10-02-2006, 10:29 AM
|
#1
|
Franchise Player
Join Date: Jul 2003
Location: Djibouti
|
Firefox has "Unfixable" Flaw
The open-source Firefox Web browser is critically flawed in the way it handles JavaScript, two hackers said Saturday afternoon.
The flaw is specific to Firefox's implementation of JavaScript, a 10-year-old scripting language widely used on the Web. . . . The implementation is a "complete mess," he said. "It is impossible to patch."
The JavaScript issue appears to be a real vulnerability, Window Snyder, Mozilla's security chief, said after watching a video of the presentation Saturday night. "What they are describing might be a variation on an old attack," she said. "We're going to do some investigating."
"Internet Explorer, everybody knows, is not very secure. But Firefox is also fairly insecure,". . . .
The hackers claim they know of about 30 unpatched Firefox flaws.
Full Story
|
|
|
10-02-2006, 10:55 AM
|
#2
|
Franchise Player
Join Date: Jul 2005
Location: in your blind spot.
|
Good to know.
While I still contend IE is less secure, I don't believe any browser is totally secure.
__________________
"The problem with any ideology is that it gives the answer before you look at the evidence."
—Bill Clinton
"The greatest obstacle to discovery is not ignorance--it is the illusion of knowledge."
—Daniel J. Boorstin, historian, former Librarian of Congress
"But the Senator, while insisting he was not intoxicated, could not explain his nudity"
—WKRP in Cincinnati
|
|
|
10-02-2006, 11:08 AM
|
#3
|
Threadkiller
Join Date: Oct 2003
Location: 51.0544° N, 114.0669° W
|
LOL can't wait to see how the Firefox people defend this one...
|
|
|
10-02-2006, 11:21 AM
|
#4
|
Franchise Player
Join Date: Jul 2005
Location: in your blind spot.
|
Quote:
Originally Posted by ricosuave
LOL can't wait to see how the Firefox people defend this one...
|
I'll take a shot at it.
Quote:
Weafer acknowledged that by pointing out that the attacks aimed at IE outnumbered those targeting Mozilla's browsers by more than 2 to 1. "The lion's share of the attacks were against Internet Explorer," said Weafer.
|
Quote:
Weafer also noted that the open-source browser had a decided advantage over Microsoft's on a time-to-patch criteria. Firefox rivals such as IE, Safari, and Opera were patched considerably faster in the first half of 2006 than they were in the last half of 2005, but Mozilla's beat them all. IE, for instance, had an average window of exposure, the time between an exploit appearing and a fix released, of 9 days, while Mozilla patched in 1 day. (Safari's window was 5 days, Opera's was 2.)
|
Sept. 25 Information Week article
So IE has twice the number of attacks, and takes longer to patch.
|
|
|
10-02-2006, 11:41 AM
|
#5
|
Atomic Nerd
Join Date: Jul 2004
Location: Calgary
|
I use Opera to snub all those Firefox users.
The owner of Opera said he'd swim from Norway to England or something if enough people downloaded Opera. That's good enough for me.
|
|
|
10-02-2006, 11:50 AM
|
#6
|
Backup Goalie
Join Date: Apr 2003
Location: Edmonton, AB
|
...and if Opera gains a large enough user base, it'll gain more attention. Especially from people looking for exploits.
Firefox went through the same cycle. It was the perfect browser...then it gained popularity...then security holes were found.
Some part of me wants OSX to gain a ton of popularity just so enough people put effort into finding exploits for that OS. Shut up all those Mac fanboys for good.
|
|
|
10-02-2006, 11:51 AM
|
#7
|
Franchise Player
Join Date: Aug 2005
Location: Violating Copyrights
|
Quote:
Originally Posted by Bobblehead
|
Here's another good example of this. Apple releases a patch on Friday and the exploit shows up today. Run your 10.4.8 update people.
http://www.techweb.com/showArticle.j...SSfeed_TechWeb
|
|
|
10-02-2006, 11:58 AM
|
#8
|
Lifetime Suspension
|
I tried Opera for a while and was disappointed. Firefox is my favorite for the moment no matter what vulnerabilities it has. It cost me nothing and improves my Internet experience -- that's ALL that counts as far as I'm concerned!!
|
|
|
10-02-2006, 12:04 PM
|
#9
|
Lives In Fear Of Labelling
|
Quote:
Originally Posted by MattyK
...and if Opera gains a large enough user base, it'll gain more attention. Especially from people looking for exploits.
Firefox went through the same cycle. It was the perfect browser...then it gained popularity...then security holes were found.
Some part of me wants OSX to gain a ton of popularity just so enough people put effort into finding exploits for that OS. Shut up all those Mac fanboys for good.
|
It almost sounds like you're jealous of OS X
Last edited by underGRADFlame; 10-02-2006 at 12:07 PM.
|
|
|
10-02-2006, 12:09 PM
|
#10
|
Franchise Player
|
Is it really a surprise? Like somebody said, more users = more popularity = more people trying to hack.
|
|
|
10-02-2006, 12:17 PM
|
#11
|
Director of the HFBI
Join Date: Sep 2004
Location: Calgary
|
Quote:
Originally Posted by underGRADFlame
It almost sounds like you're jealous of OS X
|
OSX has a lot of flaws in it, Apple has even stated as much.
A lot of them are similar to flaws that Windows patched years ago, but Apple has not fixed them.
Every software has bugs, exploits etc, no software is "perfect". Use what you like.
|
|
|
10-02-2006, 01:04 PM
|
#12
|
It's not easy being green!
Join Date: Oct 2001
Location: In the tubes to Vancouver Island
|
Quote:
Originally Posted by arsenal
OSX has a lot of flaws in it, Apple has even stated as much.
A lot of them are similar to flaws that Windows patched years ago, but Apple has not fixed them.
Every software has bugs, exploits etc, no software is "perfect". Use what you like.
|
Yeah, that's why I get annoyed with the people who babble on about how Macs are so amazing for never getting hit. Anything will be exploited if more people work to exploit it. The more popular Macs become, the more viruses and security holes will pop up for them. It's not that any of these things are really crappy, it's just that more time and effort is put into targeting Microsoft.
__________________
Who is in charge of this product and why haven't they been fired yet?
|
|
|
10-02-2006, 01:11 PM
|
#13
|
Franchise Player
Join Date: Aug 2004
Location: Calgary
|
Quote:
Originally Posted by kermitology
It's not that any of these things are really crappy, it's just that more time and effort is put into targeting Microsoft.
|
###.
Plus, most everyone loves to hate Micro$oft...
|
|
|
10-02-2006, 01:36 PM
|
#14
|
Lifetime Suspension
Join Date: Mar 2006
Location: Wet Coast
|
macs rule.
|
|
|
10-02-2006, 01:43 PM
|
#15
|
Franchise Player
Join Date: Aug 2005
Location: Violating Copyrights
|
Quote:
Originally Posted by kermitology
Yeah, that's why I get annoyed with the people who babble on about how Macs are so amazing for never getting hit. Anything will be exploited if more people work to exploit it. The more popular Macs become, the more viruses and security holes will pop up for them. It's not that any of these things are really crappy, it's just that more time and effort is put into targeting Microsoft.
|
Market share does not increase the number of viruses and security holes. Anyone who says this knows nothing of operating systems. Unix/Linux systems have fewer viruses/security holes because they are more secure.
|
|
|
10-02-2006, 01:47 PM
|
#16
|
Franchise Player
Join Date: Aug 2005
Location: Calgary
|
HAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHA
HAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHA
HAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHA
HAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHA
HAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHA
The Linux crowd is one of the most annoying crowds there are with their M$ hates users because of the security flaws and blah blah blah. I will say this for firehazard, a lot of the plugins for it are quite nifty. I am more of a Slimbrowser man myself though.
Name one product as dynamic as a web browser that is flawless, you can't find one because people will always find a way to break things, plain and simple.
MYK
|
|
|
10-02-2006, 02:05 PM
|
#17
|
Franchise Player
Join Date: Jul 2005
Location: in your blind spot.
|
Quote:
Originally Posted by Barnes
Market share does not increase the number of viruses and security holes. Anyone who says this knows nothing of operating systems. Unix/Linux systems have fewer viruses/security holes because they are more secure.
|
Sure it does. If I'm writing some sort of malware, do I target it at a) the app with the largest install base and least savvy users or b) the smaller market share with more advanced (on average) users?
Unix/Linux is more secure, not necessarily because it is "better", but because it was built on a better security model. If all Linux users were to log in as administrator all the time, it would probably be just as dangerous as Windows.
My beef with MS is with how they use their market share to bully competitors and even customers. Many of their products are really good, working in IT, I can't imagine how difficult it is to do many of the things they are asked to do. But when they start doing things like saying the OS is tied to the computer, and you are not allowed to transfer it to another computer; or they patent .doc formats to try and lock in users/freeze out competitors; then they have gotten too greedy and pushed too far (I blame the marketing weasels).
I think things like Firefox have pushed MS to work on IE7 after allowing IE6 to stagnate. If all browser makers are vying to be more secure than the others, then the public using those browsers wins.
|
|
|
10-02-2006, 02:14 PM
|
#18
|
First Line Centre
Join Date: Aug 2006
Location: Calgary
|
No product is free of security holes, Macs, Firefox or Linux.
However, some are more secure than others, and some are a LOT more secure than others.
Windows was built before the Internet existed. PCs were designed to be standalone systems, the whole idea of user privileges is poorly implemented in XP meaning most people run as administrators so programs can do anything. On the other hand, Mac OS X is based off of Unix which was designed with the Internet in mind. You run as a user in your own private world and can't touch the core of the operating system without a password prompt. The same is true for Linux. Also, OS X and Linux don't have tonnes of legacy code from the last decade to support every 10 year old program. Legacy code by its very nature is full of security holes because there are tonnes of things that the developers could never have seen coming.
The other advantage Firefox has over Internet Explorer is that it isn't integrated. If IE is compromised it can take down your whole system, it's built into the kernel of Windows XP, the very core of the operating system (you can't even uninstall it if you want to). Firefox runs on its own, it's not integrated with the operating system, and it is based on a much more simplistic architecture - meaning there are less chances for bugs.
The argument that any operating system or program is entirely secure is BS. However, there are no known viruses for OS X (there are a few proof of concept things, however all require a password prompt which should set off warning bells for any user and none have been distributed. Windows viruses can gain access to the root level of the OS) and far fewer exploits for Firefox than for IE. Security through obscurity is a nice argument, but by now there should be at least one exploit that takes advantage of OS X because anybody who found it would be famous. I am sure there are some exploits to be found in OS X, as in Linux...but I'm also sure there are a LOT fewer than there are in Windows.
(I'm just rambling and typing what I think as I think it, so I hope I made my point but maybe I didn't....god I need sleep)
Also, I think it's a stretch to say it's unfixable. You'd be surprised what the open source community can do. Besides, if MS can fix up XP and make Vista secure then anything is possible!
Last edited by Flames0910; 10-02-2006 at 02:18 PM.
|
|
|
10-02-2006, 02:55 PM
|
#19
|
Backup Goalie
Join Date: Apr 2003
Location: Edmonton, AB
|
Market share may not increase the number of security holes, but it can certainly increase awareness and exploitation of existing security holes.
And it certainly has an effect on the number of viruses. Like it's been said before...what is a malicious person going to do? Write a virus for a widespread OS, or one for an OS with a 5% market share (or less?).
|
|
|
10-02-2006, 02:57 PM
|
#20
|
Franchise Player
Join Date: Aug 2005
Location: Violating Copyrights
|
Quote:
Originally Posted by Bobblehead
Unix/Linux is more secure, not necessarily because it is "better", but because it was built on a better security model. If all Linux users were to log in as administrator all the time, it would probably be just as dangerous as Windows.
|
True. Windows Vista does come on par with OS X in so much as requiring an Admin password before running an installer even if you are logged in as an admin. I do have to admit, I am really liking Vista from what I have seen firsthand.
|
|
|