Slashdot Mirror


Pwn2Own 2016 Won't Attack Firefox (Because It's Too Easy) (eweek.com)

darthcamaro writes: For the last decade, the Pwn2Own hacking competition has pitted the world's best hackers against web browsers to try and find zero-day vulnerabilities in a live event. The contest, which is sponsored by HPE and TrendMicro this year, is offering over half a million dollars in prize money, but for the first time, not a penny of that will be directed to Mozilla Firefox. While Microsoft Edge, Google Chrome and Apple Safari are targets, Firefox isn't because it's apparently too easy and not keeping up with modern security: "'We wanted to focus on the browsers that have made serious security improvements in the last year,' Brian Gorenc, manager of Vulnerability Research at HPE, said."

16 of 288 comments

  1. SubjectsInCommentsAreStupidCauseTheSubjectIsTFA by lesincompetent · · Score: 2, Interesting

    I immediately thought about TOR Browser. The horror.

  2. This is a big bitchslap to Mozilla by Sax Russell 5449D29A · · Score: 5, Interesting

    As an avid Firefox user, I have to agree. Firefox is good because it's customizable, but it certainly lacks some inherent security features found in other major browsers. Many of the security risks can probably be averted by configuring the browser for added privacy and disabling certain features, but this is no excuse for lagging behind.

    Maybe Mozilla will someday focus on its core competencies again and stop fooling around with nonsense like Firefox OS...

    --
    -SR
    1. Re:This is a big bitchslap to Mozilla by TheRaven64 · · Score: 4, Interesting

      It also scales based on processor resources. They hit serious TLB scalability issues at around 17 processes (varies a bit between CPUs, in some systems - particularly mobile - you'll hit RAM limits sooner), so if you have more tabs open than this, you will start having multiple independent sites share the same renderer process.

      --
      I am TheRaven on Soylent News
    2. Re:This is a big bitchslap to Mozilla by RandomFactor · · Score: 5, Interesting

      "The only advantage Firefox gives is that one can run NoScript to block all scripting completely."

      However, that's a pretty significant advantage.

      I would love to see how firefox compares with that one addon in place since that's how I run.

      Possibly a 'hardened browsers' version of the competition?

      --
      --- Mercutio was right.
    3. Re:This is a big bitchslap to Mozilla by Noryungi · · Score: 3, Interesting

      OTOH, Xen has long touted its security focus and has a really tiny attack surface so I'm happy to be using that in Qubes OS as well.

      Excuse me? Xen had more than 100 security alerts in 2015, some extremely severe.

      And Xen is based on qemu, which has been proved to be fairly insecure in its own right.

      Using Qubes OS, which is based on Xen, which is based on qemu is... How to put it mildly? Maybe not the best idea if you are security conscious.

      In the words of Theo de Raadt: "You are absolutely deluded, if not stupid, if you think that a worldwide collection of software engineers who can't write operating systems or applications without security holes, can then turn around and suddenly write virtualization layers without security holes."

      I agree with him. It's turtles all the way down.

      --
      The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
  3. Wait a minute by Anonymous Coward · · Score: 3, Interesting

    One change in the 2016 event is that the Mozilla Firefox Web browser is no longer part of the contest.

    "We wanted to focus on the browsers that have made serious security improvements in the last year," Gorenc said.

    Read that again.

    Notice serious "security improvements".

    So. am I to take it that Firefox was sitting on their asses and just adding bells and whistles?

    Or their security was so good before and now that there wasn't much improvement necessary?

    1. Re:Wait a minute by Viol8 · · Score: 1, Interesting

      Firefox used to be multiprocess, in the sense that if you started a new instance a new process would start. But then they heard about threading and decided it must be the solution to everything, so now when you kick off a new Firefox instance (on Linux, anyway) when one is already running, it checks for some shared memory, and if it's there hands over to the current Firefox process, which kicks off a new thread, and then the process you started dies. A very complex, inefficient and security-poor way of doing things. But it probably looked good on some former Firefox devs' CVs.

    2. Re:Wait a minute by BZ · · Score: 5, Interesting

      Or maybe this is the contest organizers trolling? Because I know for a fact Firefox made serious security improvements in the last year; I reviewed some of those patches.

  4. Re:what? by jellomizer · · Score: 4, Interesting

    Why would the distribution license affect quality and security of the software?

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
  5. Re:Hey hey hey... by EmeraldBot · · Score: 3, Interesting

    Except for the fact that last year it was the most insecure! http://www.extremetech.com/com... So, least secure last year, plus the statement "We wanted to focus on the browsers that have made serious security improvements in the last year" clearly indicates they think it is not worth the effort due to the insecure nature of the browser.

    Ah, I was looking for something like this when writing my comment. It's rather hard to find an up-to-date review of web browser vulnerabilities, which is curiously strange. Even so, though, these results are from the beginning of 2014, which was almost two years ago. I'll grant you Firefox doesn't have the same track record, but my point still stands: I think they're mainly doing it because they don't have infinite money and the same web browser again isn't very sexy.

    However, if I may bring up a point here: Firefox isn't super outstanding secure out of the box, but it has great support for extensions, and a few of the right ones can vastly improve its security. I don't know if Chrome can do the same (genuinely not sure, the last time I used it at all was ~2012). Also, because these all seem to depend on certain platforms, I wonder if/how many of these browser insecurities target the underlying OS as opposed to the browser itself?

    --
    "Set a man a fire, he'll be warm for the rest of the night. Set a man afire, he'll be warm for the rest of his life."
  6. Re:what? by Anonymous Coward · · Score: 5, Interesting

    They didn't say Firefox isn't secure, they said it hasn't made many recent security improvements; that's not the same thing. Firefox already had superior security, so it has not had to make many improvements in the last year compared to less secure browsers.

  7. Re:what? by Lunix Nutcase · · Score: 4, Interesting

    +5 funny. Firefox drops every year at Pwn2Own. So that "superior security" doesn't seem to actually amount to much in real life.

  8. Thank-you to Slashdot for posting this! by Anonymous Coward · · Score: 4, Interesting

    I want to thank the Slashdot editors for putting stories with realistic analyses of Mozilla and Firefox on the front page of Slashdot, and allowing some real discussion of these issues to take place.

    This just isn't possible at other discussion forums. Take Hacker News, for example. Many people directly involved with Mozilla and Rust spend their time there. That, combined with Hacker News' broken and easily-abused mod system, means that any frank discussion about Mozilla, Firefox or Rust tends to get suppressed. If you dare to question anything Mozilla has done, or if you dare to point out something that may be construed as negative, you will find yourself mercilessly downvoted. My suspicion is that the downvoting is being done by the very people working on these projects, since there are so many of them on that site and their comments show they don't tolerate anything even just resembling dissent.

    Reddit isn't much better. There are a lot of rabid Mozilla and Firefox fanatics there who will actively suppress any comment that doesn't fully support and worship Mozilla or Firefox.

    It's a real shame that we can't openly discuss the various problems affecting Mozilla and Firefox at places like Hacker News and Reddit. Maybe if they pulled their fingers out of their ears, so to speak, and stopped downmodding truthful comments the people behind Firefox would begin to see why their product's market share has slid down to only about 7%, with nearly no (0.04%!) mobile presence. When people say negative things about Firefox, it's because the problems are real, they exist, and they need to be dealt with properly! Silencing such observations doesn't help; it just makes matters worse. It drives more people away from Firefox and Gecko, and typically over to Chrome, which just makes the Blink monoculture stronger and stronger. A Chrome/Blink monoculture is the last thing the web needs!

    1. Re: Thank-you to Slashdot for posting this! by Kishin · · Score: 1, Interesting

      Maybe reduced odds of submissions, but your comment seems false in general. I post as nickpsecurity on HN. I started by taking on their top commenter, tptacek, in INFOSEC discussions where fanboys maxed out at -4 downvoting. I called bullshit on claims of the Rust team, esp. pcwalton the compiler guy, plenty of times. We're still civil as it's a great project/community, but they get overzealous with claims. Being from high assurance, anti-fads, anti-cloud... I'd be long gone if your HN claims were true. Instead, I mostly get upvotes with posts that have sound analysis, esp. with references. Sometimes kind emails from people grateful for a different perspective. So, no, your problem was probably from how you said it or backed it up. HN has biases & moderation but no censorship. Even Paul Graham took tons of shit on the inequality thing with all messages plain to read on the front page. Feel free to come back and try a different style of dissent.

  9. Let's look at the stats by MSG · · Score: 4, Interesting

    I see a lot of comments about Firefox's security but no references so far. So, let's look at cvedetails code execution counts:

    2016:
    Edge: 6
    Chrome: 0
    Safari: 0
    Firefox: 3

    2015:
    Edge: 19 (Nov 12 - Dec 31, a projected rate of 142 per year)
    Chrome: 8
    Safari: 101
    Firefox: 83

    2014:
    Chrome: 4
    Safari: 65
    Firefox: 55

    So while Firefox is getting a lot of hate here today, I think the unbiased view is that Firefox is clearly more secure than any browser other than Chrome, which has by far the best record. I struggle to imagine an objective reason to exclude Firefox from any evaluation while including Safari. Edge hasn't been out very long, but based on the very small amount of data we have so far, it looks significantly worse than Firefox.

    https://www.cvedetails.com/pro...
    http://www.cvedetails.com/prod...
    http://www.cvedetails.com/prod...
    https://www.cvedetails.com/pro...

  10. Re:what? by NotDrWho · · Score: 5, Interesting

    Sorry, but I'll still take Firefox over Chrome, IE, or Opera any day. Here is the dialogue I always have on some message board whenever I try to go over to Chrome:

    Me: Where is the menu bar?

    Them: You don't need a menu bar, the menu button will do everything instead.

    Me: Will it let me open a file?

    Them: Uhm....well...no.

    Me: Can I at least add a stop button and zoom controls to the toolbar?

    Them: Sorry, Chrome doesn't allow any customization. You're supposed to do it the way Google tells you to.

    Me: Okay. Where are the options to automatically clear my history at close, erase all cookies at close, not remember search form histories, etc.?

    Them: Why would you need that?

    Me: For privacy.

    Them: What's "privacy"?

    Me: It's something Google has never, and will never, respect.

    --
    SJWs don't eliminate discrimination. They just expropriate it for themselves.