Stop Microsoft
Miscellaneous => Applications => Topic started by: mobrien_12 on 9 May 2005, 08:05
-
Slashdot Discussion (http://it.slashdot.org/it/05/05/08/135217.shtml?tid=154&tid=172)
A problem with FireFox on Windows. Click on a malicious webpage anywhere and arbitrary code gets executed.
Partially mitigated by the Mozilla foundation by updating their servers, but not fully fixed yet.
-
This is proof that open source software isn't always more secure.
-
This is proof that open source software isn't always more secure.
It proves nothing. Some amount of people have already said on these forums (possibly you too) something along these lines: "nothing's completely secure". I'll third, fourth, fifth or whatever it.
Oh, and by the way, Firefox is more secure than Internet Explorer. Everybody knows that.
-
Don't be so retarded.
That was uncalled for, I haven't insulted you before!
It proves nothing. Some amount of people have already said on these forums (possibly you too) something along these lines: "nothing's completely secure". I'll third, fourth, fifth or whatever it.
I agree.
Oh, and by the way, Firefox is more secure than Internet Explorer. Everybody knows that.
No you don't say.
Open source isn't necessarily more secure (although as you said this exploit doesn't prove it) because the majority of users don't read the source code and this isn't the main way bugs are found anyway. Bugs are found by people discovering that a program behaves in an incorrect manner like allowing code to be executed when it shouldn't be or just crash.
For all we know Opera could be more secure than FireFox. The only difference is the FireFox source code and bug tracking system are both open. This doesn't mean that FireFox is more secure or less secure than Opera, it just means we know how many bugs and exploits have already been discovered.
About Internet Explorer, I've not heard of any newly discovered exploits for a long time. And before you start, I'm not saying Internet Explorer is secure. If you've thought about arguing with this paragraph then please re-read my post!
Could it be possible that Internet Explorer is actually improving!?
-
That was uncalled for, I haven't insulted you before!
I know that. Read what you said.
It's just another security hole. How does it "prove" anything?
And to say that free software is _always_ more secure than closed source, is wrong.
EDIT: I edited that post. It was a bit uncalled for.
No you don't say.
Yes I do say, actually. So what, they found a security hole in Firefox? That doesn't mean that Firefox is less secure than Internet Explorer. And it doesn't even mean that "open source software isn't always more secure", as if "open source" software ever was _always_ more secure.
Open source isn't necessarily more secure (although as you said this exploit doesn't prove it) because the majority of users don't read the source code and this isn't the main way bugs are found anyway. Bugs are found by people discovering that a program behaves in an incorrect manner like allowing code to be executed when it shouldn't be or just crash.
The majority of users don't have to read the source code. All it takes is one person and you've benefitted from free software.
For all we know Opera could be more secure than FireFox.
Could be.
About Internet Explorer, I've not heard of any newly discovered exploits for a long time.
Neither have I.
Could it be possible that Internet Explorer is actually improving!?
Yes it could. Or it could be (but probably isn't) that (slightly) less people are using Internet Explorer and more are using Firefox... If Firefox goes under... :nothappy:
-
Could it be possible that Internet Explorer is actually improving!?
IE could be experiencing the Sendmail Syndrome: After years and years of endless patches, you're left with secure code.
Also, MS may be doing tons of Longhorn/IE7 work and not have enough time for much IE auditing.
-
I know that. Read what you said.
It's just another security hole. How does it "prove" anything?
And to say that free software is _always_ more secure than closed source, is wrong.
I agree with you, I badly mis-worded that post.
Yes I do say, actually.
Well I was being sarcastic, but who knows Internet Explorer might for all we know be the most secure browser, but I very much doubt it somehow.
So what, they found a security hole in Firefox? That doesn't mean that Firefox is less secure than Internet Explorer.
I didn't mean to imply it was, you obviously haven't read the small print. :D
And it doesn't even mean that "open source software isn't always more secure", as if "open source" software ever was _always_ more secure.
I agree.
The majority of users don't have to read the source code. All it takes is one person and you've benefitted from free software.
True, but it still depends on who's looked at it and their skill level.
IE could be experiencing the Sendmail Syndrome: After years and years of endless patches, you're left with secure code.
That might be true.
Also, MS may be doing tons of Longhorn/IE7 work and not have enough time for much IE auditing.
That's possible too, but I'm talking more about 3rd parties discovering exploits. MS also say that IE 7 will not require Longhorn and will run on XP.
-
3rd parties rarely discover the IE exploits, they reverse-engineer the patches, and release the worm or whatever.
-
They released a new version of FireFox and Mozilla this morning.
-
They released a new version of FireFox and Mozilla this morning.
yep, they patched teh hole!:thumbup:
-
72-hour turnaround on a potential exploit. I've yet to see Microsoft do THAT. ;)
-
72-hour turnaround on a potential exploit. I've yet to see Microsoft do THAT. ;)
That's (part of) the power of free software.
-
Yea, power of free software. Just like "fixing" bugs so that same function gets rewritten 3 times, each patch not really fixing the problem but merely protecting against the specific exploit, when it's a critical vulnerability such as remote crash bug in linux kernel related to packet fragmentation. Microsoft sometimes does that too, but don't go touting about power of free software when even critical bugs can take damned long time to fix, and they STILL haven't patched several remote crash bugs in FireFox. Hell, there are heaps of open bugs which have been around for years and known by everyone. Nobody's just bothering to fix them. Power of free software my ass.
-
This is proof that open source software isn't always more secure.
Oh give me a freakin break!! Comparing Firefox to IE is like comparing the Delta Force to Barney Fife.
-
Well they're both web browsers, and if you read my previous posts in this thread I've already admitted that post was mis-worded. My point was while this doesn't prove whether open source is more or less secure, open source isn't inherently more or less secure.
I reckon Microsoft is still patching IE but just no longer telling anyone about the exploits, they've finally figured out that this wasn't a very good marketing tactic. I've had to download several "Windows Updates" over the last few months and some have been for IE. I wouldn't've bothered because I don't use IE I use FireFox, but it's good to have a fully patched IE in case I have to use it for some shitty IE-only website.
-
Yea, power of free software. Just like "fixing" bugs so that same function gets rewritten 3 times, each patch not really fixing the problem but merely protecting against the specific exploit, when it's a critical vulnerability such as remote crash bug in linux kernel related to packet fragmentation. Microsoft sometimes does that too, but don't go touting about power of free software when even critical bugs can take damned long time to fix, and they STILL haven't patched several remote crash bugs in FireFox. Hell, there are heaps of open bugs which have been around for years and known by everyone. Nobody's just bothering to fix them. Power of free software my ass.
Holy shit.
The damn thing is FIXED! Stop crying, just 'cause the Firefox devs are faster at fixing security vulnerabilities than MS.
As soon as that vulnerability was noticed and revealed, hundreds (I'd say) of programmers looked through some of the Firefox code to fix it. They did. Fast.
And don't tell me "oh well the quality of these programmers' skills are questionable", I know it is. As are the MS programmers. We all know that Firefox is better than Internet Explorer, it doesn't take a genius to figure that out. In my mind, it's safe enough to assume that the Firefox devs are better than the Internet Explorer devs.
-
Are you actually implying that the availability of source code makes a piece of software inherently better?
In practice, yes, many times OSS packages are in fact better than their proprietary counterparts. However, this does not mean that a piece of software is somehow "better", ONLY because it is open source. This would mean that the GPL licensed KDE/Qt is magically better than when it is released under a commercial license.
-
Are you actually implying that the availability of source code makes a piece of software inherently better?
No I am not. I'm saying that:
As soon as that vulnerability was noticed and revealed, hundreds (I'd say) of programmers looked through some of the Firefox code to fix it. They did. Fast.
EDIT: And the availability of the source code probably and more than likely speeded up the fixing process, at least on this occasion.
EDIT: Please read my other post again.
-
The damn thing is FIXED! Stop crying, just 'cause the Firefox devs are faster at fixing security vulnerabilities than MS.
As soon as that vulnerability was noticed and revealed, hundreds (I'd say) of programmers looked through some of the Firefox code to fix it. They did. Fast.
If you only look at the incidents that you choose, you won't get very interesting view. As an example to counter your silly little view, I present you a bug that's been reported over two years ago, is marked critical, crashes the browser, and testcase is available:
https://bugzilla.mozilla.org/show_bug.cgi?id=202765
See the bug live in here, tested against latest firefox:
http://muzzy.net/ffcrash/crash.xml
So, where are the "hundreds" of programmers now? Oh, it's not an issue because it hasn't been publicized in any magazine?
-
That's not that critical in my opinion. So what the browser crashes, it's more of an inconvenience than anything, it's not like it crashes the whole system or allows a hacker to compromise the system or allow some executable code to run.
I do take your point though, this should've been fixed years ago.
-
If you only look at the incidents that you choose
[sarcasm]Oh ok, so HE is the one doing that all the time, I could have sworn it was you[/sarcasm]
-
http://muzzy.net/ffcrash/crash.xml (http://muzzy.net/ffcrash/crash.xml)
That's the first time ever that Mozilla crashed on me.
-
Same here.
Unlike Internet Explorer which often crashes for no reason.
-
And muzzy, of course Firefox will have its bugs. As will Internet Explorer. The only difference is that the Firefox bugs, fixed and not-fixed, are publicly available. That's why you can rummage through the bug database and craft some amount of pages that take advantage of these (publicly available) bugs, to try to undermine its stability. EDIT: And that is what you did do. Those crashes were no accident, if they were, I might get worried (not).
Could you imagine if Microsoft released a bug database to the world with all the fixed and not-fixed bugs in Internet Explorer?
-
http://www.internetnews.com/security/article.php/3504661
-
Are you actually implying that the availability of source code makes a piece of software inherently better?
I never suggested that.
You should read this (http://www.technewsworld.com/story/43046.html) tho. The following is stolen from that:
"A lot of security problems derive from the core ... [With open-source code,] thousands of people look at the critical portions of source code and ... check [to make sure that] those portions are right. It's a major advantage to have open-source code."
-
I'd like to mention that the bug I'm touting about was independently found by my friend, who actually tried to do document.write() inside a stylesheet. I didn't just go looking through the bug database, looking for a crash bug. I only found afterwards that the bug had already been known for quite a while.
Also, while this demonstration doesn't show any code execution, HOW CAN YOU KNOW it isn't a remote code execution hole? Every crash bug potentially is, and it takes a while to analyze it to see if it is or isn't. This is damn well a critical hole.
-
I'd like to mention that the bug I'm touting about was independently found by my friend, who actually tried to do document.write() inside a stylesheet. I didn't just go looking through the bug database, looking for a crash bug. I only found afterwards that the bug had already been known for quite a while.
Also, while this demonstration doesn't show any code execution, HOW CAN YOU KNOW it isn't a remote code execution hole? Every crash bug potentially is, and it takes a while to analyze it to see if it is or isn't. This is damn well a critical hole.
I'm sure your friend is very pissed off that (s)he can't do document.write() inside a stylesheet without Firefox crashing. Why would (s)he want to do such a thing (I have no idea about this XML/etc. stuff)?
-
that's hardly the point though, is it? perhaps the aim of somebody who did such a thing is to crash firefox? in which case, it needs fixed.
-
that's hardly the point though, is it? perhaps the aim of somebody who did such a thing is to crash firefox? in which case, it needs fixed.
If it happened to every second webpage, yes, it would be fixed in no time at all. But very, very few people are gonna be crashed because, obviously, it seems that document.write(), or whatever, inside stylesheets, isn't incredibly popular.
Yea, I agree that it should be fixed, but it shouldn't be a huge priority. And it's not gonna make anyone switch from Firefox back to IE, I would hope.
-
Well, piratePenguin, I hope I never hear you bitching about IE crashing "for no reason" then.
There's a good reason why document.write doesn't work for xhtml, it'd potentially corrupt the document and that just can't be allowed. XML has to be verifiable, and if it can be fucked up during runtime by incompetent webdesigner, it's a bad thing. My friend didn't think of this, as he was trying to write xml table renderer that could sort by any column. Well, you can use xsl to sort stuff, but you can't use xsl to rewrite the page after it's been translated once. I recall he ended up writing a html page with javascript to do the XSLT and rewriting the html page instead. Either way, he seriously tried to write javascript into XSL, and learned it isn't supported. The surprise was that firefox crashes when this unsupported operation is tried.
Anyway, a crash bug is critical, always. It can be exploited to annoy the user to no end, and I'm sure you'd bitch about microsoft if we were discussing an IE crash bug that hasn't been patched for two years.
-
Well, piratePenguin, I hope I never hear you bitching about IE crashing "for no reason" then.
And if you do?
The fact remains, Firefox has never, ever unexpectedly crashed on me. IE has.
Anyway, a crash bug is critical, always. It can be exploited to annoy the user to no end, and I'm sure you'd bitch about microsoft if we were discussing an IE crash bug that hasn't been patched for two years.
Yes I know it should be fixed. If it was exploited more often I'd guess it would be fixed quicker (fairly obvious). But obviously it isn't exploited a lot and the Firefox devs don't see it as important as some other stuff. I would doubt many users would care anyhow, I mean it's not crashing on too many of them (it seems).
And, if MS hadn't patched an IE crash-bug for two years, yea, I'd probably bitch about it. Depending mainly on how often it's exploited (obviously).
-
I'm tempted to sign up to the mozilla forum and see if I can persuade them to get this fixed, maybe I could pretend to be an Opera fanboy to make it more fun. :D