Slashdot Mirror


Germany Warns Against Using Firefox

jayme0227 writes "Due to the recent exploit in Firefox, Germany has warned against its use. This comes a couple months after Germany advised against using IE. Perhaps we should start taking odds as to which browser will be next." Note: the warning (from the Federal Office for Information Security) is provisional, and should be rendered moot by the release later this month of 3.6.2.


  1. 3.6.2 released by Anonymous Coward · · Score: 5, Informative

    Yup

    1. Re:3.6.2 released by Z00L00K · · Score: 3, Insightful

      And if you want to be really safe - use Lynx instead. No images, no Flash, no Javascript, No ability to view pr0n.

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    2. Re:3.6.2 released by gzipped_tar · · Score: 5, Insightful

      > No ability to view pr0n.

      I doubt that.

      --
      Colorless green Cthulhu waits dreaming furiously.
    3. Re:3.6.2 released by Anonymous Coward · · Score: 5, Informative
  2. Free software in action by Statecraftsman · · Score: 4, Insightful

    As soon as I read about this on /. I realized Firefox is downloading an update to 3.6.2. This is why free software is our best tool against malware. Reaction time can scale with importance. And (shameless free software plug alert) it's why I wrote what's in my sig.

    1. Re:Free software in action by Anonymous Coward · · Score: 5, Funny

      That is a really poor standard you have. I don't want software that patches exploits quickly, I want software that was correctly written and had no exploits to begin with.

    2. Re:Free software in action by Zontar+The+Mindless · · Score: 3, Insightful

      > I want software that was correctly written and had no exploits to begin with.

      And I want Anonymous Cowards to start making /. posts that are insightful, useful, and realistic.

      And WHERE'S MY PONY?!

      --
      Il n'y a pas de Planet B.
    3. Re:Free software in action by Zoidbot · · Score: 5, Interesting

      You know it's taken over a month to fix this, right? The exploit was discovered 18-02-2010 according to Secunia.

      Opera takes less than a week usually (and the occurrence of exploits is less also).

      The argument that Open Source allows anyone to fix things and thus making patches quicker does not work, as clearly it also opens up your code for hackers to review looking for new exploits. I don't believe in security by obscurity, but the fact remains, Opera is closed source and the most secure (and fastest) web browser out there.

    4. Re:Free software in action by DNS-and-BIND · · Score: 5, Insightful

      A sad day on Slashdot when someone says "programming correctly is the right response" and he's ridiculed by at least 4 replies and modded +3 Funny. What the hell happened to this place?

      --
      Shutting down free speech with violence isn't fighting fascism. It IS fascism!
    5. Re:Free software in action by chthon · · Score: 4, Funny

      They were probably all reactions from people who program for a living.

    6. Re:Free software in action by Jurily · · Score: 4, Funny

      OpenBSD seems to do just fine, with a bigger codebase, written in C.

      Wanna guess what the difference is? They have security-obsessed people in charge.

      Nobody gets credit for fixing a bug. Instead, we celebrate the people who get a fix out fastest. We don't care about flammable buildings, but we watch the response time of the fire department like a hawk.

    7. Re:Free software in action by selven · · Score: 5, Insightful

      Because "don't set this place on fire" is not a fire escape plan. Bugs and vulnerabilities will happen either way, and you still need a plan for dealing with them.

    8. Re:Free software in action by TheLink · · Score: 3, Insightful

      > OpenBSD seems to do just fine, with a bigger codebase, written in C.

      They just ship OpenBSD with most services disabled by default, and then claim it is safe by default.

      That's similar to Microsoft's shipping IE on their server O/S with most stuff disabled by default, and then claiming that IE is not vulnerable on their server O/Ses by default.

      Yes they are safe by default just like a car with its wheels, engine and battery "disabled" by default is safe from most carjackers.

    9. Re:Free software in action by Aceticon · · Score: 3, Insightful

      Creating 100% secure software is like trying to prove an absolute statement (as in "All X have Y") - to prove it right, every single one of the subjects of your statement has to conform to it, while proving it wrong only takes one that does not.

      Or in more specific terms: no matter how good the team developing a piece of software is and how long they have to do it, all it takes is one of them making a single mistake and the result is not 100% secure.

      It's reasonable to expect that all first order mistakes (i.e. the blindingly obvious) are caught, it is however not reasonable to expect that higher-order mistakes (for example: "unexpected interactions with a different version of a certain library installed in the same system in the 64 bit version of the OS") are caught, especially those relating to external factors (which can change after the release is done).

      Also there are economic limits to the level of security in a piece of software: more specifically, time is money, getting only the top best professionals to do it is a lot of money and (surprise, surprise) people are not willing to pay the higher price that such a product would require to break-even.

    10. Re:Free software in action by Rockoon · · Score: 3, Insightful

      While it's true that Mozilla got the fix out pretty fast once someone pointed right at it for them, it is often claimed that Open Source is more secure because there are thousands of eyes looking at the source code.

      None of those Mozilla-loving eyes found this bug, yet a researcher unaffiliated with Mozilla but certainly looking for exploits, found it. Now what about all the researchers looking for exploits in order to driveby firefox users.. that will just keep the damn thing a secret?

      Yeah.. they got the fix out fast. Bravo. Look at the real significance of these events, tho..

      ..exploit found
      ..went unpatched for a month
      ..only got patched because the person who discovered it pointed right at it.

      --
      "His name was James Damore."
  3. To add some information to the void.. by Seth+Kriticos · · Score: 4, Informative

    The vulnerability *only* affects the current 3.6 branch. Patch is complete and will be pushed on the 30th of March.

    Here is the Mozilla blog entry on the topic:
    http://blog.mozilla.com/security/2010/03/18/update-on-secunia-advisory-sa38608

    Here is the original bug report:
    http://secunia.com/advisories/38608

    Ps: can we please get security related articles with some content instead of *OMG, we are all going to die!!* ??

  4. This just in by Rijnzael · · Score: 3, Insightful

    German government warns against use of the internet and software that has bugs.

    Software is inevitably going to have bugs in it and try as we might, it's something we'll always have to deal with. There are always mitigation strategies, such as running Firefox in a virtualized environment a la Sandboxie or a full virtual machine, but we'll never be privy to using only bug-free software day to day. I'm glad to see the German government taking an active approach to notifying people in regard to vulnerabilities in an attempt to mitigate them, but as TFA states, what's the point in suggesting users quit using Firefox when the alternatives are potentially just as vulnerable?

  5. Bah by tsotha · · Score: 3, Insightful

    The take-away from this is Germans are never happy.

    1. Re:Bah by beh · · Score: 3, Insightful

      So, what would you rather have?

      That they warn you about vulnerabilities in IE6, but ignore vulnerabilities in open source browsers?

      I think they've done the right thing - there was a security hole (in the 'current' 3.6), and they warned about it. Their warning DID include that it affected the 'current' 3.6 version and that it should be fixed in 3.6.2.

      That's fair comment, and it's their job to report it and not lull people into a false sense of security that the (then current 3.6) version of firefox was safe.

      If they had NOT warned, it might have damaged their reputation for NOT covering it, and it might also have helped MS lobbying efforts if they could have been shown to be biased by reporting on IE issues, but not Firefox ones...

  6. First by Beelzebud · · Score: 4, Funny

    First they came for IE, and I didn't speak up because I didn't use IE.

    Then they came for Firefox, and I didn't speak up because I didn't use Firefox.

    1. Re:First by pagaboy · · Score: 4, Funny

      Then they came for Windows ME...

  7. It ain't over till the fat lady sings by Hognoxious · · Score: 4, Funny

    Opera. As any fule kno, Germans are really keen on opera. They have some that go on for weeks.

    --
    Confucius say, "Find worm in apple - bad. Find half a worm - worse."
  8. Re:Google Chrome. by muckracer · · Score: 3, Informative

    > That's true, as long as you turn off Google as the default search, disable cookies

    And don't forget about LSO cookies (Flash directory), that do NOT get deleted by FF's cookie deletion on exit. Extra add-on is needed (BetterPrivacy) to do so.

    Oh...and MozDevs...please restore the 'Clear History on Exit' window on browser exit. Thanx!

  9. Re:governments warn us about exploits by Rockoon · · Score: 3, Informative

    ..and if you have actually used it on Windows, you know that it's really bad.

    Unresponsive, with a non-conforming UI, and the installer carries a payload of other apple software.

    --
    "His name was James Damore."