
Mozilla/Firefox Bug Allows Arbitrary Program Execution

treefort writes "An article at eWeek has the lowdown. The article also has a link to the bug report which addressed this issue some time ago. Still, I feel safer using Firefox since malicious persons are much more unlikely to target any vulnerabilities. Note that this only affects users of Mozilla and Firefox on Windows XP or Windows 2000." New releases are already available on mozilla.org that fix this. Update: 07/09 00:41 GMT by CN: I removed the bum link to Bugzilla, since I guess they don't like us. Also I discovered that OSDN's own NewsForge has more on the situation.
  • by Real Troll Talk ( 793436 ) on Thursday July 08, 2004 @06:23PM (#9647634) Journal
    Releases are available already. One of the (many) reasons I switched to the Gecko browsers from IE, because they actually update their software.

    Note how fast it was patched compared to the fact that IE still doesn't have tabbed browsing.
  • bias (Score:2, Insightful)

    by azadam ( 250783 ) on Thursday July 08, 2004 @06:24PM (#9647644)
    "Still, I feel safer using Firefox since malicious persons are much more unlikely to target any vulnerabilities."

    Seriously.
  • by LostCluster ( 625375 ) * on Thursday July 08, 2004 @06:24PM (#9647646)
    I can't help but think that this thread from earlier today [slashdot.org] can be seen as good news from a security context...

    Just how does Mozilla/FireFox think it's going to keep malware from tricking the users into granting permission when the clueless masses come over from IE?
  • by Anonymous Coward on Thursday July 08, 2004 @06:25PM (#9647660)
    Firefox has no critical update system, or automatic notification of anything. All the clueless drones who switched to Firefox because the news said it was more secure are going to be blissfully enjoying a cup of tea while someone is examining the files on their computers.
  • by ZZeta ( 743322 ) on Thursday July 08, 2004 @06:29PM (#9647701)
    Of course bugs will appear in Firefox.
    Nobody in their right mind can expect a product to be perfect, but what makes Mozilla different is that bugs are fixed instantly. And that's because of the open source community, which is far more reliable than the competition.
    People might disagree with me, but I still think these bugs (and their immediate fixes) only show how great open source really is.
  • by daeley ( 126313 ) * on Thursday July 08, 2004 @06:29PM (#9647705) Homepage
    Erm, the exploit is fixed. I hate hypocrisy as much as the next person, but RTFP.
  • Re:bias (Score:4, Insightful)

    by bad_fx ( 493443 ) on Thursday July 08, 2004 @06:33PM (#9647745) Journal
    Seriously, what are you saying? That that statement isn't true?

    Um, Seriously, if you think that's not true, you need to get your head examined - of course people are much less likely to target these vulnerabilities, because a much larger percentage of people currently use IE than firefox, not to mention that those who do use firefox are more likely to be at least slightly more savvy web users than their IE-using counterparts. Hence there is less incentive for those with malicious intentions to target firefox (for now at least.)

    So, how is the truth bias?
  • by jesser ( 77961 ) on Thursday July 08, 2004 @06:35PM (#9647759) Homepage Journal
    shellblock.xpi fixes the hole in 0.9.1 so that 0.9.1 users don't have to download the whole browser again.
  • by Carnildo ( 712617 ) on Thursday July 08, 2004 @06:35PM (#9647764) Homepage Journal
    Strictly speaking, it's not an exploit in Mozilla/Firefox. It's a hole that can be used to access exploits in other software -- basically, it can turn what was a local exploit into a remote one.
  • by Anonymous Coward on Thursday July 08, 2004 @06:39PM (#9647797)
    Well, if you're going to brag about standards support, you need to support standards. Including the stupid ones.
  • by Anonymous Coward on Thursday July 08, 2004 @06:41PM (#9647814)
    It sounds like it is a Windows hole to me, not a Firefox one. Notice it doesn't work with XP SP2, meaning Microsoft has fixed the problem.
  • Re:Congratulations (Score:3, Insightful)

    by Jane_Dozey ( 759010 ) on Thursday July 08, 2004 @06:41PM (#9647819)
    Please point out the hypocrisy.
    I don't hear the OSS community pretending their software has no bugs or holes.
  • by 0racle ( 667029 ) on Thursday July 08, 2004 @06:42PM (#9647825)
    Problems in IE get a lot of attention too, but somehow every open bug is a blotch on MS, whereas for Mozilla here, it's just fine and dandy.
  • Re:bias (Score:5, Insightful)

    by azadam ( 250783 ) on Thursday July 08, 2004 @06:43PM (#9647835)
    "A serious security flaw has been found. But don't worry, it's no big deal!"

    It's just frustrating to hear people whine about security via lower market share, but then excuse serious flaws using that logic when it's convenient.

    I don't, however, refute the point. I'm just of the camp that would prefer stories to at least feign subjectivity, and leave the opinion for the comments.
  • by CaptainSuperBoy ( 17170 ) on Thursday July 08, 2004 @06:44PM (#9647849) Homepage Journal
    OK, that's it you guys. No more talk of how IE is so insecure because of Microsoft's 'monoculture.' Security issues, it seems, are a way of life in software. There are plenty of other arguments against Microsoft so there's no reason to use this one any more.

    Personally I'm still going to use FireFox. It's a better browser than IE and I'm happy that they patched it in a single day. It's a little worrisome that this issue sat around on Bugzilla, hopefully this will motivate the Mozilla team to figure out some procedures to keep security bugs from slipping through the cracks.
  • Re:No, it doesn't. (Score:1, Insightful)

    by rjstanford ( 69735 ) on Thursday July 08, 2004 @06:47PM (#9647882) Homepage Journal
    Also note that this is a problem with Windows URI Handler rather than Mozilla. Mozilla passes any protocol it doesn't understand to Windows, and Windows uses it to execute a local file. That's why this problem doesn't exist in anything but Windows.

    By that argument if someone asked Mozilla to delete some files, but rather than deleting them through unlink() it passed it off to the shell to do through rm, that would be Linux's fault? C'mon. At best, it's passing unvalidated input to a secure user context (which Mozilla needs to allow its users to do things like save files, delete cache entries, etc).

    This just goes to show that Microsoft makes insecure software, and that insecurity often bleeds into otherwise trustworthy programs

    Hey, I like Firefox as much as the next guy (especially its DOM explorer), but there's no need to join the FUD camp to bash its rivals.
  • Re:Two beefs... (Score:3, Insightful)

    by maggeth ( 793549 ) on Thursday July 08, 2004 @06:47PM (#9647883)
    There is a 2 KB patch available on Mozilla Update. Look for the ShellBlock extension.

    And this is beta software. It's supposed to be buggy. The fact that IE is in its 6.x series and still an open porthole to the world while today MozOrg fixed this issue in one day should say enough.

    If you think there are any browsers out there that are totally secure, you're bleeding insane.

  • by ron_ivi ( 607351 ) <sdotno@cheapcomp ... m ['ces' in gap]> on Thursday July 08, 2004 @06:48PM (#9647886)
    This incident underscores why many use or have switched to Firefox: vulnerabilities discovered and promptly fixed. Not weeks and months from their publication--and not by another vendor--....

    But some people [technewsworld.com] seem to be of the opinion that too many patches would be confusing.

    "Ballmer said one key improvement will be a simplification of the way patches are distributed. Microsoft plans to move to a monthly patch release schedule, which he said will make it easier for network administrators to plan updates, which often require system shutdowns before installation."
    If this other vendor is right that people want no more than monthly patches, such a fix may have to wait weeks.
  • Update system (Score:5, Insightful)

    by supercytro ( 527265 ) on Thursday July 08, 2004 @06:50PM (#9647915)
    Whilst it's easy to take pot-shots at Microsoft when it comes to IE, their update system isn't too bad. Firefox needs an easy-to-use mechanism for automatically retrieving and installing critical updates, in a manner similar to MS windows update service.

    Even better, take a leaf out of Norton's liveupdate program.
  • by bwt ( 68845 ) on Thursday July 08, 2004 @06:52PM (#9647931)
    Actually, **Windows** has a hole in its API's that mozilla relied on. So mozilla patched themselves to eliminate a dependency on insecure MS code. In other words, mozilla is working around a microsoft caused security hole. If you use mozilla on linux (or a fixed version of windows), you aren't vulnerable.
  • by rjstanford ( 69735 ) on Thursday July 08, 2004 @06:53PM (#9647949) Homepage Journal
    Is it still security hole in Mozilla????

    Yup. Because Mozilla, as a local application, has a much higher set of privs than a remote website does. This is basically taking code (high-level instructions, but code) from a known insecure zone and telling the OS to run it without any built-in safeguards. And what do you know: we have an exploit.

    Here's a fun example of how IE gets it right. Take the URI file:///c:/windows/system32/mspaint.exe from another example on this discussion. Type that into start/run on a Windows box - it works. Type it into the Address bar of IE - it works. Toss it into a webpage on the local machine and click on it - it works. Toss that webpage onto a remote server and click on it - it doesn't work any more. Different behaviors for different levels of trust. Mozilla defeats this by passing things to the shell with the same level of trust as the user has given it, the local program, which includes the (necessary) ability to mess with the filesystem.
  • by Wofser ( 794587 ) on Thursday July 08, 2004 @06:54PM (#9647955)
    "#1 WHO finds the bug. Is it the developers and community that discovers it in good faith, or is it a hacker and the rest of us find out after a billion dollars has been lost worldwide to the latest worm, virus, etc." The problem is not who finds out about it. The problem is that a big portion of the users don't upgrade. I mean the latest 4-5 big worms did not use any unknown exploits. It used old and well documented exploits, exploits that you could find example-code for. Copy-paste-compile!!
  • by Animats ( 122034 ) on Thursday July 08, 2004 @07:01PM (#9648010) Homepage
    That feature just screams "security hole".

    Hello? Browsers must not execute arbitrary programs on client machines. Is there anybody who doesn't get this yet?

    And why aren't we running browsers in jails yet, anyway?

  • by Temporal ( 96070 ) on Thursday July 08, 2004 @07:10PM (#9648076) Journal
    The developers considered changing from scheme blacklisting to whitelisting, in which case all schemes and protocols would be disallowed unless explicitly allowed.

    Duh.

    I have been saying this for some time now: Never use blacklists. Always use whitelists.

    If you forget to put an insecure operation on a security blacklist, you have a security hole. If you forget something on a whitelist, you just have an inconvenience.

    I am disappointed that the Mozilla developers did not have enough common sense to use whitelists in the first place. But then, it seems like most computer security schemes are blacklist-based, which explains why computers are so insecure.
  • by shellbeach ( 610559 ) on Thursday July 08, 2004 @07:13PM (#9648101)
    Not really. The bug history began immediately afterward and for quite some time it was moved between FIX and WONTFIX but received a lot of attention.

    However much developer attention it received (and actually it wasn't much - see my comments below), it doesn't change the fact that this exploit was present for almost two years ... and a fix was only released when the bug received wider internet attention.

    The speed with which a fix was issued after the general public was made aware of the problem was good ... but the previous activity over the bug (imagine setting the status to WONTFIX for this!!??) smacks of Microsoft-style negligence/lack-of-concern.

    The specific comments you cite are indicative of this lack of concern- Comment #2 basically claims that it's not worth fixing security issues that are initiated without any form of user intervention whatsoever. And why? because it's easy enough to get a luser to click on a malicious link, so why should we worry about sites that just bypass the malicious click?? I don't know about everyone else here, but that sort of logic concerns me!

    Just looking at the amount of interest in this bug after 2002 (only two brief comments in 2003 and another two in 2004; no patches submitted or even thought about) seems to suggest that if this had not been reported by the internet media this would never have been fixed. Or at least, not until exploits of it became commonplace.

    And with the recent internet-banking trojans using a similar exploit (i.e. download and run malicious code without any user prompting) in IE, the issue seems serious enough to me to have warranted a quicker fix.
  • by johkir ( 716957 ) <jokirby.vmth@ucdavis@edu> on Thursday July 08, 2004 @07:21PM (#9648147)
    Another big difference between the two is the fact that Mozilla even uses a publicly available bug list - Bugzilla. Theoretically, we all have a list of potential exploits at our finger tips. Could you imagine a list like that for IE? Maybe that's just what they need.

  • by klui ( 457783 ) on Thursday July 08, 2004 @07:32PM (#9648232)
    It's really not obvious when you go to Mozilla.org that there's a patch available. It should be on the right-hand-side instead of down in the middle of the page on the left-hand side. Also, mozilla.org/products/firefox doesn't tell you there's a patch available!! Hopefully, my email to its webmaster will help fix this soon.
  • by Sebastopol ( 189276 ) on Thursday July 08, 2004 @07:37PM (#9648259) Homepage
    ...AND forget to check the return value of printf. It really CAN fail.

  • by Anonymous Coward on Thursday July 08, 2004 @07:39PM (#9648269)
    Very true- no software ever written has been 100% bug free.

    Even if that were true (trivial or very expensive software can be 100% bug free), it does not follow that all systems are equally buggy. There's a lot of percentages that are not 100%, and they aren't all equal.

    No software is 0% bug free (whatever that might mean...) either, it's all about choosing the lightest shade of gray. Do you want a program with 10,000 bugs or one with 100, all else being equal?

    Mac, Linux, Mozilla etc. simply aren't targets for obvious reasons that are frequently brought up here.

    And while this is probably true, it's not a very interesting point. If you're looking for secure software, heteronomy is a valid strategy to minimize vulnerability.

    If you're trying to say "you just wait till it gets popular!"... who cares? But more importantly, if the code really is less buggy, even if it isn't perfect, you're still better off.
  • by CTho9305 ( 264265 ) on Thursday July 08, 2004 @07:42PM (#9648287) Homepage
    RTFBug. Since MS decided programs should be able to register protocol handlers (e.g. irc://, telnet://), Mozilla behaves like a good little windows program, and passes any unknown protocols (shell://, vbscript://) to the OS. It's a flaw in the whole setup that windows uses here, and MS changed the behavior for XP SP2.
  • by Anonymous Coward on Thursday July 08, 2004 @07:46PM (#9648320)
    But in this case the popups are really in the Web. It was never really a bug in mozilla. Despite this, mozilla have now implemented a workaround. If I were mozilla project team, I'd have left it and said "that's a bug in Web. It's fixed in noncommercial sites. If you're so lame that you're still using hotmail, you deserve to have popups. Go suck a banker's cock to get money for subscriptions to every site if you don't want ads". Then again, that's probably why I'm NOT on the mozilla project team...
  • by Platinum Dragon ( 34829 ) on Thursday July 08, 2004 @07:46PM (#9648326) Journal
    And if you read that bug #, it reveals that:

    1) The problem is due to the shell: function, which passes the arguments to Windows XP for handling. The function was disabled in IE6 for the same reason it's being disabled in Moz/Fox now. In short, it's a hole in the Moz codebase caused by an insecure Windows capability. Thank you, well-paid Microsoft programmers.

    2) The bug was opened on July 7. Today is July 8. One day.

    Nice.
  • by Rits ( 453723 ) on Thursday July 08, 2004 @07:56PM (#9648402)
    Opera long ago decided to *not* pass on any protocol or scheme to the operating system, except for a few well defined cases (ftp, telnet, mailto). Users of Opera 7 can add specific protocols/schemes manually in the prefs if they want.

    Lesson of today: there is always a danger in presenting yourself as 'the safe alternative'. Proper engineering can reduce risks, but there are never guarantees. Not that this example was especially worrying imho: you'd still have to be tricked to visit a specific website that plans to harm you. Not that likely unless you tend to visit the bowels of the web...
  • by Anonymous Coward on Thursday July 08, 2004 @07:56PM (#9648403)
    Can't they just make a simple browser that works, ie just display webpages.

    OK, you know you can always go back to Netscape 1.22 [evolt.org] - Simple, secure :D
  • Browsers (Score:3, Insightful)

    by AdmV0rl0n ( 98366 ) on Thursday July 08, 2004 @08:03PM (#9648436) Homepage Journal
    Having to run a windows site I was once again looking at the ADODB:stream bug and pondering directions to take and look into.

    Some of the issues I pondered was if I spent a lot of time ripping out the user access to the non-removable IE, and installing either Firefox, Mozilla, or another browser, or a combination of that or similar.

    On the browser side, removal of Active X and the IE gubbins brings security, but also non-working websites. Perhaps a lot of companies are going to move back to the standards that form web rather than MS specific technology. I can't blame them, as most people outside tech areas like slash tend to use or aim for market leading pitches. The bulk of users use IE.

    That will continue to be the issue, however, looking deeper into this, I looked at machines and figured I would have to keep IE patched, but in addition, if I roll another product or more, I merely add quite possible extra vectors of concern and attack.

    All the browsers go through security and exploit issues, at least from time to time. What I settled on was continuing with IE. Its built into windows, there isn't an easy undo for that.

    Somewhere between Sunday/Monday, MS got a patch out. IMHO while this is not perhaps up to the highest levels of OSS error and fix correction, it isn't bad or horrific.

    In the main, so long as they deal with issues quickly and provide answers, I can tolerate them. They are not as bad as some make out.

    The history of Mozilla is not as bug free and exploit free as much of the recent comments try to indicate. In truth, we will continue to have security issues with software, and it is how the vendor responds that should be critiqued.

    AdmV
  • by Anonymous Coward on Thursday July 08, 2004 @08:05PM (#9648448)
    I just, I mean JUST predicted earlier today that even releasing a windows mozilla browser was an incredibly bad idea,a short sighted "transitional crutch" I termed it, and using an analogy that it was akin to being an enabler for an alcoholic. I posted it on the mozilla plugins article thread. Last I looked no replies, no mods, but HERE ya go, an example of what has happened, and an indication it will happen in the future as well. Now THIS. LOOK at this. It doesn't matter that this time it was fixed in time, because NO ONE can predict when and how an exploit will be discovered and used. Even though, this time, it wasn't widely exploited, I think it proves my point, that sometime, somehow, someone will figure out an exploit and it WILL be deployed extensively, and it WILL infect a LOT of windows boxes running mozilla, and it will give a serious blackeye to open source in general.

    Either go all the way to changing the OS AND the browser, do the right thing, all the way,or don't bother, it's naive wishful thinking and at best a finger in the dike stopgap measure to try and make windows "secure" on the internet, and at best an incredible waste of time and resources in the OPEN source coding community. You either support open source, or you don't. You either support windows closed source and their dismal OS and their mafia like business practices or you do not. If you are working for free for Redmond you are nuts, and are doing no one any sort of long term service. You aren't a "little bit pregnant", you either ARE or you AREN'T.

    And even with this evidence, no one will admit the huge mistake in making a windows port of moz/firefox. They will keep doing it until they get BURNT BAD.
  • by Anonymous Coward on Thursday July 08, 2004 @08:10PM (#9648486)
    Uh. This was a Windows-specific bug caused by the underlying OS. It's not a bug in Mozilla's code.

    When you're writing cross platform code, and it that works perfectly fine on other platforms, and Microsoft keeps saying it's going to fix the bug, but stumbles around like a drunken barfly instead of releasing a fix... this is Mozilla's fault?

    Microsoft says "Yeah, we're aware of that, we're going to fix it in SP2, it should be out Real Soon Now." and Mozilla takes them at their word, since it's their OS, and all applications on their OS are vulnerable to the bug, so it's in their best interest to get a fix out - and quick. Yet here's an OS bug that's been around since 2002 that Microsoft has made 0 public progress on.

    And this is Mozilla's fault. For not making a hack to close an OS bug that the OS manufacturer should patch in a reasonably timely fashion. Yet doesn't. Yes, I agree, Mozilla is horrible, and Bill Gates is a saint. Yes.

    BTW, could I have some of the pills you're taking? They sound wonderful.
  • by jCaT ( 1320 ) on Thursday July 08, 2004 @09:01PM (#9648750)
    The bug listed in the summary is about a general issue - no actual exploit was known. When an exploit was made known YESTERDAY, bug 250180 was filed, and fixed within 24hrs.

    The longer known bugs are out there (and hell, even documented) the more time there is for someone to go out and actually write the exploit. Of course there won't be any exploits available when the bug is first found- unless the person who found the bug is the one who wrote the exploit (a rare case). I doubt in 2002 there was enough attention directed at mozilla to warrant a speedy bugfix, but since so many people are using it now it's under a lot more scrutiny. Now that mozilla is on the "radar" of crackers and other ne'er do wells out there, the exploits of known-but-not-fixed critical bugs are likely to start showing up more often.
  • by EvanED ( 569694 ) <{evaned} {at} {gmail.com}> on Thursday July 08, 2004 @09:12PM (#9648797)
    This was a Windows-specific bug caused by the underlying OS. It's not a bug in Mozilla's code.

    Then how did code from Mozilla that presumably didn't change anything in the OS fix the hole?

    I know it is a problem in Windows. BUT MOZILLA EXPOSED SAID KNOWN HOLE TO MALICIOUS WEBSITES.

    When you're writing cross platform code, and it that works perfectly fine on other platforms, and Microsoft keeps saying it's going to fix the bug, but stumbles around like a drunken barfly instead of releasing a fix... this is Mozilla's fault?

    If it's propagated by Mozilla's code (which it is), yes. In part.

    Microsoft says "Yeah, we're aware of that, we're going to fix it in SP2, it should be out Real Soon Now." and Mozilla takes them at their word, since it's their OS

    You're telling me that 1) Mozilla devs were relying on MS to fix the hole (something I saw no mention of on the Bugzilla page) AND that 2) the Mozilla devs believed MS saying it'll be released soon?

    Yes, I agree, Mozilla is horrible, and Bill Gates is a saint. Yes.

    Did I say that? I am posting from Mozilla. I dual boot with FreeBSD, on which I use Firefox. I'm not going "oh look at the almighty MS, it isn't their fault, it's Mozilla's." I'm simply not blinded (like some people apparently are *cough*) by the misconception that Mozilla devs can't make a mistake and leave a remote exploit hole in it.
  • Not only that, but it's a known (almost) ten year old bug in Windows - the use of the same set of handlers for local and remote services - and one I've been trying to tell people about for that long.

    Mozilla and Firefox should NOT be using this functionality, they should be doing ALL their own URL parsing and handling on Windows, Linux, Mac OS X, and so on, because they can *not* depend on the native OS to do security right.

    Even Apple doesn't do it right (see how they 'fixed' the help: problem), and Microsoft has refused to fix it on their side even under threat of judicial dismemberment.

    From the article:

    Is this really a security hole? When Mozilla receives a shell: request, it passes it on to an external handler in Windows. The "fix" for this is to disable this functionality which, as far as I can tell, is totally unnecessary to begin with. External handlers -- programs outside Mozilla -- have no specific security model, so the only way to deal with them is to make individual exceptions like this one. Messy? Yes. But that's Windows.

    The only way to deal with this is ONLY use external handlers you know are safe, rather than using all but the handlers you know have holes in them. Anything else is just following Microsoft's lead into a decade of virus-mania.
  • by ZorbaTHut ( 126196 ) on Thursday July 08, 2004 @09:17PM (#9648817) Homepage
    Eww.

    One of the big disadvantages to the whole blacklist/whitelist things is, indeed, inconvenience. But you seem to be thinking it's just a minor inconvenience where, to a lot of people, it's major.

    Example: A while ago (I don't know if they still do, but it wouldn't surprise me) Unreal registered unreal:// to open games. You didn't have to do anything, it just worked. A lot of sites relied on this (click hyperlink, open unreal, badabing badaboom).

    Now, if the web browser used a whitelist, there's a few options. First off, it could be utterly impossible for Unreal to register even with user assistance - bzzt, this is bad. Remember, users want things to be easy.

    Second, it could require the user to go through the steps to add unreal:// to their settings. Also bad, because the Unreal coders don't want to have to change their installer every time the interface changes. Plus it's irritating for users. Bzzt.

    Third, it could ask the browser/OS to register itself, and the browser/OS could pop up a confirmation box. But we already know users can be duped into clicking just about anything ("You MUST click Yes for real 100% hardcore xxx porn!") and so this wouldn't exactly be a rock-hard barrier. Bzzt.

    Fourth, it can do what it does now, which is also flawed. Bzzt.

    I personally think solution 3 is the best one - but if Windows doesn't already have hooks for things like this, it might not be practical for Mozilla to add a happy little dialog. There might be a way to query the system about what it *would* do it if we happened to pass it an unreal:// url, then prompt the user to see if that's what they really want to happen, but I bet that's exploitable also ("What's this rundll thing? Oh, the line says 'free porn'! I'll click yes")

    I'd agree that more security = better (and more convenience = better too - the trick lies in balancing the two), but just saying "we should use a whitelist" leaves so much undecided that it's almost useless.
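The blacklist-versus-whitelist argument in the comments above (Temporal's rule, and ZorbaTHut's objection that a whitelist needs a way for users to add schemes), as an added example that is not part of the thread and not Mozilla's or Opera's code. The function names are hypothetical, the scheme lists are taken from schemes named in the comments, and `newscheme:` is a constructed placeholder for a handler registered after the lists were written.

```javascript
// Added example: deciding whether a URL scheme may be handed to the OS
// protocol handler, under a blocklist model and under an allowlist model.
// All identifiers are hypothetical; nothing here is browser source code.

// Schemes the browser renders itself; these never reach the OS handler.
const INTERNAL = new Set(['http:', 'https:']);

// Blocklist model: hand off everything except schemes known to be unsafe.
const BLOCKED = new Set(['shell:', 'vbscript:']);

// Allowlist model: hand off only a few well-defined cases by default.
const DEFAULT_ALLOWED = new Set(['ftp:', 'telnet:', 'mailto:']);

// Parse with the WHATWG URL parser so the scheme is normalised (lower-cased,
// surrounding whitespace stripped) before any list lookup. Returns null when
// the input is not a parseable absolute URL.
function schemeOf(raw) {
  try {
    return new URL(raw).protocol;
  } catch (e) {
    return null;
  }
}

// Blocklist decision: anything nobody thought to list goes to the OS.
function decideBlocklist(raw) {
  const scheme = schemeOf(raw);
  if (scheme === null) return 'blocked';
  if (INTERNAL.has(scheme)) return 'internal';
  return BLOCKED.has(scheme) ? 'blocked' : 'external';
}

// Allowlist decision: anything nobody listed is refused. userApproved holds
// schemes the user added explicitly in preferences (e.g. 'unreal:').
function decideAllowlist(raw, userApproved = new Set()) {
  const scheme = schemeOf(raw);
  if (scheme === null) return 'blocked';
  if (INTERNAL.has(scheme)) return 'internal';
  if (DEFAULT_ALLOWED.has(scheme) || userApproved.has(scheme)) return 'external';
  return 'blocked';
}

// Constructed sample inputs; none of them is a working payload.
const SAMPLES = [
  'http://example.com/',
  'mailto:user@example.com',
  'shell:example',
  'SHELL:example',            // same scheme, different case
  'unreal://server.example/', // third-party handler, not on either list
  'newscheme:anything',       // handler registered after the lists were written
  'not a url',
];

// Run both models over the samples and return one row per input.
function compare(urls, userApproved = new Set()) {
  return urls.map((raw) => ({
    url: raw,
    blocklist: decideBlocklist(raw),
    allowlist: decideAllowlist(raw, userApproved),
  }));
}

// Rows where the two models disagree are the schemes nobody reviewed:
// the blocklist forwards them, the allowlist refuses them.
function disagreements(urls, userApproved = new Set()) {
  return compare(urls, userApproved)
    .filter((row) => row.blocklist !== row.allowlist)
    .map((row) => row.url);
}

console.table(compare(SAMPLES));
console.log('after the user approves unreal: ->',
  decideAllowlist('unreal://server.example/', new Set(['unreal:'])));
```

The only inputs on which the two models differ are the schemes missing from both lists, which is the trade-off the two comments describe: the omission is a hole under the blocklist and an inconvenience under the allowlist.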
  • by MobyDisk ( 75490 ) on Thursday July 08, 2004 @09:29PM (#9648874) Homepage
    ...Is this really a security hole? When Mozilla receives a shell: request, it passes it on to an external handler in Windows. The "fix" for this is to disable this functionality...

    I am shocked that everyone here is sticking on Mozilla's side. I love Mozilla, and have used it since the beta versions. I install it on mom & pop computers all the time for security. But this is definitely Mozilla's fault. Mozilla should not pass unknown protocols to explorer. IMHO, that defeats the purpose of Mozilla. That would be like coding Mozilla to pass ActiveX controls to Internet Explorer since it doesn't support them.

    I treat Mozilla as a standalone app, and I consider that an advantage. I'm not vulnerable to scripting exploits, MS Office exploits, etc. But now I am told it passes some work to Explorer. I consider that a bug. I don't want it to pass everything except shell: to IE. I want it to pass nothing to IE.

  • by DragonHawk ( 21256 ) on Thursday July 08, 2004 @09:42PM (#9648933) Homepage Journal
    "Agreed. It's not really a bug in the browser, it's a flaw in Windows."

    I disagree. I feel this is a Mozilla problem. (It may be a Windows problem, too, but that's not the issue here.)

    Let me explain in terms of Linux, another Slashdot favorite:

    I run mainly Linux on my home and work PCs. The Linux OS looks at the start of any executable file to determine how to run said file. If it recognizes a particular "magic number", it invokes the appropriate handler (ELF, a.out, Java, etc.). If it recognizes a she-bang line (first line starts with "#!" followed by the path to a program), it will run that program. Otherwise, Linux feeds the executable to the default shell (/bin/sh) and hopes for the best.

    The fact that my OS can do all of these things does not mean I want Mozilla to do them. If I click a link that leads to an executable file on the web, I do not want Mozilla to hand-off the executable to the host OS (Linux) to see if Linux can find a way to run said executable.

    Make sense?
  • by shellbeach ( 610559 ) on Thursday July 08, 2004 @09:43PM (#9648937)
    This isn't really a fix for a security problem in Mozilla, it's a workaround for a security problem in windows...

    Well, regardless of the cause of the problem, if there's an exploitable hole it's still a security issue. Yes, it wasn't caused by some bad coding in Mozilla, but from reading the bug description and comments the exploit comes through HTML that has little or no valid use in legitimate, friendly web pages. (Hence it was possible for Mozilla to quickly release an all-blocking fix once it became publicised - disabling this functionality is not going to inconvenience anyone)

    In that situation, it still seems negligent to me when you're failing to fix an exploitable hole once it's come to your attention and when there's no disadvantage to doing so.

    As a very small-scale open-source developer myself, I feel that despite the GPL clauses about no warranty there's still something of a moral duty of care and trust in situations like this. Two years of being aware of this issue and doing little or nothing about it seems a bit worrying, IMO.
  • by scenic ( 4226 ) * <sujal@s u j a l .net> on Thursday July 08, 2004 @10:11PM (#9649071) Homepage Journal
    Mozilla doesn't do what you described... it doesn't hand off any executable to the OS.

    Your analogy isn't quite right... let's think about this another way... you have a plugin you've installed that has a security flaw in it. Is Mozilla (or IE or any other browser) responsible for the security flaw?

    The registration of external protocol handlers is common practice across different platforms and browsers. I use OS X primarily at work and at home. I also run Linux here and have a Windows laptop at work. All three platforms use external protocol handlers to register helper applications.

    The part that I think is significant is that the OS registered a protocol handler that isn't safe in an internet context. So, you either blame the browser for doing what the OS manufacturer recommends you do... or you blame the fool who wrote the insecure protocol handler (and why the hell would you want a "run any program" protocol handler????)

    Sujal

  • Re:Bad way (Score:5, Insightful)

    by antiMStroll ( 664213 ) on Thursday July 08, 2004 @10:29PM (#9649139)
    " Which is basically to say:..

    Not at all. Mozilla falls down by trusting the multiple OSs it supports to securely handle something it doesn't understand. You did notice the part of the story that specifies this as a Mozilla/XP/2K exploit, right? No problem in Linux or *Bsd, etc., so I don't know how this OS integration angle is relevant at all.

  • by Anonymous Coward on Thursday July 08, 2004 @10:46PM (#9649209)
    Bugs do get lost in bugzilla. There are hundreds of thousands of bugs and no one person could read them all. It was probably just a matter of the wrong person receiving the bug report when it was filed. It's been known to happen with mozilla (a lot in the past but they are working to fix this by updating bugzilla frequently and adding features to it)
  • You DO realize that there have been some rather high-profile bugs, malware, exploits, and viruses for Linux (and even BSD), don't you?

    And you also realize that, if Gecko had only been put in Free Computing systems, it would have essentially rotted away to nothingness years ago.

    Of course, you're also completely ignoring the amazing PR spin Mozilla is for Open Source. Sure, it has bugs and holes--but those bugs are publicly filed, honestly reported, and fixed in a VERY timely fashion.

    (Then again, you're comparing Free Computing and pregnancy.)
  • by soulhuntre ( 52742 ) on Thursday July 08, 2004 @10:58PM (#9649256) Homepage
    "If you were able to run Windows with real restricted user accounts, this wouldn't really be such a problem."

    You can. The fact that you're either not familiar enough with it or too FUD bound to mention it doesn't change anything.

    As long as OSS zealots keep fighting their IMAGE of MS software instead of what is actually out there they will continue to look like morons.
  • by spitzak ( 4019 ) on Thursday July 08, 2004 @11:06PM (#9649292) Homepage
    I agree. This is a big screw up by Mozilla. The fact that Windows provides you with calls (like write()) that can damage your system does not mean the bug is in Windows, which seems to be the excuse being presented by everyone here. It is Mozilla's job to call such potentially destructive things only if it thinks it is safe.
  • by MichaelCrawford ( 610140 ) on Thursday July 08, 2004 @11:19PM (#9649377) Homepage Journal
    Having looked over the relevant bug reports, I'm extremely uncomfortable allowing mozilla to use ANY external protocols.

    Is there some way I can disable them all?

  • by Switchback ( 6988 ) on Friday July 09, 2004 @12:32AM (#9649719)

    Yes, blame Microsoft. If you RTFA, you'd notice that Microsoft themselves fixed this bug in the next XP service pack (which won't be released for several more months...)

    Mozilla's quickfix was to just turn the protocol off. The Mozilla developers shouldn't be babysitting the Windows OS. It's an operating system protocol handler, just like any other registered helper app. What do you recommend happen if Flash has an exploit? Have Mozilla not load the flash plugin? No, it's a bug in Flash and we expect Macromedia to fix it. This is not any different. But in the meantime, since this shell handler is not really used, the quick fix is to simply ignore the shell protocol (i.e. don't hand it off to the OS).

    The other fix is to dig into the registry and turn off the shell handler yourself.

  • by Switchback ( 6988 ) on Friday July 09, 2004 @12:53AM (#9649788)
    This shell extension could do just as much harm when running under a root Linux account (and there are plenty of those out there!)

    Linux and Mac do not have such a thing to handle the "shell" protocol, thus it's not possible for them to have this flaw. Windows (in fact just 2000 and XP) are the only OSes that are vulnerable. Why? Because Microsoft wrote a dangerous handler that's not secure. If it was secure, no one would be talking about this right now. The fact that Microsoft themselves have fixed this bug in the next XP service pack doesn't tell you it's an MS bug?

    Umm, that other protocol most likely won't have the ability to natively execute arbitrary strings passed to it! Maybe you're not understanding the difference between a native operating system shell handler and a text or image protocol handler.

    I certainly understand it. It appears, however, that you do not. Mozilla is not arbitrarily launching a shell process merely because someone had a "shell:..." URI. It's asking the OS if it has an application that handles this protocol. Windows says yes and tells it how to launch the program. It passes the parameters to the application (just like any other helper app or plugin) and it's this application's responsibility to check parameters. How is this any different than, say, registering my XYZ program to handle the "xyz" protocol and the XYZ application has a flaw that is exploitable?

    Mozilla itself doesn't know one handler from another, and it shouldn't care. The system says "this application handles this protocol/content", so Mozilla hands it off.

  • by dekeji ( 784080 ) on Friday July 09, 2004 @02:13AM (#9650031)
    Mozilla hands off schemes it doesn't know to the operating system (Windows), and WINDOWS executes the shell scheme

    The question remains: why does Mozilla "hand off" stuff from the Internet to the operating system? It obviously can't determine that doing so is safe, so it shouldn't do it.

    If you were able to run Windows with real restricted user accounts, this wouldn't really be such a problem.

    Oh, nonsense. Mozilla doesn't run with "real restricted user accounts" on UNIX/Linux either. The responsibility of deciding what is trusted and what is safe to "hand off" to the OS rests firmly with applications on most modern operating systems; every application programmer should know that, and it is not hard to program accordingly.
  • by Anonymous Coward on Friday July 09, 2004 @02:41AM (#9650105)
    What do you recommend happen if Flash has an exploit?
    I expect you might start by not installing Flash by default.


    Mozilla doesn't install Flash by default, and it doesn't install Windows by default either.

    Seriously, if I was writing a web browser for Windows, no content would be passed straight to Windows without user intervention.

    This page wants to display an image of type image/jpg [Ok] [Cancel]
    This page wants to display an image of type image/gif [Ok] [Cancel]
    This page wants to open an url of type news: [Ok] [Cancel]
    This page wants to open an url of type mailto: [Ok] [Cancel]
    This page wants to open an url of type irc: [Ok] [Cancel]
    This page wants to open an url of type shell: [Ok] [Cancel]

    Yeah, that would be an effective way to get people to move to Internet Explorer.

    Obviously Windows has flaws and bugs. Is it the job of programmers to gripe and complain about these flaws or is it their job to deal with them?

    A programmer is not supposed to sit in his own little closed world working around other people's bugs without telling them about the bugs. Everyone will get much further with a little cooperation. So, Mozilla people tell everyone about an MS bug, some programmers not related to this story in any way make a workaround in their own software, and Microsoft gets the bug fixed in a few months. Everyone benefits. Your way would have everyone spending all their time working around each other's bugs, without anything ever getting fixed, and in the end, nothing gets done.

    Again I ask, does Opera have this flaw?

    Why don't you check it yourself? I'm not putting that destructive piece of junk on my machine again. God knows which files it will destroy next time.
  • by Anonymous Coward on Friday July 09, 2004 @02:48AM (#9650123)
    No, they don't guarantee anything, so we shouldn't ever connect a windows machine to the internet?

    This is a function to handle an URL. So, it gets used for handling an URL. Now, who would expect that the function really does "handle an url unless it starts with shell: In that case execute a shell command"? So, don't use that system call.

    Which one will behave otherwise than expected/documented next time? Maybe a function to "display an image". It could just as well be "Display an image, unless the upper left pixel is red. In that case execute a shell command". So, we shouldn't pass anything off to Windows. Never use any system call. Back to DOS programming...
  • by dolphinling ( 720774 ) on Friday July 09, 2004 @02:50AM (#9650127) Homepage Journal

    There are two programs: one is the OS, the other is a user program, connected to the internet. There are four possibilities for (this part of) how they interact:

    1. Neither of them checks to see if the input is coming from a trusted source
       Obviously bad, as was the case here
    2. Just the user program checks to see if the data is trusted
       Provides the security, but means this has to be implemented in every single user program
    3. Just the OS checks to see if the input is trusted
       Provides security, and only needs to be implemented once
    4. Both the OS and the user program check to see if the input is trusted
       Redundant, though arguably more secure

    If you're paranoid, you should have both of them check to see if the data is trusted, otherwise just the OS should check.

    My diagnosis is that this is a severe bug in Windows and is Microsoft's fault, however, since it was there, Mozilla should have blocked it from showing up.

    The fact that once they realized it could be a problem they did block it is only a good thing.

  • by Technonotice_Dom ( 686940 ) on Friday July 09, 2004 @03:29AM (#9650213)
    Mozilla should just handle the protocols it knows to handle and give an error message for everything else. What it is actually doing, handing off unknown things to the OS is just the sort of OS integration that causes so many problems for Microsoft applications as well.

    What about when you click on a 'mailto:' link? Do you want Mozilla to pop up and say it can't handle it? Or do you want it to use your default mail application to start up a compose message window?
  • by Anonymous Coward on Friday July 09, 2004 @03:47AM (#9650255)

    This really isn't any different than plugins, which are in a sense, external protocol handlers. i.e. they know how to handle certain content...just like a protocol handler. What if there is an exploit in a plugin? Mozilla just starts the plugin with the listed parameters and lets it go. Are you going to blame Mozilla for allowing the plugin to run, or are you going to require that Mozilla not allow "known, dangerous plugins" to run?


    Umm. How does this differ from IE running malicious ActiveX-components, which is considered to be one of the major security flaws in IE?

    So, MS is bashed for having a bad security model since IE can run all sorts of bad code without user knowing it. If Mozilla does the same thing, it's again MS's fault? Come on... this smells like double standards to me. One standard for the mean, mean Microsoft, and another one for the good guys of open source.

    This particular flaw may be in the Windows, but based on your explanation the security model of Mozilla doesn't seem any better to me than the one implemented in IE.
  • Re:Bad way (Score:2, Insightful)

    by FireFury03 ( 653718 ) <slashdot&nexusuk,org> on Friday July 09, 2004 @04:35AM (#9650355) Homepage
    IE bad because it is integrated into the OS

    Not entirely accurate - IE is bad because parts of it run in ring zero. This gives it a marginal speed boost but is a major security problem. Anything running in ring zero is essentially allowed to do anything - it's less restricted than being root on a linux system. So if one of the parts running in ring zero gets exploited then the exploit can do absolutely anything (wipe your hard drive, install key loggers, etc).

    In contrast, if you're running FireFox under Linux, it is running as _your_ user. If it gets exploited, it's only your files at stake, it can't go look at the files belonging to all the other users and it can't modify system files since they're owned by root. It also means it can't do nasty things like hooking the keyboard interrupt to sniff your keypresses or install the network sniffer to log your network traffic.

    Moz bad because it calls the OS because it's not integrated

    I'm sorry, but making calls to the OS is absolutely the right thing to do - one of the reasons for having an OS is to provide library functions for common tasks. Otherwise, each piece of software has to implement its own (lots of work) and they will invariably act in a different way (inconsistency is *BAD*).

    The problem here is that the OS was badly designed in the first place - there is absolutely no reason to implement a "shell:" protocol handler. The other problem is that Microsoft has again shown itself to be incapable of resolving problems - the number of times I have seen an MS patch claim to fix a problem and later find out that it never fixed that at all makes me wonder if they test any of these fixes at all or if they just cobble together some code and release it.

    Perhaps if Moz just imported the windows URI handlers as a datafile, and stripped out known baddies?

    The problem with filtering known exploits is that you have to know about the exploit first - once you know about it the party responsible for the buggy code should fix it instead of every other 3rd party application having to fix it itself. What's worse is that this exploit had been found and Microsoft had told everyone they had fixed it so no one needed to worry anymore.
  • Of course, you're also completely ignoring the amazing PR spin Mozilla is for Open Source. Sure, it has bugs and holes--but those bugs are publicly filed, honestly reported, and fixed in a VERY timely fashion.

    I really hope that if the mainstream media does stories on this they will make it clear that:
    1. This is not a problem with the browser, it is a problem with the OS
    2. The problem with the OS was allegedly fixed by a previous MS patch... except it wasn't - MS obviously don't test their patches.
    3. Even though it was not Mozilla's own problem they still jumped and fixed it within a day of the report.
    4. Microsoft knew about the latest IE hole 10 months before it was exploited and still did nothing about it.
  • by brainnolo ( 688900 ) on Friday July 09, 2004 @04:59AM (#9650426) Homepage
    While surely this is a Windows bug, as is a normal procedure to pass to the OS the unknown protocols, Mozilla shouldn't really care of rtsp://, mirc://, and what not protocols. There are apps designed to handle that, and they register as helper apps for those protocols, so why Mozilla shouldn't trust them? How would Mozilla ever imagine there was a shell:// protocol? On the other hand it should probably do a white list of common protocols and issue a warning when clicking on an unknown one. If the user is just going to click OK on whatever he sees, it becomes user's fault. The white list shouldn't be required, but it is in the moment you interact with components you don't know about. Think if they make a silent worm registering for the URIs imaworm:// allowing attackers to do almost anything and the user wouldn't know if he doesn't see any significant slow-down, data loss, until they go on a malicious page. A browser shouldn't really whitelist anything more than http://, ftp://, rtsp:// and mailto. All the others should be user choices.
  • wishful thinking (Score:2, Insightful)

    by rozz ( 766975 ) on Friday July 09, 2004 @05:02AM (#9650441)

    most of the answers moderated up around here are only wishful thinking .. people just love to fool themselves into "firefox is safer", no matter what ...lets see some samples

    -- Still, I feel safer using Firefox since malicious persons are much more unlikely to target any vulnerabilities.
    i wont bet a single cent on that ... plus this is like saying : i know i eat approximately the same shit as the other party, but im way better because mine gets no attention.

    -- This incident underscores why many use or have switched to Firefox: vulnerabilities discovered and promptly fixed. Not weeks and months from their publication--and not by another vendor--this exploit was addressed by those who have made available Mozilla's code for public scrutiny.
    as Microsoft demonstrated in maaaaaaany occasions, IT DOES NOT MATTER how fast you release the patch.

    -- This isn't really a fix for a security problem in Mozilla, it's a workaround for a security problem in windows.
    it may be so .. but it sounds like : i live in an apartment building and its administrator's fault that any burglar can break into my apartment bare handed... so easy to blame "the other guy"

    and so on.. and so on.
    going mainstream was not exactly beneficial to firefox ... i use it since the first version and this week i got the first pop-up and pop-under windows that somehow managed to slip through firefox' block mechanism ... and now this embarrassing flaw .. sadly, it seems that going mainstream is enough to evaporate the "security" of ANY application.

  • by FireFury03 ( 653718 ) <slashdot&nexusuk,org> on Friday July 09, 2004 @05:14AM (#9650466) Homepage
    If the Mozilla guys knew about this all this time and decided to sit on it just because technically it was a problem with the OS, shame on them.

    It was also "known" that MS had released a patch that claimed to fix this exact security problem with the OS... shame it didn't actually do that.
  • by Anonymous Coward on Friday July 09, 2004 @05:28AM (#9650499)
    Absolutely right. Handing untrusted and unvalidated input off to the OS is just a glaringly stupid thing to do, and you'll find it on any top 10 list of stupid things not to do when writing internet software.

    Also it's easy to see that this is a bug in BOTH Mozilla and Windows, since if you aren't using either of them then the issue doesn't arise.

    Very worrying if this also appears in thunderbird too, as it seems likely to mean that this may be exploitable just by sending a user an email. Which actually would be a security hole right up there with the worst of Outlook holes.

    It's also a concern that this went unfixed for years until an exploit was publicised. It should have been obvious that an exploit was a matter of time.

    And even now the average user will have no clue that they need to download and install this patch.

    I know that these are just "0.9" releases but getting security patches out automatically and the whole "we don't know of an exploit" attitude really needs to be addressed before 1.0.
  • Re:Bad way (Score:5, Insightful)

    by jrumney ( 197329 ) on Friday July 09, 2004 @06:14AM (#9650586)
    If I go to the download page I see a reference to 0.9.2 but no release notes telling me that there's a security problem.

    0.9.1 was the same. The release notes were unchanged since 0.9 and there was just a note saying "minor bugfixes" in one place, and another note saying "critical update" somewhere else. Firefox is a great product, but they really need to do something about keeping users informed about their releases. We can't all be expected to browse through Bugzilla to see what has changed between releases.

  • by TiggsPanther ( 611974 ) <[tiggs] [at] [m-void.co.uk]> on Friday July 09, 2004 @06:29AM (#9650621) Journal

    What it looks to me like is that both sides screwed up. Mozilla/Firefox passing on requests to a known Windows vulnerability is not a smart move.

    That said, as much as Mozilla should have looked into this earlier, so should Microsoft.

    Now yes, Mozilla really should have done something about this ages ago. Defaulting to let any OS handle arbitrary protocols is a bad move, let alone Windows. However it seems that the moment it was published exactly how severe this vulnerability was they released both an updated version and a patch. That's definitely points in their favour. So old installs can be fixed and fresh installs can be more secure.

    So far it looks like Mozilla have handled this well. Yes, they made an initial mistake, but they seem to have handled it well now. I just hope they can learn and not make any more mistakes like this. If they do learn better it will be major points in their favour.
    What remains to be seen is what they'll do about protocol-handling in general. Have an option in the UI-menu to alter, add and remove protocols would be nice.

    Tiggs
  • by fodZ ( 645669 ) on Friday July 09, 2004 @07:22AM (#9650715)

    "How many people have had their machines turned into spam zombies because of this exploit?"

    Wrong question.

    How many thunderbird users COULD have their machines turned into zombies because of this kind of exploit?

    Until THAT number is zero then saying "it hasn't happened yet" is like a 5 year old saying "but I didn't get run over" when told he shouldn't run across the road because he might get run over.

  • Re:Mozilla VS IE (Score:3, Insightful)

    by Anonymous Brave Guy ( 457657 ) on Friday July 09, 2004 @08:04AM (#9650820)
    Mozilla's security record is no-where near as bad as IE's is - and won't get that bad, ever, due to different design decisions - whether its as popular as IE is, or not.

    Y'see, the problem is that statements like that just don't have any credibility left when you're looking at vulnerabilities like this. The bug in question is a "complete wipe-out" style vulnerability. The issue was known by the Moz dev team years ago, and they decided it was WONTFIX. Yet even IE fixed this one a while back.

    The problem here is not the specific bug, it's the attitude/lack of awareness demonstrated by the Mozilla dev team when faced with a critical vulnerability. The attitude of so many people in this thread -- "It's a Windows fault, not our precious Mozilla!" -- is almost as scary.

    Sorry guys, the honeymoon's over. Mozilla can crash, can take out all your stored e-mail, can be exploited to damage the rest of your system, and doesn't get fatal security flaws fixed for years, just like IE. It may still be a better product, but there's no mileage left in claims that it will always and necessarily be so.

    BTW, assuming there are no exploits out there for this vulnerability is staggeringly naive. Just because no widespread worm/virus-style exploits are known doesn't mean it hasn't been used by the geek who disliked the other guy down the hall or by the company employee wanting a quiet raise.

  • by hackstraw ( 262471 ) * on Friday July 09, 2004 @09:40AM (#9651415)
    let's think about this another way... you have a plugin you've installed that has a security flaw in it. Is Mozilla (or IE or any other browser) responsible for the security flaw?

    Look though my comment history and see what I think of plugins. (hint, they suck)

    Yes, this is a mozilla problem. Here is the deal. When you develop an application where anyone in the world has input to that program you check the input for valid data and reject anything that is not valid. Period.

    A uri handler called shell:// is stupid. That's as if you're leaving an open rsh or ssh port with no password. Again, this is the first time I've heard of such a handler, and I don't know exactly what it does or is supposed to do but the fact that its called shell tells me that its not something that belongs on an internet application. Name me one more network application that would accept arbitrary commands without a password to be run on a computer. Just one.
  • by scenic ( 4226 ) * <sujal@s u j a l .net> on Friday July 09, 2004 @09:53AM (#9651521) Homepage Journal
    right, but how does mozilla know that a particular URL is not valid? So, "shell:" seems obvious to you, but it wasn't registered by Mozilla. Windows has a handler called shell. Mozilla is simply doing what the OS provider says to do... hand off unknown protocols to the local system to see if you have helper applications (for example, telnet:// or ssh://).

    We agree about the stupidity of a shell:// handler... but Mozilla didn't provide it. I'm not sure what "valid data" they should be checking for here... the only thing I see at this point is that they need to start maintaining a black list of protocol schemes... Of course, if a particular bit of spyware/adware becomes popular, for example, they'll just be chasing down changing schemes.

    Sujal
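
The allow-list-plus-prompt policy brainnolo suggests and the scheme black list scenic mentions, sketched as an added example (it is not part of any comment in this thread and is not Mozilla's code). The scheme lists, the function names and the sample handler registry are assumptions made for illustration.

```javascript
// Added example: deciding what to do with a link before it reaches an
// OS-registered external protocol handler. All lists are illustrative
// assumptions, not Mozilla's real configuration.

const INTERNAL = new Set(['http', 'https', 'ftp']);                 // browser handles these itself
const ALLOW_EXTERNAL = new Set(['mailto', 'news', 'irc', 'rtsp']);  // handed off without a prompt
const DENY = new Set(['shell']);                                    // never handed off

// Weak form: a black list matched against the raw link text.
// It misses "SHELL:" and links with an embedded tab or newline.
function naiveIsBlocked(raw) {
  return raw.startsWith('shell:');
}

// Normalise the way URL parsers do before reading the scheme:
// strip leading/trailing control characters and spaces, drop tabs and
// newlines anywhere, then lower-case the scheme (schemes are
// case-insensitive; RFC 3986 section 3.1 gives the grammar).
function extractScheme(raw) {
  if (typeof raw !== 'string') return null;
  const cleaned = raw
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, '')
    .replace(/[\t\n\r]/g, '');
  const m = /^([A-Za-z][A-Za-z0-9+.\-]*):/.exec(cleaned);
  return m ? m[1].toLowerCase() : null;
}

// osHandlers: set of schemes the OS reports a registered handler for.
// Returns one of:
//   internal - the browser loads it itself (includes relative links)
//   block    - known-dangerous scheme, never passed to the OS
//   handoff  - allow-listed scheme with a registered handler
//   prompt   - unknown scheme with a registered handler: ask the user
//   error    - nothing registered, show "unknown protocol"
function decide(raw, osHandlers) {
  const scheme = extractScheme(raw);
  if (scheme === null) return { action: 'internal', scheme: null };
  if (DENY.has(scheme)) return { action: 'block', scheme };
  if (INTERNAL.has(scheme)) return { action: 'internal', scheme };
  if (!osHandlers.has(scheme)) return { action: 'error', scheme };
  if (ALLOW_EXTERNAL.has(scheme)) return { action: 'handoff', scheme };
  return { action: 'prompt', scheme };
}

// Constructed sample registry: what a Windows 2000/XP machine of the
// period might report, plus the hypothetical "imaworm" handler from the
// comment above.
const sampleHandlers = new Set(['mailto', 'irc', 'shell', 'imaworm']);

// Constructed sample links (placeholders, not working payloads).
const sampleLinks = [
  'http://example.org/',
  'mailto:user@example.org',
  'shell:placeholder',
  ' SHELL:placeholder',
  'sh\tell:placeholder',
  'imaworm://placeholder',
  'xyz:placeholder',
  '/relative/path',
];

function runSamples() {
  return sampleLinks.map((link) => ({
    link: JSON.stringify(link),
    naiveBlocked: naiveIsBlocked(link),
    ...decide(link, sampleHandlers),
  }));
}

console.table(runSamples());
```

The black list only covers schemes someone already knows to be dangerous; the `prompt` branch is what catches a handler nobody has listed yet.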

  • by Epi-man ( 59145 ) on Friday July 09, 2004 @11:12AM (#9652247) Journal
    Either go all the way to changing the OS AND the browser, do the right thing, all the way,or don't bother, it's naive wishful thinking and at best a finger in the dike stopgap measure to try and make windows "secure" on the internet, and at best an incredible waste of time and resources in the OPEN source coding community.

    I totally disagree with you. As a user that is stuck on an XP platform because where I work I have no say (and I am far from alone here!), I am absolutely overjoyed that the coding community "wastes" its time and resources to allow me to use my home browser at work. Last time I checked, the community was not out to "make windows 'secure'," but was instead out to make good software for people to use freely. Granted, I am probably starting another flamewar here (which free, blablabla), but I think you need to leave it to the people doing the coding to decide how to spend their time and energy and not foist alternate agendas upon them.
  • Re:Hypocritical? (Score:3, Insightful)

    by timmyf2371 ( 586051 ) on Friday July 09, 2004 @12:11PM (#9653009)
    Presumably it also affects the Netscape browser assuming Netscape is based on Mozilla, and Mozilla is a version 7 browser, IIRC?
