Critical flaw found in Firefox browser


RobertoOrtiz
05-09-2005, 07:14 PM
Quote:
"Firefox has unpatched "extremely critical" security holes and exploit code is already circulating on the Net, security researchers have warned.
The two unpatched flaws in the Mozilla browser could allow an attacker to take control of your system."
>>Link<< (http://www.yahoo.com/_ylh=X3oDMTB2MXQ5MTU3BF9TAzI3MTYxNDkEdGVzdAMwBHRtcGwDaW5kZXgtaWU-/s/239465)
-R

Dearmad
05-09-2005, 07:25 PM
I hope they don't take over my system just as I begin my final approach to the planet Neptune... :argh:

brenton
05-09-2005, 07:32 PM
goes to show that not even web browsers are bullet-proof.

but we all knew that *cough* IE *cough* :D

Pentagramma
05-09-2005, 08:01 PM
Argh, that's not very good. I've also noticed a few memory-related problems here at the studio, with the machines using Firefox.

Anyone else?

ShadowHunter
05-09-2005, 08:44 PM
Confirms my theory that the more popular the software the more vulnerable it becomes. I think that if Firefox was as popular as IE (in terms of # of people using it), it might turn out to be less secure actually since all the hackers currently targeting IE would start exploiting Firefox's features ceaselessly. Same theory applies to OSX/XP etc.

Still good though that there are always great alternatives.

Opelfruits
05-09-2005, 08:50 PM
the link doesn't open, I'm using Firefox :sad:

jud
05-09-2005, 09:12 PM
Netscape is based on Mozilla (isn't it?) will that be affected too?

pgp_protector
05-09-2005, 09:14 PM
First.
http://www.fau.edu/images/dont-panic.gif

A patch is expected shortly, but in the meantime users can protect themselves by switching off JavaScript. In addition, the Mozilla Foundation has now made the flaws effectively impossible to exploit by changes to the server-side download mechanism on the update.mozilla.org and addons.mozilla.org sites, according to security experts.

Sounds like it will be under control soon.

Beamtracer
05-09-2005, 09:30 PM
The story is just an attempt to spread hysteria and scare people.

In actual fact, people using Firefox are much more secure surfing the web than those using the troubled Microsoft Internet Explorer browser.

We should note the following quote from the story:
"In addition, the Mozilla Foundation has now made the flaws effectively impossible to exploit by changes to the server-side download mechanism"

It reminds me of another story a few weeks ago when Symantec was running around saying that there are terrible viruses that might attack Mac OS X. The truth of the matter is that there are no viruses in the wild that attack OS X, and Symantec was just trying to drum up fear so they could sell their anti-virus software to Mac users.

The viruses and malware are attacking Microsoft products. Windows, Word, Internet Explorer and Outlook Express. Microsoft should change the name to Virus Express, 'cause that's what it is.

Windows users should agree that Microsoft has been negligent and left the Windows community vulnerable to viruses. It has nothing to do with market share. It has more to do with inherent security failures in their systems. Microsoft claims these flaws will be fixed in a new version of Internet Explorer late this year, and the Longhorn OS which will come out in the years ahead. However, Microsoft claimed this about previous versions of their software, which are still insecure.

The first thing Windows users should do is stop using Internet Explorer, and switch to the Firefox web browser. A lot of security vulnerabilities will be fixed just by doing that.

You can download Firefox from here:
http://www.mozilla.org/products/firefox/

The next step is to get rid of Outlook Express (Virus Express) and replace it with the open-source Thunderbird email application, which you can download for free here:
http://www.mozilla.org/products/thunderbird/

Hazdaz
05-09-2005, 09:33 PM
Why does everyone sound all worried?!?

FF was patched in like a week after the last vulnerability was found out and made public. I am sure this one will be patched quite quickly.... and that is one of the reasons I like FF so much. Microsoft has gone ages in patching its software, and only recently has decided that vulnerabilities are an important issue.

