Slashdot Mirror

← Back to Stories (view on slashdot.org)

Pwn2Own 2016 Won't Attack Firefox (Because It's Too Easy) (eweek.com)

Posted by timothy on from the one-hand-behind-back dept.

darthcamaro writes: For the last decade, the Pwn2own hacking competition has pitted the world's best hackers against web browsers to try and find zero-day vulnerabilities in a live event. The contest, which is sponsored by HPE and TrendMicro this year, is offering over half a million dollars in prize money, but for the first time, not a penny of that will directed to Mozilla Firefox. While Microsoft Edge, Google Chrome and Apple Safari are targets, Firefox isn't because it's apparently too easy and not keeping up with modern security: "'We wanted to focus on the browsers that have made serious security improvements in the last year,' Brian Gorenc, manager of Vulnerability Research at HPE said."

20 of 288 comments (clear)

  1. Re:what? by sittingnut · · Score: 4, Insightful

    correct that to "open source sell out", for that is what firefox is

  2. This is a big bitchslap to Mozilla by Sax+Russell+5449D29A · · Score: 5, Interesting

    As an avid Firefox user, I have to agree. Firefox is good because it's customizable, but it certainly lacks some inherent security features found in other major browsers. Many of the security risks can probably be averted by configuring the browser for added privacy and disabling certain features, but this is no excuse for lagging behind.

    Maybe Mozilla will someday focus on its core competencies again and stop fooling around with nonsense like Firefox OS...

    --
    -SR
    1. Re:This is a big bitchslap to Mozilla by Anonymous Coward · · Score: 4, Informative

      Google Chrome does not run every tab in a separate process. It's a little more complicated than that. AFAICT from messing around, it creates a process per visited domain.

    2. Re:This is a big bitchslap to Mozilla by TheRaven64 · · Score: 4, Interesting

      It also scales based on processor resources. They hit serious TLB scalability issues at around 17 processes (varies a bit between CPUs, in some systems - particularly mobile - you'll hit RAM limits sooner), so if you have more tabs open than this, you will start having multiple independent sites share the same renderer process.

      --
      I am TheRaven on Soylent News
    3. Re:This is a big bitchslap to Mozilla by RandomFactor · · Score: 5, Interesting

      "The only advantage Firefox gives is that one can run NoScript to block all scripting completely."

      However, that's a pretty significant advantage.

      I would love to see how firefox compares with that one addon in place since that's how I run.

      Possibly a 'hardened browsers' version of the competition?

      --
      --- Mercutio was right.
  3. Re:what? by sittingnut · · Score: 5, Insightful

    to add to my above, those who are in charge of firefox no longer interested making its core product better and secure. it is interested market and marketing, bowing to establishment ideology and legalese, etc etc

  4. Re:what? by jellomizer · · Score: 4, Interesting

    Why would the distribution license affect quality and security of the software?

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
  5. Mozilla Foundation's press release in response: by Anonymous Coward · · Score: 5, Funny

    "Yeah, Pwn2own, well.... your MOM is too easy!"

  6. Can't expect Firefox to be secure by Anonymous Coward · · Score: 5, Insightful

    The FF developers don't have the time for that, they're far too busy destroying the user experience just a little bit more with each release.

    It takes a lot of time and effort and great skill to ruin what used to be the best browser you know, it doesn't happen by itself!

    (I just wish I were joking. Unfortunately they have the Microsoft disease of "The UI must change with each release to show that we're doing something". It's mind-boggling in its insanity, and it annoys their supporters continually. If they hadn't touched the UI in the last 5 years and devoted all their energy to security and performance instead, FF would still be the leading browser today.)

  7. Re:Hey hey hey... by timritzer · · Score: 5, Informative

    Except for the fact that last year it was the most insecure! http://www.extremetech.com/com... So, least secure last year, plus the statement "We wanted to focus on the browsers that have made serious security improvements in the last year" clearly indicates they think it is not worth the effort due to the insecure nature of the browser.

  8. Re:Wait a mintue by TheRaven64 · · Score: 4, Informative
    The former. All modern browsers except Firefox have decomposed their browser into multiple processes, so that a compromise from one site will only gain control over an unprivileged (i.e. isolated from other stuff the user cares about) process. They also run plugins in separate processes and have fairly narrow communication paths between them. Firefox is still a massive monolithic process, including all add-ons, plugins, and so on.

    This basically means that you just need one arbitrary code execution vulnerability in Firefox and it's game over. In contrast, if you have the same in Chrome, Edge, or Safari, then it's just the first step - you now have an environment where you can run arbitrary exploit code, but you can't make (most) system calls and you have to find another exploit to escape from the sandbox. Typical Chrome compromises are the result of chaining half a dozen vulnerabilities together.

    --
    I am TheRaven on Soylent News
  9. Re:what? by Anonymous Coward · · Score: 5, Interesting

    They didn't say Firefox isn't secure, they said it hasn't made many recent security improvements; that's not the same thing. Firefox already had superior security, so it has not had to make many improvements in the last year compared to less secure browsers.

  10. Re:what? by Lunix+Nutcase · · Score: 4, Interesting

    +5 funny. Firefox drops every year at Pwn2Own. So that "superior security" doesn't seem to actually amount to much in real life.

  11. Re:Wait a mintue by BZ · · Score: 5, Interesting

    Or maybe this is the contest organizers trolling? Because I know for a fact Firefox made serious security improvements in the last year; I reviewed some of those patches.

  12. Re:what? by Carewolf · · Score: 5, Insightful

    +5 funny. Firefox drops every year at Pwn2Own. So that "superior security" doesn't seem to actually amount to much in real life.

    All the browsers fail every single year.

  13. Re: Then what's the point? by dj245 · · Score: 5, Informative

    Again, though, that misses the point. You offer a prize to hack an insecure browser as a means of shaming the browser's developer. That's how it worked, and more to the point, that's why it worked. Have the Pwn2Own folks perhaps lost sight of that original purpose?

    Obviously Firefox wasn't shamed last year, or they would have tried to improve security. Instead, they made a bunch of useless UI changes, removed features, etc. They didn't get the message. Spending large amounts of money to send them the same message again would be a wasted effort. By ignoring them this year, Pwn2Own is sending an even stronger message that Firefox is a browser to be avoided. And it doesn't cost them any prize money to send that message.

    --
    Even those who arrange and design shrubberies are under considerable economic stress at this period in history.
  14. Thank-you to Slashdot for posting this! by Anonymous Coward · · Score: 4, Interesting

    I want to thank the Slashdot editors for putting stories with realistic analyses of Mozilla and Firefox on the front page of Slashdot, and allowing some real discussion of these issues to take place.

    This just isn't possible at other discussion forums. Take Hacker News, for example. Many people directly involved with Mozilla and Rust spend their time there. That, combined with Hacker News' broken and easily-abused mod system, means that any frank discussion about Mozilla, Firefox or Rust tends to get suppressed. If you dare to question anything Mozilla has done, or if you dare to point out something that may be construed as negative, you will find yourself mercilessly downvoted. My suspicion is that the downvoting is being done by the very people working on these projects, since there are so many of them on that site and their comments show they don't tolerate anything even just resembling dissent.

    Reddit isn't much better. There are a lot of rabid Mozilla and Firefox fanatics there who will actively suppress any comment that doesn't fully support and worship Mozilla or Firefox.

    It's a real shame that we can't openly discuss the various problems affecting Mozilla and Firefox at places like Hacker News and Reddit. Maybe if they pulled their fingers out of their ears, so to speak, and stopped downmodding truthful comments the people behind Firefox would begin to see why their product's market share has slid down to only about 7%, with nearly no (0.04%!) mobile presence. When people say negative things about Firefox, it's because the problems are real, they exist, and they need to be dealt with properly! Silencing such observations doesn't help; it just makes matters worse. It drives more people away from Firefox and Gecko, and typically over to Chrome, which just makes the Blink monoculture stronger and stronger. A Chrome/Blink monoculture is the last thing the web needs!

  15. Re:what? by naris · · Score: 5, Insightful

    Something being open source has never, ever meant that it is more secure. That is a myth propagated by open source zealots. Open source only means that, the source can be viewed, and most likely changed, by anyone. Open source zealots assume that means it is rigorously vetted by security experts to find any flaws and fix them, which is a huge assumption that mostly likely is not true for most projects.

  16. Let's look at the stats by MSG · · Score: 4, Interesting

    I see a lot of comments about Firefox's security but no references so far. So, let's look at cvedetails code execution counts:

    2016:
    Edge: 6
    Chrome: 0
    Safari: 0
    Firefox: 3

    2015:
    Edge: 19 (Nov 12 - Dec 31, a projected rate of 142 per year)
    Chrome: 8
    Safari: 101
    Firefox: 83

    2014:
    Chrome: 4
    Safari: 65
    Firefox: 55

    So while Firefox is getting a lot of hate here today, I think the unbiased view is that Firefox is clearly more secure than any browser other than Chrome, which has by far the best record. I struggle to imagine an objective reason to exclude Firefox from any evaluation while including Safari. Edge hasn't been out very long, but based on the very small amount of data we have so far, it looks significantly worse than Firefox.

    https://www.cvedetails.com/pro...
    http://www.cvedetails.com/prod...
    http://www.cvedetails.com/prod...
    https://www.cvedetails.com/pro...

  17. Re:what? by NotDrWho · · Score: 5, Interesting

    Sorry, but I'll still take Firefox over Chrome, IE, or Opera any day. Here is the dialogue I always have on some message board whenever I try to go over to Chrome:

    Me: Where is the menu bar?

    Them: You don't need a menu bar, the menu button will do everything instead.

    Me: Will it let me open a file?

    Them: Uhm....well...no.

    Can I at least add a stop button and zoom controls to the toolbar?

    Them: Sorry, Chrome doesn't allow any customization. You're supposed to do it the way Google tells you to.

    Me: Okay. Where are the options to automatically clear my history at close, erase all cookies at close, not remember search form histories, etc.?

    Them: Why would you need that?

    Me: For privacy.

    Them: What's "privacy"?

    Me: It's something Google has never, and will never, respect.

    --
    SJW's don't eliminate discrimination. They just expropriate it for themselves.