'Moderately Critical' Vulnerability in Firefox


  • #31
    Originally posted by Jake Bunce
    How do you run that file?
    linux only
    Trent Gillespie Mod Theater Gillespie Photography

    Comment


    • #32
      Originally posted by Jake Bunce
      How do you run that file?
      No, you have to open the link through Firefox and it should install it just like any other extension.
      Surrix.net: Computer help forums/articles

      The person in my avatar is Elisha Cuthbert she plays on Fox's 24

      Comment


      • #33
        I opened the file in Firefox. Nothing.

        Comment


        • #34
          Originally posted by Vile
          Lol, are you people too busy with your anti-Microsoft crusade that you fail to understand why it is that hackers and other people target Microsoft so much?
          Do you honestly not get why so many holes and security issues are found with Windows and less so with other OS'?

          Try being number one, and at the top for years and years. Try being the most popular and most widely OS/software throughout the world, and you'll see this will happen with anything.

          Common sense people, common sense.
          It doesn't matter why people are targeting Microsoft. The fact is Windows is not a secure environment, and has not been one for many years.

          Like I said, if you care about security, you would switch to a more secure OS i.e. Linux.
          Raz - KMC Forums

          Comment


          • #35
            Originally posted by Jake Bunce
            I opened the file in Firefox. Nothing.
            Then just download 0.9.2 here: http://www.mozilla.org/products/firefox/
            Raz - KMC Forums

            Comment


            • #36
              Originally posted by Cloud Strife
              I don't know what you're all arguing about... Linux IS more secure than Windows, that's a fact... And the main reason behind it is due to permissions.
              While this is true, it slightly misses the point.

              The Linux permissions system (and many other *nix based O/S) are inherently more secure than Windows because the executable permission is not determined by file extension, like Windows. Under Linux, a file must be given permission to be executable (chmod a+x program) before it can be run. With Windows, if that file is a .vbs .bat .exe for example, it can be executed. Thus, why so many Windows users suffer from malicious files sent to them in an e-mail.

              So let's hypothetically fast forward 5 years. Linux holds a greater market share, let's say 30%. Because Linux is more popular and has a large segment of the market, will it make it any less secure? Yes it will. And by being less secure the problems are resolved, and fixed fast we already know.

              As already mentioned, your software will have vulnerabilities. They need identifying, fixing, and all of your users to run the patch. Isn't it better this happens sooner (when you have a smaller market share) than later (when you have a greater market share, and your broken product is used by lots more people). And this is the problem with Internet Explorer, there are still users out there browsing their favourite pr0n web sites with IE 5.x which is like swiss cheese.

              Originally posted by Cloud Strife
              Think about it, if a virus writer for example wanted to target a Windows box, he'd make a virus that would execute and that's all, now when it comes to Linux on the other hand, the virus writer has to find a way to bypass the permissions, because people will mostly be running in user mode rather than root mode, it's just the way it's set up....
              Again, if the Linux desktop market share picks up, we must make sure that the users are educated and do not run software as root. Poor user education means that any bad habits which leave their system wide open to being exploited are not migrated with the user, and that means the current Windows users who log in as Administrator not running their userland programs as root on a Linux box. Or else they need a slap!
              HP DL-380 G6, 2x E5520, 28GB RAM, 4x300GB SAS, VMWare ESXi
              -
              Unreal Tournament : Assault forums - irc://irc.utassault.net:6667 -

              Comment


              • #37
                Originally posted by Kier



                Looks like Mozilla isn't the panacea that so many people make it out to be. No sooner has Microsoft fixed a hole that allows the browser to run executables without intervention from the user than Mozilla develops its own flaw in the same ilk.

                Firefox 0.9.2 has been released to deal with the problem.
                I've been telling people that Firefox is no more or less secure than Internet Explorer, more holes are found in IE because it is more frequently used and people with malicious intentions have direct access to the source code thus making it easier to find vulnerabilities but did they listen? No...


                Originally posted by cirisme
                This only affects Windows. If you use Mac/Linux you are unaffected. As for this...



                No sooner? It took Microsoft a week to fix a hole in IE after a known wild exploit, it took Mozilla a day after a known exploit.
                Microsoft could fix a hole in a second but that would break stuff so they try to patch the vulnerability in a way that doesn't affect existing functionality.


                Originally posted by cirisme
                AFAIK, (though of course this could be wrong) there is no 'wild' exploit making its rounds. Just demonstrations of this vulnerability.

                It was discovered before attackers even started using it, apparently.

                Finding exploits this way (before attackers get a chance to use it, and especially before FF 1.0) is a good thing so they can be fixed quickly and make Mozilla overall more secure.

                The question isn't whether there are security holes (there are holes in vBulletin), but whether the good guys find them before the bad guys get to use them. The good guys won this time.
                I doubt that there are many people with malicious intentions looking for holes in Firefox for one reason... Firefox has an insignificant share of the market. When it has a significant share we'll see more vulnerabilities popping up.


                Originally posted by CeleronXT
                Once again, ignoring the fact that this is a Windows hole, not a Firefox hole. Fx is still written for security. Please read.
                And it uses Firefox as an attack vector.


                Originally posted by Raz Meister
                If you really care about security, you should quit Windows
                http://www.computerweekly.com/articl...earch=&nPage=1


                Other Operating Systems are no less or more secure than Windows. Even with negligible marketshare. If they had a significant marketshare... They would be exploited MORE than Windows.


                Originally posted by chrispadfield
                Vile, it's more complicated than just being popular; Microsoft's new "Trustworthy computing" and SP2 which is based around security features is testament to Microsoft realising they need to raise their game level on security, whether you think they need to or not.

                Of course, if 95% of people used Linux my guess is there would be some more security holes found, but generally if there is a gaping Linux security hole it's going to be found quite quickly because it's visible source; in the same way if there is a hole found in vBulletin it won't take that long for it to be found so I wonder if it being more popular would mean that that many more are found; I am sure there are enough people reading or have read most of the source code already.

                I think one of the bigger problems Microsoft faces is all the newbies use Microsoft, Linux doesn't even try to cater for them (bar maybe Lindows). That is where part of the problem is; how do you balance security with ease of use. If you want a newbie to set up their own wireless network for example, do you make it very easy with less security or harder (so they might not be able to do it) but more secure? I think MS has opted for easy over security in the past but are moving now a bit in the other direction - this is probably a good thing.

                The security for IE is another matter; I don't really know what MS browser product plan is, but in my mind it's in Microsoft's interests to destroy the browser; MS makes money selling an OS so they want applications to remain on the OS. Improving the browser so that more and more applications can be run in it is probably not good for their business plan, as it makes the app OS independent.
                Windows XP SP2 is immune to virtually all of the vulnerabilities being discovered in Windows XP. When it is out, we can expect a significant decrease in vulnerabilities discovered.


                Originally posted by cirisme
                It's obvious, of course, that the more people that use and tinker with a program the more problems (both security and otherwise) will be found. 10,000 people will find fewer bugs than 10 Million. That's really obvious, imho. What's not obvious is what that means. Does it mean that the one with 10 Million will always have gaping security holes at every turn? Not necessarily.

                For a real life demonstration of this, look at the Apache server. According to Netcraft, Apache was at 67% and IIS has 21% in June, with July virtually unchanged so far.
                I'd like to add that the people running web servers (especially Apache since you almost have to know what you're doing to configure it) know how to secure them.


                Originally posted by cirisme
                I'm not disputing the fact that attackers will focus on a product because it is popular. That's obvious, I agree with that. What I am disputing is that Windows is insecure merely because it's popular. A product can be #1 and remain more secure than the competition(see Apache) which means there are deeper issues with Windows than just popularity, whatever those issues might be.
                You'll have a hard time doing that since with Windows people with malicious intentions have to go through decompilation, blind guessing, etc to find holes as it is Closed Source but with Linux they just have to look through the source code to find holes as it is Open Source. They cover a lot more ground with Linux than they do with Windows per day and if you mathematically eliminate the popularity difference, mathematically speaking Linux is less secure than Windows.


