55 Ways to Hack Mozilla's Firefox

CanWest News Service ^ | Sarah Stables

[KwasiOwusu]

"According to experts "

Would one of those "experts'" name be Michael Moore? :)
How much evidence did he fake?

[SilentServiceCPOWife]

I run my DSL thru a Linksys router. Never had anyone "inside" my computer.

We have a wireless router also and it's password protected to make sure that no one can access it. But every time I look at my connection, I can see my neighbor's Linksys router. If I knew who they were I would tell them about it, but it could be anyone close to us.

[KwasiOwusu]

"30 in one year on relatively new code "

Something that's been around at least from 2000 is not "new" code.

Plus malignant code writers and hackers really only concentrated on Firefox in just the past few months when it started getting all that attention.
In fact there are at least probably a hundred times more virus writers on IE than Firefox.
Firefox has really only just BEGUN to be attacked.
Expect the # of vulnerabilities to SHOOT UP exponentially as the malignant hackers really get to work on it.
Firefox security holes will make IE look like Fort Knox!
LMAO!!

[Bloody Sam Roberts]

I run my DSL thru a Linksys router.

If you get a spyware bot on your PC that can initiate a connection request from behind your firewall, your router/firewall is useless. You need to get a software firewall to squash this type of activity to be truly protected. Try Outpost. It's robust and it's free.

[Petronski]

I did warn ya about drinking that open source Kool Aid.

LOL You have the wrong guy, pal. I'm on the record here for trying and rejecting various Linux distros because they just don't do enough, well enough.

I use what works best, I have no fealty to any master. You in contrast are tied to the estate of Lord Gates whether his stuff works or not.

[SW6906]

"Expect the # of vulnerabilities to SHOOT UP exponentially as the malignant hackers really get to work on it.
Firefox security holes will make IE look like Fort Knox!

I'm going to try to remember this and throw it in your face......you do the same should I be wrong.

[KwasiOwusu]

"I'm going to try to remember this and throw it in your face......you do the same should I be wrong"

Fair enough.
But just so you know, the # of vulnerabilities for Firefox already shot up last year, after it started getting famous, as compared to the last 3 years.
25 vulnerabilities from 2000 to 2003, and 30 already just last year, unless I am reading the article wrong.

So the early indications are not so good.

[N3WBI3]

No it was these guys..

[dd5339]

Firefox ping!

Semper Fi

[mhking]

Firefox is still far better than IE6 ever hoped to be.

[Poser]

It's more secure than Internet Explorer AND... It doesn't download spyware/malware/adware.

So...
It may not be perfect, but it's better than IE.

[Paridel]

This is a little off topic... but man, I really hate when people use the term FUD (Fear, uncertainty, and doubt). There are several reasons for this:

1. Many people who are not involved with computers, and even some who have been in the industry a long time, do not know what this term stands for. I have had to explain it so many times it isn't funny. I have to assume that there are many who did not have the luxury of someone like me to ask and thus are still in the dark. I was taught that, even when writing a journal article for a specific field, that the excepted practice for using acronyms that are not universally understood is to write them out in full the first time. As FUD is used in quick jabs this negates its usefulness in public forums.

2. It is used too often when it is really a stretch to fit in a conversation. (To me this to me is somewhat indicative of another problem, which is the avoidance of legitimate debate or criticism) About half the time I see FUD it is in this context. "Linux users are all a bunch of commies" could easily be construed as FUD. Talking about legitimate software flaws or failings is not FUD (well, depending on whether they are being portrayed fairy or overemphasized). But too often the latter is prematurely dismissed after a precursory glance as FUD, rather than a legitimate argument of whether the pros outweigh the cons, or better yet discussing solutions.

3. It is not that powerful a concept. There is nothing spectacular about FUD. There are times when a concept leads to looking at looking at a problem from a different light and when compartmentalizing this concept in an acronym is clearly useful to the point than the flaws of acronyms in general are more than made up for. Fear, uncertainty, and doubt when used in this context are synonyms; no major insight there. You might as well just substitute the liberals perennial favorite fear-mongering.

Then again this could all just be my irrational backlash against a life in acronyms. I grew up on military posts and then went straight into engineering, and sometimes I just get sick of all the acronyms. Two of three days ago I got a call from my dad from Baghdad. He said they were investigation a vm-ied. By that he meant "vehicle-mounted improvised explosive device"... aka a car bomb. But no, the military can no more easily call that a car bomb than we computer professionals / enthusiasts (of either side) can get off our haunches and either come up with real counter arguments to criticism or at least pick up a thesaurus to come up with a new derisive adjective every once and a while.

I understand the desire to attempt to dissuade someone from listening to an argument without really putting much effort into dissembling it, especially when there is an almost infinite supply of tripe on the Internet. However you are deceiving yourself if you think that is really effective means of combating it. Furthermore on a site such as freerepublic, which exists for the free exchange of thought and ideas, we are all big enough to think for ourselves and realize when an argument is valid and worth our time or not. If you don't want to fully debate a point then you should feel free to leave it to others to do so.

-paridel

[JoJo Gunn]

I really wish that the paid shills from Redmond would use larger fonts....

[Paridel]

I'm sure as we speak there are IE and Windows exploits out there that MS knows about, and we don't.

I'm sure you are right... because applying software patches is a liability as well. There is always the possibility of things breaking when a patch is applied. Thus, if it is a minor vulnerability, one not likely to see a real world variant, it would be irresponsible for MS to announce it publicly.

Why? Because 1. the patch could cause downtime for costumer's. 2. some computers will not be patched, but announcing the vulnerability means that a real world example will surface.

The same thing happens with open-source programs. There a still plenty of people running out of date software with known vulnerabilities. I have seen people scan for and compromise old red hat system in a very short amount of time. I'm not blaming OSS developers for those shortcomings, it is clearly the fault of the individual with the unpatched box, but yes, it can and does happen.

In Microsoft's case when exploits are revealed they tend to go unpatched for months, sometimes a year, or until the next service pack is released.

Here you are way off base. MS releases lots of patches outside of service packs.

-paridel

[Richard Kimball]

Bush2000! What's going on, man?

In reference to the article, one of the points they make is that Firefox has been hacked because of it's reputation as being invulnerable to hacking. When talking about OSX, though, no one ever makes the point, which I've wondered about for a while, that even though, like Firefox, OSX has a much smaller installation base, making a successful hack would make the hacker a pop culture hero in the hacking world. So, wouldn't OSX also be a target for hackers that wanted to prove their hacking brilliance.

That aside, I like Firefox because of the smaller footprint and tabbed browsing. Most of the enhanced security (I don't know much about browser internals), seems to me, though, can be replicated in IE by turning off specific features. Active-X, for example, simply isn't available in Firefox, which makes Active-X exploits pretty difficult on the browser. Active-X controls, though available on IE, can easily be disabled at various levels, and turning them off completely makes IE just as invulnerable to Active-X exploits as Firefox, while maintaining the ability to use Active-X when dealing with trusted sites.

Honestly, I never obsessed over viruses and worms when I ran Windows, but used reasonable precautions, and I have never had an infection (except that the Ethan Fromme virus got loose on campus, but that was a fairly harmless Word exploit), and I've probably received about a hundred documents with it attached. Norton catches and strips it, though).

Anyway, hadn't heard from you for a while, and wanted to say hi.

[Peacerose]

For all the Fools and Idiots Who Think They're Safe:

There is no one operating system, browser, anti-virus, firewall, hardware router, or whatever, that cannot be exploited. Thousands of people are constantly looking for a way to hack everything.

The closest you can get to safety is to accept what I wrote above as gospel, keep your OS, browser, anti-virus and firewall updated and watch always for changes in your system.

If you don't understand what I just said, you are part of the problem.

[KoRn]

Here you are way off base. MS releases lots of patches outside of service packs."

Sure they do, except for one I remember reading about last year that Microsoft let go for months. The one where a user could click on a URL that could be set up to delete any file on the end user's computer the URL's creator wanted. That one was allowed to stay out there until a major service pack. Microsoft knew about it long before, and didn't fix it because it hadn't been discovered by Hackers.

[KoRn]

Correct you are! The primary security risk on ALL equipment is physical access. There is almost no computer I can't hack if I have physical access to it(I don't mean with an axe either). I can change the password, thus reconfigure a Cisco Router in about 5min if I have physical access to it.

I can't tell you how many well protected systems I've seen against remote access be so easy to break into by simply opening an unlocked door.

[JoJo Gunn]

Yep, what one man can make, another man can break.

Mozilla is far from perfect. Images associating with the Downloads box, and it's problems for some users, shows the Mozilla coders can also be mind numbingly stupid. But the popup blocker and adblocker extension are the main reasons I stick with it.

[holymoly]

There is no one operating system, browser, anti-virus, firewall, hardware router, or whatever, that cannot be exploited.

I've never claimed there was. Anyone who visits my FR homepage will find it full of PC/Windows security-related links.

While I offer alternatives to MSIE, I also link to an article with tips on how to harden IE. The choice is up to the individual. I hope they make an educated one.

Again, I have never claimed that Mozilla, Firefox or Opera were immune to virii, malware, etc. However, these browsers simply do not suffer from the myriad IE-only vulnerabilities, which include, but are not limited to, those related to AciveX. (E.G. drive-by downloads.)

For those interested in PC security-related links, visit my FR homepage. The information is there. Do what you will with it.