Spyware for Firefox Coming This Year?
EvilCowzGoMoo writes "One of the main reasons for the Firefox browser's successful seizure of market share from Microsoft's Internet Explorer is the desire to escape the inundation of PC-slowing spyware. However, spyware experts indicate that with its increased popularity, Firefox itself will become a target for spyware creators." From the article: "Basically, if you use Firefox today, you're not susceptible to any spyware, other than what you download when you're on Kazaa...The spyware writers target mostly Explorer users because that's the most fertile feeding ground for piranha-like (spyware) attacks. They'll watch as Firefox becomes mainstream, they'll see opportunity there and start targeting them."
Spyware already exists for Firefox in XPI form. Please look out for malicious XPIs. More information on this can be found here: http://forums.mozillazine.org/viewtopic.php?t=6434 1
IE's spyware problems were largely due to exploits. Someone not up to date with patches could visit a website and have something remotely installed pretty easily.
For Firefox, though, it'll take social engineering. The place to look for the spyware threats is in the brand new extension you WANT to install. Most Firefox users have at least one extension, and many have a dozen. How do you know what each of those is doing behind your back? Most people don't bother to scan the code, and while some may do so and report problems publicly, will you find out about them? A firewall won't even help you in this situation since you've probably given Firefox free access to port 80 (plus 443, etc).
Mozilla should probably create some sort of permission system for extensions. Can it connect to a remote server? Can it write to disk?
because I use linux.
How is this news? If Linux was the #1 desktop operating system in the world, spyware authors would be targeting it, too.
Since xpi's are blocked by default, they're going to get there how? By a javascript dialogue that says "You must allow this installation to continue."?
:(
Hmm. That's probably exactly how it'll happen.
Karma: Chameleon (mostly due to the fact that you come and go).
Can someone explain how this is possible?
On IE there is the mess that is called ActiveX. Are we talking up XUL? Or perhaps malicious plug-ins?
good, help to improve it
Imagine a whole company full of coders looking into code to find loopholes to exploit. That's what they'll end up doing! Sure, the Firefox developers will be fast about plugging holes the minute they find them, but people are bound to get a little upset by getting hammered (ie) once every week, then having to patch their browser weekly...
Yeah, I'm a Republican AND a geek. It is possible.
While the spyware makers may initially try to target Firefox... the fact is, Firefox is written to prevent just these sorts of things. Is it possible there will be bugs that allow unauthorized code to run? Yeah... but they will be patched, and patched quickly.
Overall, no matter how you slice it, Firefox is more secure and is designed from the ground up to prevent the "fertile feeding ground" that IE offers spyware writers.
So no, you aren't going to see the same rampant irresponsibility that you see with IE, and the threat is a tempest in a teapot.
Of course, nothing is going to protect your computer from your own stupidity when opening executables, etc... that's all on the user whether or not they authorize code to run or not.
As soon as Firefox supports ActiveX, it supports spyware.
Solution: don't enable ActiveX (duh)
Security is a process, not a product. There is no magical one product or suite of products that will protect you while online. Security is risk mitigation, plain and simple. Far less people would be vulnerable to the tricks of the miscreants out there trying to do people harm if they would just employ a little common sense. But, alas, common sense isn't that common.
I haven't used IE at all in months. Never once clicked it. Yesterday I ended up with a piece of spyware called "ISTbar". I don't know how it could have got there other than through Firefox.
Oh boy, I can't wait. :) But I don't think Firefox is going to have anywhere near the problems with spyware that IE has. I think the bigger threat is phishing attacks. I have already received e-mails from spammers trying to get me to give my information to "PayPal". And this was only announced yesterday. What is this world coming to? Can't anybody make an honest dollar anymore?
The more I follow the world of computing, the more repetitive it gets. I've heard this argument for Linux and Mac and others, as well. "They're only safe because they're such a small target."
While this is no doubt true, I think it vastly underestimates the community reactions to combat the malicious hackers. One of the reason Firefox, for example, is so strong is that it can fix a loophole within 24 hours of finding it. There are enough eyeballs to catch the problem, as it were. An open source project can have a patch to fix a problem inside of a day. Something like Windows is a giant security hole because nobody's updating it nearly that fast, if ever at all.
The issue isn't really how many people are using it. That certainly does figure into it, but the very basic design philosophy of IE allows spyware to propagate easily.
Firefox has far better controls on what programs can be installed and can't be. Also, the very multi-platform nature of the code makes it harder to write an app that will work well.
I'm not worried. On the IE side, the only people who can fix the code are microsoft drones, and they won't do it. On the firefox side, the people who fix the code are the people who use it, namely us.
Planet-GeekEvent Management Solutions : http://www.stonekeep.com/
... from the "no shiat" department.
"The only reason why X has $BAD_THING is because the system is popular. I'm 100% certain when Y has such popularity it too will have such problems." -- while ignoring any design differences that make Y less susceptible to $BAD_THING. Firefox is better designed from the ground up. Not saying that it's bullet-proof (it's not...), just less susceptible and less desirable to target. Would you rather target a locked door with an alarm system, or a door that's wide open with no security measures taken?
Karma whorin' since 1999
What about all those signed Java applets out there already?
The user only needs to press 'OK' (which they usually do) and the applet gets full system access (because of the signing).
Doesn't look very safe to me.
I know you can configure this, but normal users don't do that.
Ever seen one of those nice signed applets from toolbarz.foo.com which requested UtterAndCompleteControlOverComputerPermission when browsing with Firefox?
Have you noticed how easy it is to click 'ok' without even reading the dialog box?
The JRE plugin should include a time-delayed OK button, just as Firefox does when installing extensions.
This is why it is important to have default settings that do not even ask you to install something unless you put the site in an allow list.
Dvorak on Doomtech
How about a program that takes the cryptohash of the virgin final installed code, and checks against that hash periodically (every 5 minutes, every new website, every app launch)? When spyware strikes, it changes the app fingerprint, and this sentinel could keep a log of recent traffic for analysis, and offer to reinstall. Our desktop immune system should take advantage of our "known good" info to detect these cancers when they start, and track them to their source.
--
make install -not war
...being a 100% full-time user of Firefox, I was surprised to find a site in a random web search a week or two ago that actually got a pop-up window going, but also appeared to attempt to execute some code, as Firefox popped open a dialog asking me what I wanted to do with the file that was being downloaded. Thankfully, I have it ask me what I want to do, but if I were a typical user, I would have already associated the *.DOT file with MS Word and God knows what would have happened. Keep in mind that I didn't actually click on any links that indicated a download; I only clicked on a Google search result which took me to a site that displayed a blank screen and then the pop-up. I have to wonder what would have happened if I had associated OpenOffice.org with the *.DOT file, since I run Linux. Probably not much... but it definitely indicates that Firefox will be targeted. The real question is: will the Mozilla project be able to keep up any better than MS has with IE? I'm guessing that they will.
-"...bad old ideas look confusingly fresh when they are packaged as technology" - Jaron Lanier (Digital Maoism on Edge.o
Luckily they're very easy to block with the adblock plugin. Just click the underlined adblock keyword down to the right, and select it from the list.
This month's browser stats:
Browser                       Hits   Share
Firefox               No      1231   50.4 %
Mozilla               No       953   39 %
MS Internet Explorer  No       237   9.7 %
Safari                No        10   0.4 %
Opera                 No         7   0.2 %
Unknown               ?          2   0 %
Starting to look like a tempting target, no?
(FWIW the same month last year was 72% IE for roughly the same number of hits.)
Beep beep.
The presumption in the article is that, from a security standpoint, the only thing separating IE from Firefox is popularity. Doesn't ActiveX, etc. etc. etc. represent a serious qualitative difference in security problems?
Overall, no matter how you slice it, Firefox is more secure
Prove it. If you're going to make a grand sweeping statement like that, I want specific examples and logical arguments that don't rely on Firefox being a niche product. Otherwise I, we, have no reason to believe you.
The Mozilla Foundation has a very big opportunity to prove WHY people should switch to Firefox from IE by making security the number one priority.
If the Firefox development community responds quickly to these threats as they arise, they will continue to win away informed users from the headaches of IE through word of mouth among other avenues.
There is always going to be a war going on between spyware makers and browsers. The browser maker who can respond quickly will continue to grow marketshare.
Features aren't enough, and complacency is dangerous. They need to respond to security vulnerabilities and spyware exploits in a rapid manner to stay ahead of M$.
If they don't already have one in place, I think the Mozilla Foundation should form a rapid response SWAT team to patch vulnerabilities and battle spyware with truth and justice for all!
as it's bound to be a less frequent occurrence and a faster, more effective response. So when it's all said and done, "Viva la Firefox!"
"Plans are for fools!" -- Oglethorpe, the Plutonian (Aqua Teen Hunger Force)
is in part a bunch of hooey. They are attacked because they are vulnerable and buggy. There are several products that dominate their respective areas that don't happen to be MS products and they are extremely secure compared to their MS counterpart. Like Apache....
"We are the subject of attacks because we're the biggest" is just so much horn blowing on the part of MS.
Maybe it even does, and I just haven't found it yet.
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
I'm not completely skeptical of this statement and will actually be interested in seeing how Firefox will hold up. After all, it's not perfect; flaws exist. But I have to believe that the approach behind the development of Mozilla/Gecko/etc. has differed substantially from IE. After all, it's well known how tied to the OS IE is, and given that Moz/FF have (obviously for more than one reason) steered clear of this, I tend to think that user error/judgement will be a more likely cause of any kind of malware installation.
But regardless of whether there are any kind of infections for now, the OS community will respond with much quicker zeal than MS. However, how long will it take for the vendors to offer patched versions? What good is a secure Firefox when Red Hat or Novell (or any others) don't offer a patched version? Remember, there are more and more companies who expect this - expect not to have to go out and fish for a download from some ftp server themselves. So it'll be interesting to see how that plays out.
I am so goddamn sick of the argument that Things Which Are Not Windows are only virus/malware free because they don't have the market share of Windows, and are therefore somehow not as valuable a target!
I didn't believe it about Mac OS, I don't believe it about Linux, and I am excited to see where it's going to go with Mozilla. People will realize that IE isn't just picked on because it's the most popular browser, it's also so easy to exploit, no wonder it's #1.
Security holes _will_ be found (some have been found already, see the URL spoofing). And some Firefox users, especially non-savvy ones (a portion that will grow as Firefox goes mainstream), will not upgrade.
Spyware will exploit this.
The security of Firefox is an illusion. Security through obscurity is not a viable plan for security permanence - if your product is good enough and marketed aggressively enough (and I do count word-of-mouth marketing in this), it will spread and be targeted. It is that simple. It's not until you have the full force of virus/spyware writers coming against you that you know whether all your previous big-talking statements about your security will stand up for crap. My belief? Firefox is going to find itself besieged and it will be a huge test for the OSS community, to see if they can really handle these problems as well as they always say they can.
Fact is, things won't be exactly the same if FF gets a bigger market share. It's not the same product. Articles like these are written by Microsoft apologists.
Their expert is the Vice President of Threat Research at Webroot. That much is from the article. The article doesn't take the next logical step, however, and point out that Webroot is in the business of developing and selling software to prevent, detect and eliminate spyware. So it's certainly in this guy's interest for people to think that spyware is still a problem.
Their other expert is also from a company that makes similar software. So people who make anti-spyware software agree: you need anti-spyware software.
I'll be more concerned when independent parties think spyware in Firefox is an issue.
If we posit that Firefox is a more difficult environment for malware (and I believe this to be true), then malware authors will continue to go after the low-hanging fruit of IE, even as its market share falls.
Infecting 60% of the population with a small amount of work is far easier than infecting 40% of the population with an enormous outlay of effort.
Of course I'm living in a fantasy world, because I think that FF will reach 40% market penetration.
How does the Slashdot Effect happen given that no slashdotters ever RTFA?
Some sites will try to foist an unsigned xpi on you, and this goes way back... can't remember when I first saw it but I'd wager it was almost a year ago. Example is here (NSFW), try to download a file if you want to see what I mean. It's a cracking site so maybe you deserve what you get, but I've had some seemingly harmless lyrics sites try it as well. Us moz users have had a nice free ride for a while and things are certainly going to get worse - we all know the huge window saying "warning, this might be unsafe" won't do a bit of good - but at least now your mother's spyware-infested wreck of a browser will have proper PNG support!
If the market is indeed split into two major parts, this is actually a bad thing, because it gives you only two huge targets. That makes it easier and less expensive to create viruses, or take over computers for monetary purposes.
What we need is several browsers that each have a significant part of the market. Not just IE and Firefox/Gecko based browsers, but also Opera and KHTML based browsers. Maybe there would be room for even more as well.
It is good that an alternative browser is growing rapidly, but monoculture or duoculture makes life easier for virus makers. With four browsers, it would take four times the effort to get as much "bang for your buck" for virus authors looking to make money by infecting people.
Clever signature text goes here.
Don't forget-these dire predictions come from AV software makers, who have an interest in keeping you scared.
Evidently these experts are underestimating the community behind Firefox. One of the big reasons behind spyware in IE is how slow Microsoft is to close up these bugs.
The Firefox developers, on the other hand, would obviously make patching these types of things a priority. Without ActiveX and the like, there are a lot fewer potential ways to infect someone running Firefox.
I realize that not everyone is going to be up to date with these patches, but are spyware writers really going to continue to try and come up with new exploits for Firefox when their hard work is sealed up within a day? I honestly can't see huge amounts of Firefox spyware, even if they do start to find a few holes.
Heh, when spyware makers really do begin to actively target Firefox users en masse, maybe a toast is in order. Pop open the bubbly! Why? Because spyware and spam are playing a numbers game. Of all the spam sent out and machines infested with spyware, only about 1 percent of those are going to make any money for the exploiter. But because we're talking about total numbers in the tens of millions at least, that 1 percent is good money.
So when Firefox becomes worth the effort, the folks in Redmond will really have to worry. In this game, nothing flags success like being the target of abuse! Tens of millions of Firefox users might just mean ten of millions of people considering something other than Windows. And that affects the bottom line for Microsoft. Hmmm, anyone heard of any OpenOffice exploits yet?
To the making of books there is no end, so let's get started
firefox is clearly still safer, there are still open holes in IE6 even if you patch it up!
Let's not get carried away here. I voted for him over the other guy, but I don't think I would describe anything he's ever said as "immortal."
....
Typographical error -- should read "immoral words"
-kgj
IMHO that's a lot of FUD. Firefox is not nearly as vulnerable to spyware as IE is. Firefox by default has XPI installation disabled except by approved sites.
Installing spyware on Firefox would be much more about social engineering ("if you want to see this website, follow these instructions: download, choose 'save as...', then double-click on it, yadda yadda...").
Of course, with people falling for phishing attacks, it wouldn't surprise me if they'd be so stupid as to do this. In that case, Firefox should issue a warning about "evil XPI files". At least that way, when some moron says "bwaaa, they told me Firefox was spyware-free", we can ask: "Did you follow the evil website's instructions when they told you to install this XPI?"
Then all we have to do is repeat the world-famous Nelson quote.
Predictions like that make me very wary of the article. Where did he pull out numbers like that? Is there a correlation between the increase in market share and the number of spyware programs written for Firefox? Or does he think that spyware writers are watching the market share meter and the minute it strikes 10%, they'll start writing spyware for it? 10% is a nice round number, but it also makes me think he just pulled that number out of his head without any thorough research or analysis. Market share increase will draw the attention of spyware writers, of course. That's obvious. Yes, at 10% there will be more spyware than now, but so will there be at 13% and 79%.
It just seems to me that he pulled a nice round number out of his head and predicts "this year" since most of it is still ahead of us, which gives his predictions a nice fat margin of error. In other words, the predictions provide no new or key insights.
EvilCON - Made Famous by
With faster updates and better design there's no reason why Firefox can't remain a more secure browsing platform than IE.
Vital updates to IE are only available if you use XP. With Firefox you get updates whatever OS you use.
Better design means the additional plugins bar of Firefox appears at the top of the screen and doesn't block the user's browsing experience. With IE it appears as a dialog and blocks the browser operation until dismissed. Accidentally misspell a URL and you can often go onto a site where a gazillion of these plugin dialogs appear; users often click OK by mistake or out of sheer frustration.
We've also been seeing Apple becoming more mainstream, increasing their market share (iPods are an Apple Big Thing (ironic!) but aren't particularly targetable by spyware, viruses etc. because there's not really anything particular to spy on, so we'll ignore them for the moment) - looking at the market share in desktop and laptop computers, surely we should be drawing the same conclusions as in the main article? Apple and Microsoft do similar things in terms of releasing security updates as and when needed; they rely on the user to actually click the button and download. So why are PCs the main haven for spyware, viruses, and so on, while Apples are traditionally free of these issues? Granted, a hacker will have more of a target and presumably an increased chance of success if the PC media are chosen; but the Apples are still there - is it the difficulty of being written for? Hahaha. I'm not sure of the comparative usage figures for Firefox and for Apple, but Apple's been around a heck of a lot longer - yes, they switched over to a Unix base, but a lot of the function and method of use was preserved. Where's the Apple attack? Did it happen and no one noticed? Is Apple being efficient enough that it's just that much harder to do? Does anyone believe that Apple's market share is still too small to bother with?
Browsing with +2 to insightful posts and a higher threshold makes the average post seen seem a lot more ingenious
That is a very big part of it.
" didn't believe it about Mac OS"
There were Mac OS and Amiga viruses before there were Windows viruses (well, they predated Windows anyway, but the virus writers DID focus on these machines when their market share was a bigger %).
"People will realize that IE isn't just picked on because it's the most popular browser, it's also so easy to exploit, no wonder it's #1."
The answer is: both.
Don't blame Durga. I voted for Centauri.
Microsoft has a dept trying to put out spyware for FF! [/conspiracy theory]
But I think FF has good security measures in place to prevent this: always prompting for extensions, and you have to make an effort to add a site as an "allowed" extension provider... they planned well.
Nevertheless, Stiennon also indicated the creators, maintainers, and even users of Firefox will quickly and aggressively step up their anti-spyware efforts along with the increased threat. "The people who use Firefox -- their reaction to any spyware-type attacks will be pretty vehement," he said. "There'll be fast reaction from both Firefox developers and users."
;)
I think this part sums up the beauty of Firefox, and the reason why I don't think this is any sort of cause for alarm:
There is a whole community of brilliant frickin' people out there who have taken a personal interest in making sure Mozilla products are secure & as bug-free as possible. I don't think it would be an exaggeration to say that they might look at Firefox as "their baby."
More importantly, some of these individuals are well-versed with the shadier aspects of software...so I predict Firefox security holes being patched as quickly as they're found.
Not only that, but I don't see many Firefox users (especially not those that have used it since its early days) taking spyware/adware lightly...turning the other cheek or throwing hands up in frustration don't seem to be personality traits of bastards like us
Just once I'd like someone to call me 'Sir' without adding 'You're making a scene.'
At least we'll finally know the truth about whether or not Microsoft's claim of only having security problems because they're so dominant is true. But then again there's that new exploit that DOESN'T AFFECT IE. A proof of concept is at http://www.shmoo.com/idn/ which spoofs the paypal.com site. This exploit basically works on anything but IE. And Opera has stated they believe there is nothing wrong with this and won't be making any current changes. As an Opera user I find this highly disturbing.
Between spyware, adware, monopolies, abuse of IP, and corporate shenanigans, it's almost enough to get me to quit my job as an IT guy and go live in a monastery somewhere.
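The IDN spoof referenced above (a lookalike of paypal.com that IE did not render but Firefox and Opera did) is detectable on the defending side, and this added example shows one check. It is my code, not the shmoo.com proof of concept and not any browser's implementation: it decodes the punycode wire form with the standard-library idna codec, flags labels that mix Latin letters with letters of another script, and, as the mitigation browsers later adopted, falls back to showing the raw punycode for such hostnames. The script classification by Unicode character name is a simplifying assumption (a real checker would use the Unicode Script property and the UTS #39 confusables table), and the lookalike hostname is constructed here from "paypal.com" with its first "a" replaced by Cyrillic U+0430.

```python
import unicodedata


def script_of(ch):
    """Crude script label for one character, derived from its Unicode name.
    Assumption: the name prefix is good enough to separate Latin from Cyrillic/Greek."""
    if ch.isascii():
        return "Latin" if ch.isalpha() else "Common"
    name = unicodedata.name(ch, "")
    for script in ("CYRILLIC", "GREEK", "ARMENIAN", "LATIN"):
        if name.startswith(script):
            return script.capitalize()
    return "Other"


def decode_hostname(host):
    """Wire-form (punycode, xn--) hostname -> Unicode form via the stdlib idna codec."""
    return host.encode("ascii").decode("idna")


def mixed_script_labels(host):
    """Labels of the decoded hostname that mix Latin letters with another script.
    A whole-label confusable (every letter Cyrillic) would pass this check and
    needs a confusables table; the paypal.com spoof mixes scripts and is caught."""
    suspicious = []
    for label in decode_hostname(host).split("."):
        scripts = {script_of(c) for c in label if c.isalpha()}
        if "Latin" in scripts and len(scripts) > 1:
            suspicious.append(label)
    return suspicious


def display_form(host):
    """What to show the user: the pretty Unicode form only when no label is
    mixed-script, otherwise the raw punycode so the trick is visible."""
    if mixed_script_labels(host):
        return host.lower()
    return decode_hostname(host)


# Constructed sample: "paypal.com" with the first 'a' replaced by Cyrillic small a (U+0430),
# encoded to the form that would actually appear in a link or a DNS query.
LOOKALIKE = "p\u0430ypal.com".encode("idna").decode("ascii")

if __name__ == "__main__":
    for h in ("paypal.com", LOOKALIKE):
        print(h, "->", repr(decode_hostname(h)),
              "mixed:", mixed_script_labels(h), "show:", display_form(h))
```

Feeding LOOKALIKE through display_form() yields the xn-- form rather than a string that looks identical to paypal.com, which is the whole point: the user, or a proxy log reviewer, sees something that does not match the brand they expected.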
Remember that the Holy Spirit is the original spyware product.
-- The reason it's called the right wing? Irony.
What about those guys who offered $15,000 to anybody who could hack their Mac web server back in the 90s? Nobody ever collected the prize.
Real security is something which can be accomplished.
*BSD is secure because it was designed to be secure, not simply because it's less common than other solutions. Likewise, if Internet Explorer 6.0 only represented about 15% of the market, it would still be hacked with shocking regularity, because Microsoft's security is a joke.
I'm not saying that all this means Firefox is as secure as some of the other technologies I just mentioned. I'm no expert on the codebase for Firefox. It might be downright vulnerable. I will say, however, that it's hard to imagine it being worse than IE.
Information wants to be anthropomorphized.
I use FireFox as my main browser on WinXP, and many times when I visit Mac OS Rumors I get a pop-under window for an ad. Has anybody else experienced this problem on other sites?
Taking guns away from the 99% gives the 1% 100% of the power.
...same old argument: "spyware experts indicate that with its increased popularity, Firefox itself will become a target". Like when they say Unix/Linux is just as insecure as anything else, it just doesn't have a large enough userbase for viruses/trojans/spyware/whatever to be fashionable.
I don't doubt snippets written to exploit Firefox's vulnerabilities will pop up, eventually in larger numbers. But that does not make the above argumentation any more valid, nor any less stupid. And we've been through argumentations about that, so I'll just skip that one.
I am putting myself to the fullest possible use, which is all I can think that any conscious entity can ever hope to do.
In fact, if you pretend to be someone else, and the site first tries known attacks against that browser, put a red flag up on my screen and allow me to easily block any future attempt to re-enter that site without warning me of the previous attack(s) from them first in a pop-up. This way, even re-directs couldn't put me there without giving me a chance to cancel first.
Btw, I truly hate the fact that we have to be so very defensive these days to use the Internet without problems!
The biggest problem for IE is the ActiveX crap. There are so many exploits for it that it's virtually impossible for MS to fix it. Once an ActiveX control is installed it has complete access to your PC. Firefox's white lists and the fact that it doesn't support ActiveX immediately make it more secure. Sure, people will find exploits, but so far patches for Firefox have appeared faster than for IE.
So Long and Thanks for all the Fish.
Thankfully for us though, it will be done less through exploits and more through social engineering. Now, I'm not sure if this is what's best for the unwashed masses or not. I've personally always believed that the best way to combat spam/spyware is to EDUCATE people, and if they don't spend money on stupid shit, or let stupid shit get installed, the people making money off them won't get anything, and will stop doing it.
Of course, I will have no problem in the future telling friends/family that the reason their computer got all screwed up was NOT because of a virus, it was because they were not educated enough about using the internet. I will refuse to fix the problem until they agree to be educated.
Buy Steampunk Clothing Online!
Not precisely in line with what you said, but I just got a little bit of a chuckle when I read your post.
...
1995 - Mosaic vs. Netscape
1996 - IE 4 vs. Netscape 4 (Same 2 browsers)
1998 - Netscape's dead, IE rules!
2001 - Mozilla? (I know, it's been around for years)
2002 - Phoenix
2003 - Firebird
2004 - Firefox
2005 - IE 6 vs. Firefox 1.0
I know there are other browsers, but sheesh this has been going on for some time between these two code bases, you know?
Real security cannot be accomplished by Firefox alone. As long as other vulnerabilities exist in an operating system (e.g. e-mail attacks, etc.), your Firefox code can literally be rewritten on your hard drive to be as vulnerable as the attacker wishes, and has the talent to achieve.
I love to use Firefox for almost all of my browsing. However, on some sites, such as MSN news video, you have to use IE to see the video or the page; there is no way to get around it. Also, some sites won't display the page properly, with overlapping text, on Firefox but look perfect with IE.
...isn't the malware authors. It isn't the browser authors. It's the web designers.
Sorry, but it is. The direction is toward more whiz-bang on pages. Flash. Shockwave. More stuff that makes people say "ooh...pretty."
And it all runs off of plugins. So users get used to seeing popups for "hey, this needs a plugin to run. Click here to get it" or warning messages "hey, this site is trying to run scripts. You OK with that?" And they get numb to it.
Sure, a more secure and harder-to-exploit-without-explicit-consent browser is a good thing. But until people stop writing pages that REQUIRE you to run code locally to view them, there will be exploits. The users are always the weak point--this is why e-mail viruses continue to exist.
And until page authors start toning down the whiz-bang stuff, users will continue to "get used to" these warnings and either turn them off because they're annoying, or simply click "OK" without reading them.
Wow, it seems I got that very wrong:
;)
Geek Philosopher
Then again he got it wrong too.
That and OSS has coders that aren't being hamstrung by marketing weasels. If something is awesome, but would take too long to develop ("cost too much"), an OSS developer can still do it if he wants.
What guarantee do we have that the people looking at the code are even qualified to review? What insurance do we have against their work if it goes wrong?
None, same as closed source developers. No company will pay you, either voluntarily or in a lawsuit, for bugs in their code; neither will OSS. Read your EULAs.
Who's accountable?
Nobody, same as closed source developers. Both have reputations to uphold, but commercial developers only care about their reputation as a means to profit. If they can make money without bothering to have a good reputation, they will.
One advantage is that OSS developers have a reputation they would like to uphold. If they write crappy/insecure code, people stop using their code. Closed source developers will often say "well, it works, and it sells, so.." and let the developer stay on, making more bugs.
Trust me if/when *nix/firefox/apple gains the same market share that windows/IE has, you'll start to see the same thing. No matter how hard the system developers try, the malware developers will be one step ahead, and you'll have a similar situation.
The problem isn't that Windows is so insecure (even though it is), it's simply this: If I am a malware developer, I want my malware to have the biggest possible target audience (or if I write viruses, or exploits, the same is true, otherwise I'm exerting my effort for a small effect). Right now IE/Windows is the largest possible target, so all malware developers are targeting their efforts there.
I bet that if the situation were reversed and *nix was on the top with a 90% market share, we'd see tons of viruses and malware for *nix. It's only common sense.
But that's just the way I see things....
I find that most often I end up learning from necessity, rather than for enjoyment.
Firefox itself will become a target for spyware creators.
And that's why there's an option to "Allow websites to install software (extensions)." Just be sure you limit these sites to Mozilla-related sites (like mozilla.org and mozdev.org) and you will be fine.
I've actually had some borderline-illegal sites try to install Mozilla extensions (XPI's) as well, and the built-in protection scheme stopped it cold.
Just be thankful that there's no "code" to exploit (like the ActiveX component in IE) in Firefox.
Firefox running on my Mac with a Linux firewall will be targeted by virus and spyware authors, and will suddenly be infested and unusable.
Any day now.
Just as soon as Mac OS X has 97% market share, and Firefox has 90% market share, and Linux has 90% market share.
When that happens, I better watch out. Yessiree.
Well, Netscape was killed in the late nineties, and nothing has even come close to threatening IE, until now. So IE has definitely been one huge, solid target for crackers. The only viable one, really.
Clever signature text goes here.
>the very multi-platform nature of the code makes it harder to write an app that will work well.
That's kind of funny in itself - somewhere, Microsoft is agreeing with you. "Cross platform code sucks, it makes apps worse!"
Seriously, though... how does the fact that Firefox also runs on something other than Windows make it harder to exploit a vulnerability in Firefox x.y.z for Windows? If the vulnerability is there, it's there. Just because .0000001% of Firefox users run it on OpenBSD doesn't make an exploit not work on Windows.
Let's let them continue to forget, so that I can browse the web in peace, huh?
If the market is indeed split into two major parts, this is actually a bad thing, because it gives you only two huge targets. That makes it easier and less expensive to create viruses, or take over computers for monetary purposes.
This is very true, that our security is well served by heterogeneity. And not just in browsers, but in platforms. I'd bet we'll find that some of the attempts to infect Firefox are targeted specifically at Windows exploits, and even don't work on Linux/OSX. Maybe they'll come up with an extension/toolbar that reports searches and browsing habits back to some marketing team, but that in itself doesn't bother me so much.
The sheer fact of spyware, that some software reports some kind of information back to someone, that's one issue, but at least users can choose that for themselves. It's the self-installing programs, impossible to remove, inflicting damage on your system as you force-remove them, installing other spyware as it goes, reinstalling itself as it's removed, etc.-- those facets of spyware are what trouble me. And I doubt it will be terrifically easy to create platform-agnostic spyware that exhibits those properties, even if you have a common browser.
I have to say we are in good hands for the time being. Mozilla has been pretty quick to release patches and fixes to bugs that were found. Additionally we have to consider one important thing -- Firefox does not integrate with your operating system, like IE does. This is why when you log onto the net 'unpatched', you can get infected just by being online (which is amazing to me). The future of spyware may be aimed more towards Firefox but in a way, it's helpful to Firefox for spyware/malware writers to target it -- it helps them close security holes that aren't known about and help prevent and protect against other things. And since the Mozilla community (oh yea, open source!) is very good in turnaround time to support the browser, the patches will be relatively swift.
So while the author may be right that malware and spyware authors may target Firefox as it gains popularity -- Mozilla and its hordes of programming legions (the open source community) will work together to close the holes that open and see they can't be opened in different ways. In IE, if you closed one hole, you opened another, very similar one. Not that IE is bad, but it was really just abandoned and now that Firefox has the head start -- it's going to stay ahead for the foreseeable future. We will see what Longhorn brings to the table, with the next iteration of IE though.
Either way, I am the type of person that's convinced we will see the end of SPAM in the foreseeable future... I don't see why continual development can stop spam entirely.
The price is always right if someone else is paying.
You have a point. However, I would think they will only target one browser anyway, or at most two, since it is not wise to attack every browser. Having more browsers would reduce their income and make them target the easiest browser (both security-wise and easier for social engineering).
I am harvesting funny/good quotes. Please help by putting them in your sigs
It appears that the instruction language for extensions is Javascript. So you can theoretically control extension behavior with your browser's javascript settings.
http://kb.mozillazine.org/Extension_development
I didn't know Bill Gates posted on Slashdot!
Also, the very multi-platform nature of the code makes it harder to write an app that will work well.
Actually, doesn't that make it easier to write an exploit that will work on all platforms?
when using Firefox or Mozilla is the Java virtual machine, most often the Sun JRE is used. There are some security holes in the JRE and this has nothing to do with Firefox. I mean, if you think you're safe with Firefox - update your JVM first. Or don't use any. Bizarrely, nobody ever talks about the Sun JRE. It's very far from perfect though, and must certainly be taken into account.
I know this is going to sound like flamebait, but I beg of you, hear me out on this one. In windows, it's a known fact that very few people know how to use the automatic updates. Thankfully, when SP2 came around it became much easier. Now, whenever security holes are found, they eventually find their way onto a windows user's machine and thus patching IE. Now, let's take it for granted that there WILL be, at some point in the future, an exploit for firefox. Maybe not a huge one, but we all know that no program is perfect. How many people, when this bug comes out, will know to update firefox? I would venture to say that the same people who had troubles with windows's automatic updates are going to have a much more difficult time getting firefox to update. For the record, I use firefox exclusively, but I'm a bit cautious about switching my clients over for this very reason. Just my $0.02
Has no mention of spyware for firefox, perhaps it has been delayed. If you could contact the publishers and ask for a timeframe it would be nice.
Seriously, FUD: hey, if you use FireFox it will end up pig-shit like IE!
FireFox has some neat features, like, erm, not having active X. Yes I bet there are expoits, but I bet they get patched.
If people can have a solid, transparent auto-update, that would PWN!
just make sure it uses a 1 time auth system to stop people spoofing dns or some shizzle.
belch.
#hostfile 0.0.0.0 primidi.com 0.0.0.0 www.primidi.com 0.0.0.0 radio.weblogs.com
...Microsoft begins developing spyware for FireFox.
Mike van Lammeren
It will challenge your head, your brain, and your mind.
Yea, like that plugin that supposedly extracted all the graphics from a web site, saved them to disk, and tried to "guess" what other images MIGHT be there based on the file name patterns.
Seemed like a great idea, right?
That's when I found out it was infected with that nasty "Piss off your wife" virus. The one where you're denied "marital benefits" for a while when she finds out what happened to all that hard drive space.
"Live Free or Die." Don't like it? Then keep out of the USA
Details here: http://www.shmoo.com/idn/homograph.txt
Watch the exploit in action here: http://www.shmoo.com/idn/
To patch this (in most browsers):
1) Go to your Firefox address bar. Enter about:config and press enter. Firefox will load the (large!) config page.
2) Scroll down to the line beginning network.enableIDN -- this is International Domain Name support, and it is causing the problem here. We want to turn this off -- for now. Ideally we want to support international domain names, but not with this problem.
3) Double-click the network.enableIDN label, and Firefox will show a dialog set to 'true'. Change it to 'false' (no quotes!), click Ok. You are done.
4) Go check out the shmoo demo (above) again and notice it no longer works.
It also can make things more difficult for legitimate developers.
Sure, Firefox will be attacked. But the implications of a successful attack are much less likely to disrupt the whole system - Firefox is a self-contained application with pretty good controls for avoiding non-trusted XPIs from being installed. IE is really just the front-end for a whole series of system-level tools that are, for better or for worse, completely linked in to the OS itself.
So the consequences of an IE exploit are typically far worse than the consequences of a Firefox exploit. This is just how it works with modular applications instead of system-level everything.
Of course, if you run ActiveX within Firefox, all bets are off...
-- Josh Turiel
"2. Do not eat iPod Shuffle."
Terrorist = Bully, and the only way to deal with bullies is to stand up to them and fight.
You have this backwards. It should read:
World Power = Bully
And Terrorists are the kids who got tired of the bullying and decided to stand up and fight. Except they are smaller, and weaker. So the only way they can fight is to do underhanded and sneaky attacks.
The Solution? Stop bullying.
Don't ask how to stop the Terrorists, ask how to stop the *making* of Terrorists.
When someone writes one, or pays for one to be written.
That gives the Open Source community a chance to prove its salt. Look and see how quickly Firefox will get fixed in comparison to IE. Not only that, but even if there never is a full system-wide fix, individuals can fix theirs personally if they want. Try doing that with IE. Computer use is going to move to that point someday, in which everyone will be capable of at least small changes in the software. All it takes is a few generations learning simple programming and getting used to the idea.
My sig is as boring as you...
Seriously, when are the old farts going to make some laws to put some teeth into these scum?
For starters, they can concentrate on any program or procedure that does not allow itself to be removed completely from a system, period. There should be multi-million dollar minimum penalties for this. (yes, this would include IE) Every single process on the computer should be able to be uninstalled at the whim of the user - instability notwithstanding. You'll only need to enforce a small percentage if the penalty is high enough.
Then, they can crack down on programs designed to specifically defeat user preferences such as pop-up blockers. Again, multi-million dollar penalties here... Although this may be a little difficult to enforce.
Finally, unsolicited email needs to be dealt with. There should be a complaint threshold - say if 50 out of 200 persons (25%) report a certain corporation's product as being delivered by spam, the investigation starts. They would be subject to, you guessed it, multi-million dollar penalties if found guilty, and on top of that, receive lifetime bans from doing such things as registering domain names, buying hosting services, certain categories of ISP services, etc.
You could take a different tack and perhaps say that in order to send the same email to more than 100 people you need a "bulk advertisers" license.
Sure it'll force the rest of us to go through some hoops, but it'll make life on "the internets" a lot more livable.
But, I went to a Lutheran HS in Chicago. We had chapel every Thursday. One day, a girl I had had a crush on forever (she went to my grade school as well), a well-perceived, good-faithed, honor roll student, was giving the sermon at chapel. :)
The service was supposed to be decrying sexual immorality, but the entire 20 minute sermon, she unknowingly used the term "sexual immortality."
Every time. And everyone laughed. Every time.
A lot of us were surprised they didn't cut her short. Just thought I'd share
put the what in the where?
The big hole is that you could still have another app modify Firefox's settings externally, and install a spyware extension that way.
And you know what? It wouldn't seem at all out of place to most people.
On Windows, application makers have this horrible idea that it's okay for applications to put themselves all over your computer. Desktop icons, search items, control panel entries, top-level start menu icons, Internet Explorer bars, etc. And not just spyware, but legitimate apps. And it's all stuff that no-one is ever going to care about.
Of course, Microsoft is to blame for this as well. They're constantly inventing new ways to break consistency all over, integrating their own applications in ways that don't scale. Third party makers imitate it, badly, and you end up with a cluttered, unusable desktop.
IDN Allows Bypass of Mozilla's "Allowed Sites" List
Background:
IDN (International Domain Name) support in Mozilla allows bypass of 'Allow Sites'. The problem is caused by the way Mozilla handles IDN when checking the list of allowed sites.
Example:
<a href='http://update.xn--mozill-8nf.org/ malicious.xpi'>Friendly Extension Name</a>
Update.mozilla.org will be checked against the whitelist instead of update.xn--mozill-8nf.org.
Threat:
Exploit could be used to trick users into installing malicious extensions.
Solution:
Don't trust 'Software Install Prompts'. Use a different browser.
Author: Todd Lehr
Have you ever been to a turkish prison?
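The whitelist bypass in the advisory above, and the network.enableIDN workaround posted earlier, both turn on one point: an allowed-sites check has to be made on the canonical ACE (xn--) form that DNS actually resolves, not on a human-readable form, and once it is, IDN does not need to be switched off. The Python below is an added example, neither Mozilla's code nor any poster's; ALLOWED_INSTALL_HOSTS, to_ace, install_allowed and the other names are chosen here, the only hostname taken from the page is update.xn--mozill-8nf.org, and the sample URLs are constructed.

```python
"""Whitelist matching on the canonical ACE form of a hostname.

Added example; not Mozilla code and not written by anyone in the thread.
The function and constant names are chosen for this illustration. The host
update.xn--mozill-8nf.org comes from the advisory; every other sample
value below is constructed.
"""
import unicodedata
from urllib.parse import urlsplit

# Hosts the thread suggests trusting for extension installs.
ALLOWED_INSTALL_HOSTS = {"mozilla.org", "update.mozilla.org", "mozdev.org"}


def to_ace(host: str) -> str:
    """Canonical ASCII (ACE) form: lowercase, then IDNA-encode every label.

    Pure-ASCII labels pass through the stdlib 'idna' codec unchanged, so
    lowercasing is done here; Unicode labels become xn-- punycode labels.
    """
    return host.rstrip(".").lower().encode("idna").decode("ascii")


def to_unicode(host: str) -> str:
    """Display form: expand xn-- labels back to Unicode (round-trip checked
    by the codec, which raises UnicodeError on a label that does not)."""
    return to_ace(host).encode("ascii").decode("idna")


def label_scripts(label: str) -> set:
    """Rough script set of one label, read from Unicode character names
    ('LATIN SMALL LETTER A' -> 'LATIN', 'CYRILLIC SMALL LETTER A' ->
    'CYRILLIC'). Hyphens and digits are script-neutral and skipped."""
    scripts = set()
    for ch in label:
        if ch == "-" or ch.isdigit():
            continue
        name = unicodedata.name(ch, "")
        scripts.add(name.split(" ", 1)[0] if name else "UNKNOWN")
    return scripts


def is_mixed_script(host: str) -> bool:
    """True when any label mixes scripts, the usual shape of a homograph."""
    return any(len(label_scripts(lbl)) > 1 for lbl in to_unicode(host).split("."))


def install_allowed(url: str) -> bool:
    """Hardened check: exact match of the ACE host against the whitelist.

    The advisory describes the check being applied to what the user sees;
    the ACE form is what the network layer connects to, so it is the only
    form a policy decision may be based on.
    """
    host = urlsplit(url).hostname or ""
    try:
        return to_ace(host) in ALLOWED_INSTALL_HOSTS
    except UnicodeError:  # malformed or non-round-tripping label
        return False


def describe(url: str) -> dict:
    """Fields a software-install prompt could show next to its decision."""
    host = urlsplit(url).hostname or ""
    ace = to_ace(host)
    return {
        "ace": ace,
        "display": to_unicode(ace),
        "mixed_script": is_mixed_script(ace),
        "allowed": install_allowed(url),
    }


if __name__ == "__main__":
    # Constructed sample URLs: the genuine host, the advisory's ACE host,
    # the same host typed with its Unicode label, and a mixed-case variant.
    for sample in (
        "https://update.mozilla.org/extension.xpi",
        "http://update.xn--mozill-8nf.org/malicious.xpi",
        "http://update.mozill\u0430.org/malicious.xpi",
        "http://Update.MOZILLA.org./extension.xpi",
    ):
        print(sample, describe(sample))
```

Run stand-alone, the script prints that the advisory's host decodes to a label ending in Cyrillic U+0430, is flagged as mixed-script and is refused, while the genuine host passes in any letter case.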
See, Firefox is more secured because it's OPEN SOURCE. They've got this thing called a bugzilla (just msn search for it) and when dudes try to pull bogus shit on the bugzilla it's all like oh HELL no you're not putting that bullshit code in my grill. Also, when something sucky gets by (I don't know, maybe the bugzilla has bugs or something) it's always discovered by developers first and they fix it just hella fast. There's dudes there that can fix bugs in like .0002 seconds and everybody automatically knows to go get that update. With microsoft they have bugs that are like fifty years old and they're just all hell no we're not fixing that shit, we already got the money.
It's the same thing with linux. Did you know that linux is impossible to hack? It's true. One time these guys set up this linux box and were offering hella money if somebody could hack it, but nobody could and it just goes to show that open source is for the win!
Compare that with Windows where as soon as it boots up it's all "Initializing all kinds of spywares and shit cause you got hella hacked up just for using your browser."
--
the strongest word is still the word "free"
I agree that browsing at the same priv. level as a software installer is a big problem.
In addition to the "Let's all run as Admin" scenario, MS also makes it all too easy for IE users to unintentionally install things. I have seen numerous examples where a Windows 2K spyware infection went well beyond the user's profile. If your entire TCP/IP stack is hijacked, you need to do more than trash the user's profile. It always amazes me to see how we can perform all of these administrative lockdowns to prevent Windows users from installing software, and along comes the spyware and it plays right through. Hmmmm....
As you say, it's the user's habits contributing to the problem, compounded by an OS and programs that make it easy to do unsafe things. One easy way for Firefox to defend itself is to make sure that XPI installation requires an active step that neither the program nor the user can bypass or click through. If you must download the file, and click "Tools...Extensions...Install" as opposed to getting a "Click OK to enhance your browser" prompt out of the blue, then the bar is raised to a level where newbies are not likely to jump. Anyone who can't figure out how to manually install an XPI is probably best served by skipping extensions altogether.
I have nothing more to say
Security is a priority for Firefox. For M$, it isn't. The Firefox folks won't deliberately leave obvious unpatched security holes the way His Billness does.
In a flurry of stupidity I clicked "yes" on a dialog box asking me whether to execute an untrusted Java Applet or not. I figured this would probably be some graphical gizmo that makes the website render prettier.
But, surprise, the applet instantly installed a bunch of spyware onto my PC, part of which AntiVir (www.free-av.de) recognized as Java based trojans. It took several hours and various cleaning tools to remove all the software that was installed as part of that package.
The web site that infected me through Firefox was a referral based online game that credits you with ingame currency for referring other users to the game. Online message boards keep getting spammed with referral links. Now I know why.
Never trust Java applets, no matter what browser you're surfing with! It can be just as disastrous as blindly trusting ActiveX controls.
--- Eat my sig.
XPI's should be digitally signed. Period.
FF should not allow xpi's to install without significant headaches to the end user if no sig exists. And the trusted CA should probably be a Mozilla cert
At least on Windows, Firefox has Java enabled by default, and also the "allow web sites to install software" option. If you don't turn those off, you'll be vulnerable to a lot of stuff. I have both off. When I need to install a Firefox update, extension, or theme, I just turn on "allow installs" to do it, then turn it back off. Same for making use of Java applets that I trust.
I'm certain that we'll see FF exploits sooner rather than later. While FF is immune to a few specific attack vectors used to install malware via IE, it has its own, unique vectors. Extensions are one.
As well (some may dismiss this as FUD), but the very nature of OSS makes it vulnerable, as well. Consider if someone contributes code that (intentionally) contains a well-hidden vector for spyware attacks. Consider also that the blackhats will probably exploit the open bugtracking system and open access to the code to come up with exploits.
I am the maverick of Slashdot
I've been trying to tell people this for years. Whatever browser is the most popular will have the most software attack it. Same with your operating system.
Mike @ The Geek Pub. Let's Make Stuff!
Ok, few things: First of all, ever notice how IE and Windows Explorer (the shell for the Windows operating system since win95) are functionally interchangeable? If an exploit gives you significant control over IE, it gives you that level of control over Windows as a whole. Firefox is separate from the operating system and doesn't have this level of integration. If you control Firefox, you control Firefox, not Windows. This doesn't mean it's invincible, it just means fewer options for an attacker to use to wreck your system.
Next off, Firefox doesn't support ActiveX (without plugins, which you shouldn't have anyway), which is the way just about all the worst malware gets itself into your system. There's an option to disable ActiveX in IE, but it doesn't seem to do anything, since I've done it on computers and they still end up with shit like ISTBar, which is ActiveX.
Firefox doesn't let everything do whatever it wants. It could go farther in some places, but it does a good job of not letting websites screw with your computer. IE will let just about anything install just about anything if it asks permission, and 90% of users click Yes because if they click No, the box pops up two seconds later and won't let them do anything until they click Yes. Maybe they just installed Japanese Text support, maybe they just installed a dialer that sends their internet connection through a $55/minute line to Mongolia. Firefox just doesn't let programs do that.
Next, the open source advantage comes: Because lots of people have the source code, it is true that a hacker can use that code to find an exploit. However, a hacker can do the same thing without the source code. Look at Windows: Lack of source code hasn't slowed them down one bit hacking it, whereas with Linux, they have the source code and very rarely does a Linux system get hacked. When they do, it's almost always something that could have been easily prevented. On the other hand, there are far more developers than hackers looking at the code (and even many of the "hackers" are not the usual malicious type and are actually out to find holes that they might be patched), and they're also looking for holes. They find them, they fix them. Microsoft has a time delay. An exploit is reported, but then it has to be found by inside programmers. This means waiting until the next business day at least, and then limited man-hours to fix the problem.
Firefox, however, when the problem is found, there's a good chance the finder will have a fix. If not, no matter what time or day, there are lots of people who will take a look. The best analogy might be with a distributed computing network. Microsoft is like a supercomputer - lots of potential power, but there's only one of it, and it's not always running, since the programmers all live in the same place and sleep at the same times. Open source is like a distributed network. Not as much potential in any single location (Lots of single developers, instead of large-scale, well-funded firms like Microsoft), but there are a LOT of them. When half of them are asleep, the other half are up and about, so there's always somebody available to look at a problem.
Then there are intangible advantages: The developers of Firefox are strongly driven to make a browser that is so superior to Microsoft's in every aspect, many of them just for the sake of making Microsoft look bad. Microsoft hasn't had that kind of drive with IE in years, and it shows. Heck, I remember getting three or four major upgrades to IE in under a year and a half, but then for almost five years across three computers, it's been just small patches here and there and the same otherwise.
Lastly, and probably least important: Firefox was made with good old 20/20 hindsight. They saw what was wrong with IE and how it was exploited and abused, and they rebuilt Mozilla from the ground up to counter those shortcomings.
None of this makes Firefox invincible, but it does make it much harder to break into than IE. Any way that is found to break Firefox will be something new, and probably something that hasn't been seen before anywhere.
Doesn't matter. They will never be able to exploit Firefox to the degree that Explorer has simply because it's not integrated into the OS. End of Story.
This is not a very well documented reply. Linux-based servers are very common, especially for web servers. And they are being attacked all of the time! The fact that the impact is usually minimal is due to both good administration practices and timely patches when needed. And slightly better security models implemented in the OS.
I'd bet money MSFT was behind that little gem of market droid spin doctoring.
Windows wasn't designed with security in mind because it was never designed to be a networking platform. That functionality was bolted on later for both the server and client pieces. Take an OS that's designed to be easy and compatible, wire up some networking tools and then expect it to be secure? Riiiiight.
People were hacking on Unix years before MSFT ever came along. The *nixes are like the kids who grew up in tough neighborhoods. They've been suspicious of anyone from outside for a long time.
That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
What guarantee do we have that the people looking at the code are even qualified to review? What insurance do we have against their work if it goes wrong? Who's accountable?
All of these questions are equally valid for Microsoft products.
You did read the warranty for IE, right?
"Rocky Rococo, at your cervix!"
I'm a Firefox fan and long-time user of the Mozilla family. I, too, have seen several significant weaknesses in Firefox's security. Those include web sites popping up new windows despite my settings supposedly preventing that, and seeing incorrect information about links in the status bar, again despite my settings supposedly preventing that.
Firefox may still be better in this area than the competition based on performance to date, but the problems cited by the GP do exist, and calling someone a shill because you disagree with them is not a very convincing argument.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
I've seen some signed Java Applet based spyware which will popup annoying dialogs (look around on http://cracks.am)
Your hybrid is not saving the environment. Its purpose is to make you feel good about buying something.
But if it came down to it I'm sure it would be trivial to add a configuration setting to Firefox that allowed you to prevent all XPI/Plugin installation full stop. And I for one would welcome it.
There is one to disable that feature already. Go to Tools -> Options and under Web Features, uncheck "Allow websites to install software"
Once that's done, whenever something tries to install from a website, you'll get a little bar at the top telling you what the website tried to do after it blocks the action.
There really is no way to exploit something like html/scripting if it's implemented properly - by properly I mean scripting languages etc. must be sandboxed and have absolutely no functionality regarding sensitive commands - creating and editing files etc. HTML on its own is tight, there's just nothing you can do; java/script is also pretty tight (as long as the implementation is good). A virus works by having a decent amount of 'access' to the machine; depending on what sort of access it has, it can achieve a varying amount of bad things - requesting more and more memory or cpu priority, deleting files, annoying the user by moving things on the screen etc. Outlook and IE are such a disaster simply because they have scripting features with access to these things and they are turned on and run by default! Firefox is developed by a team that's not under pressure to enable things like this so that the "PHB can have his word files load the macros easily". Buffer overflows etc. aside, if your scripting environment can't do what it shouldn't, then no script can force it. Now if spyware gets on the machine as an actual executable then it can alter firefox and do whatever, but that's a proper virus - browser scripts are not virii simply because they are retarded, and anyone who calls a VB script a virus is just playing into the Microsoft FUD: Build millions of houses without doors and expect no-one to get burgled (get it? without doors - windows but no doors... eh? eh?)
This comment does not represent the views or opinions of the user.
Great story! Thanks, worth the OT.
-kgj
If you're counting on people not understanding or caring about security, virus protection and adware protection your target audience should be obvious.
My apologies; I hadn't noticed the below-threshold AC reply.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
In the context of Firefox security, the joke is that there are a whole lot of easier ways to attack someone's system than Firefox.
Let's consider what the steps are:-
Write an XPI to launch an attack.
Get it onto the Mozilla update site without anyone spotting it.
Hope that no-one spots its behaviour, even though the source code is in there.
Compare that with delivery by email of either a .exe or a .vbs, or putting something on a website that exploits someone and tricks them into downloading. It's a pretty crappy attack that's going to have a limited life. Even if it got through, people would be more wary after, and start checking the content of XPIs more thoroughly.
...insecurity is a product, and its name last year has been Internet Explorer.
There may be double standards, but this time isn't one of them.
Sam
blog.sam.liddicott.com
If you are getting verified XPI from the mozilla website, there is no need to worry.
I would imagine there are publicity and props seeking blackhats, then those who go way out of their way to make sure no one finds out, and are after intelligence, financial records, insider business decisions useful in the "investor" community, etc., etc., things that can be sold for big bucks on the black market or used by competing governments or corporations. Large crime rings and their handmaidens, government-approved hackers, would probably seek to not garner any notice or brag about it on irc channels, etc. Witness the latest FBI email hack, allegedly went unnoticed for months, and publicly at least they have no clue who did it, why they did it, etc. and I would bet right this second there are any number of sensitive web sites/pages compromised by well beyond normal skilled people, precisely to just get intel of various sorts. And I would also bet quite a few are inside jobs. When you have the ability to really really and skillfully hack, plus the combination of the incentive to do so through bribery and blackmail or some sort of brainwashed in political extremism, then, given human nature, it will happen.
So in essence what I am saying is, I wouldn't be surprised if there are a number of apache and iis exploits out there that aren't noticed now, no one but the originator of the exploit knows about them precisely, although his customers know he gets good stuff, and they are being used to make some serious profit, either financial or political or both. Or web browsers being exploited for that matter, including the latest Firefox, IE, Opera whatever.
Yes, it's speculation, but I learned long ago never to bet against human nature. If there's an illegal buck to be made, it's being made, not that it's just maybe theoretically possible.
the truth gets modded flamebait once again
By the time that they come out with spyware for firefox, google will have already come out with their browser, continuing their plans for taking over the world.
On a slightly related note, I've noticed that for a while now, the Drudge Report has figured out how to slip a pop-under in on Firefox. I haven't really looked at the code to figure out how he's doing it, but it's a little dismaying that the Firefox folks haven't addressed this yet.
It is not like people install a new extension or theme every day. And unlike ActiveX, xpi should be used to add features to the browser, not to give more features to webpages. So you won't be denied access to content by not installing something immediately.
Who didn't see THIS one coming? I was just afraid to say anything about the eventuality...
So I guess I'm saying that I had been enjoying the security through obscurity of Firefox. Bad me. I'll go stand in the corner now.
You can run but you can't hide, except, apparently, along the Afghan-Pakistani border.
Well, it was fun while it lasted. May as well go back to IE >
Vote Democrat: The ass you save may be your own.
Ow, yeah. Duh. There are already tons of "spywares" on update.mozilla.org that are not signed and add lots of new features to Firefox. Why would a little weather-showing icon bring xxx porn onto your desktop? Nonsense.
Since I was trying Gnome recently, some things about firefox were starting to stand out. First off, it uses some of its own widgets so it doesn't fully integrate nicely with a user's current gtk2 theme. Then I realized session management doesn't work with firefox in a gnome environment.
I've been using ff since .3 and have always loved it, and thought before that I wouldn't use/need another browser. But since trying other browsers I thought a little more about what moz/ff gaining market share gives us.
So, I read about epiphany and galeon, two browsers for gnome based on the gecko engine. One is very light and barebones and the latter is a more full featured version, but both integrate nicely into gnome.
Anyways, in trying these browsers, I got a couple of unexpected bonuses. One is that both browsers were just generally snappier and faster than ff. Also, an issue I've had for ages on ff in lin is some flash material could really bog down the system, to the point where I could barely click something. I've searched the prob, and as seen on the moz forums, many others have this problem.
But now I have no flash speed issues whatsoever.
At first I was kind of puzzled over this with all browsers using the same rendering engine, but from what I've read it's the xul overhead of firefox that can cause these slow down issues (and give users the extensions functionality).
My point on this is that the more popular firefox gets, the more level the playing field is and ultimately it won't matter what browser you are choosing.
Joe sixpack needs to think of things as the next big thing. So some people now think 'IE sucks, FF rox!!'. But ff isn't necessarily the next big thing, it's end game for the browser war as it gains market share.
Because in the end it won't matter if a user is browsing with moz, ff, gecko based browsers, konq, safari, opera.
And I'm still puzzled at how microsoft is shitting the bed with IE.
Because moz would not have gained market share on 'Look! it's open source and standards compliant!'
It gained market share on two things: no pops and tabbed browsing. If microsoft jumped in and quickly disabled javascript popups by default and hacked in tabbed browsing, a lot of people wouldn't have switched.
Actually, doesn't that make it easier to write an exploit that will work on all platforms?
No. Next trolling/ignorant question?
no you're thinking of the previous one with a certain cigar fetish :-)
...
A different typographical error -- should read immoral turds
-kgj
-kgj
I guess response time depends on what platform you are on. Mozilla has not released a single fix for the Mac OS X version of Firefox and so all the known security holes remain unpatched for it. It's not clear to me if there have been any fixes for the Windows version. The only thing I've read is that such do exist for the Linux version. Has the Windows version had "hot fixes"? In any case, at least for Mac OS X, the response time by Mozilla has been truly abysmal.
--- What?
Come on, you really think contributions are not reviewed before being released? If what you claim were true (this is one of the poorest arguments of Microsoft against OSS, by the way...), OSS would be HELL already. This argument just doesn't work. It just proves you don't know OSS.
When a vulnerability is discovered, it will get fixed much more quickly than it will take for a "hacker" to exploit it. One of the reasons is that most "hackers" are much poorer programmers than the people who contribute positively to OSS. This is exactly why they've chosen not to do anything constructive with their skills, but destructive instead. There are a few exceptions here and there, but this is mostly how it all works. And not just in the software either. A thief usually has some "stealing" skills, but doesn't have enough skills to get money and recognition in a positive manner. Ok I'm digressing a little bit here, but you get the idea.
I don't really have a functioning mouse atm, so I'm using the X window system's ability to maneuver the pointer with the keyboard, but at times I click on things I don't want to, and it's not as accurate as I'd like (no matter, soon I will have a mouse, mwhahaha!!) and I accidentally hit the 'install missing plugins' button of a strange website; soon I kept getting force-reloads from currently open tabs forced to some website selling something or other. (Maybe I should have written something down instead of being so ambiguous here). I closed firefox, restarted it and cleaned out its cache and it's been working fine ever since, but it did kind of freak me out.
GENERATION 26: The first time you see this, copy it into your sig on any forum and add 1 to the generation.
IE users are susceptible to spyware. Generally speaking, only experienced computer users and friends of experienced computer users use Firefox. The general public doesn't know what Firefox is and will keep using Internet Explorer. Most users who have converted to Firefox are the same users who will have SpywareBlaster, Ad-Aware and/or SpyBot S&D. What's the point of making spyware for someone who will just remove it over making spyware for the masses? -Viv-
Just because something is reviewed doesn't mean it won't contain flaws.. especially if said flaws are purposefully obfuscated. Has it happened? I don't know. Will it happen? Same answer. The fact remains, though, that this is a vulnerability (however trivial it may be) that OSS has that proprietary software does not.
The speed in which flaws are corrected in OSS is generally commendable - usually better than with proprietary software. HOWEVER, just because a patch is released doesn't mean all of the users will apply it. In fact, the vast majority of exploits are for flaws that have already been patched by the vendor.
And as for skills of the scumbag hackers (or crackers.. whatever term you prefer).. it is social skills that these people lack, not technical skills (except for script kiddies)
I am the maverick of Slashdot
Most of those announcements deal with servers, which are in a whole other category than typical desktops, and vulnerabilities that require physical access to the machine or an existing account. Like this advisory on how someone with physical access can crash the KDE screensaver, getting access to your session, and this one on how you can cause a buffer overflow in perl, allowing you to overwrite system files with debug logs. Go find some that can root a Linux box with a default installation.
witness the stream of security advisories that are announced for each Linux distro, much more than the Windows patches we get on the second Tuesday of each month.
Wtf? That's because people have access to the code used in Linux distributions, and these bugs are getting fixed. Go read the advisories on that site you linked to, and see how many were posted by people looking for bugs to fix. Compare that to Windows, where nobody but Microsoft has access to the code, and it's a known fact that Microsoft lets real, known vulnerabilities sit unfixed for MONTHS, much less looking for bugs to fix. Do you work for Gartner or something?
People like to compare a single kernel to the entire Windows operating system, and in the next breath argue about how Linux is "just a kernel." So it's all the more amusing when some people argue that there's a difference between a Linux distro and Windows. There's not.
You are easily amused. Only RMS is retentive enough to insist that Linux is just the kernel, and the whole system is GNU/Linux.
Bollocks. The UNIX "filesystem standard" fragments things way more than Windows does. With Windows, you know a few places to look for a malicious program to get rid of it--\Windows, \Windows\System, \Program Files, and so on.
You bollocks. You think spyware is limited to C:\Windows and C:\Program Files?
Linux, on the other hand? Where do you look?
/usr, /usr/bin/, /usr/shared/bin, /usr/local, /usr/local/bin, /opt/bin, /opt/local/bin...and that's just the executable, not even getting into whatever configuration files it might have left which could be in /etc, a .directory in ~, and so on.
No, they can't, because a regular user does not have write access to those directories. Seriously, have you ever used Linux? At all? Do you have any concept of privilege separation? Aside from a user's home folder, the only places they usually have access to are /tmp and /var/tmp, and those get deleted upon restart.
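The point made in that reply, that a non-root user can only drop something where that user can write, as an added shell example (my code, not anything posted in the thread or shipped by Mozilla): which of the directories named above are writable by the current user, and which executables in them changed recently. The candidate list is the thread's own, with /usr/shared/bin kept as the poster wrote it even though it is not a standard path; the one-hour window and adding the home directory are my assumptions.

```sh
#!/bin/sh
# Added example, not code from the Slashdot thread: a non-root Linux user cannot
# write to /usr, /opt or /etc, so something that user was tricked into running
# can only persist in the places that user can write. This script turns that
# into a check: which of the directories named in the thread are writable by
# the current user, and which executables there changed recently. Candidate
# list is the thread's (/usr/shared/bin kept as the poster wrote it; it is not
# a standard FHS path) plus the home directory, which is my addition.

# Print each argument that exists and is writable by the current user.
# Run as root, every directory is writable, which is the poster's whole point.
user_writable_dirs() {
    for d in "$@"; do
        [ -d "$d" ] && [ -w "$d" ] && printf '%s\n' "$d"
    done
    return 0
}

# Print regular files with the owner-execute bit (-perm -100) modified in the
# last $1 minutes under the remaining arguments. Stays on one filesystem
# (-xdev) and skips unreadable subtrees instead of aborting on them.
recent_executables() {
    mins=$1
    shift
    find "$@" -xdev -type f -perm -100 -mmin "-$mins" 2>/dev/null
}

# Stand-alone run: show where this user could have dropped something, then list
# executables created or changed there in the last hour (capped at 20 lines).
candidates="/usr /usr/bin /usr/shared/bin /usr/local /usr/local/bin /opt/bin /opt/local/bin /etc /tmp /var/tmp ${HOME:-.}"
writable=$(user_writable_dirs $candidates)   # unquoted on purpose: split on spaces
printf 'Writable by %s:\n%s\n\n' "$(id -un)" "${writable:-(none)}"
printf 'Executables changed in the last hour there:\n'
[ -n "$writable" ] && recent_executables 60 $writable | head -n 20
```

Run it as the ordinary user you browse as, not as root; the first list is the actual attack surface that an XPI or "install missing plugins" click can reach without a privilege escalation, and the second list is where to start looking after one.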
If Linux was #1, we'd see all kinds of crap getting installed on people's Linux systems
How? Neither OS X or Linux has anything like Active X, which is the primary vehicle for installing spyware behind your back.
No one is saying that the alternatives to Windows are bulletproof, because they're not. But just because there are some vulnerabilities does not make them remotely equivalent to the stinking cesspool that is Windows. The problem is not popularity; Linux could have 100% marketshare and not have but a fraction of the serious problems that Windows has had, due to its massive design flaws, Microsoft's sloppy coding, and their refusal to fix vulnerabilities until there is a serious crack in the wild, weeks or months after an advisory has been posted.
"There is no design flaw in the Pinto. A car blowing up in a low speed collision, killing all passengers, is a risk any driver takes when they get behind a wheel. If Honda or Chrysler had our kind of marketshare, their cars would blow up all the time, too." --Made up Ford Exec, 1978
Now, go over to Secunia and check out the list of exploits for Internet Explorer and Firefox. Firefox is listed as having 75% of its vulnerabilities *UNPATCHED*, while IE is listed as only 32%.
According to their site, Firefox has had eight advisories. Internet Explorer, on the other hand, has 61 advisories. So yes, IE "is listed as only 32%", but it still has over three times as many vulnerabilities as Firefox.
Dumbass.
It has simply NOT been tested to the degree that IE has. That is a fact. IE holds 90% of the market and it has been slammed, punched, kicked around by every virus and spyware author out there you can think of.
Firefox doesn't use Active X, and it isn't integrated into Windows at every conceivable point. That and it was built with security in mind, as opposed to being shoehorned on after the fact.
Firefox has not yet undergone this gauntlet.
It won't have to.
I calculate some aspect of security in software as total amount of time vulnerable * size of the vulnerability.
There are some amounts I am willing to tolerate.
There are some other amounts (100 times more) that piss me off. That's what happens with Firefox and IE.
Firefox actually tells you not to open XPI from people you don't know.
IE might, but it tells you so much useless crap, that you end up dismissing it.