Slashdot Mirror
Firefox Exploit Adds Fuel to Browser Security Feud
An anonymous reader writes "Washingtonpost.com is reporting that a fairly nasty exploit has been released for a security hole that Firefox patched just yesterday. This is sure to add fuel to the ongoing heated debate over whether Mozilla is any safer the Internet Explorer." From the article: "This is not your run-of-the-mill proof of concept exploit code. It appears to be quite comprehensive, and would allow any attacker to use it with only slight modifications. According to the advisory, the code is designed to be embedded in a Web site so that anyone computer visiting the evil site with Firefox or Netscape would open up a line of communication with another Internet address of the attacker's choice, effectively letting the bad guys control the victim computer from afar."
Browser, shmouser..... What I want is a secure OS! Arguably, if the OS is secure enough, then you should not have problems with programs that can start executing code without permissions. Granted, it is a matter of balance, but an OS should never allow root control by an application without specific permission. Of course the default with Windows is root, but hey....
As an interesting aside: We just went through a two day outage at the university here because of a worm that infected a series of Windows systems. My question to IT guy#1 was: "Dude, why did you guys switch from Solaris to Windows?" His reply was that "the Windows solution was cheaper". I said "Dude, you guys need Macs!", to which he replied "yeah, no $#!t" when he caught himself and said something unintelligible. Guy #2 that I spoke to today gave me some song and dance about how Macs are really hard to integrate into mixed platform networks and then said something to the effect of "if Macs had greater market share, we would be in the same boat". I said something to the effect of "Bull$#1t". It comes down to management and OS design. Windows can be secure, but it requires much more oversight than do other alternatives. But fundamentally, all of the calls direct to the kernel that are available to applications are a problem that will not be solved until (hopefully) the next MS OS.
Visit Jonesblog and say hello.
I for one welcome our new Firefox hacking overlords.
Firefox is finally catching up with the market leader! Woo!
Man is a slave because freedom is difficult, whereas slavery is easy.
The sad thing is that it also comes on the heels of zdnet.com claiming that Firefox is having significantly more security issues than IE.
I guess, though, this does give some credence to the "security through obscurity" theory, as the number and frequency of issues seems to have increased as Firefox adoption has increased. And if that's the case, can we expect to see these issues become even more frequent if Firefox adoption continues to grow?
All the arguments that open source is more secure because there are more eyes to spot problems and more hands to fix them are starting to ring a bit hollow as I upgrade/patch my Firefox install on what seems like a monthly basis.
Given, I still trust MSFT as far as I can throw a Volkswagen, but my laughs at their FUD aren't so loud or haughty today.
- Greg
Start a happiness pandemic
At least it doesn't cost money to be rooted.
Publicity was the demise, the great browser begged for mainstream attention, got the show but caught the eye of the bad guys.
No software is universally perfect.
Slashdot needs Geekcode | Can anyone recommend any good SCIFI? My tastes: Foundation, Startide Rising, CITY, Ringworld,
Also on the plus side, the Washington Post link crashes my IE, so I can't even read the anti-Firefox news. Score another for Mozilla!.
What I'm listening to now on Pandora...
Follow this thread on Mozilla Forums for more information. But don't be complacent if you're running the new Beta and be sure to upgrade.
should be the exploit (and only the exploit). The browser feud is really becoming a pointless exercise in arguing. See here.
Ummm, so basically Mozilla was ahead of the game as far as this hole is concerned, having already released a patched version of the browser before the exploit became known?
Pardon, but rather than using this exploit as some kind of evidence that Firefox is on-par, security-wise, with IE, shouldn't we be viewing this as a victory for the patch/version-release cycle of the Mozilla foundation?
There will always be new security holes found. The difference is that patched versions of the browser, fixing the security hole in question, are not always released before the hole is announced.
Two cents.
B
"We must still have chaos within in order to be able to give birth to a dancing star." --Friedrich Nietzsche
Does the Washington Post, or any other mainstream media outlet, publish a story whenever an exploit is released in the wild for Internet Explorer? In the last year, maybe if it is actually affecting some media companies. Otherwise no.
.... Microsoft's PR firm?
So why the constant drumbeat of breathless stories about bugs (flaws) and exploits in Firefox? Could it be that the MSM is being seeded by someone? Say
sPh
Intron: the portion of DNA which expresses nothing useful.
I just have to wonder... have people ever used exploits like this to do any purposeful remote-administration?
I'm going to stop hitting those pr0n, warez and gambiling sites on my work computer. I'm going to stop opening those emails saying I have to apply the latest hotfixes. I'm going to disable javascript, images, and popups.
Wait - maybe I should just use Lynx. Naahh.
I cannot believe that exploits are coming so fast and furious.
The Kai's Semi-Updated Website Thingy
The specific response: It's already patched. A released exploit that's already had a patch released for it is nowhere near as scary as one that hasn't.
The general response: As always with open source, if the Mozilla guys drop the ball and you know what you're doing, you can patch it yourself. With closed source, you're kinda at the mercy of the makers (usually Microsoft).
Anecdotal evidence: Yes, this is in the past, but I let two total newbies use a box of mine for about a year, with the only relevant modifications being: Installed Firefox, Deleted shortcuts to IE, Spybot's resident protection, Spyware Blaster, Windows autoupdates on, and Nod32 (not even a firewall). They never had ANY problem until they figured out how to open IE, at which point they managed to get a bit of spyware in.
How do you put an open source browser "out of business". If IE7 is all it's cracked up to be, and has some features Firefox doesn't, the Mozilla team can add them to Firefox fairly rapidly. But to say that a closed source, proprietary, bundled browser is going to "put out of business" an open source, cross platform browser is just plain dumb.
If there is anything more important than my ego around here, I want it caught and shot now.
...because we all know that no self-respecting hacker would attack a friend of open-source such as FireFox. These exploit discoveries are being secretly funded by Microsoft!
...that PwnScape is SkyLined's ported version of Internet Exploiter. That's why it looks so polished, it was refined attacking IE, and there are a scary-huge number of unpatched IE bugs that MS knows about (over 50 now).
It's becoming a target of technical attacks because it's becoming higher profile. However, it's doing a very good job of fixing vulnerabilities overall, at least compared to IE.
Yeah, there are response time problems and masked bugzilla bugs, but being open about a bug before a patch is available isn't always the best idea; just because it's open source doesn't mean the discoverer is going to come up with, or be able to come up with, a patch immediately, but one generally turns up; the team is being pretty damn good. It may have been patched properly yesterday, but it was very quick to release a mitigation (disabling IDN).
IE, meanwhile, has a YEARS old vulnerability that MSRC are trying to keep under wraps (even from their partners), because it's a SERIOUS design fault hidden in IE/Shell integration that allows a way of launching ActiveX controls that completely ignores the killbit. Seen Illwill laughing about it, so I know I'm definitely not the only person to independently discover it, and he's been gloating on F-D. And, if you do it right, the 'sploit ignores security zones and settings entirely; you can 0wn a fully patched, fully locked down IE, just by viewing a webpage, with no prompts.
I have a working exploit for it. I won't release it, 'cause if I did, that's a million Windows boxes 0wned by Istbar and some scummy affiliate.
Firefox is an excellent browser overall. If you don't like it, might I suggest Opera 8.50, which is now ad-free, registration-free freeware and also has an extremely responsive security team.
Practically speaking I guess this means we should all stay away from questionable (*cough*pr0n*cough*) sites for a few days. Seriously, we all know where these exploits are likely to show up first...
To the making of books there is no end, so let's get started
I wonder how many weeks it'll be...oh, yea, they released it yesterday. If only all web browsers had these sorts of exploits -- that is, the already-patched type.
It's certainly true that root access causes the most headaches, but there's a lot that can be done without root access.
