LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Weekly Edition

Return to the Press page

Sponsored link

Vyatta – Linux & Open Source Alternative to Cisco – Advanced Routing, Firewall, VPN, QoS..
Free Download ->

Recent Features

Plugging into GCC

LWN.net Weekly Edition for October 2, 2008

Ubuntu debuts its Upstream Report

openSUSE and the distribution of proprietary software

LPC: What's happening with webcams

Printable page
Weekly edition Kernel Security Distributions Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ

Hackers claim zero-day flaw in Firefox (ZDNet)

[Posted October 1, 2006 by corbet]

ZDNet reports from ToorCon, where a pair of presenters disclosed a remotely exploitable JavaScript vulnerability in Firefox. "The JavaScript issue appears to be a real vulnerability, Window Snyder, Mozilla's security chief, said after watching a video of the presentation Saturday night. 'What they are describing might be a variation on an old attack,' she said. 'We're going to do some investigating.'" The presenters claim to know about another 30 undisclosed Firefox vulnerabilities.

Update: it seems that the presenters' claims may have been a little overblown, if not entirely fraudulent.

(Log in to post comments)

Hackers claim zero-day flaw in Firefox (ZDNet)

Posted Oct 1, 2006 14:02 UTC (Sun) by cartman (subscriber, #11404) [Link]

I hope this will get people to realize: Firefox is NOT secure, nothing is fully
secure. Saying Firefox is secure is just a blind lie.

What is worse that Mozilla Foundation's security policy, which they make
security bugs non-public , and even not timely fixing them. There was even a
security bug many-years old which got fixed after someone discovered the bug
and posted to bugtraq.

Hackers claim zero-day flaw in Firefox (ZDNet)

Posted Oct 1, 2006 16:53 UTC (Sun) by job (subscriber, #670) [Link]

I really have a problem with the "nothing is fully secure" mantra. Of course everything can be abused in some way, but the design of a particular software may be more or less secure. Very well designed software is "secure" in a practical sense, such as QMail, Postfix or vsftpd. I'd be very surprised to see a hole in any of those, while not so much with Firefox.

Sorry, I probably don't disagree with you at all, I'm just allergic to that expression. A lot of people use it as an excuse to choose obviously insecure software. While most software is not fully secure, the odds of finding holes as well as the impact of them is what's interesting.

Hackers claim zero-day flaw in Firefox (ZDNet)

Posted Oct 1, 2006 17:17 UTC (Sun) by jfj (guest, #37917) [Link]

I'd like to second this comment. There is a general tendency these days "there is no security, just give it up. You'll never be secure and just trust your software provider". Well, wrong. If the code is well-written and small, people really can make a secure system. Part of mozilla's insecurities (which are probably more than IE) are due to the extreme complexity of the project. Ahh, welcome to the invasion of the *.Orgs: A couple of people controlling a huge code base through extreme complexity, in the hope to make a profit.

Hackers claim zero-day flaw in Firefox (ZDNet)

Posted Oct 2, 2006 14:56 UTC (Mon) by gerv (subscriber, #3376) [Link]

"Part of mozilla's insecurities (which are probably more than IE) are due to the extreme complexity of the project."
Are you volunteering to write a web browser for today's web which isn't extremely complex? Gerv

Hackers claim zero-day flaw in Firefox (ZDNet)

Posted Oct 2, 2006 15:02 UTC (Mon) by gerv (subscriber, #3376) [Link]

To elaborate: yes - small, simple and well designed makes things much more secure. We could tell everyone to stop using the web for five years while site owners go away and write sites in valid, semantic, easy to parse HTML and other web standards, while a free software group writes a small and simple browser for this new web from the ground up. The end result would be a lot more secure than Firefox.

However, back in the real world, if you want to experience the full web, Firefox (on Linux ;-) is the safest option.

Hackers claim zero-day flaw in Firefox (ZDNet)

Posted Oct 1, 2006 18:27 UTC (Sun) by AJWM (subscriber, #15888) [Link]

> I really have a problem with the "nothing is fully secure" mantra.

Probably because you're smart enough to recognize that that is the mantra of someone pushing insecure products. (So you might as well buy theirs).

Security is not a binary "is or is not" property. Security is a contiuum, and it depends on the value (to someone else) of what you're trying to secure and how much effort they're willing to go to to get it or damage it. So while Firefox may not be absolutely secure (as indeed, nothing is), it's more secure than a certain widely used other browser out there. There may well be other browsers that are more secure than Firefox -- or at least more secure in some aspects, perhaps less so than others.

It's like the old joke about two hikers who encounter an engraged grizzly bear, and one stops to put on sneakers. "Are you crazy? You'll never run faster than the bear" his buddy says. "I don't need to run faster than the bear, I just need to run faster than you." Unless you've got something of unique value on your system, your system just needs to be secure enough to encourage crackers to go elsewhere. (And yes, that's a moving target.)

