55 Ways to Hack Mozilla's Firefox

CanWest News Service ^ | Sarah Stables

[Bush2000]

Solid reputation paints bull's-eye on Mozilla's Firefox Free Web browser is known to be virtually impregnable to viruses and pop-ups, but it isn't hack-proof

Sarah Stables
CanWest News Service

Thursday, January 06, 2005
A reputation for being virtually impregnable to viruses, pop-ups and other nasties of the Web is driving millions of fed-up computer users to ditch Internet Explorer in favour of the supposedly hack-proof alternative, Firefox, Mozilla's free Web browser. There's only one problem: the upstart isn't hack-proof at all.

The evidence is at K-Otic.com, a Web site where hackers and security experts post their latest "exploits" - coded recipes for manipulating vulnerabilities detected in software or operating system programs.

From 2004 to the start of 2005 alone, there were no fewer than 55 ways found to get inside computers and control them through Firefox, mostly without leaving a trace, the latest posted yesterday.

As the popularity of Firefox grows, experts caution, so will the number of successful hacks and attempts. The browser's reputation for "safety and reliability" will paint a bull's-eye on its back.

"If you can actively exploit Internet Explorer in so many ways, hackers, they get bored quick. They're going to be looking for a new challenge. And what's going to fuel that fire is every person who says (Firefox) is so much more secure," said Ryan Purita, a West Coast programmer who is one of a handful of certified forensic examiners in Canada.

"For hackers, it'll be a badge of honour to go out there and prove them wrong."

Praise for Firefox in the Wall Street Journal, the New York Times, Forbes and elsewhere has raised Firefox's cachet in recent weeks. More than 14 million people have downloaded the browser since it was officially launched on Nov. 9, 2004.

The attraction is an uncomplicated interface, and features such as instant access to Google, pop-up blockers, and its obstruction of so-called "Active-X controls" - an architectural feature of IE that has proven to be an effective back door for hundreds of hacker attacks.

In less than two months, Firefox has grabbed a four-per-cent share of the browser market, making it the second-most popular engine after Internet Explorer, and dropping back IE to roughly a 90-per-cent take, according to Internet analysis firm WebSideStory.

Pundits now debate the possibility of a renewed browser war not unlike the mid-1990s battle between IE and arch-nemesis Netscape, which ended with the latter's demise - and now, rebirth.

A few years after AOL bought Netscape, the browser code was bequeathed to the Mozilla Foundation, based in Mountainview, Calif. It re-emerged first as a beta engine in 2000, then was further re-engineered as Firefox.

Mozilla officials themselves recognize attempts to hack their products in a prominent section on their Web site, but say Firefox and a new e-mail application, Thunderbird, are still safer than IE, for which Microsoft receives daily notice of blindside attacks.

"Historically, we've had a fewer number of vulnerabilities and they've been less severe," said Mozilla director of engineering Chris Hofmann.

But the statistics suggest an ominous trend. As early as 2000, when Firefox was but a teething babe at the Mozilla programming lab, K-Otic.com had found three exploits for early Mozilla programs, bugs that would apply equally to Firefox, Purita said.

The tally grew to 15 exploits in 2001. It bulged to 27 exploits in 2002, and in 2003, reached 30 known exploits. Last year, the number of exploits nearly doubled.

Yesterday, Danish security firm Secunia.com posted a "fix" shoring up several vulnerabilities within Firefox and Thunderbird it rated as "highly critical."

Interlopers could turn a computer into a "zombie" used to launch "denial of service" attacks against other machines - flooding them with useless e-mail until they crash. Or they could root around in search of files, and "spoof" aspects of a system to trick it into disclosing sensitive information, such as bank account numbers, according to Secunia's alert.

Perceptions of Firefox's invulnerability owe much to its open-source history. Hundreds of volunteers helped refurbish the old Netscape by tracking down "bugs" and vulnerabilities as a hobby, Hofmann said.

Proponents of open-source programming argue altruistic pursuit of perfection by legions of anonymous programmers is bound to produce better code than a proprietary engine such as Microsoft's.

"We do have a community that's very serious about security and fixing problems fast when they show up," the Mozilla spokesperson said.

"We get a lot of professors, graduate undergraduate students doing security research on a volunteer basis, trying to figure out the potential for exploits. That's another strength we have," he said.

But Purita, whose role at the Vancouver consulting firm Totally Connected Security Ltd., among other things, is to test corporate networks for problems, believes both browsers are similarly vulnerable.

The difference, he argued, is strictly a "numbers game."

"If you can exploit hundreds of millions of machines running Internet Explorer, why go after the 10 per cent of people who are running Firefox? If I want to do a massive hack, I want people with a similar operating system," he said. "And I'm not being paid by Microsoft to say that."

The speed with which hackers share knowledge makes the Internet a far more dangerous place today than it has ever been, he said.

"It's complete access to whatever malicious activity they want to do, whether it's to reformat your hard-drive, copy financial data or keystroke log your passwords for online banking."

[KwasiOwusu]

"According to experts "

Would one of those "experts'" name be Michael Moore? :)
How much evidence did he fake?

[SilentServiceCPOWife]

I run my DSL thru a Linksys router. Never had anyone "inside" my computer.

We have a wireless router also and it's password protected to make sure that no one can access it. But every time I look at my connection, I can see my neighbor's Linksys router. If I knew who they were I would tell them about it, but it could be anyone close to us.

[KwasiOwusu]

"30 in one year on relatively new code "

Something that's been around at least from 2000 is not "new" code.

Plus malignant code writers and hackers really only concentrated on Firefox in just the past few months when it started getting all that attention.
In fact there are at least probably a hundred times more virus writers on IE than Firefox.
Firefox has really only just BEGUN to be attacked.
Expect the # of vulnerabilities to SHOOT UP exponentially as the malignant hackers really get to work on it.
Firefox security holes will make IE look like Fort Knox!
LMAO!!

[Bloody Sam Roberts]

I run my DSL thru a Linksys router.

If you get a spyware bot on your PC that can initiate a connection request from behind your firewall, your router/firewall is useless. You need to get a software firewall to squash this type of activity to be truly protected. Try Outpost. It's robust and it's free.

[Petronski]

I did warn ya about drinking that open source Kool Aid.

LOL You have the wrong guy, pal. I'm on the record here for trying and rejecting various Linux distros because they just don't do enough, well enough.

I use what works best, I have no fealty to any master. You in contrast are tied to the estate of Lord Gates whether his stuff works or not.

[SW6906]

"Expect the # of vulnerabilities to SHOOT UP exponentially as the malignant hackers really get to work on it.
Firefox security holes will make IE look like Fort Knox!

I'm going to try to remember this and throw it in your face......you do the same should I be wrong.

[KwasiOwusu]

"I'm going to try to remember this and throw it in your face......you do the same should I be wrong"

Fair enough.
But just so you know, the # of vulnerabilities for Firefox already shot up last year, after it started getting famous, as compared to the last 3 years.
25 vulnerabilities from 2000 to 2003, and 30 already just last year, unless I am reading the article wrong.

So the early indications are not so good.

[N3WBI3]

No it was these guys..

[dd5339]

Firefox ping!

Semper Fi

[mhking]

Firefox is still far better than IE6 ever hoped to be.

[Poser]

It's more secure than Internet Explorer AND... It doesn't download spyware/malware/adware.

So...
It may not be perfect, but it's better than IE.

[Paridel]

This is a little off topic... but man, I really hate when people use the term FUD (Fear, uncertainty, and doubt). There are several reasons for this:

1. Many people who are not involved with computers, and even some who have been in the industry a long time, do not know what this term stands for. I have had to explain it so many times it isn't funny. I have to assume that there are many who did not have the luxury of someone like me to ask and thus are still in the dark. I was taught that, even when writing a journal article for a specific field, that the excepted practice for using acronyms that are not universally understood is to write them out in full the first time. As FUD is used in quick jabs this negates its usefulness in public forums.

2. It is used too often when it is really a stretch to fit in a conversation. (To me this to me is somewhat indicative of another problem, which is the avoidance of legitimate debate or criticism) About half the time I see FUD it is in this context. "Linux users are all a bunch of commies" could easily be construed as FUD. Talking about legitimate software flaws or failings is not FUD (well, depending on whether they are being portrayed fairy or overemphasized). But too often the latter is prematurely dismissed after a precursory glance as FUD, rather than a legitimate argument of whether the pros outweigh the cons, or better yet discussing solutions.

3. It is not that powerful a concept. There is nothing spectacular about FUD. There are times when a concept leads to looking at looking at a problem from a different light and when compartmentalizing this concept in an acronym is clearly useful to the point than the flaws of acronyms in general are more than made up for. Fear, uncertainty, and doubt when used in this context are synonyms; no major insight there. You might as well just substitute the liberals perennial favorite fear-mongering.

Then again this could all just be my irrational backlash against a life in acronyms. I grew up on military posts and then went straight into engineering, and sometimes I just get sick of all the acronyms. Two of three days ago I got a call from my dad from Baghdad. He said they were investigation a vm-ied. By that he meant "vehicle-mounted improvised explosive device"... aka a car bomb. But no, the military can no more easily call that a car bomb than we computer professionals / enthusiasts (of either side) can get off our haunches and either come up with real counter arguments to criticism or at least pick up a thesaurus to come up with a new derisive adjective every once and a while.

