it seems Firefox is now the most unsafe browser around
http://www.itwire.com/content/view/29219/53/
(beaten by IE, Safari and Opera)

how safe do you think KMeleon is compared to all of them?

I think it is pretty safe. But on this forum we have guys who don't think, THEY KNOW.

I hope some of them will answer you.



Edited 1 time(s). Last edit at 11/22/2009 05:23PM by panzer.

This is old news really, I first saw it here.
I think that this has more to do with the amount of plug-ins/add-ons that Firefox users can actually employ. I rarely use Firefox, I thought Fx #2 was superb but I really prefer K-Meleon now. I don't know how this affects the general security of KM though in comparison. I suggest you consider using SpywareBlaster as this will specifically give extra protection to any Gecko-engined browser including K-Meleon. I think that the last paragraph of this link is interesting:

'Cenzic’s analysis doesn’t make any distinction between security vulnerabilities that were corrected and vulnerabilities that have actually been exploited in the real world, which means that although Firefox had the most vulnerabilities reported, that doesn’t actually mean its the least secure browser…or that Opera is the most secure.'

K-Meleon ~ Not a Melon!

KM is not based on FF so if FF is vulnerable, this doesn't mean that KM is also.

No clue on my part, sorry.
I just find it amazing, how quickly and extremely things should have changed, hmm... And as they say, never trust statistics that you haven't faked yourself :cool:

And when I look at all my privacy button blocks and other stuff, IMHO the security depends rather more from the user than from the browser software... There will always be some hidden holes through which malicicious guys can sneak in, but if, for example, I have javascript blocked (at least on pages that don't insist on it), the chance for intruders falls already drastically. Also if one uses a good firewall. Also if one doesn't click on all sorts of suspicious links without thinking or open all mails with automatic preview (or rather people seem to think "Hey, it's the browsers job to protect itself, so not MY fault, never!)

Yeah, it kinda reminds me of Lies, damned lies & statistics! LOL

K-Meleon ~ Not a Melon!

i am using kmccf without AntiVirus software for a bout a month， but my system is quite healthy up to now.

IMHO NOT the browser that fixes most problems during a given period, but that which does not fix insecurities and is deeply rooted into a system full of decom vulnerabilities, namely IE is definitely less secure.

Current high number of bugs is due to the fact that there are new techniques of screening for them. From what info I have read: Opera and Mozilla actively use them to make their products more secure. I have no info who else uses the kits that semi-automatically create and screen bugs.

The author of the linked article wants to apply a direct association between fixed bugs and insecurity. I personally would prefer a system that counts the number of days with open known flaws but not the raw number of flaws that were fixed during a given period.

What matters most? I would think the number of unfixed known bugs and exploits in the wild is most essential for measuring insecurity.

For known problems search e.g. google "secunia K-Meleon bugs btw exploits".
Maybe also look for known IE bugs and exploits. Do the same for all browsers that matter to You. Most so called exploits for FF newer make it past the proof of concept stage. ActiveX exploits have been around for ages, IMHO.

K-Meleon shares the html engine with other Mozilla applications but in the past did not share all FF vulnerabilities. Probable reason K-Meleon uses another toolkit for its GUI. K-Meleon's security can also rely on the fact that nobody is looking for its problems. There is no market share that warrants searching for K-Meleon exploits.

p.s. IMHO Opera and Mozilla engines should be the savest, since they have the longest record of continuous development and were not rushed to be brought into market in an short intensive effort. Many of IE's up to today remaining problems are from that its features were rushed into existence during the browser war.

I didn't think that Gecko-engined browsers utilised ActiveX. I think Google Chrome can. I thought ActiveX was a Microsoft thing. I still recommend SpywareBlaster. It has a freeware version & is low maintenance.

This is from their page:

Multi-Angle Protection
Prevent the installation of ActiveX-based spyware and other potentially unwanted programs.
Block spying / tracking via cookies.
Restrict the actions of potentially unwanted or dangerous web sites.



Secure Your Browser
SpywareBlaster provides protection for your favorite web browser(s):

Internet Explorer
Mozilla Firefox
Netscape
Seamonkey
Flock
K-Meleon

and browsers that use the IE engine, including:
AOL web browser
Avant Browser
Slim Browser
Maxthon (formerly MyIE2)
Crazy Browser
GreenBrowser

K-Meleon ~ Not a Melon!

