Mozilla Developers Respond to Malware

An anonymous reader writes "Last week's well- publicised (and quickly fixed) security hole in Mozilla, Firefox and Thunderbird reminded the Slashdot faithful that Mozilla is not invincible and that it is now big enough for malware (virus and spyware) authors to target. MozillaZine has a short article on this topic, looking at the rise in attacks aimed at Mozilla and how the developers are responding."

This will be the true test.

[Schezar]

As Mozilla browsers become more popular, and thus face credible threats on the scale that IE has been facing, this may well be the breaking point for OSS in general.

Business types are afraid of OSS mostly for the fact that it's "unsupported." To them, support doesn't mean having developers on hand to fix problems so much as it does having someone to blame when things go wrong. As long as someone else is fiscally responsible for their technology problems, their customers/shareholders are happy.

They won't admit to believing the above, but it's true: I have first hand experience with it. They'll say that they need the support to protect them from threats and vulnerabilities. They cite Microsoft's patches and updates as proof that the support is useful. They claim that OSS is only safer because no one targets it, and thus the threats aren't as severe. They don't believe any of that, but it's what they use to rationalize their decisions.

If Mozilla continually and expertly deals with these vulnerabilities, that argument will fall flat. They'll either have to admit just what they're -actually- paying for when they claim "support," or they'll at least begin to look into OSS alternatives.

At least, that's what I hope ^_~

Re:Mozilla "innovation" reaches new low?

[Finuvir]

Would the fact the vulnerability in Firefox and Mozilla only affected the Windows 2000/XP versions, and not the ones on other platforms, suggest that it might have been a vulnerability in windows rather than Mozilla?

Yes. The flaw was that Mozilla handled the protocols it knew and passed all unknown protocols to the OS to handle. Windows was (is) all too happy to launch programs with the shell protocol.

Ignorant developers

[gr8_phk]

The software should not allow a web site to initiate any action on the client side. Security 101 here people. Opening files using the default application is pushing the limit. Allowing the site to specify what you run was just plain stupid. The Mozilla team should not just disable that feature by default, but should remove it entirely. There are work arounds for the small fraction of users who have a legitimate use for that.

IMHO, desktops (GNOME, KDE) are crossing the line and even X itself has some "features" that may lead to exploits if developers aren't careful - remember the window manager is just a program that can actually control other programs on the machine. No application should ever tell another what to do based on untrusted data, that's reserved for the user (clicking a link doesn't count as approval - the link may not do what it claims).

When you add a feature, consider what a criminal might use it for and who the burden will land on to prevent it. With shell: the burden lands on any application you might possibly launch and that's just unacceptable. With a window manager, consider that I may want to offer my display server to some untrusted application (airline reservation system) running on a remote machine - great possibilities and a great security risk. Because so much is accessible through X we don't use it that way.

I'm rambling now trying to gather too many thoughts in too little time.