Slashdot stories can be listened to in audio form via an RSS feed, as read by our own robotic overlord.

 



Forgot your password?
typodupeerror
Mozilla The Internet Security

Firefox Exploit Adds Fuel to Browser Security Feud 510

Posted by Zonk
from the patch-early-patch-often dept.
An anonymous reader writes "Washingtonpost.com is reporting that a fairly nasty exploit has been released for a security hole that Firefox patched just yesterday. This is sure to add fuel to the ongoing heated debate over whether Mozilla is any safer the Internet Explorer." From the article: "This is not your run-of-the-mill proof of concept exploit code. It appears to be quite comprehensive, and would allow any attacker to use it with only slight modifications. According to the advisory, the code is designed to be embedded in a Web site so that anyone computer visiting the evil site with Firefox or Netscape would open up a line of communication with another Internet address of the attacker's choice, effectively letting the bad guys control the victim computer from afar."
This discussion has been archived. No new comments can be posted.

Firefox Exploit Adds Fuel to Browser Security Feud

Comments Filter:
  • Browser shmouser (Score:5, Insightful)

    by BWJones (18351) * on Thursday September 22, 2005 @02:40PM (#13624025) Homepage Journal
    Browser, shmouser..... What I want is a secure OS! Arguably, if the OS is secure enough, then you should not have problems with programs that can start executing code without permissions. Granted, it is a matter of balance, but an OS should never allow root control by an application without specific permission. Of course the default with Windows is root, but hey....

    As an interesting aside: We just went through a two day outage at the university here because of a worm that infected a series of Windows systems. My question to IT guy#1 was: "Dude, why did you guys switch from Solaris to Windows?" His reply was that "the Windows solution was cheaper". I said "Dude, you guys need Macs!", to which he replied "yeah, no $#!t" when he caught himself and said something unintelligible. Guy #2 that I spoke to today gave me some song and dance about how Macs are really hard to integrate into mixed platform networks and then said something to the effect of "if Macs had greater market share, we would be in the same boat". I said something to the effect of "Bull$#1t". It comes down to management and OS design. Windows can be secure, but it requires much more oversight than do other alternatives. But fundamentally, all of the calls direct to the kernel that are available to applications are a problem that will not be solved until (hopefully) the next MS OS.

    • by jfengel (409917) on Thursday September 22, 2005 @02:49PM (#13624111) Homepage Journal
      It's certainly true that root access causes the most headaches, but there's a lot that can be done without root access.

      Even with just user-level access, it can erase all of your files or set up a spam relay. It may even be able to set up a keystroke logger or install a modified version of your browser (for you alone) that slurps up your credit card numbers. And it can modify your local .rc files to re-run itself when you boot (and check to see if you've altered them and re-modify them as soon as you're done.)

      It's a heck of a lot easier to remove than a root-level exploit (you can log in as root and remove the code, which you can't necessarily do to a rootkit). But even though the lack of root can limit the damage, considerable damage can be done without it.

      The solution? Well, partly it would be nice to have the OS provide fine-grained control, so that even if malicious code gets to execute it could be prevented from modifying your files without explicit permission or accessing the Internet to act as a spam relay. But such fine-grained controls are incredibly tedious; they exist in Java but they're rarely used.)

      Failing that, the rest of the solution is to be write any program that downloads arbitrary content from the internet very, very carefully.
      • by raddan (519638) on Thursday September 22, 2005 @03:31PM (#13624518)
        It's not tedious at all:

        http://www.citi.umich.edu/u/provos/systrace/ [umich.edu]

        It shouldn't be that hard to figure out what a simple program like a browser needs.

        • by caspper69 (548511) on Thursday September 22, 2005 @04:51PM (#13625197)
          Tell that to my grandmother who doesn't even know how to select text in a text box or push the backspace key. You really think that anyone, much less a technophobe, can figure out that a browser needs the ability to send and receive data on tcp port 80, while it needs access to its configuration files in /etc, etc.... Give me a break... It's exactly this attitude that is the problem. Users of a product should not have to figure out what the program needs. The OS and the application should work hand in hand to ensure this is done correctly. As far as I'm concerned Linux and Windows are both pieces of shit from an era gone by.
        • It shouldn't be that hard to figure out what a simple program like a browser needs.

          It needs to be able to talk to X server to render graphics. If some webpage takes over the browser, and makes it execute arbitrary code, can it be made to hack the X server to delete the files in your home directory - for example, by launching xterm (or finding a running instance) and sending the neccessary commands to it ? Or, worse yet, can it use some X buffer overflow to insert code that runs at root privileges - afte

      • But such fine-grained controls are incredibly tedious

        Hogwash. The grsecurity [grsecurity.net] patches to the Linux kernel provide one approach to fine-grained access control that greatly eases the tedium of managing fine-grained rulesets. In short, grsecurity's approach is based on automatic learning -- let the system run in a permissive mode doing the things it's supposed to do, then generate a ruleset based on that activity. The system then runs with the generated permissions ruleset. The admin may need to tweak the
    • by Sneftel (15416)
      A computer may be considered "hacked" even if the hacker doesn't have root control. Sending out two million penis enlargement spams per day... serving as a proxy to hack other computers... scanning subnets for vulnerabilities... none of these things require root access.

      And even preventing arbitrary code execution is only a partial step. What is code? It isn't just opcodes that are processed by the CPU's instruction decoder; it's also bytecode which is executed by a virtual machine, or even the FSM generated
    • Re:Browser shmouser (Score:5, Interesting)

      by AKAImBatman (238306) * <akaimbatman AT gmail DOT com> on Thursday September 22, 2005 @02:51PM (#13624128) Homepage Journal
      Arguably, if the OS is secure enough, then you should not have problems with programs that can start executing code without permissions.

      Eh, it's multi-faceted. The problem is that many of the greatest security threats today are from buffer overflow attacks. (Or heap overflow in this case.) This is frustrating because we've had the technology for more than 20 years to write code that is invulnerable to these sorts of attacks. Unfortunately, the majority of OS and Desktop software has continued to rely on C and C++, making these holes not only possible, but probable.

      If the buffer overflow attack were solved once and for all, then attackers would have to move higher up the stack. e.g. Embedded scripts in emails that run with full permission. This sort of attack is why Java has a built-in security manager that can prevent access to secure resources. Should our security problems ever escalate to this level, I'm sure you'll see a lot of similar security managed environments showing up.
    • Arguably, if the OS is secure enough, then you should not have problems with programs that can start executing code without permissions. Granted, it is a matter of balance, but an OS should never allow root control by an application without specific permission. Of course the default with Windows is root, but hey....

      Running as root is certainly a bad thing. Of course, even within any reasonable permissions, we'd have to expect that a program has the ability to execute code that might not be desirable. For

    • Browser, shmouser..... What I want is a secure OS! Arguably, if the OS is secure enough, then you should not have problems with programs that can start executing code without permissions. Granted, it is a matter of balance, but an OS should never allow root control by an application without specific permission. Of course the default with Windows is root, but hey....

      Why don't you just install OpenBSD [openbsd.org]? Works very fine as a desktop, unless you require hardware accellerated 3D.

    • by Sialagogue (246874) <sialagogue@gBOYSENmail.com minus berry> on Thursday September 22, 2005 @03:45PM (#13624637)

      I'd like to propose a new game here on Slashdot, called "Six Degrees of Microsoft." The objective is to relate *any* story, from browser exploits, to RFID tags, to new features on Google maps back to some oversight, corruption, or other evil perpetrated by Microsoft.

      Understand, I'm not even saying I necessarily disagree with the parent post, I just think that every Slashdot post in the future should have at least one response titled "Six Degrees of Microsoft." Firefox/IE posts are easy, but "GBA SP Updated with Brighter Backlit Screen" might be a bit more of a challenge.

      Good luck...

  • Welcome (Score:2, Funny)

    by Anonymous Coward
    I for one welcome our new Firefox hacking overlords.
  • by daniil (775990) <evilbj8rn@hotmail.com> on Thursday September 22, 2005 @02:40PM (#13624028) Journal
    Firefox is finally catching up with the market leader! Woo!
    • While FireFox may be considered "just as insecure" as IE, the fact is this is not really why people are switching.

      Okay, so now some script kiddie can "pwn j00" in both IE and Firefox. That's bad.

      But simple web browsing is still "safer" in Firefox. Your computer might get pwn3d, but your browser won't! The "exploits" and "security flaws" everyone is talking about completely misses the layman's reason for switching, and that is because (thus far) none of these FireFox exploits turn innocent browsing in

      • by nacturation (646836) <`moc.liamg' `ta' `noitarutcan'> on Thursday September 22, 2005 @04:32PM (#13625008) Journal
        But simple web browsing is still "safer" in Firefox. Your computer might get pwn3d, but your browser won't! The "exploits" and "security flaws" everyone is talking about completely misses the layman's reason for switching, and that is because (thus far) none of these FireFox exploits turn innocent browsing into a spyware, adware, toolbar infested nightmare.

        So you can install anything onto the computer (such as spyware, adware, malware, etc.) but the browser is still safe? I agree with the other poster... what a crock! Also note that it's possible to install extensions into Firefox. Just because nobody has written a spyware/adware extension for Firefox doesn't mean that Firefox is immune. In fact, one of the benefits of Firefox is the ability to extend it. Do you even *know* what you're talking about?
         
  • by gbulmash (688770) <semi_famous@yaho ... m minus math_god> on Thursday September 22, 2005 @02:42PM (#13624045) Homepage Journal
    It's interesting that this comes on the heels of Opera [opera.no] eliminating the ad-supported version and offering their browser free.

    The sad thing is that it also comes on the heels of zdnet.com claiming that Firefox is having significantly more security issues than IE [slashdot.org].

    I guess, though, this does give some credence to the "security through obscurity" theory, as the number and frequency of issues seems to have increased as Firefox adoption has increased. And if that's the case, can we expect to see these issues become even more frequent if Firefox adoption continues to grow?

    All the arguments that open source is more secure because there are more eyes to spot problems and more hands to fix them are starting to ring a bit hollow as I upgrade/patch my Firefox install on what seems like a monthly basis.

    Given, I still trust MSFT as far as I can throw a Volkswagen, but my laughs at their FUD aren't so loud or haughty today.

    - Greg

    • It's the best browser on the market right now. They are probably looking enviously at the rapid growth of Firefox, and want to copy that. But I wonder how they plan to make their money. There can't be that much to be made off of "premium support" for a web browser.
    • "I guess, though, this does give some credence to the "security through obscurity" theory, as the number and frequency of issues seems to have increased as Firefox adoption has increased."

      Then I'm pretty safe with links [mff.cuni.cz] on Mac? :)

    • by m50d (797211) on Thursday September 22, 2005 @02:53PM (#13624147) Homepage Journal
      Just like MS, firefox focuses more on features, and quickly. Many of the problems with firefox have come from the extension system, or from fairly experimental new features that firefox rushes to adopt, like this. A little more conservatism is needed when dealing with remote data, and I really think an extension system for an application that deals with remote data - be it activex or firefox extensions - is asking for trouble. You can find more secure browsers than either firefox or IE, and I don't think this is solely due to their obscurity, but also due to not including these dangerous technologies.
    • by Saxerman (253676) * on Thursday September 22, 2005 @03:05PM (#13624261) Homepage
      All the arguments that open source is more secure because there are more eyes to spot problems and more hands to fix them are starting to ring a bit hollow as I upgrade/patch my Firefox install on what seems like a monthly basis.

      I hear this is a lot, and it often leads to a misrepresentation of what makes OSS 'more secure'. The more eyes/hands claim doesn't assert that there will be less bugs, it means they are suppose to be spotted and corrected more quickly.

      Security isn't a state of being, it's a state of mind. I believe there are more white hats than black hats, so OSS leads to better code. If you believe otherwise, you will probably feel more secure using closed source software (but that won't necessarily mean you ARE more secure.)

  • Publicity (Score:5, Insightful)

    by improfane (855034) on Thursday September 22, 2005 @02:44PM (#13624064) Journal
    Publicity was the demise, the great browser begged for mainstream attention, got the show but caught the eye of the bad guys.

    No software is universally perfect.
  • Good news! (Score:5, Funny)

    by Otter (3800) on Thursday September 22, 2005 @02:44PM (#13624065) Journal
    On the plus side, the exploit is released under the GPL. This just goes to show the superiority of open-source over proprietary exploits!

    Also on the plus side, the Washington Post link crashes my IE, so I can't even read the anti-Firefox news. Score another for Mozilla!.

    • Meanwhile, we Opera [opera.com] users just keep chuggin' along. I got sick of this crap months ago and went to Opera which is faster, takes half the memory, and offers more features in a 5MB download.

      Sorry to shill, but hey, Opera got dumped on for so long on Slashdot just for having banner ads (you know, just like Slashdot's banner ads...), and now that it's free, there's no reason not to use it full-time. Your tabbed browsing came from Opera, after all...
  • by redwoodtree (136298) * on Thursday September 22, 2005 @02:44PM (#13624070)
    Follow this thread on Mozilla Forums [mozillazine.org] for more information. But don't be complacent if you're running the new Beta and be sure to upgrade.
  • The story here... (Score:5, Insightful)

    by op12 (830015) on Thursday September 22, 2005 @02:45PM (#13624075) Homepage
    should be the exploit (and only the exploit). The browser feud is really becoming a pointless exercise in arguing. See here [slashdot.org].
    • Not quite... (Score:5, Insightful)

      by Anonymous Brave Guy (457657) on Thursday September 22, 2005 @03:05PM (#13624270)

      I have little time for browser wars, but it is notable that despite the 1.0.7 announcement even making Slashdot yesterday, it's not showing up as an automatic download yet. Worse, it doesn't show up even if you manually check for updates.

      There's not much point patching a security issue if you can't distribute the patch and even conscientious users won't find out about it by the expected method.

  • Patch (Score:5, Insightful)

    by brettlbecker (596407) on Thursday September 22, 2005 @02:45PM (#13624078) Homepage
    Ummm, so basically Mozilla was ahead of the game as far as this hole is concerned, having already released a patched version of the browser before the exploit became known?

    Pardon, but rather than using this exploit as some kind of evidence that Firefox is on-par, security-wise, with IE, shouldn't we be viewing this as a victory for the patch/version-release cycle of the Mozilla foundation?

    There will always be new security holes found. The difference is that patched versions of the browser, fixing the security hole in question, are not always released before the hole is announced.

    Two cents.

    B
    • Re:Patch (Score:2, Interesting)

      by sochdot (864131)
      Exactly! The patch was released yesterday. As in, "Holy shit! Guys, this is bad, we need a patch yesterday!" If this were IE, a patch might be released in a month or two. I've never heard of an IE hole being closed before any exploits were released. The response to the recent Firefox criticism/comparison has pretty much been, "Sure, as we grow, holes will be found. But we're in a far superior position to fix them and fix them fast." I would say this is pretty good proof.
    • What patch? (Score:5, Informative)

      by Anonymous Brave Guy (457657) on Thursday September 22, 2005 @03:09PM (#13624308)

      Please note my comments earlier in the thread: since the patch hasn't hit the auto-updates yet, even if you check for it manually, this patch does not exist for most users. There is an exploit for it in the wild. Hence most Firefox users are not safe from this exploit.

      There, I put the actually relevant bits in bold for you, just to make it clear. Firefox is a great product for many reasons, but let's not kid ourselves that its security policy is perfect right now, OK? If my Firefox browser had popped up within a few minutes of the patch being released and invited me to download it, you'd have had a case, but it didn't.

    • "Ummm, so basically Mozilla was ahead of the game as far as this hole is concerned, having already released a patched version of the browser before the exploit became known?"

      Did it occur to you the patch may have been reverse engineered, and the exploit created from the patch? There is a reason MS doesn't like to patch holes that haven't been exploited.

      The version of firefox I'm using is unpatched and vulnerable since the IT guy here hasn't bothered to patch it yet.
  • Question (Score:5, Insightful)

    by sphealey (2855) on Thursday September 22, 2005 @02:45PM (#13624079)
    Does the Washington Post, or any other mainstream media outlet, publish a story whenever an exploit is released in the wild for Internet Explorer? In the last year, maybe if it is actually affecting some media companies. Otherwise no.

    So why the constant drumbeat of breathless stories about bugs (flaws) and exploits in Firefox? Could it be that the MSM is being seeded by someone? Say .... Microsoft's PR firm?

    sPh
    • Re:Question (Score:3, Interesting)

      by Cyclometh (629276)
      Mainstream media outlets report news- an exploit for IE isn't really news, because so many people use it and so many people target it. Firefox has been touted as the secure alternative to IE, so it's pretty newsworthy when the only contender for the browser throne has one of its main claims to superiority knocked out from under it.
    • Re:Question (Score:5, Funny)

      by tktk (540564) on Thursday September 22, 2005 @02:55PM (#13624177)
      Does the Washington Post, or any other mainstream media outlet, publish a story whenever an exploit is released in the wild for Internet Explorer?

      No... because it's hideously expensive to print 10lb newspapers every day.

      • Re:Question (Score:3, Funny)

        by e2d2 (115622)
        No... because it's hideously expensive to print 10lb newspapers every day.

        Me thinks you've never read the print version of the washington post then.. It really _does_ weigh ten pounds already.
    • Re:Question (Score:3, Interesting)

      by goldspider (445116)
      Nope, it's just that Mozilla/Firefox has received a lot of publicity in these news outlets for it's (supposed) security advantages over IE.

      I'd say it's most appropriate for these same news outlets to follow up when those claims aren't upheld by reality.

      Wouldn't you expect the same if this were a Microsoft app?
    • Re:Question (Score:3, Interesting)

      by freaktheclown (826263)
      Melinda Gates [wikipedia.org] is on the WaPo board.
    • Re:Question (Score:3, Insightful)

      by LurkerXXX (667952)
      So why the constant drumbeat of breathless stories about bugs (flaws) and exploits in Firefox?

      Probably because the Firefox crowd has been very vocal about screaming "Firefox is more secure than IE! Firefox is more secure than IE!" "Switch to Firefox, it's more secure!". If they were more quietly touting it as a good alterative browser (like Opera does), you wouldn't hear as much about it. When is the last time you saw a front page story about an Opera flow? Probably not in a long time. Then again, the

    • drama baby (Score:3, Insightful)

      36,000 people a year die from the flu according to the CDC, this gets rare news coverage.
      People die every single day on the hiway.
      People are murdered just about every day.
      Thousands of people are starving to death in Africa.

      A plane with a busted nose gear makes huge news.

      Reporting about an IE exploit would be as excting as reporting a flu death. The rare events make for more drama. The news is about drama, not NEWS.
  • Where's the beef? (Score:4, Insightful)

    by Intron (870560) on Thursday September 22, 2005 @02:46PM (#13624085)
    So when are the Fedora update directories going to see 1.0.7???
    # rpm -q firefox
    firefox-1.0.6-1.2.fc4
    # yum update firefox
    ...
    Could not find update match for firefox
    No Packages marked for Update/Obsoletion
  • by Sirfrummel (873953) on Thursday September 22, 2005 @02:46PM (#13624088) Homepage
    "...effectively letting the bad guys control the victim computer from afar."

    I just have to wonder... have people ever used exploits like this to do any purposeful remote-administration?
  • Okay, that's it.

    I'm going to stop hitting those pr0n, warez and gambiling sites on my work computer. I'm going to stop opening those emails saying I have to apply the latest hotfixes. I'm going to disable javascript, images, and popups.

    Wait - maybe I should just use Lynx. Naahh.

    I cannot believe that exploits are coming so fast and furious.

    • 'm going to stop hitting those pr0n, warez and gambiling sites on my work computer. I'm going to stop opening those emails saying I have to apply the latest hotfixes. I'm going to disable javascript, images, and popups.

      I'm sure you were being sarcastic ... you were being sarcastic, right? Yes? Phew.

      If you want to browse the wilder reaches of the web, you really owe it to yourself to ensure that you have Javascript disabled. You really don't want to visit any site that requires that Javascript be enabled

  • Menh (Score:5, Insightful)

    by gid13 (620803) on Thursday September 22, 2005 @02:47PM (#13624094)
    The specific response: It's already patched. A released exploit that's already had a patch released for it is nowhere near as scary as one that hasn't.

    The general response: As always with open source, if the Mozilla guys drop the ball and you know what you're doing, you can patch it yourself. With closed source, you're kinda at the mercy of the makers (usually Microsoft).

    Anecdotal evidence: Yes, this is in the past, but I let two total newbies use a box of mine for about a year, with the only relevant modifications being: Installed Firefox, Deleted shortcuts to IE, Spybot's resident protection, Spyware Blaster, Windows autoupdates on, and Nod32 (not even a firewall). They never had ANY problem until they figured out how to open IE, at which point they managed to get a bit of spyware in.
    • Re:Menh (Score:3, Insightful)

      by Otter (3800)
      "A patch has already been released" is indeed a convincing response. "You have the source code so fix it yourself" is, to put it mildly, not.
    • No Meh! (Score:5, Insightful)

      by Henry V .009 (518000) on Thursday September 22, 2005 @03:09PM (#13624298) Journal
      A released exploit that's already had a patch released for it is nowhere near as scary as one that hasn't.
      In every compromised computer that I have ever seen, there was already a patch out that would have avoided the problem. I know that that every now and then a compromise occurs which is an exception to that rule: but it is very rare, and I have never actually seen a case of it.

      I am very scared about this turn of events. I used to see unpatched IE all over the place. Thankfully, that is a lot more rare now. Microsoft has made it hard not to patch IE and Windows. Not so with Firefox. I have seen unpatched Firefox installs all over the place. Ostensibly Firefox is there as the secure alternative to IE. People have actually said to me that "unpatched Firefox is more secure than patched IE" and that they aren't worried about it. Firefox Update is way too easy to ignore and a lot of people do. This is going to come back to bite them big time. And Firefox is going to have a PR-nightmare with some big security disasters over the next few months.

      Is it really Firefox's fault if users don't patch their systems? The answer to that is yes, because they're trying to be the market-dominant browser. In order to be market-dominant, you have to have a browser equally suited to idiots as well as the technically adept. Firefox Update needs to be to be impossible to ignore and hard to disable unless you really know what you're doing. Because it is a weak feature right now, Firefox puts users at risk.
    • Re:Menh (Score:4, Insightful)

      by Anonymous Brave Guy (457657) on Thursday September 22, 2005 @03:13PM (#13624334)
      As always with open source, if the Mozilla guys drop the ball and you know what you're doing, you can patch it yourself.

      Sure. I imagine at least a dozen people in the world have the in-depth knowledge of the relevant area of the Firefox codebase, out of the hundreds of thousands or millions who now use it. Maybe I'll just go spend two weeks finding my way around myself, and become lucky 13.

      Sorry for the sarcasm, but that argument is getting a bit tired these days.

      • Re:Menh (Score:3, Insightful)

        by stu42j (304634)
        The point is not really that you would patch it yourself but rather that someone who knows how could and then make it publicly available so you can install it.
      • Re:Menh (Score:3, Insightful)

        by bluGill (862)

        At least you have that option. With Internet explorer I do not have that ability. If I want to patch IE, first I have to get Microsoft to hire me (possible, they are hiring all the time, though I don't know if they would hire me personally), then I need to get access to the IE code (I don't know about Microsoft, but most big companies do not give all employees all their source code, you only get access to the parts you will work on), next I need to make my changes, last I need to convince the powers that

  • by slashdotnickname (882178) on Thursday September 22, 2005 @02:47PM (#13624099)
    ...because we all know that no self-respecting hacker would attack a friend of open-source such as FireFox. These exploit discoveries are being secretly funded by Microsoft!
  • by Anonymous Coward on Thursday September 22, 2005 @02:48PM (#13624106)
    ...that PwnScape is SkyLined's ported version of Internet Exploiter. That's why it looks so polished, it was refined attacking IE, and there are a scary-huge number of unpatched IE bugs that MS knows about (over 50 now).

    It's becoming a target of technical attacks because it's becoming higher profile. However, it's doing a very good job of fixing vulnerabilities overall, at least compared to IE.

    Yeah, there are response time problems and masked bugzilla bugs, but being open about a bug before a patch is available isn't always the best idea; just because it's open source doesn't mean the discoverer is going to come up with, or be able to come up with, a patch immediately, but one generally turns up; the team is being pretty damn good. It may have been patched properly yesterday, but it was very quick to release a mitigation (disabling IDN).

    IE, meanwhile, has a YEARS old vulnerability that MSRC are trying to keep under wraps (even from their partners), because it's a SERIOUS design fault hidden in IE/Shell integration that allows a way of launching ActiveX controls that completely ignores the killbit. Seen Illwill laughing about it, so I know I'm definitely not the only person to independently discover it, and he's been gloating on F-D. And, if you do it right, the 'sploit ignores security zones and settings entirely; you can 0wn a fully patched, fully locked down IE, just by viewing a webpage, with no prompts.

    I have a working exploit for it. I won't release it, 'cause if I did, that's a million Windows boxes 0wned by Istbar and some scummy affiliate.

    Firefox is an excellent browser overall. If you don't like it, might I suggest Opera 8.50, which is now ad-free, registration-free freeware and also has an extremely responsive security team.
  • by blueZhift (652272) on Thursday September 22, 2005 @02:48PM (#13624107) Homepage Journal
    Practically speaking I guess this means we should all stay away from questionable (*cough*pr0n*cough*) sites for a few days. Seriously, we all know where these exploits are likely to show up first...
  • by rdwald (831442) on Thursday September 22, 2005 @02:49PM (#13624109)
    I wonder how many weeks it'll be...oh, yea, they released it yesterday. If only all web browsers had these sorts of exploits -- that is, the already-patched type.
  • by Ckwop (707653) * <Simon.Johnson@gmail.com> on Thursday September 22, 2005 @02:49PM (#13624117) Homepage

    The security of a web-browser is in no way related to the number of vulnerabilities found per year. There are two mystical numbers out in the ether which related to the exact number of security flaws in Firefox and IE. Now not all vunerabilities are created equally. IE could have ten minor vulnerabities for every major vulnerability found in Firefox and IE could still come out on top. What I'm trying to say is the number of vulnerabilities is a very poor metric for security.

    This vunerability is yet another heap based attack. Another attack that could have been avoided if people compiled the programs with the various heap/stack protection switchs. Please don't bitch about how it makes pointer arithmetic too slow. It just isn't true, what you should be doing is compiling the entire program with the switch then if it turns out to be too slow, factor out the code in to a seperate library and compile it without the switch. You can then do focused code reviews on this unsafe code to hunt out overflows/heap.

    If you remember nothing else today remember this sentence: "Security costs CPU cycles..". Guess what gents? XOR is a really fast cipher but it doesn't give you any security. You need a whole bunch more clock cycles to get it. The funny thing is people only apply this thinking to cryptography when in fact it's a general security principle. All the string checks you do cost CPU cycles as the program will function just fine without them. You decide to spend CPU cycles on this task to get security because you feel it is important. To get security you have to spend a metric-fuckton of CPU cycles. Fact. What I want people to recognise is that it is worth making your programs slower to consign buffer overflows to the history book.

    For a web-browser on a PC there is really no excuse because we have multi-GHz computers that are sat around idling most of the time. For all the naysayers who prounce almost with religious zeal that the performance hit will be dramatic and thus be unaccepetable. I ask them two questions:

    1. Did you actually compile the program with the switch and profile it against the compiled program without the switch? Was the performance degradation even noticeable?
    2. You may think slowing the program down is unacceptable but is leaving your customers at risk from an easily preventable class of vulnerabities more acceptable?

    Join me and spread the word. Tell the world to spend CPU cycles on getting security because it hurts us all that we have such insecure software. Remember, "Security costs CPU cycles"

    Simon.

  • FTFA:
    Kennedy was referring to the heated debate in the security community over whether Firefox is any more security than IE
    Is Taco editing the Washington Post now?
  • I find that firefox is updated much faster than IE. I'm sure this bug will be patched within a couple of days. Also, I'd like to see the firefox bug that as exploitable as activex. ActiveX is the one thing left in IE that makes it truly, the most insecure browser out there.
    • so fast, that it was patched yesterday in fact.
      and posted on slashdot.
      lazy CastrTroy...

    • ActiveX (Score:3, Informative)

      ActiveX is the one thing left in IE that makes it truly, the most insecure browser out there.

      It's also the major reason large numbers of huge companies aren't adopting Firefox, since it's the technology many of them base their Intranets on. It's a security risk when outside sites can use it, but not having it for internal pages is a PITA at times.

  • Fast. (Score:3, Insightful)

    by hungrygrue (872970) on Thursday September 22, 2005 @02:55PM (#13624176) Homepage
    has been released for a security hole that Firefox patched just yesterday
    Sounds like damn good response time to me! When was this first discovered? How many days total did it take for the patch to be released? Yes, it sucks that the vulnerability was there to begin with, but you have to admit that this is a good demonstration of how well an open source community project can respond.
  • by photonic (584757) on Thursday September 22, 2005 @02:57PM (#13624183)
    Microsoft has stopped working on IE7 and has its PhD's working full-time on writing exploits for known holes...
  • by PenguinBoyDave (806137) <david.davidmeyer@org> on Thursday September 22, 2005 @03:01PM (#13624225)
    Let's see them attack my text-based browser!
  • by advocate_one (662832) on Thursday September 22, 2005 @03:02PM (#13624226)
    that the actual exploit was released under the GPL... this means that anyone who takes it and modifies it has to release their improvements if they then proceed to distribute it... so if anyone does get infected, please get the person you got it from sued by Gnu for failing to make the source code available as well...
  • Automatic Updates (Score:5, Interesting)

    by Paul Slocum (598127) on Thursday September 22, 2005 @03:02PM (#13624232) Homepage Journal
    They do patch stuff fast, but until automatic updates work correctly, it's not going to do much good for the average idiot user. And someone will eventually start trying to take advantage of these exploits. I'm running 1.0.6 and there's no update icon showing. When I say Check Now: "Firefox was not able to find any updates." -paul
    • Parent comment applies only to windows machines, where every program needs his/her own update program (?, what for design is that?).

      Most linuxes/bsd's etc. come with centralised automatic updates for all programs, which are inheritely easier. I expect to see a flashing warning next morning, telling me a security update had been downloaded for firefox and if I want to install the patch.

      I regard automatic program updates on application level as clutter on my machine, so please do not advocate these methods!
      • by srleffler (721400)
        Unfortunately, for the vast majority of users automatic intervention-free installation of program updates is the only approach that will ensure good overall security on the network. There are just too many people who neither know nor care about patching, and will never do it. Forced updates should be disable-able, for users like you, but should be turned on by default and idiot-proof.

        The way Firefox handles update notifications is particularly bad. The little red arrow is way too easy to ignore, particula

  • by dpilot (134227) on Thursday September 22, 2005 @03:05PM (#13624268) Homepage Journal
    I'm going to rip Linux out of all my boxes, install WinXP SP2, and do all of my web surfing on IE with ActiveX enabled, just to be safe!
  • by gsfprez (27403) * on Thursday September 22, 2005 @03:08PM (#13624291)
    I just removed Firefox from this computer and installed Opera. No problem.

    I also just tried to remove IE... no luck.

    Firefox is still better.
  • automatic updates (Score:5, Insightful)

    by syrinx (106469) on Thursday September 22, 2005 @03:18PM (#13624384) Homepage
    So why the hell hasn't the patch shown up on Firefox's automatic updates, even if you manually check for it?

    Doesn't do any good to patch it if you don't notify people about it. Not everyone reads Slashdot.
  • Where's the update? (Score:4, Informative)

    by sshore (50665) on Thursday September 22, 2005 @03:23PM (#13624431)
    I clicked "Check Now" in the Software Update section using Firefox 1.0.6, and no update was shown. The Firefox box was checked. Anyone else seeing this, or is this just a proxy issue?

    This was well over a day after the release of 1.0.7. What URL is used to check for updates, and do they have appropriate options set on server to prevent long caching?
  • Weird logic. (Score:4, Insightful)

    by Dehumanizer (31435) on Thursday September 22, 2005 @03:24PM (#13624442) Homepage
    Every time some open source software, like Firefox or Linux, have an exploit, lots of people scream "see, it's insecure too! it's no better than IE / Windows!".

    That has always sounded weird to me. Windows or IE have had dozens, maybe hundreds of holes and exploits, and yet, when Linux or Firefox have one, they're "just as insecure"?!?

    Is this thing binary? No holes = secure, one hole = as insecure as a hundred holes?

    Fine, Firefox has one now. Not really "exploited", since it's already been patched, but never mind that. So what? How many IE holes have there been? How many PCs are full of spyware, viruses, or sending thousands of spam emails a day because of an IE hole?

    Can Firefox even begin to compare to that? I don't think so. It's at least dozens of really bad exploits (not to mention the "less than really bad" ones) behind.
    • Re:Weird logic. (Score:4, Insightful)

      by RzUpAnmsCwrds (262647) on Thursday September 22, 2005 @06:44PM (#13625971)
      I hate to break it to you, but Firefox has had way more than one hole in the last year:

      http://secunia.com/product/4227/ [secunia.com]

      23 since the release of 1.0. We're now on 1.07. Seven major security releases.

      Is it better than IE? Probably. Firefox vulnerabilities tend to be fixed more quickly and are less secure than IE vulnerabilities. That said, IE is considerably easier to update for both corporate users and home users.

      Firefox can do better. Fortunately, the update mechanism is much-improved in 1.5. But, remember, Firefox is supposed to be the darling of the Open Source movement. We can do better.
  • by 99bottles (257169) on Thursday September 22, 2005 @03:29PM (#13624498)
    How many developers do you think Microsoft has working furiously to release exploits into the wild to harm their competitors? Sure, it will never be admitted to, but ya gotta wonder...

    Kudos to Firefox for releasing a patch the day before the exploit was announced though.
  • Forced Security (Score:5, Insightful)

    by aero2600-5 (797736) on Thursday September 22, 2005 @03:32PM (#13624531)
    As someone else pointed out, the quickess of the patch doesn't matter because the end-user who's not the average slashdotter won't know there's a patch and won't install it. So why not forced security?

    I play poker at Fulltiltpoker.com. Every time I want to play, the software connects to their server, checks for any updates, and then asks me to login. Granted, the poker software client is not as complicated as a web browser, but how difficult would it be make Firefox check and install updates every time the user ran the program? I imagine it would be pretty simple. Have this enabled by default, and the active security-aware users can disable it if they would rather do it themselves or are if they're paranoid. Think it might cost too much time to check every single time you run the program? Simply solved, a line of code telling it skip the check if it's checked in the past 12 hours.

    One of the simplest ideas in security is that if the end-user has to do it themselves, like not opening random e-mail attachments, then it's likely going to get fucked up. It's that simple. Take it out of their hands.

    For those of you that are paranoid about Firefox contacting servers on it's own, how do you think it knows when there are updates? It certainly didn't find out through telepathy.

    Just my two cents.

    Aero
  • by Stephen Samuel (106962) <samuel&bcgreen,com> on Thursday September 22, 2005 @04:52PM (#13625207) Homepage Journal
    If someone uses the exploit code to build a worm and doesn't include the full source code with the 'distribution', the originl worm writer could sue them for copyright violation.

    This, of course presumes that (1) the original exploit author is a proper white-hat, and (2) we catch the person who creates the worm.

  • by minus9 (106327) on Thursday September 22, 2005 @05:20PM (#13625445) Homepage
    Have there actually been any successful exploits using a web browser as an attack mechanism. The ones that have had the worst effects seem to have been the ones which email an executable with a message saying "Oy dumbass run this executable". They seem to work far better than any thought out technical exploit.
  • Demographics (Score:3, Insightful)

    by thegnu (557446) <thegnu.gmail@com> on Thursday September 22, 2005 @05:34PM (#13625544) Journal
    The only thing anybody could ever prove is that Firefox's security is about as bad as IE's, and that still doesn't make it a worse choice. Right now, with Firefox making up less than 10% and IE making up about 80%, the majority of the exploits that are marketable are IE exploits.

    So people should keep using alternate browsers based on their merit up until they stop becoming alternate browsers. Then, maybe IE's GLORIOUS interface and GLORIOUS functionality can Lure Us Back.

    Oh, please.
  • by Evil Pete (73279) on Thursday September 22, 2005 @11:07PM (#13626988) Homepage

    We shouldn't forget that bad press for FF is in the interests of the Black Hats who make money off of IE exploits. FF is harder to crack than IE. Not impossible just harder. Their aim is most likely to maintain the "good times" of IE. So we shouldn't be surprised that not only is an exploit released but a nasty application of it as well. The black hats wouldn't release the app for the IE version because it would be too useful, but by releasing the FF one they support their investment in IE.

Be careful when a loop exits to the same place from side and bottom.

Working...