Mozilla confirms critical Firefox bug

Thank God i just switched to Internet Explorer 8 - i should be safe

 

Thank heavens for Opera and Chrome.

 

Yeah, thank God for only 11 patches for Chrome in one day and a security flaw right out of the gate the day after Opera releases its newest browser.

 

Secunia's latest comments:

http://secunia.com/blog/90

 

Thank goodness some of our setups protect against such vulnerabilities

 

None of them as critical as flaws being discovered on daily basis for FF. It has the highest number of severely critical flaws of any browser out there, IE included.

http://www.internetnews.com/security/article.php/3847461

Firefox Tops Vulnerability List

New study places Firefox at the top of vulnerability list for for the first half of 2009.

 

The key word you left out was "reported".

You might want to check out this document:
www.javaop.com/~ron/documents/362-paper.pdf
Especially Case Study 3. It's a few years old but the Browser vendor climate is pretty much the same. Mozilla.org has full disclosure on all vulnerabilities, even those discovered in-house. That policy tends to inflate their numbers.

 

Secunia is independent outfit and reports on all browsers out there period so no one has to worry about the report aspect.

 

And as the guy above said, IE and Opera do not disclose all vulnerabilities, so it doesn't matter what Secunia does or does not do. Moreover, IE and Opera are closed-source software. Firefox and Chrome are both completely open-source.

 

Users should reconsider Firefox. I say it often that its value is overestimated and my opinion is that Firefox rappresents a serious problem, since "somebody" convinced millions of users that they are safer online using firefox. These users that start their browsing sessions thinking that they are safe with their browser rappresent a danger for their systems and the internet. Firefox historically takes the credits for creating a competition between browsers, but also takes the credits for the biggest security "fraud" ever. If they are serious they should educate their users and inform them that their browser is not safer than others and it should be used with the same attention, like any other browser.

All browsers should be sandboxed, virtualized. This is the way to go.

 

Thanks, voice of reason.

 

That don't mean there are organizations trying to find holes in IE and Opera but the number of holes in FF eclipses those of IE, Opera and Chrome combined. Just because its open source don't make it holier than thou. This is another issue with FOSS, they would dutifully bundle FF with their distros and no one will object to that but if MS buncles their IE, the world goes in a tizz.

 

Yes, the linux distros should be taken to court and all have browser ballot screens implemented, right?

 

I thought Linux was about freedom of choice, not about dictum.

 

How is the situation any different from Microsofts? They both bundle a specific browser with the "freedom of choice" to go download a different one. Anyway, I was just being sarcastic.

 

And I was just responding to your sarcasm

 

Well, guess I failed

 

And at least with Firefox, all their bug and vulnerability tracking is also open.

It's analogous to saying North Korea has less crime than Iceland simply because NK doesn't announce crime stats. Folks are either going to get it or not.

As a thumbnail, just looking at the ongoing Blade testing stats (http://www.blade-defender.org/eval-lab/) and it still looks like any version of IE is more vulnerable than FF.

 

You know, instead of looking at and comparing each browsers number of vulnerabilities, let's look at why. Here is my thought, could it be that Firefox/Chrome/Opera are getting less secure due to the, what I call, "feature race"? IE has ALWAYS had problems, there's no getting around that no matter how much Microsoft has made improvements (and they have, whether haters want to admit it or not).

Along comes Firefox to try and knock them from their place. Firefox added extensions and themes. Both adding on to memory usage, opening up holes in security, and adding instability over time due to extension conflicts/crashes. Opera adds widgets and now, that completely idiotic idea of a web server. Chrome shows up, decides it needs extensions too. Everyone thought Chrome was the most secure out there, then, yesterday, 11 vulnerabilities, 6 major, need patching.

This didn't get as detailed as I planned because I'm in a bit of a hurry. But, my point is, I think the more that browsers try to out-do each other, the worse their security gets. I also think that the recent obsession for them to make their browsers the fastest is causing them to not pay enough attention to other areas. That's my opinion on the matter.

 

I don't think an extra 30 infections in IE over FF makes FF look real good. That shows FF is getting worse. Speaking of those stats though, it shows two things. 1. AV programs might look pretty spiffy with their 96/97/98/99% rates on these tests we all argue over and waiting twitching for. But in the real world, clearly AVs are getting their behinds kicked all up and down the street.

The other thing is where all this malware is coming from. The Ukraine is blowing the supposedly "evil China" right out of the freaking water with malware serving. Some eye-openers in those stats for sure.

Edit: By the way, where is Chrome and Opera in their malware blocking graph? I really hope their exclusion doesn't give people the false impression that either browser is invulnerable or extremely secure.

 

dw426, yeah I pretty much agree. But as Charlie Miller says, it's really less about the browser than the plugins and the underlying operating system.

On that particular testing note that the most targeted apps aren't the browsers (some for IE, none listed for FF), mostly it's Adobe Reader, Flash, and Java.

They also see the Eleonore kit more often than any other, so you may find this interesting:
http://www.krebsonsecurity.com/2010/01/a-peek-inside-the-eleonore-browser-exploit-kit/

As for where these are coming from, at least as far as hosting I found these 2 recent articles extremely informative:

http://www.krebsonsecurity.com/2010/03/researchers-map-multi-network-cybercrime-infrastructure/

http://www.krebsonsecurity.com/2010/03/naming-and-shaming-bad-isps/

And yes, I agree, Opera and Chrome by themselves aren't going to be significantly more secure and the Blade group I assume just limited their testing to the 2 most popular browsers.

 

Interesting links, thank you. I was actually surprised at the amount of Java exploits still ongoing. I don't recall the last time I even needed Java. I'm also surprised that Flash exploits weren't as huge of a factor as some media and others make them to be. Adobe Reader, what can I say, PDF exploits I guess are the "in thing".

 

I was too. Here's some info on another popular exploit kit:
http://malwareint.blogspot.com/2009/11/justexploit-new-exploit-kit-that-uses.html
and it looks like java and acrobat are big with them also.

And I just found this article on drive-byes that I found interesting
http://www.viruslist.com/en/analysis?pubid=204792056

 

That's ridiculous. Just updated to 3.6.2, and everything is fine again

http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/3.6.2-candidates/build3/