Which internet browser do you use?

[ArmchairAthlete]

IE!

And development got opened on IE again. Hopefully IE7 won't take too long to be released (or, at least a beta).

EDIT:

you obviously dont visit many pr0n sites......................

I visit shady sites and still don't get spyware. The fools who never keep their system up to date give IE a bad name.

If enough people use Firefox, Spyware writers WILL target it.

 

[mattg1981]

Originally posted by: Zelmo3
Konqueror for now, at least until I can get Firefox's fonts to look good in Linux.

I have the same problem ... and with moz 1.7 or higher the fonts are ugly

 

[Nothinman]

1. anytime you type in an url in the address bar it always opens up in a new tab, not the same one that is active like it is currently in firefox

Definatley covered by tabbed browser extentions.

3. When you middle click on a link for it to open in a new tab it should go next to the current tab, I think it was like that in firefox0.8 but was removed in 0.9 so it opens up at the other end.

I believe this is configurable in the tabbed browser extensions.

And development got opened on IE again. Hopefully IE7 won't take too long to be released (or, at least a beta).

IE7 was slated to be stuck in Longhorn, are you saying that's changed?

Konqueror for now, at least until I can get Firefox's fonts to look good in Linux.

I've been using Galeon and Firefox in Linux for quite some time and the fonts look fine, make sure you have some decent fonts installed. There are packages with free TTF fonts, the MS pseudo-free fonts, etc and generally they 'just work'.

What's wrong with you people ? I've never gotten an IE exploit and I surf all day long.

Exploits are the least of the reasons to not use IE, but they're a big one. And an even bigger one now that the following story was posted, I doubt I'd want to take my chances unless I was a huge IE zealot.

http://zdnet.com.com/2100-1105_2-5247187.html?tag=zdfd.newsfeed

 

[BFG10K]

But then again, if he wants to go thru all the effort

Effort? Running under a restricted account is hardly an effort, not to mention that it'll stop the vast majority of exploits and viruses dead in their tracks.

install Linux or Free/OpenBSD and aviod the whole costing-money/costing-freedom/virus/worm crap in the first place.

You are seriously mistaken if you think alternative OSes have no exploits, bugs or viruses.

 

[Nothinman]

Effort? Running under a restricted account is hardly an effort, not to mention that it'll stop the vast majority of exploits and viruses dead in their tracks.

It's a huge enough effort that everyone at MS runs as a local admin. it's not even possible to easily enable/disable a network interface if you're logged in with a restricted account and that's something that's required on notebooks.

You are seriously mistaken if you think alternative OSes have no exploits, bugs or viruses.

Name one that required no user interaction and got full root remotely, like all the Win32 RPC worms.

 

[BFG10K]

it's not even possible to easily enable/disable a network interface if you're logged in with a restricted account and that's something that's required on notebooks.

Name an example scenario you're thinking about.

Name one that required no user interaction and got full root remotely, like all the Win32 RPC worms.

Go and browse the exploit lists and see how many you can find (I don't know offhand).

In the meantime:

Suse Linux Enterprise Server (SLES) 8 had 48 advisories in the same period, with 58 percent of the holes exploitable remotely and 37 percent enabling system access. Red Hat's Advanced Server 3 had 50 advisories in the same period - despite the fact that counting only began in November of last year. Sixty-six percent of the vulnerabilities were remotely exploitable, with 25 granting system access.

 

[aux]

firefox, opera

 

[Nothinman]

Name an example scenario you're thinking about.

The scenario was me using my laptop, I couldn't use a limited account because I couldn't disable/enable the NIC or WIFI and there's even no way to do it via the CLI like ifup/ifdown on Linux.

Suse Linux Enterprise Server (SLES) 8 had 48 advisories in the same period, with 58 percent of the holes exploitable remotely and 37 percent enabling system access. Red Hat's Advanced Server 3 had 50 advisories in the same period - despite the fact that counting only began in November of last year. Sixty-six percent of the vulnerabilities were remotely exploitable, with 25 granting system access.

I thought we were talking about workstations here, how many of them are installed and enabled by default on the workstation versions of those distros? If you would think about it for a minute you would realize that comparing the sheer number of advisories is pointless because there's a ton more software on a Linux CD than there is with even the server version of Windows, in some cases the software is even redundant when a distro includes more than one package that performs the same function.

And on top of all of that, how many of them have active, flourishing worms out there right now? It would take you less than 5 minutes to get a RPC worm if you put an unpatched Windows box on the Internet.

 

[Robor]

IE 6 with the beta SP2 for XP installed. Has a built-in popup blocker. I tried Firefox but I hate how the bookmarks/favorites display so I went back to IE.

 

[n0cmonkey]

Originally posted by: BFG10K

In the meantime:

Suse Linux Enterprise Server (SLES) 8 had 48 advisories in the same period, with 58 percent of the holes exploitable remotely and 37 percent enabling system access. Red Hat's Advanced Server 3 had 50 advisories in the same period - despite the fact that counting only began in November of last year. Sixty-six percent of the vulnerabilities were remotely exploitable, with 25 granting system access.

I hate these comparisons because they are always such crap. From a link on the link you posted:

2004 - 13 Secunia Security Advisories
- SuSE update for dhcp/dhcp-server

If SuSE is using the standard DHCPd and DHCP client, this was not a SuSE issue.

- SuSE update for kernel

This was not just a SuSE issue.

- SuSE update for CVS

This was a CVS issue.

- SuSE update for kdelibs

KDE.

- SuSE update for cvs

CVS.

- SuSE update for mc

MC, which is known to be crappy for the most part.

- SuSE update for kernel
- SuSE update for kernel

Kernel maintainers.

- SuSE update for CVS

CVS.

- SuSE update for OpenSSL

OpenSSL

- SuSE update for XFree86

XFree86.

- SuSE update for kernel

Kernel maintainers.

- SuSE update for tcpdump

tcpdump.

Hmmm, none of these appear to be SuSE problems. Moving on:

2003 - 35 Secunia Security Advisories
- SuSE update for kernel

Kernel.

- SuSE update for rsync

Rsync.

- SuSE update for gpg

GPG.

- SuSE update for OpenSSL

OpenSSL.

- SuSE update for MySQL

MySQL.

- SuSE update for sendmail

Sendmail.

- SuSE update for OpenSSH

OpenSSH. 17 advisories since 2k1. Not bad.

- SuSE update for Pine

Ugh, a pine issue.

- SuSE update for pam_smb

pam or samba maintainers, not sure.

- SuSE update for sendmail

Sendmail.

- SuSE update for kernel

Kernel maintainers.

- SuSE update for Postfix

I thought they were using sendmail? I guess they put out advisories for EVERY PIECE OF SOFTWARE THEY INCLUDE ON THE CD WHETHER YOU INSTALL IT OR THEY MAKE IT OR WHATEVER. This is an IBM issue.

- Linux Kernel 2.4 Multiple Vulnerabilities

Kernel maintainers.

- SuSE update for nfs-utils

NFS utilities maintainers.

- Linux-PAM User Name Spoofing Vulnerability

PAM maintainers.

- SuSE update for pptpd

PPTPd maintainers.

- SuSE update for CUPS

CUPS guys.

- Linux Kernel Denial of Service Vulnerabilities
- Linux Kernel route cache flooding Denial of Service

Kernel maintainers.

- SuSE update for samba
- Samba exploitable buffer overflow

Samba.

- SuSE update for OpenSSL

OpenSSL.

- SuSE update for sendmail
- Sendmail Address Parsing Buffer Overflow

Sendmail.

- SuSE kernel updates

Kernel maintainer.

- SuSE update for mutt

Mutt.

- SuSE updates for Qpopper

Qpopper?

- SuSE updates for file

GNU.

- Multiple Vendor RPC XDR Library Integer Overflow

Library maintainer.

- SuSE updates for samba
- Samba Packet Fragment Re-assembly Buffer Overflow

Samba.

- SuSE updates for tcpdump

tcpdump.

- SuSE updates for sendmail

sendmail

- SuSE updates for openssl

OpenSSL.

- SuSE updates for libmcrypt

Whoever maintains libmcrypt.

As you should be able to see by now, these are not just SuSE issues. If we took Microsoft Windows 2000 advisories, and threw in an advisory for just about every piece of major software that runs on it, wouldn't that list look kind of similar?

So basically, you cannot use advisories released as a metric to decide how "secure" a system is. You should know that by now, unless you were just doing this for trolling factors and I didn't get the joke.

 

[drag]

Originally posted by: BFG10K

it's not even possible to easily enable/disable a network interface if you're logged in with a restricted account and that's something that's required on notebooks.

Name an example scenario you're thinking about.

Name one that required no user interaction and got full root remotely, like all the Win32 RPC worms.

Go and browse the exploit lists and see how many you can find (I don't know offhand).

[L=In the meantime]http://www.techworld.com/security/news/index.cfm?newsid=1798[/L]:

Suse Linux Enterprise Server (SLES) 8 had 48 advisories in the same period, with 58 percent of the holes exploitable remotely and 37 percent enabling system access. Red Hat's Advanced Server 3 had 50 advisories in the same period - despite the fact that counting only began in November of last year. Sixty-six percent of the vulnerabilities were remotely exploitable, with 25 granting system access.

You'd also see that Suse operating system comes with many optional setups.

It has 2-3 different versions of SQL databases, several different versions of FTP server, variations of Apache servers.

I have about 7-10 gigs of software that I installed on my computer that is "Debian" according to websites that have statistics of those types of exploits.


When comparing exploits between Windows vs Linux exploits compare every peice of software that is ever installed on Windows + Windows itself vs Linux because that's what your looking at.

Also most of those advisories are theoretical. Nobody had yet found a way to exploit them, but it was conceviably exploitable so they were fixed anyways.

If you want to see for your self go here [L=http://www.linuxsecurity.com/advisories/[/L] and then ask yourself what normal users are going to be using all of these services.

And if you actually read what I'd put there instead of just spounting off propaganda BS. I didn't meantion anything about how so much secure Linux is from remote exploits vs Windows, I said that you wouldn't have to worry about sacrificing your rights, your money and subjected yourself to the risk endless stream of viruses, spyware, and worms that go hand in hand with using MS software.

Which is all facts, obvious to everybody. Weither or not Linux is superior or Windows has superior software programmers is irrelevent to what I said.

I was being ironic because obviously you believe that people should subject themselves to software with these problems and train themselves to work around it instead of taking the easy way out and simply use software were they don't have to worry about stuff like that. (so much)(speaking of IE vs Firefox)

 

[BFG10K]

The scenario was me using my laptop, I couldn't use a limited account because I couldn't disable/enable the NIC or WIFI

Why do you need to disable/enable the hardware? Do you disable a sound card when you're not playing audio? No? Why then do you need to disable the NIC if you're not on the network?

As you should be able to see by now, these are not just SuSE issues.

And?

If we took Microsoft Windows 2000 advisories, and threw in an advisory for just about every piece of major software that runs on it, wouldn't that list look kind of similar?

You mean like you're doing in this thread when referring to Internet Explorer? Why is it OK to knock IE but not KDE or Apache?

Oh that's right, Linux is just a kernel isn't it? Or at least when it suits your argument anyway.

And if you actually read what I'd put there instead of just spounting off propaganda BS.

The only propaganda I see in this thread is Linux fans providing excuses as to why their bubble of secure computing isn't just a figment of their imaginations.

I was being ironic because obviously you believe that people should subject themselves to software with these problems and train themselves to work around it

So you constantly run as root on your Linux box(es) then? If not then according to your logic you're simply working around your platform's problems.

 

[drag]

I was being ironic because obviously you believe that people should subject themselves to software with these problems and train themselves to work around it

So you constantly run as root on your Linux box(es) then? If not then according to your logic you're simply working around your platform's problems.

Ah... I see.

When using ROOT your god over your operating system. Anything goes. You can accidently delete the entire OS, because it's designed specificly to give you ultimate power over your OS so that you are not bound by any restrictions to what you can and cannot do.

So using your logic then since Root is specifcly designed to give me as much freedom as possible, then IE is specificly designed to provide a vector for installing spyware and viruses?

Your logic is crap because running root has nothing remotely similar to having to aviod clicking on pop-ups when using IE as a normal user. There is a purpose to having a Root account, there is not a purpose to ActiveX vunerabilities.

I certainly hope you understand something that is designed in as a feature VS flaws in program design. Flaws that don't get fixed and numerious flaws that come up on almost a weekly basis.

Your living in a fantasy land. IE is actually are realy crappy peice of software when it comes to security.

It actually realy realy is. Seriously. IT IS. and I am certainly not alone

All software is not created equal, all software is not equivalient. Some software actually is seriously flawed and IE is such a peice of software.

If you want to go on using IE, thats fine. There are plenty of reasons to continue using it. Some websites don't work with Firefox/Mozilla correctly, windows updates don't work thru it, firefox isn't as tightly integrated into the OS as IE. and Shockwave doesn't work with it... and ... and I am sure that I can think of some more stuff if I tried.

But if your trying to tell me that a guy is stupid because he is tired of putting up with IE's f-ups, or your trying to prove to me that IE doesn't have serious flaws, then you have some issues that nobody here can help you with.

 

[BFG10K]

So using your logic then since Root is specifcly designed to give me as much freedom as possible, then IE is specificly designed to provide a vector for installing spyware and viruses?

IE has absolutely nothing to do with it given we're comparing Root to Administrator.

Your logic is crap

Except it isn't even remotely my logic.

there is not a purpose to ActiveX vunerabilities.

ActiveX can be completely disabled. This is a further example of what I mean about setting up the system properly.

You wouldn't stick your box non-firewalled and with root access and all security disabled on the internet would you? Why then do you expect Windows users to run their boxes like that and then automatically blame IE when a problem occurs?

Remember MSBlaster? Even just having the firewall enabled completely blocked it. If some XP/2003 user caught it then they have only themselves to blame. Likewise a restricted account stopped the virus from attaching itself to the system so if any NT based user caught it again, they have only themselves to blame.

Your living in a fantasy land. IE is actually are realy crappy peice of software when it comes to security.

