Slashdot Mirror


Microsoft Not Worried about FireFox

didde writes "It seems like our friends in Redmond are quite happy about IE. According to this article, they won't be updating it until Longhorn. My favorite quote would be [We have a very, very innovative set of capabilities that we're putting in the next version. And in the meantime it's an extensible platform, and there will be a set of extensions that Microsoft does as well as others.] Oh boy, are they actually working side by side with the virusmakers and phishers?" That just gives the MozBoys a year head start.

8 of 674 comments

  1. browser security check by exhilaration · · Score: 5, Informative
    If you're still using an older (more than 6 months since you've patched) web browser, I suggest you check out this browser security check, which will test it for exploits.

    At your own risk, of course. Firefox 1.0PR passed with flying colors.

    1. Re:browser security check by stratjakt · · Score: 3, Informative

      No it didn't, I just tried.

      Firefox 1.0 has 1 high risk vulnerability.


      High Risk Vulnerabilities
      Sun Java Plugin Arbitrary Package Access Vulnerability (idef20041123)
      Description

      Java Plugin allows web browsers to run Java applets. Java plugin may be used by Internet Explorer, Mozilla (and Mozilla-based browsers, such as Firefox), Opera and other browsers.

      When a browser opens a web page that contains a Java applet the browser automatically downloads the applet and runs it locally. To protect the user from malicious applets all the applets run in so called "sandbox". The sandbox restricts what an applet can do. For example, the sandbox will not allow an applet to open local files or start programs.

      This bug in Sun Java Plugin allows a web site to bypass the sandbox and execute Java code that the sandbox will normally not allow and possibly gain control over the client computer.

      Technical Details

      Sun Java Virtual Machine contains sun.* packages that are only supposed to be used internally, by the virtual machine itself. Some private classes allow direct access to memory or modifying private fields of Java objects. If an applet attempts to load one of those packages a security exception is thrown. If an applet could load those classes it could turn off Java Security Manager and break out of Java sandbox.

      JavaScript can access properties and methods of Java applets embedded on the page. It is possible to load a private package from JavaScript as shown in the code below:

      var c = document.applets[0].getClass().forName('sun.text.Utility');
      alert('got Class object: ' + c);

      Java Reflection API allows objects to examine their own structure (for example, find out the class of the object or the available methods). Reflection API defines getClass() function that returns the object's class. forName method of Class object loads the named class. The same operation done from the Java applet instead of JavaScript would fail.

      Recommendations

      Upgrade Java Environment to version 1.4.2_06 or later. It can be downloaded from http://java.sun.com/j2se/1.4.2/download.html


      Sure, it's a Java vulnerability, but a vulnerability nonetheless.

      Why hasn't FireFox automatically updated Java for me?

      At the end of the day, every time one of you sticks FireFox on some clueless' machine, and tell them they're "safe", you're lying (or just ignorant).

      --
      I don't need no instructions to know how to rock!!!!
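
The recommendation quoted in the comment above (Java 1.4.2_06 or later) turned into a version check, as an added example that is not part of the original post or of the security check it quotes. The function names and the sample inventory are hypothetical, and treating any numerically higher version as "later" is an assumption of this example.

```javascript
// Added example: names below are hypothetical, sample data is constructed.
const FIXED_VERSION = "1.4.2_06"; // fixed release named in the quoted recommendation

// Parse legacy Sun version strings such as "1.4.2_05", "1.4.2_06-b03" or
// "1.5.0" into [major, minor, micro, update]. A missing update counts as 0;
// a trailing build suffix ("-b03") is ignored (assumption of this example).
function parseJavaVersion(text) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:_(\d+))?(?:-[A-Za-z0-9.]+)?$/.exec(String(text).trim());
  if (!m) return null;
  return [m[1], m[2], m[3], m[4] || "0"].map(Number);
}

// Numeric, field-by-field comparison: returns -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < a.length; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// "ok" if at or above the fixed release, "upgrade" if below,
// "unknown" if the string cannot be parsed (treat as unverified, not as safe).
function checkJavaPlugin(versionText) {
  const v = parseJavaVersion(versionText);
  if (v === null) return "unknown";
  return compareVersions(v, parseJavaVersion(FIXED_VERSION)) >= 0 ? "ok" : "upgrade";
}

// Constructed inventory of reported plugin versions.
const inventory = [
  { host: "desk-01", java: "1.4.2_05" },
  { host: "desk-02", java: "1.4.2_06-b03" },
  { host: "desk-03", java: "1.4.2" },
  { host: "desk-04", java: "1.5.0" },
  { host: "desk-05", java: "not installed" },
];

function auditInventory(items) {
  return items.map(({ host, java }) => ({ host, java, status: checkJavaPlugin(java) }));
}

for (const row of auditInventory(inventory)) {
  console.log(`${row.host}\t${row.java}\t${row.status}`);
}
```
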
  2. Opera 7 passed. by eddy · · Score: 3, Informative

    Opera 7.54u1 build 3918 passed.

    The Browser Security Test is finished. Please find the results below:
    High Risk Vulnerabilities 0
    Medium Risk Vulnerabilities 0
    Low Risk Vulnerabilities 0

    --
    Belief is the currency of delusion.
  3. Re:We're heard this line before by Haydn+Fenton · · Score: 5, Informative

    I think the grandparent is referring to the story about an MS article reviewing MSN Search which features a screenshot of MSN Search in the Firefox browser. Microsoft, being Microsoft, denied it completely, even though we all had the evidence on many websites.
    Of course I may be wrong.

  4. Re:We're heard this line before by Eric+Giguere · · Score: 4, Informative

    Here are some articles I wrote related to this topic:

    Eric
  5. Re:We're heard this line before by upsidedown_duck · · Score: 3, Informative

    has MS EVER lost a market once they came to dominate it?

    They will. Every single market that Microsoft currently dominates has solid gaining competitors, because the technology is becoming commoditized more and more. Office suites are something people should not have to pay a lot of money for, any longer, as are operating systems. That could be a big one-two punch for Microsoft.

    When in history has there been such a broad line of software products with a common base? Sun JDS, Xandros, Linspire, Red Hat, SuSE, etc. all have the same overall source base plus their value added goodies for their target markets. This should be making Microsoft very very nervous about the future of Windows. No one can really take Windows, customize it, call it their own, and sell it, like people can with open source systems.

    --
    -- "Makes Little Debbie look like a pile of puke!" - Moe Szyslak
  6. Go-faster tweak for Firefox by Valiss · · Score: 4, Informative

    Yet ANOTHER reason Firefox is a great browser is the great plug-ins and tweaks the community produces!

    [ from boingboing.net ]

    Here's a great go-faster tip for Firefox, the free, rock-solid, secure browser from the Mozilla Foundation:

    1. Type "about:config" into the address bar and hit return. Scroll down
    and look for the following entries:

    network.http.pipelining
    network.http.proxy.pipelining
    network.http.pipelining.maxrequests

    Normally the browser will make one request to a web page at a time. When you enable pipelining it will make several at once, which really speeds up page loading.

    2. Alter the entries as follows:

    Set "network.http.pipelining" to "true"

    Set "network.http.proxy.pipelining" to "true"

    Set "network.http.pipelining.maxrequests" to some number like 30. This
    means it will make 30 requests at once.

    3. Lastly right-click anywhere and select New-> Integer. Name it
    "nglayout.initialpaint.delay" and set its value to "0". This value is the
    amount of time the browser waits before it acts on information it receives.

    If you're using a broadband connection you'll load pages MUCH faster now!

    Enjoy!

    --

    -Valiss
  7. Re:Mozilla, Viruses and Exploits by roca · · Score: 3, Informative

    > Oh, gee, your impression? Well, hey, that proves
    > it.

    Without access to the IE source code, it's hard to be sure, but there have been a number of bugs related to string buffer overflows in different parts of IE.

    > In SP2, they recompiled all system libraries,
    > including IE, using the VS2005 compiler with
    > overflow detection.

    That approach is not perfect, and would have been less necessary if they were using a safe string library. Still, it probably would be a good idea for Mozilla.org to build Firefox with the same options if they don't already.

    > Has Mozilla done a code audit?

    Mozilla.org has not done a systematic code audit, as far as I know, other than the regular code reviews that happen before checkin. I do know that people have studied the code, some using automated tools, others by hand, but we only know if people choose to tell us. (Which they often do to claim money under the bugs bounty program.)