
Two Apples a day won't keep hackers at bay, but neither will Firefox


Quick, what's Apple's biggest vulnerability? Right, QuickTime!

QuickTime just happens to run on both Windows and Mac OS X, which makes this the second cross-platform threat I have reported here in the past week. This is also the second time in a week Apple has released a security patch to block malicious Web sites from using QuickTime flaws to wreak havoc on visitors who could be tricked into visiting them.

The Register has a brief article on the vulnerabilities and also carries a piece on a dozen other recently patched holes in OS X, including a serious threat due to a problem with mDNSResponder.

Thanks a "heap," Apple.

And, lest non-Mac users feel safe with their freeware, it turns out that Firefox add-ons, including the notorious Google toolbar, pose serious security threats. This and other plug-in vulnerabilities in Google Browser Sync and the Yahoo! toolbar (as well as the AOL and Ask.com toolbars -- and even the Netcraft Anti-Phishing Toolbar and PhishTank SiteChecker) were discovered by graduate student Christopher Soghoian.

I think until the dust settles on this one I'll go back to using IE.

25 comments
apotheon

. . . and this is it. Hell, I even watch Flash animations with a separate, open source media player. By the way, you might want to have a look at this, John: [url=http://googlebar.mozdev.org/][b]Open Source Googlebar[/b][/url] (edit: oops, fixed)

Tony Hopkinson

Clicked on the thumbs up to see what eejit thought this was a worthwhile article and became one of them. :( Knock a vote off please, probably the other two are bogus as well, just too embarrassed to admit it. 0 / 7, not looking good

heres_johnny

If you'll notice, there isn't a 'thumbs-down' vote available on this one. I don't think that's accidental, either.

DanLM

I started playing around with vb.net express. Yes, I know it's a scaled down vb.net. But, it's free for getting my feet wet. Actually got my first app (something I'll use) to work in a couple hours too. Now, if I can only figure out how to make it portable for my thumb drive. But, back to my question. Can you suggest any vb.net books? Dan

Tony Hopkinson

I can say the WROX Press .NET and C# books are very good, never had a bad one in fact. They are always my first point of call.

DanLM

I will go hunting when I get home from work tonight, much appreciated. Dan

heres_johnny

But you, John McCormick, are an idiot. Why waste our time with an article like this? The same ADD-ON toolbars you mention (I emphasize add-on because you have to install them, they don't normally come with Firefox) were made first for IE. Did you think we wouldn't know that? Damn, your editors must be falling asleep at the switch to let this one go by.

TechExec2

It's good to alert people to issues with QuickTime and Firefox add-ons. But, as written, this article is flame bait. [b][i]"...I think until the dust settles on this one I'll go back to using IE..."[/i][/b] Let's all jump from the frying pan into the fire? Not for me on Windows, Mac OS X, or Linux. I don't run those Firefox plug-ins on my systems. If I did, I would just remove them.

Tech Locksmith

You mean it actually might provoke comments? Actually comments are welcome, it gives members a chance to express their opinions, especially now that blog postings are limited to a few people. If you don't run those plug-ins or use QuickTime, then you really should skip the warnings. If you want an explanation of why I use them, it is because a lot of plug-ins are very useful and switching back to a fully patched IE version while Google patches a problem seemed like a reasonable solution as compared to ditching all the functionality I moved to Firefox to get. It seemed like a simple fix to my clients too, especially since they all have both Firefox and IE already loaded on their systems and I had customized Firefox extensively for them.

apotheon

"[i]switching back to a fully patched IE version[/i]" I suppose that depends on your definition of "fully patched". Wikipedia has a table comparing [url=http://en.wikipedia.org/wiki/Comparison_of_web_browsers#Vulnerabilities][b]browser vulnerabilities[/b][/url]. Judging by the statistics there, I'm less than enthused by IE's stats, especially considering that IE7 is showing current vulnerabilities unpatched for up to about 13 months (and change) while IE6 shows vulnerabilities unpatched for up to a period of more than three years. (edit: added IE6 reference, just in case)

