Mozilla Developers Respond to Malware
An anonymous reader writes "Last week's well-publicised (and quickly fixed) security hole in Mozilla, Firefox and Thunderbird reminded the Slashdot faithful that Mozilla is not invincible and that it is now big enough for malware (virus and spyware) authors to target. MozillaZine has a short article on this topic, looking at the rise in attacks aimed at Mozilla and how the developers are responding."
Wasn't this bug known for a while, and only just recently issued a fix?
I'd still rather use a marginally flawed Mozilla browser than a fully dysfunctional Intercourse Exploiter browser
--- I'm going to get a score of -1 for this post because the mods are fuckers.
I'm quite happy to see that the Mozilla team is pro-active in fixing the bugs that could allow malware to install unchecked.
Yet, a base Mozilla 1.7 downloaded right after release will have this issue for a very long time. This situation is worse, in one big way, than the Internet Explorer issues; Mozilla users 'feel' safe. Non-techies that use Mozilla assume it's 'safe' because a geek once told them that this is the case.
I've been an Open Source supporter for quite a long while, but the days of relative desktop safety for F/OSS cross-over users are coming to a close.
And, I'm probably not the only one who "shivers", when reading, "... almost a carbon copy of the new Internet Explorer Information Bar ..."
There's no way to defend that.
Kinetic stupidity has a new brand leader: Allen Zadr.
Will be how fast the community can fix these types of issues compared to M$'s response time.
I think we all know that whatever is the popular software is what will be targeted, so the big difference may be how it's responded to.
"If any question why we died, Tell them because our fathers lied."
Why do they justify themselves when they just brought an excellent fix within a tiny lapse of time?
Trolling using another account since 2005.
Some Microsoft products were affected also.
This is precisely the reason Firefox was equipped with thought-guided missiles... to destroy unseen threats.
Linux is to the internet as Duct Tape is to the Universe.
This, coupled with the fact that Moz/Firefox is already more secure than IE, means Moz users are not invulnerable, but we have a better chance than the IE crowd.
If moz gets too bad, I'll just switch to Opera. What we need in the long run, is to have a totally new browser developed about 6 times a year. If everyone switches browsers every other month, these malware stooges will be put in their place.
I think that there is a major disadvantage when it comes to attacking the Mozilla series of applications -- they are all on multiple operating systems. It's worth noting that this bug was only found on Windows systems operating Mozilla, and while this may be the largest base of people using the program, I get the impression that a lot of Linux and OSX folks are using them as well. Yet everyone is so eager to jump on Mozilla for having a bug, even though it only affected one of the operating systems. I think that's a pretty good track record, especially with the speed that it's been fixed in. I'd like to see that with IE.
If that's not good enough... just install the Internet Explorer skin for firefox.
If people are going to start targeting Mozilla for exploits, then we can see the true difference between security/stability of OSS vs proprietary products. I have no doubt that Mozilla will come out in the lead, because in being open source, when there IS a problem, it is fixed in a timely manner :)
There is a fine line between easy to use and easy to exploit. Let's not repeat the mistakes of others.
UNIX/Linux Consulting
It's nice to see that Mozilla is attracting a bigger crowd of users, but the developers should take this thread seriously.
I am an avid FF user, and like a chain of events ever since the flaw was publicised, I have seen how FF can't handle certain web sites and find myself opening MSIE. I just feel so dumb. Still, FF rules and we all know it. It's like they opened Pandora's box!
It was widely reported that a flaw was found in 'Mozilla' which was not correct. The flaw was in the Shell: protocol on Windows. That's why the alleged 'flaw' in Mozilla did not exist on non-Windows platforms. The only 'flaw' in Mozilla was its failure to block the use of the shell: stuff on Windows (which the patch now does).
"Note that this only affects users of Mozilla and Firefox on Windows XP or Windows 2000."
Actually I think the biggest marketing achievement in the last 10 years was Microsoft convincing the public that Win2000/XP is more secure than Win9x.
Rest assured, if Firefox ever does make it big time, ~20-30% of browsers, malware writers WILL exploit any hole they can find.
Hopefully the developers will be quick enough to fix it, but will users be sharp enough to get the patches? I think automatic updates for Firefox are what is needed to ensure users have less to worry about. I know myself that the patch for the shell exploit was not a simple matter of clicking "search for updates", as the update program times out after 2 secs.
Firefox won't be immune to the legions of spammers, crackers, marketers and pornographers which have already begun to exploit it. With some kind of autoinstaller/updater or a faster update cycle users could be confident that whatever new tricks the spammers come up with, the fixes will be prompt. Hopefully anyway.
I know autoinstallers aren't in vogue, for many good reasons. But if it's just for one, largely self-contained program, would it really be so bad?
Maybe at the very least Mozilla could have a list of critical, anti-spam and other update categories. Or would that just confuse people?
May the Maths Be with you!
These exploits are just the price of success in the browser business. I have no doubt that Mozilla products are more secure than IE, but even if significant holes are found, I'll put the turnaround time for the fix up against MS's track record any day.
"The problem with internet quotations is that many are not genuine" -Abraham Lincoln
I thought Mozilla WAS the response to malware.
Now let us hope that there are no spoofing mechanisms discovered that result in users believing they're on one of the whitelisted sites to allow such installations. As someone on that board had already pointed out, allowing all of mozilla.org as a means to install code can result in people taking advantage of bugzilla.mozilla.org and ftp.mozilla.org.
You know, I really appreciate hearing from developers who recognize a potential threat and are informing us how they are working to fight the problem. Their method might be taking a page out of Internet Explorer for SP2, but if it works then it's good.
This story comes at a perfect time for me. I'm a Mozilla diehard, and I just ran Ad Aware 6 to find that some malware bypassed security (even Norton Internet Security) to install itself. One of the progs I found was malware called Winfavorites, and although Symantec says this is detectable malware, I had run Norton Antivirus and it went undetected. Looks like it's smartest to run a combination of programs just in case!
I might add that I don't blame Mozilla for it. I blame the programmers who sell their soul for cash to these unscrupulous companies only looking to profit while hurting the systems they populate.
The dangers of knowledge trigger emotional distress in human beings.
As Mozilla browsers become more popular, and thus face credible threats on the scale that IE has been facing, this may well be the breaking point for OSS in general.
Business types are afraid of OSS mostly for the fact that it's "unsupported." To them, support doesn't mean having developers on hand to fix problems so much as it does having someone to blame when things go wrong. As long as someone else is fiscally responsible for their technology problems, their customers/shareholders are happy.
They won't admit to believing the above, but it's true: I have first hand experience with it. They'll say that they need the support to protect them from threats and vulnerabilities. They cite Microsoft's patches and updates as proof that the support is useful. They claim that OSS is only safer because no one targets it, and thus the threats aren't as severe. They don't believe any of that, but it's what they use to rationalize their decisions.
If Mozilla continually and expertly deals with these vulnerabilities, that argument will fall flat. They'll either have to admit just what they're -actually- paying for when they claim "support," or they'll at least begin to look into OSS alternatives.
At least, that's what I hope ^_~
GeekNights!
Late Night Radio for Geeks!
The shell: vulnerability is a bad example. Other things like buffer overflows are pertinent, but will not support the idea that open source is any more or less prone to attack. Bugs occur in any software.
What has not yet occurred is a plug-in or extension for Mozilla/Firefox that is similar to the kinds of spyware/malware that has been developed for IE. If the "AOL crowd" starts dumping IE for Mozilla/Firefox, spyware/malware authors will have a reason to invest their time and money into developing such applications. Seriously, how will the Mozilla team ensure someone doesn't intentionally install an extension because some website told the user that it will "accelerate their web experience for free?"
- Enable Javascript
- Enable install from XPI locally and globally
- Click on a Javascript link on a WWW page (which would be shown in status bar) (N.B. Mozilla does not execute XPI-related JS automatically--the user must have clicked the link)
- Wait a few seconds while watching a very large uncancellable dialog box saying "A website is requesting permission to install the following item", giving full details of the program it is installing (including its signatures in big red letters, its name and its URI), and saying in big bold letters, "Malicious software can damage your computer or violate your privacy. You can only install software from source you can trust."
- After waiting a few seconds, you then had to press a button labelled "install now".
I'm guessing that even some ex-MSIE users might not go through all that on the request of a malicious WWW site they have found. I digress.
Joe Llywelyn Griffith Blakesley
[This post is in the public domain (copyright-free) unless otherwise stated]
Last week, right before this news, there was news that a lot of people switched to FireFox because of the vulnerabilities in IE.
Who's going to tell them now that they should upgrade their FireFox to the fixed version, because there was a problem?
It doesn't really matter that it was fixed quickly. The people that didn't install updates for IE, won't install the updates for their brand new FireFox either. Sadly.
I believe posters are recognized by their sig. So I made one.
Why have "XPI" at all?
My Opera seems to work just fine without any such exploitable technology.
I can't speak for them, but if I were the public relations for the project, I'd say, "we're going to trust Windows' protocol handlers a lot less." Just like how Windows' flawed design makes it dangerous to use Windows' shell functions to decide what to do with various filetypes, the Moz devs are going to have to include special testing procedures for their Windows releases to determine how underlying design flaws can make a third-party product vulnerable.
I think the Mozilla Project got a bum rap on this one. When an XP service pack fixes the same issue in all affected products (including IE and Word), I'm inclined to think that it was a Windows problem to begin with.
Fred
"A fool and his freedom are soon parted"
-RMS
Mozilla is Open-Source Software; therefore any exploits there may be are easily discoverable. In this aspect, proprietary code would seem more invincible by default, eh? OSS is more than just a team working on a project; it is a quest by those who search for better and more stable software. I ask you today: since OSS relies on contributors of code to fix many bugs that may pass by developers, can we really blame Mozilla for the exploits in their code? Look at Microsoft, for instance: when their code was proprietary, exploits were found with brute force; when the Windows 2000 source code leaked, a person made a BITMAP to exploit the core of the OS. Tell me, which is worse?
Karma: Good, or bust!
K-Meleon, the Moz-based browser I use (and have for 3 years, both at home and here at work on winders), was fixed by the users with a simple User_Pref.
Who needs a 20Mb download, huh?
Nick
Clearly, those in the press who live in the pocket of the redmondians would have us believe that this is a good reason not to stop using I.E. After all, you may go to all the trouble of switching and still not have nirvana.
Well, even if the beta versions of Mozilla aren't instant nirvana; they're already more secure, more stable, faster, smaller, and better looking.
The mozilla browser also comes with better karma, and I've heard some people have regrown hair, enlarged body parts, and improved their sex lives simply by switching.
The problem with quotes on the internet, is that nobody bothers to check their veracity. -- Abraham Lincoln
I think it's obvious that the big advantage that Free software users will have over people using Microsoft's software (and other proprietary software, for that matter) is the speed with which fixes occur (the article touches lightly on it). Release early, release often, remember? That applies to bugfixes and security patches too. I think that as soon as there is a semi-automated way to distribute fixes to people with less technical knowledge in a trusted and secure way, then Free Software will very quickly become a mainstream alternative for the noobs and grandmothers.
The flaw certainly affected Firefox, but given that it also affected things like Microsoft Word, was Firefox itself necessarily targeted? That is, did the guy who came up with the exploit have Firefox in mind?
The difference may seem irrelevant, but if Firefox wasn't targeted, it means that the evil will of the cracker community has not yet been turned to finding the bugs in Firefox the way that they have in IE. I'm pretty sure Firefox will fare better than IE did, but when you've got so much effort aimed at a product, and with the source available, they will find any easily-findable bugs.
If they did target Firefox, then we begin to have some idea how many security bugs there really are in Firefox, by seeing the rate at which new exploits appear. Thus far, the answer is "quite slow", and I hope that's because people are targeting it and failing.
You just have to love how easy it is to install this Mozilla patch. What IE fix works this simply? Open page. Click link. If this were IE, there would be one, minor, takes-forever step now: Restart computer.
www.homestarrunner.com ?
requires flash.
They've got to stop websites from being able to push downloads without any user-intervention.
I'm seeing increasing numbers of sites linking to this presumably dodgy site (which I'm not making a hyperlink; visit at your own risk):
xxxtoolbar.com
which automatically attempts to download some "netscape_toolbar.exe".
Regardless of my settings on Firefox, it seems I cannot prevent it popping up a download dialog for the file; thank goodness AdBlock allows me to remove the site completely.
see http://secunia.com/advisories/12048/
Join Team Mozilla #38050 Folding@home
Whole of mozilla.org?
by dave532
Tuesday July 13th, 2004 1:30 AM
"Mozilla Firefox 0.9 just allows update.mozilla.org (though this has since being expanded to the whole of mozilla.org)."
Allowing the whole of mozilla.org is a bad idea because bugzilla.mozilla.org can allow anyone to upload a malicious XPI
To:
Re: Whole of mozilla.org?
by Ben_Goodger
Tuesday July 13th, 2004 3:44 AM
good point. fixed.
I will work to elevate you, just enough to bring you down
Serial Meta Moderator
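The exchange above (and the earlier spoofing worry about bugzilla.mozilla.org and ftp.mozilla.org) comes down to how the install-site allowlist matches hosts. The following is an added illustration, not Firefox code: it compares a bare string-suffix check, a dot-anchored domain-suffix check ("the whole of mozilla.org"), and an exact-host allowlist holding only update.mozilla.org; the allowlists are constructed for the example.

```python
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Constructed allowlists for illustration; not Firefox's actual configuration.
SUFFIX_ALLOWLIST = ("mozilla.org",)                  # "the whole of mozilla.org"
EXACT_ALLOWLIST = frozenset({"update.mozilla.org"})  # the narrower Firefox 0.9 rule


def install_host(url: str) -> Optional[str]:
    """Return the normalised host an XPI would be fetched from, or None if the
    URL is not a plain http(s) URL with a host (userinfo and port are dropped)."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname.lower().rstrip(".")


def allowed_bare_suffix(url: str) -> bool:
    """Sloppy check: plain endswith(), no dot anchoring, so evilmozilla.org passes."""
    host = install_host(url)
    return host is not None and any(host.endswith(d) for d in SUFFIX_ALLOWLIST)


def allowed_domain_suffix(url: str) -> bool:
    """Dot-anchored suffix match: the domain itself or any subdomain of it.
    Correctly rejects evilmozilla.org, but still admits every *.mozilla.org host,
    including ones where arbitrary users can upload files."""
    host = install_host(url)
    if host is None:
        return False
    return any(host == d or host.endswith("." + d) for d in SUFFIX_ALLOWLIST)


def allowed_exact_host(url: str) -> bool:
    """Exact-host allowlist: only the named update host may offer installs."""
    host = install_host(url)
    return host is not None and host in EXACT_ALLOWLIST


def compare_policies(url: str) -> Tuple[bool, bool, bool]:
    """(bare suffix, dot-anchored suffix, exact host) decisions for one URL."""
    return (allowed_bare_suffix(url),
            allowed_domain_suffix(url),
            allowed_exact_host(url))


if __name__ == "__main__":
    for u in ("https://update.mozilla.org/extensions/foo.xpi",
              "https://bugzilla.mozilla.org/attachment.cgi?id=1",
              "https://evilmozilla.org/foo.xpi",
              "https://update.mozilla.org.attacker.example/foo.xpi"):
        print(u, compare_policies(u))
```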
Hogwash. The reason there are NO viruses for unix is because of structural differences in the OS. Anyone with half a brain knows this. If malware is installed on a unix box, it is completely because of the actions of an admin.
So when I read "that it is now big enough for malware" in regards to a solid project that has been around for years, and has had a wide userbase for quite some time, I'm a bit irked. I start to wonder when taco got his MCSE, and how much the microsoft advert $'s are getting to him. Call me cynical, but it's been big enough. Do not try to pass that horse crap. Secondly, the mozilla problem wasn't even a mozilla problem - mozilla was just running a MS product that had the problem.
Not saying unix/linux/oss et al. is "bulletproof," that it has no security problems, or whatever. But let's not make erroneous casual remarks, ok? They only serve to confuse people.
I was hoping they would do something about the protocol problem, and default to not allowing unknown or unexpected OS-handled protocols or helper applications.
This new dialog would be a great place to add
'$webpage is attempting to display an image from exploit:format+c:\'
so that by default new registered protocols and helper applications would be blocked rather than permitted until the user explicitly whitelists them.
Helper apps, too:
'Should $file.pdf be opened with the Adobe Acrobat plugin? [always] [always for this site] [just this once] [no] [never for this site] [never]'
I'm tired of going in and re-removing 'automatically perform the associated action for each of the following file types' over and over and over again.
What browser is it that script kiddies and virus writers are using, if not Mozilla? I never would have conceived of them going after someone that's NOT MS.
So what, should I switch to Lynx? or is there an undisclosed hole in that too?
I think he means, for developers. the OSS community as a whole.
I work for IBM. Unsupported things don't get fixed any slower than supported things. The only difference is that supported things that fail don't get blamed on the departments that run them.
It's probably too late, historically speaking, to do this, but not only should plug-ins be complicated to install (requiring a separate download-unpack-install-from-shell and not within browser), but getting site-provided code to run locally should be hard as well, *always* requiring an active acknowledgement generated by the browser (perhaps with an increasingly severe security warning depending on what functions the code contains) to begin execution of the code, along with a failsafe stop/start switch unscriptable by a site that the user could hit if they didn't like the results.
If there were numerous obstacles to running site-provided code locally, then the end-user uptake would be very low, and if it was low, sites wouldn't be built that required it, and if sites didn't require it, people wouldn't have it installed in the first place -- creating a "good" catch-22 situation where browser exploits just wouldn't exist.
But it's probably too late. People have assumed that the browser is a generic container for client-server applications and everyone expects to be able to run code locally, and the code they expect to run is the worst kind -- ActiveX controls with tentacles buried deep in the OS.
It seems to me that any program that provides a framework to allow third-party extensions to hook in could be exploited. The real problem is, and will continue to be, the vast majority of ordinary Windows users running everything with administrative privileges.
What's to prevent a malware programmer from coding an extension that, while performing some legitimate task, is also a rudimentary keylogger?
I'm sure I'm not the first to say this... but... how about people who release plugins actually sign them? Then we can build our trust network around that, not where you are downloading it from.
My 2cents
Kurt
... is a Pope of safe web browsing counseling abstinence, who everyone loves but no one takes seriously.
I'll volunteer. All I need is a Pope hat.
While I agree with your general point, (I've always found Winblowz particularly irritating), I have to disagree on the specific. M$ is a widely used and unambiguous abbreviation, the more correct MS has multiple meanings. So, unless the context makes it very clear M$ will do for me. Having said that I tend to use MS.
It will be interesting to see how OSS developers handle a full court press by maleficent hackers. For all talk and criticism about Microsoft's security responses, I don't believe OSS has ever encountered the concentrated, unrelenting targeting Microsoft has to endure. Will OSS have the organization and time to endure what Microsoft has to endure?
On another note...
I wonder, at the rate we are going, with millions of full featured operation systems connecting to the internet, if all of these security issues will slowly make the internet useless. Perhaps it is time for a major paradigm change. Perhaps we should do away with idea of full featured operating systems existing on millions of PCs, and get back to the old mainframe idea, with users connecting to a central, secure OS/server using a dumb terminal. After all, a handful of servers are defendable. Millions of fully featured PCs will never be defendable, and will always be a threat to one another.
The internet is fast enough that a rich, powerful GUI interface into such a remote OS/server is feasible. A company, such as Microsoft, IBM, etc., could sell access to a secure OS/Server. I think enough people have a robust internet connection to make this practical.
In this case, it appears that the Mozilla developers had known about the shell: exploit for a couple of years but, instead of protecting users from it, just decided it was Microsoft's problem and left it at that.
Maybe that's better in some academic sense than people accidentally creating security holes they don't know about, but it isn't all that impressive either.
The most important thing to be in a browser is speed and ease of use. I've got IE, an old Netscape, Firefox, and a handful of other esoteric small project browsers. It may be full of holes, but IE is the best when it comes to browsing. I'd love Firefox a lot more if it wouldn't keep telling me "Connection Refused" five or six times before I -finally- get the lucky refresh that lets the page load. IE'll do that right away. Maybe IE just doesn't tell me the connection was refused and keeps retrying for me, but that's -nice-. It's -helpful-. It's damn near -considerate-. I don't want to be George Jetson, pushing a button all the time, just to websurf.
Tho I do like the tabbed browsing. Lets me open a page five times so I can finally get one that doesn't say "Not responding".
If you develop for Windows, you have to develop for it as it is. That is, you have to expect that things aren't secure in the way you like them to be or don't work the way you might like them to work.
The attitude Mozilla should have is that they should only call library and OS interfaces on each OS that they can have a reasonable expectation to be safe and secure in practice. That is, they need to orient themselves not only based on what they think an API ought to do or how the API ought to behave, but what it actually does. If they don't, then some of the blame for security holes will fall on Mozilla.
In this case, the Mozilla developers knew what the API they were calling did. As I understand it, they had even known of the possibility of the shell: exploit for quite some time. Furthermore, the security hole could have been fixed in Mozilla, yet Mozilla chose not to do anything about it. The secure thing for Mozilla to have done would have been only to hand over a few known protocols to the OS for handling (mailto: and maybe ftp:), and only if Mozilla first verified that the entire URI was, in fact, valid and harmless.
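The policy argued for here, and in the earlier post asking that unknown OS-handled protocols be blocked by default, is a scheme allowlist with per-scheme validation before anything reaches an OS handler. The block below is an added example, not Mozilla code: http/https are rendered internally, mailto: and ftp: are handed off only after the whole URI passes a strict check, and every other scheme (shell:, exploit:, anything unregistered) is refused; the allowed mailto header fields and the hostname grammar are constructed assumptions.

```python
import re
from typing import Tuple
from urllib.parse import parse_qs, urlsplit

# Schemes the browser renders itself; everything else is either validated and
# handed to the OS handler, or refused. Both tables are constructed for this example.
INTERNAL_SCHEMES = frozenset({"http", "https"})
MAILTO_FIELDS = frozenset({"subject", "body", "cc", "bcc"})

_SCHEME = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*):")
_EMAIL = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+$")
_HOST = re.compile(r"^[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*$")


def _valid_mailto(uri: str) -> bool:
    """Accept only mailto:addr[,addr][?field=value&...] with well-formed addresses
    and a closed set of header fields."""
    addrs, _, query = uri[len("mailto:"):].partition("?")
    if not addrs or not all(_EMAIL.match(a) for a in addrs.split(",")):
        return False
    return all(k.lower() in MAILTO_FIELDS
               for k in parse_qs(query, keep_blank_values=True))


def _valid_ftp(uri: str) -> bool:
    """Accept anonymous ftp to a plain hostname; refuse embedded credentials."""
    p = urlsplit(uri)
    return (p.hostname is not None and _HOST.match(p.hostname) is not None
            and p.username is None and p.password is None)


# Only these schemes may ever leave the browser, and only after validation.
HANDOFF_VALIDATORS = {"mailto": _valid_mailto, "ftp": _valid_ftp}


def classify_uri(uri: str) -> Tuple[str, str]:
    """Return (decision, detail) where decision is 'internal', 'handoff' or 'block'."""
    # Control characters have no place in a URI and are a classic injection vector.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in uri):
        return ("block", "control characters in URI")
    m = _SCHEME.match(uri)
    if not m:
        return ("block", "no recognisable scheme")
    scheme = m.group(1).lower()          # case-insensitive per RFC 3986
    if scheme in INTERNAL_SCHEMES:
        return ("internal", scheme)
    validator = HANDOFF_VALIDATORS.get(scheme)
    if validator is None:
        # Default deny: shell:, exploit:, and any handler Windows happens to register.
        return ("block", "scheme '%s' is not on the OS hand-off allowlist" % scheme)
    if not validator(uri):
        return ("block", "malformed %s URI" % scheme)
    return ("handoff", scheme)


if __name__ == "__main__":
    for u in ("https://www.mozilla.org/", "mailto:alice@example.com?subject=hi",
              "ftp://ftp.mozilla.org/pub/", "shell:windows", "exploit:format+c:\\"):
        print(u, "->", classify_uri(u))
```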
A vulnerability appears in IE or Outlook, and the Internet is swamped for MONTHS with exploits while MSFT twiddles their thumbs, or tries to make a patch that won't break the OS.
In the world of Mozilla, people get pissed if it takes longer than a week.
The problem of ignorant unpatched users still exists, but having people migrate to something that has a more diligent security team is definitely a step in the right direction. It even helps the IE users. Malware writers are wasting time on multiple browsers, now.
Last week's well-publicised (and quickly fixed) security hole in Mozilla, Firefox and Thunderbird reminded the Slashdot faithful that Mozilla is not invincible and that it is now big enough for malware (virus and spyware) authors to target.
The score is now:
Mozilla - 1
IE - hundreds and still counting...
I like those odds!
IMHO, desktops (GNOME, KDE) are crossing the line and even X itself has some "features" that may lead to exploits if developers aren't careful - remember the window manager is just a program that can actually control other programs on the machine. No application should ever tell another what to do based on untrusted data, that's reserved for the user (clicking a link doesn't count as approval - the link may not do what it claims).
When you add a feature, consider what a criminal might use it for and who the burden will land on to prevent it. With shell: the burden lands on any application you might possibly launch and that's just unacceptable. With a window manager, consider that I may want to offer my display server to some untrusted application (airline reservation system) running on a remote machine - great possibilities and a great security risk. Because so much is accessible through X we don't use it that way.
I'm rambling now trying to gather too many thoughts in too little time.
This keyboard sucks. That would be:
LET M$="Microsoft"
Self awareness - try it!
my personal favorite: LookOut
then there's: microsoftie
Folks - this is not just a Mozilla/Windows problem. Just a few short weeks ago, a lot of noise was made about a very similar URI exploit on Mac OS X, both through any browser that runs on OS X (noise was made about Safari, and I verified that the exploit was also present in Camino) and OS X's help system.
Because of the seemingly general nature of this type of exploit - why are we letting browsers run code ?? The web SHOULD primarily be to exchange information (text, images, audio, video). Why are we allowing remote program execution?
Non-techies that use Mozilla assume it's 'safe' because a geek once told them that this is the case.
I've always told people that Mozilla is much safer. Which it is by most people's standards, but I never imply that it is completely, impenetrably safe.
"...reminded the Slashdot faithful that Mozilla is not invincible and that it is now big enough for malware (virus and spyware) authors to target"
So, by your logic, having security holes in the code of a product is indicative of being "big enough for malware authors to target"? From what I can recall it was a proof of exploit and not actual, functional malware. POEs get written all the time, remember the "OMFG Macs can get v1ruseZZZZ fr0m mp3z0rs!!!" spook a while ago? Yup, that was a POE too. Am I missing something or is the entire tech industry ass-backwards on their logic skills?
Be careful! Bears shouldn't consume large furry dogs.
This brings up an interesting concept. It has been the conjecture of most people on this forum that opensource is more secure because it's more freely examined. This doesn't hold true if the opensource code in question is never actually examined.
A number of years ago, an initiative was created to make FreeBSD the most secure operating system on the planet. OpenBSD is the result, and I have to say that they did a darn fine job of it.
I'd like to propose that the Opensource community do the same thing with Mozilla. Start a line-by-line security audit of the Mozilla code base. Leverage the opensource massively distributed model and create the first browser that can be called truly secure.
If you don't want to do it to create a truly awesome product, then just do it to rub Microsoft's nose in something that they are completely incapable of. *evil grin*
Wake up - the future is arriving faster than you think.
Yes, IE has a lot of issues, but the day FF/Moz is 50/50 with IE (which is fine by me btw), you'll start seeing more of this.
I do hope FF/Moz holds their own and proves more secure - but people shouldn't gloat about FF/Moz 'superiority' until it's really put to the test. IE has like 95% of the market and FF has comparatively little - and hence, little attention from malignant hackers and the like.
If people want to see FF/Moz thrive they should expose and rant at flaws with the same ferocity they do with IE.
'The unexamined life is not worth living' - Socrates
And I have a feeling that no matter how proactive they are from now on, certain people will continue to remain focused on that single incident.
"If they had implemented a whitelist of known-good URL schemes back then, it would have been a proactive security measure."
Yes, that is correct.
"The Mozilla team isn't proactive on security issues."
You do not have support for that statement. The most you can claim is that they are not 100% proactive.
It's easy to take the moral high ground in hindsight.
Now, look at the flaws they have PROACTIVELY dealt with. No ActiveX crap. Which means no ActiveX security holes to deal with. That's proactive.
But you don't see that. Mozilla can head off a HUNDRED security issues by choosing a more secure model, but non-existent flaws do not get reported.
Count the number of holes in IE. Then count the number of holes in FireFox.
FireFox has fewer and FireFox was designed with better security in mind. That is proactive.
Let's say a cracker uses an IE exploit to change the Hosts file to override the DNS lookup for Mozilla.org. This could be used to fool the WhiteList.
Not likely, you say?
The cracker creates an IE-only accessible pr0n site to get Joe-user to launch IE just to see a nudy-pic.
Then he creates a MOZ-only page to force Joe-user to switch again to MOZ to DL the XPI cracker-ware.
It might not be done as obviously as this, but the possibility is there.
Obama's legacy: (N)othing (S)ecure (A)nywhere and (T)error (S)imulation (A)dministration
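The scenario above hinges on a static hosts-file entry overriding DNS for a domain that the install allowlist trusts. The following is an added detection example, not from the original post or from any Mozilla tooling: it parses hosts-file text and reports every static mapping of a name under a protected domain, since those names should only ever be resolved through DNS; the protected-domain list and the sample hosts content are constructed.

```python
import ipaddress
from typing import List, Tuple

# Domains the client's trust decisions depend on (the XPI install allowlist);
# any static pin of these in the hosts file is suspicious. Constructed for this example.
PROTECTED_DOMAINS = ("mozilla.org",)

# Constructed hosts-file content for the demonstration; not from any real machine.
SAMPLE_HOSTS = """\
127.0.0.1\tlocalhost
# local IPv6 entries
::1\t\tlocalhost ip6-localhost
192.0.2.10  update.mozilla.org   # constructed override of the update host
192.0.2.10  www.mozilla.org ftp.mozilla.org
10.0.0.5    intranet.example.local
bogus-ip    something.mozilla.org
"""


def _is_protected(name: str) -> bool:
    """Dot-anchored match: the protected domain itself or any subdomain of it."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in PROTECTED_DOMAINS)


def audit_hosts(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, hostname, ip) for every static mapping of a protected name.

    Handles comments (whole-line and trailing), blank lines, tab/space separators,
    multiple hostnames per line, and IPv4/IPv6 addresses. Lines whose first field
    is not a valid address are not hosts entries and are skipped."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue
        for name in fields[1:]:
            if _is_protected(name):
                findings.append((lineno, name.lower().rstrip("."), ip))
    return findings


if __name__ == "__main__":
    for lineno, name, ip in audit_hosts(SAMPLE_HOSTS):
        print("line %d: %s statically mapped to %s" % (lineno, name, ip))
```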
Who is this "us" you speak of?
Some of us are old farts, and some of us still use Microsoft Windows, and some of us get so infuriated that we have to do something. Slashdot does have a pro-Linux/BSD bias, but for Linux/BSD users there are presumably better resources. For us old Windows users, Slashdot is an essential resource.
It falls back to the classic problem found in modern computer systems where if you present the user a chance to hang themselves they will do it.
Signing a plug-in just validates where it came from but never makes a guarantee that the package does what it says it was designed to do (if it says anything at all!). You can sign malware, and a user not realizing they shouldn't trust the source will happily click "Yes install!"
Signing of installs should always be done but users can not read into the signature more than what it means: Soandso validated these binaries. Implying that a signature is security is dangerous.
What I find funny, is the fact that the author speaks of the often-frowned-upon PROVEN FACT often touted by MSIE users:
/. page, I get bombarded with adware install alerts for mainly "Avenue A". So that begs the question, WTF are adware-serving banners even doing here? /. staff pizza parties? .org or not.
"it is now big enough for malware (virus and spyware) authors to target."
Yep, there it is folks.
The words MSIE users have been waiting to hear.
The admission that SIZE MATTERS.
Folks, myself included, have spoken things like:
"Once a browser/os gets large enough to cause any real damage, or a possibility to damage, or a chance to make money, then the attacks will begin."
Begun this Clone War Has.
Interesting OT note:
Everytime I go to almost any
Anyone else get this?
I thought this was a non profit?
Extra cash for
Your either
For a super anti-MS-ideology site you'd think you would be aware of that by now.
This would be an OS specific solution, but...
Why not have browsers run as a special user, with access limited by default to a special folder (and any sub-folders that it creates) within the home directory of the user invoking it?
This would be analogous to running httpd as nobody, but a bit different. The user could be, say, the normal user name suffixed by ".net" (because it is for use on the net). (OK, so that's a bad joke. You get the idea.) And the logon shell should probably be set to false. (The browser user shouldn't have any home directory of its own.)
I think we've pushed this "anyone can grow up to be president" thing too far.
After doing an upgrade with Synaptic I now have a flaming fox icon on my Gnome toolbar instead of the pitchfork icon.
I'll use anti-virus as an example. Instead of fixing the old macro-viruses (yes, I know they're fixed now, stfu) in Word and Excel, you had to keep your anti-virus signatures constantly updated. It took Microsoft a long, long time to deal with the root cause. Now that they have, macro viruses are few and far between.
So far, I see Mozilla focusing on the root cause of the problems. This is FAR more effective as once you deal with one problem, you have dealt with all the similar problems.
Okay I just downloaded Spybot and ran it with Tea Timer. Guess what? Over 2500 malware objects found and now cleaned. That's *after* running Ad Aware and Norton Antivirus. Jeeeeesus. Thanks for pointing to that software package! :-) /me is grateful!!!
The dangers of knowledge trigger emotional distress in human beings.
If the black hat can change the hosts file he can already execute arbitrary local code, there's nothing to stop him from installing anything else he wants, so there's no point in worrying about whether he can elevate "local system" privilege to "local user" privilege. :)
NOT EVERYONE IS A PROGRAMMER! In fact, MOST people aren't programmers. Most people use computers to do something else. They are secretaries, or businessmen, or musicians, or artists, or janitors, and so on. They lack the requisite skill to fix the problem. And don't get on the geek high horse of "Well, everyone should be a programmer"; that's a load of shit and you should know it. No matter how talented you think you are, I guarantee I can find something you lack the requisite skills to do, and other things you lack the time or motivation to do.
So look, if you want OSS to be considered as a new paradigm and a serious, better alternative to commercial software, then you'd better damn well advocate they act like it, and that means taking responsibility for their projects and fixing bugs in a timely fashion.
Now if you don't like that, it's fine. You can advocate that OSS is a toy for geeks, and you use it at your own risk. However, if that's the case, don't advocate it as a superior solution to the common man.
Oh and PS: Someone did patch it, the Moz Team just ignored it.
I'm not quite sure I agree. I mean, it's one thing to talk about someone using a computer as part of their job handling your money - but most spyware/virus/trojan horse threats are making victims of grandma and grandpa, just struggling to use their computer to email the grandkids, or the stay at home mom trying to scan in medical receipts to fax to her insurance company, or even the college student that's only a casual computer user - but just wanted to listen to some music and get some papers typed up and submitted to his/her professor via the net.
Sure, "ignorance" can be pointed to as the reason they have problems - but it's rather elitist to simply act like it's all their fault for not choosing to invest tons of time in mastering the PC, instead of many other things they might be working on instead.
The fact is, when the "home computer" first came out, it never really made any promises to the general public. It was available, and if it piqued your interest, you bought one, sat down and learned how it worked. Most folks passed on them.
Nowadays, it's a huge industry, and you have everyone from Microsoft to Intel and AMD to your local retailers promising "ease of use" and hawking the fact that "you can't live without one!". If the products allow all of these virus infections and spyware threats to damage the computing experience, they're simply not living up to what they promised. I don't fault the users. An OS designed for the "masses" should be able to prevent malware from damaging things, even if the user clicks some pop-up trying to install a free piece of software.
It's sort of like the "heuristic scanning" features in some anti-virus packages, but taken a step further. Make the OS intelligent enough to know when a program is trying to perform destructive activity and prevent it at the OS level. Assume the user isn't smart enough to "just know" which programs are good and which are bad.
I don't think you can claim copyright retroactively! It starts from the year of publication.
Slate, a Microsoft magazine, urged users to use Mozilla as well; however, I don't think this was a charitable request. Instead: make users use this alternative, Microsoft will sit back and watch as Mozilla gets exploited by malware, make a big shit about it every time (possibly even write their own as well), then come out with a version of IE that isn't exposed to the type of malware that Mozilla is exposed to, and use choice marketing words to get people to download it (even buy it).
Microsoft is gonna use Mozilla as a pawn in the browser wars to re-affirm their grounds in the Browser Monopoly.
You are a moron.
Welcome to moronville.
Population: you.
Of course it did; they had to, because it points out the inconsistencies with some of their arguments. Whether or not it existed as an MS or Mozilla bug shouldn't be the issue; it should be what we can do to fix it now that it's out. I realize that some of you will say that if it was OSS then it would never have happened; can I join you in your Utopian world?
I will say this though, I do agree MS needs to get their head out of their ass and try to correct what is wrong with the software they have instead of building newer versions that have even more problems.
That the story submitter buys into the "it's insecure because it's popular" myth is one thing; for Slashdot to willy-nilly accept it is another. Very odd.
That the "shell://" hole in Mozilla (thereby Firefox and Thunderbird) exists is true; but it is not truly a Mozilla hole; Mozilla passes the unhandled scheme to Windows and Windows serves the hole. It's a Windows hole. MS Word (among others) also is vulnerable to the "shell://" exploit.
This exploit is specific to Windows. Windows is being targeted, not Mozilla.
So, don't just move to a more secure browser, jump to Mac OS X, Linux, and or *BSD for a better Internet Experience.
-- @rjamestaylor on Ello
Hole/Bug/Virus/Worm/etc.etc.etc. score:
Firefox: 1
Internet Exploder: 3876234978561389456238946534298
I'm not sure why Internet Exploder has so many more holes, but I think it might just be because more people use it and more people try to attack it (I doubt that), but I still feel safer using Firefox. The hole has more to do with the OS than it does the browser.
Oh well, I still prefer Firefox.
I think most people prefer Internet Explorer because it's there. I NEVER used IE; I always used Netscape (and now Mozilla), and that was when the battle of the browsers was still big, but I think Netscape was MORE popular. Microsoft cornered the market in Windows 98, when they merged IE with Windows Explorer, so to browse your files you HAD to use IE (today that's still the problem; I wish I could use Firefox as my file manager). IE is only popular because of bundling. I still think Firefox is a more secure browser, simply because it is, and there isn't so much "IE Friendly" HTML. I've noticed that on pages not published with FrontPage or any other MS product, Firefox often looks better, and pages done with FrontPage often still look better in Firefox. I still think Firefox is a more secure browser because it isn't jammed with useless features like IE. I have the "view with IE" extension on Firefox; I NEVER need to use it. The only thing I can think of that can't be used in Firefox is Launch.com. Oh well, stick with Firefox.
At least in ver 1.7 it does. Go to the "Preferences" console in Mozilla. In the Advanced tab, under Software Installation, you can set Mozilla to check for updates weekly and alert you when there are new hotness fixes or versions.
Sleep is futile.
I'd love to see your justification for that remark. Anyone, in fact, please, post a single piece of evidence corroborating what this poster has just remarked.
"The dew has clearly fallen with a particularly sickening thud this morning"
....known fucking MS fuckboy troll alert....
To get the full benefit of using Mozilla etc. they should be run under Linux. Although it is kind of the developers to allow the users of other crippled OSes to try their offerings, it is rather counterproductive. You can't make a silk purse out of a sow's ear.
My faith is expressed through Nihilism. Do you understand?
Ah yes, yet another case of "if my program is crap, then it's _your_ problem. You should drop whatever you're doing and spend your free time debugging my code." Are you naturally this stupid, or do you have to work hard at it?
I don't know whatever gave you the idea that millions of people have nothing better to do than:
1. Learn programming,
2. Learn security,
3. Examine every single bloody line of source code in every program on their computer,
4. Roll their very own patched version of everything,
5. Work on merging their very own patches into every single new version. Then repeat from point 3 anyway.
You're proposing... what? That _everyone_ starts donating half their free time just to save you the bother of debugging your crap? That society as a whole starts spending billions of hours per year just in personalized patches for your bugs? Geesh. The mind boggles.
Let me give you a better idea: OSS is not an excuse to write crappy code. Crap code is crap code, regardless of whether it's OSS or not. Insecure code is insecure code. That's it.
Regardless of what the heck of a license it's under, a program is supposed to solve someone's problem. To _save_ them time, not to waste their time forcing everyone to review your code, patch it, and host their own fork that actually works.
My time is too valuable for that crap.
A polar bear is a cartesian bear after a coordinate transform.
Here's another idea for you: using the shell is the _program's_ responsibility. Passing unchecked parameters from untrusted sources to the shell, is the _program's_ security failure. Not the OS's.
It doesn't even have to do with Windows. The exact same issue existed on the server side, back in the days of web-sites with CGI programs in Perl. Not with a Windows shell, but with a Unix command-line shell.
Every single incompetent's first reaction was to just execute another program, with some unchecked parameters off a form on the command line. E.g., launch a command-line mailer to send the registration confirmation. Just concatenate together a command line out of those parameters, then give it to the shell. (Launching other small utilities is the Unix way, after all. Right?)
Guess what happened? People started noticing that you can do funny stuff to those web pages. E.g., include symbols like ">" or "<" in the input fields, and make it mail the list of names and passwords to you. (Yes, nowadays it's shadowed. Mostly because of that exploit.) And/or turn it into a command line with more than one command.
It's not even limited to shells. The exact same exploit is still coded by incompetent monkeys every day, in dealing with an SQL database. Every burger-flipper-hired-as-a-developer just has to write something like the following. (It's using Oracle, btw, hence the quirk about using '%' as a wildcard.)
sqlCommand = "SELECT * FROM PRIVATE_DATA WHERE OWNER=" + userID + " AND SEARCH_FIELD LIKE '%" + userInputData + "%'"
And they display those records on the web page.
They check the userID all right. (Actually some idiots don't even check that.) But they don't check the userInputData, which comes straight from an input field on the web page.
Then someone types "' OR '%'='" in the input field, without the quotes. Let's say their userID is 666. That select just became:
SELECT * FROM PRIVATE_DATA WHERE OWNER=666 AND SEARCH_FIELD LIKE '%' OR '%'='%'
Oops. It's an OR TRUE, and it selects every single record in that table. Regardless of owner. Congrats, it's an exploit. An attacker can see everyone else's private data.
It's not Oracle's bug. It's a bug of the application which didn't bother checking or quoting that untrusted data.
That's it. You simply pass untrusted and unchecked parameters to _any_ shell, you have a vulnerability. And it's _yours_. It's not the OS's, it's not the shell's. It's yours.
A polar bear is a cartesian bear after a coordinate transform.
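As an added example (not the commenter's code), the concatenated query from the comment above beside a parameterized version, run against Python's sqlite3 in place of the Oracle setup the comment assumes; the PRIVATE_DATA table and its rows are constructed, and the LIKE wildcards are escaped so user input cannot widen the search either.

```python
import sqlite3

# Constructed sample rows standing in for the comment's PRIVATE_DATA table.
ROWS = [
    (666, "alice secret"),
    (666, "alice other"),
    (42, "bob secret"),
    (7, "carol notes"),
]


def make_db():
    """Build an in-memory database with the constructed PRIVATE_DATA table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE PRIVATE_DATA (OWNER INTEGER, SEARCH_FIELD TEXT)")
    conn.executemany("INSERT INTO PRIVATE_DATA VALUES (?, ?)", ROWS)
    conn.commit()
    return conn


def search_vulnerable(conn, user_id, user_input):
    """The comment's pattern: user_input is pasted into the SQL text itself.
    The input ' OR '%'=' closes the LIKE string and appends an always-true OR,
    so the OWNER filter no longer limits the result set."""
    sql = ("SELECT * FROM PRIVATE_DATA WHERE OWNER=" + str(user_id)
           + " AND SEARCH_FIELD LIKE '%" + user_input + "%'")
    return conn.execute(sql).fetchall()


def search_parameterized(conn, user_id, user_input):
    """Hardened form: bound parameters keep the input as data, never SQL,
    and LIKE metacharacters (%, _, the escape char) are escaped so a user
    cannot turn a literal search into a wildcard one."""
    escaped = (user_input.replace("\\", "\\\\")
               .replace("%", "\\%")
               .replace("_", "\\_"))
    sql = ("SELECT * FROM PRIVATE_DATA WHERE OWNER=? "
           "AND SEARCH_FIELD LIKE ? ESCAPE '\\'")
    return conn.execute(sql, (user_id, "%" + escaped + "%")).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '%'='"   # the input from the comment above
    print("vulnerable:", search_vulnerable(db, 666, payload))      # every row
    print("parameterized:", search_parameterized(db, 666, payload))  # no rows
```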
Now if only the scum that spend all their time attacking windows would switch to attacking linux with their hacks and viruses.
Then the truth would be seen.
In high school I took a creative writing class and one story I wrote had reference to a character waving his tentacles around, but my spell checker had changed my attempt at "tentacles" to "testicles". Luckily, I caught the error before handing the story in while reading it in a earlier class.