The two pieces of exploit code, posted online earlier this week, take advantage of a security vulnerability in Firefox that Mozilla patched in an update Thursday. In response to the exploit release, the browser maker on Tuesday upgraded the severity rating of the flaw from "moderate" to "critical," its most serious rating.
"This exploit was published after we released the 1.5.0.1 update," said Mike Schroepfer, vice president of engineering at Mozilla. "Most of our users had already been upgraded by the time this exploit was published."
The code could be used to commandeer computers running a vulnerable version of the open-source Web browser on Linux or Mac OS X. It was published as part of the Metasploit Framework, a widely used penetration-testing toolkit.
The flaw exists only in Firefox 1.5 and is fixed in Firefox 1.5.0.1; the earlier 1.0.x releases are not affected. According to Mozilla's advisory, the bug causes memory corruption that an attacker can use to run code of their choosing on a vulnerable machine. The corruption is triggered by calling the "QueryInterface" method of the browser's built-in Location and Navigator objects, a call that is reachable from script on a web page.
Firefox users have already been urged to install the patched version of the browser. Security monitoring company Secunia last week rated the vulnerabilities addressed by the update "highly critical," and Mozilla has been distributing the fix through the browser's automatic update mechanism.
If for some reason users have not upgraded, they should definitely do so, Schroepfer said.
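A practical follow-up to that advice is finding the machines that have not moved to 1.5.0.1 yet. The script below is an added example, not code from the article or from Mozilla: it scans constructed web-server access log lines (sample data, not real traffic) for Firefox User-Agent strings and flags every build in the affected range the article gives, 1.5 up to but not including 1.5.0.1. Version numbers are compared as integer tuples so that 1.5 sorts below 1.5.0.1 and 1.0.7 sorts below 1.5.

```python
import re

# Constructed sample access-log lines (not from the article). The
# User-Agent is the last double-quoted field on each line.
SAMPLE_LOG = """\
10.0.0.11 - - [09/Feb/2006:09:12:01 -0500] "GET /index.html HTTP/1.1" 200 5120 "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051111 Firefox/1.5"
10.0.0.12 - - [09/Feb/2006:09:12:07 -0500] "GET /index.html HTTP/1.1" 200 5120 "Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1"
10.0.0.13 - - [09/Feb/2006:09:12:09 -0500] "GET /index.html HTTP/1.1" 200 5120 "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7"
10.0.0.14 - - [09/Feb/2006:09:12:15 -0500] "GET /index.html HTTP/1.1" 200 5120 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
10.0.0.15 - - [09/Feb/2006:09:12:20 -0500] "GET /index.html HTTP/1.1" 200 5120 "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20051111 Firefox/1.5"
"""

# Boundaries taken from the article: the bug exists only in Firefox 1.5
# and was fixed in 1.5.0.1.
FIRST_AFFECTED = (1, 5)
FIXED_IN = (1, 5, 0, 1)

# Last quoted field on the line; [^"]* cannot cross a quote, so only the
# final pair of quotes can satisfy the trailing anchor.
_UA_RE = re.compile(r'"([^"]*)"\s*$')
_FF_RE = re.compile(r'\bFirefox/(\d+(?:\.\d+)*)')


def parse_version(user_agent):
    """Return the Firefox version as an int tuple, or None if not Firefox."""
    m = _FF_RE.search(user_agent)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split('.'))


def is_affected(version):
    """True when the build is 1.5 or later but older than the 1.5.0.1 fix."""
    return version is not None and FIRST_AFFECTED <= version < FIXED_IN


def scan_log(text):
    """Return (client_ip, version_string) for each line whose Firefox build
    falls in the affected range."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = _UA_RE.search(line)
        if not m:
            continue
        version = parse_version(m.group(1))
        if is_affected(version):
            client_ip = line.split()[0]
            hits.append((client_ip, '.'.join(str(p) for p in version)))
    return hits


if __name__ == '__main__':
    for ip, ver in scan_log(SAMPLE_LOG):
        print(f"{ip} still runs Firefox {ver}: needs 1.5.0.1 or later")
```

The check is an inventory aid, not proof of exposure: the User-Agent header is self-reported and trivial to alter, and the flaw is in Firefox 1.5 on every platform even though the published exploit targets Linux and Mac OS X, so a Windows host reporting Firefox/1.5 is flagged as well.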
The fact it has seen a security exploit is both a negative and positive event. It's negative in that flaws are not good and it reflects on the security of the browser that was touted as built around security. It is positive that this newcomer browser has garnered so much attention in its short lifespan to be considered worthy of the attention of the scum hackers.
Welcome to the big time, Firefox, and take your place alongside Windows, IE, OSX, Linux and others that have made enough impact to be hacked at in this imperfect world of software written by humans.
Here's a full bug list https://bugzilla.mozilla.org/buglist.cgi?&product=Firefox&bug_status=UNCONFIRMED&bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&bug_status=RESOLVED&resolution=WONTFIX&resolution=---
There have been no zero-day exploits for IE in the last year. There was the WMF flaw, but that was a Windows flaw, not IE, and it affected you even if you used Firefox.
OTOH, Firefox has had at least one Zero Day exploit. Not the case of this last one, but that doesn't magically make past incidents disappear.
So the argument goes actually the other way. If you count zero day exploits, IE has a big edge over FF.
Now, the whole point is moot. The interesting part of this is not that FF has an exploit. It's that all the MS bashers that have nothing else to do than to criticize anything Microsoft does now have to go on claiming what they always criticize MS fanboys for saying. All software has flaws. It's the ability to handle them effectively and quickly that matters. All other considerations are of little importance.
Not logging in with an administrative account is a big plus in security. I wish I could convince Windows users to follow the same practice that many Linux users do out of habit... log in with a generic user account unless you need administrative privileges. Remember, security is not just the responsibility of the OS.
In software we also struggle with the fact that it's a young industry, relative to other engineering disciplines. There is a growing movement in the industry, especially at the university level, to work towards remedying those issues with the introduction of formal engineering practices into software. It's slow going though because there is an existing mentality of corporate rebellion (if the term rebellion can really be applied to throngs of nerds) and informality already ingrained in the current crop of developers. We are already seeing more college grads that come from "Software Engineering" programs, rather than traditional computer science studies.
So you can't go to a site that uses ActiveX, complain to the site and use Firefox.
Pre-emptive fixing, gotta love it! :)
and I guess now you can say it's just about as secure as FF, but since FF has exploits and IE has exploits and they will all continue to have exploits then really who cares?
IE7 baby
It's great: http://www.microsoft.com/windows/ie/ie7/default.mspx
Have a great day...
there are still plenty of OTHER reasons to use Firefox - the main one being its commitment towards standards compliance.
MS users typically have a negative attitude towards this - 'it works for me and 90% of the world, so who cares' - which is one reason the other 10% of people get so annoyed. If MS would make their browser standards compliant (breaking all those IE only web pages in the process, so not likely) then a lot of that anger would go away, because people would have a free choice in what they use - at the moment, their choice is limited by the action of others.
'Quit whining and use IE' seems to be the line, but that's holding back innovation - I don't see IE on my PSP or PS2 or set-top box or PDA or Phone - ALL of which can connect to the Internet.
There's also the fact that Firefox is massively extensible, and rapidly changing, while it's taken years to get tabbed browsing into IE. You get a similar thing happening with Apple's 'Safari' browser - new features only come along with a new version of the OS, while other browsers innovate around it.
Oh yes - as my other post says - schadenfreude is no basis for a security policy.
I figured once FF got some market share and thus started to become a target for hackers that this would start happening.
Firefox, especially if you run the NOSCRIPT extension is pretty much impervious to these types of threats.
We will see what IE7 has to offer, but unless they drop active X they are going to remain vulnerable.
There is no question, for the average user, FireFox is safer than IE.
This has become ridiculous, not that I expected anything more, but what you have is one side hell bent on proving that IE is just as safe and secure as anything else out there and the other side hell bent on proving them wrong. The fact is IE can be just as secure as Firefox and Firefox can be just as insecure as IE. It does boil down to how each is used and updated. Firefox is updated faster generally than IE. Of course one could say that as long as IE has been out without any significant updates that it should be rock solid and bulletproof.
I have gone from looking so much at security and all the bells and whistles of a browser to looking at its usability, stability, and, as a web developer, codeability.
Here's my assessment. IE is a simple interface that most people are used to. It renders most pages as long as they are not too heavy into the W3C standards. Most people will be just as happy with IE as I am with Firefox. From a web developer's point of view, I hate IE for not even coming close to trying to be more standards compliant.
Firefox and Opera are both good browsers that are lightweight and full of power. I think they are both far more functional than IE, but that's just a matter of opinion. I like the way Firefox and Opera render pages and Opera has a lot of useful extras. From a web developers point of view it's nice to create a w3c compliant page and have it actually render correctly (I do mean more than basic HTML and basic CSS 1).
I say use what you like. If you like IE use it. If you don't use something else.
I use IE - won't change.
I like German beer - won't change.
I like pretty women - won't change.
So, even though they all have pros/cons - I know what I like. Why does everyone want to talk others into changing? If you are truly happy with what you have, common behavior is to keep it for yourself!
LOL - later.
I've come to the conclusion that this is a form of techie's boxing ring. Nobody here is (probably) a real in-the-ring boxer like Mike Tyson, so it relieves the stress to believe we're "fighting" about something that is cerebrally important...and maybe it is. The question I've had is how much of a difference does it make? Is anyone here going to switch from IE to Firefox, or vice-versa? When it's all said and done, and CNET's article goes in the pile three days later, will anything have been accomplished?
Pass around the peace pipe, folks---be satisfied and celebrate the technology you have.
As someone who removes Spyware from other people's PCs, IE remains more vulnerable to Spyware.
http://secunia.com/product/4227/
Internet Explorer 6.x vulnerabilities
http://secunia.com/product/11/
An interesting read for those of you who like statistics.
understand the attitude of Microsoft fans in delighting in seeing flaws in other people's products.
It doesn't help improve the situation for them one bit to know that BOTH major browsers on the Windows platform are flawed - especially when they are probably less protected than other systems once someone compromises the browser. (I say probably, because people running a well-configured XP Pro installation will be safer).
problem, then the Internet must be.
ignorant of, and for some strange reason hostile to - that the biggest problem with IE is that it doesn't comply with standards. It might seem a stupid thing to be concerned about, when 'everyone has IE' but it becomes a vicious circle. New devices like the Sony PSP have wireless connection and a web browser, but cannot access many badly written pages. As the screens on mobile phones grow, this will only become more of an issue.
Equally, browser development has also been held back - the other browsers support standards like SVG and the 'canvas' tag, which could really improve the graphical experience of the web, but instead the only way to achieve these things is through using the Flash plugin. Again, your typical user will say 'well, that's not a problem, more people have Flash than IE' - except your PSP users and a lot of phone users.
The point is that ANYONE could write a browser that works to standards. (It is up to them how good a job they do of it). If you want a Flash player or IE, you need to wait for Macromedia or Microsoft to write it for you - and they may decide at any point to cease support.
If you can't see how this hurts innovation, then I'm afraid you're lacking in imagination.
Companies like Adobe/Macromedia (Flash) Apple (QuickTime) and others have every right to develop products for the browser. This should not interfere with the W3C developing standards for other technologies like SVG. As a matter of fact, SVG development was driven by the introduction of other graphic formats by Microsoft, Adobe, Macromedia and Sun.
The above points out that many standards derive from non-standard ideas and successes. You could argue that, in many cases, it is non-standard code that drives the innovation that leads to standard technology.
One recent example is AJAX. Javascript was not a standard when it began and it took a while to become a standard. XMLHTTPREQUEST was a non-standard success invented by Microsoft and that too took a while to become part of a standard. In the case of IE7, MS has moved closer to the W3C standards for CSS, and according to the IE team, will keep working to meet those standards.
But I hope it doesn't stop MS or any other company from introducing technology that is worthwhile but doesn't meet the standards du jour.
FF Patched in a day, IE in months
by likes2comment, February 10, 2006 6:51 AM PST
if IE even gets patched or acknowledged that it has bugs...... I'll stick with FF.