Firefox Exploit Adds Fuel to Browser Security Feud

An anonymous reader writes "Washingtonpost.com is reporting that a fairly nasty exploit has been released for a security hole that Firefox patched just yesterday. This is sure to add fuel to the ongoing heated debate over whether Mozilla is any safer the Internet Explorer." From the article: "This is not your run-of-the-mill proof of concept exploit code. It appears to be quite comprehensive, and would allow any attacker to use it with only slight modifications. According to the advisory, the code is designed to be embedded in a Web site so that anyone computer visiting the evil site with Firefox or Netscape would open up a line of communication with another Internet address of the attacker's choice, effectively letting the bad guys control the victim computer from afar."

Browser shmouser

[BWJones]

Browser, shmouser..... What I want is a secure OS! Arguably, if the OS is secure enough, then you should not have problems with programs that can start executing code without permissions. Granted, it is a matter of balance, but an OS should never allow root control by an application without specific permission. Of course the default with Windows is root, but hey....

As an interesting aside: We just went through a two day outage at the university here because of a worm that infected a series of Windows systems. My question to IT guy#1 was: "Dude, why did you guys switch from Solaris to Windows?" His reply was that "the Windows solution was cheaper". I said "Dude, you guys need Macs!", to which he replied "yeah, no $#!t" when he caught himself and said something unintelligible. Guy #2 that I spoke to today gave me some song and dance about how Macs are really hard to integrate into mixed platform networks and then said something to the effect of "if Macs had greater market share, we would be in the same boat". I said something to the effect of "Bull$#1t". It comes down to management and OS design. Windows can be secure, but it requires much more oversight than do other alternatives. But fundamentally, all of the calls direct to the kernel that are available to applications are a problem that will not be solved until (hopefully) the next MS OS.

Re:Browser shmouser

[AKAImBatman]

Arguably, if the OS is secure enough, then you should not have problems with programs that can start executing code without permissions.

Eh, it's multi-faceted. The problem is that many of the greatest security threats today are from buffer overflow attacks. (Or heap overflow in this case.) This is frustrating because we've had the technology for more than 20 years to write code that is invulnerable to these sorts of attacks. Unfortunately, the majority of OS and Desktop software has continued to rely on C and C++, making these holes not only possible, but probable.

If the buffer overflow attack were solved once and for all, then attackers would have to move higher up the stack. e.g. Embedded scripts in emails that run with full permission. This sort of attack is why Java has a built-in security manager that can prevent access to secure resources. Should our security problems ever escalate to this level, I'm sure you'll see a lot of similar security managed environments showing up.

Re:Browser shmouser

[jacksonj04]

You talk as if you need it ;-)

Re:Browser shmouser

[Quantam]

Utter nonsense. Do you use Azureus? Perhaps you've played WURM Online? Do you need to clean up your hard drive?

The Java is slow myth is a load of hogwash that opponents of the technology use to justify their stance against it. It's simply not true, and hasn't been true for a very long time. And if you don't believe me, talk to NASA.

In fact I do use Azureus regularly (it's my primary BitTorrent client). But in all seriousness, it's horribly slow (enough to literally make your reference to it laughable). Try benchmarking creation of a torrent, and compare it to a native implimentation of the hash algorithm (SHA-1, I think it was). It's mind-bogglingly slow. Not only that, but it's mind-bogglingly bloated. It's not unusual for it to take 60-80 megs when I'm downloading one torrent (and runs some 3 threads or so per connected peer). A friend (who downloads way more stuff on BT than I do) says it's not unusual for Azureus to take hundreds of megs of RAM on his computer.

As for myself, I did some benchmarking of my own. When .NET first came out, I assumed it (specifically the JITed MSIL) would be slow, probably as slow as Java (although at the time I didn't have a clear idea of how fast Java was; just that it was "slow" - i.e. the stereotype). So I did some benchmarks. Compared to a native implementation of ZLib in C, the same code compiled to MSIL (managed C++) was 2/3 as fast (that is, it took 1.5x as long to compress the same data). The Java version (this was an actual Java port of the ZLib source, not the built-in, native implementation in the Java runtime), on the other hand, was half as fast (2x as long to compress). This actually raised my opinion of .NET, as it proved a fair bit faster than my expectations (while Java was also faster than my expectations, it fell unambiguously below .NET in terms of speed).

Woo! Finally!

[daniil]

Firefox is finally catching up with the market leader! Woo!

Security through obscurity?

[gbulmash]

It's interesting that this comes on the heels of Opera eliminating the ad-supported version and offering their browser free.

The sad thing is that it also comes on the heels of zdnet.com claiming that Firefox is having significantly more security issues than IE.

I guess, though, this does give some credence to the "security through obscurity" theory, as the number and frequency of issues seems to have increased as Firefox adoption has increased. And if that's the case, can we expect to see these issues become even more frequent if Firefox adoption continues to grow?

All the arguments that open source is more secure because there are more eyes to spot problems and more hands to fix them are starting to ring a bit hollow as I upgrade/patch my Firefox install on what seems like a monthly basis.

Given, I still trust MSFT as far as I can throw a Volkswagen, but my laughs at their FUD aren't so loud or haughty today.

- Greg

Re:Security through obscurity?

[m50d]

Just like MS, firefox focuses more on features, and quickly. Many of the problems with firefox have come from the extension system, or from fairly experimental new features that firefox rushes to adopt, like this. A little more conservatism is needed when dealing with remote data, and I really think an extension system for an application that deals with remote data - be it activex or firefox extensions - is asking for trouble. You can find more secure browsers than either firefox or IE, and I don't think this is solely due to their obscurity, but also due to not including these dangerous technologies.

Re:Security through obscurity?

[Saxerman]

All the arguments that open source is more secure because there are more eyes to spot problems and more hands to fix them are starting to ring a bit hollow as I upgrade/patch my Firefox install on what seems like a monthly basis.

I hear this is a lot, and it often leads to a misrepresentation of what makes OSS 'more secure'. The more eyes/hands claim doesn't assert that there will be less bugs, it means they are suppose to be spotted and corrected more quickly.

Security isn't a state of being, it's a state of mind. I believe there are more white hats than black hats, so OSS leads to better code. If you believe otherwise, you will probably feel more secure using closed source software (but that won't necessarily mean you ARE more secure.)

Publicity

[improfane]

Publicity was the demise, the great browser begged for mainstream attention, got the show but caught the eye of the bad guys.

No software is universally perfect.

Good news!

[Otter]

On the plus side, the exploit is released under the GPL. This just goes to show the superiority of open-source over proprietary exploits!

Also on the plus side, the Washington Post link crashes my IE, so I can't even read the anti-Firefox news. Score another for Mozilla!.

The story here...

[op12]

should be the exploit (and only the exploit). The browser feud is really becoming a pointless exercise in arguing. See here.

Patch

[brettlbecker]

Ummm, so basically Mozilla was ahead of the game as far as this hole is concerned, having already released a patched version of the browser before the exploit became known?

Pardon, but rather than using this exploit as some kind of evidence that Firefox is on-par, security-wise, with IE, shouldn't we be viewing this as a victory for the patch/version-release cycle of the Mozilla foundation?

There will always be new security holes found. The difference is that patched versions of the browser, fixing the security hole in question, are not always released before the hole is announced.

Two cents.

B

Question

[sphealey]

Does the Washington Post, or any other mainstream media outlet, publish a story whenever an exploit is released in the wild for Internet Explorer? In the last year, maybe if it is actually affecting some media companies. Otherwise no.

So why the constant drumbeat of breathless stories about bugs (flaws) and exploits in Firefox? Could it be that the MSM is being seeded by someone? Say .... Microsoft's PR firm?

sPh

Re:Question

[tktk]

Does the Washington Post, or any other mainstream media outlet, publish a story whenever an exploit is released in the wild for Internet Explorer?

