Spyware for Firefox Coming This Year?
EvilCowzGoMoo writes "One of the main reasons for the Firefox browser's successful seizure of market share from Microsoft's Internet Explorer is the desire to escape the inundation of PC-slowing spyware. However, spyware experts indicate that with its increased popularity, Firefox itself will become a target for spyware creators." From the article: "Basically, if you use Firefox today, you're not susceptible to any spyware, other than what you download when you're on Kazaa...The spyware writers target mostly Explorer users because that's the most fertile feeding ground for piranha-like (spyware) attacks. They'll watch as Firefox becomes mainstream, they'll see opportunity there and start targeting them."
Spyware already exists for Firefox in XPI form. Please look out for malicious XPIs. More information on this can be found here: http://forums.mozillazine.org/viewtopic.php?t=6434 1
IE's spyware problems were largely due to exploits. Someone not up to date with patches could visit a website and have something remotely installed pretty easily.
For Firefox, though, it'll take social engineering. The place to look for the spyware threats is in the brand new extension you WANT to install. Most Firefox users have at least one extension, and many have a dozen. How do you know what each of those is doing behind your back? Most people don't bother to scan the code, and while some may do so and report problems publicly, will you find out about them? A firewall won't even help you in this situation since you've probably given Firefox free access to port 80 (plus 443, etc).
Mozilla should probably create some sort of permission system for extensions. Can it connect to a remote server? Can it write to disk?
because I use linux.
How is this news? If Linux was the #1 desktop operating system in the world, spyware authors would be targeting it, too.
Since xpi's are blocked by default, they're going to get there how? By a javascript dialogue that says "You must allow this installation to continue."?
:(
Hmm. That's probably exactly how it'll happen.
Karma: Chameleon (mostly due to the fact that you come and go).
Can someone explain how this is possible?
On IE there is the mess that is called ActiveX. Are we talking up XUL? Or perhaps malicious plug-ins?
good, help to improve it
Imagine a whole company full of coders looking into code to find loopholes to exploit. That's what they'll end up doing! Sure, the Firefox developers will be fast about plugging holes the minute they find them, but people are bound to get a little upset by getting hammered (ie) once every week, then having to patch their browser weekly...
Yeah, I'm a Republican AND a geek. It is possible.
While the spyware makers may initially try to target Firefox... the fact is, Firefox is written to prevent just these sorts of things. Is it possible there will be bugs that allow unauthorized code to run? Yeah... but they will be patched, and patched quickly.
Overall, no matter how you slice it, Firefox is more secure and is designed from the ground up to prevent the "fertile feeding ground" that IE offers Spyware writers.
So no, you aren't going to see the same rampant irresponsibility that you see with IE, and the threat is a tempest in a teapot.
Of course, nothing is going to protect your computer from your own stupidity when opening executables, etc... that's all on the user whether or not they authorize code to run or not.
As soon as Firefox supports ActiveX, it supports spyware.
Solution: don't enable ActiveX (duh)
Security is a process, not a product. There is no magical one product or suite of products that will protect you while online. Security is risk mitigation, plain and simple. Far less people would be vulnerable to the tricks of the miscreants out there trying to do people harm if they would just employ a little common sense. But, alas, common sense isn't that common.
While there've been a few complaints about the default install of firefox 1.0 having some unpatched holes, I don't believe firefox is as vulnerable as IE to spyware in the first place. Sensible defaults, coupled with things like popup blocking (which will prevent accidental clicks which may install spyware..I know IE has this now) and image/site blocking will help as well.
I haven't used IE at all in months. Never once clicked it. Yesterday I ended up with a piece of spyware called "ISTbar". I don't know how it could have got there other than through Firefox.
Oh boy, I can't wait. :) But I don't think Firefox is going to have anywhere near the problems with spyware that IE has. But I think the bigger threat is phishing attacks. I have already received e-mails from spammers trying to give my information to PayPal. And this was only announced yesterday. What is this world coming to? Can't anybody make an honest dollar anymore?
The more I follow the world of computing, the more repetitive it gets. I've heard this argument for Linux and Mac and others, as well. "They're only safe because they're such a small target."
While this is no doubt true, I think it vastly underestimates the community reactions to combat the malicious hackers. One of the reasons Firefox, for example, is so strong is that it can fix a loophole within 24 hours of finding it. There are enough eyeballs to catch the problem, as it were. An open source project can have a patch to fix a problem inside of a day. Something like Windows is a giant security hole because nobody's updating it nearly that fast, if ever at all.
The issue isn't really how many people are using it. That certainly does figure into it, but the very basic design philosophy of IE allows spyware to propagate easily.
Firefox has far better controls on what programs can be installed and can't be. Also, the very multi-platform nature of the code makes it harder to write an app that will work well.
I'm not worried. On the IE side, the only people who can fix the code are microsoft drones, and they won't do it. On the firefox side, the people who fix the code are the people who use it, namely us.
Planet-GeekEvent Management Solutions : http://www.stonekeep.com/
... from the "no shiat" department.
"The only reason why X has $BAD_THING is because the system is popular. I'm 100% certain when Y has such popularity it too will have such problems." -- while ignoring any design differences that make Y less susceptible to $BAD_THING. Firefox is better designed from the ground up. Not saying that it's bullet-proof (it's not...), just less susceptible and less desirable to target. Would you rather target a locked door with an alarm system, or a door that's wide open with no security measures taken?
Karma whorin' since 1999
What about all those signed Java applets out there already?
The user only needs to press 'OK'(which they usually do) and the applet gets full system access(because of the signing).
Doesn't look very safe to me.
I know you can configure this, but normal users don't do that.
Ever seen one of those nice signed applets from toolbarz.foo.com which requested UtterAndCompleteControlOverComputerPermission when browsing with Firefox?
Have you noticed how easy it is to click 'ok' without even reading the dialog box?
The JRE plugin should include a time-delayed OK button, just as firefox does when installing plugins.
This is why it is important to have default settings that do not even ask you to install something unless you put the site in an allow list.
Dvorak on Doomtech
How about a program that takes the cryptohash of the virgin final installed code, and checks against that hash periodically (every 5 minutes, every new website, every app launch)? When spyware strikes, it changes the app fingerprint, and this sentinel could keep a log of recent traffic for analysis, and offer to reinstall. Our desktop immune system should take advantage of our "known good" info to detect these cancers when they start, and track them to their source.
--
make install -not war
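The sentinel described above, as an added example that is not code from this thread or from Mozilla: it records a SHA-256 digest for every file under an install root, then re-walks the tree and reports what was modified, added or removed. The install root, the JSON baseline location and the file names in the demo are all constructed for illustration.

```python
"""Baseline-and-verify integrity check for an installed program directory.

Added example, not from the original thread. A baseline manifest maps every
file under the install root to its SHA-256 digest; verify() re-walks the tree
and reports files that were modified, added or removed since the baseline.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def _digest(path: Path, chunk: int = 1 << 16) -> str:
    """Stream a file through SHA-256 so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root) -> dict:
    """Map each regular file's path (relative to root, POSIX-style) to its digest."""
    root_path = Path(root)
    manifest = {}
    for dirpath, _dirs, files in os.walk(root_path):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink():
                continue  # a symlink's target can change without touching the tree
            manifest[p.relative_to(root_path).as_posix()] = _digest(p)
    return manifest


def verify(root, baseline: dict) -> dict:
    """Compare the tree at root against a baseline manifest.

    Returns {"modified": [...], "added": [...], "removed": [...]} with sorted
    relative paths; all three lists empty means the fingerprint still matches.
    """
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def save_manifest(manifest: dict, path) -> None:
    # Keep the baseline outside the tree it describes (ideally on read-only media);
    # otherwise whatever tampers with the install can rewrite the baseline too.
    Path(path).write_text(json.dumps(manifest, indent=1, sort_keys=True))


def load_manifest(path) -> dict:
    return json.loads(Path(path).read_text())


def demo() -> dict:
    """Constructed scenario: pristine install, then a patched binary, a dropped-in
    extension and a deleted component. File names and contents are made up."""
    with tempfile.TemporaryDirectory() as tmp:
        install = Path(tmp) / "firefox"
        (install / "extensions").mkdir(parents=True)
        (install / "components").mkdir()
        (install / "firefox-bin").write_bytes(b"\x7fELF original browser binary")
        (install / "components" / "browser.xpt").write_bytes(b"typelib data")

        baseline_file = Path(tmp) / "baseline.json"
        save_manifest(build_manifest(install), baseline_file)

        # The kind of change the sentinel is meant to catch (constructed, not a real sample)
        (install / "firefox-bin").write_bytes(b"\x7fELF patched browser binary")
        (install / "extensions" / "toolbar.xpi").write_bytes(b"PK\x03\x04 placeholder")
        (install / "components" / "browser.xpt").unlink()

        return verify(install, load_manifest(baseline_file))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Run it as a scheduled job against the real install directory and alert when any of the three lists is non-empty; re-baseline only after a legitimate upgrade.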
...being a 100% full time user of Firefox, I was surprised to find a site in a random web search a week or two ago that actually got a pop-up window going, but also appeared to attempt to execute some code as Firefox popped open a dialog asking me what I wanted to do with the file that was being downloaded. Thankfully, I have it ask me what I want to do, but if I was a typical user, I would have already associated the *.DOT file with MS Word and god knows what would have happened. Keep in mind that I didn't actually click on any links that indicated a download, I only clicked on a Google search result which took me to a site that displayed a blank screen and then the pop-up. I have to wonder what would have happened if I had associated OpenOffice.org with the *.DOT file since I run Linux. Probably not much... but it definitely indicates that Firefox will be targeted. The real question is: will the Mozilla project be able to keep up any better than MS has with IE? I'm guessing that they will.
-"...bad old ideas look confusingly fresh when they are packaged as technology" - Jaron Lanier (Digital Maoism on Edge.o
Luckily they're very easy to block with the adblock plugin. Just click the underlined adblock keyword down to the right, and select it from the list.
This months browser stats:
Firefox No 1231 50.4 %
Mozilla No 953 39 %
MS Internet Explorer No 237 9.7 %
Safari No 10 0.4 %
Opera No 7 0.2 %
Unknown ? 2 0 %
Starting to look like a tempting target, no?
(FWIW the same month last year was 72% IE for roughly the same number of hits.)
Beep beep.
The presumption in the article is that, from a security standpoint, the only thing separating IE from Firefox is popularity. Doesn't ActiveX, etc. etc. etc. represent a serious qualitative difference in security problems?
Overall, no matter how you slice it, Firefox is more secure
Prove it. If you're going to make a grand sweeping statement like that, I want specific examples and logical arguments that don't rely on Firefox being a niche product. Otherwise I, we, have no reason to believe you.
The Mozilla Foundation has a very big opportunity to prove WHY people should switch to Firefox from IE by making security the number one priority.
If the Firefox development community responds quickly to these threats as they arise, they will continue to win away informed users from the headaches of IE through word of mouth among other avenues.
There is always going to be a war going on between spyware makers and browsers. The browser maker who can respond quickly will continue to grow marketshare.
Features aren't enough, and complacency is dangerous. They need to respond to security vulnerabilities and spyware exploits in a rapid manner to stay ahead of M$.
If they don't already have one in place, I think the Mozilla Foundation should form a rapid response SWAT team to patch vulnerabilities and battle spyware with truth and justice for all!
as it's bound to be a less frequent occurrence and a faster, more effective response. So when it's all said and done, "Viva la Firefox!"
"Plans are for fools! Oglethorpe, the plutonian (Aqua Teen Hunger Force)
Spyware is often propagated through holes in ActiveX or other pieces of Internet Explorer. Gecko (Mozilla Core) was designed from the ground up with security in mind. With few security vulnerabilities hitting Mozilla, and the fact that even the NSA recommends using an alternative to IE such as Mozilla, wouldn't it mean that there would be less spyware for it?
Mind you, Mozilla is probably as big as IE in terms of codebase, but it probably has more people working on it than IE. But saying that 'if more people use it then more people will want to crack it' isn't necessarily true - look at OpenBSD. They're used in many places, but have yet to have a single remotely-exploitable security vulnerability in over ten years.
Sure, more people would hack at the code and try to exploit it, but if the software was designed with security in mind, wouldn't it eliminate most threats by default? Linux may have its flaws as well, but that doesn't mean that it is any less secure - and 90% of the vulnerabilities come out of third-party (non-core) software, which can be disabled. Windows is a different story, with everything all hardcoded into the kernel. Turn off those services, and Linux can run for up to a year without patching.
is in part a bunch of hooey. They are attacked because they are vulnerable and buggy. There are several products that dominate their respective areas that don't happen to be MS products and they are extremely secure compared to their MS counterpart. Like Apache....
"We are the subject of attacks because we're the biggest" is just so much horn blowing on the part of MS.
Maybe it even does, and I just haven't found it yet.
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
I'm not completely skeptical of this statement and will actually be interested in seeing how Firefox will hold up. After all, it's not perfect, flaws exist. But, I have to believe that the approach behind the development of the Mozilla/Geko/etc has differed substantially from IE. After all, it's well known how tied to the os IE is and the fact that Moz/FF have (obviously for more than one reason) steered clear of this, I tend to think that user error/judgement will be a more likely cause of any kind of malware installation.
But regardless of whether there are any kind of infections for now, the OS community will respond with much quicker zeal than MS. However, how long will it take for the vendors to offer patched versions? What good is a secure Firefox when Red Hat or Novell (or any others) don't offer a patched version? Remember, there are more and more companies who expect this - expect not to have to go out and fish for a download from some ftp server themselves. So it'll be interesting to see how that plays out.
I am so goddamn sick of the argument that Things Which Are Not Windows are only virus/malware free because they don't have the market share of Windows, and are therefore somehow not as valuable a target!
I didn't believe it about Mac OS, I don't believe it about Linux, and I am excited to see where it's going to go with Mozilla. People will realize that IE isn't just picked on because it's the most popular browser, it's also so easy to exploit, no wonder it's #1.
better than microsoft should be the new goal of firefox. Microsoft left clear holes in their program by giving it too much access in certain unrestricted ways (Cough, Active X, Cough) that made it so vulnerable.
Although Firefox may become popular, if the maintainers and coders do it right, they can keep it spyware-proof. Let's also not forget that most villainous spyware requires no specific browser and instead is run secretly in the background of the computer's processes. That's a Windows problem.
Why isn't spyware legally treated like viruses yet anywhere in the world?
I say that we do some whois queries and walk into those offices with AK-47's and take care of the problem. Guaranteed, a few of these incidents take place, and companies will think twice about making money off of spyware and adware. You can't spend the money in hell!!!
However, it's just a suggestion. Otherwise go buy a Mac....Pussy
hahahahaha
how susceptible FireFox turns out to be.
On the one hand, the bad guys can look at the source;
On the other, it wasn't designed by Microsoft several years ago and more or less abandoned since except for fresh eye candy and emergency patches.
If FireFox turns out to be less prone to trouble than IE, it won't tell us anything we don't already know but it will sure be funny the next time Gatesmer says OSS is inherently less secure.
Security holes _will_ be found (some have been found already, see the URL spoofing). And some Firefox users, especially non-savvy ones (a portion that will grow as Firefox goes mainstream), will not upgrade.
Spyware will exploit this.
The security of Firefox is an illusion. Security through obscurity is not a viable plan for security permanence - if your product is good enough and marketed aggressively enough (and I do count word-of-mouth marketing in this), it will spread and be targeted. It is that simple. It's not until you have the full force of virus/spyware writers coming against you that you know whether all your previous big-talking statements about your security will stand up for crap. My belief? Firefox is going to find itself besieged and it will be a huge test for the OSS community, to see if they can really handle these problems as well as they always say they can.
Fact is, things won't be exactly the same if FF gets a bigger market share. It's not the same product. Articles like these are written by Microsoft apologists.
Their expert is the Vice President of Threat Research at Webroot. That much is from the article. The article doesn't take the next logical step, however, and point out that Webroot is in the business of developing and selling software to prevent, detect and eliminate spyware. So it's certainly in this guy's interest for people to think that spyware is still a problem.
Their other expert is also from a company that makes similar software. So people who make anti-spyware software agree: you need anti-spyware software.
I'll be more concerned when independent parties think spyware in Firefox is an issue.
If we posit that Firefox is a more difficult environment for malware, and I believe this to be true; then malware authors will continue to go after the low-hanging fruit of IE, even as its marketshare falls.
Infecting 60% of the population with a small amount of work, is far easier than infecting 40% of the population with an enormous outlay of effort.
Of course I'm living in a fantasy world, because I think that FF will reach 40% market penetration.
How does the Slashdot Effect happen given that no slashdotters ever RTFA?
Some sites will try to foist an unsigned xpi on you, and this goes way back... can't remember when I first saw it but I'd wager it was almost a year ago. Example is here (NSFW), try to download a file if you want to see what I mean. It's a cracking site so maybe you deserve what you get, but I've had some seemingly harmless lyrics sites try it as well. Us moz users have had a nice free ride for a while and things are certainly going to get worse - we all know the huge window saying "warning, this might be unsafe" won't do a bit of good - but at least now your mother's spyware-infested wreck of a browser will have proper PNG support!
If the market is indeed split into two major parts, this is actually a bad thing, because it gives you only two huge targets. That makes it easier and less expensive to create viruses, or take over computers for monetary purposes.
What we need is several browsers that each have a significant part of the market. Not just IE and Firefox/Gecko based browsers, but also Opera and KHTML based browsers. Maybe there would be room for even more as well.
It is good that an alternative browser is growing rapidly, but monoculture or duoculture makes life easier for virus makers. With four browsers, it would take four times the effort to get as much "bang for your buck" for virus authors looking to make money by infecting people.
Clever signature text goes here.
There is no magical one product or suite of products that will protect you while online.
I wish people would realize this. Firefox is not a magic bullet, Linux is not a magic bullet. You can't just switch to one thing and assume invulnerability against everything out there. You need to maintain good practices and be aware of incoming threats no matter what OS or browser you use, despite what some zealots would have you believe.
After switching to Firefox for more than a year now, I find IE to be the more stable one in terms of normal daily activity. On average, my Firefox crashes two times a week, as for IE, close to zero if I am not running Java or ActiveX sites. The main reason I am using Firefox: better security and various useful extensions.
Having said that, I completely agree with this article. I fear that Firefox may become more susceptible to worms than IE once it gets started. The only question that remains is when...
Don't forget-these dire predictions come from AV software makers, who have an interest in keeping you scared.
Evidently these experts are underestimating the community behind Firefox. One of the big reasons behind spyware in IE is how slow Microsoft is to close up these bugs.
The Firefox developers, on the other hand, would obviously make patching these types of things a priority. Without ActiveX and the like, there are a lot fewer potential ways to infect someone running Firefox.
I realize that not everyone is going to be up to date with these patches, but are spyware writers really going to continue to try and come up with new exploits for Firefox when their hard work is sealed up within a day? I honestly can't see huge amounts of Firefox spyware, even if they do start to find a few holes.
will the Mozilla project be able to keep up any better than MS has with IE? I'm guessing that they will.
What's the reasoning behind your guess? The old argument that simply because the open-source community has more coders, they're bound to fix problems more quickly and get it right the first time? What guarantee do we have that the people looking at the code are even qualified to review? What insurance do we have against their work if it goes wrong? Who's accountable?
As another poster noted, potential spyware will come from an XPI. Someone can easily be socially engineered into allowing installation of an XPI that installs to one's local profile.
Heh, when spyware makers really do begin to actively target Firefox users en masse, maybe a toast is in order. Pop open the bubbly! Why? Because spyware and spam are playing a numbers game. Of all the spam sent out and machines infested with spyware, only about 1 percent of those are going to make any money for the exploiter. But because we're talking about total numbers in the tens of millions at least, that 1 percent is good money.
So when Firefox becomes worth the effort, the folks in Redmond will really have to worry. In this game, nothing flags success like being the target of abuse! Tens of millions of Firefox users might just mean tens of millions of people considering something other than Windows. And that affects the bottom line for Microsoft. Hmmm, anyone heard of any OpenOffice exploits yet?
To the making of books there is no end, so let's get started
firefox is clearly still safer, there are still open holes in IE6 even if you patch it up!
Let's not get carried away here. I voted for him over the other guy, but I don't think I would describe anything he's ever said as "immortal."
....
Typographical error -- should read "immoral words"
-kgj
IMHO that's a lot of FUD. Firefox is not nearly as vulnerable to spyware as IE is. Firefox by default has XPI installation disabled except by approved sites.
Installing spyware on Firefox would be much more about social engineering (if you want to see this website, follow these instructions: "download, choose 'save as...', then double click on it, yadda yadda...").
Of course, with people falling for phishing attacks, it wouldn't surprise me they'd be so stupid to do this. In that case, Firefox should issue a warning about "evil XPI files". At least that way when some moron says "bwaaa they told me firefox was spyware-free", we can ask: "Did you follow the evil website's instructions when they told you to install this XPI?"
Then all we have to do is repeat the world-famous Nelson quote.
Predictions like that make me very wary of the article. Where did he pull numbers like that from? Is there a correlation between the increase in market share and the amount of spyware written for Firefox? Or does he think that spyware writers are watching the market share meter and the minute it strikes 10%, they'll start writing spyware for it? 10% is a nice round number but it also makes me think he just pulled that number out of his head without any thorough research or analysis. Market share increase will draw the attention of spyware writers, of course. That's obvious. Yes, at 10%, there will be more spyware than now, but so will there be at 13% and 79%.
It just seems to me that he pulled a nice round number out of his head and predicts this year since most of it is still ahead of us and gives his predictions a nice fat margin of error. In other words, the predictions provide no new or key insights.
EvilCON - Made Famous by
If some (evil) site begins to ask repeatedly to install an XPI, usually people tend to push the install button just to see the dialog go away.
This won't happen to me but this happens to the average joe (who, btw, will never get it).
Something has to be done to prevent this from happening, otherwise people will in the end perceive Firefox to be as insecure as IE.
For example, disable XPI installation by default and perhaps don't show the XPI installation dialog again if the user has dismissed the dialog and has not clicked on a button/URL to make it appear again.
With faster updates and better design there's no reason why Firefox can't remain a more secure browsing platform than IE.
Vital updates to IE are only available if you use XP. With Firefox you get updates whatever OS you use.
Better design means the additional plugins bar of Firefox appears at the top of the screen and doesn't block the user's browsing experience. With IE it appears as a dialog and blocks the browser operation until dismissed. Accidentally misspell a URL and you can often go onto a site where a gazillion of these plugin dialogs appear, and users often click OK by mistake or out of sheer frustration.
We've also been seeing Apple becoming more mainstream, increasing their market share (iPods are an Apple Big Thing (ironic!) but aren't particularly targetable by spyware, viruses etc. because there's not really anything particular to spy on, so we'll ignore them for the moment) - looking at the market share in desktop and laptop computers, surely we should be drawing the same conclusions as in the main article? Apple and Microsoft do similar things in terms of releasing security updates as and when needed; they rely on the user to actually click the button and download. So why are PCs the main haven for spyware, viruses, and so on, while Apples are traditionally free of these issues? Granted, a hacker will have more of a target and presumably an increased chance of success if the PC media are chosen; but the Apples are still there - is it the difficulty of being written for? Hahaha. I'm not sure of the comparative usage figures for Firefox and for Apple, but Apple's been round a heck of a lot longer - yes, they switched over to a Unix base, but a lot of the function and method of use was preserved. Where's the Apple attack? Did it happen and no-one noticed? Is Apple being efficient enough that it's just that much harder to do? Does anyone believe that Apple's market share is still too small to bother with?
Browsing with +2 to insightful posts and a higher threshold makes the average post seen seem a lot more ingenious
That is a very big part of it.
" didn't believe it about Mac OS"
There were Mac OS and Amiga viruses before there were Windows viruses (well, they predated Windows anyway, but the virus writers DID focus on these machines when their market share was a bigger %).
"People will realize that IE isn't just picked on because it's the most popular browser, it's also so easy to exploit, no wonder it's #1."
The answer is: both.
Don't blame Durga. I voted for Centauri.
Microsoft has a dept trying to put out spyware for FF! [/conspiracy theory]
But I think FF has good security measures in place to prevent this, always prompting for extensions, you have to make an effort to add a site to an "allowed" extension provider... they planned well.
Nevertheless, Stiennon also indicated the creators, maintainers, and even users of Firefox will quickly and aggressively step up their anti-spyware efforts along with the increased threat. "The people who use Firefox -- their reaction to any spyware-type attacks will be pretty vehement," he said. "There'll be fast reaction from both Firefox developers and users."
;)
I think this part sums up the beauty of Firefox, and the reason why I don't think this is any sort of cause for alarm:
There is a whole community of brilliant frickin' people out there who have taken a personal interest in making sure Mozilla products are secure & as bug-free as possible. I don't think it would be an exaggeration to say that they might look at Firefox as "their baby."
More importantly, some of these individuals are well-versed with the shadier aspects of software...so I predict Firefox security holes being patched as quickly as they're found.
Not only that, but I don't see many Firefox users (especially not those that have used it since its early days) taking spyware/adware lightly...turning the other cheek or throwing hands up in frustration don't seem to be personality traits of bastards like us
Just once I'd like someone to call me 'Sir' without adding 'You're making a scene.'
At least we'll finally know the truth about whether or not Microsoft's claim of only having security problems because they're so dominant is true or not. But then again there's that new exploit that DOESN'T AFFECT IE. A proof of concept is at http://www.shmoo.com/idn/ which spoofs the paypal.com site. This exploit basically works on anything but IE. And Opera has stated they believe there is nothing wrong with this and won't be making any current changes. As an Opera user I find this highly disturbing.
Between spyware, adware, monopolies, abuse of IP, and corporate shenanigans, it's almost enough to get me to quit my job as an IT guy and go live in a monastery somewhere.
Remember that the Holy Spirit is the original spyware product.
-- The reason it's called the right wing? Irony.
"I wouldn't be surprised if a couple of Russian spyware writers were turning Firefox inside out," he said. "In the next couple of months, we'll see the first exploits."
Yessss, it's those stinkin' Communists! Everyone knows that spyware and virus writers are all Russians! Oh wait, but 55% of spam comes from within the U.S.
*thinks*
It's those stinkin' Commie sympathizers! Probably all RUSSIAN-Americans!
Why is it acceptable for people to need "Live" updating software for Anti-Virus, OS's, Spyware/Malware programs, but not for browsers?
Why not make a browser where it is the NORM that it updates itself daily/weekly/monthly? I don't see this as a problem for most users.
It just needs to become part of their(non-geek) culture. Most people I work with understand the concept of Virus Definitions. They may not know what they do, but at least they know they need them.
...water remains wet, bears continue to shit in the woods, and the pope recently announced he was converting to Catholicism.
I use FireFox as my main browser on WinXP, and many times when I visit Mac OS Rumors I get a pop-under window for an ad. Has anybody else experienced this problem on other sites?
Taking guns away from the 99% gives the 1% 100% of the power.
You just said it yourself, Firefox isn't niche. So security through obscurity doesn't work as an argument here. Why's it more secure? Get detailed, get technical, i.e. BACK YOURSELF UP. It's not that much to ask, really.
How is causing a crash the same as allowing remote code execution? No one said Mozilla or Firefox were bug free. Very few programs can claim that. There are differences in severity levels of bugs in terms of system security.
...same old argument: "spyware experts indicate that with its increased popularity, Firefox itself will become a target". Like when they say Unix/Linux is just as insecure as anything else, it just doesn't have a large enough userbase for viruses/trojans/spyware/whatever to be fashionable.
I don't doubt snippets written to exploit Firefox's vulnerabilities will pop up, eventually in larger numbers. But that does not make the above argumentation any more valid, nor any less stupid. And we've been through argumentations about that, so I'll just skip that one.
I am putting myself to the fullest possible use, which is all I can think that any conscious entity can ever hope to do.
In fact, if you pretend to be someone else, and the site first tries known attacks against that browser, put a red flag up on my screen and allow me to easily block any future attempt to re-enter that site without warning me of the previous attack(s) from them first in a pop-up. This way, even re-directs couldn't put me there without giving me a chance to cancel first.
Btw, I truly hate the fact that we have to be so very defensive these days to use the Internet without problems!
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
The biggest problem for IE is the Active X crap. There are so many exploits for it that it's virtually impossible for MS to fix it. Once an Active X control is installed it then has complete access to your PC. With FireFox's white lists and the fact it doesn't support ActiveX immediately makes it more secure. Sure people will find exploits, but so far patches for FireFox have appeared faster than IE.
So Long and Thanks for all the Fish.
Thankfully for us though, it will be done less through exploits, and more through social engineering. Now, I'm not sure if this is what's best for the unwashed masses or not. I've personally always believed that the best way to combat spam/spyware is to EDUCATE people, and if they don't spend money on stupid shit, or let stupid shit get installed, the people making money off them won't get anything, and will stop doing it.
Of course, I will have no problem in the future telling friends/family that the reason their computer got all screwed up was NOT because of a virus, it was because they were not educated enough about using the internet. I will refuse to fix the problem until they agree to be educated.
Buy Steampunk Clothing Online!
Not precisely in line with what you said, but I just got a little bit of a chuckle when I read your post.
...
1995 - Mosaic vs. Netscape
1996 - IE 4 vs. Netscape 4 (Same 2 browsers)
1998 - Netscape's dead, IE rules!
2001 - Mozilla? (I know, it's been around for years)
2002 - Phoenix
2003 - Firebird
2004 - Firefox
2005 - IE 6 vs. Firefox 1.0
I know there are other browsers, but sheesh this has been going on for some time between these two code bases, you know?
Karma: Chameleon (mostly due to the fact that you come and go).
That's interesting because around here it seems that Microsoft is to blame when aunt Tilly opens and executes a password-protected ZIP file that contains a worm with Outlook or IE.
But when aunt Tilly does it with Firefox and Thunderbird, "security is a process, not a product".
The double standard is indeed amazing. We can't very well have the open-source people admitting any actual technical flaws in their output, can we? Or if they do, oh, they're "always patched quickly," so who cares?
You all know when google browser launches we will all switch to that and be invulnerable to attacks. mozilla/firefox/IE will be a thing of the past.
Real security cannot be accomplished by Firefox alone. As long as other vulnerabilities exist in an operating system (e.g. e-mail attacks, etc.), your Firefox code can literally be rewritten on your hard drive to be as vulnerable as the attacker wishes, and has the talent to achieve.
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
I love to use Firefox for almost all of my browsing. However, on some sites, such as MSN news video, you have to use IE to see the video or the page; there is no way to get around it. Also there are some sites that won't display the page properly, with overlapping text on Firefox, but look perfect with IE.
..isn't the malware authors. It isn't the browser authors. It's the web designers.
Sorry, but it is. The direction is toward more whiz-bang on pages. Flash. Shockwave. More stuff that makes people say "ooh...pretty."
And it all runs off of plugins. So users get used to seeing popups for "hey, this needs a plugin to run. Click here to get it" or warning messages "hey, this site is trying to run scripts. You OK with that?" And they get numb to it.
Sure, a more secure and harder-to-exploit-without-explicit-consent browser is a good thing. But until people stop writing pages that REQUIRE you to run code locally to view them, there will be exploits. The users are always the weak point--this is why e-mail viruses continue to exist.
And until page authors start toning down the whiz-bang stuff, users will continue to "get used to" these warnings and either turn them off because they're annoying, or simply click "OK" without reading them.
Wow, it seems I got that very wrong:
;)
Geek Philosopher
Then again he got it wrong too.
Karma: Chameleon (mostly due to the fact that you come and go).
Nobody has made any claims of perfection, simple of a superior process and architecture coupled with a much faster response time. So far, that has proven to be true.
Evidence? Explain yourself. What is the "superior process and architecture"? Especially the architecture. Get technical here. Show examples of the "much faster response time" - and by this I don't mean take the longest period MS has ever taken to respond to something and compare it with the OSS community's shortest, as some people do. Do a random selection. General statements like yours prove nothing - only lots of specifics, coupled with logical arguments, do. Less will not slide.
Firefox is better designed from the ground up.
HOW HOW HOW? God's death I am tired of this shit. Blah-blah is better! HOW? Don't you people DARE mod this guy up "Insightful" without asking him to back himself up.
Trust me if/when *nix/firefox/apple gains the same market share that windows/IE has, you'll start to see the same thing. No matter how hard the system developers try, the malware developers will be one step ahead, and you'll have a similar situation.
The problem isn't that Windows is so insecure (even though it is), it's simply this: If I am a malware developer, I want my malware to have the biggest possible target audience (or if I write viruses, or exploits, the same is true, otherwise I'm exerting my effort for a small effect). Right now IE/Windows is the largest possible target, so all malware developers are targeting their efforts there.
I bet that if the situation were reversed and *nix was on the top with a 90% market share, we'd see tons of viruses and malware for *nix. It's only common sense.
But that's just the way I see things....
I find that most often I end up learning from necessity, rather than for enjoyment.
Obviously you underestimate what exactly the "Print" function does. And you've forgotten bugs in the compiler. And interpreter.
So, ha.
Fire Fox will become even better... no scare here.
Sure, but people just don't think along these lines when they acquire a browser. Do you? Personally, I would rather use the best browser for my purposes, and I think most people would. Your example is a portrait of a perfect world avoiding spyware, malware etc., but what about standards? Surely you would now have to make sure your webpage displays well in four different browsers, which results in a lot more testing. Yes, I know - you should code to standards, but browsers will always have their little quirks, and so you still need to do testing.
Firefox itself will become a target for spyware creators.
And that's why there's an option to "Allow websites to install software (extensions)." Just be sure you limit these sites to Mozilla-related sites (like mozilla.org and mozdev.org) and you will be fine.
I've actually had some borderline-illegal sites try to install Mozilla extensions (XPI's) as well, and the built-in protection scheme stopped it cold.
Just be thankful that there's no "code" to exploit (like the ActiveX component in IE) in Firefox.
The security of Firefox *has* been tested, and in fact holes have been found, and patched.
It has simply NOT been tested to the degree that IE has. That is a fact. IE holds 90% of the market and it has been slammed, punched, kicked around by every virus and spyware author out there you can think of. Firefox has not yet undergone this gauntlet.
As long as other vulnerabilities exist in an operating system (e.g. e-mail attacks, etc.), your Firefox code can literally be rewritten on your hard drive to be as vulnerable as the attacker wishes, and has the talent to achieve.
Gosh. That must be hell to live with. Maybe you should run Firefox on a more secure operating system.
Spyware in IE is largely due to its tentacle-like fingers grasping every aspect of the OS. IE is integrated--Firefox is not. Firefox runs on top of the Operating System--IE does not. I very much doubt that, if and when spyware makes an introduction to Firefox users, it will be anywhere near as rampantly destructive as it is for IE users.
Firefox running on my Mac with a Linux firewall will be targeted by virus and spyware authors, and will suddenly be infested and unusable.
Any day now.
Just as soon as Mac OS X has 97% market share, and Firefox has 90% market share, and Linux has 90% market share.
When that happens, I better watch out. Yessiree.
Well, Netscape was killed in the late nineties, and nothing has even come close to threatening IE, until now. So IE has definitely been one huge, solid target for crackers. The only viable one, really.
Clever signature text goes here.
This is fearmongering based on idle speculation. The message being communicated amounts to "Don't feel safe". What's the point?
Military experts think it's inevitable that a nuclear device will eventually be maliciously exploded inside a major US city -- when will "Nuclear winter for New York coming this year?" be featured on politics.slashdot.org?
Everyone reading and posting here will most likely (throwing that in for the transhumanists) one day die. I think "Mass geek dieoff expected soon" would make a thrilling article title and subject, don't you?
Are you nuts?
Clever signature text goes here.
>the very multi-platform nature of the code makes it harder to write an app that will work well.
That's kind of funny in itself - somewhere, Microsoft is agreeing with you. "Cross platform code sucks, it makes apps worse!"
Seriously, though... how does the fact that Firefox also runs on something other than Windows make it harder to exploit a vulnerability in Firefox x.y.z for Windows? If the vulnerability is there, it's there. Just because .0000001% of Firefox users run it on OpenBSD doesn't make an exploit not work on Windows.
Let's let them continue to forget, so that I can browse the web in peace, huh?
If the market is indeed split into two major parts, this is actually a bad thing, because it gives you only two huge targets. That makes it easier and less expensive to create viruses, or take over computers for monetary purposes.
This is very true, that our security is well served by heterogeneity. And not just in browsers, but in platforms. I'd bet we'll find that some of the attempts to infect Firefox are targeted specifically at Windows exploits, and even don't work on Linux/OSX. Maybe they'll come up with an extension/toolbar that reports searches and browsing habits back to some marketing team, but that in itself doesn't bother me so much.
The sheer fact of spyware, that some software reports some kind of information back to someone, that's one issue, but at least users can choose that for themselves. It's the self-installing programs, impossible to remove, inflicting damage on your system as you force-remove them, installing other spyware as it goes, reinstalling itself as it's removed, etc.-- those facets of spyware are what trouble me. And I doubt it will be terrifically easy to create platform-agnostic spyware that exhibits those properties, even if you have a common browser.
I have to say we are in good hands for the time being. Mozilla has been pretty quick to release patches and fixes to bugs that were found. Additionally we have to consider one important thing -- Firefox does not integrate with your operating system, like IE does. This is why when you log onto the net 'unpatched', you can get infected just by being online (which is amazing to me). The future of spyware may be aimed more towards Firefox but in a way, it's helpful to Firefox for spyware/malware writers to target it -- it helps them close security holes that aren't known about and help prevent and protect against other things. And since the Mozilla community (oh yea, open source!) is very good in turnaround time to support the browser, the patches will be relatively swift.
So while the author may be right that malware and spyware authors may target Firefox as it gains popularity -- Mozilla and its hordes of programming legions (the open source community) will work together to close the holes that open and see they can't be opened in different ways. In IE, if you closed one hole, you opened another, very similar one. Not that IE is bad, but it was really just abandoned and now that Firefox has the head start -- it's going to stay ahead for the foreseeable future. We will see what Longhorn brings to the table, with the next iteration of IE though.
Either way, I am the type of person that's convinced we will see the end of SPAM in the foreseeable future... I don't see why continual development can stop spam entirely.
The price is always right if someone else is paying.
You are a shill. Sod off.
You're only jealous cos the little penguins are talking to me.
Firefox, like Linux, will always have an advantage as they're both designed from the ground up with security in mind.
Windows and IE will ALWAYS be trivially easy to compromise because they were designed with ease of use in mind.
So with IE you get sites that can remotely install crap all over your machine with minimal (or no) user intervention and with Windows you get all the spyware/trojan/worm/virus problems because of the myriad ways things can get themselves automatically started when Windows starts.
But if it came down to it I'm sure it would be trivial to add a configuration setting to Firefox that allowed you to prevent all XPI/Plugin installation full stop. And I for one would welcome it.
Personally I'm quite happy using my browser simply to browse. If I want to play audio streams I'll use an audio player. If I want to play video streams I'll use a video player. I really do have have zero need for plugins.
You have a point. However, I would think they will only target one browser anyway, or at most two, since it is not wise to attack every browser. Having more browsers would reduce their income and make them target the easiest browser (both security-wise and easier for social engineering).
I am harvesting funny/good quotes. Please help by putting them in your sigs
the more we move backwards. I think I'll go back to lynx. Say goodbye to all the flash, java and all the noisy bloated webpages, which all seem to be just selling junk anyway. Security should be #1 on a browser's agenda, then adding fancy adware. It seems the least used browser tends to have the best security...
Danger Will Robinson! You are now entering a condescending Unix user zone!
It appears that the instruction language for extensions is Javascript. So you can theoretically control extension behavior with your browser's javascript settings.
http://kb.mozillazine.org/Extension_development
That would be the operating system whose default web browser with the default settings will automatically install an application if you go to a link that results in it downloading, right?
Nope. It will decompress and mount a disk image for you, but it's still up to you to decide what to do with the installer on that image.
Nice attempt at FUD though, Mister Ballmer.
Wait, maybe it's the all-shit department. Hmm..
Oh, updating every week, big problem there.
I have seen such ads that are quite deceptive. They say "Potential security vulnerability found on your computer. Click next to scan it and find out more." And clicking next, of course, installs their crapware.
This sort of thing fools the uninitiated into thinking that they actually NEED to click next in order to maintain current functionality. Not that it matters, clicking the "cancel" button still installs their crapware. So does clicking the "x" in the corner. The only way to not install their crapware is to Alt-F4.
Of course, this is just one of many varieties...but I am most intrigued by your statement: It would be interesting to see a permission based system for this...maybe even registering approved plugins with a crypto signature/hash.
Hmmm...
*I* would like to configure my relatives' computers to bark at them whenever they try to install anything. It gives them this message: "This item is not on your current approved list. Would you like to submit it for approval now?" If they click yes, it just sends ME an email with the URL, so I can check it out for them.
No, I am not a network admin from hell (nor even a network admin at all). I am, however, tired of cleaning up my relatives' computers. I know that every single one of them would jump at the opportunity to put this level of protection on their systems. There just isn't any easy way to do it.
Can't you read?
I want specific examples and logical arguments that don't rely on Firefox being a niche product.
This is a call to make arguments besides the one of obscurity - technical ones, to flesh them out. No one seems to be willing to do this, to actually back themselves up. Easier just to swallow propaganda I guess.
97% + 90% =? 100% Hmm. And 2 + 2 = 7.48. :)
http://forums.mozillazine.org/viewtopic.php?t=6434 1
Using the magic of the < url: blah.com/ > tags...
We should tell Bill and M$ to step back and let the market share fall...This way when Firefox gains popularity, he can watch his "rock-solid" OS and browser not take so many hits. Does that make sense or does that make sense?
Also, the very multi-platform nature of the code makes it harder to write an app that will work well.
Actually, doesn't that make it easier to write an exploit that will work on all platforms?
when using Firefox or Mozilla is the Java virtual machine, most often the Sun JRE is used. There are some security holes in the JRE and this has nothing to do with Firefox. I mean, if you think you're safe with Firefox - update your JVM first. Or don't use any. Bizarrely, nobody ever talks about the Sun JRE. It's very far from perfect though, and must certainly be taken into account.
I know this is going to sound like flamebait, but I beg of you, hear me out on this one. In Windows, it's a known fact that very few people know how to use the automatic updates. Thankfully, when SP2 came around it became much easier. Now, whenever security holes are found, they eventually find their way onto a Windows user's machine and thus patching IE. Now, let's take it for granted that there WILL be, at some point in the future, an exploit for Firefox. Maybe not a huge one, but we all know that no program is perfect. How many people, when this bug comes out, will know to update Firefox? I would venture to say that the same people who had troubles with Windows's automatic updates are going to have a much more difficult time getting Firefox to update. For the record, I use Firefox exclusively, but I'm a bit cautious about switching my clients over for this very reason. Just my $0.02
Has no mention of spyware for firefox, perhaps it has been delayed. If you could contact the publishers and ask for a timeframe it would be nice.
Seriously, FUD: hey, if you use FireFox it will end up pig-shit like IE!
FireFox has some neat features, like, erm, not having Active X. Yes I bet there are exploits, but I bet they get patched.
If people can have a solid, transparent auto-update, that would PWN!
just make sure it uses a 1 time auth system to stop people spoofing dns or some shizzle.
belch.
#hostfile 0.0.0.0 primidi.com 0.0.0.0 www.primidi.com 0.0.0.0 radio.weblogs.com
...Microsoft begins developing spyware for FireFox.
Mike van Lammeren
It will challenge your head, your brain, and your mind.
Yea, like that plugin that supposedly extracted all the graphics from a web site, saved them to disk, and tried to "guess" what other images MIGHT be there based on the file name patterns.
Seemed like a great idea, right?
That's when I found out it was infected with that nasty "Piss off your wife" virus. The one where you're denied "marital benefits" for a while when she finds out what happened to all that hard drive space.
"Live Free or Die." Don't like it? Then keep out of the USA
Details here: http://www.shmoo.com/idn/homograph.txt
Watch the exploit in action here: http://www.shmoo.com/idn/
To patch this (in most browsers):
1) Go to your Firefox address bar. Enter about:config and press enter. Firefox will load the (large!) config page.
2) Scroll down to the line beginning network.enableIDN -- this is International Domain Name support, and it is causing the problem here. We want to turn this off -- for now. Ideally we want to support international domain names, but not with this problem.
3) Double-click the network.enableIDN label, and Firefox will show a dialog set to 'true'. Change it to 'false' (no quotes!), click Ok. You are done.
4) Go check out the shmoo demo (above) again and notice it no longer works.
It also can make things more difficult for legitimate developers.
haha.
mac.
Sure, Firefox will be attacked. But the implications of a successful attack are much less likely to disrupt the whole system - Firefox is a self-contained application with pretty good controls for avoiding non-trusted XPIs from being installed. IE is really just the front-end for a whole series of system-level tools that are, for better or for worse, completely linked in to the OS itself.
So the consequences of an IE exploit are typically far worse than the consequences of a Firefox exploit. This is just how it works with modular applications instead of system-level everything.
Of course, if you run ActiveX within Firefox, all bets are off...
-- Josh Turiel
"2. Do not eat iPod Shuffle."
Terrorist = Bully, and the only way to deal with bullies is to stand up to them and fight.
You have this backwards. It should read:
World Power = Bully
And Terrorists are the kids who got tired of the bullying and decided to stand up and fight. Except they are smaller, and weaker. So the only way they can fight is to do underhanded and sneaky attacks.
The Solution? Stop bullying.
Don't ask how to stop the Terrorists, ask how to stop the *making* of Terrorists.
When someone writes one, or pays for one to be written.
That gives the Open Source community a chance to prove its salt. Look and see how quickly Firefox will get fixed in comparison to IE. Not only that but even if there never is a full system wide fix, individuals can fix theirs personally if they want. Try doing that with IE. Computer use is going to move to that point someday, in which everyone will be capable of at least small changes in the software. All it takes is a few generations learning simple programming and getting used to the idea.
My sig is as boring as you...
Seriously, when are the old farts going to make some laws to put some teeth into these scum?
For starters, they can concentrate on any program or procedure that does not allow itself to be removed completely from a system, period. There should be multi million dollar minimum penalties for this. (yes, this would include IE) Every single process on the computer should be able to be uninstalled at the whim of the user - instability notwithstanding. You'll only need to enforce a small percentage if the penalty is high enough.
Then, they can crack down on programs designed to specifically defeat user preferences such as pop-up blockers. Again, multi-million dollar penalties here... Although this may be a little difficult to enforce.
Finally, unsolicited email needs to be dealt with. There should be a complaint threshold - say if 50 out of 200 persons (25%) report a certain corporation's product as being delivered by spam, the investigation starts. They would be subject to, you guessed it, multi-million dollar penalties if found guilty, and on top of that, receive lifetime bans from doing such things as registering domain names, buying hosting services, certain categories of ISP services, etc.
You could take a different tack and perhaps say that in order to send the same email to more than 100 people you need a "bulk advertisers" license.
Sure it'll force the rest of us to go through some hoops, but it'll make life on "the internets" a lot more livable.
But, I went to a Lutheran HS in Chicago. We had chapel every Thursday. One day, a girl I had had a crush on forever (she went to my grade school as well), a well-perceived, good-faithed, honor roll student, was giving the sermon at chapel. :)
The service was supposed to be decrying sexual immorality, but the entire 20 minute sermon, she unknowingly used the term
"sexual immortality."
Every time. And everyone laughed. Every time.
A lot of us were surprised they didn't cut her short. Just thought I'd share
put the what in the where?
The big hole is that you could still have another app modify Firefox's settings externally, and install a spyware extension that way.
And you know what? It wouldn't seem at all out of place to most people.
On Windows, application makers have this horrible idea that it's okay for applications to put themselves all over your computer. Desktop icons, search items, control panel entries, top-level start menu icons, Internet Explorer bars, etc. And not just spyware, but legitimate apps. And it's all stuff that no-one is ever going to care about.
Of course, Microsoft is to blame for this as well. They're constantly inventing new ways to break consistency all over, integrating their own applications in ways that don't scale. Third party makers imitate it, badly, and you end up with a cluttered, unusable desktop.
... that all Firefox malware/exploits is created by Microsoft!
> It also can make things more difficult for legitimate developers.
Not if there are enough different browsers, with enough marketshare each, that everyone follows the Web standards. Once there isn't a single dominant browser maker rewriting the standards for its own benefits, developers will have an easier time of it than they do today.
IDN Allows Bypass of Mozilla's "Allowed Sites" List
Background:
IDN [International Domain Name] support in Mozilla allows bypass of 'Allow Sites'. The problem is caused in the way Mozilla handles IDN when used to handle checking of the list of allowed sites.
Example:
<a href='http://update.xn--mozill-8nf.org/malicious.xpi'>Friendly Extension Name</a>
Update.mozilla.org will be checked against the whitelist instead of update.xn--mozill-8nf.org.
Threat:
Exploit could be used to trick users into installing malicious extensions.
Solution:
Don't trust 'Software Install Prompts'. Use a different browser.
Author: Todd Lehr
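As an added example (my own, not Mozilla's code and not part of the advisory above or of the about:config workaround earlier), this Python does the whitelist check the way both passages imply it should be done: the install host is compared against the allowed-sites list in its canonical ASCII (xn--) form, never in a decoded display form, and any IDN or mixed-script label is surfaced for review. The allow-list, the sample URLs and the mixed-script heuristic are constructed assumptions.

```python
"""Canonical-host check for an extension install whitelist.

Constructed example, not Mozilla code.  The bypass in the advisory works when
the allowed-sites list is compared against a decoded/display form of the host;
here the comparison is made on the canonical ASCII (IDNA/punycode) form, and
any xn-- label is decoded only to show the user what they were looking at.
"""
import codecs
import unicodedata
from urllib.parse import urlsplit

# Constructed allow-list, modelled on Firefox's "Allowed Sites" for installs.
ALLOWED_INSTALL_SITES = {"update.mozilla.org", "addons.mozilla.org"}


def canonical_host(url):
    """Return the host in lowercase ASCII form.

    A Unicode host is converted with the idna codec; an ASCII host (including
    one already written as xn-- labels) passes through unchanged, so the value
    compared against the whitelist is never a decoded form.
    """
    host = (urlsplit(url).hostname or "").rstrip(".")
    if host.isascii():
        return host.lower()
    return host.encode("idna").decode("ascii")


def display_labels(host):
    """Decode each xn-- label to what the user would have been shown.

    Plain punycode decoding is used (no IDNA round-trip check) so that even a
    label the idna codec would reject is still rendered for review.
    """
    shown = []
    for label in host.split("."):
        if label.startswith("xn--"):
            try:
                shown.append(codecs.decode(label[4:].encode("ascii"), "punycode"))
            except UnicodeError:
                shown.append(label)  # undecodable: keep the ASCII form
        else:
            shown.append(label)
    return shown


def label_scripts(label):
    """Scripts (first word of the Unicode character name) of the letters in a label."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def check_install_source(url, allowed=ALLOWED_INSTALL_SITES):
    """Decide whether URL may prompt an XPI install, and what a human should look at."""
    host = canonical_host(url)
    shown = display_labels(host)
    return {
        "host": host,                  # the value that was actually compared
        "display": ".".join(shown),    # what the user saw in the link
        "allowed": host in allowed,    # exact match on the ASCII form only
        "idn": any(label.startswith("xn--") for label in host.split(".")),
        # a label mixing e.g. LATIN and CYRILLIC letters is a homograph red flag
        "mixed_script": any(len(label_scripts(label)) > 1 for label in shown),
    }


if __name__ == "__main__":
    for u in ("https://update.mozilla.org/ext.xpi",
              "http://update.xn--mozill-8nf.org/malicious.xpi",  # host from the advisory
              "http://update.mozill\u0430.org/ext.xpi"):         # constructed: Cyrillic 'а'
        print(check_install_source(u))
```

The second and third URLs canonicalise to the same xn-- host (the advisory's label decodes to "mozillа" with a Cyrillic а), so neither matches the whitelist even though the display form looks like update.mozilla.org.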
Have you ever been to a turkish prison?
See, Firefox is more secured because it's OPEN SOURCE. They've got this thing called a bugzilla (just msn search for it) and when dudes try to pull bogus shit on the bugzilla it's all like oh HELL no you're not putting that bullshit code in my grill. Also, when something sucky gets by (I don't know, maybe the bugzilla has bugs or something) it's always discovered by developers first and they fix it just hella fast. There's dudes there that can fix bugs in like .0002 seconds and everybody automatically knows to go get that update. With microsoft they have bugs that are like fifty years old and they're just all hell no we're not fixing that shit, we already got the money.
It's the same thing with linux. Did you know that linux is impossible to hack? It's true. One time these guys set up this linux box and were offering hella money if somebody could hack it, but nobody could and it just goes to show that open source is for the win!
Compare that with Windows where as soon as it boots up it's all "Initializing all kinds of spywares and shit cause you got hella hacked up just for using your browser."
--
the strongest word is still the word "free"
I agree that browsing at the same priv. level as a software installer is a big problem.
In addition to the "Let's all run as Admin" scenario, MS also makes it all too easy for IE users to unintentionally install things. I have seen numerous examples where a Windows 2K spyware infection went well beyond the user's profile. If your entire TCP/IP stack is hijacked, you need to do more than trash the user's profile. It always amazes me to see how we can perform all of these administrative lockdowns to prevent Windows users from installing software, and along comes the spyware and it plays right through. Hmmmm....
As you say, it's the user's habits contributing to the problem, compounded by an OS and programs that make it easy to do unsafe things. One easy way for Firefox to defend itself is to make sure that XPI installation requires an active step that neither the program nor the user can bypass or click through. If you must download the file, and click "Tools...Extensions...Install" as opposed to getting a "Click OK to enhance your browser" prompt out of the blue, then the bar is raised to a level where newbies are not likely to jump. Anyone who can't figure out how to manually install an XPI is probably best served by skipping extensions altogether.
I have nothing more to say
Security is a priority for Firefox. For M$, it isn't. The Firefox folks won't deliberately leave obvious unpatched security holes the way His Billness does.
If all you can install into is $HOME, then you can log in as someone else and know you're fine. Or nuke HOME and sorted. That is if you have done something as silly as putting ./ at the head of your path....
You can trust your system implicitly (unless you get a rootkit, in which case tripwire will tell you where it is). With Windows, you cannot. The functions could be installed in Windows/System. How do you know which ones to nuke? If you are running as admin (common on Windows), you could overwrite ANY executable and be unable to remove it. deltree could be patched to leave the virus alone, dir futzed to hide the file(s).
In a flurry of stupidity I clicked "yes" on a dialog box asking me whether to execute an untrusted Java Applet or not. I figured this would probably be some graphical gizmo that makes the website render prettier.
But, surprise, the applet instantly installed a bunch of spyware onto my PC, part of which AntiVir (www.free-av.de) recognized as Java based trojans. It took several hours and various cleaning tools to remove all the software that was installed as part of that package.
The web site that infected me through Firefox was a referral based online game that credits you with ingame currency for referring other users to the game. Online message boards keep getting spammed with referral links. Now I know why.
Never trust Java applets, no matter what browser you're surfing with! It can be just as disastrous as blindly trusting ActiveX controls.
--- Eat my sig.
XPI's should be digitally signed. Period.
FF should not allow xpi's to install without significant headaches to the end user if no sig exists. And the trusted CA should probably be a Mozilla cert
I've had spyware installed automatically with no warning with Firefox 1.0. Twice actually on two different Windows XP SP2 machines. I don't remember offhand what the site was (some link off google) but after running Ad-Aware and Spybot I got rid of it. And I'm not the kind of user who would click "yes" on a web page prompt. I click cancel or the x in the corner. It's already started...
At least on Windows, Firefox has Java enabled by default, and also the "allow web sites to install software" option. If you don't turn those off, you'll be vulnerable to a lot of stuff. I have both off. When I need to install a Firefox update, extension, or theme, I just turn on "allow installs" to do it, then turn it back off. Same for making use of Java applets that I trust.
I'm certain that we'll see FF exploits sooner rather than later. While FF is immune to a few specific attack vectors used to install malware via IE, it has its own, unique vectors. Extensions are one.
As well (some may dismiss this as FUD), but the very nature of OSS makes it vulnerable, as well. Consider if someone contributes code that (intentionally) contains a well-hidden vector for spyware attacks. Consider also that the blackhats will probably exploit the open bugtracking system and open access to the code to come up with exploits.
I am the maverick of Slashdot
I've been trying to tell people this for years. Whatever browser is the most popular will have the most software attack it. Same with your operating system.
Mike @ The Geek Pub. Let's Make Stuff!
Ok, few things: First of all, ever notice how IE and Windows Explorer (the shell for the Windows operating system since win95) are functionally interchangeable? If an exploit gives you significant control over IE, it gives you that level of control over Windows as a whole. Firefox is separate from the operating system and doesn't have this level of integration. If you control Firefox, you control Firefox, not Windows. This doesn't mean it's invincible, it just means less options for an attacker to use to wreck your system.
Next off, Firefox doesn't support ActiveX (without plugins, which you shouldn't have anyway), which is the way just about all the worst malware gets itself into your system. There's an option to disable ActiveX in IE, but it doesn't seem to do anything, since I've done it on computers and they still end up with shit like ISTBar, which is ActiveX.
Firefox doesn't let everything do whatever it wants. It could go farther in some places, but it does a good job of not letting websites screw with your computer. IE will let just about anything install just about anything if it asks permission, and 90% of users click Yes because if they click No, the box pops up two seconds later and won't let them do anything until they click Yes. Maybe they just installed Japanese Text support, maybe they just installed a dialer that sends their internet connection through a $55/minute line to Mongolia. Firefox just doesn't let programs do that.
Next, the open source advantage comes: Because lots of people have the source code, it is true that a hacker can use that code to find an exploit. However, a hacker can do the same thing without the source code. Look at Windows: Lack of source code hasn't slowed them down one bit hacking it, whereas with Linux, they have the source code and very rarely does a Linux system get hacked. When they do, it's almost always something that could have been easily prevented. On the other hand, there are far more developers than hackers looking at the code (and even many of the "hackers" are not the usual malicious type and are actually out to find holes that they might be patched), and they're also looking for holes. They find them, they fix them. Microsoft has a time delay. An exploit is reported, but then it has to be found by inside programmers. This means waiting until the next business day at least, and then limited man-hours to fix the problem.
Firefox, however, when the problem is found, there's a good chance the finder will have a fix. If not, no matter what time or day, there are lots of people who will take a look. The best analogy might be with a distributed computing network. Microsoft is like a supercomputer - lots of potential power, but there's only one of it, and it's not always running, since the programmers all live in the same place and sleep at the same times. Open source is like a distributed network. Not as much potential in any single location (Lots of single developers, instead of large-scale, well-funded firms like Microsoft), but there are a LOT of them. When half of them are asleep, the other half are up and about, so there's always somebody available to look at a problem.
Then there are intangible advantages: The developers of Firefox are strongly driven to make a browser that is so superior to Microsoft's in every aspect, many of them just for the sake of making Microsoft look bad. Microsoft hasn't had that kind of drive with IE in years, and it shows. Heck, I remember getting three or four major upgrades to IE in under a year and a half, but then for almost five years across three computers, it's been just small patches here and there and the same otherwise.
Lastly, and probably least important: Firefox was made with good old 20/20 hindsight. They saw what was wrong with IE and how it was exploited and abused, and they rebuilt Mozilla from the ground up to counter those shortcomings.
None of this makes Firefox invincible, but it does make it much harder to break into than IE. Any way that is found to break Firefox will be something new, and probably something that hasn't been seen before anywhere.
Doesn't matter. They will never be able to exploit Firefox to the degree that Explorer has simply because it's not integrated into the OS. End of Story.
Windows is insecure by design.
I hardly think that they sat down in year whatever and said "alright, we need to make an operating system. We'll call it Windows but we are going to be careless about security."
The Microsoft programmers were taught in college how to write programs about some things but they didn't teach embedding security protection. When those programmers were taking the bulk of programming classes, the biggest problem for computers were actual viruses and the newest technology to come out were Gopher servers. These people didn't grow up on security like the folks today that contribute to Unix and Unix-based systems every day. So, go back to your dead-end IT job and stop poisoning everyone's beliefs with your inaccuracies.
This is not a very well documented reply. Linux-based servers are very common, especially for web servers. And they are being attacked all of the time! The fact that the impact is usually minimal is due to both good administration practices and timely patches when needed. And slightly better security models implemented in the OS.
They sat down those many years ago and said, "We're going to make an OS to sell. What do we need to make this OS sell?" They figured out it needed to be usable, and that security wasn't a priority for the market they were targeting, so that's how they wrote. In the many rewrites since, Windows has become better with security, but it still doesn't have the same level of control that was written into Unix systems pretty early on. It's not a difference in the programmer's schooling, it's a difference in the company/community goals. And whatever the reason, it absolutely is fair to point that difference out.
I'd bet money MSFT was behind that little gem of market droid spin doctoring.
Windows wasn't designed with security in mind because it was never designed to be a networking platform. That functionality was bolted on later for both the server and client pieces. Take an OS that's designed to be easy and compatible, wire up some networking tools and then expect it to be secure? Riiiiight.
People were hacking on Unix years before MSFT ever came along. The *nixes are like the kids who grew up in tough neighborhoods. They've been suspicious of anyone from outside for a long time.
That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
I'm a Firefox fan and long-time user of the Mozilla family. I, too, have seen several significant weaknesses in Firefox's security. Those include web sites popping up new windows despite my settings supposedly preventing that, and seeing incorrect information about links in the status bar, again despite my settings supposedly preventing that.
Firefox may still be better in this area than the competition based on performance to date, but the problems cited by the GP do exist, and calling someone a shill because you disagree with them is not a very convincing argument.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
I've seen some signed Java Applet based spyware which will pop up annoying dialogs (look around on http://cracks.am)
Your hybrid is not saving the environment. Its purpose is to make you feel good about buying something.
The GP AC was calling the "accountability" asshat the shill, not the post talking about pop-ups getting through. The AC the AC was replying to was, if not a shill, a troll bringing up the strawmaniest arguments ever. "Who's accountable" indeed.
I'm glad you think it's been tested.
Now, go over to Secunia and check out the list of exploits for Internet Explorer and Firefox. Firefox is listed as having 75% of its vulnerabilities *UNPATCHED*, while IE is listed as only 32%.
You and I can look at this as totally misleading (most of the Firefox vulnerabilities are fixed in the new version, but Secunia has them listed as unpatched because the version tested still doesn't have a patch - bogus because it was in beta until 1.0) - will everyone else? There are also a couple of Firefox 1.0 vulnerabilities that aren't patched.
Please go back and check your facts. IE is a mature product with major issues. Firefox is a newbie with minor issues. I'm sure there will be more things to check and fix in the future.
Thanks!
There really is no way to exploit something like HTML/scripting if it's implemented properly. By properly I mean scripting languages etc. must be sandboxed and have absolutely no functionality regarding sensitive commands (creating and editing files etc.). HTML on its own is tight; there's just nothing you can do. Java/script is also pretty tight (as long as the implementation is good).
A virus works by having a decent amount of 'access' to the machine. Depending on what sort of access it has it can achieve a varying amount of bad things: requesting more and more memory or CPU priority, deleting files, annoying the user by moving things on the screen etc. Outlook and IE are such a disaster simply because they have scripting features with access to these things, and they are turned on and run by default! Firefox is developed by a team that's not under pressure to enable things like this so that the "PHB can have his Word files load the macros easily".
Buffer overflows etc. aside, if your scripting environment can't do what it shouldn't then no script can force it. Now if spyware gets on the machine as an actual executable then it can alter Firefox and do whatever, but that's a proper virus. Browser scripts are not virii simply because they are retarded, and anyone who calls a VB script a virus is just playing into the Microsoft FUD: build millions of houses without doors and expect no-one to get burgled (get it? without doors - windows but no doors... eh? eh?)
This comment does not represent the views or opinions of the user.
Great story! Thanks, worth the OT.
-kgj
If you're counting on people not understanding or caring about security, virus protection and adware protection your target audience should be obvious.
In the context of Firefox security, the joke is that there are a whole lot of easier ways to attack someone's system than Firefox.
Let's consider what the steps are:
Write an XPI to launch an attack.
Get it onto the Mozilla update site without anyone spotting it.
Hope that no-one spots its behaviour, even though the source code is in there.
Compare that with delivery by email of either a .exe or a .vbs, or putting something on a website that exploits someone and tricks them into downloading. It's a pretty crappy attack that's going to have a limited life. Even if it got through, people would be more wary after, and start checking the content of XPIs more thoroughly.
...insecurity is a product, and its name last year has been Internet Explorer.
There may be double standards, but this time isn't one of them.
Sam
blog.sam.liddicott.com
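An added example, not part of this thread and not Mozilla's code: a small Python triage script for the kind of XPI inspection the post above describes (open the package, see what is in it, and look at what the scripts do), combined with the signature check suggested earlier in the thread. It treats the XPI as a ZIP archive, descends into nested chrome .jar files so a script packed there is not missed, reports whether a JAR-style META-INF/*.rsa signature block is present (presence only; verifying the signature against a trusted CA is the browser's job, not this script's), and flags script lines that use privileged XPCOM interfaces or name remote hosts. The sample "weather" extension, its id, its hostnames and the XPCOM contract IDs it calls are constructed for the demo.

```python
"""Triage a Firefox XPI before installing it.

Added example for this thread, not code from the page or from Mozilla.
An XPI is a ZIP archive, often with chrome packed into a nested .jar.
This script lists every file, reports whether a META-INF/*.rsa signature
block is present, and flags extension scripts that use privileged XPCOM
interfaces or hard-coded remote hosts. The sample extension is constructed.
"""
import io
import re
import zipfile

# Things a reviewer would want an extension author to justify.
SUSPICIOUS = {
    "file access":   re.compile(r"nsI(?:Local)?File\b|@mozilla\.org/file/"),
    "process spawn": re.compile(r"nsIProcess\b|@mozilla\.org/process/"),
    "raw sockets":   re.compile(r"nsISocketTransport|@mozilla\.org/network/socket-transport"),
    "remote URL":    re.compile(r"https?://[\w.-]+"),
    "eval":          re.compile(r"\beval\s*\("),
}
SCRIPT_SUFFIXES = (".js", ".jsm", ".xul")


def _scan_archive(data: bytes, prefix: str, names: list, findings: list) -> None:
    """Walk one ZIP; recurse into nested .jar files so chrome scripts are not missed."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for info in z.infolist():
            full = prefix + info.filename
            names.append(full)
            lower = info.filename.lower()
            if lower.endswith(".jar"):
                _scan_archive(z.read(info), full + "!/", names, findings)
            elif lower.endswith(SCRIPT_SUFFIXES):
                text = z.read(info).decode("utf-8", errors="replace")
                for lineno, line in enumerate(text.splitlines(), 1):
                    for category, pattern in SUSPICIOUS.items():
                        m = pattern.search(line)
                        if m:
                            findings.append((f"{full}:{lineno}", category, m.group(0)))


def triage_xpi(data: bytes) -> dict:
    """Return the file list, whether a signature block exists, and per-line findings."""
    names, findings = [], []
    _scan_archive(data, "", names, findings)
    # A META-INF/*.rsa entry only means the package claims a signature;
    # the browser, not this script, has to verify it against a trusted CA.
    signed = any(n.upper().startswith("META-INF/") and n.upper().endswith((".RSA", ".DSA"))
                 for n in names)
    return {"files": names, "signed": signed, "findings": findings}


def build_sample_xpi(with_signature_block: bool = False) -> bytes:
    """Constructed sample: a weather toolbar that also reads the profile directory,
    prepares to spawn a process and posts to a second host (all names are made up)."""
    install_rdf = ('<?xml version="1.0"?>\n'
                   '<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#" '
                   'xmlns:em="http://www.mozilla.org/2004/em-rdf#">'
                   '<Description><em:id>weather@example.invalid</em:id></Description></RDF>\n')
    overlay_js = "\n".join([
        'var wx = new XMLHttpRequest();',
        'wx.open("GET", "http://weather.example/feed.xml");',
        'var dir = Components.classes["@mozilla.org/file/directory_service;1"]',
        '  .getService(Components.interfaces.nsIProperties).get("ProfD", Components.interfaces.nsILocalFile);',
        'var proc = Components.classes["@mozilla.org/process/util;1"].createInstance(Components.interfaces.nsIProcess);',
        'new XMLHttpRequest().open("POST", "http://collect.example/upload");',
    ])
    chrome_jar = io.BytesIO()
    with zipfile.ZipFile(chrome_jar, "w") as jar:
        jar.writestr("content/overlay.js", overlay_js)
    xpi = io.BytesIO()
    with zipfile.ZipFile(xpi, "w") as z:
        z.writestr("install.rdf", install_rdf)
        z.writestr("chrome/weather.jar", chrome_jar.getvalue())
        if with_signature_block:
            z.writestr("META-INF/zigbert.rsa", b"placeholder, not a real signature")
    return xpi.getvalue()


if __name__ == "__main__":
    report = triage_xpi(build_sample_xpi())
    print("signature block present:", report["signed"])
    for location, category, snippet in report["findings"]:
        print(f"{location}: {category} -> {snippet}")
```

To use it on a real package, read the .xpi file's bytes and pass them to triage_xpi(). The findings are leads to read, not verdicts: a legitimate extension may well need file access or a network fetch, and the point of the check is to make the author justify each one before the package is installed.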
MOD PARENT UP
I would imagine there are publicity and props seeking blackhats, then those who go way out of their way to make sure no one finds out, and are after intelligence, financial records, insider business decisions useful in the "investor" community, etc, etc, things that can be sold for big bucks on the blackmarket or used by competing governments or corporations. Large crime rings and their handmaidens governmental approved hackers would probably seek to not garner any notice or brag about it on irc channels, etc. Witness the latest FBI email hack, allegedly went unnoticed for months, and publicly at least they have no clue who did it, why they did it, etc. and I would bet right this second there are any number of sensitive web sites/pages compromised by well beyond normal skilled people, precisely to just get intel of various sorts. And I would also bet quite a few are inside jobs. When you have the ability to really really and skillfully hack, plus the combination of the incentive to do so through bribery and blackmail or some sort of brainwashed in political extremism, then, given human nature, it will happen.
So in essence what I am saying is, I wouldn't be surprised if there are a number of apache and iis exploits out there that aren't noticed now, no one but the originator of the exploit knows about them precisely, although his customers know he gets good stuff, and they are being used to make some serious profit, either financial or political or both. Or web browsers being exploited for that matter, including the latest Firefox, IE, Opera whatever.
Yes, it's speculation, but I learned long ago never to bet against human nature. If there's an illegal buck to be made, it's being made, not that it's just maybe theoretically possible.
the truth gets modded flamebait once again
By the time that they come out with spyware for firefox, google will have already come out with their browser, continuing their plans for taking over the world.
And don't forget it's up to M$ to respond to the browser war. It's their move, the ball is in their court. Will they respond, and when and how? That is up to them. But I would definitely expect that their response will have an effect of some sort whenever they do respond.
I'm sure glad I read
Fscking hilarious.
On a slightly related note, I've noticed that for a while now, the Drudge Report has figured out how to slip a pop-under in on Firefox. I haven't really looked at the code to figure out how he's doing it, but it's a little dismaying that the Firefox folks haven't addressed this yet.
http://shit.slashdot.org/article.pl?sid=05/02/08/1541241
Who didn't see THIS one coming? I was just afraid to say anything about the eventuality...
So I guess I'm saying that I had been enjoying the security through obscurity of Firefox. Bad me. I'll go stand in the corner now.
You can run but you can't hide, except, apparently, along the Afghan-Pakistani border.
Fear mongering and assumptions.
The author of this article can kiss the widest part of my ass.
Well, it was fun while it lasted. May as well go back to IE >
Vote Democrat: The ass you save may be your own.
I don't believe you. Linus had no formal training in OS security prior to "writing"/copying Unix design. Unix certainly was not designed for security. Show me the design/requirements documents that demonstrate a priori intent for Linux to be any more secure than any other OS. After-the-fact design decisions don't count since you said "designed from the ground up".
Ow, yeah. Duh. There are already tons of "spywares" on update.mozilla.org that are not signed and add lots of new features to Firefox. Why would a little weather-showing icon bring xxx porn into your desktop? Nonsense.
I've been using ff since .3 and have always loved it, and thought before that I wouldn't use/need another browser. But since trying other browsers I thought a little more about what moz/ff gaining market share gives us.
Since I was trying Gnome recently, some things about firefox were starting to stand out. First off, it uses some of its own widgets so it doesn't fully integrate nicely with a user's current gtk2 theme. Then I realized session management doesn't work with firefox in a gnome environment.
So, I read about epiphany and galeon, two browsers for gnome based on the gecko engine. One is very light and barebones and the latter is a more full featured version, but both integrate nicely into gnome.
Anyways in trying these browsers, I got a couple of unexpected bonuses. One is that both browsers were just generally snappier and faster than ff. Also an issue I've had for ages on ff in lin is some flash material could really bog down the system, to the point where I could barely click something. I've searched the prob, and as seen on the moz forums, many others have this problem.
But now I have no flash speed issues whatsoever.
At first I was kind of puzzled over this with all browsers using the same rendering engine, but from what I've read it's the XUL overhead of firefox that can cause these slow down issues (and give users the extensions functionality).
My point on this is that the more popular firefox gets, the more level the playing field is and ultimately it won't matter what browser you are choosing.
Joe sixpack needs to think of things as the next big thing. So some people now think 'IE sucks, FF rox!!'. But ff isn't necessarily the next big thing, it's end game for the browser war as it gains market share.
Because in the end it won't matter if a user is browsing with moz, ff, gecko based browsers, konq, safari, opera.
And I'm still puzzled at how microsoft is shitting the bed with IE.
Because moz would not have gained market share on 'Look! it's open source and standards compliant!'
It gained market share on two things: no pops and tabbed browsing. If microsoft jumped in and quickly disabled javascript popups by default and hacked in tabbed browsing, a lot of people wouldn't have switched.
Actually, doesn't that make it easier to write an exploit that will work on all platforms?
No. Next trolling/ignorant question?
Well, I wasn't there when he did it. My reference to the "ground up" refers to the lowest levels of the code, it was NOT a time reference.
Fairly complex file permissions are built into the file system. Windows 9x never had anything except simple attributes for hidden, read-only and system.
The recent break-in that attempted to place a back-door into the kernel was designed to allow a user program to elevate its run-level to root, so we know those concepts are built into the kernel.
So the lowest levels (the ground level, if you will) of Linux code are concerned with security issues. It was not something just grafted onto a single-user, insecure OS.
Now, before anyone else flames me, I know that NT was also designed from the ground up with these things in mind. NT based OSes (i.e. win2k and XP) may have 1/2 a chance of someday being secure. But it will also take a change in mindset at Redmond to quit compromising security with "features" that are deliberately designed wrong!
no you're thinking of the previous one with a certain cigar fetish :-)
...
A different typographical error -- should read immoral turds
-kgj
I also call bullshit on the Linux kernel exploits mentioned--how many of those were remotely exploitable like almost all Windows vulnerabilities are?
Face it--you're both wrong on this count. Nice try at spreading FUD for Microsoft though. Maybe billg@microsoft.com will give you a cookie.
80% Insightful, 20% Overrated... Er... where's 100% offtopic? Guys, the title is "Spyware for Firefox Coming This Year?" -- the rants are supposed to be about "Micro$oft" and "Intarweb Exploder". Maybe a crack about how in Soviet Russia, only old people use Firefox or a conspiracy theory about Bill Gates and SCO secretly paying malware authors to develop Firefox targeted worms. You guys are just way off the page.
I guess response time depends on what platform you are on. Mozilla has not released a single fix for the Mac OS X version of Firefox and so all the known security holes remain unpatched for it. It's not clear to me if there have been any fixes for the Windows version. The only thing I've read is that such do exist for the Linux version. Has the Windows version had "hot fixes"? In any case, at least for Mac OS X, the response time by Mozilla has been truly abysmal.
--- What?
Come on, you really think contributions are not reviewed before being released? If what you claim were true (this is one of the poorest arguments of Microsoft against OSS, by the way...), OSS would be HELL already. This argument just doesn't work. It just proves you don't know OSS.
When a vulnerability is discovered, it will get fixed much more quickly than it will take for a "hacker" to exploit it. One of the reasons is that most "hackers" are much poorer programmers than the people who contribute positively to OSS. This is exactly why they've chosen not to do anything constructive with their skills, but destructive instead. There are a few exceptions here and there, but this is mostly how it all works. And not just in the software either. A thief usually has some "stealing" skills, but doesn't have enough skills to get money and recognition in a positive manner. Ok I'm digressing a little bit here, but you get the idea.
I don't really have a functioning mouse atm, so I'm using the X window system's ability to maneuver the pointer with the keyboard, but at times I click on things I don't want to, and it's not as accurate as I'd like (no matter, soon I will have a mouse, mwhahaha!!), and I accidentally hit the 'install missing plugins' button of a strange website. Soon I kept getting force-reloads from currently open tabs forced to some website selling something or other. (Maybe I should have written something down instead of being so ambiguous here). I closed firefox, restarted it and cleaned out its cache and it's been working fine ever since, but it did kind of freak me out.
GENERATION 26: The first time you see this, copy it into your sig on any forum and add 1 to the generation.
IE users are susceptible to spyware. Generally speaking, only experienced computer users and friends of experienced computer users use Firefox. The general public doesn't know what Firefox is and will keep using Internet Explorer. Most users who have converted to Firefox are the same users who will have SpywareBlaster, Ad-Aware and/or SpyBot S&D. What's the point of making spyware for someone who will just remove it over making spyware for the masses? -Viv-
Just because something is reviewed doesn't mean it won't contain flaws.. especially if said flaws are purposefully obfuscated. Has it happened? I don't know. Will it happen? Same answer. The fact remains, though, that this is a vulnerability (however trivial it may be) that OSS has that proprietary software does not.
The speed in which flaws are corrected in OSS is generally commendable - usually better than with proprietary software. HOWEVER, just because a patch is released doesn't mean all of the users will apply it. In fact, the vast majority of exploits are for flaws that have already been patched by the vendor.
And as for skills of the scumbag hackers (or crackers.. whatever term you prefer).. it is social skills that these people lack, not technical skills (except for script kiddies)
I am the maverick of Slashdot
This could go a long way to helping.
Most of those announcements deal with servers, which are in a whole other category than typical desktops, and vulnerabilities that require physical access to the machine or an existing account. Like this advisory on how someone with physical access can crash the KDE screensaver, getting access to your session, and this one on how you can cause a buffer overflow in perl, allowing you to overwrite system files with debug logs. Go find some that can root a Linux box with a default installation.
Bollocks. The UNIX "filesystem standard" fragments things way more than Windows does. With Windows, you know a few places to look for a malicious program to get rid of it--\Windows, \Windows\System, \Program Files, and so on.
Linux, on the other hand? Where do you look? /usr, /usr/bin/, /usr/shared/bin, /usr/local, /usr/local/bin, /opt/bin, /opt/local/bin...and that's just the executable, not even getting into whatever configuration files it might have left which could be in /etc, a .directory in ~, and so on.
You bollocks. You think spyware is limited to C:\Windows and C:\Program Files?
No, they can't, because a regular user does not have write access to those directories. Seriously, have you ever used Linux? At all? Do you have any concept of privilege separation? Aside from a user's home folder, the only places they usually have access to are /tmp and /var/tmp, and those get deleted upon restart.
witness the stream of security advisories that are announced for each Linux distro, much more than the Windows patches we get on the second Tuesday of each month.
Wtf? That's because people have access to the code used in Linux distributions, and these bugs are getting fixed. Go read the advisories on that site you linked to, and see how many were posted by people looking for bugs to fix. Compare that to Windows, where nobody but Microsoft has access to the code, and it's a known fact that Microsoft lets real, known vulnerabilities sit unfixed for MONTHS, much less looking for bugs to fix. Do you work for Gardner or something?
People like to compare a single kernel to the entire Windows operating system, and in the next breath argue about how Linux is "just a kernel." So it's all the more amusing when some people argue that there's a difference between a Linux distro and Windows. There's not.
You are easily amused. Only RMS is retentive enough to insist that Linux is just the kernel, and the whole system is GNU/Linux.
If Linux was #1, we'd see all kinds of crap getting installed on people's Linux systems
How? Neither OS X or Linux has anything like Active X, which is the primary vehicle for installing spyware behind your back.
No one is saying that the alternatives to Windows are bulletproof, because they're not. But just because there are some vulnerabilities, does not make them remotely equivalent to the stinking cesspool that is Windows. The problem is not popularity; Linux could have 100% marketshare and not have but a fraction of the serious problems that Windows has had, due to its massive design flaws, Microsoft's sloppy coding, and their refusal to fix vulnerabilities until there is a serious crack in the wild, weeks or months after an advisory has been posted.
"There is no design flaw in the Pinto. A car blowing up in a low speed collision, killing all passengers, is a risk any driver takes when they get behind a wheel. If Honda or Chrysler had our kind of marketshare, their cars would blow up all the time, too." --Made up Ford Exec, 1978
Now, go over to Secunia and check out the list of exploits for Internet Explorer and Firefox. Firefox is listed as having 75% of its vulnerabilities *UNPATCHED*, while IE is listed as only 32%.
According to their site, Firefox has had eight advisories. Internet Explorer, on the other hand, has 61 advisories. So yes, IE "is listed as only 32%", but it still has over three times as many vulnerabilities as Firefox.
Dumbass.
It has simply NOT been tested to the degree that IE has. That is a fact. IE holds 90% of the market and it has been slammed, punched, kicked around by every virus and spyware author out there you can think of.
Firefox doesn't use ActiveX, and it isn't integrated into Windows at every conceivable point. That and it was built with security in mind, as opposed to being shoehorned on after the fact.
Firefox has not yet undergone this gauntlet.
It won't have to.
This is the uncomfortable truth that people like bonch and his ilk don't want to face.
+5 Insightful!