.rc files to re-run itself when you boot (and check to see if you've altered them and re-modify them as soon as you're done.)
Even with just user-level access, it can erase all of your files or set up a spam relay. It may even be able to set up a keystroke logger or install a modified version of your browser (for you alone) that slurps up your credit card numbers. And it can modify your local
It's a heck of a lot easier to remove than a root-level exploit (you can log in as root and remove the code, which you can't necessarily do to a rootkit). But even though the lack of root can limit the damage, considerable damage can be done without it.
The solution? Well, partly it would be nice to have the OS provide fine-grained control, so that even if malicious code gets to execute it could be prevented from modifying your files without explicit permission or accessing the Internet to act as a spam relay. But such fine-grained controls are incredibly tedious; they exist in Java but they're rarely used.)
Failing that, the rest of the solution is to be write any program that downloads arbitrary content from the internet very, very carefully.
I'd just like to know how it is that Opera has so many features and it takes the firefox team relatively forever to patch a seemingly serious security flaw. Opera has voice already and a slew of other features plus it's faster! It seems to be taking the firefox team forever to do anything. At this point they're just ripping off Opera now. This is ridiculous. Get your act together firefox team.
I'm not anti-microsoft. I'm anti-bullshit. Which means I'm anti-microsoft.
The security of a web-browser is in no way related to the number of vulnerabilities found per year. There are two mystical numbers out in the ether which related to the exact number of security flaws in Firefox and IE. Now not all vunerabilities are created equally. IE could have ten minor vulnerabities for every major vulnerability found in Firefox and IE could still come out on top. What I'm trying to say is the number of vulnerabilities is a very poor metric for security.
This vunerability is yet another heap based attack. Another attack that could have been avoided if people compiled the programs with the various heap/stack protection switchs. Please don't bitch about how it makes pointer arithmetic too slow. It just isn't true, what you should be doing is compiling the entire program with the switch then if it turns out to be too slow, factor out the code in to a seperate library and compile it without the switch. You can then do focused code reviews on this unsafe code to hunt out overflows/heap.
If you remember nothing else today remember this sentence: "Security costs CPU cycles..". Guess what gents? XOR is a really fast cipher but it doesn't give you any security. You need a whole bunch more clock cycles to get it. The funny thing is people only apply this thinking to cryptography when in fact it's a general security principle. All the string checks you do cost CPU cycles as the program will function just fine without them. You decide to spend CPU cycles on this task to get security because you feel it is important. To get security you have to spend a metric-fuckton of CPU cycles. Fact. What I want people to recognise is that it is worth making your programs slower to consign buffer overflows to the history book.
For a web-browser on a PC there is really no excuse because we have multi-GHz computers that are sat around idling most of the time. For all the naysayers who prounce almost with religious zeal that the performance hit will be dramatic and thus be unaccepetable. I ask them two questions:
Join me and spread the word. Tell the world to spend CPU cycles on getting security because it hurts us all that we have such insecure software. Remember, "Security costs CPU cycles"
Simon.
Slashdot is proof that Sturgeon's Law applies to mankind.
I and my computer for one, welcome our new remote exploiting, script kiddie overloards.
Last I checked, IE7 has a higher memory footprint than Firefox, renders pages more slowly, lacks a bunch of features of Firefox and doesn't have extensibility like Firefox does with its extensions.
With great extensions out there that are evolving and continually being developed (weather, news, RSS, adblock, etc) I don't see how IE7 is going to score 'major' points.
Besides the fact that Microsoft takes its own sweet time patching against spyware and security breaches, IE7 will be a replay of more of the same from Microsoft, only vaulting Firefox further ahead, imo.
It's not what IE7 offers in terms of features that will let it beat Firefox, it's what it LACKS in timely updates to problems that will allow Firefox to continue a healthy growth and eventually, a standardization on par with IE. So when developers write code, they will think of the 'other' browser that takes up a huge chunk of marketshare.
The price is always right if someone else is paying.
I find that firefox is updated much faster than IE. I'm sure this bug will be patched within a couple of days. Also, I'd like to see the firefox bug that as exploitable as activex. ActiveX is the one thing left in IE that makes it truly, the most insecure browser out there.
Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
Security experts agree: Apple makes the most secure computers and you get the best of Unix and Microsoft compatibility when you go with Apple. The native browser for Apple is Safari. Why not just go the safe route and go with Apple? They're haven't been many reports of Safari vulnerabilities continuing Apple's domination of the safety record for the last few years.
;-)
Just buy a Mac
Is this the year of Firefox on the Desktop?
The best thing to do when you visit the "evil site" is to immediately kill and flush firefox from your memory cache, block all outgoing ports with iptables or whatever and as a last resort unplug your computer.
Note that hackers will typically infiltrade existing websites and infect them with their malicious code. Be on the lookout for any of your favourite websites that have recently undergone an overhaul in appearance. It may be, as Ackbar once orated, a trap.
All of these articles on firefox, and how terrible its security seem like bs. I'm no browser security expert, but I will say that I have helped many people eliminate spyware just by having users use Firefox (or any other non IE browser) over IE. What am I going to tell my dad and everyone else now that I finally got them using Firefox? I smell M$, and it stinks...sort of like cheap purfume on rotting Man-Ray. Linux/BSD Gangster Signup ya heard
Microsoft has stopped working on IE7 and has its PhD's working full-time on writing exploits for known holes...
karma police: arrest this man, he talks in maths; he buzzes like a fridge, he's like a detuned radio. [radiohead]
But to say that a closed source, proprietary, bundled browser is going to "put out of business" an open source, cross platform browser is just plain dumb.
You're right! He should have said that IE7 is going to further marginalize Firefox to the point of obscurity because the 90% of users that presently use IE will switch to IE7 and the few that have switched to Firefox will switch back to IE7. This will make Firefox's userbase so infinitesimally small that the developers will, in all likelihood, abandon the project.
You'll scoff at what I have stated but, the above scenario is far more likely than Firefox getting the features necessary to manage it in a large enterprise, like IE has today.
I'm sure you were being sarcastic ... you were being sarcastic, right? Yes? Phew.
If you want to browse the wilder reaches of the web, you really owe it to yourself to ensure that you have Javascript disabled. You really don't want to visit any site that requires that Javascript be enabled if you don't believe it to be safe. The "NoScript" extension allows you to maintain a whitelist of sites that are allowed to use JavaScript and everything else can go hang.
And if you don't require IDN support, you might as well disable it. Go to "about:config", seach for enableIDN and disable it there. IDN seems to be a mix of problems - some implementation issues and some design issues. For anything like that, if I don't need it, it's disabled.
And if you haven't already got a pop-up blocker ... well ....
I'm not going to comment on the opening emails bit. Nobody^WFew People^W^WIdiots^WI give up.
Cheers,
Toby Haynes
Anything I post is strictly my own thoughts and doesn't necessarily have anything to do with the opinions of IBM.
Indeed. I don't understand the hype. I wonder how many holes we can find in the un-patched release of (Insert browser here).
COMON.. If anything the story should should have focused on the amazing release cycle of FF
Losers whine about their best, Winners go home to fuck the prom queen
and hey let's wait for the product to come out before we trash it
Well, I got the Carlin reference.. Still didn't belong in this thread. Er. "Go Firefox" just to avoid getting a -1 off topic.. :D
Tho I gotta say I just switched to Opera yesterday and I'm really loving it. I miss my Firefox extensions but it's just so sluggish.
Why is parent modded as flamebait? All AC was they thought IE7 would do better than Firefox. Most of /. 's users dis IE and they don't get modded down. I hope someone metamod's this mod correctly.
"Failing that, the rest of the solution is to be write any program that downloads arbitrary content from the internet very, very carefully."
Welcome to the idea of TPS. Only trusted code runs on your machine.
