
Forum Moderators: incrediBILL


Mozilla and Firefox flaws exposed

     

Imaster

7:32 pm on Jan 7, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



"SecurityFocus has released a security warning with three problems that affect Mozilla on all platforms. The first issue allows the source of a download to be spoofed, generating a fake URL. This security issue is really easy to replicate: Create a long URL and the downloading box will only display its ending (Mozilla and Firefox). The second issue was created by the way that Mozilla's browsers handle news:// links to newsgroups; hackers can easily create false links and create a buffer overflow (Mozilla 1.7.5 and below, Firefox versions before 1.0). The third exploit affects machines with multiple users. The way that Firefox and Thunderbird store files allows every user to see them and to probably catch the other user's surfing habits (Firefox and Thunderbird). Let's hope that these will be fixed soon!"

For more, read
- Mozilla and Firefox flaws exposed [theregister.co.uk]
- Firefox flaw sparks a fiery debate [news.zdnet.co.uk]
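The first issue in the post above, as an added example (not from the original post and not Mozilla's code): a model of a fixed-width download label that keeps only the end of the URL, beside a version that always shows the scheme and host in full. The 40-character width, the function names and the sample URL are assumptions constructed for illustration.

```javascript
// Constructed model of a fixed-width "From:" label in a download dialog.
// LABEL_WIDTH is an assumed value, not taken from any browser.
const LABEL_WIDTH = 40;

// Constructed sample: a long path pushes the host far from the end of the URL.
const SAMPLE_URL =
  "http://downloads.example.net/files/" + "x".repeat(80) + "/setup.exe";

// Weak form: keep only the last characters of the URL.
// For a long URL the host scrolls out of view and the user cannot see the source.
function labelTailOnly(url) {
  if (url.length <= LABEL_WIDTH) return url;
  return "..." + url.slice(-(LABEL_WIDTH - 3));
}

// Hardened form: the scheme and host are never elided; only the path is shortened.
function labelOriginFirst(url) {
  const u = new URL(url);                      // u.host excludes any userinfo part
  const origin = u.protocol + "//" + u.host;
  const rest = u.pathname + u.search;
  if (origin.length + rest.length <= LABEL_WIDTH) return origin + rest;
  const room = LABEL_WIDTH - origin.length - 3;
  if (room <= 0) return origin;                // a long host is shown whole, path dropped
  return origin + "..." + rest.slice(-room);
}

console.log(labelTailOnly(SAMPLE_URL));
console.log(labelOriginFirst(SAMPLE_URL));
```
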

tedster

8:51 pm on Jan 7, 2005 (gmt 0)

WebmasterWorld Senior Member tedster is a WebmasterWorld Top Contributor of All Time 10+ Year Member



Thanks Imaster. It comes as no surprise that there are vulnerabilities (any browser IS software, after all) and I'm glad they're being uncovered. And given the Moz developers' track record, they'll be patched in short order, I hope.

From the 2nd link above - the ZDNet article:

One reader even took issue with the claim that Firefox is inherently more secure than IE. "Firefox may offer some 'security through obscurity', but once it gets to any sort of critical mass then it will be targeted. Since the hackers have the source code their lives will be that much easier, and when a patched version is released it will be easy for them to see where the vulnerability is and target older versions," said one London-based IT worker.

I've heard this argument before - in this very forum. It sounds right, on the surface, but I don't think it is. Time will tell, of course, but the kinds of liabilities IE has given us, where just visiting a web page downloads a worm and so on, are not likely to be found in Moz/Firefox.

Of necessity any non-MS browser is not so tightly tied to the operating system the way IE is - and that "integration" is the source of many vulnerabilities. So while it is true that a higher market share will bring more attempted exploits, I still doubt we'll see the same severity of security problems that have plagued Internet Explorer.

physics

9:02 pm on Jan 7, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Hackers don't need access to the source code to exploit vulnerabilities (if they did IE would be totally safe) so the argument that this makes Firefox weaker than IE is completely false.

gdrumm

9:13 pm on Jan 7, 2005 (gmt 0)

10+ Year Member



I've used Firefox exclusively for the past few months and I love it. I've only had a couple of sites that won't work because of it, but other than that it's great!

With regards to hackers, whadaya gonna do? No browser is gonna stop 100% of it.

justgowithit

9:15 pm on Jan 7, 2005 (gmt 0)

10+ Year Member



Moz and FF will start getting some heat as they gain popularity and will understand first hand what IE has had to endure all these years.

The true test of quality will be the speed at which a problem is recognized and corrected.

tedster

9:42 pm on Jan 7, 2005 (gmt 0)

WebmasterWorld Senior Member tedster is a WebmasterWorld Top Contributor of All Time 10+ Year Member



Also a factor in market success - which organization is better at spin and playing the media. Here's where mediocre products can still prevail despite the fact that there are better alternatives. We've seen it over and over, in technology and elsewhere in the market.

So, here's where it gets interesting to me. Whatever I read, I like to look under the surface a bit for the hidden motivation, the roots.

I'm hoping this forum can be a place where we do exactly that, and sort out the spin for what it is - wherever it originates.

bryholmsen

9:45 pm on Jan 7, 2005 (gmt 0)

10+ Year Member



justgowithit, there have been security holes in Mozilla/FF in the past, so it's not like no one has been looking for them before. How secure a browser is doesn't depend on how widely used it is. And with the $500 bounty on security flaws found in Mozilla, I'm sure more people than ever before are trying to find new ways to compromise Firefox. Money is always a nice incentive.

These two new ones aren't exactly critical vulnerabilities either...

paybacksa

2:09 am on Jan 8, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Every serious coder I know is willing to go to great lengths for the $500 *and* the claim of having submitted/been-paid for a Mozilla bug. It's a nice bounty.

Namaste

3:58 pm on Jan 8, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



But these are both bugs from older versions. They were removed by Mozilla themselves.

Mozilla should add an "auto-update" feature to their browsers that automatically updates to the latest versions.

tenerifejim

5:59 pm on Jan 8, 2005 (gmt 0)

10+ Year Member



Hackers don't need access to the source code to exploit vulnerabilities (if they did IE would be totally safe) so the argument that this makes Firefox weaker than IE is completely false.

Totally agreed. After all, Apache seem to be doing quite nicely.

RammsteinNicCage

2:52 am on Jan 9, 2005 (gmt 0)

10+ Year Member



They don't NEED the source code, but wouldn't having it make it easier - assuming you know how to read it, of course?

Jennifer

paulroberts3000

2:25 pm on Jan 9, 2005 (gmt 0)

10+ Year Member



Mozilla should add an "auto-update" feature to their browsers that automatically updates to the latest versions.

This is already there in Firefox 1.0

Kukenan

9:19 pm on Jan 11, 2005 (gmt 0)

10+ Year Member



I don't know whether this is related to this thread but Firefox (Mac OSX version) seems to have a bug regarding 301 redirects.

Once the browser reads the redirect, there is no way to load the old page, even if the redirect instruction is no longer there on the server.

If you are testing htaccess files it can be a nightmare!

Maybe some other user could corroborate this problem in another platform.

kaled

12:18 am on Jan 12, 2005 (gmt 0)

WebmasterWorld Senior Member kaled is a WebmasterWorld Top Contributor of All Time 10+ Year Member



If I understand you correctly, clearing the cache would probably work.

Kaled.

Kukenan

3:15 pm on Jan 12, 2005 (gmt 0)

10+ Year Member



It does! What a fool I am.

However, perhaps a simple reload should be enough for this..?

 
