Posted on 01/06/2005 11:07:43 PM PST by Bush2000
Solid reputation paints bull's-eye on Mozilla's Firefox Free Web browser is known to be virtually impregnable to viruses and pop-ups, but it isn't hack-proof
Sarah Stables
CanWest News Service
Thursday, January 06, 2005
A reputation for being virtually impregnable to viruses, pop-ups and other nasties of the Web is driving millions of fed-up computer users to ditch Internet Explorer in favour of the supposedly hack-proof alternative, Firefox, Mozilla's free Web browser. There's only one problem: the upstart isn't hack-proof at all.
The evidence is at K-Otic.com, a Web site where hackers and security experts post their latest "exploits" - coded recipes for manipulating vulnerabilities detected in software or operating system programs.
From 2004 to the start of 2005 alone, there were no fewer than 55 ways found to get inside computers and control them through Firefox, mostly without leaving a trace, the latest posted yesterday.
As the popularity of Firefox grows, experts caution, so will the number of successful hacks and attempts. The browser's reputation for "safety and reliability" will paint a bull's-eye on its back.
"If you can actively exploit Internet Explorer in so many ways, hackers, they get bored quick. They're going to be looking for a new challenge. And what's going to fuel that fire is every person who says (Firefox) is so much more secure," said Ryan Purita, a West Coast programmer who is one of a handful of certified forensic examiners in Canada.
"For hackers, it'll be a badge of honour to go out there and prove them wrong."
Praise for Firefox in the Wall Street Journal, the New York Times, Forbes and elsewhere has raised Firefox's cachet in recent weeks. More than 14 million people have downloaded the browser since it was officially launched on Nov. 9, 2004.
The attraction is an uncomplicated interface, and features such as instant access to Google, pop-up blockers, and its obstruction of so-called "Active-X controls" - an architectural feature of IE that has proven to be an effective back door for hundreds of hacker attacks.
In less than two months, Firefox has grabbed a four-per-cent share of the browser market, making it the second-most popular engine after Internet Explorer, and dropping back IE to roughly a 90-per-cent take, according to Internet analysis firm WebSideStory.
Pundits now debate the possibility of a renewed browser war not unlike the mid-1990s battle between IE and arch-nemesis Netscape, which ended with the latter's demise - and now, rebirth.
A few years after AOL bought Netscape, the browser code was bequeathed to the Mozilla Foundation, based in Mountainview, Calif. It re-emerged first as a beta engine in 2000, then was further re-engineered as Firefox.
Mozilla officials themselves recognize attempts to hack their products in a prominent section on their Web site, but say Firefox and a new e-mail application, Thunderbird, are still safer than IE, for which Microsoft receives daily notice of blindside attacks.
"Historically, we've had a fewer number of vulnerabilities and they've been less severe," said Mozilla director of engineering Chris Hofmann.
But the statistics suggest an ominous trend. As early as 2000, when Firefox was but a teething babe at the Mozilla programming lab, K-Otic.com had found three exploits for early Mozilla programs, bugs that would apply equally to Firefox, Purita said.
The tally grew to 15 exploits in 2001. It bulged to 27 exploits in 2002, and in 2003, reached 30 known exploits. Last year, the number of exploits nearly doubled.
Yesterday, Danish security firm Secunia.com posted a "fix" shoring up several vulnerabilities within Firefox and Thunderbird it rated as "highly critical."
Interlopers could turn a computer into a "zombie" used to launch "denial of service" attacks against other machines - flooding them with useless e-mail until they crash. Or they could root around in search of files, and "spoof" aspects of a system to trick it into disclosing sensitive information, such as bank account numbers, according to Secunia's alert.
Perceptions of Firefox's invulnerability owe much to its open-source history. Hundreds of volunteers helped refurbish the old Netscape by tracking down "bugs" and vulnerabilities as a hobby, Hofmann said.
Proponents of open-source programming argue altruistic pursuit of perfection by legions of anonymous programmers is bound to produce better code than a proprietary engine such as Microsoft's.
"We do have a community that's very serious about security and fixing problems fast when they show up," the Mozilla spokesperson said.
"We get a lot of professors, graduate undergraduate students doing security research on a volunteer basis, trying to figure out the potential for exploits. That's another strength we have," he said.
But Purita, whose role at the Vancouver consulting firm Totally Connected Security Ltd., among other things, is to test corporate networks for problems, believes both browsers are similarly vulnerable.
The difference, he argued, is strictly a "numbers game."
"If you can exploit hundreds of millions of machines running Internet Explorer, why go after the 10 per cent of people who are running Firefox? If I want to do a massive hack, I want people with a similar operating system," he said. "And I'm not being paid by Microsoft to say that."
The speed with which hackers share knowledge makes the Internet a far more dangerous place today than it has ever been, he said.
"It's complete access to whatever malicious activity they want to do, whether it's to reformat your hard-drive, copy financial data or keystroke log your passwords for online banking."
Right! And think about people who let their kids and their kids' friends play on the 'family computer' semi-supervised - merrily skipping across the web picking up trojans, viruses, and BHOs galore.
I agree. It is the total faith in one operating system or piece of software or hardware that is so dangerous.
Oh, dear! Didn't mean for you to take it personal! Only wanted to hear your opinion.
I applaud your efforts to educate!
ROFL! I remember. So sad. (but why was I laughing?)
On a darker note with that. I was 'browsing' someone's computer on the kazaa network, like we just discussed, and found what certainly appeared to be child porn. I traced the address to an ISP in New Zealand. I was furious, but didn't know what to do, afraid of getting trouble myself if I gathered the evidence from their computer. I sent an email to their ISP notifying them of what I had found with the users IP address, and never heard anything else about it.
No problem. Given that the first post called Firefox users "gullible morons", I probably over-reacted. I saw "fools and idiots" and thought "Hey, wait a minute!" ;)
I personally don't use Firefox (Mozilla & Opera). I simply want people to make an informed choice.
Learning the hard way can be a painful experience.
Firefox: People who want no spyware and popups, plus faster surfing, wanted.
I don't care that it can be hacked.
Big deal. Anything can be hacked with the right tools.
This is news why?
Bush2000 is nothing if not analogous to a Molotov throwing hippie, and has all the debating skills of a Leftist. Just learn to ignore it.
The extensions are awesome. I can zoom in on any image in the browser itself, something I can't do with IE.
And, you know what?
1. No longer getting tons of spyware like when I was on IE.
2. Maybe 1 popup per hour compared to 50 in IE.
3. No viruses get through unliked in IE.
Yeah, hacker exploits will be discovered and abused.
I am not sitting here thinking Firefox is hack-proof. But, I know that the experience is much better. And, while not perfect, I am safer.
What you said. It's a cyber-jungle out there.
It's not that Firefox is perfect. It's just that IE is less so.
Oh yeah, but of course it isn't "hack proof", considering that even I can download the source code and look for exploits, (assuming this appliance operator knew what to do). Gates protects his source code, but what good has that really done?
I try to look at it from a hacker's point of view - what bragging rights to my fellow thugs, what claim to computer prowess, will I have when messing with Mozilla as compared to the latest and greatest "more secure" MS?
My instincts say there's going to be an onslaught against that new spyware beta MS just announced, by the way, so it'll be very interesting to see the reactions of Bush2000 and Quasimodo, etc. Stock up on the popcorn.
"The United States Computer Emergency Readiness Team (US-CERT) does note that IE's design makes it very difficult to secure. They note that "There are a number of significant vulnerabilities in technologies relating to the IE domain/zone security model,-
-local file system (Local Machine Zone) trust, the Dynamic HTML (DHTML) document object model (in particular, proprietary DHTML features), the HTML Help system, MIME type determination, the graphical user interface (GUI), and ActiveX... IE is integrated into Windows to such an extent that vulnerabilities in IE frequently provide an attacker significant access to the operating system."
please link to a post where someone who thinks opensource is a good idea says that it is invulnerable to attack. Levels of security are based more on the underlying architecture than on is popularity. If you think IE has better architecture then put up a post to back it up..
The simplistic advice you "wrote above as gospel" is incomplete and inadequate for security purposes. Keeping things updated is important - but it will not improve your security much if your basic design is flawed. To get truly good security, it is essential that you start with a well-designed foundation.
To put it in terms you can understand, let's consider the design issues of the "The Three Little Pigs". The first two little pigs were ignorant. They thought that design didn't matter, so they chose to built their houses from straw and sticks. Of course, we all know what happened to those foolish little pigs - they were eaten by the Big Bad Wolf!
But the third little pig was smart. He understood the importance of using a good design as the basis for a secure home, so he built his house from bricks. He survived! So the moral of the story is that to have "the closest you can get to safety", you must start with a good design.
It's that way with operating systems too. Microsoft Windows is a poorly-designed house of straw. Merely keeping a house of straw updated won't do much to improve your basic security.
Windows XP shipped with a known worm (known to MS anyways) for over six months before MS released a patch. And they never bothered to tell anyone before the patch was ready!
You make me laugh! To put it in terms you can easily understand, your brick house is an illusion and you are in bed with the Big Bad Wolf!
In a nutshell (a place you are probably quite comfortable), all of the houses are made of straw and believing your house is made of brick won't help you.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.