Slashdot Mirror
Firefox Exploit Adds Fuel to Browser Security Feud
An anonymous reader writes "Washingtonpost.com is reporting that a fairly nasty exploit has been released for a security hole that Firefox patched just yesterday. This is sure to add fuel to the ongoing heated debate over whether Mozilla is any safer the Internet Explorer." From the article: "This is not your run-of-the-mill proof of concept exploit code. It appears to be quite comprehensive, and would allow any attacker to use it with only slight modifications. According to the advisory, the code is designed to be embedded in a Web site so that anyone computer visiting the evil site with Firefox or Netscape would open up a line of communication with another Internet address of the attacker's choice, effectively letting the bad guys control the victim computer from afar."
Browser, shmouser..... What I want is a secure OS! Arguably, if the OS is secure enough, then you should not have problems with programs that can start executing code without permissions. Granted, it is a matter of balance, but an OS should never allow root control by an application without specific permission. Of course the default with Windows is root, but hey....
As an interesting aside: We just went through a two day outage at the university here because of a worm that infected a series of Windows systems. My question to IT guy#1 was: "Dude, why did you guys switch from Solaris to Windows?" His reply was that "the Windows solution was cheaper". I said "Dude, you guys need Macs!", to which he replied "yeah, no $#!t" when he caught himself and said something unintelligible. Guy #2 that I spoke to today gave me some song and dance about how Macs are really hard to integrate into mixed platform networks and then said something to the effect of "if Macs had greater market share, we would be in the same boat". I said something to the effect of "Bull$#1t". It comes down to management and OS design. Windows can be secure, but it requires much more oversight than do other alternatives. But fundamentally, all of the calls direct to the kernel that are available to applications are a problem that will not be solved until (hopefully) the next MS OS.
Visit Jonesblog and say hello.
I for one welcome our new Firefox hacking overlords.
Firefox is finally catching up with the market leader! Woo!
Man is a slave because freedom is difficult, whereas slavery is easy.
The sad thing is that it also comes on the heels of zdnet.com claiming that Firefox is having significantly more security issues than IE.
I guess, though, this does give some credence to the "security through obscurity" theory, as the number and frequency of issues seems to have increased as Firefox adoption has increased. And if that's the case, can we expect to see these issues become even more frequent if Firefox adoption continues to grow?
All the arguments that open source is more secure because there are more eyes to spot problems and more hands to fix them are starting to ring a bit hollow as I upgrade/patch my Firefox install on what seems like a monthly basis.
Given, I still trust MSFT as far as I can throw a Volkswagen, but my laughs at their FUD aren't so loud or haughty today.
- Greg
Start a happiness pandemic
Publicity was the demise, the great browser begged for mainstream attention, got the show but caught the eye of the bad guys.
No software is universally perfect.
Slashdot needs Geekcode | Can anyone recommend any good SCIFI? My tastes: Foundation, Startide Rising, CITY, Ringworld,
Also on the plus side, the Washington Post link crashes my IE, so I can't even read the anti-Firefox news. Score another for Mozilla!.
What I'm listening to now on Pandora...
Follow this thread on Mozilla Forums for more information. But don't be complacent if you're running the new Beta and be sure to upgrade.
should be the exploit (and only the exploit). The browser feud is really becoming a pointless exercise in arguing. See here.
Ummm, so basically Mozilla was ahead of the game as far as this hole is concerned, having already released a patched version of the browser before the exploit became known?
Pardon, but rather than using this exploit as some kind of evidence that Firefox is on-par, security-wise, with IE, shouldn't we be viewing this as a victory for the patch/version-release cycle of the Mozilla foundation?
There will always be new security holes found. The difference is that patched versions of the browser, fixing the security hole in question, are not always released before the hole is announced.
Two cents.
B
"We must still have chaos within in order to be able to give birth to a dancing star." --Friedrich Nietzsche
Does the Washington Post, or any other mainstream media outlet, publish a story whenever an exploit is released in the wild for Internet Explorer? In the last year, maybe if it is actually affecting some media companies. Otherwise no.
.... Microsoft's PR firm?
So why the constant drumbeat of breathless stories about bugs (flaws) and exploits in Firefox? Could it be that the MSM is being seeded by someone? Say
sPh
Intron: the portion of DNA which expresses nothing useful.
I just have to wonder... have people ever used exploits like this to do any purposeful remote-administration?
The specific response: It's already patched. A released exploit that's already had a patch released for it is nowhere near as scary as one that hasn't.
The general response: As always with open source, if the Mozilla guys drop the ball and you know what you're doing, you can patch it yourself. With closed source, you're kinda at the mercy of the makers (usually Microsoft).
Anecdotal evidence: Yes, this is in the past, but I let two total newbies use a box of mine for about a year, with the only relevant modifications being: Installed Firefox, Deleted shortcuts to IE, Spybot's resident protection, Spyware Blaster, Windows autoupdates on, and Nod32 (not even a firewall). They never had ANY problem until they figured out how to open IE, at which point they managed to get a bit of spyware in.
How do you put an open source browser "out of business". If IE7 is all it's cracked up to be, and has some features Firefox doesn't, the Mozilla team can add them to Firefox fairly rapidly. But to say that a closed source, proprietary, bundled browser is going to "put out of business" an open source, cross platform browser is just plain dumb.
If there is anything more important than my ego around here, I want it caught and shot now.
...because we all know that no self-respecting hacker would attack a friend of open-source such as FireFox. These exploit discoveries are being secretly funded by Microsoft!
...that PwnScape is SkyLined's ported version of Internet Exploiter. That's why it looks so polished, it was refined attacking IE, and there are a scary-huge number of unpatched IE bugs that MS knows about (over 50 now).
It's becoming a target of technical attacks because it's becoming higher profile. However, it's doing a very good job of fixing vulnerabilities overall, at least compared to IE.
Yeah, there are response time problems and masked bugzilla bugs, but being open about a bug before a patch is available isn't always the best idea; just because it's open source doesn't mean the discoverer is going to come up with, or be able to come up with, a patch immediately, but one generally turns up; the team is being pretty damn good. It may have been patched properly yesterday, but it was very quick to release a mitigation (disabling IDN).
IE, meanwhile, has a YEARS old vulnerability that MSRC are trying to keep under wraps (even from their partners), because it's a SERIOUS design fault hidden in IE/Shell integration that allows a way of launching ActiveX controls that completely ignores the killbit. Seen Illwill laughing about it, so I know I'm definitely not the only person to independently discover it, and he's been gloating on F-D. And, if you do it right, the 'sploit ignores security zones and settings entirely; you can 0wn a fully patched, fully locked down IE, just by viewing a webpage, with no prompts.
I have a working exploit for it. I won't release it, 'cause if I did, that's a million Windows boxes 0wned by Istbar and some scummy affiliate.
Firefox is an excellent browser overall. If you don't like it, might I suggest Opera 8.50, which is now ad-free, registration-free freeware and also has an extremely responsive security team.
Practically speaking I guess this means we should all stay away from questionable (*cough*pr0n*cough*) sites for a few days. Seriously, we all know where these exploits are likely to show up first...
To the making of books there is no end, so let's get started
I wonder how many weeks it'll be...oh, yea, they released it yesterday. If only all web browsers had these sorts of exploits -- that is, the already-patched type.
It's certainly true that root access causes the most headaches, but there's a lot that can be done without root access.
.rc files to re-run itself when you boot (and check to see if you've altered them and re-modify them as soon as you're done.)
Even with just user-level access, it can erase all of your files or set up a spam relay. It may even be able to set up a keystroke logger or install a modified version of your browser (for you alone) that slurps up your credit card numbers. And it can modify your local
It's a heck of a lot easier to remove than a root-level exploit (you can log in as root and remove the code, which you can't necessarily do to a rootkit). But even though the lack of root can limit the damage, considerable damage can be done without it.
The solution? Well, partly it would be nice to have the OS provide fine-grained control, so that even if malicious code gets to execute it could be prevented from modifying your files without explicit permission or accessing the Internet to act as a spam relay. But such fine-grained controls are incredibly tedious; they exist in Java but they're rarely used.)
Failing that, the rest of the solution is to be write any program that downloads arbitrary content from the internet very, very carefully.
The security of a web-browser is in no way related to the number of vulnerabilities found per year. There are two mystical numbers out in the ether which related to the exact number of security flaws in Firefox and IE. Now not all vunerabilities are created equally. IE could have ten minor vulnerabities for every major vulnerability found in Firefox and IE could still come out on top. What I'm trying to say is the number of vulnerabilities is a very poor metric for security.
This vunerability is yet another heap based attack. Another attack that could have been avoided if people compiled the programs with the various heap/stack protection switchs. Please don't bitch about how it makes pointer arithmetic too slow. It just isn't true, what you should be doing is compiling the entire program with the switch then if it turns out to be too slow, factor out the code in to a seperate library and compile it without the switch. You can then do focused code reviews on this unsafe code to hunt out overflows/heap.
