Browser security question

edited November 2008 in Chit chat
If a browser has all plugins disabled, and all features with "Java", "script", "active", "X" or "cookie" in their name disabled, would there still be any means by which a page loaded by that browser could be used to surreptitiously install software on the user's computer - and if so, how?

The reason I ask is that I've always assumed that the answer to this is "No" and so I've used a browser suitably disabled when doing general searches which might encounter malicious embedded code. I've (almost) never installed a firewall or virus checker on the PC in question (it's not this one) and I've never encountered any problems since implementing that idea (that PC uses a dial-up connection).

(I did install McAfee Firewall for a short while a few years ago, but it hammered the hard disk so much during startup that I soon removed it.)
Post edited by Battle Bunny on

Comments

  • edited November 2008
    Can't think of any at the moment, although of course every browser has its bugs.
  • edited November 2008
    If a browser has all plugins disabled, and all features with "Java", "script", "active", "X" or "cookie" in their name disabled,

    I do not know the answer, but it should be interesting to know how your internet experience was? Could you browse most sites or did you run into problems? I would expect that many sites these days use a lot of these less-secure add-ons.
  • edited November 2008
    you're essentially safe, prolly 90%?
    but as mj said they have their own exploits, some worse than others.
    a lot of Windows apps have buffer overflow exploits and such like
    Professional Mel-the-Bell Simulator................"So realistic, I found myself reaching for the Kleenex King-Size!" - Richard Darling
  • ZupZup
    edited November 2008
    As mjwilson said, every browser has its bugs. Maybe some HTML code or some images can trigger bugs and execute malicious code.
    I was there, too
    An' you know what they said?
    Well, some of it was true!
  • edited November 2008
    What about virtual sand boxes? I've probably got the phrase wrong, but I've heard that there are programs that will run anything (in this case, your browser) in Windows as though it's a virtual PC, and nothing that happens in this virtual PC can alter anything outside it, so that if an infection gets through your browser, at most it can only affect your virtual PC, and so when you turn off the PC, or just exit the virtual PC, then any infections are lost.
  • edited November 2008
    Regarding safety, yes, many exploits can be scuppered by removing all client side programmability from your browser (JavaScript, ActiveX, Plugins etc.) but it would stop you from literally clicking on an executable (dangerous_file.exe, anna_kournikova.jpg.vb), and selecting Run. Not that many threats move through the web in that way (email, yes but not www).

    Your web experience will suffer however, particularly with missing JavaScript support on many sites.

    Java and JavaScript operate as standard inside a sandbox but you are still open to any threats programmed in these languages that exploit "bugs" within the JS or JRE engines. Keeping your computer up-to-date can avoid this.

    Common Sense (which I am sure you have plenty of, ewgf) provides very good protection against threats. Most of the people I know that tell me that their computer got a virus etc. are people who are ruthless with their social networking sites and lack of thought on what they click on or download. Clever social cohesion can still fool the best of people sometimes however.

    That's my bit.
  • edited November 2008
    Your best bets are:

    1. not being root/administrator when browsing

    2. keep your browser and OS up to date