Firefox exploit targets zero day vulns
John Leyden, The Register 2005-05-09

Security researchers have discovered two unpatched vulnerabilities in Firefox, the popular alternative web browser. The security bugs affect even the latest version of Firefox (version 1.0.3) and create a means for attackers to seize control of vulnerable systems using cross-site scripting attacks.

Firefox exploit targets zero day vulns 2005-05-14
Aaron
Hello TJ,

> Yes, this is partially true. Referred to as
> "mono-culture". Although, I would point out,
> those who create and use exploits are the
> "bad guys" here, not the company trying to
> produce a product for positive use."

Now it is my turn to respectfully disagree. It seems strange to me to bring the 'bad guy' argument into a security website; security is all about stopping the 'bad guys'. That said, I would say that, assuming the 'bad guy' argument is valid, the Mozilla community is inherently safer: Mozilla encourages people to review their code when no vulnerability is known, find vulnerabilities and fixes and gain US$500, fame and peer respect within the Mozilla community - while still allowing it to be kept quiet if the reporter prefers.

> Sure, fixing something sooner is always
> better than later. But, this line of
> thinking can be extremely dangerous.

Perhaps. Mozilla users have always maintained that this method puts the ball in the user's court - it allows the user to assess the risk of the vulnerability against the likelihood of a regression or further security hole. As the user has access to the code, there is always the possibility that the user will check the code for themselves before an upgrade.

With Firefox 1.1 the auto-update system will be greatly improved, which addresses the concerns of others with the patch/full download method. As far as I can see, the new method will allow 'XPI' (or patch) fixes, if that is seen as safe, or full downloads. The advantage of Mozilla's auto-build process is that the binaries available for download should always have all of the latest patches. If you are interested in this topic, you should visit:

http://wiki.mozilla.org/Firefox:1.1_Software_Update_Upgrades

and the two technical pages which are linked to by it.

I think that we will not know which is more secure unless MS opens their code and people can see inside it. MS is already (AFAIK) allowing selected customers/security firms to review their code to harness some of the benefits of Open Source.

Personally, I believe that Firefox is more secure. I believe that the increase in bugs being found is a response to the push of the product's security and the fact that it is an easy way for a security person/company to get a large amount of publicity. Firefox, at the cost of a fair amount of bad press now, is getting the benefit of HUNDREDS of security professionals auditing their code in order to make a name for themselves.

Being honest, however, even if the products had identical security (which I don't think is close to the current case), I would sleep a lot better at night with the ability to review the source of the code. I also prefer to help Mozilla enhance their product with my use and feedback than Microsoft who would probably charge me for the fruit of my comments.

Aaron

[ reply ]

Link to this comment: http://www.securityfocus.com/comments/articles/11119/31878#31878
Copyright 2009, SecurityFocus