Topic: Firefox Security Flaw (Read 10329 times)
|
WayAbvPar
|
Linkage
Somehow I hadn't heard about this yet - consider it a PSA from your friendly F-13 staff.
|
When speaking of the MMOG industry, the glass may be half full, but it's full of urine. HaemishM
Always wear clean underwear because you never know when a Tory Government is going to fuck you.- Ironwood
Libertarians make fun of everyone because they can't see beyond the event horizons of their own assholes Surlyboi
|
Jayce
Terracotta Army
Posts: 2647
Diluted Fool
|
It was only a matter of time. I like and use Firefox pretty much exclusively, but I'm under no illusions that it's "safer" than IE. It's just that no one was targeting it until now.
I hate when I see people on teh intarnets saying that, and I even saw a local TV news story on it. It makes about as much sense as Mac zealots stating that Mac OS X is invulnerable.
|
Witty banter not included.
|
MaceVanHoffen
Terracotta Army
Posts: 527
|
It was only a matter of time. I like and use Firefox pretty much exclusively, but I'm under no illusions that it's "safer" than IE. It's just that no one was targeting it until now.
I hate when I see people on teh intarnets saying that, and I even saw a local TV news story on it. It makes about as much sense as Mac zealots stating that Mac OS X is invulnerable.
I disagree, a little. I think Firefox is safer than IE. But no software is perfect, nor safe in the absolute sense. Firefox will [continue to] have vulnerabilities, but I guarantee you they won't be anywhere near the alien gangprobing that is IE.
|
Pococurante
Terracotta Army
Posts: 2060
|
Ah another great prediction!
The world will never need more than five computers. Thomas Watson, IBM
A computer will never need more than 640kb of Ram. Bill Gates, Microsoft
Firefox will [continue to] have vulnerabilities, but I guarantee you they won't be anywhere near the alien gangprobing that is IE. MaceVanHoffen, f13
Edit: because even copy & paste is too hard for some.
|
« Last Edit: May 09, 2005, 01:30:29 PM by Pococurante »
|
schild
Administrator
Posts: 60350
|
WTG on not getting the good Bill Gates quote there. Wasn't the actual quote like 16KB or something?
|
Alkiera
Terracotta Army
Posts: 1556
The best part of SWG was the easy account cancellation process.
|
Actually, that Bill Gates quote should say '640kbytes of RAM', not 128 megs.
Alkiera
|
"[I could] become the world's preeminent MMO class action attorney. I could be the lawyer EVEN AMBULANCE CHASERS LAUGH AT. " --Triforcer
Welcome to the internet. You have the right to remain silent. Anything you say can and will be used as evidence against you in a character assassination on Slashdot.
|
schild
Administrator
Posts: 60350
|
I was closer.
Between the dishwasher and the armoire, I choose the crotchpheasant.
|
Pococurante
Terracotta Army
Posts: 2060
|
Mace can always take Brother Bill's approach - Gates denies to this day he ever said any such thing. 
|
schild
Administrator
Posts: 60350
|
Does anyone have video or proof that he did say it? I mean, I don't doubt it, but he can probably get away with denying it.
|
Pococurante
Terracotta Army
Posts: 2060
|
Ah another great prediction!
Actually it seems Gates is still making interesting statements.
Microsoft's biggest worry, though, should be the huge success of Mozilla Firefox, the open source web browser.
Faster and more secure than Internet Explorer, it is the first browser to seriously challenge Microsoft's dominance.
In just nine months Firefox has chalked up 50 million downloads, although some are admittedly upgrades.
Bill Gates is one of the people with Firefox on his computer, so I asked him for his opinion.
"I played around with it a bit, but it's just another browser, and IE [Microsoft's Internet Explorer] is better," Mr Gates told me, and challenged my assertion that Firefox's 'market share' is growing rapidly.
"So much software gets downloaded all the time, but do people actually use it?" he argued.
|
MaceVanHoffen
Terracotta Army
Posts: 527
|
Mace can always take Brother Bill's approach - Gates denies to this day he ever said any such thing.
I'll never deny it :) It's patently obvious that IE is the least safe browser out there, unless you're an M$ fanboi or shill. Anyone who thinks otherwise should be forced to write the list of Microsoft products that have major exploits on a blackboard over and over again, possibly while being slapped with a printout of M$ Office's EULA, until they realize the error of their thinking. Just remember to quote me accurately: I did say Firefox will continue to have vulnerabilities.
|
schild
Administrator
Posts: 60350
|
I don't think any of it matters. More often than not, the least safe connection is the person. It doesn't matter what browser they're using. I've gotten one virus in my life, and it was my fault and it was a dummy virus.
|
AOFanboi
Terracotta Army
Posts: 935
|
A computer will never need more than 640kb of Ram. Bill Gates, Microsoft
I feel dirty defending the man, but he never said that: The 640k usable from a 1MB address space was an IBM decision, not anything Microsoft affected other than supporting it in their tweaks of the $50,000 bootstrap loader they bought from some other company.
|
Current: Mario Kart DS, Nintendogs
|
Evangolis
Contributor
Posts: 1220
|
I don't use Firefox because it is more secure than IE, that is just a bonus. As to security, if you can't find a hole in the system, you probably haven't looked enough.
|
"It was a difficult party" - an unexpected word combination from ex-Merry Prankster and author Robert Stone.
|
Alkiera
Terracotta Army
Posts: 1556
The best part of SWG was the easy account cancellation process.
|
I don't use Firefox because it is more secure than IE, that is just a bonus. As to security, if you can't find a hole in the system, you probably haven't looked enough.
Right, I use Firefox because of built-in popup blocking, and tabbed browsing. And a more useful page search feature. And themes. And the common name for it doesn't sound like "Aaaaiii!"
Alkiera
|
Righ
Terracotta Army
Posts: 6542
Teaching the world Google-fu one broken dream at a time.
|
It was only a matter of time. I like and use Firefox pretty much exclusively, but I'm under no illusions that it's "safer" than IE. It's just that no one was targeting it until now.
It is safer, precisely because fewer grubby little hackers are targeting it. It doesn't matter why it is safer, only that it is, and you understand why.
Edit: this whole thread is in the wrong fucking forum. Modera.. oh.
|
« Last Edit: May 09, 2005, 02:34:19 PM by Righ »
|
The camera adds a thousand barrels. - Steven Colbert
|
WayAbvPar
|
It was only a matter of time. I like and use Firefox pretty much exclusively, but I'm under no illusions that it's "safer" than IE. It's just that no one was targeting it until now.
It is safer, precisely because fewer grubby little hackers are targeting it. It doesn't matter why it is safer, only that it is, and you understand why. Edit: this whole thread is in the wrong fucking forum. Modera.. oh.
Heh. It is a PC software-related thread, so I figured this was as good a spot as any.
|
Trippy
Administrator
Posts: 23657
|
It was only a matter of time. I like and use Firefox pretty much exclusively, but I'm under no illusions that it's "safer" than IE. It's just that no one was targeting it until now.
Firefox has had its share of "critical" security holes as you can see here: http://www.mozilla.org/projects/security/known-vulnerabilities.html
This new one was a little more "exciting" than some of the others since a working exploit was posted by a security company. However mozilla.org fixed things on their end quickly to minimize the risk to users (though there is still a risk).
Edit: fixed typos
|
« Last Edit: May 10, 2005, 01:57:52 PM by Trippy »
|
Strazos
Greetings from the Slave Coast
Posts: 15542
The World's Worst Game: Curry or Covid
|
Personally, I use NS, and only IE when necessary (mainly when a video needs to be streamed with WMP, and Netscape won't do it correctly).
Only gotten about 1 virus in my life, and I knew exactly how I did it, and it was with IE.
|
Fear the Backstab! "Plato said the virtuous man is at all times ready for a grammar snake attack." - we are lesion "Hell is other people." -Sartre
|
Jayce
Terracotta Army
Posts: 2647
Diluted Fool
|
It was only a matter of time. I like and use Firefox pretty much exclusively, but I'm under no illusions that it's "safer" than IE. It's just that no one was targeting it until now.
It is safer, precisely because fewer grubby little hackers are targeting it. It doesn't matter why it is safer, only that it is, and you understand why.
I suppose that that's true. Linux, MacOS, Firefox, Opera etc are all safer in a general sense because they are not where the pay dirt is for virus writers/hackers, and for that matter, many virus writers are also Linux fanbois and wouldn't target it out of principle. But there's no technical reason those platforms are safer. That's all I'm arguing.
|
Murgos
Terracotta Army
Posts: 7474
|
But there's no technical reason those platforms are safer. That's all I'm arguing.
