Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Firefox Exploit Adds Fuel to Browser Security Feud

Zonk posted about 9 years ago | from the patch-early-patch-often dept.

Mozilla 510

An anonymous reader writes "Washingtonpost.com is reporting that a fairly nasty exploit has been released for a security hole that Firefox patched just yesterday. This is sure to add fuel to the ongoing heated debate over whether Mozilla is any safer the Internet Explorer." From the article: "This is not your run-of-the-mill proof of concept exploit code. It appears to be quite comprehensive, and would allow any attacker to use it with only slight modifications. According to the advisory, the code is designed to be embedded in a Web site so that anyone computer visiting the evil site with Firefox or Netscape would open up a line of communication with another Internet address of the attacker's choice, effectively letting the bad guys control the victim computer from afar."

cancel ×

510 comments

Sorry! There are no comments related to the filter you selected.

Browser shmouser (5, Insightful)

BWJones (18351) | about 9 years ago | (#13624025)

Browser, shmouser..... What I want is a secure OS! Arguably, if the OS is secure enough, then you should not have problems with programs that can start executing code without permissions. Granted, it is a matter of balance, but an OS should never allow root control by an application without specific permission. Of course the default with Windows is root, but hey....

As an interesting aside: We just went through a two day outage at the university here because of a worm that infected a series of Windows systems. My question to IT guy#1 was: "Dude, why did you guys switch from Solaris to Windows?" His reply was that "the Windows solution was cheaper". I said "Dude, you guys need Macs!", to which he replied "yeah, no $#!t" when he caught himself and said something unintelligible. Guy #2 that I spoke to today gave me some song and dance about how Macs are really hard to integrate into mixed platform networks and then said something to the effect of "if Macs had greater market share, we would be in the same boat". I said something to the effect of "Bull$#1t". It comes down to management and OS design. Windows can be secure, but it requires much more oversight than do other alternatives. But fundamentally, all of the calls direct to the kernel that are available to applications are a problem that will not be solved until (hopefully) the next MS OS.

Even without root things can get nasty (5, Insightful)

jfengel (409917) | about 9 years ago | (#13624111)

It's certainly true that root access causes the most headaches, but there's a lot that can be done without root access.

Even with just user-level access, it can erase all of your files or set up a spam relay. It may even be able to set up a keystroke logger or install a modified version of your browser (for you alone) that slurps up your credit card numbers. And it can modify your local .rc files to re-run itself when you boot (and check to see if you've altered them and re-modify them as soon as you're done.)

It's a heck of a lot easier to remove than a root-level exploit (you can log in as root and remove the code, which you can't necessarily do to a rootkit). But even though the lack of root can limit the damage, considerable damage can be done without it.

The solution? Well, partly it would be nice to have the OS provide fine-grained control, so that even if malicious code gets to execute it could be prevented from modifying your files without explicit permission or accessing the Internet to act as a spam relay. But such fine-grained controls are incredibly tedious; they exist in Java but they're rarely used.)

Failing that, the rest of the solution is to be write any program that downloads arbitrary content from the internet very, very carefully.

Re:Even without root things can get nasty (0)

Anonymous Coward | about 9 years ago | (#13624135)

that's why you chroot everything :D

Tip-toe through the TPS. (1, Interesting)

Anonymous Coward | about 9 years ago | (#13624218)

"Failing that, the rest of the solution is to be write any program that downloads arbitrary content from the internet very, very carefully."

Welcome to the idea of TPS. Only trusted code runs on your machine.

Re:Browser shmouser (2, Insightful)

Sneftel (15416) | about 9 years ago | (#13624123)

A computer may be considered "hacked" even if the hacker doesn't have root control. Sending out two million penis enlargement spams per day... serving as a proxy to hack other computers... scanning subnets for vulnerabilities... none of these things require root access.

And even preventing arbitrary code execution is only a partial step. What is code? It isn't just opcodes that are processed by the CPU's instruction decoder; it's also bytecode which is executed by a virtual machine, or even the FSM generated by a regular expression. No OS can catch that.

Re:Browser shmouser (5, Interesting)

AKAImBatman (238306) | about 9 years ago | (#13624128)

Arguably, if the OS is secure enough, then you should not have problems with programs that can start executing code without permissions.

Eh, it's multi-faceted. The problem is that many of the greatest security threats today are from buffer overflow attacks. (Or heap overflow in this case.) This is frustrating because we've had the technology for more than 20 years to write code that is invulnerable to these sorts of attacks. Unfortunately, the majority of OS and Desktop software has continued to rely on C and C++, making these holes not only possible, but probable.

If the buffer overflow attack were solved once and for all, then attackers would have to move higher up the stack. e.g. Embedded scripts in emails that run with full permission. This sort of attack is why Java has a built-in security manager that can prevent access to secure resources. Should our security problems ever escalate to this level, I'm sure you'll see a lot of similar security managed environments showing up.

Re:Browser shmouser (1)

uofitorn (804157) | about 9 years ago | (#13624129)

Secure OS or not, many (most?) browser vulnerabilities are at the application level. Though it seems this interesting case is not

Re:Browser shmouser (1)

AKAImBatman (238306) | about 9 years ago | (#13624148)

Secure OS or not, many (most?) browser vulnerabilities are at the application level.

