Title: Firefox Security Flaw
Post by: WayAbvPar on May 09, 2005, 12:15:23 PM

Linkage (http://news.yahoo.com/s/pcworld/120756)
Somehow I hadn't heard about this yet- consider it a PSA from your friendly F-13 staff.

Title: Re: Firefox Security Flaw
Post by: Jayce on May 09, 2005, 12:48:16 PM

It was only a matter of time. I like and use Firefox pretty much exclusively, but I'm under no illusions that it's "safer" than IE. It's just that no one was targeting it until now.
I hate when I see people on teh intarnets saying that, and I even saw a local TV news story on it. It makes about as much sense as Mac zealots stating that Mac OS X is invulnerable.

Title: Re: Firefox Security Flaw
Post by: MaceVanHoffen on May 09, 2005, 12:52:38 PM

It was only a matter of time. I like and use Firefox pretty much exclusively, but I'm under no illusions that it's "safer" than IE. It's just that no one was targeting it until now. I hate when I see people on teh intarnets saying that, and I even saw a local TV news story on it. It makes about as much sense as Mac zealots stating that Mac OS X is invulnerable.

I disagree, a little. I think Firefox is safer than IE. But no software is perfect, nor safe in the absolute sense. Firefox will [continue to] have vulnerabilities, but I guarantee you they won't be anywhere near the alien gangprobing that is IE.

Title: Re: Firefox Security Flaw
Post by: Pococurante on May 09, 2005, 01:24:23 PM

Ah another great prediction!
Quote
The world will never need more than five computers.
Thomas Watson, IBM

Quote
A computer will never need more then 640kb of Ram.
Bill Gates, Microsoft

Quote
Firefox will [continue to] have vulnerabilities, but I guarantee you they won't be anywhere near the alien gangprobing that is IE.
MaceVanHoffen, f13

Edit: because even copy & paste is too hard for some.

Title: Re: Firefox Security Flaw
Post by: schild on May 09, 2005, 01:27:53 PM

WTG on not getting the good Bill Gates quote there. Wasn't the actual quote like 16KB or something?

Title: Re: Firefox Security Flaw
Post by: Alkiera on May 09, 2005, 01:28:53 PM

Actually, that Bill Gates quote should say '640kbytes of RAM', not 128 megs.
Alkiera

Title: Re: Firefox Security Flaw
Post by: schild on May 09, 2005, 01:30:14 PM

I was closer.
Between the dishwasher and the armoire, I choose the crotchpheasant.

Title: Re: Firefox Security Flaw
Post by: Pococurante on May 09, 2005, 01:31:21 PM

Mace can always take Brother Bill's approach - Gates denies to this day he ever said any such thing. :evil:

Title: Re: Firefox Security Flaw
Post by: schild on May 09, 2005, 01:35:01 PM

Does anyone have video or proof that he did say it? I mean, I don't doubt it, but he can probably get away with denying it.

Title: Re: Firefox Security Flaw
Post by: Pococurante on May 09, 2005, 01:44:51 PM

Ah another great prediction!

Actually it seems Gates is still making interesting statements. (http://news.bbc.co.uk/2/hi/business/4508897.stm)

Quote
Microsoft's biggest worry, though, should be the huge success of Mozilla Firefox, the open source web browser. Faster and more secure than Internet Explorer, it is the first browser to seriously challenge Microsoft's dominance. In just nine months Firefox has chalked up 50 million downloads, although some are admittedly upgrades. Bill Gates is one of the people with Firefox on his computer, so I asked him for his opinion. "I played around with it a bit, but it's just another browser, and IE [Microsoft's Internet Explorer] is better," Mr Gates told me, and challenged my assertion that Firefox's 'market share' is growing rapidly. "So much software gets downloaded all the time, but do people actually use it?" he argued.

Title: Re: Firefox Security Flaw
Post by: MaceVanHoffen on May 09, 2005, 01:45:29 PM

Mace can always take Brother Bill's approach - Gates denies to this day he ever said any such thing. :evil:

I'll never deny it :) It's patently obvious that IE is the least safe browser out there, unless you're an M$ fanboi or shill. Anyone who thinks otherwise should be forced to write the list of Microsoft products that have major exploits on a blackboard over and over again, possibly while being slapped with a printout of M$ Office's EULA, until they realize the error of their thinking. Just remember to quote me accurately: I did say Firefox will continue to have vulnerabilities.

Title: Re: Firefox Security Flaw
Post by: schild on May 09, 2005, 01:49:11 PM

I don't think any of it matters. More often than not, the least safe connection is the person. It doesn't matter what browser they're using. I've gotten one virus in my life, and it was my fault and it was a dummy virus.

Title: Re: Firefox Security Flaw
Post by: AOFanboi on May 09, 2005, 02:06:53 PM

Quote
A computer will never need more then 640kb of Ram.
Bill Gates, Microsoft

Title: Re: Firefox Security Flaw
Post by: Evangolis on May 09, 2005, 02:08:23 PM

I don't use Firefox because it is more secure than IE, that is just a bonus. As to security, if you can't find a hole in the system, you probably haven't looked enough.

Title: Re: Firefox Security Flaw
Post by: Alkiera on May 09, 2005, 02:15:28 PM

I don't use Firefox because it is more secure than IE, that is just a bonus. As to security, if you can't find a hole in the system, you probably haven't looked enough.

Right, I use Firefox because of built-in popup blocking, and tabbed browsing. And a more useful page search feature. And themes. And the common name for it doesn't sound like "Aaaaiii!"

Alkiera

Title: Re: Firefox Security Flaw
Post by: Righ on May 09, 2005, 02:31:35 PM

It was only a matter of time. I like and use Firefox pretty much exclusively, but I'm under no illusions that it's "safer" than IE. It's just that no one was targeting it until now.

It is safer, precisely because fewer grubby little hackers are targeting it. It doesn't matter why it is safer, only that it is, and you understand why.

Edit: this whole thread is in the wrong fucking forum. Modera.. oh.

Title: Re: Firefox Security Flaw
Post by: WayAbvPar on May 09, 2005, 02:55:49 PM

It was only a matter of time. I like and use Firefox pretty much exclusively, but I'm under no illusions that it's "safer" than IE. It's just that no one was targeting it until now. It is safer, precisely because fewer grubby little hackers are targeting it. It doesn't matter why it is safer, only that it is, and you understand why. Edit: this whole thread is in the wrong fucking forum. Modera.. oh.

Heh. It is a PC software-related thread, so I figured this was as good a spot as any.

Title: Re: Firefox Security Flaw
Post by: Trippy on May 09, 2005, 04:58:54 PM

It was only a matter of time. I like and use Firefox pretty much exclusively, but I'm under no illusions that it's "safer" than IE. It's just that no one was targeting it until now.
Firefox has had its share of "critical" security holes as you can see here: http://www.mozilla.org/projects/security/known-vulnerabilities.html

This new one was a little more "exciting" than some of the others since a working exploit was posted by a security company. However mozilla.org fixed things on their end quickly to minimize the risk to users (though there is still a risk).

Edit: fixed typos

Title: Re: Firefox Security Flaw
Post by: Strazos on May 09, 2005, 06:28:18 PM

Personally, I use NS, and only IE when necessary (mainly when a video needs to be streamed with WMP, and Netscape won't do it correctly).
Only gotten about 1 virus in my life, and I knew exactly how I did it, and it was with IE.

Title: Re: Firefox Security Flaw
Post by: Jayce on May 10, 2005, 05:57:26 AM

It was only a matter of time. I like and use Firefox pretty much exclusively, but I'm under no illusions that it's "safer" than IE. It's just that no one was targeting it until now. It is safer, precisely because fewer grubby little hackers are targeting it. It doesn't matter why it is safer, only that it is, and you understand why.

I suppose that that's true. Linux, MacOS, Firefox, Opera etc are all safer in a general sense because they are not where the pay dirt is for virus writers/hackers, and for that matter, many virus writers are also Linux fanbois and wouldn't target it out of principle. But there's no technical reason those platforms are safer. That's all I'm arguing.

Title: Re: Firefox Security Flaw
Post by: Murgos on May 10, 2005, 06:12:29 AM

But there's no technical reason those platforms are safer. That's all I'm arguing.

Actually, at least on windows there is. Third party browsers have to go through a built in paranoia layer on code execution I.E. does not and in fact uses the windows API for many of its system calls. In other words a security flaw that allows arbitrary code execution in I.E. gives access to protected mode (Operating System) memory, the same flaw in Firefox is still limited to User Mode memory space. It is inherently less safe by design than 3rd party browsers. Want proof? What renders list-boxes in internet explorer? I bet you it's not internet explorer.

Title: Re: Firefox Security Flaw
Post by: Soukyan on May 10, 2005, 06:57:13 AM

See my signature. There is no such thing as a completely invulnerable software design. The best we can hope is to design well and prevent most, if not all, security vulnerabilities at the design phase. After that, the cost of repairing the security flaw increases exponentially.
It costs 60x as much to fix a security flaw on a release product than it does during design. Let's hope MS remembers that while working on IE7. And that figure does not include the cost of loss due to tarnished reputation, etc. that come about because consumers start to trust your products less and less as more and more security flaws are exposed. It's all about the solid software engineering foundation. As always, though, easier said than done.

Title: Re: Firefox Security Flaw
Post by: Pococurante on May 10, 2005, 10:01:31 AM

Let's hope MS remembers that while working on IE7.

I try not to overestimate MSFT too much but the next releases take us into hardware-protected execution regions. If they're dogfooding themselves (as they increasingly seem to be) they'll conform to their own official APIs. No reason not to since most of the reasons for backdoor APIs no longer applies and like you observe introduces more potential problems.

Title: Re: Firefox Security Flaw
Post by: Soukyan on May 10, 2005, 11:46:41 AM

Let's hope MS remembers that while working on IE7. I try not to overestimate MSFT too much but the next releases take us into hardware-protected execution regions. If they're dogfooding themselves (as they increasingly seem to be) they'll conform to their own official APIs. No reason not to since most of the reasons for backdoor APIs no longer applies and like you observe introduces more potential problems.

It could be frightening. As the recent Dashboard exploit for Safari RSS on OSX Tiger proves that protected "sandboxes" aren't necessarily safe when they interact with other unsafe areas of the OS with permissions. Of course, the exploits demonstrated were more of an annoyance than anything, but crafted properly, can disable a user's ability to even access their Dashboard (pending opening a terminal window and fixing the problem via Unix). Pretty shitty. I would like to see IE7 take a similar approach and lock javascript into a protected sandbox with minimal permissions. Wrappers can be used to interact with other processes that may have higher permissions and can easily be written for data validation, etc. against commonly used security flaws. I realize that software engineers under forced time constraints must make some hard decisions about the level of application security and the feasibility based upon deadlines.
I also realize that conscientious engineers should be making a concerted effort to program as securely as possible at all times and as appropriate for their project. In the case of programming for the internet, one can never have enough in the way of security, especially since TCP is abhorrent in that regard because the original developers had no idea what their protocol would one day become.

Title: Re: Firefox Security Flaw
Post by: Jayce on May 10, 2005, 01:45:35 PM

But there's no technical reason those platforms are safer. That's all I'm arguing. Actually, at least on windows there is. Third party browsers have to go through a built in paranoia layer on code execution I.E. does not and in fact uses the windows API for many of its system calls. In other words a security flaw that allows arbitrary code execution in I.E. gives access to protected mode (Operating System) memory, the same flaw in Firefox is still limited to User Mode memory space. It is inherently less safe by design than 3rd party browsers. Want proof? What renders list-boxes in internet explorer? I bet you it's not internet explorer.

The fact is that it is a red herring that IE is part of the operating system. All the hooks that IE uses are part of the platform SDK and available to any program. The fact that IE, itself, provides hooks to other programs is irrelevant. The question is what security context are you running under? A non-privileged user can't do certain harmful things no matter what ring the code is running in. Unfortunately most users are set up as administrators on their computers and any code, ring 3 (user) or ring 0 (kernel) can do harmful things under their security context.

Title: Re: Firefox Security Flaw
Post by: MaceVanHoffen on May 10, 2005, 04:16:09 PM

But there's no technical reason those platforms are safer. That's all I'm arguing.

There is a technical reason: IE is poorly designed, as is its underlying operating system. Though, admittedly, that is more of a human reason.
But to a user of IE who's just had the latest DCOM exploit ruin his/her work, the distinction is meaningless and appears to be the fault of the software. Oh, and on the topic of hardware protection regions: Windows has had them since NT 3.5.1. Under the guise of "training", Microsoft even marketed these features to those of us with the misfortune of becoming MCSE- and MCSD-certified in the mid-90's. Any hardware protection M$ comes up with hasn't helped matters thus far. At some point, you have to stop betting on the horse that keeps losing, even when his jockey insists that he'll win the next race. Also, M$ resists any change to their business and software models. So why would anyone expect they would somehow magically stop making the same mistakes again and again? IE6 was vulnerable to many of the exact same exploits as previous versions, despite those exploits being patched in those same previous versions. Monopolies don't learn from failure. They tend to be completely immune to them.

Title: Re: Firefox Security Flaw
Post by: Righ on May 11, 2005, 06:13:45 AM

many virus writers are also Linux fanbois

That's like saying that devil worshippers tend to be Democrats. Told you this was in the wrong forum. :P

Title: Re: Firefox Security Flaw
Post by: Jayce on May 11, 2005, 01:02:39 PM

many virus writers are also Linux fanbois That's like saying that devil worshippers tend to be Democrats. Told you this was in the wrong forum. :P

I see what you are saying, but that's not what I meant. I meant that virus writers must be uber geeks, and uber geeks tend to be linux fanbois. Anyway, I have more to say on the subject, but in the interest of keeping this thread out of Politics, I'll just drop it.

Title: Re: Firefox Security Flaw
Post by: Roac on May 11, 2005, 03:29:40 PM

It is safer, precisely because fewer grubby little hackers are targeting it. It doesn't matter why it is safer, only that it is, and you understand why.

For an unpatched system, that is true.
For a patched system, it is not. Turnaround for security issues are better with Microsoft than Mozilla. Both systems have crippling security flaws, and measuring any metric as to quantity is fairly pointless; with more people beating on it, I would expect Microsoft's discovered count to be higher. With money and a larger image on the line, I also expect them fixed quicker.

Title: Re: Firefox Security Flaw
Post by: Righ on May 12, 2005, 07:49:51 AM

Turnaround for security issues are better with Microsoft than Mozilla.

Patently not true.

Title: Re: Firefox Security Flaw
Post by: Trippy on May 12, 2005, 11:50:31 AM

Turnaround for security issues are better with Microsoft than Mozilla. Patently not true.

The main site (http://www.mozilla.org/products/firefox/) is getting hammered right now so you may want to try a mirror (http://www.mozilla.org/mirrors.html).

Title: Re: Firefox Security Flaw
Post by: Signe on May 12, 2005, 12:30:25 PM

I don't believe that MS can spit out fixes faster than the eleventy one jabillion open source community nerds.

Title: Re: Firefox Security Flaw
Post by: Pococurante on May 12, 2005, 12:59:38 PM

I don't believe that MS can spit out fixes faster than the eleventy one jabillion open source community nerds.

The eleventy one jabillion nerds are knocking at the door - something about script for a play called 'Hamlet' they want us to review.

Title: Re: Firefox Security Flaw
Post by: Alkiera on May 12, 2005, 01:37:05 PM

many virus writers are also Linux fanbois That's like saying that devil worshippers tend to be Democrats. Told you this was in the wrong forum. :P I see what you are saying, but that's not what I meant. I meant that virus writers must be uber geeks, and uber geeks tend to be linux fanbois. Anyway, I have more to say on the subject, but in the interest of keeping this thread out of Politics, I'll just drop it.

Actually, some of the most prolific virii, like the old I Love You virus, were just lame VB Script hacks, built to take advantage of some pretty silly default actions in MS's LookOut(er, Outlook) email program, which is used in a LOT of businesses and Universities... for some reason. We never had this problem when people just used telnet and VMSMail.

Alkiera

Title: Re: Firefox Security Flaw
Post by: Roac on May 12, 2005, 03:58:58 PM

Actually, some of the most prolific virii, like the old I Love You virus, were just lame VB Script hacks, built to take advantage of some pretty silly default actions in MS's LookOut(er, Outlook) email program, which is used in a LOT of businesses and Universities... for some reason. We never had this problem when people just used telnet and VMSMail.

Majority of viruses that hit MS are just exploits of OLD vulnerabilities that haven't been patched. Similar issues with router/firewall hardware; stay patched and you'll stop the vast majority of issues. Beyond that, a network design that layers security will prohibit most attacks by uber hackers who are beyond that stage.
After that point you'll be getting better returns by focusing on application security (minimizing privileges of accounts, pushing for strong PW policies, etc).

Title: Re: Firefox Security Flaw
Post by: Soukyan on May 13, 2005, 05:39:51 AM

MaceVanHoffen - The "M$" was original and funny several years ago. Time to grow up and find a new way to express your distaste for the software giant. ;)
Back on topic, I've noticed that patching Firefox, now and in the future, could be a possible problem for some users. Why? Well, there was a major security patch issued that required the old version to be uninstalled before the new one was installed (I believe it was 1.00 to 1.01). At least when I went to install the upgrade, I was prompted to do so. I thought it rather odd and extremely effing annoying. I had to backup bookmarks, make note of extensions and themes and then wipe it off and do a fresh install of the new version and then re-import/re-install all the extra goodies (just integrate mouse gestures already ffs). Now, my point is not to gather tips and tricks on upgrading without actually following the explicit directions to back everything up and uninstall the old and install the new version. My point is that for non-technical users, this is cumbersome and not very intuitive.

Note - I use IE, Firefox, Opera and Safari. I use them all for testing and other purposes, so while I like the idea of being paid large sums of money and stock options to engineer software for the big MSFT, I don't drop my bias onto any particular browser because they all equally suck at the moment. Each is missing something that I want in the complete package. Actually, Safari is the least lacking, but I work on the Mac platform the least. But I digress...

Security updates to Firefox in the form of minor version downloads have the potential to be frustrating for end users. Have the potential. Microsoft got the patching of IE right in that the security patches are applied without requiring the end user to reinstall the entire browser. I realize the difference in architectures, I am simply pointing out the difference in ease of use. Microsoft could take a page from Mozilla's book though and, like Firefox, put a little browser update button in the top right corner so users will know when they need an update and can simply click the button to go to the update site.
As it is now, they are relying on users enabling automatic updates or checking the Windows Update site themselves and we all know how well that works. I did notice that occasionally IE will redirect to the IE home page or the Windows Update site when you open it if there is an update for the browser; however, it does not appear to be a consistent or accurate behaviour. I've been redirected when I have had the latest browser. Odd.

That aside, it was good to see Firefox offer the update so quickly, although we don't really know how long they were actually aware of the problem. As they garner a wider user base, we will see more and more vulnerabilities and targeted attacks on the browser. Firefox will most likely remain fairly safe, but I've already seen adware/spyware exploits for it and it is not immune to popups, nor will it prevent malicious web sites from dropping "fun stuff" on a user's computer (in the case that the security settings are too low). Also, Firefox has a problem with low privacy settings from the start. Cookies are fairly innocuous, but when allowed to drop all over the system and when they contain sensitive information, one incident of remote access to the user's computer can net an attacker some great files chock full of information to use.

As to viruses themselves, it doesn't take a lot of knowledge to write one, and most that circulate are merely variants of a well programmed original. I did an NBC news interview locally on Wednesday evening discussing the recent variant of the Sober worm. Now, the Sober worm has been around since October of 2003. The variant that was discovered on May 2, 2005 was the 14th variant. While it differed some from the original, the most notable difference was delivery method (still email, but more aggressive) and enhanced social engineering.
As a matter of fact, the English version email subject and message did not change very much from the original, but the German version is what really got Europeans to open the attachment. The German version of the most recent variant told email recipients that they had won tickets to the 2006 World Cup. Talk about luring people in. What European in their right mind could resist the call of championship soccer? Beautiful social engineering. Find something that will override a user's common sense and rational reasoning and you can propagate a virus that accounts for over 70% of infections worldwide and is infecting 1 out of every 22 emails worldwide within 48 hours of release. While it wasn't the most prolific virus ever written, it was fairly effective and even managed to cause some universities near me to close several computer labs in order to clean the infections. Granted, they obviously had poor security or poor AV protection (I managed to keep our administrative network of over 1300 workstations/servers to one infection and that was before the variant was even known by the AV corps. I had the pleasure of submitting one of the first samples. Woo...), but the effect was still felt and the IT cost was incurred.

I'm rambling, but the fact remains that you could write a simple virus with little programming knowledge. As a matter of fact, a very damaging virus would be a program that deletes everything in the My Documents folder and then proceeds to copy itself until it fills up the hard drive. As a matter of fact, there was already a virus that did this and it was one of the most damaging of all time. Also, it would be simple to throw in some additions to the user's host file to prevent them from getting to AV and security sites. To cap it all off, you could attempt to issue a couple command lines to shutdown popular AV and firewall services that may be running on the user's computer. As long as that user has appropriate rights, then you're all set.
The most difficult part is determining a delivery method that will be effective. Yes, virus writers must know their way around, but it doesn't take much to tinker with someone else's virus and repackage and re-release as a new variant. And if you think Macs are invulnerable because anything that requires administrative rights asks the user to enter their password, then you are fooling yourself. Good social engineering combined with an end user's desire to cooperate with the computer equals an easy way to infect a Mac should anyone feel like attempting to exploit the rather impenetrable Unix-based OS. Then again, with the appropriate permissions, much damage can be done to Unix.

Yada yada yada. There are points in there somewhere and I'm sure a lot to dissect. Enjoy!

Title: Re: Firefox Security Flaw
Post by: Trippy on May 13, 2005, 05:53:41 AM

Firefox 1.1 will have a patching system for updates instead of the current "reinstall everything" method.

Title: Re: Firefox Security Flaw
Post by: Soukyan on May 13, 2005, 05:54:49 AM

Firefox 1.1 will have a patching system for updates instead of the current "reinstall everything" method.

That's great, great news. Thanks for the info.

Title: Re: Firefox Security Flaw
Post by: Trippy on May 13, 2005, 06:18:04 AM

That aside, it was good to see Firefox offer the update so quickly, although we don't really know how long they were actually aware of the problem.

The Mozilla Foundation has a policy of "locking" security bugs in Bugzilla once they've been verified as such to prevent the unwashed masses from reading the details. Sometime after the bug is fixed they unlock it. In this particular case we'll be able to read the Bugzilla details on 5/18. However, you can estimate the time the bugs were originally filed by checking the timestamps of the bugs filed before and after the security ones since we do know their bug numbers. For the "public" security hole (the one that got all the press attention), the original bug submission date was sometime on 5/2. The earliest reported security bug of the 3 that were fixed in 1.04 was reported sometime on 4/18.

Title: Re: Firefox Security Flaw
Post by: Murgos on May 13, 2005, 07:47:33 AM

Ah, transparency. Ya gotta love it. How long was that bug known about? Why, let's go look!
Ask Microsoft how long an exploit was known about before it was fixed and the answer is likely to be, "That was never a bug, you people just weren't operating with proper security settings. Why did we change it then? Err, click! Dial tooooonnnnneeeee..." I don't care if Microsoft appears to be occasionally faster with some fixes than their competition the fact that I can't even begin to evaluate their overall handling of security with any kind of accuracy is really a serious problem.

Title: Re: Firefox Security Flaw
Post by: Pococurante on May 13, 2005, 10:09:55 AM

In further news open source bigots the world over celebrate their first blow against Bill "Borg" Gates (http://www.cnn.com/2005/TECH/internet/05/13/internet.explorer.ap/index.html).
Those wild and whacky Europeans...

Title: Re: Firefox Security Flaw
Post by: MaceVanHoffen on May 13, 2005, 10:21:58 AM

Ah, transparency. Ya gotta love it. How long was that bug known about? Why, let's go look! Ask Microsoft how long an exploit was known about before it was fixed and the answer is likely to be, "That was never a bug, you people just weren't operating with proper security settings. Why did we change it then? Err, click! Dial tooooonnnnneeeee..." I don't care if Microsoft appears to be occasionally faster with some fixes than their competition the fact that I can't even begin to evaluate their overall handling of security with any kind of accuracy is really a serious problem.

You touch on a key issue, really: M$ deals with any bug as if they were an assault on the company, a threat to be dealt with. Deny its very existence first, then claim it's not really a bug, then use the press and the legal system to wage war against the bug, and finally when there's no way around it actually fix the bug. Many bugs go unfixed and unreported because they get stopped earlier in that chain. M$ behaves more like an organism fighting for its survival instead of a company that should stand behind its product. That outlook is a throwback to companies of generations past. It's also, IMHO, a consequence of being a functional monopoly. It is for that reason that M$ will never be as fast as other companies in fixing bugs. Why should they be? What motivation do they have? Legions of adoring fans slurp up their products, so why change what's working? It's sad that IT shops still feel the need to do business with them, as there are so many other options out there now. Open source, free software, other commercial enterprises ... it doesn't matter. They're all more responsive and more reliable than M$. I use Firefox not so much because I like it (though, I do) but more because the IT shop behind it is better behaved.

Title: Re: Firefox Security Flaw
Post by: Pococurante on May 13, 2005, 10:34:43 AM

Every dev team has patch release cycles.

Title: Re: Firefox Security Flaw
Post by: MaceVanHoffen on May 13, 2005, 10:56:55 AM

Every dev team has patch release cycles.

I don't mind patch/release cycles. Heck, some of M$'s bugs rightfully would take many months to fix. I've been one of those devs madly trying to patch some low-level security hole that a script kiddie found, so I can empathize. What I do have a problem with is the policy of "customers who find bugs are the enemy" along with the paternalistic notion that M$ always knows best, when the stellar lack of quality in many of their products clearly indicates that they do not know best. I trust the judgment of most developers off the street over that of the most skilled of M$ employees.

Title: Re: Firefox Security Flaw
Post by: Roac on May 13, 2005, 11:34:11 AM

It is for that reason that M$ will never be as fast as other companies in fixing bugs. Why should they be? What motivation do they have?

What motivation? Money. Primarily stemming from one of image; they don't want to be perceived as laying down on security (among other things), and part of that is of course an effective PR front. The other side is actually delivering.

Quote
Open source, free software, other commercial enterprises ... it doesn't matter. They're all more responsive and more reliable than M$.

Bullshit. Volunteer devs are responsive only when it suits them, and far from reliable because you can't hold them accountable to anything. On the other hand if I have an issue with a Microsoft product that affects my business, I know I can call up a rep and make something happen (have before). Why? Because we pay for that level of service. It would be cheaper to go with an open source solution up front, but ongoing support would be a nightmare (and has been with every type of solution like that we've implemented). OTOH, there are situations where open communities are beneficial. We're involved in several projects along those lines, which are of a different scope, and they work well.
Anything, whether Microsoft or otherwise, are just tools. It gets old dealing with people who are bigots for either side; either join the MS borg or treasure your independence. Whatever. People can play that game if they want, meanwhile the rest of the world is solving problems.

Title: Re: Firefox Security Flaw
Post by: Roac on May 13, 2005, 11:39:14 AM

What I do have a problem with is the policy of "customers who find bugs are the enemy"

Is that speaking from personal experience, or hearsay? If the former, find a better rep. I've never had that problem. If you get lip like that, you should be carrying it up the chain, because it doesn't take long to get to someone who values you as a customer and will shitcan the rep who treats you like that. We had to do that once, but with Unisys; it went from "we can't help you" to "we'll give you x, y and z for free" after we put the possibility of switching vendors on the table. Of course, it helps that you spend money at least in the neighborhood of millions to get that kind of response (because at this level, that kind of decision will directly affect jobs in the company).

Quote
along with the paternalistic notion that M$ always knows best,

That's how any company operates, and it should be obvious why they take that stance; no company is going to tell you that a competitor provides better services than they do. If you talk to Sun, they'll tell you they're the best, etc, etc.

