http://secunia.com/multiple_browsers_dialog_origin_vulnerability_test/

Another example to not enable javascript or java!

Thanks. Disabled, Java in my FF and all is good.

You could also heed the workaround advice:

Solution:
Do not browse untrusted web sites while browsing trusted sites. (http://secunia.com/advisories/15489/)

To me this doesn't seem like a very exploitable vulnerability, but I guess some people might fall for it? How often do you have to use a javascript prompt to enter a web site? I never have, but maybe some do?

I haven't tried this extension, but have been curious about it:

NoScript - Whitelist JavaScript blocking for a safer Firefox experience! - what is it? - InformAction (http://www.noscript.net/whats)

I haven't tried this extension, but have been curious about it:

NoScript - Whitelist JavaScript blocking for a safer Firefox experience! - what is it? - InformAction (http://www.noscript.net/whats)
------------------------------------------


Have you seen this Elwood.......I haven't tried it yet as I'm secure with the stuff I run!@
http://www.dslreports.com/forum/remark,13412796

Well it seems to work fine with lots of options!

I just installed it to one of my profiles, going to play with it a while.

http://secunia.com/multiple_browsers_dialog_origin_vulnerability_test/

Another example to not enable javascript or java!I guess I'm secure, because I clicked on the test link and opened Google and waited for quite a while, but no Java script appeared.

How do you disable all aspects of Java?

How do you disable all aspects of Java?
--------------------


I see your using Mozilla 1.7....you should at least update to the latest or use Firefox as it will continue to be updated unlike Mozilla!


As for the java and javascript this extension works great for instant access to all those options....JUST UNCHECK THE APPROPRIATE BOXES!

http://prefbar.mozdev.org/

Interesting, tested it at work and it did work, I'll have to try it at home. I can't see how this would be bad for me, since I still have to enter the information myself, but I can see how it would catch some people pretty good.

You could also heed the workaround advice:

Solution:
Do not browse untrusted web sites while browsing trusted sites. (http://secunia.com/advisories/15489/)

To me this doesn't seem like a very exploitable vulnerability, but I guess some people might fall for it? How often do you have to use a javascript prompt to enter a web site? I never have, but maybe some do?

I haven't tried this extension, but have been curious about it:

NoScript - Whitelist JavaScript blocking for a safer Firefox experience! - what is it? - InformAction (http://www.noscript.net/whats)


Elwood, I downloaded it the other day and it seems to give me the security I want with being able to use Java.

Phil

Ok, i failed the test using firefox so i then disabled java and javascript and then my browser passed the test. However, can i ask, what is the diffrence between Java and Javascript?
Sorry if this sounds a dumb question but hey, you know how it is :))

Java (http://foldoc.doc.ic.ac.uk/foldoc/foldoc.cgi?query=java&action=Search&sourceid=Mozil la-search)

JavaScript (http://foldoc.doc.ic.ac.uk/foldoc/foldoc.cgi?query=javascript&action=Search&sourceid =Mozilla-search)

I guess I'm secure, because I clicked on the test link and opened Google and waited for quite a while, but no Java script appeared.

Same here.No Java script
chari

Just FY'allsI ...

Running Firefox 1.0.4 with Java and Javascript both enabled. Passed test.

alan

Just FY'allsI ...

Running Firefox 1.0.4 with Java and Javascript both enabled. Passed test.

alan

Still using Tabbrowser Extensions, I assume?

The bugs inherent in TBE seem to be beneficial in some instances.

>>Still using Tabbrowser Extensions, I assume?<<

Yes. And it hadn't occured to me that TBE might be breaking the javascript in the test site. But wasn't 1.0.4 supposed to address this very vulnerability?

So far I have seen only one instance of noticably buggy behavior in TBE (the one we talked about having to do with a requested popup at the NYTimes, or was it the Washington Post website.) And TBE is just so useful for automating tabbing behavior that I am reluctant to give it up.

What I should do is make a "test-bed" Profile to test out extensions one at a time, and then a "bugless" Profile to go along with my "full" Profile which contains known buggy extensions like TBE. And then choose which Profile to use depending on where I am going. And I might, next time I feel like rooting around in the innards of Firefox!

alan

But wasn't 1.0.4 supposed to address this very vulnerability?

No, this is a newly discovered one. 1.0.5 should be out shortly.

I stopped using TBE [trashed a couple of profiles] months ago..and like Elwood use Tabmix,which does everything I want it to.........:)

Well, I swapped out TBE for Tabmix -- and you're right, it does what I want it to do without breaking javascript applications. Of course, now I fail the test ...

alan

Hot Dang !

I just LOVE that "NoScript" extension.... Here's how I have it setup and wanted to verify with Rick that this is how you have your's in Firefox as well.

1. I have in about:config this enabled: javascript.enabled "true"

2. I keep the no-script running and have most places blocked except like: mail.yahoo.com; my.yahoo.com; forum.worldstart.com, dslreports.com, msn.com (email account) and others I know I need Javascript for to function on a given website I go to all the time. Then U have the option of "Temporarily" allowing Javascript, which I believe is on a Per Session view and when U close browser I think it removes that TEMP access....

I did do that test at Secunia and I passed with these settings.. Mind you I have not installed JAVA since I reset up my system last week... So guess I should check once I have that installed, but no hurry for that yet... Downloading the update now....

Sherri

*note: I also use Flashblock v1.3.1 Firefox extension and download all .swf files... Dont view them Online any longer.