News Firefox is critically flawed

[Tim S]

http://www.bit-tech.net/news/2006/10...ically_flawed/

[DougEdey]

No biggie in my view, I reckon "some time" to Mozilla is two weeks. It'd take that long for some annoying **** to devise a virus to attack this section.

And I don't go on nefarious websites.

[BioSniper]

Ooooohhh dear. Thats really not good
Shame that a good chunk of people using firefox possibly won't know how to turn Javascript off.
Guess I best do that..

[specofdust]

Quote:

Originally Posted by article

"I think it is unfortunate because it puts users at risk, but that seems to be their goal."

What a stupid person. Hackers release info like this to the general public all the time, it's not uncommon, and seems pretty much de rigueur for OSS. For her to say that shows a clear lack of apreciation, which she should have; the hackers showed the firefox devs, and the entire community, that there is a problem with the browser and that it needs to be fixed.

edit: should add, there's a fix here

[Tim S]

Quote:

Originally Posted by specofdust

What a stupid person. Hackers release info like this to the general public all the time, it's not uncommon, and seems pretty much de rigueur for OSS. For her to say that shows a clear lack of apreciation, which she should have; the hackers showed the firefox devs, and the entire community, that there is a problem with the browser and that it needs to be fixed.

Well, I think she wanted them to use Firefox's 'report a bug' function and discuss the flaws directly with the Mozilla team. However, I guess that there would be no time pressure for Mozilla to fix the bug in that way. It's horses for courses.

[BioSniper]

Worst part though spec is if you read the whole article on Zdnet they apparently know of 30 unpatched issues but they aren't willing to disclose them to the Mozilla team and instead wish to use them to their own advantage when they could be earning $500 per exploit under the bounty system the team has..
Kinda sad really.

[specofdust]

Quote:

Originally Posted by Tim S

Well, I think she wanted them to use Firefox's 'report a bug' function and discuss the flaws directly with the Mozilla team. However, I guess that there would be no time pressure for Mozilla to fix the bug in that way. It's horses for courses.

But as you say, with no time pressure they could have taken as long as they felt like to get around to it, and in that time other people could have found and exploited the problem. It may be wide open right now, but at least users can turn javascript off, the firefox team have to fix it as a priority, and black hats are aware that whatever nefarious deeds they do are going to be negated by the users turning javascript off and the firefox team shortly fixing the problem.

[airchie]

NoScript is a great extension for FF which should help with this issue.
Its basically white-listing for javascripts.
You only run the ones from site you trust.

[steveo_mcg]

Quote:

Originally Posted by BioSniper

Worst part though spec is if you read the whole article on Zdnet they apparently know of 30 unpatched issues but they aren't willing to disclose them to the Mozilla team and instead wish to use them to their own advantage when they could be earning $500 per exploit under the bounty system the team has..
Kinda sad really.

Am i mistaken or did Mozilla.com not report profits in the millions of dollars last year? $500 per exploit seems fair, we would all do the same to MS if the situation were different.

[Salazaar]

Quote:

Originally Posted by airchie

NoScript is a great extension for FF

NoScript is a fantastic extension, every Firefox user should have it.

[Laitainion]

Given that the problem is a stack overflow, wouldn't turning on DEP (in Windows) or the appropriate feature for every other program prevent this from actually working? Assuming that a stack overflow is similar to a buffer overflow, which is what Data Execution Prevention is meant to prevent.

[Emon]

At first glance I would have to call BS, since it's not possible for something to be "impossible to patch." It just doesn't make sense. Yes, difficult, perhaps not feasible in the face of a complete rewrite, but impossible? What?

Without knowing the details of this exploit, which I'm too lazy to look into, I can't say anything assuredly. However I'd like to point out that just because an exploit exists, doesn't mean it's ever been used or that your previous browsing experiences haven't been more secure for using Firefox. Afterall, if the exploit was just recently discovered, and is quickly patched, what's the harm?

I'm sure pro-MS zealots will use this as ammo against Mozilla, which I think is just a mistake. As is so often pointed out, it's not just the issue of exploits, but how well known they are and how quickly they are patched. OSS has a much better history of that than Microsoft.

Oh, and for the record, I'm not some anti-MS or Linux zealot. MS makes some great products. .NET is completely amazing. I use Ubuntu Server on my personal web server and XP for all my workstations. Just trying to put myself in the clear to avoid possible derailination of this thread.

[ajack]

Window Snyder is the best name ever.

[DougEdey]

There's a difference between patching and rewriting the javascript implementation, since this appears to be a fundamental flaw, its like having a problem with research, you have to restart from the beginning.

[trailblazer]

There is an interesting article at http://arstechnica.com/news.ars/post/20060925-7818.html. Looks like opera is the clear winner, although not perfect.

[Cthippo]

Sounds to me like growing pains in the open source community. They have gone from being a nieche product to mainstream and are having trouble adjusting to all the attention, both from users and from attackers. I think in the end Open source is the best model for software develpment, especially from a security standpoint, but because of it's more diffuse organization it will take longer for the development base to change and adapt.

[trailblazer]

The general perception was that while Firefox had a small user base it would be left alone by hackers, but, if/when it started to become popular they would look for vulnerabilitys in the software. Looks like they are tearing it to bits, worse still, saying that the code is a mess and may be a challenge to fix. Until then,I will use Opera, if it works and is reasonably secure, that's fine by me. I am no fan of any particular web browser.

[sadffffff]

as much as i would love to point at this and be all like "hahahah, take that firefox fanboys, browser's not so secure now is it!" i really cant. i mean, my attitude has always been, "youre too paranoid" these exploits will never get you unless youre visiting some very questionable sites... IE hasnt failed me yet. never get any adware/spyware/viruses etc etc.. just be carefull and about any browser will work, despite SECURITY ISSUES OMG NO!!! so basically, meh...

i assume that by "unpatchable" they mean that patching it would actually have to be a total rewrite.. like the way they implemented java is wrong in the way they wrote it, so to fix it they have to write it differently.

[Cobalt]

I have never faced any of these kind of attacks with any browser. I really don't see where the attacks come from because I don't know of anyone who has been attacked. Even if hackers write the attacks, who is going to use them? Any sites that wish to cause harm will still be attacking IE becuase it is used by more people. Added to that, the type of people who use FF are more careful in their browsing habits anyway. Technology isn't the only factor to consider when looking at security. The human side of things is much more important.

[Lazarus Dark]

if i turn off javascript, how will that affect my browsing?