There are vulnerabilities to ALL software - detecting a vulnerability is a moot point - it's how long it takes to get a patch that is the important issue here.

ShadowHunter
05-10-2005, 12:53 AM
There are vulnerabilities to ALL software - detecting a vulnerability is a moot point - it's how long it takes to get a patch that is the important issue here.
In that case take a look at this study:
http://seattletimes.nwsource.com/html/businesstechnology/2002182315_security17.html

In particular:
On average, the Windows setup had just over 30 days of risk versus 71 days for the Red Hat setup...
I think market share plays a big role in security. That is, market share is directly proportional to vulnerability, to put it in mathematical terms. The more people try to hack a system the more secure it gets due to patches. Systems that are rarely hacked IMO only appear secure, but are often just as (if not more) vulnerable. I've been using IE and Outlook (which I always keep up-to-date) since I can remember, and never had any spyware or viruses on my box. Of course this is just my opinion, and whatever suits you, you should stick to. Besides, the more heat MS gets for their products the better for us, the end users.

CGmonkey
05-10-2005, 12:57 AM
" Ha! In your face! " ;)

Hehe, glad I'm still running IE incase someone wanna take over my system.. :P

Hazdaz
05-10-2005, 01:20 AM
In that case take a look at this study:
http://seattletimes.nwsource.com/html/businesstechnology/2002182315_security17.html

In particular:

I think market share plays a big role in security. That is, market share is directly proportional to vulnerability, to put it in mathematical terms. The more people try to hack a system the more secure it gets due to patches. Systems that are rarely hacked IMO only appear secure, but are often just as (if not more) vulnerable. I've been using IE and Outlook (which I always keep up-to-date) since I can remember, and never had any spyware or viruses on my box. Of course this is just my opinion, and whatever suits you, you should stick to. Besides, the more heat MS gets for their products the better for us, the end users.

Your link there can probably be countered by tons of "studies" from other groups that say Linux is better/more secure than Windows... I see it all as just "marketing".

Either way, what you said is partly true - about less popular systems being perceived as being more secure, but honestly, sometimes perception is reality. If a browser is obscure enough to not have these vulnerabilities be known by the public, then chances are the hackers don't know about the vulnerabilities either. If you're a hacker, why waste time trying to exploit XYZ browser when only .00001% of internet users have it, when they can concentrate on browsers that make up 70% of the market instead.

Anyways, I still prefer, and will continue to use FF - one little news story isn't going to sway me.

Beamtracer
05-10-2005, 01:36 AM
In that case take a look at this study:
http://seattletimes.nwsource.com/html/businesstechnology/2002182315_security17.html
That study, which just by coincidence happens to be published by the pro-Microsoft Seattle Times, was just a stunt by two bozos on a stage. Note that they won't release any details about their stunt until more than a month afterwards.

What really matters is what happens in the real world. The internet is largely run by UNIX servers, yet despite this, most of the internet servers that get attacked are running Microsoft Windows. It just goes to show that market share has nothing to do with it.

We all know that in the real world, Microsoft products are attacked more often, even above its market share. The Internet Explorer browser is at the center of most of these attacks.

Free, open-source products should be used whenever possible, such as Firefox to replace Internet Explorer, and Thunderbird to replace Outlook (Virus) Express.

ben_o
05-10-2005, 01:54 AM
Originally Posted by ShadowHunter
In that case take a look at this study:
http://seattletimes.nwsource.com/ht...security17.html (http://seattletimes.nwsource.com/html/businesstechnology/2002182315_security17.html)

In particular:

I think market share plays a big role in security. That is, market share is directly proportional to vulnerability, to put it in mathematical terms. The more people try to hack a system the more secure it gets due to patches. Systems that are rarely hacked IMO only appear secure, but are often just as (if not more) vulnerable. I've been using IE and Outlook (which I always keep up-to-date) since I can remember, and never had any spyware or viruses on my box. Of course this is just my opinion, and whatever suits you, you should stick to. Besides, the more heat MS gets for their products the better for us, the end users.


You do know that the study that you quote was paid for and the metrics by which the 'security' was tested was set by Microsoft, don't you? The two 'professors' had to make details of their funding public after this announcement.

They measured the time between all patches to all packages available at install of both operating systems. On a redhat install, this can number many thousands of applications. I am not talking miscellaneous random libraries, I'm talking office suites, graphic design, web servers, countless language interpreters, build environments, desktops, window servers, and also the experimental, unstable packages, programs with a version number below 1.

The patches that counted were not just remote exploit fixes (of which there were four, php, slogin, and two others I can't remember right now) but also patches to fix graphical/interface glitches, seg faults, etc.

On a Windows install, well, it's practically a husk of an operating system in comparison. The only patches that counted here, were those marked severe to critical.

Hardly a fair and balanced study. More FUD for the furnace...

ben_o
05-10-2005, 02:01 AM
Oh, and I've also heard this quite regularly: "Everytime Linux is dissed in the media, a bunch of 'Fanboys' jump out to defend it."

My answer to this:
When you've got Microsoft funding blatantly dodgy reports, month in, month out, dismissing one of the better and secure OS's as 'insecure' compared to Windows and making people actually believe this, it's hard not to jump up and say 'Hang on a minute. That's a total crock of sh*t'

ShadowHunter
05-10-2005, 02:04 AM
You do know that the study that you quote was paid for and the metrics by which the 'security' was tested was set by Microsoft, don't you? The two 'professors' had to make details of their funding public after this announcement.

That is news to me :shrug:. I still stick to what I said, but then I prefer apples to oranges :D

ben_o
05-10-2005, 02:18 AM
ShadowHunter,

Fair enough. Some like apples, some like penguins...

It's just the misconceptions that float around in the media irk me. For example, I have a friend at work who one day lost his work four times in one day, to Word, and Macromedia Director (50:50 split). (This was not a hardware problem, as three different machines and four different files were used)

Anyway, after the fourth crash, I half-heartedly suggested that he try out linux, for the word-processing at least. He replied, absolutely dead serious - "I don't use beta software. I only use software which is stable."

richcz3
05-10-2005, 02:29 AM
I'm not an MS basher nor will I ever be, but there are many on CGTalk who are. Tit for Tat mates. As Firefox use increases, so will the probability of hacks. I take all reports good and bad for all companies with equal interest.

I've been using Firefox for a few months now and I don't care to use IE. However when I read all the downplaying of the problem that strikes me as wrong. Particularly from those that would rail hard against MS for the same flaw. To ignore the alert is like saying what are the chances of getting an STD. Go ahead have unprotected sex until the next batch of condoms arrive.

Ghostscape
05-10-2005, 03:23 AM
Guys, maybe we should keep it on topic instead of hijacking the thread to diss Microsoft?

Beamtracer
05-10-2005, 03:27 AM
Guys, maybe we should keep it on topic instead of hijacking the thread to diss Microsoft?
Microsoft paid for the publication of hoax research against Firefox. They deserve criticism.

You do know that the study that you quote was paid for and the metrics by which the 'security' was tested was set by Microsoft, don't you? The two 'professors' had to make details of their funding public after this announcement.
It's just pathetic! Totally pathetic! That Microsoft goes around funding these bogus "studies" that the media prints without question.

It's a typical Microsoft performance. They've done it before by spreading F.U.D about Linux. They spend millions on it. Now they're spreading F.U.D about Firefox.

This is even more reason to get that insidious Internet Exploiter off your desktop and switch to Firefox instead.

Apoclypse
05-10-2005, 04:00 AM
The whole thing's just like it has been stated before, FF will probably get patched pretty quickly and will be usable once again. There is no downplaying, FOS just works that way especially one as big as Mozilla and its derivatives. When was the last time you saw a new version of IE, the patches don't come regularly enough.

I do have anti-Microsoft sentiments, but it's not against their software (that's just annoying); it's against their politics and the fact that they let this influence their software. Nobody thinks that maybe it's not market share inspiring such attention from hackers for Microsoft (maybe not script kiddies). Perhaps that whole David versus Goliath mentality is what drives them to do what they do, who knows, but as this one post (among many others) shows there is a lot of anti-MS sentiment and some arguably not unfounded, be it getting screwed by their lack of stability or feeling like they are slowly trying to take over the little freedom you have (I don't give a rat's ass about piracy, DRM shouldn't be forced on anyone, and the day Longhorn comes out I'm going 100% Linux).

FF will be patched and will be updated, but for the meantime just do what is suggested and turn off JavaScript and stuff.

NanoGator
05-10-2005, 04:44 AM
Oh, and I've also heard this quite regularly: "Everytime Linux is dissed in the media, a bunch of 'Fanboys' jump out to defend it."

My answer to this:
When you've got Microsoft funding blatantly dodgy reports, month in, month out, dismissing one of the better and secure OS's as 'insecure' compared to Windows and making people actually believe this, it's hard not to jump up and say 'Hang on a minute. That's a total crock of sh*t'

Oh please. When a vulnerability in IE is found it's "yet another reason to switch to FireFox". (never Opera or any other browser out there, only FireFox.) When a vulnerability is found in FireFox it's always "isn't FireFox great!!" Gee, I wonder why Microsoft should fund such studies.

The FUD flying around on this topic is NOT one way.

ben_o
05-10-2005, 08:15 AM
Oh please. When a vulnerability in IE is found it's "yet another reason to switch to FireFox". (never Opera or any other browser out there, only FireFox.) When a vulnerability is found in FireFox it's always "isn't FireFox great!!" Gee, I wonder why Microsoft should fund such studies.

The FUD flying around on this topic is NOT one way.

Reasons for the dissimilar treatment of IE vs Firefox:

1) Yes, there are Fanboys. Yes, you probably want to throttle them, haXOR$ that they are. Fair enough.
2) Microsoft had (and some say still have) a tendency to ignore and dismiss announcements of proven security holes in their products. This leads to the feeling that if there is a problem with IE, Outlook etc., your best bet would be to get a better application from somewhere else to do the job, as it's going to be a while before it gets fixed.
-> Hence, "another reason to shift to Firefox"
3) The Mozilla team, (and GNU apps in general) have a tendency to take minor security threats seriously and fix them quickly. This being a large critical hole, the fix should be well on its way, if it hasn't been patched over already. This rapid response has a tendency to engender loyalty in those that rely on their software -> hence, 'Fanboys' are created.
4) Open Source software lives and breathes bug reports. The faster people can flag up errors and security problems, the shorter the time an exploit might have in the wild. This is why large security problems in Firefox can be mistakenly glossed over by fanboys, as they believe it will get fixed soon. Please, don't be a fanboy; Fill in a bug report.

On the other hand, a number of the Key players in the Firefox chain of command have been appropriated by large companies, so it'll be interesting how this gets handled.

Ben

ben_o
05-10-2005, 08:21 AM
Oh, and a little off topic, but it relates to browser security:

http://yro.slashdot.org/yro/05/04/04/177238.shtml?tid=95&tid=158

Whilst you may clean out your cookies and your internet cache, the Flash plugin has provided a way for spyware companies to create persistent 'cookies' anyway.

Personally, I recommend Firefox + Flashblock extension. You click on the Flash 'applets' to make them run. They don't even get loaded otherwise.

Ben

Beamtracer
05-10-2005, 10:06 AM
Thanks, ben_o. I will follow your advice and add the flash-blocking extension. I didn't know about that tracking software.

Gamoron
05-10-2005, 02:19 PM
temporary workaround

http://www.mozilla.org/security/announce/mfsa2005-42.html

Disabling Javascript affects you being able to post though.

Droolz
05-10-2005, 03:43 PM
Ben, How does the flash blocking software work? Is it easy to switch flash back on as you might unblock a popup? [been busily putting together my site, in flash, and am somewhat concerned by this...], please pm me if this is too off topic..

Nemoid
05-10-2005, 04:10 PM
a computer is secure only when not connected to the web.
and even that way, the danger could come through cdroms or other issues.

back up your data as often as you can!

BTW FF will be patched soon.

if this news is real. :D

NanoGator
05-10-2005, 04:21 PM
The reason for dissimilar treatment of IE vs. FireFox is anti-MS zealotry. There's lots of justifications around, but that's the reason. There's no denying that FireFox is greatly superior to IE in terms of usability and security, but the reason that it comes up has little to do with trying to get back at MS for a claim they made. This was happening long before any studies were funded by Microsoft.

Why does it bug me? It's not because I'm a fan of Microsoft. (Hardly.) It's because I'm worried about the message that's being sent to new FireFox users. "It's secure, you don't have to worry about it!" That's far from the case. I was stupid enough to fall for that zealotry with Linux, and I ended up building a webserver that was rooted within two weeks.

L.Rawlins
05-10-2005, 04:31 PM
I use IE quite happily. I guess that makes me the enemy. :shrug:

NanoGator
05-10-2005, 04:40 PM
I use IE quite happily. I guess that makes me the enemy. :shrug:

Depends on where you go. If you said that at Slashdot, for example, you'd be considered an idiot. (Then again, they think over there that Windows XP blue screens every 10 minutes and there's no way that work can ever get done on it.)

Sorry, to everybody, for having a bit of a chip on my shoulder. I've spent a little too much time on Slashdot. I'll try to keep it cool from here on.

stenosis|kill
05-10-2005, 05:16 PM
a never ending story :)

ben_o
05-10-2005, 05:20 PM
Droolz:

Flashblock:
http://flashblock.mozdev.org/

See attached for the plugin in action... (in theory)

ben_o
05-10-2005, 05:30 PM
NanoGator:

You're right. We can't let zealots tout the message "Firefox is Secure, you don't have to worry about it."

Firefox merely gives you a head-start on making your machine as secure as it can be, compared to browsing with IE. It's by no means impregnable, but it has a much better update cycle than IE. People will still need to be educated to update regularly.

Sorry to hear about your bad experience with a linux server... what was it: red hat, debian, slackware?

Ben

Beamtracer
05-10-2005, 09:51 PM
The reason for dissimilar treatment of IE vs. FireFox is anti-MS zealotry.

How can "zealotry" be the reason people recommend Firefox over Internet Explorer, when you also admit Firefox has security advantages...

There's no denying that FireFox is greatly superior to IE in terms of usability and security

And again...

NanoGator:

You're right. We can't let zealots tout the message "Firefox is Secure, you don't have to worry about it."

Did anyone say that by installing Firefox you no longer have to worry about any security?

Firefox merely gives you a head-start on making your machine as secure as it can be, compared to browsing with IE.

For a start...

Browser differentiation brings security.
If everyone doesn't use the same browser then it makes it harder for exploits to become widespread
Firefox receives less exploits and malware than I.E.
Whatever you see as the reason, whether marketshare, fast patching or better coding, it can't be denied that users of Firefox are less likely to be exploited than those using Internet Explorer. Isn't that a good thing for new users?


And there are more reasons to ditch Internet Explorer:

One company (whether Microsoft or anyone else) should not control the internet
Internet Explorer breaks web standards by introducing proprietary Microsoft protocols, which forces web developers to put MS proprietary code on their websites
Non-MS browsers, such as Firefox and others, tend to adhere strictly to web standards, so if web developers write for Firefox it will most likely work with the other non-MS browsers

NanoGator
05-10-2005, 10:08 PM
How can "zealotry" be the reason people recommend Firefox over Internet Explorer, when you also admit Firefox has security advantages...


Very simple: The recommendation was based on FireFox zealotry, not over a serious appraisal of anybody's requirements. Mozilla (before FireFox) wasn't always better than IE. For a time, it was a masochistic browser to use, and people STILL pushed it.



Did anyone say that by installing Firefox you no longer have to worry about any security?


Here or on Slashdot? Here, no.

On Slashdot: Sort of. When there's an IE exploit, there's always comments to the tune of "Those idiots should have used FireFox!" The implication is quite clear: FireFox doesn't have these problems. Welp, that's not only wrong, but it's also a dangerous thought to have. It's very clear, right this second, that FireFox users have to be vigilant as well.


Non-MS browsers, such as Firefox and others, tend to adhere strictly to web standards, so if web developers write for Firefox it will most likely work with the other non-MS browsers

Sorry, but reality tells a very different story. If what you were saying was true, FireFox, Opera, and every other browser out there would have passed the acid test. NONE of them have. The W3C standards are obviously quite ambiguous, which caused this whole fuss in the first place. If they were clearer a few years ago today might be a different story.

Beamtracer
05-10-2005, 10:33 PM
Nanogator, why would it be in your interests to encourage people to use Internet Explorer over other browsers?

If we use the market-share theory that often gets promoted, then Internet Explorer would receive less exploits as its market share drops. So according to that theory, if more people use Firefox, then your Explorer experience should also slowly start to improve.

Do you think it's a good thing for one dominant company to override standards set by the internet standards bodies?

By the way, I never promoted other Mozilla derived browsers. Firefox is much much faster, and a better browsing experience.

ShadowHunter
05-10-2005, 10:44 PM
Sorry, but reality tells a very different story. If what you were saying was true, FireFox, Opera, and every other browser out there would have passed the acid test. NONE of them have. The W3C standards are obviously quite ambiguous, which caused this whole fuss in the first place. If they were clearer a few years ago today might be a different story.

I agree! Actually FF only recently implemented full support for CSS 1, to allow centering of the background image for example (which IE could do since 5.5 I believe). It's much better now as FF also supports CSS 2 (IE does not), but the damage has been done as many web designers steer clear from CSS due to the shady support from various browsers (including IE). The reason that I use IE (apart from never having experienced any problems/security exploits) is that most web designers are too lazy to make sure that their site is cross-browser compatible, and usually only target IE (thus many sites display properly only in IE, even though FF adheres to the W3C standards better!), but tell that to the web designers.

I'm not a MS fanboy, and I work both with Windows and Unix systems. Both have their strengths and weaknesses, and you should use what suits you best. I've no problems with the MS criticism as long as it is not unfounded, that will only make their products better. :thumbsup:

thedaemon
05-10-2005, 10:47 PM
How come, I have to read Slashdot articles on CGTalk too!?!?! :bounce:

NanoGator
05-10-2005, 10:51 PM
"Nanogator, why would it be in your interests to encourage people to use Internet Explorer over other browsers?"

I'm not promoting IE. Frankly, I'd like to see IE go bye bye -or- majorly overhauled.

"Do you think it's a good thing for one dominant company to override standards set by the internet standards bodies?"

I think it's a bad thing that the internet standards bodies failed to do their job.

However, to answer your question: For Microsoft to be able to override the standards, it would mean that they are the de-facto winner. Their interpretation IS the standard. Should MS be allowed to change them? I have an alternative question: If Microsoft is leading the parade, should they leave innovation (i.e. ActiveX) to the web standards committee? I know that's not going to elicit a good reaction. No hard feelings. The thing, HTML is NOT proprietary. If Microsoft invents a tag, there's not a thing in the world preventing another browser from picking up that interpretation. For this reason, Microsoft cannot possibly 'own' HTML.

I know it sounds like I'm defending MS here, that's purely incidental. I am not pro-Microsoft or MS biased. However, I don't shake my pitchfork at everything they do, either. Why? When anti-MS motivation takes hold, good judgement takes a vacation. Want to ditch IE? Do it because it makes sense to, not because you automatically hate everything MS touches. I learned this lesson the hard way.

NanoGator
05-10-2005, 10:53 PM
NanoGator:

Sorry to hear about your bad experience with a linux server... what was it: red hat, debian, slackware?

Ben

Hey Ben, I appreciate your tact even though I was a little snippy.

It was Red Hat. (technically, Apache was the problem.) I'd love to blame Slashdot for my false belief in Linux's security, but really it was my own stupidity.

Beamtracer
05-10-2005, 11:05 PM
If Microsoft is leading the parade, should they leave innovation (i.e. ActiveX) to the web standards committee?
...
If Microsoft invents a tag, there's not a thing in the world preventing another browser from picking up that interpretation.
For a start, there are licensing fees. For another browser maker to adopt proprietary Microsoft code can mean they would have to pay licensing fees, which cannot be done.

Also, Microsoft has no interest in cross-platform functionality. After Microsoft won the browser war by destroying Netscape, they dropped development of Internet Explorer on other non-Windows platforms.

Then Microsoft claimed that Internet Explorer was part of the Windows OS, and could not be separated.

Most of the servers that run the World Wide Web are UNIX based servers. The web has traditionally been a platform-agnostic network that you can log onto with any device you choose.

Then along comes Microsoft with Internet Explorer that introduces code that cannot be used on other platforms.

Keep the web accessible by all devices, whether a Windows PC, a Mac, a Linux machine, a handheld device or even a phone. Keep it accessible by all. The way to do this is to stop using Internet Explorer immediately, and adopt Firefox (or any other non-MS browser) instead.

NanoGator
05-10-2005, 11:10 PM
For a start, there are licensing fees. For another browser maker to adopt proprietary Microsoft code can mean they would have to pay licensing fees, which cannot be done.

It's about interpreting HTML, not about licensing code. For example: It would cost FireFox NOTHING to interpret the tag that calls an ActiveX control.

That pretty much addresses the rest of your points, too.

Ghostscape
05-11-2005, 12:29 AM
Nano, Beamtracer is a troll. Stop feeding him before this becomes 8 pages of stupid crap.

NanoGator
05-11-2005, 12:36 AM
Nano, Beamtracer is a troll. Stop feeding him before this becomes 8 pages of stupid crap.


I honestly don't think he's maliciously trying to argue with me.

But I will try to keep it from going on much more. :)

ben_o
05-11-2005, 12:39 AM
Hey Ben, I appreciate your tact even though I was a little snippy.

It was Red Hat. (technically, Apache was the problem.) I'd love to blame Slashdot for my false belief in Linux's security, but really it was my own stupidity.

Ah, Apache, we meet again. Truly is a great webserver platform 'out of the box', but takes a lot of fine-tuning to get both speed and security out of it, like chrooting the server, etc.

....

And on the note of implementing various control tags for ActiveX controls... there is no (legal) problem with Firefox using the existing ActiveX API hooks to do the web-designers dirty task. However, they aren't brilliantly documented, and implementing them is a real security risk. There is a Firefox add-on to implement these anyway, just google for it.

Ben

NanoGator
05-11-2005, 12:46 AM
Hmm I didn't express myself too clearly. What I meant was that the code used to call up an ActiveX control could be legally called up and interpreted any way they wanted. If, for example, the FF dev team wanted to, they could have FireFox read HTML that calls up the Flash AX control and instead call up the browser plugin with the right data. (meaning it's not actually calling up an ActiveX control, but rather re-interpreting the wish of the HTML.)

That a little clearer?

richcz3
05-11-2005, 01:31 AM
...The reason that I use IE (apart from never having experienced any problems/security exploits) is that most web designers are too lazy to make sure that their site is cross-browser compatible, and usually only target IE (thus many sites display properly only in IE, even though FF adheres to the W3C standards better!), but tell that to the web designers....

Lazy may apply in some cases, but definitely not all cases. In one case you have an individual who builds his personal web site and doesn't bother checking against other browsers. Then there are the corporate sites that would have to pay people to toil through all the tests and fixes. Remember, it isn't just browsers type, there are multiple revisions of each browser type.

Simply put most established companies don't care for a fractured browser market because it puts an added expense and introduces an increased risk. If Firefox continues to make gains, I fully expect companies and Web developers to wring their hands in joy.

novadude
05-12-2005, 02:42 AM
Firefox 1.04 is out now, fixes for this included.

Gein
05-12-2005, 04:50 AM
It took 3 days to patch the holes. That's great to me. http://cgtalk.com/images/smilies/thumbsup.gif

Beamtracer
05-12-2005, 05:13 AM
It took 3 days to patch the holes. That's great to me. http://cgtalk.com/images/smilies/thumbsup.gif
The speed that Firefox has been patched should set the standard for all other browsers. This is what makes Firefox so great compared to its main competitor.

slaughters
05-12-2005, 12:09 PM
....Sorry, but reality tells a very different story. If what you were saying was true, FireFox, Opera, and every other browser out there would have passed the acid test. NONE of them have. The W3C standards are obviously quite ambiguous, which caused this whole fuss in the first place. If they were clearer a few years ago today might be a different story.

I know this has been beaten to death, but I agree. As a web developer Firefox has its own set of layout issues, bugs, and workarounds you have to get used to.

As for the actual Firefox bug found, "...The effect is that a user could click on an icon and trigger the execution of malicious JavaScript code. Because the code is executed from the browser's user interface, it has the same privileges as the user running Firefox..."

As far as I'm aware JavaScript cannot read or write files to your hard drive and always runs from the browser's user interface anyway. So, what's the big deal?

noisewar
05-12-2005, 01:19 PM
Confirms my theory that the more popular the software the more vulnerable it becomes. I think that if Firefox was as popular as IE (in terms of # of people using it), it might turn out to be less secure actually since all the hackers currently targeting IE would start exploiting Firefox's features ceaselessly. Same theory applies to OSX/XP etc.

Still good though that there are always great alternatives.


That's why Opera will always be the most secure. Paying for your software isn't very popular.

ben_o
05-12-2005, 01:51 PM
That's why Opera will always be the most secure. Paying for your software isn't very popular.

*Must... not... respond... ...... ACK!*

So Windows is free, is it?

*joke*

Opera is actually a really widespread app. It is THE 'embedded-OS' web browser, which you will find all over the place.

It is also really slick and well-written (from a users point of view, having not seen any code)

What browser do I use? Firefox. Why? Well, with the new Opera 8, I may no longer have a good reason...

stenosis|kill
05-12-2005, 01:54 PM
I'm using Opera since version 5 and I also know Firefox very well, both are great browsers but I prefer Opera.. just cuz it can do a lot more, it's faster and also I don't need to download so many several bug fixes.
Btw: Pay for it or add a Opera banner on your Homepage, for about 250 clicks on it you'll get a free license :thumbsup:
http://my.opera.com/community/affiliates/

noisewar
05-12-2005, 04:01 PM
*Must... not... respond... ...... ACK!*

So Windows is free, is it?

*joke*

Opera is actually a really widespread app. It is THE 'embedded-OS' web browser, which you will find all over the place.

It is also really slick and well-written (from a users point of view, having not seen any code)

What browser do I use? Firefox. Why? Well, with the new Opera 8, I may no longer have a good reason...


Just a joke bro, chill =)
If only that was true for everything, that you get what you pay for.
