Free Republic

U.S. CERT Cyber Security Alert SA04-261A Multiple vulnerabilities in Mozilla products
United States Computer Emergency Readiness Team | September 17, 2004 | U.S.-CERT (Computer Emergency Readiness Team)

Posted on 09/17/2004 4:02:07 PM PDT by Stoat

US-CERT

National Cyber Alert System
Cyber Security Alert SA04-261A

Multiple vulnerabilities in Mozilla products

Original release date: September 17, 2004
Last revised: --
Source: US-CERT


Systems Affected

  • Mozilla Suite (Mozilla web browser, Mozilla Mail)
  • Firefox web browser
  • Thunderbird email client


Overview

By taking advantage of one or more vulnerabilities in Mozilla products, an attacker may be able to take control of your computer.


Solution

Upgrade to the latest version

Mozilla has released updated versions of the affected products. You can download the latest versions:


Description

There are vulnerabilities in various features of Mozilla's web browsers and email clients. Some of the vulnerabilities are connected to the way the application handles URLs or images. In one instance, an attacker could cause an application to crash or could take control of your computer by convincing you to view a malicious web site or email message.

For more technical information, see US-CERT Technical Alert TA04-261A.



Feedback can be directed to US-CERT.


Copyright 2004 Carnegie Mellon University.

Revision History

September 17, 2004: Initial release

Last updated September 17, 2004



TOPICS: Announcements; Business/Economy; Technical
KEYWORDS: browser; computer; computing; firefox; internet; mozilla; secruity; thunderbird; uscert
Uber-Geeks please see the "technical" version of this alert at:

http://www.us-cert.gov/cas/techalerts/TA04-261A.html

1 posted on 09/17/2004 4:02:09 PM PDT by Stoat

To: Stoat
Quite a few actually

Several vulnerabilities have been reported in the Mozilla web browser and derived products. More detailed information is available in the individual vulnerability notes:

VU#414240 - Mozilla Mail vulnerable to buffer overflow via writeGroup() function in nsVCardObj.cpp

Mozilla Mail contains a stack overflow vulnerability in the display routines for VCards. By sending an email message with a crafted VCard, a remote attacker may be able to execute arbitrary code on the victim's machine with the privileges of the current user. This can be exploited in the preview mode as well.

VU#847200 - Mozilla contains integer overflows in bitmap image decoder

A vulnerability in the way Mozilla and its derived programs handle certain bitmap images could allow a remote attacker to execute arbitrary code on a vulnerable system.

VU#808216 - Mozilla contains heap overflow in UTF8 conversion of hostname portion of URLs

A vulnerability in the way Mozilla and its derived programs handle certain malformed URLs could allow a remote attacker to execute arbitrary code on a vulnerable system.

VU#125776 - Multiple buffer overflows in Mozilla POP3 protocol handler

There are multiple buffer overflow vulnerabilities in the Mozilla POP3 protocol handler that could allow a malicious POP3 server to execute arbitrary code on the affected system.

VU#327560 - Mozilla "send page" feature contains a buffer overflow vulnerability

There is a buffer overflow vulnerability in the Mozilla "send page" feature that could allow a remote attacker to execute arbitrary code.

VU#651928 - Mozilla allows arbitrary code execution via link dragging

A vulnerability affecting Mozilla web browsers may allow violation of cross-domain scripting policies and possibly execute code originating from a remote source.

2 posted on 09/17/2004 4:03:52 PM PDT by Centurion2000 (Truth, Justice and the Texan Way)

To: Stoat
And the beast shall be made legion. Its numbers shall be increased a thousand thousand fold. The din of a million keyboards like unto a great storm shall cover the earth, and the followers of Mammon shall tremble.

from The Book of Mozilla, 3:31

(Red Letter Edition)

3 posted on 09/17/2004 4:04:01 PM PDT by steveo (Member: Fathers Against Rude Television)

To: Stoat

And I thought it was regarded as a more secure alternative to Explorer.


4 posted on 09/17/2004 4:04:42 PM PDT by Buford T. Justice

To: Buford T. Justice

Well, you will notice that the vulnerabilities were fixed almost as soon as they were discovered.

If you have the code, you could fix them yourself if you like.

Mistakes can happen, but at least the architecture is not inherently insecure.


5 posted on 09/17/2004 4:08:59 PM PDT by proxy_user

To: Buford T. Justice

It's more secure because there are far fewer users of it, not to mention it's open source. That being said I have updated it.


6 posted on 09/17/2004 4:10:48 PM PDT by aft_lizard (I actually voted for John Kerry before I voted against him)

To: Stoat

Thanks for the post. Updated.


7 posted on 09/17/2004 4:16:00 PM PDT by Arkinsaw

To: Arkinsaw
"Thanks for the post. Updated."

You're welcome; I'm happy if this has been of some help :-)
8 posted on 09/17/2004 4:18:47 PM PDT by Stoat

To: Stoat

Ah, now we know what the geeks in Redmond write in their spare time, now that their stock options are tanking.


9 posted on 09/17/2004 4:21:38 PM PDT by FreedomFarmer (Less carrot, more STICK!)

To: aft_lizard

Aft_lizard said:
"It's more secure because there are far fewer users of it"

Ah, I see you buy into the Microsoft FUD that MS software is only insecure because it's popular.

Would you keep your money in a bank that was robbed daily because they claim they were popular, while they never bother locking the vault door, or even having a vault in the first place?

Where did you get the idea that because something is popular it has to be a security sieve?

I'd really like to know - because that's Bill Gates' favorite excuse. But then, Bill has the honor of having the only browser that the Dept of Homeland Security recommends you NOT use:

http://www.kb.cert.org/vuls/id/713878


10 posted on 09/17/2004 4:30:47 PM PDT by konaice

To: Stoat

My FireFox and Thunderbird are up to date! I'm saved!!!


11 posted on 09/17/2004 4:36:01 PM PDT by Solamente

To: Stoat

BTTT


12 posted on 09/17/2004 4:38:01 PM PDT by Fiddlstix (This Tagline for sale. (Presented by TagLines R US))

To: konaice

Can you disprove it? You like using jingos to make a point too? Sorry but the fact remains that if Mozilla was the number one software we would all be bitching about security problems, popups and other annoyances. Not to mention since Mozilla is open source, it's hard not to argue that since the coding is open that it is easier to crack and infect. So tell me again why it's safer other than it has fewer users?

Seriously you can't buy the anti-argument that it's simply the program and not the amount of users.

Question to you. If you were a hacker looking to cause a great amount of damage to the internet, would you choose Opera? Mozilla or IE?

Eagerly waiting.


13 posted on 09/17/2004 4:38:47 PM PDT by aft_lizard (I actually voted for John Kerry before I voted against him)

To: Stoat

I am using Firebird 0.7. Which do I download. Mozilla, Firefox, or Thunderbird? I don't use the mail utility.


14 posted on 09/17/2004 4:38:52 PM PDT by fritzz (Power tends to corrupt, and absolute power corrupts absolutely - Lord Acton)

To: fritzz

"I am using Firebird 0.7. Which do I download. Mozilla, Firefox, or Thunderbird? I don't use the mail utility."

If you don't use the mail and you want a fast, lean and mean browser, try Firefox; I love it to pieces :-)


15 posted on 09/17/2004 4:41:53 PM PDT by Stoat

To: Stoat

Thanks.


16 posted on 09/17/2004 4:43:27 PM PDT by fritzz (Power tends to corrupt, and absolute power corrupts absolutely - Lord Acton)

To: Stoat

But, but, but ... I thought this was impossible! They said that only Microsoft products have vulnerabilities and that I would become 50 pounds lighter, a foot taller, and my winkie would lengthen by 2 inches if I stopped using them!