TechExec2

[b][i]"...You mean it actually might provoke comments?..."[/i][/b] No. It actually might provoke flames from some QuickTime, Mac OS X, and Firefox users. The article would have been worthwhile if it said: "Be sure to apply these patches to QuickTime and Mac OS X, and remove these Firefox add-ons until they are fixed". Instead, the article essentially said "QuickTime, Mac OS X, and Firefox users should not be so damn smug about security". I don't entirely disagree. But, the message should be to stress vigilance and avoid overconfidence. ** The QuickTime security issues mentioned were already fully patched and automatically rolled out to users via the Internet. ** The Mac OS X security issues mentioned were already fully patched and are automatically rolled out to users via the Internet. ** The Firefox-related issues are not even in Firefox. They were in 3rd-party add-ons. Removing them is the correct workaround. This article did a much better job of inflaming than informing. It was a taunt. It was flame bait. P.S. And, I'll bet you did not really go back to IE. That was just another rhetorical comment. Of course, only you know for sure.

apotheon

"[i]I believe it was Captain Renault who said in Casablanca, "I'm shocked, shocked to find there is gambling going on here!'[/i]" Yes, that's who said it. Great movie. Not Bogie's best, but it's the one that gets all the attention. "[i]it is a LOT simpler to just have them switch their browser to IE for a day.[/i]" Simpler, maybe, but based on the patch response rate of Microsoft and the fact that (unlike an open source project like Firefox) Microsoft has a tendency to try to punish anyone that lets on there's a discovered vulnerability to the public while sitting on them for months at a time before fixing them, I'm inclined to believe that known vulnerabilities in Firefox are probably less dangerous than whatever vulnerabilities may or may not exist in IE at any given time. The patch time records for MS software at eEye Digital Security are quite telling. Even though eEye has finally bent its knee to the power of the overwhelming economic power of Microsoft, and no longer publicly releases information about vulnerabilities of which it is aware until MS says it's okay, the guys at eEye still post original discovery and report dates along with time to final patch roll-out after Microsoft "lets" them do so. The picture painted by these records is not pretty. eEye still shows numbers for some vulnerabilities that have been left unpatched so long that they're likely to never be patched, however. Those are the scariest numbers of all -- and that's not a sign of a good choice of alternative when one of IE's competitors develops a vulnerability. "[i]Bill Gates was only 8 years old when I wrote my first computer program[/i]" Funny -- I was even younger than that when I first wrote my own computer program. "[i]if I'm wrong too often they find it easier to fire me than Microsoft.[/i]" That's amusing. They still might want to consider whether they should fire Microsoft, though. Some of them would surely benefit -- though you might not benefit, business-wise, for suggesting it.

Tech Locksmith

I believe it was Captain Renault who said in Casablanca, "I'm shocked, shocked to find there is gambling going on here!" Well - I'm shocked, shocked to discover IT workers with differing opinions on software and willing to share them. Still, I prefer to think that professionals don't flame, they share ideas. I happen to like lively discussions and, apparently, a lot of my readers do also. As for the plug-ins, removing them is certainly A workaround. For you it is apparently the "correct" workaround. Of course that is a lot easier when you are talking one PC or a single company. It gets a lot more complicated when you have 10 clients with about 20 PCs each. In that case it is a LOT simpler to just have them switch their browser to IE for a day. A 30 second fix instead of a MUCH longer process both for me and for my clients - also one they can implement themselves without paying my outrageous charges for actually messing with their machines. Not to mention that automatic updates to Firefox can cause some of the plug-ins I have written for clients to stop working. One size doesn't always fit all, which is also why we have discussions here in the blogs. Actually I use both IE and Firefox all the time, how else would I spot problems? It happens that I did greatly increase my reliance on IE and had most clients switch for a day till I could check out the fixes. I'm not a big fan of automatic updates. I've had too many turn around and bite me. Besides, my clients don't pay me to let Microsoft, or some other vendor, update their computers at the drop of a bit. For some strange reason they trust me more than they trust those big companies. Perhaps because Bill Gates was only 8 years old when I wrote my first computer program and only 5 when I built a tic-tac-toe game. And, if I'm wrong too often they find it easier to fire me than Microsoft.

NickNielsen

Aren't the Yahoo, Google, Ask, and AOL plug-ins also available as plug-ins for IE? This article wasted bytes.

Tony Hopkinson

Why not just get rid of QuickTime? What the hell was the posting about? It happens on Windows and XWindows so I'll go back to IE? :p What, running under Wine on Linux? What a crap article!

OldER Mycroft

He was being paid to slag-off one while inferring the other was safe. Who the hell is this guy? Doesn't he have an editor? Looks like he doesn't!

