New Vulnerabilities Discovered in Firefox 1.0
jflint writes "Today, the security firm Secunia has released 8 more security vulnerabilities it has discovered in Mozilla products, including Firefox and Thunderbird. The exploits "could be used by criminals to spoof, or fake, various aspects of a Web site, ranging from its SSL secure site icon to the contents of an inactive tab.""
It's open source so it will get fixed quickly post.
Today, the security firm Secunia has released 8 more security bugs it has discovered in Mozilla products, including Firefox and Thunderbird. [......] If you have downloaded the Firefox 1.0.1 update, you have nothing to worry about.
Firefox 1.0.1 update was out before today, so did Secunia just look at what 1.0.1 update fixes and release its "bug" report, or did they discover something new to 1.0.1?
Rock that crushes, Paper & Scissors that don't matter.
Why is Slashdot linking to some guy's blog that no one has heard of rather than the actual Secunia advisories page? The blog entry doesn't even link there! I don't even see how this is a story since Firefox 1.0.1 has already been covered on Slashdot, and these vulnerabilities were announced then.
If you have downloaded the Firefox 1.0.1 update, you have nothing to worry about. The Mozilla 1.7.6 and Thunderbird 1.0.1 releases should be out this week as well.
No worries, just keep your browser updated.
you can find the patch here. ;)
Marge, get me your address book, 4 beers, and my conversation hat.
At least with FireFox they'll be patched up within a few days. Unlike Microsoft which waits until half the world has been screwed over...
Oh my God! I'm switching back to Internet Explorer right away!
I still feel safer than when I use IE.
Almost all software has serious bugs, and the up-tick in Firefox bugs was as predictable as the sun rising. The real key is going to be in how the bugs are dealt with.
Jerry
http://www.syslog.org/
Why this wasn't in the write up is beyond^W entirely to be expected given the recent track record of Slashdot editors... :P
UNIX? They're not even circumcised! Savages!
I was actually expecting this. Firefox is an immature fork. One vulnerability eliminated is one less to be discovered later. It is inconvenient now, but should expedite relative maturity in the base. I am, however, still awaiting an automatic update for my installation of Firefox 1.0... ;-)
Do you like German cars?
The bugs have already been dealt with. From TFA: "If you have downloaded the Firefox 1.0.1 update, you have nothing to worry about". In other words, Firefox has already fixed these security bugs and all Firefox users have to do is upgrade to 1.0.1.
I'd say let's start the clock and see how long this takes to get fixed but...
I actually got an email from a friend of mine on the redmond campus warning me to be careful since I use that dangerous firefox browser about 3 hours ago. I told him I wouldn't believe it until I saw it on slashdot! :D
RTFA
Your bank can and will ask you to confirm your password at random intervals via email.
If in doubt about who sent the email, click on the link they provide in the email to get to your bank's website to make sure it's them.
And remember, even banks sometimes forget to get their ssl certificates in order. No worries though, MS has been focusing on security for the last couple of years and IE is almost as solid as Firefox is....
That's why I use Firef... uhhh what???
Open source or closed source... makes no difference, bugs and exploits will always exist. Claiming that Firefox is the answer to all security problems is silly. Software by its very nature can be exploited for evil and no code is completely secure. Until people realize that the convenience of software is bundled with the risk of exploits and that no matter how many patches or code rewrites exist, problems will always exist. Makes me glad I'm in the software business as I know my future is secure..
They want it to look more like "news".
1's and 0's should be free.
Yeah except Avant still uses Internet Explorer as its backend. All of these fixes for Firefox are for potential exploits, not something that's in the wild. It's a lot better track record than Microsoft has by far. Plus nobody's going to pay for Opera and they certainly won't put up with having ads in their browser.
well.
whatever you recommend them to use, anything that fondles with data that's downloaded from random sites should be updated frequently.
i'm not entirely sure, but doesn't firefox's default start page mention if there's a new version available?
world was created 5 seconds before this post as it is.
Prediction: In 10 years, if there is no fundamental fix for these sorts of spoofs, or if the underlying model of the web is not changed, web-based commerce will be all but dead.
Are you on crack? People don't hesitate to hand their credit cards over to be carbon copied by pimply faced 17 year olds to make purchases at The Gap, why would they worry about SSL not being perfectly secure?
Every time I load a page on Slashdot in Firefox it shows two prompts for passwords to these ad sites. Pretty annoying...
Really, do we need a story every time some security problem appears in some software package? Surely anyone with half a brain understands that security relies on multiple protections.
Firewall, virus scanner, frequent updates to all software. Maybe a change in OS.
I really ignore all of these endless warnings any more and just trust that frequent updates and scans, and a reasonable amount of common sense and skepticism will protect me pretty much fully.
Three Squirrels
You know the MS PR warmachine will make the most of this, don't you?
Microsoft Firefox is vulnerable.. what else is new?? wait a second... /confused
I disagree, though I wouldn't call your post a troll. But since I can't post and untroll you, I'll post and hope someone else might ...
You shouldn't change your tune when security holes are discovered. Security holes exist in any application. Some are discovered, and some aren't. Your defense against security holes is two fold. The first part is that you want security holes to be discovered. The second part is that you want them fixed. The FOSS ideology helps with discovering them. And Mozilla's diligence helps with fixing them ... in fact, these holes have already been fixed.
Compare this with not being able to discover security holes and not being able to fix them, and you start to see why FOSS is good and why Firefox is brilliant.
*blinking cursor*
I too have noticed that lately the /. front page has not been reloading correctly. I am in no way an expert with web page design, so correct me if I am wrong, but could it have something to do with style sheets?
I only have this problem with the /. front page and no other page that I frequent.
Does anyone have an explanation as to why firefox's online update feature doesn't upgrade to 1.0.1?
The man who trades freedom for security does not deserve nor will he ever receive either. - Benjamin Franklin
Is this really /. or a clever spoof that will steal my credit-card numbers, drain my bank accounts and kill my grandma?
Arrrrrrrrrrrrrrrrgh......
What's the use of having an update feature if you never enable it or get it in a working state? I have never been able to update firefox through the built-in feature.
...Funny how Slashdot is the only site I have ever seen that renders so poorly as to make it unreadable at times under Firefox ...
What?
I never had a problem with slashdot. What exactly makes it "unreadable"?
is so good the bugs are fixed before they're found! :D
The problem I have (and no doubt you will all tell me if I am wrong) is that I am running Firefox 1.0 and in my preferences I have the box checked to 'download updates to Firefox'. However, Firefox has never told me about 1.01 so I feel that disregarding the original posting because 1.01 is available is not really so smart, particularly as it is not obvious to the average user that the update is available. Having the option to automatically download updates gives users a false sense of security if the updates are never downloaded.
Try this one: How long does it take for Linux people to jump all over Windows vulnerabilities that have already been patched as a reason not to use Microsoft products?
Creative Demolition
firescrolling exploit example.... caution exploit code
been out for at least 2 weeks..... just because the media does not cover something does not mean it doesn't exist.
What?
I never had a problem with slashdot. What exactly makes it "unreadable"?
Sometimes the stories or comments get shoved into the left nav. Sometimes the tables don't render at all, leaving a largely blank page. This has been a problem since Netscape 7.0 came out (whatever version of Mozilla that was.) In fact, when Slashdot put up the story about NS7 being released, I immediately downloaded it and just as quickly found the problem. I don't use Windows much, but under Linux, this has been a problem for quite a while. There are workarounds like ctrl +-, but the fact is that Slashdot does not render the same way every time. I have not seen this behavior to this extreme on any other website. If I were a slashcoder, I'd be extremely embarrassed. Then again, it seems that one quality required to be a Slashdot editor/coder is to be able to publicly make a complete fool out of yourself repeatedly for years and not give a shit.
NB
I wonder if these major flaws that are discovered are reported to Mozilla for their Bug Bounty program...
By default, Firefox will only allow extensions (XPIs) to be installed from a whitelist of sites that starts out as (update.mozilla.org).
For you to become infested with spyware by viewing a web site, you either added that site to the whitelist, or you were a victim of an unreported security problem. Did you report the site that infected you to bugzilla.mozilla.org?
You know, had I just said "No worries, just keep your browser updated." in regards to IE and Windows, I would have been modded down for promoting Windows in the first place.
Life is not for the lazy.
I honestly don't mean to be a troll here but here is my word on Opera:
Honestly, after using Opera for a year (7 months with ads) I can say that after a week's worth of use, I hardly ever notice the ads (and almost any user will agree to this). With a minimalistic theme and things minimized and all, it is almost as if it doesn't matter that the ad is there. After buying Opera, I can be certain and say that the $39 I spent on Opera was the best money I ever spent on computer software.
- Teja
I too have noticed that lately the /. front page has not been reloading correctly. I am in no way an expert with web page design, so correct me if I am wrong, but could it have something to do with style sheets?
No, it's a problem with the way the Gecko engine renders layers.
There is fraud all the time outside the internet. They have not shutdown the banking system yet. It will be a balance of usefulness vs. problems. Internet commerce is not going away.
If you encounter bugs while using IE, it is not your fault, it is Microsoft's fault.
If you encounter bugs while using Firefox, it is your fault - you should have been using IE. You screwed up.
That's unfortunately the mentality that will keep MS in business for a long time yet.
Engineering is the art of compromise.
Just kidding... I use Opera. BTW, try the new Beta of Opera 8. It's quite nice.
I think you saw this as "New Vulnerabilities Discovered in Internet Explorer." The vulnerabilities have been fixed in Firefox 1.0.1 but there hasn't been much press about them until now.
Firefox: Update to version 1.0.1. http://www.mozilla.org/products/firefox/
Firefox 1.0.1 Released: http://it.slashdot.org/article.pl?sid=05/02/25/0327235&tid=154&tid=164&tid=162&tid=1
The dup firefox /. article was brought to you by the firefox marketing campaign: http://www.spreadfirefox.com/
They released their list of major vulnerabilities in IE two days before MS released the update and months after they reported the problems originally.
They're just glory whores.
SSL implementations have been barely usable for real people for years with their laughably tiny "padlock" indicator.
Bugs aside things are just starting to look reasonable as far as SSL in browsers is concerned.
Firefox puts the "padlock" where someone will actually stand a chance of seeing it (in the urlbar) and also color codes the URL.
Opera does something similar in its recent beta but also displays the organisational name of the certificate owner alongside the padlock.
The spoofing problem isn't a fundamental flaw that is going to doom the future of browser based commerce. The reinvigoration of browser competition has started making things better for the end user.
Boffoonery - downloadable Comedy Benefit for Bletchley Park
Aeiri:
Thanks for the insight. As I said, I am in no way an expert in web design and appreciate the info.
-Nemo
Anyone else notice how now that Firefox has gotten pretty big, you're mostly hearing about Firefox issues, rather than the slew of IE issues that we used to be swarming over. In essence it makes sense as most /.ers have upgraded to Firefox, however it just seems to be working that way. I don't think that M$ could have gotten all of the kinks out of IE, so what's the deal?
Once found, if people want to be malicious about it, they'll release the vulnerability information to black hats, then the public, then the company (if at all). If bugs cause people to switch browsers, all that needs to be done is make sure you find more bugs in your competitors' software.
I read an article not long ago questioning whether posting vulnerability information in any public forum was really a good idea and the question still remains.
...new vulnerabilities were also discovered in Internet Explorer 5.5, Netscape 3, Mosaic 1.0... (er, wait a sec...)
I don't think these kinds of "phishing exploits" should be classified with security vulnerabilities. They make it easier to fool a naive user... but they're not at all necessary... the existing phishing attacks will continue to succeed as long as companies keep asking people to do stupid things.
I really have received real, legitimate mail from Microsoft asking me to download and apply a patch... and nobody at Microsoft I spoke to saw anything strange about it... and the IT people where I work have done the same kind of thing even after I asked them not to and they agreed they wouldn't.
The term "Security vulnerabilities" needs to be restricted to things like remote execution attacks, watering it down doesn't help anyone.
...slashdot doesn't display correctly in Firefox 1.0+
More at 11.
Not at all. Even now you have to trust only one site: your credit card company's. Most CC companies now offer one-time numbers you generate on the fly when you make an online purchase.
--Laci
i'm willing to deal with a couple firefox vulnerabilities over that browser that runs ActiveX controls.
so we are going to get an article every time a vuln. is found in an app now
If you mod me down, I will become more powerful than you can imagine....
well, for one thing.. these "vulnerabilities" listed in this article have already been fixed in Firefox 1.0.1. Which is by FAR different from M$'s actions of fixing the vulnerabilities several months (or longer) after the vulnerabilities have become widely known about.
I've seen it on other sites as well. Something about table widths being set to 100% or something. On some sites, the main text table cell doesn't show up until there's a reload. The same ctrl- ctrl+ fixes those too or a reload. It's really annoying.
Open Source Java DAO Generator
Because they are so minimalist as to be useless in the face of the MS "feature machine" as well as actual progress in the state of the art. I agree that DJB's stuff is rock solid and is very useful for what it does, but you can't just freeze things in 1999 and pretend that you have created the solution for all time. "For what it does" when applied to DJB's software is becoming less relevant every second.
Real software grows over time, and as it gets bigger there will be bugs. You don't accept the bugs, or just say "such is software", but you accept that somehow a mistake was made and fix it.
[Set Cain on fire and steal his lute.]
I've paid for Opera. Twice. Opera software have been kind enough to grant me a license that will let me use it on every computer in the house.
Why do I pay for a browser when FF is free? Because as great and capable as FF/Moz are, I prefer Opera.
Moderation Total: -1 Troll, +3 Goat
If anyone wonders about installing, here's what I did:
:/
The DL link can be found here:
http://www.mozilla.org/
After downloading that I closed all windows and uninstalled 1.0 (winXP) by using add/remove programs and clicked yes on delete folder. My settings/profile/chrome stuff is not in that folder, but here in my case:
C:\Documents and Settings\My puter name\Application Data\Mozilla\
Then I installed 1.01 by clicking the exe.
Done. My extensions, chrome, bookmarks seem to be intact, which of course was my biggest worry. My start menu just turned black though
The update thing in 1.0 just checked/updated my extensions, and my flash blocker stopped working. I took a look in about:config and the build and version number was still old, so that thing definitely didn't update to 1.01.
The Chair Corp. comic(*00-12)
Because SSL protects no one against key loggers.
Investigator1: We noticed that the 25 credit card fraud victims each shopped at The Gap five months ago. We talked to the store manager and interviewed the employees. One pimply faced teenager broke down in his interview and admitted he gave the credit card numbers to a member of a well-known, local crime syndicate. We arrested five people in our fair city. We recommend people carefully read their credit card statements each month and report any unauthorized purchases.
Investigator2: We noticed that the 5000 credit card fraud victims had hard drives choking on pornography and had several key loggers. The key loggers were programmed to access an IRC channel that hasn't been active in five months. As the fraudulent purchases all took place in Eastern Europe, it is unlikely we will ever catch the perps. We recommend you do your shopping locally and avoid using the Internet for any financially sensitive activities.
How's that?
This exploit doesn't work for me in Firefox 1.0.1 on Linux. Just because the site is still up doesn't mean it hasn't been fixed.
Yes, but the pimply faced kid at the Gap can't do this with hundreds or thousands of cards at a time from halfway around the world.
You have two hands and one brain, so always code twice as much as you think!
I use Internet Explorer.
Doesn't work for Firefox 1.0 on XP SP2. I had AdBlock disabled.
I'm not even running a firewall. The only security measures are my adblocking hosts file and AVG.
So unless hitting the adservers was a mandatory part of that... I see no working exploit code.
It was all in the Mozilla advisory and if you looked at it you would see it there. Secunia is just taking advantage of the situation claiming they've "discovered" 8 new items. F'ing profiteers.
I have updated firefox under MS in the past.
Funny thing happened today, though. The update icon showed up, I clicked on it, and it said there were no updates. I'm still not on 1.0.1
...dumber than a deck of cards. Hey, some of us make a good living from that deck... oh never mind.
This issue is a bit more complicated than you think.
I think you mean, you won't believe until you have seen the dupe on slashdot.
meh
duh.... The point was there was an exploit out for 1.0 and had been fixed in 1.0.1
I wasn't surprised... let me rephrase that: "Vulnerabilities hit the news and it turns out the application has already been patched for a while? I'll take that over the alternative, anyday."
MS Spokesperson:
Firefox is really not enterprise ready. Just look at the rate of patches. Why in the product's entire lifecycle, they've only had one patch to a production release. Only one!!! Compare that to Internet Explorer, which not a day used to go by that we'd patch something, or make a fix of some form. We've produced more IE patches and fixes than Firefox can ever dream of.
Thusly, we must be much more focused on security. If Firefox/Mozilla were, don't you think they'd have to patch their software as much?
(for me) isn't really the technology or the security. IE and Firefox are really not that far apart in terms of bugs/features (yet).. the main difference to me is that on one hand, you have a greedy, monopolistic company working outside proper market forces - allowing it to decide when and how it improves its software (IE 6.0 released in Aug 2002 - what major sw app can get away with a 3 year major release cycle?) vs. Firefox/Mozilla - a grass-roots collaboration of people who are trying to make something significant and have fun at the same time.
The choice for me is not a lot different than choosing to live in the Soviet Union or the United States. I'd rather not eat the gruel (or browser) someone else thinks is all I deserve.
-1 Insulting Mods
This is fixed on the trunk, so the issue should finally go away when 1.1 comes out.
With my credit card, in event of fraud - it's NOT my money that's gone.
I just have to inform the card company that the transaction was not good. And I don't have to pay for it. And since it's not MY money, it's someone else's problem.
At worst, I can't use the affected card and the card company issues me a new card.
That's OK - I have more than one credit card.
I'm far more puzzled by the popularity of debit cards. If stuff happens it's YOUR money that's gone, so YOU have to be the one working your butt off trying to get your money back.
Even cash isn't as safe. You buy something with your credit card and the merchant cheats you, it's a lot easier to fix.
The online merchants AND banks are the ones who should be worried. Too many customers tricked/exploited and their business would be affected.
Firefox, a version 1.0 product, has minor defects?
OMG, I demand a full refund now!
(But I sure am glad that people smarter than I am are able to inspect the code, find and expose the bugs before disaster strikes.)
What would Groucho do?
"Real software grows over time, and as it gets bigger there will be bugs."
Yes but it shouldn't necessarily. Commercial software in particular grows because it has to grow to produce new versions to sell. All applications eventually stagnate. As was pointed out in an article I'm too lazy to look up and link to, this is where open source catches up when cloning a commercial product: the commercial product stops adding new useful features because it has matured (read office suites/desktops/webservers/etc.); at this point open source software will catch up with the feature machine, except with a rock solid and efficient implementation.
Look at office, they haven't added much of anything worthwhile since office 97. The only thing they do now is bloat it. Just because the MS Feature machine is producing features doesn't mean those features are worth a damn.
Sounds like Visa's problem. Fraudulent charges are their problem, not mine. If an actual human being can scam a "paper person" I say more power to him. And if you consider the number of shoppers on the web compared to the potential audience of the local Gap, you'd likely find that proportionately the Gap crime was bigger.
This is my creditcard not my workplace. It doesn't matter if shit slides downhill and there is someone to punish when something goes wrong.
I don't think so, automatic update has been in the works since/before the full FF 1.01 release.
By Tuntematon
I FOUND NEMO! Phew.
I would love to see how they actually find some of these vulnerabilities. Direct from Secunia: "The vulnerability is caused due to missing URI handler validation when dragging an image with a "javascript:" URL to the address bar. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an arbitrary site by tricking a user into dragging an image to the address bar." Don't think I've ever dragged anything from a web page in my life.. I may be a newbie though (only been on the net since 1992..)
Got a question about UNIX ask it here : Unix/xBSD Forum
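The Secunia text quoted above describes a missing check on the scheme of a URI before the browser acts on it. As an added example (not Firefox code and not from this thread), here is the scheme allow-list check a web application can apply before it uses a page- or user-supplied string as a navigation target. It relies on the WHATWG URL parser that Node and browsers share, which lowercases the scheme and strips the leading spaces and embedded tabs or newlines that a naive string comparison would miss. The base URL and all sample inputs are constructed.

```javascript
// Added example: allow-list check on the scheme of a navigation target.
// Not Firefox's own code; the advisory above describes the bug class
// (missing URI handler validation) that this kind of check is meant to prevent.

const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Returns the normalised absolute URL if its scheme is allowed, otherwise null.
// `base` (constructed) is the page the relative URL would be resolved against.
function safeNavigationTarget(input, base = "https://example.test/") {
  let parsed;
  try {
    // The WHATWG parser trims leading/trailing C0 controls and spaces, removes
    // embedded tabs and newlines, and lowercases the scheme, so
    // "  java\tscript:" and "JavaScript:" both come out as protocol "javascript:".
    parsed = new URL(String(input), base);
  } catch (e) {
    return null; // unparseable input is rejected rather than passed through
  }
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) {
    return null;
  }
  return parsed.href;
}

// Constructed sample inputs covering the cases a string comparison gets wrong.
const samples = [
  "https://www.mozilla.org/products/firefox/", // absolute, allowed
  "/relative/path",                            // resolved against base, allowed
  "//evil.test/x",                             // scheme-relative: allowed scheme, different host
  "javascript:alert(1)",                       // rejected
  "JavaScript:void(0)",                        // rejected despite the mixed case
  "  java\tscript:alert(1)",                   // rejected despite whitespace tricks
  "data:text/html,hello",                      // rejected
  "https://",                                  // invalid URL: rejected
];

for (const s of samples) {
  console.log(JSON.stringify(s), "->", safeNavigationTarget(s));
}
```

Note that a scheme check says nothing about the host: the scheme-relative `//evil.test/x` resolves to `https://evil.test/x` and passes. Where the target must stay on the site, compare `parsed.origin` against the page's origin as well.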
You need your fix, huh? How about trying something.. a little stronger. Sure it's been around a while, and yeah it can be dangerous... but have you ever thought about trying some of.. this. First taste is free.
I never had a problem with slashdot. What exactly makes it "unreadable"?
I'm sorry, I just can't respond to that in any meaningful, intelligent manner.
I don't know, links2 seems to work better than lynx in my experience. But I do still make sure that the few web pages I code are text browser friendly.
See how fast this is getting fixed..
Whoa! Slow down there, you should gradually ease your way up to the more powerful experiences. That's why the scale is IE, Opera, Firefox/Mozilla, lynx, telnet, links2. Skipping steps can lead to not having the tolerance to handle it and overdoses can be fatal.
Except I am immediately suspicious of the exploit site because the scrollbar does not behave like a normal scrollbar.
The cursor turns to a hand (like over links) which immediately tells me something is wrong so I wouldn't even try to scroll using it.
No, in practice, debit cards are not covered by the zero liability plan. From VISA's site:
*Covers U.S.-issued cards only. Visa's Zero Liability policy does not apply to commercial card or ATM transactions, or to PIN transactions not processed by Visa. See your Cardholder Agreement for more details.
**Cardholders should always regularly check their monthly statements for transaction accuracy. Financial institutions may impose greater liability on the cardholder if the financial institution reasonably determines that the unauthorized transaction was caused by the gross negligence or fraudulent action of the cardholder--which may include your delay for an unreasonable time in reporting unauthorized transactions.
Before you think 'I can keep my PIN secret, so what's the problem?', try to figure out how a transaction was processed by looking at your bank statement. Was it credit or debit? What network processed the transaction?
I recently had my VISA card used fraudulently, and was stuck footing the bill.
The 'call this number if your card is lost or stolen' number on the back of the card didn't work. Apparently, the organization that I contacted does not handle debit cards.
The charge was for $40; the zero liability plan applies to the first $50 of fraudulent transactions.
Of course, my bank "didn't know" how the charges were made, and ATM/PIN transactions are not covered, so I couldn't take advantage of the Zero Liability policy without paying the bank to figure it out for me.
I found that the vendor (McAfee) was totally unresponsive (I never managed to contact a human being after trying for a few hours), so I could not obtain any information about the transaction (I thought I would get an IP address or a shipping address. Yeah, right!)
The bank wanted to charge well over $100 to 'launch an investigation', which would be billed as an initial cost plus an hourly fee, and could drag on indefinitely.
VISA charges vendors a few percentage points of every purchase you make. If the per-transaction fees aren't being used to combat fraud on the network, or even to maintain contact information for a handful of major vendors, what are they for?
If the average amount of a transaction is $5, and Visa takes 1% (two very low estimates), that's costing the vendor $0.05. For what? Sending a few kilobytes of data over an encrypted line? Running a (really expensive!?!) database transaction?
I've been dumping around a bit over 1% of my income into this network for years. If federal tax is 20%, that's roughly as much as I've put into the department of education and department of transportation, combined!
At this point, I think I'll just carry cash, since it's less of a hassle. If I get mugged, I'm out $100, and that's it. With a VISA card, I get to negotiate with my bank over who is liable for what, and there is a huge risk of electronic fraud. Besides, using cash keeps prices lower, and most businesses are happy to accept it.
Maybe... but at least the vulnerability no longer exists if you got the latest update, which has been out for a couple of weeks now...
from TFA:
If you have downloaded the Firefox 1.0.1 update, you have nothing to worry about.
Risk minimisation is the most important part of engineering software for security. It involves assuming that your software will eventually be compromised somehow and ensuring through design that the damage will be controlled. Microsoft has largely ignored this, and they rightly take flak for it, because their most crucial security problems could have been minimised or even eliminated through risk minimisation.
LRC, the best-read libertarian site on the web
Not that I am complaining, but I am curious as to why my previous comment was modded up +2 Funny.
Would anyone care to explain to me why, so I can learn from the experience? Thanx!
Nemo
Please don't confuse the Slashdot "editors" with journalists. The two are mutually exclusive: journalists (on the whole) actually care about the accuracy of what they write.
Oh, and journalists (or at least their editors) actually care about things like spelling, punctuation, and grammar, not to mention whether or not they're duplicating the already-published work of a colleague.
"Accept that some days you are the pigeon, and some days you are the statue." - David Brent, Wernham Hogg
Plus nobody's going to pay for Opera and they certainly won't put up with having ads in their browser.
Just because you won't pay for what many consider to be the best browser out there, or live with the unobtrusive text-based Google ads in the ad-supported version, that doesn't mean that "nobody" will.
To be honest, for 99 percent of users, Opera is a far better browser than FireFox. But because FireFox is F/OSS and Opera isn't, and because this is a F/OSS-focused website, FireFox is put on an altar whilst Opera is constantly bashed.
"Accept that some days you are the pigeon, and some days you are the statue." - David Brent, Wernham Hogg
That had actually occurred to me. But here is how I would respond---
I would define a security fence as an enforcement mechanism where the rules on either side are relatively similar, but the ability to change things from one side to the other is controlled using enforcement mechanisms.
Ideally, data and programming instructions (from the application's point of view) should be separate. Tying these two together with a security enforcement mechanism between them is a tradeoff which does significantly reduce security. This is the issue with Mozilla. Don't get me wrong, I do appreciate XUL, but I have to say that it is the security weak point of the application (not XPCOM) (as XPCOM "exists" only on one side of the fence).
Regarding root and user--- This is an issue--- look at how many privilege elevation attacks you have seen in all operating systems, but again you have to look at it in the absence of any ability to fundamentally separate these privileges. To a large extent, this is a problem that projects like SE-Linux are designed to reduce.
So I think you are right regarding root and user provided that you are looking at a system without MAC. With a MAC framework like SE-Linux, you still have a security fence, but it is far more robust than that which came before.
We have these security enforcement boundaries (fences) because we want to use the same functionality from several points. In doing so, we trade maintainability and speed of development for security. The ideal solution from a security perspective IMO would be one where the user had a virtual environment and was stuck there while the admin could access the whole system including reaching into the user accounts information. This could be done with a clever use of chroot and would provide more than a fence.
Note that I am not saying that it would be cost-effective to make every user maintain a shadow directory architecture and live in a chrooted jail.
LedgerSMB: Open source Accounting/ERP
"But without JavaScript, verification will have to be done on the server instead of the client..."
Verification is done by something over which you do have control.
Other than fresh malware, you do not necessarily have control over the browser. The browser might be faking it, scripts and all.
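The point above, that verification has to run on something the site operator controls, as an added example that is not from the thread or from Mozilla: a server-side validator for a JSON order submission that re-checks every field and takes prices from the server's own catalogue, so any total or "already validated" flag the client sends is simply never read. The catalogue, SKUs and request bodies are constructed sample data.

```javascript
// Added example: server-side validation of a form submission, written so that
// nothing the client asserts about itself is trusted. Not code from the thread
// or from Mozilla. SKUs, prices and request bodies are constructed.

// Server-side price list in cents. A Map is used so that a client-chosen key
// such as "__proto__" cannot resolve to Object.prototype the way a plain-object
// lookup would.
const CATALOGUE = new Map([
  ["FF-TSHIRT", 1500],
  ["OPERA-LICENSE", 3900],
]);

// Re-check every field the way the server must, regardless of what the
// client's JavaScript claims to have verified. Returns {ok: true, order}
// or {ok: false, errors}. A JSON body is assumed (numbers arrive as numbers).
function validateOrder(body) {
  if (body === null || typeof body !== "object" || Array.isArray(body)) {
    return { ok: false, errors: ["body must be a JSON object"] };
  }
  const errors = [];

  const sku = typeof body.sku === "string" ? body.sku : "";
  const unitPriceCents = CATALOGUE.get(sku);
  if (unitPriceCents === undefined) errors.push("unknown sku");

  const quantity = body.quantity;
  if (!Number.isInteger(quantity) || quantity < 1 || quantity > 99) {
    errors.push("quantity must be an integer between 1 and 99");
  }

  const email = typeof body.email === "string" ? body.email.trim() : "";
  if (!/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email)) errors.push("invalid email");

  if (errors.length > 0) return { ok: false, errors };

  // The total is computed here from server-side data. body.total and
  // body.clientValidated, if present, are ignored entirely.
  return {
    ok: true,
    order: { sku, quantity, email, totalCents: unitPriceCents * quantity },
  };
}

// Constructed requests as a browser, or anything pretending to be one, might send them.
const requests = [
  { sku: "FF-TSHIRT", quantity: 3, email: "nemo@example.test" },
  { sku: "FF-TSHIRT", quantity: 3, email: "nemo@example.test", total: 1, clientValidated: true },
  { sku: "FF-TSHIRT", quantity: "3", email: "nemo@example.test" },
  { sku: "__proto__", quantity: 1, email: "nemo@example.test" },
  { sku: "OPERA-LICENSE", quantity: 100, email: "bad" },
  "quantity=3",
];

for (const req of requests) {
  console.log(JSON.stringify(req), "->", JSON.stringify(validateOrder(req)));
}
```

The second request is the one the post is about: the client reports a total of 1 cent and claims it already validated the form, and the server still bills 4500 cents because it recomputed from its own catalogue. Client-side checks remain useful for feedback, but only this copy decides.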
I'd be interested to know if some or all of these vulnerabilities were discovered through code inspection? It would be a big feather in OSS' cap if so. (Although it could be spun the other way, were one sufficiently unscrupulous...)
You can't take the sky from me!