Secunia CSI7
Create Profile
Our Commitment
Open Discussions
My Threads
Create Thread

Forum Thread: Is Insecure Browsing Secunia's business?

You are currently viewing a forum thread in the Secunia Community Forum. Please note that opinions expressed here are not of Secunia but solely reflect those of the user who wrote it.

This thread was submitted in the following forum:

This thread has been marked as locked.
highstream Is Insecure Browsing Secunia's business?
Member 8th Jun, 2009 08:11
Ranking: 6
Posts: 29
User Since: 19th Dec, 2007
System Score: N/A
Location: N/A
With this function, Secunia crosses from the line monitoring the status of providing information and available security fixes to, in effect, becoming a kind of security police. I don't want it for that role - I can read the newsletters and blogs if I wish, while waiting for fixes. More important, I don't find the purpose of taking on that role to be obvious. What are users supposed to do with an Insecure Browsing warning, flood the vendor's servers with email??

It's also incompletely implemented in a way that highlights the underlying problem. I just did a new HDD install with Win XP. Along the way to XP3, it installs IE6, which is an insecure browser. Afterward, I installed IE8, which replaces IE6, but PSI Beta finds IE6 to be still around and gives a warning. Since Windows doesn't show IE6 as installed any more, isn't it incumbent upon Secunia to provide information as to the offending file(s)? Of course, that's not necessarily so easy to do. In the meantime, or until at least a Win 7 install, the user faces an ever-present warning. What's the point?

Underlien RE: Is Insecure Browsing Secunia's business?
Member 8th Jun, 2009 14:45
Score: 0
Posts: 95
User Since: 4th Dec 2008
System Score: N/A
Location: DK

I like the new feature.

I like to know if there is vulnerabilities in the software i use, patched or unpatched. This might make me reconsider if i want to use an alternative program or not.

The fact that i can read about the unpatched vulnerability with one click makes it so much easier to see what risk i put my system into by using the insecure program, and see if there is a useable workaround.

I see this feature as a information board specified to my system. I can use the information or not, but at least i know that i might be at risk.

Was this reply relevant?
genegold99 RE: Is Insecure Browsing Secunia's business?
Member 8th Jun, 2009 18:52
Score: 5
Posts: 128
User Since: 25th Nov 2008
System Score: N/A
Location: US
Yeah, but as an Ubuntu/Linux user with two Windows versions running, you're not typical. For most, there's little alternative to their current browser but another one that's at risk. The problem with the Beta is not that it provides info, but how it does it. Spreading fear under the guise of information is not a good thing, TV news practices in the U.S. notwithstanding. That IE (8/7/6) is risky is no secret. That info can go into a security bulletin. If PSI is going to report about a non-current browser - isn't IE6 out of date? - then doesn't it have an obligation to provide some specific files and maybe even some guidance, just as it does with other applications?

An example. This morning I decided to uninstall IE6, based on the info provided by the Beta (see first post). The catch is that to do that - to delete the files - apparently requires booting from Safe Mode w/o Networking, and uninstalling and reinstalling IE8 around it (downloading a copy in advance). Doing that not only got rid of IE6, but also resolved the Beta's insecurity about IE8. Yes, it's a beta, but shouldn't Secunia have figured that out for itself and passed along the info? After all, what I did takes more than the average user's computer knowledge and ability and confidence.

So to answer my question, yes, Insecure Browsing is Secunia's business, but not in any old way.
Was this reply relevant?
Alan_Baxter RE: Is Insecure Browsing Secunia's business?
Member 8th Jun, 2009 20:35
Score: 0
Posts: 61
User Since: 1st Mar 2009
System Score: N/A
Location: US
Last edited on 8th Jun, 2009 20:49
on 8th Jun, 2009 18:52, genegold99 wrote:
That IE (8/7/6) is risky is no secret.

And so are Firefox, Opera, and Safari. Browsing the Internet is inherently risky. Thinking you're safe because you're using a particular browser, even if it's patched against all known vulnerabilities and exploits is foolish. But I still want PSI to inform me about any known, unpatched vulnerabilities. That way I can attempt to mitigate them, when feasible. I don't want to rely on security bulletins alone.

(unknown source)
This morning I decided to uninstall IE6, based on the info provided by the Beta (see first post).

I'm running XP SP3 with IE7. I get no warning or even mention of IE6. I certainly never attempted to uninstall it. I'm not that crazy. Was IE6 automatically uninstalled when I installed IE7? I do get a warning about an unpatched Moderately Critical vulnerability in IE7 that's been known about since October 2006. I use the mitigation suggested by the Secunia Advisory I've quoted here:
(unknown source)
Do not browse untrusted sites while browsing trusted sites.

But I didn't even know about the vulnerability until I saw the PSI report.
Was this reply relevant?
This user no longer exists RE: Is Insecure Browsing Secunia's business?
Member 9th Jun, 2009 02:14
I use Finjan SecureBrowsing to provide safety ratings of URLs showing in your browser:

I use a HOSTS file managed by HostsMan to prevent known bad sites from being visited: <== I use the 3.2.70 Beta6 with HostsServer proxy to speed up browsing.

This is Layered Protection and Secunia PSI is one of the tools I use.
Was this reply relevant?

This thread has been marked as locked.

 Products Solutions Customers Partner Resources Company
Vulnerability Intelligence Manager (VIM)
Corporate Software Inspector (CSI)
Personal Software Inspector (PSI)
Online Software Inspector (OSI)
Technology Partners
 About us

© 2002-2014 Secunia ApS - Rued Langgaards Vej 8, 4th floor, DK-2300 Copenhagen, Denmark - +45 7020 5144
Terms & Conditions and Copyright - Privacy - Report Vulnerability - Disclaimer