November 23, 2005

are you at risk?

Are you or your loved ones at risk ;-) Well, at SANS Internet Storm Center, they're seeing a lot of people who are and they'll tell you whether or not your computer could be easily hijacked by a simple webpage (up at the top of the page under the pink banner.) Over at the Washington Post blog, Brian Krebs talks about the latest critical security hole in Microsoft's Internet Explorer and the coverage it's getting from US CERT and SANS Storm Center.

Posted by asa at 9:39 AM


reactions, thoughts, comments, etc.

School forces us all to use IE. Oh well, they've been well-informed of the risks, it's their own fault. :/

Posted by: ant | November 23, 2005 10:56 AM

Wow, that SANS site is a design storm of its own.

Posted by: RandomPunter | November 23, 2005 11:14 AM

'Funny' how the latest security issues found in IE are *always* jumped on by the MoFoCo community yet a deafening silence is the only thing heard when several Fx holes bob up.

I particularly like your 'there is no such thing as secure' theme to your comments. Very objective and realistic.

I'm also very impressed by your approach to security. Simply encourage people to change browsers! That's very holistic and sensible. I mean anti-virus, firewalls, none of that comes into it really, they're irrelevant!

Most impressive of all though, is your innovation in the security of browsers. That new Options dialogue is extremely secure. There were so many holes with it in the past, weren't there? I think approaches like linking the location bar to a database of nefarious sites and changing its colour to orange or red is just crazy talk. A new Mac-style Options dialogue and better Mac support are much more important 'security' innovations.

Posted by: pd | November 23, 2005 2:40 PM

pb wrote:
>several Fx holes

there are a grand total of 2 firefox vulnerabilities according to secunia (it says 3 but one of them is a plugin developed *by apple* for firefox, it's not a vulnerability with firefox itself). there's just not a lot of jumping to do when it comes to firefox bugs.

pb wrote:
>I'm also very impressed by your approach to security. Simply encourage people to change browsers! That's very holistic and sensible.

i assume by "your approach" you mean the US department of homeland security's approach. they are the one who issued the advisory (http://www.kb.cert.org/vuls/id/713878).

pb wrote:
>That new Options dialogue is extremely secure.

i hope you don't think that that's the only change between 1.0 and 1.5. cause that's the way you come across. mozilla has made many more improvements. a lot of them security related. i'm not sure on the specifics, but i'm sure someone who knows more than me can fill you in on the details.

pb wrote:
>I think approaches like linking the location bar to a database of nefarious sites... is just crazy talk.

finally we agree on something.

pb wrote:
>a new Mac-style Options dialogue and better Mac support are much more important 'security' innovations.

i've never heard anyone other than you call that a security enhancement. is mozilla now restricted to only security enhancements? i would like to do security and non-security enhancements. and guess what, they have.

Posted by: Grayson Mixon | November 23, 2005 4:12 PM

When I visit http://isc.sans.org/ with Firefox 1.5RC3, it says "You are considered not vulnerable" under the statistics, but when I visit with IE7, it only shows the statistics. Is that just because they haven't determined whether IE7 is vulnerable?

Posted by: Jesse Ruderman | November 23, 2005 4:12 PM

try refreshing. sometimes you have to refresh before it comes up.

Posted by: Grayson Mixon | November 23, 2005 4:13 PM

Does pb stand for punk [female dog]? Because you're sure acting that way.

Posted by: anonymous | November 23, 2005 4:15 PM

Grayson, it's possible that pd's entire last paragraph was sarcastic (as was his second-to-last paragraph). It's hard for me to tell because while it is written sarcastically, I agree more with what he says than what he means.

Posted by: Jesse Ruderman | November 23, 2005 4:16 PM

Anonymous, he posted as "pd", not "pb", making your name-calling even more off-topic than it would be otherwise.

Posted by: Jesse Ruderman | November 23, 2005 4:17 PM

Grayson, yep, refreshing worked. Now http://isc.sans.org/ shows IE7 as vulnerable.

Posted by: Jesse Ruderman | November 23, 2005 4:18 PM

> I'm also very impressed by your approach to security. Simply encourage people to change browsers! That's very holistic and sensible. I mean anti-virus, firewalls, none of that comes into it really, they're irrelevant!

So instead of using non-vulnerable software to begin with, you continue to use software with a serious known exploit and rely on $x amount of commercial closed software programs (each with their own problems) to clean up the mess after the fact? Sorry, but I don't see any logic or rational thought behind this statement, even with the unnecessary sarcasm taken out. You sound like a very bitter and spiteful person.

Posted by: ant | November 23, 2005 4:41 PM

pd is just trolling, guys. let it go :-)

(Actually what bothers me about MSIE more than security is its totally crummy CSS support. As a designer, I can't do half the stuff in IE that I can in Firefox/Safari/AnythingElse.)

Posted by: Alan H | November 23, 2005 5:11 PM

Oh yeah, my school also forces us to use IE (I think a few computers still have IE5!). And they complain about spyware when people play online games. Hmm.

Posted by: Alan H | November 23, 2005 5:12 PM

Alan: Agreed, that's my biggest complaint about IE, too (when I'm wearing my web developer hat, anyway). IE7 should help quite a bit -- here's a list of CSS bugs they expect to fix and features they expect to add for beta 2. Of course you still have to wait for people to upgrade, and it'll only be available for Windows XP and later*, so you also have to wait for people on Win98/Me and Win2k to either upgrade their OS, buy a new computer, or switch to Firefox/Opera.

And there are still things like generated content that aren't even on the schedule for version 7. So the "everyone but IE can do it!" collection of web techniques isn't going to disappear anytime soon.

Posted by: Kelson | November 23, 2005 5:24 PM

The bug in IE works fine here:
http://www.computerterrorism.com/research/ie/poc.htm
But if you open the page with FF, no calc.exe is started, but the browser hangs too (FF1.5RC3).

Posted by: Daniel | November 23, 2005 10:32 PM

The mentioned IE bug isn't at all exploitable on the majority of systems, and it "only" crashes IE.

That being said, it also crashes Firefox (all versions) on the majority of systems.

Posted by: no_can_do | November 23, 2005 11:45 PM

Daniel, the Firefox "hang" is https://bugzilla.mozilla.org/show_bug.cgi?id=317334

Phil

Posted by: Phil | November 24, 2005 12:08 AM

When I visit SANS I don't see any mention of vulnerability.

If you want me to allow JavaScript, you'll have to say so on your NON-JavaScript web page and give me a reason why to temporarily permit it.

NoScript indicates there's a Google Analytics and a SANS Java tool lurking there somewhere. But of course doesn't tell me what they'd do.

Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8) Gecko/20051125 Firefox/1.5

Posted by: Hank Roberts | November 25, 2005 12:31 PM
