Firefox Exploit Adds Fuel to Browser Security Feud
An anonymous reader writes "Washingtonpost.com is reporting that a fairly nasty exploit has been released for a security hole that Firefox patched just yesterday. This is sure to add fuel to the ongoing heated debate over whether Mozilla is any safer than Internet Explorer." From the article: "This is not your run-of-the-mill proof of concept exploit code. It appears to be quite comprehensive, and would allow any attacker to use it with only slight modifications. According to the advisory, the code is designed to be embedded in a Web site so that any computer visiting the evil site with Firefox or Netscape would open up a line of communication with another Internet address of the attacker's choice, effectively letting the bad guys control the victim computer from afar."
Browser, shmouser..... What I want is a secure OS! Arguably, if the OS is secure enough, then you should not have problems with programs that can start executing code without permissions. Granted, it is a matter of balance, but an OS should never allow root control by an application without specific permission. Of course the default with Windows is root, but hey....
As an interesting aside: We just went through a two day outage at the university here because of a worm that infected a series of Windows systems. My question to IT guy#1 was: "Dude, why did you guys switch from Solaris to Windows?" His reply was that "the Windows solution was cheaper". I said "Dude, you guys need Macs!", to which he replied "yeah, no $#!t" when he caught himself and said something unintelligible. Guy #2 that I spoke to today gave me some song and dance about how Macs are really hard to integrate into mixed platform networks and then said something to the effect of "if Macs had greater market share, we would be in the same boat". I said something to the effect of "Bull$#1t". It comes down to management and OS design. Windows can be secure, but it requires much more oversight than do other alternatives. But fundamentally, all of the calls direct to the kernel that are available to applications are a problem that will not be solved until (hopefully) the next MS OS.
Visit Jonesblog and say hello.
The sad thing is that it also comes on the heels of zdnet.com claiming that Firefox is having significantly more security issues than IE.
I guess, though, this does give some credence to the "security through obscurity" theory, as the number and frequency of issues seems to have increased as Firefox adoption has increased. And if that's the case, can we expect to see these issues become even more frequent if Firefox adoption continues to grow?
All the arguments that open source is more secure because there are more eyes to spot problems and more hands to fix them are starting to ring a bit hollow as I upgrade/patch my Firefox install on what seems like a monthly basis.
Given, I still trust MSFT as far as I can throw a Volkswagen, but my laughs at their FUD aren't so loud or haughty today.
- Greg
Start a happiness pandemic
Publicity was the demise, the great browser begged for mainstream attention, got the show but caught the eye of the bad guys.
No software is universally perfect.
Slashdot needs Geekcode | Can anyone recommend any good SCIFI? My tastes: Foundation, Startide Rising, CITY, Ringworld,
should be the exploit (and only the exploit). The browser feud is really becoming a pointless exercise in arguing. See here.
Ummm, so basically Mozilla was ahead of the game as far as this hole is concerned, having already released a patched version of the browser before the exploit became known?
Pardon, but rather than using this exploit as some kind of evidence that Firefox is on-par, security-wise, with IE, shouldn't we be viewing this as a victory for the patch/version-release cycle of the Mozilla foundation?
There will always be new security holes found. The difference is that patched versions of the browser, fixing the security hole in question, are not always released before the hole is announced.
Two cents.
B
"We must still have chaos within in order to be able to give birth to a dancing star." --Friedrich Nietzsche
Does the Washington Post, or any other mainstream media outlet, publish a story whenever an exploit is released in the wild for Internet Explorer? In the last year, maybe if it is actually affecting some media companies. Otherwise no.
So why the constant drumbeat of breathless stories about bugs (flaws) and exploits in Firefox? Could it be that the MSM is being seeded by someone? Say .... Microsoft's PR firm?
sPh
Intron: the portion of DNA which expresses nothing useful.
The specific response: It's already patched. A released exploit that's already had a patch released for it is nowhere near as scary as one that hasn't.
The general response: As always with open source, if the Mozilla guys drop the ball and you know what you're doing, you can patch it yourself. With closed source, you're kinda at the mercy of the makers (usually Microsoft).
Anecdotal evidence: Yes, this is in the past, but I let two total newbies use a box of mine for about a year, with the only relevant modifications being: Installed Firefox, Deleted shortcuts to IE, Spybot's resident protection, Spyware Blaster, Windows autoupdates on, and Nod32 (not even a firewall). They never had ANY problem until they figured out how to open IE, at which point they managed to get a bit of spyware in.
How do you put an open source browser "out of business"? If IE7 is all it's cracked up to be, and has some features Firefox doesn't, the Mozilla team can add them to Firefox fairly rapidly. But to say that a closed source, proprietary, bundled browser is going to "put out of business" an open source, cross platform browser is just plain dumb.
If there is anything more important than my ego around here, I want it caught and shot now.
...that PwnScape is SkyLined's ported version of Internet Exploiter. That's why it looks so polished, it was refined attacking IE, and there are a scary-huge number of unpatched IE bugs that MS knows about (over 50 now).
It's becoming a target of technical attacks because it's becoming higher profile. However, it's doing a very good job of fixing vulnerabilities overall, at least compared to IE.
Yeah, there are response time problems and masked bugzilla bugs, but being open about a bug before a patch is available isn't always the best idea; just because it's open source doesn't mean the discoverer is going to come up with, or be able to come up with, a patch immediately, but one generally turns up; the team is being pretty damn good. It may have been patched properly yesterday, but it was very quick to release a mitigation (disabling IDN).
IE, meanwhile, has a YEARS old vulnerability that MSRC are trying to keep under wraps (even from their partners), because it's a SERIOUS design fault hidden in IE/Shell integration that allows a way of launching ActiveX controls that completely ignores the killbit. Seen Illwill laughing about it, so I know I'm definitely not the only person to independently discover it, and he's been gloating on F-D. And, if you do it right, the 'sploit ignores security zones and settings entirely; you can 0wn a fully patched, fully locked down IE, just by viewing a webpage, with no prompts.
I have a working exploit for it. I won't release it, 'cause if I did, that's a million Windows boxes 0wned by Istbar and some scummy affiliate.
Firefox is an excellent browser overall. If you don't like it, might I suggest Opera 8.50, which is now ad-free, registration-free freeware and also has an extremely responsive security team.
Practically speaking I guess this means we should all stay away from questionable (*cough*pr0n*cough*) sites for a few days. Seriously, we all know where these exploits are likely to show up first...
To the making of books there is no end, so let's get started
I wonder how many weeks it'll be...oh, yea, they released it yesterday. If only all web browsers had these sorts of exploits -- that is, the already-patched type.
It's certainly true that root access causes the most headaches, but there's a lot that can be done without root access.
Even with just user-level access, it can erase all of your files or set up a spam relay. It may even be able to set up a keystroke logger or install a modified version of your browser (for you alone) that slurps up your credit card numbers. And it can modify your local .rc files to re-run itself when you boot (and check to see if you've altered them and re-modify them as soon as you're done.)
It's a heck of a lot easier to remove than a root-level exploit (you can log in as root and remove the code, which you can't necessarily do to a rootkit). But even though the lack of root can limit the damage, considerable damage can be done without it.
The solution? Well, partly it would be nice to have the OS provide fine-grained control, so that even if malicious code gets to execute it could be prevented from modifying your files without explicit permission or accessing the Internet to act as a spam relay. But such fine-grained controls are incredibly tedious; they exist in Java but they're rarely used.
Failing that, the rest of the solution is to write any program that downloads arbitrary content from the internet very, very carefully.
The security of a web-browser is in no way related to the number of vulnerabilities found per year. There are two mystical numbers out in the ether which relate to the exact number of security flaws in Firefox and IE. Now not all vulnerabilities are created equally. IE could have ten minor vulnerabilities for every major vulnerability found in Firefox and IE could still come out on top. What I'm trying to say is the number of vulnerabilities is a very poor metric for security.
This vulnerability is yet another heap based attack. Another attack that could have been avoided if people compiled the programs with the various heap/stack protection switches. Please don't bitch about how it makes pointer arithmetic too slow. It just isn't true, what you should be doing is compiling the entire program with the switch then if it turns out to be too slow, factor out the code into a separate library and compile it without the switch. You can then do focused code reviews on this unsafe code to hunt out overflows/heap.
If you remember nothing else today remember this sentence: "Security costs CPU cycles..". Guess what gents? XOR is a really fast cipher but it doesn't give you any security. You need a whole bunch more clock cycles to get it. The funny thing is people only apply this thinking to cryptography when in fact it's a general security principle. All the string checks you do cost CPU cycles as the program will function just fine without them. You decide to spend CPU cycles on this task to get security because you feel it is important. To get security you have to spend a metric-fuckton of CPU cycles. Fact. What I want people to recognise is that it is worth making your programs slower to consign buffer overflows to the history book.
For a web-browser on a PC there is really no excuse because we have multi-GHz computers that are sat around idling most of the time. For all the naysayers who pronounce almost with religious zeal that the performance hit will be dramatic and thus be unacceptable, I ask them two questions:
Join me and spread the word. Tell the world to spend CPU cycles on getting security because it hurts us all that we have such insecure software. Remember, "Security costs CPU cycles"
Simon.
Security experts agree: Apple makes the most secure computers and you get the best of Unix and Microsoft compatibility when you go with Apple. The native browser for Apple is Safari. Why not just go the safe route and go with Apple? There haven't been many reports of Safari vulnerabilities, continuing Apple's domination of the safety record for the last few years.
;-)
Just buy a Mac
I have little time for browser wars, but it is notable that despite the 1.0.7 announcement even making Slashdot yesterday, it's not showing up as an automatic download yet. Worse, it doesn't show up even if you manually check for updates.
There's not much point patching a security issue if you can't distribute the patch and even conscientious users won't find out about it by the expected method.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
I am very scared about this turn of events. I used to see unpatched IE all over the place. Thankfully, that is a lot more rare now. Microsoft has made it hard not to patch IE and Windows. Not so with Firefox. I have seen unpatched Firefox installs all over the place. Ostensibly Firefox is there as the secure alternative to IE. People have actually said to me that "unpatched Firefox is more secure than patched IE" and that they aren't worried about it. Firefox Update is way too easy to ignore and a lot of people do. This is going to come back to bite them big time. And Firefox is going to have a PR-nightmare with some big security disasters over the next few months.
Is it really Firefox's fault if users don't patch their systems? The answer to that is yes, because they're trying to be the market-dominant browser. In order to be market-dominant, you have to have a browser equally suited to idiots as well as the technically adept. Firefox Update needs to be impossible to ignore and hard to disable unless you really know what you're doing. Because it is a weak feature right now, Firefox puts users at risk.
So why the hell hasn't the patch shown up on Firefox's automatic updates, even if you manually check for it?
Doesn't do any good to patch it if you don't notify people about it. Not everyone reads Slashdot.
Quidquid latine dictum sit, altum sonatur.
Every time some open source software, like Firefox or Linux, has an exploit, lots of people scream "see, it's insecure too! it's no better than IE / Windows!".
That has always sounded weird to me. Windows or IE have had dozens, maybe hundreds of holes and exploits, and yet, when Linux or Firefox have one, they're "just as insecure"?!?
Is this thing binary? No holes = secure, one hole = as insecure as a hundred holes?
Fine, Firefox has one now. Not really "exploited", since it's already been patched, but never mind that. So what? How many IE holes have there been? How many PCs are full of spyware, viruses, or sending thousands of spam emails a day because of an IE hole?
Can Firefox even begin to compare to that? I don't think so. It's at least dozens of really bad exploits (not to mention the "less than really bad" ones) behind.
The Tlog - a technology blog
How many developers do you think Microsoft has working furiously to release exploits into the wild to harm their competitors? Sure, it will never be admitted to, but ya gotta wonder...
Kudos to Firefox for releasing a patch the day before the exploit was announced though.
I figure sooner or later I'll find something that hasn't been hacked to pieces. If not, I'll protest and stop using the Internet! Ha...THAT will get their attention
(Come on...it was a joke!)
I'm not a troll, but I play one on Slashdot.
As someone else pointed out, the quickness of the patch doesn't matter because the end-user who's not the average slashdotter won't know there's a patch and won't install it. So why not forced security?
I play poker at Fulltiltpoker.com. Every time I want to play, the software connects to their server, checks for any updates, and then asks me to login. Granted, the poker software client is not as complicated as a web browser, but how difficult would it be to make Firefox check and install updates every time the user ran the program? I imagine it would be pretty simple. Have this enabled by default, and the active security-aware users can disable it if they would rather do it themselves or if they're paranoid. Think it might cost too much time to check every single time you run the program? Simply solved, a line of code telling it to skip the check if it's checked in the past 12 hours.
One of the simplest ideas in security is that if the end-user has to do it themselves, like not opening random e-mail attachments, then it's likely going to get fucked up. It's that simple. Take it out of their hands.
For those of you that are paranoid about Firefox contacting servers on its own, how do you think it knows when there are updates? It certainly didn't find out through telepathy.
Just my two cents.
Aero
Please stop hurting America -- Jon Stewart
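The startup check with a 12-hour skip proposed in the comment above, sketched as an added example; it is not part of the original thread and is not Firefox's update code. The function names, the `fetchLatest` callback and the sample version strings are assumptions made for illustration.

```javascript
// Added example (constructed): decide at launch whether to contact the
// update server, and what to do with the answer.
const CHECK_INTERVAL_MS = 12 * 60 * 60 * 1000; // skip if checked in the past 12 hours
const VERSION_RE = /^\d+(\.\d+)*$/;            // assumption: dotted numeric versions only

// Compare dotted versions numerically, so "1.0.10" sorts after "1.0.9".
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// The throttle must fail towards checking: a missing or corrupt timestamp,
// or one that lies in the future (clock set back, edited state file),
// never suppresses the check.
function shouldCheck(state, nowMs) {
  const last = state.lastCheckMs;
  if (typeof last !== "number" || !Number.isFinite(last)) return true;
  if (last > nowMs) return true;
  return nowMs - last >= CHECK_INTERVAL_MS;
}

// fetchLatest is a hypothetical callback that returns the newest released
// version string, or throws when the server cannot be reached.
function startupUpdateCheck(state, installed, nowMs, fetchLatest) {
  if (!shouldCheck(state, nowMs)) return { action: "skip", state };
  let latest;
  try {
    latest = fetchLatest();
  } catch (err) {
    // A failed check does not count as a check: the timestamp stays as it
    // was, so the next launch tries again instead of waiting 12 hours.
    return { action: "retry-next-launch", state };
  }
  if (typeof latest !== "string" || !VERSION_RE.test(latest)) {
    return { action: "retry-next-launch", state };
  }
  const checked = { ...state, lastCheckMs: nowMs };
  if (compareVersions(installed, latest) < 0) {
    return { action: "update", to: latest, state: checked };
  }
  return { action: "current", state: checked };
}
```

The timestamp is only advanced after a well-formed answer, which is the detail a one-line "skip if recently checked" tends to get wrong.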
"Ummm, so basically Mozilla was ahead of the game as far as this hole is concerned, having already released a patched version of the browser before the exploit became known?"
Did it occur to you the patch may have been reverse engineered, and the exploit created from the patch? There is a reason MS doesn't like to patch holes that haven't been exploited.
The version of firefox I'm using is unpatched and vulnerable since the IT guy here hasn't bothered to patch it yet.
Vote for Pedro
Meanwhile, we Opera users just keep chuggin' along. I got sick of this crap months ago and went to Opera which is faster, takes half the memory, and offers more features in a 5MB download.
Sorry to shill, but hey, Opera got dumped on for so long on Slashdot just for having banner ads (you know, just like Slashdot's banner ads...), and now that it's free, there's no reason not to use it full-time. Your tabbed browsing came from Opera, after all...
"Sufferin' succotash."
36,000 people a year die from the flu according to the CDC, this gets rare news coverage.
People die every single day on the highway.
People are murdered just about every day.
Thousands of people are starving to death in Africa.
A plane with a busted nose gear makes huge news.
Reporting about an IE exploit would be as exciting as reporting a flu death. The rare events make for more drama. The news is about drama, not NEWS.
----- If communism is a system where the government owns business, what do you call a system where business owns govern
I read your comment the first time, but after a second reading, your point is still invalid. The patch was released by Mozilla before this particular hole was announced. Read *my* first comment again, and see that this is the point that I was making. Mozilla had already fixed this particular issue before the hole was known.
It is not up to Mozilla, any more than it is up to Microsoft, to ensure that every person using their browser has a fully upgraded/patched version in front of them. The users must take some responsibility. If you have an issue with the update process, then fine, that point is valid, and to some extent I share your view. However, that point does not relate to the fact that Mozilla's efforts vis-a-vis the patching cycle are directly responsible for the fact that a patched version of the browser was released prior to the discovery of this security problem.
It is no different for a user of Firefox than it is for a user of IE as far as responsibility for keeping updated is concerned -- the difference is that when people are using IE, they often do not even have a newer, patched version of the browser that they can, in any way and by any means, install to correct a known issue.
You can keep arguing about the problems with the automatic update mechanism employed by Firefox, and that's fine, but it isn't the issue that I was dealing with.
B
"We must still have chaos within in order to be able to give birth to a dancing star." --Friedrich Nietzsche
But simple web browsing is still "safer" in Firefox. Your computer might get pwn3d, but your browser won't! The "exploits" and "security flaws" everyone is talking about completely misses the layman's reason for switching, and that is because (thus far) none of these FireFox exploits turn innocent browsing into a spyware, adware, toolbar infested nightmare.
So you can install anything onto the computer (such as spyware, adware, malware, etc.) but the browser is still safe? I agree with the other poster... what a crock! Also note that it's possible to install extensions into Firefox. Just because nobody has written a spyware/adware extension for Firefox doesn't mean that Firefox is immune. In fact, one of the benefits of Firefox is the ability to extend it. Do you even *know* what you're talking about?
Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
I would never run it under Windows because the UI is slower, the startup is horrid, and it takes more resources than other programs.
I do run it under Windows, and I can't say that I've seen a finer client. The memory footprint is a side effect of what it's doing (caching large amounts of data), not the JVM. Java programs only have ~20% increase in footprint. This increase comes from the fact that running the Java VM requires that an OS be loaded on top of an OS. If the JVM was an OS, there would be no overhead other than the differences in String handling.
The right answer is that Java is faster than C for some things, slower than C for others.
This is almost always the correct answer when comparing technologies. However, that answer is still quite different from "Java is slow". Java is *not* slow and has a very comparable average execution to C/C++ code. Worst case, we're talking about a 5-10% reduction in performance. Best case, we're talking about a 5-20% increase in performance. (Due mainly to programs that Hotspot can optimize well.) Either way, the performance difference is irrelevant on modern machines.
Java also has the issue of the UI handling, which is not as nice as the established UI toolkits available to other languages. The UI response is also not as good as a native program.
That is a whole other issue independent from the Java itself. FWIW, Swing is provably faster than the native Windows GDI. (Which, BTW, tends to cheat by not performing all updates.) The problem is that Swing has a different update model which can have *perceived* performance problems. This puts a bit more of a requirement on the developer to understand how to avoid those problems.
One other issue that makes Java seem slow is the interaction of the Java Objects with the VMM of many systems. When Java scans the objects to see if they should be collected or not, it creates havoc with the memory that the VMM swapped out (particularly on Windows). A system designed around Java would not have this problem. (Or even a better memory manager like on Linux, FreeBSD, and Solaris.)
That's like my saying "No, C/C++ is just the right answer, because Windows, Linux, OSX, BSD, QNX, BeOS, Firefox, Gaim, Office, etc. is written with them." It has no bearing on anything.
No, if you said that "No one will use C because it's slow", using those examples would be a good counterpoint. I never tried to say that Java is "the right answer" because of a few programs. I said, that these are a few examples of programs that easily disprove the "Java is slow" argument.
Javascript + Nintendo DSi = DSiCade
I'm afraid I have been unclear. I am not challenging the facts of your posts. I am simply saying that, for most people, they are irrelevant.
Within the first few minutes of this discussion starting, I lost track of the number of posters making smart-ass comments about how Firefox rocks compared to IE, because the patch was already out when the exploit hit. I nearly suffocated under the smugness coming off the geek brigades.
And yet, they (and, based on your most recent post, you) seem completely ignorant of the fact that nearly all security flaws in IE are patched well before exploits are found in the wild, too. Most (all?) of the major outbreaks that have hit mainstream media headlines in recent months would have been completely avoided if people had patched their systems; sometimes there were months before the exploits appeared.
So, if the Firefox patch was out but not applied, then the fact that it exists on a web site somewhere really doesn't matter to most people, and neither is it a particular advantage of Firefox over any alternative browser. This may not have been the point you were trying to make, and perhaps I picked the wrong initial post to reply to when making mine, but it's certainly a strange thing a lot of people around here today seem to believe.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
I can settle this for anyone confused.... Let's take a poll... who has had their Firefox hijacked? Who has had to spend countless hours removing malware from their users' Firefox installation?
Nobody?
Huh,
That's why I mandated Firefox in my office.
The only thing anybody could ever prove is that Firefox's security is about as bad as IE's, and that still doesn't make it a worse choice. Right now, with Firefox making up less than 10% and IE making up about 80%, the majority of the exploits that are marketable are IE exploits.
So people should keep using alternate browsers based on their merit up until they stop becoming alternate browsers. Then, maybe IE's GLORIOUS interface and GLORIOUS functionality can Lure Us Back.
Oh, please.
Please stop stalking me, bro.
The way Firefox handles update notifications is particularly bad. The little red arrow is way too easy to ignore, particularly if you don't already know what it's for.
I wonder how fast Firefox would load if the XUL processor was preloaded. Like XULRunner with the Firefox XULs.
We shouldn't forget that bad press for FF is in the interests of the Black Hats who make money off of IE exploits. FF is harder to crack than IE. Not impossible just harder. Their aim is most likely to maintain the "good times" of IE. So we shouldn't be surprised that not only is an exploit released but a nasty application of it as well. The black hats wouldn't release the app for the IE version because it would be too useful, but by releasing the FF one they support their investment in IE.
Bitter and proud of it.