| Author |
Message |
    
Frodo Lives
Citizen
Username: Mfpark
Post Number: 1609
Registered: 9-2001
| | Posted on Tuesday, May 10, 2005 - 8:28 am: |     |
This was passed on to me by our in-house IT geek because I am always showing him chat logs from MOL touting alternatives like Firefox and Mozilla. Not that I understand any of this, but I thought you might find it interesting.
Critical Flaw Found in Firefox Matthew Broersma, Techworld.com
Mon May 9,11:00 AM ET
Firefox has unpatched "extremely critical" security holes and exploit code is already circulating on the Net, security researchers have warned.
The two unpatched flaws in the Mozilla browser could allow an attacker to take control of your system.
A patch is expected shortly, but in the meantime users can protect themselves by switching off JavaScript. In addition, the Mozilla Foundation has now made the flaws effectively impossible to exploit by changes to the server-side download mechanism on the update.mozilla.org and addons.mozilla.org sites, according to security experts.
The flaws were confidentially reported to the Foundation on May 2, but by Saturday details had been leaked and were reported by several security organizations, including the French Security Incident Response Team (FrSIRT). Danish security firm Secunia marked the exploit as "extremely critical", its most serious rating, the first time it has given a Firefox flaw this rating.
In recent months Firefox has gained significant market share from Microsoft's Internet Explorer, partly because it is considered less vulnerable to attacks. However, industry observers have long warned that the browser is more secure partly because of its relatively small user base. As Firefox's profile grows, attackers will increasingly target the browser.
Two Vulnerabilities Found
The exploit, discovered by Paul of Greyhats Security Group and Michael "mikx" Krax, makes use of two separate vulnerabilities. An attacker could create a malicious page using frames and a JavaScript history flaw to make software installations appear to be coming from a "trusted" site. By default, Firefox allows software installations from update.mozilla.org and addons.mozilla.org, but users can add their own sites to this whitelist.
The second part of the exploit triggers software installation using an input verification bug in the "IconURL" parameter in the install mechanism. The effect is that a user could click on an icon and trigger the execution of malicious JavaScript code. Because the code is executed from the browser's user interface, it has the same privileges as the user running Firefox, according to researchers.
Mozilla Foundation said it has protected most users from the exploit by altering the software installation mechanism on its two whitelisted sites. However, users may be vulnerable if they have added other sites to the whitelist, it warned.
"We believe this means that users who have not added any additional sites to their software installation whitelist are no longer at risk," Mozilla Foundation said in a statement published on Mozillazine.org.
Copyright © 2005 PC World Communications, Inc
|
monster
Supporter
Username: Monster
Post Number: 749
Registered: 7-2002
| | Posted on Tuesday, May 10, 2005 - 10:11 am: | |
It's still nothing compared to IE.... |
Tom Reingold
Supporter
Username: Noglider
Post Number: 6685
Registered: 1-2003
| | Posted on Tuesday, May 10, 2005 - 10:54 am: | |
Mozilla may be playing its political cards foolishly by admitting flaws more readily than MS does. I hate to say that. |
kevin
Citizen
Username: Eloso
Post Number: 19
Registered: 12-2004
| | Posted on Tuesday, May 10, 2005 - 12:25 pm: | |
Actually the last gartner group study I saw showed that MS releases security patches faster than any other vendor. They have obviously devoted alot of money and people to testing and releasing patches. I just hope that firefox releases stable patches, because there is nothing worse for a software companies rep than to release patches that do more harm than good.
Kevin
|
Rastro
Citizen
Username: Rastro
Post Number: 1059
Registered: 5-2004
| | Posted on Tuesday, May 10, 2005 - 12:31 pm: | |
Kevin, can you give a reference for that Garnter report? (date/author) I'm interested in seeing their analysis.
Given that MS seems to have moved to a monthly patch cycle, there is a known window of opportunity for hackers from when the exploit is detected to when it will be patched.
And as a snide (and inaccurate) comment, I guess when you have lots of experience with patching your product, you get better at it (patching).
 |
Dave
Supporter
Username: Dave
Post Number: 6310
Registered: 4-1997
| | Posted on Tuesday, May 10, 2005 - 12:39 pm: | |
The Firefox security hole is a proof of concept, which means there are no reports of actual malice. Compare that to MSIE's boatload of security issues and long track record of people having to reinstall Windows when things go wrong. While this is mostly due to MS being the market leader, it is also because MSIE is simply bad software. |
kevin
Citizen
Username: Eloso
Post Number: 20
Registered: 12-2004
| | Posted on Wednesday, May 11, 2005 - 9:17 am: | |
Rastro,
No luck in finding that report. I'm pretty sure I saw it on slashdot but their search engine is broken so I will have to try later.
I did find a story about how Microsoft's investment in security has improved their security reputation here: http://www.newsfactor.com/story.xhtml?story_id=12100002ES8V
IW has a good story about the pros and cons of firefox here: http://informationweek.com/story/showArticle.jhtml?articleID=160900911 |
kevin
Citizen
Username: Eloso
Post Number: 21
Registered: 12-2004
| | Posted on Wednesday, May 11, 2005 - 9:22 am: | |
Dave,
Many security holes are conceptual first and then once announced hackers create exploits. It is a big debate in the IT security field wether to announce the exploits before or after the patch is created. When I talked to the guys from CERT about it they felt that the bigger problem was getting users to patch at all. |
Dave
Supporter
Username: Dave
Post Number: 6332
Registered: 4-1997
| | Posted on Wednesday, May 11, 2005 - 9:28 am: | |
Good point. |
Rick B
Citizen
Username: Ruck1977
Post Number: 669
Registered: 8-2003
| | Posted on Wednesday, May 11, 2005 - 11:56 am: | |
The opportunity exists to announce their flaw and fix it. They may lose credibility in a certain "potential" customer base, but I don't think they lose face with their existing base. That being said, I think one of their biggest draws will be the existing customer base bringing in those from that "potential" base. |
Rick B
Citizen
Username: Ruck1977
Post Number: 686
Registered: 8-2003
| | Posted on Friday, May 13, 2005 - 8:34 am: | |
This is fixed, go download your updates! |
Closed: New threads not accepted on this page