View Full Version : Mozilla browser flaws
PrntRhd
07-31-2004, 11:45 AM
There is a problem with certificates for the Mozilla/Firefox browser that could cause a false icon to be displayed when entering secure sites. Mozilla will be fixing/upgrading in about a week. Here is the article I found this in:
zdnet (http://zdnet.com.com/2100-1105_2-5286138.html)
They say this flaw goes all the way back to Netscape 4.0!
Mark Miller
07-31-2004, 12:11 PM
I knew that eventually this was going to happen.
I use both ie and firefox and like both a lot.
I am not so concerned for myself but the one good point is that the mozilla people seem to fix things faster than MS does.
Just another example that everything can and will be a target on the net.
Sighhhh....
Mark
PrntRhd
07-31-2004, 04:33 PM
Yes, and do not use Windows Update 0.5 in Extensions before reading the comments; it seems to be spyware hoping newbies bite.
:eek:
Mark Miller
07-31-2004, 06:19 PM
I'm not sure what you mean?
I have the 5 version from the MS site [actually I got it as part of a critical update]. I know that everyone did not get it this way and lots of people still have version 4, but is my version bad?
I did not get it thru extensions from Mozilla
Mark
PrntRhd
07-31-2004, 06:31 PM
Someone is using confusing labels to foist malware on the Extensions site.
You might get confused and get something you don't want. The v5.0 Windows Update from MS is fine.
Mark Miller
07-31-2004, 06:35 PM
Thanks,
By the way, it works well. Little side panel on the right helps noobies set up auto update.
thanks again,
Mark:)
malcore
07-31-2004, 06:40 PM
The Windows Update 0.5 extension is not malware or spyware. It's a small 2 KB file which adds a button for going to the Windows Update site via opening an IE window (similar to IE View).
There is NO spyware. It's only a 2 KB file. The .jar can be inspected and there is absolutely no malicious code within. :rolleyes:
PrntRhd
07-31-2004, 06:42 PM
There were reports of a 180 software application on Windows, unless trolls are posting on the Mozilla site.
:confused:
malcore
07-31-2004, 06:50 PM
If you are speaking of the comments about the extension on the extensions page, there are only two people who say it is spyware. Only one reports 180 search assistants. Utter garbage. Like I said, it's a very small 2 KB file, completely harmless. ;) It simply adds an entry under Tools for Windows Update.
PrntRhd
07-31-2004, 07:06 PM
Thanks Malcore,
I read those two posts and forgot this site's good advice from friends vs those trolls.
:D
Mark Miller
07-31-2004, 07:14 PM
Nice point Malcore,
Can always count on you with Mozilla
Mark
By the way I am using it more than ie now:D :D
PrntRhd
07-31-2004, 07:16 PM
I am using it 95% of the time too, it works great!
Keeping the malware off the PC is pretty cool too.
:)
Mark Miller
07-31-2004, 07:23 PM
I just downloaded the little extension. Saves about 2 steps to get updates for Windows.
Since I use Firefox so much now it will come in handy.
I read all the comments and yes it did seem to be put there by trolls [the negative comments]
Mark
Just a note: my favorite extension is still SpellBound, a very good spell checker and in my opinion better than ieSpell.
malcore
07-31-2004, 07:25 PM
It's funny how when the words "malware" and "spyware" are thrown about in relation to any piece of software, it really pricks one's ears up nowadays. You almost want to believe it's true, the satisfaction of finding out another purveyor of this ####! :D
Just as there are so many malware makers out there, there are just as many fearmongers and bs artists. Can't believe it all. Research and find the truth, as with anything we read on the web. (except here of course) ;)
Glad you're still going full steam Mark, and you didn't get bored. :)
Paleo Pete
08-01-2004, 01:26 AM
Just another example that everything can and will be a target on the net.
An excellent point we'd all better not forget. I've been checking out Linux as an alternative OS for almost 2 years and use it almost exclusively now, but I do try to always keep in mind that if Linux ever does become a true mainstream OS the virus/malware writers will start to target it more heavily, same as they currently do M$ software. I have to admit M$ has been so heavy handed with their methods and so lax with security the past few years it's not exactly undeserved...
Another comment was that the Mozilla people tend to scramble to get fixes ready a lot quicker. I noticed that too, not long after Firefox started getting a lot of attention around here. v0.9.1 was released and a flaw was discovered a few weeks later. Within a week (2 or 3 days I think) a new version of Firefox was available for download. About the only time I've seen M$ do that is instances like the MS Blaster worm, where huge numbers of computers, and especially high dollar corporate customers, are seriously impacted. Most other times it will be a month or more.
I'm just surprised this has been around for so long without being spotted...Netscape 4???
Other related notes:
I also noticed This Article (http://zdnet.com.com/2100-1104_2-5253504.html) after reading the one posted above, it looks like some innovations might be on the way from the producers of alternate browsers to devise a way to do the kind of things ActiveX does by other methods, and keep it more secure at the same time. Might be worth watching, and is certainly a good idea...
In Still another article (http://zdnet.com.com/2100-1105_2-5250697.html) both from the same site, a couple of comments I think are well worth considering. The US Computer Emergency Readiness Team [CERT] has been recommending switching to alternate browsers, among other things, in response to recent IE browser flaws.
Quoted from the article,
CERT also noted that people who opt for non-IE browsers but who continue to run the Windows operating system are still at risk because of the degree to which the OS itself relies on IE functionality.
Example - you don't have to open a browser to be infected by the Sasser worm, just be connected to the Internet. It searches random IP addresses to find computers "open for business" on certain ports, connects and does its job without a browser being necessary, unless my understanding of the way it works is badly mistaken.
A mozilla representative also stated:
"...encouraged Web developers to stop writing Web sites that rely on ActiveX. Game and photo-uploading sites are among the worst offenders,...
ActiveX is one of the biggest areas where these exploits have occurred, and from these recent exploits, you can see that exposing users and making that technology available has some real danger. Sites need to rethink what they're doing to protect users." {end quote}
That is one of the best suggestions I've seen yet, I've been wishing websites would simply STOP USING ActiveX for a long time, and to a lesser degree java. It can't do any damage if it's not used, same as a shotgun. Hanging on a wall or stored on a gunrack, a gun is harmless. It's only in the hands of an idiot that a gun becomes dangerous. It's only when implemented by websites that ActiveX and java can allow malicious users the opportunity to cause trouble.
OK I'll get off my soapbox... :rolleyes:
Mark Miller
08-01-2004, 12:17 PM
Pete,
Good post, but I have a few questions.
I have been around awhile but I am not quite sure what java and active x controls really do?
I guess I will google and see if I can learn something:) Also if these are not used what is the alternative and does that stop the movement forward of the net?
What I mean is things like internet banking and most interactive things people can do on the net?
another silly example would be pogo games. There are 4 or 5 million people who play these games everyday.
Just curious.
Mark
Paleo Pete
08-02-2004, 02:01 AM
Well, I can't give you a definitive answer because to be honest, I don't really understand java and ActiveX myself. I just know that they have both been utilized for various functions in webpages for a good while, and are both useful, but both have also been used for malicious purposes far too often and present a tremendous security risk for the average user.
By using ActiveX and java/javascript, most of over 65,000 viruses have plagued home users for the past 6 or 7 years since IE 4 was released. Before that you had to either load a floppy or be deceived into opening a downloaded file off the Internet. Now it's done automatically...not good...Take a look in the Applications and Security section of the forums, you'll see just what a big problem it's becoming. Browse through a few Hijack This logs and Google around for a few of the filenames that don't look right...random characters for filenames, misspelled clones of legitimate filenames, most anything over 8 characters (*) ...you'll find tons of links to other forums similar to this one also being overloaded with malware problems to figure out.
* As a result of the DOS 8 character limit, Microsoft never uses more than 8 characters for their filenames, which can tip you off to a number of malicious files. Many other software vendors do the same, because if something happens and Windows suddenly decides to truncate long filenames, their programs probably wouldn't work. A DOS directory listing of C drive shows folder names like PROGRA~1, that's a truncated filename. If that were a program executable, it would not work any more. For folder names it's not much of a problem except in the case of Microsoft products, with folders all starting with the word Microsoft. Then you get MICROS~1, MICROS~2...so which folder is Word??? Excel? Front Page???
Back to the point though...
Things have gotten to the point that Java and ActiveX are so frequently being used for malicious purposes, even though it might diminish functionality of some webpages, the website designers need to stop using those protocols. (Am I right in calling them protocols? I'm not actually too sure...functions?)
Overall, not using them would not have a monumental impact on the Internet. I've kept java and ActiveX severely restricted for the past 3 years, turning Java on only when absolutely necessary. A few things didn't work, like the US Robotics site when I need to download drivers. Look around though, and they have a text link you can use, but it's not easy to find. I haven't tried it but things like Yahoo games probably wouldn't work, but if you're absolutely sure a site is safe, Java can be enabled temporarily to use that site. It's a hassle, but lots safer.
Other things I'm not too sure about...eBay? Banking? Pogo games? I never used those so I don't have an answer. I do know that I've been running this Windows machine on the Internet for over 2 years on this OS install, and Adaware still finds ZERO. Do I miss Yahoo games? Not really, the forums take up so much of my time I don't get to do much else anyway, so I rarely even think about it any more.
Other things...If you look at the bottom of this page, you'll see a drop-down box with the forum categories, click one and either Java or ActiveX clicks the "Go" button for you. I have to click it manually. (OK, maybe not any more, I'm using Firefox right now, and I'm not sure if that works or not, I haven't tried it yet. But I will...)
Some few websites also show up as a blank white window, but very few. In 2 years on this OS, maybe a dozen webpages have done that. And I usually check every link posted on the forums, plus Google searches for information I need on computers, guitar amps/tubes, archaeology, music in general, medical research related to a family member, astronomy, and a number of other topics. A dozen or so sites in all - that really isn't bad...
The alternative is constantly trying to clean up after Cool Web Search, Gator, Xupiter, Brilliant Digital, countless "toolbars", Time Sink, Alexa, Favoriteman, Win Tools, Save Now, WhenU, Lop, Hot Bar, NewDotNet, eZula...get the picture?
Yes, not using Java and ActiveX diminishes the functionality of the Internet in some cases, but just looking at the [very short] list above, I think it's a good trade off so far, but I don't use some of the things a lot of other people do. My niece tried Firefox and said eBay didn't work right. I can't confirm that, it's the only feedback on eBay I've gotten so far.
Overall, I don't miss either, or the crud they allow onto my machine, but there's still hope, the people producing alternate browsers may jump in with both feet and find alternatives to both that will do the same things, in a much more secure manner.
By the way, I turned Java and ActiveX off because I was hit by one of the first browser hijackers to come along. Took me 2 weeks to find out what it was and how to deal with it, nobody knew much about them at that time. All I knew was I suddenly had a porn site I'd never heard of for my start page, several links to other porn sites in Favorites, and it came right back when I changed it then rebooted...I turned Java and ActiveX off because I got tired of having to run scanreg to replace my registry every few days when some site or other would drop another one on my machine. Tried Opera for that reason in fact, didn't like it.
Anyway, I'd like to see some feedback on this issue, how many others think web designers need to get away from using these two troublesome "enhancements" on their websites? Who else has seriously restricted them for a while and checked out just how much of the Internet won't work right any more? Especially things like eBay, banking, Yahoo or Pogo games...What are your observations?
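The PROGRA~1 / MICROS~1 / MICROS~2 ambiguity described in the post above can be resolved directly, because the file system still knows which long name each generated 8.3 short name belongs to. The following is an added example (editor's code, not from the thread) that maps every sub-folder of a directory to its short name using the Scripting.FileSystemObject COM object's ShortName and ShortPath properties. It assumes 8.3 name generation is enabled on the volume (the NTFS default on system drives); where it is disabled, FSO returns the long name unchanged and the script reports "(none)". Note that filename length by itself is not a malware indicator: current Windows releases ship many system executables with names longer than 8 characters.

```powershell
# Added example (editor's, not from the thread): map each sub-folder of a
# directory to the 8.3 short name that DOS-era listings and HijackThis logs
# show for it, so that MICROS~1 / MICROS~2 can be told apart.
# Assumption: 8.3 name generation is enabled on the volume; otherwise the
# ShortName property returns the long name and the row shows "(none)".

function Get-ShortNameMap {
    param(
        [Parameter(Mandatory)][string]$Path
    )

    $fso    = New-Object -ComObject Scripting.FileSystemObject
    $folder = $fso.GetFolder($Path)

    $rows = foreach ($sub in $folder.SubFolders) {
        [pscustomobject]@{
            LongName  = $sub.Name
            ShortName = if ($sub.ShortName -eq $sub.Name) { '(none)' } else { $sub.ShortName }
            ShortPath = $sub.ShortPath   # full path in 8.3 form, e.g. C:\PROGRA~1\MICROS~2
        }
    }

    # Sort by short name so siblings that collide on a prefix appear together.
    $rows | Sort-Object ShortName
}

# Usage: which of the MICROS~n folders under Program Files is which?
Get-ShortNameMap -Path $env:ProgramFiles |
    Where-Object ShortName -like 'MICROS~*' |
    Format-Table -AutoSize
```

The same mapping works in reverse: `(New-Object -ComObject Scripting.FileSystemObject).GetFolder('C:\PROGRA~1\MICROS~2').Path` returns the long path, which is useful when a log only records the short form.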
Paul Komski
08-02-2004, 06:11 AM
Java is a versatile programming language that can be used embedded in chips in all sorts of appliances, as software applications installed on a computer or as an applet that runs within a browser to give a web-page certain enhancements. Java has to be compiled into machine code before it can be used. It is only applets that concern us here. Java applets were all originally "sandboxed". That is to say their permissions were restricted and they could not read or write the HDD. IE and Netscape developed different ways of relaxing such permissions (see http://www.microsoft.com/java/security/ for further details) but essentially this involves two areas: firstly, whether the code was modifiable or not by others and secondly, that users had to explicitly agree to installing or running such "plug-ins". Unless you click on OK for the run or install option that will be presented, at least once, to you - then Java applets are "safe" as long as they come from a safe source.
Javascript, VBscript, Jscript and so on are nothing to do with Java - They are all grouped together as scripting languages. They work client side (on your computer and not on the server's computer) and so can run from static html pages. Scripts can augment what an otherwise static page does but they are generally safe and don't read or write your HDD (though they can appear to access it by allowing you to view your own HDD in My Computer or to open your email application with an address already inserted into it). They can present the user with dialog boxes or pop-up pages with information that can be useful or as annoying advertisements. They can create effects such as roll-over images and cascading menu bars and buttons. They can augment navigation, such as go back a page, etc, etc. They achieve much of their function by utilising DOM objects. These are just common language elements within webpages to give conformity to what happens when you use your mouse such as mouse-over and on-click events and methods regarding the browser's windows and their appearance, the most pervasive of which have become the various pop-up menus. Blocking pop-ups just prevents a sub-set of scripts from running and allows the rest of them - most of which embellish webpages - to persist.
ActiveX have become the real villains and are uniquely Microsoft. As with Java they are installed as plug-ins but there the similarity ends. ActiveX controls can certainly augment web pages and web design and are relatively simple to program and use by developers. They are, however they are dressed-up, executables. Historically they developed from OLE (object linking and embedding) and from "COM objects", which may, programmatically, just be a "collection of methods and objects" but these have such a wide range that they can do just about anything when let loose on your computer. Also, unless you have specifically denied them in your IE options, they can be installed and run without explicit permission. Forget about whether they are signed or not - they are executables (programs that can DO THINGS TO YOUR COMPUTER) that can be installed and run from any webpage that is simply browsed with IE. They are the main way that so much spyware, trojans and hijackings are being installed. They very seldom augment what you see on your web-pages, as can easily be manifested by using Opera or Firefox, which mostly render things just fine. Macromedia use them to install their Flash objects and Microsoft use them for their Windows Updates.
This is a good subject to elaborate on particularly since there is much misinformation about it here and there. I believe everything I have said is correct but am open to correction or elaboration. It needs to also be stated that IE has other security flaws than just ActiveX and which are utilised by unscrupulous websites, individuals and miscellaneous hackers and crackers.
Personally speaking I don't mind having both Java and scripting enabled in IE and in the Mozilla and Opera group (but I do block the pop-up scripting subsets separately) - but I do surf pretty safely and don't click on things "willy-nilly". I do block everything ActiveX related in IE (including the My Computer Zone, which isn't shown there by default), use IE sparingly and add microsoft and macromedia to the trusted sites zone so that I can use their ActiveX controls as necessary. Mozilla and Opera don't use ActiveX though there is a special plug-in you can get for Netscape to enable it - though for heaven's sake why I just don't know.
To my knowledge the PCGuide forums have never used ActiveX or Java but do use Javascript (client side) and php (server side). I'm happy enough to have the guide in my trusted sites zone - regardless.
malcore
08-02-2004, 06:30 AM
Interesting Paul.
I do block everything ActiveX related in IE (including the My Computer Zone, which isn't shown there by default)
Does this mean in the My Computer Zone you have everything ActiveX disabled? Does not Windows itself use ActiveX, for instance in the extended services console in XP? I previously attempted to disable or set to prompt all ActiveX in the My Computer zone, but found some functionality of Windows (in particular the Services console, unless set to standard, or constant script errors and notifications if reading Help files) was limited. I had set mine to disable all unsigned ActiveX (running or downloading), enable signed ActiveX and prompt for download of signed ActiveX in the My Computer zone (although I now use SP2).
By the way, this is all disabled in SP2, scripting permissions in the local zone have tightened up considerably, possibly causing some headaches for programmers.
PrntRhd
08-02-2004, 10:31 AM
Wow Paul! Good thread,
I have applications at work that require Java to be enabled in order to make scanning buttons appear on large MFPs from the customer's client computers. This is an issue whenever Java is missing from imaged Windows clients in a workplace setting and I ALWAYS seek permission from the customer's IT Manager before installing Java plug-ins, usually recommending Sun's latest versions vs the JVM included on the application software disks.
Pete,
Firefox has Java enabled by default in Tools>Options>Web features.
I have had Byte/Verify trojans (always a pair) show up three times on the personal home PC since I switched from JVM to J2RE but they get reported by the AV program and removed before the malware has been loaded. Of course I also run other protection measures.:)
Paul Komski
08-02-2004, 05:11 PM
Does this mean in the My Computer Zone you have everything ActiveX disabled? Does not Windows itself use ActiveX, for instance in the extended services console in XP?
Yes to the first part - I disable/set-to-prompt everything ActiveX related. The second part of your question I would restructure. It isn't whether Windows uses ActiveX, it's whether certain applications running inside Windows use ActiveX. ActiveX controls can be used by Visual C++ and VBasic programmers inside their exe files, and the VBA inside MS Word, MS Excel, MS Access can all install and utilise ActiveX controls.
So my interpretation is that it doesn't matter if such programs/macros use ActiveX controls within Windows - they will not be blocked from running them by changing the IE security settings; they are not using IE after all. However if a local file is viewed in/opened with IE then it is in the My Computer Zone and IE is being used so its inherent security is called into play - (this can be relevant to HTA and CHM help files which both actually use IE or an IE clone to view their HTML content but which are normally exempt from any My Computer Zone security). I just don't know about the extended services console in XP but if this uses HTML within IE from a local file then I guess that IE's security could well come into effect.
Mark Miller
08-02-2004, 05:32 PM
Good stuff guys, I gotta say that yes I have had a few Trojans in my day but not much else.
I keep my security settings pretty much at medium but I am loaded with the ad-awares,spybot,etc.
Due to Malcore and PrntRhd I have switched for the most part to Firefox with the Java plugin and things have been running great.
If I am going to enjoy the net there are certain risks that I am willing to take but I do try and keep to known sites.
I don't think the problem is with people such as ourselves but with the vast majority who don't know and in most cases don't care.
If the net becomes a chore they will just stop using it.
But as you can see from our hijack posts more and more people are becoming aware and at least trying to maintain a small amount of security.
I just believe that my computer is a tool that I will use to get enjoyment and certain basic things done with. If it gets to the point where there is no way of doing this without turning off things that I enjoy, then my friends it's time to move on.
The worm always turns and the bad guys will get it in the end :D
Mark
malcore
08-02-2004, 05:53 PM
I hear what you're saying Paul. Just wanted to point out that if anyone decides to enable the "5th Security Zone", My Computer, and disables ActiveX completely for this zone, they will have problems viewing the help files for Windows in general. The Services Console (services.msc) can be viewed in two ways: extended (default) and standard. The extended does use IE or some "web content", for if you click on a service you will have information describing each service to the left, with options to Start, Stop or Restart the service.
This extended panel is gone when ActiveX is disabled for the My Computer zone and attempting to read any help files for XP is quite troublesome, constantly cautioned about IE script errors, told you have ActiveX disabled and the page won't display properly or asked if you wish to continue running scripts (this with Disable script debugging checked and Display a notification about every script error unchecked).
Mark, I hear you also, but it's an interesting topic nonetheless. ;)
Paul Komski
08-02-2004, 06:49 PM
I understand Malcore. Probably there's no longer any need to block ActiveX in the MyComputer Zone as long as one is up-to-date with all MS Security and Critical Updates. Until MS released the MS04-013 patch blocking ActiveX in the MyComputer Zone seemed the only good defence against the Zero Day Worm (http://www.pcguide.com/vb/showthread.php?s=&threadid=28843&perpage=20&highlight=mhtml&pagenumber=1). That is when I changed my security settings and I haven't ever changed them since that time.
The simple approach is to use "an alternative browser" and just use IE on the web when it has to be used and only for trusted sites.
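The zone settings that Paul and malcore discuss above (ActiveX disabled or set to prompt in the normally hidden My Computer zone, and microsoft.com / macromedia.com placed in Trusted sites) live in the per-user IE zone registry keys, so they can be audited and applied without clicking through Internet Options. The following is an added example (editor's code, not from the thread) that reports the ActiveX-related settings of all five zones and can tighten one zone. Zone numbers, action IDs and the 0 / 1 / 3 = Enable / Prompt / Disable encoding follow Microsoft's zone registry reference (KB 182569); the edit to the zone-0 Flags value that makes the My Computer zone visible in the IE dialog is the commonly documented method and is marked as an assumption in the code.

```powershell
# Added example (editor's, not from the thread): audit and optionally tighten
# the ActiveX-related settings of the five IE security zones, and add a host
# to the Trusted sites zone. Values are written under HKCU, i.e. for the
# current user only; an HKLM policy (Security_HKLM_only) can override them.

$ZoneRoot   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$DomainRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

$ZoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
$States    = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
$ActiveXActions = [ordered]@{
    '1001' = 'Download signed ActiveX controls'
    '1004' = 'Download unsigned ActiveX controls'
    '1200' = 'Run ActiveX controls and plug-ins'
    '1201' = 'Initialize and script ActiveX controls not marked as safe'
    '1400' = 'Active scripting'
}

function Get-IEZoneActiveXPolicy {
    # One row per (zone, action). 'not set' means the per-user key carries no
    # value for that action and the built-in default for the zone applies.
    foreach ($z in 0..4) {
        $props = Get-ItemProperty -Path "$ZoneRoot\$z" -ErrorAction SilentlyContinue
        foreach ($id in $ActiveXActions.Keys) {
            $raw = if ($props) { $props.$id } else { $null }
            $setting = if ($null -eq $raw) { 'not set' }
                       elseif ($States.ContainsKey([int]$raw)) { $States[[int]$raw] }
                       else { '0x{0:X}' -f [int]$raw }
            [pscustomobject]@{
                Zone    = $ZoneNames[$z]
                Id      = $id
                Action  = $ActiveXActions[$id]
                Setting = $setting
            }
        }
    }
}

function Set-IEZoneActiveXDisabled {
    # Set the four ActiveX actions (not Active scripting) to Disable in one zone.
    [CmdletBinding(SupportsShouldProcess)]
    param([ValidateRange(0, 4)][int]$Zone)

    $key = "$ZoneRoot\$Zone"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    foreach ($id in '1001', '1004', '1200', '1201') {
        if ($PSCmdlet.ShouldProcess("$($ZoneNames[$Zone]) / $($ActiveXActions[$id])", 'Set to Disable')) {
            Set-ItemProperty -Path $key -Name $id -Value 3 -Type DWord
        }
    }
}

function Show-IEMyComputerZone {
    # Assumption: bit 0x20 of the zone-0 Flags value hides the zone from the
    # Internet Options > Security tab (default 0x21); clearing it shows the zone.
    $flags = (Get-ItemProperty -Path "$ZoneRoot\0" -Name Flags).Flags
    Set-ItemProperty -Path "$ZoneRoot\0" -Name Flags -Value ($flags -band (-bnot 0x20)) -Type DWord
}

function Add-IETrustedSite {
    # Map a domain and its subdomains to zone 2 (Trusted sites) for every scheme.
    param([Parameter(Mandatory)][string]$Domain)

    $key = "$DomainRoot\$Domain"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name '*' -Value 2 -Type DWord
}

# Report first, then tighten. -WhatIf shows the writes without performing them.
Get-IEZoneActiveXPolicy | Format-Table -AutoSize
Set-IEZoneActiveXDisabled -Zone 0 -WhatIf
Add-IETrustedSite -Domain 'microsoft.com'
```

Run the audit before and after changing anything, and keep malcore's observation in mind: with ActiveX disabled in zone 0, services.msc loses its extended pane and CHM help files throw script errors, because both render local HTML through IE's engine and therefore fall under that zone. Paul's later point also stands: from XP SP2 onward the local zone is locked down by default, so this edit is mostly of interest on the older systems the thread is about, and for embedded WebBrowser controls and HTAs that still honour the zone settings.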
PrntRhd
08-02-2004, 08:20 PM
Mozilla just announced a critical bug reporting reward to get people looking for the flaws before it goes to Firefox 1.0.
announcement (http://www.mozilla.org/press/mozilla-2004-08-02.html)
HeadachesAbound
08-03-2004, 06:11 PM
As a web designer, I can safely say that those persons who disable javascript are over-reacting and those persons who use IE are under-reacting.
I ceased using IE several years back and only use it when forced to use a site that won't work with anything but IE. As a web designer, I can't help but be critical of any site that was 'Designed for IE' and doesn't work the 'other' browsers.
Java is a bit of a nuisance due to how much it slows down the machine (M$ fault not Sun's). ActiveX is evil. If you are really paranoid then just unplug and quit worrying.
Just my general observations from under the soap box.