17 posted on 09/17/2004 4:43:39 PM PDT by asgardshill (By direct order, I LOVE ALAN KEYES!)

To: fritzz
You're welcome :-)
18 posted on 09/17/2004 4:45:04 PM PDT by Stoat

To: Buford T. Justice
"And I thought it was regarded as a more secure alternative to Explorer."

It is - but there's a difference between more secure and perfect. If and when God starts coding, we'll get some perfect software. Until then, I'd rather be exposed to Mozilla's handful of security flaws per year than Internet Explorer's flood of security flaws per week.
19 posted on 09/17/2004 4:49:07 PM PDT by NJ_gent (Conservatism begins at home. Security begins at the border. Please, someone, secure our borders.)

To: aft_lizard
"It's more secure because there are far fewer users of it"

The security of the code has nothing to do with the number of people using it. Mozilla tends to be far more secure than Internet Explorer because it's been designed with security in mind, and because it's not so tightly integrated into the OS as to bring about the end of the security world for a computer whenever a small security flaw is found.
20 posted on 09/17/2004 4:51:39 PM PDT by NJ_gent (Conservatism begins at home. Security begins at the border. Please, someone, secure our borders.)

To: asgardshill
"They said that only Microsoft products have vulnerabilities and that"

Whoever "they" are, they're pretty ignorant and silly. Mozilla is certainly many steps above Internet Explorer and Outlook/OE in just about every way (security, standards compliance, functionality, expandability, etc), but it's not perfect. Recruit God to code for the Mozilla project and you'll get perfect code. Otherwise, you'll just end up with some of the best code modern humans have written for a web browser/email client.
21 posted on 09/17/2004 4:55:53 PM PDT by NJ_gent (Conservatism begins at home. Security begins at the border. Please, someone, secure our borders.)

To: aft_lizard
"Sorry but the fact remains that if Mozilla was the number one software we would all be bitching about security problems, popups and other annoyances."

Mozilla blocks popups no matter how many people are using it. You figure it's some kind of giant cluster thing?

"So tell me again why it's safer other than it has fewer users?"

It's safer because:

1. It's a cleaner, more modern design. IE's code problems (mostly design problems) go back to its original code base nearly 10 years ago. Mozilla's code is mostly new. The vast majority of the Netscape code was jettisoned because it was such a mess.

2. It's not integrated into the OS. A vulnerability of the browser doesn't affect the mail client, file manager, update system, help pages, etc.

3. It was built by a group that sees security as a design problem, not a marketing problem. Microsoft still hasn't understood the lesson.

4. It allows users a much finer control of what content to allow and what to reject. Popups, java, javascript, and other content can be excluded either completely or site-by-site with a few simple clicks.

5. It has safe and sane defaults.

"Seriously you can't buy the anti-argument that it's simply the program and not the amount of users."

It's not an anti-argument. It's a provable fact. Shall we examine the security of Apache and Sendmail against IIS and Exchange? IIS and Exchange should be successfully attacked much less according to your theory, since IIS and Exchange have a much smaller user base than Apache and Sendmail. That's provably not true.

"Question to you. If you were a hacker looking to cause a great amount of damage to the internet, would you choose Opera? Mozilla or IE?"

I'd look for the most easily exploited code and then use it as a jump-off point. And that would be IE. The fact that IE is also the most used code is a nice benefit, but not really necessary.

Try not to confuse correlation and causation.

22 posted on 09/17/2004 5:02:06 PM PDT by Knitebane

To: Stoat

Thanks for posting this.


23 posted on 09/17/2004 5:03:03 PM PDT by DB ()

To: aft_lizard

"it's hard not to argue that since the coding is open that it is easier to crack and infect."

Then why is all the cracking and infecting done to CLOSED source code, and none to OPEN source code??

Because the code is Open, the vast majority of bugs and just plain sloppy code are found because millions of eyes are looking at it.

That's the beauty of open source, it quickly migrates to perfection. Its innards are all right there in plain sight yet it STILL can't be cracked. That is the definition of quality - you can see exactly how it works but you still can't break in.

It's a well-known adage in information technology that "Security by obscurity is no security at all".
Keeping your code secret does not make it secure.

Microsoft is secret - yet it is totally insecure.

Vastly more is to be gained by breaking into web servers than into Joe Sixpack's computer. Yet the only web servers routinely broken into are those running Microsoft IIS (closed source), and it accounts for less than 20% of all servers on the web - but 98% of all breakins.

If I was a hacker looking to break in, I would pick the SOFTEST TARGET. Not the most PLENTIFUL TARGET. Ask any thief.

I can't believe after 5 years of Microsoft's CLOSED source software inflicting billions of dollars of damage on the net and business that there is STILL someone who believes the Microsoft B.S. that insecurity comes with popularity.

You really need to upgrade your education on this issue.


24 posted on 09/17/2004 5:03:18 PM PDT by konaice

To: Stoat

bookmark


25 posted on 09/17/2004 5:09:22 PM PDT by WestCoastGal (Jr" I dunno what happened, it just felt like the hand of God came over and hit me real hard")

To: Knitebane

Jiminy christmas you guys DID NOT ANSWER MY Fn QUESTION.

If Firefox was the number one browser with 95% of the market would it or would it not have as many issues as IE when it comes to certain security problems, i.e. pop-ups, spy-ware, mal-ware, hijack-ware? If you were a person looking to cause massive worldwide internet problems would you or would you not target the largest company out there?

Mozilla blocks popups no matter how many people are using it. You figure it's some kind of giant cluster thing?>>>>

Where in the world did you come up with that nonsense, seriously. Popups and hijackers, spy ware and others are specifically coded towards IE, of course IE is going to have more problems there. What does the amount of users have to do with it? It's all about what they are geared at. I can't believe I am having this argument.

Look I use firefox, I like it and will continue to use it. I just don't buy into the theory that IE is a totally inferior product because you say so, it's inferior because it's the target of the world community. And if Firefox ever got that big it would falter also.


26 posted on 09/17/2004 5:12:28 PM PDT by aft_lizard (I actually voted for John Kerry before I voted against him)

To: konaice

Then why is all the cracking and infecting done to CLOSED source code, and none to OPEN source code?? >>>

Because open source makes up less than 5% of the market. Why bother with it. Your question is similar to asking somebody why most drownings are caused by water, could it be because most people swim in water, bathe in it, drink it?


Let's not forget on your other argument here about closed source, remember they are a company, they are in it to make money. They can do it only at the expense of its consumer for so long.


27 posted on 09/17/2004 5:16:48 PM PDT by aft_lizard (I actually voted for John Kerry before I voted against him)

To: aft_lizard
"Jiminy christmas you guys DID NOT ANSWER MY Fn QUESTION."

I did answer your question. I'm sorry it wasn't the answer you wanted.

"If Firefox was the number one browser with 95% of the market would it or would it not have as many issues as IE when it comes to certain security problems, i.e. pop-ups, spy-ware, mal-ware, hijack-ware?"

The answer is NO.

Just like Apache, the number one web server, doesn't have as many issues as IIS.

Just like Sendmail, the number one mail server, doesn't have as many issues as Exchange.

"Popups and hijackers, spy ware and others are specifically coded towards IE, of course IE is going to have more problems there."

No, they aren't, and I begin to see the problem here. You don't understand how the underlying technology works, so you don't understand why Mozilla works differently.

"And if Firefox ever got that big it would falter also."

And once again:

WRONG

28 posted on 09/17/2004 5:41:20 PM PDT by Knitebane

To: Knitebane
I did answer your question. I'm sorry it wasn't the answer you wanted.>> You did not. <> So now I can compare a motorcycle to a car? Or my apple here to that orange in the fridge? It's browser to browser you can't extrapolate because Apache is better than IIS then Firefox therefore will be better than IE. <<>> Ever tried to install google toolbar on firefox? or yahoo's toolbar? It's funny because it won't on mine, I wonder why that is? (did you know a lot of mal-ware uses the same technology as them but they involuntarily install it on your computer) Just curious since you say I don't understand the way it works. I am sure this is somehow making your case, but it doesn't. <>> And there you go again, predicting the future, unequivocally.
29 posted on 09/17/2004 5:56:07 PM PDT by aft_lizard (I actually voted for John Kerry before I voted against him)

To: Knitebane

I did answer your question. I'm sorry it wasn't the answer you wanted.>>

You did not.

The answer is NO.

Just like Apache, the number one web server, doesn't have as many issues as IIS.

Just like Sendmail, the number one mail server, doesn't have as many issues as Exchange. >>

So now I can compare a motorcycle to a car? Or my apple here to that orange in the fridge? It's browser to browser you can't extrapolate because Apache is better than IIS then Firefox therefore will be better than IE.

No, they aren't, and I begin to see the problem here. You don't understand how the underlying technology works, so you don't understand why Mozilla works differently.>>>

Ever tried to install google toolbar on firefox? or yahoo's toolbar? It's funny because it won't on mine, I wonder why that is? (did you know a lot of mal-ware uses the same technology as them but they involuntarily install it on your computer) Just curious since you say I don't understand the way it works. I am sure this is somehow making your case, but it doesn't.

and once again:

WRONG>>>

And there you go again, predicting the future, unequivocally.


30 posted on 09/17/2004 5:58:13 PM PDT by aft_lizard (I actually voted for John Kerry before I voted against him)

To: aft_lizard
Please learn to format. Poor formatting makes it a lot of work to find your comments.

That said...

"It's browser to browser you can't extrapolate because Apache is better than IIS then Firefox therefore will be better than IE."

Your argument is that the popularity of a particular piece of software is related to the amount of security problems that it has.

I have offered two examples of how that argument is not valid, yet you continue to go way around the issue in an effort to keep from having to see the truth.

"Ever tried to install google toolbar on firefox? or yahoo's toolbar?"

I fail to see how software add-ons have any relevance to the security of the software itself. Perhaps you can dig down deep into your programming or security experience and explain it to me.

"(did you know a lot of mal-ware uses the same technology as them but they involuntarily install it on your computer)"

I did know that. I also know that the more integrated the browser is into the operating system, the easier it is to exploit the computer at a lower level.

I also know that the idea that malware can be installed without the user knowing is a design flaw common to Microsoft software.

And I also know that the history of exploits and the seriousness of those exploits indicate that your position on the popularity of a bit of software having anything to do with it being exploited is silly.

31 posted on 09/17/2004 6:07:27 PM PDT by Knitebane

To: DB
"Thanks for posting this"

You're welcome! I hope that it has been of some help :-)
32 posted on 09/17/2004 6:23:12 PM PDT by Stoat

To: Knitebane
I fail to see how software add-ons have any relevance to the security of the software itself. Perhaps you can dig down deep into your programming or security experience and explain it to me.>> It goes like this: YOU ANSWERED IT IN YOUR FOLLOWING ANSWER! did you know a lot of mal-ware uses the same technology as them but they involuntarily install it on your computer) I did know that. I also know that the more integrated the browser is into the operating system, the easier it is to exploit the computer at a lower level.
Now let me make this one last case to you, because after this I am iggying this thread. The reason why IE has more problems is because it is bigger, simple but not accepted by you, fine. OK the reason why having a bigger more broadly accepted browser is more dangerous is because the number of vendors and programs out there are targeted towards it, fine you don't buy that either. OK Now the more programmers and users of said item the more different the programs, ok. Now let me continue on with my bad "formatting". The more there are different programs out there such as yahoo bar, integrated video, java scripted mail clients etc the more people out there get to know the script and the flaws. When you have had literally billions of reviews of software that goes out and works with said browser flaws will be found and exploited. Mozilla hasn't had that sort of exposure with FireFox, it will eventually and it will possibly stand up to the test of time or it won't that remains to be seen.
This argument is over and is quickly going to go down to the level of apes tossing shit at each other. So I will leave it at that, if you can't see or understand that view then so be it. But try and keep the insulting out of it.
33 posted on 09/17/2004 7:16:12 PM PDT by aft_lizard (I actually voted for John Kerry before I voted against him)

To: Knitebane

I know I said I was ending this argument.

But I must apologize I reread my posts, and it seems to me that I am the one being an a**. I don't mean to be on this, sometimes I get flustered.

I stand by my arguments though in either case, just my language can change.


34 posted on 09/17/2004 8:00:56 PM PDT by aft_lizard (I actually voted for John Kerry before I voted against him)

To: NJ_gent
"It is - but there's a difference between more secure and perfect. If and when God starts coding, we'll get some perfect software. Until then, I'd rather be exposed to Mozilla's handful of security flaws per year than Internet Explorer's flood of security flaws per week."

Good point. I moved over to Firefox in January and have been very happy with it.

Cheers!

35 posted on 09/17/2004 8:52:58 PM PDT by Buford T. Justice

To: Stoat

Updated, and thankee kindly for the headsup!


36 posted on 09/17/2004 9:38:17 PM PDT by Titan Magroyne (Uniform of the day: Freepajamas)

To: Titan Magroyne
You're quite welcome! I am happy that this has been of some help.
37 posted on 09/17/2004 9:58:09 PM PDT by Stoat

To: Stoat

I just downloaded firefox. Can any other users out there tell me how you like it or dislike it.


38 posted on 09/18/2004 1:41:17 AM PDT by rdl6989 (<fontface="Rather Not">)

To: RhoTheta

Ping.


39 posted on 09/18/2004 7:30:34 AM PDT by Egon (I will quit this post only when properly relieved.)

To: Stoat

thanks for the tip.


40 posted on 09/20/2004 12:39:00 AM PDT by AmericanVictory (Should we be more like them, or they like us?)

To: AmericanVictory
"thanks for the tip."

You're welcome! I am happy if it has been of some help. :-)
41 posted on 09/20/2004 12:48:52 AM PDT by Stoat

To: aft_lizard
"It goes like this: YOU ANSWERED IT IN YOUR FOLLOWING ANSWER!"

Uh, no. Whether one can plug in additional features to software is completely different from the core code that contains vulnerabilities.

"Now let me make this one last case to you, because after this I am iggying this thread."

That's convenient.

"The reason why IE has more problems is because it is bigger, simple but not accepted by you, fine."

By me and by much of the security community. The concept of "used more = hacked more" is provably false, and while you can continue to ignore that fact, it doesn't make your argument acceptable.

"This argument is over and is quickly going to go down to the level of apes tossing shit at each other."

Like most of the trolls that I swat on the tech threads, I have no interest in changing your mind. Rather, my purpose is to keep you from spreading FUD and poisoning the minds of other readers.

If you want to slink back under your bridge that's perfectly fine by me, but don't expect me to stop posting simply because you've painted yourself into a logic corner.

42 posted on 09/20/2004 12:15:10 PM PDT by Knitebane

To: Knitebane

If you are a security expert I weep for our security.


43 posted on 09/20/2004 12:48:56 PM PDT by aft_lizard (I actually voted for John Kerry before I voted against him)

To: aft_lizard
Start weeping, troll.

I've been in computer security since 1989 and computers in general since 1982.

I currently work for one of the largest backbone providers in the world as a security professional, monitoring for intrusions.

As such, I can state as a fact that you have no idea what you are talking about.

44 posted on 09/20/2004 1:34:47 PM PDT by Knitebane

To: Knitebane

Whatever. Keep calling me troll, keep making claims. I personally don't care. I personally have run into a plethora of problems with this "stable" browser called firefox, from its cookie management to freezing upon certain web elements, ones that have never caused me problems before.

And you seem to be forgetting that I have never defended IE other than to take on the issue you raised in an argument back towards me on security and the availability of a program. Anecdotal evidence and other opinions cannot stray from fact.

Oh and BTW if the US Govt doesn't recommend IE, then why is it supplied on all Army computers? Seems to me if it is such a threat they wouldn't even allow its distribution to such places as my s-3 and s-1 shops.

BTW since we are going on history here, when I was 12 I was kicked out of school because I hacked into the school's computer and changed my grades and about 12 others and was banned from the usage of computers until I was 18, I no longer peruse down the darker side other than to read what's up at various hacker places to read about what's new and vulnerable.


45 posted on 09/20/2004 1:53:54 PM PDT by aft_lizard (I actually voted for John Kerry before I voted against him)

To: Stoat

bump for later


46 posted on 09/20/2004 1:55:53 PM PDT by eyespysomething (I'm typing up lottery tickets. I mean, as long as the content is true the rest doesn't matter.)

To: aft_lizard
"Anecdotal evidence and other opinions cannot stray from fact."

Very well, put your money where your mouth is.

Please provide a reference that indicates that a larger user base of a program will cause more successful exploits.

We await your facts.

"Oh and BTW if the US Govt doesn't recommend IE, then why is it supplied on all Army computers?"

The government doesn't supply IE, Microsoft does. And Microsoft supplies IE with Windows whether you want it or not and in such a way that you can't remove it.

The government recommends using something other than IE.

Scroll down, it's about 2/3 of the way down, under the other solutions, most of which aren't effective.

"BTW since we are going on history here, when I was 12 I was kicked out of school because I hacked into the school's computer and changed my grades and about 12 others and was banned from the usage of computers until I was 18, I no longer peruse down the darker side other than to read what's up at various hacker places to read about what's new and vulnerable."

Thanks for adding that. Now the other readers can decide whom to listen to, a security professional or a criminal.

47 posted on 09/20/2004 2:16:53 PM PDT by Knitebane

To: Knitebane
Thanks for adding that. Now the other readers can decide whom to listen to, a security professional or a criminal.

I did my time.And I have more than made it up through my deeds.You insensitive pr***. To call me a criminal is rather ignorant and insulting, I did not referrence my lurid past to highlight any of my failings but rather to give you and any other readers here knowledge of where I am coming from, if you wish to insult rather than to debate then go ahead and do that, you just wont find an answer in return.

Very well, put your money where your mouth is. Please provide a reference that indicates that a larger user base of a program will cause more successful exploits. We await your facts.

If all my reasons explained before doesnt convince you nothing will. If you are so naive to believe that even if we had thousands of vendors out there adapting themselves to work with the differences in Firefox or Opera and that if you were a hacker or a insidious individual who may design programs to take advantage of your computer by selling mal-ware designed to increase awareness of your site by attacking not the least used programs but the most used programs, then I simply cant help you, I could probably go out and find articles on this or official documentation. You are arguing security I am arguing availability, your bull headedness on this issue is obviously corrupting your vision on this.

So I will try and make this one last attempt.

Have you ever tried counting cards at a blackjack table? Card counting uses the law of large numbers; it's not what people think it is when you count cards. You are simply guessing at what comes next in the count: if, say, the dealer has dealt 5 cards under ten previously, then it is likely that a ten will be dealt next. In the short run you are likely to come up even at a blackjack table doing this, or maybe even slightly ahead; if you multiply the participants you increase your chances at a profit, and when you multiply that by numerous sessions over numerous days you will most likely beat the house with a 5% edge, which is huge in gambling terms. The same law applies to a largely distributed program.

An even simpler way is to say that the number one car in the world is a VW; a VW will probably have more numerical accidents than any other vehicle. Forget its survivability rate or casualty rate, greater number = greater number of accidents.