Vulnerability in multiple browsers; K-Meleon 1.5.3 and SeaMonkey 1.1.18 also affected

Remote Array Overrun (Arbitrary code execution) -> details http://securityreason.com/achievement_securityalert/72 - prior K-Meleon versions may also be affected.

More infos here and here.

Oh great...
Another deadly javascript bug - did I mention the chances for getting affected by anything drop drastically if someone just disables javascript, at least on sites where it's not needed...? :cool:

But hey, I'm amazed that KM is actually mentioned on such research sites, wasn't aware its that "important"!! Anyway, thanx for the info! Hope anyone can fix it...

Nice, timely posting by Matt.
Another perspective on the same exploit: vupen.com/english/advisories/2009/3299

I too have wondered about K-Meleon security matters. About all I know (I'm a newbie) is that apart from new official K-Meleon builds there is always the unofficial Gecko updater that apparently covers rendering engine exploits fixed by the Mozilla SeaMonkey folks (http://kmext.sourceforge.net). I have no idea what benefits may exist in other unofficial K-Meleon builds as I've never tried one and I've barely even read about them. I also know there are security related extensions like Policies Manager (see previous link) but I haven't actually used any myself. And in general, disabling javascript is certainly always wise, as Siria has pointed out (I've kept it disabled for many years).

Quote

For known problems search e.g. google "secunia K-Meleon bugs btw exploits".

For future clicking, some predefined K-Meleon searches at security bulletin sites:
- http://www.securityfocus.com
- http://www.vupen.com
- http://webapp.iss.net
- http://search.us-cert.gov

Doon,

Personally, I have found surfing with JavaScript off is a good thing, but sometimes when I need javascript for my Groups of Tabloids (sports fix), I turn it back on and then use Policies Manager to individually tailor some of the worst offending tabs bad behavior.

N

I must admit that moving to Gecko 1.9 is necessary now.
At the moment K-Meleon 1.5 with the unofficial updates
is probably still on the safe side, but the Seamonkey
nightly builds for Windows, containing Gecko 1.8 have
been stopped on November 10th, and I don't know if they
will be resumed at a later date.
Up to now K-Meleon with Gecko 1.8 could still be updated
using the Gecko engine of these nightly builds.
If these Geckos 1.8 will not get the necessary security
updates anymore, it will not be possible anymore to fix
existing vulnerabilities in a K-Meleon using Gecko 1.8 .
Therefore I believe that having an official version based
on Gecko 1.9 in the near future is absolutely necessary,
even if disabling javascript, if not needed, would make
most attacks ineffective. Nevertheless I have no information
if our developers have the necessary time to release a
1.9 Gecko version soon. They do this work alongside their
daily actual profession.

Fred

Should we (KM users) be worried by these security problems? :s

K-Meleon ~ Not a Melon!



Edited 1 time(s). Last edit at 11/24/2009 03:37AM by Daveski17.

i am quite impatient with 1.6 km，since 1.5x is so stable，in fact many users care less about security, they may care more about speed, like me.



Edited 1 time(s). Last edit at 11/24/2009 05:04AM by chinarobin.

Quote
Fred
I must admit that moving to Gecko 1.9 is necessary now.
At the moment K-Meleon 1.5 with the unofficial updates
is probably still on the safe side, but the Seamonkey
nightly builds for Windows, containing Gecko 1.8 have
been stopped on November 10th, and I don't know if they
will be resumed at a later date.
Up to now K-Meleon with Gecko 1.8 could still be updated
using the Gecko engine of these nightly builds.
If these Geckos 1.8 will not get the necessary security
updates anymore, it will not be possible anymore to fix
existing vulnerabilities in a K-Meleon using Gecko 1.8 .
Therefore I believe that having an official version based
on Gecko 1.9 in the near future is absolutely necessary,
even if disabling javascript, if not needed, would make
most attacks ineffective. Nevertheless I have no information
if our developers have the necessary time to release a
1.9 Gecko version soon. They do this work alongside their
daily actual profession.

Fred

Fred,,

There were rumors of a SM 1.1.19?