I don't understand, I visit /. day in day out and all I hear about is how the great benefit of OSS is that anyone can read and improve the source code reducing the amount of vulnerabilities. A million zealots can preach the benefits of FLOSS, not many of them seem to practice it though.
Go ahead mark me down as troll but this is something I've been thinking about a lot. I use OSS on my Solaris network when permitted because the benefits are still awesome. Also, please save the canned replies of "but it was fixed quickly because the source was available". It's still a response to the problem that should not have been present to begin with if the zealots were to be believed.
"What kind of music do pirates listen to?" -Paul Maud'dib
"Yeeeaaarrrrr n' Bee!!" -Stilgar, Leader of Sietch Tabr
Let's see them attack my text-based browser!
I'm not a troll, but I play one on Slashdot.
that the actual exploit was released under the GPL... this means that anyone who takes it and modifies it has to release their improvements if they then proceed to distribute it... so if anyone does get infected, please get the person you got it from sued by Gnu for failing to make the source code available as well...
Donald 'Duck' Dunn: We had a band powerful enough to turn goat piss into gasoline.
If I have firefox (win32) check for updates in the Tools, Options menu, it says that there are no updates. WTF?
They do patch stuff fast, but until automatic updates work correctly, it's not going to do much good for the average idiot user. And someone will eventually start trying to take advantage of these exploits. I'm running 1.0.6 and there's no update icon showing. When I say Check Now: "Firefox was not able to find any updates." -paul
It's a figure of speech. Relax. Firefox will lose market share. You satisfied?
I personaly believe that the activeX exploits are the nasty ones. I use to get so much crap on my system when I ran IE, even after the SP2 update. Since I use Firefox almost exclusively, I have had just about none. That's good enough for me.
I'm going to rip Linux out of all my boxes, install WinXP SP2, and do all of my web surfing on IE with ActiveX enabled, just to be safe!
The living have better things to do than to continue hating the dead.
Good and popular isn't always a good thing. When FireFox was released, it was also like a praise to many because finally we had an alternative to the evil big ol Microsoft coming. But once FireFox reached the bigger masses, it also opened its eyes for hackers around the world. Summary: the bigger it is, the bigger risk it will become to use software.
Full Tilt
I have little time for browser wars, but it is notable that despite the 1.0.7 announcement even making Slashdot yesterday, it's not showing up as an automatic download yet. Worse, it doesn't show up even if you manually check for updates.
There's not much point patching a security issue if you can't distribute the patch and even conscientious users won't find out about it by the expected method.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
The fact that Firefox patches faster than M$ doesn't mean it's any safer for the END USER (not the average Slash-dotter, who's immesurably more comfortable with updates and far more current with the latest updates to any software on his PC). For the average user, updating a browser (unless it's automatically pushed), is not something that will occur to them to do. Even when it is pushed to their computer, most users postpone such updates for several days or weeks, exposing their computer to the risk in the meantime.
Firefox cannot win in the consumer market just by saying that it patches quicker than Microsoft. It has to proove that it requires patching far less frequently. That is the burden that an upstart faces when staring down an established monopolist.
In my mind, Firefox hasn't yet suffered a great deal of harm in the marketplace, because most web sites and magazines are still friendly to the browser. That may change though, if exploits become more of a regular occurrance. If that happens, it may be the end of the road for Firefox amongst the vast majority of home users.
Comment removed based on user account deletion
I just removed Firefox from this computer and installed Opera. No problem.
I also just tried to remove IE... no luck.
Firefox is still better.
guns kill people like spoons make Rosie O'Donnell fat.
I am very scared about this turn of events. I used to see unpatched IE all over the place. Thankfully, that is a lot more rare now. Microsoft has made it hard not to patch IE and Windows. Not so with Firefox. I have seen unpatched Firefox installs all over the place. Ostensibly Firefox is there as the secure alternative to IE. People have actually said to me that "unpatched Firefox is more secure than patched IE" and that they aren't worried about it. Firefox Update is way too easy to ignore and a lot of people do. This is going to come back to bite them big time. And Firefox is going to have a PR-nightmare with some big security disasters over the next few months.
Is it really Firefox's fault if users don't patch their systems? The answer to that is yes, because they're trying to be the market-dominant browser. In order to be market-dominant, you have to have a browser equally suited to idiots as well as the technically adept. Firefox Update needs to be to be impossible to ignore and hard to disable unless you really know what you're doing. Because it is a weak feature right now, Firefox puts users at risk.
The issue is how effectively the installed browsers are patched. All 20 million or 60 gazillion, or whatever.
Firefox currently has nothing to offer over IE on that front - and it's missing a huge opportunity. MS have their software update capability, but it's usefulness is limited for two reasons:
* it often bundles IE patches with core OS fixes
* users are suspicious of MS in general (remember those SP EULA changes...)
As (a) an independent app, and (b) it comes from an open source organisation Firefox doesn't have either of those limitations. If it were to add an auto-update capability it would likely be used (sure, tell the user - but make the default to upgrade and the exception not to).
The significance of exploits then changes drastically; Firefox benefits from user acceptance and its ability to patch exploits quickly.
The alternative is to get drawn into a "my browser has less exploits than yours" argument. Oh look, it's already happened.
Please note my comments earlier in the thread: since the patch hasn't hit the auto-updates yet, even if you check for it manually, this patch does not exist for most users. There is an exploit for it in the wild. Hence most Firefox users are not safe from this exploit.
There, I put the actually relevant bits in bold for you, just to make it clear. Firefox is a great product for many reasons, but let's not kid ourselves that its security policy is perfect right now, OK? If my Firefox browser had popped up within a few minutes of the patch being released and invited me to download it, you'd have had a case, but it didn't.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
"re-conquer the web" (or any other catchy firefox slogan) use konqueror ;)
It's also the major reason large numbers of huge companies aren't adopting Firefox, since it's the technology many of them base their Intranets on. It's a security risk when outside sites can use it, but not having it for internal pages is a PITA at times.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
I have a distinct feeling that if FireFox continues to have vulnerabilities reported like it has recently, then people will stop using it. If people stop using it, what good is the project? Would all the developers who are working on FireFox right now, still work on it if it lost 90% of it's marketshare? What if people (in general) started to think FireFox just wasn't secure? Would developers want to work on a project that has a reputation for being faulty and insecure? Would funding still come in?
That's worst-case, but if that happened I would consider FireFox "out of business".
So why the hell hasn't the patch shown up on Firefox's automatic updates, even if you manually check for it?
Doesn't do any good to patch it if you don't notify people about it. Not everyone reads Slashdot.
Quidquid latine dictum sit, altum sonatur.
Anyone thinking that this is Microsoft releasing all these exploits? Would be a clever tactic, hiring a group of security consultants to hack away at firefox all day long :)
I clicked "Check Now" in the Software Update section using Firefox 1.0.6, and no update was shown. The Firefox box was checked. Anyone else seeing this, or is this just a proxy issue?
This was well over a day after the release of 1.0.7. What URL is used to check for updates, and do they have appropriate options set on server to prevent long caching?
Every time some open source software, like Firefox or Linux, have an exploit, lots of people scream "see, it's insecure too! it's no better than IE / Windows!".
That has always sounded weird to me. Windows or IE have had dozens, maybe hundreds of holes and exploits, and yet, when Linux or Firefox have one, they're "just as insecure"?!?
Is this thing binary? No holes = secure, one hole = as insecure as a hundred holes?
Fine, Firefox has one now. Not really "exploited", since it's already been patched, but never mind that. So what? How many IE holes have there been? How many PCs are full of spyware, viruses, or sending thousands of spam emails a day because of an IE hole?
Can Firefox even begin to compare to that? I don't think so. It's at least dozens of really bad exploits (not to mention the "less than really bad" ones) behind.
