Mozilla / Mozilla Firefox User Interface Spoofing Vulnerability

Secunia Stay Secure ^ | July 30, 2004

[Bush2000]

Sure it does. A little knowledge of the difference between an application and an operating system is all you need to understand.

Again, how did integration directly contribute to some of these flaws? The courts have found that IE is an application that was bolted onto the operating system. At the end of the day, IE is still an application, even if it's welded into Windows; consequently, it's subject to the same kinds of flaws as any other application.

[Bush2000]

There are plenty of bad guys out there gunning for everyone, there are plenty of crackers out there trying to crack everything. Including Mozilla/Firefox.

No, wrong. This isn't a difficult concept to understand -- even for you. If you're a cracker, you don't crack code running on Commodore 64s or Amigas or Apple IIs. You're going to go after the dominant platform -- the one that will create the most havoc and disruption. Since Mozilla/Firefox have less than 5% browser market share, few crackers would consider it worth their time. That may change over time, if there is a change in market share.

In fact, with the source code *open* like it is, you might even expect far more exploits on it than IE.

Nope. Security through obscurity isn't a protection.

[Bush2000]

Exactly why I've gone to Firefox! The exploit listed above is going to reside on how many websites? I've known the whole IIS and IE infrastructure has been broken since the Code Red virus. Just look in your software upgrade list andsee how many patch/kludges have been applied.

How many websites deployed the Download.Ject IE crack? How many people have actually been burned? Answer: Nobody. You're spewing nothing but FUD.

[Marie Antoinette]

Ping a roonie

[vollmond]

Let's see -- one major flaw in a work-in-progress as opposed to a production model that has had multiple flaws/exploits/problems/et.al.

I use Firefox at home and many other open source tools, but this is a cop-out. Mozilla has been under development long enough that the "beta means never having to say you're sorry" excuse doesn't cut it.

There's a reason most open source tools never leave beta stage or get superceded by newer beta versions. Not having to accept responsibility for a finished product is one of them.

[Bush2000]

Why are you driving your IE?

1. I don't blame the car when some malicious punk pours sugar in the gas tank or lays down a nail strip. I blame the perp.

2. Like most people, I don't visit visit malicious websites (hak0rz, war3s, p0rn); consequently, my risk (and that of most people) of encountering exploits is damn close to 0%. You're advocating getting a new car because of a theoretical threat. Ridiculous tripe. I say don't drive through known bad parts of town.

3. If you've ever bothered to study software engineering issues/concepts, you'd realize that the defect rates for both open and closed source products are essentially the same. Consequently, you can go with an obscure/marginal application such as Mozilla/Firefox in the hope that it will paint less of a bullseye on your forehead, but don't be surprised when you're hit with the same kinds of vulnerabilities (as evidenced by this article, of all things) when hackers/crackers turn their attention to you.

[mhking]

Mozilla has been under development long enough that the "beta means never having to say you're sorry" excuse doesn't cut it.

If the FF release had been post-1.0, I'd agree with you, but the FF 1.0 milestone won't show until sometime in the middle to the end of the 4th quarter.

When comparing that to Microsoft's track record of vulnerabilities and fixes (or non-fixes as some might point to), I'd say that Mozilla has a pretty damn good track record.

[D-fendr]

You're advocating getting a new car because of a theoretical threat.

I was accepting your analogy as I understood it in your post – true not theoretical:

"Whenever IE drives down the road, they throw out a nail strip. Or put a bullet through the front grill."

don't be surprised when you're hit with the same kinds of vulnerabilities (as evidenced by this article, of all things) when hackers/crackers turn their attention to you.

Perhaps, but until, if, or when that happens, why drive ( anymore than absolutely necessary) the vehicle that's the major target right now?

I trust that you can take good care of yourself. However as a general policy, I still think it more prudent to minimize security risk, particularly when the cost of doing so is so low.

thanks very much for your reply.

[Bush2000]

I was accepting your analogy as I understood it in your post – true not theoretical

I don't drive through bad parts of town; therefore, my risk of getting hit with random gunfire, bottles, etc from those parts of town is non-existent. There's a theoretical risk -- but only if you choose to traverse those roads.

Perhaps, but until, if, or when that happens, why drive ( anymore than absolutely necessary) the vehicle that's the major target right now?

Because the risk is practically non-existent. That's why.

[Bush2000]

When comparing that to Microsoft's track record of vulnerabilities and fixes (or non-fixes as some might point to), I'd say that Mozilla has a pretty damn good track record.

Mozilla/Firefox doesn't have any appreciable market share. As it gains in market share, its vulnerabilities will explode.

[Advil]

Yo guys,

Version 0.9.3 of Firefox is already out. Go grab it and be happy.

No matter what you think about all these vulnerabilities, Firefox has been patched within 24 hours almost every time. And it's a small painless download. So far a better experience than IE. I'm a computer tech for a living, and I used to be a big IE fan. The idea is, why use a browser that isn't supported everywhere? Well, times have changed. We spend half our day working on systems that have been infected with just about every kind of virus and spyware you can imagine. Most people simply have no idea how to protect themselves, and even the ones who say "I'm carefull" still don't have a clue. I'm not trying to be hard on people who aren't computer literate, just realistic. We need a larger spread of web browsers and applications, just so these damn hackers can't screw up the whole world with one virus. I used to think MS would get it worked out, but as people have said above, MS isn't continuing browser development in a good way. And it's hurting everyone.

Get Firefox web browser. (free)
Get Ad-Aware. (free)
Get Spybot. (free)
Get Spyware Blaster. (free)
Get Norton Internet Security (Or at least Norton Antivirus)

www.mozilla.com for Firefox browser.
www.majorgeeks.com (left column, spyware tools)
www.symantec.com for info on Norton. (buy it at your favorite software store or computer shop)

ABOVE ALL:

CHECK FOR UPDATES TO ALL THESE PROGRAMS EVERY TWO WEEKS, AND RUN THE AD/ANTIVIRUS SCANNERS AT LEAST ONCE EVERY TWO WEEKS.

[D-fendr]

I don't drive through bad parts of town; therefore, my risk of getting hit with random gunfire, bottles, etc from those parts of town is non-existent.

You don't have to drive thru bad parts anymore.. and there's email, and p2p, etc...

Again, I'm sure you can take care of yourself, but in general it's easier and prudent to recommend that others drive a safer vehicle as much as possible as part of basic security measures..

thanks for the discussion and best wishes...

[Bush2000]

You don't have to drive thru bad parts anymore.. and there's email, and p2p, etc...

Great. Cite some major-traffic websites that are providing malicious content. I'll wait while you decide...

and there's email, and p2p, etc...

I don't use HTML mail. Nor p2p. Try again.

Again, I'm sure you can take care of yourself, but in general it's easier and prudent to recommend that others drive a safer vehicle as much as possible as part of basic security measures..

Oh, right. "Everyone, please buy a M1A1 Abrams tank because you may encounter the possibility of malicious traffic..." /SARCASM

[LTCJ]

*whew*...im glad im running IE. Im safe!

LOL!

[LTCJ]

I subscribe to Kim Komando's newsletters. She convinced me to switch to Mozilla's Firefox! However, in her yesterday's newsletter she said after Microsoft's latest security patch she has now switched back to I.E. being more safe!!

I believe it. On Saturday I tried installing that patch. The installation froze half way through and now I can't connect to the internet at all without booting SuSE. Safer? Yep, but not quite what I had in mind.

Maybe I'll fix it one of these days. But right now I'm still too PO'ed.

[rwfromkansas]

Firefox is MUCH MUCH faster than my IE.

I originally was just going to Firefox part of the time, but I have now switched for good (unless I get that weird "the file / could not be found" error when I try to load a page I saw before in the same day....but that should be fixed with my downloading of 9.3.

It is ridiculous how fast pages load on Firefox vs. IE.

It just loads up almost immediately.