This 38 message thread spans 2 pages.
|New Firefox 1.0.3 Vulnerabilities|
Cross-site scripting attacks use iframes plus update function
| 4:09 pm on May 9, 2005 (gmt 0)|
I haven't seen it here, but I only did a quick search, so dismiss this if it's already been posted. Two vulnerabilities have been discovered in Firefox that can compromise a user's system.
No patch as of yet, more info at
| 5:49 pm on May 9, 2005 (gmt 0)|
Thanks, much. The Secunia page says Mozilla has made a temporary fix to stop the combination attack - they've redirected the [update.mozilla.org...] address.
Note - we had two threads going on this topic, so I've spliced them together, leading with the one that has a link to the story.
[edited by: tedster at 6:51 pm (utc) on May 9, 2005]
| 5:53 pm on May 9, 2005 (gmt 0)|
I didn't see this posted anywhere else.
|Two vulnerabilities in the popular Firefox browser have been rated "extremely critical" because exploit code is now available to take advantage of them. |
The cross-site scripting and remote system access flaws were discovered in Firefox version 1.0.3, but other versions may also be affected, said security company Secunia, which issued the ratings Sunday.
As one headline put it, this is "IEerily familiar"
| 6:23 pm on May 9, 2005 (gmt 0)|
MS take a lot of flak for security issues etc.
I would love to know how some of the other companies would stand up to the level of 'interest' from these hackers etc.
| 7:03 pm on May 9, 2005 (gmt 0)|
I think we are finding out -- there has been a LOT of interest in FF from the dark side in recent months.
Yes, there will be vulnerabilities - this IS software after all. But I doubt that there will be the number and severity of problems in FF that we have seen in IE, because the Firefox browser is not married to the operating system the way IE is. There's just not as much raw material there for hackers to exploit.
What we already see a good bit of, and will probably see even more as FF grows in market share, is a crazy info-war that attempts to spin propaganda out of every flaw uncovered in FF. To Mozilla Org's credit, their responses have been extremely prompt to date. Much better than monthly patches.
IE security has definitely suffered from Microsoft's decision (actually, a business strategy rather than a technically savvy idea) to integrate the browser so deeply. I rarely use IE except for testing - but I can see from the little that I do that the security fixes they have added in make the browser extremely awkward to use.
I mean, who really understands what all those Internet Options do? Microsoft even refused to use established terminology. Not "Bookmarks", but "Favorites". Not "Reload", but "Refresh". They wanted their browser to be a business weapon, and they let that purpose overshadow its security and usability.
| 7:44 pm on May 9, 2005 (gmt 0)|
Do firewalls like the Fortigate 100, which have built-in AV, combat these browser vulnerabilities?
| 9:42 pm on May 9, 2005 (gmt 0)|
|I mean, who really understands what all those Internet Options do? Microsoft even refused to use established terminology. Not "Bookmarks", but "Favorites". Not "Reload", but "Refresh". They wanted their browser to be a business weapon, and they let that purpose overshadow its security and usability. |
IE's terminology makes more sense though. A "bookmark" is for books, not the internet, but people usually "bookmark" their "Favorite" pages, so "favorites" makes more sense since bookmarks should not technically apply to internet pages.
"Reload" does not explicitly imply that the code will be taken fresh from the server; it could mean to reload the page inside the browser window only (to resolve temp display issues perhaps?), but not necessarily with fresh code - "Refresh" on the other hand explicitly implies that the page will be "Freshened".
Anyway, I use FF myself (on OS X), but I am glad to see this since FF users have been long bragging the system is super secure, when in fact it's just not super tested, but is being tested more everyday.
Very good browser though!
| 9:47 pm on May 9, 2005 (gmt 0)|
|Do firewalls like the Fortigate 100, which have built-in AV, combat these browser vulnerabilities? |
In some cases a firewall might offer protection. But a browser vulnerability can act like an open door that allows malicious code to bypass your protection. In this case, for instance, exploits can make use of an auto-update function and most likely your firewall is configured to allow access to the server involved. That's one reason why Mozilla redirected the update url as a quick fix.
Whatever payload the malicious script installs could be blocked in the future when it tries to execute. For instance, if it's part of a planned DDoS attack and tries to spread itself. But then again, it might NOT be blocked. Only looking at each individual case could say for sure. Some of these payloads go right to the AV or firewall software these days and either disable it or install their own permissions.
So it's best to keep your browsers patched and stay tuned into the latest information.
| 9:59 pm on May 9, 2005 (gmt 0)|
So is 'page', right? It's just a metaphor. And to get a bit picky about the language, I often 'bookmark' pages during research that are definitely not my 'favorites'.
As I saw it unfold, these shifts in vocabulary were not benevolent "improvements" on the part of Microsoft. They were part of an intentional strategy to hold their users close and to make it more challenging for the average Joe to change to something else. In other words, they aimed at market dominance and were part of the first browser wars against Netscape. And those strategies clearly worked. Market dominance did not go to the "best" product in some Darwinian manner - dominance went to the browser that locked in a spot in the supply chain instead.
I still find those IE "Internet Options" to be almost opaque in some cases. Even the Security Zones thing is overly complex. What I want is a way to cleanly toggle jscript, css, activex, iframes and so on - and to know exactly what results come from each action I take. Transparency, not opacity! This is one area where I'd say Firefox does it better...but Opera is even better still.
| 10:27 pm on May 9, 2005 (gmt 0)|
Tedster, you made some very good points. I have doubts about the OS-integration argument, though. FF runs with the privileges of the currently logged-on user. The above vulnerabilities allow code to be executed with the privileges FF runs at. If the user has admin rights, an exploit could launch a payload that can do everything an admin can. In this case FF's lack of OS integration does not offer increased security.
Only in the case where the user does not have admin rights can IE's tighter coupling with the underlying Windows OS make it easier for an exploit to obtain admin privileges.
My biggest problem with FF is that everyone has access to the sources. This makes it easier to find vulnerabilities. Of course it also makes it easier to fix them. But put yourself into the position of a FF developer/contributor. Would you sit down and assess the source code for security breaches, especially considering that you'd want to find as many as possible? A hacker only needs to find one. That makes FF an easy target.
My prediction is that once FF's market share has reached a critical mass, it will become an attractive target as well.
FF needs an auto-updater à la Windows Update Service that fixes vulnerabilities within hours.
| 3:43 am on May 10, 2005 (gmt 0)|
It always cracked me up when ignorant people bashed IE for having periodic exploits and then spewed the whole "switch to FF, it's impenetrable compared to IE".
It's easy to see when you have a 90%+ market share all the hackers are going to focus their attentions on the product that will give them the best ROI. Switch roles, give FF 90% share and I GUARANTEE the ignorant rants would be exact opposites.
| 3:48 am on May 10, 2005 (gmt 0)|
"FF needs an auto-updater à la Windows Update Service that fixes vulnerabilities within hours."
Re the open source nature of the code, people who fix this are often not the same as those who develop it. So far Firefox has gotten fixes out very fast, no waiting for this month's cumulative service pack, no need to download XP SP2 to get some of the latest fixes. Some people like finding and fixing bugs, others like hacking out new code.
There comes a time when you have to release a product into the wild, then you start getting real testing, probing, searching for weaknesses etc. Don't be deceived into believing that having closed source offers you any protection at all; crackers know how to test weaknesses, they don't need to see the source code to do that. Windows has been a security canyon for most of its existence; Linux and FreeBSD have consistently been far more secure, by design, even with their source code open. There's no comparison at all.
ActiveX is and always has been the biggest hole in MSIE; the access it gives to the OS is deep level. If you've followed most of the recent Firefox security holes, most are relatively trivial compared to MSIE security holes, although they use the same term for both products, security hole. But a security hole is not a single thing; it's widely varying in what it exposes the user to.
The only potential problem I've seen first hand was a java thing, made me turn off my java support permanently, easy since I don't like java anyway, and I doubt many of you would visit a site like that in the first place ;-)
Stepping back to reality and not hype, I just had to sadly inform an acquaintance that no, sorry, I wouldn't spend the 5-10 hours required to extract CoolWebSearch from her son's computer. That's XP, IE 6. Nobody I've set up with Firefox has had any significant malware problems since I've set them up, end of story.
Re controls: web developer tool bar, disable whatever you want, right there, can't get much easier than that.
| 4:28 am on May 10, 2005 (gmt 0)|
FF's new update function has crippled more installations of FF on my machines than anything else. Although this might be a good idea in theory I would switch off any auto-update function in FF if it were introduced.
When the next version of FF comes out I would advise you to un-install your current version of FF and then do a fresh install of the new version. Your extensions, themes and settings will be preserved.
| 5:56 am on May 10, 2005 (gmt 0)|
One thing I hope is becoming clear to all browser developers, whether at Moz, MS, Opera, Safari or anywhere else. What is needed is a much tighter alliance between the browser makers and a strong understanding that the hackers (outlaws, thieves, scum, terrorists) are the enemy -- not other developers who are trying to create products that help users and companies.
