Slashdot Mirror

← Back to Stories (view on slashdot.org)

Pwn2Own 2016 Won't Attack Firefox (Because It's Too Easy) (eweek.com)

Posted by timothy on from the one-hand-behind-back dept.

darthcamaro writes: For the last decade, the Pwn2own hacking competition has pitted the world's best hackers against web browsers to try and find zero-day vulnerabilities in a live event. The contest, which is sponsored by HPE and TrendMicro this year, is offering over half a million dollars in prize money, but for the first time, not a penny of that will directed to Mozilla Firefox. While Microsoft Edge, Google Chrome and Apple Safari are targets, Firefox isn't because it's apparently too easy and not keeping up with modern security: "'We wanted to focus on the browsers that have made serious security improvements in the last year,' Brian Gorenc, manager of Vulnerability Research at HPE said."

28 of 288 comments (clear)

  1. Re:what? by sittingnut · · Score: 4, Insightful

    correct that to "open source sell out", for that is what firefox is

  2. This is a big bitchslap to Mozilla by Sax+Russell+5449D29A · · Score: 5, Interesting

    As an avid Firefox user, I have to agree. Firefox is good because it's customizable, but it certainly lacks some inherent security features found in other major browsers. Many of the security risks can probably be averted by configuring the browser for added privacy and disabling certain features, but this is no excuse for lagging behind.

    Maybe Mozilla will someday focus on its core competencies again and stop fooling around with nonsense like Firefox OS...

    --
    -SR
    1. Re:This is a big bitchslap to Mozilla by Anonymous Coward · · Score: 4, Informative

      Google Chrome does not run every tab in a separate process. It's a little more complicated than that. AFAICT from messing around, it creates a process per visited domain.

    2. Re:This is a big bitchslap to Mozilla by TheRaven64 · · Score: 4, Interesting

      It also scales based on processor resources. They hit serious TLB scalability issues at around 17 processes (varies a bit between CPUs, in some systems - particularly mobile - you'll hit RAM limits sooner), so if you have more tabs open than this, you will start having multiple independent sites share the same renderer process.

      --
      I am TheRaven on Soylent News
    3. Re:This is a big bitchslap to Mozilla by RandomFactor · · Score: 5, Interesting

      "The only advantage Firefox gives is that one can run NoScript to block all scripting completely."

      However, that's a pretty significant advantage.

      I would love to see how firefox compares with that one addon in place since that's how I run.

      Possibly a 'hardened browsers' version of the competition?

      --
      --- Mercutio was right.
    4. Re:This is a big bitchslap to Mozilla by arth1 · · Score: 3, Insightful

      Yea, Chrome gets a bad rap for how much resources it uses but, it actually has a good reason and, as you pointed out, if it starts hitting your system's ceiling, it starts scaling back.

      That's not acceptable. A web browser isn't the only, or even main thing I use my computer for. I don't want my VM to be unable to start because Chrome has used all the memory it could find, less a small bit.

      It's not cooperative. It assumes that all memory available has been made available for it only.
      Chrome is like a self-serve cafeteria where some people are gluttons who hog all the food, and latecomers only get crumbs. It might be legal, but it sure isn't playing nice. We shouldn't have to have guards standing at the food stations to prevent greedy bastards from ruining the experience for others. Taking all the biscuits and putting one or two back isn't generosity.

      Firefox isn't much better. One of my users forgot to close a browser window on a server before going on vacation, and just periodic auto-refresh had caused it to gobble up a quite a few gigabytes of RAM - a large portion of the server's RAM. The server has extra RAM because of disk caching, to the benefit of all users. I ended up having to implement cgroup memory limiting because of Firefox.

    5. Re:This is a big bitchslap to Mozilla by Noryungi · · Score: 3, Interesting

      OTOH, Xen has long touted its security focus and has a really tiny attack surface so I'm happy to be using that in Qubes OS as well.

      Excuse me? Xen had more than 100 security alerts in 2015, some extremely severe.

      And Xen is based on qemu, which has been proved to be fairly insecure in its own right.

      Using Qubes OS, which is based on Xen, which is based on qemu is... How to put it mildly? Maybe not the best idea if you are security conscious.

      In the words of Theo De Raadt: "You are absolutely deluded, if not stupid, if you think that a worldwide collection of software engineers who can't write operating systems or applications without security holes, can then turn around and suddenly write virtualization layers without security holes."

      I agree with him. It's turtles all the way down.

      --
      The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
  3. Wait a mintue by Anonymous Coward · · Score: 3, Interesting

    One change in the 2016 event is that the Mozilla Firefox Web browser is no longer part of the contest.

    "We wanted to focus on the browsers that have made serious security improvements in the last year," Gorenc said.

    Read that again.

    Notice serious "security improvements".

    So. am I to take it that Firefox was sitting on their asses and just adding bells and whistles?

    Or their security was so good before and now that there wasn't much improvement necessary?

    1. Re:Wait a mintue by TheRaven64 · · Score: 4, Informative
      The former. All modern browsers except Firefox have decomposed their browser into multiple processes, so that a compromise from one site will only gain control over an unprivileged (i.e. isolated from other stuff the user cares about) process. They also run plugins in separate processes and have fairly narrow communication paths between them. Firefox is still a massive monolithic process, including all add-ons, plugins, and so on.