That is simply all I have been saying. If you prefer to throw math out the window, which I highly doubt you will, then it should stand.

48 posted on 09/20/2004 3:12:03 PM PDT by aft_lizard (I actually voted for John Kerry before I voted against him)

To: aft_lizard
I did my time. And I have more than made it up through my deeds. You insensitive pr***.

Past behavior is indicative of future actions. If you've done your time and reformed then I'm happy for you, but as a security professional I'm not inclined to trust your judgment in security matters any more than a bank president would trust a convicted embezzler. Sorry if that sucks for you, but that's life.

To call me a criminal is rather ignorant and insulting,...

Actually, it's completely accurate. You committed a crime therefore you are a criminal. Stop me if that's too complicated for you to follow.

... I could probably go out and find articles on this or official documentation.

Which is what I asked for, but you have provided a lot of fluff and allegations, but no proof.

...The same law applies to a largely distributed program.

No it doesn't. Sezeniquote...

The Law of Large Numbers: In repeated, independent trials with the same probability p of success in each trial, the chance that the percentage of successes differs from the probability p by more than a fixed positive amount, e > 0, converges to zero as the number of trials n goes to infinity, for every positive e. (bold is mine)

You have made the assumption that the probability of the success of an exploit is constant between IE and Mozilla. That's a bad assumption, and that's where your confusion comes from.

Mozilla code, for reasons listed earlier in this thread, will have a lower exploit rate, thus a lower number of exploits as the number of installations increases.

As the number of installations approaches the number of installations of IE (and I must point out that since IE is integrated into the Windows OS, the number of IE installations will not decrease until the number of Windows installations begins to decrease), the relative number of exploits will be lower by an increasing factor.

There are many factors which make IE and Mozilla different, including (but not limited to) quality and age of code, complexity, permissions in the OS, speed of patching, number of bug fixers, and so forth.

I still await any documentation that says otherwise.

49 posted on 09/20/2004 3:47:58 PM PDT by Knitebane

To: Knitebane
You have made the assumption that the probability of the success of an exploit is constant between IE and Mozilla. That's a bad assumption, and that's where your confusion comes from.

I actually didn't make that assumption. What I said, and very simply in fact, was that the more of something, the more trouble; that is why I specifically negated rates, you know, like 100/1 or a ratio of 100 to 1, from my conclusions. Can you argue with the fact that since more people use Farberware knives, they have more accidents attributed to them? I simply can't be any clearer.

I can't predict the variables any more clearly than you or any other net security guru; that is why I have specifically stayed away from that or tried to make a parallel of progression between IE and Mozilla, that is mathematical stupidity.

Past behavior is indicative of future actions. If you've done your time and reformed then I'm happy for you, but as a security professional I'm not inclined to trust your judgment in security matters any more than a bank president would trust a convicted embezzler. Sorry if that sucks for you, but that's life.

Tell that to the US Army and the US Govt, they were well aware of my past and seem to have no problem with it.

Actually, it's completely accurate. You committed a crime therefore you are a criminal. Stop me if that's too complicated for you to follow.

Seeing as I never was convicted of a crime, just banned from usage in the school system for 6 years and at home via my parents, I fail to make the connection. I mean, is Bush a criminal to you? He committed the crime of DUI, so according to you then in fact he is a criminal and therefore not capable of weighing in on certain subjects. That's a terrible conclusion you come to and it shows us your narrow mind.

I have yet to question Mozilla's security, yet you continue to think I have or say I have. So you keep going on these sidebar tangents that are not in disagreement. Although what can be created by man can be destroyed by man, even with open sourcing, which allows a more fluid ability to correct security problems, you still will have problems. I have a sensation that you believe that open sourcing is to you the end all be all of code. I don't think it is, I think the truth lies somewhere in the middle.

50 posted on 09/20/2004 4:21:26 PM PDT by aft_lizard (I actually voted for John Kerry before I voted against him)