
Forum Moderators: incrediBILL


Mozilla and Firefox flaws exposed

     
7:32 pm on Jan 7, 2005 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Feb 3, 2003
posts:961
votes: 0


SecurityFocus has released a security warning with three problems that affect Mozilla on all platforms. The first issue allows the source of a download to be spoofed, generating a fake URL. This security issue is really easy to replicate: Create a long URL and the downloading box will only display its ending (Mozilla and Firefox). The second issue was created by the way that Mozilla's browsers handle news:// links to newsgroups; hackers can easily create false links and create a buffer overflow (Mozilla 1.7.5 and below, Firefox versions before 1.0). The third exploit affects machines with multiple users. The way that Firefox and Thunderbird store files allows every user to see them and to probably catch the other user's surfing habits (Firefox and Thunderbird). Let's hope that these will be fixed soon!

For more, read
- Mozilla and Firefox flaws exposed [theregister.co.uk]
- Firefox flaw sparks a fiery debate [news.zdnet.co.uk]
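
The first issue in the post above comes from a dialog that shows only the tail of a long URL. As an added example (not part of the original post and not Mozilla's code), this sketch contrasts that tail-only display with one that always keeps the parsed host visible; `naiveTail`, `formatDownloadSource`, `maxLen` and the sample URL are hypothetical names and constructed values.

```javascript
// Tail-only display, as the post describes: a long URL is cut from the left,
// so the part that identifies the real server can scroll out of view.
function naiveTail(url, maxLen) {
  if (url.length <= maxLen) return url;
  return "…" + url.slice(url.length - (maxLen - 1));
}

// Host-preserving display: parse the URL first, always print scheme and host,
// and spend whatever room is left on the end of the path (the file name).
function formatDownloadSource(url, maxLen) {
  const u = new URL(url);
  const origin = u.protocol + "//" + u.host; // host as parsed, including port
  const rest = u.pathname + u.search;
  if (origin.length + rest.length <= maxLen) return origin + rest;
  const room = maxLen - origin.length - 1;   // 1 character for the ellipsis
  if (room <= 0) return origin;              // never trade the host for path
  return origin + "…" + rest.slice(rest.length - room);
}

// Constructed sample: the real host is downloads.example.net, while the path
// ends in text that looks like a different site.
const SAMPLE =
  "http://downloads.example.net/" + "a".repeat(80) +
  "/www.trusted.example/setup.exe";

function demo(maxLen) {
  return {
    naive: naiveTail(SAMPLE, maxLen),
    safe: formatDownloadSource(SAMPLE, maxLen),
  };
}

console.log(demo(40));
```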

8:51 pm on Jan 7, 2005 (gmt 0)

Senior Member

WebmasterWorld Senior Member tedster is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:May 26, 2000
posts:37301
votes: 0


Thanks Imaster. It comes as no surprise that there are vulnerabilities (any browser IS software, after all) and I'm glad they're being uncovered. And given the Moz developers' track record, they'll be patched in short order, I hope.

From the 2nd link above - the ZDNet article:

One reader even took issue with the claim that Firefox is inherently more secure than IE. "Firefox may offer some 'security through obscurity', but once it gets to any sort of critical mass then it will be targeted. Since the hackers have the source code their lives will be that much easier, and when a patched version is released it will be easy for them to see where the vulnerability is and target older versions," said one London-based IT worker.

I've heard this argument before - in this very forum. It sounds right, on the surface, but I don't think it is. Time will tell, of course, but the kinds of liabilities IE has given us, where just visiting a web page downloads a worm and so on, are not likely to be found in Moz/Firefox.

Of necessity any non-MS browser is not so tightly tied to the operating system the way IE is - and that "integration" is the source of many vulnerabilities. So while it is true that a higher market share will bring more attempted exploits, I still doubt we'll see the same severity of security problems that have plagued Internet Explorer.

9:02 pm on Jan 7, 2005 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Feb 27, 2001
posts:2548
votes: 0


Hackers don't need access to the source code to exploit vulnerabilities (if they did IE would be totally safe) so the argument that this makes Firefox weaker than IE is completely false.

9:13 pm on Jan 7, 2005 (gmt 0)

New User

10+ Year Member

joined:Dec 17, 2004
posts:13
votes: 0


I've used FireFox exclusively for the past few months and I love it. I've only had a couple of sites that won't work because of it, but other than that it's great!

With regards to hackers, whadaya gonna do? No browser is gonna stop 100% of it.

9:15 pm on Jan 7, 2005 (gmt 0)

Preferred Member

10+ Year Member

joined:Jan 19, 2004
posts:505
votes: 0


Moz and FF will start getting some heat as they gain popularity and will understand first hand what IE has had to endure all these years.

The true test of quality will be the speed at which a problem is recognized and corrected.

9:42 pm on Jan 7, 2005 (gmt 0)

Senior Member

WebmasterWorld Senior Member tedster is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:May 26, 2000
posts:37301
votes: 0


Also a factor in market success - which organization is better at spin and playing the media. Here's where mediocre products can still prevail despite the fact that there are better alternatives. We've seen it over and over, in technology and elsewhere in the market.

So, here's where it gets interesting to me. Whatever I read, I like to look under the surface a bit for the hidden motivation, the roots.

I'm hoping this forum can be a place where we do exactly that, and sort out the spin for what it is - wherever it originates.

9:45 pm on Jan 7, 2005 (gmt 0)

New User

10+ Year Member

joined:Apr 22, 2004
posts:15
votes: 0


justgowithit, there have been security holes in Mozilla/FF in the past, so it's not like no one has been looking for them before. How secure a browser is doesn't depend on how widely used it is. And with the $500 bounty on security flaws found in Mozilla, I'm sure more people than ever before are trying to find new ways to compromise Firefox. Money is always a nice incentive.

These two new ones aren't exactly critical vulnerabilities either...

2:09 am on Jan 8, 2005 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Mar 1, 2004
posts:812
votes: 0


Every serious coder I know is willing to go to great lengths for the $500 *and* the claim of having submitted/been-paid for a Mozilla bug. It's a nice bounty.

3:58 pm on Jan 8, 2005 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Dec 2, 2002
posts:792
votes: 0


But these are both bugs from older versions. They were removed by Mozilla themselves.

Mozilla should add an "auto-update" feature to their browsers that automatically updates to the latest versions.

5:59 pm on Jan 8, 2005 (gmt 0)

Full Member

10+ Year Member

joined:Jan 3, 2004
posts:333
votes: 0


Hackers don't need access to the source code to exploit vulnerabilities (if they did IE would be totally safe) so the argument that this makes Firefox weaker than IE is completely false.

Totally agreed. After all, Apache seem to be doing quite nicely.

2:52 am on Jan 9, 2005 (gmt 0)

Preferred Member

10+ Year Member

joined:May 20, 2003
posts:493
votes: 0


They don't NEED the source code, but wouldn't having it make it easier - assuming you know how to read it, of course?

Jennifer

2:25 pm on Jan 9, 2005 (gmt 0)

New User

10+ Year Member

joined:Mar 21, 2004
posts:39
votes: 0


Mozilla should add an "auto-update" feature to their browsers that automatically updates to the latest versions.

This is already there in Firefox 1.0.

9:19 pm on Jan 11, 2005 (gmt 0)

Junior Member

10+ Year Member

joined:July 1, 2003
posts:68
votes: 0


I don't know whether this is related to this thread but Firefox (Mac OSX version) seems to have a bug regarding 301 redirects.

Once the browser reads the redirect, there is no way to load the old page, even if the redirect instruction is no longer there on the server.

If you are testing htaccess files it can be a nightmare!

Maybe some other user could corroborate this problem in another platform.

12:18 am on Jan 12, 2005 (gmt 0)

Senior Member

WebmasterWorld Senior Member kaled is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Mar 2, 2003
posts:3710
votes: 0


If I understand you correctly, clearing the cache would probably work.

Kaled.

3:15 pm on Jan 12, 2005 (gmt 0)

Junior Member

10+ Year Member

joined:July 1, 2003
posts:68
votes: 0


It does! What a fool I am.

However, perhaps a simple reload should be enough for this..?