Mozilla have a list of known vulnerabilities on their site,
of the 65 known errors.
9 have
as the known work around.
of the 56 remaining.
29 have
as the known work around
of the 27 remaining.
3 have
as the known workaround. (seems applets have the ability to invoke java applications).
of the remaining 24.
3 say
1 has
another has
1 has
Code:
Don't open *.hta or application/hta files
Code:
Disable JavaScript, do not visit vbscript: or vnd: URLs from untrusted sources
another classic workaround for problems caused when browsing the internet
!!!
instead of fixing problems when downloading POP3 messages they suggest
- helpfull eh?
if you're having buffer overflow problems when using Mozilla software and email, why bother fixing it when you can tell your users.
Code:
Do not attach files of unknown content to mail/news messages
More mail goodness!
Code:
Disable JavaScript and do not click on imap: links
Trouble with exploits when connecting to POP servers...
mozilla says...
Code:
Do not connect to untrusted POP3 mail servers
(this one comes with my own personal rant)
In order to prevent the spread of virusses through out the internet, microsoft have restricted the attachments that can be sent through exchange servers, and restricted the type that can be open from within...
Mozilla say...
Code:
Do not open attachments from untrusted sources
When Microsoft said this they were shrugging their corperate responsibility!
having problems with Javascript security... why fix it when you can tell your users
Code:
Do not click on "javascript:" links in dialogs, or bookmark them
(with another rant)
When people found a way to spoof the address displayed in the address bar so that it displays one name, whilst actaully being directed to another unsecure site, where you may be asked to enter sensative information Microoft fixed the problem with their browser...
mozilla says...
Code:
Check the Page Info dialog and lock icon before entering sensitive data on a web page
(this appears twice)
Having crosslinking trouble... heres a GEM from the mozilla work around...
an error, which the description describes as...
Code:
Some non-tier1 platforms (BeOS) do not truncate cache files properly which could result in a page that is a mix of old and new, which could result in unwanted purchases
has workaround
Code:
Clear cache before going to a page you have visited before
Now don't get me wrong, everyone should be carefull when prurchasing online, but a problem as simple as, there may be cached pages, in what should be a secure area. the browser should force refresh these pages by it's self, not rely on the user to delete files before they start browsing.
now it seems that this problem is caused by the service providers, but I've not heard of this error on IE before.
this one is classic, say you want to add a security policy to your browser. Well it might not actually work!
Mozilla says
Code:
Do not add or change configurable security policies; the defaults are safe
No the defaults are not good enough, thats why the user wants to add their own, there is obviously something lacking in the defaults. don't try to fob me off telling me something like that.
Hackers may be able to spoof pages when you browse through a proxy...
mozilla don't fix this problem they say.
Code:
Do not use proxy, or Check the Page Info dialog and lock icon before entering sensitive data on a web page
So how exactly do I win? I can't apply a security policy on the actual browser software, because it doesn't work (see above) and I can't apply a security policy through the use of a proxy serer because it opens up a security vulnerability!
Seems there are authentification troubles concerning mail servers and HTTP authentification. mozilla says
Code:
Memorize the real mail server password prompt and do not enter your password if the dialog is not exactly the same
And finally, .hta files are excecutable, whe microsoft were faced with this problem, a securioty patch was released that fixed the vunerability...
mozilla says...
Code:
Don't open *.hta or application/hta files
Most exploits run without the uers knowledge, and they try really hard to hide themselves. they don't generaly come with links that say...
Click here, it's going to run a really bad thing that will break your computer. there is a strong possibility that your browser will be open to this form of atack, and funnily enough this is exactly what I wanted. Now click here, everybody knows that fixing your computer is fun, everyone loves to have to spendtime running virus scanners, and spyware detectors... Just click it'll be fun. I promise
Took me a long time to compile that!
you can find the list in it's original format
here.
Have fun.
