OSNews:

OSNews: http://www.osnews.com/story/21092/Firefox_Faced_More_Flaws_in_2008_But_Fixed_Them_Faster Exploring the Future of Computing en-us Copyright 2001-2009, David Adams adam+nospam@osnews.com Sun, 29 Nov 2009 12:22:45 GMT http://www.osnews.com/images/osnews.gif OSNews.com http://www.osnews.com Firefox 3.5 http://osnews.com/thread?352010 http://osnews.com/thread?352010 Does anyone have a release date for Firefox 3.5? I'm liking the betas in that they are faster but I have ran into a few problems. Give me that faster script engine! Fri, 06 Mar 2009 16:17:00 GMT donotreply@osnews.com (TaterSalad) Comments ... http://osnews.com/thread?352011 http://osnews.com/thread?352011 About java script parsers, In an enterview with one of the main java evangelist (sorry, I don't remember the name) he gave his opinion about the optimization of JS in browsers, his answer was that it was a good thing, but it wouldn't really make much of the difference because the botleneck is in the DOM and is in the DOM optimizations where users would note the difference in speed.

Edit: I don't remember the name but he is the creator of JSON.Edited 2009-03-06 16:28 UTC Fri, 06 Mar 2009 16:19:00 GMT donotreply@osnews.com (Hiev) Comments RE: ... http://osnews.com/thread?352014 http://osnews.com/thread?352014 Douglas Crockford. http://www.crockford.com/ Fri, 06 Mar 2009 16:33:00 GMT donotreply@osnews.com (Kroc) Comments Slightly deceiving... http://osnews.com/thread?352016 http://osnews.com/thread?352016 Remember guys....

Firefox is also Open Source (yes, safari's engine is, but it's still proprietary). Firefox's all know vulnerabilities are announced publicly, without hesitation. The same cannot be said about Microsoft or Apple and that has been proven.

I really don't like these types of 'reports', as they generally reward closed applications, *ahem* Microsoft products, who enjoy hiding known vulnerabilities and patch the ones THEY deem appropriate. At least the report wasn't totally in Microsoft/Apple's favor, but still seems one-sided to me. Fri, 06 Mar 2009 16:35:00 GMT donotreply@osnews.com (Piranha) Comments so good http://osnews.com/thread?352017 http://osnews.com/thread?352017 The "so good" link is broke

Can someone please fix it?

Tom Fri, 06 Mar 2009 17:30:00 GMT donotreply@osnews.com (twickline) Comments RE: Slightly deceiving... http://osnews.com/thread?352018 http://osnews.com/thread?352018 Yeah, I totally agree. And I'm sorry, you could throw all the numbers at me you wanted about how many security flaws were found, and blah blah blah, but it will be a cold day in hell when I actually FEEL or BELIEVE I am more secure browsing in IE than Firefox (or Opera, Safari, Chrome, Konqueror, ..., for that matter). Fri, 06 Mar 2009 17:41:00 GMT donotreply@osnews.com (red_devel) Comments RE: Slightly deceiving... http://osnews.com/thread?352024 http://osnews.com/thread?352024

At least the report wasn't totally in Microsoft/Apple's favor, but still seems one-sided to me.

I specifically mentioned the open source argument and what it could mean for the skewedness of the report. What more you have me do? Fri, 06 Mar 2009 18:24:00 GMT donotreply@osnews.com (Thom_Holwerda) Comments RE: Slightly deceiving... http://osnews.com/thread?352025 http://osnews.com/thread?352025

Remember guys....

Firefox's all know vulnerabilities are announced publicly, without hesitation. The same cannot be said about Microsoft or Apple and that has been proven.

somehow i have a hard time to believe that just because something is opensource only good people are searching for bugs in it... Fri, 06 Mar 2009 18:26:00 GMT donotreply@osnews.com (smashIt) Comments RE[2]: Slightly deceiving... http://osnews.com/thread?352026 http://osnews.com/thread?352026 somehow i have a hard time to believe that just because something is opensource only good people are searching for bugs in it...

Exactly, and the speed of reaction doesn't really do nothing for the whole time the hole was there undetected.Edited 2009-03-06 18:39 UTC Fri, 06 Mar 2009 18:39:00 GMT donotreply@osnews.com (Hiev) Comments RE: ... http://osnews.com/thread?352031 http://osnews.com/thread?352031 It still makes a big difference for javascript as a platform, rather then javascript as a front end. The new engines make things like sproutcore and cappucino seem like the way web development is going, rather then stuff like flash, java, or silverlight. Fri, 06 Mar 2009 19:08:00 GMT donotreply@osnews.com (google_ninja) Comments RE[3]: Slightly deceiving... http://osnews.com/thread?352032 http://osnews.com/thread?352032

and the speed of reaction doesn't really do nothing for the whole time the hole was there undetected.

As time goes on, and more and more faults float down the OSS stream, I find myself starting to come around to Daniel Bernstein's way of looking at things. The authors shouldn't get off the hook for fixing it fast. They should get a big black eye for having released the flawed software in the first place. The situation will not change as long as they can release crap and then get a big public pat on the back for fixing those things that happen to be found and reported to them. How about the stuff that doesn't get reported to them? Remember when, years after we had been bragging about how "many eyes make all bugs shallow", Michal Zalewski demonstrated just how unbelievably poorly Firefox was actually doing?

http://www.securityfocus.com/archive/1/378632

http://it.slashdot.org/article.pl?sid=04/10/19/0236213&tid=113

It took literally *years* to patch that one, because it was the result of a general problem with their process and focus, and not some particular detail that could be patched.

And yet the steady flow of FF exploits continues; The process and focus have, apparently, not changed.Edited 2009-03-06 19:16 UTC Fri, 06 Mar 2009 19:10:00 GMT donotreply@osnews.com (sbergman27) Comments RE[4]: Slightly deceiving... http://osnews.com/thread?352033 http://osnews.com/thread?352033

Michal Zalewski demonstrated just how unbelievably poorly Firefox was actually doing?

http://www.securityfocus.com/archive/1/378632

http://it.slashdot.org/article.pl?sid=04/10/19/0236213&tid=...

Yeah, except all browsers but IE failed that test which means what? That lazy, inept web designers can go on putting out their broken HTML because IE will permit it rather than making these idiots get it done right. Fri, 06 Mar 2009 19:40:00 GMT donotreply@osnews.com (vitae) Comments RE[5]: Slightly deceiving... http://osnews.com/thread?352034 http://osnews.com/thread?352034

Yeah, except all browsers but IE failed that test which means what?

It means that only Microsoft's browser was doing proper input validation on data originating from untrusted sources. Presumably, the devs of the other browsers did not know that they were supposed to do that, or did not care enough to do it.Edited 2009-03-06 19:48 UTC Fri, 06 Mar 2009 19:46:00 GMT donotreply@osnews.com (sbergman27) Comments RE: Slightly deceiving... - patch times http://osnews.com/thread?352036 http://osnews.com/thread?352036 I did like that it accounted for patch times. I think a higher reported number of bugs patched faster is well within the expectation.

Its the arguments where the only consideration is announced bug counts that completely ignore any real value. Fri, 06 Mar 2009 20:35:00 GMT donotreply@osnews.com (jabbotts) Comments RE[2]: Slightly deceiving... http://osnews.com/thread?352037 http://osnews.com/thread?352037 "Firefox's all know vulnerabilities"

I read that to mean "known to the project" or "posted to the bug reports site". Exploitable vulnerabilities found by those with criminal intent kinda remain unknown vulnerabilities until they choose to make use of them. I'd give all platforms and software that same grace; if it's only known by the criminally inclined then it's still an unused 0day. Fri, 06 Mar 2009 20:39:00 GMT donotreply@osnews.com (jabbotts) Comments RE: so good http://osnews.com/thread?352038 http://osnews.com/thread?352038 I believe this was a typo. "so good" should actually read "so late". Fri, 06 Mar 2009 21:24:00 GMT donotreply@osnews.com (FishB8) Comments RE: so good http://osnews.com/thread?352041 http://osnews.com/thread?352041 For those interested,

http://www.betanews.com/article/Firefox-31-could-catch-up-to-Safari... Fri, 06 Mar 2009 22:24:00 GMT donotreply@osnews.com (Michael) Comments RE[4]: Slightly deceiving... http://osnews.com/thread?352044 http://osnews.com/thread?352044 I ran across this one reading a gnome article awhile back, blew my mind. It was a non trivial fix for a highly visible, very annoying issue, and it took 7 years for the gnome team to fix it.
http://bugzilla.gnome.org/show_bug.cgi?id=56070 Fri, 06 Mar 2009 23:01:00 GMT donotreply@osnews.com (google_ninja) Comments RE[3]: Slightly deceiving... http://osnews.com/thread?352049 http://osnews.com/thread?352049 I would like for everyone to know that just because there is a flaw in the code and the code is open, doesn't mean you will ever find it viewing the code casually. First you must understand the code and be able to successfully look for flaws. And you need to find them before the good guys that do know the code do!

As an example check out the 25 year old UNIX bug!!!

http://osnews.com/story/19731/The-25-Year-Old-UNIX-Bug

So I wouldn't get all paranoid yet! Sat, 07 Mar 2009 00:28:00 GMT donotreply@osnews.com (groversonus) Comments No mather how you put it http://osnews.com/thread?352050 http://osnews.com/thread?352050 Any flaws found my anyone who would want to share the information about it was fixed fast and updates by users were installed very fast as well.

Just take a look at a graph showing browser share of Firefox 2 and Firefox 3, something like 85% changed from Firefox 2 to Firefox 3 less then a month's time. IE takes 2 years to get people from IE6 to IE7, just imagine how fast updates are being installed as well. Sat, 07 Mar 2009 00:29:00 GMT donotreply@osnews.com (Lennie) Comments RE[4]: Slightly deceiving... http://osnews.com/thread?352064 http://osnews.com/thread?352064 If they can find holes in closed source, then they will more likely to find them in open source, don't understimate those guys. Sat, 07 Mar 2009 02:40:00 GMT donotreply@osnews.com (Hiev) Comments Humm lets recall some!! http://osnews.com/thread?352066 http://osnews.com/thread?352066 Here is what "Auzy" was saying about Safari in a forum related to a different story, just yesterday (http://www.osnews.com/comments/21089):

"Safari isn't really known for its stability.. "

Its seems that the reality is quite different, isn't it? So any comment Auzy or shall we just consider that you were just really trolling?

"Firefox is also Open Source (yes, safari's engine is, but it's still proprietary). "

Wait, why proprietary? It is not because Apple represents 81% of the contribution to the code of webkit that it makes it proprietary. What are you talking about? The development is totally open, the source code is totally open and the contribution is totally open. Where does the proprietary comes in here?

I mean check the fact before you say something.

http://webkit.org/coding/contributing.html
http://webkit.org/building/checkout.html
http://trac.webkit.org/browserEdited 2009-03-07 04:21 UTC Sat, 07 Mar 2009 04:18:00 GMT donotreply@osnews.com (Hakime) Comments Only counting newly discovered flaws... http://osnews.com/thread?352068 http://osnews.com/thread?352068 It appears here, sadly, that the focus is on the count of newly discovered flaws rather than the total outstanding flaw count.

Of course, I can't really find much compiled information regarding total counts of open exploits :-(...

If anyone could come up with this information, it would certainly be more important than newly discovered non-critical exploits.

Of course, I'll take a dozen minor flaws that allow crashing the browser ( virtually all Firefox flaws have been of this nature, or merely reading bookmarks or the like ), over one critical flaw that allows crashing Windows... or hijacking the machine... or installing a virus... or whatever an evil heart should so desired ( like virtually every IE bug of which you may hear ).

