
Forum Thread: Insecure Browsers

You are currently viewing a forum thread in the Secunia Community Forum. Please note that opinions expressed here are not of Secunia but solely reflect those of the user who wrote it.

This thread was submitted in the following forum:
Open Discussions

This thread has been marked as locked.
Steve H2O Insecure Browsers
Member 5th Sep, 2010 14:18
Ranking: 0
Posts: 4
User Since: 16th Dec, 2008
System Score: N/A
Location: N/A
I see this week IE 8, Firefox and Chrome are all shown as insecure (Secunia PSI). At this time is there a secure browser, and if so which one is it?
The whole situation seems too silly for words !!!!
Has anyone tried the new Dell browser (I think it is based on Firefox Technology)?
Steve.

Anthony Wells RE: Insecure Browsers
Expert Contributor 5th Sep, 2010 17:07
Score: 2445
Posts: 3,336
User Since: 19th Dec 2007
System Score: N/A
Location: N/A
Last edited on 5th Sep, 2010 17:10

Hello Steve ,

If you are referring to the PSI "secure browsing" tab data , then :-

1)IE has a long standing "minor" Cat 2 vulnerability and M$ have no intention of fixing it . IE9 should do but is not likely to run on Xp if rumours are true :(((

2)Firefox 3.6.8 has a Cat 4 vulnerability which hopefully will be fixed by 3.6.9 in the next few days ; the Beta 4 may also fix things .

3)Chrome 5 is vulnerable/insecure and no patch . If you read the SA , you will see that it is fixed by updating to version 6.0.473.53 released to both the Stable and Beta channels :-

http://secunia.com/advisories/41242/

OR

go to version 7 in the Dev and Canary channels ; for the knowledgeable/advised only .

I have no experience of the other browser(s) , but I do know that as with all things , except death and taxes , none are ever 100% sure . Secure browsing rules are essential at all times and using an "insecure" browser you know how to handle may even be less risky than plumbing the depths of the www. out of control in a brand spanking new browser .

Hope this helps .

Anthony

--


It always seems impossible until its done.
Nelson Mandela
Was this reply relevant?
+3
-0
joe schmoe RE: Insecure Browsers
Member 9th Sep, 2010 11:31
Score: 38
Posts: 139
User Since: 26th Nov 2008
System Score: 100%
Location: US
Last edited on 9th Sep, 2010 11:34
I have the same problem with Firefox 3.6.9 showing up as insecure as well. I downloaded the install file and ran that and the correct version number appears in Help\About Mozilla Firefox.

Should I completely uninstall Firefox and install v. 3.6.9?

Or is it that the Secunia database is a little behind?

I have not yet upgraded to PSI version 2 beta as I prefer to wait until the bugs are worked out. I am running 1.5.0.2.

Joe

Win XP SP3
1.5 GB RAM

--
XP Pro SP3 P4 3.2 HT 2 GB RAM Avast! 9.0.2018 AIS
Win 7 Home Pro SP1 Pentium D 2.8 3 GB RAM Avast 9.0.2018 AIS
Secunia PSI 2.0.0.3003 XP Pro 32-bit & Win 7 H Pro 64-bit
Was this reply relevant?
+0
-0
ram5thwheel RE: Insecure Browsers
Member 9th Sep, 2010 13:01
Score: 0
Posts: 20
User Since: 24th Dec 2007
System Score: N/A
Location: US
I miss the "Insecure Browsers" tab in the beta version and hopefully the programmers will incorporate it back into the final version.

--
Thank You
Peter (Mike) Meyers

System Info:
Windows 8.1 (64 bit)
Intel Core i7-4500U CPU @ 1.8GHz / ASUS Laptop
8.00 GB RAM
Was this reply relevant?
+0
-0
TiMow RE: Insecure Browsers
Dedicated Contributor 9th Sep, 2010 13:10
Score: 737
Posts: 728
User Since: 26th Jun 2009
System Score: N/A
Location: CH
Last edited on 9th Sep, 2010 13:12
Hi joe schmoe

I'm of the same opinion as you re. PSI beta, and therefore still have the secure browsing facility, showing my 3 installations of Chrome, IE and Ff.

All 3 are boxed in red relating to the same cat.4 threat of Apple QuickTime 7.x (SA 41123 applies). IE still has the same on-going cat.2 threat, which won't be fixed in IE8.

Having also updated Ff. to 3.6.9, using Check for Updates from Help menu, Ff. also remains a cat.2 threat (SA 41244 applies - click on this number in secure browsing to view). Unfortunately there is no way for me to check back, but I believe this insecurity is different to the cat.4 threat in the previous version - I think this related to SA 41095 (see the following link: http://secunia.com/advisories/41095).

Funnily enough the solution offered was to update to 3.6.9 in both advisories - this obviously hasn't done the trick.

However the cat.4 threat of QuickTime is more significant than the cat.2 Firefox one, for me at least - I have QT v.7.67.75.0 currently installed and believe this to be the latest.

I wouldn't go to the trouble of un- and re- installing Ff. - if you're happy that you have 3.6.9 showing in "About" (double check from PSI Patched tab), as it probably wouldn't change anything.

What is advisable, is to ensure safe browsing practices, and consider running your browser sandboxed (e.g. Sandboxie).

TiMow

--
Computing is not yet a perfect science - it still requires humans.
Was this reply relevant?
+1
-0
Anthony Wells RE: Insecure Browsers
Expert Contributor 9th Sep, 2010 13:44
Score: 2445
Posts: 3,336
User Since: 19th Dec 2007
System Score: N/A
Location: N/A
Last edited on 9th Sep, 2010 13:59
Hello Joe ,

As TiMow has said , you have the latest patched version of Ff in 3.6.9.

EDIT : If so it will appear in the "patched" tab . IF not or there is a display in the "insecure" tab , post the details here .

In "secure browsing" you will see that there is still a vulnerability which is unpatched and it is described here in the Secunia Advisory 41244 :-

http://secunia.com/advisories/41244/

It is the only known vulnerability*** which is not today patched in Ff versions 3.5.12 and 3.6.9

It is a Cat 2 problem , not unlike the IE vulnerability ; Unlike M$ , Mozilla are proposing to patch it .

At the moment , as I posted above , Google Chrome has no reported vulnerabilities , but like the weather that is bound to change .

Hope that helps .

Anthony

PS :*** the cause of the vulnerability is traced back here :-

http://secunia.com/advisories/41237/

PPS:TiMow ; here is the 2010 part of "vulnerability report :)" for Ff :-

http://secunia.com/advisories/product/28698/?task=...

--


It always seems impossible until its done.
Nelson Mandela
Was this reply relevant?
+1
-0
TiMow RE: Insecure Browsers
Dedicated Contributor 9th Sep, 2010 14:01
Score: 737
Posts: 728
User Since: 26th Jun 2009
System Score: N/A
Location: CH
Hi Anthony

I know you're running 2.0 beta and therefore without secure browsing, but as stated above all my three (including Chrome) are boxed in red, relating to QuickTime.

Were you typing as I posted, or have I missed a QT update (still showing Insecure, no Solution)?

Neither PSI (stable) nor filehippo UC have alerted me to a more current version than that I have listed above (which shows up under Patched).

Regards

TiMow

--
Computing is not yet a perfect science - it still requires humans.
Was this reply relevant?
+0
-1
Anthony Wells RE: Insecure Browsers
Expert Contributor 9th Sep, 2010 14:18
Score: 2445
Posts: 3,336
User Since: 19th Dec 2007
System Score: N/A
Location: N/A
Last edited on 9th Sep, 2010 14:21
Hi TiMow ,

We are talking secure browsers not secure browsing . Your QuickTime problem is only relevant to QuickTime users as is any other vulnerable add-on etc .

I don't use QT but I do have DivX which would doubtless show as insecure, no solution in the "secure browsing" tab if I still had 1.5.0.2 or the TP 1.9.x - although the latter had a bug of going green when just the browser was patched and add-ons weren't .

The OP referred to the 3 browsers themselves and Joe mentions Ff 3.6.9 ; I cannot guess what add-ons if any are applicable to an individual's idiosyncratic embellishments , so my answer is for the actual browser only .

Stick with 1.5.0.2 as the secure browsing data is much more relevant/important than the 2.0. Beta's eye candy , in my book .

My PPS in my post above lets you check back on patched or not vulnerabilities you mentioned in your post .

Hope that's clear enough .

Anthony

Ps: I'm not that slow a one finger tapper , but my edits can be deceiving :)

--


It always seems impossible until its done.
Nelson Mandela
Was this reply relevant?
+2
-0
This user no longer exists RE: Insecure Browsers
Member 10th Sep, 2010 01:31
I too have the same problem. I'm showing Firefox 3.6.9 and just ran a scan on PSI 1.5.0.2 and it's still showing Firefox as insecure. I'm running Windows XP Professional SP3.
Was this reply relevant?
+0
-0
joe schmoe RE: Insecure Browsers
Member 10th Sep, 2010 02:04
Score: 38
Posts: 139
User Since: 26th Nov 2008
System Score: 100%
Location: US
Hi, Anthony-

Just finished reading your post, and I gotta say, sometimes I think the Firefox guys are the good guys and the M$ people not so good at times. But, they do have literally thousands of bad guys after them all the time. It's tough.

I'm sticking with v. 1.5.0.2 for now, as the insecure/secure browser section is still relevant.

Thanks for answering; I agree with you that add-ons are not as important as a secure browser. Firefox at least lets you know when an update for an add-on is available. As I said, a secure browser lasts only as long as a bad guy does not find a weakness. And they always seem to.

Joe

MS XP Home SP3
1.5 GB RAM

--
XP Pro SP3 P4 3.2 HT 2 GB RAM Avast! 9.0.2018 AIS
Win 7 Home Pro SP1 Pentium D 2.8 3 GB RAM Avast 9.0.2018 AIS
Secunia PSI 2.0.0.3003 XP Pro 32-bit & Win 7 H Pro 64-bit
Was this reply relevant?
+0
-0
TiMow RE: Insecure Browsers
Dedicated Contributor 10th Sep, 2010 13:12
Score: 737
Posts: 728
User Since: 26th Jun 2009
System Score: N/A
Location: CH
@mynahbird

If your problem hasn't sorted itself out overnight (shut-down, re-start), I would suggest that you start your own thread, as your post is almost lost in this thread, and avoid any possible confusion therein contained.

It would be helpful to include the installation path that PSI is giving for the insecure Ff (and version detected).

Just to add, briefly, using the same set up as you, I updated Ff. 3.6.9. without problems and have it listed under Patched tab as patched; and under Secure Browsing it shows a cat.2 threat against the line for Mozilla Firefox 3.6., showing "Insecure, no solution".

If this is the same for you, then you can do no more at this time.

TiMow

--
Computing is not yet a perfect science - it still requires humans.
Was this reply relevant?
+2
-0
Anthony Wells RE: Insecure Browsers
Expert Contributor 10th Sep, 2010 13:33
Score: 2445
Posts: 3,336
User Since: 19th Dec 2007
System Score: N/A
Location: N/A
Last edited on 10th Sep, 2010 13:34
Hello mynahbird ,

Using the PSI 1.5.0.2 in "advanced" mode , then Ff 3.6.9 will show in the "patched" tab as fully patched and in the "secure browsing" as "insecure , no solution" because of SA 41244 . This is the correct situation and fully described higher up the thread . The threat exposure is small , but safe browsing rules are always important whatever the browser status .

If you are seeing Ff in the "insecure" tab , you likely have an out of date version folder or file belonging to Ff kicking around somewhere ; then , what is the "installation path" that is showing ??

Hello Joe ,

Just a minor point , some add-ons really are dangerous when insecure :eg: Adobe Reader has just become a CAT 5 "unpatched" danger as seen in the Advisory :-

http://secunia.com/advisories/41340/

There is talk of a javascript work around but nothing official .

Adobe are a very big target because of their widespread exposure ; the same of course applies to Flash .

Stick with 1.5.0.2 and the secure browsing data , though even that is in some danger as Secunia are removing data on some programmes which are "unfixable" with a patch because of where/how they are embedded ; still "potentially" vulnerable but might no longer be displayed . If they remove "secure browsing" advice completely , as per the Beta for the new version of the PSI , then it's just another patch checker ; that would be sad .

There is some hope in that Adobe seem to be planning to sandbox their programmes and prevent the bad guys writing to the HDD and chasing your ID .

Chrome sandboxes each tab which also adds a level of security as does their embedding Flash and their own PDF reader . An ongoing fight to stay safe(ish;))

Take care

Anthony

Edit : definitely crossed with TiMow .

--


It always seems impossible until its done.
Nelson Mandela
Was this reply relevant?
+2
-0
joe schmoe RE: Insecure Browsers
Member 10th Sep, 2010 17:52
Score: 38
Posts: 139
User Since: 26th Nov 2008
System Score: 100%
Location: US
Last edited on 10th Sep, 2010 18:15
Hi mynahbird,

Just as a case in point, see Anthony's last post re add-on vulnerabilities. A point not often considered are the plugins installed as well. Some of the plugins can be vulnerable as well. Firefox, for example, has a plugin check feature accessible via Tools\Add-ons\Plugins\Find Update. Firefox will run the checker and it is possible to disable some or all of the plugins, especially those not posted as 'up-to-date'. You will need to go to the plugin tab and run 'Find Update' from there.