No... because it's hideously expensive to print 10lb newspapers every day.

Exploits as remote administration tool?

[Sirfrummel]

"...effectively letting the bad guys control the victim computer from afar."

I just have to wonder... have people ever used exploits like this to do any purposeful remote-administration?

Menh

[gid13]

The specific response: It's already patched. A released exploit that's already had a patch released for it is nowhere near as scary as one that hasn't.

The general response: As always with open source, if the Mozilla guys drop the ball and you know what you're doing, you can patch it yourself. With closed source, you're kinda at the mercy of the makers (usually Microsoft).

Anecdotal evidence: Yes, this is in the past, but I let two total newbies use a box of mine for about a year, with the only relevant modifications being: Installed Firefox, Deleted shortcuts to IE, Spybot's resident protection, Spyware Blaster, Windows autoupdates on, and Nod32 (not even a firewall). They never had ANY problem until they figured out how to open IE, at which point they managed to get a bit of spyware in.

Re:IE7 will doom Firefox

[sgar]

How do you put an open source browser "out of business". If IE7 is all it's cracked up to be, and has some features Firefox doesn't, the Mozilla team can add them to Firefox fairly rapidly. But to say that a closed source, proprietary, bundled browser is going to "put out of business" an open source, cross platform browser is just plain dumb.

Commence the Microsoft conspiracy theories...

[slashdotnickname]

...because we all know that no self-respecting hacker would attack a friend of open-source such as FireFox. These exploit discoveries are being secretly funded by Microsoft!

Reality Check (Hand Check Too)

[blueZhift]

Practically speaking I guess this means we should all stay away from questionable (*cough*pr0n*cough*) sites for a few days. Seriously, we all know where these exploits are likely to show up first...

Even without root things can get nasty

[jfengel]

It's certainly true that root access causes the most headaches, but there's a lot that can be done without root access.

Even with just user-level access, it can erase all of your files or set up a spam relay. It may even be able to set up a keystroke logger or install a modified version of your browser (for you alone) that slurps up your credit card numbers. And it can modify your local .rc files to re-run itself when you boot (and check to see if you've altered them and re-modify them as soon as you're done.)

It's a heck of a lot easier to remove than a root-level exploit (you can log in as root and remove the code, which you can't necessarily do to a rootkit). But even though the lack of root can limit the damage, considerable damage can be done without it.

The solution? Well, partly it would be nice to have the OS provide fine-grained control, so that even if malicious code gets to execute it could be prevented from modifying your files without explicit permission or accessing the Internet to act as a spam relay. But such fine-grained controls are incredibly tedious; they exist in Java but they're rarely used.)

Failing that, the rest of the solution is to be write any program that downloads arbitrary content from the internet very, very carefully.

Re:Even without root things can get nasty

[raddan]

It's not tedious at all:

http://www.citi.umich.edu/u/provos/systrace/

It shouldn't be that hard to figure out what a simple program like a browser needs.

Vunerability counts say nothing.

[Ckwop]

The security of a web-browser is in no way related to the number of vulnerabilities found per year. There are two mystical numbers out in the ether which related to the exact number of security flaws in Firefox and IE. Now not all vunerabilities are created equally. IE could have ten minor vulnerabities for every major vulnerability found in Firefox and IE could still come out on top. What I'm trying to say is the number of vulnerabilities is a very poor metric for security.

This vunerability is yet another heap based attack. Another attack that could have been avoided if people compiled the programs with the various heap/stack protection switchs. Please don't bitch about how it makes pointer arithmetic too slow. It just isn't true, what you should be doing is compiling the entire program with the switch then if it turns out to be too slow, factor out the code in to a seperate library and compile it without the switch. You can then do focused code reviews on this unsafe code to hunt out overflows/heap.

If you remember nothing else today remember this sentence: "Security costs CPU cycles..". Guess what gents? XOR is a really fast cipher but it doesn't give you any security. You need a whole bunch more clock cycles to get it. The funny thing is people only apply this thinking to cryptography when in fact it's a general security principle. All the string checks you do cost CPU cycles as the program will function just fine without them. You decide to spend CPU cycles on this task to get security because you feel it is important. To get security you have to spend a metric-fuckton of CPU cycles. Fact. What I want people to recognise is that it is worth making your programs slower to consign buffer overflows to the history book.

For a web-browser on a PC there is really no excuse because we have multi-GHz computers that are sat around idling most of the time. For all the naysayers who prounce almost with religious zeal that the performance hit will be dramatic and thus be unaccepetable. I ask them two questions:

1. Did you actually compile the program with the switch and profile it against the compiled program without the switch? Was the performance degradation even noticeable?
2. You may think slowing the program down is unacceptable but is leaving your customers at risk from an easily preventable class of vulnerabities more acceptable?

Join me and spread the word. Tell the world to spend CPU cycles on getting security because it hurts us all that we have such insecure software. Remember, "Security costs CPU cycles"

Simon.

Screw it...I'm moving to Lynx!

[PenguinBoyDave]

Let's see them attack my text-based browser!

Automatic Updates

[Paul+Slocum]

They do patch stuff fast, but until automatic updates work correctly, it's not going to do much good for the average idiot user. And someone will eventually start trying to take advantage of these exploits. I'm running 1.0.6 and there's no update icon showing. When I say Check Now: "Firefox was not able to find any updates." -paul

Well that tears it!

[dpilot]

I'm going to rip Linux out of all my boxes, install WinXP SP2, and do all of my web surfing on IE with ActiveX enabled, just to be safe!

Not quite...

[Anonymous+Brave+Guy]

I have little time for browser wars, but it is notable that despite the 1.0.7 announcement even making Slashdot yesterday, it's not showing up as an automatic download yet. Worse, it doesn't show up even if you manually check for updates.

There's not much point patching a security issue if you can't distribute the patch and even conscientious users won't find out about it by the expected method.

No Meh!

[Henry+V+.009]

A released exploit that's already had a patch released for it is nowhere near as scary as one that hasn't.

In every compromised computer that I have ever seen, there was already a patch out that would have avoided the problem. I know that that every now and then a compromise occurs which is an exception to that rule: but it is very rare, and I have never actually seen a case of it.

I am very scared about this turn of events. I used to see unpatched IE all over the place. Thankfully, that is a lot more rare now. Microsoft has made it hard not to patch IE and Windows. Not so with Firefox. I have seen unpatched Firefox installs all over the place. Ostensibly Firefox is there as the secure alternative to IE. People have actually said to me that "unpatched Firefox is more secure than patched IE" and that they aren't worried about it. Firefox Update is way too easy to ignore and a lot of people do. This is going to come back to bite them big time. And Firefox is going to have a PR-nightmare with some big security disasters over the next few months.

Is it really Firefox's fault if users don't patch their systems? The answer to that is yes, because they're trying to be the market-dominant browser. In order to be market-dominant, you have to have a browser equally suited to idiots as well as the technically adept. Firefox Update needs to be to be impossible to ignore and hard to disable unless you really know what you're doing. Because it is a weak feature right now, Firefox puts users at risk.

What patch?

[Anonymous+Brave+Guy]

Please note my comments earlier in the thread: since the patch hasn't hit the auto-updates yet, even if you check for it manually, this patch does not exist for most users. There is an exploit for it in the wild. Hence most Firefox users are not safe from this exploit.

There, I put the actually relevant bits in bold for you, just to make it clear. Firefox is a great product for many reasons, but let's not kid ourselves that its security policy is perfect right now, OK? If my Firefox browser had popped up within a few minutes of the patch being released and invited me to download it, you'd have had a case, but it didn't.

Re:What patch?

[Anonymous+Brave+Guy]

I'm afraid I have been unclear. I am not challenging the facts of your posts. I am simply saying that, for most people, they are irrelevant.

Within the first few minutes of this discussion starting, I lost track of the number of posters making smart-ass comments about how Firefox rocks compared to IE, because the patch was already out when the exploit hit. I nearly suffocated under the smugness coming off the geek brigades.

And yet, they (and, based on your most recent post, you) seem completely ignorant of the fact that nearly all security flaws in IE are patched well before exploits are found in the wild, too. Most (all?) of the major outbreaks that have hit mainstream media headlines in recent months would have been completely avoided if people had patched their systems; sometimes there were months before the exploits appeared.

So, if the Firefox patch was out but not applied, then the fact that it exists on a web site somewhere really doesn't matter to most people, and neither is it a particular advantage of Firefox over any alternative browser. This may not have been the point you were trying to make, and perhaps I picked the wrong initial post to reply to when making mine, but it's certainly a strange thing a lot of people around here today seem to believe.

automatic updates

[syrinx]

So why the hell hasn't the patch shown up on Firefox's automatic updates, even if you manually check for it?

Doesn't do any good to patch it if you don't notify people about it. Not everyone reads Slashdot.

Forced Security

[aero2600-5]

As someone else pointed out, the quickess of the patch doesn't matter because the end-user who's not the average slashdotter won't know there's a patch and won't install it. So why not forced security?

I play poker at Fulltiltpoker.com. Every time I want to play, the software connects to their server, checks for any updates, and then asks me to login. Granted, the poker software client is not as complicated as a web browser, but how difficult would it be make Firefox check and install updates every time the user ran the program? I imagine it would be pretty simple. Have this enabled by default, and the active security-aware users can disable it if they would rather do it themselves or are if they're paranoid. Think it might cost too much time to check every single time you run the program? Simply solved, a line of code telling it skip the check if it's checked in the past 12 hours.

One of the simplest ideas in security is that if the end-user has to do it themselves, like not opening random e-mail attachments, then it's likely going to get fucked up. It's that simple. Take it out of their hands.

For those of you that are paranoid about Firefox contacting servers on it's own, how do you think it knows when there are updates? It certainly didn't find out through telepathy.

Just my two cents.

Aero

Hey, a new game!

[Sialagogue]

I'd like to propose a new game here on Slashdot, called "Six Degrees of Microsoft." The objective is to relate *any* story, from browser exploits, to RFID tags, to new features on Google maps back to some oversight, corruption, or other evil perpetrated by Microsoft.

Understand, I'm not even saying I necessarily disagree with the parent post, I just think that every Slashdot post in the future should have at least one response titled "Six Degrees of Microsoft." Firefox/IE posts are easy, but "GBA SP Updated with Brighter Backlit Screen" might be a bit more of a challenge.

Good luck...

Re:The real problem--SpyWare

[nacturation]

But simple web browsing is still "safer" in Firefox. Your computer might get pwn3d, but your browser won't! The "exploits" and "security flaws" everyone is talking about completely misses the layman's reason for switching, and that is because (thus far) none of these FireFox exploits turn innocent browsing into a spyware, adware, toolbar infested nightmare.

So you can install anything onto the computer (such as spyware, adware, malware, etc.) but the browser is still safe? I agree with the other poster... what a crock! Also note that it's possible to install extensions into Firefox. Just because nobody has written a spyware/adware extension for Firefox doesn't mean that Firefox is immune. In fact, one of the benefits of Firefox is the ability to extend it. Do you even *know* what you're talking about?

GPL Exploits -- interesting side effects.

[Stephen+Samuel]

If someone uses the exploit code to build a worm and doesn't include the full source code with the 'distribution', the originl worm writer could sue them for copyright violation.

This, of course presumes that (1) the original exploit author is a proper white-hat, and (2) we catch the person who creates the worm.