The Tlog - a technology blog
you should not have problems with programs that can start executing code without permissions
;)
By starting your browser, you gave it permission to execute code. It will execute as whatever user the browser is. You comment about the OS keeping the access level as that user is correct.
Keep in mind that the shell code in the exploit will need to be made specific to the CPU and OS of the target system. Of course, this can generally be extracted from the http request header, and the browser can query for it in js. Not that this is a big deal, web developers are accustomed to having to deal with platform incompatibilities
----- If communism is a system where the government owns business, what do you call a system where business owns govern
How many developers do you think Microsoft has working furiously to release exploits into the wild to harm their competitors? Sure, it will never be admitted to, but ya gotta wonder...
Kudos to Firefox for releasing a patch the day before the exploit was announced though.
I figure sooner or later I'll find something that hasn't been hacked to pieces. If not, I'll protest and stop using the Internet! Ha...THAT will get their attention
(Come on...it was a joke!)
I'm not a troll, but I play one on Slashdot.
As someone else pointed out, the quickess of the patch doesn't matter because the end-user who's not the average slashdotter won't know there's a patch and won't install it. So why not forced security?
I play poker at Fulltiltpoker.com. Every time I want to play, the software connects to their server, checks for any updates, and then asks me to login. Granted, the poker software client is not as complicated as a web browser, but how difficult would it be make Firefox check and install updates every time the user ran the program? I imagine it would be pretty simple. Have this enabled by default, and the active security-aware users can disable it if they would rather do it themselves or are if they're paranoid. Think it might cost too much time to check every single time you run the program? Simply solved, a line of code telling it skip the check if it's checked in the past 12 hours.
One of the simplest ideas in security is that if the end-user has to do it themselves, like not opening random e-mail attachments, then it's likely going to get fucked up. It's that simple. Take it out of their hands.
For those of you that are paranoid about Firefox contacting servers on it's own, how do you think it knows when there are updates? It certainly didn't find out through telepathy.
Just my two cents.
Aero
Please stop hurting America -- Jon Stewart
"Ummm, so basically Mozilla was ahead of the game as far as this hole is concerned, having already released a patched version of the browser before the exploit became known?"
Did it occur to you the patch may have been reverse engineered, and the exploit created from the patch? There is a reason MS doesn't like to patch holes that haven't been exploited.
The version of firefox I'm using is unpatched and vulnerable since the IT guy here hasn't bothered to patch it yet.
Vote for Pedro
What's the latest Lynx exploit? Even that's too risky. I telnet straight to the web server and hand-request all the documents and parse the html via the ol' eye ball. No root exploits for my optic nerve, bitches.
"I have never won a debate with an ignorant person." -Ali ibn Abi Talib
>The specific response: It's already patched.
Check out comments on this story - the FF update indicator shows nuthin' and I believe at least 80% of active FF users out there have no freaking clue that they're exposed.
"Sounds like damn good response time to me! When was this first discovered? How many days total did it take for the patch to be released? Yes, it sucks that the vulnerability was there to begin with, but you have to admit that this is a good demonstration of how well an open source community project can respond."
Yes, the open source community did a great job showing hackers exactly what the problem was, so an exploit could be developed for the unpatched systems. Great work guys.
Vote for Pedro
Off Topic My Orifice!
Face it, its just a matter of time until the masses storm the Bastille of Open Source and render it obsolete. Its happening now as hackers turn their attention away from the generic resident evil MS.
I'd like to propose a new game here on Slashdot, called "Six Degrees of Microsoft." The objective is to relate *any* story, from browser exploits, to RFID tags, to new features on Google maps back to some oversight, corruption, or other evil perpetrated by Microsoft.
Understand, I'm not even saying I necessarily disagree with the parent post, I just think that every Slashdot post in the future should have at least one response titled "Six Degrees of Microsoft." Firefox/IE posts are easy, but "GBA SP Updated with Brighter Backlit Screen" might be a bit more of a challenge.
Good luck...
The only acceptable defense of scientific results is to say that they were the product of the Scientific Method.
36,000 people a year die from the flu according to the CDC, this gets rare news coverage.
People die every single day on the hiway.
People are murdered just about every day.
Thousands of people are starving to death in Africa.
A plane with a busted nose gear makes huge news.
Reporting about an IE exploit would be as excting as reporting a flu death. The rare events make for more drama. The news is about drama, not NEWS.
----- If communism is a system where the government owns business, what do you call a system where business owns govern
The Pulling it out of my ass exploit. Or the Dancing monkeyboy exploit.
Sorry about the writing. Robot fingers, you know? Cliff Steele in DOOM PATROL #23
No thanks, I'm quite happy with my Opera 8.5
FanFictionRecs.net
Your computer might get pwn3d, but your browser won't!
Amazing. You managed to try to turn that into a positive point. I'm not pro or anti anything, the right tools for the job is my motto, but wow.
What he can't kill, he has sex on. Trent.
Well, aren't you lucky. The company I work for has a secure OS. And not only is it secure, it can secure other OS's (at least that's what we expect). We have just gone out the door for Alpha and we should be out the door in the next few weeks for Beta and should announce by the beginning of the year.
Wouldn't it be nice to have an OS that can verify the code before you execute it?
Of course, it's not open source and so people are going to bleat about that, but we have some big brains behind it, so I'm not too worried. We may release a portion for review, but not the complete OS.
Low and behold, it's not Linux, *BSD, Solaris or even Windows. It's new.
Somebody gets it.
The post is an anti-mac troll.
The poster is mocking Apple fanbois.
The only secure web browser is less...
Please, for the good of Humanity, vote Obama.
I agree. This is a huge difference.
:)
Not to downplay the seriousness of this exploit -- it's a true, critical flaw. Glad there's a patch available already, and even though Firefox has had fewer critical vulnerabilities than IE over the years (even now, IE has two critical bugs that have been around for over a year), I'd very much like to see the frequency of FF security holes go down.
Sadly, I'm not a coder, so I'll just have to hope for the best
Kythe
Mandra-driva are still stuck on 1.0.4.
They still haven't provided updates. boohoo.
maybe its time to get the cooker RPM's and break some dependencies.
----- If communism is a system where the government owns business, what do you call a system where business owns govern
Amazing. You managed to try to turn that into a positive point.
It's far easier to format and reinstall Windows than it is to try to repair a broken install of IE without a total reformat. Oh wait...
"I am the king of the Romans, and am superior to rules of grammar!"
-Sigismund, Holy Roman Emperor (1368-1437)
You can choose to have an OS that gives you power and control or you can choose to have one that acts like your nanny, not both. The power to install software on a system is also the power to install bad software on the system. The power to modify system settings to be how you want is the power to fuck them all up. Etc.
The scary, Orwellian view of Trusted Computing offers what you want. The processor and OS will enforce security. Apps will only run if blessed by the signing company, probably the OS provider. You will not be the administrator of your system. You will use only approved software and data, etc. Well, that'll keep you safe. However I don't like the cost.
People put WAAAAAAY too much stock in the "not running as root" thing. Yes, I agree it's a good idea, I am glad MS is chaning to be that way, but if you think it's protection, think again. The only thing that helps is to remind a person who knows what they are doing to check and see if something really needs root. It does not protect against:
1) Remote exploits to services running as root.
2) Evil shit that can run as the user (spam bots and so on).
3) Programs that use a local privledge escalation exploit to gain root.
4) Programs that install for the user, wait till the elevate privledge, grab the password and use it.
5) Evil programs that piggy back on top of other software that needs root to install (as spyware often does with P2P programs).
6) Dumb users that simply enter their password whenever asked, without checking what it's for.
That's probably not an exhaustive list either.
Remember: As it stands, when you download software in Windows with IE it warns you, on every download, that the software might be evil. When you run it, it again warns you and you have to click ok. You really think a password will change anything? Users see them as hoops to jump through and simply do it without thinking.
The only way to protect people form themselves is to take away administrative control from them. At work, we can keep users safe, since they do not administer their comptuers, we do. They do not have the necessary access to do any damage. However I don't want that at home, I do not want Microsoft, Apple, Linux Torvalds, or any other person or entity to decide for me what I can and can't do on my own PC.
Now you may not feel the same, but do recognise you have a choice: You either choose a system you control, or one that protects you from yourself. Don't demand that OS makers make an OS that prevents bad styff form happening, while still giving you total control because they can't.
From: Berend-Jan Wever
To: full-disclosure@lists.grok.org.uk, bugtraq@securityfocus.com
Subject: [Full-disclosure] Internet Exploiter meets FireFox
Hi all,
Since I stopped releasing browser exploits, development on them seem to have slowed to a halt. For the latest FireFox vulnerability, I decided to finally port Internet Exploiter and thus PwnZilla was born.
Technical details and documentation are all inline.
FireFox 1.0.7 is out which seems to patch the vulnerability, I could find no release information in the website so far, but that may change in the near future.
Get the exploit at http://www.milw0rm.com/
Cheers,
SkyLined
Defense In Depth - Should your browser fail to be secure, one should have additional layers of security in place. Personal Firewalls, firewall/router combos, IDS (for the geek) or IDS for the corproation. One should never rely on any single piece of software (even if it was blessed by holy penguin pee) for their security.
Get a life, not a lifestyle. - Hikem Bey
No, it's quite to the point provable and true. For example, I use Azureus because I haven't found another suitable client under Linux. I would never run it under Windows because the UI is slower, the startup is horrid, and it takes more resources than other programs. It is responsable for 60MB of RAM and a 380MB VM footprint. It is consuming 1.3% of my Athlon 2600, and 7% of my total 768MB of RAM.
Java is slow to start and requires more memory than an equally competently written native code program. This is always going to be the case, because it imposes both the overhead of the C libraries and the overhead of the JVM itself.
The case where Java is *not* slower is where it can do run-time optimizations. Then it is sometimes faster than native code. In the other cases, Java is just not *as* slow as it used to be, that's what has changed.
It could be said that the "Java is fast" people are being equally unreasonable because they're ignoring many of the more important places that Java is slower in. The right answer is that Java is faster than C for some things, slower than C for others. During execution, they are comparable. In shutdown and startup, Java is slower. Java also has the issue of the UI handling, which is not as nice as the established UI toolkits available to other languages. The UI response is also not as good as a native program.
Also, this is the same NASA that is known for so many inefficiency and poor choices. Are you meaning to imply that Java is another of these? The thing is that NASA could have chosen almost any language and accomplished the same thing. They just decided to use Java. Is that supposed to prove something? Or was that supposed to be that you named three apps that were written in Java, and have better native equivalents on many OS'? I already mentioned Azureus, WURM is OpenGL with Java logic, and jdiskreport is yet another program that solves a solved problem.
That's like my saying "No, C/C++ is just the right answer, because Windows, Linux, OSX, BSD, QNX, BeOS, Firefox, Gaim, Office, etc. is written with them." It has no bearing on anything.
If you want counterpoint, fine, I don't think I've ever used a Java app where the UI was decently responsive. That includes Azureus, LDAP Browser, Dell OpenManage, HP WebAdmin, parts of OpenOffice (like the DB portion in 2.0 beta), the Java control panel, and the Solaris installer.
So no, Java is still slow enough to be impractical on the desktop. The Java UI toolkits suck, and the whole language suffers as a result. Fix the UI, fix the load times, and fix that you need another instance of the JVM for each app. Then you have it good for desktop apps.
*starts firefox 1.06*
:)
Hu hu hum....
(enters www.slashdot.org)
Firefox exploit released! An exploit for the just-patched Firefox has been released...
"Uh oh." (enters www.getfirefox.com) - click... click
Done! So, you were saying?
Comment removed based on user account deletion
...when you're writing a game...tweak the difficulty of "Easy" to something [your mother] can cope with. -- onion2k
I cant hear you ! lalalalalalalalalalala!
Wait a couple of years more, while all the Firefox vulnerabilities get patched. Meanwhile, Microsoft's browser keeps going and going and going...
In other words, Firefox's model converges to security. Microsoft's doesn't.
Your prediction has a snowball's chance in Hell of coming true if, and only if, Microsoft release an open-source IE7 for Linux.
Good thing I just switched to Opera. :)
language precompiled to bytecode which runs on a virtual machine != interpreted language
But people keep saying that good programmers can avoid buffer overflows in C and C++ because they know what they are doing. Well, I guess neither Microsoft nor Firefox programmers are good enough...
One of my friends told me that after several large scale worm/virus outbreaks and one prolonged FBI investigation about a hacking of NASA from their IP address, (which turn out to be via their IP), the IT guy of that company only agree to buy Mac and unix machines.
There is a spark in every single flame bait point.
*Opera*...
end of discussion...
Buy a Mac and be done with it :)
Opera is now free, you know. Only OSS zealots would say no, now.
But simple web browsing is still "safer" in Firefox. Your computer might get pwn3d, but your browser won't! The "exploits" and "security flaws" everyone is talking about completely misses the layman's reason for switching, and that is because (thus far) none of these FireFox exploits turn innocent browsing into a spyware, adware, toolbar infested nightmare.
So you can install anything onto the computer (such as spyware, adware, malware, etc.) but the browser is still safe? I agree with the other poster... what a crock! Also note that it's possible to install extensions into Firefox. Just because nobody has written a spyware/adware extension for Firefox doesn't mean that Firefox is immune. In fact, one of the benefits of Firefox is the ability to extend it. Do you even *know* what you're talking about?
Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
I've got 1.5a comfortably installed here, and I'm reluctant to switch back. Just wondering what the rest of you is doing, and for what reasons.
News for merdes. Shit that matters.
Ask me about my sig.
Sign me up for your newsletter. Seriously.
kurzweil_freak
5th Kyu Genbukan Ninpo/KJJR student
Be the darkness that allows the light to shine.
Why yes, yes I do. I love its features, but the interface is incredibly sluggish. Same goes for Eclipse. I've used it on Windows, Linux, and FreeBSD with various JDKs. It's slow. I'd go crazy if all the GUIs I use were the same way.
LOAD "SIG",8,1
The user priviledge model is designed for many-user computers for work or kiosk purposes.
For the typical home desktop, it doesn't make any sense at all. The danger is not malicious users, but malicious programs (spyware or viruses). Running as a limited user will prevent these programs from damaging the root system but it IS an annoyance. I do want to have control over MY computer. Just because I'm root shouldn't mean that anything I run should get root priviledges. I should be able to set permissions on programs.
well......
I started out....as i think did most people.....with netscape. i was forced...through my own ignorance...into the cold embrace of brain-death xp, simply because it was on the laptop that i had bought (i gave my tower away....ironicy....to an employee of microsoft). my this stage i was and soon after started to use firefox. i have to say that i do like firefox. i liked the way it worked, but i do have to say that having so many extensions remainds me of a xmas tree........
i am now using suse 9.3 pro....it's a big brighter day of screaming at your computer coz it's not windows..actually in a lot of ways it exactly like windows except that you've done it and your praying to the gods of the bits to fix it and not let everything be lost....oh wait...no..it's o.k.....
i'm with opera now...it's exactly what i was looking for.....something that i ues to look at webpages. the updates were quick...read it one minute, next it was screaming for me to update.....,little pushy.....hemmmmm
sorry....first post....kinda rambeling......hello...:>
"no no no no.....don't do that....please i need to go to bed! it's four o'clock in the morning!!!!" me to my computer..
This, of course presumes that (1) the original exploit author is a proper white-hat, and (2) we catch the person who creates the worm.
Free Software: Like love, it grows best when given away.
