When Firefox’s Mozilla came onto the scene four months ago it looked like an end to the constant struggle against Microsoft’s Internet Explorer security vulnerabilities was finally in sight. The promise was almost too good to be true: a viable alternative that had been designed with a security conscious approach, no pop-ups and none of IE’s vulnerabilities.
Wow, it’s those little things that let you notice that a real expert is talking here…
People are more familiar with Firefox than with Mozilla. Maybe the author, Roy Tuvey, wanted to make known to a wider audience what the Firefox-Mozilla relationship is.
“the choice between insecure and a little less insecure.”
“Maybe someone will develop a secure browser.”
Not to be in favor of Microsoft’s Palladium, but might this be a solution, even given the costs?
I wish I could say that Firefox has a strong security focus, but from what I see it is not the case. A couple of serious problems (not necessarily code vulnerabilities) have gone unfixed for some time. For example, the recent URL-spoofing technique that used IDN. This was NOT a vulnerability in the code, yet it was a gaping security hole for users because of their lack of behavioral protection against such techniques.
A project that cares about the security of the people using the product should care deeply about such issues. Firefox generally takes over a week to fix even single issues like that. And the whole time you have devs claiming it isn’t their responsibility. On the one hand, Firefox devs pay tribute to the fact that user behavior is a big deal in security, e.g. adding the yellow background to secure URLs. On the other, they say “who cares that people can spoof secure URLs… we just coded to the IDN standard!”
Author: Roy Tuvey, Co-founder and president, ScanSafe
…
The number of vulnerabilities has risen dramatically in the last quarter and ScanSafe has noticed a rise in the number of exploits it is stopping on Mozilla.
…
Some of the common Mozilla exploits ScanSafe is stopping include…
…
Maybe a secure browser will be developed. In the meantime the only way to guarantee network integrity is proactive threat management by scanning and filtering.
Well, at least he had enough good taste to not hawk his company’s product by name in the concluding paragraph.
…is as responsible for what their users can do with their products as the software industry? I mean, it’s constantly reiterated that software is vulnerable to these esoteric tricks and hacks that I, honestly, have yet to see in action or be caught by. Who are the people that get caught up in these vicious spyware/virus circles? How should we (as intermediate/expert users) help those who are tricked in this manner? Just some thoughts…
Ooh, nice catch.
“People are more familiar with Firefox than with Mozilla. Maybe the author, Roy Tuvey, wanted to make known to a wider audience what the firefox-mozilla relationship is.”
Amazing the lengths some people will go to actually excuse mediocrity. Maybe the article’s author just had no clue what he was talking about?
That was a fine example of a lack of journalistic integrity. A vendor writes a fear inspiring piece to pump his own company’s services, but slants it a little in a direction that will drum up some more controversy publicity. I’ll try to dispel some of the more dangerous misinformation.
The JVM issue affects any browser (including IE) using Sun’s JVM. Someone above brought up the IDN issue, which multiple browser vendors were trying to address with the registrars before they finally were forced to implement their own workarounds. And of course, anyone using an IDN plugin in IE was also affected.
Just to wrap it up, Palladium has nothing to do with security, it is about content controls. Unless you are talking about registering and monitoring all content on the web, then you can say it’s a security measure and selectively white/black list content.
Security holes in a web browser wouldn’t be an issue if Microsoft made their Operating System more secure. This gentleman had no information about insecurity in any other platform.
…and we still have to download, uninstall and reinstall the whole application for a 1.0.x security patch, which may break compatibility with your extensions.
Failure to follow this advice will leave unremovable (except by editing the registry) entries in your ‘Add or Remove Programs’ file list.
The shame here is that until updating Firefox is as simple as ‘click on the update icon and re-start’, people will become increasingly frustrated.
Can we please stop posting articles that are nothing more than thinly veiled advertisements.
bobobob: Firefox 1.0.3 solves the add/remove duplicate entries problem for Windows users, please don’t spread more FUD than is already spread currently by companies who want to exploit Firefox’s current press coverage.
“Amazing the lengths some people will go to actually excuse mediocrity. Maybe the article’s author just had no clue what he was talking about?”
It’s a press release dressed up as a story “Author: Roy Tuvey, Co-founder and president, ScanSafe”
Waddya know – a scanning company recommends more scanning – astounding!
Not sure what the editorial policy of the IT Observer is; when is a press release not a press release? Or is it editorial? Or is it (as this story presents itself to be) an article? The site navigation seems to offer the possibility of all three.
“Some of the common Mozilla exploits ScanSafe is stopping include the Java applet spyware installer which uses a Mozilla/Firefox vulnerability to target windows users, and several buffer overflow attacks which can result in damage to the user’s files, changes of data, or disclosure of confidential information. Other vulnerabilities include spoofing of the URL displayed in the address bar.”
This is a problem with Java and some other browsers, not just FF.
————————————————————
“A vulnerability announced on the 1st March showed that Mozilla shares the same drag and drop vulnerabilities. This can be exploited to execute arbitrary code in a user’s browser session by tricking a user into dragging an image to the address bar.”
Requires user intervention. Not just by logging onto a web page.
————————————————————
“ScanSafe is still stopping the vast majority of viruses on IE, the number of viruses it is stopping on Mozilla is growing as the browser gains in popularity. It is a simple fact that virus writers will concentrate their efforts on where there is possibility for more damage.”
What viruses? The author is talking about exploits and somehow he got turned around and is not talking about viruses. I don’t believe that this individual should be in technical writing in the least.
————————————————————
“But then it may be asked is it really within the remit of a browser to guarantee Internet security.”
It should have the security controls that have fine-grained locking mechanisms.
————————————————————
“Are we asking too much? We don’t expect our browsers to block viruses, spyware or malicious scripts so why should we have such high expectations for their security capabilities.”
1) Browsers have never blocked viruses.
2) Browsers should be able to turn off scripting and have fine grained controls on what is allowed to execute.
This is an article that is completely based on spreading disinformation. Not only has the author confused the issues between:
a) exploits
b) viruses
c) pc security
but in turn blames it on a product. Remember, running as admin on a box is a no-no. When you encounter a hostile script, it runs with admin privs. How about addressing the real issue, namely:
a) Computer Security
b) Access rights
c) Permissions
d) correctly identifying:
1) Viruses
2) Spyware/malware/adware/scumware
Ok, I have made my rant, feel free to mod me down if necessary.
Amazing… Scansafe AND Linspire advertise for free here?
PLEASE check the sources of your articles.
From now on, I stick to lynx!
No! I’ll take links over lynx anytime! Or w3m!
Seriously though, it’s bad enough this is covert advertising, but they’re also making too much of a drama over the issue.
While we’re on the subject: Firefox users better protected than IE users: see http://www.theinquirer.net/?article=22024
I often wonder if we place too much emphasis on the browser makers to make their browsers secure. Of course they should fix real vulnerabilities (like buffer overflows or whatever) but should they really be responsible for every form of spoofing/phishing? These types of security issues seem like they belong to individual site owners.
It’s the job of the browser makers to provide tools, not to prevent every malicious thing that can be done with a browser. If they do that, they will end up with NetPositive (no plugins, no javascript, etc.).
It’s impossible to make something that’s connected to a public network 100% secure. There will always be humans making mistakes in the code; there is always room for error.
The cool thing about Firefox is that I can get source code THE NIGHT OF the vulnerability being found to fix the problem. I can wait for the maintainer to release the code, or hire a programmer to code it in-house.
I’d much rather have that option than waiting two weeks and following instructions not to click links.
someone tricked me into putting water into my car’s petrol tank, now the car doesn’t work :o( Damn and blast Ford for not thinking of this and creating an anti water mechanism for the fuel line.
And they should stop me putting custard into the tyres, and Hoover didn’t warn me about manure and….
Maybe the solution is for everyone to have a minder. We could pay ScanSafe to check everything we do JUST TO BE ON THE SAFE SIDE. After all, we are all too stupid to be alive… aren’t we?
FUD and nothing but FUD
“The cool thing about Firefox is that I can get source code THE NIGHT OF the vulnerability being found to fix the problem. I can wait for the maintainer to release the code, or hire a programmer to code it in-house.
I’d much rather have that option than waiting two weeks and following instructions not to click links.”
Great you can get a CVS patch that might or might not patch the issue, might or might not break compatibility with extensions, and may or may not introduce new security flaws…
You really expect people to be excited by this possibility?
The notion of not only patching, but possibly completely recompiling and installing, with a nightly build from CVS that not only has the “new and not yet tested” patch but other “new and not yet stable features” included is somehow supposed to make me feel warm, fuzzy, and safe… right…
As for hiring an “in-house coder”… I’m sure this is a viable option for the “free ISO or die” penguinista community.
Although it’s your site and you can do what you want with it, my two pennies is that it might be better if thinly-veiled adverts like these are left off the news pages. I may as well subscribe to a PR feed for stuff like that. Next a story where an objective Steve Ballmer reveals that world poverty will be extinguished if we each donate an Exchange licence to someone in the third world.
Great you can get a CVS patch that might or might not patch the issue, might or might not break compatibility with extensions, and may or may not introduce new security flaws…
Yes but at least you can get the patch! If the alternative is waiting 6 months for Microsoft to bother doing anything about it, I’ll take the slightly dodgy CVS anytime!
Hmm. If Firefox’s Mozilla is having this many problems, I sure am glad that I’m using Mozilla’s Firefox.
“Yes but at least you can get the patch! If the alternative is waiting 6 months for Microsoft to bother doing anything about it, I’ll take the slightly dodgy CVS anytime!”
Archangel, there is a popular saying in the US that goes, “don’t just stand there, do something”. Basically what you are saying is that the above practice gives you better security. If you pay attention to what you actually quoted from me, you seem to be of the opinion that patching with a patch that isn’t even proven to completely work at fixing the security error, much less not break the application itself in subtle ways, is better than “just standing there” waiting for a patch to be officially released.
I happen to be of a different opinion. I feel it would seem more prudent to wait and think about what you’re doing first; meaning that you are sure the patch actually completely fixes the problem, and doesn’t in some way break the application or introduce new and obvious flaws. Rather than hysterically applying any random piece of garbage that happens to back the test case of the security flaw and concluding you’re safe.
@vincent
> Great you can get a CVS patch that might or might not patch
> the issue, might or might not break compatibility with
> extensions, and may or may not introduce new security flaws…
If the security issue is publicly known you can test if the CVS patch works. If it works you can use this patch with a nightly build and be protected from the vulnerability while an official new release is being prepared which won’t break anything (why do you think we’ve already had 6 Release Candidates for Firefox 1.0.3?).
The guy doesn’t even know what he’s talking about… he can’t even figure out that “FIREFOX” is made by “MOZILLA”, not the other way around…
And yes, this lameass is just advertising his company’s product. Firefox is not nearly as insecure as he describes it to be.
I can’t believe OSnews would post this load of baloney.
…and we still have to download, uninstall and reinstall the whole application for a 1.0.x security patch, which may break compatibility with your extensions.
I don’t know if this will happen or not but if it does, I will probably (reluctantly) switch to Opera, because this is getting to be a pain in the ass. I bitched about this in the pre-1.0 days, and people swore this problem would go away after 1.0. I figure after a 3rd minor bugfix release, they SHOULD have this shit ironed out – we’ll see.
If we replaced Firefox and Mozilla with the words Internet Explorer I would imagine the comments here would be a bit different.
The reality is that these vulnerabilities will be protected against with a half decent virus checker and nearly any kind of firewall and the intelligence to not download whatever crap programs are advertised when you click on dodgy websites. Same as for IE.
Some people really need to get out more.
Line one should have read
If we replaced the words Firefox and Mozilla with the words Internet Explorer in that article I would imagine the comments here would be a bit different.
I’m not suggesting anbody replace their browsers.
And in Soviet Russia Internet Explorer’s Microsoft browser Scans You!
An elongated ad for the author’s company. I thought the main premise of MOZILLA’s FIREFOX was to create a browser that completely conforms to the W3C standards. Security was an added incentive but certainly not the ideology that drove this “little browser that could.”
The author’s grammar and complete bundling of the product offer no comfort in the product he is peddling. The net is home to numerous people who try to make a living, but this one needs a pass over. With blogs and news articles a dime a dozen, it is hard to find intelligent and concise material, and this “ad” lacks both.
A close-minded approach to program insight and one based on 0 knowledge and 0 integrity. Programs have bugs and programs will always have exploits. Those who believe a program will be written devoid of both are either immense optimists or simple-minded.
MOZILLA’s FIREFOX will always be around. You cannot buy it out, you cannot make it go bankrupt, and you cannot bully it out of existence. Firefox is not about dollars and cents, but rather about much more than that. People like Mr. Roy have no concept of what an open source community is either about or capable of. What Tuvey Roy should be aware of is the correct name of the product he is going to discuss, and less with slippery slopes and correlation findings from someone with a minimal knowledge in software. Try proofreading, Roy: you are representing your product and judging by your article, you certainly are not big on QA.
> Someone above brought up the IDN issue, which multiple browser vendors were trying to address with the registrars before they finally were forced to implement their own workarounds.
Whatever the excuse may be for Mozilla, Apple did try to address the problem instead of just arguing that it is not a bug or disregarding support for IDN altogether: Safari received an automatic update which tries to forbid non-Latin-but-Latin-look-alike characters in a URL, while still keeping support for IDN (which is indispensable from the POV of a non-English speaker). Whether Apple’s fix is absolutely secure or not is still to be proven, but it is at least something in a better direction than what Mozilla did.
More info on Apple’s move at http://docs.info.apple.com/article.html?artnum=301116
I’m so pumped up by this article that i can’t wait to get ScanSafe! Where can i get ScanSafe? I thought i wouldn’t need to run ScanSafe as i was running Firefox’s Mozilla, but now i know better… ScanSafe rules!
It is high time the computer industry grew up. We all think wow, with fingerprint recognition for access to your car or laptop, and yet the thief’s solution can be very non-technical: cut the bloody finger off!
No browser will ever be 100% secure, period.
Now we can settle down.
OpenSource software showing cracks when under pressure?
Firefox was supposed to be so much better than IE, safer, faster.
Would the exact same thing happen if the «safer» Linux got more popular? Maybe we would find that it has the same amount of problems as Windows… Who knows?
“Safari received an automatic update which tries to forbid non-Latin-but-Latin-look-alike characters in a URL, while still keeping support for IDN (which is indispensable from the POV of a non-English speaker)”
Nice thing that Apple did, but IDN is FAR FROM INDISPENSABLE.
As a matter of fact, the web grew without IDN, and IDN will always be a silly gimmick.
As someone living in Korea, I can assure you that IDN is very very far from being a “silly gimmick”. I wouldn’t say it’s indispensable though.
You know how *everybody* here loves when they can type in their own language in the address bar instead of silly, hard-to-remember string in foreign writing system called Roman alphabet?
How many keys does a Korean keyboard have? Is Korean mono-syllabic like Chinese, or polysyllabic like Japanese? I have no idea how the hell the Chinese can type when every character is a word (do they use a keyboard of 1000000000 keys?)
LOL
If you don’t pay for good security you don’t get good security. If you want to play you’ve got to pay. When I see freeware I think it’s cra*ware.
Then I have some excellent anti-virus hardware for you: a pair of scissors to cut your ethernet cable from your cable modem. NO MORE VIRII!!! NO MORE SPAM!!! NO MORE HACKERS!!! Nothing can beat it!
I only charge $1 for the scissors (yours to keep) and $99999999/hour to perform said service.