
Mozilla and security

It looks like yet another in a series of bad weeks for Internet Explorer; exploitable bugs seem to come out more quickly than security firms can write up advisories about them. The web browser is an important piece of software from a security perspective; it has direct contact with random, external sites, some of which are almost certainly hostile. Web browsers are also large, complex programs, and thus hard to audit in any sort of thorough way. So it is not surprising that problems are found and exploited.

Linux users, as usual, sit back and feel smug. We don't run Internet Explorer, and our browsers, being free software and thus inherently more secure, will not present us with this sort of unpleasant surprise.

Right?

As free browsers continue to grow in popularity, they will also attract more attention from the inhabitants of the darker side of the net. So it is worth looking at how Mozilla, which is the core of many free browsers, deals with security incidents.

Linux users may well have missed this security advisory that went out on July 7, because only Windows users are affected. For those users, however, the impact of this bug could be large. Essentially, Mozilla-based browsers (including Firefox and Thunderbird) pass "shell:" URIs directly to the operating system, which happily runs the command included in the URI. It is a direct path to a command interpreter on the local system; all it requires is getting the user to click on the wrong link.

Some commenters have said that this is really a Windows bug; Mozilla is just passing on the URI and Windows decides how to deal with it. But that is an evasive answer; a security-conscious application must sanitize any externally-supplied data that it passes on to the system. This vulnerability is a Mozilla bug; it was closed by having Mozilla do the checking it should have done in the first place.
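The kind of check that paragraph calls for can be sketched as a default-deny gate on the URI scheme, applied before anything reaches an operating-system handler. This is an added example, not Mozilla's code and not part of the original article; the policy sets, the function names and the sample links are all hypothetical.

```javascript
// Added example: default-deny gate in front of OS protocol handlers.
// Policy sets and function names are hypothetical, not Mozilla's code.

// Schemes the browser renders itself; never handed to the OS.
const INTERNAL = new Set(["http", "https", "ftp"]);
// Schemes explicitly approved for hand-off to an external handler.
const EXTERNAL_ALLOWED = new Set(["mailto"]);

// RFC 3986: scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ), then ":".
const SCHEME_RE = /^([A-Za-z][A-Za-z0-9+.-]*):/;

// Normalise the way URL parsers commonly do, so the check sees the same
// string the handler will: strip surrounding control/space characters,
// then remove embedded tab, CR and LF.
function normalise(rawUri) {
  return rawUri
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "")
    .replace(/[\t\r\n]/g, "");
}

// Returns { action, scheme, uri }. action is "internal", "external" or
// "block"; anything not explicitly listed is blocked.
function classifyUri(rawUri) {
  if (typeof rawUri !== "string") return { action: "block", scheme: null, uri: null };
  const uri = normalise(rawUri);
  const m = SCHEME_RE.exec(uri);
  if (!m) return { action: "block", scheme: null, uri };
  const scheme = m[1].toLowerCase(); // schemes are case-insensitive
  let action = "block";
  if (INTERNAL.has(scheme)) action = "internal";
  else if (EXTERNAL_ALLOWED.has(scheme)) action = "external";
  return { action, scheme, uri };
}

// Constructed sample links; "placeholder" stands in for any payload.
const SAMPLES = [
  "http://lwn.net/",
  "mailto:user@example.org",
  "shell:placeholder",
  "ShElL:placeholder",
  " sh\tell:placeholder",
  "some-future-scheme:data",
];

for (const s of SAMPLES) {
  const { action, scheme } = classifyUri(s);
  console.log(JSON.stringify(s), "->", action, scheme);
}
```

The caller should dispatch the returned `uri`, not the raw input, so that the string that was checked is the string that gets used.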

Others have complimented Mozilla for its quick response: a patch was available about one day after the vulnerability was posted. This response time has been favorably compared with the rather slower pace characteristic of Internet Explorer fixes. The only problem with this point of view is that the Mozilla developers have known about this issue since 2002; Mozilla bug 163767 suggested the addition of a preference which would disable the use of external protocol handlers. The bug remained open for almost two years, however, until the project had no alternative to fixing it. It seems that developers of free software are entirely capable of sitting on a vulnerability in the absence of an immediate exploit threat.

The point here is not to flame the Mozilla project for shipping code with a vulnerability, or even for not realizing the importance of a known hole. These things happen, and Mozilla's record is better than that of many other projects. The point is that we cannot assume that, by accessing the web with a free browser, we are immune from exploits. Vulnerabilities are a fact of life, and the incentives for finding and exploiting vulnerabilities in free browsers are growing.

In that context, it is encouraging to see this MozillaZine article which talks about some recent changes made by the Mozilla hackers. The Mozilla extension mechanism is a powerful way of adding new capabilities to the browser, but it could also become a mechanism by which attackers load hostile code directly into target systems. It should, thus, be hard to add an extension; it shouldn't happen automatically. The Mozilla hackers have noticed an increase in attempts to load unwanted extensions, and have responded with some new mechanisms designed to block those attempts. These include a whitelist of sites allowed to propose the addition of extensions.

One should also note this vulnerability which could be of use to the perpetrators of the increasing number of "phishing" attacks out there. Through the use of some JavaScript and frames trickery, an attacker can falsify somebody else's page while having the location bar show a legitimate URL. Internet Explorer is vulnerable, but so is Mozilla. (Thanks to Chester Young for the pointer.)

With luck, the Mozilla hackers (and khtml hackers too) will increasingly keep security in mind as they write their code. And we know they will fix problems quickly when they become apparent. But we cannot assume that our free browsers are immune from security problems; the world is, sooner or later, going to prove otherwise.



Mozilla and security

Posted Jul 15, 2004 10:54 UTC (Thu) by gjvo (subscriber, #951) [Link]

A point where Mozilla very much lags the commercial browsers is forcing the updates to the users. Closing a hole and putting the new version on the ftp server is not enough. When Safari has a security hole, within one week my Mac will beep and one click later the hole is closed. For Mozilla, I am forced to read LWN and download the bug fix myself. I do, but many others don't. Some kind of automatic security update mechanism is needed if a world dominated by free browsers is also to be a safe world.

Mozilla and security

Posted Jul 15, 2004 11:32 UTC (Thu) by pointwood (subscriber, #2814) [Link]

The latest version of Firefox actually does have something like that implemented. It checks for updates when you start it.

Mozilla and security

Posted Jul 15, 2004 11:34 UTC (Thu) by mwh (subscriber, #582) [Link]

Hmm, restarting applications. An interesting idea :-)

Mozilla and security

Posted Jul 16, 2004 17:34 UTC (Fri) by im14u2c (subscriber, #5246) [Link]

Yeah, no kidding. I restart Moz on my workstation once every couple months, just as a hygienic measure.

Granted, on my corporate 'doze box, I restart my browser every time I bring up the OS.

Mozilla and security

Posted Jul 16, 2004 18:21 UTC (Fri) by pointwood (subscriber, #2814) [Link]

The feature isn't quite ready AFAIK. In other words, it's still a work in progress and it should be better when FF reaches 1.0.

Mozilla and security

Posted Jul 15, 2004 15:45 UTC (Thu) by lacostej (subscriber, #2760) [Link]

You can also subscribe to the Mozilla mailing lists to get news of security problems.

And the latest Firefox (and maybe Thunderbird) have a feature to automatically install fixes / upgrade the app.

Note that if you use Linux, all your security updates are handled by your distribution, which I prefer.


You compare it with Safari. But Safari is provided by your OS vendor.
So in fact the problem could be seen as coming from the distributor.
On Windows, Microsoft didn't make their update tool available to other vendors. On Mac, I don't think that it is the case either.

That's to me the biggest advantage of Linux. Single point of distribution.

IE and Word/MSN Messenger also vulnerable

Posted Jul 15, 2004 13:43 UTC (Thu) by pflugstad (subscriber, #224) [Link]

It seems that IE and Word and MSN Messenger are also likely vulnerable to this shell: exploit.

Who thought a shell: URI was a good idea again? And if it's a legal URI, wouldn't other platforms have the same problem for basically the same reason?

IE and Word/MSN Messenger also vulnerable

Posted Jul 15, 2004 14:43 UTC (Thu) by mmarsh (subscriber, #17029) [Link]

The shell: URI actually fits in well with MS's strategy of claiming that IE is basically a front-end to built-in features of the OS, rather than a separate browser. After all, the DOS shell and command prompt are _so_ five years ago. Now everything is done through the browser unless it's explicitly another application such as Word or Grand Theft Auto.

I don't know the history behind the shell: URI, so it might be that it predates this post-monopoly-conviction tack, but it makes some amount of sense for them to keep it around.

Mozilla and security

Posted Jul 15, 2004 21:33 UTC (Thu) by dbreakey (guest, #1381) [Link]

It seems that version 0.9.2 of Mozilla Firefox is immune to the phishing vulnerability mentioned in the next-to-last paragraph of this article; using the test page found by following this link, I found absolutely no response to the attempt to load a different page into the center frame of a Microsoft MSDN page.

However, Galeon 1.3.12, relying on Mozilla 1.6, and Internet Explorer 6.0 both proved vulnerable. A good point in favor of Galeon, although minor, was that the address bar updated the URL to point to the newly loaded page; Internet Explorer cheerfully continued to display the old MSDN URL.

This suggests that Mozilla 1.7, and all derived and/or hosted browsing environments, are not vulnerable to this particular attack. Can anyone verify?

Mozilla and security

Posted Jul 16, 2004 17:39 UTC (Fri) by im14u2c (subscriber, #5246) [Link]

Mozilla 1.8a on MacOS X seems vulnerable. It even helpfully showed the old MSDN URL.

Mozilla and security

Posted Jul 17, 2004 12:16 UTC (Sat) by Duncan (guest, #6647) [Link]

Unfortunately, Konqueror (khtml) thru 3.2.3 is ALSO vulnerable, as long as
it's the same browser instance. (Tho I checked with tabs in the same
window, additional windows of the same instance I expect will also be
affected.)

The solution here is to ensure I run a SEPARATE instance whenever I do
online banking or whatever. (Hmm.. that got me thinking.. KDE now has the
IE-like option of starting instances with the environment, and keeping one
or more unused ones available for instant use, at any time. Do these
ready instances die and get replaced when a browsing session is closed, or
just go into the background, coming back on summons, thus potentially
allowing a previous browsing session to take advantage of the SAME crack?
I'll certainly rest easier when this one's fixed, but I don't see fixes
forthcoming as of yet, unfortunately.)

Duncan

Mozilla and security

Posted Jul 20, 2004 16:34 UTC (Tue) by xorbe (guest, #3165) [Link]

Yes, with banking just play it safe. Clear the histories/cache, restart, do various banking things online, clear and quit. It's worth the few extra clicks I think. Or just make another login for financial purposes.

Copyright © 2004, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds