Linked by Thom Holwerda on Sun 1st Oct 2006 19:45 UTC, submitted by rx182
Mozilla & Gecko clones The open-source Firefox Web browser is critically flawed in the way it handles JavaScript, two hackers said Saturday afternoon. An attacker could commandeer a computer running the browser simply by crafting a Web page that contains some malicious JavaScript code, Mischa Spiegelmock and Andrew Wbeelsoi said in a presentation at the ToorCon hacker conference here. The flaw affects Firefox on Windows, Apple Computer's Mac OS X, and Linux, they said.
Definition of Zero-Day?
by fignew (2.16) on Sun 1st Oct 2006 19:54 UTC
fignew
Member since:
2006-09-06
Fans: 1

So does their discovering a flaw automatically make it zero-day... Doesn't it actually have to be released & actively be exploited in order to be a zero-day exploit?

RE: Definition of Zero-Day?
by NotParker (-2) on Sun 1st Oct 2006 20:03 UTC in reply to "Definition of Zero-Day?"
NotParker Member since:
2006-06-01
Fans: 4

So does their discovering a flaw automatically make it zero-day... Doesn't it actually have to be released & actively be exploited in order to be a zero-day exploit?

"Snyder said she isn't happy with the disclosure and release of an apparent exploit during the presentation. "It looks like they had enough information in their slide for an attacker to reproduce it," she said. "I think it is unfortunate because it puts users at risk, but that seems to be their goal.""

RE[2]: Definition of Zero-Day?
by linuxh8r (-1.12) on Mon 2nd Oct 2006 14:13 UTC in reply to "Definition of Zero-Day?"
linuxh8r Member since:
2006-01-09
Fans: 3

By definition a zero-day flaw is one that is actively being exploited with no patch.

RE[3]: Definition of Zero-Day?
by KenJackson (3.48) on Mon 2nd Oct 2006 18:30 UTC in reply to "RE[2]: Definition of Zero-Day?"
KenJackson Member since:
2005-07-18
Fans: 5

Well, according to wikipedia you are right: http://en.wikipedia.org/wiki/Zero_day

But I always thought "Zero-Day" refers to some form of countdown to the day and minute when malware (which installed itself in the interim) takes advantage of the flaw and all computers running the software blow up.

Inevitable
by NotParker (-2) on Sun 1st Oct 2006 19:55 UTC
NotParker
Member since:
2006-06-01
Fans: 4

Proclaim your browser is "secure by design".

Attract some market share.

Attract some attention from hackers.

64 security patches in 2006 alone.

Bingo! Zero-day flaws discovered.

RE: Inevitable
by Kroc (3.08) on Sun 1st Oct 2006 20:03 UTC in reply to "Inevitable"
Kroc Member since:
2005-11-10
Fans: 14

All software has flaws. These 'hackers' are just playing a game of spin. The IE flaws are often sold on the underground, massively exploited and almost always day zero.

RE[2]: Inevitable
by haugland (1.48) on Mon 2nd Oct 2006 07:03 UTC in reply to "RE: Inevitable"
haugland Member since:
2005-07-07
Fans: 0

That is the worst excuse for errors EVER! Yes MOST software has flaws, but that does not excuse the amount of errors found in browsers.

Even the totally clueless users use the browsers on the internet extensively. Maybe security should be a really big priority when programming browsers. I am still looking forward to the day when security critical applications are programmed in a language which does not allow buffer overflows etc.

RE[3]: Inevitable
by wirespot (3.28) on Mon 2nd Oct 2006 14:41 UTC in reply to "RE[2]: Inevitable"
wirespot Member since:
2006-06-21
Fans: 2

Security should be a big priority for ANY piece of software, especially those that connect to the network in any way. I wholeheartedly agree that anachronisms such as buffer overflows should be stomped on at the core. Secure by design should be more than a catchy phrase.

But in the meantime, I believe that the Firefox developers are doing a good job. Sure, bugs creep up, nothing's perfect. But they get patched as fast as possible, which is more than I can say about a certain other browser.

RE: Inevitable
by tomcat (2.16) on Sun 1st Oct 2006 20:13 UTC in reply to "Inevitable"
tomcat Member since:
2006-01-06
Fans: 7

Anybody who claims that either open or closed source methodology is superior to the other is kidding himself. The fact of the matter is that software engineering, like everything around us, follows certain universal laws. For example, all software has defects. The cost of removing defects increases exponentially over time. If you think you can wait until your product has zero bugs prior to releasing it, you'll never ship. Having more eyeballs available to look at code doesn't mean (a) they're looking at the right code and/or (b) they're looking at all; if they were, all software would have fewer defects. The fact that you think your software is "secure by design" doesn't make it so. You can have secure software, as long as you're willing to permanently unplug all of your I/O devices. ;-)

RE[2]: Inevitable
by dylansmrjones (2.6) on Sun 1st Oct 2006 22:23 UTC in reply to "RE: Inevitable"
dylansmrjones Member since:
2005-10-02
Fans: 21

Well, everything shows that open source tends to be much better than closed source. But of course, nothing is completely safe.

It does not make your statement less valid though. However, to be completely secure, I recommend not having a computer at all (incl. cellulars and PDA's). It will however make it harder to write, read, send and receive emails (and what not).

RE[3]: Inevitable
by tomcat (2.16) on Mon 2nd Oct 2006 21:18 UTC in reply to "RE[2]: Inevitable"
tomcat Member since:
2006-01-06
Fans: 7

Well, everything shows that open source tends to be much better than closed source. But of course, nothing is completely safe.

What's "everything"?

RE[2]: Inevitable
by haugland (1.48) on Mon 2nd Oct 2006 07:06 UTC in reply to "RE: Inevitable"
haugland Member since:
2005-07-07
Fans: 0

While most software has flaws, this is not exactly a universal law. It SHOULD be possible to create applications without flaws. However, as long as the industry thrives on more features rather than more security, this will hardly change.

RE: Inevitable
by dylansmrjones (2.6) on Sun 1st Oct 2006 22:20 UTC in reply to "Inevitable"
dylansmrjones Member since:
2005-10-02
Fans: 21

Security Advisories from secunia.dk in 2006 only:

Internet Explorer 6.0x - Windows Only:
http://secunia.com/product/11/?task=advisories_2006

Mozilla Firefox 1.x - All Platforms:
http://secunia.com/product/4227/?task=advisories_2006

Total number of advisories:
Internet Explorer: 14
Mozilla Firefox: 10

Unpatched advisories:
Internet Explorer: 36%(5 out of 14) - the most severe is rated "extremely critical".
Mozilla Firefox: 10% (1 out of 10) - the most severe is rated "less critical".

Firefox 1.x has had no extremely critical advisories in 2006. Internet Explorer 6.0x has had several.

Conclusion: Firefox is a lot safer than Internet Explorer. Its 100% safe, but it's much safer.

It's just like sex (if you've ever had that.. I sincerely doubt it - but anyway): Sex with rubber is not 100% safe, but it's much safer than sex without rubber.

But then again. How would you know?

If you care about security: use Open Source - the rubber of software.

RE[2]: Inevitable
by dylansmrjones (2.6) on Sun 1st Oct 2006 22:29 UTC in reply to "RE: Inevitable"
dylansmrjones Member since:
2005-10-02
Fans: 21

The line: "Conclusion: Firefox is a lot safer than Internet Explorer. Its 100% safe, but it's much safer." should read "Conclusion: Firefox is a lot safer than Internet Explorer. It's not 100% safe, but it's much safer."

RE[2]: Inevitable
by MollyC (3.36) on Sun 1st Oct 2006 23:42 UTC in reply to "RE: Inevitable"
MollyC Member since:
2006-07-04
Fans: 36

"If you care about security: use Open Source - the rubber of software."

Opera is closed source, and blows Firefox away in terms of security.

RE[3]: Inevitable
by wirespot (3.28) on Mon 2nd Oct 2006 14:48 UTC in reply to "RE[2]: Inevitable"
RE[2]: Inevitable
by NotParker (-2) on Sun 1st Oct 2006 23:51 UTC in reply to "RE: Inevitable"
NotParker Member since:
2006-06-01
Fans: 4

"Security Advisories from secunia.dk in 2006 only:"

Maybe Secunia has a counting problem if they only think there are 10 Firefox vulnerabilities in 2006.

Mozilla thinks there are 64 patches for 100+ vulnerabilities (many of the patches are for multiple vulnerabilities) for Firefox in 2006 alone.

http://www.mozilla.org/projects/security/known-vulnerabilities.html

And over 30 are critical by Mozilla's definition of critical: "Vulnerability can be used to run attacker code and install software, requiring no user interaction beyond normal browsing."
And some of the bugs (the rest are secret) are over 300 days old before they are patched. Some are 6 months old.

It bothers me that an "open" project like Mozilla keeps most of the bugs secret for months after a patch is released.

Edited 2006-10-01 23:54

RE[2]: Inevitable
by sappyvcv (2.36) on Mon 2nd Oct 2006 00:50 UTC in reply to "RE: Inevitable"
sappyvcv Member since:
2005-07-06
Fans: 11

Keyword: advisories

Each advisory can, and in the case of firefox does, contain multiple vulnerabilities. Some of these advisories for firefox even contain up to 12 separate vulnerabilities.

So the 64 number is correct, or at least close.

RE[2]: Inevitable
by dylansmrjones (2.6) on Mon 2nd Oct 2006 06:09 UTC in reply to "RE: Inevitable"
dylansmrjones Member since:
2005-10-02
Fans: 21

Hmm... seems the anti-FLOSS gang is around ;)

RE[3]: Inevitable
by sappyvcv (2.36) on Mon 2nd Oct 2006 15:40 UTC in reply to "RE[2]: Inevitable"
sappyvcv Member since:
2005-07-06
Fans: 11

How so? What you posted was misleading and not in line with what the OP posted. You used the misleading advisories number when vulnerabilities is more important than advisories.

RE[4]: Inevitable
by dylansmrjones (2.6) on Tue 3rd Oct 2006 14:25 UTC in reply to "RE[3]: Inevitable"
dylansmrjones Member since:
2005-10-02
Fans: 21

I was responding to the claim, and was perfectly in line. Number of vulnerabilities as well as number of patches are irrelevant, since there can be several vulnerabilities due to one flaw, and several patches to one vulnerability.

It would be more correct to say that there are only misleading numbers - but that is almost always the case with statistics.

The 64 vulnerabilities are no less misleading than the numbers of advisories.

What's important are how critical they are.

RE: Inevitable
by jessta (3.76) on Sun 1st Oct 2006 23:57 UTC in reply to "Inevitable"
jessta Member since:
2005-08-17
Fans: 3

I agree.
The campaign to 'Spread Firefox' also spread a lot of lies about it to gain market share.

* Firefox is not a 'lite' web browser
* Firefox, like all complex pieces of software with large amounts of legacy code, is not secure.

I use firefox because it's the only usable Free web browser that doesn't require KDE.
I wish there was something better.

RE[2]: Inevitable
by sbergman27 (3.48) on Mon 2nd Oct 2006 00:17 UTC in reply to "RE: Inevitable"
sbergman27 Member since:
2005-07-24
Fans: 35

"""The campaign to 'Spread Firefox' also spread a lot of lies about it to gain market share."""

As a long time OSS advocate, the SpreadFirefox community was a bit of a wakeup call to me.

One of the main selling points used by advocates, when I was a member, was Firefox's standards compatibility, unlike "that other browser maker" that didn't care about standards.

I pointed out that the spreadfirefox.com site had hundreds of validation errors on the w3c validator.

The answer from the spreadfirefox website guys was that their time was limited. They had kids. And that their main goal was to Spread Firefox, not to be W3C compliant.

Ummm. OK.

Then, when they did the New York Times advertisement, they did it with Adobe tools. All of us who contributed money to make the ad possible got a private link to the finished product.

I got mine, and it wasn't viewable in *any* OSS pdf viewer that I was able to find. I mentioned this on the SpreadFirefox site, and was told to "Get A Life" and to "Just Download Adobe Acrobat".

(I should stress that this sentiment came from some members of the spreadfirefox community and *not* from the proprietors of the site.)

I truly didn't know how to respond.

The official SFF guys said that it had something to do with their needing transparency and that you can't make an omelette without breaking some eggs, or some such.

So I quietly disassociated myself, and haven't been back.

As OSS becomes more popular, I suppose we have to get used to the fact that it's not just "our" community anymore.

I guess this is probably more than a bit off-topic, here. And for that, I apologize.

Edited 2006-10-02 00:20

RE[3]: Inevitable
by wirespot (3.28) on Mon 2nd Oct 2006 14:57 UTC in reply to "RE[2]: Inevitable"
RE[3]: Inevitable
by Ben Jao Ming (4.36) on Mon 2nd Oct 2006 15:07 UTC in reply to "RE[2]: Inevitable"
Ben Jao Ming Member since:
2005-07-26
Fans: 0

I guess this is probably more than a bit off-topic, here. And for that, I apologize.

I think your comment was very interesting. I was, though, very relieved that it did not in any way hit on the Firefox developer community - but rather the community of browser-fascists that usually includes a large number of Windows users. I think that what we can learn from your story is to keep away from one-sided propaganda and marketing... as always.

Oh oh!
by NotParker (-2) on Sun 1st Oct 2006 20:02 UTC
NotParker
Member since:
2006-06-01
Fans: 4

"The hackers claim they know of about 30 unpatched Firefox flaws. They don't plan to disclose them, instead holding on to the bugs.

Jesse Ruderman, a Mozilla security staffer, attended the presentation and was called up on the stage with the two hackers. He attempted to persuade the presenters to responsibly disclose flaws via Mozilla's bug bounty program instead of using them for malicious purposes such as creating networks of hijacked PCs, called botnets.

"I do hope you guys change your minds and decide to report the holes to us and take away $500 per vulnerability instead of using them for botnets," Ruderman said.

The two hackers laughed off the comment. "It is a double-edged sword, but what we're doing is really for the greater good of the Internet, we're setting up communication networks for black hats," Wbeelsoi said."

Maybe Mozilla should take some of the 70+ million they've received from Google ads and up the bounty amount.

RE: Oh oh!
by tomcat (2.16) on Sun 1st Oct 2006 20:23 UTC in reply to "Oh oh!"
tomcat Member since:
2006-01-06
Fans: 7

The two hackers laughed off the comment. "It is a double-edged sword, but what we're doing is really for the greater good of the Internet, we're setting up communication networks for black hats," Wbeelsoi said."

I'd really like to see the reaction of these idiots if their bank accounts were drained or their identities stolen, as a direct result of their activities. But, hey, it will probably happen. Karma has an odd way of correcting the ills of the universe.

RE: Oh oh!
by Bnonn (2.56) on Sun 1st Oct 2006 15:24 UTC in reply to "Oh oh!"
Bnonn Member since:
2005-09-02
Fans: 1

I'm impressed at Jesse's restraint. In the face of such rampant arrogance and idiocy, I would probably have had a great deal of trouble refraining from simply beating the snot out of the smug little bastards as they so rightly deserve.

Spare the rod...

RE: Oh oh!
by postmodern (2.72) on Sun 1st Oct 2006 21:28 UTC in reply to "Oh oh!"
postmodern Member since:
2006-01-27
Fans: 0

Well if they are setting up "communication networks" for blackhats they will have to host the payload somewhere. It's only a matter of time before others learn of this and then the cat will be out of the bag.

These browser hackers aren't too wise, assuming that their private use of the vuln is better. The only way one can hope for an even playing field is by allowing everyone to participate.

Also, how do we know this wont turn into another John Elch vs. Apple scenario.

What ever happened to full disclosure?

RE: Oh oh!
by blixel (3.8) on Sun 1st Oct 2006 22:21 UTC in reply to "Oh oh!"
blixel Member since:
2005-07-06
Fans: 0

I do hope you guys change your minds and decide to report the holes to us and take away $500 per vulnerability instead of using them for botnets," Ruderman said.

The two hackers laughed off the comment.


$500? Ha. Microsoft would offer them 10x that much for getting the negative press out about Mozilla.

RE[2]: Oh oh!
by RGCook (4.44) on Mon 2nd Oct 2006 00:11 UTC in reply to "RE: Oh oh!"
RGCook Member since:
2005-07-12
Fans: 0

You just made that up. Aren't conspiracy theories fun though! Not.

RE[2]: Oh oh!
by Drift3r (0.42) on Mon 2nd Oct 2006 06:05 UTC in reply to "RE: Oh oh!"
Drift3r Member since:
2006-03-26
Fans: 0

No Microsoft would take legal action and have them arrested.

RE: Oh oh!
by RGCook (4.44) on Mon 2nd Oct 2006 00:10 UTC in reply to "Oh oh!"
RGCook Member since:
2005-07-12
Fans: 0

"It is a double-edged sword, but what we're doing is really for the greater good of the Internet, we're setting up communication networks for black hats," Wbeelsoi said."

I have read that "The end does not justify the means." In this case, the hackers impose their ethics under a greater-good facade. It's clear that the greater good is their own. Shame on them.

RE: Oh oh!
by spook (1.76) on Mon 2nd Oct 2006 00:21 UTC in reply to "Oh oh!"
spook Member since:
2006-01-09
Fans: 0

[quote]
Maybe Mozilla should take some of the 70+ million they've received from Google ads and up the bounty amount.
[/quote]


Why should scum profit from their deeds?

RE[2]: Oh oh!
by flanque (4.12) on Mon 2nd Oct 2006 00:42 UTC in reply to "RE: Oh oh!"
flanque Member since:
2005-12-15
Fans: 3

To keep you and everyone else who uses Mozilla Firefox safer and more secure on the web. There's very little incentive to disclose the bugs. They could make more doing presentations of the bugs they've found.

RE[3]: Oh oh!
by spook (1.76) on Mon 2nd Oct 2006 00:48 UTC in reply to "RE[2]: Oh oh!"
spook Member since:
2006-01-09
Fans: 0

By using that logic, you'd be in favour of paying car thieves to steal cars so that the car manufacturers build better locks.

No matter which way you twist it, they are scum, always will be, and rewarding them for doing what they are doing is not the correct course of action.

RE[4]: Oh oh!
by flanque (4.12) on Mon 2nd Oct 2006 00:55 UTC in reply to "RE[3]: Oh oh!"
flanque Member since:
2005-12-15
Fans: 3

That's a poor comparison. Nobody is paying anybody to steal anything. They should be paid for discovering something which makes a product that is for-profit (via advertising) better. It's their discovery and if they wish to sell it or keep it, that's their choice. Morals are a different issue and something that is way beyond the scope of this forum.

Further to your point, I'd certainly pay car thieves to tell me how, if they figured out how to beat my car lock. It'd make my cars better.

As for describing them as "scum"... personal attacks such as that are typical in the absence of a more objective criticism.

Edited 2006-10-02 01:00

RE[2]: Oh oh!
by sbergman27 (3.48) on Mon 2nd Oct 2006 01:17 UTC in reply to "RE: Oh oh!"
sbergman27 Member since:
2005-07-24
Fans: 35

===
[quote]
Maybe Mozilla should take some of the 70+ million they've received from Google ads and up the bounty amount.
[/quote]


Why should scum profit from their deeds?
===


Now, now. Mozilla Corporation made that deal with Google in a perfectly legal fashion.

I can hardly see how one could call them "scum" for doing it.

Edited 2006-10-02 01:19

RE[3]: Oh oh!
by NotParker (-2) on Mon 2nd Oct 2006 02:38 UTC in reply to "RE[2]: Oh oh!"
NotParker Member since:
2006-06-01
Fans: 4

Now, now. Mozilla Corporation made that deal with Google in a perfectly legal fashion.

I can hardly see how one could call them "scum" for doing it.


That was a good one!

RE[2]: Oh oh!
by NotParker (-2) on Mon 2nd Oct 2006 02:37 UTC in reply to "RE: Oh oh!"
NotParker Member since:
2006-06-01
Fans: 4

Why should scum profit from their deeds?

Mozilla says: "The Mozilla Security Bug Bounty Program is designed to encourage security research in Mozilla software and to reward those who help us create the safest Internet clients in existence. Reporters of valid critical security bugs will receive a $500 (US) cash reward and a Mozilla T-shirt.

Many thanks to Linspire and Mark Shuttleworth for providing start-up funding for this endeavor."

http://www.mozilla.org/security/bug-bounty.html

Network who?
by Buck (3.84) on Sun 1st Oct 2006 20:07 UTC
Buck
Member since:
2005-06-29
Fans: 1

Communication network for black hats? Through vulnerable browsers? Some people really need to learn to get a life outside of computers...

RE: Network who?
by tomcat (2.16) on Sun 1st Oct 2006 20:19 UTC in reply to "Network who?"
tomcat Member since:
2006-01-06
Fans: 7

Communication network for black hats? Through vulnerable browsers? Some people really need to learn to get a life outside of computers...

Agreed. You'd think with all that the world has to offer, these people would shove away from their desks and actually go do something positive. Volunteer time in a soup kitchen, teach somebody to read, coach a Little League team, or become a Big Brother/Sister, if you want to help the world. Maybe even get laid every once in a while. Sheez.

RE[2]: Network who?
by Bnonn (2.56) on Sun 1st Oct 2006 20:26 UTC in reply to "RE: Network who?"
Bnonn Member since:
2005-09-02
Fans: 1

Come now, I think it's patently obvious $WORLD is not a global variable to these people.

This could be good
by sbergman27 (3.48) on Sun 1st Oct 2006 20:11 UTC
sbergman27
Member since:
2005-07-24
Fans: 35

From what I've seen, Firefox takes a very *reactive* approach to security. They carelessly allow a lot of security problems into the code base, come out with patches quickly *after* the problem has been reported, and sit back and accept the praise for being so on top of things.

I started losing faith in Firefox's interest in taking a proactive approach to security when the mangler.cgi script came out and demonstrated how easily FF, which was already being widely acclaimed as "secure", could be crashed with random HTML input compared to the much more resilient IE.(!) That was a lack of basic input validation, for goodness sake!

Not all *hats are nice enough to play the FF developers' game and report problems to them first. Sometimes they're going to take it public, or just use it for their own purposes without reporting it at all.

The Firefox devs need to accept that and take steps to prevent sloppy coding practices in the first place.

(Remember that when OpenBSD does code audits, they are *not* looking for security holes; They are looking for sloppy coding practices. Sloppy coding is what *breeds* security holes.)

A few public embarrassments and we might start seeing a better, more secure Firefox in the future.

And that would benefit us all.

Edited 2006-10-01 20:12
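As an added example for this thread (it is not the mangler.cgi script referred to in the post above, which is not reproduced here, and not Mozilla code), here is a small seeded HTML mangler of the same kind, in JavaScript for Node. It tokenizes a document into tags and text runs, then applies a handful of structural mutations (repeated tokens, dropped close tags, oversized and out-of-range attribute values, control and non-ASCII characters) under a seeded PRNG, so a crashing case can be reproduced from its seed. The sample document and the mutation set are constructed for the example; feed the output only to a browser build you are testing yourself.

```javascript
// Added example: a seeded HTML mangler, not the original mangler.cgi and not Mozilla code.
// Structured-but-random input for crash-testing a parser; the seed makes a case reproducible.

// mulberry32, a tiny seeded PRNG (statistical quality is irrelevant for this purpose)
function makeRng(seed) {
  let s = seed >>> 0;
  return function () {
    s = (s + 0x6D2B79F5) >>> 0;
    let t = s;
    t = Math.imul(t ^ (t >>> 15), t | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// Split markup into tag tokens and text runs; join() of the result gives the input back.
function tokenize(html) {
  return html.match(/<[^>]*>|[^<]+/g) || [];
}

const isTag = (tok) => tok.startsWith('<');
const randInt = (rnd, n) => Math.floor(rnd() * n);

// Each mutator edits the token array in place at index i.
const MUTATORS = [
  // repeat a token: deep nesting, repeated open tags, duplicated attributes
  (toks, i, rnd) => { toks.splice(i, 0, ...Array(2 + randInt(rnd, 50)).fill(toks[i])); },
  // drop a token: unbalanced or missing close tags
  (toks, i) => { toks.splice(i, 1); },
  // oversized attribute value on a tag (no-op on a text run)
  (toks, i, rnd) => {
    if (isTag(toks[i])) toks[i] = toks[i].replace(/>$/, ` data-x="${'A'.repeat(1 + randInt(rnd, 4096))}">`);
  },
  // extreme numbers where a layout attribute is parsed (no-op on a text run)
  (toks, i, rnd) => {
    if (isTag(toks[i])) toks[i] = toks[i].replace(/>$/, ` width="${randInt(rnd, 2 ** 32)}" height="-${randInt(rnd, 2 ** 31)}">`);
  },
  // control characters and non-ASCII code points appended to a token
  (toks, i, rnd) => {
    let junk = '';
    for (let k = 1 + randInt(rnd, 32); k > 0; k--) junk += String.fromCharCode(randInt(rnd, 0x3000));
    toks[i] += junk;
  },
];

// Apply `rounds` random mutations to `html` under `seed`; same seed, same output.
function mangle(html, seed, rounds = 8) {
  const rnd = makeRng(seed);
  const toks = tokenize(html);
  for (let r = 0; r < rounds && toks.length > 0; r++) {
    const i = randInt(rnd, toks.length);
    MUTATORS[randInt(rnd, MUTATORS.length)](toks, i, rnd);
  }
  return toks.join('');
}

// Constructed sample document (not taken from the page)
const SAMPLE_HTML = '<html><body><p class="a">hello</p><img src="x.png"><table><tr><td>1</td></tr></table></body></html>';

// Usage: node mangler.js 42 > case-42.html
if (typeof require !== 'undefined' && require.main === module) {
  const seed = Number(process.argv[2] || 1);
  process.stdout.write(mangle(SAMPLE_HTML, seed));
}
```

Keeping the mutations at the token level rather than flipping random bytes is deliberate: byte-level noise mostly gets rejected before it reaches the layout and DOM code, whereas well-formed-looking tags with absurd nesting or attribute values exercise exactly the code paths the post is complaining about. Log the seed with every crash; the seed is the whole test case.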

RE: This could be good
by tomcat (2.16) on Sun 1st Oct 2006 20:16 UTC in reply to "This could be good"
tomcat Member since:
2006-01-06
Fans: 7

From what I've seen, Firefox takes a very *reactive* approach to security. They carelessly allow a lot of security problems into the code base, come out with patches quickly *after* the problem has been reported, and sit back and accept the praise for being so on top of things.

This is one of the more laughable aspects of open source development. I could really care less how fast people can patch their code. I'd be more impressed if they had fewer vulnerabilities in the first place.

RE[2]: This could be good
by LB06 (2.8) on Sun 1st Oct 2006 20:27 UTC in reply to "RE: This could be good"
LB06 Member since:
2005-07-06
Fans: 0

I fail to see your point. There are open source based companies/communities who have a *reactive* approach to security and there are some who don't.

Also, there are closed source based companies/communities who have a *reactive* approach to security and there are some who don't.

Your point is?

Edited 2006-10-01 20:28

RE[3]: This could be good
by sbergman27 (3.48) on Sun 1st Oct 2006 21:20 UTC in reply to "RE: This could be good"
sbergman27 Member since:
2005-07-24
Fans: 35

"""I fail to see your point. There are open source based companies/communities who have a *reactive* approach to security and there are some who don't."""

I believe his point is that some in our community like to proclaim that OSS is hands-down better at proactive security, when the reality is more in line with what you are describing.

To put it another way, approximately the same number of ostriches have their heads in the sand on this side of the fence as do on that side of the fence.

But only the ostriches with their heads in the open air can see that.

RE[2]: This could be good
by dylansmrjones (2.6) on Sun 1st Oct 2006 22:46 UTC in reply to "RE: This could be good"
RE[3]: This could be good
by sbergman27 (3.48) on Sun 1st Oct 2006 22:52 UTC in reply to "RE[2]: This could be good"
sbergman27 Member since:
2005-07-24
Fans: 35

"""Go check secunia.dk and compare closed source products with open source products, and not only numbers but also the time it takes to close them, and the number of unpatched holes and the severity of these holes."""

I have. Well, I have looked over secunia.com.

And Opera has far fewer vulnerabilities reported, and patches the few they have in a time slightly greater than, but comparable to, FF.

If you multiply "vulnerabilities" by "days unpatched" to get the unit "vulnerability days", Opera kills FF outright.

I'm an OSS fan. And I dislike Opera. But spades is spades, ya know?

Edited 2006-10-01 22:52
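As an added example (not part of this thread, and not using Secunia's or Mozilla's actual figures), the following JavaScript scores one set of advisories by each of the yardsticks argued over earlier in the thread: advisory count versus vulnerability count, unpatched share, worst severity, and the "vulnerability days" metric proposed in the post above, plus a severity-weighted variant. Every advisory record is constructed sample data with placeholder product names A and B; the severity labels follow Secunia's wording but the 1 to 5 weighting is an assumption. Its point is that the same records rank A and B differently depending on which number you pick.

```javascript
// Added example, not from the thread and not Secunia's or Mozilla's figures:
// every advisory below is CONSTRUCTED sample data with placeholder product names.

// Secunia-style severity labels mapped to a weight (assumption: a linear 1..5 scale)
const SEVERITY = {
  'not critical': 1,
  'less critical': 2,
  'moderately critical': 3,
  'highly critical': 4,
  'extremely critical': 5,
};

// Constructed sample advisories. `vulns` is how many distinct flaws one advisory
// bundles (the "advisories vs. vulnerabilities" argument); `patched` is null while
// the hole is still open.
const SAMPLE_ADVISORIES = [
  { product: 'A', id: 'A-1', severity: 'highly critical',     vulns: 3,  published: '2006-02-01', patched: '2006-02-10' },
  { product: 'A', id: 'A-2', severity: 'less critical',       vulns: 1,  published: '2006-04-12', patched: null },
  { product: 'A', id: 'A-3', severity: 'moderately critical', vulns: 12, published: '2006-06-01', patched: '2006-06-03' },
  { product: 'B', id: 'B-1', severity: 'extremely critical',  vulns: 1,  published: '2006-03-20', patched: null },
  { product: 'B', id: 'B-2', severity: 'moderately critical', vulns: 2,  published: '2006-05-05', patched: '2006-09-15' },
];

const MS_PER_DAY = 86400000;

// Whole days between two ISO dates (Date.parse reads YYYY-MM-DD as UTC, so no DST drift)
function daysBetween(fromIso, toIso) {
  return Math.round((Date.parse(toIso) - Date.parse(fromIso)) / MS_PER_DAY);
}

// Summarise one product's advisories as of the ISO date `asOf`; null if it has none.
function summarise(advisories, product, asOf) {
  const rows = advisories.filter((a) => a.product === product);
  if (rows.length === 0) return null;
  const unpatched = rows.filter((a) => a.patched === null);
  const worst = rows.reduce((b, a) => (SEVERITY[a.severity] > SEVERITY[b.severity] ? a : b));
  // Exposure window: publication to patch, or to `asOf` if the hole is still open.
  const exposure = (a) => daysBetween(a.published, a.patched || asOf);
  return {
    advisories: rows.length,
    vulnerabilities: rows.reduce((s, a) => s + a.vulns, 0),
    unpatchedAdvisories: unpatched.length,
    unpatchedPct: Math.round((100 * unpatched.length) / rows.length),
    mostSevere: worst.severity,
    // "vulnerability days": each flaw counts once per day it was public without a fix
    vulnerabilityDays: rows.reduce((s, a) => s + a.vulns * exposure(a), 0),
    // the same, weighted by how critical each flaw is
    weightedVulnerabilityDays: rows.reduce((s, a) => s + SEVERITY[a.severity] * a.vulns * exposure(a), 0),
  };
}

// Rank products by one metric, best (lowest) first.
function rank(advisories, products, asOf, metric) {
  return products
    .map((p) => ({ product: p, value: summarise(advisories, p, asOf)[metric] }))
    .sort((x, y) => x.value - y.value)
    .map((e) => e.product);
}

if (typeof require !== 'undefined' && require.main === module) {
  const asOf = '2006-10-01';
  for (const p of ['A', 'B']) console.log(p, summarise(SAMPLE_ADVISORIES, p, asOf));
  for (const m of ['advisories', 'vulnerabilities', 'vulnerabilityDays', 'weightedVulnerabilityDays']) {
    console.log(m.padEnd(26), rank(SAMPLE_ADVISORIES, ['A', 'B'], asOf, m).join(' better than '));
  }
}
```

With the sample data, product B wins on advisory count and on vulnerability count, while product A wins on vulnerability days and on the severity-weighted version, because B's one "extremely critical" hole has been open for most of the year. Whichever side of the thread's argument one takes, a comparison is only meaningful once the metric, the cut-off date for still-open holes, and whether severity is weighted are all stated.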

RE[4]: This could be good
by dylansmrjones (2.6) on Mon 2nd Oct 2006 06:11 UTC in reply to "RE[3]: This could be good"
RE[2]: This could be good
by flanque (4.12) on Mon 2nd Oct 2006 00:45 UTC in reply to "RE: This could be good"
flanque Member since:
2005-12-15
Fans: 3

I thought this was precisely one of the supposed benefits of open source? Fixing something after the fact makes it no better than closed source reactive patching. Talk about speed? It shouldn't have been there in the first place with the code being so open and available as beta beforehand.

RE: This could be good
by SEJeff (3.52) on Sun 1st Oct 2006 20:30 UTC in reply to "This could be good"
SEJeff Member since:
2005-11-05
Fans: 7

http://scan.coverity.com/ CTRL F Firefox

The developers have quite a few known issues they are working on. Some of those are whitenoise and not exploitable, but that doesn't mean they aren't bad. If you look at the Firefox development team, sadly, it is very small. Mozilla should hire some more developers to address these concerns.

The truth
by JohnX (2.76) on Sun 1st Oct 2006 20:59 UTC
JohnX
Member since:
2005-11-06
Fans: 1

Actually most Firefox security issues are known long before a patch is issued. They make the flaws public one day before the patch to give the impression that they are fast patching... The reality is that these errors have been known in black hat forums for months. Mozilla does nothing.

RE: The truth
by unapersson (2.52) on Mon 2nd Oct 2006 15:39 UTC in reply to "The truth"
unapersson Member since:
2005-07-19
Fans: 0

Bugzilla entries have date stamps; it's very easy to see when the bug was reported and when it was fixed. That's a pretty transparent process.

Are you saying they file new bugs for old security issues, just to get the fix date close to the report date? What happens to the original bugzilla entry?

RE[2]: The truth
by deathshadow (2.52) on Mon 2nd Oct 2006 16:04 UTC in reply to "RE: The truth"
deathshadow Member since:
2005-07-12
Fans: 4

>> Are you saying they file new bugs for old
>> security issues, just to get the fix date close
>> to the report date? What happens to the original
>> bugzilla entry?

It goes 'unconfirmed'... Like the 'memory leak' that was revealed to be a 'feature' and has multiple bug entries dating back all the way to FF 0.89

That it seems even 2.0 RC1 STILL HAS.

Of course, if it's a feature, why do other browsers lack it?

Buzilla. Open source and related
by fyysik (1.32) on Sun 1st Oct 2006 21:04 UTC
fyysik
Member since:
2006-02-19
Fans: 3

Well, be it open or closed source, there aren't that many people who really understand security problems.

But there is one very special aspect of Firefox development: security bugs in Bugzilla are private/secret/non-public.

So curious programmers can see code changes, but cannot see the explanation and discussions; even the bug name and summary are unavailable.

Maybe it is reasonable to prevent hax0rz from creating exploits for discovered vulnerabilities, but it may also prevent those "non-VIP" programmers from learning more about security. And thus it may prevent the wider coder community from learning just that better coding practice.

Laurel and Hardy
by moleskine (4.28) on Sun 1st Oct 2006 21:04 UTC
moleskine
Member since:
2005-11-05
Fans: 5

Ah, the romance of black hattery! I guess these two fellows should be careful in their chosen career lest they find themselves in a federal penitentiary having zero-day exploits performed on their butts by some decidedly non-geeky types.

In the meantime, stripping out the incidentals, one or more flaws have been discovered in Firefox. This is hardly the end of the world. The Mozilla team have a good record of fixing exploits in a timely manner and there's no reason to think that won't happen here.

Worried about Javascript and Firefox? Then use the excellent NoScript extension.

Level of the comments
by santagada (1.09) on Mon 2nd Oct 2006 02:27 UTC
santagada
Member since:
2005-07-06
Fans: 0

Sadly, every day the comments on OSNews get worse. Everyone pointing out stupid things like "they release the bug report only after fixing the security bug just to make them look good". Seriously, do you think before posting? Let's just see some of them:
* "they release the bug report only after fixing the security bug just to make them look good": What do you want? Release the bug report to everyone on the internet? It would be easier to distribute Back Orifice with each Firefox download then.
* "Some tool found 1 million bugs in Firefox, and they don't do anything about it": As rightly pointed out, most of them are false positives, and the Firefox dev team is working on the others.
* "They have a reactive approach to security": Yep, this is the area where they could do better, but then, making a web browser is very very hard. What we should do is try to use what IE 7 will be doing: run the browser as a less privileged user, maybe in some kind of chroot.
* "they fixed 60 bugs in 2006 alone": Yep, how many lines of code does Firefox have, 1 or 2 million? So 60 security bugs aren't that much, and they released the patches fast.

And just be reasonable, they are doing better than the biggest software company in the world when it comes to security, so give them a break.

RE: Level of the comments
by NotParker (-2) on Mon 2nd Oct 2006 02:41 UTC in reply to "Level of the comments"
NotParker Member since:
2006-06-01
Fans: 4

What do you want? Release the bug report to everyone on the internet?

Mozilla's practical policy is to have a semi-public Bugzilla database to make you think Firefox is "open". But it seems that only certain people get to see the bug database of bugs that result in patches. I wonder how many "Black Hat" hackers have Mozilla Bugzilla accounts?

it would be easier to distribute backorifice with each firefox download then.

As of this article, that isn't necessary it seems.

Edited 2006-10-02 02:43

RE[2]: Level of the comments
by santagada (1.09) on Mon 2nd Oct 2006 02:51 UTC in reply to "RE: Level of the comments"
santagada Member since:
2005-07-06
Fans: 0

Mozilla's practical policy is to have a semi-public Bugzilla database to make you think Firefox is "open". But it seems that only certain people get to see the bug database of bugs that result in patches. I wonder how many "Black Hat" hackers have Mozilla Bugzilla accounts?

I have a Mozilla Bugzilla account, and I don't get to see the security bugs of Firefox. You have to be part of a security team that is associated with Mozilla (Debian, SUSE, Ubuntu and other security teams probably can see those bugs).

You also can't see security bugs in GNOME, Ubuntu, and probably not in Debian nor SUSE nor Red Hat. So why complain about it? Want to see them? Join a security team; best of all, join the Firefox security team, or go home.

RE[3]: Level of the comments
by NotParker (-2) on Mon 2nd Oct 2006 06:30 UTC in reply to "RE[2]: Level of the comments"
NotParker Member since:
2006-06-01
Fans: 4

"I have a Mozilla Bugzilla account, and I don't get to see the security bugs of firefox."

Not anymore. But they were open at the beginning ... until the patch count rose too high. Then they started plastering "embargoed" on everything.

Edited 2006-10-02 06:31

Culture clash
by n1xt3r (1.64) on Sun 1st Oct 2006 21:40 UTC
n1xt3r
Member since:
2006-02-05
Fans: 0

Other than the arrogant manner in which these black hats chose to present the exploits, what exactly were they trying to achieve? The problem they chose to highlight seems to be more of a problem with JavaScript itself. While some browsers may implement JavaScript better than others, they're still just implementations of a poorly designed scripting language. I suspect they could've chosen from thousands of JavaScript exploits for any number of web browsers. So, why just Firefox? Does it really have to come down to a clash of cultures?

Make RC cycle longer to check for exploits
by ashyanbhog (2.55) on Mon 2nd Oct 2006 04:49 UTC
ashyanbhog
Member since:
2006-08-24
Fans: 0

Democracy is based on the presumption that citizens will act as a check on the government machinery.

Open source is somewhat similar, and to be successful, requires users and other developers to devote some part of their time to helping it improve.

Firefox would go a long way if a few hundred capable people took some time to look at the source and check for exploits when the software is in RC stage than bitch about security issues after a stable release.

proof of code
by netpython (2.44) on Mon 2nd Oct 2006 05:59 UTC
netpython
Member since:
2005-07-06
Fans: 6

Just give me a link to click on (JavaScript always disabled).

Why are they withholding the information ??
by Drift3r (0.42) on Mon 2nd Oct 2006 06:02 UTC
Drift3r
Member since:
2006-03-26
Fans: 0

Basically I'd get ready to file legal action against those two if anyone claims that their private information was stolen and identity fraud was committed due to this exploit and it turns out someone used the same techniques. These two are not being responsible but smug, so they can gloat and show off their e-peens. The responsible course of action any adult would follow would be to report this and give the information to the Firefox team so they could patch their software. If this was Microsoft these two would be in jail by now.

Edited 2006-10-02 06:13

...
by Finalzone (2.36) on Mon 2nd Oct 2006 06:45 UTC