> If you can have buffer over-run vulnerabilities
> in your C++ app, then you are potentially
> vulnerable to absolutely anything.
Not really true.
1) If it's a *read* overrun, it's probably not exploitable. Could possibly be an information leak.
2) If it's a write overrun by at most 1 byte, it probably won't be exploitable.
3) A variety of other restrictions may apply that make it not exploitable.
4) The browser might have a buffer overrun bug that cannot be triggered by a remote Web page unless the user does some other actions than just viewing the page (e.g., save an image). Although this is still technically exploitable, it's a much less dangerous bug than something that leads to a "view this page and you're 0wned" attack.
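As an added illustration of points 1 and 2 above (new example code, not anything from the post or from Mozilla), here is a small C program with a fixed-layout record whose name buffer is followed by a one-byte lock flag and a secret. It shows a read overrun handing out the neighbouring bytes (an information leak), a one-byte write overrun whose only effect is to zero the byte after the buffer, and the bounded versions of both. The record layout, the field names and the "secret" value are all constructed for this example.

```c
/* Added example, not from the thread: a fixed-layout "record" whose
 * NUL-terminated name is followed by a one-byte lock flag and a secret.
 * It is a flat byte array so every access stays inside one object and the
 * result is well-defined, deterministic C; in a real program the neighbour
 * would be the next struct field, stack slot or heap chunk. */
#include <stdio.h>
#include <string.h>

#define NAME_LEN   8                 /* bytes reserved for the name, NUL included */
#define LOCK_OFF   NAME_LEN          /* the byte immediately after the name */
#define SECRET_OFF (LOCK_OFF + 1)
#define SECRET_LEN 4
#define REC_SIZE   (SECRET_OFF + SECRET_LEN)

typedef struct { unsigned char b[REC_SIZE]; } record;

static void record_init(record *r) {
    memset(r->b, 0, sizeof r->b);
    r->b[LOCK_OFF] = 1;                             /* 1 = account locked */
    memcpy(r->b + SECRET_OFF, "s3cr", SECRET_LEN);  /* constructed secret */
}

static int record_locked(const record *r) { return r->b[LOCK_OFF]; }

/* Write overrun by exactly one byte: the length is clamped, the terminator
 * is not, so an 8-character name puts the NUL on the lock flag. The attacker
 * chooses whether the extra byte is written, not its value, which is why such
 * bugs are often unexploitable; here the fixed zero still unlocks the account. */
static void set_name_off_by_one(record *r, const char *src) {
    size_t n = strlen(src);
    if (n > NAME_LEN) n = NAME_LEN;
    memcpy(r->b, src, n);
    r->b[n] = '\0';                                 /* n == NAME_LEN hits LOCK_OFF */
}

/* Bounded copy: the terminator is part of the budget. Returns 1 when the name
 * was truncated so the caller can reject it rather than store a different name. */
static int set_name_safe(record *r, const char *src) {
    size_t n = strlen(src);
    int truncated = n > NAME_LEN - 1;
    if (truncated) n = NAME_LEN - 1;
    memcpy(r->b, src, n);
    r->b[n] = '\0';
    return truncated;
}

/* Read overrun: copies "until the NUL", as strcpy/strlen would on a name that
 * filled its buffer without a terminator, and walks into the lock flag and the
 * secret. The scan stops at REC_SIZE only to keep the example well-defined;
 * a real strlen keeps going. Returns the number of bytes copied. */
static size_t read_name_leaky(const record *r, char *out, size_t outsz) {
    size_t i = 0;
    while (i < REC_SIZE && i + 1 < outsz && r->b[i] != '\0') {
        out[i] = (char)r->b[i];
        i++;
    }
    out[i] = '\0';
    return i;
}

/* Safe read: the search for the terminator never leaves the name buffer. */
static size_t read_name_safe(const record *r, char *out, size_t outsz) {
    const unsigned char *nul = memchr(r->b, '\0', NAME_LEN);
    size_t n = nul ? (size_t)(nul - r->b) : NAME_LEN;
    if (n > outsz - 1) n = outsz - 1;
    memcpy(out, r->b, n);
    out[n] = '\0';
    return n;
}

/* 1 if the off-by-one write cleared the lock flag. */
static int demo_off_by_one_unlocks(void) {
    record r;
    record_init(&r);
    set_name_off_by_one(&r, "abcdefgh");
    return record_locked(&r) == 0;
}

/* 1 if the bounded copy truncated the name and left the lock flag alone. */
static int demo_safe_write_keeps_lock(void) {
    record r;
    record_init(&r);
    return set_name_safe(&r, "abcdefgh") == 1 && record_locked(&r) == 1;
}

/* Bytes returned by a read of a name that fills its buffer with no NUL:
 * the leaky read returns the lock byte and the secret too (13), the safe
 * read stops at the buffer (8). */
static size_t demo_read(int safe) {
    record r;
    char out[32];
    record_init(&r);
    memcpy(r.b, "abcdefgh", NAME_LEN);
    return safe ? read_name_safe(&r, out, sizeof out)
                : read_name_leaky(&r, out, sizeof out);
}

int main(void) {
    printf("off-by-one write unlocked the account: %d\n", demo_off_by_one_unlocks());
    printf("bounded write kept it locked:          %d\n", demo_safe_write_keeps_lock());
    printf("leaky read returned %zu bytes, safe read %zu\n", demo_read(0), demo_read(1));
    return 0;
}
```

The point of the layout is that the interesting byte for the one-byte write is always the attacker's terminator, so its value is fixed; whether that matters depends entirely on what happens to live next to the buffer, which is what a triager has to find out before calling the bug exploitable.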
This is a good example of why "IE only looks bad because it has the most market share" is at best dubious, and why IE is going to continue to struggle with problems that don't affect other browsers.
In particular, here we have problems in a scriptable ActiveX control for presenting Windows Help files. It's nice to have that available for Windows integration, and maybe for intranet Web applications (though regular Web pages are fine for the vast majority of online help), but people don't need it for regular Web surfing. There have been tons of flaws in these preloaded ActiveX controls, but Microsoft seems unwilling to change its policy to reduce this attack surface.
> Perhaps the fact that Firefox has already had
> several security exploits out despite its
> extremely small userbase in comparison to IE
That doesn't prove anything other than that people are looking at it. You are relying on an assumption that the number of security bugs found is proportional to the user base.
> I'm still questioning why every single widget is
> reimplemented and loaded up into memory when we
> have desktops that provide widgets for their
> apps to use.
You're aware that IE also reimplements its widgets, right? Anyway, a full answer is here: http://ocallahan.org/mozilla/why-no-native-widgets.html
> Thank goodness for Opera.
Opera is a fine piece of work. I won't bash it.
> Okay...then why are the comments tables in
> Slashdot spilling over onto the navigation bar
> in Gecko?
That was fixed a long time ago, unfortunately too late for the Firefox 1.0 branch.
> Oh, gee, your impression? Well, hey, that proves
> it.
Without access to the IE source code, it's hard to be sure, but there have been a number of bugs related to string buffer overflows in different parts of IE.
> In SP2, they recompiled all system libraries,
> including IE, using the VS2005 compiler with
> overflow detection.
That approach is not perfect, and would have been less necessary if they were using a safe string library. Still, it probably would be a good idea for Mozilla.org to build Firefox with the same options if they don't already.
> Has Mozilla done a code audit?
Mozilla.org has not done a systematic code audit, as far as I know, other than the regular code reviews that happen before checkin. I do know that people have studied the code, some using automated tools, others by hand, but we only know if people choose to tell us. (Which they often do to claim money under the bug bounty program.)
> Today, Firefox's security advantage lies in one
> single factor: The very little attention it is
> getting from the people who write exploits.
People keep saying that, but you can't prove it until we get equal market share with IE. I'm looking forward to that.
In fact there are lots of other reasons why Firefox is more secure than IE. For example:
-- We use a string class library for almost all strings that flat-out prevents buffer overflows associated with those strings. My impression is that the IE code mostly does not.
-- IE is designed to be lax in its interpretation of the HTML, CSS, HTTP headers etc that it receives. Gecko is designed to be strict --- well, as strict as possible while making it possible to view 99% of the Web. IE's approach leads to confusion, which leads to security bugs. A great example is the raft of security bugs where different parts of IE guess the MIME type of incoming data and the guesses are inconsistent.
-- The IE-Windows integration means IE supports a lot of magic features such as special protocols that Gecko doesn't support or just blocks. So IE has more attack surface.
SP2 has improved things for IE a lot but they started from a bad position.
In India the salaries are already at first-world levels, if you adjust for the cost of living.
Why is it a failure of laissez-faire economics? It's an overall win for the planet.
> We as a nation often stand aghast when cultures
> are destroyed in the name of profit in other
> lands.
Well, no, you don't much. As often as not it's Americans doing the destroying.
The idea that rewriting something from scratch is de facto exciting and a good thing is a disease for which we have yet to discover a cure.
It's not the many windows that bother me. It's first of all the crazy menu system. Then it's the weird interaction gotchas like how to cancel selection or stop adding points to a path. Then it's deeper issues like the fact that channels, layers, alpha channels and layer masks all do nearly but not quite exactly the same thing.
The fact is that the GIMP UI sucks and the developers don't care. Therefore it's inevitable that GIMP will eventually be replaced by something whose UI doesn't suck. It might be some evolution of Inkscape, or it might be a port of Paint.NET, but it must happen, and the sooner the better as far as I'm concerned.
With Firefox share rising, given some time, this kind of problem will go away for most public Web sites.
In 2005 there will be more full-time Mozilla developers than we've had for years. Development is going to speed up. We all know we have to keep extending our lead, put as much distance between ourselves and IE as possible to drive Firefox conversions and revitalize the Web.
They are banging away. There is a bug bounty program, remember. And since everyone says Firefox is a more secure browser, isn't it cooler to take down FF than IE?
H1B WORKERS: go home. Leave the United States and return to your home countries. Build up your local high-tech industries. Corporations will send the jobs to you, and the USA will slide into oblivion.
It's maddening to read countries complaining about the all-too-real "brain drain" of their best and brightest talent to the USA, and to also read people in the USA complaining about receiving that talent.
I say this as someone who is going back home to New Zealand after 3 years of H1B-hood, to do my bit to reverse the brain drain. Fortunately my job is portable and I'm taking it home with me.
If Firefox and OpenOffice were only available on non-Windows platforms, almost no-one would ever switch to Linux, because everyone would be fully locked into IE-specific HTML and Word documents.
A better strategy is to get some Windows users to start using Firefox and OpenOffice --- much easier than forcing them to switch everything at once --- and because of network effects, that will lower everyone's cost of switching to Linux.
We've known about this for months. Why is it news now?
Put it this way: Firefox offers pre-WinXP users a *free* path to being secure. Microsoft forces them to spend a significant amount of money.
For non-XP users the bar to updating to SP2 includes
1) Spending $$$ to upgrade to WinXP
2) Possibly spending $$$$$ to upgrade their hardware so they can actually run WinXP
3) Possibly spending $$$ to update software that doesn't work right on WinXP
Leaving all these customers without any free path to being secure is not a very good option: not for the customers, and not for Microsoft because it's driving users to Firefox. But that's fine with me.
Wow, this is maximally evil. A pure parasite company extracting monopoly rents for patents on the obvious, AND a cartel to exclude non-members from developing any useful software without paying an arbitrarily high tax.
That this company obtains decades-long monopolies based on the results of an afternoon's "gabfest" shows how incredibly unjust the current system is.
BTW the difference between these kinds of parasitic lawyers and a real research operation like IBM or Microsoft Research is that real researchers tend to evaluate their ideas and patent only the good ones, also publishing them in ways that advance science. So they're at least adding some value to the community. Patenting the entire flood of ideas that any competent researcher's mind spews out every day adds nothing, simply steals. Especially when the "results" (I use the term loosely) are available only in obfuscated lawyer-ese. (It breaks my heart how lawyers take scientific publications which people have worked hard to make concise and clear, and smear them into unintelligible legal gibberish, thus defeating the ENTIRE ORIGINAL POINT of the patent system.)
Ximian's Exchange Connector.
I wouldn't quite call it technical leadership; fuzz testing is old and lots of people do it on all kinds of projects. But sure, they did a better job on this than Mozilla.
In the case of Mozilla it's really a resource and prioritization issue more than anything else: see http://it.slashdot.org/comments.pl?sid=126192&cid=10564332
Not that that's an excuse.
On any given day we know of many HTML inputs that will crash Mozilla, and many that will crash IE, and ditto for other browsers. Which ones get fixed is simply a matter of priorities. And we prioritize by looking at the crash to see if it looks like it could be turned into a security hole; looking at talkback data to see which crashes people are hitting most frequently; focusing on the ones that occur on actual real websites, and maybe after that when there's nothing else to do we fix the ones exposed by artificial testcases.
No-one has enough resources to fix every bug, not even Microsoft.
The reason IE did well is probably because Microsoft did this kind of fuzz testing on it a while back and fixed the bugs. AFAIK no-one has done this kind of fuzz testing on Mozilla.
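An added example, not code from the thread, from Mozilla or from Microsoft, of the kind of fuzz testing these comments refer to: a mutation fuzzer in C driving a toy parser that copies a `title="..."` attribute value into a 16-byte buffer. The parser is instrumented to report the overflow instead of performing it (the role a crash or a sanitizer plays in a real browser), and the harness reports how many bytes past the buffer the input controls, which is the first thing the triage described in the comment above looks at. The seed document, the PRNG and its fixed seed, and the three mutation operators are all assumptions of this example.

```c
/* Added example, not code from the thread or from any browser project: a
 * minimal mutation fuzzer run against a toy parser that copies a title="..."
 * attribute value into a 16-byte buffer. The parser reports the overflow
 * instead of performing it (what a crash or a sanitizer does in a real
 * browser), and the harness reports how many bytes past the buffer the
 * input controls. The seed document and the PRNG seed are constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TITLE_BUF 16                     /* toy parser's buffer, NUL included */
#define MAX_INPUT 256
#define SEED "<a href=\"http://example.org/\" title=\"hi\">link</a>"

/* Toy parser: -1 and *overflow set when the value would not fit the
 * buffer, 0 when it fits, 1 when there is no title attribute. */
static int parse_title(const unsigned char *in, size_t n, size_t *overflow) {
    static const char key[] = "title=\"";
    size_t klen = sizeof key - 1, i, start, len = 0;
    *overflow = 0;
    for (i = 0; i + klen <= n; i++)
        if (memcmp(in + i, key, klen) == 0) break;
    if (i + klen > n) return 1;
    start = i + klen;
    while (start + len < n && in[start + len] != '"') len++;
    if (len + 1 > TITLE_BUF) { *overflow = len + 1 - TITLE_BUF; return -1; }
    return 0;                            /* a real parser would memcpy here */
}

/* -1 = no title, 0 = fits, otherwise the number of bytes past the buffer. */
static long title_overflow(const char *doc) {
    size_t ovf;
    return parse_title((const unsigned char *)doc, strlen(doc), &ovf) == 1 ? -1 : (long)ovf;
}

static uint32_t rng = 0x9E3779B9u;       /* fixed seed: every run is reproducible */
static uint32_t rnd(uint32_t bound) {    /* LCG; plenty for a fuzzer */
    rng = rng * 1664525u + 1013904223u;
    return (rng >> 8) % bound;
}

/* One random mutation in place: overwrite a byte, delete a byte, or splice
 * a copy of a 1..16-byte chunk at a random position. Returns the new length. */
static size_t mutate(unsigned char *buf, size_t n) {
    unsigned char chunk[16];
    size_t pos, src, len;
    switch (rnd(3)) {
    case 0:
        buf[rnd(n)] = (unsigned char)rnd(256);
        return n;
    case 1:
        if (n < 2) return n;
        pos = rnd(n);
        memmove(buf + pos, buf + pos + 1, n - pos - 1);
        return n - 1;
    default:
        src = rnd(n);
        len = 1 + rnd(16);
        if (src + len > n) len = n - src;
        if (n + len > MAX_INPUT) return n;
        pos = rnd(n + 1);
        memcpy(chunk, buf + src, len);   /* copy out first: source and destination may overlap */
        memmove(buf + pos + len, buf + pos, n - pos);
        memcpy(buf + pos, chunk, len);
        return n + len;
    }
}

typedef struct {
    size_t iteration;                    /* 0 when nothing was found within the budget */
    size_t overflow;                     /* bytes the input controls past the buffer */
    size_t len;
    unsigned char input[MAX_INPUT];
} finding;

/* Mutates a fresh copy of the seed 1..6 times per iteration and stops at
 * the first input the instrumented parser rejects. */
static finding fuzz(const char *seed, size_t max_iters) {
    finding f = {0, 0, 0, {0}};
    size_t seedlen = strlen(seed), it;
    for (it = 1; it <= max_iters; it++) {
        unsigned char buf[MAX_INPUT];
        size_t n = seedlen, k = 1 + rnd(6), ovf;
        memcpy(buf, seed, seedlen);
        while (k--) n = mutate(buf, n);
        if (parse_title(buf, n, &ovf) == -1) {
            f.iteration = it; f.overflow = ovf; f.len = n;
            memcpy(f.input, buf, n);
            break;
        }
    }
    return f;
}

static size_t demo_fuzz_overflow(void) { return fuzz(SEED, 500000).overflow; }

int main(void) {
    finding f = fuzz(SEED, 500000);
    if (f.iteration == 0) { puts("no crash within budget"); return 0; }
    printf("crash after %zu iterations, %zu byte(s) past the buffer\n", f.iteration, f.overflow);
    printf("triage: %s\n", f.overflow == 1 ? "off-by-one, hard to exploit"
                                           : "multi-byte overwrite, treat as exploitable");
    printf("input: %.*s\n", (int)f.len, f.input);
    return 0;
}
```

Because the PRNG seed is fixed the run is reproducible, which is what makes a fuzz finding useful to a developer: the same input can be replayed under a debugger. The triage line is the cheap first cut only; a one-byte overflow still needs a look at what sits after the buffer before it can be dismissed.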
They don't. But in this case the law is reasonably aligned with most people's morals: "don't take someone's stuff without their permission"
(Yes I'm aware that copyright is an artificial property right etc etc, but most people don't have a problem with it in principle.)