General :  K-Meleon Web Browser Forum
General discussion about K-Meleon 
Re: K-Meleon security
Posted by: Daveski17
Date: November 25, 2009 01:50PM

Quote
Doon

Daveski17 asked: "Should we (KM users) be worried by these security problems?"

Well, this new exploit is almost as bad as it gets, although with javascript as a minimum requirement it doesn't worry me.

OK thanks for the info, that is a little scary then.

Quote
Doon
And then he said: "to be able to easily turn Javascript off for general browsing is a superb idea."

Daveski, it sounds like you haven't discovered the wonders of the privacy bar. If you scroll to the bottom of this posting you can see my privacy bar; I click on it constantly.

I've found the privacy bar but I can toggle Javascript On/Off with the F7 button right?

I like your animation!

K-Meleon ~ Not a Melon!

Re: K-Meleon security
Posted by: Daveski17
Date: November 25, 2009 02:26PM

I know security is important but how much of it do you need with this new exploit? I have hardware & software firewalls, an AV suite, SpywareBlaster, Windows Defender (realtime) & MBAM & SUPERAntiSpyware as 'on-demand' scanners.

Oh, & I disable Javascript if I am generally surfing in KM.

I think that I'm covered!

Plus I check the Conficker Eye Chart occasionally.

K-Meleon ~ Not a Melon!

Re: K-Meleon security
Posted by: siria
Date: November 25, 2009 07:42PM

WHOA, what a list...
Okay, let me think.... Ah yes! One thing is missing yet (or I missed it oops): Do you have a disk image for backup? :cool: grinning smiley
Hey seriously, congrats! Am a bit envious, wish I had similar equipment, paranoid as I am, but every time I get my butt up somehow and research stuff I run out of time, and then never find the time and energy again to continue *blush* Perhaps next time ;-)

Re: K-Meleon security
Posted by: Daveski17
Date: November 25, 2009 08:19PM

Well...my AV comes free with my ISP & everything else is freeware apart from Windows Defender which was shipped with my OS (Vista HP). I had to buy the hub (router) with the hardware firewall but I can run 6 computers off it. Unfortunately I only have 2 computers & one of those is offline at the moment. When I get it online I will run Ubuntu on it. I won't have to worry too much about security with Linux hopefully.

K-Meleon ~ Not a Melon!

Re: K-Meleon security
Posted by: Doon
Date: November 25, 2009 09:39PM

I think you're well covered Dave, hehe. Generally speaking, ActiveX and javascript have always given exploits the keys to the kingdom when little else has, so keeping them under control is often enough. Although earlier this month an EOT exploit against Internet Explorer was published, which didn't require ActiveX or JavaScript to trigger, which is about as severe as it gets. But no matter what, exploits come and go, and in my view sensible browsing habits are more important than any security software.

As far as this new KM exploit goes, at this stage it's only a proof of concept, and I don't know if separate code is required to affect each web browser. If separate code is required then perhaps KM won't be as likely to be targeted, assuming a KM user could even FIND a website using the exploit, unpatched and unprotected, with javascript enabled.

In general I'd recommend sandboxing all browsers with Sandboxie if possible (particularly when letting non techies loose on the net), which is free for personal use but requires Windows 2000 or higher. I don't get to use it much but I think it's one of the greatest programs ever made. Small, lightweight, simple and completely configurable, it basically contains anything you run inside it, from web browsing sessions, to software installations or even viruses, delete a sandbox afterward and it's like none of the above ever existed on your drive. Typical reviews here and here, with more here at the official site.

Siria, Windows 98 has its privileges, one of which is great online security. Long years of practical experience with it, without so much as a firewall or resident anti-virus / anti-malware, have made me feel invincible. winking smiley

Re: K-Meleon security
Posted by: Daveski17
Date: November 26, 2009 03:22AM

I'm glad you think I'm covered LOL! I will have to look at Sandboxie one of the days.

K-Meleon ~ Not a Melon!

Re: K-Meleon security
Posted by: ndebord
Date: November 27, 2009 03:58PM

Quote
Doon

In general I'd recommend sandboxing all browsers with Sandboxie if possible (particularly when letting non techies loose on the net), which is free for personal use but requires Windows 2000 or higher. I don't get to use it much but I think it's one of the greatest programs ever made. Small, lightweight, simple and completely configurable, it basically contains anything you run inside it, from web browsing sessions, to software installations or even viruses, delete a sandbox afterward and it's like none of the above ever existed on your drive.

Doon,

Thanks for the detailed FAQ on this exploit and on possible remedies, so I have just downloaded and installed Sandboxie 3.40 and am running KM under it. Any advice on how-tos with this barrier app much appreciated.

N

Re: K-Meleon security
Posted by: Yogi
Date: November 28, 2009 07:42PM

It seems that I'm the only one the PoC doesn't work for (W2K/K-M 1.5.3) and I can't figure out why it doesn't :s



Edited 1 time(s). Last edit at 11/28/2009 07:42PM by Yogi.

Re: K-Meleon security
Posted by: desga2
Date: November 28, 2009 08:40PM

You are right, I tried Firefox 2.0.0.22pre, K-Meleon 1.5.0 and 1.5.3, and Seamonkey 1.1.18 on this webpage with the crash code and nothing happened, no crash, only errors in the Error Console.

K-Meleon in Spanish



Edited 2 time(s). Last edit at 11/28/2009 08:57PM by desga2.

Re: K-Meleon security
Posted by: Yogi
Date: November 28, 2009 09:31PM

Thanks for the confirmation smiling smiley

Re: K-Meleon security
Posted by: siria
Date: November 28, 2009 11:19PM

Nothing happens in 98se either (KM 153, nothing blocked), except that the loading icon took forever to stop (2-3min?) Afterwards it loaded quick again, perhaps it was just my connection, no idea.
But it's strange that nothing happens, for no one it seems, and the error console says there's a syntax error... Perhaps their example code is wrong??? Or it's just not true and that bug never really affected KM???

Re: K-Meleon security
Posted by: desga2
Date: November 29, 2009 02:14AM

I found the problem: the PHP code must be interpreted. What you really have in the code is a very big float number:
<script>
var a=0.9999999999999999999999999 ... and a lot of it ... 99999999999999999999;
</script>

You can test it in the Attachments of this bug: https://bugzilla.mozilla.org/show_bug.cgi?id=516396
Links:
"Secunia's PoC"
"SVG test case for this NSPR bug"

The browser keeps loading these links and takes 100% of the CPU, the application becomes unresponsive and I suppose it crashes in the end.
If you want to see the code you can right-click and save the link target to your disk to view the code in a text editor, or load the links with IE and view the source.

K-Meleon in Spanish



Edited 1 time(s). Last edit at 11/29/2009 02:15AM by desga2.

Re: K-Meleon security
Posted by: 4td8s
Date: November 29, 2009 02:37AM

Quote
desga2
- KM 1.6 will be released in February or March 2010 (possibly first Beta with Gecko 1.9.1) and I think the final release could be for May, but possibly it will already include Gecko 1.9.2 (based on Seamonkey 2.1).

No, desga2. Seamonkey 2.1 will be using Gecko 1.9.3-based code similar to Firefox 3.7. I know because I've tested an SM 2.1a1pre nightly build earlier this month which has the Gecko 1.9.3a1pre engine. Only Firefox 3.6 will be based on Gecko 1.9.2.

Nice to hear Fred and others see the light of planning to integrate Gecko 1.9.x into KM. Looking forward next year to using an official KM build that has Gecko 1.9.x.



Edited 1 time(s). Last edit at 11/29/2009 02:41AM by 4td8s.

Re: K-Meleon security
Posted by: Doon
Date: November 29, 2009 04:45AM

Good work! I saw no effect with the simple crash test but the bugzilla links did as desga2 described, unresponsive with 100% cpu usage. K-Meleon had to be killed but I saw no signs of a crash after letting it run a few minutes. Underwhelming.




ndebord, I'm afraid I have no specific advice about Sandboxie settings but I recommend reading the documentation at the site as well as going slowly through all of the options in the Sandboxie control window. I also highly recommend using the Sandboxie forum to search and read (a great database of information) as well as to post questions at (no registration required), the users and the developer are very helpful.

Re: K-Meleon security
Posted by: guenter
Date: November 29, 2009 05:08AM

IMHO a stupid OS - if it allows 100% CPU or RAM to one app!

& not effective when each application programmer must cover CPU and Mem handling instead of the OS vendor.

p.s. AFAIR the forum contains posts about Sandboxie, so some K-Meleon users might know settings for KM and it might be worthwhile to start a thread here too.

Re: K-Meleon security
Posted by: ndebord
Date: November 29, 2009 06:16AM

Quote
Doon
Good work! I saw no effect with the simple crash test but the bugzilla links did as desga2 described, unresponsive with 100% cpu usage. K-Meleon had to be killed but I saw no signs of a crash after letting it run a few minutes. Underwhelming.




ndebord, I'm afraid I have no specific advice about Sandboxie settings but I recommend reading the documentation at the site as well as going slowly through all of the options in the Sandboxie control window. I also highly recommend using the Sandboxie forum to search and read (a great database of information) as well as to post questions at (no registration required), the users and the developer are very helpful.

Doon,

Thanks... I've already started using it with KM and just through trial and error. I will go to the forum and see how to tweak it. Much thanks.

N

Re: K-Meleon security
Posted by: ndebord
Date: November 29, 2009 10:32PM

Doon,

This is how I'm using sandboxie right now (along with dropmyrights).

"C:\Program Files\Sandboxie\Start.exe" C:\DropMyRights\DropMyRights.exe "C:\Program Files\K-MELEON\k-meleon.exe" N

N

Re: K-Meleon security
Posted by: Daveski17
Date: November 30, 2009 01:25PM

More information about the bug. It appears that Opera ASA only actually fixed this bug in 10.10!

K-Meleon ~ Not a Melon!

Re: K-Meleon security
Posted by: Yogi
Date: November 30, 2009 04:08PM

@desga2
Thanks for the link!
As far as I can see the "SVG test case for this NSPR bug" doesn't imply JavaScript.

@Daveski17
Did you test the 2 PoCs desga2 referred to with Opera 10.10?
Opera 10.10 freezes the same way K-Meleon does.

Re: K-Meleon security
Posted by: Fred
Date: November 30, 2009 08:01PM

Yes, the "SVG test case for this NSPR bug" doesn't imply JavaScript.
Gecko 1.9.1.3 crashes. Gecko 1.9.1.4 and higher do not crash.
Firefox 3.5.4 and Firefox 3.5.5, as well as my variations
KM-F354, SM2pre and 1.5.3-Gecko1.9.1, work ok with this bug.

Fred

Re: K-Meleon security
Posted by: siria
Date: November 30, 2009 11:35PM

My KM freezes too on the SVG bug. Getting out only with taskmanager kill.
Thanks for the links, I'll just copy them again to find them quicker:

Info page with SVG-test: https://bugzilla.mozilla.org/show_bug.cgi?id=516396
ATTENTION: Direct link in it that freezes KM: https://bugzilla.mozilla.org/attachment.cgi?id=406726


Looking for a solution, I opened about:config and typed SVG, and was delighted there was a hit:
svg.enabled TRUE
After setting it to FALSE, the browser doesn't freeze anymore, only asks whether it shall download or open that file :cool:

I dimly remember there was already another SVG freeze bug awhile ago, but IIRC my system wasn't affected... Not sure anymore at all, and not sure either if that bug was fixed, but anyway:
Correct me if I'm wrong, but I guess we can live for now without SVG, can't we?? It's a rather new vector image format, not fully supported yet by many browsers and therefore very rarely used yet by webmasters - or so I guess :cool:

I figure there might be other ways yet for such "overflowings", but for now I still feel a bit safer again tongue sticking out smiley


BTW: Does anyone have a clue what to do best if tapping into such a freezing trap? Is that code executed already while the browser starts freezing, or somehow after killing or what? Have absolutely no clue there. Should one hit the power button? Or is it enough to kill the browser? Or is both too late already? Or???



Edited 3 time(s). Last edit at 11/30/2009 11:43PM by siria.

Re: K-Meleon security
Posted by: Daveski17
Date: December 01, 2009 12:18AM

Quote
Yogi

@Daveski17
Did you test the 2 PoCs desga2 referred to with Opera 10.10?
Opera 10.10 freezes the same way K-Meleon does.

It doesn't surprise me as I don't think Opera #10 is that stable. It crashed a lot on me until I uninstalled my old Yahoo messenger.

K-Meleon ~ Not a Melon!



Edited 2 time(s). Last edit at 12/01/2009 12:29AM by Daveski17.

Re: K-Meleon security
Posted by: Fred
Date: December 01, 2009 01:46AM

siria is right. Disabling svg in about:config, or
adding in prefs.js or user.js

user_pref("svg.enabled", false);

opens a download window, that can be refused.
Good workaround.

Fred
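Fred's one-line pref is easy to apply by hand, but when several profiles or several machines need the workaround it helps to check and set it programmatically. The following is an added example (my own code, not from Fred or the K-Meleon project): a small Python parser for the `user_pref("name", value);` line format used by prefs.js and user.js, with a function that reports whether `svg.enabled` is already forced to false and one that rewrites the file contents so that it is. The sample user.js is constructed inline; real files live in the profile directory, and the exact path is not shown on this page.

```python
import re

# One user_pref line: user_pref("pref.name", value);  value is kept as raw text
# (true/false, a number, or a double-quoted string).
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.*?)\s*\);\s*$')

# Constructed sample user.js, not a real profile; svg.enabled is still on.
SAMPLE_USER_JS = """// constructed sample user.js
user_pref("browser.startup.homepage", "about:blank");
user_pref("svg.enabled", true);
user_pref("javascript.enabled", false);
"""


def parse_prefs(text):
    """Map pref name -> raw value string for every user_pref(...) line.
    Comments and unrelated lines are ignored."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = m.group(2)
    return prefs


def svg_workaround_applied(text):
    """True only when svg.enabled is explicitly set to false; an absent
    pref means the built-in default (enabled) is in effect."""
    return parse_prefs(text).get("svg.enabled") == "false"


def apply_svg_workaround(text):
    """Return the file contents with svg.enabled forced to false, replacing
    an existing line in place or appending one at the end."""
    out = []
    replaced = False
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m and m.group(1) == "svg.enabled":
            out.append('user_pref("svg.enabled", false);')
            replaced = True
        else:
            out.append(line)
    if not replaced:
        out.append('user_pref("svg.enabled", false);')
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("before:", svg_workaround_applied(SAMPLE_USER_JS))
    fixed = apply_svg_workaround(SAMPLE_USER_JS)
    print("after: ", svg_workaround_applied(fixed))
    print(fixed)
```

Because the browser rewrites prefs.js on exit while user.js is read at every start and overrides it, user.js is the file to run this over when the setting has to stay put.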

Re: K-Meleon security
Posted by: guenter
Date: December 01, 2009 05:25AM

We can build without SVG support. I once did by accident. Let's reinstall my faulty GRE grinning smiley

Re: K-Meleon security
Posted by: Matt
Date: December 01, 2009 05:23PM

Just my 2 cents - it concerns security in general. Take a look at the Virus Bulletin ranking. According to this test Avira is the leader, followed by AVG and Avast; those are the top 3 free antivirus software.

Quote
guenter
We also have to think about the ppl that are stuck with Win98/ME.

They can install e.g. Firefox 3 and - I guess K-M 1.6 in future - on Win 98 using KernelEx.
Of course, as many pointed out before, moving to Gecko 1.9 is unavoidable.

Re: K-Meleon security
Posted by: siria
Date: December 01, 2009 06:11PM

Quote
guenter
We can build without SVG support. I once did by accident. Lets reinstall my faulty GRE grinning smiley

LOL! A case of clairvoyance? :cool: grinning smiley No really, what I'd support is to include SVG as it is now, but set it disabled by default, in the current KM download versions and in gecko updater. Just IMHO, for as long as that bug isn't fixed yet smiling smiley

Quote
Matt
They can install e.g. Firefox 3 and - I guess K-M 1.6 in future - on Win 98 using KernelEx.
Of course, as many pointed out before, moving to Gecko 1.9 is unavoidable.

I love kernelex and tried KM with it a while ago, but surprisingly it did not run with the "normal" KM-exe, still only with 9x version :-( So someone would have to find a fix for that, or we'll be stuck with an old KM version, if 9x isn't supported anymore officially by KM.

But in general kernelex is great, and it has become very flexible. When installing it, there's an option whether it shall be used for all programs by default or for none, and in the context menu of every exe there's a new tab to choose whether it shall be run with or without kernelex, and in which compatibility mode (win2000, XP, etc.)

Re: K-Meleon security
Posted by: Gorilla no baka
Date: December 07, 2009 07:04AM

Quote
guenter
We can build without SVG support. I once did by accident. Lets reinstall my faulty GRE grinning smiley

The irony of it all is....

All major modern web browsers except Microsoft Internet Explorer support and render SVG markup directly.[3] To view SVG files in Internet Explorer, either users have to download and install a browser plugin, or the webmaster can include SVG Web, a JavaScript library currently under development at Google Code.[4]

Source:

http://en.wikipedia.org/wiki/Scalable_Vector_Graphics


My favorite forums
http://www.graphixanstuff.com
http://www.closeprotectionworld.co.uk/index.php?referrerid=11530

Re: K-Meleon security
Posted by: guenter
Date: December 07, 2009 01:41PM

Quote
Gorilla no baka
The irony of it all is....

All major modern web browsers except Microsoft Internet Explorer support and render SVG markup directly.[3] To view SVG files in Internet Explorer, either users have to download and install a browser plugin

Also available as Mozilla Plugin - No idea whether that improves the situation for SVG.



Edited 1 time(s). Last edit at 12/07/2009 01:42PM by guenter.

Re: K-Meleon security
Posted by: snuz2
Date: December 13, 2009 06:01AM

I once tried this Adobe SVG, and found it didn't actually render much of the test stuff on W3C school's SVG tutorial. As siria points out, I don't think anyone is actually using this very promising technology out on the web anyway.

The Adobe link appears to be a "plugin" to make IE work. It had no effect on km and did not install a plugin.

Note that even with its svg enabled, KM does not render their svg test page. haha.



Edited 1 time(s). Last edit at 12/13/2009 06:41AM by snuz2.

Re: K-Meleon security
Posted by: snuz2
Date: December 23, 2009 04:22AM

I found a site that claims to use svg: Bing Maps. But whether I had svg enabled or not, it reported that my browser did not have it.

Changing UA to FF2....here she comes.... it will be....yes, it shows the pin in the map !!!

Now we try with svg disabled to see what happens....and... yes, it renders with no complaints whatsoever. So probably it does not need svg at all. Oh well. The map does look slightly different with svg enabled, so maybe it really does work, but it's not necessary for this.

happy holidays.



K-Meleon forum is powered by Phorum.