
Firefox buffer overflow and full disclosure

Firefox buffer overflow and full disclosure

Posted Sep 15, 2005 16:38 UTC (Thu) by cventers (subscriber, #31465)
Parent article: Firefox buffer overflow and full disclosure

I like Daniel Bernstein's attitude - publish the bug to punish the lazy
programmer. Sure, we all make mistakes, but if they really bite us in the
ass, we might just learn to be more careful with memory management.

It's possible to write secure software... indeed, the $500 Qmail security
guarantee is still unclaimed...



Firefox buffer overflow and full disclosure

Posted Sep 15, 2005 17:24 UTC (Thu) by rfunk (subscriber, #4054) [Link]

An unclaimed $500 bounty is no security guarantee.
http://www-dt.e-technik.uni-dortmund.de/~ma/qmail-bugs.html

Firefox buffer overflow and full disclosure

Posted Sep 15, 2005 23:47 UTC (Thu) by cventers (subscriber, #31465) [Link]

The page you linked points out a memory exhaustion condition and a
so-called "bounce flood". The memory exhaustion attack is addressed here:

http://cr.yp.to/qmail/venema.html

As for the bounce flood, I don't see how you can consider this a security
problem because the size of the input is 1:1 the size of the output...
ie, send a 5 mb message, get 5 mb back.

Qmail is a huge target because of DJB's attitude and security guarantee,
plus its reputation. So far the only "security problems" anyone can point
out are total grabbing-at-the-straws attempts where you don't set ulimits
(the procedure is described all over his site, and all the other Qmail
sites as well), etc.

I'd say that Qmail is the most secure daemon that there ever was, period.
It's in huge and widespread use and despite an entire community of
hackers that hate Dan, no one has actually managed to execute arbitrary
code - or certainly, obtain root privileges.

That's beside the point anyway. My point is that buffer overflows and
other "escalated privileges" bugs are not at all a fact of life...
they're a result of lazy programming and/or cluelessness. Sure, we all
make mistakes... but I think Dan's qmail demonstrates that good design
and careful programming can produce software that doesn't break. Firefox
is certainly way on the other end of the spectrum, second to only
Internet Explorer in its number of exploits.

Firefox buffer overflow and full disclosure

Posted Sep 16, 2005 11:48 UTC (Fri) by RobSeace (subscriber, #4435) [Link]

> Firefox is certainly way on the other end of the spectrum, second to only
> Internet Explorer in its number of exploits.

Ok, most of your comments were reasonable, but this is just a horrible
exaggeration that is completely out of line with reality... There is a
vast magnitude of difference between the number and severity of exploits
which IE (and, really, ALL Microsoft products) has had over its lifetime
(and continues to still have, steadily, to this day), and those which
Firefox has had... It's either blind ignorance or malicious FUDery to
try to equate them as you just did... Perhaps you should take a look at
the link in the very first post, above... There's a world of difference
between the two, and compared to IE, Firefox is a paragon of security...

Firefox buffer overflow and full disclosure

Posted Sep 16, 2005 15:06 UTC (Fri) by cventers (subscriber, #31465) [Link]

Look... I don't dislike Firefox, and I hate Internet Explorer. I'd
recommend Firefox over Internet Explorer to anyone and everyone.
(Personally, I use Konqueror, because I have that option available on my
platform). But there has been a large number of exploitable bugs that
have been reported on Firefox since it became popular.

When the floodgates first opened, I was like a lot of other Firefox users
- I patched and said to myself, "well, it's still more secure than
Internet Explorer". Then there was another volley, and another volley.

Is Firefox more secure than Internet Explorer? Almost certainly. I'm just
objecting to many people's practice of pretending that it's a really
secure browser. Better than the competition? Yes. Really secure? The
track record makes me question that.

Firefox buffer overflow and full disclosure

Posted Sep 16, 2005 16:49 UTC (Fri) by RobSeace (subscriber, #4435) [Link]

> Better than the competition? Yes. Really secure? The track record makes me
> question that.

Ok, that's a perfectly reasonable stance... But, that's a far cry from
what you originally said, and what I objected to... You seemed to be
equating its security to that of IE, as if there were little or no
difference between them... And, there's a vast ocean of difference...

Firefox buffer overflow and full disclosure

Posted Sep 16, 2005 22:44 UTC (Fri) by cventers (subscriber, #31465) [Link]

Actually, there is a vast ocean of difference. And I was wrong. This is
on /. today:

'From March 2005 to September 2005 10 vulnerabilities were published for
Microsoft Internet Explorer, 40 for Mozilla Firefox. In April-September
timespan there were 6 exploits for MSIE, 11 for Firefox.'

I rest my case.

Firefox buffer overflow and full disclosure

Posted Sep 17, 2005 15:47 UTC (Sat) by RobSeace (subscriber, #4435) [Link]

Oh, please... I do hope you're joking, and aren't actually buying into
that ZDNet FUD... Comparing raw numbers of advisories is never a good
tactic, to start with... Product X may have a higher number of discovered
bugs than product Y, but that says absolutely nothing about the relative
security of the two... If all of product X's bugs are trivial and cause
no serious problems, while all of product Y's are extremely serious and
lead to easy exploitation and take-over of the system, then which would
you rather be running?? If all of product X's bugs were fixed within a
couple days, while all of product Y's remain unfixed to this day, which
would you rather be running??

Firefox buffer overflow and full disclosure

Posted Sep 17, 2005 19:34 UTC (Sat) by cventers (subscriber, #31465) [Link]

Ok, then, how exactly do you quantify the difference in security between
Internet Explorer and Firefox? So far all you've said is that Firefox is
much more secure than Internet Explorer. Do you have any way at all to
back up this claim? I got tired of being a Firefox apologist... perhaps
you should too.

Firefox buffer overflow and full disclosure

Posted Sep 17, 2005 20:11 UTC (Sat) by RobSeace (subscriber, #4435) [Link]

How about number of machines/users infected/exploited because of each? Or, how about the idea proposed in the link from the first comment on this story: number of safe/unsafe days? Or, if you want to go with simple counts, how about separating the actual critical/important bugs from the minor/trivial ones, and compare apples to apples and oranges to oranges, at least? Or, how about you actually follow the links in that ZDNet story to Secunia, and read what THEY actually have to say on the matter, rather than some ZDNet mouthpiece with an axe to grind? ("Mozilla Firefox 1.x ... 22 total advisories ... 0% extremely critical, 23% highly critical, 36% moderately critical, 32% less critical, 9% not critical ... leads to system access: 18% ... remains unpatched: 14%" versus "Microsoft Internet Explorer 6.x ... 85 total advisories ... 14% extremely critical, 29% highly critical, 20% moderately critical, 14% less critical, 22% not critical ... leads to system access: 31% ... remains unpatched: 28%"... Does Firefox look great? No, certainly not... But, it's not even on the same universe of insecurity as IE is...)

Firefox buffer overflow and full disclosure

Posted Sep 17, 2005 20:18 UTC (Sat) by cventers (subscriber, #31465) [Link]

I see no point in continuing to push this debate along - neither one of
us is going to have an impact in either the number of Firefox/IE users or
the number of Firefox/IE vulnerabilities.

You're probably right on all regards about establishing the security
difference (who knows, I don't feel like arguing about it).

The bottom line? I guess your definition of universe differs from mine.
Firefox looks incredibly insecure to me. So does Internet Explorer. If
you could define some magic security number and rank all of the Internet
Browsers, Internet Explorer would probably be the worst, followed by
Firefox, followed by the rest of the browsers.

I made this basic claim a number of posts back, and you felt determined
to point out this universe of difference between the two. Frankly, the
gap doesn't seem *that* wide to me. At the end of the day, though, what
have we won? I've wasted a cumulative half an hour arguing over it, and
so have you.