I understand the desire to attempt to dissuade someone from listening to an argument without really putting much effort into dissembling it, especially when there is an almost infinite supply of tripe on the Internet. However you are deceiving yourself if you think that is really effective means of combating it. Furthermore on a site such as freerepublic, which exists for the free exchange of thought and ideas, we are all big enough to think for ourselves and realize when an argument is valid and worth our time or not. If you don't want to fully debate a point then you should feel free to leave it to others to do so.

-paridel

[JoJo Gunn]

I really wish that the paid shills from Redmond would use larger fonts....

[Paridel]

I'm sure as we speak there are IE and Windows exploits out there that MS knows about, and we don't.

I'm sure you are right... because applying software patches is a liability as well. There is always the possibility of things breaking when a patch is applied. Thus, if it is a minor vulnerability, one not likely to see a real world variant, it would be irresponsible for MS to announce it publicly.

Why? Because 1. the patch could cause downtime for costumer's. 2. some computers will not be patched, but announcing the vulnerability means that a real world example will surface.

The same thing happens with open-source programs. There a still plenty of people running out of date software with known vulnerabilities. I have seen people scan for and compromise old red hat system in a very short amount of time. I'm not blaming OSS developers for those shortcomings, it is clearly the fault of the individual with the unpatched box, but yes, it can and does happen.

In Microsoft's case when exploits are revealed they tend to go unpatched for months, sometimes a year, or until the next service pack is released.

Here you are way off base. MS releases lots of patches outside of service packs.

-paridel

[Richard Kimball]

Bush2000! What's going on, man?

In reference to the article, one of the points they make is that Firefox has been hacked because of it's reputation as being invulnerable to hacking. When talking about OSX, though, no one ever makes the point, which I've wondered about for a while, that even though, like Firefox, OSX has a much smaller installation base, making a successful hack would make the hacker a pop culture hero in the hacking world. So, wouldn't OSX also be a target for hackers that wanted to prove their hacking brilliance.

That aside, I like Firefox because of the smaller footprint and tabbed browsing. Most of the enhanced security (I don't know much about browser internals), seems to me, though, can be replicated in IE by turning off specific features. Active-X, for example, simply isn't available in Firefox, which makes Active-X exploits pretty difficult on the browser. Active-X controls, though available on IE, can easily be disabled at various levels, and turning them off completely makes IE just as invulnerable to Active-X exploits as Firefox, while maintaining the ability to use Active-X when dealing with trusted sites.

Honestly, I never obsessed over viruses and worms when I ran Windows, but used reasonable precautions, and I have never had an infection (except that the Ethan Fromme virus got loose on campus, but that was a fairly harmless Word exploit), and I've probably received about a hundred documents with it attached. Norton catches and strips it, though).

Anyway, hadn't heard from you for a while, and wanted to say hi.

[Peacerose]

For all the Fools and Idiots Who Think They're Safe:

There is no one operating system, browser, anti-virus, firewall, hardware router, or whatever, that cannot be exploited. Thousands of people are constantly looking for a way to hack everything.

The closest you can get to safety is to accept what I wrote above as gospel, keep your OS, browser, anti-virus and firewall updated and watch always for changes in your system.

If you don't understand what I just said, you are part of the problem.

[KoRn]

Here you are way off base. MS releases lots of patches outside of service packs."

Sure they do, except for one I remember reading about last year that Microsoft let go for months. The one where a user could click on a URL that could be set up to delete any file on the end user's computer the URL's creator wanted. That one was allowed to stay out there until a major service pack. Microsoft knew about it long before, and didn't fix it because it hadn't been discovered by Hackers.

[KoRn]

Correct you are! The primary security risk on ALL equipment is physical access. There is almost no computer I can't hack if I have physical access to it(I don't mean with an axe either). I can change the password, thus reconfigure a Cisco Router in about 5min if I have physical access to it.

I can't tell you how many well protected systems I've seen against remote access be so easy to break into by simply opening an unlocked door.

[JoJo Gunn]

Yep, what one man can make, another man can break.

Mozilla is far from perfect. Images associating with the Downloads box, and it's problems for some users, shows the Mozilla coders can also be mind numbingly stupid. But the popup blocker and adblocker extension are the main reasons I stick with it.

[holymoly]

There is no one operating system, browser, anti-virus, firewall, hardware router, or whatever, that cannot be exploited.

I've never claimed there was. Anyone who visits my FR homepage will find it full of PC/Windows security-related links.

While I offer alternatives to MSIE, I also link to an article with tips on how to harden IE. The choice is up to the individual. I hope they make an educated one.

Again, I have never claimed that Mozilla, Firefox or Opera were immune to virii, malware, etc. However, these browsers simply do not suffer from the myriad IE-only vulnerabilities, which include, but are not limited to, those related to AciveX. (E.G. drive-by downloads.)

For those interested in PC security-related links, visit my FR homepage. The information is there. Do what you will with it.