The open-source Firefox Web browser is critically flawed in the way it handles JavaScript, two hackers said Saturday afternoon. An attacker could commandeer a computer running the browser simply by crafting a Web page that contains some malicious JavaScript code, Mischa Spiegelmock and Andrew Wbeelsoi said in a presentation at the ToorCon hacker conference here. The flaw affects Firefox on Windows, Apple Computer’s Mac OS X, and Linux, they said.
So does them discovering a flaw automatically make it zero-day… Doesn’t it actually have to be released & actively be exploited in order to be a zero-day exploit?
So does them discovering a flaw automatically make it zero-day… Doesn’t it actually have to be released & actively be exploited in order to be a zero-day exploit?
“Snyder said she isn’t happy with the disclosure and release of an apparent exploit during the presentation. “It looks like they had enough information in their slide for an attacker to reproduce it,” she said. “I think it is unfortunate because it puts users at risk, but that seems to be their goal.”
By definition a zero-day flaw is one that is actively being exploited with no patch.
Well, according to wikipedia you are right: http://en.wikipedia.org/wiki/Zero_day
But I always thought “Zero-Day” refers to some form of countdown to the day and minute when malware (which installed itself in the interim) takes advantage of the flaw and all computers running the software blow up.
Proclaim your browser is “secure by design”.
Attract some market share.
Attract some attention from hackers.
64 security patches in 2006 alone.
Bingo! Zero-day flaws discovered.
All software has flaws. These ‘hackers’ are just playing a game of spin. The IE flaws are often sold on the underground, massively exploited and almost always day zero.
That is the worst excuse for errors EVER! Yes MOST software has flaws, but that does not excuse the amount of errors found in browsers.
Even the totally clueless users use the browsers on the internet extensively. Maybe security should be a really big priority when programming browsers. I am still looking forward to the day when security critical applications are programmed in a language which does not allow buffer overflows etc.
Security should be a big priority for ANY piece of software, especially those that connect to the network in any way. I wholeheartedly agree that anachronisms such as buffer overflows should be stomped on at the core. Secure by design should be more than a catchy phrase.
But in the meantime, I believe that the Firefox developers are doing a good job. Sure, bugs creep up, nothing’s perfect. But they get patched as fast as possible, which is more than I can say about a certain other browser.
Anybody who claims that either open or closed source methodology is superior to the other is kidding himself. The fact of the matter is that software engineering, like everything around us, follows certain universal laws. For example, all software has defects. The cost of removing defects increases exponentially over time. If you think you can wait until your product has zero bugs prior to releasing it, you’ll never ship. Having more eyeballs available to look at code doesn’t mean (a) they’re looking at the right code and/or (b) they’re looking at all; if they were, all software would have fewer defects. The fact that you think your software is “secure by design” doesn’t make it so. You can have secure software, as long as you’re willing to permanently unplug all of your I/O devices. 😉
Well, everything shows that open source tends to be much better than closed source. But of course, nothing is completely safe.
It does not make your statement less valid though. However, to be completely secure, I recommend not having a computer at all (incl. cellulars and PDA’s). It will however make it harder to write, read, send and receive emails (and what not).
Well, everything shows that open source tends to be much better than closed source. But of course, nothing is completely safe.
What’s “everything”?
While most software has flaws, this is not exactly a universal law. It SHOULD be possible to create applications without flaws. However, as long as the industry thrives on more features rather than more security, this will hardly change.
Security Advisories from secunia.dk in 2006 only:
Internet Explorer 6.0x – Windows Only:
http://secunia.com/product/11/?task=advisories_2006
Mozilla Firefox 1.x – All Platforms:
http://secunia.com/product/4227/?task=advisories_2006
Total number of advisories:
Internet Explorer: 14
Mozilla Firefox: 10
Unpatched advisories:
Internet Explorer: 36% (5 out of 14) – the most severe is rated “extremely critical”.
Mozilla Firefox: 10% (1 out of 10) – the most severe is rated “less critical”.
Firefox 1.x has had no extremely critical advisories in 2006. Internet Explorer 6.0x has had several.
Conclusion: Firefox is a lot safer than Internet Explorer. Its 100% safe, but it’s much safer.
It’s just like sex (if you’ve ever had that.. I sincerely doubt it – but anyway): Sex with rubber is not 100% safe, but it’s much safer than sex without rubber.
But then again. How would you know?
If you care about security: use Open Source – the rubber of software.
The line: “Conclusion: Firefox is a lot safer than Internet Explorer. Its 100% safe, but it’s much safer.” should read “Conclusion: Firefox is a lot safer than Internet Explorer. It’s not 100% safe, but it’s much safer.”
“If you care about security: use Open Source – the rubber of software.”
Opera is closed source, and blows Firefox away in terms of security.
It does not “blow Firefox away” in terms of security. But they’re both secure browsers. So use Opera. Use whatever browser tickles your fancy.
Just don’t use a browser like IE, whose maker values his own development and backwards-compatibility agenda more than your privacy and the safety of your computer and your personal data.
“Security Advisories from secunia.dk in 2006 only:”
Maybe Secunia has a counting problem if they only think there are 10 Firefox vulnerabilities in 2006.
Mozilla thinks there are 64 patches for 100+ vulnerabilities (many of the patches are for multiple vulnerabilities) for Firefox in 2006 alone.
http://www.mozilla.org/projects/security/known-vulnerabilities.html
And over 30 are critical with Mozilla’s definition of critical: “Vulnerability can be used to run attacker code and install software, requiring no user interaction beyond normal browsing.”
And some of the bugs (the rest are secret) are over 300 days old before they are patched. Some are 6 months old.
It bothers me that an “open” project like Mozilla keeps most of the bugs secret for months after a patch is released.
Edited 2006-10-01 23:54
Keyword: advisories
Each advisory can, and in the case of firefox does, contain multiple vulnerabilities. Some of these advisories for firefox even contain up to 12 separate vulnerabilities.
So the 64 number is correct, or at least close.
Hmm… seems the anti-FLOSS gang is around
How so? What you posted was misleading and not in line with what the OP posted. You used the misleading advisories number when vulnerabilities is more important than advisories.
I was responding to the claim, and was perfectly in line. Number of vulnerabilities as well as number of patches are irrelevant, since there can be several vulnerabilities due to one flaw, and several patches to one vulnerability.
It would be more correct to say that there are only misleading numbers – but that is almost always the case with statistics.
The 64 vulnerabilities are no less misleading than the numbers of advisories.
What’s important are how critical they are.
Yes, how critical is most important. But # of advisories is VERY misleading.
I agree.
The campaign to ‘Spread Firefox’ also spread a lot of lies about it to gain market share.
* Firefox is not a ‘lite’ web browser
* Firefox, like all complex pieces of software with large amounts of legacy code, is not secure.
I use firefox because it’s the only usable Free web browser that doesn’t require KDE.
I wish there was something better.
“””The campaign to ‘Spread Firefox’ also spread a lot of lies about it to gain market share.”””
As a long time OSS advocate, the SpreadFirefox community was a bit of a wakeup call to me.
One of the main selling points used by advocates, when I was a member, was Firefox’s standards compatibility, unlike “that other browser maker” that didn’t care about standards.
I pointed out that the spreadfirefox.com site had hundreds of validation errors on the w3c validator.
The answer from the spreadfirefox website guys was that their time was limited. They had kids. And that their main goal was to Spread Firefox, not to be W3C compliant.
Ummm. OK.
Then, when they did the New York Times advertisement, they did it with Adobe tools. All of us who contributed money to make the ad possible got a private link to the finished product.
I got mine, and it wasn’t viewable in *any* OSS pdf viewer that I was able to find. I mentioned this on the SpreadFirefox site, and was told to “Get A Life” and to “Just Download Adobe Acrobat”.
(I should stress that this sentiment came from some members of the spreadfirefox community and *not* from the proprietors of the site.)
I truly didn’t know how to respond.
The official SFF guys said that it had something to do with their needing transparency and that you can’t make an omelette without breaking some eggs, or some such.
So I quietly disassociated myself, and haven’t been back.
As OSS becomes more popular, I suppose we have to get used to the fact that it’s not just “our” community anymore.
I guess this is probably more than a bit off-topic, here. And for that, I apologize.
Edited 2006-10-02 00:20
Excuse me, but was it ever “your” community (you and the grandparent poster)? Have you contributed code to Firefox? Have you helped build spreadfirefox.com? Helped write a PDF viewer that compares to Acrobat?
Or are you just a user? Because that’s not exactly part of the community. Members of the community give back something more than complaints and feature requests.
What exactly do you think OSS software is? A completely free and magical solution to your every software need?
No. It is software done by volunteers, mostly for free, and for fun. Take it or leave it. IF the developers want to go the extra mile and listen to people bitch than it’s their prerogative, NOT something to be taken for granted.
I guess this is probably more than a bit off-topic, here. And for that, I apologize.
I think your comment was very interesting. I was, though, very relieved that it did not in any way hit on the Firefox developer community – but rather the community of browser-facists that usually include a large number of Windows users. I think that what we can learn from your story is to keep away from one-sided propaganda and marketing… as always.
“The hackers claim they know of about 30 unpatched Firefox flaws. They don’t plan to disclose them, instead holding on to the bugs.
Jesse Ruderman, a Mozilla security staffer, attended the presentation and was called up on the stage with the two hackers. He attempted to persuade the presenters to responsibly disclose flaws via Mozilla’s bug bounty program instead of using them for malicious purposes such as creating networks of hijacked PCs, called botnets.
“I do hope you guys change your minds and decide to report the holes to us and take away $500 per vulnerability instead of using them for botnets,” Ruderman said.
The two hackers laughed off the comment. “It is a double-edged sword, but what we’re doing is really for the greater good of the Internet, we’re setting up communication networks for black hats,” Wbeelsoi said.”
Maybe Mozilla should take some of the 70+ million they’ve received from Google ads and up the bounty amount.
I’m impressed at Jesse’s restraint. In the face of such rampant arrogance and idiocy, I would probably have had a great deal of trouble refraining from simply beating the snot out of the smug little bastards as they so rightly deserve.
Spare the rod…
The two hackers laughed off the comment. “It is a double-edged sword, but what we’re doing is really for the greater good of the Internet, we’re setting up communication networks for black hats,” Wbeelsoi said.”
I’d really like to see the reaction of these idiots if their bank accounts were drained or their identities stolen, as a direct result of their activities. But, hey, it will probably happen. Karma has an odd way of correcting the ills of the universe.
Well if they are setting up “communication networks” for blackhats they will have to host the payload somewhere. It’s only a matter of time before others learn of this and then the cat will be out of the bag.
These browser hackers aren’t too wise, assuming that their private use of the vuln is better. The only way one can hope for an even playing field is by allowing everyone to participate.
Also, how do we know this wont turn into another John Elch vs. Apple scenario.
What ever happened to full disclosure?
I do hope you guys change your minds and decide to report the holes to us and take away $500 per vulnerability instead of using them for botnets,” Ruderman said.
The two hackers laughed off the comment.
$500? Ha. Microsoft would offer them 10x that much for getting the negative press out about Mozilla.
You just made that up. Aren’t conspiracy theories fun though! Not.
No Microsoft would take legal action and have them arrested.
“It is a double-edged sword, but what we’re doing is really for the greater good of the Internet, we’re setting up communication networks for black hats,” Wbeelsoi said.”
I have read that “The ends does not justify the means.” In this case, the hackers impose their ethics under a greater good facade. It’s clear that the greater good is their own. Shame on them.
[quote]
Maybe Mozilla should take some of the 70+ million they’ve received from Google ads and up the bounty amount.
[/quote]
Why should scum profit from from their deeds?
To keep you and everyone else who uses Mozilla Firefox safer and more secure on the web. There’s very little incentive to disclose the bugs. They could make more doing presentations of the bugs they’ve found.
By using that logic, you’d be in favour of paying car thieves to steal cars so that the car manufacturers build better locks.
No matter what way you twist it, they are scum, always will be, and rewarding them for doing what they are doing is not the correct course of action.
That’s a poor comparison. Nobody is paying anybody to steal anything. They should be paid for discovering something which makes a for-profit product via advertising, better. It’s their discovery and if they wish to sell it or keep it, that’s their choice. Morals are a different issue and something that is way beyond the scope of this forum.
Further to your point, I’d certainly pay car thieves to tell me how, if they figured out how to beat my car lock. It’d make my cars better.
As for describing them as “scum”… personal attacks such as that are typical in the absence of a more objective criticism.
Edited 2006-10-02 01:00
I see you regard people who try to exploit security holes for their own gain as upstanding citizens. Another comparison:
If a house door is unlocked, it does not legalise a robbery.
As for your comment that “scum” is a personal attack, sorry, please get it correct: for an attack to be personal, it has to be personal, and unless you are one of the members hacking Firefox then it cannot be “PERSONAL”.
It is a comment on the deeds of a minority who for their own immature ends cause damage, and sorry that you don’t like it, but they are SCUM.
“””I see you regard people who try to exploit security holes for their own gain as upstanding citizens. Another comparison:
If a house door is unlocked, it does not legalise a robbery.”””
Well… what if the maker of the lock knew it had lots of little problems, but gave it to you, free of charge and for their own reasons, claiming it was secure… and figured they could just fix the problems later if word got out that the lock had a lot of little problems?
And how does that make heroes of the people who then decide to take the invitation to enter through said door? Answer: it doesn’t; they are still as bad as if they had smashed the door in.
Whether their actions help security or not, no praise should be heaped on these people.
Why are you focusing on the two guys?
Who is doing more damage? The two guys, or the maker of the lock, who knows it has lots of little problems, but is distributing it, for his own reasons, to millions of people, figuring that he can just fix the problems as they are made public?
I don’t care about the two guys. No one should.
If the “little problems” hadn’t been there in the first place, the troublesome punks wouldn’t have been able to exploit them to boost their own notoriety.
You are shooting the messenger. That cliché usually implies that the messenger has no blame. But it doesn’t always.
It’s just that the messenger’s blame is pretty much irrelevant in the overall scope of things.
Edited 2006-10-02 02:12
And them withholding that information and telling house thieves that this brand of lock is easy to open is akin to aiding and abetting criminals. Hand over the information so the Mozilla team can fix it. Don’t act like a bunch of snotty teenagers and be adult about it. They are lucky or smart enough not to disclose this type of loophole to Microsoft. They’d be in jail right now and be waiting for an interrogation with a couple of tough looking and sounding FBI agents.
===
[quote]
Maybe Mozilla should take some of the 70+ million they’ve received from Google ads and up the bounty amount.
[/quote]
Why should scum profit from their deeds?
===
Now, now. Mozilla Corporation made that deal with Google in a perfectly legal fashion.
I can hardly see how one could call them “scum” for doing it.
Edited 2006-10-02 01:19
Now, now. Mozilla Corporation made that deal with Google in a perfectly legal fashion.
I can hardly see how one could call them “scum” for doing it.
That was a good one!
Why should scum profit from their deeds?
Mozilla says: “The Mozilla Security Bug Bounty Program is designed to encourage security research in Mozilla software and to reward those who help us create the safest Internet clients in existence. Reporters of valid critical security bugs will receive a $500 (US) cash reward and a Mozilla T-shirt.
Many thanks to Linspire and Mark Shuttleworth for providing start-up funding for this endeavor.”
http://www.mozilla.org/security/bug-bounty.html
Communication network for black hats? Through vulnerable browsers? Some people really need to learn to get a life outside of computers…
Communication network for black hats? Through vulnerable browsers? Some people really need to learn to get a life outside of computers…
Agreed. You’d think with all that the world has to offer, these people would shove away from their desks and actually go do something positive. Volunteer time in a soup kitchen, teach somebody to read, coach a Little League team, or become a Big Brother/Sister, if you want to help the world. Maybe even get laid every once in a while. Sheez.
Come now, I think it’s patently obvious $WORLD is not a global variable to these people.
From what I’ve seen, Firefox takes a very *reactive* approach to security. They carelessly allow a lot of security problems into the code base, come out with patches quickly *after* the problem has been reported, and sit back and accept the praise for being so on top of things.
I started losing faith in Firefox’s interest in taking a proactive approach to security when the mangler.cgi script came out and demonstrated how easily FF, which was already being widely acclaimed as “secure”, could be crashed with random HTML input compared to the much more resilient IE. (!) That was a lack of basic input validation, for goodness sake!
Not all *hats are nice enough to play the FF developers’ game and report problems to them first. Sometimes they’re going to take it public, or just use it for their own purposes without reporting it at all.
The Firefox devs need to accept that and take steps to prevent sloppy coding practices in the first place.
(Remember that when OpenBSD does code audits, they are *not* looking for security holes; They are looking for sloppy coding practices. Sloppy coding is what *breeds* security holes.)
A few public embarrassments and we might start seeing a better, more secure Firefox in the future.
And that would benefit us all.
Edited 2006-10-01 20:12
From what I’ve seen, Firefox takes a very *reactive* approach to security. They carelessly allow a lot of security problems into the code base, come out with patches quickly *after* the problem has been reported, and sit back and accept the praise for being so on top of things.
This is one of the more laughable aspects of open source development. I could really care less how fast people can patch their code. I’d be more impressed if they had fewer vulnerabilities in the first place.
I fail to see your point. There are open source based companies/communities who have a *reactive* approach to security and there are some who don’t.
Also, there are closed source based companies/communities who have a *reactive* approach to security and there are some who don’t.
Your point is?
Edited 2006-10-01 20:28
“””I fail to see your point. There are open source based companies/communities who have a *reactive* approach to security and there are some who don’t.”””
I believe his point is that some in our community like to proclaim that OSS is hands-down better at proactive security, when the reality is more in line with what you are describing.
To put it another way, approximately the same number of ostriches have their heads in the sand on this side of the fence as do on that side of the fence.
But only the ostriches with their heads in the open air can see that.
Actually open source does have fewer vulnerabilities in the first place.
Go check secunia.dk and compare closed source products with open source products, and not only numbers but also the time it takes to close them, and the number of unpatched holes and the severity of these holes.
“””Go check secunia.dk and compare closed source products with open source products, and not only numbers but also the time it takes to close them, and the number of unpatched holes and the severity of these holes.”””
I have. Well, I have looked over secunia.com.
And Opera has far fewer vulnerabilities reported, and patches the few they have in a time slightly greater than, but comparable to, FF.
If you multiply “vulnerabilities” by “days unpatched” to get the unit “vulnerability days”, Opera kills FF outright.
I’m an OSS fan. And I dislike Opera. But spades is spades, ya know?
Edited 2006-10-01 22:52
It all depends… there are so few users of Opera, that they are no target. And being closed source means virtually nothing pops up.
I doubt Opera is any safer – it’s just not a target. Like any truly alternative choice (read: obscure).
It all depends… there are so few users of Opera, that they are no target. And being closed source means virtually nothing pops up.
Argument doesn’t hold water. Early versions of IIS had far fewer users than Apache, but IIS was riddled with bugs.
I thought this was precisely one of the supposed benefits of open source? Fixing something after the fact makes it no better than closed source reactive patching. Talk about speed? It shouldn’t have been there in the first place with the code being so open and available as beta beforehand.
http://scan.coverity.com/ CTRL F Firefox
The developers have quite a few known issues they are working on. Some of those are whitenoise and not exploitable, but that doesn’t mean they aren’t bad. If you look at the Firefox development team, sadly, it is very small. Mozilla should hire some more developers to address these concerns.
Actually most Firefox security issues are known long before a patch is issued. They make the flaws public one day before the patch to give the impression that they are fast patching… The reality is that these errors have been known in black hat forums for months. Mozilla does nothing.
Bugzilla entries have date stamps, its very easy to see when the bug was reported and when it was fixed. That’s a pretty transparent process.
Are you saying they file new bugs for old security issues, just to get the fix date close to the report date? What happens to the original bugzilla entry?
>> Are you saying they file new bugs for old
>> security issues, just to get the fix date close
>> to the report date? What happens to the original
>> bugzilla entry?
It goes ‘unconfirmed’… Like the ‘memory leak’ that was revealed to be a ‘feature’ and has multiple bug entries dating back all the way to FF 0.89
That it seems even 2.0 RC1 STILL HAS.
Of course, if it’s a feature, why do other browsers lack it?
Well, be it open or closed source, there aren’t that many people who really understand security problems.
But there is some very special aspect in Firefox development – security bugs at bugzilla are private/secret/non-public.
So, curious programmers can see code changes, but cannot see explanation and discussions; even the bug name and summary are unavailable.
Maybe it is reasonable to prevent hax0rz from creating exploits for discovered vulnerabilities, but it also may prevent those “non-VIP” programmers from learning about security more. And thus it may prevent the wider coder community from learning just that better coding practice.
Ah, the romance of black hattery! I guess these two fellows should be careful in their chosen career lest they find themselves in a federal penitentiary having zero-day exploits performed on their butts by some decidedly non-geeky types.
In the meantime, stripping out the incidentals, one or more flaws have been discovered in Firefox. This is hardly the end of the world. The Mozilla team have a good record of fixing exploits in a timely manner and there’s no reason to think that won’t happen here.
Worried about Javascript and Firefox? Then use the excellent NoScript extension.
Other than the arrogant manner in which these black hats chose to present the exploits, what exactly were they trying to achieve? The problem they chose to highlight seems to be more of a problem with JavaScript itself. While some browsers may implement JavaScript better than others, they’re still just implementations of a poorly designed scripting language. I suspect they could’ve chosen from thousands of JavaScript exploits for any number of web browsers. So, why just Firefox? Does it really have to come down to a clash of cultures?
Sadly every day the comments on OSNews get worse. Everyone pointing out stupid things like “they release the bug report only after fixing the security bug just to make them look good”. Seriously, do you think before posting? Let’s just see some of them:
* “they release the bug report only after fixing the security bug just to make them look good”: What do you want? Release the bug report to everyone on the internet? It would be easier to distribute Back Orifice with each Firefox download then.
* “Some tool found 1 million bugs on Firefox, and they don’t do anything about it”: As rightly pointed out, most of them are false positives, and the Firefox dev team is working on the others.
* “They have a reactive approach to security”: Yep, this is the area where they could do better, but then, making a web browser is very very hard. What we should do is try to use what IE 7 will be doing: run the browser as a less privileged user, maybe in some kind of chroot.
* “they fixed 60 bugs in 2006 alone”: Yep, how many lines of code does Firefox have, 1 or 2 million? So 60 security bugs aren’t that much, and they released the patches fast.
And just be reasonable, they are doing better than the biggest software company in the world when it comes to security, so give them a break.
What do you want? Release the bug report to everyone on the internet?
Mozilla’s practical policy is to have a semi-public Bugzilla database to make you think Firefox is “open”. But it seems that only certain people get to see the bug database of bugs that result in patches. I wonder how many “Black Hat” hackers have Mozilla Bugzilla accounts?
it would be easier to distribute Back Orifice with each Firefox download then.
As of this article, that isn’t necessary it seems.
Edited 2006-10-02 02:43
Mozilla’s practical policy is to have a semi-public Bugzilla database to make you think Firefox is “open”. But it seems that only certain people get to see the bug database of bugs that result in patches. I wonder how many “Black Hat” hackers have Mozilla Bugzilla accounts?
I have a Mozilla Bugzilla account, and I don’t get to see the security bugs of Firefox. You have to be part of a security team that is associated with Mozilla (Debian, SUSE, Ubuntu and other sec. teams probably can see those bugs).
You also can’t see security bugs on GNOME or Ubuntu, and probably not in Debian nor SUSE nor Red Hat. So why complain about it? Want to see them? Join a security team; best of all, join the Firefox security team, or go home.
“I have a Mozilla Bugzilla account, and I don’t get to see the security bugs of Firefox.”
Not anymore. But they were open at the beginning … until the patch count rose too high. Then they started plastering “embargoed” on everything.
Edited 2006-10-02 06:31
Democracy is based on the presumption that citizens will act as a check on the government machinery.
Open source is somewhat similar, and to be successful, requires users and other developers to devote some part of their time in helping it improve,
Firefox would go a long way if a few hundred capable people took some time to look at the source and check for exploits when the software is in RC stage than bitch about security issues after a stable release.
Just give me a link to click on (JavaScript always disabled).
Basically I’d get ready to file legal action against those two if anyone claims that their private information was stolen and identity fraud committed due to this exploit and it turns out someone used the same techniques. These two are not being responsible but being smug so they can gloat and show off their e-peens. The responsible course of action any adult would follow would be to report this and give the information to the Firefox team so they could patch their software. If this was Microsoft these two would be in jail by now.
Edited 2006-10-02 06:13
An attacker could commandeer a computer running the browser simply by crafting a Web page that contains some malicious JavaScript code, Mischa Spiegelmock and Andrew Wbeelsoi said in a presentation at the ToorCon hacker conference here.
Here lies a problem. This kind of exploit attempt will be useless against Firefox with extensions like NoScript and Adblock. As for controlling a computer running a system like OS X or most Linux distros, the damage will be limited to the user account stupid enough to enable all executable files. Extra layers of security such as AppArmor and SELinux prevent these exploits from propagating.
It speaks for itself that most people who reply here have done very little or no coding at all.
If you once worked on a complex program, finding and fixing bugs, you will look very different at this situation.
If you only have a couple of hands who really know the code to make a secure fix, and the bug reports keep streaming in, then it’s more than normal that some bugs take more time to fix.
It’s not always as easy as “Hey this thing doesn’t work correctly, lets take five minutes and fix it”.
That’s a very naive interpretation of reality.
Finding the bug is already a huge task, even if it is reported in detail.
Fixing it is even more difficult in some cases as it might break other things which need to be tested too.
So you see, it takes a while to fix bugs.
Those who claim that Firefox “sells/releases software where they explicitly know about grave bugs” are naive too. Try it: check out a complex program like Firefox or OpenOffice and subscribe to the commit lists. Review each patch and find the bugs in them. Do it. Then tell if you knew it was that hard.
Even the best programmers make mistakes.
The best thing about open source is that YOU can help find the bugs. So, instead of being an ass on forums like this, actually HELP out with fixing things. If you don’t know how to do that, then you have, in my opinion, no right to speak bad about people who actually do help out but don’t have time enough to fix most of the problems in time.
for taking pot-shots at Mozilla and Firefox, as buggy to the point of unusable and flawed in not just code, but philosophy…
But this is the THIRD TIME in the past five weeks I’ve seem what could be considered as little more than PR grandstanding instead of something supported by fact.
Yes, the JavaScript engine in Firefox IS a trainwreck, its abysmal performance at the simplest of tasks (some of which point the finger more at the rendering engine than the page itself) and horrible timer inaccuracies being self evident to anyone who’s actually tried to write anything JavaScript intensive… BUT:
The moment I see “The hackers claim they know of about 30 unpatched Firefox flaws. They don’t plan to disclose them” that’s a warning sign akin to McCarthyism… I hold in my hand the names of thirty confirmed members of the communist party…
That they come up with the notion of ‘impossible to patch’ is the icing on the cake, as flat out there is NO SUCH THING… It’s called effort and work…
Besides, Spiegelmock and Wbeelsoi – Do I need to say it?!? What’s next, security reports from Searsparody and Mxyzptlk?
Thanks for putting it in perspective, those rather excellent metaphors made my morning.
Does anyone know if this affects Firefox in Zeta 1.2?
Edited 2006-10-02 14:04
It appears the argument in favor of open-source development with all those eyes on the code to make it safer and such is just a bunch of cr*p. A zero-day exploit is as bad as it gets folks.
Of course they laughed at the $500 bounty. Microsoft is paying them infinitely more to come up with and publicly expose these “security holes”.
Microsoft is paying them
Do you have any evidence for that assertion or are you just spreading FUD in a poor attempt at damage control?
For some unknown reason I believed the garble about Firefox and started using it; now I have seen the fire from the fart and have sacked it and reinstalled Opera.
up the irons!
So the guys who made the claim are now recanting their story about Mozilla’s zero-day vulnerabilities. Check this link on an official Mozilla developer’s site:
http://developer.mozilla.org/devnews/index.php/2006/10/02/update-po…
I do not have 30 undisclosed Firefox vulnerabilities, nor did I ever make this claim. I have no undisclosed Firefox vulnerabilities. The person who was speaking with me made this claim, and I honestly have no idea if he has them or not.
Looks like the troublemaker wants to give some hackers and the browser a bad reputation. When the claim talked about “taking control of Mac OS X and Linux distributions”, this statement looked suspicious.
Edited 2006-10-03 05:41
Check this link on an official Mozilla developer’s site:
http://developer.mozilla.org/devnews/index.php/2006/10/02/update-po…
I wonder why this link isn’t posted by OSNews?
Well, not to be too overly paranoid… but isn’t this exactly the statement Mozilla Corp would want him to make publicly if he decided to accept the $500 per vulnerability report, after all?
Sorry to bring it up, but… well… isn’t it???
Wait.
Shouldn’t they have just patched the code, like good open-sourcites?
Unbelievable. OSNews, please correct your news or publish a new one. Many thanks beforehand.
See also:
http://www.heise-security.co.uk/news/78970