Ramblings of an old Doc
UPDATE
Published on December 23, 2010 By DrJBHL In Personal Computing

 

I wasn't planning on posting today, but when I read this, I felt I should whip something up quickly.

Security researchers have released attack code that exploits an unpatched bug in Microsoft's Internet Explorer (IE) and sidesteps defenses baked into Windows 7.

Microsoft late Wednesday confirmed that all versions of Internet Explorer (IE) contain a critical vulnerability that attackers can exploit by persuading users to visit a rigged Web site. The site can then hijack personal data and install malicious code and/or malware. This will bypass all security software and Windows 7 protection. Network administrators and IT professionals can download EMET 2.0 from MS, who claim it can be configured to protect servers.

MS Security Advisory (2488013) HERE.

Although the company said it would patch the problem, it is not planning to rush out an emergency update.

The next regularly-scheduled Patch Tuesday is Jan. 11, but because Microsoft usually updates the browser every other month, and just did so last week, it's possible the vulnerability won't be addressed until February.

Microsoft's usual practice is to release an emergency fix only if attacks appear and then grow in strength. Microsoft has never revealed how it sets the point at which a rush patch is triggered.

The vulnerability in IE6, IE7 and IE8 surfaced several weeks ago when French security firm Vupen disclosed a flaw in IE's HTML engine.

The bug first surfaced earlier this month when French security firm Vupen announced it had uncovered a flaw in IE's HTML engine; however, the vulnerability was noted and explained earlier in a Chinese trade publication.

Doc suggests using Firefox, Opera, or any non-IE-based browser until this vulnerability is patched.

 

 


Comments (Page 4)
on Dec 24, 2010

On a side note...occasionally I have downloaded Seamonkey

Completely forgotten about SeaMonkey. I figured Mozilla was too busy with FF, TBird, etc. to still have it in development.

on Dec 25, 2010

I started with FF. Am now running Opera. Do I want to run Google Chrome, SeaMonkey or yet another browser? Hmmmmmmm.

on Dec 25, 2010

If you're happy with Opera's performance (sorry about the pun), why install more stuff? You'll end up with a crudded up registry and slow-downs.

 

on Dec 25, 2010

Nah ... no more stuff. I got enough. Did install AdBlocker Plus though.

on Dec 25, 2010

DrJBHL

I didn't think you'd seen it, and didn't want your computer to be possibly vulnerable until February.

http://www.oneitsecurity.it/01/03/2010/interview-with-charlie-miller-pwn2own/

That guy thinks IE8 is one of the more secure browsers.

I'm not using IE8 anyway, so I'm not terribly worried. 

on Dec 25, 2010

TRUE OR FALSE:

1.  Even if an alternate browser is used (eg. Firefox), and IE still remains on the system, that system is still vulnerable.

2.  One can be safe from IE vulnerabilities only when IE is removed completely from the system.

3.  Removing IE completely from the system will not in any way harm the system.

on Dec 25, 2010

A system is vulnerable with any browser.

on Dec 25, 2010

aeligos:

Microsoft has issued an advisory for an unpatched vulnerability affecting all versions of Internet Explorer on all platforms. The vulnerability could allow a malicious Web page to trigger a denial of service or remote code execution in the context of the IE user. Exploit code for the vulnerability has been published, but there are no reports yet of active exploits in the wild.

The vulnerability is of a type known as "use-after-free" and is in the CSharedStyleSheet::Notify function in the CSS parser in mshtml.dll. Multiple @import calls in the attack document trigger the vulnerability. It was first reported by wooyun.org.

The exploit bypasses Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP) by taking advantage of a library it loads (mscorie.dll). This was not compiled with the /DYNAMICBASE option that enables ASLR and therefore loads predictably at the same address. Microsoft doesn't say why this, and apparently other libraries, weren't compiled with this option, but suggests that you use its Enhanced Mitigation Experience Toolkit (EMET 2.0) to force all loaded DLLs to dynamically rebase. This change should make the exploits highly unlikely to succeed. A video on the Microsoft Web site demonstrates the process.

Microsoft also stresses that protected mode in Internet Explorer 7 and 8 on Windows Vista, Windows 7, and Windows Server 2008 mitigates the vulnerability by limiting the privileges of attack code that succeeds in exploiting the vulnerability.

--------------------------------------------------

1. Mitigates does not mean prevents. It means 'decreases'. They don't say how much.

2. Highly unlikely also does not mean you are safe.

on Dec 25, 2010

He mentioned something about not installing Flash. I have Flash player. Is that the open door?

on Dec 25, 2010

The vulnerability is of a type known as "use-after-free" and is in the CSharedStyleSheet::Notify function in the CSS parser in mshtml.dll. Multiple @import calls in the attack document trigger the vulnerability.

Flash is vulnerable to other things:

Latest Vulnerabilities in Flash Player:

A recent vulnerability in the latest Adobe Flash version led to a massive attack yesterday (12/24/10).

More than 220,000 pages on the Internet have been hacked, most likely with an automated tool using a SQL injection attack. Those pages, some of well respected companies such as Nokia but also many non-profit organizations and town websites, redirect the user to websites that host the exploits for the Flash vulnerability.

If the system meets the requirements, the exploit is used to download and execute trojans that steal information and droppers that download additional trojans. The information that is stolen is, for example, World of Warcraft account information, while the droppers download files that add the computer to a botnet. (according to Trendmicro)

Most antivirus companies have already updated their software to disable the possibility that this exploit can be used on the computer the software is running on.

Your best bet if you do not use antivirus software is to either disable Flash for now or use an extension like NoScript to block Flash on every domain but trusted ones.

 

on Dec 26, 2010

What if I just get rid of Flash player? If it isn't there no vulnerability ... right? I could uninstall it.

on Dec 26, 2010

A system is vulnerable with any browser.

Correct, Savyg. Sorry not to have responded sooner. Here are the latest patches/fixes for Mozilla browsers/email vulnerabilities. You'll note these problems have been addressed and fixed.

Opera vulnerability:

http://www.infoworld.com/d/security-central/opera-software-patch-browser-vulnerability-soon-046 

Mozilla vulnerabilities:

http://blogs.pcmag.com/securitywatch/firefox/ 

http://www.mozilla.org/security/announce/ 

on Dec 26, 2010

Trivia: The date on the Opera link is March 2010.  The date on the MS Advisory in OP is December 2010.  Seems like the MS Advisory should have included: "We further advise that you do not hold your breath while waiting on us to patch this." 

(still loving my new Opera toy)

on Dec 26, 2010

I upgraded FF to version 3.6.13 yesterday. So far so good. Have a question about Opera though. When I open it the browser goes to the last page it remembers, not to the current page like FF does. Why is that?

on Dec 26, 2010

Uvah, just follow the numbers in the screenshot.
