Firefox Myths Debunked

Status
Not open for further replies.

TS | Thomas

No doubt many of you have heard of or even read "Firefox Myths". The purpose of this (ongoing) thread is to debunk several of the claims made - as backed up by multiple reliable (& as recent as possible) sources - along with highlighting the misrepresentation of sources & other errors;

(Mis)Quotes

"...Good stuff - give it a read." - Asa
Actual comment - "Robert Accettura has a nice response to the poorly constructed & mostly worthless article Firefox Myths. Good stuff - give it a read".

"...all web sites are IE compliant, use a browser with IE engine & tabs, & a fully patched system = 100% security." - FreewheelinFrank (MrFlibble)
Actual comment - "This includes 1 of Mastertech's typical phrases designed to suggest he is not the author ('Makes interesting reading') but then goes on to use the first person. Strange- that would be the first time for Mastertech. The notions are his: all web sites are IE compliant, use a browser with IE engine & tabs, & a fully patched system = 100% security."

"I'm not a big fan of evangelism or hyperbole, so when a page called "Firefox Myths" entered my radar recently, I was very interested." - Tre
Actual comment - "I’m not a big fan of evangelism or hyperbole, so when a page called “Firefox Myths” entered my radar recently, I was very interested. Then sadly disappointed. Rather than a balanced analysis of some of the folklore surrounding Firefox, it is merely a stream of weak arguments against imaginary “myths” supported by misquoting or deliberate misreading of sources. I’m not even going to reference the page".

"It's an interesting read..." - Robert A. (Mac User)
Actual comment - "Someone looking for their 5 minutes of fame (obviously not worth 15 minutes) decided to post some Firefox Myths. It’s an interesting read, though has a few oddball statements, that really don’t make sense".

"The sources & data are convincing..." - Ryan J. (Editor note - this should start "...the sources")
Actual comment - "Even though the sources & data are convincing, I see nothing pro-Firefox there - notice no links about IE's insecurity I wonder why."

"...your web pages are actually pretty good: I personally link to Secure XP" - MrFlibble (FreewheelinFrank)
Actual comment - "What is clear is that Mastertech has unbelievable energy for incessantly pursuing the same arguments over & over & over again, he is entirely incapable of admitting that anybody else has a valid point of view, let alone might actually have anything to add to the discussion that might contradict his pre-set notions, & will never give up until he has the last word on this subject, or until he finds the last internet forum on the planet to post in again & start up the whole argument again. Mastertech, I personally don't care if you have a bee in your bonnet about Firefox. I don't care if you see yourself as some kind of "Master Technician" come to save us from fallacy. Personally I think you are becoming the "laughing stock of the internet." I don't care how many forums you post your articles/blogs/web pages in. Just know that you have attracted a lot of attention now, so posting 1 of your articles & talking about the author in the third person isn't going to work anymore. Admit authorship for what you write & post. Anybody Googling your past postings can see you have been dishonest. Some of your web pages are actually pretty good: I personally link to Secure XP, but as far as I am concerned you are a busted flush".

"Mozilla Firefox is a great web browser, but its praise is not without its share of exaggerations. ...Internet Explorer typically starts up faster than Firefox... Firefox is by no means perfectly safe. Users still have to use reasonable caution when downloading files & plugins from untrusted websites. Firefox ... does not yet have complete support for the current CSS, DOM, or even HTML standards." - David H. (Linux User)
Actual comments - "Internet Explorer typically starts up faster than Firefox the first time you double-click on the program icon. This is mainly because the core Internet Explorer engine is actually loaded into memory as your computer is starting up. Furthermore, not all components of the web browser are in memory when the browser window comes up. Some components, such as the favorites manager, are only loaded into memory when you access them, while Firefox loads everything at once.

Something as complex as a web browser will almost certainly have security vulnerabilities crop up from time to time. No major web browser has a perfect security record. There are some fundamental differences between the architecture of Firefox compared to Internet Explorer with regard to security, & Mozilla has shown a much better record than Microsoft at fixing its browser's vulnerabilities, as shown in this security summary, but Firefox is by no means perfectly safe. Users still have to use reasonable caution when manually downloading files & plugins from untrusted websites.

No web browser is 100% standards compliant. The web technology standards are very extensive & it often takes many years to implement all of the features of a standard, plus additional time to fix the bugs. In addition, the standards are always evolving & becoming more & more robust. Firefox (along with Opera, Safari, & Konqueror) is certainly a leader in the field of standards support, & is quickly adopting new emerging technologies, but it, like the others, does not yet have complete support for the current CSS, DOM, or even HTML standards. More information is available in this standards support summary".

"Any browser is more secure by not supporting... Firefox. All Browsers have vulnerabilities... No Browser can claim... to be 100% standards compliant" - Thomas (Editor's note - This is actually me)
Actual comments (i.e. this thread) - "Any browser is more secure by not supporting ActiveX, not just Firefox.

All Browsers have vulnerabilities (& more will be discovered); what's more important than the number of vulnerabilities is how quickly they are patched & in that regard Firefox has a proven record of being quite secure much of the time; Opera also proved extremely responsive in this regard.

No Browser can claim (Or ever has claimed for that matter) to be 100% standards compliant. However, both Firefox & Opera clearly have made significant movement in this area while IE 6 lags well behind in all but 1 area".

"I'm tired of all of these Firefox fanboys who try to brush off the facts on your page... This is laughable. Your Firefox Myths page clearly says that it's dealing only with Windows versions of Firefox... Of course the fanboys refuse to look at the sources... I want to shove that... into their faces... This would be excellent ammo against the fanboys." - David H. (Linux User)
Actual comment - "Hey, guess what? It seems Mastertech has been watching this thread (a loophole in the ban system). I have removed him from all topic watch lists, so he should no longer be receiving notifications of new posts on these forums.

I also sent him the following e-mail:

Subject: Firefox fanboys spouting more lies

I'm tired of all of these Firefox fanboys who try to brush off the facts on your page. Someone on my forums tried to tell me that Firefox on Windows has never had an extremely critical vulnerability. This is laughable. Your Firefox Myths page clearly says that it's dealing only with Windows versions of Firefox, & it plain as day lists "1 Extremely Critical" vulnerability for Firefox, directly linking to Secunia's advisory page as the source. Of course the fanboys refuse to look at the sources, but I want to shove that vulnerability into their faces. I went to the source and started looking for the vulnerability, but I can't seem to figure out the Secunia website. Could you please give me a link to the extremely critical vulnerability Secunia lists for Firefox on Windows? This would be excellent ammo against the fanboys.

Thanks in advance!

I'm looking forward to his response. ;)

(& for historians who might wish to dig up this post, the contents of this e-mail are very much sarcastic & are purely intended to point out flaws in his article.)"


Quotations used have been severely distorted & taken completely out of context. What is shown as complimentary on Firefox Myths is in fact critical & contradictory when read in full.
 
Myth - "Firefox is Secure"

WashingtonPost - Security Fixes Come Faster With Mozilla;
"Last month, I looked at how long it took Microsoft to issue security updates for known software flaws in the Windows software that powers most of today's computers. Last week, I conducted the same analysis on free software produced by the Mozilla Foundation, perhaps best known for its Firefox Web browser.

Over the past year, Mozilla averaged about 21 days before it issued fixes for flaws in Firefox, compared with the 135 days it took for Microsoft to address problems.

The thing to remember is that Microsoft's market reach has always made it the primary target for virus writers & online criminal groups. Windows runs about 90 percent of the world's computers & Microsoft's Internet Explorer still commands about 85 percent of the browser market. It's difficult to say whether Firefox is inherently any more secure than Internet Explorer but you can't discount the fact that most of the online bad guys tend to focus on Internet Explorer users.

For at least 38 days in 2005, Internet Explorer was vulnerable to unpatched critical security flaws that were being exploited actively by viruses, worms & spyware. For at least 256 days last year, Internet Explorer contained unpatched vulnerabilities where the exploit method had been publicly disclosed but was not necessarily being used.

By contrast, Firefox users were exposed to potential threats that might take advantage of publicly released exploit code for only 17 days. I could not find any public reports of viruses, spyware or worms using those exploits during the time that the Firefox vulnerabilities were unpatched."


Browser Security Test;
"We tried to compare how fast the bugs get fixed after they are discovered in the 3 browser families [Internet Explorer, Mozilla, Opera].

Internet Explorer - Actually there was only 1 period in 2004 when there were no publicly known remote code execution bugs - between the 12th & the 19th of October - 7 days in total. That means that a fully patched Internet Explorer installation was known to be unsafe for 98% of 2004. & for 200 days (that is 54% of the time) in 2004 there was a worm or virus in the wild exploiting one of those unpatched vulnerabilities.

Mozilla - There were 56 days (15%) in 2004 when there was a publicly known remote code execution in Mozilla & no patched release.

Opera - In total, in 2004 Opera had publicly known unpatched remote code execution vulnerabilities for 65 days (17%) - the 2 "unpatched periods" happened to intersect.

The domination of Internet Explorer made it a preferred target for both malware writers & security researchers, creating a steady stream of vulnerabilities. Windows XP Service Pack 2 released on August 9, 2004 did not seem to alter this trend.

In 2004 Mozilla had the shortest "exposure period" of the 3 browsers compared. The growing popularity of Mozilla & Firefox was at least to some extent due to better security it currently provides to its users. However as Mozilla browsers become more common they are bound to attract attention of malware writers. It would be interesting to see how well Mozilla will do security-wise when its user base approaches that of Internet Explorer.

Opera did not fare as well as it could given that it gets relatively little attention from people actively looking for vulnerabilities."


Secunia Vulnerability Reports;
Mozilla Firefox 1.x. Currently, 4 out of 33 Secunia advisories, are marked as "Unpatched" in the Secunia database.

Microsoft Internet Explorer 6.x. Currently, 20 out of 104 Secunia advisories, are marked as "Unpatched" in the Secunia database.

Opera 8.x. Currently, 0 out of 15 Secunia advisories, are marked as "Unpatched" in the Secunia database.

Lynx 2.x. Currently, 0 out of 2 Secunia advisories, are marked as "Unpatched" in the Secunia database.

Konqueror 3.x. Currently, 1 out of 10 Secunia advisories, are marked as "Unpatched" in the Secunia database.

Safari 2.x. Currently, 2 out of 4 Secunia advisories, are marked as "Unpatched" in the Secunia database.

It's worth noting that Secunia doesn't necessarily detail all current vulnerabilities for the above Browsers - As Secunia states;

"Note: All vulnerabilities discovered by Secunia Research are reported directly to the vendors in a responsible manner, giving the vendor 2 weeks to reply with a confirmation & details about the expected release date for the security update. Secunia always wait for the security update - as long as the vendor keeps a reasonable time frame for issuing the update & actively co-operate with the Secunia Research team."

Operawatch similarly states;

"Security vendor Secunia doesn't list any unpatched security holes for the Opera browser on its site at this time. Opera usually coordinates its browser updates with Secunia, so that Secunia doesn't release any information about security vulnerabilities in the browser before a patch is made available."


A Crawler-based Study of Spyware on the Web;
"A common perception about Firefox is that it is more secure against drive-by download attacks, in part because it does not support ActiveX components, a common contributing factor to IE browser vulnerabilities.

In October 2005, we gathered a new crawl of the same Web site categories that we explored for the IE drive-by download study. Our methodology for selecting seed domains to crawl was identical to our other crawls, except we tuned the crawler to favor breadth across sites rather than depth within a site. We did this in anticipation of there being far fewer malicious domains that target Firefox, & accordingly we wanted exposure to a larger number of domains. Table 13 shows the results of our study. Out of the 45,000 URLs we examined, we found 36 (0.08%) that performed drive-by spyware installs on Firefox. These spyware installs affected only the cfg y browser configuration (Firefox 1.0.6 without XP Service Pack 2). We found no cfg n attacks (Firefox 1.0.6 with XP Service Pack 2), i.e., we did not observe any Web pages that exploit Firefox vulnerabilities to install spyware without the user’s consent.

To study drive-by installations of spyware using the Internet Explorer browser on Windows, we performed a crawl of 45,000 URLs in May & 2 crawls of 45,000 URLs in October 2005. Our study found a reduction in the fraction of domains hosting drive-by downloads across the categories we examined. In general, a small number of infectious domains are responsible for the majority of infectious links. Once a user browses an infectious domain, they are very likely to be hit with a spyware infection, often whether or not they respond “yes” to a security prompt. Overall, in our most recent crawl, we found drive-by downloads attempted in 0.4% of the URLs we examined & drive-by attacks that exploit browser vulnerabilities in 0.2% of the examined URLs. We also examined whether the Firefox browser was susceptible to drive-by installations. We found that only 0.08% of examined URLs performed a drive-by download installation, but all of these required user consent in order to succeed. We found no drive-by attacks that exploited vulnerabilities in Firefox."


Reality - All Browsers have vulnerabilities (& more will be discovered); what's more important than the number of vulnerabilities is how quickly they are patched & in that regard Firefox has a proven record of being quite secure much of the time; Opera also proved extremely responsive in this regard.
 
Myth - "Firefox is More Secure because it does not use ActiveX"

What Are The Dangers Of ActiveX - MSDN - Designing Secure ActiveX Controls;
"An ActiveX control can be an extremely insecure way to provide a feature. Because it is a Component Object Model (COM) object, it can do anything the user can do from that computer. It can read from & write to the registry, & it has access to the local file system. From the moment a user downloads an ActiveX control, the control may be vulnerable to attack because any Web application on the Internet can repurpose it, that is, use the control for its own ends whether sincere or malicious. But, you can take precautions when you write a control to help avert an attack."


How to secure Internet Explorer - SANS/FBI Top 20 Vulnerabilities;
Most of the flaws in IE are exploited through Active Scripting or ActiveX Controls....
Note: Disabling Active Scripting may cause some web sites not to work properly. ActiveX Controls are not as popular but are potentially more dangerous as they allow greater access to the system.


Washington Post - Research: Buggy, Flawed 'ActiveX' Controls Pervasive;
"The most recent high-profile scare over an ActiveX control came as part of the recent controversy over a flawed piece of anti-piracy software installed by certain Sony BMG music CDs. After the label released a program to help customers remove the software, security experts found that the program left behind an ActiveX control that any Web site could use to plant any files -- even viruses or spyware -- on a visitor's computer if they browsed the site with IE.

Part of the reason Sony's ActiveX component was potentially such a threat has to do with the way Windows machines are configured by default. In Windows XP computers with Service Pack 2 installed, for example, Internet Explorer allows Web sites to download software to the user's machine via ActiveX controls that are marked "safe for scripting." This means that any Web page can use the control & its methods, which in many cases includes the ability to download & execute potentially hostile code.

Smith said his research indicates that the Sony BMG case is just the most visible example of a far more pervasive problem with the way companies design & distribute such controls. Smith has spent several months refining a set of software tools that can scour Windows PCs for poorly designed ActiveX components that could expose users to serious security risks if they merely visit a specially crafted or hostile Web site....

Smith found dangerous security problems in ActiveX controls distributed by dozens of other major companies, including PC manufacturers & even some of the nation's largest Internet service providers. In a letter he sent last week to the CERT Coordination Center -- a group at Carnegie Mellon University's Software Engineering Institute that studies computer security vulnerabilities -- Smith noted that the results produced by his tools so far paint a grim picture for the current state of ActiveX security.

"In some cases, these insecure controls come pre-installed on a Windows PC from the factory," Smith wrote to CERT. "In other cases, insecure ActiveX controls are silently installed as part of application software packages. In most cases, these insecure controls are being distributed by brand-name, Fortune 500 companies."

Using a tiny bit of a Javascript -- a powerful programming language commonly found on Web sites -- an attacker could create a Web page that attempts to break into a system by methodically trying out a series of exploits against known ActiveX security flaws. "Such a Web page would basically be a door rattler that keeps trying out exploits until it finds an open door into a system," Smith said.

Last month, America Online released a patch to fix a serious ActiveX flaw Smith found in the software AOL users need to get online through the company's service. Last year, Smith told telecom & Internet-service giant Verizon that the account-setup CD-ROMs the company sends to new customers contained a misconfigured ActiveX control that a Web site could manipulate to take over an affected user's machine.

Smith found another vulnerable control created by computer maker Hewlett-Packard that shipped with millions of brand new HP machines.

Another similarly defective ActiveX control made by a major Internet service provider was factory-installed on certain brands of computers starting in 2003. In that case, Smith found that the faulty control was active even if the user was not a customer of that ISP.

Using his diagnostic tools, Smith learned that a major printer manufacturer is distributing a number of "safe for scripting" controls with errors which are likely exploitable. The controls in question are used for product support & are silently installed by the application software CD-ROM that accompanies the printer maker's products.

Tom Liston, a senior consultant with Intelguardians, a Washington-based security consulting group, said ActiveX controls have been a scary thing for a long time because users are forced to rely on the good software-development practices of all of these third-party vendors.

In the latest quarterly update to its list of the "Top 20" most critical new software vulnerabilities, the SANS Internet Storm Center listed a large number of flaws in third-party programs such as media players & security software. Experts observed that the list showed that even though Microsoft has gotten better about fixing easily exploitable flaws in its products, online criminals have shifted their attention to third-party programs built to run on top of Windows.

An attack exploiting poorly written third-party ActiveX controls would fit that trend, Liston said."


iD Software's Brian Hook on ActiveX (Slashdotted);
"ActiveX, for those that don't know, is a "technology" that allows you to download a piece of natively executable software from any arbitrary location (e.g. embedded in a Web page) & let it run.

If this seems insanely unsafe, that's because it is.

I can make an OCX that basically formats your hard drive, stick it on a Web page with a tag, & if your security settings are set low enough, you'll start formatting your hard drive the minute you visit my Web page."


Wikipedia - ActiveX Security;
The embedding of COM into the Internet Explorer web browser (under the name of ActiveX) created a combination of problems that has led to an explosion of computer virus, trojan & spyware infections. These malware attacks mostly depend on ActiveX for their activation & propagation to other computers. Microsoft recognized the problem with ActiveX as far back as 1996 when Charles Fitzgerald, program manager of Microsoft's Java team said "If you want security on the 'Net', unplug your computer. ... We never made the claim up front that ActiveX is intrinsically secure." ActiveX as it is currently implemented is intrinsically insecure & is the biggest weakness of Internet Explorer not addressed by Windows XP Service Pack 2.

As COM & ActiveX components are run as native code on the user's machine, there are no restrictions on what the code can do. Many of these problems have been addressed in platforms developed since COM such as the Java platform, & later by the .NET platform as well.


What does Microsoft intend to do? MSDN - ActiveX Security: Improvements & Best Practices;
"Because ActiveX controls, or any browser extension, add features for Web sites, they also increase the possibility of a security vulnerability. Internet Explorer 7 (IE7) will reduce the number of ActiveX controls available to Web sites on the Internet & thereby reduce the chances of a security vulnerability. IE7 makes it easy to use common sites with important controls but lets users opt-in to using the advanced features that might be exposed by more obscure ActiveX controls.

This IE7 feature is called ActiveX Opt-In. By default, ActiveX Opt-In disables the controls on a user's machine. When the user encounters a Web page with a disabled ActiveX control, they will see an Information bar with the following text: "This site might require the following ActiveX control: 'ABC' from 'XYZ'. Click here to allow the control to run..." The user can choose to enable the ActiveX control from this Information bar"

Reality - Any browser is more secure by not supporting ActiveX, not just Firefox.
 
Myth - "Firefox fully supports W3C Standards"

The Firefox Myths Source For The Above Speaks Out;
"Hello, I am the developer of a resource you cited in your Firefox Myths article. You pointed to my standards support resource in attempt to show that Internet Explorer has better standards support than Firefox at least in regard to XHTML 1.1. I would like to explain why that claim is false....

Internet Explorer does not recognize the "application/xhtml+xml" content type, & it will only view an XML document as a webpage if special hacks are used. Internet Explorer does not actually support real XHTML in any form, & the Internet Explorer development team has openly admitted this fact.

Even to disregard the above argument, your very statement of the results of my tables was incorrect. My tables do not suggest that Internet Explorer has better XHTML 1.1 support than Firefox. It suggests that it has better support for the changes incorporated in XHTML 1.1 since XHTML 1.0. To claim that the browser has better support for XHTML 1.1, you must add up the information in HTML 4.01, the XHTML 1.0 changes, & the XHTML 1.1 changes. My tables provide that information on the summary page, & it shows that Internet Explorer has 78% support for HTML 4.01 to XHTML 1.1, while Firefox has 83% support & Opera has 88% support.

It should also be noted that HTML support is not a major concern among web developers right now. The biggest difficulty in web design lies with Internet Explorer's incomplete & often incorrect CSS support. My tables show that both Firefox & Opera have about double the support for CSS that Internet Explorer has.

You are quick to point out that Firefox has incomplete support for web standards, but you don't balance it out with a note that Firefox is a leader in the area of standards support. CSS 3, for instance, isn't even a W3C Recommendation yet. It's in the Candidate Recommendation stage, meaning the spec is ready for browsers to begin implementing it & will reach Recommendation status once it's supported by a few different user agents. No browser is expected to have close to full support for CSS 3, yet Firefox is well on its way. Of course you didn't claim otherwise, but the fact is you didn't provide a balanced perspective. Your wording clearly shows the skewed angle. "Ironically Internet Explorer supports changes to the XHTML 1.1 standard better than Firefox, 39% to 24%, even without fully supporting XHTML yet." would be better worded something like "Ironically Internet Explorer supports changes to the XHTML 1.1 standard better than Firefox, 39% to 24%, although the additions rely on features it doesn't yet support that Firefox does." The point is that those additions are absolutely meaningless when you can't use them, & "even without fully supporting XHTML yet" doesn't deliver that important point clearly...

I see the article now also cites my resource as evidence that Opera is the most standards-compliant web browser. The author of Firefox Myths doesn't point out that my resource doesn't yet include Safari or Konqueror, which is right up there as well. Furthermore, my resource certainly suggests that Firefox is more standards-compliant than Opera, if only by a little (& well within the margin of error). Opera is only ahead in HTML support, which isn't a big concern in web development anymore. Most of the real web development work is with CSS (or DOM & ECMAScript if you're making a web application). HTML support or lack thereof almost never causes problems in web design anymore."


Acid 2 Browser Test;
The following Browsers currently pass the Acid2 Browser Test - Safari, iCab, Konqueror, Opera 9 & Firefox 3. While it is worth noting that both Opera 9 & Firefox 3 are currently non-final releases, Opera 9 should be released well before Firefox 3 is. Internet Explorer is currently the primary Browser failing Acid 2 (& fails quite dismally at that).


Latest Browser Standards Support summary;
Feature          MSIE 6.0    MSIE 7.0    Firefox 1.5    Opera 8.5
HTML/XHTML       75%         75%         91%            85%
CSS 2.1          52%         59%         93%            93%
CSS 3 changes    10%         16%         27%            8%
DOM              50%         50%         79%            77%
ECMAScript       100%        100%        Y              Y

Reality - No Browser can claim (Or ever has claimed for that matter) to be 100% standards compliant. However, both Firefox & Opera clearly have made significant movement in this area while IE 6 lags well behind in all but 1 area; IE 7 offers some improvement over IE 6.
 
Myth - "Firefox is Secure" - Part 2
All Myths relate to running the default install of Firefox in Windows with no extensions (Editor's note - This implies the vulnerability statements beneath all apply to Windows).

Since Firefox v1.x was released, users have been exposed to 72 security vulnerabilities & counting, 39 of which are rated as Highly Critical & 1 Extremely Critical.

The Extremely Critical vulnerability referred to - Firefox Command Line URL Shell Command Injection - actually doesn't apply to Windows;

"This vulnerability can only be exploited on Unix / Linux based environments".

That is to say, Firefox has no Extremely Critical rated vulnerabilities on Windows.


The Mozilla Foundation lists 71 "known" security vulnerabilities, 23 of which are rated as Critical & 14 High.

As above, the High Severity rated vulnerability, Command-line handling on Linux allows shell execution, applies only to Linux;

"URLs passed to Linux versions of Firefox & Thunderbird on the command-line were not correctly protected against interpretation by the shell."

Reality - 13 vulnerabilities rated as High have affected Firefox for Windows, not 14.
 
Firefox Myths (by author) - "Anyone who claims Internet Explorer cannot be secured from Auto-installing Spyware either doesn't know how or is lying... Some even openly admit to being unable to stop something as elementary as Malware infection when using Internet Explorer - hardly reputable sources to dispute anything!"

Firefox Myths author on 3DGamers - "1. You did not have all the security updates applied.
2. You never removed MSJVM.
3. You manually installed it.
Those are the only way you can get infected with IE."



Websense Security Labs Reports Spreading of Unpatched Internet Explorer Vulnerability;
"The latest "zero-day" vulnerability within IE, which currently has no patch available, allows the launching of malicious code on an end user's machine without consent. Utilizing this exploit, a hacker could gain control over a vulnerable machine by crafting special code hosted on websites. Websense Security Labs has discovered hundreds of websites that are specially crafted to exploit the IE vulnerability to run code on the user's machine. The websites are each intended to take advantage of the vulnerability by running shell code that connect to the Internet via HTTP & download one of several pieces of malicious code, including Bot variants, backdoors, & other Trojan Horses."

Malware pushers already using zero-day exploit;
"Yesterday the news hit about another zero-day exploit for Internet Explorer with code publicly available & today the malware pushers are already using the exploit... This vulnerability has been confirmed on a fully patched Windows XP SP 2 system running Internet Explorer 6 & affects IE 7 Beta 2 preview released in January. Other versions may be affected. AFAIK Firefox, Mozilla, Opera are not affected... Websense is reporting a rapid increase in sites using this exploit. At the time of the blog post, nearly 100 unique URLs had been found attempting to run this exploit."

Hackers exploit unpatched Internet Explorer bug to install malware;
"The security vulnerability, which is not yet patched by Microsoft, allows hackers to run malicious software (such as a Trojan, virus or worm) on a user's machines when they visit a website containing the exploit code... "Microsoft will be fuming that the security of their software is being brought into question before they have had a chance to issue a security patch," said Graham Cluley, senior technology consultant for Sophos. "Microsoft's next bundle of security patches are not due until 13 December, & it will be interesting to see if they decide to break the cycle & release a patch earlier in response to the increasing number of exploits of this problem."

Video of CreateTextRange;
"If you’re curious to see the exploit in action at one site, you can see this video here. In it, the AppWiz keylogger is installed.

Patrick Jordan
Senior Spyware Researcher"


Reality - Patches are not always sufficient to protect Internet Explorer against auto-installation of malware; several zero-day exploits in past months have highlighted this very issue. Clearly assertions to the contrary are unhelpful & patently untrue. Nor should occurrences of such installations be a source of derision.
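
The Washington Post and Browser Security Test excerpts above measure different things: the first is an average time-to-fix per flaw, the second counts calendar days on which at least one publicly known flaw had no patch, where overlapping periods (as noted for Opera) must be counted once. An added Python example, not part of the original post, that computes both from one list; the advisory dates are constructed for illustration and are not Secunia or Mozilla data, and the function names are hypothetical.

```python
from datetime import date

# Constructed sample: (publicly disclosed, patch released); None = still unpatched.
SAMPLE_2004 = [
    (date(2004, 2, 10), date(2004, 3, 1)),    # flaw A
    (date(2004, 2, 20), date(2004, 3, 15)),   # flaw B, overlaps A
    (date(2003, 12, 20), date(2004, 1, 6)),   # flaw C, disclosed the year before
    (date(2004, 12, 22), None),               # flaw D, no patch by year end
]


def _clip(windows, year):
    """Clip each window to [Jan 1 of year, Jan 1 of year+1); drop empty ones.

    Convention (an assumption of this example): a flaw counts as exposed from
    the disclosure day up to, but not including, the patch day.
    """
    start, end = date(year, 1, 1), date(year + 1, 1, 1)
    clipped = []
    for disclosed, patched in windows:
        lo = max(disclosed, start)
        hi = min(patched if patched is not None else end, end)
        if lo < hi:
            clipped.append((lo, hi))
    return sorted(clipped)


def exposure_days(windows, year):
    """Days in `year` with at least one known unpatched flaw (union of windows)."""
    total = 0
    cur_lo = cur_hi = None
    for lo, hi in _clip(windows, year):
        if cur_hi is None or lo > cur_hi:
            # Gap before this window: close the running interval and start anew.
            if cur_hi is not None:
                total += (cur_hi - cur_lo).days
            cur_lo, cur_hi = lo, hi
        else:
            # Overlapping or adjacent: extend instead of double-counting.
            cur_hi = max(cur_hi, hi)
    if cur_hi is not None:
        total += (cur_hi - cur_lo).days
    return total


def naive_sum_days(windows, year):
    """Per-flaw days added together; overstates exposure when windows overlap."""
    return sum((hi - lo).days for lo, hi in _clip(windows, year))


def mean_days_to_fix(windows):
    """Average disclosure-to-patch time over flaws that have been patched."""
    fixed = [(p - d).days for d, p in windows if p is not None]
    return sum(fixed) / len(fixed) if fixed else None


def report(windows, year):
    """Both metrics side by side, plus exposure as a share of the year."""
    days_in_year = (date(year + 1, 1, 1) - date(year, 1, 1)).days
    exposed = exposure_days(windows, year)
    return {
        "exposure_days": exposed,
        "exposure_pct": round(100.0 * exposed / days_in_year, 1),
        "naive_sum_days": naive_sum_days(windows, year),
        "mean_days_to_fix": round(mean_days_to_fix(windows), 1),
        "still_unpatched": sum(1 for _, p in windows if p is None),
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_2004, 2004).items():
        print(f"{key}: {value}")
```

A browser can score well on one metric and badly on the other: a few long-lived flaws dominate exposure days, while many quickly fixed ones pull the average time-to-fix down.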
 