'Moderately Critical' Vulnerability in Firefox


  • #46
    The fact that people running it know how to secure it (which is a good thing) does not necessarily make the software more secure.
    I didn't claim that it did.

    More users doesn't mean that more good people will be searching the code
    Only if all of them are non-developers.

    Yes and Microsoft resolved that issue
    In Server 2003? I didn't know that, actually.

    Though that still doesn't help Windows vs Linux on the desktop.

    Internet Explorer is supposed to be locked down on Windows 2003 and it is an attack vector when it is being used. If it is not being used (on servers it isn't even in the memory) to browse the internet, it can not be exploited.
    It's about time they figure out what everyone else already knew.

    Being Open Source makes it easier for bad guys to find vulnerabilities and with more bad guys looking, the chances of a previously unknown vulnerability being exploited are much higher.
    The opposite of that, is of course, that more good guys will be searching the code and the chances of a vulnerability being found are much higher. Not only that, the time said vulnerability gets fixed is much less because the person that found it can also fix it. In the case of closed source, if a good guy stumbles upon a vulnerability all that person can do is report it to the company and hope it gets fixed.

    Since the person that finds it can also fix it, the time between a discovered hole and a patched hole is greatly reduced, which negates any loss in having the source open.

    If the person who finds it is bad, something bad will come of it and it is much easier to find a hole in Open Source than it is in Windows.
    And the reverse is exactly true, see above.

    The reason why it doesn't happen often is because finding a hole in it isn't attractive due to marketshare.
    Not in the case of Apache. Apache is the most popular product for webservers yet it has fewer exploits than IIS.

    the fact that it is open makes it no less or more secure than Windows
    Straw-man. A product that is open source may very well be less secure than a closed-source alternative, though I think in practice it is rare. (I think most cases where this is true it is where the open source project is rather small.) Open source has the advantage of allowing anyone to view and fix security holes in a timely manner, but that usually only is beneficial if enough outside developers are interested in the product. That's certainly true for Apache, Linux, and to a lesser extent Mozilla where many developers are very interested in the project and use it themselves.

    Open source is really great for large projects because as the project expands, so does the developer interest, and the bug fixing and hole patching happens at a great enough rate to offset any malicious users.

    The opposite is true for closed-source projects. A closed-source project works better in smaller projects, where the proportion of developers to malicious users remains constant. No company (except maybe Microsoft with its billion$) can keep adding developers to a project as it grows. As a closed source project grows, the only people that can fix vulnerabilities are the internal dev team, whether the project has 1000 users or 10 million.

    There are obviously exceptions to all of this, but that is the general rule where each type has its strengths and weaknesses. The strength of open source is that as the interest grows, outside developers will generally be added proportionately which will hopefully (and usually is) be enough to offset attackers' interest in the project. The downside is that smaller projects may not get the attention they need.

    Closed source's strength is that it lends itself well to smaller projects. It doesn't have the need to be all things to all people, and the developers can remain proportionate to the interest in the project. The downside is that if the project gets too huge, it becomes expensive to keep the ratio of devs to attackers up.

    Okay, couple points. One, I haven't talked about OSX once. Second, I have never said that open source will guarantee that a particular project will be more secure, just that it will be more likely. Thirdly, that article doesn't talk about open source vs closed source at all. And fourthly, when it talks about Linux vendors it says nothing about independent developers which is a clear advantage of open source.

    So tell me, how many terrorist organizations have direct access to the Windows source code? the Linux source code?
    You crack me up. That has nothing to do with what you just said:

    People with malicious intentions would not be decompiling, blind guessing, etc to find holes to exploit.
    You have no proof for that outrageous and silly statement. If that were true there would be no need for patches for Windows or any other closed source applications nor would there ever be any unexpected attacks where attackers took advantage of unknown vulnerabilities.
    TheologyWeb. We debate theology. srsly.


    • #47
      We very much also forget that Linux is subjected to its flaws as well. When people find bugs in Linux, they hit Linux very hard as well because of the severity of the bug.
      ManagerJosh, Owner of 4 XenForo Licenses, 1 vBulletin Legacy License, 1 Internet Brands Suite License
      Director, WorldSims.org | Gaming Hosting Administrator, SimGames.net, Urban Online Entertainment


      • #48
        Originally posted by cirisme
        Only if all of them are non-developers.
        Not everyone can be a developer.

        Originally posted by cirisme
        In Server 2003? I didn't know that, actually.

        Though that still doesn't help Windows vs Linux on the desktop.
        Windows XP SP2 resolves that. Last check it should be out within 2 weeks.

        Originally posted by cirisme
        It's about time they figure out what everyone else already knew.
        They did it and you no longer have that to criticize them by.

        Originally posted by cirisme
        The opposite of that, is of course, that more good guys will be searching the code and the chances of a vulnerability being found are much higher. Not only that, the time said vulnerability gets fixed is much less because the person that found it can also fix it. In the case of closed source, if a good guy stumbles upon a vulnerability all that person can do is report it to the company and hope it gets fixed.
        There are home users that don't even know what source code is. I really don't think that the ratio, assuming it cancels itself out, can be sustained as the popularity goes up.

        Originally posted by cirisme
        Since the person that finds it can also fix it, the time between a discovered hole and a patched hole is greatly reduced, which negates any loss in having the source open.
        What if a bad person finds it? Yeah he/she could fix it but he/she wasn't looking for holes to fix... He/she was looking for holes to exploit.

        Originally posted by cirisme
        And the reverse is exactly true, see above.
        We don't need to make it easier for bad people to find holes.

        Originally posted by cirisme
        Not in the case of Apache. Apache is the most popular product for webservers yet it has fewer exploits than IIS.
        It is server software on the most user unfriendly OS in the world. People running it must know how to use it and therefore how to lock it down.

        Originally posted by cirisme
        Straw-man. A product that is open source may very well be less secure than a closed-source alternative, though I think in practice it is rare. (I think most cases where this is true it is where the open source project is rather small.) Open source has the advantage of allowing anyone to view and fix security holes in a timely manner, but that usually only is beneficial if enough outside developers are interested in the product. That's certainly true for Apache, Linux, and to a lesser extent Mozilla where many developers are very interested in the project and use it themselves.

        Open source is really great for large projects because as the project expands, so does the developer interest, and the bug fixing and hole patching happens at a great enough rate to offset any malicious users.

        The opposite is true for closed-source projects. A closed-source project works better in smaller projects, where the proportion of developers to malicious users remains constant. No company (except maybe Microsoft with its billion$) can keep adding developers to a project as it grows. As a closed source project grows, the only people that can fix vulnerabilities are the internal dev team, whether the project has 1000 users or 10 million.
        Open Source can't afford to keep adding developers too as it does not put food on the table and is paid for by government grants. The government gets its money from the people who actually make money. They can't increase the size of grants exponentially.

        Originally posted by cirisme
        Closed source's strength is that it lends itself well to smaller projects. It doesn't have the need to be all things to all people, and the developers can remain proportionate to the interest in the project. The downside is that if the project gets too huge, it becomes expensive to keep the ratio of devs to attackers up.
        I wouldn't say that as it can fall back on the fact that it is closed source and thus difficult to reverse engineer which adds time to the amount required for an evil person to find exploits.

        Originally posted by cirisme
        Okay, couple points. One, I haven't talked about OSX once. Second, I have never said that open source will guarantee that a particular project will be more secure, just that it will be more likely. Thirdly, that article doesn't talk about open source vs closed source at all. And fourthly, when it talks about Linux vendors it says nothing about independent developers which is a clear advantage of open source.
        Yes it does:

        Microsoft products are researched more because of their wide use, while open-source products are easier to analyse because researchers have general access to the source code, Kristensen said. "A product is not necessarily more secure because fewer vulnerabilities are discovered," he added.
        You say that Linux is more secure than Windows. Linux's marketshare is negligible therefore less people search for holes and less are discovered. That states that it is not necessarily more secure because fewer vulnerabilities are discovered.

        Originally posted by cirisme
        You crack me up. That has nothing to do with what you just said:
        I've said that switching to Open Source is not the answer and I stand by it. Being Open makes the source code easier to analyze. Terrorists would want to find and use vulnerabilities in a way that will allow them to invoke fear in the hearts of people. If they could break into a government system, they would be able to accomplish their goal in one way or another. Open source makes that easier and therefore is not an answer.

        Originally posted by cirisme
        You have no proof for that outrageous and silly statement. If that were true there would be no need for patches for Windows or any other closed source applications nor would there ever be any unexpected attacks where attackers took advantage of unknown vulnerabilities.
        If Windows had 0.1% of the market and was closed source, why would people with malicious intentions even bother exploiting it?


        • #49
          I couldn't get the patch to work. I just downloaded .9.2


          • #50
            Originally posted by Vile
            Lol, are you people too busy with your anti-Microsoft crusade that you fail to understand why it is that hackers and other people target Microsoft so much?
            Do you honestly not get why so many holes and security issues are found with Windows and less so with other OS'?

            Try being number one, and at the top for years and years. Try being the most popular and most widely used OS/software throughout the world, and you'll see this will happen with anything.

            Common sense people, common sense.
            There's far more to it than that though. Most of that is covered below already, but one point I've failed to see mentioned much: patching speed.

            Microsoft is one of the slowest corporations in the world to patch security holes. There have been around 30 major security leaks in Internet Explorer that had existed for months (up to a year, with a few of them) that Microsoft was perfectly aware of, but did nothing about to fix.

            You'll never find a security leak in Linux or Mozilla or Firefox or something like that, that doesn't get patched blisteringly fast.

            One of the main reasons why people are so against Microsoft is because Microsoft has, for the longest time, not given a d*mn about security. Or standards, and that's why most modern web developers really dislike MS.

            It wasn't until like 5 months ago or so that MS finally started patching the list of security holes in IE (almost all of which allowed websites to format the harddrive, for instance). Some of them were known since 2002.

            Anyone who thinks he'll find a security hole in Mozilla or Linux that's been known since 2002, needs to lay off the dope and get some reality knocked into them.


            Originally posted by Jake Bunce
            I opened the file in Firefox. Nothing.
            Check your settings to see if you have Software Installation enabled.


            Originally posted by Shining Arcanine
            (lots of babbling)
            Some of what you said is true, but plenty of it is just crap from a very one-sided perspective.

            Security is not just an issue of popularity and open source / closed source. Security is first and foremost an issue of being coded properly. There will forever be security holes in any major software product; OS or otherwise. Being closed source makes it harder for people to find bugs, but if your product is coded really poorly, people will still find more bugs because of that. On the other hand, open source makes it easier to find bugs as you can just see the source code, but if it's coded far better (== more secure), then people will find less bugs because of that.

            Mathematically, you simply can't say that Linux is less secure than Windows; that's bullfeces, as you can't make such a decision based solely on the arguments you used. There's more to it, and one hugely important factor cannot be weighed in because Microsoft's products are closed source: quality of code. You can't possibly compare Windows to Linux properly without having full access to the sourcecode of Windows, and that's not really the case.

            Originally posted by Shining Arcanine
            I've said that switching to Open Source is not the answer and I stand by it. Being Open makes the source code easier to analyze. Terrorists would want to find and use vulnerabilities in a way that will allow them to invoke fear in the hearts of people. If they could break into a government system, they would be able to accomplish their goal in one way or another. Open source makes that easier and therefore is not an answer.
            Yeah, so that's why the well-informed governments are slowly migrating to Linux on all of their offices now... </sarcasm>


            • #51
              I was under the impression that this topic was about Mozilla fixing a loophole; not about Windows is better than Linux or vice versa...

              Some people need to get a life


              • #52
                I agree with a lot of the things said.

                An insecure application, speaking on behalf of Linux, doesn't necessarily make the Operating insecure!

                Windows has had its fair share of issues, along with Linux. So I've read, Windows NT meets NSA's evaluation criteria (C2) better than what Linux does.
                Computer Networking Forums
                www.unlocked-networks.com


                • #53
                  Good post Faruk.
                  TheologyWeb. We debate theology. srsly.


                  • #54
                    Winblows

                    I thought maybe there was an issue with Firefox. As mentioned it's a winblows issue the open sourcers are trying to patch for winblows. I agree with the above, M$ doesn't patch their software. When they do... They hold on to it (service pack 2) so they can make a big deal out of it. Being there are security fixes in SP2, you would think they wouldn't dangle it over people's heads waiting for a bark. It now takes almost an hour to update the original XP pro with a 3MB download roadrunner line. A patch for a patch for a patch for a patch and then of course the software isn't patched. If you were on dial up, you'd be hacked before you ever retrieved the software updates.

                    You know, winblows hasn't changed ever. You still have to reboot several times just to install and update. Reboot, reboot, reboot, reboot, patch, patch, patch.... and so on.

                    When was the last time you had to reboot a linux machine due to updating or installing a single program?

                    Thanks. That was my M$ rant for the day.
                    Last edited by Hooper; Tue 13 Jul '04, 8:27am.


                    • #55
                      Originally posted by Hooper
                      It now takes almost an hour to update the original XP pro with a 3MB download roadrunner line. A patch for a patch for a patch for a patch and then of course the software isn't patched. If you were on dial up, you'd be hacked before you ever retrieved the software updates.
                      You know, you can order a free CD with all updates up to March 2004. Saves a bit of downloading time.


                      • #56
                        Originally posted by Vile
                        Lol, are you people too busy with your anti-Microsoft crusade that you fail to understand why it is that hackers and other people target Microsoft so much?
                        Do you honestly not get why so many holes and security issues are found with Windows and less so with other OS'?

                        Try being number one, and at the top for years and years. Try being the most popular and most widely used OS/software throughout the world, and you'll see this will happen with anything.

                        Common sense people, common sense.
                        That doesn't mean that Linux would be nearly as exploited as Windows if it were #1. Especially when you have several distributions that are compiled differently, Gentoo and other source distributions where you compile things yourself, running on several different platforms and etc.

                        Microsoft being big is one thing, but wouldn't the bragging rights of having the first widespread virus/worm of Linux or some other OS be enough to cause people to try for it? Unless the virus can magically find a hole, compile itself, etc, a Linux virus/worm would be extremely difficult to be widespread.

                        Of course now I'm going on a tangent about something I don't know a whole lot about, so I'm shutting up.


                        • #57
                          Originally posted by Hooper
                          When was the last time you had to reboot a linux machine due to updating or installing a single program?
                          Umm... umm... *thinks*... umm... I had to reboot after I compiled and installed a new kernel.


                          • #58
                            Originally posted by squall14716
                            Umm... umm... *thinks*... umm... I had to reboot after I compiled and installed a new kernel.
                            And that's one of the very few things that will always require a reboot, with Linux.

                            Oh look! I have WinXP updates to install... oh look, they require a reboot...