Actually, at least on windows there is. Third party browsers have to go through a built in paranoia layer on code execution. I.E. does not and in fact uses the windows API for many of its system calls. In other words a security flaw that allows arbitrary code execution in I.E. gives access to protected mode (Operating System) memory, the same flaw in Firefox is still limited to User Mode memory space. It is inherently less safe by design than 3rd party browsers. Want proof? What renders list-boxes in internet explorer? I bet you it's not internet explorer.
|
"You have all recieved youre last warning. I am in the process of currently tracking all of youre ips and pinging your home adressess. you should not have commencemed a war with me" - Aaron Rayburn
|
Soukyan
Terracotta Army
Posts: 1995
|
See my signature. There is no such thing as a completely invulnerable software design. The best we can hope is to design well and prevent most, if not all, security vulnerabilities at the design phase. After that, the cost of repairing the security flaw increases exponentially. It costs 60x as much to fix a security flaw on a release product than it does during design. Let's hope MS remembers that while working on IE7. And that figure does not include the cost of loss due to tarnished reputation, etc. that come about because consumers start to trust your products less and less as more and more security flaws are exposed. It's all about the solid software engineering foundation. As always, though, easier said than done.
|
"Life is no cabaret... we're inviting you anyway." ~ Amanda Palmer
"Tree, awesome, numa numa, love triangle, internal combustion engine, mountain, walk, whiskey, peace, pascagoula" ~ Lantyssa
"The true paradises are the paradises that we have lost." ~ Marcel Proust
|
Pococurante
Terracotta Army
Posts: 2060
|
Let's hope MS remembers that while working on IE7.
I try not to overestimate MSFT too much but the next releases take us into hardware-protected execution regions. If they're dogfooding themselves (as they increasingly seem to be) they'll conform to their own official APIs. No reason not to since most of the reasons for backdoor APIs no longer applies and like you observe introduces more potential problems.
|
Soukyan
Terracotta Army
Posts: 1995
|
Let's hope MS remembers that while working on IE7.
I try not to overestimate MSFT too much but the next releases take us into hardware-protected execution regions. If they're dogfooding themselves (as they increasingly seem to be) they'll conform to their own official APIs. No reason not to since most of the reasons for backdoor APIs no longer applies and like you observe introduces more potential problems.
It could be frightening. As the recent Dashboard exploit for Safari RSS on OSX Tiger proves that protected "sandboxes" aren't necessarily safe when they interact with other unsafe areas of the OS with permissions. Of course, the exploits demonstrated were more of an annoyance than anything, but crafted properly, can disable a user's ability to even access their Dashboard (pending opening a terminal window and fixing the problem via Unix). Pretty shitty. I would like to see IE7 take a similar approach and lock javascript into a protected sandbox with minimal permissions. Wrappers can be used to interact with other processes that may have higher permissions and can easily be written for data validation, etc. against commonly used security flaws. I realize that software engineers under forced time constraints must make some hard decisions about the level of application security and the feasibility based upon deadlines. I also realize that conscientious engineers should be making a concerted effort to program as securely as possible at all times and as appropriate for their project. In the case of programming for the internet, one can never have enough in the way of security, especially since TCP is abhorrent in that regard because the original developers had no idea what their protocol would one day become.
|
Jayce
Terracotta Army
Posts: 2647
Diluted Fool
|
But there's no technical reason those platforms are safer. That's all I'm arguing.
Actually, at least on windows there is. Third party browsers have to go through a built in paranoia layer on code execution. I.E. does not and in fact uses the windows API for many of its system calls. In other words a security flaw that allows arbitrary code execution in I.E. gives access to protected mode (Operating System) memory, the same flaw in Firefox is still limited to User Mode memory space. It is inherently less safe by design than 3rd party browsers. Want proof? What renders list-boxes in internet explorer? I bet you it's not internet explorer.
The fact is that it is a red herring that IE is part of the operating system. All the hooks that IE uses are part of the platform SDK and available to any program. The fact that IE, itself, provides hooks to other programs is irrelevant. The question is what security context are you running under? A non-privileged user can't do certain harmful things no matter what ring the code is running in. Unfortunately most users are set up as administrators on their computers and any code, ring 3 (user) or ring 0 (kernel) can do harmful things under their security context.
|
MaceVanHoffen
Terracotta Army
Posts: 527
|
But there's no technical reason those platforms are safer. That's all I'm arguing.
There is a technical reason: IE is poorly designed, as is its underlying operating system. Though, admittedly, that is more of a human reason. But to a user of IE who's just had the latest DCOM exploit ruin his/her work, the distinction is meaningless and appears to be the fault of the software. Oh, and on the topic of hardware protection regions: Windows has had them since NT 3.5.1. Under the guise of "training", Microsoft even marketed these features to those of us with the misfortune of becoming MCSE- and MCSD-certified in the mid-90's. Any hardware protection M$ comes up with hasn't helped matters thus far. At some point, you have to stop betting on the horse that keeps losing, even when his jockey insists that he'll win the next race. Also, M$ resists any change to their business and software models. So why would anyone expect they would somehow magically stop making the same mistakes again and again? IE6 was vulnerable to many of the exact same exploits as previous versions, despite those exploits being patched in those same previous versions. Monopolies don't learn from failure. They tend to be completely immune to them.
|
Righ
Terracotta Army
Posts: 6542
Teaching the world Google-fu one broken dream at a time.
|
many virus writers are also Linux fanbois
That's like saying that devil worshippers tend to be Democrats. Told you this was in the wrong forum. :P
|
Jayce
Terracotta Army
Posts: 2647
Diluted Fool
|
many virus writers are also Linux fanbois
That's like saying that devil worshippers tend to be Democrats. Told you this was in the wrong forum. :P
I see what you are saying, but that's not what I meant. I meant that virus writers must be uber geeks, and uber geeks tend to be linux fanbois. Anyway, I have more to say on the subject, but in the interest of keeping this thread out of Politics, I'll just drop it.
|
Roac
Terracotta Army
Posts: 3338
|
It is safer, precisely because fewer grubby little hackers are targeting it. It doesn't matter why it is safer, only that it is, and you understand why.
For an unpatched system, that is true. For a patched system, it is not. Turnaround for security issues is better with Microsoft than Mozilla. Both systems have crippling security flaws, and measuring any metric as to quantity is fairly pointless; with more people beating on it, I would expect Microsoft's discovered count to be higher. With money and a larger image on the line, I also expect them fixed quicker.
|
-Roac King of Ravens
"Young people who pretend to be wise to the ways of the world are mostly just cynics. Cynicism masquerades as wisdom, but it is the farthest thing from it. Because cynics don't learn anything. Because cynicism is a self-imposed blindness, a rejection of the world because we are afraid it will hurt us or disappoint us." -SC
|
Righ
Terracotta Army
Posts: 6542
Teaching the world Google-fu one broken dream at a time.
|
Turnaround for security issues is better with Microsoft than Mozilla.
Patently not true.
|
Trippy
Administrator
Posts: 23657
|
Turnaround for security issues is better with Microsoft than Mozilla.
Patently not true.
Speaking of which, the 1.0.4 update is available now. The main site is getting hammered right now so you may want to try a mirror.
|
Signe
Terracotta Army
Posts: 18942
Muse.
|
I don't believe that MS can spit out fixes faster than the eleventy one jabillion open source community nerds.
|
My Sig Image: hath rid itself of this mortal coil.
|
Pococurante
Terracotta Army
Posts: 2060
|
I don't believe that MS can spit out fixes faster than the eleventy one jabillion open source community nerds.
The eleventy one jabillion nerds are knocking at the door - something about script for a play called 'Hamlet' they want us to review.
|
Alkiera
Terracotta Army
Posts: 1556
The best part of SWG was the easy account cancellation process.
|
many virus writers are also Linux fanbois
That's like saying that devil worshippers tend to be Democrats. Told you this was in the wrong forum. :P
I see what you are saying, but that's not what I meant. I meant that virus writers must be uber geeks, and uber geeks tend to be linux fanbois. Anyway, I have more to say on the subject, but in the interest of keeping this thread out of Politics, I'll just drop it.
Actually, some of the most prolific virii, like the old I Love You virus, were just lame VB Script hacks, built to take advantage of some pretty silly default actions in MS's LookOut (er, Outlook) email program, which is used in a LOT of businesses and Universities... for some reason. We never had this problem when people just used telnet and VMSMail.
Alkiera
|
Roac
Terracotta Army
Posts: 3338
|
Actually, some of the most prolific virii, like the old I Love You virus, were just lame VB Script hacks, built to take advantage of some pretty silly default actions in MS's LookOut (er, Outlook) email program, which is used in a LOT of businesses and Universities... for some reason. We never had this problem when people just used telnet and VMSMail.
Majority of viruses that hit MS are just exploits of OLD vulnerabilities that haven't been patched. Similar issues with router/firewall hardware; stay patched and you'll stop the vast majority of issues. Beyond that, a network design that layers security will prohibit most attacks by uber hackers who are beyond that stage. After that point you'll be getting better returns by focusing on application security (minimizing privileges of accounts, pushing for strong PW policies, etc).