Discussion in 'Article Discussion' started by Gareth Halfacree, 7 Sep 2015.
All fixed now, thankfully.
So in other words, ditch all Mozilla software unless it's a new project that doesn't share the existing codebase.
Huh? Not quite sure how you're reaching that conclusion, there...
Whilst they claim they have fixed the exploits and holes (we've heard that before), those holes are likely to be found littered in other parts of their applications, which the script kiddies could use as springboards and vectors to find other holes that they will definitely not be reporting to Mozilla.
Plus they are only now letting us know about the breach? I know it's kind of hard to say, don't visit dodgy sites whilst we fix this, but I wonder if the majority of the drive by malware that has been getting onto mainstream sites was because of this breach?
I have been a long time Firefox user, but the crashing and memory leakage once you go over n tabs by n windows is just plain annoying.
Do you apply this same rule to EVERY piece of software with a known exploit? Because one wonders what kind of computer you're running.
There is such a thing as open source, where finding repeat code is a thing, along with decent refactoring.
There is a reason fewer and fewer people run JRE and Flash these days, and more are installing NoScript and various ad-blocking tools. Do you like leaving the door open when you leave your house?
I still don't understand your point of view, I'm afraid. The attackers gained access to a private portion of the bug-tracking system, which gave them knowledge of security vulnerabilities that had been discovered and reported but not yet patched. Mozilla says (and we have no reason to doubt them) that the latest patch to Firefox closed the last of the vulnerabilities that the attackers had access to, meaning that the information the attackers gained through their access to the bug-tracking system is now obsolete.
From your comments, you appear to be suggesting that the attackers had access to the Firefox source code, and can scan it for vulnerabilities that even Mozilla doesn't know about. The attackers, of course, did have access to the source code. Everyone does. Even you. It's open source. You can also read the self-same bug reports the attackers did: when the flaw is patched, the originally-private bug report is opened to the public.
As for script kiddies finding new vulnerabilities, that's not going to happen: the name "script kiddie" refers to an immature cracker ("kiddie") with little to no technical knowledge and who just downloads an attack tool ("script") written by somebody else and runs it. Script kiddies - or to use my preferred variant, s'kiddiots - don't discover jack.
Are you saying that a hardened Debian install has no vulnerabilities? Boy, do I have bad news for you...
Ah, I didn't know they moved the fixed security vulns back into the visible closed section.
The majority of those security updates are server and media playback related. Usually when one hardens their OS, they uninstall anything not needed there and then. Heck, Server Core was touted as more secure because there was hardly any GUI installed.
I thought you might argue that, if you hadn't looked closely at the list of security bulletins. Here's a list of nine vulnerabilities in the Linux kernel shipped with Debian, including privilege escalation and information leakage attacks. Here's another six. Another three. Another ten. Another eleven. Another five.
Sure, hardening involves removing unnecessary packages to reduce the attack surface - but you're not going to get very far if you remove the Linux kernel... (That said, your system would be entirely immune to attack, I guess: you can't attack a system that can't be booted up in the first place.)
On the subject of removing and avoiding historically vulnerable packages, as well as not being able to use your system as a server or a media playback machine you wouldn't be able to print anything, use SSL/TLS encryption, mount filesystems using FUSE, install new packages including security updates, use sudo, use the ext2, ext3, or ext4 filesystems, have a graphical user interface, upgrade Debian to a new release...
All these vulnerabilities, incidentally, are from this year alone. No software is entirely secure: hell, there have been bug reports filed against 'true,' a command-line application whose only job is to return 1 and quit.
And now he can't ever use Linux again, because once there's a security vulnerability found he abandons the software entirely.