Add-ons are listed under "Extensions".

I am not 100% sure of what is the difference between add-ons and plugins, but I think (correct me if I am mistaken) add-ons are programs or features enhancing the use of Firefox chosen by the user, and plugins are features installed by programs elsewhere in the system you use.

The point here is that even with PSI, in spite of whatever version you may use, there are still some areas of browser security not fully understood/aware of, and it is up to the user to ensure the highest level of security possible.

I do not yet know if other browsers offer the plugin security check feature as I only use FF as my main browser. Would be interested to know if other browsers offer this feature.

If Adobe does implement sandboxing as a security measure for all of its programs, this would greatly enhance browser security for all browsers one can use. I do think browser sandboxing is the way to go.

Yours truly,

Joe

XP Home SP3
1.5GB RAM

--
XP Pro SP3 P4 3.2 HT 2 GB RAM Avast! 9.0.2018 AIS
Win 7 Home Pro SP1 Pentium D 2.8 3 GB RAM Avast 9.0.2018 AIS
Secunia PSI 2.0.0.3003 XP Pro 32-bit & Win 7 H Pro 64-bit
Was this reply relevant?
+0
-0
TiMow RE: Insecure Browsers
Dedicated Contributor 10th Sep, 2010 20:05
Score: 737
Posts: 728
User Since: 26th Jun 2009
System Score: N/A
Location: CH
Last edited on 10th Sep, 2010 20:08
Hi Joe

Just to address your last sentence - I remembered to search out the following (prompted by something I read in another post and had forgotten about).

http://www.kace.com/products/freetools/secure-brow...

You may be already aware of this, but it seems to be a step in the right direction, to which you inferred.

I have only quickly skipped over the text, but it appears to offer similar properties as running a sandboxed browser.

Unfortunately for me, having ditched Adobe Reader a while back, I was put off by the plug-in inclusion, and have mixed feelings about registering up front for a free browser. EDIT: It's only free for a trial period, then it's $$$.

However, if this is a glimpse into the way things are heading, it can't be all bad.

TiMow

--
Computing is not yet a perfect science - it still requires humans.
Was this reply relevant?
+1
-0
Anthony Wells RE: Insecure Browsers
Expert Contributor 10th Sep, 2010 20:37
Score: 2445
Posts: 3,336
User Since: 19th Dec 2007
System Score: N/A
Location: N/A
Last edited on 10th Sep, 2010 20:42
Hello All ,

@mynahbird ,

How are you getting along ??

@Joe ,

You summed it up nicely . Just a point , both Ff and the PSI only update your bits and pieces when there is a patch ; so they complement overlap . You can check your extensions same way as the plug-ins to update , modify , disable , etc.

The value of secure browsing is that it shows the vulnerability before there is a patch . Like you said , all the same , we must be responsible to ourselves .

In Chrome , you can check your extensions and plug-ins and fiddle with , disable , etc . Some are auto-updated :eg: embedded Flash and some are common to both Chrome and Ff .

In Chrome (Dev channel) you go spanner->Options->under the hood->content settings-> or spanner->tools->extensions .

@TiMow ,

Sandboxing your browser works now ; as with KACE , see what Gizmo Richards has to say :-

http://www.techsupportalert.com/safe-surfing.php

It is not easy ; so a big help and difference will be when the software suppliers make their products run in a sandbox in the first place without your need to deal with complex (for many) configurations ; Chrome does it without telling you in so many words , but not to the extent of stopping you downloading infected data via an additional defined action .

Hope this is useful .

Take care

Anthony

PS : a keylogger could still run and steal your data from within a sandbox , so it is not the be all :((.



--


It always seems impossible until its done.
Nelson Mandela
Was this reply relevant?
+1
-0
TiMow RE: Insecure Browsers
Dedicated Contributor 10th Sep, 2010 20:49
Score: 737
Posts: 728
User Since: 26th Jun 2009
System Score: N/A
Location: CH
Last edited on 10th Sep, 2010 20:57
Hi Anthony

Just a quickie before shutting down.

Thanks for the link, although I have had Sandboxie (still free version) for a while, but haven't been using it recently, as I need to re-read the instructions relating to downloads.

Having said that, if I want to visit a site that is unknown and may be 'dodgy', then I do open it up.

Regards

TiMow

--
Computing is not yet a perfect science - it still requires humans.
Was this reply relevant?
+0
-0
