Firefox 'Exploits' Blown out of Proportion

[Anti-Trend]

Several major IT security firms have disclosed the existance of two highly-critical '0-day' exploits which can lead to the compromise of the Firefox web browser. Unfortunately, the information is somewhat misleading, as the exploits were not actually bugs in the Firefox software at all. In fact, it was a bug in the Mozilla.org website which maintains the whitelist of Firefox plugins. The whitelist bug, had it been exploited, would have allowed malicious websites to force downloads of malformed code to Firefox browser. However, this flaw was mitigated with a work-around just minutes after the exploit was reported.

The bottom line is that Firefox is not currently suffering from any exploitable bugs, and Mozilla.org is working on a permanent fix for this issue. Beware of sensationalistic journalism which longs to report, "See? Firefox is just as insecure as Internet Explorer." These same reporters neglect to mention that over 30% of Internet Explorer's known exploits remain unpatched as of this writing. Some of the more critical ones have even been around for more than a year. See for yourself.

-AT

 

[Sniper]

thanks for that Anti-Trend, it seems theres people out there who need to do more research before making such claims.

 

[ninja fetus]

gaahaaaa knew it. Thanks for clearing it all up

 

[Anti-Trend]

No problem at all. I truly support the widespread acknowledgment of security vulnerabilities, especially critical ones. But sensationalistic garbage like this only serves to exacerbate me.

 

[Nic]

Lol I knew you'd be quick to defend firefox ;) Thanks for clearin tht up btw

 

[Anti-Trend]

Lol I knew you'd be quick to defend firefox ;) Thanks for clearin tht up btw

In all fairness, if there really was a critical vulnerability in Firefox I'd likely be the first to report it here. Part of my job is knowing about vulnerabilities in the software that my organization runs, and handling the problem appropriately. In this case, it's pure knee-jerk yellow press, and it really pisses me off. Certain members of our news crew, I'll mention no names, should get their facts straight before posting the first thing that comes across their screens. Yes, I'm pissed, so I apologize if I sound like a slathering lunatic. It's just that this isn't the first time that such exploitative journalism has been posted on this website. What's the difference between half-truths and outright lies?

-AT

 

[syngod]

This story was on quite a few sites so I posted it here as well just as I would if a major IE flaw came up.

However their is still a script injection vulnerability. Mozilla rates it as critical and even reccomends disabling javascript on unknown sites. Link here.

I'm not trying to start a flame war, but can you tell me if this came out about IE you wouldn't be all over it saying yet another MS security hole? No software is 100% secure, be it IE, Opera, Firefox. This is an actual vulnerability the Mozilla team has rated as critical therefore I'd say it's worthy of being reported, just as any serious IE vulnerabilty should.

 

[Anti-Trend]

No software is 100% secure, be it IE, Opera, Firefox. This is an actual vulnerability the Mozilla team has rated as critical therefore I'd say it's worthy of being reported, just as any serious IE vulnerabilty should.

OK, I never, ever claimed Firefox was the end-all, be all browser that won't ever have a security vulnerability. To do so would not only be outright stupid, but totally unrealistic. Of course any human-written code will contain flaws, and some of those flaws will have the potential for exploit. Some code is written better than others of course, but that's beside the point. Believe it or not, I don't take it personal when any software is found to have security flaws, be it FOSS or proprietary. It happens sometimes. What deeply bothers me is that specifically Microsoft code is simply expected to have tons of unresolved security issues, and that's supposed to be OK. Right? But a possible limited script injection is found in Firefox, which is hardly a critical exploit in this case I might mention, and the media jumps all over it. My problem with you is that you didn't do anything besides reproduce the original article, perpetuating the sensationalism without question or hesitation. Had you read the Secunia report, you would have noticed that the critical bugs had been already been negated with a temporary work-around.

I'm not trying to start a flame war, but can you tell me if this came out about IE you wouldn't be all over it saying yet another MS security hole?

Well, if you insist. Here's a list of unresolved security issues which currently exist in a fully patched and updated copy of Internet Explorer 6:

• Microsoft Java Implementation Multiple Vulnerabilities
  Partial Fix. Secunia Advisory 12 of 16 in 2002
• Internet Explorer .MHT Denial of Service
  Unpatched. Secunia Advisory 21 of 24 in 2003
• Internet Explorer Exposes Sensitive Information
  Partial Fix. Secunia Advisory 15 of 24 in 2003
• Internet Explorer Custom HTTP Error Script Injection Vulnerability
  Partial Fix. Secunia Advisory 13 of 24 in 2003
• Microsoft MCIWNDX.OCX ActiveX Plugin Buffer Overflow
  Unpatched. Secunia Advisory 11 of 24 in 2003
• Microsoft Internet Explorer Exposure of Installed Components
  Unpatched. Secunia Advisory 5 of 24 in 2003
• Internet Explorer File Identification Variant
  Unpatched. Secunia Advisory 31 of 34 in 2004
• Internet Explorer Cross Frame Scripting Restriction Bypass
  Unpatched. Secunia Advisory 30 of 34 in 2004
• Internet Explorer/Outlook Express Restricted Zone Status Bar Spoofing
  Unpatched. Secunia Advisory 28 of 34 in 2004
• Windows Explorer / Internet Explorer Long Share Name Buffer Overflow
  Unpatched. Secunia Advisory 26 of 34 in 2004
• Microsoft Internet Explorer and Outlook URL Obfuscation Issue
  Partial Fix. Secunia Advisory 25 of 34 in 2004
• Internet Explorer File Download Error Message Denial of Service Weakness
  Unpatched. Secunia Advisory 22 of 34 in 2004
• Microsoft Internet Explorer Multiple Vulnerabilities
  Partial Fix. Secunia Advisory 20 of 34 in 2004
• Internet Explorer Address Bar Spoofing Vulnerability
  Unpatched. Secunia Advisory 18 of 34 in 2004
• Internet Explorer Cross-Domain Cookie Injection Vulnerability
  Unpatched. Secunia Advisory 15 of 34 in 2004
• Microsoft Internet Explorer Disclosure of Sensitive XML Information
  Unpatched. Secunia Advisory 14 of 34 in 2004
• Internet Explorer/Outlook Express Restricted Zone Status Bar Spoofing
  Partial Fix. Secunia Advisory 11 of 34 in 2004
• Microsoft Internet Explorer "res:" URI Handler File Identification Vulnerability
  Partial Fix. Secunia Advisory 9 of 34 in 2004
• Internet Explorer Flash/Excel Content Status Bar Spoofing Weakness
  Unpatched. Secunia Advisory 8 of 34 in 2004
• Microsoft Internet Explorer Two Vulnerabilities
  Unpatched. Secunia Advisory 7 of 34 in 2004
• Microsoft Internet Explorer Cookie Path Attribute Vulnerability
  Partial Fix. Secunia Advisory 6 of 34 in 2004
• Microsoft Internet Explorer "Save Picture As" Image Download Spoofing
  Unpatched. Secunia Advisory 5 of 34 in 2004
• Microsoft Internet Explorer "sysimage:" Local File Detection Weakness
  Partial Fix. Secunia Advisory 4 of 34 in 2004
• Microsoft Internet Explorer Window Injection Vulnerability
  Unpatched. Secunia Advisory 3 of 34 in 2004
• Microsoft Internet Explorer FTP Command Injection Vulnerability
  Unpatched. Secunia Advisory 2 of 34 in 2004
• Internet Explorer FTP Download Directory Traversal
  Partial Fix. Secunia Advisory 6 of 6 in 2005
• Internet Explorer Global Variables Local File Detection Weakness
  Unpatched. Secunia Advisory 5 of 6 in 2005
• Internet Explorer/Outlook Express Status Bar Spoofing
  Unpatched. Secunia Advisory 3 of 6 in 2005
• Microsoft Internet Explorer Popup Title Bar Spoofing Weakness
  Unpatched. Secunia Advisory 2 of 6 in 2005

By the way, I would without hesitation report legitimate security info about Firefox, which history will clearly show you.

 

[syngod]

Mozilla has fixed the problem with their update servers, but have they fixed the hole allowing a malicious site to do the script inject? I'd say until they come out with a new version this would still be rated as a critical security risk.

Microsoft by no means has a great security record however their have been posts that I would say sensationalize IE flaws alot more than I say the link to my article would.

For some reason there people on this board seem to feel as though Mozilla is bulletproof which isn't the case, actually going by the amount of security updates issued I'd say Opera is the most secure browser. In fact if you look at Mozilla's security announcements, they tend to be about the same as MS with security updates at the once a month rate.

Firefox is a great browser and I don't want anyone to think I'm trying to trash it, however I think everyone should be security concious and know that there is issues to be had with all browsers. If a major IE alert was to come out today that I found out about I would be willing to post it as well.

 

[Anti-Trend]

For some reason there people on this board seem to feel as though Mozilla is bulletproof which isn't the case, actually going by the amount of security updates issued I'd say Opera is the most secure browser. In fact if you look at Mozilla's security announcements, they tend to be about the same as MS with security updates at the once a month rate.

I can't believe you decided to draw a parallel there. The only exploitable bug that even exists for Firefox is the script injection vulnerability we've already discussed, and that's been worked around already. Did you even look at the list I posted? Those are current vulnerabilities in IE, not past ones. Some of those have been around since 2002 without any attention from Microsoft, and you want to say it's equivalent security-wise? How in the world can you substantiate that idea? I'm seriously interested to know.

P.S. - Agreed that Opera does have a very good track record for security, and I actually enjoy using it. I just can't rationalize spending $40/US on a web browser.

 

[Anti-Trend]

Mozilla has fixed the problem with their update servers, but have they fixed the hole allowing a malicious site to do the script inject? I'd say until they come out with a new version this would still be rated as a critical security risk.

By the way, there's a release candidate for Firefox 1.0.4, which addresses both the whitelist bug and the script injection bug, in addition to a hot workaround for those concerned. However, like I said before, the script injection bug only works in connection with the whitelist bug. Since the whitelist bug has been mitigated, the script injection vulnerability is moot. No non-whitelisted plugin download, no code injection either.

-AT

 

[Dave35k]

Firefox = better than ie pure and simple and any one who complains is wrong ! :good:

 

[ninja fetus]

I guess some people can't accept that firefox is just flat out better. very nice defense there AT *clap*

 

[Anti-Trend]

very nice defense there AT *clap*

It's not a defence, it's just the plain out truth. Firefox has had vulnerabilities in the past, and it will in the future. But these ones are clearly irrelevant. My point is that some people want to talk about problems in Firefox that have already been taken care of, all the while ignoring the inordinate amount of problems in IE which have been around for ages with no fixes. I wonder why that is?

 

[syngod]

I'm not saying IE doesn't have problems, what I was saying by the monthly updates is that Mozilla isn't fixing the problem the day after a problem is discovered. If you look at their security updates they tend to be spread within a day or two of being a month apart, which is what MS's patch policy is unless it is very critical.

IE has quite a few outstanding secuity issues and I'm not saying IE is better than FF, everyone seems to be of the assumption with FF you're safe and don't have to worry about spyware, popups, viruses, etc. when this is not the case.

As for this issue it is not resolved. Mozilla confirms it here that the script injection flaw is still a concern.

I'm not trying to say one browser is better than the other, in fact I use both as well as Opera. There is a security hole here and I posted the article to it as did many other sites. Like I said above if a critical IE flaw is made public tommorrow I'll post a link to it as well.

 

[Anti-Trend]

I don't know why you refuse to understand this, but the exploit has been mitigated. This is from the link that you posted:

...However, as described below, the potential for arbitrary code execution is no longer a threat for most users.

...The server-side change to Mozilla Update and the workarounds described in MFSA 2005-42 (if you still haven't read it, please do) are temporary measures. We understand that the Mozilla Foundation is currently testing builds that include a better fix for this problem, so we expect that a security update will be issued shortly.

You just keep on believing it'll work if you want, but as I've told you half a dozen times already, this exploit won't work anymore since Mozilla has effectively disabled their white lists. When they say that most users aren't at risk, they mean everyone who doesn't have a malicious site already added manually to their custom whitelist in Firefox. In that case it would work, but a user would have to add the malicious sites' URL to their whitelist first, which must be done by hand. Not very critical.

...As opposed to these unpatched beauties in IE6:

Long Share Name Buffer Overflow: http://secunia.com/advisories/11482/
ActiveX Plugin Buffer Overflow: http://secunia.com/advisories/9534/

Both of which are highly critical, neither of which are patched. MS is quick to patch you say? If that's the case, here's something to ponder:

MDK10 vs XP-Pro

...although I hardly expect you to read any of the links I've posted, since you obviously seem to have trouble even being bothered to read the links you post.

-AT

 

[zRoCkIsAdDiCtInG]

but still, it is the safest, and fastest and most reliable thing out there, so even if there was a flaw, i bet mozilla wud release a patch in no time,

and btw
they're all just jealous haha

 

[Anti-Trend]

but still, it is the safest, and fastest and most reliable thing out there, so even if there was a flaw, i bet mozilla wud release a patch in no time...

Actually, the Opera 8 browser has no known vulnerabilities, but that's not what we're discussing here.

 

[syngod]

If your talking temporary solutions the Active X hole in IE was fixed in SP2 with IE blocking all Active X requests. I'm not saying it shouldn't be fixed (as MS should work on releasing patches for all their flaws) but it's essentially the same thing as the Mozilla developers asking you to turn off JS.

Not sure if you read this part in my last link "
Therefore, if you have not added any additional sites to the whitelist, you are not at risk from the code execution exploit and have not been since yesterday. However, you will still be vulnerable to the less serious JavaScript injection flaw."

So yes, if your only getting addons from the default whitelist that vulnerability is gone, but if you've added any sites you could still be at risk and the JS injection flaw is still there. I've heard it's fixed in 1.0.4 which is now up as a download on Mozilla's front page so as long as everyone downloads this it's a moot point.

Anyways I'm done with this.

 

[Anti-Trend]

You're right, it's moot. Sorry I got so worked up, I don't mean to be such an ***hole. The reason stuff like that bothers me so much is because I've had to fight an attitude of "I know MS/Windows/IE/Outlook/Exchange/etc, therefore it's the best and everything else sucks" all the time. Believe it or not, I actually understand this position. The prevailing outlook in the IT/IS industry seems to be knowledge=clout, and ignorance of any kind is considered extreme weakness. I'm MS trained too, and I've only been introduced to the *nix family relatively recently. But there's a lot more to computing than just Microsoft...

-AT