Posted on 01/06/2005 11:07:43 PM PST by Bush2000
Solid reputation paints bull's-eye on Mozilla's Firefox Free Web browser is known to be virtually impregnable to viruses and pop-ups, but it isn't hack-proof
Sarah Stables
CanWest News Service
Thursday, January 06, 2005
A reputation for being virtually impregnable to viruses, pop-ups and other nasties of the Web is driving millions of fed-up computer users to ditch Internet Explorer in favour of the supposedly hack-proof alternative, Firefox, Mozilla's free Web browser. There's only one problem: the upstart isn't hack-proof at all.
The evidence is at K-Otic.com, a Web site where hackers and security experts post their latest "exploits" - coded recipes for manipulating vulnerabilities detected in software or operating system programs.
From 2004 to the start of 2005 alone, there were no fewer than 55 ways found to get inside computers and control them through Firefox, mostly without leaving a trace, the latest posted yesterday.
As the popularity of Firefox grows, experts caution, so will the number of successful hacks and attempts. The browser's reputation for "safety and reliability" will paint a bull's-eye on its back.
"If you can actively exploit Internet Explorer in so many ways, hackers, they get bored quick. They're going to be looking for a new challenge. And what's going to fuel that fire is every person who says (Firefox) is so much more secure," said Ryan Purita, a West Coast programmer who is one of a handful of certified forensic examiners in Canada.
"For hackers, it'll be a badge of honour to go out there and prove them wrong."
Praise for Firefox in the Wall Street Journal, the New York Times, Forbes and elsewhere has raised Firefox's cachet in recent weeks. More than 14 million people have downloaded the browser since it was officially launched on Nov. 9, 2004.
The attraction is an uncomplicated interface, and features such as instant access to Google, pop-up blockers, and its obstruction of so-called "Active-X controls" - an architectural feature of IE that has proven to be an effective back door for hundreds of hacker attacks.
In less than two months, Firefox has grabbed a four-per-cent share of the browser market, making it the second-most popular engine after Internet Explorer, and dropping back IE to roughly a 90-per-cent take, according to Internet analysis firm WebSideStory.
Pundits now debate the possibility of a renewed browser war not unlike the mid-1990s battle between IE and arch-nemesis Netscape, which ended with the latter's demise - and now, rebirth.
A few years after AOL bought Netscape, the browser code was bequeathed to the Mozilla Foundation, based in Mountainview, Calif. It re-emerged first as a beta engine in 2000, then was further re-engineered as Firefox.
Mozilla officials themselves recognize attempts to hack their products in a prominent section on their Web site, but say Firefox and a new e-mail application, Thunderbird, are still safer than IE, for which Microsoft receives daily notice of blindside attacks.
"Historically, we've had a fewer number of vulnerabilities and they've been less severe," said Mozilla director of engineering Chris Hofmann.
But the statistics suggest an ominous trend. As early as 2000, when Firefox was but a teething babe at the Mozilla programming lab, K-Otic.com had found three exploits for early Mozilla programs, bugs that would apply equally to Firefox, Purita said.
The tally grew to 15 exploits in 2001. It bulged to 27 exploits in 2002, and in 2003, reached 30 known exploits. Last year, the number of exploits nearly doubled.
Yesterday, Danish security firm Secunia.com posted a "fix" shoring up several vulnerabilities within Firefox and Thunderbird it rated as "highly critical."
Interlopers could turn a computer into a "zombie" used to launch "denial of service" attacks against other machines - flooding them with useless e-mail until they crash. Or they could root around in search of files, and "spoof" aspects of a system to trick it into disclosing sensitive information, such as bank account numbers, according to Secunia's alert.
Perceptions of Firefox's invulnerability owe much to its open-source history. Hundreds of volunteers helped refurbish the old Netscape by tracking down "bugs" and vulnerabilities as a hobby, Hofmann said.
Proponents of open-source programming argue altruistic pursuit of perfection by legions of anonymous programmers is bound to produce better code than a proprietary engine such as Microsoft's.
"We do have a community that's very serious about security and fixing problems fast when they show up," the Mozilla spokesperson said.
"We get a lot of professors, graduate undergraduate students doing security research on a volunteer basis, trying to figure out the potential for exploits. That's another strength we have," he said.
But Purita, whose role at the Vancouver consulting firm Totally Connected Security Ltd., among other things, is to test corporate networks for problems, believes both browsers are similarly vulnerable.
The difference, he argued, is strictly a "numbers game."
"If you can exploit hundreds of millions of machines running Internet Explorer, why go after the 10 per cent of people who are running Firefox? If I want to do a massive hack, I want people with a similar operating system," he said. "And I'm not being paid by Microsoft to say that."
The speed with which hackers share knowledge makes the Internet a far more dangerous place today than it has ever been, he said.
"It's complete access to whatever malicious activity they want to do, whether it's to reformat your hard-drive, copy financial data or keystroke log your passwords for online banking."
So according your nihilistic philosophy, everything is the same. You believe that a poorly-designed product is as good as a well-designed one. It's like saying there's no difference between Yugos and Cadillacs, or Democrats and Republicans.
I say your philosophy is a load of crap.
People should use the software they feel comfortable with and adopt an attitude of security that includes updates, regular backups and awareness of changes in their computer system.
It is great if you prefer one browser over another, but blind faith in that browser is a serious security issue.
I agree that prompt updates, regular backups and checking the log files for unusual events are best practices. But you are totally overlooking the role of the operating system to provide a robust, secure environment.
I also agree that blind faith should not be used as a basis for computer security. Instead, compare the designs and the actual track records of the respective systems. If you make those comparisons, you will find that some systems are better than others, and the choice of operating systems does make a big difference in security. Microsoft has the worst track record because their systems are designed poorly.
No one ever claimed Firefox was flawless. It's simply less flawed than Internet Explorer while being a better product.
It's cute how, since you think Firefox is for gullible morons, you then go on to use the browser with even more holes and exploit potential. A picket fence is better than an open yard.
Read my 84.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.