Slashdot Mirror


Mozilla Developers Respond to Malware

An anonymous reader writes "Last week's well-publicised (and quickly fixed) security hole in Mozilla, Firefox and Thunderbird reminded the Slashdot faithful that Mozilla is not invincible and that it is now big enough for malware (virus and spyware) authors to target. MozillaZine has a short article on this topic, looking at the rise in attacks aimed at Mozilla and how the developers are responding."


  1. I'd still rather by UltimateZer0 · Score: 2, Interesting

    I'd still rather use a marginally flawed Mozilla browser than a fully dysfunctional Intercourse Exploiter browser

    --

    --- I'm going to get a score of -1 for this post because the mods are fuckers.

    1. Re:I'd still rather by prell · Score: 2, Interesting

      I think that this will be a very interesting case study in the capabilities of the OSS community to create secure, reliable, and ultimately "better" (you be the judge) software than those in the Cathedral. While Linux is popular, it is isolated. That is, Mozilla is a crossover OSS product, as this "Windows-only" exploit shows.

      I'd like to see Mozilla products increase in popularity and press coverage, so we can have something substantial to point to and say "that is how well OSS can work."

  2. Quickly by L-s-L69 · Score: 4, Interesting
    The large developer base responds quickly - gets things patched and released.

    This coupled with the fact moz/firefox is already more secure than IE means Moz users are not invulnerable, but we have a better chance than the IE crowd.

  3. The solution is simple by Anonymous Coward · Score: 2, Interesting

    If moz gets too bad, I'll just switch to Opera. What we need in the long run, is to have a totally new browser developed about 6 times a year. If everyone switches browsers every other month, these malware stooges will be put in their place.

  4. Targeting Flaws by feilkin · Score: 4, Interesting

    I think that there is a major disadvantage when it comes to attacking the Mozilla series of applications -- they are all on multiple operating systems. It's worth noting that this bug was only found on Windows systems operating Mozilla, and while this may be the largest base of people using the program, I get the impression that a lot of Linux and OSX folks are using them as well. Yet everyone is so eager to jump on Mozilla for having a bug, even though it only affected one of the operating systems. I think that's a pretty good track record, especially with the speed that it's been fixed in. I'd like to see that with IE.

  5. Mozilla turning into "Carbon Copy" of IE by Anonymous Coward · Score: 2, Interesting

    If that's not good enough... just install the Internet Explorer skin for firefox.

  6. Just to clear some things up... by RoLi · Score: 2, Interesting
    From the earlier slashdot story:

    "Note that this only affects users of Mozilla and Firefox on Windows XP or Windows 2000."

    Actually I think the biggest marketing achievement in the last 10 years was Microsoft convincing the public that Win2000/XP is more secure than Win9x.

    1. Re:Just to clear some things up... by Anonymous Coward · Score: 1, Interesting

      Funny story about XP:

      I have a relative that likes to spend $5,000 on a top of the line Dell system every few years, rather than use common sense in his browsing. I was staying at his house over the weekend, and I was amazed by how many things he had running in his systray.

      It's sad that people shell out the cash for 2GB of RAM only to squander it on running such "helpful" things as BOTH Norton and McAfee with all of their "useful" autoprotect features. Of course, he also had the Automatic Update thing running, MSN messenger that he doesn't use, and countless other things.

      I laughed when he managed to freeze it simply by trying to download something and burn a CD-R at the same time.

  7. Autoupdate might be nice by ObsessiveMathsFreak · Score: 4, Interesting

    Rest assured, if Firefox ever does make it big time, ~20-30% of browsers, malware writers WILL exploit any hole they can find.

    Hopefully the developers will be quick enough to fix it, but will users be sharp enough to get the patches? I think automatic updates for firefox are what is needed to ensure users have less to worry about. I know myself that the patch for the shell exploit was not a simple matter of clicking search for updates, as the update program times out after 2 secs.

    Firefox won't be immune to the legions of spammers, crackers, marketers and pornographers which have already begun to exploit it. With some kind of autoinstaller/updater or a faster update cycle users could be confident that whatever new tricks the spammers come up with, the fixes will be prompt. Hopefully anyway.

    I know autoinstallers aren't in vogue, for many good reasons. But if it's just for one, largely self-contained program, would it really be so bad?

    Maybe at the very least mozilla could have a list of critical, anti-spam and other update categories. Or would that just confuse people?

    --
    May the Maths Be with you!
    1. Re:Autoupdate might be nice by l3v1 · Score: 2, Interesting

      Rest assured, if Firefox ever does make it big time, ~20-30% of browsers, malware writers WILL exploit any hole they can find.

      Am I the only one who simply got fed up with these kinds of arguments over the years? :P M$ and the Win crowd should one hell of a day understand that this argument does NOT justify a bad and slow development and update process.

      It's _because_ of the much larger user base that they should pay much more attention to this matter. Not just in talks and speeches, but (at least one day, perhaps, maybe) also in action (yes I know, sp2 will come and we will be saved and a whole new secure world will begin, but then again, dreams are nice, reality is different).

      And maybe one day no one will blame a 3rd party application and developer base for a flaw that the running os/api contains.

      --
      I am putting myself to the fullest possible use, which is all I can think that any conscious entity can ever hope to do.
  8. The price of success by twbecker · Score: 4, Interesting

    These exploits are just the price of success in the browser business. I have no doubt that Mozilla products are more secure than IE, but even if significant holes are found, I'll put the turnaround time for the fix up against MS track record anyday.

    --
    "The problem with internet quotations is that many are not genuine" -Abraham Lincoln
  9. Spoofing by POWRSURG · Score: 4, Interesting

    Now let us hope that there are no spoofing mechanisms discovered that result in users believing they're on one of the whitelisted sites to allow such installations. As someone on that board had already pointed out, allowing all of mozilla.org as a means to install code can result in people taking advantage of bugzilla.mozilla.org and ftp.mozilla.org.

    You know, I really appreciate hearing from developers who recognize a potential threat and are informing us how they are working to fight the problem. Their method might be taking a page out of Internet Explorer for SP2, but if it works then it's good.

  10. Malware by mfh · Score: 4, Interesting

    This story comes at a perfect time for me. I'm a Mozilla diehard, and I just ran Ad Aware 6 to find that some malware bypassed security (even Norton Internet Security) to install itself. One of the progs I found was malware called Winfavorites, and although Symantec says this is detectable malware, I had run Norton Antivirus and it went undetected. Looks like it's smartest to run a combination of programs just in case!

    I might add that I don't blame Mozilla for it. I blame the programmers who sell their soul for cash to these unscrupulous companies only looking to profit while hurting the systems they populate.

    --
    The dangers of knowledge trigger emotional distress in human beings.
  11. This will be the true test. by Schezar · Score: 5, Interesting

    As Mozilla browsers become more popular, and thus face credible threats on the scale that IE has been facing, this may well be the breaking point for OSS in general.

    Business types are afraid of OSS mostly for the fact that it's "unsupported." To them, support doesn't mean having developers on hand to fix problems so much as it does having someone to blame when things go wrong. As long as someone else is fiscally responsible for their technology problems, their customers/shareholders are happy.

    They won't admit to believing the above, but it's true: I have first hand experience with it. They'll say that they need the support to protect them from threats and vulnerabilities. They cite Microsoft's patches and updates as proof that the support is useful. They claim that OSS is only safer because no one targets it, and thus the threats aren't as severe. They don't believe any of that, but it's what they use to rationalize their decisions.

    If Mozilla continually and expertly deals with these vulnerabilities, that argument will fall flat. They'll either have to admit just what they're -actually- paying for when they claim "support," or they'll at least begin to look into OSS alternatives.

    At least, that's what I hope ^_~

    --
    GeekNights!
    Late Night Radio for Geeks!
    1. Re:This will be the true test. by Artifakt · Score: 2, Interesting

      If I'm not reading too much into your post, you're basically saying more than that Microsoft products have become an alibi with many stockholders, board members, and customers. Your use of the phrase "fiscally responsible" seems to suggest it's a legal strategy.

      I can see how CIO's and such could pick Microsoft so that they could say:

      1. Don't fire me, Oh boardmembers, I went with the industry leader.
      2. Don't blame us, Oh customers, blame Microsoft.

      But "someone else is fiscally responsible" sounds like more, as in:
      3. Don't sue us, sue Microsoft.

      (or is it:
      3a. Don't sue us until we work out a friendly deal where your choice of claims and testimony helps us to countersue Microsoft for the damages we will have to pay out.)

      I don't recall a lot of actual actions along these lines, but if some CEOs, CIOs and such are thinking like that, it's pretty obvious they are not going to want to switch away from Microsoft under any circumstances that don't give them another big target to sue.

      --
      Who is John Cabal?
  12. But who will upgrade? by Scarblac · Score: 4, Interesting

    Last week, right before this news, there was news that a lot of people switched to FireFox because of the vulnerabilities in IE.

    Who's going to tell them now that they should upgrade their FireFox to the fixed version, because there was a problem?

    It doesn't really matter that it was fixed quickly. The people that didn't install updates for IE, won't install the updates for their brand new FireFox either. Sadly.

    --
    I believe posters are recognized by their sig. So I made one.
  13. How will they respond? by ThisIsFred · Score: 2, Interesting

    I can't speak for them, but if I were the public relations for the project, I'd say, "we're going to trust Windows' protocol handlers a lot less." Just like how Windows' flawed design makes it dangerous to use Windows' shell functions to decide what to do with various filetypes, the Moz devs are going to have to include special testing procedures for their Windows releases to determine how underlying design flaws can make a third-party product vulnerable.

    I think Mozilla Project got a bum rap on this one. When an XP service pack fixes the same issue in all affected products (including IE and Word), I'm inclined to think that it was a Windows problem to begin with.

    --
    Fred

    "A fool and his freedom are soon parted"
    -RMS
  14. Firefox targeted? by jfengel · Score: 3, Interesting

    The flaw certainly affected Firefox, but given that it also affected things like Microsoft Word, was Firefox itself necessarily targeted? That is, did the guy who came up with the exploit have Firefox in mind?

    The difference may seem irrelevant, but if Firefox wasn't targeted, it means that the evil will of the cracker community has not yet been turned to finding the bugs in Firefox the way that they have in IE. I'm pretty sure Firefox will fare better than IE did, but when you've got so much effort aimed at a product, and with the source available, they will find any easily-findable bugs.

    If they did target Firefox, then we begin to have some idea how many security bugs there really are in Firefox, by seeing the rate at which new exploits appear. Thus far, the answer is "quite slow", and I hope that's because people are targeting it and failing.

  15. Mozilla already being targeted by Anonymous Coward · Score: 1, Interesting

    They've got to stop websites from being able to push downloads without any user-intervention.

    I'm seeing increasing numbers of sites linking to this presumably dodgy site (which I'm not making a hyperlink, visit at your own risk)
    xxxtoolbar.com

    which automatically attempts to download some "netscape_toolbar.exe".

    Regardless of my settings on FireFox it seems I cannot prevent it popping up a download dialog for the file, thank goodness AdBlock allows me to remove the site completely.

  16. Re:OSS vs non-OSS by Anonymous Coward · Score: 1, Interesting

    OSS is a double-edged sword, yes it helps u see the code, but it also helps them. I want to exploit a bug, I just load up bugzilla.

    Never forget that.

  17. Now THAT is quick! by choas · Score: 3, Interesting

    Whole of mozilla.org?
    by dave532

    Tuesday July 13th, 2004 1:30 AM

    "Mozilla Firefox 0.9 just allows update.mozilla.org (though this has since been expanded to the whole of mozilla.org)."

    Allowing the whole of mozilla.org is a bad idea because bugzilla.mozilla.org can allow anyone to upload a malicious XPI

    To:

    Re: Whole of mozilla.org?
    by Ben_Goodger

    Tuesday July 13th, 2004 3:44 AM

    good point. fixed.

    --
    I will work to elevate you, just enough to bring you down
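The exact-host versus whole-domain distinction in the MozillaZine exchange above (and in comment 9's point about bugzilla.mozilla.org and ftp.mozilla.org), as an added Python illustration that is not part of the original thread or Mozilla's own code; the two allowlists and all sample URLs are constructed for the example:

```python
from urllib.parse import urlsplit

# Constructed allowlists for illustration only; not Mozilla's actual settings.
EXACT_HOSTS = {"update.mozilla.org"}     # the narrow Firefox 0.9 rule
DOMAIN_SUFFIXES = {"mozilla.org"}        # the broad "whole of mozilla.org" rule


def host_of(url):
    """Hostname of a URL, lowercased, with userinfo and port stripped."""
    return urlsplit(url).hostname


def allowed_exact(url):
    """Allow only the listed hosts, nothing else."""
    host = host_of(url)
    return host is not None and host in EXACT_HOSTS


def allowed_by_suffix(url):
    """Allow the listed domains and every subdomain under them.

    The '.' boundary check keeps 'evilmozilla.org' from matching 'mozilla.org';
    it does nothing, however, about subdomains that host user-uploaded files.
    """
    host = host_of(url)
    if host is None:
        return False
    return any(host == d or host.endswith("." + d) for d in DOMAIN_SUFFIXES)


def compare_policies(urls):
    """Per URL, what each allowlist rule would let install."""
    return {u: {"exact": allowed_exact(u), "suffix": allowed_by_suffix(u)}
            for u in urls}


if __name__ == "__main__":
    # Constructed sample URLs; only the hostnames matter for the policy.
    samples = [
        "https://update.mozilla.org/extensions/example.xpi",
        "https://bugzilla.mozilla.org/attachment.cgi?id=0",     # user uploads
        "ftp://ftp.mozilla.org/pub/example.xpi",
        "https://evilmozilla.org/example.xpi",                  # not a subdomain
        "https://update.mozilla.org@evil.example/example.xpi",  # userinfo trick
    ]
    for url, verdict in compare_policies(samples).items():
        print(f"{url}\n  exact: {verdict['exact']}  suffix: {verdict['suffix']}")
```

The suffix rule admits the bugzilla attachment URL that the exact rule rejects, which is exactly the gap dave532 raised.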
  18. Re:It was a Windows flaw, not a Mozilla flaw by Anonymous Coward · Score: 1, Interesting

    No, this was a Mozilla flaw. All OSes support custom URI handlers which will execute arbitrary applications. Said URIs are not expected to be necessarily safe.

    The Mozilla team recognized this fact two years ago and discussed white-listing URI protocols but it was never implemented until they were pushed by the publicity of this "vulnerability," which is not a sign of good security practice.

    This problem is identical to a serious vulnerability recently discovered in Safari where a nefarious site could make use of the disk:// URI handler and the default automatic custom URI installer to download and execute arbitrary code. Has anyone checked to see if Mozilla/FireFox are also vulnerable to this?

  19. Re:Mozilla "innovation" reaches new low? by Finuvir · Score: 5, Interesting

    Would the fact the vulnerability in Firefox and Mozilla only affected the Windows 2000/XP versions, and not the ones on other platforms, suggest that it might have been a vulnerability in Windows rather than Mozilla?

    Yes. The flaw was that Mozilla handled the protocols it knew and passed all unknown protocols to the OS to handle. Windows was (is) all too happy to launch programs with the shell protocol.

    --
    Why is anything anything?
  20. No change for protocols... by argent · Score: 3, Interesting

    I was hoping they would do something about the protocol problem, and default to not allowing unknown or unexpected OS-handled protocols or helper applications.

    This new dialog would be a great place to add

    '$webpage is attempting to display an image from exploit:format+c:\'

    so that by default new registered protocols and helper applications would be blocked rather than permitted until the user explicitly whitelists them.

    Helper apps, too:

    'Should $file.pdf be opened with the Adobe Acrobat plugin? [always] [always for this site] [just this once] [no] [never for this site] [never]'

    I'm tired of going in and re-removing 'automatically perform the associated action for each of the following file types' over and over and over again.
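The default-deny dispatch that comments 19 and 20 describe (schemes the browser handles itself pass through, anything that would go to an OS-registered handler is blocked until the user picks one of the six answers in the dialog sketched above), as an added Python sketch that is not Mozilla's code; the scheme list, site names and the shell: target are constructed for the example:

```python
from urllib.parse import urlsplit

# Constructed for illustration; these are not Mozilla's lists or defaults.
INTERNAL_SCHEMES = {"http", "https", "ftp", "file", "about"}  # browser handles
ANY_SITE = "*"
# The six answers from the dialog above: where the decision is stored, and what.
ANSWERS = {
    "always":      (ANY_SITE, "allow"),
    "always_site": ("site",   "allow"),
    "once":        (None,     "allow"),   # not remembered at all
    "no":          (None,     "deny"),
    "never_site":  ("site",   "deny"),
    "never":       (ANY_SITE, "deny"),
}


class ExternalProtocolPolicy:
    """Decide whether a page may hand a URL to an OS-registered handler."""

    def __init__(self):
        self.rules = {}  # (scheme, site) -> "allow" | "deny"

    def prompt_text(self, site, target_url):
        """The warning the dialog would show before anything is launched."""
        return f"'{site} is attempting to open {target_url}'"

    def dispatch(self, page_url, target_url, answer=None):
        """Return 'handle', 'launch', 'block' or 'prompt'."""
        scheme = urlsplit(target_url).scheme           # urlsplit lowercases it
        site = urlsplit(page_url).hostname or "unknown site"
        if not scheme or scheme in INTERNAL_SCHEMES:
            return "handle"                            # never reaches the OS
        # A per-site rule wins over a global one. With no rule at all the
        # default is deny-and-ask, not "let the OS launch whatever it likes".
        rule = (self.rules.get((scheme, site))
                or self.rules.get((scheme, ANY_SITE)))
        if rule is None:
            if answer is None:
                return "prompt"
            scope, rule = ANSWERS[answer]
            if scope is not None:
                key = site if scope == "site" else ANY_SITE
                self.rules[(scheme, key)] = rule
        return "launch" if rule == "allow" else "block"
```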

  21. Wait a minute... by ajservo · Score: 2, Interesting

    What browser is it that script kiddies and virus writers using if not Mozilla? I never would have conceived of them going after someone that's NOT MS.

    So what, should I switch to Lynx? or is there an undisclosed hole in that too?

  22. Signing XPIs by khundeck · Score: 2, Interesting

    I'm sure I'm not the first to say this... but... how about people who release plugins actually sign them? Then we can build our trust network around that, not where you are downloading it from.

    My 2cents
    Kurt

  23. At the risk of being flamed... by InfinityWpi · Score: 2, Interesting

    The most important thing to be in a browser is speed and ease of use. I've got IE, an old Netscape, Firefox, and a handful of other esoteric small project browsers. It may be full of holes, but IE is the best when it comes to browsing. I'd love Firefox a lot more if it wouldn't keep telling me "Connection Refused" five or six times before I -finally- get the lucky refresh that lets the page load. IE'll do that right away. Maybe IE just doesn't tell me the connection was refused and keeps retrying for me, but that's -nice-. It's -helpful-. It's damn near -considerate-. I don't want to be George Jetson, pushing a button all the time, just to websurf.

    Tho I do like the tabbed browsing. Lets me open a page five times so I can finally get one that doesn't say "Not responding".

  24. Ignorant developers by gr8_phk · Score: 5, Interesting
    The software should not allow a web site to initiate any action on the client side. Security 101 here people. Opening files using the default application is pushing the limit. Allowing the site to specify what you run was just plain stupid. The Mozilla team should not just disable that feature by default, but should remove it entirely. There are workarounds for the small fraction of users who have a legitimate use for that.

    IMHO, desktops (GNOME, KDE) are crossing the line and even X itself has some "features" that may lead to exploits if developers aren't careful - remember the window manager is just a program that can actually control other programs on the machine. No application should ever tell another what to do based on untrusted data, that's reserved for the user (clicking a link doesn't count as approval - the link may not do what it claims).

    When you add a feature, consider what a criminal might use it for and who the burden will land on to prevent it. With shell: the burden lands on any application you might possibly launch and that's just unacceptable. With a window manager, consider that I may want to offer my display server to some untrusted application (airline reservation system) running on a remote machine - great possibilities and a great security risk. Because so much is accessible through X we don't use it that way.

    I'm rambling now trying to gather too many thoughts in too little time.

  25. Re:Misleading by Tim+C · Score: 2, Interesting

    As of at least Mozilla 1.6, steps 1 and 2 are not necessary as they're on by default, and step 3 is not necessary as I have personally seen pages use the onLoad js handler to launch the installation dialogue. I also don't recall having to wait for the dialogue; I seem to remember the install/cancel buttons being available immediately.

    I'm guessing that even some ex-MSIE users might not go through all that on the request of a malicious WWW site they have found.

    Well, I've seen someone with a couple of decades experience in the (IT) industry, and someone who is well versed in all this sort of stuff as well as a multitude of other topics, absent-mindedly click the "ok" button on an activex installation dialogue, then immediately curse his stupidity.

    Everyone makes mistakes, and as other people have pointed out, that's without taking social engineering into account.

  26. Re:Mozilla "innovation" reaches new low? by MindStalker · Score: 3, Interesting

    Well mozilla was the first with blocking technology. Microsoft turned around and said, hey we can do that too, but instead of a little thingy in the corner that lets you know something is blocked, why not a whole taskbar. Mozilla in turn said, you know that's a good idea.
    I really don't think someone should be embarrassed to use superior ideas just because they were invented at Microsoft. Pretty shallow thinking really.

  27. Remember Slate? by ShadowRage · Score: 2, Interesting

    Slate, a Microsoft magazine, urged users to use Mozilla as well. However, I don't think this was a charitable request; instead, make users use this alternative, Microsoft will sit back and watch as Mozilla gets exploited by malware, make a big shit about it every time (possibly even write their own as well), then come out with a version of IE that isn't exposed to the type of malware that Mozilla is exposed to, and use choice marketing words to get people to download it (even buy it).
    Microsoft is gonna use Mozilla as a pawn in the browser wars to re-affirm their grounds in the Browser Monopoly.

  28. Re:A Modest Proposal by Sloppy · Score: 2, Interesting
    This has been on my mind for a long time, but it's starting to look less and less radical, and more sensible. If internet-related applications (or anything that takes external input) are going to remain complex, then they are going to continue to be buggy, and therefore perhaps users should not trust their own apps.

    Lots of users have already made this adjustment in thinking, when it comes to email: it has become common sense among laymen (even if they don't always practice it) that you're not supposed to "open attachments" from untrusted sources. That's actually normally a safe thing to do -- assuming your mailreader isn't buggy. Merely looking at something shouldn't be unsafe. But can you really trust a huge complex app to not be buggy? MS Outlook users say No, Sylpheed users say Yes. But that's an arbitrary distinction and the joke may be on us Sylpheed users someday.

    Sandboxing for defense in depth is starting to look more attractive. I'm skeptical that it's going to be quite as easy as just chrooting the app or running it as a different user, though. My mailreader needs to run gpg with access to my local keyring; my web browser needs to at least be able to display any local html file that I have access to; etc. I think designing a good system to sandbox this stuff is going to require a lot of thought. Maybe a number of different processes, some of them running as me and some running as nobody, connected with pipes or something. I don't know.

    I like your httpd analogy, because it reminds me that this is actually a very old problem. We've gotten used to the need to secure servers, we now need to extend that thinking to clients.

    --
    As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
  29. If there was no bundling by DuctTape4Windows · Score: 3, Interesting

    I think most people prefer Internet Explorer because it's there. I NEVER used IE, I always used Netscape (and now Mozilla), and that was when the battle of the browsers was still big, but I think Netscape was MORE popular. Microsoft cornered the market in Windows 98, when they merged IE with Windows Explorer, so to browse your files you HAD to use IE (today that's still the problem, I wish I could use FireFox as my file manager). IE is only popular because of bundling. I still think FireFox is a more secure browser, simply cause it is, and there isn't so much "IE Friendly" HTML. I've noticed that on pages not published with Frontpage or any other MS product, Firefox often looks better, and pages done with Frontpage often still look better in Firefox. I still think Firefox is a more secure browser because it isn't jammed with useless features like IE. I have the "view with IE" extension on Firefox; I NEVER need to use it. The only thing I can think of that can't be used in Firefox is Launch.com. Oh well, stick with Firefox.