      This basically means that you just need one arbitrary code execution vulnerability in Firefox and it's game over. In contrast, if you have the same in Chrome, Edge, or Safari, then it's just the first step - you now have an environment where you can run arbitrary exploit code, but you can't make (most) system calls and you have to find another exploit to escape from the sandbox. Typical Chrome compromises are the result of chaining half a dozen vulnerabilities together.

      --
      I am TheRaven on Soylent News
    2. Re:Wait a mintue by BZ · · Score: 5, Interesting

      Or maybe this is the contest organizers trolling? Because I know for a fact Firefox made serious security improvements in the last year; I reviewed some of those patches.

  4. Re:what? by sittingnut · · Score: 5, Insightful

    to add to my above, those who are in charge of firefox no longer interested making its core product better and secure. it is interested market and marketing, bowing to establishment ideology and legalese, etc etc

  5. Re:what? by Anonymous Coward · · Score: 3, Insightful

    move those goalposts...

  6. Re:what? by jellomizer · · Score: 4, Interesting

    Why would the distribution license affect quality and security of the software?

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
  7. Mozilla Foundation's press release in response: by Anonymous Coward · · Score: 5, Funny

    "Yeah, Pwn2own, well.... your MOM is too easy!"

  8. Can't expect Firefox to be secure by Anonymous Coward · · Score: 5, Insightful

    The FF developers don't have the time for that, they're far too busy destroying the user experience just a little bit more with each release.

    It takes a lot of time and effort and great skill to ruin what used to be the best browser you know, it doesn't happen by itself!

    (I just wish I were joking. Unfortunately they have the Microsoft disease of "The UI must change with each release to show that we're doing something". It's mind-boggling in its insanity, and it annoys their supporters continually. If they hadn't touched the UI in the last 5 years and devoted all their energy to security and performance instead, FF would still be the leading browser today.)

    1. Re:Can't expect Firefox to be secure by Anonymous Coward · · Score: 3, Insightful

      Removing cookie management features was the last straw for me. That is an essential feature for browsing the modern web. It's simply bewildering they would remove a critical ability while simultaneously adding weird social media things.

  9. Re:Hey hey hey... by timritzer · · Score: 5, Informative

    Except for the fact that last year it was the most insecure! http://www.extremetech.com/com... So, least secure last year, plus the statement "We wanted to focus on the browsers that have made serious security improvements in the last year" clearly indicates they think it is not worth the effort due to the insecure nature of the browser.

  10. Re:Hey hey hey... by EmeraldBot · · Score: 3, Interesting

    Except for the fact that last year it was the most insecure! http://www.extremetech.com/com... So, least secure last year, plus the statement "We wanted to focus on the browsers that have made serious security improvements in the last year" clearly indicates they think it is not worth the effort due to the insecure nature of the browser.

    Ah, I was looking for something like this when writing my comment. It's rather hard to find an up-to-date review of web browser vulnerabilities, which is curiously strange. Even so though, these results are from beginning of 2014, which was almost two years ago. I'll grant you Firefox doesn't have the same track record, but my point still stands: I think they're mainly doing it because they don't have infinite money and the same web browser again isn't very sexy.

    However, if I may bring up a point here: Firefox isn't super outstanding secure out of the box, but it has great support for extensions, and a few of the right ones can vastly improve its security. I don't know if Chrome can do the same (genuinely not sure, the last time I used it at all was ~2012). Also, because these all seem to depend on certain platforms, I wonder if/how many of these browser insecurities target the underlying OS as opposed to the browser itself?

    --
    "Set a man a fire, he'll be warm for the rest of the night. Set a man afire, he'll be warm for the rest of his life."
  11. Re:what? by Anonymous Coward · · Score: 5, Interesting

    They didn't say Firefox isn't secure, they said it hasn't made many recent security improvements; that's not the same thing. Firefox already had superior security, so it has not had to make many improvements in the last year compared to less secure browsers.

  12. Re:what? by Lunix+Nutcase · · Score: 4, Interesting

    +5 funny. Firefox drops every year at Pwn2Own. So that "superior security" doesn't seem to actually amount to much in real life.

  13. Re:what? by Carewolf · · Score: 5, Insightful

    +5 funny. Firefox drops every year at Pwn2Own. So that "superior security" doesn't seem to actually amount to much in real life.

    All the browsers fail every single year.

  14. Re: Then what's the point? by dj245 · · Score: 5, Informative

    Again, though, that misses the point. You offer a prize to hack an insecure browser as a means of shaming the browser's developer. That's how it worked, and more to the point, that's why it worked. Have the Pwn2Own folks perhaps lost sight of that original purpose?

    Obviously Firefox wasn't shamed last year, or they would have tried to improve security. Instead, they made a bunch of useless UI changes, removed features, etc. They didn't get the message. Spending large amounts of money to send them the same message again would be a wasted effort. By ignoring them this year, Pwn2Own is sending an even stronger message that Firefox is a browser to be avoided. And it doesn't cost them any prize money to send that message.

