Mozilla confirms critical Firefox bug

Discussion in 'other security issues & news' started by ronjor, Mar 19, 2010.

Thread Status:
Not open for further replies.
  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,752
    Location:
    Texas
    Article
     
  2. tobacco

    tobacco Frequent Poster

    Joined:
    Nov 7, 2005
    Posts:
    1,497
    Location:
    British Columbia
    Thank God I just switched to Internet Explorer 8 - I should be safe :eek:
     
  3. linuxforall

    linuxforall Registered Member

    Joined:
    Feb 6, 2010
    Posts:
    2,136
    Thank heavens for Opera and Chrome.
     
  4. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Yeah, thank God for only 11 patches for Chrome in one day and a security flaw right out of the gate the day after Opera releases its newest browser.
    :cautious:
     
  5. Dermot7

    Dermot7 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    3,196
    Location:
    Surrey, England.
  6. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,095
    Location:
    Mountaineer Country
    Thank goodness some of our setups protect against such vulnerabilities :cool:
     
  7. linuxforall

    linuxforall Registered Member

    Joined:
    Feb 6, 2010
    Posts:
    2,136

    None of them as critical as flaws being discovered on a daily basis for FF. It has the highest number of severely critical flaws of any browser out there, IE included.

    http://www.internetnews.com/security/article.php/3847461

    Firefox Tops Vulnerability List

    New study places Firefox at the top of vulnerability list for the first half of 2009.
     
  8. mvario

    mvario Registered Member

    Joined:
    Sep 16, 2008
    Posts:
    339
    Location:
    Haddonfield, IL
    The key word you left out was "reported".

    You might want to check out this document:
    www.javaop.com/~ron/documents/362-paper.pdf
    Especially Case Study 3. It's a few years old but the Browser vendor climate is pretty much the same. Mozilla.org has full disclosure on all vulnerabilities, even those discovered in-house. That policy tends to inflate their numbers.
     
    Last edited: Mar 20, 2010
  9. linuxforall

    linuxforall Registered Member

    Joined:
    Feb 6, 2010
    Posts:
    2,136

    Secunia is an independent outfit and reports on all browsers out there, period, so no one has to worry about the report aspect.
     
  10. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    And as the guy above said, IE and Opera do not disclose all vulnerabilities, so it doesn't matter what Secunia does or does not do. Moreover, IE and Opera are closed-source software. Firefox and Chrome are both completely open-source.
     
  11. NoIos

    NoIos Registered Member

    Joined:
    Mar 11, 2009
    Posts:
    607
    Users should reconsider Firefox. I say it often that its value is overestimated and my opinion is that Firefox represents a serious problem, since "somebody" convinced millions of users that they are safer online using Firefox. These users that start their browsing sessions thinking that they are safe with their browser represent a danger for their systems and the internet. Firefox historically takes the credits for creating a competition between browsers, but also takes the credits for the biggest security "fraud" ever. If they are serious they should educate their users and inform them that their browser is not safer than others and it should be used with the same attention, like any other browser.

    All browsers should be sandboxed, virtualized. This is the way to go.
     
    Last edited: Mar 20, 2010
  12. linuxforall

    linuxforall Registered Member

    Joined:
    Feb 6, 2010
    Posts:
    2,136

    Thanks, voice of reason.
     
  13. linuxforall

    linuxforall Registered Member

    Joined:
    Feb 6, 2010
    Posts:
    2,136

    That doesn't mean there are organizations trying to find holes in IE and Opera but the number of holes in FF eclipses those of IE, Opera and Chrome combined. Just because it's open source doesn't make it holier than thou. This is another issue with FOSS, they would dutifully bundle FF with their distros and no one will object to that but if MS bundles their IE, the world goes in a tizz.
     
  14. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,852
    Yes, the linux distros should be taken to court and all have browser ballot screens implemented, right?
     
  15. linuxforall

    linuxforall Registered Member

    Joined:
    Feb 6, 2010
    Posts:
    2,136

    I thought Linux was about freedom of choice, not about dictum.
     
  16. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,852
    How is the situation any different from Microsoft's? They both bundle a specific browser with the "freedom of choice" to go download a different one. Anyway, I was just being sarcastic.
     
  17. linuxforall

    linuxforall Registered Member

    Joined:
    Feb 6, 2010
    Posts:
    2,136
    And I was just responding to your sarcasm :D
     
  18. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,852
    Well, guess I failed :p
     
  19. mvario

    mvario Registered Member

    Joined:
    Sep 16, 2008
    Posts:
    339
    Location:
    Haddonfield, IL
    And at least with Firefox, all their bug and vulnerability tracking is also open.

    It's analogous to saying North Korea has less crime than Iceland simply because NK doesn't announce crime stats. Folks are either going to get it or not.

    As a thumbnail, just looking at the ongoing Blade testing stats (http://www.blade-defender.org/eval-lab/) and it still looks like any version of IE is more vulnerable than FF.
     
  20. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    You know, instead of looking at and comparing each browser's number of vulnerabilities, let's look at why. Here is my thought, could it be that Firefox/Chrome/Opera are getting less secure due to the, what I call, "feature race"? IE has ALWAYS had problems, there's no getting around that no matter how much Microsoft has made improvements (and they have, whether haters want to admit it or not).

    Along comes Firefox to try and knock them from their place. Firefox added extensions and themes. Both adding on to memory usage, opening up holes in security, and adding instability over time due to extension conflicts/crashes. Opera adds widgets and now, that completely idiotic idea of a web server. Chrome shows up, decides it needs extensions too. Everyone thought Chrome was the most secure out there, then, yesterday, 11 vulnerabilities, 6 major, need patching.

    This didn't get as detailed as I planned because I'm in a bit of a hurry. But, my point is, I think the more that browsers try to out-do each other, the worse their security gets. I also think that the recent obsession for them to make their browsers the fastest is causing them to not pay enough attention to other areas. That's my opinion on the matter.
     
  21. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    I don't think an extra 30 infections in IE over FF makes FF look real good. That shows FF is getting worse. Speaking of those stats though, it shows two things. 1. AV programs might look pretty spiffy with their 96/97/98/99% rates on these tests we all argue over and waiting twitching for. But in the real world, clearly AVs are getting their behinds kicked all up and down the street.

    The other thing is where all this malware is coming from. The Ukraine is blowing the supposedly "evil China" right out of the freaking water with malware serving. Some eye-openers in those stats for sure.

    Edit: By the way, where is Chrome and Opera in their malware blocking graph? I really hope their exclusion doesn't give people the false impression that either browser is invulnerable or extremely secure.
     
  22. mvario

    mvario Registered Member

    Joined:
    Sep 16, 2008
    Posts:
    339
    Location:
    Haddonfield, IL
    dw426, yeah I pretty much agree. But as Charlie Miller says, it's really less about the browser than the plugins and the underlying operating system.

    On that particular testing, note that the most targeted apps aren't the browsers (some for IE, none listed for FF), mostly it's Adobe Reader, Flash, and Java.

    They also see the Eleonore kit more often than any other, so you may find this interesting:
    http://www.krebsonsecurity.com/2010/01/a-peek-inside-the-eleonore-browser-exploit-kit/

    As for where these are coming from, at least as far as hosting I found these 2 recent articles extremely informative:

    http://www.krebsonsecurity.com/2010/03/researchers-map-multi-network-cybercrime-infrastructure/

    http://www.krebsonsecurity.com/2010/03/naming-and-shaming-bad-isps/

    And yes, I agree, Opera and Chrome by themselves aren't going to be significantly more secure and the Blade group I assume just limited their testing to the 2 most popular browsers.
     
  23. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Interesting links, thank you. I was actually surprised at the amount of Java exploits still ongoing. I don't recall the last time I even needed Java. I'm also surprised that Flash exploits weren't as huge of a factor as some media and others make them to be. Adobe Reader, what can I say, PDF exploits I guess are the "in thing".
     
  24. mvario

    mvario Registered Member

    Joined:
    Sep 16, 2008
    Posts:
    339
    Location:
    Haddonfield, IL
    I was too. Here's some info on another popular exploit kit:
    http://malwareint.blogspot.com/2009/11/justexploit-new-exploit-kit-that-uses.html
    and it looks like Java and Acrobat are big with them also.

    And I just found this article on drive-bys that I found interesting
    http://www.viruslist.com/en/analysis?pubid=204792056
     
    Last edited: Mar 20, 2010
  25. Pinga

    Pinga Registered Member

    Joined:
    Aug 31, 2006
    Posts:
    1,420
    Location:
    Europe