This brings me to a unique little observation... how is it that IE has so many critical flaws and so few minor ones? I don't see how a bias would exist here, and I don't think Microsoft would have the sway to hide it...

I simply think it MUST be that Firefox is open source, has many eyes on the code, and is gaining in popularity to the point that it has become a large enough target for the 'big boys.'

Just my thoughts...

--The loon Sat, 07 Mar 2009 06:04:00 GMT donotreply@osnews.com (looncraz) Comments Platforms http://osnews.com/thread?352069 http://osnews.com/thread?352069 Are these Firefox vulnerabilities purely on Windows ?

I dont mean to start a troll about Linux/BSD/Solaris/OSX being secure when Windows is not.....

But,

If Firefox on these platforms is not suffering from the same flaws, then surely the fault is not with the application itself, but with the underlying infrastructure it has to work with ? Sat, 07 Mar 2009 06:51:00 GMT donotreply@osnews.com (raver31) Comments RE: Only counting newly discovered flaws... http://osnews.com/thread?352074 http://osnews.com/thread?352074

This brings me to a unique little observation... how is it that IE has so many critical flaws and so few minor ones?

As far as I know, many security flaws in closed source software are mainly discovered by security researchers and/or people with malice intent, apart from the company itself that develops the software in the first place. Such work is relatively difficult, and it is generally (but not impossible, see http://it.slashdot.org/article.pl?sid=09/02/24/0032201) difficult to fix these problems unless you have the source. Such work by external parties is usually done *only* because of the malicious aspects/impact of the bugs.

Minor ones are therefore not that interesting.

Open source essentially lowers the bar for finding such bugs, but it also invites people to find non-security related flaws as well; this broadens the spectrum of interest immensely (you'll attract more than only the evil exploiters and researchers trying to beat those, but also developers that want to improve things in other ways), and (last but not least) you can fix problems yourself relatively easy by submitting a patch: helping out really matters in that case.

The severity (impact) of the bug is usually not related to the difficulty of finding or solving the bug in question: you can make simple mistakes with a huge security impact, and seemingly subtle mistakes can crash a program when you press some buttons in a weird way but such flaw is not really exploitable. This goes the other way around as well, ofcourse.

The question, indeed. is how many flaws there are in some program (this is difficult to tell), and not how many flaws are *known and reported*. This depends on the intent of the audience that finds those bugs, and the fact that there are many minor/medium issues found in Firefox tells something about the audience of reviewers.Edited 2009-03-07 08:20 UTC Sat, 07 Mar 2009 08:10:00 GMT donotreply@osnews.com (rtehd) Comments RE[3]: Slightly deceiving... http://osnews.com/thread?352100 http://osnews.com/thread?352100

somehow i have a hard time to believe that just because something is opensource only good people are searching for bugs in it...

Exactly, and the speed of reaction doesn't really do nothing for the whole time the hole was there undetected.

As soon as any attack actually surfaces (meaning that someone "nasty" has found a bug, and written an exploit) ... there are literally thousands upon thousands of people who can see and test the source code of Firefox, who know how it works, and who can see how it was attacked, and whose own strong self-interest is to find a way to fix the vulnerability.

It wouldn't surprise me if tens of solutions were offered overnight, in many cases. It would than be a matter of testing to decide which of them was the best one. Sat, 07 Mar 2009 13:12:00 GMT donotreply@osnews.com (lemur2) Comments RE: Only counting newly discovered flaws... http://osnews.com/thread?352101 http://osnews.com/thread?352101

I simply think it MUST be that Firefox is open source, has many eyes on the code, and is gaining in popularity to the point that it has become a large enough target for the 'big boys.'

The more popular it becomes, indeed, the bigger target it becomes (particularly the version that runs on Windows, and hence has a softer infrastructure beneath it) ... but also, in turn, the more popular it becomes, the more people (many times more) who have a strong interest in using it, protecting it, and hardening it to be even more secure.

