Slashdot Mirror
Firefox Exploit Adds Fuel to Browser Security Feud
An anonymous reader writes "Washingtonpost.com is reporting that a fairly nasty exploit has been released for a security hole that Firefox patched just yesterday. This is sure to add fuel to the ongoing heated debate over whether Mozilla is any safer the Internet Explorer." From the article: "This is not your run-of-the-mill proof of concept exploit code. It appears to be quite comprehensive, and would allow any attacker to use it with only slight modifications. According to the advisory, the code is designed to be embedded in a Web site so that anyone computer visiting the evil site with Firefox or Netscape would open up a line of communication with another Internet address of the attacker's choice, effectively letting the bad guys control the victim computer from afar."
Browser, shmouser..... What I want is a secure OS! Arguably, if the OS is secure enough, then you should not have problems with programs that can start executing code without permissions. Granted, it is a matter of balance, but an OS should never allow root control by an application without specific permission. Of course the default with Windows is root, but hey....
As an interesting aside: We just went through a two day outage at the university here because of a worm that infected a series of Windows systems. My question to IT guy#1 was: "Dude, why did you guys switch from Solaris to Windows?" His reply was that "the Windows solution was cheaper". I said "Dude, you guys need Macs!", to which he replied "yeah, no $#!t" when he caught himself and said something unintelligible. Guy #2 that I spoke to today gave me some song and dance about how Macs are really hard to integrate into mixed platform networks and then said something to the effect of "if Macs had greater market share, we would be in the same boat". I said something to the effect of "Bull$#1t". It comes down to management and OS design. Windows can be secure, but it requires much more oversight than do other alternatives. But fundamentally, all of the calls direct to the kernel that are available to applications are a problem that will not be solved until (hopefully) the next MS OS.
Visit Jonesblog and say hello.
Firefox is finally catching up with the market leader! Woo!
Man is a slave because freedom is difficult, whereas slavery is easy.
The sad thing is that it also comes on the heels of zdnet.com claiming that Firefox is having significantly more security issues than IE.
I guess, though, this does give some credence to the "security through obscurity" theory, as the number and frequency of issues seems to have increased as Firefox adoption has increased. And if that's the case, can we expect to see these issues become even more frequent if Firefox adoption continues to grow?
All the arguments that open source is more secure because there are more eyes to spot problems and more hands to fix them are starting to ring a bit hollow as I upgrade/patch my Firefox install on what seems like a monthly basis.
Given, I still trust MSFT as far as I can throw a Volkswagen, but my laughs at their FUD aren't so loud or haughty today.
- Greg
Start a happiness pandemic
Publicity was the demise, the great browser begged for mainstream attention, got the show but caught the eye of the bad guys.
No software is universally perfect.
Slashdot needs Geekcode | Can anyone recommend any good SCIFI? My tastes: Foundation, Startide Rising, CITY, Ringworld,
Also on the plus side, the Washington Post link crashes my IE, so I can't even read the anti-Firefox news. Score another for Mozilla!.
What I'm listening to now on Pandora...
should be the exploit (and only the exploit). The browser feud is really becoming a pointless exercise in arguing. See here.
Does the Washington Post, or any other mainstream media outlet, publish a story whenever an exploit is released in the wild for Internet Explorer? In the last year, maybe if it is actually affecting some media companies. Otherwise no.
.... Microsoft's PR firm?
So why the constant drumbeat of breathless stories about bugs (flaws) and exploits in Firefox? Could it be that the MSM is being seeded by someone? Say
sPh
I just have to wonder... have people ever used exploits like this to do any purposeful remote-administration?
How do you put an open source browser "out of business". If IE7 is all it's cracked up to be, and has some features Firefox doesn't, the Mozilla team can add them to Firefox fairly rapidly. But to say that a closed source, proprietary, bundled browser is going to "put out of business" an open source, cross platform browser is just plain dumb.
If there is anything more important than my ego around here, I want it caught and shot now.
...because we all know that no self-respecting hacker would attack a friend of open-source such as FireFox. These exploit discoveries are being secretly funded by Microsoft!
Practically speaking I guess this means we should all stay away from questionable (*cough*pr0n*cough*) sites for a few days. Seriously, we all know where these exploits are likely to show up first...
To the making of books there is no end, so let's get started
It's certainly true that root access causes the most headaches, but there's a lot that can be done without root access.
.rc files to re-run itself when you boot (and check to see if you've altered them and re-modify them as soon as you're done.)
Even with just user-level access, it can erase all of your files or set up a spam relay. It may even be able to set up a keystroke logger or install a modified version of your browser (for you alone) that slurps up your credit card numbers. And it can modify your local
It's a heck of a lot easier to remove than a root-level exploit (you can log in as root and remove the code, which you can't necessarily do to a rootkit). But even though the lack of root can limit the damage, considerable damage can be done without it.
The solution? Well, partly it would be nice to have the OS provide fine-grained control, so that even if malicious code gets to execute it could be prevented from modifying your files without explicit permission or accessing the Internet to act as a spam relay. But such fine-grained controls are incredibly tedious; they exist in Java but they're rarely used.)
Failing that, the rest of the solution is to be write any program that downloads arbitrary content from the internet very, very carefully.
The security of a web-browser is in no way related to the number of vulnerabilities found per year. There are two mystical numbers out in the ether which related to the exact number of security flaws in Firefox and IE. Now not all vunerabilities are created equally. IE could have ten minor vulnerabities for every major vulnerability found in Firefox and IE could still come out on top. What I'm trying to say is the number of vulnerabilities is a very poor metric for security.
This vunerability is yet another heap based attack. Another attack that could have been avoided if people compiled the programs with the various heap/stack protection switchs. Please don't bitch about how it makes pointer arithmetic too slow. It just isn't true, what you should be doing is compiling the entire program with the switch then if it turns out to be too slow, factor out the code in to a seperate library and compile it without the switch. You can then do focused code reviews on this unsafe code to hunt out overflows/heap.
If you remember nothing else today remember this sentence: "Security costs CPU cycles..". Guess what gents? XOR is a really fast cipher but it doesn't give you any security. You need a whole bunch more clock cycles to get it. The funny thing is people only apply this thinking to cryptography when in fact it's a general security principle. All the string checks you do cost CPU cycles as the program will function just fine without them. You decide to spend CPU cycles on this task to get security because you feel it is important. To get security you have to spend a metric-fuckton of CPU cycles. Fact. What I want people to recognise is that it is worth making your programs slower to consign buffer overflows to the history book.
For a web-browser on a PC there is really no excuse because we have multi-GHz computers that are sat around idling most of the time. For all the naysayers who prounce almost with religious zeal that the performance hit will be dramatic and thus be unaccepetable. I ask them two questions:
Join me and spread the word. Tell the world to spend CPU cycles on getting security because it hurts us all that we have such insecure software. Remember, "Security costs CPU cycles"
Simon.
Let's see them attack my text-based browser!
I'm not a troll, but I play one on Slashdot.
They do patch stuff fast, but until automatic updates work correctly, it's not going to do much good for the average idiot user. And someone will eventually start trying to take advantage of these exploits. I'm running 1.0.6 and there's no update icon showing. When I say Check Now: "Firefox was not able to find any updates." -paul
I'm going to rip Linux out of all my boxes, install WinXP SP2, and do all of my web surfing on IE with ActiveX enabled, just to be safe!
The living have better things to do than to continue hating the dead.
I have little time for browser wars, but it is notable that despite the 1.0.7 announcement even making Slashdot yesterday, it's not showing up as an automatic download yet. Worse, it doesn't show up even if you manually check for updates.
There's not much point patching a security issue if you can't distribute the patch and even conscientious users won't find out about it by the expected method.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
I am very scared about this turn of events. I used to see unpatched IE all over the place. Thankfully, that is a lot more rare now. Microsoft has made it hard not to patch IE and Windows. Not so with Firefox. I have seen unpatched Firefox installs all over the place. Ostensibly Firefox is there as the secure alternative to IE. People have actually said to me that "unpatched Firefox is more secure than patched IE" and that they aren't worried about it. Firefox Update is way too easy to ignore and a lot of people do. This is going to come back to bite them big time. And Firefox is going to have a PR-nightmare with some big security disasters over the next few months.
Is it really Firefox's fault if users don't patch their systems? The answer to that is yes, because they're trying to be the market-dominant browser. In order to be market-dominant, you have to have a browser equally suited to idiots as well as the technically adept. Firefox Update needs to be to be impossible to ignore and hard to disable unless you really know what you're doing. Because it is a weak feature right now, Firefox puts users at risk.
So why the hell hasn't the patch shown up on Firefox's automatic updates, even if you manually check for it?
Doesn't do any good to patch it if you don't notify people about it. Not everyone reads Slashdot.
Quidquid latine dictum sit, altum sonatur.
But simple web browsing is still "safer" in Firefox. Your computer might get pwn3d, but your browser won't! The "exploits" and "security flaws" everyone is talking about completely misses the layman's reason for switching, and that is because (thus far) none of these FireFox exploits turn innocent browsing into a spyware, adware, toolbar infested nightmare.
So you can install anything onto the computer (such as spyware, adware, malware, etc.) but the browser is still safe? I agree with the other poster... what a crock! Also note that it's possible to install extensions into Firefox. Just because nobody has written a spyware/adware extension for Firefox doesn't mean that Firefox is immune. In fact, one of the benefits of Firefox is the ability to extend it. Do you even *know* what you're talking about?
Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.