Sebastian G. wrote:
> kurt wismer wrote:
>
[snip]
>>> Nonsense, it is really easy because almost every webbrowser is secure
>>> by default out-of-the-box.
>>
>> now you're just being absurd....
>
>
> Or correct. Just take a look at the major players Mozilla Firefox,
> Mozilla Seamonkey, Opera, Konqueror and w3m. Agreed, Mozilla Firefox is
> a bit obscure, but nevertheless still secure by default.
and the absurdity continues... apparently internet exploder (what most
people use to browse the web with) doesn't exist in your world, and of
the browsers that do exist firefox (of all things) is the one you
consider obscure...
>> vulnerabilities exist in most non-trivial programs whether the good
>> guys know about them or not so i will say *all* web browsers have
>> unpatched vulnerabilities and time will bear me out...
>>
>> and no, the bad guys don't depend on vulnerabilities already known to
>> the good guys... they have their own black hat researchers and their
>> own vulnerability black market...
>
> Thanks for stating the trivial exception that doesn't need to be
> discussed. Now, can you present some incidents showing any significant
> relevance?
let's just be perfectly clear, here... you want me to list documented
vulnerabilities in mainstream browsers for which there is no patch yet...
i just explained 2 things... the first was that the vulnerabilities that
would get documented in the fashion you're looking for are not
necessarily the ones that are actually relevant to this discussion (it's
the ones that the blackhats know about but the whitehats don't that are
most relevant)...
the second was that we can take the assertion that most browsers contain
unpatched vulnerabilities as axiomatically true and let time do the work
of revealing the details of those vulnerabilities... in other words, if
browsers and all the components that plug into them never need security
updates ever again then you were right, otherwise not so much...
but, just to put the last nails in the coffin of the debate on how easy
it is to find vulnerabilities, these articles are all from the past
month and each one is about something different and has something
related to web browsing...
http://blogs.zdnet.com/security/?p=636
http://blogs.zdnet.com/security/?p=652
http://www.symantec.com/enterprise/s...ack_again.html
http://isc.sans.org/diary.html?storyid=3540
http://www.symantec.com/enterprise/s..._the_loos.html
http://securitywatch.eweek.com/apple...r_windows.html
http://www.liquidmatrix.org/blog/200...vulnerability/
http://securitywatch.eweek.com/vulne...tsoever_1.html
>>> It's hard getting exposed at all.
>>
>> no, it's not... it's quite easy because the exploits can be served
>> through mainstream sites like cnn.com...
>
>
> Exposure is measured by the vulnerabilities, not by the websites serving
> them. Who the hell cares if cnn.com serves some third-party scripts with
> malicious intent as long as the intent can't materialize into an actual
> compromise?
>
>> wrong... exposure has to do with whether you came in contact with it,
>> not whether you got compromised by it...
>
>
> In that case, exposure should be about 100% and every system would be
> compromised. Not. Without an unpatched vulnerability, that's a no-go.
it's clear to me that you are equating exposure to compromise, in spite
of the fact that (for example) you can be exposed to a biological
contagion without getting sick...
>>> ECMAScript is obviously interpreted by the webbrowser as well.
>>
>> aside from the fact that that is not the only script language out
>> there...
>
>
> Huh? It is, especially as implied by the HTML standard. It's also that
> I have yet to see a webbrowser supporting any additional scripting
> language.
the majority of web users still use ie, ie supports additional scripting
languages, and ie's jscript interpreter is separate...
>>>> what about multimedia? what about other document formats like pdf?
>>> That's external. Do you let such things load by default or what?
>>
>> of course it's external, that's the point... rendering web content
>> normally involves external functionality in addition to what's built
>> into the browser... even rendering images is 'external' (and has been
>> a source of problems - see wmf and vml)...
>
>
> External != embedded. And which webbrowser renders WMF and VML?
no browser does, the browser hands that job off to a different component...
>> it seems dustin is correct, i'm wasting my time here... it's
>> unreasonable to expect users to know that paypalsecurity.com is
>> registered to a different entity than paypal.com is...
>
> Sure it's reasonable, you just shouldn't expect people to be reasonable.
> Heck, when you don't know the URL syntax, then you should expect to run
> into security problems. Still it's the user's fault, for intentionally
> ignoring minimum required knowledge.
oh it is reasonable? ok then i suppose i can reasonably expect you to a)
list the primary domains of all the sites you visit regularly and b)
list *every* *single* domain that is also registered to those entities...
that is essentially what you're expecting others to be able to do... so
go ahead, list away...
--
"it's not the right time to be sober
now the idiots have taken over
spreading like a social cancer,
is there an answer?"