, are all rated Extremely critical."

      "According to the latest information, security research firm SecurityFocus reports that IE6 has 396 known unpatched vulnerabilities, IE7 has 22, and IE8 has 25. "

      While much less than IE 6 and 7, IE8 still has a lot of security issues, and a number of them are marked 'Extremely critical'.

      1. Anonymous Coward
        Gates Halo

        That was precisely my point

        All the browsers have vulnerabilities. However, if you run IE8 in Protected Mode in Windows Vista/7, these vulnerabilities won't be able to harm your system. At worst, they will crash IE. Google Chrome also runs in sandbox like IE8. But Firefox doesn't. Hence, Firefox is less secure than IE8/Chrome.

    2. Anonymous Coward
      FAIL

      "the most secure way to browse the internet "

      LOLZ!

      1. Anonymous Coward
        FAIL

        Fanboy

        You don't even understand the point that's being made, or what this mode is. Yours was a knee-jerk response typical of an uninformed fanboy.

        Imagine Beavis & Butt-Head just muttering "Heh, IE sucks"... "Yeah, Microsoft suck, heh.". That's you that is. Sorry, fella.

  24. Anonymous Coward
    Anonymous Coward

    3.6.2 is out - all fixed

    About 12 hours ago actually.

  25. Milkfloat
    Thumb Up

    Pumping it out now

    It looks like 3.6.2 is arriving now (one week early) - I just did a manual update and was given 3.6.2.

  26. Anonymous Coward
    Anonymous Coward

    Which SW ?

    "If you use a program or creative tool that requires you to be logged in as an administrator to function, you don't really have a choice over how 'vanilla-apps like browsers' run when they appear as the next open app on the taskbar."

    Could you please name and shame ?

  27. Reboot_IT
    Stop

    Virus attack

    I rescue about 7-8 laptops/desktops per week from "Vista antivirus pro" and the like malware.

    I’d say browser-wise it is 50/50 Firefox and IE.

    I don't think you have a chance in hell of educating all users on how to protect themselves, and to be honest it isn't their fault. Criminal gangs have infected Google SERPS, causing a confusing pop-up when you visit supposedly legit sites. I have personally noticed that they are using PPC and natural listings to accomplish this.

    I would put the blame on Google and the anti-virus vendors for this type of variant. I reckon they should be working closer (not giving up the algorithm of course!), and can only see the situation getting worse as more jump on the bandwagon.

    P.S. You don't need to reinstall, it is possible to remove this crap with free tools from the web, and at £50 a pop. Business is good.

  28. Matthew 17

    An issue was found

    And a new fixed version arrived almost straight away, can't see a problem with that.

  29. Tom Wright
    Welcome

    LTS

    Maybe the answer to all this is to produce milestone, long-term-support versions of a browser and backport bugfixes.

    The article mentions that this hole is new to 3.6, but that other bugs exist in previous versions. Presumably the bugs have been fixed in 3.6, so why could they not be backported?
