Slashdot Mirror
Mozilla Developers Respond to Malware
An anonymous reader writes "Last week's well- publicised (and quickly fixed) security hole in Mozilla, Firefox and Thunderbird reminded the Slashdot faithful that Mozilla is not invincible and that it is now big enough for malware (virus and spyware) authors to target. MozillaZine has a short article on this topic, looking at the rise in attacks aimed at Mozilla and how the developers are responding."
I'm quite happy to see that the Mozilla team is pro-active in fixing the bugs that could allow MalWare to install unchecked.
Yet, a base Mozilla 1.7 downloaded right after release will have this issue for a very long time. This situation is worse, in one big way, than the Internet Explorer issues; Mozilla users 'feel' safe. Non-techies that use Mozilla assume it's 'safe' because a geek once told them that this is the case.
I've been an Open Source supporter for quite a long while, but the days of relative desktop safety for F/OSS cross-over users is coming to a close.
And, I'm probably not the only one who "shivers", when reading, "... almost a carbon copy of the new Internet Explorer Information Bar ..."
There's no way to defend that.
Kinetic stupidity has a new brand leader: Allen Zadr.
Will be how fast the community can fix these types of issues compared to M$'s response time.
I think we all know that whatever is the popular software is what will be targeted so the big difference maybe how it's responded to.
"If any question why we died, Tell them because our fathers lied."
I know we all like to take jabs at Microsoft, but really people, we will take these comments more seriously if you don't make your little "witty" changes to the names. IE: no more "M$, Micro$oft, Internet Exploiter"..etc
if people are going to start targetting mozilla for exploits, then we can see the true difference between security/stability of OSS vs proprietary products. i have no doubt that mozilla will come out in the lead, because in being open source when there IS a problem, it is fixed in a timely manner :)
There is a fine line between easy to use and easy to exploit. Let's not repeat the mistakes of others.
UNIX/Linux Consulting
It was widely reported that a flaw was found in 'Mozilla' which was not correct. The flaw was in the Shell: protocol on Windows. That's why the alleged 'flaw' in Mozilla did not exist on non-Windows platforms. The only 'flaw' in Mozilla was its failure to block the use of the shell: stuff on Windows (which the patch now does).
The shell: vulnerability is a bad example. Other things like buffer overflows are pertinant, but will not support the idea that open source is any more or less prone to attack. Bugs occur in any software.
What has not yet occured is a plug-in or extension for Mozilla/Firefox that is similar to the kinds of spyware/malware that has been developed for IE. If the "AOL crowd" starts dumpping IE for Mozilla/Firefox, spyware/malware authors will have a reason to invest their time and money into developing such applications. Seriously, how will the Mozilla team ensure somone doesn't intentionally install an extension because some website told the user that it will "accelerate their web experience for free?"
It wasnt just Mozilla Firefox and the like.
And there's the rub. As was reported before, the problem with Mozilla was only on Win32 platforms. Then, it comes out that MSN IM and Word are also affected with this problem. So, truly the bug lies in Windows. Why this point isn't getting more press, I am not sure, but it really should.
Mozilla is Open-Source Software, therefore any exploits there may be, are easily discoverable, in this aspect, proprietary code would seem more invincible by default eh? OSS is more than just a team working on a project, it is a quest by those to search for better and more stable software. I ask you today, since that OSS relies on contributers of code to fix many bugs that may pass by developers, and therefore can we really blame Mozilla for the exploits in their code? Look at Microsoft for instance, when their code was proprietary, exploits were found with brute force, when the Windows 2000 source code leaked, a person made a BITMAP to exploit the core of the OS, tell me, which is worse?
Karma: Good, or bust!
That depends. Does the link promise free pr0n, money, or chocolate? Or does the link say it will find and destroy malware or pr0n on your system.
Social engineering is the most effective exploit of any system.
I'm in the hole of the broadband donut.
