|
|
Log in / Subscribe / Register

Firefox buffer overflow and full disclosure

September 14, 2005

This article was contributed by Jake Edge.

Tom Ferris announced a potentially exploitable buffer overflow in Firefox this week and the discussion surrounding the flaw has focused on the nature of the announcement more than the bug itself. Advocates of full disclosure and those opposed to it have clashed on various internet sites.

The bug is in the handling of international domain names (IDN) and the proof of concept released by Ferris is a specially crafted URL that will cause Firefox 1.0.6 and earlier to crash. Unlike other similar bugs, the user does not need to actually follow the link, just parsing the URL in the page will cause Firefox to crash. It is not yet known whether a malicious person can exploit this to execute arbitrary code on the host but Ferris claims that it can be done in his bug report.

A workaround that disables IDN parsing was quickly released by the Mozilla team, and both Red Hat and Fedora released updates to fix the buffer overflow.

Complaints have been heard about the amount of time Ferris gave to the Mozilla team to fix the problem before he announced the flaw on the full-disclosure mailing list. His report states that he reported the problem on September 4, but the entry in bugzilla was made on September 6. He disclosed the problem on September 8 before a fix was available and many people find that to be irresponsible.

Full disclosure is a contentious issue and many people argue that security flaws should be reported to the author of the software, and that they should be given a 'reasonable' amount of time to investigate and fix the problem before it is announced to the world. The presumption is that the delay reduces or eliminates the possibility of an exploit being crafted while the program is vulnerable. The proponents of disclosure point out that it is quite possible that other people, possibly having bad intentions, know about the flaw already and are working on exploits or have already deployed them. Even if there is no known exploit 'in the wild', security conscious users may wish to stop using the affected program until it can be fixed, and without disclosure they do not have the information necessary to take that step.

An additional complication arises because Firefox has been touted as a more secure alternative to Internet Explorer and many less than technically savvy people have installed it. These users do not tend to frequent LWN or other sites that report on security issues and, unfortunately, are likely to ignore the problem even if they do find out about it. This problem is not unique to Firefox, of course, nor to free software in general, but as free software extends its reach, it is a problem that needs to be addressed. A widespread exploit in a free software package, even if the vulnerability has already been fixed, will provide the competition with ample opportunities to suggest that all free software is insecure.


Index entries for this article
GuestArticlesEdge, Jake

to post comments

Firefox buffer overflow and full disclosure

Posted Sep 15, 2005 9:14 UTC (Thu) by MathFox (guest, #6104) [Link]

When people start claiming that "you can just as well use IE, because Firefox has bugs too", point them to David Wheeler's Internet Explorer: So insecure, it's only safe 7 days a year. Yes, Firefox could do better than 310 "safe" days, but it shows the order of difference.

Firefox buffer overflow and full disclosure

Posted Sep 15, 2005 15:43 UTC (Thu) by RobSeace (subscriber, #4435) [Link] (14 responses)

What people that complain about "irresponsible" full-disclosure seem to
forget is that these people who find security bugs are doing the developers
a favor merely by finding the bug and letting them know about it (either
directly, or indirectly by publicizing it so everyone knows about it)...
They're essentially working as unpaid QA testers or security analysts...
They are under absolutely NO obligation to treat the developers with any
level of deference, or to cut them any slack in getting a patch together
before going public, or even to notify them personally ahead of time at
all! And, it's utterly moronic to berate them for performing a task
which directly results in a more secure and stable product, simply because
you don't like HOW they chose to help you... Just be thankful they're
the ones finding and publicizing such bugs, rather than someone who is a
bit less scrupulous, and might instead keep such knowledge to themselves
and use it to quietly exploit your software instead... It's not full
disclosure that puts users at risk; it's lack of disclosure... And, this
modern trend toward "responsible" disclosure, and labelling anyone who
doesn't give the developers months of quiet time to secretly work on a
patch as bad guys barely a step above script-kiddies, really makes me gag...
All that quiet time is time that users of your software remain vulnerable
to a security hole which you are fully aware of... Who is "irresponsible"
now?? I'd much rather KNOW about the hole myself, so I can either patch it
my damn self, or stop using the app, or do something else to mitigate my
own risks, thank you very much... Not all of us want to rely on being
protected by the all-knowing software-gods, who obviously know better what
is good for us than we ourselves do... ;-/

(And, FTR, I'm a software developer myself... I've been writing Unix/C
code for over 15 years... But, I'm also a heavy user of software, and as
BOTH a user and developer, I see full-disclosure as nothing but a wonderful
thing which should always be encouraged, and I see any attempts at restraining
or limiting it under any guise of "responsibility" to be nothing but
harmful...)

