Posted on 01/06/2005 11:07:43 PM PST by Bush2000
Solid reputation paints bull's-eye on Mozilla's Firefox Free Web browser is known to be virtually impregnable to viruses and pop-ups, but it isn't hack-proof
Sarah Stables
CanWest News Service
Thursday, January 06, 2005 
A reputation for being virtually impregnable to viruses, pop-ups and other nasties of the Web is driving millions of fed-up computer users to ditch Internet Explorer in favour of the supposedly hack-proof alternative, Firefox, Mozilla's free Web browser. There's only one problem: the upstart isn't hack-proof at all.
The evidence is at K-Otic.com, a Web site where hackers and security experts post their latest "exploits" - coded recipes for manipulating vulnerabilities detected in software or operating system programs.
From 2004 to the start of 2005 alone, there were no fewer than 55 ways found to get inside computers and control them through Firefox, mostly without leaving a trace, the latest posted yesterday.
As the popularity of Firefox grows, experts caution, so will the number of successful hacks and attempts. The browser's reputation for "safety and reliability" will paint a bull's-eye on its back.
"If you can actively exploit Internet Explorer in so many ways, hackers, they get bored quick. They're going to be looking for a new challenge. And what's going to fuel that fire is every person who says (Firefox) is so much more secure," said Ryan Purita, a West Coast programmer who is one of a handful of certified forensic examiners in Canada.
"For hackers, it'll be a badge of honour to go out there and prove them wrong."
Praise for Firefox in the Wall Street Journal, the New York Times, Forbes and elsewhere has raised Firefox's cachet in recent weeks. More than 14 million people have downloaded the browser since it was officially launched on Nov. 9, 2004.
The attraction is an uncomplicated interface, and features such as instant access to Google, pop-up blockers, and its obstruction of so-called "Active-X controls" - an architectural feature of IE that has proven to be an effective back door for hundreds of hacker attacks.
In less than two months, Firefox has grabbed a four-per-cent share of the browser market, making it the second-most popular engine after Internet Explorer, and dropping back IE to roughly a 90-per-cent take, according to Internet analysis firm WebSideStory.
Pundits now debate the possibility of a renewed browser war not unlike the mid-1990s battle between IE and arch-nemesis Netscape, which ended with the latter's demise - and now, rebirth.
A few years after AOL bought Netscape, the browser code was bequeathed to the Mozilla Foundation, based in Mountainview, Calif. It re-emerged first as a beta engine in 2000, then was further re-engineered as Firefox.
Mozilla officials themselves recognize attempts to hack their products in a prominent section on their Web site, but say Firefox and a new e-mail application, Thunderbird, are still safer than IE, for which Microsoft receives daily notice of blindside attacks.
"Historically, we've had a fewer number of vulnerabilities and they've been less severe," said Mozilla director of engineering Chris Hofmann.
But the statistics suggest an ominous trend. As early as 2000, when Firefox was but a teething babe at the Mozilla programming lab, K-Otic.com had found three exploits for early Mozilla programs, bugs that would apply equally to Firefox, Purita said.
The tally grew to 15 exploits in 2001. It bulged to 27 exploits in 2002, and in 2003, reached 30 known exploits. Last year, the number of exploits nearly doubled.
Yesterday, Danish security firm Secunia.com posted a "fix" shoring up several vulnerabilities within Firefox and Thunderbird it rated as "highly critical."
Interlopers could turn a computer into a "zombie" used to launch "denial of service" attacks against other machines - flooding them with useless e-mail until they crash. Or they could root around in search of files, and "spoof" aspects of a system to trick it into disclosing sensitive information, such as bank account numbers, according to Secunia's alert.
Perceptions of Firefox's invulnerability owe much to its open-source history. Hundreds of volunteers helped refurbish the old Netscape by tracking down "bugs" and vulnerabilities as a hobby, Hofmann said.
Proponents of open-source programming argue altruistic pursuit of perfection by legions of anonymous programmers is bound to produce better code than a proprietary engine such as Microsoft's.
"We do have a community that's very serious about security and fixing problems fast when they show up," the Mozilla spokesperson said.
"We get a lot of professors, graduate undergraduate students doing security research on a volunteer basis, trying to figure out the potential for exploits. That's another strength we have," he said.
But Purita, whose role at the Vancouver consulting firm Totally Connected Security Ltd., among other things, is to test corporate networks for problems, believes both browsers are similarly vulnerable.
The difference, he argued, is strictly a "numbers game."
"If you can exploit hundreds of millions of machines running Internet Explorer, why go after the 10 per cent of people who are running Firefox? If I want to do a massive hack, I want people with a similar operating system," he said. "And I'm not being paid by Microsoft to say that."
The speed with which hackers share knowledge makes the Internet a far more dangerous place today than it has ever been, he said.
"It's complete access to whatever malicious activity they want to do, whether it's to reformat your hard-drive, copy financial data or keystroke log your passwords for online banking."
French-Canadian FUD. Yawn.
Yawn.
You disappoint me, Petronski. Usually, you're good for a reasonable argument. But since you can't defend your argument, why bother.
I offer you no argument. I dismiss your troll-bait. This one is beneath you (even you).
If the operating system is inherently unsafe, there is no way that switching browsers can achieve more than a false sense of security.
Twelve dead links. Impressive. Is that code from FrontPage?
That would be my opinion also.
Just fired up Xandros V3 today....looking good .
While reading this, it occurred to me that this is a good analogy for Free Republic vs. Old Media.
Proponents of:-Dopen-source programmingaccurate news argue altruistic pursuit of perfection by legions of anonymousprogrammersFReepers is bound to producebetter codemore accurate news than aproprietary enginelying sack of dung such asMicrosoft'sDan RAthER.
The ones I tried to post were the newer ones. The 55 is cumulative, I have patches for I think 18 of the old exploits.
And here's the breakdown of the advisories, specific for Firefox, (as in not Mozilla).
http://secunia.com/product/4227/
ping
Just as I thought.
The open source is 'secure" myth continues to crumble like. Al Gore's presidential ambitions!
BWHAHAHAHAHAHAHAHA!!
SHADENFREUD!!
Firefox ping
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.