If you remember nothing else today remember this sentence: "Security costs CPU cycles..". Guess what gents? XOR is a really fast cipher but it doesn't give you any security. You need a whole bunch more clock cycles to get it. The funny thing is people only apply this thinking to cryptography when in fact it's a general security principle. All the string checks you do cost CPU cycles as the program will function just fine without them. You decide to spend CPU cycles on this task to get security because you feel it is important. To get security you have to spend a metric-fuckton of CPU cycles. Fact. What I want people to recognise is that it is worth making your programs slower to consign buffer overflows to the history book.
For a web-browser on a PC there is really no excuse because we have multi-GHz computers that are sat around idling most of the time. For all the naysayers who prounce almost with religious zeal that the performance hit will be dramatic and thus be unaccepetable. I ask them two questions:
Join me and spread the word. Tell the world to spend CPU cycles on getting security because it hurts us all that we have such insecure software. Remember, "Security costs CPU cycles"
Simon.
Microsoft has stopped working on IE7 and has its PhD's working full-time on writing exploits for known holes...
karma police: arrest this man, he talks in maths; he buzzes like a fridge, he's like a detuned radio. [radiohead]
Let's see them attack my text-based browser!
I'm not a troll, but I play one on Slashdot.
that the actual exploit was released under the GPL... this means that anyone who takes it and modifies it has to release their improvements if they then proceed to distribute it... so if anyone does get infected, please get the person you got it from sued by Gnu for failing to make the source code available as well...
Donald 'Duck' Dunn: We had a band powerful enough to turn goat piss into gasoline.
They do patch stuff fast, but until automatic updates work correctly, it's not going to do much good for the average idiot user. And someone will eventually start trying to take advantage of these exploits. I'm running 1.0.6 and there's no update icon showing. When I say Check Now: "Firefox was not able to find any updates." -paul
I personaly believe that the activeX exploits are the nasty ones. I use to get so much crap on my system when I ran IE, even after the SP2 update. Since I use Firefox almost exclusively, I have had just about none. That's good enough for me.
I'm going to rip Linux out of all my boxes, install WinXP SP2, and do all of my web surfing on IE with ActiveX enabled, just to be safe!
The living have better things to do than to continue hating the dead.
I have little time for browser wars, but it is notable that despite the 1.0.7 announcement even making Slashdot yesterday, it's not showing up as an automatic download yet. Worse, it doesn't show up even if you manually check for updates.
There's not much point patching a security issue if you can't distribute the patch and even conscientious users won't find out about it by the expected method.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
Comment removed based on user account deletion
I just removed Firefox from this computer and installed Opera. No problem.
I also just tried to remove IE... no luck.
Firefox is still better.
guns kill people like spoons make Rosie O'Donnell fat.
I am very scared about this turn of events. I used to see unpatched IE all over the place. Thankfully, that is a lot more rare now. Microsoft has made it hard not to patch IE and Windows. Not so with Firefox. I have seen unpatched Firefox installs all over the place. Ostensibly Firefox is there as the secure alternative to IE. People have actually said to me that "unpatched Firefox is more secure than patched IE" and that they aren't worried about it. Firefox Update is way too easy to ignore and a lot of people do. This is going to come back to bite them big time. And Firefox is going to have a PR-nightmare with some big security disasters over the next few months.
Is it really Firefox's fault if users don't patch their systems? The answer to that is yes, because they're trying to be the market-dominant browser. In order to be market-dominant, you have to have a browser equally suited to idiots as well as the technically adept. Firefox Update needs to be to be impossible to ignore and hard to disable unless you really know what you're doing. Because it is a weak feature right now, Firefox puts users at risk.
Please note my comments earlier in the thread: since the patch hasn't hit the auto-updates yet, even if you check for it manually, this patch does not exist for most users. There is an exploit for it in the wild. Hence most Firefox users are not safe from this exploit.
There, I put the actually relevant bits in bold for you, just to make it clear. Firefox is a great product for many reasons, but let's not kid ourselves that its security policy is perfect right now, OK? If my Firefox browser had popped up within a few minutes of the patch being released and invited me to download it, you'd have had a case, but it didn't.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
where have you been during this entire conversation? why is FF getting more exploits?? because more people are useing it.. do you really think that your browser/OS of choice is really that much better? maybe.. but I am willing to bet just as many holes will be found.
