2 Firefox Security Flaws Lead to Exploit Potential

Marthisdil points out a News.com story which reports that "Two vulnerabilities in the popular Firefox browser have been rated "extremely critical" because exploit code is now available to take advantage of them." Security firm Secunia reported the vulnerabilities (and the "extremely critical" rating is theirs), but the News.com story points out that thus far, "no known cases have yet emerged where an attacker took advantage of the public exploit code." Update: 05/09 20:20 GMT by T : Rebron of the Mozilla Foundation sends a correction; this is really the same flaw reported yesterday. He suggests that you glance at the Mozilla security alert on this hole (as well other alerts at the Mozilla Security Center), and says "The Mozilla Foundation has made changes to our update servers that will protect users from this arbitrary code execution exploit."

sorry..

[rootedgimp]

i dont mean to be trolling/flaimbait, but please
mod me accordingly if i am.

do we really need to see it posted here, every time
a firefox sploit is found?

gettin me all excited for nothing :/

See! See!

[Anonymous Coward]

Exploits rise with popularity. Watch out desktop linux.

asdasd

[securehack5]

Seriously this Is getting repetitive. There are always flaws. Just update your browser and hope it doesn't become the next iexplore.

Don't downplay it

[Anonymous Coward]

Come on, timothy. This is hardly the time to be downplaying the severity, even though we all like Firefox. There are undoubtedly people using the posted code, and they wouldn't be likely to tell News.com about it. Everyone should upgrade immediately.

Re:sorry..

[ViperG]

Well, I would agree, but then why does slashdot post every IE bug that comes up?

Mozilla's Security?

[sterno]

Mozilla and Firefox have been recommended as alternatives to IE for security reasons. Yet, lately, it seems that there's quite a lot of security problems being uncovered in Firefox. So I'm trying to figure out how to read this.

I suspect that Firefox is somewhat more secure on the simple basis that it is not as tightly integrated with the rest of the operating system as IE is. What makes IE exploits so nasty is that they tend to become email and other exploits too.

My concern is that if Firefox gains some more ground and does become a more active target for exploits, that it may become a poster child Microsoft can use to point out that open source software's "many eyes" theory is hogwash. Maybe it is hogwash.

What Firefox needs is...

[turbofisk]

What Firefox (and the rest of the suite) is a good way to upgrade the software, without installing everything as a new user would... This is something they really should fix...

It was expected

[mpontes]

With the spotlight on Firefox, it's obvious a lot more crackers and hackers are going to start looking at Mozilla Foundation's code. While previously there was little incentive for crackers to exploit vulnerabilities in MoFo's code, you can't say that now, with all the attention Firefox caught.

It's up to MoFo to fix their software as soon as vulnerabilities are reported now. The play time is over, from now on it's going to be Browser Wars II: The Security Menace.

Balanced?

[PDHoss]

"no known cases have yet emerged where an attacker took advantage of the public exploit code."

I appreciate this clarification. And I'm sure such a clarification will be included in the next IE bug report posted on Slashdot... Right?

PDHoss

Re:Bug Details - Poison DNS

[Chairboy]

So combine this with a poisoned DNS attack. update.mozilla.org resolves as your malware server, then you use this exploit.

Sure, it makes it a little harder to execute then, say, something like Nimda that could run free across the internet, but it's still a valid security issue.

Re:Balanced?

[Uruk]

Where does Slashdot say that it will provide a fair and balanced view of technology? Where does the site claim to be a source of unbiased journalistic excellence?

Isn't it incumbent upon all readers of all internet media to identify bias and understand what they're reading, and the viewpoint that it's coming from? Even when people do claim to be impartial that's necessary to do.

It's a tech site that's provided for tidbits of information, and to furnish and environment where we can all pick on each other. It ain't the New York Times. Welcome to Infotainment.

Re:asdasd

[Dionysus]

Hmmm... this bug affects Firefox 1.0.3. Going to mozilla.org, there are no update to 1.0.3. The browser hasn't notified me that there is an update available. So where is the update? Or do you expect people to download the nightly?

Re:See! See!

[ProfaneBaby]

There was another critical hole that didn't require the whitelist addition.

Yes, Firefox will be updated.
No, not everyone who runs Firefox will update.
Yes, the hole will be used to install viruses and spyware.
No, installing Firefox once is not a single solution to surfing the internet safely - you still have to update, just like Windows Update/IE.

Re:Mozilla's Security?

[Uruk]

A few points to consider when you're evaluating the security of software:

• Security issue visibility is not the same thing as security. Just because IE has more exploits publicized (or Firefox has more) doesn't actually mean they're more or less secure, it means they're getting more public attention about their security. Important difference. If someone has an objective, quantitative, and verifiable way of measuring a piece of software's security so that we can actually make these comparisons, I'd love to see it
• The more users use a piece of software, the more it will be targeted. But again, that's not the same thing as saying "the more it will be exploited"
• Most users ultimately decide based on personal experience, which typically trumps abstract reporting. Have you ever had a problem with Firefox? Have you ever had a problem with IE? I'd suspect most people who switched to Firefox did it because they actually experienced a problem with IE, not because it was more ideologically pure.

no known cases?

[digitalsatori]

"no known cases have yet emerged where an attacker took advantage of the public exploit code."

Interesting. I have to wonder if because so many people want to see Firefox take off, they have a tendancy to leave the explots alone. After all, the people who take advantage of the exploits are more-than-likely techie people and know that if Firefox had bad press about exploits, and people taking advantage of them, Firefox would take a nose dive. Eh.. just a thought.

Re:And to think...

[mattstorer]

There is nothing in FireFox's architecture which makes it a more secure alternative to IE

except that IE is tied very tightly (I was going to say "securely," but really, it's not that secure) into Windows, whereas Firefox is not. The more levels of separation you can have between the app and the OS, the better.

the benefit of using Firefox also has to do with response times - the Moz. Foundation has been extremely quick to patch holes once detected, while critical holes in IE, if history is our guide, stay open way longer than they should.

IMHO, much of this has to do with Mozilla being far more invested in the well-being of Firefox than Microsoft is in the well-being of IE. Think about it - how many products does Microsoft have to maintain, versus the Mozilla Foundation? To Mozilla, the well-being of Firefox is not just a minor detail to contend with; it's much much bigger, so gets all the swifter attention.

-matt

Re:sorry..

[Anonymous Coward]

Because this is Slashdot, an extremely biased site that often reports opinions as news, and where the editors do all they can to promote flaming and bashing by adding inaccurate titles to the articles they post.

The articles here _aren't_ supposed to be impartial and the user comments _aren't_ supposed to be insightful. Slashdot is all about preaching to the choir - if you want something else, I suggest you find a legimate news site.

Re:Mozilla's Security?

[buhatkj]

I dunno, I just use firefox because I like it better. The tabbed browsing is awesome and it feels a little faster on my PC than IE. A little experience in network administration has showed me that the best security is physical security, and even that sucks. The web is not safe...nothing is really. "safe" is kind of a subjective and largely meaningless term anyway, without a qualifier of "more" or "less". eg. "Wearing a seatbelt is more safe than not wearing one." Either way, there's a good chance that if you crash bad enough you're toast ;-)

SO, not to get too wierd on anyone...really, it's all probably hogwash, the whole bloody pursuit of "safety and security". Take the obvious precautions yes(update your software, use a firewall...), but don't get all surprised and indignant when somebody figures out how to break them!

Re:Mozilla's Security?

[Blkdeath]

I don't run Firefox because I find it inferior to IE in rendering pages as they were intended (yes, we live in an IE world, deal with it).

I used to think the same thing, but I stuck it out and just dealt with the incorrectly rendered pages. Of course there have always been / will always be people who think like you, but the fact is many (most) pages now render correctly in FireFox.

As alternate browsers are again being recognized as statistically significant companies and even hobbyist webmasters are starting to realize their value. If you see a site that isn't rendering correctly, contact the site owner and inform them. Your message might not turn the tide, but perhaps combined with the 5-6 they received last week yours will be enough to convince them of the advantage of compliance.

Please, though, don't send a nasty-gram espousing the virtues of open source, criticizing Microsoft (no need to even mention MS/IE) as it destroys all of our credibility.

Re:And to think...

[AviLazar]

Think about it - how many products does Microsoft have to maintain, versus the Mozilla Foundation?

Don't you think this is a bit of a skewed statement? MS has departments, many of them. There is probably an IE department and it's sole purpose is IE. It may not have any conversations with any other departments with the exception of "Will IE still work with the rest of Windows? It does? Great, going back to my cave."

Re:SANS Institute declares Firefox 'Unsafe'

[Anonymous Coward]

Linux already supports automatic updates. No sense putting it at the application layer. In fact I'd go as far as to say that the application layer is the worst place for updates.

Re:And to think...

[mattstorer]

MS has departments, many of them. There is probably an IE department and it's sole purpose is IE. It may not have any conversations with any other departments with the exception of "Will IE still work with the rest of Windows? It does? Great, going back to my cave."

you raise a good point. MS does certainly have many more employees than the Mozilla Foundation. However, something else you said, namely the part about separate departments not communicating with each other (much), that is more salient. And also a good point, btw.

Because MS ties into Windows via ActiveX, etc., the IE team needs to be aware of what the ActiveX team is doing, and what every other team that IE touches is doing, and vice versa. There HAS to be that kind of communication, really really good communication, for things to work the way they should (e.g., without opening security holes).

so, while MS may be bigger and have many more employees to deal with issues, they have that many more employees to create the issues in the first place (too many cooks in the kitchen?), and a much larger world in which those bugs can reside and hide.

simplicity is beautiful. if I want a hammer, I'll buy one that pounds nails into wood better than any other hammer I can find. I don't need it to julienne fries and wake me up at 6:00 in the morning as well.

-matt

Re:Mozilla's Security?

[xENoLocO]

Actually, it's hard to find a site that *doesn't* render correctly with firefox. The problem is that IE doesn't render sites correctly and/or they're too freeform in allowing things to get by. They dont fully comply with standards. Then when a correct site renders improperly in IE, the author changes the site to accomodate, breaking it in standards compliant browsers, like firefox.

Re:See! See!

[CaymanIslandCarpedie]

Hey, I'm not saying this hole will be expoited by anyone. I'm just saying its not fixed. With your "one down" comment you seemed to imply this issue was fixed. It is not at all!

Mozilla has done a server-side workaround to mitigate this issue but the Firefox (client-side app) has had nothing done to it. The issue is still 100% there. Again not saying this will effect anyone, but to say the bug has been fixed is just WRONG. The bug is in client-side code and that client-side code will need to be fixed, not just a server-side workaround.

Again, most likely nothing will come of this, but I just thought viewers who saw your original comment would be misled into thinking the client-side bug was been fixed (which is not the case).

In other news

[pg110404]

A serious exploit flaw has been found. So severe is the flaw that it spans all hardware and all software. It matters not if your computer is patched or unpatched. This exploit flaw is so serious that any computer that emits power from its power supply is vulnerable. The only security fix to this devastating exploit flaw involves pulling the power plug from the computer.

......Seriously though, there has always been a direct correlation between usability and security. Any time features are added to a piece of software to make it more usable, will make it more vulnerable and open to flaws that can be exploited. Firefox may have started out as a stripped down, no nonsense browser, but with its popularity rising, feature creep sets in and inherent flaws will be discovered and exploited.

The only way to make it 100% secure is to make sure nothing can be done to the system, and that's powered off with no automated way of powering on (i.e. it's unplugged). Once we accept that it MUST be plugged in to be usable, we need to accept the possibility of exploits. Given that, however, we can't accept defeatism, and must strive to fix it.

The typical rhetoric of "There see? product y is just as insecure as product x", and "Well at least the exploit count is 2, not 50!", only serves to distract us from the real goal of getting better and MORE secure software. Like the saying goes, "SHIT HAPPENS". Let's just learn from it and move on.

Security through obscurity is theoretically plausible, but not very practical. What may be firefox's saving grace is that it's open source and is not held as proprietary IP, controlled by a corporation out for profit, thus the evolution of the product is driven by its need to simply be better.

Perhaps microsoft will see these flaws as proof that open source doesn't work and will lower their own standards, making IE7 less secure or shipping earlier with less stability, or maybe they will take this opportunity to make IE7 that much better in the hopes of regaining popularity and claiming vindication. As long as firefox advances and closes those holes, we still have one extra viable choice. This would only result in a fundamentally more secure web surfing experience.

Re:sorry..

[DarkHelmet]

Sure, like the red button that's on my browser now... oh wait.

Big difference between a plugin notifying us of a security vulnerability, and the update button telling us there's a fix.

Hey!

[antoy]

I'm surprised (or maybe I missed something). Why is noone asking the real questions here?

Sure, Firefox had two security flaws. Okay. HOW were those vulnerabilites found? Were they found because Firefox is an open-source program, and has the 'many eyes' advantage? Were the people who found them going through the code, evaluating and auditing it function-by-function is search of flaws?

Or were they testing against it in the traditional way, the way IE vulnerabilities were found? Or maybe a combination of the two?

The article doesn't say, but I believe this is more important to know than the current count on a Firefox/IE vulnerability pissing match. It's the best example (or counter-example) of open-source security in action that we have. If anyone can supply this information, I (and others, perhaps) will be most grateful.

Re:sorry..

[NixLuver]

Um... We *don't* hear about it 'every time IE has an exploit'; just from the fixes I download through windows update on my work laptop described as fixes for security vulnerabilities in IE, I'd have to say that there would be little room for much else besides IE vulnerability posts. As has already been pointed out, we only hear about IE vulnerabilities when they are extremely serious in impact. The rest of the time, it's pretty much 'so what'?

Re:sorry..

[rizzo]

Because this is Slashdot, an extremely biased site that often reports opinions as news, and where the editors do all they can to promote flaming and bashing by adding inaccurate titles to the articles they post.

s/Slashdot/Fox News/

Uh huh

[Myopic]

Can you imagine what would happen if bugs in proprietary software (I'm thinking of Windows or IE) were considered "extremely critical" as soon as an exploit was solidified in code? I mean, if "extremely critical" corresponds to "it is *possible* to exploit this bug" then what is the term to describe a bug which in fact is wreaking havoc on worldwide information infrastructure (as many Windows bugs)?

Re:sorry..

[plover]

Definition of Slashdot: two guys with sticks beating a spot on the ground where a horse died 9 years ago.

After enough time has passed, people think making the drumming sound was the point all along.

Re:Mozilla's Security?

[2short]

"Though I'm still not comfortable writing 'for' loops..."

Which would explain why you think writing a sufficiently full-featured, yet secure, web browser shouldn't be hard.

Re:LINUX USERS DON'T GET VIRUSES

[TerranFury]

Cause and effect: They don't get viruses because they don't get laid.