Firefox Was the Most Attacked & Exploited Browser At Pwn2own 2014
darthcamaro writes "Though IE, Chrome and Safari were all attacked and all were exploited, no single web browser was exploited at this year's Pwn2own hacking challenge as much as Mozilla Firefox. A fully patched version of Firefox was exploited four different times by attackers, each revealing new zero-day vulnerabilities in the open-source web browser. When asked why Mozilla was attacked so much this year, Sid Stamm, senior engineering manager of security and privacy, said, 'Pwn2Own offers very large financial incentives to researchers to expose vulnerabilities, and that may have contributed in part to the researchers' decision to wait until now to share their work and help protect Firefox users.' The Pwn2own event paid researchers $50,000 for each Firefox vulnerability. Mozilla now pays researchers only $3,000 per vulnerability."
Oh, wait...
Or not that I saw. I wonder if, like usual, they depend on running malicious code from the attacking site, rather than being sensible and turning off javascript, running ghostery, and the like.
Once you start running code from attackers, you're just asking to be pwned.
Check the bugzilla and the security update the next day for full details on Firefox.
Firefox is unstable when many windows and tabs are open, even when using NoScript, Adblock, and Ghostery, as mentioned above.
Many crashes do not start the Crash Reporter.
See for yourself. Go to this URL:
https://crash-stats.mozilla.com/home/products/Firefox/versions/27.0#duration=14
(Mozilla does not allow links from Slashdot.)
Those are NOT ALL the crashes! Those are just the crashes that don't also crash the Crash Reporter.
The earlier version, 26.0, is crashy also:
https://crash-stats.mozilla.com/home/products/Firefox/versions/26.0
Yes. Someone makes this comment every time, for the last 9 years, since version 1.0.
Most people don't open a lot of windows and tabs at the same time. The people who do that are usually those doing serious research. For example, what to do about the changes in Google Voice coming in May, 2014?
The problem is much worse when many windows and tabs are open under the Windows OS and Windows is hibernated several times.
That's my experience, also. Version 20 was considerably more stable than the latest version 27.01.
Just saying, I use Firefox as my primary browser. It last crashed.....I can't remember when. Is it maybe possible there's something wrong with your computer?
I use it because IE...though I don't have anything specifically against the new versions, I just don't like it. Chrome, beyond not trusting it being a google product (I assume it logs every keystroke, it wouldn't be out of character for them, though I will grant they probably don't log password fields, but all others...), is there honestly a more bloated browser out there? Firefox right now has 19 tabs open for me, using 950 megs of RAM (a bunch of those tabs have plugins running such as PDF viewers or video viewers). Chrome, 3 tabs, using a grand total of a bit over 500 megs of RAM (hard to say exactly how much since I don't want to pull out a calculator and add together the I believe 8 different processes), and all just displaying simple web pages.
Even with lots of tabs open, it's stable for me on Linux. Maybe it's your OS.
I do my browsing in an untrusted or disposable Qubes domain, which is about as strong security as you can get for a functional desktop system. Still, it would be awesome if pwn2own made it one of their target OS's... now for *that* I would get out the popcorn!
That's odd, I keep literally dozens of tabs open in it all the time and haven't had it crash on me for as long as I can remember.
Are agnostics skeptical of unicorns too?
Had the same problems with FF crashing, switched to Opera next, works great for me.
Everything above is my opinion....YMMV
Funny that you mention Linux. Firefox crashes about twice a week here, most often with multimedia content. Linux and 8GB of memory. And yes, I am one of those that keeps 50+ tabs open.
Perl Programmer for hire
15 years ago, Internet Explorer had just won the browser wars, and all we had on Linux was an old version of Netscape Navigator that barely worked. Even Netscape had abandoned it and no one had any idea if and when Mozilla would ever be ready.
Compared to that I think 2-3 options is pretty good, especially when all of the browser vendors respect web standards (even Microsoft), Firefox is completely open source and so is nearly all of Chrome and a large chunk of Safari too.
I do, too, and I have almost never had FF crash on me. Since you mention multimedia content, perhaps it's your GPU drivers or some other config.
Yes, but don't you think we have enough crime? If God really loves us, he'll keep us in the dark as always!