Firefox buffer overflow and full disclosure

Posted Sep 17, 2005 21:29 UTC (Sat) by RobSeace (subscriber, #4435) [Link]

Arguing online never accomplishes much... But, it's sometimes fun... ;-)

As for other browsers besides IE and FF, I don't know... But, so few people
actually use any of the others that it's nearly irrelevant to the topic at
hand, since at the end of the day 99% of the people are going to be using
either IE or FF... It's like saying compared to OpenBSD, both Linux and
Windoze are horribly insecure... While perhaps true, it's not entirely
relevant if you want to talk about OS's which most people actually USE...
(Oh, no, I just know I've offended some BSD person with that, and am going
to get flamed... ;-) I honestly don't mean anything bad by it... I have
nothing but respect for the OpenBSD team; but, I'm not likely to ever run
their OS, I'm afraid... Nor are the vast majority of others... That's not
their fault, nor does it lessen their accomplishments, but it IS just the
way things are, like it or not...)

Now, maybe you could argue that other browsers are more deserving of the
wide-spread popularity that FF is enjoying... Yeah, maybe so; I don't
know... But, if they were, don't you think more people might start poking
at them, and possibly turn up many more security problems with them, as
well? The FF holes didn't start popping up until it started becoming
popular and wide-spread enough for people to start caring... I know, the
old lame chestnut about "Product X is only attacked because it's the most
popular, and if product Y were that popular, it would appear just as
buggy!" is often used to justify MS's insecurities, but there IS a grain
of truth to the statement... It certainly isn't the whole truth by any
means, but it's not entirely BS, either... If a product is so obscure as
to be off everyone's radar, then it makes sense that fewer people will be
even looking for problems in it... *shrug*

But, anyway... Like you say, I think we've pretty much said as much as we
can on the subject, at this point...

Firefox buffer overflow and full disclosure

Posted Sep 16, 2005 14:55 UTC (Fri) by KaiRo (subscriber, #1987) [Link]

> Firefox is certainly way on the other end of the spectrum, second to only
> Internet Explorer in its number of exploits.

From what I know, the Linux kernel has about as many security flaws getting reported as the whole Mozilla source repository (of which Firefox is only a part, even though it uses a vast majority of it, as the Core code is used by all of Mozilla suite, SeaMonkey, Firefox, Thunderbird etc.) or maybe the kernel has even more.

That doesn't mean the kernel is very insecure, nor does it mean that for the Mozilla codebase. It's just that both are really huge piles of code doing an incredibly large amount of stuff - and yes, even rendering web pages as well as Gecko does is a very large and complex task to do.

It's much easier to create a project that does a fairly simple (even if important) job, such as an SMTP server or, say, a shell, without known security flaws than a system kernel or a sophisticated, modern web browser. Why? Just look at the amount of code involved and the dirty tricks you sometimes need to go through to e.g. work with hardware and userspace (in the case of the kernel) or plugins and scripting (in the browser case).

That said, it's good that there are tools out there that have no really known security issues (yet), believing they'll never have is more dangerous than knowing you have to apply some patches now and then.

Firefox buffer overflow and full disclosure

Posted Sep 16, 2005 15:08 UTC (Fri) by cventers (subscriber, #31465) [Link]

You're right about the number of vulns in the kernel. It's upsetting.
Thankfully, though, the kernel vulnerabilities tend to apply only in a
very specific situation, and very rarely allow someone without an account
to do anything dangerous. So perhaps comparing the kernel (an operating
system) to Firefox (an Internet browser) is unfair. But I didn't bring up
apples to oranges - the comparison was Firefox and Internet Explorer, and
both have had a very embarrassing security history lately.

$500 bounty

Posted Sep 15, 2005 19:43 UTC (Thu) by rfunk (subscriber, #4054) [Link]

To expand a bit... $500 is cheap for someone with the required knowledge
to spend the required time to audit qmail. Generally those people make
that amount in a morning, which is much much less than it would take to
audit the program.

Firefox buffer overflow and full disclosure

Posted Sep 15, 2005 22:51 UTC (Thu) by RobSeace (subscriber, #4435) [Link]

But, it's really NOT "punishment" of any sort... That's the point I was
trying to make above... It's HELPING the programmer (and, the users),
whether they actually REALIZE that at the time, or not...


Copyright © 2018, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds