Firefox Exploit Adds Fuel to Browser Security Feud 510

An anonymous reader writes "Washingtonpost.com is reporting that a fairly nasty exploit has been released for a security hole that Firefox patched just yesterday. This is sure to add fuel to the ongoing heated debate over whether Mozilla is any safer than Internet Explorer." From the article: "This is not your run-of-the-mill proof of concept exploit code. It appears to be quite comprehensive, and would allow any attacker to use it with only slight modifications. According to the advisory, the code is designed to be embedded in a Web site so that any computer visiting the evil site with Firefox or Netscape would open up a line of communication with another Internet address of the attacker's choice, effectively letting the bad guys control the victim computer from afar."
  • by redwoodtree ( 136298 ) * on Thursday September 22, 2005 @03:44PM (#13624070)
    Follow this thread on Mozilla Forums [mozillazine.org] for more information. But don't be complacent if you're running the new Beta and be sure to upgrade.
  • by Sirfrummel ( 873953 ) on Thursday September 22, 2005 @03:46PM (#13624088)
    "...effectively letting the bad guys control the victim computer from afar."

    I just have to wonder... have people ever used exploits like this to do any purposeful remote-administration?
  • Re:Browser shmouser (Score:5, Interesting)

    by AKAImBatman ( 238306 ) * on Thursday September 22, 2005 @03:51PM (#13624128) Homepage Journal
    Arguably, if the OS is secure enough, then you should not have problems with programs that can start executing code without permissions.

    Eh, it's multi-faceted. The problem is that many of the greatest security threats today are from buffer overflow attacks. (Or heap overflow in this case.) This is frustrating because we've had the technology for more than 20 years to write code that is invulnerable to these sorts of attacks. Unfortunately, the majority of OS and Desktop software has continued to rely on C and C++, making these holes not only possible, but probable.

    If the buffer overflow attack were solved once and for all, then attackers would have to move higher up the stack. e.g. Embedded scripts in emails that run with full permission. This sort of attack is why Java has a built-in security manager that can prevent access to secure resources. Should our security problems ever escalate to this level, I'm sure you'll see a lot of similar security managed environments showing up.
  • Re:Question (Score:3, Interesting)

    by Cyclometh ( 629276 ) on Thursday September 22, 2005 @03:51PM (#13624134)
    Mainstream media outlets report news; an exploit for IE isn't really news, because so many people use it and so many people target it. Firefox has been touted as the secure alternative to IE, so it's pretty newsworthy when the only contender for the browser throne has one of its main claims to superiority knocked out from under it.
  • Re:Question (Score:3, Interesting)

    by goldspider ( 445116 ) on Thursday September 22, 2005 @03:56PM (#13624178) Homepage
    Nope, it's just that Mozilla/Firefox has received a lot of publicity in these news outlets for its (supposed) security advantages over IE.

    I'd say it's most appropriate for these same news outlets to follow up when those claims aren't upheld by reality.

    Wouldn't you expect the same if this were a Microsoft app?
  • Re:Patch (Score:2, Interesting)

    by sochdot ( 864131 ) on Thursday September 22, 2005 @03:57PM (#13624184) Journal
    Exactly! The patch was released yesterday. As in, "Holy shit! Guys, this is bad, we need a patch yesterday!" If this were IE, a patch might be released in a month or two. I've never heard of an IE hole being closed before any exploits were released. The response to the recent Firefox criticism/comparison has pretty much been, "Sure, as we grow, holes will be found. But we're in a far superior position to fix them and fix them fast." I would say this is pretty good proof.
  • by Anonymous Coward on Thursday September 22, 2005 @04:00PM (#13624218)
    "Failing that, the rest of the solution is to write any program that downloads arbitrary content from the internet very, very carefully."

    Welcome to the idea of TPS. Only trusted code runs on your machine.
  • Re:Question (Score:3, Interesting)

    by freaktheclown ( 826263 ) on Thursday September 22, 2005 @04:02PM (#13624229)
    Melinda Gates [wikipedia.org] is on the WaPo board.
  • Automatic Updates (Score:5, Interesting)

    by Paul Slocum ( 598127 ) on Thursday September 22, 2005 @04:02PM (#13624232) Homepage Journal
    They do patch stuff fast, but until automatic updates work correctly, it's not going to do much good for the average idiot user. And someone will eventually start trying to take advantage of these exploits. I'm running 1.0.6 and there's no update icon showing. When I say Check Now: "Firefox was not able to find any updates." -paul
  • by PCCybertek ( 915945 ) on Thursday September 22, 2005 @04:03PM (#13624241) Homepage Journal
    I personally believe that the ActiveX exploits are the nasty ones. I used to get so much crap on my system when I ran IE, even after the SP2 update. Since I use Firefox almost exclusively, I have had just about none. That's good enough for me.
  • by hkmwbz ( 531650 ) on Thursday September 22, 2005 @04:14PM (#13624349) Journal
    How does Firefox make money? With searches of course. Opera will do the same. [opera.com]
  • by Mantrid ( 250133 ) on Thursday September 22, 2005 @04:21PM (#13624413) Journal
    I don't understand how this helps - if you install application "X" you expect to trust it, and I assume you grant it privileges to run on your machine etc. So great, now the app can run on your machine...you trust it...but what's to stop it from having a heyday with your system?
  • by Octagon Most ( 522688 ) on Thursday September 22, 2005 @04:49PM (#13624663)
    "I don't understand how this helps - if you install application "X" you expect to trust it, and I assume you grant it privileges to run on your machine etc."

    You trust it to perform specific actions. You do not mean to implicitly grant unlimited privileges. You expect, and trust, your web browser to render HTML. You do not grant it permission to delete all your files simply by the action of running it. So there has to be a trust within limits relationship. Applications should be able to execute in a non-destructive manner but require further authorization to do such things as install other apps, delete or modify any files other than its own, etc.
  • Re:Automatic Updates (Score:3, Interesting)

    by MS_is_the_best ( 126922 ) on Thursday September 22, 2005 @05:02PM (#13624767)
    Parent comment applies only to Windows machines, where every program needs its own update program (what kind of design is that?).

    Most Linuxes/BSDs etc. come with centralised automatic updates for all programs, which are inherently easier. I expect to see a flashing warning next morning, telling me a security update has been downloaded for Firefox and asking if I want to install the patch.

    I regard automatic program updates on application level as clutter on my machine, so please do not advocate these methods!
  • Azureus (Score:4, Interesting)

    by Nasarius ( 593729 ) on Thursday September 22, 2005 @05:45PM (#13625133)
    Do you use Azureus?

    Why yes, yes I do. I love its features, but the interface is incredibly sluggish. Same goes for Eclipse. I've used it on Windows, Linux, and FreeBSD with various JDKs. It's slow. I'd go crazy if all the GUIs I use were the same way.

  • by caspper69 ( 548511 ) on Thursday September 22, 2005 @05:51PM (#13625197)
    Tell that to my grandmother who doesn't even know how to select text in a text box or push the backspace key. You really think that anyone, much less a technophobe, can figure out that a browser needs the ability to send and receive data on TCP port 80, while it needs access to its configuration files in /etc, etc.... Give me a break... It's exactly this attitude that is the problem. Users of a product should not have to figure out what the program needs. The OS and the application should work hand in hand to ensure this is done correctly. As far as I'm concerned Linux and Windows are both pieces of shit from an era gone by.
  • by Stephen Samuel ( 106962 ) on Thursday September 22, 2005 @05:52PM (#13625207) Homepage Journal
    If someone uses the exploit code to build a worm and doesn't include the full source code with the 'distribution', the original worm writer could sue them for copyright violation.

    This, of course, presumes that (1) the original exploit author is a proper white-hat, and (2) we catch the person who creates the worm.

  • by I'm Don Giovanni ( 598558 ) on Thursday September 22, 2005 @05:59PM (#13625260)
    I see many here saying that the Firefox security update system is inadequate because it's too easy to ignore, not in your face, too easy to go unnoticed (and many times doesn't even work; my Firefox is giving no indication that it needs updating). What you don't understand is that the Firefox team *wants* the update notifications to be easily unnoticed, not in your face, easy to ignore. If they became "in your face", then the user would eventually think, "Damn, I sure do have to update this thing a lot. Guess it's not really that secure after all."
  • Re:Browser shmouser (Score:2, Interesting)

    by rmdir -r * ( 716956 ) on Thursday September 22, 2005 @08:21PM (#13626162)
    The "Java is slow" myth is a load of hogwash that opponents of the technology use to justify their stance against it. It's simply not true.
    Erm. Bullshit. You're using the wrong performance metric. An end user includes in the speed of a program:

    • Startup time
    • GUI responsiveness
    • Execution time
    • Shutdown time
    The only area where Java is 'fast enough' is execution time. Java desktop apps are slow to start, have unresponsive GUIs, and are often sluggish when it comes to stopping. To the end user, there have been very few improvements in Java over the past ten years.

    Oh, and before I stop, may I point out that Java's GUI responsiveness problem is one entirely of its own making? There are plenty of cross-platform languages out there with cross-platform GUIs that are decent. This is not an impossible problem, in fact, it's a solved problem. It just seems that Sun hasn't gotten around to solving it.

  • Re:Browser shmouser (Score:2, Interesting)

    by Ivan Todoroski ( 132826 ) <grnch@gmx.net> on Friday September 23, 2005 @12:01AM (#13626974)

    It is hyperbole. Eclipse is a development environment, not a regular desktop app. Comparing footprints there is just silly. I can find you plenty of "native" development environments with very similar footprints.

    What? It's an IDE, arguably a glorified text editor; it is an order of magnitude less complicated than, say, a web browser, office suite, or other "desktop applications". And incidentally Visual Studio doesn't have that kind of footprint, nor Xcode, nor KDevelop ...

    1. Eclipse does a lot more than either Visual Studio or KDevelop: it keeps a parse tree of all your code in memory, which allows it to do some very advanced refactoring, also on-the-fly compilation and checking for errors. Now Xcode also does this, which brings me to the next point.

    2. Eclipse, for all its benefits, is really a poorly written beast, with very little thought given to performance or GUI usability as opposed to cramming features incessantly. You pick one poor application written in Java (and one which isn't even using Swing, the standard Java GUI toolkit), then proclaim that the language must suck.

    How many C/C++ applications are there that are truly horrible? Those languages must be positively evil by that measure.

    Try using IntelliJ IDEA sometime, which does all that Eclipse does, and then some, yet is very snappy and takes up only a fraction of the memory. Hopefully it will change your opinion of what a Java application written using Swing can really do. Java is just another tool, and like any complex tool it requires somewhat capable hands to wield it properly.