    --
    Even those who arrange and design shrubberies are under considerable economic stress at this period in history.
  15. Thank-you to Slashdot for posting this! by Anonymous Coward · · Score: 4, Interesting

    I want to thank the Slashdot editors for putting stories with realistic analyses of Mozilla and Firefox on the front page of Slashdot, and allowing some real discussion of these issues to take place.

    This just isn't possible at other discussion forums. Take Hacker News, for example. Many people directly involved with Mozilla and Rust spend their time there. That, combined with Hacker News' broken and easily-abused mod system, means that any frank discussion about Mozilla, Firefox or Rust tends to get suppressed. If you dare to question anything Mozilla has done, or if you dare to point out something that may be construed as negative, you will find yourself mercilessly downvoted. My suspicion is that the downvoting is being done by the very people working on these projects, since there are so many of them on that site and their comments show they don't tolerate anything even just resembling dissent.

    Reddit isn't much better. There are a lot of rabid Mozilla and Firefox fanatics there who will actively suppress any comment that doesn't fully support and worship Mozilla or Firefox.

    It's a real shame that we can't openly discuss the various problems affecting Mozilla and Firefox at places like Hacker News and Reddit. Maybe if they pulled their fingers out of their ears, so to speak, and stopped downmodding truthful comments the people behind Firefox would begin to see why their product's market share has slid down to only about 7%, with nearly no (0.04%!) mobile presence. When people say negative things about Firefox, it's because the problems are real, they exist, and they need to be dealt with properly! Silencing such observations doesn't help; it just makes matters worse. It drives more people away from Firefox and Gecko, and typically over to Chrome, which just makes the Blink monoculture stronger and stronger. A Chrome/Blink monoculture is the last thing the web needs!

  16. Re:what? by naris · · Score: 5, Insightful

    Something being open source has never, ever meant that it is more secure. That is a myth propagated by open source zealots. Open source only means that, the source can be viewed, and most likely changed, by anyone. Open source zealots assume that means it is rigorously vetted by security experts to find any flaws and fix them, which is a huge assumption that mostly likely is not true for most projects.

  17. Let's look at the stats by MSG · · Score: 4, Interesting

    I see a lot of comments about Firefox's security but no references so far. So, let's look at cvedetails code execution counts:

    2016:
    Edge: 6
    Chrome: 0
    Safari: 0
    Firefox: 3

    2015:
    Edge: 19 (Nov 12 - Dec 31, a projected rate of 142 per year)
    Chrome: 8
    Safari: 101
    Firefox: 83

    2014:
    Chrome: 4
    Safari: 65
    Firefox: 55

    So while Firefox is getting a lot of hate here today, I think the unbiased view is that Firefox is clearly more secure than any browser other than Chrome, which has by far the best record. I struggle to imagine an objective reason to exclude Firefox from any evaluation while including Safari. Edge hasn't been out very long, but based on the very small amount of data we have so far, it looks significantly worse than Firefox.

    https://www.cvedetails.com/pro...
    http://www.cvedetails.com/prod...
    http://www.cvedetails.com/prod...
    https://www.cvedetails.com/pro...

  18. Re:what? by NotDrWho · · Score: 5, Interesting

    Sorry, but I'll still take Firefox over Chrome, IE, or Opera any day. Here is the dialogue I always have on some message board whenever I try to go over to Chrome:

    Me: Where is the menu bar?

    Them: You don't need a menu bar, the menu button will do everything instead.

    Me: Will it let me open a file?

    Them: Uhm....well...no.

    Can I at least add a stop button and zoom controls to the toolbar?

    Them: Sorry, Chrome doesn't allow any customization. You're supposed to do it the way Google tells you to.

    Me: Okay. Where are the options to automatically clear my history at close, erase all cookies at close, not remember search form histories, etc.?

    Them: Why would you need that?

    Me: For privacy.

    Them: What's "privacy"?

    Me: It's something Google has never, and will never, respect.

    --
    SJW's don't eliminate discrimination. They just expropriate it for themselves.
  19. Re:what? by Carewolf · · Score: 3, Insightful

    All the browsers fail every single year.

    Yes but out of Firefox, Edge, Chrome, and Safari, Firefox fails more often every single year. Actually it's typically up with IE, and we all know that IE is a model browser for internet security. /sarcasm

    Safari is the browser the fails the fastest and most regularly. Google Chrome is second.

    It is assumed because it is pwn2own, and people attack Safari first to win a MacBook.

  20. Re:what? by shellbeach · · Score: 3, Insightful

    A true open source project is driven by the community, not by the maintainer alone

    Wait, you just make up definitions on the fly, post as AC, and get modded up for it? A true open source project is a project whose code is freely available. That's all.

    As for community contribution, firefox looks reasonably healthy to me: https://github.com/mozilla/kit...

    Compare that to Pale Moon, which you praise: https://github.com/MoonchildPr... ...

    Pale Moon has fewer contributors and a much higher volume of commits coming from a single dev. Not that this is bad -- they're both true open source projects, and different projects have different numbers of contributors.

    Maybe instead of whinging, you could learn to code and contribute too?