Bad News About Firefox Security

by Preston Gralla

It hasn't been a good week for Firefox and its fans. First, the Danish security company Secunia warned that it had uncovered a vulnerability in Firefox and other browsers that can allow the URL displayed in the address bar and the SSL certificate to be spoofed, which means the browser and others are vulnerable to phishing attacks. The flaw affects all browsers built using the open-source Gecko browser kernel.


And this time around, Internet Explorer is not vulnerable to the attack.


Making matters worse, a few days after that, a security researcher found a trio of security bugs that affect Firefox and Mozilla -- but not Internet Explorer. Among other dangers, the bugs can allow someone to steal your cookies, and then use them to find out personal information about you and log into web sites with your login.


Perhaps most disturbing is that as of this writing, although fixes have been found, they have not yet been rolled up into a patch, or made available in a new Firefox version that can be downloaded and installed.


I'm a big Firefox fan, and I tell everyone I know to give up IE and use it. But this news doesn't bode well for the browser. Its increasing popularity will mean that it will be subject to more frequent attacks. Worse, though, is that as of this writing, the fixes aren't publicly available. People have rightly accused Microsoft of not posting security patches quickly enough. But up until now, Firefox developers have always been quick to react with security fixes.


Let's hope that this is an anomaly, and patches are posted quickly. I'd hate to see Firefox get bedeviled by the same problems that afflict Internet Explorer.


What do you think about how Firefox handles security flaws?


23 Comments

flursn
2005-02-09 10:54:26
Told you so
*channeling oss zealot*


It's because the Firefox company is evil. They have a monopoly. They don't follow standards. If only they opened up the source-code so that everyone could see the bad code and fix it within mere hours ...

srijith
2005-02-09 11:07:09
Fix in!
The IDN "fix" is already in Firefox nightly (http://www.boingboing.net/2005/02/08/mozilla_and_firefox_.html)


As for IE not being vulnerable, well it is because IE does not implement IDN support. "Secure by absence of implementation" is not the way to go. Verisign's plugin to support IDNs (http://www.idnnow.com/index.jsp) also suffers from the same problem.


As for the other bugs mentioned, the article clearly mentions that fixes are in, it just has not been rolled out into a public release.

cdurst
2005-02-09 14:35:42
Security Bugs and Free/Open Source Software


When comparing security bugs between IE and Firefox, you should also take into account the fact that security bugs in Open Source programs are usually found long before exploits actually appear in the wild.


Microsoft security bugs, on the other hand, are usually not even acknowledged by the company until after exploits have been found in the wild.


In any case, if you read the article you linked to, the fixes have already been checked into the public CVS source tree. Sure, most Windows users wouldn't be able to get them, and would get an unstable version if they did download the nightly snapshot and built it themselves, but it is a little unfair to say that the "fixes aren't publicly available."


If Mozilla.org doesn't do it soon, someone else will probably backport the fixes and release a patched version of Firefox. One of the great things about Free/Open Source Software is that others can step in when the original developers drop the ball.

aristotle
2005-02-09 16:37:53
All programs have bugs. Film at 11.
Haven't we been over this a million times before? What matters is reaction time. It has only been days since the IDN spoof was published. Even if it takes another week for the Mozilla folks to publish a fixed build: I want to see MSFT match that kind of reaction time.
2222227777
2005-02-09 22:20:34
Firefox probs
Well, looks to me like someone working for Internet Explorer is trying to get their own back.
jwenting
2005-02-10 00:10:37
Everyone should stop using FireFox
After all, that's what everyone says about IE every time there's even a rumour of a problem with that product...
jwenting
2005-02-10 00:13:38
Security Bugs and Free/Open Source Software

Microsoft security bugs, on the other hand, are usually not even acknowledged by the company until after exploits have been found in the wild.



Wrong. Most times it's Microsoft themselves who report the problem and the first anyone outside the company knows of it is the appearance of a fix for it.

Of course a lot of people don't then install that fix and later blame Microsoft for not fixing their products...
Alkon
2005-02-10 02:52:51
Everyone should begin/continue using FireFox
I do. Simply because it's technically a better product, with better and more innovative design and much better maintenance (including security issues handling). And it will get even better.


For me, also, there is a good general reason to stop using IE and other MS products, apart from MS technological weaknesses and countless security flaws. It is a good thing to do in life - discontinue artificial monopoly of M$ and open the way for creativity of many good people, that otherwise are artificially kept restricted by M$'s litigations, various legal "devices" - patents and other legal "innovations". We should all stop them from stopping us... Well, sounds good for me!

aristotle
2005-02-10 05:16:49
Security Bugs and Free/Open Source Software
The “usually” in that sentence was wrong indeed, but you can't deny the fact that quite a number of such cases have happened.
jwenting
2005-02-10 07:16:51
All programs have bugs. Film at 11.
Microsoft reaction time is generally hours, days at most (if it happens to be midnight in Seattle...).


Mozilla reaction time is measured in weeks or months.
cdurst
2005-02-10 09:31:18
Security Bugs and Free/Open Source Software
You are correct, I shouldn't have used the word "usually".


A better point to make would have been that Open Source security bugs are often found by reading the code and noticing something like a failure to limit a copy to the size of the receiving buffer.


Cases like that are usually reported as a "buffer overflow vulnerability" and treated as an actual security bug, when in fact there may be no way for oversized data to even reach that part of the code. Or there may be other reasons why it might be impossible to turn the overwrite into a real exploit that's available from outside the program (e.g. if the input data had already been validated or changed in some way).


On the other hand, Microsoft security bugs are often found by outsiders who don't have the source code. This usually means that they have found the problem by actually feeding a MSFT program bad data and that the bad data reached the buggy code and crashed the program.


This means that the typical, reported MSFT overwrite bug is much closer to the surface than most typical, reported overwrite bugs in Open Source code.


This implies that the existence of an actual workable exploit is more likely for the MSFT bugs than the Open Source ones.

csgallagher
2005-02-10 09:33:35
Gralla: Liar, Liar Pants on Fire(fraud)
Gralla falsely claims "...as of this writing, although fixes have been found..." but the TRUTH is what has been attempted are HACKS and if anybody cares to read the articles describing the HACKS they can DISCOVER THE TRUTH that the HACKS themselves only resolve this problem TEMPORARILY


CAN YOU READ MR. GRALLA?


I actually like Fire(fraud) as its current implementation is a joy to work with when developing websites but advocating Fire(fraud) has indeed become little more than a fraudulent campaign of lies and misinformation and the persons such as Mr. Gralla need to stop telling those lies and spreading that misinformation.


When you get your 15 minutes of fame and step out into the lime light you damn well better make sure you do not have a booger on your lip.


-- Clinton Gallagher

babelex
2005-02-10 09:44:15
Fixes
Hi guys


Might be worth you popping over to the reg where a number of more interesting fixes are covered.


much more informative


regards
Al

TimmMurray
2005-02-10 09:50:58
Not Just Firefox
One of these exploits is only possible on Windows because Windows associates certain extensions with certain actions. In this case, naming a GIF/JPEG/whatever file "mumble.exe", then having the user save the image, then double-clicking the image later. This is much less likely to be a problem outside Windows, due to a smaller (but unfortunately, not zero) tendency to ignore the file extension, combined with better privilege separation to limit the extent of possible damage.


The IDC flaw is, as another poster noted, universal to all browsers that implement IDC. IE just happens to not implement IDC. Not a very fair comparison.

chase
2005-02-10 19:05:10
No. Why would anyone ever come to that conclusion?
"After all, that's what everyone says about IE every time there's even a rumour of a problem with that product..."


No. That's what we say after endless confirmed problems in a version 6 product.


No one ever claimed that Firefox would never have any security problems. If this is bad news, what about the ongoing horrendous news about IE?

pyellman
2005-02-11 09:02:05
This is getting downright ridiculous
All right now, folks, this is getting pretty ridiculous now.


This so-called "security vulnerability" in Firefox is simply a result of the implementation of unicode-aware urls to allow for urls in other character sets. For example, the numerical representation for the letter "a" might be 92 in one form of English, but 192 in another character set. So you could think you were at www.a.com, but actually be at a completely different site using Cyrillic character set. The reason IE is not "vulnerable" is that it has not yet issued an update to support internationalized domain names. I suppose one possible way to overcome this "security vulnerability" might be to give more exposure/visibility to the character set currently in use, and embark on some kind of public education campaign about unicode. See below for some of the flaws in that idea.


If you think this is really a major "vulnerability", here are some others that should keep you awake at night:
(1) The use of letters and words to form urls is a security risk. For example, someone could make a url to "www.citydank.com", and a semi-literate, distracted, or tired user might be fooled into thinking that they were at City Bank's website. In fact, you might want to take a quick check to make sure you are at www.oreillynet.com and not www.oreilllynet.com right now.


(2) The alphabet is filthy. It can be used to spell words like "sh*t", and therefore, should be banned.


Sigh.
Peter Yellman
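
The mixed-script lookalike described in the comment above can be detected mechanically. The following is an added example, not part of the original post or thread and not the fix Mozilla shipped: it flags hostname labels that mix scripts and shows them in their ASCII (`xn--`) form instead. The function names, the sample hostnames, and the use of the first word of each character's Unicode name as its script are assumptions of this example.

```python
import unicodedata

def char_script(ch):
    """Approximate a character's script from the first word of its Unicode name."""
    if ch in "0123456789-":
        return "COMMON"  # ASCII digits and hyphen are shared by all scripts
    try:
        return unicodedata.name(ch).split()[0]  # e.g. LATIN, CYRILLIC, GREEK
    except ValueError:
        return "UNKNOWN"  # unnamed code point

def label_scripts(label):
    """Set of scripts used in one dot-separated label, ignoring shared characters."""
    return {char_script(c) for c in label} - {"COMMON"}

def to_display_form(hostname):
    """Return (hostname as it should be shown, list of flagged labels).

    A label that mixes scripts is replaced by its ASCII-compatible
    encoding so the lookalike is no longer rendered as a lookalike.
    """
    shown, flagged = [], []
    for label in hostname.split("."):
        if len(label_scripts(label)) > 1:
            flagged.append(label)
            shown.append(label.encode("idna").decode("ascii"))
        else:
            shown.append(label)
    return ".".join(shown), flagged

if __name__ == "__main__":
    # Constructed samples: the second uses U+0430 (Cyrillic "a") in place of Latin "a".
    for host in ("example.com", "ex\u0430mple.com"):
        shown, flagged = to_display_form(host)
        print(f"{host!r}: show as {shown!r}, mixed-script labels: {flagged}")
```

A label written entirely in one non-Latin script passes this check unchanged, so it does not catch whole-script lookalikes; those need a confusables table or a per-registry character policy.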

teejay
2005-02-14 02:07:51
All programs have bugs. Film at 11.
jwenting, you are plain wrong. (and you can't even do HTML ;p)


Microsoft STILL hasn't fixed bugs in IE and Windows that have been around for years.


Microsoft also have not fixed IE outside of Win XP, so if you are running win2k or win98/ME/95 you are just plain out of luck.


teejay
2005-02-14 02:10:37
Told you so
Firefox follows standards.


They opened up the source code.


People saw the source-code and the bad code and fixed it within mere hours.


You have a problem with that?

wizliz
2005-02-25 06:06:13
Told you so
No, but I guess there's no point in trying to destroy firefox when the 95% of the world uses IE. Doesn't do much for the ego!
ragingguppy
2005-09-08 20:09:01
Everyone should begin/continue using FireFox
I'm seeing a lot of people flaming critics of the firefox browser. (Probably the people on the firefox development team as this is what they do every time someone reports a bug)


As for me I'm about as impressed with firefox as I am with IE. Since I've installed it on my linux machine my browsing consistently slows down. The software crashes ALL THE TIME!!!!!! and during normal operation. I.e., I'm not doing any more than clicking from site to site.


Personally I think the software is crap. Regardless of how innovative the developers think the design is. It's just shit.


I do tech support. I have seen dozens of people call up and not be able to get online with firefox while they can still surf with IE. And no, it's not a firewall. These people had their firewall turned off.



ragingguppy
2005-09-08 20:25:35
Fix in!
I beg to differ. Not putting a feature out when it has security issues IS THE WAY TO GO. I wish you did do this. It would save me from a lot of headaches.


This is another example of the firefox development team's pompous attitude toward users. Flame the user so that he doesn't report bugs and you don't have to fix them. I think the person who wrote the article in the first place should be commended for bringing the issue about the security issue to light. Now people can protect themselves about it. Flaming him shouldn't be your mission.


I'm pretty tired of firefox developers saying they have a secure and decent product when they don't. Don't make false claims. It's the worst browser I've used on the Linux platform.


ragingguppy
2005-09-08 20:35:20
Everyone should stop using FireFox
Hmmm.... A decent alternative is definitely needed on the Linux platform.
Sean
2006-05-03 07:01:52
I think firefox handles security problems quite well as any browser will have security issues. It's just a matter of time until the patch is released.