Slashdot Mirror


Germany Warns Against Using Firefox

jayme0227 writes "Due to the recent exploit in Firefox, Germany has warned against its use. This comes a couple months after Germany advised against using IE. Perhaps we should start taking odds as to which browser will be next." Note: the warning (from the Federal Office for Information Security) is provisional, and should be rendered moot by the release later this month of 3.6.2.

50 of 509 comments

  1. 3.6.2 released by Anonymous Coward · · Score: 5, Informative

    Yup

    1. Re:3.6.2 released by Z00L00K · · Score: 3, Insightful

      And if you want to be really safe - use Lynx instead. No images, no Flash, no Javascript, No ability to view pr0n.

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    2. Re:3.6.2 released by gzipped_tar · · Score: 5, Insightful

      > No ability to view pr0n.

      I doubt that.

      --
      Colorless green Cthulhu waits dreaming furiously.
    3. Re:3.6.2 released by Anonymous Coward · · Score: 5, Informative
    4. Re:3.6.2 released by rvw · · Score: 2, Insightful

      > And if you want to be really safe - use Lynx instead. No images, no Flash, no Javascript, No ability to view pr0n.

      Use Noscript.

    5. Re:3.6.2 released by nangus · · Score: 2, Funny

      looking at your list, there was one advisory in 2009, one in 2008, and then one in 2006. I think what is happening here is lynx is just introducing a minor security flaw about once a year just so they can hang out with all the cool kids. They are just trying to be "edgy" and "hip".

    6. Re:3.6.2 released by Mister+Whirly · · Score: 2, Funny

      Gopher is really where it is at. Lynx is too "bloated" with features.

      --
      "But this one goes to 11!"
  2. 3.6.2 is out. by Anonymous Coward · · Score: 2, Informative
  3. A release that has just happened, in fact... by n6mod · · Score: 2, Informative

    Firefox 3.6.2 was released earlier tonight: http://www.mozilla.com/en-US/firefox/3.6.2/releasenotes/

    --
    You have violated Robot's Rules of Order and will be asked to leave the future immediately.
  4. Free software in action by Statecraftsman · · Score: 4, Insightful

    As soon as I read about this on /. I realized Firefox is downloading an update to 3.6.2. This is why free software is our best tool against malware. Reaction time can scale with importance. And (shameless free software plug alert) it's why I wrote what's in my sig.

    1. Re:Free software in action by Anonymous Coward · · Score: 5, Funny

      That is a really poor standard you have. I don't want software that patches exploits quickly, I want software that was correctly written and had no exploits to begin with.

    2. Re:Free software in action by im_thatoneguy · · Score: 2, Funny

      What the German government should do is release an open source application which switches your default browser.

      A team of German security experts would make a bi-weekly security assessment and then set the default browser for the period. ;)

      Of course this browser switcher would also be able to push patches as well. Automate their recommendations!

    3. Re:Free software in action by Zontar+The+Mindless · · Score: 3, Insightful

      > I want software that was correctly written and had no exploits to begin with.

      And I want Anonymous Cowards to start making /. posts that are insightful, useful, and realistic.

      And WHERE'S MY PONY?!

      --
      There is no Planet B.
    4. Re:Free software in action by Zoidbot · · Score: 5, Interesting

      You know it's taken over a month to fix this right? The exploit was discovered 18-02-2010 according to Secunia.

      Opera takes less than a week usually (and the occurrence of exploits is less also).

      The argument that Open Source allows anyone to fix things and thus making patches quicker does not work, as clearly it also opens up your code for hackers to review looking for new exploits. I don't believe in security by obscurity, but the fact remains, Opera is closed source and the most secure (and fastest) web browser out there.

    5. Re:Free software in action by DNS-and-BIND · · Score: 5, Insightful

      A sad day on Slashdot when someone saying "programming correctly is the right response" is ridiculed by at least 4 replies and modded +3 Funny. What the hell happened to this place?