N

There have been nightlies called Seamonkey 1.1.19pre,
that have Geckos 1.8.1.24pre, but there have been no
new ones after November 10th .This must not be definitive,
but at the moment we have no newer Geckos 1.8 .
K-Meleon may not be endangered yet, but soon more and more.
The vulnerability that Matt mentioned could possibly
be dangerous. The bug

MSFA 2009-59 Heap buffer overflow in string to number conversion

could lead to arbitrary code execution with the rights of
the user. Javascript would have to be enabled.
Look here :

http://www.mozilla.org/security/announce/2009/mfsa2009-59.html

The bug was fixed in Firefox 3.5.4 and 3.0.15 in the release
of October 27th and in Seamonkey 2.0 .

Seamonkey 1.1.18 seems to be affected, and with it possibly
also K-Meleon 1.5.3 which has been updated to Gecko 1.8.1.23 .

It could be advisable to update K-Meleon 1.5.3 with the gecko of
one of the latest Seamonkey 1.8 nightlies that came out after
October 27th, which have been probably made safe.

Bugs that will appear from now on could be dangerous
for K-Meleon, because new 1.8 Geckos for Seamonkey will
not be available anymore, as it seems.
Firefox will continue with the 3.0.x series for a while,
but the necessary dlls for K-Meleon would have to be
extracted from its big xul.dll . Maybe someone knows if and
how that could be done.

Fred

Fred,

So this is the "Remote Array Overrun " exploit to which there is no solution in FF 3.5.4 and earlier FF and SM based on Gecko 1.8 as they won't write the code?

N

Quote
Doon

For future clicking, some predefined K-Meleon searches at security bulletin sites:
- http://www.securityfocus.com
- http://www.vupen.com
- http://webapp.iss.net
- http://search.us-cert.gov

K-Meleon is a "GUI" maybe a "shell" to use native windows widgets for Mozilla GREs.

While K-Meleon never shared XUL located vulnerabilities it also suffered from problems when its GRE base shared with other Mozilla applications was effected.

Please compare the links with K-Meleon's update history. Current, recent and old complaints in the links refer AFAIK to official versions.

IMHO one should include non official updates for interested users. K-Meleon versions 0.9 and later were updated beginning AFAIK April Foolsday 2005. That was when they started to search and find problems in Mozilla 1.7.x. It was always up to each K-Meleon user to do the own or to use un-official updates.

AFAIK Fred's argument points to the real, big, main problem. While we can replace SM nightlies with our own builds, we are at a dead end as soon as the 1.8 branch's code is not updated to cover new found vulnerabilities.

When taunted: Kairo, who seemed to advocate continued support for older windows versions, answered that SeaMonkey project had not choice but use the toolkit backend, since the SM project has not sufficient manpower to maintain an completely independent branch for long. K-Meleon project is in the same or in a worse position. It has even less manpower.



Edited 3 time(s). Last edit at 11/24/2009 01:25PM by guenter.

Guenter,

Kairo says that there will be a discussion in December about whether or not SM can support 1.xxx code.


P.S.

Guenter, I don't suppose this visual expressis of any use?

http://www.microsoft.com/Express/VC/

You need the full package? Like this?

http://www.amazon.com/Microsoft-Visual-Studio-2008-Standard/dp/B000WM1Z46/ref=dp_cp_ob_sw_title_1


P.P.S.
Doon thanks for the link. Here is code for adding to search engine list.


Vupen Security

http://www.vupen.com/english/searchengine.php?keyword=

with spaces so it will show here:

http:// www. vupen. com/english/searchengine.php?keyword=

N



Edited 4 time(s). Last edit at 11/24/2009 06:24PM by ndebord.

Just a side note because I've recently wasted so much time struggling with a "bug" (not), since it took me so long to notice the spaces in another link, actually in a macro, argh :-P Here the spaces are mentioned, that's ok, but there it was not, sigh.

Still I think it would be safer (or foolproofer ) to net insert spaces but instead just put any tag directly before the link: Make it bold or italic or give it a color or underline or quote or whatever.... just have a ] directly touching the addy

http://www.vupen.com/english/searchengine.php?keyword=
http://www.vupen.com/english/searchengine.php?keyword=
http://www.vupen.com/english/searchengine.php?keyword=
http://www.vupen.com/english/searchengine.php?keyword=
That works in other forums too.

