ShortNews
10/02/2006 07:31 AM ID: 57362 Permalink   

Unpatchable Flaw in Firefox

 

It was announced at a recent hacker conference that the latest version of Firefox contains a critical flaw in its JavaScript implementation that cannot be patched. Details on the exploit were presented in a slide show at ToorCon.

Mozilla security chief Window Snyder said of the vulnerability, "What they are describing might be a variation on an old attack. We're going to do some investigating." A staffer from the company, Jesse Ruderman, was on stage during the presentation.

He said, "I do hope you guys change your minds and decide to report the holes to us and take away $500 per vulnerability instead of using them for botnets." One of the presenters laughed, saying their work is beneficial to the internet.

 
  Source: news.zdnet.com  
  WebReporter: caution2  SuperVisor
   
  38 Comments
  
  ahhhh....  
 
I remember when Firefox first came out. There were people criticizing Microsoft Windows and saying how Firefox had no flaws and was so much better. The Firefox diehards were convinced. HAHAHA...I laugh in their face. The more people use any operating system, the more attractive it is for hackers.
 
 by: slayer06   10/02/2006 07:56 AM     
  Agreed but  
 
nothing is 'unpatchable'. They write a new segment of code, replace the old and bang fixed, that's called a patch. It's not like they have to forgo Firefox now because of this. Also if they are unwilling to explain the hack to Firefox staff they are in violation of a number of laws and conventions of a number of different nations. Either that or they are making it up, or making up its severity to try to get themselves press, and I'm more leaning towards the latter.
 
 by: ssxxxssssss   10/02/2006 08:35 AM     
  @slayer06  
 
So you still use Internut Exploder then? Do you like having your machine infected with all kinds of crap because IE is like a slut that opens its legs for any and every little piece of webcode that wants to run?
 
 by: Stryc9   10/02/2006 09:23 AM     
  @Stryc  
 
if users are too dumb to protect themselves from spyware and such, how is that Microsoft's fault?

The more people who use Firefox, the more hackers are going to target it, the more vulnerabilities will be exposed. It really is that simple. I wouldn't use Firefox if someone paid me to.
 
 by: NuttyPrat     10/02/2006 09:44 AM     
  @ Stryc9  
 
I do not believe I have ever heard of Internet Explorer described in such eloquent terms. Nice one!


Cheers ;)
 
 by: Quantum1.5     10/02/2006 09:54 AM     
  @nuttyprat  
 
It's not a matter of being too dumb, it's a matter of being inconvenienced. IE is, for the most part, pretty secure IF you enable all of the java blockers, set your privacy and security settings to high, etc etc etc. Yeah, it's not hard to do and it makes your system pretty damn secure.

BUT

then you have to deal with the un-ending parade of IE warnings that a site is not secure, that a popup was blocked, that java has been disabled, that the site's certificate isn't updated, etc etc etc.

Frankly, it's a pain in the ass.

Firefox, because of its relatively small market share, remains largely unexploited so you don't NEED to enable the security features and still be reasonably confident that you aren't infecting yourself with a bucketload of trojans every time you visit a warez site.

It's not that Firefox *can't* be exploited, it's that thus far M$ has been the primary target. There are some things about Firefox I don't like, but the sheer convenience of having a browser that just works, safely, without a lot of hassle far outweighs the relatively minor flaws I see in its design.
 
 by: Dedolito     10/02/2006 10:17 AM     
  Warez  
 
are they not illegal?
 
 by: NuttyPrat     10/02/2006 10:22 AM     
  slayer06  
 
Security isn't the only advantage FF has over IE.

IE -doesn't- evolve unless forced to. If FF hadn't come along I doubt IE would be adding tabbed browsing.
 
 by: Kavok   10/02/2006 11:30 AM     
  some are  
 
some aren't. Depends on the content. Trial and shareware aren't illegal and there is a lot of that. Also a lot of cracked apps or keygens. Course, a lot of the files, no matter their legality, are frequently infected with any number of digital invaders. Doesn't matter what browser you prefer if you run an install file from a warez site, it's Russian Roulette and you will eventually lose.

I mention them because of all the sites on the net, warez sites are the most heavily infected with spy-, mal- and ad- wares, trojans, viruses, dialers, installers, tracking cookies, etc. Everything from tricky java scripting that bypasses your browser's failsafes to plain-old brute spamming of install messages (remember those from the late-90's? Modern browsers protect you from that sort of thing, but run a Win98 machine with a comparable version of IE and you'll see that such scripts are alive and well out there on the 'net, they just have to wait for a susceptible machine to come along).

On an unsecured machine you can be certain that if you go browsing through a warez network you are going to be infected in very short order, without once trying to actually download or install a thing.

It's actually a pretty good test of your security protocols, if you don't mind running the risk of screwing your machine beyond repair =P
 
 by: Dedolito     10/02/2006 11:44 AM     
  @slayer  
 
Hmm.. so.. Firefox has one unpatched dangerous flaw... and suddenly that makes IE all good again? Sorry, it doesn't work that way. For security AND stability, Firefox still way outmatches IE.

In addition, IE's security controls are much too cumbersome for the average user to comprehend, much less operate. Why? Because IE was never designed to be configured by end users, but by system administrators.

Finally, as said before, there is no such thing as unpatchable. It doesn't matter whether the flaw is in the javascript implementation, or the way it is called, one way or another it is patchable. It might require a fresh update of the browser itself, but it CAN be fixed.
 
 by: lauriesman     10/02/2006 03:13 PM     
  Oh and  
 
Unlike Microsoft, it won't take a month to get fixed and released, and people will not need to download and install unofficial community made fixes for it out of desperation.
 
 by: lauriesman     10/02/2006 03:17 PM     
  Haha  
 
Yeah, they'll just be downloading an ad-hoc patch by a community of people who are mostly only concerned with getting a fix out as quickly as possible. Oh, and it will be downloaded and installed automatically by default. Thanks Geritol.

I wish I could say that there was a good browser out there somewhere, but unfortunately the closest thing suffers from constant rearranging of the GUI. It is to cry.
 
 by: Fratley   10/02/2006 04:44 PM     
  You know  
 
that it's a good browser when it makes news that there is a flaw in it.

Yeah IE fanboys, celebrate, you're only losing by about 9,999 flaws now! =D
 
 by: fballer23   10/02/2006 04:53 PM     
  Erm  
 
Window Snyder ??
Were his parents hippies who worked for Bill Gates?
 
 by: jediman3     10/02/2006 04:53 PM     
  @jediman3  
 
No, Steve Jobs beat Bill Gates to the punch when it came to hiring hippies, had to hire his own kind you know.
 
 by: Stryc9   10/02/2006 09:17 PM     
  Wow  
 
The main issue isn't that there is a flaw in Firefox. There have been MANY flaws in Firefox. The main difference between Firefox and IE is that the people at Mozilla have a fix almost as soon as a flaw is found. And if they do not patch it up instantly well, then the community can do it easily since it is OPEN SOURCE. IE will only update with patches if there are critical errors that have been present for a few months. Does anyone remember that just not too long ago there was a flaw in IE and MS was debating on whether or not to release a patch to address the issue or just wait until the next official patch was supposed to come out?

 
 by: diem928   10/02/2006 10:10 PM     
  @dedolito  
 
"On an unsecured machine you can be certain that if you go browsing through a warez network you are going to be infected in very short order, without once trying to actually download or install a thing.

It's actually a pretty good test of your security protocols, if you don't mind running the risk of screwing your machine beyond repair =P "

been there done that wasn't intentional... was looking for a crack and got an unrelenting trojan that multiplied itself more than 1000 times in 2 files (it reached over 300 in alphanumeric string) which it was deleting at the same time as the multiply back and forth (between IE content and my documents), eventually the trojan just stopped replicating..

and to make matters worse i tried over 10 antiviruses, only 1 could detect it (it was a free scan A/V, with no removal features enabled) and none of the A/Vs i used could remove it, i also ran anti-spyware just for the sake of doing it, of course no help, manually hunting viruses can actually be fun... though it's usually tedious in cases like i had.

warez site i rarely used, haven't intentionally been to one since 2000 (the site i used to www.icewarez.net, not even sure if it's still operational). hated dnl'ing movies and games on there downloading 30-200 miniature between 3-15 MB each and compiling them to the main file.
 
 by: HAVOC666     10/02/2006 11:24 PM     
  Something Firefox has that IE will never have.  
 
An extension called NOSCRIPT. Doesn't matter if this is a huge flaw...with that extension running....it won't affect you anyway. IN FACT...almost no site with spyware and adware will affect you.....cause it can't load with this extension unless you're dumb enough to allow it.

Anyone who supports IE has no clue how powerful Firefox is, and is far from being tech savvy. It's those people who get other people in harm's way on the internet. The only reason someone using IE hasn't got a virus yet.....is pure luck.

These people might as well go ahead and say they know more about blues than BB King or Eric Clapton while they are at it.

And to make this even more simple...if you're going to bash Firefox...tell me why it's good to up the "pipeline" in "about:config"

- if you don't understand that...then you don't know enough about Firefox to bash it...and you're basically a newbie, and need to get out of a discussion that you know nothing about.
 
 by: nesibuss   10/02/2006 11:31 PM     
  Been discussing this  
 
with some Sysadmin friends and the general consensus is that it will be patched soon - buffer overflows are usually very easy to patch, and there are plenty of tools to enable those conditions to be identified fairly quickly.

The biggest concern is the intention by these people to stir up fear, uncertainty and doubt around the Firefox browser and then build some sort of push back towards IE.

Of course it is in these people's best interest to trick users into going back to a critically insecure browser that they can exploit at will. IE exploits are their bread and butter.

Some of the language used by the hackers clearly demonstrates their intent - particularly the sensationalist use of the word "unpatchable".
 
 by: lauriesman     10/03/2006 12:01 AM     
  Interestingly  
 
In the last six months Firefox had 47 vulnerabilities documented. IE only had 38. Last year the numbers were 17 and 25 respectively. Granted Firefox fixed theirs a lot more quickly but who knows what had been happening before they were discovered and fixed? Also worth noting that in the same time period Opera's exposed vulnerabilities dropped from 9 to 7.
 
 by: ixuzus  SuperVisor   10/03/2006 02:25 AM     
  @ixuzus  
 
The keyword there is documented. It's along the same vein as MS's definition of a critical exploit. If you look at both browsers using the same definitions, the numbers seriously need adjusting.

 
 by: lauriesman     10/03/2006 07:14 AM     
  Greater good of the internet...  
 
Yeah, they're really doing it for the greater good of the internet.

"We're setting up communication networks for black hats"

Last time I checked that isn't a good thing... Anywhere.

What they mean is that they are doing this for the greater good of the part of the internet they use. I truly am disgusted that intelligent people can come out with garbage like that. If you're going to be a black hat why don't you just admit you're an evil, self serving, vindictive, SOB?
 
 by: G1itch   10/03/2006 04:58 PM     
  I want to know something  
 
When they find a flaw (I.E or FireFox), is it that they (programmer) found it or is it that someone got infected (was hacked because of the flaw) with something. This always made me want to know.
I wonder if no one said anything, would anything happen?

"If a tree falls in the forest and nobody was around, does it make a sound?"
 
 by: thedrewman   10/03/2006 10:39 PM     
  Well...  
 
I just needed to post and say that I do not believe there can be ANY unpatchable flaw in a program. You can always write new code...
-np-
 
 by: NicPre     10/03/2006 11:59 PM     
  @drewman  
 
It's a bit of both - sometimes security monitoring organisations pick up an increase in traffic or detect a worm etc, but there are companies that actively scan software with testing tools to locate possible buffer overflows and other exploits. There are also private individuals who do the same.

In any case, the principle of concurrent discovery applies - if one person found it and reported it, you can be sure another person found it and didn't. This really means that it would be exploited sooner or later, and with the money and organised crime investment involved in these communication networks - it would be sooner rather than later.
 
 by: lauriesman     10/04/2006 02:24 AM     
  @drewman2  
 
For instance, a zero-day exploit means that an exploit for a flaw has been discovered in the wild on the same day the flaw has been discovered (or within maybe two days after).
 
 by: lauriesman     10/04/2006 02:26 AM     
  More info  
 
On the IE vs Firefox reports

http://www.eweek.com,
 
 by: lauriesman     10/04/2006 03:22 AM     
  Here  
  
 by: caution2  SuperVisor   10/04/2006 04:02 AM     
  I hit the bee hive with a bat!! ouch!  
 
I was just stating the truth. If Firefox started to dominate and was the browser of choice, Firefox would have huge problems. They would be targeted by every hacker, trojan writing geek, virus writers, etc. It takes months to years to finally start penetrating newly written code/software effectively. Firefox is still fairly new.

If I was going to try to cause the most damage to the computer industry, I would target MS operating systems and browsers. Why? Because the majority of the people use it! Too bad most people can't figure that one out.

I haven't used Firefox, I'm sure it's a good browser...but then again, it's nothing but a copy cat trying to make Microsoft (who by the way basically created it in the first place and should get the money) look bad so they can make millions from their customers. I'd rather give my money to the person/creators who took the risk financially to create such a great software. Rather than pay a copy cat that thinks their crap don't stink by saying "this software is not hackable!" Which leads to my first post and my first paragraph on this post! Get my point? Sorry for the long post.
 
 by: slayer06   10/04/2006 06:25 AM     
  @slayer  
 
What money? Firefox is free and open source. They aren't getting paid millions by their customers. They get money because they get paid by Google whenever you use the Firefox homepage Google search engine.

I'd also point out that if you use your logic, that I.E. is nothing but a clone of Netscape, who released Mosaic Netscape 0.9 (later Netscape Navigator) on Oct 13, 1994. Not to be outdone, M$ retaliated in June 1995 with IE 1.0, bundled free with win95 in an attempt to drive Netscape to its knees. Why? Because Netscape refused to play ball with M$ -- M$ wanted exclusive rights to the browser for all windows machines and wanted Netscape, the first attempt at a multi-OS web browser, to stay out of the windows environment.

And thus started the browser wars, M$ bundling IE free, also offering ISS and other services free in an attempt to squash Netscape. It almost worked too. Unable to compete with M$ directly Netscape was driven more or less out of the limelight and was sold to AOL where they provide the browser for AOL's engine.

Interestingly, Netscape/AOL largely funded the Mozilla group, which eventually generated the Firefox browser, which was something of a direct competitor to the Netscape browser. The latest versions of the Netscape browser are based on re-written Firefox code.

Anyway, the rambling point is that neither you the IE user nor I the Firefox user actually pay for the browser we use. They are freely provided, IE with Windows and Firefox via download. If anything, supporting Firefox supports Netscape, the little guy that M$ tried to squash during the Browser Wars of the 90's. Personally I think the Browser Wars were bad for us the consumers. In the rush to outdo each other and to patch last week's bugs and exploits, the releases of both browsers were, frankly, pieces of soiled refuse. There was no time to really test the security of the never-ending parade of releases, instigated IMO, by M$ in their attempt to assume complete dominance over the browser industry.
 
 by: Dedolito     10/04/2006 07:11 AM     
  @Dedolito  
 
yep, you're right. The Netscape Navigator thing totally slipped my mind. I'm sure the MS users sorta pay for the browser when we buy the OS, we just don't know it. Just look at the prices of Retail WinXP, the oem is a joke....temporary license but a lot cheaper.
 
 by: slayer06   10/04/2006 07:29 AM     
  netscape...  
 
never liked netscape... was the only program i've ever seen that crashes more than IE 5 and 6 and more than windoze/winblows 98... i like mozilla but i still primarily use IE, far more site friendly... the primary reason i have it is just in case IE goes off the deep end.
 
 by: HAVOC666     10/04/2006 08:02 AM     
  And the current theory  
 
Is this is all a hoax:

http://arstechnica.com/
 
 by: lauriesman     10/04/2006 08:40 AM     
  the old..  
 
netscape navigators 3-6(?) were buggy pieces of crap. but then so were the equivalent versions of IE. Both sucked in their own way for the reasons I listed. M$ won the browser wars simply because netscape couldn't continue to compete with the free services M$ could offer.

I'm sure we all technically pay for IE in some way when we buy Windows since the browser isn't just a bundled program but an integrated part of the OS, but I'd certainly hope the R&D costs for IE are dwarfed by the general R&D of the OS (IE being only a tiny part of the overall whole).

I think the way it probably works is M$ just writes off the labor costs of the IE department, kinda like how they write off the XBOX sales losses.

What do they care that they lose millions in certain sectors when the flagship products bring in billions? Especially when writing off those losses helps them maintain dominance across both the "free" and purchased product sectors?

 
 by: Dedolito     10/04/2006 08:44 AM     
  @deolito  
 
the versions of netscape i used were between dec. 1999 and about 2001/2002... i think i remember netscape navigator 4, if that's the one in particular version i remember crashed an average of every 10-30 minutes of usage... although to netscape's credit when IE crashes sometimes it just doesn't stop crashing beyond rebooting or reinstalling... and when FUBAR, a format. though oft time it would go days or weeks without a single problem whereas netscape crashes were as predictable as needing to reboot during the dreaded blue screen of death on win98.
 
 by: HAVOC666     10/04/2006 09:03 AM     
  Okay,  
 
So if I'm a hacker that can't effectively attack Firefox users, I'd want to scare the Firefox users into running back to IE where I COULD more easily attack them... Does this make sense to you now?
-np-
 
 by: NicPre     10/04/2006 03:50 PM     
  it wasnt true  
 
the guy who made the claims has apologised for making it up.
 
 by: Amaze   10/04/2006 11:45 PM     
  Here's the letter or apology  
  
 by: caution2  SuperVisor   10/05/2006 12:03 AM     
 
 
Copyright ©2010 ShortNews GmbH & Co. KG, Contact: info@shortnews.com