Pages: 1 [2]
Author
Topic: Firefox Security Flaw (Read 10326 times)
Soukyan
Terracotta Army
Posts: 1995
MaceVanHoffen - The "M$" was original and funny several years ago. Time to grow up and find a new way to express your distaste for the software giant. ;)
Back on topic, I've noticed that patching Firefox, now and in the future, could be a possible problem for some users. Why? Well, there was a major security patch issued that required the old version to be uninstalled before the new one was installed (I believe it was 1.00 to 1.01). At least when I went to install the upgrade, I was prompted to do so. I thought it rather odd and extremely effing annoying. I had to backup bookmarks, make note of extensions and themes and then wipe it off and do a fresh install of the new version and then re-import/re-install all the extra goodies (just integrate mouse gestures already ffs). Now, my point is not to gather tips and tricks on upgrading without actually following the explicit directions to back everything up and uninstall the old and install the new version. My point is that for non-technical users, this is cumbersome and not very intuitive. Note - I use IE, Firefox, Opera and Safari. I use them all for testing and other purposes, so while I like the idea of being paid large sums of money and stock options to engineer software for the big MSFT, I don't drop my bias onto any particular browser because they all equally suck at the moment. Each is missing something that I want in the complete package. Actually, Safari is the least lacking, but I work on the Mac platform the least. But I digress...
Security updates to Firefox in the form of minor version downloads have the potential to be frustrating for end users. Have the potential. Microsoft got the patching of IE right in that the security patches are applied without requiring the end user to reinstall the entire browser. I realize the difference in architectures, I am simply pointing out the difference in ease of use. Microsoft could take a page from Mozilla's book though and, like Firefox, put a little browser update button in the top right corner so users will know when they need an update and can simply click the button to go to the update site. As it is now, they are relying on users enabling automatic updates or checking the Windows Update site themselves and we all know how well that works. I did notice that occasionally IE will redirect to the IE home page or the Windows Update site when you open it if there is an update for the browser; however, it does not appear to be a consistent or accurate behaviour. I've been redirected when I have had the latest browser. Odd.
That aside, it was good to see Firefox offer the update so quickly, although we don't really know how long they were actually aware of the problem. As they garner a wider user base, we will see more and more vulnerabilities and targeted attacks on the browser. Firefox will most likely remain fairly safe, but I've already seen adware/spyware exploits for it and it is not immune to popups, nor will it prevent malicious web sites from dropping "fun stuff" on a user's computer (in the case that the security settings are too low). Also, Firefox has a problem with low privacy settings from the start. Cookies are fairly innocuous, but when allowed to drop all over the system and when they contain sensitive information, one incident of remote access to the user's computer can net an attacker some great files chock full of information to use.
As to viruses themselves, it doesn't take a lot of knowledge to write one, and most that circulate are merely variants of a well programmed original. I did an NBC news interview locally on Wednesday evening discussing the recent variant of the Sober worm. Now, the Sober worm has been around since October of 2003. The variant that was discovered on May 2, 2005 was the 14th variant. While it differed some from the original, the most notable difference was delivery method (still email, but more aggressive) and enhanced social engineering. As a matter of fact, the English version email subject and message did not change very much from the original, but the German version is what really got Europeans to open the attachment. The German version of the most recent variant told email recipients that they had won tickets to the 2006 World Cup. Talk about luring people in. What European in their right mind could resist the call of championship soccer? Beautiful social engineering. Find something that will override a user's common sense and rational reasoning and you can propagate a virus that accounts for over 70% of infections worldwide and is infecting 1 out of every 22 emails worldwide within 48 hours of release. While it wasn't the most prolific virus ever written, it was fairly effective and even managed to cause some universities near me to close several computer labs in order to clean the infections. Granted, they obviously had poor security or poor AV protection (I managed to keep our administrative network of over 1300 workstations/servers to one infection and that was before the variant was even known by the AV corps. I had the pleasure of submitting one of the first samples. Woo...), but the effect was still felt and the IT cost was incurred.
I'm rambling, but the fact remains that you could write a simple virus with little programming knowledge. As a matter of fact, a very damaging virus would be a program that deletes everything in the My Documents folder and then proceeds to copy itself until it fills up the hard drive. As a matter of fact, there was already a virus that did this and it was one of the most damaging of all time. Also, it would be simple to throw in some additions to the user's hosts file to prevent them from getting to AV and security sites. To cap it all off, you could attempt to issue a couple command lines to shutdown popular AV and firewall services that may be running on the user's computer. As long as that user has appropriate rights, then you're all set. The most difficult part is determining a delivery method that will be effective. Yes, virus writers must know their way around, but it doesn't take much to tinker with someone else's virus and repackage and re-release as a new variant.
And if you think Macs are invulnerable because anything that requires administrative rights asks the user to enter their password, then you are fooling yourself. Good social engineering combined with an end user's desire to cooperate with the computer equals an easy way to infect a Mac should anyone feel like attempting to exploit the rather impenetrable Unix-based OS. Then again, with the appropriate permissions, much damage can be done to Unix. Yada yada yada. There are points in there somewhere and I'm sure a lot to dissect. Enjoy!
"Life is no cabaret... we're inviting you anyway." ~ Amanda Palmer
"Tree, awesome, numa numa, love triangle, internal combustion engine, mountain, walk, whiskey, peace, pascagoula" ~ Lantyssa
"The true paradises are the paradises we have lost." ~ Marcel Proust
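The defender's counterpart to the hosts-file trick described in the post above, added here as an illustration and not code from anyone in the thread: a small check that parses a hosts file and reports any watched security or update domain that has been pinned to an address, distinguishing blackholing (loopback or 0.0.0.0) from redirection elsewhere. The hosts content and the `.test` domain names are constructed for the example; a real deployment would substitute the vendor domains it cares about.

```python
import ipaddress

# Constructed sample of a hosts file (not taken from the page). The last three
# entries are the kind of addition the post describes: security/update sites
# pinned so the user can no longer reach them.
SAMPLE_HOSTS = """\
# Default hosts file
127.0.0.1       localhost
::1             localhost
# additions
127.0.0.1       example-av-vendor.test
0.0.0.0         update.example-security.test
10.0.0.5        downloads.example-av-vendor.test
"""

# Hypothetical watch list: domains the user must always be able to resolve
# normally (AV vendors, OS update servers, security advisories).
WATCHED_DOMAINS = {
    "example-av-vendor.test",
    "update.example-security.test",
    "downloads.example-av-vendor.test",
}


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text, skipping comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing/whole-line comments
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            entries.append((ip, name.lower()))
    return entries


def find_blocked_domains(text, watched=WATCHED_DOMAINS):
    """Return (hostname, ip, kind) for every watched domain (or subdomain of one)
    pinned in the hosts file. A legitimate hosts file should not pin these at all,
    so any hit is worth a look; 'blackholed' means loopback/unspecified address,
    'redirected' means the site has been pointed somewhere else."""
    findings = []
    for ip, name in parse_hosts(text):
        watched_hit = name in watched or any(name.endswith("." + w) for w in watched)
        if not watched_hit:
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            kind = "invalid-address"
        else:
            kind = "blackholed" if (addr.is_loopback or addr.is_unspecified) else "redirected"
        findings.append((name, ip, kind))
    return findings


if __name__ == "__main__":
    # Run against the constructed sample; point this at the real hosts file
    # (/etc/hosts or %SystemRoot%\System32\drivers\etc\hosts) in practice.
    for name, ip, kind in find_blocked_domains(SAMPLE_HOSTS):
        print(f"{kind:12} {name} -> {ip}")
```

The check is deliberately strict: it flags any pinning of a watched domain rather than only loopback entries, because redirecting an update server to an attacker-controlled address is worse than blocking it outright.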
Trippy
Administrator
Posts: 23657
Firefox 1.1 will have a patching system for updates instead of the current "reinstall everything" method.
Soukyan
Terracotta Army
Posts: 1995
Firefox 1.1 will have a patching system for updates instead of the current "reinstall everything" method.
That's great, great news. Thanks for the info.
"Life is no cabaret... we're inviting you anyway." ~ Amanda Palmer
"Tree, awesome, numa numa, love triangle, internal combustion engine, mountain, walk, whiskey, peace, pascagoula" ~ Lantyssa
"The true paradises are the paradises we have lost." ~ Marcel Proust
Trippy
Administrator
Posts: 23657
That aside, it was good to see Firefox offer the update so quickly, although we don't really know how long they were actually aware of the problem.
The Mozilla Foundation has a policy of "locking" security bugs in Bugzilla once they've been verified as such to prevent the unwashed masses from reading the details. Sometime after the bug is fixed they unlock it. In this particular case we'll be able to read the Bugzilla details on 5/18. However, you can estimate the time the bugs were originally filed by checking the timestamps of the bugs filed before and after the security ones since we do know their bug numbers. For the "public" security hole (the one that got all the press attention), the original bug submission date was sometime on 5/2. The earliest reported security bug of the 3 that were fixed in 1.04 was reported sometime on 4/18.
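The bracketing method from the post above as a worked example, added here and not code from anyone in the thread: Bugzilla hands out ids sequentially, so a locked bug's filing time must fall between the timestamps of the nearest visible bugs with a smaller and a larger id. The bug ids and timestamps below are constructed for illustration and are not the real bugs being discussed.

```python
from bisect import bisect_left
from datetime import datetime

# Constructed sample of publicly readable bugs as (bug id, filing time), as one
# would collect them by opening the bugs around a locked id. Not real data.
PUBLIC_BUGS = [
    (291000, datetime(2005, 4, 18, 9, 5)),
    (291002, datetime(2005, 4, 18, 9, 40)),
    (291005, datetime(2005, 4, 18, 11, 12)),
    (292000, datetime(2005, 5, 2, 8, 0)),
    (292004, datetime(2005, 5, 2, 10, 30)),
]


def bracket_filing_time(locked_id, public_bugs):
    """Return (earliest, latest) bounds on when a locked bug was filed.

    earliest is the filing time of the nearest visible bug with a smaller id,
    latest that of the nearest visible bug with a larger id. Either is None when
    no neighbour on that side is known. Raises ValueError if the id is itself
    visible, since then its timestamp can simply be read."""
    bugs = sorted(public_bugs)          # sort by id; tolerate unsorted input
    ids = [bug_id for bug_id, _ in bugs]
    pos = bisect_left(ids, locked_id)
    if pos < len(ids) and ids[pos] == locked_id:
        raise ValueError(f"bug {locked_id} is visible; read its timestamp directly")
    earliest = bugs[pos - 1][1] if pos > 0 else None
    latest = bugs[pos][1] if pos < len(bugs) else None
    return earliest, latest


def bracket_width(locked_id, public_bugs):
    """Width of the bracket as a timedelta, or None if it is open on a side.
    A narrow bracket (many neighbours filed close together) gives a tight estimate."""
    earliest, latest = bracket_filing_time(locked_id, public_bugs)
    if earliest is None or latest is None:
        return None
    return latest - earliest


if __name__ == "__main__":
    for hidden in (291003, 292001):    # constructed "locked" ids
        lo, hi = bracket_filing_time(hidden, PUBLIC_BUGS)
        print(f"bug {hidden}: filed between {lo} and {hi} (window {bracket_width(hidden, PUBLIC_BUGS)})")
```

The estimate is only as tight as the density of visible bugs around the locked id; on a busy tracker that is usually minutes, which is why the post can date the filings to a specific day.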
Murgos
Terracotta Army
Posts: 7474
Ah, transparency. Ya gotta love it. How long was that bug known about? Why, let's go look!
Ask Microsoft how long an exploit was known about before it was fixed and the answer is likely to be, "That was never a bug, you people just weren't operating with proper security settings. Why did we change it then? Err, click! Dial tooooonnnnneeeee..."
I don't care if Microsoft appears to be occasionally faster with some fixes than their competition; the fact that I can't even begin to evaluate their overall handling of security with any kind of accuracy is really a serious problem.
"You have all recieved youre last warning. I am in the process of currently tracking all of youre ips and pinging your home adressess. you should not have commencemed a war with me" - Aaron Rayburn
MaceVanHoffen
Terracotta Army
Posts: 527
Ah, transparency. Ya gotta love it. How long was that bug known about? Why, let's go look!
Ask Microsoft how long an exploit was known about before it was fixed and the answer is likely to be, "That was never a bug, you people just weren't operating with proper security settings. Why did we change it then? Err, click! Dial tooooonnnnneeeee..."
I don't care if Microsoft appears to be occasionally faster with some fixes than their competition; the fact that I can't even begin to evaluate their overall handling of security with any kind of accuracy is really a serious problem.
You touch on a key issue, really: M$ deals with any bug as if they were an assault on the company, a threat to be dealt with. Deny its very existence first, then claim it's not really a bug, then use the press and the legal system to wage war against the bug, and finally when there's no way around it actually fix the bug. Many bugs go unfixed and unreported because they get stopped earlier in that chain. M$ behaves more like an organism fighting for its survival instead of a company that should stand behind its product. That outlook is a throwback to companies of generations past. It's also, IMHO, a consequence of being a functional monopoly. It is for that reason that M$ will never be as fast as other companies in fixing bugs. Why should they be? What motivation do they have? Legions of adoring fans slurp up their products, so why change what's working? It's sad that IT shops still feel the need to do business with them, as there are so many other options out there now. Open source, free software, other commercial enterprises ... it doesn't matter. They're all more responsive and more reliable than M$. I use Firefox not so much because I like it (though, I do) but more because the IT shop behind it is better behaved.
Pococurante
Terracotta Army
Posts: 2060
Every dev team has patch release cycles.
MaceVanHoffen
Terracotta Army
Posts: 527
Every dev team has patch release cycles.
I don't mind patch/release cycles. Heck, some of M$'s bugs rightfully would take many months to fix. I've been one of those devs madly trying to patch some low-level security hole that a script kiddie found, so I can empathize. What I do have a problem with is the policy of "customers who find bugs are the enemy" along with the paternalistic notion that M$ always knows best, when the stellar lack of quality in many of their products clearly indicates that they do not know best. I trust the judgment of most developers off the street over that of the most skilled of M$ employees.
Roac
Terracotta Army
Posts: 3338
It is for that reason that M$ will never be as fast as other companies in fixing bugs. Why should they be? What motivation do they have?
What motivation? Money. Primarily stemming from one of image; they don't want to be perceived as laying down on security (among other things), and part of that is of course an effective PR front. The other side is actually delivering.
Open source, free software, other commercial enterprises ... it doesn't matter. They're all more responsive and more reliable than M$.
Bullshit. Volunteer devs are responsive only when it suits them, and far from reliable because you can't hold them accountable to anything. On the other hand if I have an issue with a Microsoft product that affects my business, I know I can call up a rep and make something happen (have before). Why? Because we pay for that level of service. It would be cheaper to go with an open source solution up front, but ongoing support would be a nightmare (and has been with every type of solution like that we've implemented). OTOH, there are situations where open communities are beneficial. We're involved in several projects along those lines, which are of a different scope, and they work well. Anything, whether Microsoft or otherwise, are just tools. It gets old dealing with people who are bigots for either side; either join the MS borg or treasure your independence. Whatever. People can play that game if they want, meanwhile the rest of the world is solving problems.
-Roac King of Ravens
"Young people who pretend to be wise to the ways of the world are mostly just cynics. Cynicism masquerades as wisdom, but it is the farthest thing from it. Because cynics don't learn anything. Because cynicism is a self-imposed blindness, a rejection of the world because we are afraid it will hurt us or disappoint us." -SC
Roac
Terracotta Army
Posts: 3338
What I do have a problem with is the policy of "customers who find bugs are the enemy"
Is that speaking from personal experience, or hearsay? If the former, find a better rep. I've never had that problem. If you get lip like that, you should be carrying it up the chain, because it doesn't take long to get to someone who values you as a customer and will shitcan the rep who treats you like that. We had to do that once, but with Unisys; it went from "we can't help you" to "we'll give you x, y and z for free" after we put the possibility of switching vendors on the table. Of course, it helps that you spend money at least in the neighborhood of millions to get that kind of response (because at this level, that kind of decision will directly affect jobs in the company).
along with the paternalistic notion that M$ always knows best,
That's how any company operates, and it should be obvious why they take that stance; no company is going to tell you that a competitor provides better services than they do. If you talk to Sun, they'll tell you they're the best, etc, etc.
-Roac King of Ravens
"Young people who pretend to be wise to the ways of the world are mostly just cynics. Cynicism masquerades as wisdom, but it is the farthest thing from it. Because cynics don't learn anything. Because cynicism is a self-imposed blindness, a rejection of the world because we are afraid it will hurt us or disappoint us." -SC
Righ
Terracotta Army
Posts: 6542
Teaching the world Google-fu one broken dream at a time.
MS FUD vs OSS FUD. How rare. Way, you are a troll of the first order.
The camera adds a thousand barrels. - Steven Colbert
WayAbvPar
MS FUD vs OSS FUD. How rare. Way, you are a troll of the first order.
I have worked hard to become so.
When speaking of the MMOG industry, the glass may be half full, but it's full of urine. HaemishM
Always wear clean underwear because you never know when a Tory Government is going to fuck you.- Ironwood
Libertarians make fun of everyone because they can't see beyond the event horizons of their own assholes Surlyboi
MaceVanHoffen
Terracotta Army
Posts: 527
MaceVanHoffen - The "M$" was original and funny several years ago. Time to grow up and find a new way to express your distaste for the software giant. ;)
It's still funny. Rip-roaring hilarious, in fact. But then, I'm a simple, simple man :)
Jayce
Terracotta Army
Posts: 2647
Diluted Fool
One thing I don't get is how people say MS is a monopoly on one hand, but then point out how many other options are out there for anyone who wants them. For free even.
I thought a monopoly was the lack of more than one option?
Witty banter not included.
Signe
Terracotta Army
Posts: 18942
Muse.
Anyway... what does all this have to do with... yada yada yada.
My Sig Image: hath rid itself of this mortal coil.
MaceVanHoffen
Terracotta Army
Posts: 527
One thing I don't get is how people say MS is a monopoly on one hand, but then point out how many other options are out there for anyone who wants them. For free even.
I thought a monopoly was the lack of more than one option?
I used the term functional monopoly, as in the concept of being functionally equivalent to a monopoly in certain respects. Microsoft (there, I spelled it out, happy Soukyan!?) certainly aren't a monopoly in the sense that Standard Oil was, for example. However, they are a monopoly in the sense that cable companies and local phone companies were at one time (and still are in certain parts of the country). Admittedly, that is changing for the better. However, the legacy of Microsoft's agreements with PC manufacturers is still with us, as are other things.
Jayce
Terracotta Army
Posts: 2647
Diluted Fool
I used the term functional monopoly, as in the concept of being functionally equivalent to a monopoly in certain respects. Microsoft (there, I spelled it out, happy Soukyan!?) certainly aren't a monopoly in the sense that Standard Oil was, for example. However, they are a monopoly in the sense that cable companies and local phone companies were at one time (and still are in certain parts of the country). Admittedly, that is changing for the better. However, the legacy of Microsoft's agreements with PC manufacturers is still with us, as are other things.
I see where you're coming from, but it smells like FUD. People like to throw the term around, but the fact is, MS has just been smart enough to concentrate on what sells operating systems. Remember OS/2? Barely? I remember a time when MS was pretty seriously deficient in some areas like security, stability, etc - I'm not an MS fanboi. But at the same time I'm not an OSS fanboi, Mac fanboi, or any other kind of fanboi. I think they have come a long way, and with the ascendance of OS X, Linspire and other (relatively) user friendly Linuxes, and of course Firefox, I think there's a healthy level of competition out there. At the same time, MS is predominant on the desktop. It's good that SOMEONE is predominant in that area though, IMO, because it saves a lot of time that would be wasted authoring niche products for multiple platforms. Anyway, as Signe pointed out, this has nothing to do with Shadowbane, so I'll leave it at that...
Witty banter not included.
AOFanboi
Terracotta Army
Posts: 935
I see where you're coming from, but it smells like FUD. People like to throw the term around, but the fact is, MS has just been smart enough to concentrate on what sells operating systems. Remember OS/2? Barely?
You mean that OS that IBM and Microsoft cooperated on, that Bill Gates said was the future for DOS, until IBM wouldn't replace the superior Presentation Manager with Microsoft's sucky Windows desktop? That OS/2? Yes, we do remember it - it's even still alive somewhere. We also remember all the other "could have been" contenders like DesQview, GEM, GEOS... hell, with an earlier adaption of TCP/IP in the DOS world we could even have seen X11 becoming the windowing system for DOS as well as for Unix. Then we remember who pressured manufacturers into putting Windows on top of DOS at the exclusion of competitors, and the law stepping in at a later point (1995?) when it was moot whether the practice was stopped or not because Microsoft had "won" the market.
Current: Mario Kart DS, Nintendogs
Jayce
Terracotta Army
Posts: 2647
Diluted Fool
Witty banter not included.