Or simpler yet, seems to work here at least, just leave out the http!
www.vupen.com/english/searchengine.php?keyword=

This is an interesting topic, especially considering the original subject "how secure is KMeleon now that Firefox is less safe?"

You can say Firefox is or is not "now" less safe, but that is mainly based on a recent report of number of vulnerabilities, and that in the current Firefox 3.x/3.5.x series. That in itself has no direct bearing on KMeleon.

But KMeleon's security to its current extent is based on the GRE 1.8.x that it is built with. And certainly there were plenty of security issues that were fixed going from Gecko 1.8.x to the current 1.9.x. And that is the current state of KM's security.

As earlier posted, not only is it high time that KMeleon be rebuilt with current GRE 1.9.x, KM has just languished using GRE 1.8.x for far too long.

Of course we would all like to see KM 1.6 right now. The facts, however, are that our development staff is tiny when compared to some other browsers. And most of that staff have jobs which pay the bills and therefore come before work on KM.

If we have security concerns, then we as users need to take steps to go online responsibly. I have just today changed my default JavaScript from on to off.

Quote
siria
Just a side note because I've recently wasted so much time struggling with a "bug" (not), since it took me so long to notice the spaces in another link, actually in a macro, argh :-P Here the spaces are mentioned, that's ok, but there it was not, sigh.

Still I think it would be safer (or foolproofer ) to net insert spaces but instead just put any tag directly before the link: Make it bold or italic or give it a color or underline or quote or whatever.... just have a ] directly touching the addy

http://www.vupen.com/english/searchengine.php?keyword=
http://www.vupen.com/english/searchengine.php?keyword=
http://www.vupen.com/english/searchengine.php?keyword=
http://www.vupen.com/english/searchengine.php?keyword=
That works in other forums too.

Or simpler yet, seems to work here at least, just leave out the http!
www.vupen.com/english/searchengine.php?keyword=

Siria,

Never thought of those options. Thanks.

<wry grin>

N

Is KM unique in being able to toggle Javascript on/off with F7? It's a very good idea.

Most of the sites I visit with KM I have bookmarked & I am quite convinced they are safe. But to be able to easily turn Javascript off for general browsing is a superb idea.

This browser keeps surprising me... in a good way. I'll end up a fanboy LOL

K-Meleon ~ Not a Melon!

Hey! Firefox users have similar problems:

Quote
Mozilla Firefox
Firefox 3.0.x will be maintained with security and stability updates until January 2010. All users are strongly encouraged to upgrade to Firefox 3.5.

Now I think this (my own profecy) about KM's next future based in all I read about this theme:

- KM 1.5.4 will released before End of Year 2009. (bug fixes, new translations, and Gecko updated to 1.8.1.23 or 1.8.1.24)

- KM 1.6 will released in February or March 2010 (possibly first Beta with Gecko 1.9.1) and I think final release could be for May but posibily it already include Gecko 1.9.2 (based in Seamonkey 2.1).

- About Seamonkey 1.1.19 this will be possibily launched at the end of year 2009 (December) or begining of 2010 (Junuary) and only if critical security bugs are fixed (ported from Seamonkey 2.01). IMHO there won't Seamonkey 1.1.20, no more updates for Seamonkey 1.1.x and KM 1.1.x and 1.5.x. Please, you must assume it
(Ready your backups for the update)

- Currently Seamonkey 1.1.19pre "Nightly" build is stopped since 10 November, as already Fred said in above post, and this pre build haven't any critical security bug fixed (ported from Seamonkey 2.0 or 2.01pre)

How to know when a critical security bug is fixed in a SM 1.1.19pre (Nightly build)? Use the Bug Radar:
http://dev.seamonkey.at/
http://dev.seamonkey.at/?d=x&i=mozilla&m=r
https://rocket.ryerson.ca/https/bugzilla.mozilla.org/describekeywords.cgi
https://bugzilla.mozilla.org/buglist.cgi?product=Core&product=MailNews+Core&product=SeaMonkey&product=Other+Applications&keywords=fixed-seamonkey1.1.19%2Cfixed1.8.1.24%2Cverified1.8.1.24

More info links about:
http://forums.mozillazine.org/viewtopic.php?f=6&t=1375455
http://forums.mozillazine.org/viewtopic.php?f=6&t=1449435
http://forums.mozillazine.org/viewtopic.php?f=3&t=1547535
http://home.kairo.at/?d=w&i=1&m=v&f.t=2009-08&f.tags=SeaMonkey
http://home.kairo.at/?d=w&i=1&m=v&f.t=2009-08
http://home.kairo.at/?d=w&i=1&m=v&f.t=2009-11

K-Meleon in Spanish

Thanks ndebord. I will also note that one might be able to subscribe to some of those advisory lists, to receive an e-mail whenever K-Meleon is mentioned. Also, when composing the list I left two sites out, one wasn't working at the time and one had zero entries for K-Meleon.


For side note siria, something more for your tag bag of tricks: opening and closing a tag (such as italic or bold) in the middle of a word, without enclosing any letters, is a way of getting around banned words on some forums. There are legitimate reasons for doing this apart from being rude.


Daveski17 asked: "Should we (KM users) be worried by these security problems?"

Well, this new exploit is almost as bad as it gets, although with javascript as a minimum requirement it doesn't worry me.

And then he said: "to be able to easily turn Javascript off for general browsing is a superb idea."

Daveski, it sounds like you've haven't discovered the wonders of the privacy bar, if you scroll to the bottom of this posting you can see my privacy bar, I click on it constantly.


Cheers to JamesD for the sensible browsing suggestion. I feel like I could coast for years with the current version.

My thanks to all for this interesting and informative discussion.



Edited 1 time(s). Last edit at 11/25/2009 01:46AM by Doon.

Thanks desga2 for the links.
It really seems as if nothing moves anymore to
fix vulnerabilities in Seamonkey 1.1.18 .
I have made up my mind to make an unofficial variation
K-Meleon-1.5.3-Gecko-1.9.1 based on Seamonkey 2.0
to offer a temporary updateable alternative for people that
are concerned about security.
Read the notes in the new thread.
The dlls msvcp71.dll, msvcr71.dll and mfc71u.dll must be
in your System or in the K-Meleon main folder.
If necessary, look for missing dll's in the internet.

Download at :

http://one.xthost.info/eichhein3/K-Meleon-1.5.3-Gecko1.9.1.zip

Extensions may work or won't work. I have not tested them.
This is only experimental and temporary.
Don't overwrite your existing profile.
By default, a new additional profile will be created inside
this K-Meleon variation's main folder.

Regards

Fred

Quote
ndebord
Guenter,

Kairo says that there will be a discussion in December about whether or not SM can support 1.xxx code.


http://www.microsoft.com/Express/VC/

1.) Great news. Recently SM group have ported security solutions from 3.x engines and left the rest alone. Last night I have build the next SM.pre. IMHO some security fixes from GRE 1.9 have been fed in. Right or wrong that is how I read my .GRE_checkout.log.


2.) Free Tools are sufficient to build GRE updates! I have not managed to build K-Meleon.exe. My GREs are sometimes less good than Dorian's who bought VC 7.1.
But that is because of his experience not the tools IMHO.

For GRE 1.8 You need Free Toolkit 2003 (VC 7.1 compiler) or Free VC Express 2005. VC Express 2008 is not supported.

For GRE 1.9 Free Toolkit 2003 (VC 7.1 compiler), Free VC Express 2005 or VC Express 2008.

Only VC Express 2008 is available via MS servers. But You can still find the other two via Google.

Microsoft Platform SDK for Windows Server 2003 R2 is best to use with free tools. It has the MFC, ALT and CRT includes that are only available free of charge with this handout.

---

In spite for my own wish for 1.6 and the new faster GRE 1.9.x.
We also have to think about the ppl that are stuck with Win98/ME.

Info gathering is needed by every voter in a democratic society.
While it might not be economically (money and time) feasible to support legacy OSes - it should remain on the "if-possible" list. It was said once: what You have done to my least brothers...

BTW. SM is still building nightlies for Mac. In the not too distant past there were problems with the Win & the NIX machine.



Edited 1 time(s). Last edit at 11/25/2009 05:35AM by guenter.