Title: Re: Firefox Security Flaw
Post by: Righ on May 13, 2005, 12:13:15 PM

MS FUD vs OSS FUD. How rare. :roll:
Way, you are a troll of the first order. Title: Re: Firefox Security Flaw Post by: WayAbvPar on May 13, 2005, 12:15:08 PM MS FUD vs OSS FUD. How rare. :roll: Way, you are a troll of the first order. I have worked hard to become so. :evil: Title: Re: Firefox Security Flaw Post by: MaceVanHoffen on May 13, 2005, 12:32:29 PM MaceVanHoffen - The "M$" was original and funny several years ago. Time to grow up and find a new way to express your distaste for the software giant. ;) It's still funny. Rip-roaring hilarious in fact. But then, I'm a simple simple man :) Title: Re: Firefox Security Flaw Post by: Jayce on May 13, 2005, 05:39:36 PM One thing I don't get is how people say MS is a monopoly on one hand, but then point out how many other options are out there for anyone who wants them. For free even.
I thought a monopoly was the lack of more than one option? Title: Re: Firefox Security Flaw Post by: Signe on May 13, 2005, 07:26:13 PM Anyway... what does all this have to do with... yada yada yada.
Title: Re: Firefox Security Flaw Post by: MaceVanHoffen on May 14, 2005, 12:03:50 AM One thing I don't get is how people say MS is a monopoly on one hand, but then point out how many other options are out there for anyone who wants them. For free even. I thought a monopoly was the lack of more than one option? I used the term functional monopoly, as in the concept of being functionally equivalent to a monopoly in certain respects. Microsoft (there, I spelled it out, happy Soukyan!?) certainly aren't a monopoly in the sense that Standard Oil was, for example. However, they are a monopoly in the sense that cable companies and local phone companies were at one time (and still are in certain parts of the country). Admittedly, that is changing for the better. However, the legacy of Microsoft's agreements with PC manufacturers is still with us, as are other things. Title: Re: Firefox Security Flaw Post by: Jayce on May 14, 2005, 10:29:08 AM I used the term functional monopoly, as in the concept of being functionally equivalent to a monopoly in certain respects. Microsoft (there, I spelled it out, happy Soukyan!?) certainly aren't a monopoly in the sense that Standard Oil was, for example. However, they are a monopoly in the sense that cable companies and local phone companies were at one time (and still are in certain parts of the country). Admittedly, that is changing for the better. However, the legacy of Microsoft's agreements with PC manufacturers is still with us, as are other things. I see where you're coming from, but it smells like FUD. People like to throw the term around, but the fact is, MS has just been smart enough to concentrate on what sells operating systems. Remember OS/2? Barely? I remember a time when MS was pretty seriously deficient in some areas like security, stability, etc - I'm not an MS fanboi. But at the same time I'm not an OSS fanboi, Mac fanboi, or any other kind of fanboi. 
I think they have come a long way, and with the ascendance of OS X, Linspire and other (relatively) user friendly Linuxes, and of course Firefox, I think there's a healthy level of competition out there. At the same time, MS is predominant on the desktop. It's good that SOMEONE is predominant in that area though, IMO, because it saves a lot of time that would be wasted authoring niche products for multiple platforms. Anyway, as Signe pointed out, this has nothing to do with Shadowbane, so I'll leave it at that... Title: Re: Firefox Security Flaw Post by: AOFanboi on May 14, 2005, 10:49:04 AM I see where you're coming from, but it smells like FUD. People like to throw the term around, but the fact is, MS has just been smart enough to concentrate on what sells operating systems. Remember OS/2? Barely? You mean that OS that IBM and Microsoft cooperated on, that Bill Gates said was the future for DOS, until IBM wouldn't replace the superior Presentation Manager with Microsoft's sucky Windows desktop? That OS/2? Yes, we do remember it - it's even still alive somewhere. We also remember all the other "could have been" contenders like DesQview, GEM, GEOS... hell, with an earlier adaption of TCP/IP in the DOS world we could even have seen X11 becoming the windowing system for DOS as well as for Unix. Then we remember who pressured manufacturers into putting Windows on top of DOS at the exclusion of competitors, and the law stepping in at a later point (1995?) when it was moot whether the practice was stopped or not because Microsoft had "won" the market. Title: Re: Firefox Security Flaw Post by: Jayce on May 14, 2005, 01:11:39 PM http://forums.f13.net/index.php?topic=3290.0