Firefox buffer overflowand full disclosure

Posted Sep 15, 2005 19:49 UTC (Thu) by Duncan (guest, #6647) [Link]

Very well stated.

If I find a security issue, that info is mine. If I'm a blackhat, I can
exploit it myself, or sell it to someone else to exploit. It would only
be due to my /not/ being a blackhat, only due to my sense of ethics, that
I have any reason at all to make the information known, either publicly or
to the author directly, rather than by a zero-day in-the-wild exploit.

In such a situation, the author and users should be /thanking/ the
discoverer for making such problems known, /however/ they chose to do so,
rather than taking illicit gain from the problem, making it known only
with a reverse engineering of the already deployed exploit. We (the
authors and users) are already in their debt, that they considered our
welfare above the possible illicit gains. Additionally, as is commonly
pointed out, there's nothing saying someone else isn't already taking
illicit advantage of the same security flaw. Thus, it makes no sense for
us to be condemning them for /how/ they made the problem public, when we
really /ought/ to be /thanking/ them for the disclosure in the first
place. As you stated, it's not full disclosure that's the problem, but
rather, the lack thereof.

Sure, I probably would have given the devs a bit more notice, say, a week
or two, before going public. I'd have likely stated the date I intended
to go public on the original bug filing: "I will be making this public a
week from today." or the like. That's just the way I am. However, what
I'd do in no way obligates others to do likewise, and it's just as true
that the discoverer is doing the author and the public a favor by turning
it in rather than putting it to illicit use, regardless of /how/ long he
gives the authors to fix it, even if that's /zero/ time. The timing is
entirely up to the discoverer and nothing can change the fact that by
going public with the discovery, he's doing the public a BIG favor.

Duncan

Firefox buffer overflow and full disclosure

Posted Sep 16, 2005 15:22 UTC (Fri) by gerv (guest, #3376) [Link] (12 responses)

They are under absolutely NO obligation to treat the developers with any level of deference, or to cut them any slack in getting a patch together before going public, or even to notify them personally ahead of time at all!
Perhaps not; but they are under a moral obligation to the users of the product not to expose them to unnecessary risk. And that means responsible disclosure.

Firefox buffer overflow and full disclosure

Posted Sep 16, 2005 16:46 UTC (Fri) by RobSeace (subscriber, #4435) [Link] (11 responses)

No, they most certainly are NOT under any obligation to the users of the
software, any more than to the developers of it... Moral, or otherwise...

Besides which, publically releasing the details of the flaw they discovered
is benefiting and protecting the users, NOT exposing them to any kind of
risk... They WERE previously at risk for who-knows-how-long, because they
were using buggy, exploitable software; but, NOW, they've been informed of
the problems with it, and can take action to protect themselves... Therefore,
they are at much LESS risk than they were before the public disclosure!
It's really quite simple... You seem to be laboring under the delusion
that the security hole doesn't exist until it has been publically disclosed...
If that were true, then the "responsible disclosure" people might actually
have a valid point... But, it's not true in any way, shape, or form...
They don't CREATE these security holes merely by discovering their existence...
The holes were pre-existing, and it wouldn't be "responsible" or "moral" to
keep knowledge of their existence private, after they have been discovered...
In fact, it would be extremely dangerous and INCREASE users' risk, unless
you kept it completely to yourself, and you were honorable enough to never
take advantage of the security hole yourself... If you tell ANYONE about
it (even just the developers), you increase users' risk, unless you also
tell all of the users at the same time... Because, you can't vouch for
the ethics of everyone you tell (or everyone they tell, or everyone THEY
tell, or etc.)... Once you tell another living soul, the cat is out of
the bag, and you have to consider the exploit "in the wild", basically...
And, failing to inform the users in that case, and leaving them vulnerable
to being exploited by the hole all that time, is what is truly "irresponsible"
and "immoral"...