Losers whine about their best, Winners go home to fuck the prom queen
It's also the major reason large numbers of huge companies aren't adopting Firefox, since it's the technology many of them base their Intranets on. It's a security risk when outside sites can use it, but not having it for internal pages is a PITA at times.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
So why the hell hasn't the patch shown up on Firefox's automatic updates, even if you manually check for it?
Doesn't do any good to patch it if you don't notify people about it. Not everyone reads Slashdot.
Quidquid latine dictum sit, altum sonatur.
I don't understand how this helps - if you install application "X" you expect to trust it, and I assume you grant it privileges to run on your machine etc. So great, now the app can run on your machine...you trust it...but what's to stop it from having a heyday with your system?
I clicked "Check Now" in the Software Update section using Firefox 1.0.6, and no update was shown. The Firefox box was checked. Anyone else seeing this, or is this just a proxy issue?
This was well over a day after the release of 1.0.7. What URL is used to check for updates, and do they have appropriate options set on server to prevent long caching?
Every time some open source software, like Firefox or Linux, have an exploit, lots of people scream "see, it's insecure too! it's no better than IE / Windows!".
That has always sounded weird to me. Windows or IE have had dozens, maybe hundreds of holes and exploits, and yet, when Linux or Firefox have one, they're "just as insecure"?!?
Is this thing binary? No holes = secure, one hole = as insecure as a hundred holes?
Fine, Firefox has one now. Not really "exploited", since it's already been patched, but never mind that. So what? How many IE holes have there been? How many PCs are full of spyware, viruses, or sending thousands of spam emails a day because of an IE hole?
Can Firefox even begin to compare to that? I don't think so. It's at least dozens of really bad exploits (not to mention the "less than really bad" ones) behind.
The Tlog - a technology blog
How many developers do you think Microsoft has working furiously to release exploits into the wild to harm their competitors? Sure, it will never be admitted to, but ya gotta wonder...
Kudos to Firefox for releasing a patch the day before the exploit was announced though.
I figure sooner or later I'll find something that hasn't been hacked to pieces. If not, I'll protest and stop using the Internet! Ha...THAT will get their attention
(Come on...it was a joke!)
I'm not a troll, but I play one on Slashdot.
As someone else pointed out, the quickess of the patch doesn't matter because the end-user who's not the average slashdotter won't know there's a patch and won't install it. So why not forced security?
I play poker at Fulltiltpoker.com. Every time I want to play, the software connects to their server, checks for any updates, and then asks me to login. Granted, the poker software client is not as complicated as a web browser, but how difficult would it be make Firefox check and install updates every time the user ran the program? I imagine it would be pretty simple. Have this enabled by default, and the active security-aware users can disable it if they would rather do it themselves or are if they're paranoid. Think it might cost too much time to check every single time you run the program? Simply solved, a line of code telling it skip the check if it's checked in the past 12 hours.
One of the simplest ideas in security is that if the end-user has to do it themselves, like not opening random e-mail attachments, then it's likely going to get fucked up. It's that simple. Take it out of their hands.
For those of you that are paranoid about Firefox contacting servers on it's own, how do you think it knows when there are updates? It certainly didn't find out through telepathy.
Just my two cents.
Aero
Please stop hurting America -- Jon Stewart
"Ummm, so basically Mozilla was ahead of the game as far as this hole is concerned, having already released a patched version of the browser before the exploit became known?"
Did it occur to you the patch may have been reverse engineered, and the exploit created from the patch? There is a reason MS doesn't like to patch holes that haven't been exploited.
The version of firefox I'm using is unpatched and vulnerable since the IT guy here hasn't bothered to patch it yet.
Vote for Pedro
Ideally you install Firefox once as Admin (coz we trust those Firefox developers not to put anything nasty in the installer), then login to a user account. The user account has permission to run Firefox, but not as Admin, so won't have permission to modify Firefox, the kernel, or whatever. In case of an exploit, you can still destroy your own user files though.
Unix, traditionally having a less granluar permissions model than NT, has a lot of programs that when run as a user, change themselves to run as Admin. An example is traceroute, which is SUID root. An exploit in one of those, and the game is up.
All this is largely academic though, as Windows doesn't use its permissions model properly by default. Explorer for example is usually run as Admin, allowing a single exploit to destroy your files, the kernel, whatever.
I'd like to propose a new game here on Slashdot, called "Six Degrees of Microsoft." The objective is to relate *any* story, from browser exploits, to RFID tags, to new features on Google maps back to some oversight, corruption, or other evil perpetrated by Microsoft.
