Linked by Thom Holwerda on Fri 6th Mar 2009 15:48 UTC
We've got two bits of good news, and one bit of bad news about Mozilla's Firefox web browser. Starting with the bad news - in 2008, Firefox suffered from considerably more security holes than Internet Explorer and Safari. However, the first bit of good news is that Mozilla was much faster at patching zero-day exploits, according to a report by Secunia. The zero-day flaws of Firefox were also less severe than those of IE. The other bit of good news is that Firefox's upcoming TraceMonkey JavaScript engine is so good, the next Firefox release has been bumped from 3.1 to 3.5.
Firefox 3.5
by TaterSalad on Fri 6th Mar 2009 16:17 UTC
TaterSalad
Member since:
2005-07-06

Does anyone have a release date for Firefox 3.5? I'm liking the betas in that they are faster, but I have run into a few problems. Give me that faster script engine!

Reply Score: 3

...
by Hiev on Fri 6th Mar 2009 16:19 UTC
Hiev
Member since:
2005-09-27

About JavaScript parsers: in an interview with one of the main Java evangelists (sorry, I don't remember the name) he gave his opinion about the optimization of JS in browsers. His answer was that it was a good thing, but it wouldn't really make much of a difference, because the bottleneck is in the DOM, and it is in the DOM optimizations where users would notice the difference in speed.

Edit: I don't remember the name but he is the creator of JSON.

Edited 2009-03-06 16:28 UTC

Reply Score: 2

RE: ...
by Kroc on Fri 6th Mar 2009 16:33 UTC in reply to "..."
Kroc Member since:
2005-11-10

Douglas Crockford. http://www.crockford.com/

Reply Score: 1

RE: ...
by google_ninja on Fri 6th Mar 2009 19:08 UTC in reply to "..."
google_ninja Member since:
2006-02-05

It still makes a big difference for JavaScript as a platform, rather than JavaScript as a front end. The new engines make things like SproutCore and Cappuccino seem like the way web development is going, rather than stuff like Flash, Java, or Silverlight.

Reply Score: 2

Slightly deceiving...
by Piranha on Fri 6th Mar 2009 16:35 UTC
Piranha
Member since:
2008-06-24

Remember guys....

Firefox is also Open Source (yes, Safari's engine is, but it's still proprietary). All of Firefox's known vulnerabilities are announced publicly, without hesitation. The same cannot be said about Microsoft or Apple, and that has been proven.

I really don't like these types of 'reports', as they generally reward closed applications, *ahem* Microsoft products, who enjoy hiding known vulnerabilities and patch the ones THEY deem appropriate. At least the report wasn't totally in Microsoft/Apple's favor, but still seems one-sided to me.

Reply Score: 7

RE: Slightly deceiving...
by red_devel on Fri 6th Mar 2009 17:41 UTC in reply to "Slightly deceiving..."
red_devel Member since:
2006-03-30

Yeah, I totally agree. And I'm sorry, you could throw all the numbers at me you wanted about how many security flaws were found, and blah blah blah, but it will be a cold day in hell when I actually FEEL or BELIEVE I am more secure browsing in IE than Firefox (or Opera, Safari, Chrome, Konqueror, ..., for that matter).

Reply Score: 3

RE: Slightly deceiving...
by Thom_Holwerda on Fri 6th Mar 2009 18:24 UTC in reply to "Slightly deceiving..."
Thom_Holwerda Member since:
2005-06-29

At least the report wasn't totally in Microsoft/Apple's favor, but still seems one-sided to me.


I specifically mentioned the open source argument and what it could mean for the skewedness of the report. What more would you have me do?

Reply Score: 3

RE[2]: Slightly deceiving...
by quodlibetor on Sat 7th Mar 2009 20:49 UTC in reply to "RE: Slightly deceiving..."
quodlibetor Member since:
2009-03-07

I specifically mentioned the open source argument and what it could mean for the skewedness of the report. What more would you have me do?


read this: http://blog.mozilla.com/security/2009/03/06/beware-the-security-met... .

The main takeaway is that Mozilla publishes every security problem that they fix, whereas the other players only release the ones that are discovered and published by third parties. So that's 115 security issues discovered by mozilla compared to 35 (or whatever) issues discovered and published by secunia/white hats/etc.

It's an absurd metric and should only be brought up to be disparaged.

Reply Score: 2

RE: Slightly deceiving...
by smashIt on Fri 6th Mar 2009 18:26 UTC in reply to "Slightly deceiving..."
smashIt Member since:
2005-07-06

Remember guys....

All of Firefox's known vulnerabilities are announced publicly, without hesitation. The same cannot be said about Microsoft or Apple, and that has been proven.


Somehow I have a hard time believing that just because something is open source, only good people are searching for bugs in it...

Reply Score: 3

RE[2]: Slightly deceiving...
by Hiev on Fri 6th Mar 2009 18:39 UTC in reply to "RE: Slightly deceiving..."
Hiev Member since:
2005-09-27

Somehow I have a hard time believing that just because something is open source, only good people are searching for bugs in it...

Exactly, and the speed of reaction doesn't really do anything for the whole time the hole was there undetected.

Edited 2009-03-06 18:39 UTC

Reply Score: 2

RE[3]: Slightly deceiving...
by sbergman27 on Fri 6th Mar 2009 19:10 UTC in reply to "RE[2]: Slightly deceiving..."
sbergman27 Member since:
2005-07-24

and the speed of reaction doesn't really do anything for the whole time the hole was there undetected.

As time goes on, and more and more faults float down the OSS stream, I find myself starting to come around to Daniel Bernstein's way of looking at things. The authors shouldn't get off the hook for fixing it fast. They should get a big black eye for having released the flawed software in the first place. The situation will not change as long as they can release crap and then get a big public pat on the back for fixing those things that happen to be found and reported to them. How about the stuff that doesn't get reported to them? Remember when, years after we had been bragging about how "many eyes make all bugs shallow", Michal Zalewski demonstrated just how unbelievably poorly Firefox was actually doing?

http://www.securityfocus.com/archive/1/378632

http://it.slashdot.org/article.pl?sid=04/10/19/0236213&tid=113

It took literally *years* to patch that one, because it was the result of a general problem with their process and focus, and not some particular detail that could be patched.

And yet the steady flow of FF exploits continues; the process and focus have, apparently, not changed.

Edited 2009-03-06 19:16 UTC

Reply Score: 5

RE[4]: Slightly deceiving...
by vitae on Fri 6th Mar 2009 19:40 UTC in reply to "RE[3]: Slightly deceiving..."
vitae Member since:
2006-02-20

Michal Zalewski demonstrated just how unbelievably poorly Firefox was actually doing?

http://www.securityfocus.com/archive/1/378632

http://it.slashdot.org/article.pl?sid=04/10/19/0236213&tid=113



Yeah, except all browsers but IE failed that test which means what? That lazy, inept web designers can go on putting out their broken HTML because IE will permit it rather than making these idiots get it done right.

Reply Score: 1

RE[5]: Slightly deceiving...
by sbergman27 on Fri 6th Mar 2009 19:46 UTC in reply to "RE[4]: Slightly deceiving..."
sbergman27 Member since:
2005-07-24

Yeah, except all browsers but IE failed that test which means what?

It means that only Microsoft's browser was doing proper input validation on data originating from untrusted sources. Presumably, the devs of the other browsers did not know that they were supposed to do that, or did not care enough to do it.

Edited 2009-03-06 19:48 UTC

Reply Score: 3

RE[4]: Slightly deceiving...
by google_ninja on Fri 6th Mar 2009 23:01 UTC in reply to "RE[3]: Slightly deceiving..."
google_ninja Member since:
2006-02-05

I ran across this one reading a GNOME article a while back; it blew my mind. It was a non-trivial fix for a highly visible, very annoying issue, and it took 7 years for the GNOME team to fix it.
http://bugzilla.gnome.org/show_bug.cgi?id=56070

Reply Score: 1

RE[3]: Slightly deceiving...
by groversonus on Sat 7th Mar 2009 00:28 UTC in reply to "RE[2]: Slightly deceiving..."
groversonus Member since:
2009-03-07

I would like for everyone to know that just because there is a flaw in the code and the code is open, doesn't mean you will ever find it viewing the code casually. First you must understand the code and be able to successfully look for flaws. And you need to find them before the good guys that do know the code do!

As an example check out the 25 year old UNIX bug!!!

http://osnews.com/story/19731/The-25-Year-Old-UNIX-Bug

So I wouldn't get all paranoid yet!

Reply Score: 2

RE[4]: Slightly deceiving...
by Hiev on Sat 7th Mar 2009 02:40 UTC in reply to "RE[3]: Slightly deceiving..."
Hiev Member since:
2005-09-27

If they can find holes in closed source, then they will be more likely to find them in open source. Don't underestimate those guys.

Reply Score: 1

RE[3]: Slightly deceiving...
by lemur2 on Sat 7th Mar 2009 13:12 UTC in reply to "RE[2]: Slightly deceiving..."
lemur2 Member since:
2007-02-17

Somehow I have a hard time believing that just because something is open source, only good people are searching for bugs in it...

Exactly, and the speed of reaction doesn't really do anything for the whole time the hole was there undetected.


As soon as any attack actually surfaces (meaning that someone "nasty" has found a bug, and written an exploit) ... there are literally thousands upon thousands of people who can see and test the source code of Firefox, who know how it works, and who can see how it was attacked, and whose own strong self-interest is to find a way to fix the vulnerability.

It wouldn't surprise me if tens of solutions were offered overnight, in many cases. It would then be a matter of testing to decide which of them was the best one.

Reply Score: 3

RE[4]: Slightly deceiving...
by Hiev on Sat 7th Mar 2009 16:13 UTC in reply to "RE[3]: Slightly deceiving..."
Hiev Member since:
2005-09-27

there are literally thousands upon thousands of people who can see and test the source code of Firefox, who know how it works

Where do you get those stats? Those aren't even the number of committers to the source tree, and most of them are translators and not developers.

Reply Score: 2

RE[5]: Slightly deceiving...
by lemur2 on Sun 8th Mar 2009 09:12 UTC in reply to "RE[4]: Slightly deceiving..."
lemur2 Member since:
2007-02-17

there are literally thousands upon thousands of people who can see and test the source code of Firefox, who know how it works

Where do you get those stats? Those aren't even the number of committers to the source tree, and most of them are translators and not developers.


There are an estimated 1.5 million OSS developers worldwide.

Many of them are testers, and as you say translators, or artistic designers, not all of them commit code.

The figure of thousands for Firefox is a guesstimate ... but not at all an unreasonable one for Firefox to have input from, say, 0.3% of those 1.5 million OSS developers.

Reply Score: 2

RE[6]: Slightly deceiving...
by Thom_Holwerda on Sun 8th Mar 2009 12:12 UTC in reply to "RE[5]: Slightly deceiving..."
Thom_Holwerda Member since:
2005-06-29

There are an estimated 1.5 million OSS developers worldwide.


And across how many open source projects are they spread? ;)

Reply Score: 2

RE[7]: Slightly deceiving...
by lemur2 on Mon 9th Mar 2009 04:32 UTC in reply to "RE[6]: Slightly deceiving..."
lemur2 Member since:
2007-02-17

"There are an estimated 1.5 million OSS developers worldwide."

"And across how many open source projects are they spread? ;)"

Good question.

Debian has something like 23,000 (or so) packages.