                Originally posted by Cloud Strife
                I don't know what you're all arguing about... Linux IS more secure than Windows, that's a fact... And the main reason behind it is due to permissions. Think about it, if a virus writer for example wanted to target a Windows box, he'd make a virus that would execute and that's all, now when it comes to Linux on the other hand, the virus writer has to find a way to bypass the permissions, because people will mostly be running in user mode rather than root mode, it's just the way it's set up....
                If you haven't checked, Windows NT also has permissions and as I said in response to cirisme, Linux is mathematically less secure than Windows.


                Originally posted by cirisme
                Of course.

                But if popularity determined who had worse security, Apache should be the most vulnerable out there yet it is one of the better ones, at least better than IIS. That at least shows the blanket statement, "X program is only vulnerable because it's popular" is silly.
                The people running Apache know how to secure it (e.g. turn things they don't use off) therefore vulnerabilities that would be there are not. Some people running IIS are not as lucky (they leave EVERYTHING on). Microsoft changed this situation in IIS6 which is a part of Windows 2003.


                Originally posted by Vile
                Maybe that's one of the benefits of Unix / Open Source?
                Open Source makes things less secure as a person with malicious intentions can go through quite a bit of the code to find vulnerabilities in a very short time while with Windows they have to decompile, blind guess, etc to find vulnerabilities.

                Originally posted by Vile
                The main reason, not the only reason.
                I agree. The fact that Windows is closed source is making it more secure than it would be if it was open source.


                Originally posted by cirisme
                I'd say a popular open source project (at least, only if it's popular with developers) is beneficial to the program more so than a closed source program. You have more eyes looking at the code and finding holes, whereas a closed program always has a set number of people watching the code and looking for holes and only the really dedicated people will try to reverse engineer it and try to find memory leaks, flaws in communication, etc.

                My theory anyway.
                While that is certainly true, it is absurdly easy for people with malicious intentions to search the source code thus eroding the benefit of the additional people with good intentions.

                Originally posted by cirisme
                Either way, it's silly. The cause of vulnerabilities is not people using your program, it's because, for whatever reason, exploits have slipped in. If Windows was used by just a few thousand users, it would be exactly as exploitable as it is now...because all the exploits would still exist.
                People with malicious intentions would not be decompiling, blind guessing, etc to find holes to exploit. Therefore it would be extremely rare to hear about an exploit.


                Originally posted by Raz Meister
                It doesn't matter why people are targeting Microsoft. The fact is Windows is not a secure environment, and has not been one for many years.

                Like I said, if you care about security, you would switch to a more secure OS i.e. Linux.
                http://www.computerweekly.com/articl...earch=&nPage=1


                That shows that Linux is not more secure than Windows. Mathematically speaking if more people were using Linux more exploits would be found making Linux less secure than Windows.


                Originally posted by Martz
                So let's hypothetically fast forward 5 years. Linux holds a greater market share, let's say 30%. Because Linux is more popular and has a large segment of the market, will it make it any less secure? Yes it will. And by being less secure the problems are resolved, and fixed fast we already know.
                People have been saying that Linux was gaining marketshare for a decade now and it is only at 1% and that is because Unix is dying... I doubt it will be at 5% any time within the next decade and 5% is an extremely liberal estimate.
                Last edited by Shining Arcanine; Mon 12 Jul '04, 6:29am.

                Comment


                • #38
                  Microsoft could fix a hole in a second but that would break stuff so they try to patch the vulnerability in a way that doesn't affect existing functionality.
                  Doesn't matter why there's a difference in time. To say that Mozilla took as much time as Microsoft to patch their product is completely false, unless you live in a world where a week is the same amount of time as a day.
                  TheologyWeb. We debate theology. srsly.

                  Comment


                  • #39
                    So let's hypothetically fast forward 5 years. Linux holds a greater market share, let's say 30%. Because Linux is more popular and has a large segment of the market, will it make it any less secure? Yes it will.
                    Less secure than...?

                    Certainly not less secure than today. Being popular doesn't just magically insert vulnerabilities into code. Any security holes that exist in the hypothetical 30% Linux exist in the real 2% (or whatever it is) Linux today.
                    TheologyWeb. We debate theology. srsly.

                    Comment


                    • #40
                      Originally posted by cirisme
                      Doesn't matter why there's a difference in time. To say that Mozilla took as much time as Microsoft to patch their product is completely false, unless you live in a world where a week is the same amount of time as a day.
                      They probably set the record for patching Open Source software but this is only 1 hole and Mozilla is not the only Open Source software in the world.

                      Comment


                      • #41
                        Originally posted by Shining Arcanine
                        They probably set the record for patching Open Source software but this is only 1 hole and Mozilla is not the only Open Source software in the world.
                        I honestly have no idea what the last two things you've said to me in this thread have to do with anything I've said.

                        :scratches head:
                        TheologyWeb. We debate theology. srsly.

                        Comment


                        • #42
                          Originally posted by tgillespie
                          linux only
                          Actually, an *.xpi file is a Firefox extension. Open it in FF and it should come up with a dialog asking you to install an extension.

                          It's only necessary on Windows and with Firefox 0.9.1 and earlier, though.
                          TheologyWeb. We debate theology. srsly.

                          Comment


                          • #43
                            Originally posted by cirisme
                            I honestly have no idea what the last two things you've said to me in this thread have to do with anything I've said.

                            :scratches head:
                            You said that there is a difference in time.

                            Comment


                            • #44
                              I doubt that there are many people with malicious intentions looking for holes in Firefox for one reason... Firefox has an insignificant share of the market. When it has a significant share we'll see more vulnerabilities popping up.
                              No, because as I've said before, vulnerabilities don't just magically appear when a product is popular. They're there regardless of popularity.

                              I'd like to add that the people running web servers (especially Apache since you almost have to know what you're doing to configure it) know how to secure them.
                              Irrelevant to the point.

                              You'll have a hard time doing that since with Windows people with malicious intentions have to go through decompilation, blind guessing, etc to find holes as it is Closed Source but with Linux they just have to look through the source code to find holes as it is Open Source.
                              Guess what: that applies to both good and bad people.

                              Good people outside the organization can do this, too, and, surprise surprise, they can fix themselves if they want.

                              They cover a lot more ground with Linux than they do with Windows per day and if you mathematically eliminate the popularity difference, mathematically speaking Linux is less secure than Windows.
                              Only if Windows weren't inherently less secure. Read below.

                              The people running Apache know how to secure it (e.g. turn things they don't use off)
                              You hit the hammer on the head with the "e.g. turn things they don't use off". This is precisely what's wrong with Microsoft in such a big way.

                              I can set up a server and have only the bare necessities. It's a server, so I don't need Mozilla on it. When a vulnerability is found in Mozilla, I don't even have to think about it. My server is perfectly secure, because I have no need to have Mozilla on a server.

                              On a Windows platform, when a vulnerability is found in Internet Explorer, I have much to worry about, whether I use it or not. It's so deeply tied to the OS, I can't remove it, I can't disable it, I'm just sitting with an inherently insecure setup until Microsoft decides to fix it.

                              That deep integration is what makes Windows inherently less secure than other less-integrated platforms.

                              Open Source makes things less secure as a person with malicious intentions can go through quite a bit of the code to find vulnerabilities in a very short time while with Windows they have to decompile, blind guess, etc to find vulnerabilities.
                              That falsely presumes a couple things. One, that the only people looking for vulnerabilities will be bad guys, and good people within the organization. (ie, good guys not working on the project will never look for vulnerabilities)

                              This is obviously not true, simply based on all the vulnerabilities reported to Microsoft, and even Jelsoft, by people outside the company looking for them.

                              Secondly, it presumes that there is no good that can be done if someone outside the project finds a vulnerability. In a closed source set up, if I find a vulnerability all I can do is report it to the company and hope they fix it. In an open source set up, I can fix it myself, or hire someone to do it without waiting on the project. That makes it much more secure and valuable to me.

                              People with malicious intentions would not be decompiling, blind guessing, etc to find holes to exploit.
                              Good heavens, I can't believe you just said that.

                              While that's true of script kiddies, it's hardly true of others.
                              TheologyWeb. We debate theology. srsly.

                              Comment


                              • #45
                                Originally posted by cirisme
                                No, because as I've said before, vulnerabilities don't just magically appear when a product is popular. They're there regardless of popularity.
                                I agree. However that doesn't mean that if they're not discovered they don't exist.

                                Originally posted by cirisme
                                Irrelevant to the point.
                                The fact that people running it know how to secure it (which is a good thing) does not necessarily make the software more secure. It can be placed in an insecure configuration.

                                Originally posted by cirisme
                                Guess what: that applies to both good and bad people.

                                Good people outside the organization can do this, too, and, surprise surprise, they can fix themselves if they want.
                                More users doesn't mean that more good people will be searching the code but it would make searching for holes to exploit more attractive on that platform.

                                Originally posted by cirisme
                                Only if Windows weren't inherently less secure. Read below.
                                Not according to:

                                http://www.computerweekly.com/articl...earch=&nPage=1

                                Originally posted by cirisme
                                You hit the hammer on the head with the "e.g. turn things they don't use off". This is precisely what's wrong with Microsoft in such a big way.
                                Yes and Microsoft resolved that issue. If you insist on attacking earlier versions of Windows regarding security I'll start on earlier versions of Linux regarding security.

                                Originally posted by cirisme
                                I can set up a server and have only the bare necessities. It's a server, so I don't need Mozilla on it. When a vulnerability is found in Mozilla, I don't even have to think about it. My server is perfectly secure, because I have no need to have Mozilla on a server.

                                On a Windows platform, when a vulnerability is found in Internet Explorer, I have much to worry about, whether I use it or not. It's so deeply tied to the OS, I can't remove it, I can't disable it, I'm just sitting with an inherently insecure setup until Microsoft decides to fix it.

                                That deep integration is what makes Windows inherently less secure than other less-integrated platforms.
                                Internet Explorer is supposed to be locked down on Windows 2003 and it is an attack vector when it is being used. If it is not being used (on servers it isn't even in the memory) to browse the internet, it can not be exploited.

                                Originally posted by cirisme
                                That falsely presumes a couple things. One, that the only people looking for vulnerabilities will be bad guys, and good people within the organization. (ie, good guys not working on the project will never look for vulnerabilities)

                                This is obviously not true, simply based on all the vulnerabilities reported to Microsoft, and even Jelsoft, by people outside the company looking for them.
                                Being Open Source makes it easier for bad guys to find vulnerabilities and with more bad guys looking, the chances of a previously unknown vulnerability being exploited is much higher.

                                Originally posted by cirisme
                                Secondly, it presumes that there is no good that can be done if someone outside the project finds a vulnerability. In a closed source set up, if I find a vulnerability all I can do is report it to the company and hope they fix it. In an open source set up, I can fix it myself, or hire someone to do it without waiting on the project. That makes it much more secure and valuable to me.
                                If the person who finds it is bad, something bad will come of it and it is much easier to find a hole in Open Source than it is in Windows. The reason why it doesn't happen often is because finding a hole in it isn't attractive due to marketshare. And even with its marketshare security advantage (less marketshare = more security), the fact that it is open makes it no less or more secure than Windows:

                                http://www.computerweekly.com/articl...earch=&nPage=1

                                Originally posted by cirisme
                                Good heavens, I can't believe you just said that.

                                While that's true of script kiddies, it's hardly true of others.
                                So tell me, how many terrorist organizations have direct access to the Windows source code? the Linux source code?

                                Comment
