Firefox Exploit Adds Fuel to Browser Security Feud 510
An anonymous reader writes "Washingtonpost.com is reporting that a fairly nasty exploit has been released for a security hole that Firefox patched just yesterday. This is sure to add fuel to the ongoing heated debate over whether Mozilla is any safer the Internet Explorer." From the article: "This is not your run-of-the-mill proof of concept exploit code. It appears to be quite comprehensive, and would allow any attacker to use it with only slight modifications. According to the advisory, the code is designed to be embedded in a Web site so that anyone computer visiting the evil site with Firefox or Netscape would open up a line of communication with another Internet address of the attacker's choice, effectively letting the bad guys control the victim computer from afar."
1.5 Beta 1 is also impacted...beware (Score:3, Interesting)
Exploits as remote administration tool? (Score:5, Interesting)
I just have to wonder... have people ever used exploits like this to do any purposeful remote-administration?
Re:Browser shmouser (Score:5, Interesting)
Eh, it's multi-faceted. The problem is that many of the greatest security threats today are from buffer overflow attacks. (Or heap overflow in this case.) This is frustrating because we've had the technology for more than 20 years to write code that is invulnerable to these sorts of attacks. Unfortunately, the majority of OS and Desktop software has continued to rely on C and C++, making these holes not only possible, but probable.
If the buffer overflow attack were solved once and for all, then attackers would have to move higher up the stack. e.g. Embedded scripts in emails that run with full permission. This sort of attack is why Java has a built-in security manager that can prevent access to secure resources. Should our security problems ever escalate to this level, I'm sure you'll see a lot of similar security managed environments showing up.
Re:Question (Score:3, Interesting)
Re:Question (Score:3, Interesting)
I'd say it's most appropriate for these same news outlets to follow up when those claims aren't upheld by reality.
Wouldn't you expect the same if this were a Microsoft app?
Re:Patch (Score:2, Interesting)
Tip-toe through the TPS. (Score:1, Interesting)
Welcome to the idea of TPS. Only trusted code runs on your machine.
Re:Question (Score:3, Interesting)
Automatic Updates (Score:5, Interesting)
I use Firefox 99% of the time (Score:2, Interesting)
Re:Security through obscurity? (Score:2, Interesting)
Re:Tip-toe through the TPS. (Score:3, Interesting)
Re:Tip-toe through the TPS. (Score:3, Interesting)
You trust it to perform specific actions. You do not mean to implicitly grant unlimited privileges. You expect, and trust, your web browser to render HTML. You do not grant it permission to delete all your files simply by the action of running it. So there has to be a trust within limits relationship. Applications should be able to execute in a non-destructive manner but require further authorization to do such things as install other apps, delete or modify any files other than its own, etc.
Re:Automatic Updates (Score:3, Interesting)
Most linuxes/bsd's etc. come with centralised automatic updates for all programs, which are inheritely easier. I expect to see a flashing warning next morning, telling me a security update had been downloaded for firefox and if I want to install the patch.
I regard automatic program updates on application level as clutter on my machine, so please do not advocate these methods!
Azureus (Score:4, Interesting)
Why yes, yes I do. I love its features, but the interface is incredibly sluggish. Same goes for Eclipse. I've used it on Windows, Linux, and FreeBSD with various JDKs. It's slow. I'd go crazy if all the GUIs I use were the same way.
Re:Even without root things can get nasty (Score:4, Interesting)
GPL Exploits -- interesting side effects. (Score:5, Interesting)
This, of course presumes that (1) the original exploit author is a proper white-hat, and (2) we catch the person who creates the worm.
FireFox team is loathe to change the update model (Score:2, Interesting)
Re:Browser shmouser (Score:2, Interesting)
Oh, and before I stop, may I point out that Java's GUI responsiveness problem is one entirely of its own making? There are plenty of cross-platform languages out there with cross-platform GUIs that are decent. This is not an impossible problem, in fact, it's a solved problem. It just seems that Sun hasn't gotten around to solving it.
Re:Browser shmouser (Score:2, Interesting)
1. Eclipse does a lot more than either Visual Studio or KDevelop: it keeps a parse tree of all your code in memory, which allows it to do some very advanced refactoring, also on the fly compilation and checking for errors. Now Xcode also does this, which brings me to the next point.
2. Eclipse, for all its benefits, is really a poorly written beast, with very little thought given to performance or GUI usability as opposed to cramming features incessantly. You pick one poor application written in Java (and one which isn't even using Swing, the standard Java GUI toolkit), then proclaim that the language must suck.
How many C/C++ applications are there that are trully horrible? Those languages must be positively evil by that measure.
Try using IntelliJ IDEA sometimes, which does all that Eclipse does, and then some, yet is very snappy and takes up only a fraction of the memory. Hopefully it will change your opinion of what a Java application written using Swing can really do. Java is just another tool, and as any complex tool it requires somewhat capable hands to wield it properly.