Mozilla Developers Respond to Malware
An anonymous reader writes "Last week's well-publicised (and quickly fixed) security hole in Mozilla, Firefox and Thunderbird reminded the Slashdot faithful that Mozilla is not invincible and that it is now big enough for malware (virus and spyware) authors to target. MozillaZine has a short article on this topic, looking at the rise in attacks aimed at Mozilla and how the developers are responding."
This, coupled with the fact that Moz/Firefox is already more secure than IE, means Moz users are not invulnerable, but we have a better chance than the IE crowd.
I think that there is a major disadvantage when it comes to attacking the Mozilla series of applications -- they are all on multiple operating systems. It's worth noting that this bug was only found on Windows systems running Mozilla, and while this may be the largest base of people using the program, I get the impression that a lot of Linux and OS X folks are using them as well. Yet everyone is so eager to jump on Mozilla for having a bug, even though it only affected one of the operating systems. I think that's a pretty good track record, especially given the speed with which it's been fixed. I'd like to see that with IE.
Rest assured, if Firefox ever does make it big time, ~20-30% of browsers, malware writers WILL exploit any hole they can find.
Hopefully the developers will be quick enough to fix it, but will users be sharp enough to get the patches? I think automatic updates for Firefox are what is needed to ensure users have less to worry about. I know myself that the patch for the shell exploit was not a simple matter of clicking "search for updates", as the update program times out after 2 seconds.
Firefox won't be immune to the legions of spammers, crackers, marketers and pornographers who have already begun to exploit it. With some kind of autoinstaller/updater or a faster update cycle, users could be confident that whatever new tricks the spammers come up with, the fixes will be prompt. Hopefully, anyway.
I know autoinstallers aren't in vogue, for many good reasons. But if it's just for one, largely self-contained program, would it really be so bad?
Maybe at the very least Mozilla could have a list of critical, anti-spam and other update categories. Or would that just confuse people?
May the Maths Be with you!
These exploits are just the price of success in the browser business. I have no doubt that Mozilla products are more secure than IE, but even if significant holes are found, I'll put the turnaround time for the fix up against the MS track record any day.
"The problem with internet quotations is that many are not genuine" -Abraham Lincoln
Now let us hope that there are no spoofing mechanisms discovered that result in users believing they're on one of the whitelisted sites to allow such installations. As someone on that board had already pointed out, allowing all of mozilla.org as a means to install code can result in people taking advantage of bugzilla.mozilla.org and ftp.mozilla.org.
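To make the whitelist concern above concrete, here is an added example (my own illustration, not Mozilla's code) of three ways a browser could decide whether a page may trigger a software installation. The trusted origin, hostnames and URLs are constructed for the example; the point is how much each check lets in, and why a domain-wide rule covers bugzilla.mozilla.org and ftp.mozilla.org as well as the site you meant.

```javascript
// Added example: install-site allowlist checks, loosest to strictest.
// All hosts/URLs here are constructed for illustration.

// Hypothetical exact origin that is allowed to push installs.
const TRUSTED_ORIGINS = new Set(["https://update.mozilla.org"]);

// Use the real URL parser rather than string searching, so tricks such as
// "https://update.mozilla.org@attacker.example/" resolve to the true host.
function hostOf(url) {
  try {
    return new URL(url).hostname.toLowerCase();
  } catch (e) {
    return null; // unparseable input is never trusted
  }
}

// 1. Naive suffix check. Also matches "evilmozilla.org" -- a plain bug.
function allowedBySuffix(url) {
  const host = hostOf(url);
  return host !== null && host.endsWith("mozilla.org");
}

// 2. Domain-wide check: mozilla.org and every subdomain. Correct as a
//    string match, but it trusts every host under the domain, including
//    ones that serve user-supplied content (bug attachments, mirrors).
function allowedByDomain(url) {
  const host = hostOf(url);
  return host !== null && (host === "mozilla.org" || host.endsWith(".mozilla.org"));
}

// 3. Exact origin check: scheme, host and port must all match an entry.
//    http:// on the same host is refused, as is any sibling subdomain.
function allowedByOrigin(url) {
  try {
    return TRUSTED_ORIGINS.has(new URL(url).origin);
  } catch (e) {
    return false;
  }
}

// Compare the three policies over a set of constructed candidate URLs and
// return the ones each policy would let install code.
function auditPolicies(urls) {
  const report = { suffix: [], domain: [], origin: [] };
  for (const u of urls) {
    if (allowedBySuffix(u)) report.suffix.push(u);
    if (allowedByDomain(u)) report.domain.push(u);
    if (allowedByOrigin(u)) report.origin.push(u);
  }
  return report;
}

// Constructed sample, not real URLs.
const SAMPLE_URLS = [
  "https://update.mozilla.org/extension.xpi",
  "http://update.mozilla.org/extension.xpi",
  "http://bugzilla.mozilla.org/attachment.cgi?id=1",
  "http://ftp.mozilla.org/pub/extension.xpi",
  "http://evilmozilla.org/extension.xpi",
  "https://update.mozilla.org@attacker.example/extension.xpi",
];

// Running this file prints how many URLs each policy admits.
for (const [policy, allowed] of Object.entries(auditPolicies(SAMPLE_URLS))) {
  console.log(`${policy}: ${allowed.length} of ${SAMPLE_URLS.length} allowed`);
}
```

The userinfo URL in the sample is there to show why the host must come from a real parser: a regex or `indexOf("mozilla.org")` on the raw string would accept it under every policy, while `new URL()` correctly reports attacker.example as the host and all three checks refuse it.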
You know, I really appreciate hearing from developers who recognize a potential threat and are informing us how they are working to fight the problem. Their method might be taking a page out of Internet Explorer for SP2, but if it works then it's good.
This story comes at a perfect time for me. I'm a Mozilla diehard, and I just ran Ad Aware 6 to find that some malware bypassed security (even Norton Internet Security) to install itself. One of the progs I found was malware called Winfavorites, and although Symantec says this is detectable malware, I had run Norton Antivirus and it went undetected. Looks like it's smartest to run a combination of programs just in case!
I might add that I don't blame Mozilla for it. I blame the programmers who sell their soul for cash to these unscrupulous companies only looking to profit while hurting the systems they populate.
The dangers of knowledge trigger emotional distress in human beings.
As Mozilla browsers become more popular, and thus face credible threats on the scale that IE has been facing, this may well be the breaking point for OSS in general.
Business types are afraid of OSS mostly for the fact that it's "unsupported." To them, support doesn't mean having developers on hand to fix problems so much as it does having someone to blame when things go wrong. As long as someone else is fiscally responsible for their technology problems, their customers/shareholders are happy.
They won't admit to believing the above, but it's true: I have first-hand experience with it. They'll say that they need the support to protect them from threats and vulnerabilities. They cite Microsoft's patches and updates as proof that the support is useful. They claim that OSS is only safer because no one targets it, and thus the threats aren't as severe. They don't believe any of that, but it's what they use to rationalize their decisions.
If Mozilla continually and expertly deals with these vulnerabilities, that argument will fall flat. They'll either have to admit just what they're -actually- paying for when they claim "support," or they'll at least begin to look into OSS alternatives.
At least, that's what I hope ^_~
GeekNights!
Late Night Radio for Geeks!
Last week, right before this news, there was news that a lot of people switched to Firefox because of the vulnerabilities in IE.
Who's going to tell them now that they should upgrade their Firefox to the fixed version, because there was a problem?
It doesn't really matter that it was fixed quickly. The people that didn't install updates for IE won't install the updates for their brand new Firefox either. Sadly.
I believe posters are recognized by their sig. So I made one.
Yes. The flaw was that Mozilla handled the protocols it knew and passed all unknown protocols to the OS to handle. Windows was (is) all too happy to launch programs with the shell protocol.
Why is anything anything?
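The post above describes the bug class in one sentence: handle the schemes you know, hand everything else to the OS. Here is an added example (my own illustration, not Mozilla's code) of a scheme dispatcher written both ways, so the difference is visible on constructed links. The scheme lists are assumptions chosen for the example; the structural point is that the hardened version keeps an explicit allowlist of what may reach the OS instead of a list of what the browser handles itself.

```javascript
// Added example: URL-scheme dispatch, "pass unknown to the OS" versus an
// explicit allowlist. Scheme sets and sample links are constructed.

// Schemes the browser renders itself (assumed for the example).
const INTERNAL_SCHEMES = new Set(["http", "https", "ftp", "file"]);
// External schemes the browser is willing to hand to the OS (assumed).
const EXTERNAL_ALLOWLIST = new Set(["mailto", "news"]);

// Extract the scheme per RFC 3986: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) ":".
// Leading whitespace is trimmed and the result lower-cased, so " SHELL:" and
// "shell:" are treated the same way, as a browser would.
function parseScheme(url) {
  const m = /^([A-Za-z][A-Za-z0-9+.-]*):/.exec(url.trim());
  return m ? m[1].toLowerCase() : null;
}

// Vulnerable policy: anything the browser does not recognise goes to the OS.
// On Windows the "shell:" scheme lands here and the OS launches a program.
function dispatchDenyNothing(url) {
  const scheme = parseScheme(url);
  if (scheme === null) return { action: "reject", reason: "no scheme" };
  if (INTERNAL_SCHEMES.has(scheme)) return { action: "internal", scheme };
  return { action: "os", scheme };
}

// Hardened policy: only explicitly allowlisted external schemes reach the OS;
// everything else is refused, including schemes nobody has thought about yet.
function dispatchAllowlist(url) {
  const scheme = parseScheme(url);
  if (scheme === null) return { action: "reject", reason: "no scheme" };
  if (INTERNAL_SCHEMES.has(scheme)) return { action: "internal", scheme };
  if (EXTERNAL_ALLOWLIST.has(scheme)) return { action: "os", scheme };
  return { action: "reject", reason: `unknown scheme ${scheme}` };
}

// Return the links that the old policy would have handed to the OS but the
// allowlist refuses: exactly the attack surface the fix removes.
function newlyBlocked(urls) {
  return urls.filter(
    (u) => dispatchDenyNothing(u).action === "os" && dispatchAllowlist(u).action === "reject"
  );
}

// Constructed sample links.
const SAMPLE_LINKS = [
  "https://example.org/",
  "  HTTP://example.org/mixed-case-and-space",
  "mailto:someone@example.org",
  "shell:windows\\system32\\calc.exe",
  "  SHELL:windows\\system32\\calc.exe",
  "telnet://example.org/",
  "/relative/path/no/scheme",
];

for (const u of SAMPLE_LINKS) {
  console.log(JSON.stringify(u), "->", dispatchDenyNothing(u).action, "/", dispatchAllowlist(u).action);
}
console.log("newly blocked:", newlyBlocked(SAMPLE_LINKS));
```

The allowlist rejects telnet: as well as shell:, which is the intended trade-off: a scheme that is genuinely wanted gets added deliberately, after someone has asked what a hostile page could do with it.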
IMHO, desktops (GNOME, KDE) are crossing the line, and even X itself has some "features" that may lead to exploits if developers aren't careful - remember that the window manager is just a program that can actually control other programs on the machine. No application should ever tell another what to do based on untrusted data; that's reserved for the user (clicking a link doesn't count as approval - the link may not do what it claims).
When you add a feature, consider what a criminal might use it for and who the burden will land on to prevent it. With shell: the burden lands on any application you might possibly launch and that's just unacceptable. With a window manager, consider that I may want to offer my display server to some untrusted application (airline reservation system) running on a remote machine - great possibilities and a great security risk. Because so much is accessible through X we don't use it that way.
I'm rambling now trying to gather too many thoughts in too little time.