Everything posted by Mathwiz

  1. You completely missed the point! If MSE can scan for the exploit on Windows, then surely widely-available AV software can scan for the exploit on Linux. Serpent 52 is patched. Try a pre-September version.
  2. I know, everyone hates CAPTCHAs, although they are a necessary evil. So it's understandable that folks keep coming up with "sit back and relax" alternatives. But this is what "Friendly Captcha" says it does: I know this sounds paranoid, but that sounds to me a lot like cryptomining. Even if "Friendly Captcha" is innocent of that charge, how long before someone develops an automated pseudo-captcha that cryptomines? "You want access to this website? You have to help us mine Bitcoin or some such...." I also have trouble understanding how "solving a crypto puzzle" proves you're NOT a bot - unless maybe you get rejected if your PC solves it too quickly! But that seems easy for the bots to work around....
  3. StartPage happens to be my preferred and default search engine. One feature I like is that you can set the page size to 20 results vs. 10, so you can keep traditional pagination without having to hit "Next" quite so often. As a result I haven't used Google search directly in quite some time, and hence was unaware of the scrolling bug on Serpent 55.
  4. So you're saying it does nothing even if you use a valid user ID and password. If using an invalid sign-on, I would at least expect an error message, rather than doing nothing at all. Doesn't work using Serpent 55 (probably all the UXP browsers too) even on Windows 7, so the problem is likely just another unsupported Googlism. If we can figure out which one, a polyfill might be found for it.
  5. Just to show the skeptics that the vulnerability is real and not mere fearmongering, you can download a "bad" WebP image here: https://github.com/mistymntncop/CVE-2023-4863/raw/main/bad.webp Important note: This WebP file does not contain any malware or exploit code! I wouldn't link to such a thing here on MSFN, even with a warning (and if it did, I don't think GitHub would allow it anyway). But it does trigger a buffer overflow in unpatched software, likely leading the software to crash. (For example, I got the "Aw, snap!" page in 360EE.) Therefore, you can use this as a "quick-and-dirty" test for vulnerable, unpatched software. On patched software (I used @roytam1's Serpent 55) the image displays a hard-to-read, black-on-grey image of the text of the above URL, showing that in theory, a WebP file can both contain actual content and exploit the overflow bug. I was pleased that Microsoft Security Essentials on Windows 7 detects the problem with the file and quarantines it! I'm not sure how thorough MSE's scanning is, but if you have Windows 7, it appears that MSE (which is free AV software from Microsoft) will keep you safe from (at least) downloading a file with this exploit. I don't say this often, but hooray Microsoft! Also, the fact that MSE can successfully scan WebP files for this issue implies that other Web sites should be doing the same thing. Now I don't know for sure that they all do, but it gives me some confidence that a malicious WebP will be caught before it can spread over social media. Email providers should be doing the same, of course. So that makes WebP seem a lot less scary than it was in September. I'm not sure which, if any, AV products will do the same for XP or Vista. That might be worth testing.
  6. @j7n: I think an exploit would have to be specific to at least the OS; probably also to the program that displays the malicious image. Since most folks are using updated browsers and image display programs now, I think the danger of a "generic" virus being passed around is now rather small, although not zero. No hackers are trying to spread ransomware among the tiny numbers of XP and Vista users any more. I think the greatest risk to XP and Vista users is from spear-phishing. Don't think you're an unlikely target just because you aren't a criminal and therefore "have nothing to hide." If you have access to confidential information at your job, if you have a jealous/suspicious spouse or partner (even if the suspicions are unjustified), or even if you hold unpopular political opinions, there are folks with reason to spear-phish you. Those folks would likely know that you use older, unpatched software because the newer, patched versions don't run on XP or Vista. A hacker could use that knowledge to craft a malicious WebP image and send it to you in an email. If the WebP image is part of the email itself (as opposed to just a link) your email client (which could be a Web browser using Web mail) wouldn't even give a warning before trying to display it. You would be vulnerable if your email client or browser is new enough to use the "optimized" libwebp from 2014, but not new enough to have the patch from this September. But as far as using an unpatched browser, I think the danger is small; mostly from sites where user-created images could be hosted, such as social media, fora (like MSFN!) and/or Web mail. So you should be reasonably safe using unpatched browsers like 360EE, Kafan, etc., as long as you don't use them for those kinds of sites.
  7. WebP is a combination of two different image formats: a lossy format similar to JPEG using the VP8 codec, and a lossless format using WebP's custom lossless codec. The bug was in the lossless codec's handling of Huffman coding.
  8. I read quite a bit about this vulnerability back when it came to our attention. AIUI, the "in the wild" exploit was a spear-phish - it was used to spy on a specific individual via his smart phone. I don't believe the target's name was revealed, for obvious privacy reasons. Edit: According to this Cloudflare blog post: Spear-phishing is usually done by email, so a Web browser may not have been involved at all. But, unlike with a typical email phish, this victim didn't need to click a link, open an attachment, or respond to the email in any way. And the malicious WebP was likely an innocuous, or possibly even invisible, image. But you're assuming that a malicious WebP file could not also contain a real image. I don't believe that's been shown to be the case. That, I think, is what folks don't get about this vulnerability. Anyone could unknowingly be spreading malware simply by sharing a cool image or posting it to social media. (I would hope that most social media companies scan uploaded WebP's for the exploit nowadays, but I wouldn't bet on it.) Maybe your browser is patched, but if you download it and your photo viewer isn't patched, bam!
  9. It's probably an EU thing. The EU has rules requiring Web pages to get informed consent before doing things like tracking their users. So, much of the world (including the US where I live) never sees that page. Perhaps a VPN with an IP in the EU would let non-EU residents get the consent page and work on a bypass.
  10. Those two add-ons do totally different things. uBlock filters unwanted junk out of the Web pages you download. Stylus lets you customize the appearance of Web pages (and more) by telling the browser how to display the elements on the page. You shouldn't expect Stylus to filter anything. It could make ads invisible, but your browser would still download them (and you'd still be tracked by them). And you shouldn't expect uBlock to make Web pages look exactly like you want. It could block unwanted style sheets or Web fonts but that's about it. Quit trying to use a hammer to turn a screw!
  11. Just to clarify a few things about the terminology we're using, the "K" number refers to the (approx.) number of pixels across, while the "p" number refers to the number of pixels vertically. 2160p (aka UHD) is 3840x2160. We call it 4K but it's actually more like 3.75K. There are a few true 4K displays in existence, but most "4K" displays are actually 3840x2160. 1440p (aka QHD) is 2560x1440, so more like 2.5K than 2K.... 1080p (aka FHD) is 1920x1080, so closer to 2K
  12. That's the theme all right; but I was looking in the .xpi file for the User Agent Status extension. It only had one .css, and I was pretty clueless what I needed to do to it without @AstroSkipper's help.... As far as dark themes, I initially started using them on my Android phone because it has an AMOLED display, and the darker the screen, the longer the battery can go without needing to be recharged. Eventually I kind of got used to them and tried a few out on my Windows PC. I didn't really like any of the dark system themes that came with Windows 7, so I went back to the "Classic" theme (that makes it look like Windows 98!) but I did like that particular dark theme for Australis, so I've used it ever since.
  13. Odd that it was initially visible on yours but not mine; but be that as it may, your tweak fixed it on mine too! I know basic .css but the part I never would have figured out is all the #ua-status-* tags. I assume they're specified elsewhere in the .xpi but I wouldn't have had the foggiest idea where to look for them! You've obviously had quite a bit more experience with tweaking extensions than I; thanks again!
  14. Hmm.... Only one .css file I can find, in /chrome/skin, and it doesn't specify much: #ua-status-toggle {width: 24px; height: 24px;} toolbar[iconsize="small"] #ua-status-toggle {width: 16px; height: 16px;} Looks like it just makes the add-on's icon 24x24, unless it's in a toolbar with small icons, in which case it's 16x16. There's a bunch of .xul code in this thing though! I assume that's where the "secret" lies. Unfortunately I know nothing about xul, so I'm pretty much stuck at this point.
  15. Looks like a great extension! Unfortunately there's another theme compatibility problem: I'm using the FT DeepDark 14.3 theme and almost nothing is visible! I could give up on the theme, but first I thought I'd ask: is there any way to adjust the add-on's color scheme to accommodate a black background?
  16. I realize this is beating a mostly-dead horse, but I wonder if the author included the fix for the WebP vulnerability in his code? I don't believe it was incorporated into Chromium until V117 (although Google and Micro$oft both back-ported it into V109 for the benefit of Win 7 users).
  17. I agree, although I think it's important to note that the biggest difference is between 480p ("ED") and 720p ("HD"). Going from 720p up to 1080p ("FHD") isn't as noticeable, and going from there to 2160p ("4K") is even less noticeable unless you have a really big screen or you sit really close to the screen you have. But while each increase in resolution gives less noticeable results, it requires a greater increase in your download speed and/or processing power (for those more efficient codecs like AV1). So you have to expend ever-greater effort for ever-diminishing returns. For me personally, the cutoff point is 1080p, but I can certainly see someone being perfectly happy with 720p or even 480p. That said, I can see an advantage of having a 4K display even if I don't bother watching 4K video. Both 720p and 1080p scale up to a 4K screen smoothly.
  18. BTW there's a dedicated thread for this new browser now: Perhaps the discussion should be continued over there, but first let me note that the beta version is free, but has a "time bomb" and will quit working in August 2024 (although, due to a bug, it will start working again in January 2025 and will quit working again in August 2025, and again in 2026, etc.)
  19. Confirmed. There's also a banner I don't understand: I'm guessing it's trying to install the latest Widevine or some such (which of course it can't do), but I have no idea why DropBox would try to play DRM'ed audio, video, or whatever the heck it's doing!
  20. Of course the final decision is yours, but I'd encourage you to at least try uBlock Origin. If you hate it, you can always uninstall it. It was written for efficiency, so it's likely you'll find that it actually speeds up your browsing more than slowing it down, since your browser will no longer try to download oodles and gobs of unwanted garbage. The latest non-WE version of uBO that I have is 1.16.4.31b2, which IIRC was posted by @AstroSkipper in his thread: There may be a later version by now; I haven't checked recently.
  21. With CSS, sometimes partial/incomplete support is worse than no support! Try setting layout.css.is-where-pseudo.enabled to false. With that setting, those Web sites at least pull up, although I didn't test their functionality, so some things may still be broken.
  22. Thank you for checking; it sounds like the problem I had isn't a simple bug, but more likely, it seems, a conflict between something in the 10.26 build and one of my add-ons or custom settings. (It works in earlier builds, even with all the same add-ons and settings.) These kinds of problems are a bear to debug. Maybe I'll get lucky and the 11.10 version will just work; otherwise, it's try with a clean profile; try safe mode; try disabling half my add-ons, etc., etc. Hmm... methinks upstream must have "fixed" something else which wasn't broken. Mozilla may have too (I haven't tried a modern FF build). Exe's aren't my main concern, but St 55 has always been able to open them (if I'm feeling lucky) or save them.
  23. My example was the .exe installer on the main page, but I ran into the bug regardless of the file type being downloaded. Sorry; it wasn't entirely clear. It's actually the "Open with" option, although, when downloading an .exe, the program to be used to "open" the file is blank: Then click the "Save File" button. The file will download to your temporary files folder and then be "opened" (run, in the case of an .exe). That is certainly "best practice" and should be followed if there's any doubt, but with reasonably trustworthy sites like 7-zip.org, I've learned that one can safely get away with a few "shortcuts." With 7-Zip it's not actually necessary to close all other apps, including the browser, before installing; therefore one can have the browser run the installer and disaster won't strike. The trick, of course, is to know when it's safe to do this, and when it's more risky - and I don't have a perfect record on this myself! At any rate, as I mentioned, this bug wasn't limited to executables; that just happened to be the (perhaps ill-advised) example I gave to reproduce it.
  24. I often wonder in these cases, is Chase fearmongering, or are they a victim of fearmongering by Google, Micro$oft, Mozilla, etc.? All those companies are constantly telling us that a dire fate awaits anyone who doesn't stay on the very latest version of their browsers. Did Chase just buy into the hype? I thought it odd that Chase will accept Chrome 106 on Android, but require Chrome 109 in the UA if it admits the OS is Windows. I suppose it's possible there's a vulnerability in Chrome 106-108 that only affects Windows, but it seems more likely they're just requiring the latest versions that will run on Android 6 or Windows 7. And what's up with rejecting Edge 109 if Chrome 109 is OK? None of it makes much sense to me.
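Added example, not taken from any of the posts above or from the projects they mention: a small Python inspector for the RIFF/WEBP container that reports which image chunks a file carries (the "VP8 " lossy bitstream, the "VP8L" lossless bitstream, or a "VP8X" extended header followed by one of them). Posts 5 and 7 point out that the 2023 bug lived in the lossless codec, so a defender triaging a file from mail or a forum upload can use this to see whether the file even reaches that decoder path, and to reject files whose declared chunk sizes do not fit inside the container before any image library touches them. The `build_webp` helper and the sample byte strings are constructed here for the demonstration; they are not real pictures and do not decode to an image.

```python
import struct

# WebP chunk FourCCs defined by the container format (real identifiers).
CODEC_CHUNKS = {
    "VP8 ": "lossy (VP8)",
    "VP8L": "lossless (WebP lossless codec)",
    "VP8X": "extended header (look at the following chunks for the codec)",
}


def _parse_chunks(data, offset, end):
    """Walk RIFF chunks in data[offset:end]; return (fourcc, payload_size) pairs.

    Raises ValueError if a chunk claims more bytes than remain, which is the
    kind of inconsistency a decoder should never be asked to trust.
    """
    chunks = []
    while offset + 8 <= end:
        fourcc = data[offset:offset + 4].decode("ascii", "replace")
        size = struct.unpack_from("<I", data, offset + 4)[0]
        payload_start = offset + 8
        if payload_start + size > end:
            raise ValueError(
                f"chunk {fourcc!r} declares {size} bytes but only "
                f"{end - payload_start} remain in the container")
        chunks.append((fourcc, size))
        # RIFF pads odd-sized payloads with one byte so chunks stay word aligned.
        offset = payload_start + size + (size & 1)
    return chunks


def inspect_webp(data):
    """Return a summary of a WebP file: its chunks and which codec paths it uses."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"WEBP":
        raise ValueError("not a RIFF/WEBP container")
    riff_size = struct.unpack_from("<I", data, 4)[0]
    if riff_size + 8 > len(data):
        raise ValueError(
            f"RIFF header claims {riff_size + 8} bytes, file has {len(data)}")
    chunks = _parse_chunks(data, 12, 8 + riff_size)
    fourccs = {fourcc for fourcc, _ in chunks}
    return {
        "chunks": chunks,
        "lossy": "VP8 " in fourccs,
        "lossless": "VP8L" in fourccs,
        "extended": "VP8X" in fourccs,
        "codecs": [CODEC_CHUNKS[f] for f, _ in chunks if f in CODEC_CHUNKS],
    }


def build_webp(chunks):
    """Constructed helper: assemble a RIFF/WEBP container from (fourcc, payload) pairs."""
    body = b"WEBP"
    for fourcc, payload in chunks:
        body += fourcc.encode("ascii") + struct.pack("<I", len(payload)) + payload
        if len(payload) & 1:
            body += b"\x00"  # RIFF padding byte
    return b"RIFF" + struct.pack("<I", len(body)) + body


# Constructed samples: only the container layout is meaningful, the payloads are filler.
# (0x2f is the real VP8L signature byte; the rest of the payload is not a valid bitstream.)
SAMPLE_LOSSLESS = build_webp([("VP8L", b"\x2f" + b"\x00" * 4)])
SAMPLE_LOSSY = build_webp([("VP8 ", b"\x00" * 10)])
SAMPLE_EXTENDED = build_webp([("VP8X", b"\x00" * 10), ("VP8L", b"\x2f" * 5)])
SAMPLE_TRUNCATED = SAMPLE_LOSSLESS[:-3]  # header still promises the full length


if __name__ == "__main__":
    for name, blob in [("lossless", SAMPLE_LOSSLESS), ("lossy", SAMPLE_LOSSY),
                       ("extended", SAMPLE_EXTENDED), ("truncated", SAMPLE_TRUNCATED)]:
        try:
            info = inspect_webp(blob)
            print(f"{name}: chunks={info['chunks']} codecs={info['codecs']}")
        except ValueError as err:
            print(f"{name}: rejected ({err})")
```

A file that is flagged `lossless` is one whose decoding would run through the lossless (Huffman-based) code path; a file that is rejected here never needs to be handed to an image library at all. The check is deliberately structural and says nothing about whether the bitstream inside is benign.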