One place such cooperation could bear fruit would be to help law-making bodies and law-enforcement bodies deal with the criminal behavior that hurts the benefits of the web. Most exploitation of browser holes is not just a prank or an academic exercise. We need to spend energy toward strong and enforceable technology laws, rather than wasteful browser warring and spin doctoring.
There's plenty of money to be made along the way without any one company trying to take home all the marbles. But if we don't put a lid on the lawlessness, no browser will be as successful as they all can be.
| 9:24 am on May 10, 2005 (gmt 0)|
|My biggest problem with FF is that everyone has access to the sources. This makes it easier to find vulnerabilities. Of course it also makes it easier to fix them. But put yourself into the position of a FF developer/contributor. Would you sit down and assess the source code for security breaches, especially considering that you'd want to find as many as possible? A hacker only needs to find one. That makes FF an easy target. |
I think open source actually does the opposite. Since there are a ton more honest programmers reading through the source, odds become naturally much higher that an exploit or vulnerability will be found by an honest coder who will report it instead of abusing it.
Hackers who want source code are going to get source code, just the same as criminals who want guns are going to get guns.
Security through obscurity is not security.
| 10:05 am on May 10, 2005 (gmt 0)|
I'm not trying to underplay this, but:
Successfully implementing the 2 exploits would gain the cracker:
1 - access to cookies
2 - arbitrary code (if the user goes through the installation dialog for an unknown plugin)
Rated - _extremely_ critical.
Comparing this to past IE exploits... is it not being rated too highly?
(mainstream media are picking up that this is an extremely critical flaw)
|troels nybo nielsen|
| 10:28 am on May 10, 2005 (gmt 0)|
gethan, I found these semi-official comments from an Opera representative in a forum in My Opera:
|Even with these critical flaws in Firefox, it hasn't even begun to approach IE's level of insecurity. |
|Firefox is still a safer choice than IE. |
If Firefox is defended by a competitor it cannot be all that bad.
| 12:42 pm on May 10, 2005 (gmt 0)|
|But put yourself into the position of a FF developer/contributor. Would you sit down and assess the source code for security breaches, especially considering that you'd want to find as many as possible. |
Yes, because of Mozilla's Bug Bounty [mozilla.org] program.
| 3:10 pm on May 10, 2005 (gmt 0)|
For those that are comparing Firefox's security to Internet Explorer's security... the server portion of the vulnerability was fixed over the weekend... so you're not vulnerable unless you alter the whitelist. As to the vulnerabilities, let's see how long it takes for them to be fixed. Bear in mind, of course, that Microsoft usually leaves vulnerabilities sitting there for months even when full details are public and multiple spyware and worms are actively using them to infect people's PCs.
Mozilla Firefox has 5 out of 16 security advisories listed as unpatched at Secunia. Only 1 -- the one we are discussing here -- could allow system access (and it would take multiple steps and a confirmation click to install on the part of the user).
Mozilla Internet Explorer has 19 out of 80 security advisories listed as unpatched at Secunia. Another 10 security advisories are listed as only partially patched. 3 of the completely unpatched vulnerabilities allow system access and date back to August 2003.
So, we have one product which has a single remote code exploit which is no longer exploitable on 95% of the systems it is installed on and will have a patch available within days. And another product which has 3 different ways it can be used to install random software using vulnerabilities that have gone unpatched for as long as a year and a half.
Which product do you choose?
| 3:58 pm on May 10, 2005 (gmt 0)|
> Which product do you choose?
Great points CritterNYC - it would be nice to see the same common sense applied to some of the press reports at the moment.
|troels nybo nielsen|
| 4:19 pm on May 10, 2005 (gmt 0)|
Journalists helped build Firefox up because of the good story. Now journalists help tear Firefox down because of the good story. Nothing new in this. Seen many times before.
| 5:42 pm on May 10, 2005 (gmt 0)|
|FF needs an auto-updater à la Windows Update Service that fixes vulnerabilities within hours. |
>Sorry, but MSIE vulnerabilities don't get fixed 'within hours', if you believe that you'll believe anything MS throws your way.
You're right, SUS or WUS don't fix anything within hours, but that's not what I meant. I admit my wording was ambiguous, so let me rephrase: FF needs an auto-updater that A) works, B) downloads and installs hotfixes (i.e. delta patches instead of the whole package), C) can be redirected to a proxy update server and D) looks for updates on a daily or even hourly basis. SUS and WUS offer features B), C) and to some extent D). The problem with D) is that MS simply doesn't issue hotfixes more than once a month usually. Once the hotfix is available, SUS will download it within 24 hours.
|I think open source actually does the opposite. Since there are a ton more honest programmers reading through the source, odds become naturally much higher that an exploit or vulnerability will be found by a honest coder who will report it instead of abusing it. |
I think that's a myth. I also think you should read my post again because it will tell you why I think it's a myth. Also, how do you know that there is "a ton" more honest programmers reading the source than there are dishonest ones? Do you know how many skillful enough hackers there are?
|Security through obscurity is not security. |
Another myth. Of course obscurity can provide security to some extent. Security is not a black-and-white subject. There is no 100% security, and obscurity can provide for a weak type of security which might be sufficient in some situations.
| 7:44 pm on May 10, 2005 (gmt 0)|
|Security through obscurity is not security. |
|Another myth. Of course obscurity can provide security to some extent. Security is not a black-and-white subject. There is no 100% security, and obscurity can provide for a weak type of security which might be sufficient in some situations. |
Sorry, this isn't a myth; find me one security expert who would agree with your statement, one competent one that is. What is a myth is that security through obscurity is an effective security practice. As I noted, all MS products have used this method since MS was born, and they have had untold numbers of massive vulnerabilities.
As I noted, there is simply no comparison between an OS like BSD/FreeBSD and Windows, none, and its source code has been open for decades. Firefox is fundamentally more secure than IE, I'm not sure where you get your ideas from, but they don't have much to do with documented history or real security.
The overwhelming majority of crackers do not sit and read the source code, all million lines or whatever, that's a fantasy, most of them can't even read complex code. What they do is push and probe using established tools and methods, get on cracker irc channels, share information, test, use tweaks and modifications of existing methods to locate new combinations that might gain them some access.
Maybe a minuscule percent might be able to, and be willing to, read a massive amount of source code to find a security hole, but in most cases they'd be better off just spending some time creating test exploits. Most really serious crackers end up working in security; a majority of security alerts are found by these types of security analysis organizations, who do have the skill and resources to study the source to find vulnerabilities.
Most of the recent Firefox security patches by the way were released before any actual exploits were released, which of course means that their bug and security testing system is working quite well, with source code open it's very easy for pros to find the source of the vulnerability as well as for the bug fixers to issue repairs.
There is no way you can anticipate every possible thing when you create a major app like Firefox, or any other app, so there comes a time when you have to expose it to testing at this level. Remember, every security hole found and fixed is one less to exploit, especially on packages as relatively small as Firefox and Opera. IE is I think a 15-20 MB package, 4-5 times as much code, and that many more areas it can be cracked. Plus the ActiveX junk.
Personally I'd like to see ActiveX and Java dropped completely. Java has security issues too, and it's very unlikely the average user is ever going to download the very latest Java runtime environment because they've been reading Secunia every week to keep up on alerts.
Re the update issues on Firefox, most of those are extensions breaking, definitely an area that needs improving. It's gotten much better since pre-1.0 Firefox, but there is a way to go; 1.3 broke a few extensions quite seriously, luckily not ones that average users have installed, but it's an issue anyway.
tedster: re crackers being 'the enemy', I don't agree. They aren't the enemy; they are doing massive amounts of free vulnerability testing that can only improve the products that they target. Plus of course they keep my clients in a state of terror, which can be quite profitable, LOL.... kids will be kids, at least curiosity hasn't died completely. And the more security is brought front and center, the more pressure there is to get security better. Imagine no cracker script kiddies pushing at MS; that would just leave the Russians and their ilk to quietly develop ways to take over systems at will with almost no publicity ever, no broadcasts like "you iz owned, hakerzkru2110" to wake up the industry.
| 8:52 pm on May 10, 2005 (gmt 0)|
I hear your angle on this, but it ain't all kids working these exploits - there's some very serious stuff going on. To me, your argument is a bit like saying diseases are good because they strengthen your immune system.
| 9:06 pm on May 10, 2005 (gmt 0)|
"is a bit like saying diseases are good because they strengthen your immune system."
Yes, that's exactly right tedster, diseases are in fact good because they strengthen your immune system. If you had been raised in a bubble and I dropped you anywhere in the world, you'd be dead in a few months. That's one of the big things that the Native Americans experienced when the Euros came to visit; they simply had no immunity at all to the bag of diseases we carry around with us.
The script kiddies are like the common cold, or mild flus; they help inoculate your systems against the really dangerous guys out there, but more importantly, they wake you up to realize what the potential for exploits is.
Well, not really against the true enemies, who we let into our computers because they have a smiling face and a 'user friendly' interface. Last quarter MS posted results, windows division, something like 2.7 billion income, 2 billion profit, about the same for Office. If the seriousness of the 'enemy' is gauged by how much they steal from you, MS wins this one hands down. Forget coolwebsearch etc, those are just amateurs in this game, make a consumer os monopoly and you'll be raking in the big bucks, why think small?
I like having a secure browser/email client, since that's what I use to access the web. The OS doesn't worry me; it takes a relatively foolish action to catch any malware nowadays. I use the lightest AV stuff out there on Windows, just for those odd sites that might try something funny, nothing on Linux. The only way it will get secure is for the holes to get found, then fixed, and the people most interested in finding them aren't you or me.
Plus of course since I switched to Gecko-powered stuff years ago I have zero, count them zero, problems with malware, and once I switched to Thunderbird, I have no real issues with email-borne stuff. Both were designed for security, and they work much better year in and year out than anything MS offers when it comes to security. There is no comparison, which is why the argument about security through obscurity is so silly; we can all see the results first hand, the result, based on our experience. Anything else is just a repetition of spin and marketing hype taken in uncritically then regurgitated as 'fact'.
| 11:03 pm on May 10, 2005 (gmt 0)|
I've been getting strange errors on a couple of sites that use SSL for security. Something like that Firefox is not compatible with the security certificate or the authentication has expired.
This has happened on the following setups:
Firefox 1.0.2 on Windows 2000 Professional
Firefox 1.0.3 on Windows XP
| 11:21 pm on May 10, 2005 (gmt 0)|
Please note that there have been no reports of anyone exploiting the "extreme" vulnerability reported by the "pat-myself-on-the-back-for-reading-bugzilla" Secunia (which, by the way, is simply trying to leverage its media contacts for its own benefit).
The FF team of volunteers put out their temp fix before any exploit had been launched. And this is all happening in the space of a few days. Bugzilla put out the word on the vulnerability so anyone could see it ... and help fix it.
When there's an IE security flaw, it is always kept quiet as long as MS can do so, and it is usually months before any kind of fix is available ... as the real exploits kick into gear and start trashing machines. August 2003? Boy, that's a speedy response by MS's team of professional, full-time programmers.
Re FF automatic updates: the biggest hassle with those working perfectly has always been extensions ... which can be written by anyone who wants to. That does open the door to sub-standard programming, and almost always there are extensions written by folks who simply do not think past whatever version they have installed on their own system, and their own OS. When an update to the mother app is performed, it conflicts with that poorly designed bit of code contained in the extension(s).
And FF does check regularly for updates, all by itself. You can see the little "update available" icon up next to the "waiting" icon in the upper right corner of the browser. Click it, you're updating. If you haven't gone nuts with questionable extensions, it's a smooth transition.
I have heard of people (like my Dad) who had troubles with updates after "upgrading" to WinXPSP2 ... but who hasn't? As long as FF is "forced" to run on its amazingly bit**y competitor's platform, it will encounter speed bumps, road blocks, and downright hamstringing.
BTW: As anyone in the non-MS world could tell you, it's not a good idea to run your daily operations as the root user. NT/XP users take note: set up a second, "normal" user without root privileges and do your daily computing as that user. You can always switch to root/admin when you need to install something.
| 11:30 pm on May 10, 2005 (gmt 0)|
stupidscript, you've been reading the wrong stuff, you need to go to technet or the other kissa## MS sites that blindly repeat the latest MS press releases more so you can find the truth, haha, your stuff actually has something to do with reality, you've got to fix that fast or you could have problems...
Nice points, all exactly right, although I'd differ slightly re the extensions, Firefox 1.0.3 had an internal change that broke a few extensions, wasn't the extension author's fault, and it was fixed fast. But they are the main issue still, but that will get better and better as time goes by, remember also that the vast majority of users don't download anything or change anything, so these issues tend to impact power users much more.
Keep your eyes on the goal: you have had a more secure browser since you switched to Opera or Gecko-based ones. There is no time this has not been true; the browser you use in the present is more secure than MSIE, and always has been. Same with Thunderbird.
| 11:40 pm on May 10, 2005 (gmt 0)|
Thanks for the FF 1.0.3 adjustment, 2by4.
And to give MS programmers a break (because they really are pretty good at what they do), it is so much more complicated to issue a patch for IE because of its integration with the OS. Fix a bug ... break a feature. Very tough balancing act for them, and no team up in Redmond has all of the pieces ... they are all working on subsets of the whole while not talking to each other. A piece of programming is released by one team only to be sent back because of something another team was doing that conflicted with it.
So they do try, but they're working in a difficult environment.
| 12:23 am on May 11, 2005 (gmt 0)|
|Mozilla Firefox 1.0.4 Release Candidates |
Tuesday May 10th, 2005
...release candidate builds of Mozilla Firefox 1.0.4 are now available. Firefox 1.0.4 includes security fixes for the two security flaws that can lead to arbitrary code being executed....