Firefox firefoxurl:// flaw discovered


Postby Antony » Tue 10 Jul, 2007 11:30 am

Cnet News.com has the following report on Firefox's firefoxurl:// protocol.

Critical Firefox security flaw discovered

A "highly critical" security flaw has been discovered in Firefox, which could allow a malicious attacker to gain remote control of a user's system, according to an advisory issued by Secunia.

The security flaw is found in Firefox 2.0 and later versions, due to the way it registers the "firefoxurl://" URI (uniform resource identifier) handler, which allows the browser to interact with specific resources on the Web.


Secunia.com ranked it "highly critical".
UserAgent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.4) Gecko/20070515 Firefox/2.0.0.4

Postby Fulvio » Tue 10 Jul, 2007 12:32 pm

The Secunia site mentions not to browse insecure sites. It makes sense.
Then an obscure, to me, statement:
Disable the "Firefox URL" URI handler.

What does it mean? Where do you do that?
UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a6) Gecko/20070629 GranParadiso/3.0a6
A minority may be right, and a majority is always wrong
~ Henrik Ibsen
WinXP, SP3, 512 MB, SM2.9.1, FF12, TB12.0.1, IE8.0, Google Chrome18, Ghostwall , Avast 7.x, JRE1.7_04. Testing FF13b3
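Added example, not part of the original post or of Secunia's advisory: on Windows, a URI handler is a key under HKEY_CLASSES_ROOT that carries a `URL Protocol` value, and the program it launches is the default value of `shell\open\command`, so the handler the advisory refers to can be located and inspected from PowerShell. The function name `Get-UriHandler` is hypothetical, and removing the key as the way to disable the handler is an assumption, since the advisory text quoted in this thread gives no steps.

```powershell
# Added example: list URI scheme handlers registered in HKEY_CLASSES_ROOT.
# Get-UriHandler is a hypothetical helper name, not a built-in cmdlet.
function Get-UriHandler {
    param(
        # Wildcard filter on the scheme name; '*' lists every handler.
        [string]$Scheme = '*'
    )
    Get-ChildItem -Path 'Registry::HKEY_CLASSES_ROOT' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -like $Scheme } |
        ForEach-Object {
            $key = $_
            # Only keys with a "URL Protocol" value are URI handlers.
            if ($key.GetValueNames() -notcontains 'URL Protocol') { return }

            # The launch command is the default value of shell\open\command.
            $cmdKey  = $key.OpenSubKey('shell\open\command')
            $command = if ($cmdKey) { $cmdKey.GetValue('') } else { $null }
            if ($cmdKey) { $cmdKey.Close() }

            [pscustomobject]@{
                Scheme    = $key.PSChildName
                Command   = $command
                # %1 is where Windows substitutes the URI handed to the handler,
                # so it marks handlers that receive outside input on the command line.
                PassesUri = [bool]($command -match '%1')
            }
        }
}

# Look for the scheme named in the thread (the match is case-insensitive).
$handler = Get-UriHandler -Scheme 'firefoxurl'
$handler | Format-List

# Review every handler that passes the URI to a program.
Get-UriHandler | Where-Object { $_.PassesUri } | Sort-Object Scheme | Format-Table -AutoSize

# Assumed way to disable a handler found above: back the key up, then remove it.
# Left commented out so nothing changes until the output has been reviewed.
# reg.exe export "HKCR\$($handler.Scheme)" "$env:TEMP\$($handler.Scheme).reg"
# Remove-Item -Path "Registry::HKEY_CLASSES_ROOT\$($handler.Scheme)" -Recurse
```

If the first command prints nothing, no handler for that scheme is registered for the current user or machine. The exported `.reg` file restores the key if it is needed again.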

Postby Ramona » Tue 10 Jul, 2007 3:13 pm

You can test your browser at this site:
Vista + IE7’s default security: Blocked site from stealing info

With the NoScript Extension nothing could be read, until enabling the site.
UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.4) Gecko/20070515 Firefox/2.0.0.4

Postby James » Tue 10 Jul, 2007 6:49 pm

The NoScript extension may be the safe way to go but it's far too inconvenient and time consuming. Frankly, I'd rather take the chance than continually mess with my settings. It's getting ridiculous how you have to practically wrap yourself in cellophane to surf a little online.
UserAgent: Opera/9.21 (Windows NT 5.1; U; en)

Postby Fulvio » Wed 11 Jul, 2007 10:28 am

James,
that's life in the streets. I try to avoid as many sites as I can. I am not paranoid. Just a realist. Programs are designed by humans, and there is always a possibility that there is a crook out there.
I agree with you. I considered No Script, but declared it a potential pain.
UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.4) Gecko/20070515 Firefox/2.0.0.4

Postby James » Wed 11 Jul, 2007 10:41 am

I do so little surfing, Fulvio, that it doesn't really concern me. After all... I'm fairly cautious anyway so it's highly unlikely I'm going to visit a "bad" site and/or click on a malicious link. But having said all that, I'm still concerned about security but not to the point of obsessing about it. After all... you can take all the precautions and still become infected so go figure.

Let me elaborate. I've a friend who refuses to buy anything online. He tells me it's too dangerous. I asked him if he ever used his credit card. He replied... yes. Well... is he aware that his credit card number is out there sitting in countless file cabinets of stores that retain such for four years. Ours does. Sometimes I watch customers carefully scratch out their number after signing the credit card receipt. What they don't realize is... when they're gone I can reprint the ticket... I can run a settlement and all the numbers re-appear.

The point is... we're not safe and secure in spite of all the precautions we take. It boils down to... what is reasonable... what is convenient... and what can you live with. I'm not going to tie myself up in knots worrying about every security glitch and every flaw that exists on the web. Otherwise, I might just as well pull the plug on the cotton pick'n thing and forget about it. lol

BTW... for the heck of it I installed the NoScript extension. Initially it is a pain. But I imported my bookmarks (I think I did it correctly) and it no longer bugs me on each of my favorite sites.... sort of like the firewall... initially a giant pain but eventually it quiets down. I hope I set it correctly. If not... who really cares.
UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.5pre) Gecko/20070604 Firefox/2.0.0.4 Navigator/9.0b1

Postby Fulvio » Wed 11 Jul, 2007 11:17 am

I am using NS7.2. So there!
UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.2) Gecko/20040804 Netscape/7.2 (ax)

Postby Ramona » Wed 11 Jul, 2007 7:19 pm

Fulvio and James,

You both might be interested in this thread, which discusses NoScript and the security vulnerability. Giorgio Maone is the author of NoScript:
Firefox "firefoxurl" URI Handler Registration Vulnerability
UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.5pre) Gecko/20070604 Firefox/2.0.0.4 Navigator/9.0b1

Postby James » Wed 11 Jul, 2007 9:42 pm

Thanks, Ramona. I read through the thread but it honestly doesn't really change my mind relating to security on the internet. As I stated, I've actually installed the thing, but I doubt I will keep it since it appears to be far too inconvenient. I asked my wife if she wanted it installed and she declared an emphatic No. Her network at work, while using Mozilla, does not use the extension either. At my place of employment, they refuse to use any browser other than IE 7 so there you have it.

There's danger everywhere. As I stated previously, you can say you are safe by not making purchases online but your credit card number and date of expiration are still out there. In fact, we keep them for four years in an unlocked filing cabinet in our back room at work. Your driver's license is out there... Wickes furniture in Oregon requires you, believe it or not, to have your license scanned when you make a credit card purchase. Yup. Ridiculous but true. Your SIN is out there. We're not safe anywhere. Sure, I suppose you can take steps to at least reduce your risk, but a substantial risk is still there as long as you are online.

My son opted to dump his PC and go to a Mac. I'm sorely tempted to follow him, I'm so sick to death of all the security issues with my PC.

Anyhoo... thanks for the link.

Fulvio! Roaming about with NS 7.2! OMG! What a Man! What a Man! :wink:
UserAgent: Opera/9.21 (Windows NT 5.1; U; en)

Postby James » Wed 11 Jul, 2007 9:46 pm

btw... been using Opera for the past few days and I'm liking it more and more. Not sure I'm ready to jump ship just yet. Time will tell.
UserAgent: Opera/9.21 (Windows NT 5.1; U; en)

Postby Ramona » Wed 11 Jul, 2007 10:57 pm

Hi James,

I really wasn't trying to change your mind about NoScript, but since that thread related to our discussion here, I was interested because the author of the extension was participating in the thread.

You're absolutely right, as there is no "safe" anywhere, much less the Internet. I actually feel more secure buying on the Internet than in Dept. Stores, etc. What with stolen identities, etc., you takes your chances! :x
UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.4) Gecko/20070515 Firefox/2.0.0.4

Postby Antony » Wed 11 Jul, 2007 11:22 pm

Ramona wrote: You're absolutely right, as there is no "safe" anywhere, much less the Internet. I actually feel more secure buying on the Internet than in Dept. Stores, etc. What with stolen identities, etc., you takes your chances! :x
Slightly off-topic here.

Always remember to keep receipts (for a few months at least) and check your monthly credit card statements.
UserAgent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.4) Gecko/20070515 Firefox/2.0.0.4

Postby James » Wed 11 Jul, 2007 11:36 pm

I do, Antony. My wife always asks for them and makes certain her MS Money accounts for everything. She's my accountant and I'd better not slip up! :wink:

Ramona, the irony of what I'm saying is... I installed NoScript but I'm not liking it. Oh... I'll probably keep it but it doesn't make me happy. I can actually say with all seriousness, while I need the internet and I still enjoy the internet, I do not enjoy it as much as I did in 1997. Life was so much simpler then... the browser... the lack of security since for the most part, it wasn't really needed all that much... the newness and excitement. Oh... some of it is still there but much has been severely tarnished by jerks and criminals and I deeply resent having to make almost daily changes just to keep from being robbed or worse. I hate this aspect of the internet.

Another aside: I'm about a year away from a new computer. I'm seriously thinking of dumping my PC for a Mac. What do you think, Antony?
UserAgent: Opera/9.21 (Windows NT 5.1; U; en)

Postby Antony » Thu 12 Jul, 2007 8:24 pm

James wrote: Another aside: I'm about a year away from a new computer. I'm seriously thinking of dumping my PC for a Mac. What do you think, Antony?
Go for a Mac.
Your life will be hundredfold easier with a Mac than a PC, and it runs Windows natively, if you really must use Microsoft Windows.
UserAgent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.4) Gecko/20070515 Firefox/2.0.0.4

Postby Antony » Thu 19 Jul, 2007 1:59 am

This security vulnerability is fixed in Firefox 2.0.0.5 and Thunderbird 2.0.0.5.

Mozilla Foundation Security Advisory 2007-23
UserAgent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.4) Gecko/20070515 Firefox/2.0.0.4