Firefox buffer overflow and full disclosure

Posted Sep 16, 2005 21:20 UTC (Fri) by gerv (guest, #3376) [Link] (8 responses)

publically releasing the details of the flaw they discovered is benefiting and protecting the users, NOT exposing them to any kind of risk...
That's clearly not true. The more black hats know about the flaw, the more at risk users are. Claiming that releasing details while there's no patch available does not expose users to any extra risk at all is a ridiculous position, not even generally held by advocates of immediate disclosure (who normally say: "Yes, there's an extra risk, but it's worth it to kick the vendor into action"). In a few types of flaw, users can take action to protect themselves, but normally they are at the mercy of the vendor to provide a patch. So revealing the information to the user does not benefit them at all, because they are in exactly the same position as previously - waiting for their vendor. Except now there are more people who know how to attack them.
You seem to be laboring under the delusion that the security hole doesn't exist until it has been publically disclosed...
I don't think my comments say that at all. I am merely making the point that the risk associated with a hole is equal to the severity of the problem multiplied by the number of people with evil intent who know about it. There are probably 100 holes in [pick-a-product-name] right now which are zero risk, because 0 people know about them - they haven't been discovered by anyone yet. Again, in a limited number of cases, a hole has to be revealed when there's no patch because either the vendor is uncooperative or has made it clear they aren't going to produce a fix. But neither of those things was true in this case.

Firefox buffer overflow and full disclosure

Posted Sep 16, 2005 22:05 UTC (Fri) by RobSeace (subscriber, #4435) [Link] (7 responses)

> The more black hats know about the flaw, the more at risk users are.

Only if the users remain ignorant of it, as well... Using analogies for
stuff like this never works well, but: every "black hat" on the planet
knows about the flaw inherent in windows (the glass kind, not the OS):
namely, that they're easy to break, and thereby can provide unintended
access to a house/car/whatever... However, every "user" of windows also
knows about that flaw, and chooses to either live with the risk, or
invest in better protection (barred windows, security system, whatever)
if they need it... But, suppose the "users" didn't know about this, and
believed windows to be utterly impenetrable and perfectly safe... Do you
think these ignorant users are somehow safer in their ignorance than the
informed users?? Even if less "black hats" know about the flaw, the fact
is they are at risk from those few that do (and any future ones who figure
it out on their own, as "black hats" are wont to do)... And, in their
ignorance, they may be exposing highly sensitive and important stuff that
they dearly wish to protect, and think they ARE protecting via the use of
what they think are impenetrable windows... Compared to the real informed
"users", who know better than to rely on windows to protect anything
important... So, tell me again, how keeping users ignorant protects them,
or is somehow for their own good??

> In a few types of flaw, users can take action to protect themselves, but
> normally they are at the mercy of the vendor to provide a patch.

That's just not true... Users can ALWAYS take some action to protect
themselves: stop using the vulnerable product until it's fixed! Yes, that
may be a dramatic and unrealistic choice for many users in many cases, but
the fact is that it IS an option, and all users deserve to be informed of
the problem so they can exercise that option if they choose to... But,
there are usually much less drastic options users can take, as well... Such
as firewalling off ports (assuming network attack), or tweaking config
settings to disable the buggy feature (such as in this Firefox IDN case),
etc... No one is "at the mercy of" any vendor, to that extent... They
always have some choice in the matter... But, keeping them ignorant robs
them of that choice, and leaves them vulnerable...

To use another unworkable analogy: if Consumer Reports learned of a flaw
in all Ford cars, whereby someone could easily unlock the doors by tapping
them in just the right spot (or something similar), would you rather they
quietly just tell Ford about it and wait for them to take months/years to
do anything about it, or would you rather know about it yourself, so you
can replace the locks on your Ford your own damn self?? I think being
informed is ALWAYS a good thing, and being kept ignorant is NEVER a good
thing, no matter what the situation or scenario... So, I can't fathom how
people buy into this "responsible disclosure" nonsense, that basically says
"Yes, please, keep me entirely in the dark about the gaping security holes
in the software I'm using, while my software vendor takes their sweet time
to twiddle their thumbs and maybe throw together a patch, all the while
leaving me vulnerable to this now increasingly well-known exploit, which
who-knows-how-many people now know about!"... THAT, is what I call being
"at the mercy of the vendor" (and, all of the countless people they and
the original bug-reporter have informed, either directly or indirectly)...
And, it's NOT something I want to be...