I don't know about that. How many cross-browser vulnerabilities are caused by OS level URL handlers?

Just something to think about. :-)

Re:Browser shmouser (1)

paroneayea (642895) | about 9 years ago | (#13624136)

Arguably, if the OS is secure enough, then you should not have problems with programs that can start executing code without permissions. Granted, it is a matter of balance, but an OS should never allow root control by an application without specific permission. Of course the default with Windows is root, but hey....


Running as root is certainly a bad thing. Of course, even within any reasonable permissions, we'd have to expect that a program has the ability to execute code that might not be desirable. For example, I'd want a python script to _have the ability_ to execute shell commands on a user level, because such a script might be useful. It might not be, and any user could lose a lot of valuable files that way. But then again, that's where we should make sure the applications are secure.

Re:Browser shmouser (0, Offtopic)

thebdj (768618) | about 9 years ago | (#13624137)

Yeah the Mac/Windows integration complaint by most sysadmins is total bullshit. They are almost fully integrable now and it really isn't that hard to do. OS X.3 really made this a fairly simple thing to do on a PROPERLY setup ActiveDirectory Domain (if there truly is such a thing). If said company is running a non-AD domain they could keep the headache and save the money buy setting up a domain on a Linux server. But most sysadmins are afraid of what they do not understand which is part of the reason why there are still some places using Novell instead of having switched fully over to Windows based storage servers.

This is sort of the same thing that has happened with large companies sticking with Windows 2k and in some rare cases NT. Sysadmins seem to like to keep things the same and never change, after all if you are MSCE for NT Server why bother getting an updated MCSE for 2003 and upgrade your servers, forget that you'll have a much harder time getting a job without an updated MCSE.

This actually reminds me of a former place of work, and if you are interested on learning more about this former place of work that is part of the public education system, feel free to send me messages, not signing NDAs is such a nice thing. Anyway, are IT manager had a single certification, for of all things Novell. This man does not even know how to reset passwords in an AD domain, and to make things worse takes all the cred from the real employees and of course blames them for what are usually his mistakes.

Let us say that this former place of work was switching to an all AD domain, ridding themselves completely of Novell (including Groupwise), and finally getting Exchange. The problem I have heard is that this change, which was suppose to be done by Feb. or March of this year has halted and is almost moving in reverse. This is by and large because of the lack of knowledge and poor management of not only my individual organization's manager but other managers as well.

So fear of change, this is what keeps them from changing. Back to the topic at hand, can this exploit do anything serious to Linux users who are smart and don't run as root?

Re:Browser shmouser (1)

CorruptMayor (915031) | about 9 years ago | (#13624159)

Technically the default for UNIX is also root, but hey...

Even if you built an operating system around secure principles (removing the insecure instead of adding the secure, principle of least authority, etc), you still have a user who is willing to save an attachment from an email, unzip it, enter a password, and run a program!

The best security software is the person operating the computer.

Re:Browser shmouser (1)

Homology (639438) | about 9 years ago | (#13624173)

Browser, shmouser..... What I want is a secure OS! Arguably, if the OS is secure enough, then you should not have problems with programs that can start executing code without permissions. Granted, it is a matter of balance, but an OS should never allow root control by an application without specific permission. Of course the default with Windows is root, but hey....

Why don't you just install OpenBSD [openbsd.org] ? Works very fine as a desktop, unless you require hardware accellerated 3D.

Re:Browser shmouser (1)

SacredNaCl (545593) | about 9 years ago | (#13624198)

I'm wondering if this is the same 'workaround' fix for this as the last time IDN was exploited..IE: Just turn IDN off.

Anyone know? If that is the case, I'm not vulnerable as I never believed they would get IDN right without a mess of problems & intentionally turned it off.

Welcome (2, Funny)

Anonymous Coward | about 9 years ago | (#13624026)

I for one welcome our new Firefox hacking overlords.

Woo! Finally! (5, Funny)

daniil (775990) | about 9 years ago | (#13624028)

Firefox is finally catching up with the market leader! Woo!

I for one .... (0, Redundant)

winescout (901477) | about 9 years ago | (#13624144)

I and my computer for one, welcome our new remote exploiting, script kiddie overloards.

Security through obscurity? (5, Insightful)

gbulmash (688770) | about 9 years ago | (#13624045)

It's interesting that this comes on the heels of Opera [opera.no] eliminating the ad-supported version and offering their browser free.

The sad thing is that it also comes on the heels of zdnet.com claiming that Firefox is having significantly more security issues than IE [slashdot.org] .

I guess, though, this does give some credence to the "security through obscurity" theory, as the number and frequency of issues seems to have increased as Firefox adoption has increased. And if that's the case, can we expect to see these issues become even more frequent if Firefox adoption continues to grow?

All the arguments that open source is more secure because there are more eyes to spot problems and more hands to fix them are starting to ring a bit hollow as I upgrade/patch my Firefox install on what seems like a monthly basis.

Given, I still trust MSFT as far as I can throw a Volkswagen, but my laughs at their FUD aren't so loud or haughty today.

- Greg

Re:Security through obscurity? (1)

Henry V .009 (518000) | about 9 years ago | (#13624080)

It's the best browser on the market right now. They are probably looking enviously at the rapid growth of Firefox, and want to copy that. But I wonder how they plan to make their money. There can't be that much to be made off of "premium support" for a web browser.