Understand, I'm not even saying I necessarily disagree with the parent post, I just think that every Slashdot post in the future should have at least one response titled "Six Degrees of Microsoft." Firefox/IE posts are easy, but "GBA SP Updated with Brighter Backlit Screen" might be a bit more of a challenge.
Good luck...
The only acceptable defense of scientific results is to say that they were the product of the Scientific Method.
36,000 people a year die from the flu according to the CDC, this gets rare news coverage.
People die every single day on the hiway.
People are murdered just about every day.
Thousands of people are starving to death in Africa.
A plane with a busted nose gear makes huge news.
Reporting about an IE exploit would be as excting as reporting a flu death. The rare events make for more drama. The news is about drama, not NEWS.
----- If communism is a system where the government owns business, what do you call a system where business owns govern
"I don't understand how this helps - if you install application "X" you expect to trust it, and I assume you grant it privileges to run on your machine etc."
You trust it to perform specific actions. You do not mean to implicitly grant unlimited privileges. You expect, and trust, your web browser to render HTML. You do not grant it permission to delete all your files simply by the action of running it. So there has to be a trust within limits relationship. Applications should be able to execute in a non-destructive manner but require further authorization to do such things as install other apps, delete or modify any files other than its own, etc.
The problem with this is laziness. OpenBSD and NetBSD both include Systrace, a facility that allows every system call made by a program to have its inputs validated and then run either as the user or as root (so, for example, you can allow a web server to bind to port 80, but not do anything else as root). The problem is that very few people get around to creating the required rule sets. Eventually they may grow some useful pre-defined setups for common apps, but it's going to take a lot of effort for someone.
I am TheRaven on Soylent News
No, it's quite to the point provable and true. For example, I use Azureus because I haven't found another suitable client under Linux. I would never run it under Windows because the UI is slower, the startup is horrid, and it takes more resources than other programs. It is responsable for 60MB of RAM and a 380MB VM footprint. It is consuming 1.3% of my Athlon 2600, and 7% of my total 768MB of RAM.
Java is slow to start and requires more memory than an equally competently written native code program. This is always going to be the case, because it imposes both the overhead of the C libraries and the overhead of the JVM itself.
The case where Java is *not* slower is where it can do run-time optimizations. Then it is sometimes faster than native code. In the other cases, Java is just not *as* slow as it used to be, that's what has changed.
It could be said that the "Java is fast" people are being equally unreasonable because they're ignoring many of the more important places that Java is slower in. The right answer is that Java is faster than C for some things, slower than C for others. During execution, they are comparable. In shutdown and startup, Java is slower. Java also has the issue of the UI handling, which is not as nice as the established UI toolkits available to other languages. The UI response is also not as good as a native program.
Also, this is the same NASA that is known for so many inefficiency and poor choices. Are you meaning to imply that Java is another of these? The thing is that NASA could have chosen almost any language and accomplished the same thing. They just decided to use Java. Is that supposed to prove something? Or was that supposed to be that you named three apps that were written in Java, and have better native equivalents on many OS'? I already mentioned Azureus, WURM is OpenGL with Java logic, and jdiskreport is yet another program that solves a solved problem.
That's like my saying "No, C/C++ is just the right answer, because Windows, Linux, OSX, BSD, QNX, BeOS, Firefox, Gaim, Office, etc. is written with them." It has no bearing on anything.
If you want counterpoint, fine, I don't think I've ever used a Java app where the UI was decently responsive. That includes Azureus, LDAP Browser, Dell OpenManage, HP WebAdmin, parts of OpenOffice (like the DB portion in 2.0 beta), the Java control panel, and the Solaris installer.
So no, Java is still slow enough to be impractical on the desktop. The Java UI toolkits suck, and the whole language suffers as a result. Fix the UI, fix the load times, and fix that you need another instance of the JVM for each app. Then you have it good for desktop apps.
But simple web browsing is still "safer" in Firefox. Your computer might get pwn3d, but your browser won't! The "exploits" and "security flaws" everyone is talking about completely misses the layman's reason for switching, and that is because (thus far) none of these FireFox exploits turn innocent browsing into a spyware, adware, toolbar infested nightmare.
So you can install anything onto the computer (such as spyware, adware, malware, etc.) but the browser is still safe? I agree with the other poster... what a crock! Also note that it's possible to install extensions into Firefox. Just because nobody has written a spyware/adware extension for Firefox doesn't mean that Firefox is immune. In fact, one of the benefits of Firefox is the ability to extend it. Do you even *know* what you're talking about?
Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
Why yes, yes I do. I love its features, but the interface is incredibly sluggish. Same goes for Eclipse. I've used it on Windows, Linux, and FreeBSD with various JDKs. It's slow. I'd go crazy if all the GUIs I use were the same way.
LOAD "SIG",8,1
This, of course presumes that (1) the original exploit author is a proper white-hat, and (2) we catch the person who creates the worm.
Free Software: Like love, it grows best when given away.
I see many here saying that the FireFox security update system is inadequate because it's too easy to ignore, not in your face, too easy to go unnoticed (and many times doesn't even work; my FireFox is giving no indication that it needs updating). What you don't understand is that the FireFox team *wants* the update notifications to be easily unnoticed, not in your face, easy to ignore. If they became "in your face", then the user would eventually think, "Damn, I sure do have to update this thing a lot. Guess it's not really that secure after all."
-- "I never gave these stories much credence." - HAL 9000
I can settle this for anyone confused....Lets take a poll...who has had their firefox hijacked? Who has had to spend countless hours removing malware from their users firefox installation?
Nobody?
Huh,
Thats why I mandated Firefox in my office.
Have there actually been any successful exploits using a web browser as an attack mechanism. The ones that have had the worst effects seem to have been the ones which email an executable with a message saying "Oy dumbass run this executable". They seem to work far better than any thought out technical exploit.
The only thing anybody could ever prove is that Firefox's security is about as bad as IE's, and that still doesn't make it a worse choice. Right now, with Firefox making up less than 10% and IE making up about 80%, the majority of the exploits that are marketable are IE exploits.
So people should keep using alternate browsers based on their merit up until they stop becoming alternate browsers. Then, maybe IE's GLORIOUS interface and GLORIOUS functionality can Lure Us Back.
Oh, please.
Please stop stalking me, bro.
the user can't install any extensions from a site other than update.mozilla.org without jumping through a few hoops first.
You DO realize that you have to first *whitelist* the extension in order to install it, and only certain Mozilla controlled sites are whitelisted by default, right?
Oh, and it's not an easy pushbutton thing, either. You have to find the setting in your browser (probably under about:config or somewhere) and add it that way. Should be more than enough to intimidate someone who isn't bright enough to know better than to install a spyware extension.
We shouldn't forget that bad press for FF is in the interests of the Black Hats who make money off of IE exploits. FF is harder to crack than IE. Not impossible just harder. Their aim is most likely to maintain the "good times" of IE. So we shouldn't be surprised that not only is an exploit released but a nasty application of it as well. The black hats wouldn't release the app for the IE version because it would be too useful, but by releasing the FF one they support their investment in IE.
Bitter and proud of it.
(Note: I am not a shill/user of his software but am a fellow coder always on the lookout for good, elegant, useful code and ideas to use in future projects....)
From
http://www.slproweb.com/download/ProtoNova_ID.chm
Discussion on Security
[snip]
Before I conclude, I have one other thing I wish to mention that defines security. This is the fact that ProtoNova is the only web server in existence guaranteed to be free from Buffer Overflow attacks on the stack at the application level. Let's see you try to get a guarantee like that from Apache or Microsoft. While I can't control problems with the underlying OS or libraries, I can control how I write my own code. Here's my secret to how I can make such a guarantee: Dynamically allocate all memory I use on the heap. 90% of all bug fixes for exploits (potential or otherwise) coming out of various organizations (ahem, Microsoft) are for Buffer Overflow attacks on the stack. A buffer overflow on the heap is far less dangerous than a stack-based overflow. If you don't know the difference, let me show you that I really do know what I'm talking about (whereas most journalists generally have no clue) using some C code - that is, the language most web servers are written in:
(For you programmers out there, please ignore the comments. I realize they are "basic/newbie," but I'm attempting to explain source code to newbies).
The example above is extremely dangerous. Why? It is because there is only room reserved for 256 places in the computer's memory. What happens if the user enters data for 1000 places? This is where the danger comes in. The stack is where function calls like "main" are stored. When 1000 memory locations are copied from the user to str, the stack beyond the 256 is overwritten with whatever the user has entered. Typically, this will result in a crash when the function "main" "return"s...however, if those 1000 places in memory are carefully crafted, they can execute arbitrary code when "main" "return"s. This could be anything from a virus to a complete system takeover.
So, what is the solution to this? It should be obvious: Don't put anything the user enters, even remotely related, onto the stack...ever: