Mozilla Security

[Britannica]

A few weeks ago I finally got round to using Mozilla (v1.6) browser
and email instead of IE/OE, but am left wondering if I am now immune
to all of the exploits inherent in MS software.

The latest SCOB trojan is an example. It seems this is a server side
exploit using java to infect user systems. Does Mozilla use java and
is Mozilla just as vunerable as IE to this kind of trojan ?

I can't see any settings for java or active-x in the Navigator
Security preferences dialogs.

TIA

 

[null]

A few weeks ago I finally got round to using Mozilla (v1.6) browser
and email instead of IE/OE, but am left wondering if I am now immune
to all of the exploits inherent in MS software.

BTW, it's at version 1.7 now. You should still keep both your OS and
IE patched (since IE is embedded in the OS). Set security to high in
all zones of IE and only use it for Windows updating and downloading
patches. Then reset security to high in all zones again.

The latest SCOB trojan is an example. It seems this is a server side
exploit using java to infect user systems. Does Mozilla use java and
is Mozilla just as vunerable as IE to this kind of trojan ?

No. Moz is not vulnerable. You have the option of installing Java. If
you don't need it for anything (such as online banking), don't install
it.

I can't see any settings for java or active-x in the Navigator
Security preferences dialogs.

Don't install the activex plug-in either. That's just asking for
trouble.


Art
http://www.epix.net/~artnpeg

 

[Christopher Jahn]

BTW, it's at version 1.7 now. You should still keep both
your OS and IE patched (since IE is embedded in the OS).
Set security to high in all zones of IE and only use it for
Windows updating and downloading patches. Then reset
security to high in all zones again.


No. Moz is not vulnerable. You have the option of
installing Java. If you don't need it for anything (such as
online banking), don't install it.

And BTW, Java is not a security risk - javascript is. And
there is a setting in Preferences to control it.

Don't install the activex plug-in either. That's just
asking for trouble.

But not a lot of it: the plug-in only runs Media Player.

--
Christopher Jahn
:-(

http://home.comcast.net/~xjahn/Main.html

After a number of decimal places, nobody gives a damn.

 

[Britannica]

BTW, it's at version 1.7 now. You should still keep both your OS and
IE patched (since IE is embedded in the OS). Set security to high in
all zones of IE and only use it for Windows updating and downloading
patches. Then reset security to high in all zones again.


No. Moz is not vulnerable. You have the option of installing Java. If
you don't need it for anything (such as online banking), don't install
it.


Don't install the activex plug-in either. That's just asking for
trouble.

Thank you. My Internet Banking works fine without any of the Active-x
and Java stuff...and since using Moz I haven't encountered any
websites that don't behave.

Unless there is any really critical reason to go with ver 1.7 I'll
stay with 1.6 to get familiar with it.

 

[Michael Forsythe]

Thank you. My Internet Banking works fine without any of the Active-x
and Java stuff...and since using Moz I haven't encountered any
websites that don't behave.

Unless there is any really critical reason to go with ver 1.7 I'll
stay with 1.6 to get familiar with it.

1.7 is a little faster and has quite a few other improvements, but when
you're ready it'll be there waiting.

I would recommend the following security precautions:

Mail & Newsgroup account settings (do for each account)

Mail & News Acct. Settings > Composition & Addressing: uncheck Compose
Messages in HTML Format

Edit > Preferences > Privacy and Security > Images > check, Do not load
remote images in Mail & Newsgroup Messages

Edit > Preferences > Advanced > Scripts & Plugins > uncheck Enable
Javascript for Mail & Newsgroups

View > Message Body > As plain text

disable: View > Display attachments inline

 

[Aaron]

No. What actually happens is that IIS web servers all around the world
are being infected by some unknown exploit.

Infected servers, will be modified such that they use a unpatched
Internet explorer javascript exploit to infect visitors to such websites,
so if you are running IE with JS (active scripting) on ,you will be
infected.

For the typical user not running a webserver, the exploit that affects
IIS server is irrelevant.



Does
If it did use java, yes. And even then Mozilla only uses SUN java , and
that is nowdays way safer than MS JAVA (which some people are still using
with IE, depending on operating system and service pack).

And BTW, Java is not a security risk - javascript is. And
there is a setting in Preferences to control it.

Agreed, but javascript is also used heavily on many sites, from opening
links to creating user initated popups with information (not onload
popups!), it's kind of impossible to disable it closely.

Firefox/mozilla is nice because they allow you to control a little what
type of effects are allowed with JS. Eg you can disallow javascript
tricks that hide/change your statusbar (for phishing), or scripts that
disable your right click menu ...

Aaron (my email is not munged!)

 

[Britannica]

1.7 is a little faster and has quite a few other improvements, but when
you're ready it'll be there waiting.

I would recommend the following security precautions:

Mail & Newsgroup account settings (do for each account)

Mail & News Acct. Settings > Composition & Addressing: uncheck Compose
Messages in HTML Format

Edit > Preferences > Privacy and Security > Images > check, Do not load
remote images in Mail & Newsgroup Messages

Edit > Preferences > Advanced > Scripts & Plugins > uncheck Enable
Javascript for Mail & Newsgroups

View > Message Body > As plain text

disable: View > Display attachments inline

Very helpful....thanks. All now set as suggested.

There are a couple of things with Mozilla I can't get to work...

Using a different folder location to the default Windows\Application
Data\ for News and Mail Folders and Navigator Cache.

In IE I could view pages from the History listing off-line but Mozilla
won't let me do this...although I expect there is some setting that
will, - I just can't find it.

Is there a message board somewhere for Mozilla newbies to ply their
ignorance ??

 

[John Corliss]

Very helpful....thanks. All now set as suggested.

There are a couple of things with Mozilla I can't get to work...

Using a different folder location to the default Windows\Application
Data\ for News and Mail Folders and Navigator Cache.

In IE I could view pages from the History listing off-line but Mozilla
won't let me do this...although I expect there is some setting that
will, - I just can't find it.

Is there a message board somewhere for Mozilla newbies to ply their
ignorance ??

Well, don't know about message boards but here's some newsgroups you
might like:

news:comp.infosystems.www.browsers.ms-windows (if you're using Windows)

 

[fitwell]

[snip]

No. Moz is not vulnerable. You have the option of
installing Java. If you don't need it for anything (such as
online banking), don't install it.

And BTW, Java is not a security risk - javascript is. And
there is a setting in Preferences to control it.

I do online banking which is why I switched over to Firefox. But I'm
not sure re all the security controls.

Which Preference do you mean, Firefox's Preferences? If that's the
case, what do we need to look for, pls?

How do I know if I have it or not in either Firefox or IE, pls?

 

[fitwell]

[snip]

The latest SCOB trojan is an example. It seems this is a
server side exploit using java to infect user systems. Does
Mozilla use java and is Mozilla just as vunerable as IE to
this kind of trojan ?

No. Moz is not vulnerable. You have the option of
installing Java. If you don't need it for anything (such as
online banking), don't install it.

And BTW, Java is not a security risk - javascript is. And
there is a setting in Preferences to control it.

I do online banking which is why I switched over to Firefox. But I'm
not sure re all the security controls.

Which Preference do you mean, Firefox's Preferences? If that's the
case, what do we need to look for, pls?

[snip]

I just found this in Firefox - hopefully it does the job for one
aspect at least, that of disabling Javascript:

Tools > Options > Web Features > Enable JavaScript unticked.

 

[Aaron]

Very helpful....thanks. All now set as suggested.

There are a couple of things with Mozilla I can't get to work...

Using a different folder location to the default Windows\Application
Data\ for News and Mail Folders and Navigator Cache.

In IE I could view pages from the History listing off-line but Mozilla
won't let me do this...although I expect there is some setting that
will, - I just can't find it.

Is there a message board somewhere for Mozilla newbies to ply their
ignorance ??

http://forums.mozillazine.org/ - though it might or might not be working
currently, due to the rush of visitors after the release of firefox 0.9.1


Aaron (my email is not munged!)

 

[John]

A few weeks ago I finally got round to using Mozilla (v1.6) browser
and email instead of IE/OE, but am left wondering if I am now immune
to all of the exploits inherent in MS software.

The latest SCOB trojan is an example. It seems this is a server side
exploit using java to infect user systems. Does Mozilla use java and
is Mozilla just as vunerable as IE to this kind of trojan ?

I can't see any settings for java or active-x in the Navigator
Security preferences dialogs.

TIA

Use SpyBot for further protection .
http://beam.to/spybotsd
http://www.spybot.us/spybotsd13.exe
http://majorgeeks.com/download2471.html
Editor's Note: The Resident shield in version 1.3 has an issue
allowing certain cookies (Specifically Double Click)when set to
notify. If page loading becomes a problem, right click the icon in the
Systray, select "Resident IE" and either uncheck "Use Resident in IE
sessions" or check "Block all bad pages silently".
Once you have the program installed , open SpyBot and select the
"Immunize" icon on the left & Click on Immunize , in the new page .
Permanently running bad download blocker for Internet Explorer .
Select > Block all bad pages silently & click Install .
Then check the box "lock hosts file read-only as protection against
hijackers".
Select your download site .
Open Spybot Search and Destroy. After clicking the button that says
"Search for Updates" & the check is finished , you will see 5 items
near the top of the window, "Search for Updates", "Download Updates",
UniDo(Europe), "Show Log" and "Help". Next to UniDo(Europe) you will
see a "down" arrow. Click the "down" arrow and you will see download
site choices (3 in Europe, 1 in USA and 1 in Australia). Right click
on your selection to make it default .
A Beginner's Guide to Spybot
http://www.trincoll.edu/depts/cc/documentation/security/spyware/Spybot_guide.htm

SpyBot lock host files greyed out
If it doesn't have a hosts file you cant lock it, so that tweak will
be grayed out.
Have SpyBot install its hosts file.
http://www.zerosrealm.com/immunizing.php
Note: For those running in "Basic" mode ( version 1.2 ) you will NOT
see this. You must be running in Advanced mode! To get in advanced
mode, a really easy way is to go to Start >> All Programs >> Spybot
Search and Destroy >> Spybot Search and Destroy (advanced). Click it.
You are now in advanced mode.
Select your download site .
Open Spybot Search and Destroy. After clicking the button that says
"Search for Updates" & the check is finished , you will see 5 items
near the top of the window, "Search for Updates", "Download Updates",
UniDo(Europe), "Show Log" and "Help". Next to UniDo(Europe) you will
see a "down" arrow. Click the "down" arrow and you will see download
site choices (3 in Europe, 1 in USA and 1 in Australia). Right click
on your selection to make it default .

 

[Derald]

n IE I could view pages from the History listing off-line but Mozilla
won't let me do this...although I expect there is some setting that
will, - I just can't find it.

If you mean the ability to view cached WWW pages while offline, it
works for me in Moz 1.7. Simply select "work offline" from the file menu
and select from the history, although, you may have to make adjustments
in Edit-->Preferences-->Advanced-->Cache in order to prevent Moz from
trying to log on to check for updated page. Note: History list and cache
lifespans are independant user prefs; the simple appearance of a URL in
the history list does _not_ mean that a local (cached) copy is
available.

Is there a message board somewhere for Mozilla newbies to ply their
ignorance ??

The "official" Mozilla end-user support groups are on Netscape's
secure server (go figure) but there is virtually no traffic there.
You will find at least two interesting attempts at end-user
documentation here: http://www.mozdev.org/projects/active.html
Specifically, look at numbers 95, and 146. Mozilla.org, mozdev.org, and
mozillazine.org are important sources of information for non-developer
end users but it will take some effort to ferret it out.

 

[Derald]

I can't see any settings for java or active-x in the Navigator
Security preferences dialogs.

Unmodified/extended Mozilla 1.7:
Java toggle: Edit-->Preferences-->Advanced;
Javascript actions: Edit-->Preferences-->Advanced-->Scripts&Plugins.

The preferences toolbar "prefsbar" extension puts those toggles in a
toolbar, if desired.

 

[Christopher Jahn]

And it came to pass that wrote:

On Tue, 29 Jun 2004 10:13:27 +0100, Britannica
[snip]

The latest SCOB trojan is an example. It seems this is a
server side exploit using java to infect user systems.
Does Mozilla use java and is Mozilla just as vunerable
as IE to this kind of trojan ?

No. Moz is not vulnerable. You have the option of
installing Java. If you don't need it for anything (such
as online banking), don't install it.

And BTW, Java is not a security risk - javascript is. And
there is a setting in Preferences to control it.

I do online banking which is why I switched over to
Firefox. But I'm not sure re all the security controls.

Which Preference do you mean, Firefox's Preferences? If
that's the case, what do we need to look for, pls?

[snip]

I just found this in Firefox - hopefully it does the job
for one aspect at least, that of disabling Javascript:

Tools > Options > Web Features > Enable JavaScript
unticked.

That'll do it, but be aware that many sites - particulary
banking sites - rely on javascript.

The advanced button gives you some more options.

But by and large, javascript can't make Mozilla do anything
terrible, AFAIK. Most exploits rely on IE and its integration
with the OS.

--
Christopher Jahn
:-(

http://home.comcast.net/~xjahn/Main.html

My life and my homework are finite

 

[Christopher Jahn]

The "official" Mozilla end-user support groups are on
Netscape's
secure server (go figure) but there is virtually no traffic
there.

That probably should say "no traffic jams". They are
reasonable active groups. The Unofficial mozilla FAQ is also
useful:
http://ufaq.org

--
Christopher Jahn
:-(

http://home.comcast.net/~xjahn/Main.html

Tongue-tied and twisted, just an earthbound misfit, I.

 

[Christopher Jahn]

Agreed, but javascript is also used heavily on many sites,
from opening links to creating user initated popups with
information (not onload popups!), it's kind of impossible
to disable it closely.

Firefox/mozilla is nice because they allow you to control a
little what type of effects are allowed with JS.

Um, which is exactly what I'm talking about.

--
Christopher Jahn
:-(

http://home.comcast.net/~xjahn/Main.html

My life and my homework are finite

 

[John]

A few weeks ago I finally got round to using Mozilla (v1.6) browser
and email instead of IE/OE, but am left wondering if I am now immune
to all of the exploits inherent in MS software.

The latest SCOB trojan is an example. It seems this is a server side
exploit using java to infect user systems. Does Mozilla use java and
is Mozilla just as vunerable as IE to this kind of trojan ?

I can't see any settings for java or active-x in the Navigator
Security preferences dialogs.

TIA

Also these .

SpywareBlaster
http://www.wilderssecurity.net/spywareblaster.html
SpywareBlaster doesn't scan and clean for spyware - it prevents it
from ever being installed.
Freeware

SpywareGuard
http://www.javacoolsoftware.com/spywareguard.html
SpywareGuard provides a real-time protection solution against spyware
that is a great addition to SpywareBlaster's protection method. An
anti-virus program scans files before you open them and prevents
execution if a virus is detected - SpywareGuard does the same thing,
but for spyware! And you can easily have an anti-virus program running
alongside SpywareGuard.

 

[null]

Also these .

SpywareBlaster
http://www.wilderssecurity.net/spywareblaster.html
SpywareBlaster doesn't scan and clean for spyware - it prevents it
from ever being installed.
Freeware

SpywareGuard
http://www.javacoolsoftware.com/spywareguard.html
SpywareGuard provides a real-time protection solution against spyware
that is a great addition to SpywareBlaster's protection method. An
anti-virus program scans files before you open them and prevents
execution if a virus is detected - SpywareGuard does the same thing,
but for spyware! And you can easily have an anti-virus program running
alongside SpywareGuard.

I've never found a need for apps like that using Mozilla. It's nice to
have Adware and Spybot around to check once in awhile, but they never
find anything on my PC.


Art
http://www.epix.net/~artnpeg

 

[fitwell]

[snip]

I just found this in Firefox - hopefully it does the job
for one aspect at least, that of disabling Javascript:

Tools > Options > Web Features > Enable JavaScript
unticked.

That'll do it, but be aware that many sites - particulary
banking sites - rely on javascript.

The advanced button gives you some more options.

But by and large, javascript can't make Mozilla do anything
terrible, AFAIK. Most exploits rely on IE and its integration
with the OS.

Hallelujah and I hope that's the way it is. I unticked JavaScript
only to have to keep ticking it as many things don't work! <g>

So last major thing is to get security up to tight in IE, apparently.
I'll be tackling that next in my Firefox.

Thanks.