matgb: Artwork of 19th century upper class anarchist, text: MatGB (Firefox)
Mat Bowles ([personal profile] matgb) wrote2008-12-18 12:09 am
  • Add Memory
  • Share This Entry
Entry tags:

Run Windows Update. NOW.

Seriously, there's a major security hole in Internet Explorer that also opens up vulnerabilities in other browsers. Even if you rarely if ever use IE, you need to secure your system if you're running Windows. If you don't know how to, Yahoo! Tech has a handy guide. It's fairly major, several popular websites have been hijacked, one well known webcomic artist got infected while looking at his own comic. MS normally only patch at scheduled times, for them to rush something out this quickly is almost unheard of:
Acting with record speed, Microsoft has issued a patch for the just-announced security flaw that impacts all recent versions of Internet Explorer, from version 5 to the latest betas of IE 8. The next security update had not been due from the company until January 13, making this a very rare occurrence.
Most scary? Up until now, I had thought Opera was a pretty good browser, it's certainly nice to use. It appears though that Opera was subject to the same vulnerabilities as it uses the same XML renderer memory buffer as IE. No, I don't really understand that bit either. So Opera gets downgraded.

If you're still using Internet Explorer for your browsing, really, it's NOT SAFE. No browser is completely secure, but IE is part of the core operating system of Windows, and when there are unpatched exploits, the attack can get directly into Windows itself. By far the safest way to browse[1] is with Firefox, and it's probably tied after that between Apple's Safari and Google's Chrome. Opera remains a groundbreaking bit of software, but if the default behaviour is still to pretend to be IE and also open up vulnerabilities regardless, it isn't as good as it should be.

For the full security shield, Firefox has plugins such as Flashblock, Adblock and NoScript that really do push it to the top. At the very least, Flashblock stops system hogging flash from hijacking your browsing unless you want it to, it's the first thing I install after Fx on a new machine. Always.

Another part of this vulnerability involved Adobe's Acrobat Reader. PDFs are, unfortunately, now a part of life, and there are still many many idiots that put their PDFs online and think they've got a decent web presence. Given this, the PDF download plugin for Firefox is essential, and switching to a much faster and less system intensive reader (I use Foxit) for your default PDF setup is probably a good plan as well.
[1] I'm ignoring text only and other lite browsers such as Lynx here, just talking about normal, standard plays YouTube vids and looks normal browsers.
Flat | Top-Level Comments Only
matgb: Artwork of 19th century upper class anarchist, text: MatGB (Default)

[personal profile] matgb 2008-12-18 12:45 pm (UTC)(link)
This will probably make more sense to you that me: Specifically, he got infected from running Opera on Windows, wherein Opera exports their XML data binding functions to the published operating system engine, which is dun-dun-da-daaaaa the one that IE uses (Remember the bit about how IE was inextricably part of Windows? Yeah. Great design decision.) which is Microsoft's. The exploit basically uses a set of XML code that builds data objects in memory that sit in IE's memory space within the OS, carefully crafted data objects that bear binary code. The exploit then specifically exploits the fact that the XML rendering engine, when told to get rid of the data objects, doesn't perform proper memory management and garbage collection, and doesn't run in a sandbox /per se/ with lowered data execution privileges and operating system resources but in fact runs as whatever level the user runs IE at. Which is almost always with permissions to install software. This is a classic memory buffer overflow exploit, and is entirely Microsoft's fault for not fixing it so long, long ago.

Firefox can have plugins (I have them, I use them in a secure manner, if anyone ever gets an exploit to automatically trigger them I'll remove them, it's unlikely as they're not common usage). Opera defaults on install (I'm told) to send the user agent as IE, and apparently uses the IE XML memory buffer, which is where the problem was.

I used to recommend Opera to anyone that wasn't using extensions, what's the point of Fx if you don't use the extensions after all, out of the box Opera is better.

But if what I've read is correct, Opera is less secure, thus I'll now recommend Chrome, which at least has brand recognition for people that care about such things or trust names they know.

[identity profile] fridgemagnet.livejournal.com 2008-12-18 01:02 pm (UTC)(link)
That makes sense. I'm quite surprised that Opera does that actually, but in this instance it was unwise.

The thing is of course that while in this instance Opera trusted Windows not to be vulnerable to buffer overflow attacks when it was, there's nothing to say that Firefox or Chrome or whatever other browser isn't also trusting some other Windows service which is vulnerable.

Unfortunately you sort of _have_ to trust some of the services of the OS you're running on, and while some companies trust very few of them (Opera for instance does a whole load of stuff on its own, which is why it looks slightly odd and I was surprised to see this) they're all going to trust a few. In this instance Opera is vulnerable and other browsers which don't use that service aren't, but that's not indicative of some sort of long-term issue with Opera IMO.
Flat | Top-Level Comments Only