Firefox a Growing Target for Hackers

Discussion in 'other security issues & news' started by ronjor, Aug 1, 2006.

Thread Status:
Not open for further replies.
  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,719
    Location:
    Texas
    Article
     
  2. ThunderZ

    ThunderZ Registered Member

    Joined:
    May 1, 2006
    Posts:
    2,459
    Location:
    North central Ohio, U.S.A.
    We knew it was bound to happen. As the popularity grows, so grows the bullseye on your back. Sad situation.
     
  3. shek

    shek Registered Member

    Joined:
    Mar 27, 2005
    Posts:
    342
    Location:
    SE CHINA/NYC USA
    But we still have Opera. :D
     
  4. dog

    dog Guest

    Almost amazing that this article like springs off of this one ... while no doubt as popularity increases, so too will the targeting of FF. But being realistic we haven't seen anything really yet (no direct attacks that I'm aware of), and FF will never have the market share IE enjoys, so it'll never represent as large of a target as IE does. FF evolves fairly rapidly covering any holes (unlike the rather stagnant IE6/7) ... it also has the benefit of security type extensions that can fill voids in the meantime. While extensions are likely the easiest attack vector against FF ... anything unbecoming would be discovered rather quickly IMO. The issue remains M$'s OS, no matter the browser.
     
  5. Tobe404

    Tobe404 Registered Member

    Joined:
    Aug 1, 2006
    Posts:
    10
    Location:
    South Australia, Australia
    Opera will no doubt be next though.
     
  6. Lamehand

    Lamehand Registered Member

    Joined:
    Mar 2, 2006
    Posts:
    428
    Location:
    the Netherlands,very near to the North sea
    It isn't even a vulnerability of Firefox, it's more an attempt to discredit Firefox by using a phony extension as a way in.
    In fact it has nothing to do with Firefox but more with the way people treat an e-mail from an unknown source, clicking on attachments, that's the trouble.
    The real 'vulnerability' is sitting behind the keyboard doing stupid things without thinking twice what could happen.

    Lamehand
     
  7. sosaiso

    sosaiso Registered Member

    Joined:
    Nov 12, 2005
    Posts:
    601
    PEBKAC. [Problem Exists Between Keyboard and Computer]

    That is the biggest security vulnerability for all software.

    But, isn't there a fundamental difference between "extension" and "activex" and how much access it has to one's computer?
     
  8. Lamehand

    Lamehand Registered Member

    Joined:
    Mar 2, 2006
    Posts:
    428
    Location:
    the Netherlands,very near to the North sea
    The difference is that ActiveX can do an install without the intervention of the user, if not properly set up. An extension on the other hand can't do this, it must be the choice of the user to install it.
    Once a trojan or other piece of malware is installed it can do anything it wants with the system, that has nothing to do with the way it got there in the first place.
    This extension-malware needs 'social engineering' to entice the user to install it because it can't install automatically.

    Lamehand
     
  9. phasechange

    phasechange Registered Member

    Joined:
    Aug 10, 2004
    Posts:
    359
    Location:
    Edinburgh
    To be honest "PEBKAC" and similar statements are not an explanation but a design principle. Desktop PC software, especially software targeting residential users, has to be designed so that it can be safely driven by people who not only don't have Computer Science degrees but have grown up in an era before computers and never worked in an office environment (he says thinking of his father who worked in physical world security for the Government).

    This is why the mass market security software tries to have simple, easy to follow user interfaces.

    Operating systems and software cannot rely on the user as the main form of defence. Sure we are probably all the biggest obstacle (after our firewalls) to malware. However the non-computer literate user with no desire to become computer literate needs intelligent protection. The user needs software that is self healing, updates regularly, and makes intelligent decisions about protecting the PC's integrity. How often has a user struggled to know if they should let services.exe connect to the internet or not? There is a clear market need for software which doesn't confuse "the man on the Clapham omnibus" (Joe Public for Americans) with questions that they lack the knowledge to answer.

    To return to the main point of the thread. This is but the beginning. The enemy will come in increasing numbers. The test for Firefox will be how it reacts and more importantly pre-empts the coming threats.

    As for the timeframes, who knows. It may be sooner than we think. It may be a really slow burner like Mac Malware. I suspect it will ramp up faster as more malware authors are PC owners and there is a lot of sick kudos from exploiting FF.

    Fairy
     
  10. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Yes, just like Linux. Once the bad guys put their claws in Linux, we can call it Winux.
    Each OS and software is vulnerable and there is always a brilliant bad guy somewhere in the world, who will find a way to do it.
     
  11. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Some softwares are much more vulnerable than others, believe me.
     
  12. JRCATES

    JRCATES Registered Member

    Joined:
    Apr 7, 2005
    Posts:
    1,203
    Location:
    USA
    While this is true, just like I said in a couple of posts here about this time a year ago, vulnerabilities will be discovered, and then exploited through the creation of new malware targeted towards those vulnerabilities. This ultimately depends upon WHO the hackers target. And as Firefox's popularity has continued to rise, it was inevitable that this would be the result. Here are the two posts I made on this subject last year....primarily mentioning that marketshare and popularity/usage would dictate who the malware authors went after to exploit browser vulnerabilities:

    https://www.wilderssecurity.com/showpost.php?p=511209&postcount=9

    https://www.wilderssecurity.com/showpost.php?p=567351&postcount=23
     
  13. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Vulnerability through popularity?

    Sounds like the inverse of security through obscurity.

    These have nothing to do with the reality of the actual number and severity of programming and design flaws.
    One program can be designed with security in mind and still be extremely popular and secure.
    Another program can be designed with all kinds of multimedia features in mind with no thought to security. This program can be so obscure that almost no one knows about it. It doesn't make this program any more secure.

    Popularity does bring the attention of hackers which will help expose vulnerabilities. So far Mozilla has responded quickly to discovered flaws.
    I would still pick FF over IE (both with default settings), all things considered, it is more secure in my opinion.
     
  14. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    This is all good and fine, but my sentence wasn't really targeted at Firefox (though I definitely don't think security-wise it's as bad as the swiss cheese IE 6). And yes, popular softwares are more exposed (usually... but don't forget that high-security systems containing valuable often don't use "popular" software packages because these were not planned with security as the main concern).

    Nevertheless, as I said before, there are softwares that were planned with security as the primary goal: possible security flaws were carefully analyzed, "features" that could have endangered the security were not implemented, hardening features were implemented. Very often the more secure a system is, the harder it is to use. So it's perfectly natural that a system aimed at newbies won't be as secure as a system that requires time and patience to set up. But really, to claim "every software is vulnerable", while true, doesn't say anything: the aim of security-conscious programmers is not to make an invulnerable system (which would be unusable), but to make the system the most secure possible while maintaining usability for the target "audience".

    On the other hand, not every programmer (and especially not every marketing staff) thinks security is more important than "cool features", especially since most of the target audience of popular products will not be able to evaluate a system's security, but will be able to see cool features right away.
     
  15. JRCATES

    JRCATES Registered Member

    Joined:
    Apr 7, 2005
    Posts:
    1,203
    Location:
    USA
    That's not what I was saying or meant to imply, Devinco.

    Now THAT is what I was saying! That marketshare would ultimately dictate which browser the malware authors went after...not which browser would be more "secure"...just more "under attack"....:)
     
  16. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Actually, I wasn't replying to what you wrote. In fact, at the time I was writing it I didn't see your post. It was just an observation not directed at you or anyone in particular.
     
  17. dog

    dog Guest

    @JR

    Firefox will never enjoy the marketshare IE has. Honestly the majority of Windows users don't know any alternatives exist - IE is just there and they use it. They aren't securing their systems or browsers, many run with outdated AVs if they're running one at all, most don't run a firewall - they're just easy targets - no matter the changes in any future M$ OS or IE 7 ... they will continue to be the easiest target because security isn't even a passing thought to them. I'm not saying firefox won't ever be targeted, but it'll never be the first option in the foreseeable future ... the ends just don't justify the means.
     
  18. JRCATES

    JRCATES Registered Member

    Joined:
    Apr 7, 2005
    Posts:
    1,203
    Location:
    USA
    Hey Steve,

    Oh, don't get me wrong.....I completely agree with that premise, and have my reservations about Firefox ever being on par with IE as far as the number of users goes.....but in just 2 years, Firefox has made one incredible dent in IE's numbers!

    I saw this today, and thought it was pretty interesting:

    http://www.w3schools.com/browsers/browsers_stats.asp

    I don't know how accurate it is....but I have no reason not to believe it. That is roughly what I would have estimated or guessed anyway. According to this link, IE now has a little over a 2 to 1 margin over Firefox. Pretty substantial....until one considers that IE "USED TO" have about a 17 to 1 advantage! At the beginning of January of '04, IE had 85% (84.7) of the marketshare (when you combine IE5 and IE6) to Firefox's 5.5%. As of July of '06, IE now has 64% (63.9) of the market (when you combine IE5, IE6, and IE7) whereas Firefox now has 25%. So IE went from 85% in Jan. of '04 to 64% in July of '06 (21% loss).....and during that same time, Firefox jumped from 5.5% to 25% (20% gain)! So it's really no wonder why malware authors would target Firefox more frequently these days.....that was really my main point. :D
     
  19. dog

    dog Guest

    Did you notice this comment on that page ...
    I doubt FF has made such inroads with the average user. :doubt:
     
  20. JRCATES

    JRCATES Registered Member

    Joined:
    Apr 7, 2005
    Posts:
    1,203
    Location:
    USA
    Yeah, probably so. I know I saw on the world news about a year ago that Firefox had increased to 15% of the marketshare.....so I was just assuming that the growth had continued. I guess that it's probably more likely that it's leveled out somewhere in the mid teen range, though...
     