The first effect is common to all software, but that latter effect is unique to open source, by its very nature.Edited 2009-03-07 13:20 UTC Sat, 07 Mar 2009 13:18:00 GMT donotreply@osnews.com (lemur2) Comments RE: Humm lets recall some!! http://osnews.com/thread?352105 http://osnews.com/thread?352105 I believe he means safari, not webkit.
Webkit is open, and I doubt 81% of the code is from Apple. I believe KHTML was very usable when Apple took it.
But Safari is not Webkit, like MacOS-X is not BSD. They take open source software with a weak license and they proprietarize it. Sat, 07 Mar 2009 14:52:00 GMT donotreply@osnews.com (spiderman) Comments Security is in diversity http://osnews.com/thread?352107 http://osnews.com/thread?352107 The more different browsers, the harder it is to attack.
It's like virii. The more different systems there are, the more difficult it is to propagate. Sat, 07 Mar 2009 15:13:00 GMT donotreply@osnews.com (spiderman) Comments RE[4]: Slightly deceiving... http://osnews.com/thread?352109 http://osnews.com/thread?352109 there are literally thousands upon thousands of people who can see and test the source code of Firefox, who know how it works

Where do you get those stats? those aren't even the number of commiters to the source manager three, most of them are translators and not developers. Sat, 07 Mar 2009 16:13:00 GMT donotreply@osnews.com (Hiev) Comments RE[4]: Slightly deceiving... http://osnews.com/thread?352110 http://osnews.com/thread?352110

there are literally thousands upon thousands of people who can see and test the source code of Firefoxp

So where were they during the years of Mozilla development, and later Firefox development, before Zalewski's simple random mangling demonstration showed just how unbelievably chock-full of buffer overflow bugs the codebase was? And for all those years, none of the devs had a clue. Everyone was too busy bragging about how "secure" Firefox was to notice.

Here we have what is likely the most well known FOSS project in the world. (As many eyes as you're going to get.) And we also have pretty much the ultimate evidence debunking the whole "many eyes makes all bugs shallow" myth.

In the pattern of many myths, it sounds reasonable on the surface. And people have certainly parroted it quite a lot. But upon closer inspection, the actual evidence reveals it to be false.

New Flash! Reliable sources report that the Emperor has been arrested on charges of indecent exposure on the palace grounds.

P.S. There's no point in directing me to the CaTB site yet again. I read it back when it was new. And the parts of it that were crap then are still crap now.Edited 2009-03-07 17:01 UTC Sat, 07 Mar 2009 16:45:00 GMT donotreply@osnews.com (sbergman27) Comments RE[2]: Slightly deceiving... http://osnews.com/thread?352132 http://osnews.com/thread?352132

I specifically mentioned the open source argument and what it could mean for the skewedness of the report. What more you have me do?

read this: http://blog.mozilla.com/security/2009/03/06/beware-the-security-met... .

The main takeaway is that Mozilla publishes every security problem that they fix, whereas the other players only release the ones that are discovered and published by third parties. So that's 115 security issues discovered by mozilla compared to 35 (or whatever) issues discovered and published by secunia/white hats/etc.

It's an absurd metric and should only be brought up to be disparaged. Sat, 07 Mar 2009 20:49:00 GMT donotreply@osnews.com (quodlibetor) Comments RE[5]: Slightly deceiving... http://osnews.com/thread?352170 http://osnews.com/thread?352170

there are literally thousands upon thousands of people who can see and test the source code of Firefox, who know how it works

Where do you get those stats? those aren't even the number of commiters to the source manager three, most of them are translators and not developers.

There are an estimated 1.5 million OSS developers worldwide.

Many of them are testers, and as you say translators, or artistic designers, not all of them commit code.

The figure of thousands for firefox is a guesstimate ... but not at all an unreasonable one for firefox to have input from say 0.3% of those 1.5 million OSS developers. Sun, 08 Mar 2009 09:12:00 GMT donotreply@osnews.com (lemur2) Comments RE[5]: Slightly deceiving... http://osnews.com/thread?352172 http://osnews.com/thread?352172

And we also have pretty much the ultimate evidence debunking the whole "many eyes makes all bugs shallow" myth.

In the pattern of many myths, it sounds reasonable on the surface. And people have certainly parroted it quite a lot. But upon closer inspection, the actual evidence reveals it to be false.

To call this a myth is to be completely and utterly blind to the track record of open source.

It is more than just "many eyes makes all bugs shallow" also ... open source brings far more benefits than that over closed, proprietary, written-for-big-business-interests software.

Here are some of them:
http://www.linfo.org/reasons_to_convert.html

Having many eyes on the code does a heck of a lot more than just make bugs shallow. Sun, 08 Mar 2009 09:27:00 GMT donotreply@osnews.com (lemur2) Comments RE[6]: Slightly deceiving... http://osnews.com/thread?352181 http://osnews.com/thread?352181

There are an estimated 1.5 million OSS developers worldwide.

And across how many open source projects are they spread?

Sun, 08 Mar 2009 12:12:00 GMT donotreply@osnews.com (Thom_Holwerda) Comments RE[7]: Slightly deceiving... http://osnews.com/thread?352241 http://osnews.com/thread?352241

"There are an estimated 1.5 million OSS developers worldwide.

And across how many open source projects are they spread? "

Good question.

Debian has something like 23,000 (or so) packages.

Mind you, there is no reason why any given developer couldn't be involved in several projects at the same time. Mon, 09 Mar 2009 04:32:00 GMT donotreply@osnews.com (lemur2) Comments RE[3]: Slightly deceiving... hm... http://osnews.com/thread?352273 http://osnews.com/thread?352273 wow.. seems this comment was not liked by the masses.. anyone spot the specific reason. I'm not here counting thumb-ups, just curious as to why pointing out that developers can not fix bugs they are not aware of (hence, 0day and stockpiled bugs) is so off topic or offensive to others.

I extend the same opinion to any other software branding as I did here with Firefox; If the bug is not known to the publisher (eg. not reported by malicious cracker saving it for criminal intent), why is it not an unknown vulnerability still?

The vulnerabilities that concern me are the ones known by the people with the skill or access to correct the flaw but are left unpatched for whatever reason the software developers believes justifies such negligence.

I guess we'll see with the IE/Firefox vulnerabilities sprayed across Ebay over the last few weeks. FF hasn't a once-a-month release schedule and MS patch Tuesday is tomorrow; Let's see who corrects the issue first.

Anyhow, thumb-down the comment all you like. I'd just be curious to know why so as to at least be given the chance to defend my opinion. Mon, 09 Mar 2009 13:16:00 GMT donotreply@osnews.com (jabbotts) Comments Apple Juice http://osnews.com/thread?352341 http://osnews.com/thread?352341 I think what most people take issue with is demonstrated simply by reading the title of this news piece. It should really read:

"Firefox Reported More Flaws in 2008 and Fixed Them Faster"

Its impossible to say who actually "Faced" more bugs, especially when the other browser dev teams don't report internally discovered ones. Maybe it was supposed to read "...Faced-Up to More Flaws..."?

Its like two farmers reporting how many apples they picked to the tax man. The first farmer says "I picked 1000 and here they are". The second says, "Well my neighbors say they saw me pick 500 and there are 500 in these bins here. The tax man says "what's in that big barrel behind you?" "Barrel?" replies the 2nd farmer. "Oh, that barrel! Nothing...at least no apples I mean." "Smells like apple juice" says the tax man. "Must have taken a lot of apples to make all that juice." "Hard to say for sure", says the 2nd farmer. Mon, 09 Mar 2009 21:45:00 GMT donotreply@osnews.com (mawrya) Comments