Re:Security through obscurity? (1)

justinhj (601309) | about 9 years ago | (#13624130)

Security is function of how much you can with a system and how many people use it.

Opera is seen as more secure but doesn't allow you to use many useful websites.

Firefox doesn't allow ActiveX which again limits it's utility.

The security of a system at the time of release is not as important as how the publisher of that system reacts to holes and patches them up as they are discovered.

Re:Security through obscurity? (1)

m4dm4n (888871) | about 9 years ago | (#13624247)

They're going to try make their money from opera for the mobile. Not a bad idea, try get as many people as possible using it on their home machines, and then when they buy their new trendy web enabled mobile device, they may just be willing to pay for Opera.

Re:Security through obscurity? (1)

MightyYar (622222) | about 9 years ago | (#13624127)

"I guess, though, this does give some credence to the "security through obscurity" theory, as the number and frequency of issues seems to have increased as Firefox adoption has increased."

Then I'm pretty safe with links [mff.cuni.cz] on Mac? :)

Re:Security through obscurity? (5, Insightful)

m50d (797211) | about 9 years ago | (#13624147)

Just like MS, firefox focuses more on features, and quickly. Many of the problems with firefox have come from the extension system, or from fairly experimental new features that firefox rushes to adopt, like this. A little more conservatism is needed when dealing with remote data, and I really think an extension system for an application that deals with remote data - be it activex or firefox extensions - is asking for trouble. You can find more secure browsers than either firefox or IE, and I don't think this is solely due to their obscurity, but also due to not including these dangerous technologies.

Re:Security through obscurity? (1)

DigitumDei (578031) | about 9 years ago | (#13624188)

The best security is to be found in using the less popular browsers that no one bothers to take the time to hack.

Re:Security through obscurity? (0)

Anonymous Coward | about 9 years ago | (#13624207)

I guess, though, this does give some credence to the "security through obscurity" theory, as the number and frequency of issues seems to have increased as Firefox adoption has increased.

Well, sure. This, combined with all the previous well-publicised Firefox exploits, makes a grand total of... uh... one well-publicised Firefox exploit, ever. And there's no evidence that anyone has made use of this for any nefarious purposes, or that they will. And the patch is out already.

Let's just say I'm not ditching Firefox yet.

Re:Security through obscurity? (4, Insightful)

Saxerman (253676) | about 9 years ago | (#13624261)

All the arguments that open source is more secure because there are more eyes to spot problems and more hands to fix them are starting to ring a bit hollow as I upgrade/patch my Firefox install on what seems like a monthly basis.

I hear this is a lot, and it often leads to a misrepresentation of what makes OSS 'more secure'. The more eyes/hands claim doesn't assert that there will be less bugs, it means they are suppose to be spotted and corrected more quickly.

Security isn't a state of being, it's a state of mind. I believe there are more white hats than black hats, so OSS leads to better code. If you believe otherwise, you will probably feel more secure using closed source software (but that won't necessarily mean you ARE more secure.)

Firefox (-1, Troll)

Anonymous Coward | about 9 years ago | (#13624047)

Fuck Taco. Fuck 'im in the asshole with a big rubber dick!

Re:Firefox (1)

Rikkochet (910226) | about 9 years ago | (#13624215)

Well, I got the Carlin reference.. Still didn't belong in this thread. Er. "Go Firefox" just to avoid getting a -1 off topic.. :D Tho I gotta say I just switched to Opera yesterday and I'm really loving it. I miss my Firefox extensions but it's just so sluggish.

Well... (0)

Anonymous Coward | about 9 years ago | (#13624053)

At least it doesn't cost money to be rooted.

IE7 will doom Firefox (-1, Flamebait)

Anonymous Coward | about 9 years ago | (#13624055)

IE7 is probably going to put Firefox out of business next year. It's more secure and it's faster. Firefox is my default browser now, but after toying around with IE7, I don't see much reason for Firefox. Tabs and security have been the reasons I've used Firefox. IE7 has nice tabs, it's more secure and faster.

Re:IE7 will doom Firefox (5, Insightful)

sgar (859603) | about 9 years ago | (#13624097)

How do you put an open source browser "out of business". If IE7 is all it's cracked up to be, and has some features Firefox doesn't, the Mozilla team can add them to Firefox fairly rapidly. But to say that a closed source, proprietary, bundled browser is going to "put out of business" an open source, cross platform browser is just plain dumb.

Re:IE7 will doom Firefox (0)

Anonymous Coward | about 9 years ago | (#13624185)

But to say that a closed source, proprietary, bundled browser is going to "put out of business" an open source, cross platform browser is just plain dumb.

You're right! He should have said that IE7 is going to further marginalize Firefox to the point of obscurity because the 90% of users that presently use IE will switch to IE7 and the few that have switched to Firefox will switch back to IE7. This will make Firefox's userbase so infinitesimally small that the developers will, in all likelihood, abandon the project.

You'll scoff at what I have stated but, the above scenario is far more likely than Firefox getting the features necessary to manage it in a large enterprise, like IE has today.

Re:IE7 will doom Firefox (1)

go007go (578347) | about 9 years ago | (#13624240)

It's a figure of speech. Relax. Firefox will lose market share. You satisfied?

That's news to me... (1)

HerculesMO (693085) | about 9 years ago | (#13624145)

Last I checked, IE7 has a higher memory footprint than Firefox, renders pages more slowly, lacks a bunch of features of Firefox and doesn't have extensibility like Firefox does with its extensions.

With great extensions out there that are evolving and continually being developed (weather, news, RSS, adblock, etc) I don't see how IE7 is going to score 'major' points.

Besides the fact that Microsoft takes its own sweet time patching against spyware and security breaches, IE7 will be a replay of more of the same from Microsoft, only vaulting Firefox further ahead, imo.

It's not what IE7 offers in terms of features that will let it beat Firefox, it's what it LACKS in timely updates to problems that will allow Firefox to continue a healthy growth and eventually, a standardization on par with IE. So when developers write code, they will think of the 'other' browser that takes up a huge chunk of marketshare.

Re:IE7 will doom Firefox (0)

Anonymous Coward | about 9 years ago | (#13624217)

Why is parent modded as flamebait? All AC was they thought IE7 would do better than Firefox. Most of /. 's users dis IE and they don't get modded down. I hope someone metamod's this mod correctly.

Publicity (5, Insightful)

improfane (855034) | about 9 years ago | (#13624064)

Publicity was the demise, the great browser begged for mainstream attention, got the show but caught the eye of the bad guys.

No software is universally perfect.

Re:Publicity (0)

Anonymous Coward | about 9 years ago | (#13624182)

No software is universally perfect?

BULLSHIT

I have this program that adds 1 to any number you input.

10 INPUT X
20 PRINT X+1
30 END

It works perfectly every time I run it. /HAND

Re:Publicity (0)

Anonymous Coward | about 9 years ago | (#13624258)

What if i put in a char or overflow it?the better example would be a helloworld

Re:Publicity (1)

goldspider (445116) | about 9 years ago | (#13624262)

Uh oh! Looks like somebody needs a little RE-EDUCATION!!

Good news! (5, Funny)

Otter (3800) | about 9 years ago | (#13624065)

On the plus side, the exploit is released under the GPL. This just goes to show the superiority of open-source over proprietary exploits!

Also on the plus side, the Washington Post link crashes my IE, so I can't even read the anti-Firefox news. Score another for Mozilla!.

Blame it on MS (-1, Flamebait)

Anonymous Coward | about 9 years ago | (#13624066)

Just blame it on Microsoft...as usual on slashdot and then move on next topic without ever worrying about holes in Firefox/Mozilla products.

1.5 Beta 1 is also impacted...beware (2, Interesting)

redwoodtree (136298) | about 9 years ago | (#13624070)

Follow this thread on Mozilla Forums [mozillazine.org] for more information. But don't be complacent if you're running the new Beta and be sure to upgrade.

The story here... (5, Insightful)

op12 (830015) | about 9 years ago | (#13624075)

should be the exploit (and only the exploit). The browser feud is really becoming a pointless exercise in arguing. See here [slashdot.org] .

Re:The story here... (1)

AKAImBatman (238306) | about 9 years ago | (#13624200)

The browser feud is really becoming a pointless exercise in arguing.

Welcome back to 1997. Shall we start using little buttons that say, "Best Viewed in FireFox" or "Best Viewed in Internet Explorer?"

On second thought, never mind. [mozilla.org]

Not quite... (5, Insightful)

Anonymous Brave Guy (457657) | about 9 years ago | (#13624270)

I have little time for browser wars, but it is notable that despite the 1.0.7 announcement even making Slashdot yesterday, it's not showing up as an automatic download yet. Worse, it doesn't show up even if you manually check for updates.

There's not much point patching a security issue if you can't distribute the patch and even conscientious users won't find out about it by the expected method.

Patch (4, Insightful)

brettlbecker (596407) | about 9 years ago | (#13624078)

Ummm, so basically Mozilla was ahead of the game as far as this hole is concerned, having already released a patched version of the browser before the exploit became known?

Pardon, but rather than using this exploit as some kind of evidence that Firefox is on-par, security-wise, with IE, shouldn't we be viewing this as a victory for the patch/version-release cycle of the Mozilla foundation?

There will always be new security holes found. The difference is that patched versions of the browser, fixing the security hole in question, are not always released before the hole is announced.

Two cents.

B

Re:Patch (2, Interesting)

sochdot (864131) | about 9 years ago | (#13624184)

Exactly! The patch was released yesterday. As in, "Holy shit! Guys, this is bad, we need a patch yesterday!" If this were IE, a patch might be released in a month or two. I've never heard of an IE hole being closed before any exploits were released. The response to the recent Firefox criticism/comparison has pretty much been, "Sure, as we grow, holes will be found. But we're in a far superior position to fix them and fix them fast." I would say this is pretty good proof.

Nothing to see here (1)

Chaotic Spyder (896445) | about 9 years ago | (#13624208)

Indeed. I don't understand the hype. I wonder how many holes we can find in the un-patched release of (Insert browser here).

COMON.. If anything the story should should have focused on the amazing release cycle of FF

Re:Patch (0)

Anonymous Coward | about 9 years ago | (#13624234)

The big thing is if Firefox ever reached market penetration like IE, where you have all the people currently using IE using Firefox. A lot of the time when an exploit is in the wild for IE you'll see that a patch was released already, but people haven't installed the update, so they're vulnerable. The same thing will happen with Firefox. It doesn't matter if the Firefox team fixes the flaw it 24 hours when you have users that don't update for months.

Question (5, Insightful)

sphealey (2855) | about 9 years ago | (#13624079)

Does the Washington Post, or any other mainstream media outlet, publish a story whenever an exploit is released in the wild for Internet Explorer? In the last year, maybe if it is actually affecting some media companies. Otherwise no.

So why the constant drumbeat of breathless stories about bugs (flaws) and exploits in Firefox? Could it be that the MSM is being seeded by someone? Say .... Microsoft's PR firm?

sPh

Re:Question (2, Interesting)

Cyclometh (629276) | about 9 years ago | (#13624134)

Mainstream media outlets report news- an exploit for IE isn't really news, because so many people use it and so many people target it. Firefox has been touted as the secure alternative to IE, so it's pretty newsworthy when the only contender for the browser throne has one of its main claims to superiority knocked out from under it.

Re:Question (5, Funny)

tktk (540564) | about 9 years ago | (#13624177)

Does the Washington Post, or any other mainstream media outlet, publish a story whenever an exploit is released in the wild for Internet Explorer?

No... because it's hideously expensive to print 10lb newspapers every day.

Re:Question (2, Interesting)

goldspider (445116) | about 9 years ago | (#13624178)

Nope, it's just that Mozilla/Firefox has received a lot of publicity in these news outlets for it's (supposed) security advantages over IE.

I'd say it's most appropriate for these same news outlets to follow up when those claims aren't upheld by reality.

Wouldn't you expect the same if this were a Microsoft app?

Re:Question (1)

Lisandro (799651) | about 9 years ago | (#13624196)

Exactly. Can we dispense with the conspiracy theories? It's a bug, and it will be patched soon enough knowing how the Firefox developers work. It's software; it always have bugs.

Re:Question (1)

Haeleth (414428) | about 9 years ago | (#13624263)

Nope, it's just that Mozilla/Firefox has received a lot of publicity in these news outlets for it's (supposed) security advantages over IE.
I'd say it's most appropriate for these same news outlets to follow up when those claims aren't upheld by reality.


Not upheld by reality? Wait, you're saying that Firefox no longer has any security advantages over IE, because one high-profile exploit has been released, and that after the vulnerability it exploits has been patched?

When more people have had their computers owned as a result of using Firefox than as a result of using IE, then you can start saying that the claim that Firefox is more secure than IE has "not been upheld by reality". Here's a clue for you: there are several tens of millions of infections to go before you have anything to gloat about.

Re:Question (3, Interesting)

freaktheclown (826263) | about 9 years ago | (#13624229)

Melinda Gates [wikipedia.org] is on the WaPo board.

Where's the beef? (3, Insightful)

Intron (870560) | about 9 years ago | (#13624085)

So when are the Fedora update directories going to see 1.0.7???
# rpm -q firefox
firefox-1.0.6-1.2.fc4
# yum update firefox
...
Could not find update match for firefox
No Packages marked for Update/Obsoletion

Re:Where's the beef? (1)

RobertF (892444) | about 9 years ago | (#13624154)

Mozilla staggers new releases to avoid downing there servers. The Mozilla foundation does not have the resources that a company like Microsoft has, so its usually several days before everyone can download the latest firefox.

Re:Where's the beef? (1)

Intron (870560) | about 9 years ago | (#13624237)

yum doesn't download from mozilla.org. That's the point. Mozilla.org does have 1.0.7 on their website. The problem is that the Fedora update mirrors don't have it yet. Its wonderful to release a fix right away, but you still have to distribute it somehow. I could go get it from mozilla.org, but I'll be interested to see how quickly the different distros pick it up.

Exploits as remote administration tool? (5, Interesting)

Sirfrummel (873953) | about 9 years ago | (#13624088)

"...effectively letting the bad guys control the victim computer from afar."

I just have to wonder... have people ever used exploits like this to do any purposeful remote-administration?

Re:Exploits as remote administration tool? (2, Funny)

thedustbustr (848311) | about 9 years ago | (#13624199)

Yup. I'm currently purposefully remote administering your machine as we speak.

What's a net guy to do? (1)

filesiteguy (695431) | about 9 years ago | (#13624090)

Okay, that's it.

I'm going to stop hitting those pr0n, warez and gambiling sites on my work computer. I'm going to stop opening those emails saying I have to apply the latest hotfixes. I'm going to disable javascript, images, and popups.

Wait - maybe I should just use Lynx. Naahh.

I cannot believe that exploits are coming so fast and furious.

Re:What's a net guy to do? (0, Troll)

October_30th (531777) | about 9 years ago | (#13624165)

It's time to stop using the internet and just pull the plug. The spammers and hackers have won. Usenet's already useless, e-mail's getting close to it and web's getting there as well. Game over.

I don't want to maintain a firewall just to prevent some dickhead trashing my home computer. I don't want to keep updating browsers and patching the operating system in an obsessive-compulsive manner so that I can browse the net.

Oh well. It was great as long as it lasted.

Re:What's a net guy to do? (1)

plover (150551) | about 9 years ago | (#13624246)

Obligatory Monty Python quote:

Right! Uhh... so can I have your PC then?

Install NoScript and Disable IDN (1)

tjwhaynes (114792) | about 9 years ago | (#13624194)

'm going to stop hitting those pr0n, warez and gambiling sites on my work computer. I'm going to stop opening those emails saying I have to apply the latest hotfixes. I'm going to disable javascript, images, and popups.

I'm sure you were being sarcastic ... you were being sarcastic, right? Yes? Phew.

If you want to browse the wilder reaches of the web, you really owe it to yourself to ensure that you have Javascript disabled. You really don't want to visit any site that requires that Javascript be enabled if you don't believe it to be safe. The "NoScript" extension allows you to maintain a whitelist of sites that are allowed to use JavaScript and everything else can go hang.

And if you don't require IDN support, you might as well disable it. Go to "about:config", seach for enableIDN and disable it there. IDN seems to be a mix of problems - some implementation issues and some design issues. For anything like that, if I don't need it, it's disabled.

And if you haven't already got a pop-up blocker ... well ....

I'm not going to comment on the opening emails bit. Nobody^WFew People^W^WIdiots^WI give up.

Cheers,
Toby Haynes

Menh (4, Insightful)

gid13 (620803) | about 9 years ago | (#13624094)

The specific response: It's already patched. A released exploit that's already had a patch released for it is nowhere near as scary as one that hasn't.

The general response: As always with open source, if the Mozilla guys drop the ball and you know what you're doing, you can patch it yourself. With closed source, you're kinda at the mercy of the makers (usually Microsoft).

Anecdotal evidence: Yes, this is in the past, but I let two total newbies use a box of mine for about a year, with the only relevant modifications being: Installed Firefox, Deleted shortcuts to IE, Spybot's resident protection, Spyware Blaster, Windows autoupdates on, and Nod32 (not even a firewall). They never had ANY problem until they figured out how to open IE, at which point they managed to get a bit of spyware in.

Re:Menh (2, Insightful)

Otter (3800) | about 9 years ago | (#13624193)

"A patch has already been released" is indeed a convincing response. "You have the source code so fix it yourself" is, to put it mildly, not.

Re:Menh (1)

Negativeions101 (706722) | about 9 years ago | (#13624267)

The point is that there's that option to fix it yourself if you know what you're doing. Even though the option only applies to people in the know at least there is that option. It's not a convincing response on it's own obivously. That's why he coupled it with "a patch has been already released"... or you can couple it with patches get released relatively quickly. It's not a huge deal but at least there is that option unlike with closed source. Having more options can only help, however small that help may be in the big picture, still it's a plus over closed source.

Commence the Microsoft conspiracy theories... (5, Funny)

slashdotnickname (882178) | about 9 years ago | (#13624099)

...because we all know that no self-respecting hacker would attack a friend of open-source such as FireFox. These exploit discoveries are being secretly funded by Microsoft!

Re:Commence the Microsoft conspiracy theories... (1)

saskboy (600063) | about 9 years ago | (#13624168)

I'd actually welcome a team of Microsoft hackers making exploits for Firefox and releasing the discovery of the holes. It would give Mozilla something to work on, and it would essentially be a free testing team doing free work for them.

Re:Commence the Microsoft conspiracy theories... (1)

Negativeions101 (706722) | about 9 years ago | (#13624197)

I'd believe that.

But it's worth pointing out... (3, Insightful)

Anonymous Coward | about 9 years ago | (#13624106)

...that PwnScape is SkyLined's ported version of Internet Exploiter. That's why it looks so polished, it was refined attacking IE, and there are a scary-huge number of unpatched IE bugs that MS knows about (over 50 now).

It's becoming a target of technical attacks because it's becoming higher profile. However, it's doing a very good job of fixing vulnerabilities overall, at least compared to IE.

Yeah, there are response time problems and masked bugzilla bugs, but being open about a bug before a patch is available isn't always the best idea; just because it's open source doesn't mean the discoverer is going to come up with, or be able to come up with, a patch immediately, but one generally turns up; the team is being pretty damn good. It may have been patched properly yesterday, but it was very quick to release a mitigation (disabling IDN).

IE, meanwhile, has a YEARS old vulnerability that MSRC are trying to keep under wraps (even from their partners), because it's a SERIOUS design fault hidden in IE/Shell integration that allows a way of launching ActiveX controls that completely ignores the killbit. Seen Illwill laughing about it, so I know I'm definitely not the only person to independently discover it, and he's been gloating on F-D. And, if you do it right, the 'sploit ignores security zones and settings entirely; you can 0wn a fully patched, fully locked down IE, just by viewing a webpage, with no prompts.

I have a working exploit for it. I won't release it, 'cause if I did, that's a million Windows boxes 0wned by Istbar and some scummy affiliate.

Firefox is an excellent browser overall. If you don't like it, might I suggest Opera 8.50, which is now ad-free, registration-free freeware and also has an extremely responsive security team.

Reality Check (Hand Check Too) (5, Insightful)

blueZhift (652272) | about 9 years ago | (#13624107)

Practically speaking I guess this means we should all stay away from questionable (*cough*pr0n*cough*) sites for a few days. Seriously, we all know where these exploits are likely to show up first...

When's the patch? Oh, yea... (2, Insightful)

rdwald (831442) | about 9 years ago | (#13624109)

I wonder how many weeks it'll be...oh, yea, they released it yesterday. If only all web browsers had these sorts of exploits -- that is, the already-patched type.

Re:When's the patch? Oh, yea... (1)

Flashbck (739237) | about 9 years ago | (#13624260)

I really dislike this attitude that some of you guys have. The whole: It is not a problem because it has already been patched. The problem is the same with MANY worms that take over computers. The patches may exist to prevent the problem but the bigger problem is getting joe user to apply those patches.

We geeks regularly update our software with the latest patches as soon as they come out. Joe user does not even look at the little circle in the top corner of his browser and know that it even means that an update is available. Hell, I have friends that I made FF converts right when version 1.0 came out. I was at one of their houses recently and lo and behold, they still had version 1.0. The problems that these exploits open up are not a big deal to those of us who regularly install the updates. The problems are for our parents, grandparents, little sisters and brothers who do not care as much about computers as we do. They will have these exploits run on them. They are the ones we need to protect.

Re:When's the patch? Oh, yea... (1)

paradizelost (689394) | about 9 years ago | (#13624272)

But M$ Internet Explorer has those all the time. just because they don't inform people of the vulnerabiltiy for 6 months, release a patch, and then tell everybody should matter, should it?????

Nasty! (-1, Flamebait)

Anonymous Coward | about 9 years ago | (#13624110)

Wow. They really did fool me when they said it was safer. Guess ill be using Opera now.

why (1)

Negativeions101 (706722) | about 9 years ago | (#13624112)

I'd just like to know how it is that Opera has so many features and it takes the firefox team relatively forever to patch a seemingly serious security flaw. Opera has voice already and a slew of other features plus it's faster! It seems to be taking the firefox team forever to do anything. At this point they're just ripping off Opera now. This is ridiculous. Get your act together firefox team.

Vunerability counts say nothing. (5, Insightful)

Ckwop (707653) | about 9 years ago | (#13624117)

The security of a web-browser is in no way related to the number of vulnerabilities found per year. There are two mystical numbers out in the ether which related to the exact number of security flaws in Firefox and IE. Now not all vunerabilities are created equally. IE could have ten minor vulnerabities for every major vulnerability found in Firefox and IE could still come out on top. What I'm trying to say is the number of vulnerabilities is a very poor metric for security.

This vunerability is yet another heap based attack. Another attack that could have been avoided if people compiled the programs with the various heap/stack protection switchs. Please don't bitch about how it makes pointer arithmetic too slow. It just isn't true, what you should be doing is compiling the entire program with the switch then if it turns out to be too slow, factor out the code in to a seperate library and compile it without the switch. You can then do focused code reviews on this unsafe code to hunt out overflows/heap.

If you remember nothing else today remember this sentence: "Security costs CPU cycles..". Guess what gents? XOR is a really fast cipher but it doesn't give you any security. You need a whole bunch more clock cycles to get it. The funny thing is people only apply this thinking to cryptography when in fact it's a general security principle. All the string checks you do cost CPU cycles as the program will function just fine without them. You decide to spend CPU cycles on this task to get security because you feel it is important. To get security you have to spend a metric-fuckton of CPU cycles. Fact. What I want people to recognise is that it is worth making your programs slower to consign buffer overflows to the history book.

For a web-browser on a PC there is really no excuse because we have multi-GHz computers that are sat around idling most of the time. For all the naysayers who prounce almost with religious zeal that the performance hit will be dramatic and thus be unaccepetable. I ask them two questions:

  1. Did you actually compile the program with the switch and profile it against the compiled program without the switch? Was the performance degradation even noticeable?
  2. You may think slowing the program down is unacceptable but is leaving your customers at risk from an easily preventable class of vulnerabities more acceptable?

Join me and spread the word. Tell the world to spend CPU cycles on getting security because it hurts us all that we have such insecure software. Remember, "Security costs CPU cycles"

Simon.

FireOutFoxed (-1, Offtopic)

Anonymous Coward | about 9 years ago | (#13624141)

Looks like Open Source means what Open Orifice do you want it in...yikes!

"is any more security?" (1, Troll)

John Courtland (585609) | about 9 years ago | (#13624143)

FTFA:
Kennedy was referring to the heated debate in the security community over whether Firefox is any more security than IE
Is Taco editing the Washington Post now?

Still safer (1)

CastrTroy (595695) | about 9 years ago | (#13624146)

I find that firefox is updated much faster than IE. I'm sure this bug will be patched within a couple of days. Also, I'd like to see the firefox bug that as exploitable as activex. ActiveX is the one thing left in IE that makes it truly, the most insecure browser out there.

Re:Still safer (1)

klocwerk (48514) | about 9 years ago | (#13624190)

so fast, that it was patched yesterday in fact.
and posted on slashdot.
lazy CastrTroy...

Re:Still safer (1)

99BottlesOfBeerInMyF (813746) | about 9 years ago | (#13624231)

I'm sure this bug will be patched within a couple of days.

I'm sure it won't be since it was patched before this exploit was even released. It has not, however, made it into all distribution channels, some linux distros, for example, will not have new version available to their package management system.

Re:Still safer (1)

paradizelost (689394) | about 9 years ago | (#13624244)

Will be patched?? as the article states, it was patched yesterday.

