Forum Thread: Browser status.


This thread was submitted in the following forum:
PSI

This thread has been marked as locked.
TiMow Browser status.
Dedicated Contributor 17th Sep, 2010 09:15
Ranking: 737
Posts: 728
User Since: 26th Jun, 2009
System Score: N/A
Location: CH
Using PSI 1.5.0.2, with Secure Browsing tab.

1) Firefox, updated yesterday (16/9) to 3.6.10. Correctly recognised under Patched tab. Yet, Mozilla Firefox element within Secure Browsing listing for Ff. still shows "Insecure, no Solution", (cat.2 threat); SA41244 applies, but shows the following:

"Solution
Reportedly, this will be fixed in the Firefox versions after 3.6.9 and 3.5.12."

Is this insecurity still relating to N.S.S. (SA41327), although a solution to that is given as vendor workaround? This should now be included in Ff. 3.6.10 (?).

2) Chrome, silently updated today (17/9) to 6.0.472.59, but not initially recognised by PSI (Patched or Secure Browsing), with program monitoring enabled; old version showing as Insecure. Deleted this, and rescanned. Insecurity removed and updated Chrome now present in both tabs.
However Chrome element within Secure Browsing listing for Chrome still shows "Insecure, no Solution", (cat. 5 threat); SA41443 applies, relating to insecure embedded flash plug-in.

Under Secure Browsing for all browsers, the listing for Flash (stand alone) shows separately as cat. 5 threat (SA41434). But Chrome (listed under plug-ins, within Chrome) shows 2 files for flash - I'm assuming the bundled is one and the stand alone (NPAPI) is the other, hence the continual threat rating for Chrome itself (Secure Browsing).

N.B. The latest Chrome update seems to have addressed other issues, but until Adobe issue a patch for Flash, and Chrome is further updated to reflect this, then the Secure Browsing insecurity remains.

Update for QuickTime became available yesterday (for me), and has removed the browser plug-in insecurity in Secure Browsing.

In the process of writing this post, I may have answered my own questions regarding current browser status. If this is not an accurate assessment, then please clarify. If it is, then it may be helpful to others, who may have similar uncertainties, as I did initially; and especially anyone using 2.0 beta, who don't have the benefit of the Secure Browsing tab.

TiMow

--
Computing is not yet a perfect science - it still requires humans.

Anthony Wells RE: Browser status.
Expert Contributor 17th Sep, 2010 17:31
Score: 2454
Posts: 3,345
User Since: 19th Dec 2007
System Score: N/A
Location: N/A
Last edited on 17th Sep, 2010 17:33
TiMow,

In Ff go to ->Help->Release Notes and you will see in the changelog/What's new in Firefox 3.6.10 that it is a major stability fix for a 3.6.9 user problem. It is not a security fix.

Your assessment of Chrome is correct in my book.

Anthony

--


It always seems impossible until it's done.
Nelson Mandela
taffy078 RE: Browser status.
Contributor 17th Sep, 2010 22:29
Score: 408
Posts: 1,352
User Since: 26th Feb 2009
System Score: 100%
Location: UK
on 17th Sep, 2010 17:31, Anthony Wells wrote:
TiMow,

In Ff go to ->Help->Release Notes and you will see in the changelog/What's new in Firefox 3.6.10 that it is a major stability fix for a 3.6.9 user problem. It is not a security fix.

Anthony


Hi TiMow - Anthony.

I had intended to post something similar to TiMow's about Firefox. The changelog might say that it's not a security fix but that's not what it said when I hit "check for (Ff) updates".

There, the message was very clear - "v 3.6.10 - A security and stability update is available".

--
taffy078, West Yorkshire, UK

Desktop: Compaq Presario (OEM) 32 bit / AMD Athlon / 2 GB RAM
XP Home - SP3/ IE8/ Norton IS - Secunia PSI v2.0.0.3003

Laptop: Win 7 / IE11 / PSI v2.0.0.3003
mogs RE: Browser status.
Expert Contributor 17th Sep, 2010 23:00
Score: 2265
Posts: 6,266
User Since: 22nd Apr 2009
System Score: 100%
Location: UK
Just a note on the Chrome timing, TiMow:-
"2) Chrome, silently updated today (17/9) to 6.0.472.59, but not initially recognised by PSI (Patched or Secure Browsing), with program monitoring enabled; old version showing as Insecure. Deleted this, and rescanned. Insecurity removed and updated Chrome now present in both tabs."

The following was placed in CClips 15/9/10 at 09.16


Stable, Beta Channel Updates
Tuesday, September 14, 2010 | 18:02
Labels: Beta updates, Stable updates
Google Chrome 6.0.472.59 has been released to the Stable and Beta channels for Windows, Mac, and Linux. In addition, it has been released to the beta channel for Chrome Frame.

The discrepancy seems greater than you've alluded to?

Anthony Wells RE: Browser status.
Expert Contributor 17th Sep, 2010 23:07
Score: 2454
Posts: 3,345
User Since: 19th Dec 2007
System Score: N/A
Location: N/A
Last edited on 17th Sep, 2010 23:20
Concerning Firefox:

In my experience the check for updates gives you a "standard message"; I would take the "changelog/What's new ..." as factual and I would check it before you download/update if you are in any doubt as to what you are doing/adding to your machine.

You can also check in the Secunia "vulnerabilities report" for Moz Ff to see which SA's are extant, as I have posted previously:-

http://secunia.com/advisories/product/28698/?task=...

In this case 3.6.10 was brought out for those people who had stability problems with the security updated 3.6.9 and could not use/run a secure Ff.

Hope that is clear.

Anthony


--


It always seems impossible until it's done.
Nelson Mandela
taffy078 RE: Browser status.
Contributor 18th Sep, 2010 07:39
Score: 408
Posts: 1,352
User Since: 26th Feb 2009
System Score: 100%
Location: UK
Last edited on 18th Sep, 2010 07:41
Thanks for your explanation, Anthony. I hadn't realised that the update message was a "standard" wording.

--
taffy078, West Yorkshire, UK

Desktop: Compaq Presario (OEM) 32 bit / AMD Athlon / 2 GB RAM
XP Home - SP3/ IE8/ Norton IS - Secunia PSI v2.0.0.3003

Laptop: Win 7 / IE11 / PSI v2.0.0.3003