Slashdot Mirror


Pwn2Own 2016 Won't Attack Firefox (Because It's Too Easy) (eweek.com)

darthcamaro writes: For the last decade, the Pwn2own hacking competition has pitted the world's best hackers against web browsers to try and find zero-day vulnerabilities in a live event. The contest, which is sponsored by HPE and TrendMicro this year, is offering over half a million dollars in prize money, but for the first time, not a penny of that will be directed to Mozilla Firefox. While Microsoft Edge, Google Chrome and Apple Safari are targets, Firefox isn't because it's apparently too easy and not keeping up with modern security: "'We wanted to focus on the browsers that have made serious security improvements in the last year,' Brian Gorenc, manager of Vulnerability Research at HPE said."


  1. SubjectsInCommentsAreStupidCauseTheSubjectIsTFA by lesincompetent · · Score: 2, Interesting

    I immediately thought about TOR Browser. The horror.

  2. Re:what? by sittingnut · · Score: 4, Insightful

    correct that to "open source sell out", for that is what firefox is

  3. This is a big bitchslap to Mozilla by Sax+Russell+5449D29A · · Score: 5, Interesting

    As an avid Firefox user, I have to agree. Firefox is good because it's customizable, but it certainly lacks some inherent security features found in other major browsers. Many of the security risks can probably be averted by configuring the browser for added privacy and disabling certain features, but this is no excuse for lagging behind.

    Maybe Mozilla will someday focus on its core competencies again and stop fooling around with nonsense like Firefox OS...

    --
    -SR
    1. Re:This is a big bitchslap to Mozilla by Anonymous Coward · · Score: 4, Informative

      Google Chrome does not run every tab in a separate process. It's a little more complicated than that. AFAICT from messing around, it creates a process per visited domain.

    2. Re:This is a big bitchslap to Mozilla by TheRaven64 · · Score: 4, Interesting

      It also scales based on processor resources. They hit serious TLB scalability issues at around 17 processes (varies a bit between CPUs, in some systems - particularly mobile - you'll hit RAM limits sooner), so if you have more tabs open than this, you will start having multiple independent sites share the same renderer process.

      --
      I am TheRaven on Soylent News
    3. Re:This is a big bitchslap to Mozilla by RandomFactor · · Score: 5, Interesting

      "The only advantage Firefox gives is that one can run NoScript to block all scripting completely."

      However, that's a pretty significant advantage.

      I would love to see how firefox compares with that one addon in place since that's how I run.

      Possibly a 'hardened browsers' version of the competition?

      --
      --- Mercutio was right.
    4. Re:This is a big bitchslap to Mozilla by TheReaperD · · Score: 2

      Yea, Chrome gets a bad rap for how much resources it uses but, it actually has a good reason and, as you pointed out, if it starts hitting your system's ceiling, it starts scaling back. Personally, I'm torn between Chrome and Firefox as there's things I like on each, except on mobile where Firefox wins due to plugins.

      --
      "Be particularly skeptical when presented with evidence confirming what you already believe." -
    5. Re:This is a big bitchslap to Mozilla by Anonymous Coward · · Score: 2, Informative

      ScriptBlock on Chrome does the same thing, or am I missing something vital?

      NoScript does quite a bit more than just basic script blocking.

    6. Re:This is a big bitchslap to Mozilla by Nemyst · · Score: 2

      It's not even much of an advantage since uMatrix exists on Chrome and is arguably superior. Then again, using either tends to get really aggravating and something only a microscopic proportion of the population will ever do.

    7. Re:This is a big bitchslap to Mozilla by hoggoth · · Score: 2

      Using NoScript is pretty easy if you don't try and micro-manage it. Allow (whitelist) your most trusted and frequently visited sites just once. "Temporarily allow all on this page" for trusted sites you don't frequently visit. Don't allow anything you don't completely trust to run JS.

      This is why I haven't switched to Chrome.

      --
      - For the complete works of Shakespeare: cat /dev/random (may take some time)
    8. Re:This is a big bitchslap to Mozilla by arth1 · · Score: 3, Insightful

      Yea, Chrome gets a bad rap for how much resources it uses but, it actually has a good reason and, as you pointed out, if it starts hitting your system's ceiling, it starts scaling back.

      That's not acceptable. A web browser isn't the only, or even main thing I use my computer for. I don't want my VM to be unable to start because Chrome has used all the memory it could find, less a small bit.

      It's not cooperative. It assumes that all memory available has been made available for it only.
      Chrome is like a self-serve cafeteria where some people are gluttons who hog all the food, and latecomers only get crumbs. It might be legal, but it sure isn't playing nice. We shouldn't have to have guards standing at the food stations to prevent greedy bastards from ruining the experience for others. Taking all the biscuits and putting one or two back isn't generosity.

      Firefox isn't much better. One of my users forgot to close a browser window on a server before going on vacation, and just periodic auto-refresh had caused it to gobble up quite a few gigabytes of RAM - a large portion of the server's RAM. The server has extra RAM because of disk caching, to the benefit of all users. I ended up having to implement cgroup memory limiting because of Firefox.

    9. Re:This is a big bitchslap to Mozilla by Noryungi · · Score: 3, Interesting

      OTOH, Xen has long touted its security focus and has a really tiny attack surface so I'm happy to be using that in Qubes OS as well.

      Excuse me? Xen had more than 100 security alerts in 2015, some extremely severe.

      And Xen is based on qemu, which has been proved to be fairly insecure in its own right.

      Using Qubes OS, which is based on Xen, which is based on qemu is... How to put it mildly? Maybe not the best idea if you are security conscious.

      In the words of Theo de Raadt: "You are absolutely deluded, if not stupid, if you think that a worldwide collection of software engineers who can't write operating systems or applications without security holes, can then turn around and suddenly write virtualization layers without security holes."

      I agree with him. It's turtles all the way down.

      --
      The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
    10. Re:This is a big bitchslap to Mozilla by mujadaddy · · Score: 2

      uMatrix exists on Chrome and is arguably superior

      No, it is inarguably not the same thing. uMatrix does nothing for first-party scripts. (I use both in Firefox!)

      --
      Populus vult decipi, ergo decipiatur...
      "Force shits upon Reason's back." - Poor Richard's Almanac
  4. Wait a minute by Anonymous Coward · · Score: 3, Interesting

    One change in the 2016 event is that the Mozilla Firefox Web browser is no longer part of the contest.

    "We wanted to focus on the browsers that have made serious security improvements in the last year," Gorenc said.

    Read that again.

    Notice serious "security improvements".

    So, am I to take it that Firefox was sitting on their asses and just adding bells and whistles?

    Or their security was so good before and now that there wasn't much improvement necessary?

    1. Re:Wait a minute by TheRaven64 · · Score: 4, Informative

      The former. All modern browsers except Firefox have decomposed their browser into multiple processes, so that a compromise from one site will only gain control over an unprivileged (i.e. isolated from other stuff the user cares about) process. They also run plugins in separate processes and have fairly narrow communication paths between them. Firefox is still a massive monolithic process, including all add-ons, plugins, and so on.

      This basically means that you just need one arbitrary code execution vulnerability in Firefox and it's game over. In contrast, if you have the same in Chrome, Edge, or Safari, then it's just the first step - you now have an environment where you can run arbitrary exploit code, but you can't make (most) system calls and you have to find another exploit to escape from the sandbox. Typical Chrome compromises are the result of chaining half a dozen vulnerabilities together.

      --
      I am TheRaven on Soylent News
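
As an added illustration of the isolation described in the comment above (not part of the thread, and not code from any browser): a broker process forks a worker that gives up the ability to open new file descriptors before touching untrusted input, and returns its result over a single pipe. The `RLIMIT_NOFILE` restriction is a deliberately simple stand-in for the much stricter OS sandboxes browsers use; `run_sandboxed` and `struct report` are hypothetical names.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical message format: the only thing the worker can send back. */
struct report {
    int open_errno;  /* errno from open() attempted inside the sandbox */
    unsigned sum;    /* stand-in for "rendering": byte sum of the input */
};

/* Broker: fork a restricted worker, hand it untrusted input, read one report.
 * Returns 0 on success, -1 on any failure. */
int run_sandboxed(const char *input, struct report *out) {
    int fds[2];
    if (pipe(fds) != 0) return -1;

    pid_t pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return -1; }

    if (pid == 0) {                       /* worker ("renderer") */
        struct report r = {0, 0};
        struct rlimit zero = {0, 0};
        close(fds[0]);
        /* Give up the right to create any new descriptor (files, sockets).
         * Already-open descriptors, such as the pipe, keep working. */
        if (setrlimit(RLIMIT_NOFILE, &zero) != 0) _exit(2);

        for (const char *p = input; *p; p++) r.sum += (unsigned char)*p;

        /* What hijacked code in this process would hit when reaching for
         * the user's files: open() fails with EMFILE. */
        int fd = open("/dev/null", O_RDONLY);
        r.open_errno = (fd < 0) ? errno : 0;

        ssize_t n = write(fds[1], &r, sizeof r);
        _exit(n == (ssize_t)sizeof r ? 0 : 3);
    }

    /* Broker: unrestricted, but accepts exactly one fixed-size message. */
    close(fds[1]);
    ssize_t n = read(fds[0], out, sizeof *out);
    close(fds[0]);
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    if (n != (ssize_t)sizeof *out) return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}

int main(void) {
    struct report r;
    if (run_sandboxed("<p>untrusted page</p>", &r) != 0) {
        fprintf(stderr, "worker failed\n");
        return 1;
    }
    printf("worker result: %u\n", r.sum);
    printf("open() inside worker: %s\n",
           r.open_errno ? strerror(r.open_errno) : "succeeded");
    return 0;
}
```
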
    2. Re:Wait a minute by BZ · · Score: 5, Interesting

      Or maybe this is the contest organizers trolling? Because I know for a fact Firefox made serious security improvements in the last year; I reviewed some of those patches.

    3. Re:Wait a minute by NotInHere · · Score: 2

      It's not quite how you describe it. Yes, when you start firefox it checks first whether the current profile is currently opened. That's not done because of "parallel" (or "threading", which doesn't have anything to do with this), but to the contrary, it is meant so that only one instance of firefox has write access to the profile.

      If you want to start multiple firefox processes, you'll need multiple profiles. When you start the separate firefox process you must then specify the --no-remote -P ProfileName command line args, where ProfileName is the name of the firefox profile you want to start (you can create profiles with the --ProfileManager param).

  5. Re:what? by sittingnut · · Score: 5, Insightful

    To add to my above, those who are in charge of firefox are no longer interested in making its core product better and secure. It is interested in market and marketing, bowing to establishment ideology and legalese, etc etc

  6. Re:what? by Anonymous Coward · · Score: 3, Insightful

    move those goalposts...

  7. Re:what? by jellomizer · · Score: 4, Interesting

    Why would the distribution license affect quality and security of the software?

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
  8. Mozilla Foundation's press release in response: by Anonymous Coward · · Score: 5, Funny

    "Yeah, Pwn2own, well.... your MOM is too easy!"

  9. Can't expect Firefox to be secure by Anonymous Coward · · Score: 5, Insightful

    The FF developers don't have the time for that, they're far too busy destroying the user experience just a little bit more with each release.

    It takes a lot of time and effort and great skill to ruin what used to be the best browser you know, it doesn't happen by itself!

    (I just wish I were joking. Unfortunately they have the Microsoft disease of "The UI must change with each release to show that we're doing something". It's mind-boggling in its insanity, and it annoys their supporters continually. If they hadn't touched the UI in the last 5 years and devoted all their energy to security and performance instead, FF would still be the leading browser today.)

    1. Re:Can't expect Firefox to be secure by Anonymous Coward · · Score: 3, Insightful

      Removing cookie management features was the last straw for me. That is an essential feature for browsing the modern web. It's simply bewildering they would remove a critical ability while simultaneously adding weird social media things.

    2. Re:Can't expect Firefox to be secure by EnsilZah · · Score: 2

      Heh, the UI is one thing, but there's also the bit where they went:
      Ok, so let's take a bunch of features that by any right should be an external plugin a few people would use and integrate them into the browser.
      Then let's take a bunch of basic features out so people have to replicate them in plugin form.
      Oh, and then obviously, let's deprecate our plugin API and replace it with Chrome's, so that after the UI changes the only thing differentiating us from Chrome will be how much our browser crashes and leaks memory.

  10. Re:Hey hey hey... by timritzer · · Score: 5, Informative

    Except for the fact that last year it was the most insecure! http://www.extremetech.com/com... So, least secure last year, plus the statement "We wanted to focus on the browsers that have made serious security improvements in the last year" clearly indicates they think it is not worth the effort due to the insecure nature of the browser.

  11. Re:Hey hey hey... by EmeraldBot · · Score: 3, Interesting

    Except for the fact that last year it was the most insecure! http://www.extremetech.com/com... So, least secure last year, plus the statement "We wanted to focus on the browsers that have made serious security improvements in the last year" clearly indicates they think it is not worth the effort due to the insecure nature of the browser.

    Ah, I was looking for something like this when writing my comment. It's rather hard to find an up-to-date review of web browser vulnerabilities, which is curiously strange. Even so though, these results are from beginning of 2014, which was almost two years ago. I'll grant you Firefox doesn't have the same track record, but my point still stands: I think they're mainly doing it because they don't have infinite money and the same web browser again isn't very sexy.

    However, if I may bring up a point here: Firefox isn't super outstanding secure out of the box, but it has great support for extensions, and a few of the right ones can vastly improve its security. I don't know if Chrome can do the same (genuinely not sure, the last time I used it at all was ~2012). Also, because these all seem to depend on certain platforms, I wonder if/how many of these browser insecurities target the underlying OS as opposed to the browser itself?

    --
    "Set a man a fire, he'll be warm for the rest of the night. Set a man afire, he'll be warm for the rest of his life."
  12. Re:what? by Anonymous Coward · · Score: 5, Interesting

    They didn't say Firefox isn't secure, they said it hasn't made many recent security improvements; that's not the same thing. Firefox already had superior security, so it has not had to make many improvements in the last year compared to less secure browsers.

  13. Re:what? by Lunix+Nutcase · · Score: 4, Interesting

    +5 funny. Firefox drops every year at Pwn2Own. So that "superior security" doesn't seem to actually amount to much in real life.

  14. Re:But rust is supersecure? by Thiez · · Score: 2

    Nope, Rust is being used by Mozilla to develop the experimental layout engine Servo, but there are (as far as I am aware) no plans to completely rewrite Firefox in Rust. There are plans to gradually replace some components in Firefox written in C/C++ with Rust, e.g. a url parser and a mp4 parser, but I don't think these are part of the current Firefox release.

  15. Then what's the point? by Millennium · · Score: 2

    I thought Pwn2Own was supposed to be all about shaming vendors into cleaning up their act. If Firefox's security is really so poor, then shouldn't these guys be directing more resources toward it, rather than less?

    Is this not a large part of how Microsoft was pressured into finally making certain decisions which, while clearly necessary, were very inconvenient from its own perspective? Why are we to believe that it would not work again?

    1. Re: Then what's the point? by dj245 · · Score: 5, Informative

      Again, though, that misses the point. You offer a prize to hack an insecure browser as a means of shaming the browser's developer. That's how it worked, and more to the point, that's why it worked. Have the Pwn2Own folks perhaps lost sight of that original purpose?

      Obviously Firefox wasn't shamed last year, or they would have tried to improve security. Instead, they made a bunch of useless UI changes, removed features, etc. They didn't get the message. Spending large amounts of money to send them the same message again would be a wasted effort. By ignoring them this year, Pwn2Own is sending an even stronger message that Firefox is a browser to be avoided. And it doesn't cost them any prize money to send that message.

      --
      Even those who arrange and design shrubberies are under considerable economic stress at this period in history.
  16. Re:what? by Carewolf · · Score: 5, Insightful

    +5 funny. Firefox drops every year at Pwn2Own. So that "superior security" doesn't seem to actually amount to much in real life.

    All the browsers fail every single year.

  17. Thank-you to Slashdot for posting this! by Anonymous Coward · · Score: 4, Interesting

    I want to thank the Slashdot editors for putting stories with realistic analyses of Mozilla and Firefox on the front page of Slashdot, and allowing some real discussion of these issues to take place.

    This just isn't possible at other discussion forums. Take Hacker News, for example. Many people directly involved with Mozilla and Rust spend their time there. That, combined with Hacker News' broken and easily-abused mod system, means that any frank discussion about Mozilla, Firefox or Rust tends to get suppressed. If you dare to question anything Mozilla has done, or if you dare to point out something that may be construed as negative, you will find yourself mercilessly downvoted. My suspicion is that the downvoting is being done by the very people working on these projects, since there are so many of them on that site and their comments show they don't tolerate anything even just resembling dissent.

    Reddit isn't much better. There are a lot of rabid Mozilla and Firefox fanatics there who will actively suppress any comment that doesn't fully support and worship Mozilla or Firefox.

    It's a real shame that we can't openly discuss the various problems affecting Mozilla and Firefox at places like Hacker News and Reddit. Maybe if they pulled their fingers out of their ears, so to speak, and stopped downmodding truthful comments the people behind Firefox would begin to see why their product's market share has slid down to only about 7%, with nearly no (0.04%!) mobile presence. When people say negative things about Firefox, it's because the problems are real, they exist, and they need to be dealt with properly! Silencing such observations doesn't help; it just makes matters worse. It drives more people away from Firefox and Gecko, and typically over to Chrome, which just makes the Blink monoculture stronger and stronger. A Chrome/Blink monoculture is the last thing the web needs!

    1. Re:Thank-you to Slashdot for posting this! by Verdatum · · Score: 2

      I suspect you'll start to see the mob of Mozilla/Firefox fans start getting quieter and quieter on Reddit over the next year or so, and I think it's been declining for awhile now. That said, I've yet to find any sort of decent news-for-nerds type subreddit. I'm a big fan of Reddit for all sorts of other matters, but on pretty much any news-focused sub, the vote system has a nasty habit of pushing the more sensationalist stories to the top. That's why I continue to stick around Slashdot & SoylentNews, even though both have their own well-discussed issues.

  18. Re:what? by naris · · Score: 5, Insightful

    Something being open source has never, ever meant that it is more secure. That is a myth propagated by open source zealots. Open source only means that the source can be viewed, and most likely changed, by anyone. Open source zealots assume that means it is rigorously vetted by security experts to find any flaws and fix them, which is a huge assumption that most likely is not true for most projects.

  19. Re:I'd like to hear Mozilla's response by greggman · · Score: 2

    Mozilla's response is to build a browser that has the same protections as other browsers.

    https://wiki.mozilla.org/Electrolysis

    They're doing that because they know their current tech isn't up to it. It's funny how their fans keep defending their current tech when Firefox themselves are abandoning it as soon as possible.

  20. Let's look at the stats by MSG · · Score: 4, Interesting

    I see a lot of comments about Firefox's security but no references so far. So, let's look at cvedetails code execution counts:

    2016:
    Edge: 6
    Chrome: 0
    Safari: 0
    Firefox: 3

    2015:
    Edge: 19 (Nov 12 - Dec 31, a projected rate of 142 per year)
    Chrome: 8
    Safari: 101
    Firefox: 83

    2014:
    Chrome: 4
    Safari: 65
    Firefox: 55

    So while Firefox is getting a lot of hate here today, I think the unbiased view is that Firefox is clearly more secure than any browser other than Chrome, which has by far the best record. I struggle to imagine an objective reason to exclude Firefox from any evaluation while including Safari. Edge hasn't been out very long, but based on the very small amount of data we have so far, it looks significantly worse than Firefox.

    https://www.cvedetails.com/pro...
    http://www.cvedetails.com/prod...
    http://www.cvedetails.com/prod...
    https://www.cvedetails.com/pro...

  21. Re:what? by macs4all · · Score: 2

    Praytell, when is the last time Apple admitted a security flaw? Windows is plagued by bad design decisions. Open source flaws usually tend to be dealt with fairly rapidly once discovered. I think you're going a little overboard calling people zealots there Chuck.

    Can't say about Windows; but Apple does it regularly, and publicly, after an internal investigation and fix (which is the prudent thing to do, to protect users).

  22. Re:Not buying it by Zaowulf · · Score: 2

    Well I can't speak for everybody but I'd rather have an ugly but functional system than a pretty infested one.

  23. Re:what? by NotDrWho · · Score: 5, Interesting

    Sorry, but I'll still take Firefox over Chrome, IE, or Opera any day. Here is the dialogue I always have on some message board whenever I try to go over to Chrome:

    Me: Where is the menu bar?

    Them: You don't need a menu bar, the menu button will do everything instead.

    Me: Will it let me open a file?

    Them: Uhm....well...no.

    Me: Can I at least add a stop button and zoom controls to the toolbar?

    Them: Sorry, Chrome doesn't allow any customization. You're supposed to do it the way Google tells you to.

    Me: Okay. Where are the options to automatically clear my history at close, erase all cookies at close, not remember search form histories, etc.?

    Them: Why would you need that?

    Me: For privacy.

    Them: What's "privacy"?

    Me: It's something Google has never, and will never, respect.

    --
    SJW's don't eliminate discrimination. They just expropriate it for themselves.
  24. Re:what? by Bengie · · Score: 2

    They didn't say Firefox isn't secure

    Nope, they just said they haven't made any meaningful improvements. I guess you assume Firefox has perfect security. "Firefox already had superior security" ahh yes, you do. And superior by what metric? FF has had about 3x more critical vulnerabilities than Chrome and about 10% more overall. Not a huge difference, but it definitely puts them at "worse" not "superior".

  25. Re:what? by Carewolf · · Score: 3, Insightful

    All the browsers fail every single year.

    Yes but out of Firefox, Edge, Chrome, and Safari, Firefox fails more often every single year. Actually it's typically up with IE, and we all know that IE is a model browser for internet security. /sarcasm

    Safari is the browser that fails the fastest and most regularly. Google Chrome is second.

    It is assumed because it is pwn2own, and people attack Safari first to win a MacBook.

  26. Re:Not buying it by F.Ultra · · Score: 2

    You say that as if not all browsers will leave Pwn2Own 2016 broken by at least one team.

  27. Re: what? by reve_etrange · · Score: 2

    think they know something other people don't.

    I switched back to Firefox because vertical tabs, dynamic loading/unloading of tabs from memory, and NoScript. I don't just think that Firefox has these nice features...it really does have them (yes, add-on features count as browser features).

    It would be cool to see how Firefox with NoScript does in pwn2own.

    --
    .: Semper Absurda :.
  28. Re:what? by shellbeach · · Score: 3, Insightful

    A true open source project is driven by the community, not by the maintainer alone

    Wait, you just make up definitions on the fly, post as AC, and get modded up for it? A true open source project is a project whose code is freely available. That's all.

    As for community contribution, firefox looks reasonably healthy to me: https://github.com/mozilla/kit...

    Compare that to Pale Moon, which you praise: https://github.com/MoonchildPr... ...

    Pale Moon has fewer contributors and a much higher volume of commits coming from a single dev. Not that this is bad -- they're both true open source projects, and different projects have different numbers of contributors.

    Maybe instead of whinging, you could learn to code and contribute too?

  29. Re:what? by mcswell · · Score: 2

    What's fashion got to do with it? I want to *use* a computer, not pretend it's a fashion show.