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
They can upgrade to Microsoft Windows 8.1, that's what about them!
My record on FF, though this was a few versions ago, was just over 1 GB for 4 tabs (no multimedia, just two wiki-type pages and 2 work pages with no Flash). I might still have a screenshot of it lying around somewhere.
I keep many, many tabs open all the time in OS X and Windows and have no issues. Are you sure you don't have a problematic plugin?
On Ubuntu, on my home machine, I find Firefox unusable even after much tweaking.
I also notice that Chrome handles bad JavaScript much better than Firefox. Other than that I think Firefox is a fine browser.
I'm sure most of the security exploits have to do with plugins. It's a common trade-off: lock it down and make it more secure, or open it up and make it potentially more usable.
I found it but I'm wrong. It was 4 tabs, but it was 2 slashdot pages (old UI) and wiki-type pages.
I think the 'crashy' people are installing huge numbers of questionable plugins. I have good luck with Firefox but only install a few well selected plugins (noscript, better privacy, adblock, flash block, littlefox, and self destructing cookies). Because many of those plugins block crud like flash ads I get even better stability.
I've just not found that to be the case since the M days. And that's with usually 3-4 windows with lots of tabs open. I actually like and use both Chrome and Firefox. I think to say one is oh so much better than the other just doesn't fly from what I've seen and what my users have said. They both work very well.
If you wanna get rich, you know that payback is a bitch
Both Chrome and IE (yes slashdotters I did say IE) support lowrights mode.
This means it has no access to the file system at all, no access to processes or threads, and %appdata is its prison ... assuming you are on Windows 7 or greater. XP users will get hacked regardless of browser because the OS does not support kernel-level sandboxing.
I left Firefox for IE 9 in 2011 after it won awards on tomshardware.com. Then switched to Chrome. Firefox, like Netscape before it, is a sad shell of its former self. I do admit the later Firefox releases are much more lenient on RAM usage and have improved drastically.
But I have an older Phenom II x6. Nice 6 core with virtualization support for VMware .. but it is 2.6 GHz and is showing its age at only 2.6 GHz. My machine needs multi-processing/threading apps to run close to modern, and they provide greater security. One tab does not interfere with another and can be assigned to each core.
To prevent my fan from going high and causing high usage, both IE 10+ and Chrome utilize my system fine and still display pages as fast as those reading this on an icore5 or later. But Firefox puts 20+ tabs on one CPU with no lowrights mode, and as you can imagine, when Firebug is on it slows down all the tabs and it is a security risk.
Like Netscape, it was the lack of funding that killed it against the IE 6 onslaught. I wonder if the same is true? I used Netscape 4.7 before succumbing to IE 6, and then Firefox 1.5 to IE 9 and later Chrome today.
http://saveie6.com/
I left Firefox after the 4.0 debacle. Yes, it was the first release to really support HTML5, but it was freaking HORRIBLE. Bad UI, sloooow, and on older hardware it was unusable. IE 9, which was released March 2011, won awards on tomshardware.com. I held my nose and gave it a try. It supported hardware acceleration, HTML5 (I admit it was more limited at the time), and was great on my 6 core system as it has per-process tabs. Since 2001 it ran circles around Gecko web engines??!
Many slashdotters said ewww no thanks based on IE 6 memories.
I then played with Chrome. Yes it is spyware somewhat but it too has important features and has less hardware acceleration but it is more secure and frankly a much better browser than Firefox.
My father got hacked with Firefox. It is a shitty browser with no lowrights mode. It is from the XP era and has no concept of %appdata, and it uses the filesystem and has access rights to some processes and threads. Bad security-wise, but that is what XP-era software did.
Chrome and IE 9+ have separate code bases for this, with XP vs Windows 7 and greater with sandbox support. Many here use Comodo Dragon, which is based off of Chrome but has no privacy issues. However, be warned it is based off the previous version of Chromium with some security holes.
Switch my friend!
Until Firefox goes to a processing model and supports lowrights mode I will not go back. This may change, hopefully, as Firefox is improving with performance and RAM requirements since 2011, but on a 6 core system it is stupid not to multitask!
I had trouble with YouTube playing music as soon as you use Flashblock or Adblock. No issue at all with other browsers.
FYI this is after I disabled it for the FREAKING SITE. It seems unless they are uninstalled no music or videos can be displayed
What version of IE did you last use? I use IE as my secondary browser. There are reasons why it's not my primary browser, but clunkiness is not one of them. I find it far less clunky & far more stable than Firefox.
What?!?! Chrome developer tools beat the pants off Firebug, in my opinion. I install Firefox for non-developers, for people who consume content. For developing sites, Chrome saves me gobs of time compared to Firefox.
The tendency of Firefox to preserve its own DNS cache means I cannot use it when hopping from VPN to VPN with split DNS running, unless I configure and install my _own_ local DNS server to auto-reconfigure every time I activate a VPN. I'm afraid it's become unusable for me for real work and testing when switching from internal to external website access as I debug network and configuration issues: it's the only browser that fails this way.
My lady is running fewer plugins than I am, and literally running a subset of the plugins I am running, and her Firefox crashes fairly frequently while mine crashes only occasionally on a resume from suspend. The notable difference is that she is running Windows (7 x32) and I am running Linux (Ubuntu, something recent). If one of us has more stable hardware, it's her, and not me.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
You seem to think Firefox is still at version 4 or something. It is now heavily multithreaded, has sped up considerably (and is now competitive with even Chrome for most users), uses far less RAM (even compared to other browsers), and has even had its process sandboxing improved on most OSes.
Why is it still so much slower at JavaScript, and when, if ever, will this change? I'm still using it, but it's frustrating that loading a webpage often causes the entire browser to choke hard (whether I run it on SSD or not).
I would recommend NoScript. Firefox does have a glaring flaw in that all the tabs run in the same process, so if one gets wonky, it's game over for everything. It's probably Flash that's killing you. I use NoScript, which blocks everything (like Flash) that I don't explicitly want running, and it makes Firefox very stable. As a side benefit, it makes browsing much safer. I use Chrome a lot too, but when I'm going to any questionable sites, I use Firefox just because of NoScript.
My gosh, it's almost like 3rd party add-ons can make a product unstable!
And it's almost like people have been misunderstanding that about Firefox for the last 10 years!
Flash runs in a separate process, and has for quite a while.
God came back recently, through the vehicle of the operating system TempleOS.
None of this is an attempt to deter people from switching, but simply to fight your misinformation. It's popular to bash on Firefox lately, while telling users to switch to Chromium. But Opera is probably a better choice for users who don't want to opt into Google's services and just get the faster and leaner browser, and it is better-poised to return to greatness than stagnate like Chrome has lately.
Because it is!
No, it is not multithreaded. Don't believe me? Hit Control-Alt-Delete. Firefox uses 400 megs of RAM and has high CPU spikes while 5 of my out-of-date CPUs just sit there. One bad site ruins the rest of the 20+ tabs, while JavaScript and everything else pegs just one core, where a single bad script can take down the freaking browser.
Sounds like Windows 3.11 and MacOS classic all over!
It is snappier yes but only if you do not run more than a tab or two. It is time to move on as it is obsolete at this stage and is the new IE 6 of this decade. Stale, obsolete, and insecure.
Firefox, while it does work, is not the best, and it pains me to type this. Chrome works better on my older CPU with multicores. Maybe on a shiny new icore3 Firefox might seem snappier on light loads?
But the architecture is dated, insecure, and cannot handle modern GPUs and multi-core CPUs with modern security of per-tab processes like IE and Chrome have had since freaking 2009.
Shoot, even the recent iPhones and Galaxy phones have 4 core systems. It is 2014.
What distro/environment? In Mepis, Debian, OpenSUSE, and Fedora, it has been rock-solid stable for me using KDE 4, GNOME 2, KDE 3/Trinity. I usually only keep 4-10 tabs open and use the Too Many Tabs extension for the rest, and I usually kill off the Flash plugin via htop an hour or two after watching a video. That's a nine-year-old 2GHz Centrino laptop with 1GB of RAM, running 24/7 with Firefox almost always in use, AdBlock Plus & FlashBlock installed.
OTOH it crashed or froze up fairly often when I was using Ubuntu (roughly May 2008-Jan 2010) on a very similar laptop.
Now mostly at Usenet:comp.misc & SoylentNews.org (it's made of people!)
I'm curious: if God had appeared to someone, say 2500 years ago, could that person have recorded the event in any way that would convince you?
Correction: 24/7 with Firefox almost always in use when I'm actively interacting with the system (6-12 hours/day, maybe). I didn't mean that there's always somebody using Firefox at all hours of day and night.
Odd. I use YouTube relatively often, and always have AdBlock Plus & Flashblock enabled/installed. The biggest problem I've run into with the combo is that ABP thus far can't get rid of the smallish semi-collapsing ad that appears within the video and is sponsored by the account holder.
From what I recall, though, the main difference between Firefox and other browsers is that it's the only one that lets ABP block sites from even requesting a resource; on other browsers, all ABP can do is hide elements from view once they're downloaded. That might somehow tie into the problem you're having.
FWIW I'm using Firefox 22 (I dislike the changes made as of 23) in Mepis Linux, on an old 2GHz Centrino laptop with 1GB of RAM.
I think it depends on the nature of the evidence. If the person had significant knowledge imparted to them that would be extremely unlikely for them to know any other way, then that would be far more interesting.
Imagine if a prophet included a page of maths leading up to e=m*c*c or the chemical formula of a cancer cure (although I don't see why a god would invent cancer and then want the cure to be known) or maybe even a work of art that is so inspirational that people are struck with awe? However, if a god wanted to be widely known, it'd be easy to write commandments into the side of a mountain or even create a new bird species whose songs were the different commandments.
The problem with a human testifying about contact with a god is that they should have extraordinary evidence. Third hand reports of turning water into wine or walking on water are too easy to be faked when specific knowledge of the future cannot be faked (unless it's retroactively).
If I ever meet a god, I'm gonna take a bunch of photos, get him to post on my Facebook and ask him some specific questions. If he doesn't want to impart knowledge (apart from wishy-washy "be good to others"), then I'm going to suspect that he's a hallucination. There's a lot more evidence throughout history that humans easily hallucinate and make up shit.
You're a temporary arrangement of matter sliding towards oblivion in a cold, uncaring universe
What are you talking about?
http://www.pcmag.com/article2/...
Entia non sunt multiplicanda praeter necessitatem.
I think the more concerning thing is that people were probably waiting with their exploits to cash in 50,000 USD instead of 3,000 USD, and thus lowering security over the bragging rights that Pwn2own is the bestest in finding vulnerabilities. Indirectly they did what closed source does, and that was to tell the people NOT to give out their exploits, but instead wait.
Indirectly is the word here. Now they are aware, they should NOT do it again, because then they must take responsibility. If you give people an incentive to NOT reveal something, you cannot blame later that it was only THEIR responsibility. You have to take yours as well. It is not OR/OR, it is AND/AND. Both are equally responsible. Not even sharing the responsibility, equally.
Don't fight for your country, if your country does not fight for you.
Released? None.
Sold to the highest bidder? Most.
Nice to see security-research becoming a racketeering operation.
Someone forgot Opera? Just asking. www.opera.com
... that open source is superior. owait...
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
IE9 onwards is an entirely different beast to previous versions. If you haven't used IE since version 9 came out, it is worth at least testing (if you're on Windows, at least). There isn't really a major browser out there at the moment which doesn't suck in various ways, but in terms of suckage recent versions of IE aren't actually bad.
I'd be more concerned about the severity of the exploit than the number of them.
Wow, this is shocking they were able to pull this off! I would have thought that by the time the first or second one was found, they would be too caught up with the next version of Firefox being rolled out, or the browser simply locking up over and over and over due to the Flash plugin spinning in a loop. It's really hard to find vulnerabilities when the browser doesn't even work and they keep changing the playing field.
At least Firefox can be altered to become what you want it to be because Firefox respects a user's software freedom. Far more important than vagaries like "fast" and "not bloated" is how a program treats its users. Proprietary browsers leave users no opportunity for improving the program. Thus security issues in proprietary programs go unfixed and are exploited for years. This, in turn, allows others to invade people's computers and leaves users helpless. This is exactly what happened with Apple's iTunes for over 3 years. I would not be surprised to learn that software proprietors including Microsoft, Google, and Apple are doing similar things with proprietary web browser programs as well.
So while I like trustworthy programs like other computer users, I know that I can't ascertain the trustworthiness of proprietary programs like Microsoft's Internet Explorer, Apple's Safari, and Google's Chrome. The extent to which any of them are built from software that respects my software freedom is irrelevant because proprietary programs and their updates are essentially black boxes. I can't possibly inspect or fix all of the software I use, but I can put myself in a position where I stand to benefit from the improvements a lot of programmers make by exclusively running software that respects my freedom to run, inspect, share, and modify—free software—freedoms I value in their own right.
Digital Citizen
Yes. Flash has run in a separate process for 5-6 years now IIRC. When Flash crashes, it doesn't take down Firefox, it just displays a block saying that Flash crashed, and I believe it gives you a report link.
"your firefox is faster cause its cached. The apps you don't use often aint..."
Nope. Not on this machine.
I agree that the startup time of Firefox is a bit longer. But the performance is better. So since I have a browser running all the time for my work, startup time is not much of an issue, but performance is.
Further, what I use them for is testing pages that are constantly changing, so caching is not an issue.
Or you could use Chromium
Considering the article, wouldn't it be kinda obvious why Firefox got hacked? The source code is available.
So are most parts of Chrome, including the sandbox.
Chrome is just Safari's webkit with slower DOM and more marketing budget...
Interesting, though I've been using DoNotTrackMe which is faster than Ghostery and isn't joined at the hip to the ad industry.
Every can be broken into and some asshole can do arbitrary things on a user's machine because...
And on top of those two things there is the ever changing HTML specification, the ever changing CSS specification, and the bit of garbage called DOM.
And cracked by a "carefully constructed URL"?!? What!?!?! Can these people simply not write a safe URL parser? I mean WTF?!?!?!?!
TBL came up with the idea that was essentially anonymous FTP plus a bit of code that used a simple set of tags to format text so it displayed as the author intended it to be seen, and that was pretty cool. Then came the committees with "Wouldn't that be cool" ideas, and they implemented them with no regard for the implications.
The whole bloody mess is one huge kludge of hideously bad code, bad definitions, and bad implementations of pure garbage designed by a circle jerk.
We have waited for years for them to clean this fucking mess up and what have we gotten:
It is time for the madness to stop. Let's start over and make it correct this time.
Hey KID! Yeah you, get the fuck off my lawn!
Not everyone uses Windows, hence Linux and OS X users aren't exactly in a position to switch to IE, regardless of its technical merits. This is no longer a Windows-only world, even if it's still the majority.
Besides, IE lacks the useful extensions I rely on in Firefox. Don't tell me said extensions are pointless or useless - I find use in them, so clearly they have worth. Going to IE would mean giving up said extensions or having to do things in a less smooth or capable fashion. Firefox is still the best browser for the power user who wants as much functionality and flexibility as possible. IE is for the conservative user who wants something fast and integrated well with the OS and doesn't have any particular needs or wants outside of what the browser itself supports.
Sure, Firefox has its deficiencies (the inability of Mozilla to use multiple cores for separate tabs is still worrying), but you take the good with the bad. There is no one good browser.
Account abandoned. I can't fucking spell for shit and Slashdot doesn't even allow time-limited edits of posts. Plus you'
Yes, and even the Gzilt suspected that their religion might be contrived when they met up with other intergalactic species. Having a holy book that imparts top quality information is a lot more difficult to dismiss than a book filled with vague stories.
I've tried to like Firefox. I even switched to it for a couple of months but the thing that really annoyed me about it was the syncing of bookmarks / plugins / other stuff between machines. I use browsers on my desktop PC, laptop, mobile phone and tablet. With Chrome I have them all synced and they all work perfectly. With Firefox on the other hand I'd have them syncing perfectly for a week or so and then one of the devices would suddenly stop syncing for one reason or another and I could never work out why. I'd have to disable the whole sync configuration on the device in question and then reconfigure it again. What a time wasting exercise.