No, the bug was in Windows XP's handling of the shell: protocol. It can be exploited to run arbitrary code. When this was found out, Mozilla team released a patch to prevent shell: protocol links from working, cutting off access to the real culprit in Windows, which won't be fixed until SP2 for XP.
The 'bug report' opened at Mozilla in 2002 was essentially trying to deal with the way Mozilla handles unknown protocols. The normal way was just to pass them to the OS.
E.g. since aim: isn't recognized by Mozilla, an aim: link would be passed to the OS, and if you had AOL IM installed, it would have registered to handle that protocol. (Often used to install a new "buddy icon.")
I believe Mozilla is now going to allow you to let certain protocols through, instead of allowing all.
So it's QUITE a stretch to say that this exploit bug we're talking about is (a) in mozilla, and (b) around since 2002.
Ironically, the word ironically is often used incorrectly.
K-meleon, Moz based browser I use (and have for 3 years both at home and here at work on winders) was fixed by the users with a simple User_Pref
Which is exactly how it's actually fixed on normal Mozilla and Firefox as well. What's your point? That there absolutely shouldn't be a fix easy enough for non-techies to use just because it can be done by fudzing around the hidden config system?
Who needs a 20Mb download, huh?
The people who couldn't possibly understand even about:config, or well, not really, they could always just install the 512 byte shellblock.xpi
Here's the hole in that theory: no one has ever successfully sued Microsoft for technology problems with MS products. Worms, viruses, etc have all cost reported billions of dollars (real cost unknown, but obviously significant), yet MS does not bear the consequences of those losses.
The question of whether it is possible for us (as a species) to build completely error free systems (thus making it feasable to hold vendors responsible for mistakes) is for another time. The possibility that software is more abstract and thus more complex for humans than any other form of commercial engineering maybe the case.
This is not to let MS off the hook. In my dealings with them, the company in the past has tended to let the marketers write the program specifications, often over the objections of actual engineers. The difference in perspective between a salesperson and an engineer is significant with regards to long term security and reliability.
Yeah, yeah. Point is, Mozilla shouldn't have been affected at all (like Opera, for example).
Yeah, Opera never suffers from security problems!
Gimme a break. No fancy software is secure.
Ironically, the word ironically is often used incorrectly.
Disclaimer: My post is about the "let me make name changes I think are clever and funny" trend and not the parent poster.
As opposed to people massively using names like "Lunix" or "open sores"?
I've... never seen anything like that used here on Slashdot. Not ever.
That's not saying it hasn't been, but it's sure a hell of a lot less common.
As long as those MS zealots don't disappear, expect names like "M$".
Wouldn't you rather be the bigger person?
Personally, I'd rather have intelligent discussion about the strong and weak points of various OS/software/languages/etc. here than stupid name calling. Maybe it's just my own prejudices, but when I see a post with that kind of crap, I assume I'm as likely to get reasonable discourse out of the post as I am to get a fair and balanced opinion about non-Causasians from a member of the KKK. I skip to the next post.
(I also assume the poster lives in their parents' basement and has never touched a real girl, but I keep that to myself. That'd be unfair and non-constructive name-calling, too.)
It will be interesting to see how OSS developers handle a full court press by maleficent hackers. For all talk and criticism about Microsoft's security responses, I don't believe OSS has ever encountered the concentrated, unrelenting targeting Microsoft has to endure. Will OSS have the organization and time to endure what Microsoft has to endure?
On another note...
I wonder, at the rate we are going, with millions of full featured operation systems connecting to the internet, if all of these security issues will slowly make the internet useless. Perhaps it is time for a major paradigm change. Perhaps we should do away with idea of full featured operating systems existing on millions of PCs, and get back to the old mainframe idea, with users connecting to a central, secure OS/server using a dumb terminal. After all, a handful of servers are defendable. Millions of fully featured PCs will never be defendable, and will always be a threat to one another.
The internet is fast enough that a rich, powerful GUI interface into such a remote OS/server is feasible. A company, such as Microsoft, IBM, etc., could sell access to a secure OS/Server. I think enough people have a robust internet connection to make this practical.
If you develop for Windows, you have to develop for it as it is. That is, you have to expect that things aren't secure in the way you like them to be or don't work the way you might like them to work.
The attitude Mozilla should have that they should only call library and OS interfaces on each OS that they can have a reasonable expectation to be safe and secure in practice. That is, they need to orient themselves not only based on what they think an API ought to do or how the API ought to behave, but what it actually does. If they don't, then some of the blame for security holes will fall on Mozilla.
In this case, the Mozilla developers knew what the API they were calling did. As I understand it, they had even known of the possibility of the shell: exploit for quite some time. Furthermore, the security hole could have been fixed in Mozilla, yet the Mozilla chose not to do anything about it. The secure thing for Mozilla to have done would have been only to hand over a few known protocols to the OS for handling (mailto: and maybe ftp:), and only if Mozilla first verified that the entire URI was, in fact, valid and harmless.
Bombarding the user with incorrect, jargony warnings rarely improves security. It also leads to "dialog fatigue", which reduces security in the long run.
The shareholder is always right.
Are you serious? You're saying that an operating system that let anybody use it by simply selecting 'Cancel' on the login screen (if even enabled), is more secure than Windows 2000/XP. Madness.
Folks - this is not just a Mozilla/Windows problem. Just a few short weeks ago, a lot of noise was made about a very similar URI exploit on Mac OS X, both through any browser that runs on OS X (noise was made about Safari, and I verified that the exploit was also present in Camino) and OS X's help system.
Because of the seemingly general nature of this type of exploit - why are we letting browsers run code ?? The web SHOULD primarily be to exchange information (text, images, audio, video). Why are we allowing remote program execution?
It's also much more reliable, and on higher end systems, seems much faster than Win9x, unless you are badly starved for memory (say, less than 256MB.)
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
This brings up an interesting concept. It has been the conjecture of most people on this forum that opensource is more secure because it's more freely examined. This doesn't hold true if the opensource code in question is never actually examined.
A number of years ago, an initiative was created to make FreeBSD the most secure operating system on the planet. OpenBSD is the result, and I have to say that they did a darn fine job of it.
I'd like to propose that the Opensource community do the same thing with Mozilla. Start a line-by-line security audit of the Mozilla code base. Leverage the opensource massively distributed model and create the first browser that can be called truely secure.
If you don't want to do it to create a truely awesome product, then just do it to rub Microsoft's nose in something that they are completely incapable of. *evil grin*
Wake up - the future is arriving faster than you think.
By your logic, Apache webservers would be paying the "price of success". In reality, it is Microsoft IIS servers that are suffering security breaches, despite the fact that IIS runs far fewer websites than Apache.
PJRC: Electronic Projects, 8051 Microcontroller Tools
It is slightly worrying. What's *more* worrying is that, in a proprietary software company, the software package might have been *released* like that, because no one on the devel team thought it was a bad idea. That's the beauty of open-source -- you're bringing many, many eyes outside the devel team to look at and critique your design decisions, and if something is flawed, someone will notice it and persuade people with CVS access to fix it, many times before the software in question is released. In a sense, we're *all* part of the devel team, if we want to be.
Go Mozilla!
Not patch your Linux version, but perhaps start trusting it less. The lesson for Linux users here, is that the Mozilla designers apparently trust the host OS more than you would expect -- they were willing to expose an interface that you would think of as local, to the internet. That should raise any Linux user's eyebrows. It reveals an error in thinking, that suggests that Mozilla-on-Linux expoits certainly aren't out of the question.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
The advantage to open source, in this situation, is that this is transparent and everyone can look in on the process. We can see, in hindsight, where the mistake was made (choosing a blacklist strategy instead of whitelist or user confirmation). And then we (the whole community, not just Mozilla) can try to avoid making the same mistake again.