Slashdot Mirror
Mozilla Developers Respond to Malware
An anonymous reader writes "Last week's well- publicised (and quickly fixed) security hole in Mozilla, Firefox and Thunderbird reminded the Slashdot faithful that Mozilla is not invincible and that it is now big enough for malware (virus and spyware) authors to target. MozillaZine has a short article on this topic, looking at the rise in attacks aimed at Mozilla and how the developers are responding."
I'm quite happy to see that the Mozilla team is pro-active in fixing the bugs that could allow MalWare to install unchecked.
Yet, a base Mozilla 1.7 downloaded right after release will have this issue for a very long time. This situation is worse, in one big way, than the Internet Explorer issues; Mozilla users 'feel' safe. Non-techies that use Mozilla assume it's 'safe' because a geek once told them that this is the case.
I've been an Open Source supporter for quite a long while, but the days of relative desktop safety for F/OSS cross-over users is coming to a close.
And, I'm probably not the only one who "shivers", when reading, "... almost a carbon copy of the new Internet Explorer Information Bar ..."
There's no way to defend that.
Kinetic stupidity has a new brand leader: Allen Zadr.
Will be how fast the community can fix these types of issues compared to M$'s response time.
I think we all know that whatever is the popular software is what will be targeted so the big difference maybe how it's responded to.
"If any question why we died, Tell them because our fathers lied."
Some microsoft products were affected also.
this is precisely the reason the Firefox was equipped with thought guided missiles...to destroy unseen threats.
Linux is to the internet as Duct Tape is to the Universe.
This coupled with the fact moz/firefox is already more secure than IE means Moz users are not invunerable but we have a better chance than the IE crowd.
I think that there is a major disadvantage when it comes to attacking the Mozilla series of applications -- they are all on multiple operating systems. It's worth noting that this bug was only found on Windows systems operating Mozilla, and while this may be the largest base of people using the program, I get the impression that a lot Linux and OSX folks are using them as well. Yet everyone is so eager to jump on Mozilla for having a bug, even though it only affected one of the operating systems. I think that's a pretty good track record, espically with the speed that it's been fixed in. I'd like to see that with IE.
if people are going to start targetting mozilla for exploits, then we can see the true difference between security/stability of OSS vs proprietary products. i have no doubt that mozilla will come out in the lead, because in being open source when there IS a problem, it is fixed in a timely manner :)
There is a fine line between easy to use and easy to exploit. Let's not repeat the mistakes of others.
UNIX/Linux Consulting
It was widely reported that a flaw was found in 'Mozilla' which was not correct. The flaw was in the Shell: protocol on Windows. That's why the alleged 'flaw' in Mozilla did not exist on non-Windows platforms. The only 'flaw' in Mozilla was its failure to block the use of the shell: stuff on Windows (which the patch now does).
Rest assured, if Firefox ever does make it big time, ~20-30% of browsers, malware writers WILL exploit any hole they can find.
Hopefully the developers will be quick enough to fix it, but will users be sharp enough to get the patches. I think automatic updates for firefox are what is needed to ensure users have less to worry about. I know myself that the patch for the shell exploit was not a simple matter of clicking search for updates, as the update program times 0out after 2 secs.
Firefox won't be immune to the legions of spammers, crackers, marketers and pornographers which have already begun to exploit it. With some kind of autoinstaller/updater or a faster update cycle users could be confident that whatever new tricks the spammers come up with, the fixes will be prompt. Hopefully anyway.
I know autoinstallers aren't in vouge, for many good reasons. But if it's just for one, largely selfcontained program, would it really be so bad.
Maybe at the very least mozilla could have a list of critical, anti-spam and other update categories. Or would that just confuse people
May the Maths Be with you!
Wasn't it also that it was a shell bug in win2k/xp that actually only was an OS bug, that MS didn't fixed so they eventually did it?
These exploits are just the price of success in the browser business. I have no doubt that Mozilla products are more secure than IE, but even if significant holes are found, I'll put the turnaround time for the fix up against MS track record anyday.
"The problem with internet quotations is that many are not genuine" -Abraham Lincoln
Now let us hope that there are no spoofing mechanisms discovered that result in users believing they're on one of the whitelisted sites to allow such installations. As someone on that board had already pointed out, allowing all of mozilla.org as a means to install code can result in people taking advantage of bugzilla.mozilla.org and ftp.mozilla.org.
You know, I really appreciate hearing from developers who recognize a potential threat and are informing us how they are working to fight the problem. Their method might be taking a page out of Internet Explorer for SP2, but if it works than it's good.
This story comes at a perfect time for me. I'm a Mozilla diehard, and I just ran Ad Aware 6 to find that some malware bypassed security (even Norton Internet Security) to install itself. One of the progs I found was malware called Winfavorites, and although Symantec says this is detectable malware, I had run Norton Antivirus and it went undetected. Looks like it's smartest to run a combination of programs just in case!
I might add that I don't blame Mozilla for it. I blame the programmers who sell their soul for cash to these unscrupulous companies only looking to profit while hurting the systems they populate.
The dangers of knowledge trigger emotional distress in human beings.
As Mozilla browsers become more popular, and thus face credible threats on the scale that IE has been facing, this may well be the breaking point for OSS in general.
Business types are afraid of OSS mostly for the fact that it's "unsupported." To them, support doesn't mean having developers on hand to fix problems so much as it does having someone to blame when things go wrong. As long as someone else is fiscally responsible for their technology problems, their customers/shareholders are happy.
They won't admit to believing the above, but it's true: I have first hand experience with it. They'll say that they need the support to protect them from threats and vulnerabilities. They cite Microsoft's patches and updates as proof that the support is useful. They claim that OSS is only safer because no one targets it, and thus the threats aren't as severe. They don't believe any of that, but it's what they use to rationalize their decisions.
If Mozilla continually and expertly deals with these vulnerabilities, that argument will fall flat. They'll either have to admit just what they're -actually- paying for when they claim "support," or they'll at least begin to look into OSS alternatives.
At least, that's what I hope ^_~
GeekNights!
Late Night Radio for Geeks!
- Enable Javascript
- Enable install from XPI locally and globally
- Click on a Javascript link on a WWW page (which would be shown in status bar) (N.B. Mozilla does not execute XPI-related JS automatically--the user must have clicked the link)
- Wait a few seconds while watching a very large uncancellable dialog box saying "A website is requesting permission to install the following item", giving full details of the program it is installing (including its signatures in big red letters, its name and its URI), and saying in big bold letters, "Malicious software can damage your computer or violate your privacy. You can only install software from source you can trust."
- After waiting a few seconds you, you then had to press a button labelled "install now".
I'm guessing that even some ex-MSIE users might not go through all that on the request of a malicious WWW site they have found.I digress.
Joe Llywelyn Griffith Blakesley
[This post is in the public domain (copyright-free) unless otherwise stated]
How about "those greedy corporate cocksuckers with the strait-jacket EULA and dozens of politicians in their pocket"? M$ is just faster, I'm afraid...
The Slashdot Paradox: "100% Overrated"
Last week, right before this news, there was news that a lot of people switched to FireFox because of the vulnerabilities in IE.
Who's going to tell them now that they should upgrade their FireFox to the fixed version, because there was a problem?
It doesn't really matter that it was fixed quickly. The people that didn't install updates for IE, won't install the updates for their brand new FireFox either. Sadly.
I believe posters are recognized by their sig. So I made one.
Why is this modded interesting?
First of all, it wasn't a bug at all, it was a problem in Windows' URI handler. Mozilla merely redirected unknown uri's to this handler as it was expected. The "bug" the op mentions was a discussion about whether this feature was safe or not.
When it turned out that it wasn't safe, the Mozilla team was very quick to solve it.
Very simple solution by the way, just turn the redirect off... now the user has to explicitly consent with this action instead of automagical launching of apps.
By the way, this feature was a MS one, not Mozilla's idea. Recent bugs in the MS product family are actually the same. Just an exploit of the URI handling of Windows.
Wrong, generic bug about potentially hazardous protocol handlers was opened in 2002, and framework for dealing with them was created.
The specific shell: protocol was pointed out as maybe dangerous one day before it was fixed (with just a configuration change, because that framework was already there).
Very quickly fixed.
No, the bug was in Windows XP's handling of the shell: protocol. It can be exploited to run arbitrary code. When this was found out, Mozilla team released a patch to prevent shell: protocol links from working, cutting off access to the real culprit in Windows, which won't be fixed until SP2 for XP.
The 'bug report' opened at Mozilla in 2002 was essentially trying to deal with the way Mozilla handles unknown protocols. The normal way was just to pass them to the OS.
E.g. since aim: isn't recognized by Mozilla, an aim: link would be passed to the OS, and if you had AOL IM installed, it would have registered to handle that protocol. (Often used to install a new "buddy icon.")
I believe Mozilla is now going to allow you to let certain protocols through, instead of allowing all.
So it's QUITE a stretch to say that this exploit bug we're talking about is (a) in mozilla, and (b) around since 2002.
Ironically, the word ironically is often used incorrectly.
Want to know what the best part is?
The original poster was right, and your uninformed bash at his comment caused the truth to be modded down. Maybe he doesn't like Microsoft, but even paranoid people get it right sometimes.
You may want to read this interesting article. In it, you'll find that this "shell bug" he's talking about is exactly what the mozilla bug was, and that it also affects word and MSN messenger.
Sorry to burst your bubble. And technically MS didn't fix it yet, they just disabled ADODB.Stream until they do.
Disclaimer: My post is about the "let me make name changes I think are clever and funny" trend and not the parent poster.
As opposed to people massively using names like "Lunix" or "open sores"?
I've... never seen anything like that used here on Slashdot. Not ever.
That's not saying it hasn't been, but it's sure a hell of a lot less common.
As long as those MS zealots don't disappear, expect names like "M$".
Wouldn't you rather be the bigger person?
Personally, I'd rather have intelligent discussion about the strong and weak points of various OS/software/languages/etc. here than stupid name calling. Maybe it's just my own prejudices, but when I see a post with that kind of crap, I assume I'm as likely to get reasonable discourse out of the post as I am to get a fair and balanced opinion about non-Causasians from a member of the KKK. I skip to the next post.
(I also assume the poster lives in their parents' basement and has never touched a real girl, but I keep that to myself. That'd be unfair and non-constructive name-calling, too.)
IMHO, desktops (GNOME, KDE) are crossing the line and even X itself has some "features" that may lead to exploits if developers aren't careful - remember the window manager is just a program that can actually control other programs on the machine. No application should ever tell another what to do based on untrusted data, that's reserved for the user (clicking a link doesn't count as approval - the link may not do what it claims).
When you add a feature, consider what a criminal might use it for and who the burden will land on to prevent it. With shell: the burden lands on any application you might possibly launch and that's just unacceptable. With a window manager, consider that I may want to offer my display server to some untrusted application (airline reservation system) running on a remote machine - great possibilities and a great security risk. Because so much is accessible through X we don't use it that way.
I'm rambling now trying to gather too many thoughts in too little time.
Are you serious? You're saying that an operating system that let anybody use it by simply selecting 'Cancel' on the login screen (if even enabled), is more secure than Windows 2000/XP. Madness.
I don't believe OSS has ever encountered the concentrated, unrelenting targeting Microsoft has to endure.
You're mistaken in your belief.
People argue that Microsoft's getting unfairly blamed becauise they're the majority of the targets. And yet in areas where they haven't been the primary target they have still often had a significantly larger number of exploits for extended periods of time.
For example, for years IIS had a consistent 30% share in the webserver market, yet over the same period IIS served the vast majority of defaced websites.
Folks - this is not just a Mozilla/Windows problem. Just a few short weeks ago, a lot of noise was made about a very similar URI exploit on Mac OS X, both through any browser that runs on OS X (noise was made about Safari, and I verified that the exploit was also present in Camino) and OS X's help system.
Because of the seemingly general nature of this type of exploit - why are we letting browsers run code ?? The web SHOULD primarily be to exchange information (text, images, audio, video). Why are we allowing remote program execution?
Since Mozilla doesn't like people on Slashdot being able to trash-talk their browser by linking to bug reports, you'll have to copy the links to actually visit them, but:
2002-08-20 - http://bugzilla.mozilla.org/show_bug.cgi?id=163767 - root of all these bugs, Mozilla passes unknown protocols to Windows8 - same bug, spefically could launch IE and allow the execution of VBScript (possibly in the local security zone)8 - same bug, hcp: protocol could delete any file on your computer (wildcards allowed)0 - requested a whitelist to avoid future instances of the same bug
2002-08-20 - http://bugzilla.mozilla.org/show_bug.cgi?id=16364
2002-10-03 - http://bugzilla.mozilla.org/show_bug.cgi?id=17249
2002-10-07 - http://bugzilla.mozilla.org/show_bug.cgi?id=17301
This bug has been known about for two years. It still hasn't been fixed. When SP2 adds the "delete:" protocol or similar, then Mozilla is going to be vulnerable to that, too. And it looks like the developers have decided not to bother fixing it.
This isn't a triumph of open source - it's an example of how open source falls prey to exactly the same problems closed source does. Except publically, so you can point to these discussions to demonstrate that they knew about the issues for two years.
You are in a maze of twisty little relative jumps, all alike.