LinuxQuestions.org
Did you know LQ has a Linux Hardware Compatibility List?
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 09-25-2004, 03:50 AM   #1
mandrakemikael
Member
 
Registered: Aug 2004
Distribution: gentoo <3
Posts: 39

Rep: Reputation: 15
IE Vulnerabilities, why not in other browsers?


i have been wondering and can't figure this out. why are there so many security leaks in ms internet explorer, but not in other browsers? or are there? or are they patched? or are most of the attacks targeted towards ie? what makes ie inferior to the other browsers?

this is not exactly a linux question, but as a linux user i'd like to know why i'm supposedly safe from www threats. or even why i'm more safe in windows using firefox or mozilla than ie.
 
Old 09-25-2004, 04:09 AM   #2
btmiller
Senior Member
 
Registered: May 2004
Location: In the DC 'burbs
Distribution: Arch, Scientific Linux, Debian, Ubuntu
Posts: 4,133

Rep: Reputation: 320Reputation: 320Reputation: 320Reputation: 320
There're at least a couple of potential answers to this:

1) MSIE is integrated directly with the Windows OS and has things like ActiveX that can do things to the OS. Mozilla and other browsers are not integrated with the OS, and so there's less of a chance that they can actually exploit vulnerabilities within it. This is probably part of the answer.

2) MSIE is simply a poorly written piece of software. Without seeing the code, no one knows if this is the case or not. I personally doubt this, but you never know...

3) Mozilla and friends are just as buggy as MSIE, but they have comprised such a small share of the browser market (this is changing) that the exploit writers haven't bothered to go through them looking for holes to exploit.

Bear in mind, there have been arbitrary code vulnerabilities found recently in Mozilla, so it's not totally secure. I think that it not being integrated with the OS makes it more secure in that it can't play directly with the OS. This is cold comfort, though, if there's an arbitrary code vulnerability that allows an attacker to do rm -rf * in your home directory.

Of course, the really paranoid can create a user account just for running their browser, and then run it from a chroot jail.
 
Old 09-28-2004, 05:30 AM   #3
ericson007
Member
 
Registered: Sep 2004
Location: Japan
Distribution: CentOS 6.5
Posts: 482

Rep: Reputation: 85
I agree for some of the above. But apart from the fact the IE is integrated, the active x and everything actually is not the problem. I mean you have the same thing even with linux, were lots of security holes exist, but just they are not uncovered because not that many people use linux because it is more complicated to deal with. If IE was completely free from holes, it still would not stop people to hack and exploit machines, you do not have to have IE to exploit a machine, take linux and the libpng, yes innocent png library but alows hacking of your machine. And then with jpeg as well, Someone found out how to put a virus into a jpeg file. So the only way not to be exploited is to rip out that cable running from the pc to the dsl and not use internet at all.
 
Old 09-28-2004, 11:43 AM   #4
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 69
Besides all the very good comments from btmiller, there is another problem with IE, which is that it uses "zones of trust" for allowing active scripting. Up until XP SP2, you couldn't restrict the "my computer zone" at all, so any script that managed to trick IE into thinking the script was started locally could freely modify the system. I'm not aware of any OSS browsers that have this "security" concept. There are certainly manually added "trusted sites", so if an attacker could trick the browser into thinking it was dealing with one of it's trusted zones, then you could have some problems; however the attacker would probably need to know what zones you're trusting.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
History of Kernel Vulnerabilities embsupafly Linux - Security 1 05-09-2005 11:56 PM
Apache - New Vulnerabilities (RH9) jon3k Linux - Security 4 11-18-2004 02:15 PM
WARN: Kerberos Vulnerabilities Capt_Caveman Linux - Security 0 09-01-2004 08:53 PM
sendmail vulnerabilities odious1 Linux - Security 5 11-17-2003 09:06 AM
More BIND vulnerabilities jeremy Linux - Security 0 01-31-2001 08:29 PM


All times are GMT -5. The time now is 12:08 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration