Posted on 05/09/2005 7:00:15 AM PDT by holymoly
Firefox seems to be heading Internet Explorer's way with security research company Secunia stating on its website that two vulnerabilities found in the popular browser can be exploited to conduct cross-site scripting attacks and compromise a user's system.
The Mozilla Foundation is aware of the two potentially critical Firefox security vulnerabilities. They maintain that there are currently no known active exploits of these vulnerabilities though a "proof of concept" has been reported.
Mozilla stated that it is aggressively working to provide a more comprehensive solution to these potential vulnerabilities and will provide that solution in a forthcoming security update. Users can further protect themselves by temporarily disabling JavaScript.
According to Secunia the problem is that "IFRAME" JavaScript URLs are not properly protected from being executed in context of another URL in the history list. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an arbitrary site.
It seems that input passed to the "IconURL" parameter in "InstallTrigger.install" is not properly verified before being used. This can be exploited to execute arbitrary JavaScript code with escalated privileges via a specially crafted JavaScript URL.
A combination of the vulnerabilities can be exploited to execute arbitrary code.
Secunia also claims that the exploit code is publicly available. So far the vulnerabilities have been confirmed in version 1.0.3. Other versions may also be affected.
A temporary solution has been added to the sites "update.mozilla.org" and "addons.mozilla.org" where requests are redirected to "do-not-add.mozilla.org". This will stop the publicly available exploit code using a combination of the vulnerabilities to execute arbitrary code in the default settings of Firefox.
(Denny Crane: "Sometimes you can only look for answers from God and failing that... and Fox News".)
Opera has a great "magnify" feature that allows you to increase the size of the page, not just text. Unfortunately, Opera crashes too much.
Still, it's 16 vulnerabilites for Firefox vs. 80 vulnerabilities for Internet Explorer...
16 vulnerabilites for Firefox vs. 80 vulnerabilities for IE...Firefox is sure going the way of IE... - sarcasm. Microsoft publishes 8 security fixes at a time!
80? That was last week.........I'm sure it's more than doubled that by now......
The ONLY reason Firefox and the Mac browsers are "safer" is simply because they are not used extensively enough for hackers to bother with them! If and when they come into broader use they will suffer the same security issues as Microsoft IE.
Why should a hacker spend any time hacking only 7 percent of web browsers (Firefox & Mac) when he can spend the same amount of time and hack into 93 percent of everyone's computers?
Oh yeah? Well my Firefox can kick your IE's butt! LOL
It really is a nice browser with a fuller feature set (not just the tabs.. people go ga-ga over the tabs). The extentions are what make Firefox awesome. Well.. that and the fact that it ain't Microsoft. ;)
"Well, there's always...
Opera"
As I understand it, Opera uses IE's engine, it's got all the vulnerability of IE. Not that it's not a nice browser, but it's no more secure than Firefox and most likely a lot less.
Firefox security ping
The numbers you cite are TOTALS of PATCHED and unpatched vulnerabilities discovered so far for browsers of DIFFERING ages.
The Secunia security service lists as UNPATCHED 19 of 80 threats for the several-YEAR-old Internet Explorer 6.x, 5 of 16 for the several-MONTH-old Firefox 1.x, and 0 of 0 for the serveral-WEEK-old Opera 8.x.
I've used Opera for quite a while now and have very few crashes. Have you tried the new Opera 8 that is just out? These old eyes love the magnify feature.
I bought 6 at the end of the cycle and they offered me (a paying cutomer) no discount for 7. I would think they would treat their non-adware customers better. I don't want adware, and I am not willing to pay full-freight for an upgrade when the last one crashed too much and was disagreeable with some web pages. I wish them well, but I'm okay with Firfox.
"As I understand it, Opera uses IE's engine, it's got all the vulnerability of IE." - Shadow Deamon
That's false. Unlike many "alternative" browsers, Opera has it's own engine. And, for whatever reasons, Opera's current and past versions have consistently had fewer UNPATCHED security problems than IE and Firefox.
Yes, let's completely ignore the quality of the code and design principles that were involved because we know that all programs inherently equal...
Sounds like the IT version of the post modernist view that all truth systems are ultimately equally valid and invalid.
Yes, that is clearly a benefit! I am simply bothered that people who know better always report how much "safer" these browsers are. They are not inherently safer, they are safer only because they are simply not in wide enough use - yet.
"The ONLY reason Firefox and the Mac browsers are "safer" is simply because they are not used extensively enough "
That is a lie, and you guys know it. IE is tied into the complete operating system, no way any other browser has that many vulnerabilities.
you've seen the IE code?
The numbers speak for themselves...
"That's false. Unlike many "alternative" browsers, Opera has it's own engine."
Oh, thanks for setting me straight on that. I'll have to take a more serious look at Opera then. It looks like a very nice browser but I was leary about the engine.
I currently use Firefox and have for several years with no problems at all.
Who cares why? I just want safe more hassle-free computing. The rest is theoretical esoterica: interesting to debate, irrelevant when choosing a computer/browser.
Yeah, really. Somebody flunked headline writing class at journalism school.
Bush2000, you're alive! I thought you were banned by now :)
It wasn't a non-sequitir, but I did leave myself open. Let me put it this way, an equivalent set of programmers writing a Firefox, or an IE, will inherently end up with more vulnerabilities with an IE because there is so much more going on at a lower level in the operating system. That's just a logical fact.
If IE were split off from the operating system, it would be less vulneerable to system destroying exploits. Why would I write a crappy Firefox virus when I could destroy western civilization by driving a core through Internet Explorer on every machine?
OK. Post #8 in this very thread.
He not only used the word "Only," but he bolded it and used all-caps.
That pretty much means that he considers all code to be equally insecure.
Almost every single thread about software, someone will bring up some variation of the above line. I've gotten so sick of seeing it, that I have a preformatted reply that exposes it for the FUD that it is.
Oh, I don't know. Perhaps as someone else already said on this thread, it might be done for the bragging rights of having created the first successful virus/worm to attack Macs.
I've seen this charge that the small market share that Mac and Linux have is what keeps them safe. It is repeated often enough and seems reasonable enough until you actually look at the history of some other worms/viruses.
Consider: the spread of the Witty Worm.
Quoth the poster:
Witty infected only about a tenth as many hosts than the next smallest widespread Internet worm. Where SQL Slammer infected between 75,000 and 100,000 computers, the vulnerable population of the Witty worm was only about 12,000 computers. Although researchers have long predicted that a fast-probing worm could infect a small population very quickly, Witty is the first worm to demonstrate this capability. While Witty took 30 minutes longer than SQL Slammer to infect its vulnerable population, both worms spread far faster than human intervention could stop them. In the past, users of software that is not ubiquitously deployed have considered themselves relatively safe from most network-based pathogens. Witty demonstrates that a remotely accessible bug in any minimally popular piece of software can be successfully exploited by an automated attack.
I suspect there are more than 12,000 Linux and/or Mac hosts out there on the internet.
Also, consider that the folks who were hit with this were also among the more security-concious users:
The vulnerable host population pool for the Witty worm was quite different from that of previous virulent worms. Previous worms have lagged several weeks behind publication of details about the remote-exploit bug, and large portions of the victim populations appeared to not know what software was running on their machines, let alone take steps to make sure that software was up to date with security patches. In contrast, the Witty worm infected a population of hosts that were proactive about security -- they were running firewall software. The Witty worm also started to spread the day after information about the exploit and the software upgrades to fix the bug were available.
Show me a successful worm/virus against Macs and I'll listen. Until then, your talking point is FUD.
A full discussion of the 'witty' worm can be found Here
Source: http://news.yahoo.com/s/pcworld/120756
Firefox has unpatched "extremely critical" security holes and exploit code is already circulating on the Net, security researchers have warned.
The two unpatched flaws in the Mozilla browser could allow an attacker to take control of your system.
A patch is expected shortly, but in the meantime users can protect themselves by switching off JavaScript. In addition, the Mozilla Foundation has now made the flaws effectively impossible to exploit by changes to the server-side download mechanism on the update.mozilla.org and addons.mozilla.org sites, according to security experts.
The flaws were confidentially reported to the Foundation on May 2, but by Saturday details had been leaked and were reported by several security organizations, including the French Security Incident Response Team (FrSIRT). Danish security firm Secunia marked the exploit as "extremely critical", its most serious rating, the first time it has given a Firefox flaw this rating.
In recent months Firefox has gained significant market share from Microsoft's Internet Explorer, partly because it is considered less vulnerable to attacks. However, industry observers have long warned that the browser is more secure partly because of its relatively small user base. As Firefox's profile grows, attackers will increasingly target the browser.
Two Vulnerabilities Found
The exploit, discovered by Paul of Greyhats Security Group and Michael "mikx" Krax, makes use of two separate vulnerabilities. An attacker could create a malicious page using frames and a JavaScript history flaw to make software installations appear to be coming from a "trusted" site. By default, Firefox allows software installations from update.mozilla.org and addons.mozilla.org, but users can add their own sites to this whitelist.
The second part of the exploit triggers software installation using an input verification bug in the "IconURL" parameter in the install mechanism. The effect is that a user could click on an icon and trigger the execution of malicious JavaScript code. Because the code is executed from the browser's user interface, it has the same privileges as the user running Firefox, according to researchers.
Mozilla Foundation said it has protected most users from the exploit by altering the software installation mechanism on its two whitelisted sites. However, users may be vulnerable if they have added other sites to the whitelist, it warned.
"We believe this means that users who have not added any additional sites to their software installation whitelist are no longer at risk," Mozilla Foundation said in a statement published on Mozillazine.org.
Very good, but IMHO you should add the even better example of the web servers. I forget which two servers we're talking about (I want to say Apache and IIS, but don't hold me to that), but in any case one of the servers has a far lower market share than the other, yet gets successfully attacked far more. Somebody made a great post about it on FR somewhere not too long ago.
Apache is definitely one of the best examples, but it is somewhat lessened in impact since Apache runs on Windows as well as Unix. Perhaps I'll be able to find some good stats that breaks usage down by OS.
Thanks for the suggestion. I'll see what I can do. If you happen to locate any other posts with similar stuff, feel free to ping me to the threads.
My wishes are here now.
Get ready to start patching.
I run software update about once a month or when necessary. That's it. No other malware, virus protection, hassles, costs involved.
But at least you won't have M$ to kick around, eh?
I'm happy with Microsoft now - it keeps our support people quite busy. But if a user can do without them, they'll have less hassle and more safety.
Dunno why anyone would wish otherwise.
I'm curious: Why do you think we are forever doomed to the current status quo of internet computing? Do you think things will never get better in terms of security cost, hassle and safety?
Actually they do -- thanks for pointing that out. You neglected TIME (length of each app on the market, and time taken to isolate and fix the vulnerabilities.) The numbers says that 80 vulnerabilities in Explorer and only 16 have been fixed in Firefox. This pops the myth "that open source is more secure" because Firefox has been around a lot less then Explorer and still major vulnerabilities have been found. It would be an interesting data point to discover how many vulnerabilities Explorer had in the same time period as Firefox.
I believe Firefox is based on the Mozilla/Netscape code and has been around for quite a while...
I recently downloaded Firefox and now find that if I close it I cannot reopen it without rebooting. Does anyone else have this problem with Firefox? Am I doing something wrong?
Sorry, I misunderstood. I thought you were using antivirus, anti-spyware, multiple firewalls, and on the multiple OS, app upgrades... etc. train.
these series of patches are just your imagination.
Sorry again. I didn't mean to imply that absolutely nothing was required after buying the 'puter - only that an almost hassle-free secure computing environment exists today.
Good to hear you say. I think the same will be true for security eventually. It may be the major software vendors or it may be with extending the security fence by ISPs or some combination. But I don't think the current security cost/vulnerability situation will continue indefinitely.
I fail to see the downside of using Firefox right now...If you are stating that it will be as insecure as the product that most users are using right now (IE), that does little to champion IE usage.
IE users:"Don't worry, Firfox will be as bad as us soon. So, use IE now and despair with us."
Which version are you using?
That's odd. It sounds like the process isn't terminating properly for some reason. The first thing I would suggest is disabling any extensions you've added and returning to the default skin if you've changed it. If that solves the problem, you can re-enable the extensions one at a time until you find the offender. If that doesn't fix it, or you don't have any extensions/skins in the first place, I would suggest uninstalling it and reinstalling it.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.