Slashdot Mirror
Mozilla Developers Respond to Malware
An anonymous reader writes "Last week's well- publicised (and quickly fixed) security hole in Mozilla, Firefox and Thunderbird reminded the Slashdot faithful that Mozilla is not invincible and that it is now big enough for malware (virus and spyware) authors to target. MozillaZine has a short article on this topic, looking at the rise in attacks aimed at Mozilla and how the developers are responding."
I'm quite happy to see that the Mozilla team is pro-active in fixing the bugs that could allow MalWare to install unchecked.
Yet, a base Mozilla 1.7 downloaded right after release will have this issue for a very long time. This situation is worse, in one big way, than the Internet Explorer issues; Mozilla users 'feel' safe. Non-techies that use Mozilla assume it's 'safe' because a geek once told them that this is the case.
I've been an Open Source supporter for quite a long while, but the days of relative desktop safety for F/OSS cross-over users is coming to a close.
And, I'm probably not the only one who "shivers", when reading, "... almost a carbon copy of the new Internet Explorer Information Bar ..."
There's no way to defend that.
Kinetic stupidity has a new brand leader: Allen Zadr.
Will be how fast the community can fix these types of issues compared to M$'s response time.
I think we all know that whatever is the popular software is what will be targeted so the big difference maybe how it's responded to.
"If any question why we died, Tell them because our fathers lied."
I know we all like to take jabs at Microsoft, but really people, we will take these comments more seriously if you don't make your little "witty" changes to the names. IE: no more "M$, Micro$oft, Internet Exploiter"..etc
if people are going to start targetting mozilla for exploits, then we can see the true difference between security/stability of OSS vs proprietary products. i have no doubt that mozilla will come out in the lead, because in being open source when there IS a problem, it is fixed in a timely manner :)
There is a fine line between easy to use and easy to exploit. Let's not repeat the mistakes of others.
UNIX/Linux Consulting
It was widely reported that a flaw was found in 'Mozilla' which was not correct. The flaw was in the Shell: protocol on Windows. That's why the alleged 'flaw' in Mozilla did not exist on non-Windows platforms. The only 'flaw' in Mozilla was its failure to block the use of the shell: stuff on Windows (which the patch now does).
The shell: vulnerability is a bad example. Other things like buffer overflows are pertinant, but will not support the idea that open source is any more or less prone to attack. Bugs occur in any software.
What has not yet occured is a plug-in or extension for Mozilla/Firefox that is similar to the kinds of spyware/malware that has been developed for IE. If the "AOL crowd" starts dumpping IE for Mozilla/Firefox, spyware/malware authors will have a reason to invest their time and money into developing such applications. Seriously, how will the Mozilla team ensure somone doesn't intentionally install an extension because some website told the user that it will "accelerate their web experience for free?"
It wasnt just Mozilla Firefox and the like.
And there's the rub. As was reported before, the problem with Mozilla was only on Win32 platforms. Then, it comes out that MSN IM and Word are also affected with this problem. So, truly the bug lies in Windows. Why this point isn't getting more press, I am not sure, but it really should.
That depends. Does the link promise free pr0n, money, or chocolate? Or does the link say it will find and destroy malware or pr0n on your system.
Social engineering is the most effective exploit of any system.
I'm in the hole of the broadband donut.
No, the bug was in Windows XP's handling of the shell: protocol. It can be exploited to run arbitrary code. When this was found out, Mozilla team released a patch to prevent shell: protocol links from working, cutting off access to the real culprit in Windows, which won't be fixed until SP2 for XP.
The 'bug report' opened at Mozilla in 2002 was essentially trying to deal with the way Mozilla handles unknown protocols. The normal way was just to pass them to the OS.
E.g. since aim: isn't recognized by Mozilla, an aim: link would be passed to the OS, and if you had AOL IM installed, it would have registered to handle that protocol. (Often used to install a new "buddy icon.")
I believe Mozilla is now going to allow you to let certain protocols through, instead of allowing all.
So it's QUITE a stretch to say that this exploit bug we're talking about is (a) in mozilla, and (b) around since 2002.
Ironically, the word ironically is often used incorrectly.
Here's the hole in that theory: no one has ever successfully sued Microsoft for technology problems with MS products. Worms, viruses, etc have all cost reported billions of dollars (real cost unknown, but obviously significant), yet MS does not bear the consequences of those losses.
The question of whether it is possible for us (as a species) to build completely error free systems (thus making it feasable to hold vendors responsible for mistakes) is for another time. The possibility that software is more abstract and thus more complex for humans than any other form of commercial engineering maybe the case.
This is not to let MS off the hook. In my dealings with them, the company in the past has tended to let the marketers write the program specifications, often over the objections of actual engineers. The difference in perspective between a salesperson and an engineer is significant with regards to long term security and reliability.
Yeah, yeah. Point is, Mozilla shouldn't have been affected at all (like Opera, for example).
Yeah, Opera never suffers from security problems!
Gimme a break. No fancy software is secure.
Ironically, the word ironically is often used incorrectly.
Disclaimer: My post is about the "let me make name changes I think are clever and funny" trend and not the parent poster.
As opposed to people massively using names like "Lunix" or "open sores"?
I've... never seen anything like that used here on Slashdot. Not ever.
That's not saying it hasn't been, but it's sure a hell of a lot less common.
As long as those MS zealots don't disappear, expect names like "M$".
Wouldn't you rather be the bigger person?
Personally, I'd rather have intelligent discussion about the strong and weak points of various OS/software/languages/etc. here than stupid name calling. Maybe it's just my own prejudices, but when I see a post with that kind of crap, I assume I'm as likely to get reasonable discourse out of the post as I am to get a fair and balanced opinion about non-Causasians from a member of the KKK. I skip to the next post.
(I also assume the poster lives in their parents' basement and has never touched a real girl, but I keep that to myself. That'd be unfair and non-constructive name-calling, too.)
Are you serious? You're saying that an operating system that let anybody use it by simply selecting 'Cancel' on the login screen (if even enabled), is more secure than Windows 2000/XP. Madness.
I don't believe OSS has ever encountered the concentrated, unrelenting targeting Microsoft has to endure.
You're mistaken in your belief.
People argue that Microsoft's getting unfairly blamed becauise they're the majority of the targets. And yet in areas where they haven't been the primary target they have still often had a significantly larger number of exploits for extended periods of time.
For example, for years IIS had a consistent 30% share in the webserver market, yet over the same period IIS served the vast majority of defaced websites.
Folks - this is not just a Mozilla/Windows problem. Just a few short weeks ago, a lot of noise was made about a very similar URI exploit on Mac OS X, both through any browser that runs on OS X (noise was made about Safari, and I verified that the exploit was also present in Camino) and OS X's help system.
Because of the seemingly general nature of this type of exploit - why are we letting browsers run code ?? The web SHOULD primarily be to exchange information (text, images, audio, video). Why are we allowing remote program execution?
This brings up an interesting concept. It has been the conjecture of most people on this forum that opensource is more secure because it's more freely examined. This doesn't hold true if the opensource code in question is never actually examined.
A number of years ago, an initiative was created to make FreeBSD the most secure operating system on the planet. OpenBSD is the result, and I have to say that they did a darn fine job of it.
I'd like to propose that the Opensource community do the same thing with Mozilla. Start a line-by-line security audit of the Mozilla code base. Leverage the opensource massively distributed model and create the first browser that can be called truely secure.
If you don't want to do it to create a truely awesome product, then just do it to rub Microsoft's nose in something that they are completely incapable of. *evil grin*
Wake up - the future is arriving faster than you think.
It is slightly worrying. What's *more* worrying is that, in a proprietary software company, the software package might have been *released* like that, because no one on the devel team thought it was a bad idea. That's the beauty of open-source -- you're bringing many, many eyes outside the devel team to look at and critique your design decisions, and if something is flawed, someone will notice it and persuade people with CVS access to fix it, many times before the software in question is released. In a sense, we're *all* part of the devel team, if we want to be.
Go Mozilla!