Old 02-10-2006, 01:29 PM  
KcMizzou KcMizzou is offline
Supporter
 
 
Join Date: Sep 2002
Location: Parkville MO
Casino cash: $5270
In case anyone hadn't already switched to Firefox

Spyware Barely Touches Firefox

By Gregg Keizer
TechWeb.com Thu Feb 9, 2:15 PM ET

Internet Explorer users can be as much as 21 times more likely to end up with a spyware-infected PC than people who go online with Mozilla's Firefox browser, academic researchers from Microsoft's backyard said in a recently published paper.

"We can't say whether Firefox is a safer browser or not," said Henry Levy, one of the two University of Washington professors who, along with a pair of graduate students, created Web crawlers to scour the Internet for spyware in several 2005 forays. "But we can say that users will have a safer experience [surfing] with Firefox."

In May and October, Levy and colleague Steven Gribble sent their crawlers to 45,000 Web sites, cataloged the executable files found, and tested malicious sites' effectiveness by exposing unpatched versions of Internet Explorer and Firefox to "drive-by downloads." That's the term for the hacker practice of using browser vulnerabilities to install software, sometimes surreptitiously, sometimes not.

"We can't say IE is any less safe," explained Levy, "because we choose to use an unpatched version [of each browser.] We were trying to understand the number of [spyware] threats, so if we used unpatched browsers then we would see more threats."

Levy and Gribble, along with graduate students Alexander Moshchuk and Tanya Bragin, set up IE in two configurations -- one where it behaved as if the user had given permission for all downloads, the other as if the user refused all download permission -- to track the number of successful spyware installations.

During Levy's and Gribble's most recent crawl of October 2005, 1.6 percent of the domains infected the first IE configuration, the one mimicking a naïve user blithely clicking 'Yes;' about a third as many domains (0.6 percent) did drive-by downloads by planting spyware even when the user rejected the installations.

"These numbers may not sound like much," said Gribble, "but consider the number of domains on the Web."

"You definitely want to have all the patches [installed] for Internet Explorer," added Levy.

In the same kind of configurations, Firefox survived relatively unscathed. Only .09 percent of domains infected the Mozilla Corp. browser when it was set, like IE, to act as if the user clicked through security dialogs; no domain managed to infect the Firefox-equipped PC in a drive-by download attack.

Compare those figures, and it seems that IE users who haven't patched their browser are 21 times more likely to have a spyware attack executed -- if not necessarily succeed -- against their machine.

Most of the exploits that leveraged IE vulnerabilities to plant spyware were based on ActiveX and JavaScript, said Gribble. Those two technologies have taken the blame for many of IE's problems. In fact, Firefox boosters often point to their browser's lack of support for ActiveX as a big reason why its security claims are legit.

Levy and Gribble didn't set out to verify that, but they did note that the few successful spyware attacks on Firefox were made by Java applets; all, however, required the user's consent to succeed.

Microsoft's made a point to stress that Internet Explorer 7, which just went into open beta for Windows XP, tightens up ActiveX controls by disabling nearly all those already installed. IE 7 then alerts the user and requires consent before it will run an in-place control.

Good thing, because one of the research's most startling conclusions was the number of spyware-infected sites. One out of every 20 executable files on Web sites is spyware, and 1 in 25 domains contain at least one piece of spyware waiting for victims.

"If these numbers are even close to representative for Web sites frequented by users," the paper concluded, "it is not surprising that spyware continues to be of major concern."

The moral, said Levy, is: "If you browse, you're eventually going to get hit with a spyware attack."

http://news.yahoo.com/s/cmp/20060210/tc_cmp/179102616
Posts: 54,696
Old 02-10-2006, 02:05 PM   #2
htismaqe htismaqe is offline
What? What?
 
 

Join Date: Aug 2000
Location: Chiefsplanet
Casino cash: $8834
Keep pumping Firefox. As soon as there's enough of them out there to be worth the time and effort, there will be spyware for it.
Posts: 61,900
Old 02-10-2006, 02:09 PM   #3
Simply Red Simply Red is offline
You seem nice.
 
 

Join Date: Sep 2005
Location: Out of the office
Casino cash: $2016449914
VARSITY
Quote:
Originally Posted by htismaqe
Keep pumping Firefox. As soon as there's enough of them out there to be worth the time and effort, there will be spyware for it.
Now what kind of attitude is that?

A realistic one, you say.

AHH HA. You are correct sir.
Posts: 43,729
Old 02-10-2006, 02:22 PM   #4
redhed redhed is offline
The mad repper
 
 

Join Date: Sep 2000
Location: Along the Interurban
Casino cash: $8882
I like Maxthon.
__________________
CHIEF lifer!
Posts: 3,484
Old 02-10-2006, 02:23 PM   #5
Mr. Laz Mr. Laz is offline
Don't Tease Me
 
 

Join Date: Dec 2000
Location: KS
Casino cash: $1021380
Quote:
Originally Posted by htismaqe
Keep pumping Firefox. As soon as there's enough of them out there to be worth the time and effort, there will be spyware for it.
I can't believe it took you 30 minutes to swoop


Posts: 83,769
Old 02-10-2006, 02:27 PM   #6
Simplex3 Simplex3 is offline
MVP
 
 

Join Date: Sep 2003
Casino cash: $5000
Quote:
Originally Posted by Simply Red
Now what kind of attitude is that?

A realistic one, you say.

AHH HA. You are correct sir.
I love how people who don't know s**t about software security completely discount proper design. You've obviously purchased both Windows AND the MS line that the problems aren't their s**tty design.
Posts: 28,527
Old 02-10-2006, 02:29 PM   #7
bkkcoh bkkcoh is offline
MVP
 

Join Date: Aug 2000
Location: Lewis Center, Ohio USA
Casino cash: $5530
Quote:
Originally Posted by htismaqe
Keep pumping Firefox. As soon as there's enough of them out there to be worth the time and effort, there will be spyware for it.

No, Microsoft will buy and shelve it...
__________________
Brian K.
Aspire to Inspire before you Expire
Posts: 5,251
Old 02-10-2006, 02:34 PM   #8
phxchief phxchief is offline
Disasterpiece
 

Join Date: Jan 2002
Location: Shawn Marion owns you
Casino cash: $5000
People still use IE? Haha.
Posts: 635
Old 02-10-2006, 02:35 PM   #9
htismaqe htismaqe is offline
What? What?
 
 

Join Date: Aug 2000
Location: Chiefsplanet
Casino cash: $8834
Quote:
Originally Posted by Simplex3
I love how people who don't know s**t about software security completely discount proper design. You've obviously purchased both Windows AND the MS line that the problems aren't their s**tty design.
Or I know enough about software security to know that a properly configured browser is safe, regardless of whether it's Netscape, IE, or Firefox.
Posts: 61,900
Old 02-10-2006, 02:35 PM   #10
htismaqe htismaqe is offline
What? What?
 
 

Join Date: Aug 2000
Location: Chiefsplanet
Casino cash: $8834
Quote:
Originally Posted by Laz
I can't believe it took you 30 minutes to swoop


I've actually been busy today at work. It's a rare occurrence.
Posts: 61,900
Old 02-10-2006, 02:39 PM   #11
Simplex3 Simplex3 is offline
MVP
 
 

Join Date: Sep 2003
Casino cash: $5000
Quote:
Originally Posted by htismaqe
Or I know enough about software security to know that a properly configured browser is safe, regardless of whether it's Netscape, IE, or Firefox.
So MS gets a pass for shipping software with an insecure configuration? Of course you're discounting the flaws like the recent image vulnerability where configuration wouldn't have saved you.
Posts: 28,527
Old 02-10-2006, 02:41 PM   #12
jidar jidar is offline
MVP
 
 