Just buy a Mac :-) (1, Insightful)

Anonymous Coward | about 9 years ago | (#13624149)

Security experts agree: Apple makes the most secure computers and you get the best of Unix and Microsoft compatibility when you go with Apple. The native browser for Apple is Safari. Why not just go the safe route and go with Apple? They're haven't been many reports of Safari vulnerabilities continuing Apple's domination of the safety record for the last few years.

Just buy a Mac ;-)

Re:Just buy a Mac :-) (0)

Anonymous Coward | about 9 years ago | (#13624180)

Just eat me ;-)

The year of Firefox (1)

Frankie70 (803801) | about 9 years ago | (#13624151)

Is this the year of Firefox on the Desktop?

Avoid "visiting the evil site" (0)

Anonymous Coward | about 9 years ago | (#13624155)

The best thing to do when you visit the "evil site" is to immediately kill and flush firefox from your memory cache, block all outgoing ports with iptables or whatever and as a last resort unplug your computer.

Note that hackers will typically infiltrade existing websites and infect them with their malicious code. Be on the lookout for any of your favourite websites that have recently undergone an overhaul in appearance. It may be, as Ackbar once orated, a trap.

This smells (0)

Anonymous Coward | about 9 years ago | (#13624164)

All of these articles on firefox, and how terrible its security seem like bs. I'm no browser security expert, but I will say that I have helped many people eliminate spyware just by having users use Firefox (or any other non IE browser) over IE. What am I going to tell my dad and everyone else now that I finally got them using Firefox? I smell M$, and it stinks...sort of like cheap purfume on rotting Man-Ray. Linux/BSD Gangster [linuxgangster.org] Signup ya heard

Fast. (2, Insightful)

hungrygrue (872970) | about 9 years ago | (#13624176)

has been released for a security hole that Firefox patched just yesterday
Sounds like damn good response time to me! When was this first discovered? How many days total did it take for the patch to be released? Yes, it sucks that the vulnerability was there to begin with, but you have to admit that this is a good demonstration of how well an open source community project can respond.

That can only mean one thing .... (2, Funny)

photonic (584757) | about 9 years ago | (#13624183)

Microsoft has stopped working on IE7 and has its PhD's working full-time on writing exploits for known holes...

ie7 (1)

demon411 (827680) | about 9 years ago | (#13624210)

i heard ie 7 sand boxes the browser from the os? how true is this and will this help with against spyware? at least this way the malware will have to share a sandbox with ie (perhaps they can learn to get along and build a sand castle).

and hey let's wait for the product to come out before we trash it

OSS to the rescue? (1, Troll)

uofitorn (804157) | about 9 years ago | (#13624219)

I don't understand, I visit /. day in day out and all I hear about is how the great benefit of OSS is that anyone can read and improve the source code reducing the amount of vulnerabilities. A million zealots can preach the benefits of FLOSS, not many of them seem to practice it though.

Go ahead mark me down as troll but this is something I've been thinking about a lot. I use OSS on my Solaris network when permitted because the benefits are still awesome. Also, please save the canned replies of "but it was fixed quickly because the source was available". It's still a response to the problem that should not have been present to begin with if the zealots were to be believed.

Screw it...I'm moving to Lynx! (5, Funny)

PenguinBoyDave (806137) | about 9 years ago | (#13624225)

Let's see them attack my text-based browser!

did anyone else notice... (2, Funny)

advocate_one (662832) | about 9 years ago | (#13624226)

that the actual exploit was released under the GPL... this means that anyone who takes it and modifies it has to release their improvements if they then proceed to distribute it... so if anyone does get infected, please get the person you got it from sued by Gnu for failing to make the source code available as well...

My Firefox 1.0.6 says there are no updates. (1, Informative)

Anonymous Coward | about 9 years ago | (#13624230)

If I have firefox (win32) check for updates in the Tools, Options menu, it says that there are no updates. WTF?

Automatic Updates (5, Interesting)

Paul Slocum (598127) | about 9 years ago | (#13624232)

They do patch stuff fast, but until automatic updates work correctly, it's not going to do much good for the average idiot user. And someone will eventually start trying to take advantage of these exploits. I'm running 1.0.6 and there's no update icon showing. When I say Check Now: "Firefox was not able to find any updates." -paul

I use Firefox 99% of the time (2, Interesting)

PCCybertek (915945) | about 9 years ago | (#13624241)

I personaly believe that the activeX exploits are the nasty ones. I use to get so much crap on my system when I ran IE, even after the SP2 update. Since I use Firefox almost exclusively, I have had just about none. That's good enough for me.

Well that tears it! (5, Funny)

dpilot (134227) | about 9 years ago | (#13624268)

I'm going to rip Linux out of all my boxes, install WinXP SP2, and do all of my web surfing on IE with ActiveX enabled, just to be safe!

Interesting to see FireFox take some heat (2)

eebra82 (907996) | about 9 years ago | (#13624269)

Good and popular isn't always a good thing. When FireFox was released, it was also like a praise to many because finally we had an alternative to the evil big ol Microsoft coming. But once FireFox reached the bigger masses, it also opened its eyes for hackers around the world. Summary: the bigger it is, the bigger risk it will become to use software.
Load More Comments
Slashdot Login

Need an Account?

Forgot your password?