Mind you, there is no reason why any given developer couldn't be involved in several projects at the same time.

Reply Score: 3

RE[4]: Slightly deceiving...
by sbergman27 on Sat 7th Mar 2009 16:45 UTC in reply to "RE[3]: Slightly deceiving..."
sbergman27 Member since:
2005-07-24

there are literally thousands upon thousands of people who can see and test the source code of Firefox

So where were they during the years of Mozilla development, and later Firefox development, before Zalewski's simple random mangling demonstration showed just how unbelievably chock-full of buffer overflow bugs the codebase was? And for all those years, none of the devs had a clue. Everyone was too busy bragging about how "secure" Firefox was to notice.

Here we have what is likely the most well known FOSS project in the world. (As many eyes as you're going to get.) And we also have pretty much the ultimate evidence debunking the whole "many eyes makes all bugs shallow" myth.

In the pattern of many myths, it sounds reasonable on the surface. And people have certainly parroted it quite a lot. But upon closer inspection, the actual evidence reveals it to be false.

News Flash! Reliable sources report that the Emperor has been arrested on charges of indecent exposure on the palace grounds.

P.S. There's no point in directing me to the CaTB site yet again. I read it back when it was new. And the parts of it that were crap then are still crap now.

Edited 2009-03-07 17:01 UTC

Reply Score: 2

RE[5]: Slightly deceiving...
by lemur2 on Sun 8th Mar 2009 09:27 UTC in reply to "RE[4]: Slightly deceiving..."
lemur2 Member since:
2007-02-17

And we also have pretty much the ultimate evidence debunking the whole "many eyes makes all bugs shallow" myth.

In the pattern of many myths, it sounds reasonable on the surface. And people have certainly parroted it quite a lot. But upon closer inspection, the actual evidence reveals it to be false.


To call this a myth is to be completely and utterly blind to the track record of open source.

It is more than just "many eyes makes all bugs shallow" also ... open source brings far more benefits than that over closed, proprietary, written-for-big-business-interests software.

Here are some of them:
http://www.linfo.org/reasons_to_convert.html

Having many eyes on the code does a heck of a lot more than just make bugs shallow.

Reply Score: 2

RE[2]: Slightly deceiving...
by jabbotts on Fri 6th Mar 2009 20:39 UTC in reply to "RE: Slightly deceiving..."
jabbotts Member since:
2007-09-06

"Firefox's all know vulnerabilities"

I read that to mean "known to the project" or "posted to the bug reports site". Exploitable vulnerabilities found by those with criminal intent kinda remain unknown vulnerabilities until they choose to make use of them. I'd give all platforms and software that same grace; if it's only known by the criminally inclined then it's still an unused 0day.

Reply Score: 0

RE[3]: Slightly deceiving... hm...
by jabbotts on Mon 9th Mar 2009 13:16 UTC in reply to "RE[2]: Slightly deceiving..."
jabbotts Member since:
2007-09-06

Wow, seems this comment was not liked by the masses. Anyone spot the specific reason? I'm not here counting thumbs-up, just curious as to why pointing out that developers cannot fix bugs they are not aware of (hence, 0day and stockpiled bugs) is so off topic or offensive to others.

I extend the same opinion to any other software brand as I did here with Firefox: if the bug is not known to the publisher (e.g. not reported by a malicious cracker saving it for criminal intent), why is it not still an unknown vulnerability?

The vulnerabilities that concern me are the ones known by the people with the skill or access to correct the flaw but are left unpatched for whatever reason the software developers believes justifies such negligence.

I guess we'll see with the IE/Firefox vulnerabilities sprayed across eBay over the last few weeks. FF hasn't a once-a-month release schedule and MS Patch Tuesday is tomorrow; let's see who corrects the issue first.

Anyhow, thumb-down the comment all you like. I'd just be curious to know why so as to at least be given the chance to defend my opinion.

Reply Score: 2

RE: Slightly deceiving... - patch times
by jabbotts on Fri 6th Mar 2009 20:35 UTC in reply to "Slightly deceiving..."
jabbotts Member since:
2007-09-06

I did like that it accounted for patch times. I think a higher reported number of bugs patched faster is well within the expectation.

It's the arguments where the only consideration is announced bug counts that completely ignore any real value.

Reply Score: 3

so good
by twickline on Fri 6th Mar 2009 17:30 UTC
twickline
Member since:
2005-12-31

The "so good" link is broken ;) Can someone please fix it?

Tom

Reply Score: 2

RE: so good
by FishB8 on Fri 6th Mar 2009 21:24 UTC in reply to "so good"
FishB8 Member since:
2006-01-16

I believe this was a typo. "so good" should actually read "so late".

Reply Score: 1

RE: so good
by Michael on Fri 6th Mar 2009 22:24 UTC in reply to "so good"
Michael Member since:
2005-07-01
No matter how you put it
by Lennie on Sat 7th Mar 2009 00:29 UTC
Lennie
Member since:
2007-09-22

Any flaws found by anyone who wanted to share the information about them were fixed fast, and updates were installed by users very fast as well.

Just take a look at a graph showing the browser share of Firefox 2 and Firefox 3: something like 85% changed from Firefox 2 to Firefox 3 in less than a month's time. IE takes 2 years to get people from IE6 to IE7; just imagine how fast updates are being installed as well.

Reply Score: 2

Humm lets recall some!!
by Hakime on Sat 7th Mar 2009 04:18 UTC
Hakime
Member since:
2005-11-16

Here is what "Auzy" was saying about Safari in a forum related to a different story, just yesterday (http://www.osnews.com/comments/21089):

"Safari isn't really known for its stability.. "

It seems that the reality is quite different, isn't it? So, any comment, Auzy, or shall we just consider that you were really trolling?

"Firefox is also Open Source (yes, safari's engine is, but it's still proprietary). "

Wait, why proprietary? It is not because Apple represents 81% of the contributions to the code of WebKit that it makes it proprietary. What are you talking about? The development is totally open, the source code is totally open and the contribution is totally open. Where does "proprietary" come in here?

I mean, check the facts before you say something.

http://webkit.org/coding/contributing.html
http://webkit.org/building/checkout.html
http://trac.webkit.org/browser

Edited 2009-03-07 04:21 UTC

Reply Score: 1

RE: Humm lets recall some!!
by spiderman on Sat 7th Mar 2009 14:52 UTC in reply to "Humm lets recall some!!"
spiderman Member since:
2008-10-23

I believe he means Safari, not WebKit.
WebKit is open, and I doubt 81% of the code is from Apple. I believe KHTML was very usable when Apple took it.
But Safari is not WebKit, like Mac OS X is not BSD. They take open source software with a weak license and they proprietarize it.

Reply Score: 2

Only counting newly discovered flaws...
by looncraz on Sat 7th Mar 2009 06:04 UTC
looncraz
Member since:
2005-07-24

It appears here, sadly, that the focus is on the count of newly discovered flaws rather than the total outstanding flaw count.

Of course, I can't really find much compiled information regarding total counts of open exploits :-(...

If anyone could come up with this information, it would certainly be more important than newly discovered non-critical exploits.

Of course, I'll take a dozen minor flaws that allow crashing the browser (virtually all Firefox flaws have been of this nature, or merely reading bookmarks or the like) over one critical flaw that allows crashing Windows... or hijacking the machine... or installing a virus... or whatever an evil heart should so desire (like virtually every IE bug of which you may hear).

This brings me to a unique little observation... how is it that IE has so many critical flaws and so few minor ones? I don't see how a bias would exist here, and I don't think Microsoft would have the sway to hide it...

I simply think it MUST be that Firefox is open source, has many eyes on the code, and is gaining in popularity to the point that it has become a large enough target for the 'big boys.'

Just my thoughts...

--The loon

Reply Score: 2

rtehd Member since:
2006-08-02

This brings me to a unique little observation... how is it that IE has so many critical flaws and so few minor ones?

As far as I know, many security flaws in closed source software are mainly discovered by security researchers and/or people with malicious intent, apart from the company itself that develops the software in the first place. Such work is relatively difficult, and it is generally difficult (but not impossible, see http://it.slashdot.org/article.pl?sid=09/02/24/0032201) to fix these problems unless you have the source. Such work by external parties is usually done *only* because of the malicious aspects/impact of the bugs.

Minor ones are therefore not that interesting.

Open source essentially lowers the bar for finding such bugs, but it also invites people to find non-security related flaws as well; this broadens the spectrum of interest immensely (you'll attract more than only the evil exploiters and researchers trying to beat those, but also developers that want to improve things in other ways), and (last but not least) you can fix problems yourself relatively easy by submitting a patch: helping out really matters in that case.

The severity (impact) of a bug is usually not related to the difficulty of finding or solving the bug in question: you can make simple mistakes with a huge security impact, and seemingly subtle mistakes can crash a program when you press some buttons in a weird way but such a flaw is not really exploitable. This goes the other way around as well, of course.

The question, indeed, is how many flaws there are in some program (this is difficult to tell), and not how many flaws are *known and reported*. This depends on the intent of the audience that finds those bugs, and the fact that there are many minor/medium issues found in Firefox tells something about the audience of reviewers.

Edited 2009-03-07 08:20 UTC

Reply Score: 1

lemur2 Member since:
2007-02-17

I simply think it MUST be that Firefox is open source, has many eyes on the code, and is gaining in popularity to the point that it has become a large enough target for the 'big boys.'


The more popular it becomes, indeed, the bigger target it becomes (particularly the version that runs on Windows, and hence has a softer infrastructure beneath it) ... but also, in turn, the more popular it becomes, the more people (many times more) who have a strong interest in using it, protecting it, and hardening it to be even more secure.

The first effect is common to all software, but that latter effect is unique to open source, by its very nature.

Edited 2009-03-07 13:20 UTC

Reply Score: 3

Platforms
by raver31 on Sat 7th Mar 2009 06:51 UTC
raver31
Member since:
2005-07-06

Are these Firefox vulnerabilities purely on Windows ?

I don't mean to start a troll about Linux/BSD/Solaris/OSX being secure when Windows is not.....

But,

If Firefox on these platforms is not suffering from the same flaws, then surely the fault is not with the application itself, but with the underlying infrastructure it has to work with ?

Reply Score: 1

Security is in diversity
by spiderman on Sat 7th Mar 2009 15:13 UTC
spiderman
Member since:
2008-10-23

The more different browsers, the harder it is to attack.
It's like virii. The more different systems there are, the more difficult it is to propagate.

Reply Score: 2

Apple Juice
by mawrya on Mon 9th Mar 2009 21:45 UTC
mawrya
Member since:
2006-10-06

I think what most people take issue with is demonstrated simply by reading the title of this news piece. It should really read:

"Firefox Reported More Flaws in 2008 and Fixed Them Faster"

It's impossible to say who actually "Faced" more bugs, especially when the other browser dev teams don't report internally discovered ones. Maybe it was supposed to read "...Faced-Up to More Flaws..."?

It's like two farmers reporting how many apples they picked to the tax man. The first farmer says, "I picked 1000 and here they are." The second says, "Well, my neighbors say they saw me pick 500, and there are 500 in these bins here." The tax man says, "What's in that big barrel behind you?" "Barrel?" replies the 2nd farmer. "Oh, that barrel! Nothing... at least no apples, I mean." "Smells like apple juice," says the tax man. "Must have taken a lot of apples to make all that juice." "Hard to say for sure," says the 2nd farmer.

Reply Score: 2