It has security issues for sure. My points are simply:

• Running a restricted account on a properly configured box will protect you from practically all of its issues.
• Other browsers and OSes have security issues too and need to be locked down equally for protection.

But if your trying to tell me that a guy is stupid because he is tired of putting up with IE's f-ups,

How many of IE's f-ups are stopped by running under a restricted account, firewalling your connections and disabling potential security problems like Active X?

Pretty much all of them I'd say.

 

[drag]

Originally posted by: BFG10K

So using your logic then since Root is specifcly designed to give me as much freedom as possible, then IE is specificly designed to provide a vector for installing spyware and viruses?

IE has absolutely nothing to do with it given we're comparing Root to Administrator.

Your logic is crap

Except it isn't even remotely my logic.

there is not a purpose to ActiveX vunerabilities.

ActiveX can be completely disabled. This is a further example of what I mean about setting up the system properly.

You wouldn't stick your box non-firewalled and with root access and all security disabled on the internet would you? Why then do you expect Windows users to run their boxes like that and then automatically blame IE when a problem occurs?

Your living in a fantasy land. IE is actually are realy crappy peice of software when it comes to security.

It has security issues for sure. My points are simply:

• Running a restricted account on a properly configured box will protect you from most/all of its issues.
• Other browsers and other OSes have security issues too and need to be locked down equally for protection.

But if your trying to tell me that a guy is stupid because he is tired of putting up with IE's f-ups,

How many of IE's f-ups are stopped by running under a restricted account, firewalling your connections and disabling potential security problems like Active X?

Pretty much all of them I'd say.

OR you can just set it up to run well and use Firefox and still be better off then using IE.

There is a lot of crap wrong with IE that MS hasn't fixed, and is probably not going to fix and there is nothing you can do to fix that.

 

[BFG10K]

OR you can just set it up to run well and use Firefox and still be better off then using IE.

It doesn't matter what software you run; if you leave your box wide open you have only yourself to blame if you get issues.

And it's not like FireFox (or any other browser) doesn't have issues.

and is probably not going to fix and there is nothing you can do to fix that.

A locked down box will protect you.

 

[drag]

here let me illistrate my point:

Macromedia crash, no solution. Causes a IE crash.
http://www.securityfocus.com/bid/10057/info/

Denial of service vunerability. Cause a IE crash.
http://www.securityfocus.com/bid/10073/info/

Denial of service vunerability. Cause memory to be used up.
http://www.securityfocus.com/bid/10097/info/

Certificate Spoofing. Causes connections to appear to be "secure" when they realy aren't.
http://www.securityfocus.com/bid/10248/info

Bad HTML coding obfuscates links. Cause you to go to a malisious link when clicking on a link that you think goes somewere else.
http://www.securityfocus.com/bid/10308/info/

Bad XML link crashes browser
http://www.securityfocus.com/bid/10318/discussion/

Uncomfirmed memory corrupt (dos crash) thru javascript.
http://www.securityfocus.com/bid/10299/info/

Page spoofing. Control browser to make it seem that your in a webpage that your not.
http://www.securityfocus.com/bid/10346/info/

Cause help pages to load, when it shouldn't be possible. Can be used with other vunerabilities in a attack.
http://www.securityfocus.com/bid/10348/info/
http://www.securityfocus.com/bid/10344/discussion/ (seems similar to above)

DOS attack the browser
http://www.securityfocus.com/bid/10351/info/

Bad CSS handling causes browser to crash
http://www.securityfocus.com/bid/10382/discussion/

This one is interesting. Multiple vendors (including kde) don't handle stuff like telnet://-nfilename correctly. Opera has a fix, Gentoo/Mandrake have a fix.
http://www.securityfocus.com/bid/10341/info/

Protocol zone bypass.
etc. etc. etc.

I got tired of it. Seems that many of these are just different ways to attack similar bugs.

Heres a old one that has no solution or patch.
http://www.securityfocus.com/bid/7939/info/
you can't fix by turning stuff off.



Note those are only ones that I picked that have no solution. There are lots of others that have solutions in the knowledge base that have no patch. There are lots more of these that I didn't list becuase I was getting tired of copying and pasting all this crap. These are just a fraction of bugs and vunerabilities wth IE.

If you want to see for yourself go to here and select "microsoft" for vendor and "title" select internet explorer.

You can also look up mozilla if you want, but you'd probably notice realy quickly that the problems are not anywere as numerous as they are with IE, plus they get fixed quicker.

It doesn't matter what software you run; if you leave your box wide open you have only yourself to blame if you get issues.

And it's not like FireFox (or any other browser) doesn't have issues.

Sure sure.

A locked down box will protect you.

Yep and if you disconnect that ethernet cord from the back of your computer then no IE vunerability will ever affect you. Unless of course your using a modem or connect to your router using USB, if that's the case then you should lock down those too.