Welcome to WebmasterWorld Guest from 22.214.171.124
Forum Moderators: incrediBILL
"Internet Explorer, everybody knows, is not very secure. But Firefox is also fairly insecure," said Spiegelmock, who in everyday life works at blog company SixApart. He detailed the flaw, showing a slide that displayed key parts of the attack code needed to exploit it.
Hackers claim zero-day flaw in Firefox [news.com.com]
If you are running Firefox as a standard user (no administrator privileges), in what sense does the bad guy "commandeer the computer" with this exploit?
I suppose "commandeer the user account running the application" doesn't sound nearly as sexy.
good enough. that's a big flaw.
Yes, it's a big flaw.
The point is that firefox runs as a user-space application. Another browser that is regarded as being a part of the operating system, might be FAR MORE vulnerable if it had this kind of vulnerability.
Given the choice, I'd prefer a user-level compromise to a root-level compromise on a workstation hooked to my corporate network. I assume we all would.
I would say 99% of home users run with admin rights...
You're probably right.
What percentage of cyclists wear a cycle helmet? Not that many, but strangely there aren't many cyclists who'd argue that they're prefer to be knocked off their bike WITHOUT a helmet vs. WITH a helmet.... so just because not many people do 'X' doesn't mean that 'X' is a bad idea.
Put another way, if MSFT were writing the security bulletin for this issue, they'd say something like:
"Mitigating factors: In an attack of this exploit, customers would have to be running Firefox with Administrator rights. Best Practice and the MSFT blah-blah-blah deployment guides would ALWAYS suggest running with least privilege. Yes, it's a real pain, and No, most of our own applications won't work, but our lawyers say if suggest running with least privilege and you decide not to, it's your problem not ours."
Go check out [microsoft.com...] if you don't believe me :-)
Gaining user access gains access to the machine, and then the person can hide out and take their time looking for permission and configurations that will gain root access.
In any case, I don't think any one is discounting the fact that all browsers have security problems. The fact remains that FF and other are far more secure than IE and the developers are constantly working on improvements which can be issued at any time while IE developers can take years.
EDIT: And now PC World reports that iDefense, a division of VeriSign, does not consider this exploit critical and found the exploit to be 'unreliable'.
If the user is running as an user in Linux this isn't a major problem (compared to others), running as a user in the Windows world is probably not the norm, so it can really hurt.
All software has gotchas, some gotchas can cause more problems than others.
The golden rule is:
while (not the end of the universe)
Please note there is no test for found last bug.
[edited by: theBear at 1:54 am (utc) on Oct. 3, 2006]
If you load up a program with constant memory overflow checks it starts to crawl.
The difference is that IE is on a fixed 30 day cycle so the black-hats know they can release a deadly bug into the wild 24 hours after patch Tuesday and get a full month out of it (or more). Unless it's a DRM bug, and that will get fixed within a day or two.
Firefox responds much quicker once there is a threat. It's also far more customizable.
When IE has a bug like this they say to entirely disable the feature and you are stuck for at least a month like that (or more).
I don't use Firefox because I hate IE, I use Firefox because I don't know how I got anything else done before I used it!
[ LOL - At long last - payback for all the annoying "switch to Firefox" posts that Firefox users insist on posting whenever there's an (all too frequent) IE flaw :) ]
There is a book out that studies and discounts the 'more popular more attacks' theory. It addressed open source, particularly, and said it would not happen because open source is considered created by the proverbial 'we' and 'us'.
Another thought on this is to consider attacks on Firefox or Opera on Linux vs Windows systems. Many vulnerabilities are the result of weaknesses in the OS and not the browser.