SOLVED Urgent Message for Firefox 3.6 users

catilley1092

Win 7/Linux Mint Lover
Joined
Nov 13, 2009
Messages
3,507
Reaction score
563
Going back as far as 2006, there has been a reported problem by Secunia (in FF) regarding a threat called "arbitrary code execution" that is one of the most serious threats there is. It can completely take over your computer. Firefox 3.6 is the latest target for this, and although it's mostly a Windows issue, Linux users are at risk, too. FF 3.6.2 is supposed to remedy this, but I'm now becoming a little leery of FF. However, you can and should check for updates to FF 3.6, and the new version will be there. I just don't know if I'll continue to use it, they (FF) certainly didn't warn anyone about this, unless I missed something in the fine print. FF is releasing too many versions too fast, and every time one is released, it shows the various "fixes" and "patches" that are applied to the new version. It leads me to think "what hasn't been fixed or patched". So please act w/o delay in updating, or find yourself another browser. Which may not be a bad idea.
 

Veedaz

~
Joined
Sep 1, 2009
Messages
1,988
Reaction score
374
I know I'm in a minority but I don't use FF ... tried it a few times over the years but still don't like it :)
 
Joined
Feb 9, 2010
Messages
748
Reaction score
126
Thanks for the update... I use FF sometimes, IE 8 mostly but lately I've been using Chrome. I like the speed of it but it lacks the features and richness of IE 8. Sacrifices must be made somewhere.
 

catilley1092

Win 7/Linux Mint Lover
Joined
Nov 13, 2009
Messages
3,507
Reaction score
563
For a long time, I used IE7 with no problems, then I got an offer to "improve" IE last spring. At the time, I was running XP Pro (I skipped Vista) and my laptop was running fine up to that point. So being that I like the latest browser, I accepted. What a mistake that was. But without rehashing the entire story, that's what led me to Firefox 3.5RC. Little did I know what I was getting into. That's why FF releases a new version of a browser every month, in an effort to cover their vulnerabilities. While they do say what's fixed, it's what they don't say that worries me. I've uninstalled FF from Win 7 (x2), XP Pro (x2), and Win 2K. For the time being, I'll use IE8, except with Win 2K, I'll give Opera a try. See, what happened was, I was on another forum, and I ran across a thread that I thought was attacking FF, and without even researching as to what was going on, I defended FF, saying they would never hide anything. This went back and forth for a couple of posts, and finally, the moderator gave me an official warning, telling me that I was giving users a false sense of security, and that if I continued on, the next step would lead to a suspension. At that point, I gathered my thoughts and went to the very first post of the thread. This has been an issue since 2006. I felt like a total ass, once I read the posts. Secunia revealed exploitations in FF years ago, I'm surprised it hasn't come up on this forum, being that Windows users were more at risk. However, this particular threat can break through the armor of any OS, if the one behind the attack is skilled, and the victim is not well protected, and does not know what's going on. Someone using an "arbitrary code execution" can literally take your computer over. Think about that for a minute: Take control of your computer, and you are helpless. That's a scary thought. It's not just a virus or everyday malware, it's one of the most serious things that can happen to you on the net.
Read about it in Wikipedia, it gives a full description of it. But that's the end of the relationship between Firefox and me. Currently, I'm back to IE8. I may give it another shot for a while. It may prove to be better on Windows 7 over XP Pro.
 

catilley1092

Win 7/Linux Mint Lover
Joined
Nov 13, 2009
Messages
3,507
Reaction score
563
This thread is solved, as far as I'm concerned. The pre-release of IE9 is here, it's a little rough around the edges, and unsupported, but it shows that Windows is committed to moving beyond IE8, finally.
 
Joined
Mar 31, 2010
Messages
5
Reaction score
1
I'm not boycotting Firefox because some exploits have been patched.

Every program has exploits. A lot are discovered and remain unpatched. A lot of programs' exploits aren't even made public.

At least Firefox's exploits are discovered, made public and patched. What more can we ask for?

IE9?! Pfft. They lost me at IE5.

Chrome is OK. Has a lot of bugs though, and some which affect me - like when Chrome freezes for 15 seconds on some fields.
 

catilley1092

Win 7/Linux Mint Lover
Joined
Nov 13, 2009
Messages
3,507
Reaction score
563
I must admit that I jumped the gun a bit. But you have to realize how serious this problem of arbitrary code execution is. It's one of the most dangerous threats out there. It doesn't matter what brand of OS you use, sometimes it doesn't even matter what AV you use. Whoever is behind these attacks is very smart, in a bad way. Just think about it for a second: Your computer being fully remotely controlled in front of your eyes, and besides shutting down (sometimes you have to either drop the battery out, or unplug a desktop), there's nothing that you can do. Nothing. This is extremely severe. It didn't happen to me, so I don't know how to get rid of the problem. I only hope that FF truly did fix the problem, and if there's any more browsers that have the potential for this problem to sneak through, that they're fixed, too.
 
Joined
Mar 31, 2010
Messages
5
Reaction score
1
I agree it would be a serious problem. I have experience in software security, prevention, exploits etc. My original interest in computers was actually from "the dark side" - when I was much younger.

I wouldn't worry too much about arbitrary code execution exploits in FF. They are easy to find, patch and prevent. They are also actually rather difficult to implement a payload with.

Depending on the type of exploit it is, the attacker would have to have you visit a website which exploits FF, runs arbitrary code, retrieves a payload then connects back to an external machine. There are a lot of steps required to successfully do this.

Firewalls would help. Both software and hardware.
Antivirus software would help - no, not on the exploit itself but maybe on the payload, whether it recognises the payload (i.e. reverse_tcp) or heuristically analyses it as a threat.

Yep, exploits are dangerous stuff - but nothing to worry about too much.
Seal your ports, put up your firewalls, set up your router correctly and watch what you install.

To put things into perspective, I, personally, am able to take over pretty much any XP or Vista machine - and even a lot of 7 machines by using similar exploits (buffer overflow) etc.
I know of one particular 7 exploit that only a few people know about. It takes around 5 minutes and gives me root access. Currently only works over LAN though, and a little more information than normal is required.
 

catilley1092

Win 7/Linux Mint Lover
Joined
Nov 13, 2009
Messages
3,507
Reaction score
563
That is a mighty large operation that you work for, you're probably never short of work to do. Good to see that there's jobs that CAN'T be exported to the poorest nations of the world, to take advantage of cheap labor and have total disregard for the people, and the environment in which they live. Technology and medical fields are the last of the best jobs left.
 
Joined
Mar 31, 2010
Messages
5
Reaction score
1
It's nice to find some like-minded people still around.

I won't be moving jobs. I like my job. I won't even be bought by a corp.
 

catilley1092

Win 7/Linux Mint Lover
Joined
Nov 13, 2009
Messages
3,507
Reaction score
563
No need for you to worry, you'll have a job as long as you want one. Plus, all of the extra cash you can make on your days off, if you wish to. I know of one such person, he retired at an early age, yet still makes as much as $600 daily. But he does not allow his customers to make demands of him, and if he decides to go fishing or whatever, the computer business is left behind. I don't blame him at all.
 
Joined
Jan 6, 2010
Messages
363
Reaction score
57
I know I'm in a minority but I don't use FF ... tried it a few times over the years but still don't like it :)
I tried it together with Thunderbug for e-mail, and got rid of them both. As far as I am concerned IE8 and Windows Live Mail are tops. :)
 
Joined
Nov 4, 2009
Messages
217
Reaction score
50
When IE comes up with tools like Firebug maybe I'll consider using it.
 