> There are probably 100 holes in [pick-a-product-name] right now which are
> zero risk, because 0 people know about them - they haven't been
> discovered by anyone yet.

Yeah, sure, if literally NO ONE has discovered them, then yes there is zero
risk... But, in the scenarios we are discussing, that is NOT the case...
At least ONE person has discovered them, already... And, he's probably
told the vendor, which in turns means probably more than one developer
there has been informed of it... And, any of them may offhandedly tell a
friend or two about it... And, so on...

Not to mention the fact that you never KNOW whether or not anyone else
might have already previously discovered any given hole, and simply haven't
told anyone about it, because they'd rather keep it their own little
secret weapon...

Firefox buffer overflow and full disclosure

Posted Sep 16, 2005 22:29 UTC (Fri) by gerv (guest, #3376) [Link] (6 responses)

To use another unworkable analogy: if Consumer Reports learned of a flaw in all Ford cars, whereby someone could easily unlock the doors by tapping them in just the right spot (or something similar), would you rather they quietly just tell Ford about it and wait for them to take months/years to do anything about it, or would you rather know about it yourself, so you can replace the locks on your Ford your own damn self??
I'd tell Ford: "You have two weeks to make sure all of your dealerships around the world have a decent stock of replacement locks. Then I'm going public." Which is the exact equivalent of responsible disclosure.

Firefox buffer overflow and full disclosure

Posted Sep 16, 2005 22:49 UTC (Fri) by RobSeace (subscriber, #4435) [Link] (5 responses)

But, why is that more "responsible" than immediately going public? (Which,
I believe, is what Consumer Reports usually actually does...) And, why
two weeks? Who made up that number, and deemed it to be the "responsible"
time-frame? What if the vendor really can't possibly get a fix out in
less than 6 months? Is it "responsible" to inform the public 5.5 months
early? If so, then why exactly wasn't it to do so 2 weeks earlier than
that?? (It's clearly NOT "responsible" to cave to the vendor, and sit
on the issue for 6 months... But, what I'm curious about is what is it
that distinguishes the 2 weeks from the 6 months for you?? In this day
and age, can't 2 weeks of being vulnerable to a known security hole be
just as dangerous as 6 months? So, why not simply inform the users right
from the start, so they can protect themselves until the vendor takes
however long it needs to to fix the issue?)

Firefox buffer overflow and full disclosure

Posted Sep 17, 2005 0:38 UTC (Sat) by giraffedata (guest, #1954) [Link] (4 responses)

I'd be interested to know what Consumer Reports' policy on this is. I'm not sure it has ever faced the situation. I know Consumer Reports doesn't give any advance warning to manufacturers of defects and other weaknesses in their products that CR intends to publicize, but that's a statement about CR not owing the manufacturer anything. Are these ever defects where some consumers would be hurt just by the publication? Like the Ford lock analogy?

I read all the time about journalists withholding information for the public good, and I suspect Consumer Reports really would withhold that Ford lock story until Ford had plenty of time to mitigate the problem.

Firefox buffer overflow and full disclosure

Posted Sep 17, 2005 15:35 UTC (Sat) by RobSeace (subscriber, #4435) [Link] (3 responses)

> Are these ever defects where some consumers would be hurt just by the
> publication?

Once again, I don't buy that the "publication" would be responsible for
anyone getting "hurt"... The flaw already exists; merely remaining silent
about it doesn't change the fact... In fact, as I've stated, remaining
only 'partially' silent (ie: informing the vendor, and thereby indirectly
who-knows-how-many people, whose morals and ethics you know nothing about)
is definitely worse... Remaining COMPLETELY silent (as in telling NO ONE
at all, and not using the info yourself) is safe enough, for now... Until
someone else comes along and discovers the same flaw... (If one person can
find it, so can another... In fact, in all likelihood, the chances are good
that someone else has previously already discovered the flaw, and simply
haven't told anyone yet...) So, the only rational course that I can see is
to inform the public at large, so they can protect themselves...

