Firefox vulnerabilities (split-off thread)

Hi,

In order not to antagonize the poster in his thread, I'm splitting it here.

Original thread:
https://www.wilderssecurity.com/showthread.php?p=1055242

The claims are:

1. Firefox has vulnerabilities that can be exploited.
2. Firefox has plugins that have vulnerabilities that can be exploited.
3. You can get hit by a drive-by using Firefox.

My answers:

1. No. Good people have posted links, showing me how it can be done. But these vulnerabilities do not exploit Firefox - no no. They exploit java installed locally on the computer. Big difference.

Because, without java, no vunlerability! See?

I'm asking for someone to show me a vulnerability such that Firefox actually leaves the boundary of its containment (the folder in which it is installed) and nibbles on system files, dlls etc.

No such thing.

Why this exists in IE, you ask?

Because IE cannot be separated from Windows. IE is Windows. Firefox is a modular add-on. As such, it has no connection to the system, except via plugins, which are NOT Firefox itself.

Therefore, to get convinced, I require an exploit that is fully self-contained in the browser, html for example, or javascript. Again, no proofs of concept.

Reality: they do not exist. They might exist, but they do not.

2. We come to point 2. Take away plugins, you take away vulnerabilities. So how is this a Firefox exploit then? It is the user's responsibility and that of the third party tools to patch their software.

Example: I use flash. So once in a while, I check with Adobe and install a new plugin, myself, manually. No different than updating Windows, for that matter.

This has nothing to do with browsers, because theoretically, if a vulnerability is found in an application, you could exploit it via an email protocol or telnet.

3. Finally, we come to drive-by. A proper drive-by would be visiting a site and leaving with computer / browser compromised. I have covered computer above, which leaves Firefox. There's no such thing as visiting a site, leaving to discover an extension installed all by itself (like a bho in IE) or anything alike. This cannot happen.

This is the end of my rant. Feel free to respond.

Cheers,
Mrk

 

Hi Mrk,

As it's a shame you've had not takers on what could and should be a full featured thread, I'll come out of retirement to start to kick this around a little with you.

You say

That's not entirely true is it? I mean if it had no connection to the system, I wouldn't be able to type the address of local folders into the address bar and Firefox be able to locate and list the files within. How Firefox handles (or passes to another program to handle) these individual filetypes is the important thing here, but isn't that the point of an exploit - to find a way to access and call-up something that wasn't intended ?

As a full-featured browser, it is designed to call up external programs to handle filetypes and this file handling is not always as foolproof as it should be Unescaped URIs passed to external programs.

So isn't it fair to say, that where the browser can navigate to and in some instances open local files - and where there are examples of how Firefox can be made to handle files in an unexpected fashion, then the conditions for exploitation of the system already exist. That Firefox, far from being a detached, modular program, is actually, once defined as the default browser, a conduit for exploitation and as such, programmers/users, can't simply look to the creators of plug-ins when it comes to taking responsibility for system integrity.

 

Now, what's the point in arguing the obvious with a Firefox fanboy? There's loads of evidence out there about Ff's vulnerabilities and how they can be (have been) exploited. All you need is an open mind, rather than an irrational, emotional attachment.

 

I'd be interested in any references you have to "have been" exploited

 

When you lack the intellectual capacity to counter someone's arguments, you resort to the lowest common denominator - insults.
Prove me wrong.
Mrk

 

MrK understands I thiink, that I use Firefox and don't perceive him as being an irrational fanboy.

Many threads like this become a 'ping-pong' game and fail to give respect to the subject matter. It's because I'm sure MrK will seek to conduct this thread fairly and make an effort to illustrate his findings, that it seemed a shame to see this thread go unanswered.

So for instance, drive-by infections - what actually is it that enables MrK to state confidently that Firefox is immune from these silent attacks ?

Is it that MrK says it doesn't happen because it categorically cannot happen as a result of design and that this can be illustrated definitively? Or is that it simply appears not to have happened......so probably won't? What exactly is the strength of this argument? What are the mechanics involved ?

I'm hoping for a thread that challenges and informs ........

 

It would be nice to see the personal insults and jibes set aside, to actually explore the possible, or actual vulnerabilities a browser such as Firefox faces. I will say up front, I use Opera, though have used Firefox on occaision. Also I would say I do not use Opera because I think it is safer than Firefox, but simply because I like the feel of it and look of it better, nothing more than personal taste. My interest therefore in this is a)To make sure I should still recommend Firefox as equally to friends who ask. 2)Vulnerabilities that attack Firefox may well attack others such as Opera, even though they are no doubt very different animals.
So it would be nice if the browser could remain the focus of the discussion.

P.S> I don't actually personally have any vulnerabilities, suspected or proven to share, but I will keep my eyes open and bring any back that I come across.

 

I personally believe that any browser that has not been exploited, is simply that way because it either has not been around long enough, or more importantly it has not become popular enough to warrant the efforts of those who devise these exploits, and in the early days the people who use these browsers do so because they are much more security aware, and thus their systems are harder targets anyway. Why seek to exploit a hard target, when there are an abundance of soft targets available.
I believe if Firefox or Opera, or any other for that matter were to swap places with IE in the popularity stakes, then they would be exploited, not by the same exploits as IE obviously because they are designed differently, and possibly not by as many, but exploits nonetheless, since that's what the folks who devise exploits do.
In the case of Firefox time will give us that answer, as of the non-IE browsers it is by far and away the most popular.

 

Hello,

eyes-open, my (impolite) answer was not directed at you.

Regarding the browser:

1. Proof is needed to show fault; like with anything. Example, you cannot say that a car X will explode in a head-on collision. You must show it to be true. Otherwise, nothing would ever get done.

2. Experience / testing. You cannot say there have been this or that. It's like saying rain in the south of spain... there must be a well-structured, almost mathematical example that counters existing record.

How I see it:

There are potential vulnerabilities in ANY software.
BUT if they are patched before they can be exploited, then they remain pseudo-threats and can be therefore dismissed.

Firefox belongs in the above category:

1. The way it is designed.
2. The way it "sits" in the system - crossplatform modularity helps here tremendously, as well the ability to run stand-alone / not touching the host, from usb key, for example.
3. The speed with which the Mozilla people patch potential holes.

Not for the reasons below:

1. No one smart yet tried to do this.
2. Firefox does not merit attention.

The point 2 has been on since day 3 of Firefox and now that it holds a third of the market (a third), the story still keeps going, a sort of apocalyptic doomsday saying - just wait. Wait for what? 2033?

Today, in this world, for the past 2-3 years, a significant part of the modern era broadband internet, there is a safe, secure and highly multipurpose solution.

Very simple.

Cheers,
Mrk

 

Mrk, I'm not sure if you're talking about the link I provided in this posting. If you are, then you didn't read that site carefully enough. The problem is not only Java related as Giorgio Maone points out: "If you’re using Opera or a Gecko-based browser, a similar full screen evil can be performed with just a few Javascript lines. No need to compile and host any applet, thanks to the LiveConnect technology."

Aside from that I don't have to add anything beyond what I wrote in above mentioned posting which isn't very far away from what you wrote, I think.