
[ale] nailing down firefox security and privacy - PT 1



On Thu, Oct 13, 2011 at 12:54 AM, Michael B. Trausch <mike at trausch.us> wrote:

> You left out the part where she downloaded and opened the program that
> is required to do this. Programs don't just auto-download and open on
> the client system, even on something as insecure as Windows. Java
> applets cannot spawn executables, JavaScript cannot spawn executables,
> and Flash cannot spawn executables, so the user still actually has to
> download and then open an executable in order for it to deliver its
> payload.

I'd planned to stay out of this one -- as much as I like a good
debate, I've been busy lately, but I can't leave this part alone.
There have been a sufficient number of remote code execution
vulnerabilities that you can't say "Programs don't just auto-download
and open on the client system, even on something as insecure as
Windows."

CVE-2010-2884 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2884
CVE-2009-3459 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3459
MS11-018 (Many CVEs included)
https://technet.microsoft.com/en-us/security/bulletin/ms11-018


-- 
David Tomaschik, RHCE, LPIC-1
System Administrator/Open Source Advocate
OpenPGP: 0x5DEA789B
http://systemoverlord.com
david at systemoverlord.com