Firefox versus IE,
...oh too bad guess you don't have a choice do you. Some Mega Corporation who gobbled up the company that made the second rate browser only updates through "their" browser. Well don't feel bad the combined might of the US government couldn't get the Browser out either.
;-)
Its not the point which is one is more secure and which isn't, though I disagree that a 3 month string of quickly released patches compares to the decade of the Bataan death march of Internet Explorer Vulnerabilities. What is the underlying issue, that goes to the heart of all issues when you compare them and its not open source or proprietary software or which is more secure or who's the market leader and who's the rising star of the browser wars.
FREEDOM OF CHOICE
With one of the above mentioned browsers you have it, and the other you don't.
You don't like Firefox, delete it, try and do the same with IE, its like cancer you can't get it all but I will feel like its gone. That is till you have to update your operating system
I hope someday I will be able to rip it out so I can get rid of the 3 other programs I installed because of IE.
Ad aware, Spywareblaster and Spybot search and destroy
Don't get me wrong I love the programs but in the the last 2 years I have used them I have yet to have to rip out any Spyware from any version of Mozilla. Which is funny because I only used Mozilla to surf how could Spyware infect the browser I wasn't EVEN using. I just wish I could uninstall it, but sure is nice that if I am pissed at Firefox I can.
I would just like to see a writer do an article on that. How many windows users after the frustration of having their computer turned into a virus factory tried the to go the the ADD and REMOVE WINDOWS COMPONENTS and try to uninstall IE only to still find on their system and that is still gets infected. Not much fun in that article, no controversy, no flames from the Slashdot crew, no interest.
"Mankind is at its best when it is most free. This will be clear if we grasp the principle of liberty. We must recall that the basic principle is freedom of choice, which saying many have on their lips but few in their mind."
-- Dante - "Monarchy" (1309)
"and even fewer of us have it with our software"
sfabkk
That is if Microsoft is involved
Aw hell. I guess I'm going to have to use AOL then. Do they run on Linux? HA HA HA
I'm not a troll, but I play one on Slashdot.
I see many here saying that the FireFox security update system is inadequate because it's too easy to ignore, not in your face, too easy to go unnoticed (and many times doesn't even work; my FireFox is giving no indication that it needs updating). What you don't understand is that the FireFox team *wants* the update notifications to be easily unnoticed, not in your face, easy to ignore. If they became "in your face", then the user would eventually think, "Damn, I sure do have to update this thing a lot. Guess it's not really that secure after all."
-- "I never gave these stories much credence." - HAL 9000
So how does Lynx compare to the rest of the browser world security-wise? I've been using it for years, and haven't seen any reports of any Lynx-specific exploits. Or am I missing something?
1.Netcraft confirms:In Soviet Russia all your base welcomes a beowolf cluster of CowboyNeal overlords. 2.? 3.Profit!!1!
I wouldn't worry too much. There will be a big upswing of exploits as Firefox becomes mainstream and with that should come more diligent effort to address the exploits and likely an automated system for patching. That's the same as Microsoft had to do and that's not where Firefox and IE differ. Where they differ is in the fact that Firefox is opensource and can be fixed by any person willing to contribute (and in this case, fixing exploits is very much motivated by self-interest which is doubly good). With Firefox you won't have to hear "Oh, it's just too hard for us to fix the codebase; you have to wait for Vista" and then when marketshare dips, suddenly it's fixable.
If anything, the more scrutiny Firefox is subjected to, the more open source has an opportunity to outshine closed source, so bring it on. As far as updates, I play several online games and patching is automatic and not optional when the time comes. This does not bother me at all. Personally, I would be completely happy with Firefox automatically downloading and installing security updates. I'm as partial to allowing people to run an un-updated Firefox as I am to putting a loaded .357 in a child's hand. "Oh, I just really needed to run my browser without the latest security updates. It was an emergency!" Yeah, right. Try reprioritizing your life so it can sustain an occasional 10 minute download and install that will save you hours of grief when some malicious application brings your computer and every computer on your network to its knees.
(Sure there are expections here and my analogy is a bit extreme, but the basic principal is the same. Don't let people do stupid things that endanger them and everyone else. "But it's my right to blow my head off with a gun." Ok, whatever: *takes the gun away and chucks it in a river*. Go find it if you want it so badly.)
Opera is seen as more secure but doesn't allow you to use many useful websites.
I challenge you to supply links to three "useful websites" that Opera "doesn't allow you to use" and state what the problem(s) are. Otherwise retract the comment.
(And if I wasn't at work, I'd use some colorful language in this post.)
"The company I work for has a secure OS."
Where have I heard that before...
Oh yeah I remember, every new OS since the beginning of operating systems. Incidentally we're bringing out a car that never breaks down. Real soon now, just you wait and see.
Under Windows there isn't any indication you need an upgrade; and
nowhere on the FireFox website does it show how you can download.
This is really really poor organization.
I can settle this for anyone confused....Lets take a poll...who has had their firefox hijacked? Who has had to spend countless hours removing malware from their users firefox installation?
Nobody?
Huh,
Thats why I mandated Firefox in my office.
I don't think there really is a debate at this point. I love mozilla, but it's obviously not the iron tank many of us thought it was. I think talk about ie vs. mozilla with security is more bickering at this point - both have tried, both have failed. But it really goes to show that it's not trivial to make a highly functional browser and to predict all of the possible exploits and insecurities. That's not to say that we should give up.
ôó
.. They need to prove to large corporations that its worth switching. Right now nearly all major businesses do not even allow the installation of Firefox on systems they own. Why? Even if Firefox had fewer exploits, you are still introducing more security risks with IE+Firefox rather than just IE. Things like this will give the suits just enough evidence to stay with IE. If the average user has Windows/Office/IE at work, he/she will use it at home.
I said use less, not AOL... :P
Please, for the good of Humanity, vote Obama.
Note that users of Fx 1.5b1 can just go into about:config and set network.enableIDN to false (and restart Firefox) to be protected against this exploit.
Have there actually been any successful exploits using a web browser as an attack mechanism. The ones that have had the worst effects seem to have been the ones which email an executable with a message saying "Oy dumbass run this executable". They seem to work far better than any thought out technical exploit.
Of you course you cannot make a secure OS based on the 40 year old model of dual-priviledge. This is part of the reason why OS's like Linux or Windows can never be secure.
In order to make your car to never break down would require significant engineering advances in both the drive train and electrical systems. If you stick with current OS theory, you are going to have the same problem of the dual-priviledge model.
We can compare notes this time next year and we can see if we actually do have a secure OS or you have a car that never breaks down.
The only thing anybody could ever prove is that Firefox's security is about as bad as IE's, and that still doesn't make it a worse choice. Right now, with Firefox making up less than 10% and IE making up about 80%, the majority of the exploits that are marketable are IE exploits.
So people should keep using alternate browsers based on their merit up until they stop becoming alternate browsers. Then, maybe IE's GLORIOUS interface and GLORIOUS functionality can Lure Us Back.
Oh, please.
Please stop stalking me, bro.
"We can compare notes this time next year and we can see if we actually do have a secure OS or you have a car that never breaks down.""
Aaah, but we have a new technology, a total paradigm shift. If you thought your whites were white before, you'll think you have been walking around in filth when you see our new radical breakthrough!! Our surveys show our miracle breakthrough is up to 15 percent better.
*Whew* I was almost worried.
Ignore this signature. By order.
Yes, someone could create a malicious extension, but the user still has to install it. That's a big difference. With IE you can get infested just by browsing the web, and clueless people just throw away their computer and buy a new one because of this. Not to mention you should be safe as long as you download extensions from trusted sites, like the official addon page.
That looks pretty cool. Seems to be a bit of work, but with all the arguments over root-user vs. regular user security, it'd be nice to lock things down per app. This will be great for my system and other techs, but does anyone know of a similar application for windows? Would be nice in a controlled environ (work, etc) to be able to lock things down, super tight like.
J
Thanks for the intelligent discourse. I guess you don't know what you're talking about.
"The only secure web browser is less..."
The Secunia website lists open security issues for:
http://secunia.com/product/4932/ Opera (0 issues),
http://secunia.com/product/4227/ Mozilla 1.x (3 issues) and
http://secunia.com/product/11/ IE (19 issues).
It's also interesting to look at the past history of issues and maybe take a peek at those pie charts near the bottom of the page.
Mmmm... Pie!
What? With this crowd?
Here's how it'll look:
from the million-to-one dept.
Anonymous reader writes: "They've found life under the surface of Mars[nasa.gov]! What's more, they can communicate with us (but only in Swahili)!" Update: 10/22 22:20 GMT by Zonk: Really sorry about this dupe - thanks for all the hate emails though.
To which TrollingBot2000 replies with:
As you can see, no matter what the topic - it becomes abundantly clear that Microsoft some evil hand to play with only ONE degree of seperation. I'm really surprised you thought six degrees would be a challenge here.
This is not my sig.
This looks like the IDN hole that was reported a bit ago. My understanding is that no patch was needed, just type "about:config" into the URL bar, find the "network.enableIDN" entry and change the setting to "false". Once you do that, the buffer overrun the exploit uses never happens, so the bug can't be exploited anymore.
From reading the summary, it sounded like there was no patch. The article itself is not as bad as the summary makes it... it's simply a update your browser message. It's in no way an antifirefox article.
...then p0wnz your machine....
This sounds kinda like the mirror image of Slashdot. Normally with Slashdot, it's your browser being redirected to a website that Slashdot then p0wnz.
This is plain BS, if someone placed a post saying "Firefox will put Microsoft out of business because of better functionality" it will be modded down just as easely. Even if the statement "more secure, faster page loading or better functionality can be discussed, the part "put out of business" is just a clear flamebait and almost impossible.
Now about the "more features in IE7" discussion, I think this aint going to happen. Maybe in the eyes of a user does IE7 seems perfect. But for a developer IE7 (roadmap) has several shortcomings in multiple standards like XML, ecmascript, DOM, SVG and don't forget CSS. I think FF is much more in the right direction supporting these standards _correctly_ withouth 3rd party plugins like adobe svg and DOM-spy. For things there need to be a plugin, because many users don't need it by default, mozilla hands a much better development environment then IE properly ever will.
so IMHO is Mozilla Firefox or any other gecko based browser the future!
check out http://blogs.msdn.com/ie/ and compare it with FF 1.5 features
The alternative seems to be subject to the whim of the vendor. If they fold/close down buisness you are done. If they ignore you, you are done. If you have the source and need something to be fixed you can, as a last resort, fix it yourself. Without the source you have less options. Which is more desirable?
Years ago, Microsoft declared security job one. It looks like their Linux labs are finally paying off.
What's that? I think I hear a fanboy saying that M$ is not funding research like that. It must have been a collection of gifted script kiddies with no connection to M$, they say. OK, I'll agree, free software will always run circles around the few people Microsoft can afford to throw at any single problem.
Let the layoffs begin! It's not going to work anyway. If this is a real problem, I'm going to apt-get myself a fix in a day or two. In the mean time, I'm going to simply keep using Konqueror.
Friends don't help friends install M$ junk.
I've never heard the term before, but I find it strangely pleasing.
It's not wasting time, I'm educating myself.
the user can't install any extensions from a site other than update.mozilla.org without jumping through a few hoops first.
This has got to be the 3rd slashdot article about this one event. And no one cares.
simple web browsing is still "safer" in Firefox. Your computer might get pwn3d
than to have a hacker gain any kind of control over your machine.
Do you even know what the word "pwn" means? It is "to seize total control, almost as if the legal owner". A pwn3d PC must be assumed to have a bo2k install or even worse.
Sorry I don't know much about html scripting.
I copied the entire exploit (everything between and including the <HTML><SCRIPT>) into a file and tried loading it into Firefox as file:/filename. All I get is a blank page. I would think that even if my Firefox is patched, I would see the "Click here if you want to run the actual exploit" button.
Guess I am too incompetent to be a script kiddie...
more vulnerabilities != more vulnerabilities exploited
As long as IE is the vastly more popular browser whatever vulnarabilities it has will be at greater risk for exploit.
That depends entirely on whether it's more likely that the supplier of your closed source product gives up or that you won't realistically be able to find your way around the source and fix a problem. Which do you think is the greater danger to an average user?
The big advantage of open source is that someone, somewhere probably has that skill and knowledge, and as long as one person is prepared to use it to benefit the community, everyone else is safe. Of course, if you lose the person/people who are willing to do this, you're no better off practically than you were losing a commercial supplier, source code or not.
Take a quick look around the major OSS projects, and you can see that this reliance on good samaritans works very well in some cases, but very poorly in others. In general, Joe User has to place a bet, and the best he can do is bank on the software he thinks will be safest.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
You DO realize that you have to first *whitelist* the extension in order to install it, and only certain Mozilla controlled sites are whitelisted by default, right?
Oh, and it's not an easy pushbutton thing, either. You have to find the setting in your browser (probably under about:config or somewhere) and add it that way. Should be more than enough to intimidate someone who isn't bright enough to know better than to install a spyware extension.
I think the last upgrade was the first one I've done where
most of my extensions still worked. Ionly use a handful,
but I hate having to wait for them to show up and then
reload them each time. I expect that in the 0.x releases,
but after that, it shouldn't happen with most extensions
until you jump major level numbers.
I don't remember if I had to reload the theme I use or not,
because that's pretty minor to me. But it's a huge deal for
Joe and Jane User, so it needs to work the same way extensions
should.
I'd like to know when these bugs are a gecko exploit, or when they are because of the xul overheard of ff or because of extensions etc. I've used in galeon a lot in gnome. Would it be susceptible to these recent exploit.
I'd like to congradulate and welcome those whom have just now realized that no software is ever completely secure: Glad to have you on board. Seriously though, we were getting worried you would never be showing up.
And to the rest of you who were dumb enough to buy into the dream: Kindly go stick a sharp stick somewhere unpleasant for jumping ship. This isn't indicative of any major tide-turning; Firefox as a "more secure alternative" has not ceased to exist.
Thanks, goodbye!
I just ryed the exploit on too of my machines, one 2Ghz Debian machine and an old PII Gentoo, my browser where not patched and on both machines i got a very high cpu load, i did not even got to the point to click the butten which rins the eval shell code, so i guess i'm save without patched Firefox, i'm not sure but all i know about heap overflows is that they don't work on every machine the same way and that it's difficult to exploit them anyway.
No only are my whites whiter, my blues are now pale green!
If corporations are people, aren't stockholders guilty of slavery?
You meant 10:23pm EDT, and really you should just say "ET" or "Eastern time" and avoid the mistake altogether. I am amazed how often technical people get this wrong. A favorite website of mine won't fix their code to correct this ... it's sloppy, lazy, et cetera.
One simple rule for its versus it's
I'm sick of hearing of these obscure exploits.
Has anyone every reported a problem with a Firefox browser? How many documented cases of compromised users have there been as a result of these discovered vulnerabilities?
We shouldn't forget that bad press for FF is in the interests of the Black Hats who make money off of IE exploits. FF is harder to crack than IE. Not impossible just harder. Their aim is most likely to maintain the "good times" of IE. So we shouldn't be surprised that not only is an exploit released but a nasty application of it as well. The black hats wouldn't release the app for the IE version because it would be too useful, but by releasing the FF one they support their investment in IE.
Bitter and proud of it.
(Note: I am not a shill/user of his software but am a fellow coder always on the lookout for good, elegant, useful code and ideas to use in future projects....)
