More on Firefox security flaws:



Billy T
21-04-2005, 05:16 PM
Fred Langa responds:

In the current article on Firefox http://www.informationweek.com/story/showArticle.jhtml?articleID=160900911 my opening argument was "FireFox is a good browser, but not at all the panacea its most ardent fans think it is." My closing argument was "It's great that there are open-source alternatives to try, and it's smart to proactively explore all your options. But go in with your eyes open: All software has flaws. There are no panaceas!"

To me, it's hard to imagine less inflammatory statements. I mean: "All software has flaws." How can anyone disagree with that?

But the froth-on-the-lips crowd is out in force, claiming I'm shilling for Microsoft, or have my head far up a nether orifice. If members of the rabid pro-Firefox crowd admit to any flaws in that software at all, they say that the numbers of flaws are tiny, and the security holes insignificant.

This view, however appealing, is totally false. There is no objective evidence--- zero, zip, nada, nil--- to support that view. Instead, there is a large and growing body of evidence that indeed and of course, there are problems in Mozilla/Firefox, and some of them are quite severe, opening the door to data theft, backdoor infections of your PC, and so on--- exactly the same kinds of problems that Internet Explorer is reviled for!

In fact, in addition to the information originally cited in http://www.informationweek.com/story/showArticle.jhtml?articleID=160900911 , some new info came out this past weekend, after my article was already written: The folks at Mozilla posted advisories on 9 newly-discovered flaws in Mozilla and its offspring (including FireFox):

"Mozilla flaws could allow attacks, data access...Multiple vulnerabilities that could allow an attacker to install malicious code or steal personal data have been discovered in the Mozilla Suite and the Firefox open-source browser." (Full story: http://news.zdnet.com/2100-1009_22-5674883.html?tag=nl.e589 )

Again, these are *exactly* the same types of problems that IE is rightly criticized for.

Does all this mean that Firefox is a bad browser? Not at all. It means it's a normal browser, and will require vigilance to use safely.

Does this mean that Internet Explorer is wonderful? Not at all. It's a normal browser, and requires vigilance to use safely.

If you keep either browser patched, and use the other security tools we discuss here issue after issue, you'll be fine using either IE or Firefox. In point of fact, most of the actual real-life exploits in IE have affected out-of-date, unpatched, and/or unprotected systems. If you keep your software up to date and protected, you'll be fine.

Bottom line: Firefox is a fine tool. If you like it, by all means use it. But don't think that using it will automatically make you safe from serious browser security issues--- in fact, cold, hard facts prove exactly the opposite. So, once again: "It's great that there are open-source alternatives to try, and it's smart to proactively explore all your options. But go in with your eyes open: All software has flaws. There are no panaceas!"


A nice, friendly and rational response, don't you think?

Cheers

Billy 8-{)

Metla
21-04-2005, 05:32 PM
If he closed his one eye he would be in the dark.

Seriously, none of the criticism I have seen of his article claims that Firefox is above vulnerability, merely that it doesn't have the design flaws that IE has (as in IE is an open door into the OS, with various features that make it easy to wreak havoc...ActiveX, BHOs. Then take into account the attitude displayed by MS...we own the market so faults don't matter).

In a Firefox vs IE it would take a massive amount of one-sidedness to declare them equal, no matter how many people use either, or what personal preference the writer has.

Which makes his entire case nothing but piffle.




And this should have gone in the last thread you made on the subject.

Chilling_Silence
21-04-2005, 05:58 PM
That's some very interesting and valid points there, Billy.

Too right that all software is vulnerable! There have been numerous privilege escalation exploits of late with the Linux kernel; however, by the time that they have been discovered, they are already being fixed.

I found out about one in a recent kernel where I was using an rc-kernel. Turns out some other amendments that had been made in my performance patchset had already fixed the problem before it was discovered in this testing kernel.

Well said point that all software requires vigilance from the end-user, and being blind to this would be crazy.

Don't get me wrong, I love Firefox & Linux & OpenOffice.. Gaim, xmms, K3b and what-not, but it's FAR from perfect.

A quick look at the code and you'll see that some of it has been written by inexperienced coders, whilst other code has been written by people who do it for a living, and some by people who've been programming since the dawn of C.

Good to see awareness being raised!

pctek
21-04-2005, 07:44 PM
Yawn.
Nothing's perfect. There's no such thing as perfect. It's ongoing. There's probably some new hack/vulnerability thing that hasn't even been thought of yet but due soon that they are all open to.
Who worried about spyware 10 years ago? Or 5 even?

Murray P
21-04-2005, 07:45 PM
What's the/your point? There's nothing new here that hasn't been said or acknowledged before, out there and in here, and nicely summed up in a nutshell here (http://pressf1.pcworld.co.nz/showpost.php?p=344977&postcount=2) and expanded on a little by Chill.

Interesting, but just because Fred can worm with the best of them doesn't make his word gospel or lessen the fact that he's on a bit of a mission himself. Only, Fred manages to hide most of the rabid frothing with an air of urbanity, is that the right word, feel free to insert your own.