      --
      Shutting down free speech with violence isn't fighting fascism. It IS fascism!
    6. Re:Free software in action by chthon · · Score: 4, Funny

      They were probably all reactions from people who program for a living.

    7. Re:Free software in action by Jurily · · Score: 4, Funny

      OpenBSD seems to do just fine, with a bigger codebase, written in C.

      Wanna guess what the difference is? They have security-obsessed people in charge.

      Nobody gets credit for fixing a bug. Instead, we celebrate the people who get a fix out fastest. We don't care about flammable buildings, but we watch the response time of the fire department like a hawk.

    8. Re:Free software in action by Anonymous Coward · · Score: 2, Informative

      The guy who found the bug didn't give details to Mozilla promptly, he sold it in his security product to clients for a few weeks, then told Mozilla. Can't blame Mozilla for not fixing a bug they had 0 details on. Once they were given details they fixed it in a few days, not bad for fixing the bug, making a build, QA'ing and releasing it.

    9. Re:Free software in action by selven · · Score: 5, Insightful

      Because "don't set this place on fire" is not a fire escape plan. Bugs and vulnerabilities will happen either way, and you still need a plan for dealing with them.

    10. Re:Free software in action by TheReal_sabret00the · · Score: 2, Informative

      Seriously? I'm all for the opinion that Firefox is becoming the Winamp of browsers, with that best of the rest feel rather than the best feel. But Opera really doesn't have a snappy UI or a snappy feel. Opera is a great browser but has always felt clunky and dopeish. Not to mention that with the same tabs open in both Opera and Firefox, Opera is the one that feels the most sluggish. I fully agree that Firefox is making some disastrous decisions, taking a month to fix a reported bug is beyond acceptable, but let's not make it out like it's the new IE. By all means let's slap them on the wrists and hope they don't do it again. Let's hope that in Firefox 4, you'll be given an installer screen that will let you choose which features you want; I, for example, won't be opting for TaskFox installed. But in no way is it the demon browser from hell sent to rape our mothers.

    11. Re:Free software in action by data2 · · Score: 2, Interesting

      Yes, but there is this little detail, which, if you had read http://secunia.com/advisories/38608, you would know. It was not clear that this was a real bug, there were no details known.
      A fairly unknown researcher claimed there was a zero day in firefox, without giving enough details to tell where the bug is.
      So what happened was that somebody, who we do not know whether to trust, claimed there was a bug. Imagine!
      Reaction time from knowing the details to roll-out was far better, at least in this case. This is probably not the best bug to be making a point against patching policy with OSS.

    12. Re:Free software in action by TheLink · · Score: 3, Insightful

      > OpenBSD seems to do just fine, with a bigger codebase, written in C.

      They just ship OpenBSD with most services disabled by default, and then claim it is safe by default.

      That's similar to Microsoft's shipping IE on their server O/S with most stuff disabled by default, and then claiming that IE is not vulnerable on their server O/Ses by default.

      Yes they are safe by default just like a car with its wheels, engine and battery "disabled" by default is safe from most carjackers.

    13. Re:Free software in action by Aceticon · · Score: 3, Insightful

      Creating 100% secure software is like trying to prove an absolute statement (as in "All X have Y") - to prove it right, every single one of the subjects of your statement has to conform to it, while proving it wrong only takes one that does not.

      Or in more specific terms: no matter how good the team developing a piece of software is and how long they have to do it, all it takes is one of them making a single mistake and the result is not 100% secure.

      It's reasonable to expect that all first order mistakes (i.e. the blindingly obvious) are caught, it is however not reasonable to expect that higher-order mistakes (for example: "unexpected interactions with a different version of a certain library installed in the same system in the 64 bit version of the OS") are caught, especially those relating to external factors (which can change after the release is done).

      Also there are economic limits to the level of security in a piece of software: more specifically, time is money, getting only the top best professionals to do it is a lot of money and (surprise, surprise) people are not willing to pay the higher price that such a product would require to break even.

    14. Re:Free software in action by Rockoon · · Score: 3, Insightful

      While it's true that Mozilla got the fix out pretty fast once someone pointed right at it for them, it is often claimed that Open Source is more secure because there are thousands of eyes looking at the source code.

      None of those Mozilla-loving eyes found this bug, yet a researcher unaffiliated with Mozilla but certainly looking for exploits, found it. Now what about all the researchers looking for exploits in order to driveby firefox users.. that will just keep the damn thing a secret?

      Yeah.. they got the fix out fast. Bravo. Look at the real significance of these events, tho..

      ..exploit found
      ..went unpatched for a month
      ..only got patched because the person who discovered it pointed right at it.

      --
      "His name was James Damore."
    15. Re:Free software in action by natehoy · · Score: 2, Insightful

      No matter how clever you think you are, no matter how hard you work to prevent vulnerabilities, they will be in the release code in something as complex as a web browser (or an Operating System).

      "I want software that is written correctly and has no exploits" is an unrealistic expectation. It's like saying "I want my power tools to be built in such a way that they cannot possibly harm me"

      Most (certainly not all) software is built with very careful reviews, trying to figure out ways that black hats might exploit the software and code against it. But it's an arms race - the black hats are constantly working on ways to get by the software.

      So, yeah, while I agree with GP that "I want software that is written correctly", this is the real world, where there are bad people who will think of things you didn't and break your software. So this cannot possibly be an "either/or" decision.

      I want people who write software as correctly as feasibly possible, understanding that humans make mistakes and that other people are out there who are just as clever as the software authors and who do nothing but try to break it. I accept, in return, that I have to take a role in securing my system if I want control over my system.

      More importantly, I want people who are open and honest about those flaws when they happen, acknowledge the flaws quickly, and fix them very rapidly. I can't defend myself against a flaw I do not know exists, and I want that flaw to go away very quickly once it is discovered. I have seen precious few teams who crank out fixes faster than Team Firefox.

      So far, in the browser world, I have yet to find a team that releases consistently higher-quality (not perfect, but high-quality) code, is more open about their vulnerabilities, and responds to defects more quickly than the Firefox team. That's not to say that all other browsers out there are bad, or that Firefox is 100% secure, but the Firefox team appears to be doing about the best job one could realistically expect. And yet, it's still all free.

      --
      "This post contains words, known to the State of California to cause thought. Wash brain thoroughly after reading."
  5. To add some information to the void.. by Seth+Kriticos · · Score: 4, Informative

    The vulnerability *only* affects the current 3.6 branch. Patch is complete and will be pushed on the 30th of March.

    Here is the Mozilla blog entry on the topic:
    http://blog.mozilla.com/security/2010/03/18/update-on-secunia-advisory-sa38608

    Here is the original bug report:
    http://secunia.com/advisories/38608

    Ps: can we please get security related articles with some content instead of *OMG, we are all going to die!!* ??

    1. Re:To add some information to the void.. by n6mod · · Score: 2, Insightful

      Seth, scroll up one post in the blog. 3.6.2 was released tonight.

      --
      You have violated Robot's Rules of Order and will be asked to leave the future immediately.
  6. This just in by Rijnzael · · Score: 3, Insightful

    German government warns against use of the internet and software that has bugs.

    Software is inevitably going to have bugs in it and try as we might, it's something we'll always have to deal with. There are always mitigation strategies, such as running Firefox in a virtualized environment a la Sandboxie or a full virtual machine, but we'll never be privy to using only bug-free software day to day. I'm glad to see the German government taking an active approach to notifying people in regard to vulnerabilities in an attempt to mitigate them, but as TFA states, what's the point in suggesting users quit using Firefox when the alternatives are potentially just as vulnerable?

  7. Bah by tsotha · · Score: 3, Insightful

    The take-away from this is Germans are never happy.

    1. Re:Bah by beh · · Score: 3, Insightful

      So, what would you rather have?

      That they warn you about vulnerabilities in IE6, but ignore vulnerabilities in open source browsers?

      I think they've done the right thing - there was a security hole (in the 'current' 3.6), and they warned about it. Their warning DID include that it affected the 'current' 3.6 version and that it should be fixed in 3.6.2.

      That's fair comment, and it's their job to report it and not lull people into a false sense of security that the (then current 3.6) version of firefox was safe.

      If they had NOT warned, it might have damaged their reputation for NOT covering it, and it might also have helped MS lobbying efforts if they could have been shown to be biased by reporting on IE issues, but not Firefox ones...

  8. Responsible reporting by AmiMoJo · · Score: 2, Insightful

    The German government seems to be being quite responsible here. There is an issue with Firefox, and most users probably don't know about it because they don't regularly read tech news sites.

    The government is simply trying to keep people informed about this rather important topic, and has done so in a reasonable and proportional way. Not every warning put out is a damning condemnation of flawed security that mandates switching to Lynx you know.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    1. Re:Responsible reporting by mysidia · · Score: 2, Informative

      Yeah... that's actually encouraging, it means they are actually providing meaningful distinctive advice/suggestions, and not merely copy and pasting vendor vulnerability lists and activating pretty 'alert level' colors...

      not like the US government, who yanked up what used to be the wonderful somewhat independent [but gov sponsored] organization called 'CERT', absorbed them into the department of homeland security, and turned them into US-CERT a mere vacant shadow of their former selves, just another clearinghouse that lists every bloody little Windows vulnerability the earth has ever known, nothing too interesting, nothing too distinctive or useful anymore.

      That is, ever since, CERT's usefulness has plummeted by orders of magnitude, nowadays they typically just parrot all the major commercial vendors' security advisories, even ridiculously minor ones --- I suppose this is great if you are a Windows user, it should convince you to switch, but for the rest of us it sucks.....

      CERT has made what, 1 activity incident report based on actual events or compromises, intrusion patterns, intrusion details, or reports on new types of threats since 2001?

      Governments don't know what to do about security, I guess... their efforts at 'reporting' just degenerate into vulnerability listing, and other mundane non-intelligence-requiring activity.

      Either that or they think it's too dangerous to tell the public what direction attacks/bad guys seem to be heading.

  9. First by Beelzebud · · Score: 4, Funny

    First they came for IE, and I didn't speak up because I didn't use IE.

    Then they came for Firefox, and I didn't speak up because I didn't use Firefox.

    1. Re:First by pagaboy · · Score: 4, Funny

      Then they came for Windows ME...

  10. German government warns: by dushkin · · Score: 2, Funny

    * against the use of Opera!
    * against the use of Chrome!
    * against the use of internets!

    --
    o hai
  11. Re:governments warn us about exploits by clarkkent09 · · Score: 2, Funny

    Well they warned against IE and Firefox. On Windows that narrows it down to Chrome and Opera. I'm just waiting for one more announcement so I'll know which one is the winner.

    (btw please don't show off your knowledge of esoteric browsers by listing them here. those are the four biggest ones by far)

    --
    Negative moral value of force outweighs the positive value of good intentions.
  12. Bah humbug! mod parent TROLL by beh · · Score: 2, Informative

    mod parent TROLL...

    Have you looked at the BSI page and linked mozilla blog page?

    The mozilla blog entry was dated March 18th (giving March 30th as the release date for 3.6.2). The BSI advisory was dated March 19th (4 days before the story broke on slashdot; and 4 days before the actual release of 3.6.2).

    So, you're saying, it was retaliation by BSI against Firefox, for publishing a release date the firefox crew themselves published the day before?

    On March 19th - with the projected release date 11 days away, it seems it was perfectly in order for BSI to recommend use of an alternative for those 11 days:

        "the Bürger-CERT recommends the use of alternative browsers until Mozilla Firefox version 3.6.2 is released."

    This has nothing to do with fear-mongering - but simply that during a potential danger period, people might want to watch out. Their article clearly stated it only affected 3.6, and their article stated that their advisory is temporary 'until 3.6.2 is released'.

    How is that retaliation?

  13. Re:the way to go by jim_v2000 · · Score: 2, Informative

    Opera 10.51 Changelog

    "Security
    Fixed
    Fixed an issue where the HTTP Content-Length header could be used to execute arbitrary code; see our advisory (http://www.opera.com/support/search/view/948/).
    Fixed an issue where XSLT could be used to retrieve random contents of unrelated documents, as discovered by crazypops; see our advisory (http://www.opera.com/support/search/view/949/)."

    OH SNAP SON! So much for those skilled contractors and their superior skills.

    --
    Don't take life so seriously. No one makes it out alive.
  14. Re:And the risk is??? by ewrong · · Score: 2, Informative

    A WOFF font is a Web Open Font Format font.

    http://hacks.mozilla.org/2009/10/woff/

    It's basically an extension of the @font-face rule with its own compression and meta tagging. Please don't tell my designers about it.

  15. It ain't over till the fat lady sings by Hognoxious · · Score: 4, Funny

    Opera. As any fule kno, Germans are really keen on opera. They have some that go on for weeks.

    --
    Confucius say, "Find worm in apple - bad. Find half a worm - worse."
  16. Re:Google Chrome. by muckracer · · Score: 3, Informative

    > That's true, as long as you turn off Google as the default search, disable cookies

    And don't forget about LSO cookies (Flash directory), that do NOT get deleted by FF's cookie deletion on exit. Extra add-on is needed (BetterPrivacy) to do so.

    Oh...and MozDevs...please restore the 'Clear History on Exit' window on browser exit. Thanx!

  17. Re:Google Chrome. by RobbieCrash · · Score: 2, Interesting

    I'm undoubtedly missing something, but why is installing a program in my personal folder a bad idea? It allows non-elevated installs, has no access to files outside of the user dir unless granted, allows each user to have a totally separate installation so fucking one up doesn't fuck up everyone else's, no registry entries aside from ones to HKCU, uninstalls don't mess everyone else's life up, no reboots on uninstall... I don't get it?

    --
    Keep on knockin'
    https://robbiecrash.me
  18. Re:Pr0n by TaoPhoenix · · Score: 2, Funny

    Rule 34a (or similar numbering).

    No such system exists whereby Pr0n cannot be discerned. Bertrand Russell and Alfred North Whitehead became very upset when Kurt Gödel figured that out.

    --
    My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
  19. Re:Bah humbug! mod parent TROLL by Dr.+Evil · · Score: 2, Insightful

    The difference is that Firefox has vulnerabilities like any normal application... Internet Explorer on the other hand has been the forefront infection vector for botnets of hundreds of thousands of machines for the past decade.

  20. Re:governments warn us about exploits by icannotthinkofaname · · Score: 2, Interesting

    Yeah, but Safari is made by Apple, Chrome is made by Google, they use the same rendering engine, and so if I need to swear loyalty to one of those companies, I'd rather it be Google than Apple.

    --
    Let q be a radix > 1. I am in ur base-q, killing 10 d00ds.
  21. The BSI is not the Government by prefec2 · · Score: 2, Informative

    The BSI is not the government. It is a federal agency. BSI = Bundesamt für Sicherheit in der Informationstechnik (engl. Federal Agency for safety and security in Information Technology). They are more something like CERT. Even though the US government thinks the BSI is some sort of NSA, because the NSA also does security in information technology (e.g. SELinux). However, the BSI does not spy on people. This is done by another agency. And the BSI is as much the government as the police or judges are.

  22. Re:governments warn us about exploits by Rockoon · · Score: 3, Informative

    ..and if you have actually used it on Windows, you know that it's really bad.

    Unresponsive, with a non-conforming UI, and the installer carries a payload of other apple software.

    --
    "His name was James Damore."
  23. Germany warns against using internet... (eom) by ukemike · · Score: 2, Funny

    Germany warns against using internet.

    --
    -- QED