Firefox buffer overflow and full disclosure

Posted Sep 17, 2005 22:29 UTC (Sat) by giraffedata (guest, #1954) [Link] (2 responses)

I don't buy that the "publication" would be responsible for anyone getting "hurt"

I assume "responsible" is the key word here. I think it's obvious that many people would have their cars broken into if the flaw became common knowledge early who would not have their cars broken into if Ford had time to prepare before it became common knowledge. It's equally clear that there are many people in the opposite situation -- they would avoid the breakin by having the flaw become common knowledge earlier.

So I assume you're just saying that spreading the word isn't responsible for any breakins, even though it is obviously a contributing cause. Like the idea that if you leave a pair of glasses on the floor and someone steps on them, the stepper is not responsible for the damage.

There are plenty of people who would argue either side of the responsibility question. I still believe in the Consumer Reports analogy, CR would assume responsibility and not publish immediately. It seems to be the prevalent view in journalism, and especially among social good organizations like Consumer's Union (publisher of CR).

Firefox buffer overflow and full disclosure

Posted Sep 18, 2005 15:40 UTC (Sun) by RobSeace (subscriber, #4435) [Link] (1 responses)

> So I assume you're just saying that spreading the word isn't responsible
> for any breakins, even though it is obviously a contributing cause. Like
> the idea that if you leave a pair of glasses on the floor and someone steps
> on them, the stepper is not responsible for the damage.

Well, more in the way that someone who informs you the building is on
fire isn't responsible for setting it... Instead, he's warning you of it,
so you can take action to protect yourself... Or, I suppose a more apt
analogy would be one who notices that the room where everyone gathers to
smoke is actually filled with barrels of gas and boxes of dynamite, which
no one else has ever spotted before... Should he quietly tell management,
so they can silently remove the dangerous items, or should he warn the
smokers so they don't accidentally blow themselves up?? Even if it does
mean that a malicious smoker among them might use the opportunity to blow
up the building just because he hates the place, or something...

> CR would assume responsibility and not publish immediately.

I'm not so sure that's correct... I don't really know for sure, but I
actually suspect they would be more concerned with informing the public
ASAP, since that basically seems to be their core mission... *shrug*

But, regardless of what they would really do, I certainly don't think it
would be "irresponsible" or "immoral" of them to inform the public ASAP...
Nor, do I see any increased "responsibility"/"morality" in any orgination
that would keep the info secret from the public for any length of time...
I can see how they might be trying to do good and protect people, but I
really think they'd be deluding themselves, because being informed is
always the best way of protecting oneself, and will always be far better
than being kept ignorant while those-who-think-they-know-better-than-you
decide your fate...

Firefox buffer overflow and full disclosure

Posted Oct 10, 2005 1:47 UTC (Mon) by turpie (guest, #5219) [Link]

That's a very poor analogy. Such a fire hazard could result in legitimate users accidently creating a life threatening disaster. Hardly similar to a security bug in a web browser.

Most users would be unable to create their own patches to fix a security hole, and unlikely to want to go to the hassle of swapping to another program if their preferred choice of program is likely to be fixed in a couple of days. I believe developers should be notified of the bug and told that they would have no more than 14 days to fix the problem before it is made public. The developers would then have time to fix or workaround the bug, test and release an update before the blackhats were informed. If the developers didn't respond in time then that fact should be a part the security disclosure so the users may be better informed and can then change their software preferences.

Relation between disclosure and risk

Posted Sep 17, 2005 3:08 UTC (Sat) by vonbrand (subscriber, #4458) [Link] (1 responses)

It is not so simple... The risk is a growing function of how many black hats know about the problem. So, the disclosure increases risk, as black hats as a whole are rather secretive about their exploits. On the other hand, knowing about the risk helps taking countermeasures, so decreases risk. It simply isn't clear which of the two tendencies wins out. I'd wager that most users just rely on the "automatic upgrade" of their software, so public disclosure (somewhat) synchronized with the patch release schedule of the vendors should minimize risk.

Relation between disclosure and risk

Posted Sep 17, 2005 15:39 UTC (Sat) by RobSeace (subscriber, #4435) [Link]

Sure, most users are lazy/ignorant, and may not do anything to protect
themselves even when informed... But, does that mean those of us who are
NOT lazy and ignorant, and who are willing to take whatever measures
necessary to protect ourselves should be kept in the dark, and put at
increased risk, simply to protect the lazy and ignorant users?? I'm sorry,
but I don't accept that... I think everyone should be given the chance
to protect themselves, and if they fail to take it, well that's their own
choice...