From
http://www.slproweb.com/download/ProtoNova_ID.chm
Discussion on Security
[snip]
Before I conclude, I have one other thing I wish to mention that defines security. This is the fact that ProtoNova is the only web server in existence guaranteed to be free from Buffer Overflow attacks on the stack at the application level. Let's see you try to get a guarantee like that from Apache or Microsoft. While I can't control problems with the underlying OS or libraries, I can control how I write my own code. Here's my secret to how I can make such a guarantee: Dynamically allocate all memory I use on the heap. 90% of all bug fixes for exploits (potential or otherwise) coming out of various organizations (ahem, Microsoft) are for Buffer Overflow attacks on the stack. A buffer overflow on the heap is far less dangerous than a stack-based overflow. If you don't know the difference, let me show you that I really do know what I'm talking about (whereas most journalists generally have no clue) using some C code - that is, the language most web servers are written in:
(For you programmers out there, please ignore the comments. I realize they are "basic/newbie," but I'm attempting to explain source code to newbies).
The example above is extremely dangerous. Why? It is because there is only room reserved for 256 places in the computer's memory. What happens if the user enters data for 1000 places? This is where the danger comes in. The stack is where function calls like "main" are stored. When 1000 memory locations are copied from the user to str, the stack beyond the 256 is overwritten with whatever the user has entered. Typically, this will result in a crash when the function "main" "return"s...however, if those 1000 places in memory are carefully crafted, they can execute arbitrary code when "main" "return"s. This could be anything from a virus to a complete system takeover.
So, what is the solution to this? It should be obvious: Don't put anything the user enters, even remotely related, onto the stack...ever:
Wish I had mod points today...
Doesn't it get tiresome to listen to people talk about how insecure windows is every time a new bug in Mozilla/Firefox is found? Then we get to hear countless posts on how its windows fault. First off I would like to state that no matter what OS you run (windows, Linux, Mac...) the all have security holes. This has been and always will be the case. It gets old to listen to how its "Easy" to make secure software...hell we have so many "Experts" on Slashdot that I'm surprised that we don't have "Slashdows" the most secure, easy to use OS available. It would be nice to hear an intelligent post on how this is just the nature of the beast. Windows is the most popular OS on the market....yes Microsoft may have bad business practices but the fact remains that they make a product that most people use. Some may argue that they are "Forced" to use it. Personally if someone wants something different...they will make a change. I wanted to try something different than windows...no other reason that just to try other things. It didn't take 1 month to get me to realize that Linux (red hat, gentoo, suse, mandrake..) Wasn't for me. I had nothing but problems the entire time I ran it as my OS. I never got "all" my drivers installed on any version that I tried. Countless crashes and hell I even got a kernel panic. This doesn't mean that Linux is shit...just means that no matter how hard I tried, I couldn't make it work for me. Windows on the other hand I can make work like a champ and have never in my 10 years of working with Microsoft operating systems had malware/virus issues. This doesn't mean they don't exist...just means that an intelligent computer user knows that when you go to a webpage and it asks you to agree to an active x plug-in...That you say no if you don't know what it's for. I truly believe that one day Microsoft will not be the dominate OS around...and whatever the next mainstream OS may be (Linux, Mac, Sun...) it will suffer virus's and malware and security exploits just like windows does not....its pure numbers. If you stand in the middle of a 4 lane highway and there is only 10 cars coming down the interstate, there is a good chance you can dodge them and not get hit...if you are standing in the same highway with 200 cars coming down the interstate...you chances are much more slim. Simple math. The real fix is not to force people to switch from IE to Firefox or any other browser. Let people know there are alternatives but then educate people on why the web is unsafe...and no you don't want to download the screen saves that also comes with "Free" weather bug and "My search" tool bar. The real fix is education on why things are bad and not to drive people to other software. If people want other software...they will do like me and go out on there own and try to find a new solution...and maybe they will find something they like and have better luck than me...I'm sure that it was my configuration of Linux or lack of knowledge on how to do so that led me to failure. Someone with more knowledge than me probably would have made it work.
"We help those, who help themselves."
God & Sons, Inc.
The Leading OSS vendor.
You should be uninstalled as well
Have you checked that the problem with your company's timecard page isn't that your company's certificate is incorrectly built?
We have that problem, but not enough motivation to fix it yet. Safari is also useable on the page.
Apropros of nothing in particular, I notice that there are now a lot of popups that get thru the Mozilla blocker. I'm using 1.7.8. I'm aware thats somewhat behind the times, but not drastically so.
For every expert, there is an equal and opposite expert. - Arthur C. Clarke
Give it some time. I'll be pretty surprised if Firefox's rate of security flaws doesn't fall way below IE's over time.
Patrick Doyle
I mod down every jackass who puts his moderation policy in his sig. Oh, wait a sec....
The rare events make for more drama. The news is about drama, not NEWS.
:)
If something is not a rare event, in what way is it news? I mean, what are you expecting?
ECONOMIC NEWS: Businesses Exchanging Goods and Services for Money
FASHION NEWS: Fashion Elite Wear Warmer Clothes in Winter than Summer
HEALTH NEWS: Ageing Linked to Death
SCIENCE NEWS: Earth Revolving Around Axis Once Per Day
News tends to be about things that don't happen every day. Except news about Paris Hilton's latest scandal, but some things never get old.
Solaris is free and runs in out of the shelf machines (several big companies, like HP, are happy to provide harwdare support in their boxes running Solaris).
If you don'w want support, the cost to you is zero (I wonder how much support they will get from MS if they are a small shop).
And Solaris 10 is now perhaps the most advanced (and resilient) OS you can get for free (you get easy to configure quasi virtual machines out of the box).
IANAL but write like a drunk one.
Couldn't there be a guy that has a number of exploits on a stack, that he picks one from each time a bug is fixed?
the user can't install any extensions from a site other than update.mozilla.org without jumping through a few hoops first.
Let's keep in mind the context here. Vulnerabilities in the browser allow for execution of arbitrary code. That arbitrary code can install itself, auto-whitelist itself, run itself... you get the picture. It's even easier since Firefox is open source, the malware author just needs to run the same code that Firefox would have run, skipping over the user confirmation hoops so that it happens transparently to the user.
Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
On a slight tangent, what's the best way to push out Firefox updates out to users? Our patch management software will push out Windows and IE updates, but doesn't have Firefox in there. Our Windows guy is a useless idiot, so I probably need to dive into learning how to do this stuff. I did some Googling but didn't find anything that looked straightforward (it was all about making your own .msi file and doing group policy stuff...)
Is that as easy as it gets, or is there an easier way?
I'm not sure what open source software has to do with things. We're talking about buffer overflows here not replacing Firefox, and buffer overflows are actually easier to spot if you don't look at the source (this isn't a programming strategy, just common sense. If buffer overflows were so easy to spot don't you think the programmer could just look through the code looking for buffer overflows?). The argument here however is that extensions can be installed to the machine and do malicious activities. I'm just saying that this can't be done or isn't feasable simply because there's only one site that you can install extensions from, http://update.mozilla.org/ in a default firefox install.
You're not understanding what I said. What having the source code does is allow the malware author to craft their code to automatically install and run the extension without any user intervention -- basically, take the Firefox code which installs extensions and automate all of the parts that users have to do themselves. Your argument is like saying "Ah, but you get prompted if you want to delete a file in Windows Explorer", ignoring the fact that malware can delete files without user interaction.
Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
I still don't get what the problem is. Why on earth would they even bother to do that? Say they already have code running on the machine so why bother installing a firefox extension of all things? They can just install their spyware and hope the user doesn't notice.
Maybe they wish to track your Firefox browsing habits or capture your passwords similar to spyware embedded in IE. Who cares... the only reason I continued this thread was to get you to that point where you're no longer arguing that it can't be done.
Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.