[personal profile] thatcrazycajun
Two hackers at San Diego's just-completed ToorCon conference claim to have proven that computers running the Mozilla Foundation's hugely popular Firefox Web browser, regardless of whether they use WinBlows, Mac OS X or Linux operating systems, can be commandeered by hostile hackers simply by ginning up a Webpage of malicious JavaScript. The story is reported by ZDNet here.

Am I the only one who notices the irony in this, Firefox having originally been conceived as an alternative to what its creators considered the hopelessly-insecure Micro$oft browser, Internet Exploder Explorer? That a browser designed deliberately to be more secure than IE should now be shown to actually be less secure -- and unfixable short of rewriting its decade-old base code from line one -- is hugely amusing to me. Or would be, if I didn't already find myself using Firefox way more often on both my XP and Mac machines...

Date: 2006-10-02 04:27 pm (UTC)
From: [identity profile] autographedcat.livejournal.com
It shouldn't be.

1) All software has bugs. All software has security flaws. If you go out on the net, you're taking a risk, every time.

2) That Firefox has flaws (which precept 1 tells us is inevitable) does not automatically make it *less* safe than IE.

3) JavaScript is inherently dangerous, as anyone using the web should know. There is a Firefox extension called NoScript that allows you to block JavaScript by default and selectively allow it on pages you visit that you trust, and any sensible Firefox user will install it and use it.

4) The article you link to indicates that while the fix will be very large, the hackers who presented the information have likely given them enough information to solve the problem.

5) The real irony is that the head of security for Mozilla is named "Window". (Ok, it's not really ironic, but it's very very funny).

In short, I really see nothing here that's especially alarming or revealing. It's good information, and a good reminder that if you're running JavaScript indiscriminately, you're putting your computer at risk. But we've known that for years.

Date: 2006-10-02 04:49 pm (UTC)
From: [identity profile] thatcrazycajun.livejournal.com
1. Yes, Rob, I know that all software has bugs and security flaws. But Firefox has been (heavily) sold by its creators and proponents from day one as being more secure; go back and read all the early articles about it if you don't believe me. Reading them led me to believe that this was FF's primary selling point over IE. That it is (so the hackers claim) not only not as secure as advertised, but in fact has not been from day one if their claims are true, seems to me still worth noting, despite your valid points.

2. Mozilla, for its part, claims the exploit can be fixed with only a new patch, at least based on its investigation of the problem so far. The hackers dispute this claim, saying that the program must be rewritten completely to fully eliminate the exploit, partly because the base code, however much it's been refined by its open-source participants, is still over ten years old. That's an eternity in software, as you know. I don't know enough about coding myself to authoritatively say who's right, but I tend to put more trust in individuals over organizations or companies, the latter of which are more subject to groupthink and solidarity against outside assertions.

But thanks for the tip about NoScript; now how about a link?

Date: 2006-10-02 05:02 pm (UTC)
From: [identity profile] thatcrazycajun.livejournal.com
Never mind; I found it at noscript.net on my own.

Date: 2006-10-02 05:11 pm (UTC)
From: [identity profile] autographedcat.livejournal.com
1. I have read the early articles. I've been using Firefox since it came out, and Mozilla Suite before it. Even with this flaw, I'd still wager that Firefox is *more* secure than IE. That's a comparative term. You seem to be saying that because Firefox isn't *perfectly* secure, it's a terrible product and all its claims are false.

2. Mozilla says that it can be patched, but it won't be a quick or easy fix, because of the nature of the particular vulnerability. Firefox is a huge project, and has an awful lot of code.

2a. Your notion that you'd trust individuals over organizations is nonsense, given that the individuals in question claim they have over 30 known bugs which they are refusing to submit to the developers to be fixed. I'm sorry, but that sort of individual is *not* someone who gets trusted. If I could get them up into orbit, I'd shove them out the airlock. (That is, btw, my *professional* opinion. Remember, I do this for a living.)

NoScript can be found in the Firefox extensions archives:

https://addons.mozilla.org/extensions/moreinfo.php?id=722

You can get more info about the extension at the developer's page:

http://www.noscript.net/whats

You might also want to look into Adblock Plus and Adblock Filterset.G

https://addons.mozilla.org/firefox/1865/ for Adblock Plus
https://addons.mozilla.org/firefox/1136/ for Filterset.G

Date: 2006-10-02 10:05 pm (UTC)
From: [identity profile] redaxe.livejournal.com
While this particular vulnerability may be a serious issue to fix, Firefox has one major advantage over M$IE in terms of security: When a vulnerability is demonstrated in Firefox, a fix comes out ASAP. When a vulnerability is demonstrated in IE, unless the press has forced expedient action, a fix waits for the next scheduled MS patch release, which is to say, as much as a month. (MS does monthly fix releases; recently, malware creators seem, for some reason, to be releasing stuff into the wild the day after a release is done. I can't imagine why they'd do it that way! </sarcasm>)

Date: 2006-10-03 02:23 am (UTC)
From: [personal profile] cellio
All network-connected software is vulnerable if people decide to work hard enough at it. I'm not surprised that people are going after Firefox now, given its popularity.

I use NoScript and find it vastly superior to IE's answer, which is "turn off javascript globally". NoScript lets me decide on a case-by-case basis and it remembers what I tell it, so I don't have to keep turning it on and off.
