Mozilla First To Patch Pwn2Own Browser Vulnerability

Constantine the Less writes "Mozilla has released Firefox 3.0.8 to fix a pair of code execution holes that put users of the browser at risk of drive-by download attacks. It includes a fix for one of the flaws exploited during this year's CanSecWest Pwn2Own hacker contest. The update also fixes a separate zero-day flaw disclosed earlier this week on a public exploit site. Both issues are rated 'critical,' Mozilla's highest severity rating."

First post.

[cbiltcliffe]

And good to see Mozilla patching things this quickly.

Re:First post.

[MightyYar]

Yeah, but internet browsing just doesn't feel as exciting without the risk. Back to unpatched XP with IE6 for me...

Re:First post.

[purpledinoz]

You finish installing Windows XP. You connect to the internet and fire up your browser. 4 minutes later, additional processes start appearing in your task manager. You've been pwnd! You frantically try to close the security holes by going to the Windows Update website, but all you get are ads for penis enlargement and free porn. As your PC slows to a crawl, the excitement fades...

Re:First post.

[Vu1turEMaN]

It would have been funny son, but the sad fact of the matter is that probably half of the XP systems out there are unpatched and use IE6...

Re:First post.

[0xygen]

Although I do notice the Firefox 3.1 Beta 3 has no update yet - I just tried the PoC, it is definitely vulnerable.

Maybe it's time to start using nightlies if you are a 3.1 beta user?

Re:First post.

I misread the final line as "the excrement fades". :)

Re:First post.

[RiotingPacifist]

untrusted extentions are the way of the future. they let YOU choose how much you get pwned.
Only want a mild risk? install a few 3rd party extentions,
Fancy taking your chances? look for ones with spelling mistakes in the discriptions,
Unprotected sex with the internet? well start installing them from 3rd party sites
Fuck it, pwn me already? install greasemonkeys and look for scripts that have the discription written in 1337 sp3/\k

Re:First post.

The excitement fades? Are you nuts?
I just got links for penis enlargement and free porn! OH SWEET

Re:First post.

[iminplaya]

That's because they're bootlegs, and updating will just install WGA

Re:First post.

Nope, I use a pirated Windows, and it cheerfully passes WGA and updates just fine.

It's because those people using vanilla WinXP + IE6 can barely change their Yahoo Messenger status, or load a list into Winamp.

Re:First post.

[Thinboy00]

The whole point of Betas is that they have bugs etc. and haven't been tested. If you care about security, you shouldn't use a Beta. If you don't care, why are you asking?

Re:First post.

That is nothing. Once, during the second stage of a Windows XP installation, as soon as Windows brought up the network interface to configure the DHCP it got slammed by the blaster worm right in the middle of the installation! (The box was connected to a DOCSIS cable network.) I had to power off the modem, reformat, and restart the install. That is why I no longer use windows.

Re:First post.

[asdfx]

It's like unprotected sex! How do you know you're alive if you're certain she doesn't have herpes! Or something...

Re:First post.

[asdfx]

You restarted the install, but you don't use windows anymore? So, is there a computer sitting somewhere with windows on it that you don't need? I could use a new server....

Re:First post.

[asdfx]

Nah, they probably have automatic updates on. I'd wager it's massive computer labs at high schools or colleges where there either isn't an administrator, the administrator is a fool, or the administrator is lazy. The need doesn't seem all that pressing, but ironically they have some of the strongest internet connections for worms to use.

Re:First post.

[maxume]

Putting 'son' in your posts makes you come off as a dildo. Just sayin'.

Re:First post.

[0xygen]

The officially released point betas actually have had testing.

Security and stability are two very different things.

Betas do not have deliberate mistakes - once an issue is known, it would seem sensible to fix it in active branches with an update mechanism, which notably includes the official beta.

Fair enough, nightlies and stuff don't have such an update mechanism and I would not expect one.

Re:First post.

[PNutts]

all you get are ads for penis enlargement and free porn

For the love of Gods folks, cite your fracking references. So say we all!

Re:First post.

[jonaskoelker]

look for ones with spelling mistakes in the discriptions

Is this some new kind if iriny?

Re:First post.

[Vu1turEMaN]

I know what it makes me sound like, otherwise I wouldn't have said it.

Re:First post.

[DavoMan]

all you get are ads for penis enlargement and free porn

For the love of Gods folks, cite your fracking references. So say we all!

Hook me up on that too. I can't for the life of me find anything about 'girls' or 'penis enlargement' on google.

wouldnt mind a cheap rolex watch too.

Re:First post.

[DavoMan]

anyone hear a dildo?

that's quick

[siriuskase]

If I want to have Firefox download my exploit, umm, contribution to thousands of users worldwide, could I get such fast service and minimal vetting if I called it a security patch?

Re:that's quick

[cbiltcliffe]

Could you get such fast service? Certainly.

With such minimal vetting? I doubt it. Only if you're a trusted submitter to the Mozilla tree. And if you were, you'd only get to pull a stunt like that once.

Re:that's quick

Here, I've found this tinfoil hat just around the corner. You must have misplaced it.

What's needed is Slashdot to be coded better

In other news, Slashdot have announced an update to version 0.03 alpha.

This version doesn't fix the Javascript Slowdown that causes the browser window to turn grey on Linux systems, for spinning beachballs on Mac OS X, and Windows thinking the application isn't responding.

However it alters something that was working into something that doesn't. Also there's a "Prefs" button on the bottom of the page.

Re:And this is a surprise?

I really don't understand your logic. Just because Apple happens to be a decent software company, and quickly fixes exploits *that have been reported to them*, open source is less secure?

This says nothing negative about open source, IMO. The exploits that were patched here were found because someone took the time to try to find them. When all you get is a binary blob, that's obviously going to be harder than if you've got is source code. So your point is moot.

And yes, exploits submitted to open source packages generally get included quickly. Look at the lkml, this happens daily.

is the patch also in 3.5b4pre ?

Because I like to use the JIT javascript compiler in 3.5 (aka 3.1)

Re:And this is a surprise?

[drinkypoo]

I also thought that open source had a built in Plan B that if a hole was found, anyone could submit a patch and it would get folded in as soon as it was reviewed and approved.

That's funny, this is a story about the Open Source browser being patched before every other browser, and you're not seeing a benefit?

Re:And this is a surprise?

[Yetihehe]

Yeah, and this resulted in them being first to patch. I already have patched version, it downloaded automatically. Even if microsoft patched ie8 today it probably wouldn't update automatically till next patch tuesday. And did closed source helped ms to make more secure browser?

zero-day flaw disclosed earlier this week

[Dan9999]

and I finally used that good-for-only-one-month coupon that I got last year for a free oil change on my car yesterday.

if it's not still day zero, don't call it a zero-day flaw.

Re:zero-day flaw disclosed earlier this week

[maxume]

It might not be the best terminology, but it is describing how many days a patch has been available for the vulnerability.

Re:And this is a surprise?

Why is this marked flame-bait?

The remark is rhetorical and underlines open-source's strange!

Silly me too!

Seen how insecure web browsers are...

Seen how insecure web browsers are, what would be a good way to surf under Linux?

I have an account that I use only for GMail and my bank's website (the latter using a physical device answering cryptographic challenge so nobody is abusing that [when wiring money to a new account number, the account number of the recipient itself is part of the cryptographic challenge, there's no MITM, no nothing that can work against that]).

Then I have an account only for browsing. The user owning this account on my machine has user ID 1007.

This user is not even allowed to connect to localhost. I don't want to know. All he can do is surf the web, using iptables like this:

iptables -I OUTPUT -m owner --uid-owner 1007 -j REJECT
iptables -I OUTPUT -m owner --uid-owner 1007 -p tcp --dport 80 -j ACCEPT
iptables -I OUTPUT -m owner --uid-owner 1007 -p tcp --dport 443 -j ACCEPT
iptables -I OUTPUT -m owner --uid-owner 1007 -p udp --dport 53 -j ACCEPT

Are there others simple things I could do to deal with security hazard that these browsers are?

Things I could do about this user's home directory permissions? Disable his SSH? etc.

Basically I think I'd like to have an account that can "do nothing but run Firefox".

Or is there an easy, lightweight (lightweight as in "I don't necessarily want to virtualize a full OS just to run a browser", way to sandbox a browser?

In other words, I consider the "security" of all the browsers to be a bad joke and I regard running a browser basically the same as executing "omgWindozeServer2012Crack.exe" on my machine and I'd like any hint from people who are surfing in a "safer" way.

Re:Seen how insecure web browsers are...

[iminplaya]

when wiring money to a new account number, the account number of the recipient itself is part of the cryptographic challenge, there's no MITM, no nothing that can work against that

Very confident you are.

I'd like any hint from people who are surfing in a "safer" way.

Use somebody else's computer.

Re:Seen how insecure web browsers are...

[siride]

You could try not freaking the fuck out about browser security, unless you plan on visiting Russian spam sites and whatnot. I use Firefox on Linux and I've never had an issue. I use Flashblock, Adblock and occasionally Noscript. Just exercise reasonable caution and you should be fine. Heck, even under Windows I never got viruses or spyware, and I used IE!

Re:Seen how insecure web browsers are...

[0xFCE2]

Or is there an easy, lightweight (lightweight as in "I don't necessarily want to virtualize a full OS just to run a browser", way to sandbox a browser?

Have a look at the Linux extensions like SELinux or AppArmor. At least the latter one can be set up comparatively easy, and is useful to protect a few selected processes such as FF from doing harm. Certainly not perfect, but it should be able to stop an exploit from taking over the whole account.

However, the weak link will then probably be X and your window environment (KDE/gnome), so full virtualization is still much better. Of course, even that doesn't offer perfect protection.

Re:Seen how insecure web browsers are...

[Jeppe+Salvesen]

I'd consider running the web browsing session inside a virtual machine. That's both more secure and more practical. :)

Re:Seen how insecure web browsers are...

On Windows, i sandbox my browsers using Sandboxie, such a fantastic little program.
The newer versions are much better, more control over what a program can access, file-permissions, network, etc

Not sure of any similar sandboxing programs for Linux, sadly.
I second this request.

Re:Seen how insecure web browsers are...

try running Firefox in its own chroot jail.

Re:Seen how insecure web browsers are...

Getting a life might be a good first step.

Re:Seen how insecure web browsers are...

[RiotingPacifist]

how is X the weak link? the weak link is whatever you let on the internet and whatever network aware daemons you have running. once on your system X MAY be the weak link but the pwm2own vulnerabilities dont need root, so X doesn't even matter (much like it matters little in modern security) where attackers don't need root. while SElinux & AppArmor MAY protect against use of these attacks, e.g killing firefox when it executes malicious code, but a fishing scam doesn't need to do anything malicious to your system (and Firefox has already been 'pwned' in the context of this competition).

Full virtulization is useless, if the attack is advanced enough that it can is keylogging a separate user (has root), modifying your Firefox binaries (has root and then some) or modifying what you see (one hell of an exploit somewhere in your xorg stack), then the chances are the attacker can modify your virtualized os when its mounted,( there's nothing you can do that a kernel recompile cant beat and as the attacker has root, he can do that).

you have 2 choices:
1) stop being paranoid
2) run a livecd and update it regularly enough (from your livecd using toram) that there are no known exploits for it. OFC this HAS to be done on multiple cd-rs as a cd-rw could be patched if its exploited. But wait they could actually exploit you and modify the iso before you managed to get it to the disk, so i refer you to point 1.

Now assuming you that you've stopped being paranoid and just want a bit of extra security the GP post is about as good as you can get it protects against all user level exploits.

Re:Seen how insecure web browsers are...

[TheLink]

Depends on your virtual machine. Lots of virtualization software/hardware has bugs.

See:

http://www.securityfocus.com/bid/32597/discuss

And:
http://www.google.com/search?hl=en&safe=off&q=+site:www.securityfocus.com+vmware+vulnerability

I'm sure the others have problems too.

Re:Seen how insecure web browsers are...

[mcneely.mike]

getting an account and not posting a.c. would be a good first step!

Re:Seen how insecure web browsers are...

[Hurricane78]

Not exactly true. You never got viruses, that you knew of.

Under Windows, with IE, this is no hard thing to achieve. Think of the Sony rootkit. Or about the tons of trash that average people get on their systems, despite having a anti-virus and a firewall software running.
I know of many people who completely turn them both off, when they play games. For performance reasons. Even when the games allow the usage of browsers while running.

Re:Seen how insecure web browsers are...

[siride]

I didn't get viruses. I had no slowdowns, nothing showing up in process explorer, no weird behavior, nothing from ZoneAlarm (worthless though it otherwise be). Of course, if you go the route of "you can't ever truly be sure of xyz", then I suppose you are right. I probably did get viruses. And even though I think I'm running Linux, it's probably actually just a rootkit that's infected my Windows XP installation to make it look like some other OS. How can I really know?

Re:Seen how insecure web browsers are...

If you caught a virus that then installed a rootkit (and why wouldn't it?), then it would erase all trace of itself. Nothing would show up in process explorer, or registry settings, or any logs. Netstat and tcpdump would show no suspicious activity. You'd see no change in available hard drive space either. The rootkit would intercept all system calls and pass on tainted information.

Re:Seen how insecure web browsers are...

[0xFCE2]

how is X the weak link?

Even if SELinux/AA are able to confine the actions of a pwned firefox or it is running as a different user, firefox can get access to keyboard and mouse actions and possible more via X (try xev).

Full virtulization is useless, if the attack is advanced enough that it can is keylogging a separate user (has root), modifying your Firefox binaries (has root and then some) or modifying what you see (one hell of an exploit somewhere in your xorg stack), then the chances are the attacker can modify your virtualized os when its mounted,

If the virtualization is good, the attacker still cannot break out of the VM. In practice there will be exploits allowing to break out, but at least now there are many barriers: the attacker has to exploit firefox, then possibly break out of SELinux/Apparmor and get root, after that it has to modify the kernel and break out of the VM. And depending on the VM and the exploit the attacker may then still only have access to a userspace part of the virtualization environment, running as a normal user on the host. So this is much better than just a single defense.

And while most users don't have to be this paranoid, the good thing about virtualization is that it's easy: you can get all this security with very little effort - the "cost" is much lower than e.g. configuring Apparmor, and the protection is much better.

Re:Seen how insecure web browsers are...

Don't rely on that. Just a month ago I had to fix a website that had been heavily infected with an iframe virus. Iframe's had been injected into the end of every html file on the site, causing visitors to load the contents of that iframe unknowingly. What was the payload? Yup, a virus that installed just nicely if you happened to be using IE. The point is, just because you don't visit Russian porn sites don't be thinking your invulnerable.

Re:Seen how insecure web browsers are...

Correction: should be you're invulnerable.

Re:Seen how insecure web browsers are...

On my Windows box, I use Comodo Firewall and Defense+ (both are free, as in beer). Defense+ runs in Paranoid mode. This automatically prevents any app (except a few Windows system apps) from doing pretty much anything unless you specifically allow it to. This means no accessing other processes' memory, launching new processes, modifying files, modifying the registry, etc. unless you allow it. So if Firefox is compromised, the exploit would have to know how to break out of Defense+ as well in order to do any damage.

AFAIK, you have done basically the same thing with your Linux box by creating a separate account for browsing. Just make sure that your browsing account can't modify any files on your system other than those required for browsing (make only your download directory writable and only firefox executable). I believe the OS prevents any inter-process memory access automatically.

Re:Seen how insecure web browsers are...

[AmiMoJo]

This is a bit like asking how you can ever know if you are living the the Matrix or not (or being fooled by evil demons for those who prefer the Descartes version).

In the end it's really just a distraction from far more real and more likely assaults on your private data, like the random guy in India who gets to see all your bank records, or the government agency who looses a CD full of your unencrypted details in the post.

Re:Seen how insecure web browsers are...

[Hurricane78]

You can't. And that is why you should state something like "I did not notice any virus-like behavior. And I do/run X, Y and Z." and never "I did not get viruses."

Same thing as the difference between "This program has no bugs." (impossible to prove) and "There are no known bugs in this program." (Suffices, if you or your users actually searched for them for some time.)

Re:Seen how insecure web browsers are...

[siride]

I kind of assumed that was implicit, since the alternative is impossible. There's no need to explicitly state that I can't know 100% for sure. People who complain about that are just annoying pedants.

Re:Seen how insecure web browsers are...

[bruceslog]

Seen how insecure web browsers are, what would be a good way to surf under Linux?

I have an account that I use only for GMail and my bank's website (the latter using a physical device answering cryptographic challenge so nobody is abusing that [when wiring money to a new account number, the account number of the recipient itself is part of the cryptographic challenge, there's no MITM, no nothing that can work against that]).

Then I have an account only for browsing. The user owning this account on my machine has user ID 1007.

This user is not even allowed to connect to localhost. I don't want to know. All he can do is surf the web, using iptables like this:

iptables -I OUTPUT -m owner --uid-owner 1007 -j REJECT iptables -I OUTPUT -m owner --uid-owner 1007 -p tcp --dport 80 -j ACCEPT iptables -I OUTPUT -m owner --uid-owner 1007 -p tcp --dport 443 -j ACCEPT iptables -I OUTPUT -m owner --uid-owner 1007 -p udp --dport 53 -j ACCEPT

Are there others simple things I could do to deal with security hazard that these browsers are?

Things I could do about this user's home directory permissions? Disable his SSH? etc.

Basically I think I'd like to have an account that can "do nothing but run Firefox".

Or is there an easy, lightweight (lightweight as in "I don't necessarily want to virtualize a full OS just to run a browser", way to sandbox a browser?

In other words, I consider the "security" of all the browsers to be a bad joke and I regard running a browser basically the same as executing "omgWindozeServer2012Crack.exe" on my machine and I'd like any hint from people who are surfing in a "safer" way.

Wow, if you're that paranoid, here's something you might want to try.
Install PCLinuxOS 2007 onto a hard drive. Now update it, install your your favorite programs, tune your personal settings, add your bookmarks, email accounts, software updates, and such. When you get it to where you like it, then ( in PCLinuxOS ) do a remaster onto a CD or DVD. ( sudo, remasterme )
When finished, remove your remastered CD/DVD and shut your machine down.

You now have a live cd version of your operating system, WITH all of your personal settings and preferences.

For all subsequent boots and browsing sessions, you can now just pop your remastered CD/DVD into your machine, boot into the LiveCD ( or DVD ), and browse to your hearts content. You'll have your bookmarks, email account settings and all right there on the CD / DVD, which can't be over written. Viruses and trojans have not figured out how to write to a burn once CD or DVD yet, so anything you get exposed to will not infect your system, As long as you do not mount any of your hard drives.

As you use your LiveCD/DVD, Put any changes you want to keep ( emails you want to keep, new bookmarks, etc ) onto a flash drive.
Once a week, or once a month, update your LiveCD/DVD with the info you've been saving on the flash drive, and then remaster a new CD/DVD with your updates.

So now you have a Operating System that works well, has all of your personal settings, bookmarks, emails and account settings, is portable ( you can most likely boot your LiveCD/DVD in most any other computer with a reboot ), can't be over written by malware since it's burned onto a CD/DVD, can be updated as often as you like, or not, and if you do update and remaster weekly, you now have weekly backups on the older remasters.

Just an option for you that should keep your browser and OS fairly safe.

Re:And this is a surprise?

(Same coward as parent...)

Heh, I just got done reading an Apple story, and here I am thinking we were talking about them.

Anyways, I still don't get this guys point.

Re:And this is a surprise?

[maxume]

See what sarcasm gets ya?

Re:And this is a surprise?

This is in reply to all of this post's brothers and sisters:

*whoosh*

Re:And this is a surprise?

[TinBromide]

I'm seeing the benefit, just not the surprise.

Re:And this is a surprise?

Exactly! The siblings to parent's post should re-read the GP. Slowly this time.

Re:And this is a surprise?

[TinBromide]

I know, I just wish that people read the subject before firing off a reply.

MS already patched in IE8 final build

MS patched this on IE8 on Vista already before it published Mar 19. http://blogs.iss.net/archive/chicksdigIE8.html

XP hasn't been patched yet. Doesn't support DEP, so will be a bit more work.

Re:MS already patched in IE8 final build

Doesn't support DEP, so will be a bit more work.

DEP is supported on Windows XP since SP2.

Re:MS already patched in IE8 final build

[thisispurefud]

but it's not enabled by default in IE7. And XP hasn't ASLR.

Seamonkey too?

Is Seamonkey affected by the same bugs? Are the updates ready?

Re:Seamonkey too?

[dryeo]

MFSA 2009-13: Security researcher Nils reported via TippingPointâ(TM)s Zero Day Initiative that the XUL tree method _moveToEdgeShift was in some cases triggering garbage collection routines on objects which were still in use. In such cases, the browser would crash when attempting to access a previously destroyed object and this crash could be used by an attacker to run arbitrary code on a victimâ(TM)s computer. This vulnerability does not affect Firefox 2, Thunderbird 2, or released versions of SeaMonkey.

Don't know about the dailies though.

Re:And this is a surprise?

Actually the IE8 exploit used during Pwn2Own contest wouldn't work on the final release of IE8 published one day later on the 19th of March.

http://dvlabs.tippingpoint.com/blog/2009/03/27/pwn2own-ie8-exploit-foiled-is-the-browser-finally-secure

Re:And this is a surprise?

What about the post's parents, grandparents, aunts and uncles, children and what-not: don't they get a *whoosh* too?

What about cousins?

BAH!

[iminplaya]

The contestants already have next year's winning exploit waiting in the wings. Maybe we should have these contests every month instead of once a year.

Re:BAH!

[v1]

That's what I was thinking too. It'd be a bit like that Month of Bugs, quite a lot of progress was made in those 30 days.

Though they'd start running out quick I bet. But for us, that's a good thing.

Re:BAH!

[iminplaya]

Unfortunately, it's the market that will decide how to deal with exploits. They will always go to the highest bidder. White hat, black hat, it doesn't mattah.

Re:BAH!

[kwabbles]

I dunno, I think there are enough script kiddie contests. I want to see more real hacker contests - like where the winner actually finds a new exploit, or even one where the winner fixes an exploit and provides a patch.

Re:And this is a surprise?

How many stories on Slashdot are surprising?

Re:And this is a surprise?

And did closed source helped ms to make more secure browser?

umm, yes.
the person who cracked safari on osx said that ie8 on vista was the toughest to exploit.

MS already fixed this in IE8 gold.

http://blogs.iss.net/archive/chicksdigIE8.html

MS already fixed this in Vista when IE8 was published on March 19. XP hasn't been patched yet - doesn't support DEP.

Re:MS already fixed this in IE8 gold.

[makomk]

Not exactly. They fixed a hole in DEP+ASLR, first reported in August 2008, that made it possible to exploit the IE8 vulnerability (by disabling the functionality the hole was in) - but only for internet sites; intranet sites can still exploit it. The underlying vulnerability is also still there, and there are probably other ways of exploiting it to get code execution.

Re:And this is a surprise?

seven

Any patch applied before I read about it on /. ...

...is a good patch! Cheers to all involved.

Not only that

[Idiot+with+a+gun]

But Ubuntu has already reviewed it, and pushed it out through the repositories, marking it as critical. I love open source.

Re:Not only that

[blackest_k]

yes intrepid updated firefox earlier today for me, Hardy is downloading the updated version as I type this, my fault for not allowing it to update till now.

Re:Not only that

[rHBa]

Ubuntu had this update before the article appeared on /.

Re:And this is a surprise?

42

There is a second benefit

[Colin+Smith]

Of having discrete components, and of modular operating systems.

Mozilla isn't integrated into the OS, so they can just fix bugs. IE is "integrated into the OS" which means they can't simply fix bugs, they've got to make sure the rest of the big ball of mud OS continues to work as well.

 

Re:And this is a surprise?

[makomk]

Well, it wouldn't work on Vista on the final release of IE8, except on Intranet pages. Apparently, it still works on IE8 running under XP, still works on Intranet pages. The underlying vulnerability is still present on IE8 on all platforms, it's just that there's not currently any way to exploit it thanks to DEP and ASLR.

Telnet too?

what about telnet 80?

that's how I do all my browsing

When I find an exploit, I patch it using cat > /usr/bin/telnet

that's how I keep it real

Re:And this is a surprise?

[Svippy]

See what sarcasm gets ya?

And that, ladies and gentlemen, is the surprise.

old news

hmm, this is like 3 days old news

Re:old news

[Computershack]

Not up to 24hrs ago. Yesterday I downloaded FF for a client and it was still punting Ver 3.0.7 on Mozillas website.

Re:And this is a surprise?

[icebraining]

On the other hand, Firefox on Linux wasn't exploited at all.

Re:And this is a surprise?

On the other hand, Firefox on Linux wasn't exploited at all.

Yes, but there wasn't a Linux box. IE 4 on Windows 95 wasn't exploited during the contest either... does that prove anything?

Re:And this is a surprise?

I love how this is being spun as some great thing for Firefox. Google Chrome didn't even need a patch because it was unaffected by the exploit. Also, as someone else mentioned, IE8 is unaffected, therefore it was patched before Firefox.

Firefox hasn't come first at all. If anything it came pretty damned close to last place, ahead of Safari only.

BULLSHIT.

[Computershack]

Article is bullshit. Microsoft patched IE8 in under 24hrs. Pwn2Own targetted IE8RC1. The full IE8 was released the following day and was immune to the exploit used.

Re:BULLSHIT.

It was only immune in the internet zone, due to MS disabling .net controls in that zone. The bug still exists and is fully exploitable in the intranet zone. Also, IE has had a long history of cross-zone-scripting bugs which allow an attacker to run js code in a different protection zone than it really exists in. If you trick IE into thinking your code is in the intranet zone, this vulnerability opens right up.

Noscript

I wonder how good in bloacking all these new attacks is Noscript.

Re:And this is a surprise?

"Charlie: The NX bit is very powerful.When used properly, it ensures that user-supplied code cannot be executed in the process during exploitation. Researchers (and hackers) have struggled with ways around this protection. ASLR is also very tough to defeat. This is the way the process randomizes the location of code in a process. Between these two hurdles, no one knows how to execute arbitrary code in Firefox or IE 8 in Vista right now. For the record, Leopard has neither of these features, at least implemented effectively. In the exploit I won Pwn2Own with, I knew right where my shellcode was located and I knew it would execute on the heap for me."

That has nothing to do with it being closed source.

Re:And this is a surprise?

[rs232]

'Actually the IE8 exploit used during Pwn2Own contest wouldn't work on the final release of IE8 published one day later on the 19th of March'

According to this only when .NET controls have been disabled

I feel comfortable

I use Firefox with NoScript on Sandboxie and I feel comfortable.

OSX 10.3 blues

[Dog135]

That's funny, this is a story about the Open Source browser being patched before every other browser, and you're not seeing a benefit?

I'm not. I can't download the upgrade. I'm running OSX 10.3.9, and Firefox 2.0.0.1. Firefox 3.x requires 10.4.

OSS developers should think about those of us that are still happy with their older software! (or can't upgrade) I'm only 1 major version behind the current Firefox.

I'm not sure if I'm in danger of a drive-by download though. I do remember getting a few "exe" programs downloaded to my HD while visiting some shadier sites. I just laugh, delete it, and move on.

Re:OSX 10.3 blues

[644bd346996]

Don't blame Mozilla. Blame Apple for not retrofitting 10.3 with Universal Binary support. That way, you can be right, and also make the unreasonableness of your request apparent.

Re:OSX 10.3 blues

Just run your program under a sandbox if you can, this tends to solve the problems of most crash-based virii. (they can still run, though)

Re:OSX 10.3 blues

[Ant+P.]

If you're worried about security at all, why are you running a browser 19 security patches out of date?

Re:OSX 10.3 blues

[Chemicalscum]

It's open source compile it yourself, gcc still runs on OSX 10.3.9. That's the sort of fun project you get stuck doing if you don't update your software.

I do remember getting a few "exe" programs downloaded to my HD while visiting some shadier sites. I just laugh, delete it, and move on.

On Linux I once had a site try to download a .exe file on me and Wine opened it. Though it started executing a process it just hung, too different environment to do any damage.

Re:OSX 10.3 blues

But you should NOT be happy with older software. you MUST desire the newer shinier model.

Not that quick, actually

[RockMFR]

I'm surprised that nobody has mentioned that the XSL issue was reported 5 months ago, and it had a patch ready to go 4 months ago. Why was a critical issue with a two-line patch not fixed immediately? A better question - if the "bad guys" searched bugzilla for unfixed critical issues, how long would it take them to strike gold?

Re:Not that quick, actually

[BZ]

Thing is, that patch fixes the particular crash but not the vulnerability. And no one at the time recognized that this was a security issue (unlike the numerous non-exploitable crashes)....

It's still a problem, of course. I don't think anyone's happy that that patch didn't land. :(

Re:Not that quick, actually

[dryeo]

Bugzilla won't show certain critical bugs unless you have the right privileges. Hopefully the bad guys aren't developers with those privelages.

Re:Not that quick, actually

[maxume]

The linked bug was not hidden, it wasn't identified as a security issue (it was eventually identified as a duplicate of the bug that was fixed this week, but it was open for months; if you dig in, you will see that Mozilla is examining their processes a bit because of this).

Re:Not that quick, actually

[dryeo]

I guess I should of looked at the bug :) Usually security bugs are hidden from most of us.
I've also seen the opposite, where a bug was hidden even though it was not a security risk.

Re:And this is a surprise?

And they still asked me to download a patch.

Regression testing?

Coming from a big software company, this seems like too fast of a release. Isn't there any significant regression testing that goes on to verify that no other bugs have been caused? Or is it just "verified this bug is closed...ship the release!"

Re:And this is a surprise?

Are you kidding? I patched this exploit BEFORE the pnw2own contest. But my submission of the patch wasn't accepted. But at least my own system is secure.

Opera?

Once again, Opera has been forgotten.

Re:Opera?

[cp.tar]

Who?

Re:And this is a surprise?

[RiotingPacifist]

erm that doesn't answer the question, there are some nice technologies in vista* and ie8 can take full advantage of those, eventually FF will be able to use those on vista and still be more secure than IE on xp (something MS has no intention of doing). It DOESN'T have anything to do with it being closed.

10.3 has universal binaries

[Dog135]

All versions of OSX have universal binary support. Every application is a folder with a ".app" extension. Inside the folder are sub-folders for the binary for each system.

A fast Google search for "os x" 10.3 "universal binary" will show that many applications have universal binary downloads that support 10.3.

If you look at Mozilla's site, however, they say they no longer support Firefox 2.x. Why drop support of their previous major version? They could at least provide security updates.

Re:10.3 has universal binaries

[ion.simon.c]

Why drop support of their previous major version?

'Cause they don't have the manpower and/or money to support the previous major version?

They could at least provide security updates.

I daresay that they did just this for roughly six months after FF 3.0 was released.
https://wiki.mozilla.org/ReleaseRoadmap

Re:10.3 has universal binaries

[Thinboy00]

Why drop support of their previous major version? They could at least provide security updates.

For the same reason Microsoft dropped support of Windows 3.1 a long time ago, and in contrast with the reason Microsoft is now trying to drop support for XP.

Obsolete versions waste time and energy. Firefox 2 was supported for some time after Fx 3 came out, but they can't support it indefinitely.

Think of it another way: Mozilla doesn't have to make Fx (well|free as in beer|free as in speech|at all), so don't bitch about it if they decide to do something you don't like, unless you're paying for Fx, which you're not. Note that "Fx" is the correct abbreviation of "Firefox" ("FF" is wrong).

Re:10.3 has universal binaries

[Mozk]

Obsolete versions? Firefox 3 is supported in Windows XP, which was released in 2001, but not in Max OS X 10.3, which was released in 2003?

Re:10.3 has universal binaries

[talz13]

There was also that little release of OS X 10.4 a few years back, so that makes OS X 10.3 support similar to supporting Win98 or WinME in terms of previous versions (i.e. two major versions ago). Firefox 3 doesn't support Win98 or WinME either.

Re:And this is a surprise?

[ion.simon.c]

What does Fox Mulder's apartment number have to do with this?

Mozilla

This is why I use Firefox and not Chrome/Safari/IE/etc. Firefox is always centered first and foremost on security, then speed, then features.

Besides the browser itself being very secure, it comes with plugins like NoScript, Ghostery, Objection, Adblock Plus + Elements, CookieSafe (I use CS Lite) that combined make it the most powerful browser against potential security vulnerabilities that you can get.

The most important one out of the bunch is NoScript, and I just can't live without it. Until other browser catch up with Mozilla's patching prowess and this particular plugin, they aren't worth my time.

Re:Mozilla

[Computershack]

On Vista and Win7, I'd rather use IE as it runs in a sandbox.

Mac OS X != OSS

[tepples]

I can't download the upgrade. I'm running OSX 10.3.9, and Firefox 2.0.0.1. Firefox 3.x requires 10.4.

OSS developers should think about those of us that are still happy with their older software! (or can't upgrade)

Mac OS X is not open-source software. If you can't install Leopard or even Tiger on your PowerPC Mac, try installing a Linux distribution that supports your Mac model. I'm sure they still exist.

Re:Mac OS X != OSS

[GuldKalle]

I think he was talking about firefox being OSS.

Re:Mac OS X != OSS

[tepples]

The developers of free software such as Firefox have limited resources. They ditched Windows 95 and Windows 98 because compared to Windows 2000 and Windows XP, the Windows 9x codebase made several Gecko features much more difficult to implement robustly. Likewise with Mac OS X, new frameworks in 10.4 that were not in 10.3 made things easier.

Besides, Firefox is free software. Feel free to backport all Firefox 3 security patches to the Firefox 2 series. Just don't expect it to magically happen when you aren't paying anyone to do it.

Re:Mac OS X != OSS

[JackieBrown]

Even Debian gave up on that

http://lists.debian.org/debian-security-announce/2009/msg00063.html

Re:And this is a surprise?

Actually, the cracker said Firefox on Windows would be the hardest to exploit. This is a combination of Firefox being the hardest to hack, and the compilers etc. on Windows making it hardest to crack things there in general.

Windows software is hard to crack not because of closed source, but because Microsoft has spent a lot of effort making things hard to exploit. Mac, Linux and other OSes have quite a bit of catching up to do with Microsoft on this front now.

Opera

opera ftw :P

Re:And this is a surprise?

[Bert64]

Linux on the other hand does have both of those features, and had them long before vista...

http://en.wikipedia.org/wiki/Address_space_layout_randomization

Re:And this is a surprise?

[Bert64]

Linux is actually way ahead, not sure about mac...
The idea of ASLR was implemented on Linux first, and there are other protections like selinux which go way beyond anything available on other platforms...

Wether people/distributions actually use the features is another matter, but they do exist and do work.

Re:And this is a surprise?

[JackieBrown]

Then why does windows 7 keep warning me about not runnung a antivirus?

I don't have any antivirus programs running on linux and have no problems.

I wonder why the system that is hardest to exploit keeps bugging me about this.

Turn the tables

[Cyanara]

Bah. My dodgy dial-up connection is so painfully slow that I find it amusing to install trojans and watch "hackers" try and control my computer.

Re:And this is a surprise?

Then why does windows 7 keep warning me about not runnung a antivirus?

Because you don't know the difference between a browser exploit and a virus?

Re:And this is a surprise?

SE Linux? LOL. Suggest some crap that is useless for average users and claim linux is superior. This is why Linux is a joke on the desktop and will remain as a joke except for basement dwellers who have tons of time to waste trying to fix their toy OS.

Whats more funny is there was a need for SELinux because of the amateur security model of linux. NT has a superior design and will continue to remain a superior design. Linux is stuck in the 70's as a monolithic turd. Keep living in fantasy land or go speak to an OS design expert.

it goes to 11

[cavebison]

"Both issues are rated 'critical,' Mozilla's highest severity rating."

So that's above "ludicrous" then?

Re:And this is a surprise?

[icebraining]

Wrong!

The dust has settled on PWN 2 OWN and Linux FTW! The Ubuntu-equipped Sony VAIO was the only computer to get through the tournament unscathed, managing to elude the assembled hackers. On Thursday the MacBook Air was the first to go, followed the next day by the Vista-running Fujitsu, conquered by Shane Macaulay. No one, but no one, however, was able to bring down the penguin.

http://gizmodo.com/373779/linux-last-man-standing-in-pwn-2-own-thunderdome