Slashdot Mirror


2 Firefox Security Flaws Lead to Exploit Potential

Marthisdil points out a News.com story which reports that "Two vulnerabilities in the popular Firefox browser have been rated 'extremely critical' because exploit code is now available to take advantage of them." Security firm Secunia reported the vulnerabilities (and the "extremely critical" rating is theirs), but the News.com story points out that thus far, "no known cases have yet emerged where an attacker took advantage of the public exploit code."

Update: 05/09 20:20 GMT by T: Rebron of the Mozilla Foundation sends a correction; this is really the same flaw reported yesterday. He suggests that you glance at the Mozilla security alert on this hole (as well as other alerts at the Mozilla Security Center), and says "The Mozilla Foundation has made changes to our update servers that will protect users from this arbitrary code execution exploit."

5 of 417 comments

  1. Re:sorry.. by ViperG · · Score: 5, Insightful

    Well, I would agree, but then why does slashdot post every IE bug that comes up?

    --
    Black Sky
    2D Elite Inspired Game
  2. Mozilla's Security? by sterno · · Score: 5, Insightful

    Mozilla and Firefox have been recommended as alternatives to IE for security reasons. Yet, lately, it seems that there's quite a lot of security problems being uncovered in Firefox. So I'm trying to figure out how to read this.

    I suspect that Firefox is somewhat more secure on the simple basis that it is not as tightly integrated with the rest of the operating system as IE is. What makes IE exploits so nasty is that they tend to become email and other exploits too.

    My concern is that if Firefox gains some more ground and does become a more active target for exploits, that it may become a poster child Microsoft can use to point out that open source software's "many eyes" theory is hogwash. Maybe it is hogwash.

    --
    This sig has been temporarily disconnected or is no longer in service
    1. Re:Mozilla's Security? by Uruk · · Score: 5, Insightful

      A few points to consider when you're evaluating the security of software:

      • Security issue visibility is not the same thing as security. Just because IE has more exploits publicized (or Firefox has more) doesn't actually mean they're more or less secure, it means they're getting more public attention about their security. Important difference. If someone has an objective, quantitative, and verifiable way of measuring a piece of software's security so that we can actually make these comparisons, I'd love to see it.
      • The more users use a piece of software, the more it will be targeted. But again, that's not the same thing as saying "the more it will be exploited".
      • Most users ultimately decide based on personal experience, which typically trumps abstract reporting. Have you ever had a problem with Firefox? Have you ever had a problem with IE? I'd suspect most people who switched to Firefox did it because they actually experienced a problem with IE, not because it was more ideologically pure.
      --
      -- Truth goes out the door when rumor comes innuendo. -- Groucho Marx
  3. What Firefox needs is... by turbofisk · · Score: 5, Insightful

    What Firefox (and the rest of the suite) needs is a good way to upgrade the software, without installing everything as a new user would... This is something they really should fix...

  4. It was expected by mpontes · · Score: 5, Insightful

    With the spotlight on Firefox, it's obvious a lot more crackers and hackers are going to start looking at Mozilla Foundation's code. While previously there was little incentive for crackers to exploit vulnerabilities in MoFo's code, you can't say that now, with all the attention Firefox caught.

    It's up to MoFo to fix their software as soon as vulnerabilities are reported now. The play time is over, from now on it's going to be Browser Wars II: The Security Menace.

    --
    Bored? Browse Slashdot with a +6 modifier for Troll comme