Join Date: May 2005
Location: a
Casino cash: $5000
Quote:
Originally Posted by htismaqe
Keep pumping Firefox. As soon as there's enough of them out there to be worth the time and effort, there will be spyware for it.
No **** that.
I'm not going to let that shit slide.
The fact is that back when Netscape was the dominant browser and IE was just breaking onto the scene in the mid 90s with IE 3 and then 4, professionals involved with the Internet and IT were screaming about the security issues involved. At the time Netscape was crappy and crashed a lot but at least it was comparatively secure, then along comes MS with their features-first attitude and ActiveX which they then stuck on everyone's desktop and told them to use. It was a terrible idea. The Unix world had already been through this features first security second attitude in the 70s and 80s and we could see it happening again. All of a sudden there was this whole feature set that had never been there before the security model was absolutely atrocious.
People were complaining. People were complaining and it had nothing to do with Microsoft, it had nothing to do with which browser would win, it had everything to do with the fact that browsers suddenly had broken a taboo and been given access to do things they never had before. MS thought it was okay though because they had a security model around it. Of course it was a terrible model.
I personally had conversations on Usenet just like this one where we argued about why people shouldn't be using IE.

Of course the first time the job I worked at was brought to its knees because of an IE virus I was completely livid. All of the "I told you so's" fell on deaf ears though, and now we get people who try to rewrite history.

No. The bottom line is their security model is the fault, it's always been a piece of shit, it isn't just their popularity. I know because I was there when it was rolled out, I was a part of the argument, and you're not going to tell me otherwise.
Posts: 5,502
Old 02-10-2006, 02:44 PM   #13
htismaqe htismaqe is offline
What? What?
 
 

Join Date: Aug 2000
Location: Chiefsplanet
Casino cash: $8834
Quote:
Originally Posted by Simplex3
So MS gets a pass for shipping software with an insecure configuration? Of course you're discounting the flaws like the recent image vulnerability where configuration wouldn't have saved you.
MS gets a pass? Yeah, I guess so, considering I don't really give a ****.

My computer isn't infected, so that's good enough for me.

And as someone who designs security solutions for a living, I rather like Microsoft...
Posts: 61,900
Old 02-10-2006, 02:46 PM   #14
JBucc JBucc is offline
MVP
 

Join Date: Oct 2005
Casino cash: $5000
I like firefox because of all the customization. But I used IE for a long time and didn't have any problems out of it with spyware so I'm cool with it.
Posts: 12,015
Old 02-10-2006, 02:47 PM   #15
phxchief phxchief is offline
Disasterpiece
 

Join Date: Jan 2002
Location: Shawn Marion owns you
Casino cash: $5000
Quote:
Originally Posted by jidar
No **** that.
I'm not going to let that shit slide.
The fact is that back when Netscape was the dominant browser and IE was just breaking onto the scene in the mid 90s with IE 3 and then 4, professionals involved with the Internet and IT were screaming about the security issues involved. At the time Netscape was crappy and crashed a lot but at least it was comparatively secure, then along comes MS with their features-first attitude and ActiveX which they then stuck on everyone's desktop and told them to use. It was a terrible idea. The Unix world had already been through this features first security second attitude in the 70s and 80s and we could see it happening again. All of a sudden there was this whole feature set that had never been there before the security model was absolutely atrocious.
People were complaining. People were complaining and it had nothing to do with Microsoft, it had nothing to do with which browser would win, it had everything to do with the fact that browsers suddenly had broken a taboo and been given access to do things they never had before. MS thought it was okay though because they had a security model around it. Of course it was a terrible model.
I personally had conversations on Usenet just like this one where we argued about why people shouldn't be using IE.

Of course the first time the job I worked at was brought to its knees because of an IE virus I was completely livid. All of the "I told you so's" fell on deaf ears though, and now we get people who try to rewrite history.

No. The bottom line is their security model is the fault, it's always been a piece of shit, it isn't just their popularity. I know because I was there when it was rolled out, I was a part of the argument, and you're not going to tell me otherwise.
Posts: 635
All times are GMT -6.