Tech Locksmith

Who am I? I presume it was a rhetorical question since you can learn that from my Member Profile, but just so you know I do read comments, I will post a brief answer. I'm a technology reporter who wrote his first computer program in 1963 and managed a mainframe in the late '60s. Starting with machine language (binary) I have programmed in more than 50 "languages" (probably 150+ if you count different versions and platforms) at least enough to test the language and compiler. I've been reporting on PCs since the first IBM PC was sold. It happens that my first review for the old Byte was listed in Cambridge Scientific Abstracts (my background is in physics and math since there was no such thing as a computer science major when I was in school.) Experience isn't everything, but it is something. I don't recall ever stating in 17,000+ published articles that IE was "safe." In this particular instance, it was probably "safer" than Firefox (with the Google plug-in) for a brief period of time before the plug-in threat was patched. Whether either Firefox or IE is safe in any absolute meaning of the term is certainly highly debatable since people seem to keep finding new vulnerabilities in both. Yes, I have editors. I have excellent editors here at TR, unlike some I have had at other publications where the editors actually inserted factual errors into some of my articles or reviews because they didn't know nearly as much about computers as I did. I quickly moved on from those editors and publications. A few of my blog entries get some minor editing here but they are published under my name and express my thoughts. As it happens, I can take complete responsibility/blame for this particular brief blog posting. The editors do read these comments so they are aware of your concerns. All comments are appreciated. "And the truth shall set you free! Sometimes free to look for other employment." - jm

Tony Hopkinson

With some of TR's authors. Still, if we keep having a dig, maybe it will embarrass them into a bit of quality, or at least honesty.

Tony Hopkinson

you put your name to, is all I can say. I welcome the heads up; the so-called solution implied by moving back to IE should have at least been backed by one or two provisos though.

Tech Locksmith

Or, you could just take it for what it was, brief notification of newly reported vulnerabilities which were publicly disclosed and therefore potentially significant. I notice that at least 4 people thought it was worthy of being posted so perhaps I was right to post it. Yes, I do have editors, but blogs are intended to allow expression of different "voices" in a way that heavily-edited news reports and articles don't. Some people actually enjoy the difference as evidenced by the fact that they read the blogs and even post comments. But, don't worry, my editors read every single comment so they are aware of your concerns. Your comments are always appreciated.

DanLM

I see these threats all deal with plugins. And removing plugins is pretty straightforward. What are you losing? Not a thing. I did read that right, correct? The only issue was the plugins themselves? And the Google toolbar you mention, there is one for IE as well. If it's broke in one browser, what makes you think it's not broke in the other? Dan

Tech Locksmith

Yep, removing the plug-ins is a solution, but I use a lot of them and will just have to reinstall them after the Google problem is fixed. That isn't all that difficult for home users and for me it is just the machines in my office, although it does mean five systems to change, but it also means going around to my clients and doing the same for them. The simple solution was to tell them to all switch to IE for a day. I could spend all day every day fixing problems with software but when there is an easy alternative I prefer to get things done and my clients like to keep their offices working - one easy solution was to go back to IE for a day - I don't happen to have very many "plug-ins" in IE so it was a quick and dirty fix for me and my clients, especially since it looked as if it would be fixed in a few hours. As for Google and IE, so far I haven't seen any report that the tool is vulnerable in IE, just the one in Firefox. THAT is what makes me think it is broken in one but not the other.

apotheon

If you remove the Google toolbar from Firefox, you lose the functionality of the Google toolbar. If you switch to IE without the Google toolbar, you lose the functionality of the Google toolbar. Given that parity in loss of functionality from a plug-in that has been shown to harbor one or more vulnerabilities, you chose IE over Firefox without the toolbar. Remind me again why IE without the Google toolbar is better than Firefox without the Google toolbar.

DanLM

I thought you were switching permanently to IE from Firefox. [i]The simple solution was to tell them to all switch to IE for a day.[/i] Again, my breaking the golden rule of a tech person burned me. Never assume. Dan

Tech Locksmith

Sorry if you were misled, but I thought: "I think until the dust settles on this one I'll go back to using IE." was pretty clear - the operative portion being "until the dust settles" which I thought most IT professionals would understand to mean until the Firefox problem was sorted out (fixed.) It really didn't require much in the way of assumptions but apparently you weren't the only reader who got carried away and thought that simple half-joking phrase actually meant "burn all copies of Firefox and never again use anything except IE." When all it actually meant was "until the dust settles on this one I'll go back to using IE." The English language can be tricky but I do try to use it with some precision, a good policy for programmers. Thank you for your input.
