Slashdot Mirror


There Is No Safe Web Browser

Michael writes "David Sheets has up an interesting article on browser security, and I have to agree with his conclusion: no web browser is safe. The article details the recent Netscape fiasco, and touches on the whole Firefox/Internet Explorer debate. From the article: 'So if it sounds as if we're all at the mercy of hackers just looking for some new challenge, that's partially true. As law enforcement officers will tell you, crime finds you if it wants you bad enough, no matter what preventative measures you take. But the vast majority of criminals have an Achilles' heel: They prefer convenience to challenge. For now, it's more convenient for them to pick on Internet Explorer.'"

20 of 444 comments

  1. Dictionary Security Definition by Crimson+Dragon · · Score: 5, Interesting

    While I understand the point that Mr. Sheets is making, I disagree with his definition of safe.

    The implication of this article stems from the absolutes of security: can it ward off intruders or not. This is a flawed approach, and while seemingly a logical one, denounces another reality of this level of breach: the lion's share of these breaches are not of the most malicious sort (read: that stupid data miner which causes popups, search bars from hell, etc). These kinds of easily hackable sections of Internet Explorer are less prevalent in Firefox. Market forces of the sheer user base would dictate that if this were not so, more spyware would have been ported to Firefox by now. 25 million downloads, right? That's a sizable chunk for any malware vendor, or aspiring intruder, to infiltrate.

    One must acknowledge the reality of security by statistics alongside security by absolutes.

    --
    The Crimson Dragon
    1. Re:Dictionary Security Definition by dgatwood · · Score: 2, Interesting
      True. However, I would contend that the majority of the -interesting- breaches (as opposed to relatively harmless things like site tracking software that does targeted pop-ups) are not technological at all, but sociological.

      IMHO, the biggest security threat on the web today is the prevalence of phishing expeditions, intentional spyware downloads, and the general naiveté of the users. When is the last time somebody's SSN was stolen through cross-site scripting or other browser holes? Probably just about never. When is the last time somebody's SSN was stolen through somebody emailing them an official-looking email message asking them to verify their information? I'm guessing some time in the last minute. An identity theft occurs every 60 seconds in the U.S. alone.

      That said, I still blame a Microsoft product for all of this... just not MSIE. Their zeal in getting us hooked on "pretty" email with HTML content all those years ago is the root cause for almost every phishing expedition ever conceived. If the user had to hand-type the URL from a text screen like they used to, there's no way that most of them would mistake http://gophish.ru/skankyurl?setmenubarname=www.washingtonmutual.com for https://www.wamu.com./

      Now, I'll admit that there are exceptions---phishing expeditions in which somebody registers a URL that really looks like a legit site, e.g. ebay-secure.com. That said, those sites are more likely to get busted, since they're easier to track back to a real person.

      Just my $0.02.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    2. Re:Dictionary Security Definition by l2718 · · Score: 2, Interesting

      Parent makes a good point.

      Absolute security is impossible. Not even NASA of the 60s and 70s has been able to write large pieces of bug-free software, and they had one of the best QA systems ever. Moreover, the costs were incredible (you wouldn't really want to pay for the development costs of bug-free Windows, would you?). However, the kind of absolute reliability NASA was aiming for is only relevant for software that will be used for a limited time, in a controlled environment. For modern-day web browsers that are supposed to be in continuous use (and when you can't delay the mission to rewrite the code), the important question is how long vulnerabilities last -- not just how many there are. Now this is based on anecdotal evidence, but I strongly believe that Mozilla/Firefox has a better record of quick bug-fixes than Microsoft/Internet Explorer.

  2. This just in! by Enigma_Man · · Score: 4, Interesting

    Newsflash! There's no such thing as perfect security, who would have thought it? Whether it be through a flaw in the code (which we all try to fix, when they are found), or stupid users running crap they oughtn't.

    I for one use Firefox, because it is MUCH more secure than IE. It may not be perfect, but it's by far good enough for regular use.

    That's like saying that houses aren't secure, even the new model homes with electronic alarm systems. No crap, but that doesn't mean sell the alarm systems and leave your front door unlocked (like IE).

    -Jesse, disliking alarmist poop articles.

    --
    Nothing says "unprofessional job" like wrinkles in your duct tape.
  3. Re:I want you to meet my little friend by Mr2cents · · Score: 3, Interesting

    Nobody is perfect => there is no perfectly safe browser, or any other type of application. What app, besides maybe "hello world", has never ever needed a security patch?

    http://www.vrlteam.org/home.asp?vrl=advisories&adv=270

    --
    "It's too bad that stupidity isn't painful." - Anton LaVey
  4. patch turnaround time by dyscant · · Score: 2, Interesting

    It strikes me that the turnaround time for patches to Firefox is significantly quicker than many other options. After these little bugs were found, they had patches out in short order. While it may not be impregnable, at least they are plugging the holes faster.

  5. Re:No browser is safe? by dougmc · · Score: 4, Interesting
    For TOTAL protection go [check out netcat]
    Even netcat isn't perfectly safe. It just dumps network traffic directly to the terminal, and with the right characters in this code, it could very well remap the keyboard or cause your terminal emulator to execute certain commands.

    This sort of thing may have already happened to you. Have you ever accidentally just catted a binary file, and then discovered that your command history had all sorts of garbage commands in it? Same thing.

    This sort of vulnerability has been around for decades. People used to trigger it via `talk' requests or by using the `write' command, and while talk eventually learned to filter things better, as for write eventually everybody just did a `mesg n', because all write does is write text to your tty, so changing write won't help. Of course, fixing xterm and other terminal emulators is another fix, but these features can be useful too. Still, I'm surprised that they haven't been disabled by default, but even today, xterm seems to have this `problem'.

    Many vulnerabilities are caused by this sort of mishmash of different utilities -- in this case, netcat doesn't really have the vulnerability, but it would allow text to come in that could affect your terminal emulator.

    Yes, with the right filtering of the output this could be safe, but not with netcat by itself. Still wouldn't make it a non-crappy browser though.
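
The output filtering that the comment above says would make this safe, as an added example that is not part of the original thread. The function name `sanitize`, the regular expressions and the sample bytes are constructed for illustration; the filter rewrites every terminal control character into visible text and reports which escape sequences the input carried.

```python
import re
import sys

# ECMA-48 escape sequences introduced by ESC (0x1b).
ESC_SEQ = re.compile(
    r"\x1b\[[0-?]*[ -/]*[@-~]"            # CSI: cursor movement, colours, reports
    r"|\x1b[\]PX^_].*?(?:\x07|\x1b\\)"    # OSC/DCS/SOS/PM/APC string, ends at BEL or ST
    r"|\x1b[ -/]*[0-~]?",                 # any other (or truncated) escape
    re.DOTALL,
)
# C0 controls except TAB and LF, plus DEL and the C1 range.
CONTROL = re.compile(r"[\x00-\x08\x0b-\x1f\x7f-\x9f]")
KINDS = {"[": "CSI", "]": "OSC", "P": "DCS", "X": "SOS", "^": "PM", "_": "APC"}


def _visible(text):
    """Rewrite each control character as literal \\xNN so the terminal never acts on it."""
    return CONTROL.sub(lambda m: "\\x%02x" % ord(m.group()), text)


def sanitize(raw):
    """Return (display-safe text, list of (kind, sequence) findings) for untrusted bytes."""
    # Invalid UTF-8 (including raw 8-bit C1 bytes such as 0x9b) becomes U+FFFD.
    text = raw.decode("utf-8", errors="replace")
    # Keep ordinary CRLF line endings readable; a lone CR is still escaped below,
    # because it can be used to overwrite the start of the current line.
    text = text.replace("\r\n", "\n")
    findings = [
        (KINDS.get(m.group()[1:2], "ESC"), _visible(m.group()))
        for m in ESC_SEQ.finditer(text)
    ]
    return _visible(text), findings


# Constructed sample: a reply with a colour change, a window-title sequence and a lone CR.
SAMPLE = b"HTTP/1.0 200 OK\r\n\r\nhello \x1b[31mred\x1b[0m\x1b]0;fake title\x07 bye\rX\n"

if __name__ == "__main__":
    # With data on stdin, act as a filter; otherwise show the constructed sample.
    data = SAMPLE if sys.stdin.isatty() else sys.stdin.buffer.read()
    clean, found = sanitize(data)
    sys.stdout.write(clean)
    for kind, seq in found:
        sys.stderr.write("neutralised %s sequence: %s\n" % (kind, seq))
```

Saved under a name of your choosing, the script works as the last stage of a pipe, so netcat's output reaches the terminal only after filtering.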

  6. Re:I want you to meet my little friend by Penguinshit · · Score: 3, Interesting


    if you don't do proper bounds-checking on your "hello world" array, then you need a security patch...

    [ducks and runs...]

  7. This is a tired subject (please read on) by betelgeuse68 · · Score: 3, Interesting

    All these "IE vs. Mozilla" or "IE vs. FireFox" or "Netscape vs. IE" or "Opera vs. IE" discussions (pick your poison) are irrelevant.

    First off, it amazes me that I have run across paranoid *NIX sys admin friends who are very mindful of what runs as "root" on servers they control but then turn around and operate day to day on Windows desktops as an administrator.

    Well, gee dip sh*ts, no wonder you're screwed if rogue code enters your system.

    If people used limited accounts and then used impersonation (ever hear of "runas") under Windows, all of these discussions would go the way of the dodo bird.

    More to the point they would be TRULY irrelevant. Sure send me to some baddie site, won't do much on my system. Whatever malware sent down the pipe to me can't do anything to change my system (C:\WINDOWS).

    This is how I operate, i.e. a limited account desktop. The admin account is just that, for ADMINISTRATION, e.g., setting up new apps.

    Amazingly, this approach is "novel" among even tech types since I keep hearing these discussions even on Slashdot.

    The principle of least privilege is ANCIENT. Impersonation is part of Windows. Just as it is with other OSes.

    The Windows NT kernel has had security since its inception. On the file system, registry as well as synchronization mechanisms such as mutexes, semaphores, etc.

    Do you want to know why MS doesn't leverage it? Cost. Plain and simple. If WinAmp (which doesn't work under a limited account) stops working for someone on account of MS automatically setting up limited accounts for people, guess who is likely to start receiving support calls? "But it always worked on Windows 9x!!!"

    Yes, it boils down to money. This is NOT a technical problem. MS alongside companies peddling its wares (Dell, Gateway et al) simply do not want to deal with the potential legacy costs of supporting misbehaved apps and/or apps whose designers were myopic and assumed the ability to write to any part of the file system and/or registry.

    The great thing is, even with a limited account desktop you can still readily run WinAmp. You just have to know how.

    All of this seems like "rocket science" to everyone. And I guess it is, since this discussion keeps rearing its head, namely browser security. The point is, a browser is another app that inherits default credentials from your login. Don't operate as administrator, geniuses (sarcasm in case you didn't figure that out).

    In the case of WinAmp, I simply defined an admin account that I leverage to run that application on my limited desktop (use the command line "runas" facility or change the properties on the shortcut through the "Advanced" button). I might mention that Shoutcast servers are capable of sending URLs (think JavaScript) that WinAmp will readily execute via IE totally disrespecting your browser choice. So taking another page from what Windows has offered from the start, I changed the ACLs for the IE executable such that my "WinAmp User" has absolutely no rights to the IE executable. Not even the ability to read that file. In this manner I short circuit this potential threat vector. In addition I changed the ACLs on C:\WINDOWS and some other directories so that this "WinAmp User" could only read from these directories.

    Here's the moral of the story folks, use a limited account. Plain and simple. End of story. End of this not very worthwhile discussion (among tech people).

    Yes I use LINUX, I use Cygwin's X server and readily use LINUX Mozilla compliments of the latter. Not just a little, a lot. This IN ADDITION to the fact that I use a limited account for day to day activities.

    I have never had spyware or a virus on my system. EVER.

    -M

  8. Re:OS's in the same boat? by ssj_195 · · Score: 2, Interesting
    Well, it's not that clear-cut - I don't see why people always have to think "Windows is a target solely because it is popular" or "No, Windows is a target purely because it is poorly designed". The truth, as is almost invariably the case, is somewhere in between. For instance, I browsed (under Linux) to a site demonstrating a Firefox 1.0.3 vulnerability. Two Konsoles instantly popped up and did a ls -R, with no action taken by myself. I'd imagine under Windows, where people tend to be running as administrator, that the results could be very severe (the exploit was OS-agnostic). And yet, there were no exploits for this vulnerability out in the wild (and yes, I know it was patched extremely rapidly, but whole hordes of people always fail to upgrade).

    Why was this? Here is a demo site that gives sample code for exploiting a Firefox vulnerability to execute arbitrary code, and no malware purveyors are biting. I mean, come on, it's right there in front of them, practically handed to them on a silver platter! I can't think of any other explanations except that malware writers simply considered Firefox's relatively small installed base, and decided not to bother. If it had been IE, there would have been an epidemic!

    There is light at the end of the tunnel, however; even though perfectly secure software is impossible (and even degrees of security are not much of an issue, as you only need one exploitable vulnerability in your software to be pwned), if developers can patch and deploy fixes faster than exploiters can...exploit, then eventually the would-be exploiters will give up and target lower-hanging fruit. There's already some evidence of this occurring - I think an article was posted a few months ago that stated that even though the Linux installed base is growing rapidly, exploit attempts were actually decreasing; like the script-kiddies etc were giving up and moving on to something else.

  9. Doesn't make sense by Colin+Smith · · Score: 2, Interesting

    The source code for Firefox and Netscape are available. How much more convenient could it get for the hackers?

    --
    Deleted
  10. Re:C/C++ the problem? by ssj_195 · · Score: 2, Interesting

    Less drastically, there are compiler options that employ techniques to greatly reduce the possibility of buffer overflows. Why people don't compile with these (and accept the small performance hit) is beyond me.

  11. Mail by gmuslera · · Score: 2, Interesting
    The same could be said about mail clients... why? Because however safe the reader software you have is, most security concerns are related to the user that reads it (think of the most common scams out there, from Nigeria and earlier to these days).

    Now, while we can say that no matter how unsafe it is to climb the Himalayas in beach clothes compared with staying in your house (a meteor could fall on you, after all) you are not completely safe, these are very different kinds of probabilities, and experience tells us that on average you are, e.g., far less safe playing with MS IE/Outlook/Windows than with Firefox/Opera/Thunderbird/Linux.

  12. Firefox with Linux/OS X IS secure by onlyjoking · · Score: 2, Interesting

    Isn't this missing the point? Just because the Windows/Firefox combination has some insecurities does not mean Firefox is equally insecure on Linux/OS X. How can it be? The exploits attributed to Firefox so far are largely confined to the Windows platform. That's the real issue. I'm tired of listening to claims that OSS is insecure simply because there are problems with the Windows version. OSS should be evaluated in its natural environment - Linux/*BSD/OS X.

  13. No safe browser? by Junior+J.+Junior+III · · Score: 2, Interesting

    What about lynx?

    --
    You see? You see? Your stupid minds! Stupid! Stupid!
  14. Safari? by 5n3ak3rp1mp · · Score: 3, Interesting

    Is anyone aware of any Safari (OS X web browser) vulnerabilities, especially exploited ones?

    I think the fact that OS X throws up an auth login whenever any app tries to access a directory that the current user doesn't own, pretty much makes casual takeover difficult, even by an insecure web browser...

  15. Re:OK, so Windows, *in theory*, is secure. by betelgeuse68 · · Score: 2, Interesting

    I agree with you, you shouldn't need tons of experience for running various applications. However you can BLAME companies such as Nullsoft, Trillian and even Intuit for not taking into consideration the platform their software is operating on and adjusting accordingly.

    These misbehaved applications are the critical reason MS doesn't push the use of limited accounts more (easy enough to set up when a contemporary version of Windows was being installed).

    It all goes back to what I said in my original posting, MS and PC companies do not want to absorb the cost of supporting legacy and/or misbehaved applications.

    Plain and simple.

    This computer "weenie" makes his living educating the uninitiated about this stuff... and Lord knows, there's no shortage of laziness in this world (generally speaking). Getting people to learn anything (not just computers) seems to always be a challenge, e.g., the USA still suck under the English system of weights, distances, volumes. And yes I live in the USA.

    -M

    PS: The gene pool could use some chlorine.

  16. Re:I use by khallow · · Score: 2, Interesting
    If you visit a web page that has a png file encoded with a buffer overrun, you will be infected. The owner of the script will be root on your computer.

    That's not what the security alert says. As I read it, if you load such a png and have an unpatched version of Mozilla or Konqueror and are using the unpatched version of libpng, it is possible for someone to run hostile code on your machine. In theory the code could then exploit security holes in your system to get access to root.

    So access to root via this route is a possibility, but it isn't a certainty. And if you patch Konqueror and Mozilla then that hole isn't open.

  17. Re:OS's in the same boat? by drsmithy · · Score: 2, Interesting
    It would affect far more than 5% of the internet. At least 30% of servers are linux based.

    Servers are very much a minority presence on the internet.

    And these are far more interesting target than desktop for crackers.

    Not in general, they're not (there are exceptions, of course, but the following caveats apply to them even more). Servers are far more likely to have competent people running them, be up to date with security fixes and have abnormal behaviour quickly identified.

    In short, a Linux server is generally *not* an attractive target for crackers. A home-user Windows box is *far* more useful.

    Windows is an easy target (just consider how many worms are based on activex).

    And most of them are utterly useless if the user isn't running as Administrator. Windows is not the problem here.

  18. Re:Come on by drsmithy · · Score: 2, Interesting
    Firefox is small, light, [...]

    For all things Firefox is, "small and light" isn't one. It chews up a lot of memory and (depending on what the pages loaded are doing) CPU time.

    I don't know what standard you're measuring Firefox against to call it "small and light", but it sure as hell isn't IE.

    [...] NOT built into the OS, [...]

    This point gets belaboured all the time like it's some major design flaw or abnormality. In fact, IE is no more "built into the OS" than khtml is into KDE, Quicktime is into OS X, or glibc is into Linux. "Part of the OS" just means it's a shared library distributed with the OS - hardly something that sets it apart from the pack.

    Microsoft has the ability to fix IE properly, but realistically it's just easier to blow it up and start over.

    No it doesn't. The only *major* problem in IE is ActiveX - which in more recent versions has been significantly curtailed.