Posted: 2/10/2006 5:13:13 PM EDT
[Last Edit: 2/10/2006 5:14:42 PM EDT by 71-Hour_Achmed]
Something for Max_Mike to choke on.

Summary: IE is inherently unsafe; Firefox requires the user to be a total idiot to be unsafe.

news.yahoo.com/s/cmp/20060210/tc_cmp/179102616&printer=1

Spyware Barely Touches Firefox

By Gregg Keizer
TechWeb.com
Thu Feb 9, 2:15 PM ET

Internet Explorer users can be as much as 21 times more likely to end up with a spyware-infected PC than people who go online with Mozilla's Firefox browser, academic researchers from Microsoft's backyard said in a recently published paper.

"We can't say whether Firefox is a safer browser or not," said Henry Levy, one of the two University of Washington professors who, along with a pair of graduate students, created Web crawlers to scour the Internet for spyware in several 2005 forays. "But we can say that users will have a safer experience [surfing] with Firefox."

In May and October, Levy and colleague Steven Gribble sent their crawlers to 45,000 Web sites, cataloged the executable files found, and tested malicious sites' effectiveness by exposing unpatched versions of Internet Explorer and Firefox to "drive-by downloads." That's the term for the hacker practice of using browser vulnerabilities to install software, sometimes surreptitiously, sometimes not.

"We can't say IE is any less safe," explained Levy, "because we choose to use an unpatched version [of each browser.] We were trying to understand the number of [spyware] threats, so if we used unpatched browsers then we would see more threats."

Levy and Gribble, along with graduate students Alexander Moshchuk and Tanya Bragin, set up IE in two configurations -- one where it behaved as if the user had given permission for all downloads, the other as if the user refused all download permission -- to track the number of successful spyware installations.

During Levy's and Gribble's most recent crawl of October 2005, 1.6 percent of the domains infected the first IE configuration, the one mimicking a naïve user blithely clicking 'Yes;' about a third as many domains (0.6 percent) did drive-by downloads by planting spyware even when the user rejected the installations.

"These numbers may not sound like much," said Gribble, "but consider the number of domains on the Web."

"You definitely want to have all the patches [installed] for Internet Explorer," added Levy.

In the same kind of configurations, Firefox survived relatively unscathed. Only .09 percent of domains infected the Mozilla Corp. browser when it was set, like IE, to act as if the user clicked through security dialogs; no domain managed to infect the Firefox-equipped PC in a drive-by download attack.

Compare those figures, and it seems that IE users who haven't patched their browser are 21 times more likely to have a spyware attack executed -- if not necessarily succeed -- against their machine.

Most of the exploits that leveraged IE vulnerabilities to plant spyware were based on ActiveX and JavaScript, said Gribble. Those two technologies have taken the blame for many of IE's problems. In fact, Firefox boosters often point to their browser's lack of support for ActiveX as a big reason why its security claims are legit.

Levy and Gribble didn't set out to verify that, but they did note that the few successful spyware attacks on Firefox were made by Java applets; all, however, required the user's consent to succeed.

Microsoft's made a point to stress that Internet Explorer 7, which just went into open beta for Windows XP, tightens up ActiveX controls by disabling nearly all those already installed. IE 7 then alerts the user and requires consent before it will run an in-place control.

Good thing, because one of the research's most startling conclusions was the number of spyware-infected sites. One out of every 20 executable files on Web sites is spyware, and 1 in 25 domains contain at least one piece of spyware waiting for victims.

"If these numbers are even close to representative for Web sites frequented by users," the paper concluded, "it is not surprising that spyware continues to be of major concern."

The moral, said Levy, is: "If you browse, you're eventually going to get hit with a spyware attack."


Link Posted: 2/10/2006 5:23:44 PM EDT
[Last Edit: 2/10/2006 5:33:16 PM EDT by warlord]
Just not running IE will not guarantee that you won't get hit. The best thing is to run the usual, anti-virus and anti-spyware software. I've been getting a few pop-ups on Firefox 1.0.7.

EditToAdd: and a hardware (NAT) firewall.
Link Posted: 2/10/2006 5:25:33 PM EDT
Link Posted: 2/10/2006 5:41:44 PM EDT
Let's see. My company sells a product for viewing sites on the internet. Of those users that have such a product, 90% of them use my product ($$$$).

To my left: Hacker man. He is usually a malicious egotist whose goals in life are to make life miserable for me by trying to destroy my product, thus making life miserable for my consumers, and to gain fame, anonymously of course.

To my right: My competitors. As they own a very small percentage of the market, it is not to Hacker man's advantage to squander time trying to destroy their product as it will not gain him the fame and self-satisfaction he seeks. In addition, he may just be covertly employed by said competitors.

Now on the scene: The Hacker man's competitors. Knowing that Hacker man has the major share in the destruction of the major web-site viewing software, they hatch a new scheme. They will now make a concentrated effort, slowly at first, but an effort to now try to destroy my competitors' product as they as well need their own covert fame and self-satisfaction. This will also, in their minds only perhaps, begin to make their market share bigger in the hacker game.

Link Posted: 2/10/2006 5:42:29 PM EDT
Safari on Mac OS X is your friend...
Link Posted: 2/10/2006 5:49:07 PM EDT

Originally Posted By capnrob97:
Safari on Mac OS X is your friend...



Konqueror on Linux is your best friend
Link Posted: 2/10/2006 6:21:23 PM EDT

Originally Posted By adair_usmc:

Originally Posted By capnrob97:
Safari on Mac OS X is your friend...



Konqueror on Linux is your best friend


Konqueror on Knoppix is your best friend's hot girlfriend whom he likes to share with you.
Link Posted: 2/10/2006 6:22:17 PM EDT

Originally Posted By 71-Hour_Achmed:

Originally Posted By adair_usmc:

Originally Posted By capnrob97:
Safari on Mac OS X is your friend...



Konqueror on Linux is your best friend


Konqueror on KnoppixKubuntu is your best friend's hot girlfriend whom he likes to share with you.



Fixed
Link Posted: 2/10/2006 6:25:54 PM EDT

Originally Posted By Bubblehead597:
Let's see. My company sells a product for viewing sites on the internet. Of those users that have such a product, 90% of them use my product ($$$$).




Where do you get the dollar signs from a free product that nobody pays for? (i.e. IE)
Link Posted: 2/10/2006 6:29:56 PM EDT

Originally Posted By warlord:
Just not running IE will not guarantee that you won't get hit. The best thing is to run the usual, anti-virus and anti-spyware software. I've been getting a few pop-ups on Firefox 1.0.7.

EditToAdd: and a hardware (NAT) firewall.


Popups aren't (necessarily) spyware, trojans, viruses, or other maliciously downloaded software. All I ever see of them is when some website (cough FORBES cough) wants to offer me the "opportunity" to take a marketing survey for a cellphone manufacturer.



Originally Posted By Bubblehead597:
Let's see. My company sells a product for viewing sites on the internet. Of those users that have such a product, 90% of them use my product ($$$$).

To my left: Hacker man. He is usually a malicious egotist whose goals in life are to make life miserable for me by trying to destroy my product, thus making life miserable for my consumers, and to gain fame, anonymously of course.

To my right: My competitors. As they own a very small percentage of the market, it is not to Hacker man's advantage to squander time trying to destroy their product as it will not gain him the fame and self-satisfaction he seeks. In addition, he may just be covertly employed by said competitors.

Now on the scene: The Hacker man's competitors. Knowing that Hacker man has the major share in the destruction of the major web-site viewing software, they hatch a new scheme. They will now make a concentrated effort, slowly at first, but an effort to now try to destroy my competitors' product as they as well need their own covert fame and self-satisfaction. This will also, in their minds only perhaps, begin to make their market share bigger in the hacker game.


Except that Hacker Man is prevented from using his favorite tool to infect your users' computers if the users dump you in favor of your competitors' software, since none of your competitors offer a backdoor that compromises the users' systems' security at all times no matter what the users do (see article in first post). Instead, the users would deliberately have to do something stupid -- click "I accept this virus" (again, see article in first post) -- in order to infect their systems, which most users are not stupid enough to do.

Therefore, your attempted apologism sucks horsedick.
Link Posted: 2/10/2006 6:38:09 PM EDT
Link Posted: 2/10/2006 7:08:07 PM EDT

Originally Posted By 71-Hour_Achmed:

Originally Posted By warlord:
Just not running IE will not guarantee that you won't get hit. The best thing is to run the usual, anti-virus and anti-spyware software. I've been getting a few pop-ups on Firefox 1.0.7.

EditToAdd: and a hardware (NAT) firewall.


Popups aren't (necessarily) spyware, trojans, viruses, or other maliciously downloaded software. All I ever see of them is when some website (cough FORBES cough) wants to offer me the "opportunity" to take a marketing survey for a cellphone manufacturer.



Originally Posted By Bubblehead597:
Let's see. My company sells a product for viewing sites on the internet. Of those users that have such a product, 90% of them use my product ($$$$).

To my left: Hacker man. He is usually a malicious egotist whose goals in life are to make life miserable for me by trying to destroy my product, thus making life miserable for my consumers, and to gain fame, anonymously of course.

To my right: My competitors. As they own a very small percentage of the market, it is not to Hacker man's advantage to squander time trying to destroy their product as it will not gain him the fame and self-satisfaction he seeks. In addition, he may just be covertly employed by said competitors.

Now on the scene: The Hacker man's competitors. Knowing that Hacker man has the major share in the destruction of the major web-site viewing software, they hatch a new scheme. They will now make a concentrated effort, slowly at first, but an effort to now try to destroy my competitors' product as they as well need their own covert fame and self-satisfaction. This will also, in their minds only perhaps, begin to make their market share bigger in the hacker game.


Except that Hacker Man is prevented from using his favorite tool to infect your users' computers if the users dump you in favor of your competitors' software, since none of your competitors offer a backdoor that compromises the users' systems' security at all times no matter what the users do (see article in first post). Instead, the users would deliberately have to do something stupid -- click "I accept this virus" (again, see article in first post) -- in order to infect their systems, which most users are not stupid enough to do. I think you overestimate the average computer user's intelligence level.

Therefore, your attempted apologism sucks horsedick.



I am not trying to apologize for anyone. If you could read into my post more than what you wanted to see, you could understand that this is called planning your war scenario to attack the king on the hill. But alas, another post degraded to immature name-calling. Have a nice life.
Link Posted: 2/11/2006 12:01:00 AM EDT
Speaking of spyware, just for gits and shiggles, after updating on the Windows site I downloaded their "Beta Anti-spyware program". Ran it and "nope no spyware on this computer"! Funny, my other spyware programs found close to 100 bits... all from Microsoft! Go figger.
Link Posted: 2/11/2006 5:55:01 AM EDT
I run IE; I have never had spyware.

It's what you know that helps.
Link Posted: 2/11/2006 6:00:29 AM EDT
[Last Edit: 2/11/2006 6:32:06 AM EDT by guardian855]

Originally Posted By cruze5:
I run IE; I have never had spyware.

It's what you know that helps.



+1

People who get spyware from surfing the web are morons. I use IE, never had a problem.
Link Posted: 2/11/2006 7:06:07 AM EDT
[Last Edit: 2/11/2006 7:09:56 AM EDT by Max_Mike]

Originally Posted By Bubblehead597:
I am not trying to apologize for anyone. If you could read into my post more than what you wanted to see, you could understand that this is called planning your war scenario to attack the king on the hill. But alas, another post degraded to immature name-calling. Have a nice life.



Oh now you have done it...

You will have him cyber stalking you every thread he sees you post in… Not a big deal though, it is like dealing with an idiot child.

Under his user parameters he is still not safe using Firefox.
Link Posted: 2/11/2006 4:21:19 PM EDT

Originally Posted By cruze5:
I run IE; I have never had spyware.

It's what you know that helps.



+1

-d