Firefox buffer overflow and full disclosure

Posted Sep 15, 2005 16:38 UTC (Thu) by cventers (guest, #31465) [Link] (15 responses)

I like Daniel Bernstein's attitude - publish the bug to punish the lazy
programmer. Sure, we all make mistakes, but if they really bite us in the
ass, we might just learn to be more careful with memory management.

It's possible to write secure software... indeed, the $500 Qmail security
guarantee is still unclaimed...

Firefox buffer overflow and full disclosure

Posted Sep 15, 2005 17:24 UTC (Thu) by rfunk (subscriber, #4054) [Link] (12 responses)

An unclaimed $500 bounty is no security guarantee.
http://www-dt.e-technik.uni-dortmund.de/~ma/qmail-bugs.html

Firefox buffer overflow and full disclosure

Posted Sep 15, 2005 23:47 UTC (Thu) by cventers (guest, #31465) [Link] (11 responses)

The page you linked points out a memory exhaustion condition and a
so-called "bounce flood". The memory exhaustion attack is addressed here:

http://cr.yp.to/qmail/venema.html

As for the bounce flood, I don't see how you can consider this a security
problem because the size of the input is 1:1 the size of the output...
ie, send a 5 mb message, get 5 mb back.

Qmail is a huge target because of DJB's attitude and security guarantee,
plus its reputation. So far the only "security problems" anyone can point
out are total grabbing-at-the-straws attempts where you don't set ulimits
(the procedure is described all over his site, and all the other Qmail
sites as well), etc.

I'd say that Qmail is the most secure daemon that there ever was, period.
It's in huge and widespread use and despite an entire community of
hackers that hate Dan, no one has actually managed to execute arbitrary
code - or certainly, obtain root privileges.

That's beside the point anyway. My point is that buffer overflows and
other "escalated privileges" bugs are not at all a fact of life...
they're a result of lazy programming and/or cluelessness. Sure, we all
make mistakes... but I think Dan's qmail demonstrates that good design
and careful programming can produce software that doesn't break. Firefox
is certainly way on the other end of the spectrum, second to only
Internet Explorer in its number of exploits.

Firefox buffer overflow and full disclosure

Posted Sep 16, 2005 11:48 UTC (Fri) by RobSeace (subscriber, #4435) [Link] (8 responses)

> Firefox is certainly way on the other end of the spectrum, second to only
> Internet Explorer in its number of exploits.

Ok, most of your comments were reasonable, but this is just a horrible
exaggeration that is completely out of line with reality... There is a
vast magnitude of difference between the number and severity of exploits
which IE (and, really, ALL Microsoft products) has had over its lifetime
(and continues to still have, steadily, to this day), and those which
Firefox has had... It's either blind ignorance or malicious FUDery to
try to equate them as you just did... Perhaps you should take a look at
the link in the very first post, above... There's a world of difference
between the two, and compared to IE, Firefox is a paragon of security...

Firefox buffer overflow and full disclosure

Posted Sep 16, 2005 15:06 UTC (Fri) by cventers (guest, #31465) [Link] (7 responses)

Look... I don't dislike Firefox, and I hate Internet Explorer. I'd
recommend Firefox over Internet Explorer to anyone and everyone.
(Personally, I use Konqueror, because I have that option available on my
platform). But there has been a large number of exploitable bugs that
have been reported on Firefox since it became popular.

When the floodgates first opened, I was like a lot of other Firefox users
- I patched and said to myself, "well, it's still more secure than
Internet Explorer". Then there was another volley, and another volley.

Is Firefox more secure than Internet Explorer? Almost certainly. I'm just
objecting to many people's practice of pretending that it's a really
secure browser. Better than the competition? Yes. Really secure? The
track record makes me question that.

Firefox buffer overflow and full disclosure

Posted Sep 16, 2005 16:49 UTC (Fri) by RobSeace (subscriber, #4435) [Link] (6 responses)

> Better than the competition? Yes. Really secure? The track record makes me
> question that.