Hackers claim zero-day flaw in Firefox (ZDNet)

Posted Oct 2, 2006 10:20 UTC (Mon) by drag (subscriber, #31333) [Link]

Woot for Virtual Machines, I guess.

What is that.. VM FTW? (stupid saying, ftw)

Here is what you do: Set up one of the multitude of low resource vm/container-like items for linux. Like Linux-Vserver or OpenVZ or whatnot. There are at least 3 or 4 good options.

Take Debootstrap and setup a bare-bones install in a directory for Debian. Apt-get install Firefox. Whatever. Maybe busibox. Name your poison, the goal is to get a minimal Linux install in there seperate from your system to prepare the way to running your browser.

Setup that as a read-only portion for a UnionFS file system. Setup a shared directory so that files you want to download off the internet are made aviable to a specific directory in your home directory. That way you end up with a read-only base you can update as you feel like it, and a read-write portion that allows everything to function well, but is easily deleted.

Run Firefox from that container via X forwarding. (although that has it's own issues, doesn't it?) Every once in a while blow the 'read/write' directory away and update the 'read-only' portion. Hell automate it. Do it every third time you start a new browser session or something.

Then tell the zero-day'ers to go F- themselves. To me that seems the easiest way to get secure browsing done. Now you don't have to worry about browser hacks giving people access to install scripts, change your bashrc around, pulling sensitive information, or anything else of that nature..

I figure the name of the game with that is: "rm -- the ultimate anti-spyware"

Hackers claim zero-day flaw in Firefox (ZDNet)

Posted Oct 1, 2006 14:31 UTC (Sun) by madscientist (subscriber, #16861) [Link]

As one of the comments on the ZDNet article points out, everyone should use the NoScript addon to FF: it lets you allow JS only in the sites you trust and disables them everywhere else. Very nice!

https://addons.mozilla.org/firefox/722/

Hackers claim zero-day flaw in Firefox (ZDNet)

Posted Oct 1, 2006 23:58 UTC (Sun) by djabsolut (guest, #12799) [Link]

... everyone should use the NoScript addon to FF: it lets you allow JS only in the sites you trust and disables them everywhere else. Very nice!

Disabling Javascript by default would be silly. Many sites use Javascript to good effect, which allows for a much better layout/navigation/interactivity etc. You can't do everything with HTML/CSS. No Javascript because 0.0000001% of sites may want to exploit some hole is bordering on using a cannon to kill a fly.

Hackers claim zero-day flaw in Firefox (ZDNet)

Posted Oct 2, 2006 0:27 UTC (Mon) by Arker (guest, #14205) [Link]

I use it, and I don't think it's silly at all.

Well designed pages normally work fine without it. The few that have a legitimate reason to be using it get whitelisted. When I'm going through dozens of random websites off a google search looking for information, the scripting gets blocked, any attempted exploits of scripting foiled, and braindead pages that don't work without it can be seen for the crap they are very quickly, which saves time.

Hackers claim zero-day flaw in Firefox (ZDNet)

Posted Oct 2, 2006 8:15 UTC (Mon) by robdinn (guest, #30753) [Link]

seconded!

I used to to routinely run the browser with javascript
turned off, but turn it on for sites that needed it and
that I wanted to use. The danger is that you forget to
turn it back off again once you leave the site and you
don't learn that you made this mistake until a long time
latter. I made this mistake regularly.

With the noscript extension, I no longer make that mistake.
That's a real security/usablity improvement.

Hackers claim zero-day flaw in Firefox (ZDNet)

Posted Oct 2, 2006 17:59 UTC (Mon) by copsewood (subscriber, #199) [Link]

Perhaps this extension could be improved by putting a default timeout on the
permission granted, allowing a user override on the timeout.

Hackers claim zero-day flaw in Firefox (ZDNet)

Posted Oct 5, 2006 8:30 UTC (Thu) by robdinn (guest, #30753) [Link]

Good idea, but the extension author already thought of that!
They have an option to temporarily allow a site (domain) to use javascript
for that invocation of the browser. Next time you start the browser
it defaults back to off. You can also permanently enable a site for
java script.

Hackers claim zero-day flaw in Firefox (ZDNet)

Posted Oct 2, 2006 5:10 UTC (Mon) by madscientist (subscriber, #16861) [Link]

The same could be said about patching any vulnerability in IE etc.: there is a tiny fraction of people who want to or can exploit them. I doubt anyone would recommend that you not bother.

If you have a site that needs JS, it takes literally two clicks to white list that site. Maybe your usage patterns are different but I tend to go to the same sites a lot, rather than different sites all the time, and most of the sites I use don't need JS enabled anyway.

Where's the downside?

Hackers claim zero-day flaw in Firefox (ZDNet)

Posted Oct 1, 2006 16:57 UTC (Sun) by johnkarp (subscriber, #39285) [Link]

An interesting quote at the end of the article:

"It is a double-edged sword, but what we're doing is really for the
greater good of the Internet, we're setting up communication networks for
black hats"

RUN NOSCRIPT (and cookiesafe)

Posted Oct 1, 2006 21:16 UTC (Sun) by b7j0c (subscriber, #27559) [Link]

it is almost impossible to secure javascript...beyond these architectural
flaws, there are endless XSS attacks which are perfectly legal javascript,
yet are likely something you do not want to be executing.

there is a way to deal with this - run the NoScript extension. this lets
you whitelist sites that are allowed to execute javascript. it also lets
you give "temporary" permission to sites you likely just want to use once.
running NoScript will also tell you about little issues like third party
javascript that is running where you wouldn't expect it....like my broker
of all companies, running (or at least TRYING to run) Doubleclick code on
their pages. cookiesafe works the same way, but for cookies. you simply
must run both of these in my opinion.

Interesting bit from the /. discussion

Posted Oct 2, 2006 1:22 UTC (Mon) by tetromino (subscriber, #33846) [Link]

( from http://it.slashdot.org/comments.pl?sid=198519&cid=162... )

<Jesse_> have you guys heard about the supposed vuln in firefox disclosed at toorcon today?
<Ryan> "Firefox re-entrant threading"?
<reed> http://www.toorcon.org/2006/conference.html?id=13
<Jesse_> yeah, that one
<reed> Jesse_: Did you go to that particular one?
<Jesse_> yes
<Jesse_> i also went up on stage to "debate" "disclosure" with them
<Jesse_> when i said "debate" "disclosure", i didn't mean the usual "how much time should security researchers give vendors to write and deploy patches before making the holes or exploits public" debate
<Jesse_> these guys were *against* disclosure
<Jesse_> preferring to keep the status quo of lots of vulnerabilities, large botnets (so they can be anonymous), etc. or maybe they were joking, it was hard to tell.
<Jesse_> they claim they can make $10,000 or $20,000 selling a vuln in firefox
<Jesse_> compared to $500 telling us about it
<Jesse_> selling to other blackhats, anonymously, using onion networks, of course
<dveditz> TippingPoint and iDEFENSE will pay up to $10K for IE and probably firefox vulns

. . .

<jX> http://news.com.com/Hackers+claim+zero-day+flaw+in +Firefox/2100-1002_3-6121608.html
<jX> "...what we're doing is really for the greater good of the Internet, we're setting up communication networks for black hats," How exactly is that for the greater GOOD?
<dveditz> the black hats crusade for our freedom (and credit cards) against the evil fascist empire
<dveditz> they *earn* everything they steal by doing all the good they do keeping "the man" from owning the internet

. . .

<Jesse_> http://news.com.com/Hackers+claim+zero-day+flaw+in +Firefox/2100-1002_3-6121608.html quotes me out of context in a way that makes it look like i'm trying to bribe them with $500 bug bounties :(
<zach> Jesse_: they dragged you up on stage during their talk?
<jX> Jesse_: Yeah, doesn't reallyt make anyone look good, that article..
<Jesse_> "I do hope you guys change your minds and decide to report the holes to us and take away $500 per vulnerability instead of using them for botnets" is pretty close to the BEGINNING of a sentence i said
<Jesse_> the REST of the sentence was " or selling them to other blackhats for ten thousand dollars"
<Jesse_> with the whole sentence, it's clear that i'm hoping they'll change for ethical reasons, and that i'm not trying to bribe them
<jX> Jesse_: Yeah, but quoting you out of context makes for better copy.
<zach> Jesse_: did they actually drag you on stage during their talk as the article suggusts?
<Jesse_> zach: they left a lot of time after their slides, and asked me to come up
<Jesse_> zach: they told me before the talk that they might ask me to come up
<Jesse_> dveditz: yeah, about 20 minutes before

Hackers claim zero-day flaw in Firefox (ZDNet)

Posted Oct 3, 2006 4:47 UTC (Tue) by notamisfit (subscriber, #40886) [Link]

http://developer.mozilla.org/devnews/index.php/2006/10/02...

Isn't AFD about six months away?

Hackers claim zero-day flaw in Firefox (ZDNet)

Posted Oct 3, 2006 7:02 UTC (Tue) by appie (subscriber, #34002) [Link]

0-day can be dropped from most security related articles as well.
There's bugs, vulnerabilities, no fixes yet, let's call it 0-day, yay !
Looks like the "new" buzz-word atm.

Copyright © 2006, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds