55 Ways to Hack Mozilla's Firefox
CanWest News Service | Sarah Stables

Posted on 01/06/2005 11:07:43 PM PST by Bush2000

Solid reputation paints bull's-eye on Mozilla's Firefox

Free Web browser is known to be virtually impregnable to viruses and pop-ups, but it isn't hack-proof

Sarah Stables
CanWest News Service

Thursday, January 06, 2005

A reputation for being virtually impregnable to viruses, pop-ups and other nasties of the Web is driving millions of fed-up computer users to ditch Internet Explorer in favour of the supposedly hack-proof alternative, Firefox, Mozilla's free Web browser. There's only one problem: the upstart isn't hack-proof at all.

The evidence is at K-Otic.com, a Web site where hackers and security experts post their latest "exploits" - coded recipes for manipulating vulnerabilities detected in software or operating system programs.

From 2004 to the start of 2005 alone, no fewer than 55 ways were found to get inside computers and control them through Firefox, mostly without leaving a trace; the latest was posted yesterday.

As the popularity of Firefox grows, experts caution, so will the number of successful hacks and attempts. The browser's reputation for "safety and reliability" will paint a bull's-eye on its back.

"If you can actively exploit Internet Explorer in so many ways, hackers, they get bored quick. They're going to be looking for a new challenge. And what's going to fuel that fire is every person who says (Firefox) is so much more secure," said Ryan Purita, a West Coast programmer who is one of a handful of certified forensic examiners in Canada.

"For hackers, it'll be a badge of honour to go out there and prove them wrong."

Praise for Firefox in the Wall Street Journal, the New York Times, Forbes and elsewhere has raised Firefox's cachet in recent weeks. More than 14 million people have downloaded the browser since it was officially launched on Nov. 9, 2004.

The attraction is an uncomplicated interface, and features such as instant access to Google, pop-up blockers, and its obstruction of so-called "ActiveX controls" - an architectural feature of IE that has proven to be an effective back door for hundreds of hacker attacks.

In less than two months, Firefox has grabbed a four-per-cent share of the browser market, making it the second-most popular engine after Internet Explorer, and dropping back IE to roughly a 90-per-cent take, according to Internet analysis firm WebSideStory.

Pundits now debate the possibility of a renewed browser war not unlike the mid-1990s battle between IE and arch-nemesis Netscape, which ended with the latter's demise - and now, rebirth.

A few years after AOL bought Netscape, the browser code was bequeathed to the Mozilla Foundation, based in Mountain View, Calif. It re-emerged first as a beta engine in 2000, then was further re-engineered as Firefox.

Mozilla officials themselves recognize attempts to hack their products in a prominent section on their Web site, but say Firefox and a new e-mail application, Thunderbird, are still safer than IE, for which Microsoft receives daily notice of blindside attacks.

"Historically, we've had a fewer number of vulnerabilities and they've been less severe," said Mozilla director of engineering Chris Hofmann.

But the statistics suggest an ominous trend. As early as 2000, when Firefox was but a teething babe at the Mozilla programming lab, K-Otic.com had found three exploits for early Mozilla programs, bugs that would apply equally to Firefox, Purita said.

The tally grew to 15 exploits in 2001. It bulged to 27 exploits in 2002, and in 2003, reached 30 known exploits. Last year, the number of exploits nearly doubled.

Yesterday, Danish security firm Secunia.com posted a "fix" shoring up several vulnerabilities within Firefox and Thunderbird it rated as "highly critical."

Interlopers could turn a computer into a "zombie" used to launch "denial of service" attacks against other machines - flooding them with useless e-mail until they crash. Or they could root around in search of files, and "spoof" aspects of a system to trick it into disclosing sensitive information, such as bank account numbers, according to Secunia's alert.

Perceptions of Firefox's invulnerability owe much to its open-source history. Hundreds of volunteers helped refurbish the old Netscape by tracking down "bugs" and vulnerabilities as a hobby, Hofmann said.

Proponents of open-source programming argue altruistic pursuit of perfection by legions of anonymous programmers is bound to produce better code than a proprietary engine such as Microsoft's.

"We do have a community that's very serious about security and fixing problems fast when they show up," the Mozilla spokesperson said.

"We get a lot of professors, graduate and undergraduate students doing security research on a volunteer basis, trying to figure out the potential for exploits. That's another strength we have," he said.

But Purita, whose role at the Vancouver consulting firm Totally Connected Security Ltd. includes testing corporate networks for problems, believes both browsers are similarly vulnerable.

The difference, he argued, is strictly a "numbers game."

"If you can exploit hundreds of millions of machines running Internet Explorer, why go after the 10 per cent of people who are running Firefox? If I want to do a massive hack, I want people with a similar operating system," he said. "And I'm not being paid by Microsoft to say that."

The speed with which hackers share knowledge makes the Internet a far more dangerous place today than it has ever been, he said.

"It's complete access to whatever malicious activity they want to do, whether it's to reformat your hard-drive, copy financial data or keystroke log your passwords for online banking."


TOPICS: Business/Economy; Computers/Internet
KEYWORDS: computersecurity; kneepads; littleprecious; lowqualitycrap; msmoonbat; paidshill; redmondpayroll; technical; trollfromredmond
Firefox. Gullible Morons Wanted.
1 posted on 01/06/2005 11:07:44 PM PST by Bush2000

To: Bush2000

French-Canadian FUD. Yawn.


2 posted on 01/06/2005 11:15:02 PM PST by Petronski (I'd give my right arm to be ambidextrous.)

To: Petronski
French-Canadian FUD. Yawn.

Oh, c'mon. Surely you can do better than that. Either the article is factually correct -- or it's not. Which is it -- and what's your evidence?
3 posted on 01/06/2005 11:16:29 PM PST by Bush2000

To: Bush2000

Yawn.


4 posted on 01/06/2005 11:17:53 PM PST by Petronski (I'd give my right arm to be ambidextrous.)

To: Petronski

You disappoint me, Petronski. Usually, you're good for a reasonable argument. But since you can't defend your argument, why bother.


5 posted on 01/06/2005 11:20:30 PM PST by Bush2000

To: Bush2000

I offer you no argument. I dismiss your troll-bait. This one is beneath you (even you).


6 posted on 01/06/2005 11:23:33 PM PST by Petronski (I'd give my right arm to be ambidextrous.)

To: Bush2000
- Mozilla "MSG_UnEscapeSearchUrl()" Buffer Overflow Vulnerability
- Mozilla / Mozilla Firefox Window Injection Vulnerability
- Mozilla / Thunderbird Valid Email Address Enumeration Weakness
- Mozilla / Firefox / Thunderbird Downloaded File Content Disclosure Vulnerability
- Mozilla / Mozilla Firefox / Camino Tabbed Browsing Vulnerabilities
- Mozilla / Mozilla Firefox Cross-Domain Cookie Injection Vulnerability
- Mozilla Multiple Vulnerabilities
- Mozilla / Mozilla Firefox Apple Java Plugin Tab Spoofing Vulnerability
- Mozilla / Mozilla Firefox / Mozilla Thunderbird libpng Vulnerabilities
- Mozilla / Mozilla Firefox User Interface Spoofing Vulnerability
- Mozilla / Mozilla Firefox "onunload" SSL Certificate Spoofing
- Mozilla / Firefox Certificate Store Corruption Vulnerability

7 posted on 01/06/2005 11:30:00 PM PST by JerseyHighlander

To: Bush2000
The problem with Foxfire for Windows is obvious: it's running on Windows.

If the operating system is inherently unsafe, there is no way that switching browsers can achieve more than a false sense of security.

8 posted on 01/06/2005 11:32:22 PM PST by HAL9000 (Spreading terrorist beheading propaganda videos is an Act of Treason!)

To: JerseyHighlander

Twelve dead links. Impressive. Is that code from FrontPage?


9 posted on 01/06/2005 11:33:04 PM PST by Petronski (I'd give my right arm to be ambidextrous.)

To: HAL9000
The problem with Foxfire for Windows is obvious: it's running on Windows.

Even if I were to accept your basic premise, the logical conclusion is that it isn't worthwhile to switch to Firefox.
10 posted on 01/06/2005 11:40:50 PM PST by Bush2000

To: Bush2000
You work for Microsoft?
11 posted on 01/06/2005 11:43:48 PM PST by Pro-Bush (Me he perdido)

To: HAL9000
If the operating system is inherently unsafe, there is no way that switching browsers can achieve more than a false sense of security.

That would be my opinion also.

Just fired up Xandros V3 today... looking good.

12 posted on 01/06/2005 11:47:49 PM PST by Ernest_at_the_Beach (A Proud member of Free Republic ~~The New Face of the Fourth Estate since 1996.)

To: Bush2000
Proponents of open-source programming argue altruistic pursuit of perfection by legions of anonymous programmers is bound to produce better code than a proprietary engine such as Microsoft's.

While reading this, it occurred to me that this is a good analogy for Free Republic vs. Old Media.

Proponents of ~~open-source programming~~ accurate news argue altruistic pursuit of perfection by legions of anonymous ~~programmers~~ FReepers is bound to produce ~~better code~~ more accurate news than a ~~proprietary engine~~ lying sack of dung such as ~~Microsoft's~~ Dan RAthER.

:-D
13 posted on 01/07/2005 12:02:26 AM PST by Nita Nupress

To: Petronski
It's late, sorry 'bout that. Let's try this, it's a list of the exploits... A list of bugs

The ones I tried to post were the newer ones. The 55 is cumulative, I have patches for I think 18 of the old exploits.

14 posted on 01/07/2005 12:10:38 AM PST by JerseyHighlander

To: Petronski

And here's the breakdown of the advisories, specific for Firefox, (as in not Mozilla).

http://secunia.com/product/4227/


15 posted on 01/07/2005 12:12:47 AM PST by JerseyHighlander

To: Revel

ping


16 posted on 01/07/2005 12:36:13 AM PST by nw_arizona_granny (Today, please pray for God's miracle, we are not going to make it without him.)

To: nw_arizona_granny
Kinda off the subject...I run my DSL thru a Linksys router. Never had anyone "inside" my computer.
17 posted on 01/07/2005 1:04:25 AM PST by Dallas59 ("A weak peace is worse than war" - Tacitus)

To: Bush2000

Just as I thought.
The "open source is secure" myth continues to crumble like Al Gore's presidential ambitions!
BWHAHAHAHAHAHAHAHA!!

SCHADENFREUDE!!


18 posted on 01/07/2005 3:37:32 AM PST by KwasiOwusu

To: Petronski
"French-Canadian FUD. Yawn."

Hey dude, I AM enjoying your pain.
BIG TIME!! :)
19 posted on 01/07/2005 3:39:12 AM PST by KwasiOwusu

To: rdb3; chance33_98; Calvinist_Dark_Lord; Bush2000; PenguinWry; GodGunsandGuts; CyberCowboy777; ...

Firefox ping


20 posted on 01/07/2005 6:58:30 AM PST by ShadowAce (Linux -- The Ultimate Windows Service Pack)