Ok, that's a perfectly reasonable stance... But, that's a far cry from
what you originally said, and what I objected to... You seemed to be
equating its security to that of IE, as if there were little or no
difference between them... And, there's a vast ocean of difference...

Firefox buffer overflow and full disclosure

Posted Sep 16, 2005 22:44 UTC (Fri) by cventers (guest, #31465) [Link] (5 responses)

Actually, there is a vast ocean of difference. And I was wrong. This is
on /. today:

'From March 2005 to September 2005 10 vulnerabilities were published for
Microsoft Internet Explorer, 40 for Mozilla Firefox. In April-September
timespan there were 6 exploits for MSIE, 11 for Firefox. From March 2005
to September 2005 10 vulnerabilities were published for Microsoft
Internet Explorer, 40 for Mozilla Firefox. In April-September timespan
there were 6 exploits for MSIE, 11 for Firefox. '

I rest my case.

Firefox buffer overflow and full disclosure

Posted Sep 17, 2005 15:47 UTC (Sat) by RobSeace (subscriber, #4435) [Link] (4 responses)

Oh, please... I do hope you're joking, and aren't actually buying into
that ZDNet FUD... Comparing raw numbers of adviseries is never a good
tactic, to start with... Product X may have a higher number of discovered
bugs than product Y, but that says absolutely nothing about the relative
security of the two... If all of product X's bugs are trivial and cause
no serious problems, while all of product Y's are extremely serious and
lead to easy exploitation and take-over of the system, then which would
you rather be running?? If all of product X's bugs were fixed within a
couple days, while all of product Y's remain unfixed to this day, which
would you rather be running??

Firefox buffer overflow and full disclosure

Posted Sep 17, 2005 19:34 UTC (Sat) by cventers (guest, #31465) [Link] (3 responses)

Ok, then, how exactly do you quantify the difference in security between
Internet Explorer and Firefox? So far all you've said is that Firefox is
much more secure than Internet Explorer. Do you have any way at all to
back up this claim? I got tired of being a Firefox apologist... perhaps
you should too.

Firefox buffer overflow and full disclosure

Posted Sep 17, 2005 20:11 UTC (Sat) by RobSeace (subscriber, #4435) [Link] (2 responses)

How about number of machines/users infected/exploited because of each? Or, how about the idea proposed in the link from the first comment on this story: number of safe/unsafe days? Or, if you want to go with simple counts, how about separating the actual critical/important bugs from the minor/trivial ones, and compare apples to apples and oranges to oranges, at least? Or, how about you actually follow the links in that ZDNet story to Secunia, and read what THEY actually have to say on the matter, rather than some ZDNet mouthpiece with an axe to grind? ("Mozilla Firefox 1.x ... 22 total advisories ... 0% extremely critical, 23% highly critical, 36% moderately critical, 32% less critical, 9% not critical ... leads to system access: 18% ... remains unpatched: 14%" versus "Microsoft Internet Explorer 6.x ... 85 total advisories ... 14% extremely critical, 29% highly critical, 20% moderately critical, 14% less critical, 22% not critical ... leads to system access: 31% ... remains unpatched: 28%"... Does Firefox look great? No, certainly not... But, it's not even on the same universe of insecurity as IE is...)

Firefox buffer overflow and full disclosure

Posted Sep 17, 2005 20:18 UTC (Sat) by cventers (guest, #31465) [Link] (1 responses)

I see no point in continuing to push this debate along - neither one of
us is going to have an impact in either the number of Firefox/IE users or
the number of Firefox/IE vulnerabilities.

You're probably right on all regards about establishing the security
difference (who knows, I don't feel like arguing about it).

The bottom line? I guess your definition of universe differs from mine.
Firefox looks incredibly insecure to me. So does Internet Explorer. If
you could define some magic security number and rank all of the Internet
Browsers, Internet Explorer would probably be the worst, followed by
Firefox, followed by the rest of the browsers.

I made this basic claim a number of posts back, and you felt determined
to point out this universe of difference between the two. Frankly, the
gap doesn't seem *that* wide to me. At the end of the day, though, what
have we won? I've wasted a cumulative half an hour arguing over it, and
so have you.

Firefox buffer overflow and full disclosure

Posted Sep 17, 2005 21:29 UTC (Sat) by RobSeace (subscriber, #4435) [Link]

Arguing online never accomplishes much... But, it's sometimes fun... ;-)

As for other browsers besides IE and FF, I don't know... But, so few people
actually use any of the others that it's nearly irrelevent to the topic at
hand, since at the end of the day 99% of the people are going to be using
either IE or FF... It's like saying compared to OpenBSD, both Linux and
Windoze are horribly insecure... While perhaps true, it's not entirely
relevent if you want to talk about OS's which most people actually USE...
(Oh, no, I just know I've offended some BSD person with that, and am going
to get flamed... ;-) I honestly don't mean anything bad by it... I have
nothing but respect for the OpenBSD team; but, I'm not likely to ever run
their OS, I'm afraid... Nor are the vast majority of others... That's not
their fault, nor does it lessen their accomplishments, but it IS just the
way things are, like it or not...)

Now, maybe you could argue that other browsers are more deserving of the
wide-spread popularity that FF is enjoying... Yeah, maybe so; I don't
know... But, if they were, don't you think more people might start poking
at them, and possibly turn up many more security problems with them, as
well? The FF holes didn't start popping up until it started becoming
popular and wide-spread enough for people to start caring... I know, the
old lame chestnut about "Product X is only attacked because it's the most
popular, and if product Y were that popular, it would appear just as
buggy!" is often used to justify MS's insecurities, but there IS a grain
of truth to the statement... It certainly isn't the whole truth by any
means, but it's not entirely BS, either... If a product is so obscure as
to be off everyone's radar, then it makes sense that fewer people will be
even looking for problems in it... *shrug*

But, anyway... Like you say, I think we've pretty much said as much as we
can on the subject, at this point...

Firefox buffer overflow and full disclosure

Posted Sep 16, 2005 14:55 UTC (Fri) by KaiRo (subscriber, #1987) [Link] (1 responses)

> Firefox is certainly way on the other end of the spectrum, second to only
> Internet Explorer in its number of exploits.

From what I know, the Linux kernel has about as many security flaws getting reported than the whole Mozilla source repository (of which Firefox is only a part, even though it uses a vast majority of it, as the Core code is used by all of Mozilla suite, SeaMonkey, Firefox, Thunderbird etc.) or maybe the kernel has even more.

That doesn't mean the kernel is very insecure, nor does it mean that for the Mozilla codebase. It's just that both a really huge piles of code doing an incredibly large amount of stuff - and yes, even rendering web pages as well as Gecko does is a very large and complex task to do.

It's much easier to create a project that does a fairly simple (even if important) job, such as an SMTP server or, say, a shell, without known security flaws than a system kernel or a sophisticated, modern web browser. Why? Just look at the amount of code involved and the dirty tricks you sometimes need to go thorugh to e.g. work with hardware and userspace (in the case of the kernel) or plugins and scripting (in the browser case).

That said, it's good that there are tools out there that have no really known security issues (yet), believing they'll never have is more dangerous than knowing you have to apply some patches now and then.

Firefox buffer overflow and full disclosure

Posted Sep 16, 2005 15:08 UTC (Fri) by cventers (guest, #31465) [Link]

You're right about the number of vulns in the kernel. It's upsetting.
Thankfully, though, the kernel vulnerabilities tend to apply only in a
very specific situation, and very rarely allow someone without an account
to do anything dangerous. So perhaps comparing the kernel (an operating
system) to Firefox (an Internet browser) is unfair. But I didn't bring up
apples to oranges - the comparison was Firefox and Internet Explorer, and
both have had a very embarrasing security history lately.

$500 bounty

Posted Sep 15, 2005 19:43 UTC (Thu) by rfunk (subscriber, #4054) [Link]

To expand a bit... $500 is cheap for someone with the required knowledge
to spend the required time to audit qmail. Generally those people make
that amount in a morning, which is much much less than it would take to
audit
the program.

Firefox buffer overflow and full disclosure

Posted Sep 15, 2005 22:51 UTC (Thu) by RobSeace (subscriber, #4435) [Link]

But, it's really NOT "punishment" of any sort... That's the point I was
trying to make above... It's HELPING the programmer (and, the users),
whether they actually REALIZE that at the time, or not...


Copyright © 2005, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds