Longer explanation: Mozilla made millions distributing a crappy insecure browser, we might as well cash in and screw their users too. Adequate road sign, as this is Mozilla, not Toyota.
A Russian security researcher on Thursday said he has released attack code that exploits a critical vulnerability in the latest version of Mozilla's Firefox browser. The exploit - which allows attackers to remotely execute malicious code on end user PCs - triggers a heap corruption vulnerability in the popular open-source …
This post has been deleted by its author
"Longer explanation: Mozilla made millions distributing a crappy insecure browser"
Sorry, for a moment I thought you said "Mozilla" instead of "Microsoft"...
"We've tested it on XP and Vista"
...but does it work on Ubuntu (or any other Linux for that matter)? What about OSX? If not then we know where the problem *really* lies...
"...but does it work on Ubuntu (or any other Linux for that matter)? What about OSX? If not then we know where the problem *really* lies..."
Does the code work if the program (firefox) is not running, or better yet if it's not installed? Probably not, so we REALLY know where it lies.
When a company says it's product is 'the most secure', and spends more than half its annual income on marketing, I'd guess it talks about 'secure' in the anti-terrorism sense. (IE keep claiming safety, and hope people are stupid enough to believe the line of crap)
to companies that can afford to pay before they release an exploit!
Open-source, non-profit organizations would be perfect targets to show proprietary, for profit companies that this company can find and will release exploits.
Perhaps, there should be an International law on disclosing exploits. Should the time frame be two weeks, a month from the time the exploit is handed to the company which owns (created) the code until it is release?
badjers, because this has got me fighting mad - I'm not big on police states and increasing policing powers but if this is not illegal it probably should be.
This post has been deleted by its author
Safe languages take up resources and time with garbage collection and sanity checking. Thing is, even now with modern multicore CPUs, speed is still an issue (one of Mozilla's criticisms is that it's a bit slow--particularly with ECMAScript). Optimizing coding means eschewing some of the checks and balances.
Think of the safe vs. fast programming problem like the airport security checkpoint problem. They're very much alike in that being too lenient or quick means things get through while being too strict or thorough reduces throughput to a crawl.
"Safe languages take up resources and time with garbage collection and sanity checking. "
Not necessarily. Garbage collection is not required, just the checking (Pascal and its relatives do not have garbage collection). And it was demonstrated already in the 1970's by some researchers that the cost of runtime checks can be reduced to just a few % when an optimizing compiler is made to take them into account. This requires the checks are integral to the language and compiler, not a bolted-on feature.
In respect to safety, the field took a nosedive when C and its descendants took over from Pascal and its descendants (like Modula and Ada).
"And it was demonstrated already in the 1970's by some researchers that the cost of runtime checks can be reduced to just a few % when an optimizing compiler is made to take them into account. This requires the checks are integral to the language and compiler, not a bolted-on feature"
This is just a variant of the Assembler Vs HLL problem. You'd have thought it had died a *long* time ago.
One of Pascal's original aims was to make it run as fast as badly structured languages like FORTRAN (this is early 1970's FORTRAN). It succeded. In the commercial world Ferranti released an ALGOL compiler with substantial error checking. When they asked customers did they want runtime error checking removed to improve speed for 2.0 the customers said no. This was in the 60's, when assembler was pretty much the norm and performance was a real premium.
For the daddy of these contests look at the Space Shuttle systems. Real time control system with *hard* response limits on a processor which flat out managed 400KIPS (that's not a typo).
Benchmarked assembler Vs the HLL gave IIRC at most a 15% performance hit. Despite hardware failures the system has *never* failed in flight. No 178b standard. No TCP/IP stack.. Just an awareness that failure means people will die and a pretty effective compiler for a HLL which fitted the problem domain quite well.
And BTW Microsoft whine about putting a JVM on Windows but what is the "Common Language Environment"? How much of Windows already is running on a VM?
IMHO writing secure, reliable code consistantly (anyone can get lucky once) is *never* an accident. The whole system is only as secure as its weakest link (human, software or hardware). A first rate team with a good understanding of security issues running solid tools and following a painstaking process could still (and my gut tells me probably has) been undermined because a bought in library was actually written by some clueless bong chugging Summer intern.*
However for this to happen it has to be a *management* priority. Someone somewhere has to be responsible for it and get it in the neck if it does not happen.
Anon for the line at the bottom.
*or in one case getting to a Star Trek convention on time.
The only time its going to become a *management* priority is when software HAS to be fit for purpose and can not hide behind the "Not fit for any particular purpose" which is the get out of Gail free card.
Once users can sue providers for crap software then and only then will market forces make software reliable and safe.
Hahaha, now that just silly and wrong.
Its been proven, look it up. C is not quicker to develope because it takes much longer to debug.
Plus, execution speed will not change much as your not executing the code.
Your thinking Java, and that slow because it not native execution.
As an Ex-Delphi developer I know 100% that if I coded some thing in delphi it would be as fast as if it was coded in C++. This speed argument has been going on for 20 years and its no more true now then 20 years ago.
Good, well writen code is what matters. You honestly think that with multiple giga, multi core machines a little bit of pointer checking matters? For a start, now Mozilla will have to write code to stop the problem.... so shockingly, they will be just a touch slower then not checking. Just more secure.
The issue with C and C++ is that they are NOT safe and require programmer and expirience to add the code to cover for this.
Safer languages are not always slower. The solution is a language that is safe by DEFAULT and if required the checks and balances can be disable were required.
You dont spend time optimising the full source tree, that would be an expensive waste you only optimise were the bottle necks are.
Why use a language that is always unsafe just because occasionally it is an advantage?
It's not the language... it's not the programmer... it's the QA process
With the best will in the world, even the best programmer will make a mistake sooner or later. That's why every organisation that develops software should have a QA process that ensures all code is reviewed against a checklist of good and bad development practices (amongst other things).
"Which platforms are supported at this time ?SAPPEUR currently is available for Intel(R) 32bit 80X86 Processors running Windows VISTA or Ubuntu"
So none then. Clicking on the tab for "Buying" gives a blank screen which tells me that this product isn't finished yet anyway.
The *real* solution is rigorous testing and not falling for any of the traps (as listed yesterday in El Reg's article on 25 potential problems you might accidentally code into your software...)
If you think fixing security bugs is as simple as using a different language, I'm afraid you are mistaken. Its perfectly possible, easy in fact, to write insecure programs that leak memory in C#/Java/whatever.
The only way to fix the problem is to write secure code in whatever language you are using.
Incidentally, garbage collection is possible in C++...
>If you think fixing security bugs is as simple as using a different language ...
It is not that simple, but using a language/environment where it is not plain possible to e.g. inject code trough causing a piece of code overwrite the machine stack should help. Somehow e.g. insisting on using C for everything smacks of an attitude where the only honourable way of writing software by operating console switches. Silly, that, when we can use the machine itself to do such mundane stuff and save our attention for more important things, such as security.
Mind you, C in itself is an object of my deepest admiration [hence icon] as the language is clean and simple, yet strikes a pretty much optimal balance between portability and low-level access to the machine. The latter, unfortunately, opens the door for a class of nasty bugs. Fortunately, low-level access (and absolute efficiency) is not needed for most work and/or all code.
fifteen years ago, and I wasn't that young then, and not only is garbage collection in C++ possible it wasn't very hard to implement.
I only worked/studied in the programming environment for one year and I must say that I'm sorry my opportunities took in other employment directions, but if C++ programmers can't implement proper garbage collection in C++ perhaps there are in the field.
Here here! well said. C and C++ are the main cause of this kind of issue. With a proper language you simply can not over run a buffer etc.
Modula 2, now thats and OO language and its good for saftey critical work. Ok, so it didn't have a large take up once windows came along but you'd never have exploited it.
Still, C is the most popular language, so your manager isn't going to be blamed for failier if he choses a less common language.
C as a language suffers primarily from a design floor. It was only ment to port the unix kernal, so its the only language that was designed to make the compiler easier to write. Now since when was that import to an application developer?
C should be buried at Sea!
as it is getting an ever-larger piece of the action, so nefarious people will turn their attentions to it. Safety is valued in terms of what you trust, and how much trust you have.
Would I be safe? ABP&NoScript and I don't "allow" sites at random. If a site fails with NoScript, I usually just find another. I hope the morons that require scripting to follow a clicky-link are paying attention.
Please let's NOT have any references to Opera, Chrome, Safari, or other browsers. Trust me, if said browser(s) had a sufficiently large share, it would be compromised.
You've just pointed out the only reason you need to move away from Firefox. There are of course other reasons, but the only one you actually NEED is that minority browsers don't attract the attention of the black hats.
As for Noscript it's a nice addon but far too intrusive for ordinary Josephines.
Why? It works for me. And maybe one day it will be the IE replacer and Opera will have a 33% market share and it will be subject to attacks. So what, all the Opera lovers will ditch it for some other minority browser?
As for the ordinary Josephines, there are countless examples of stupid things ordinary people do that backfire on them. Just last year a girl in her Clio went around a bunch of cars (about seven of us) on a blind bend. 70kph (in a 50 zone) straight into the front of a corn harvester. It would have been epic wreckage had the driver not been up high, seen the car, and stopped. As it was, pieces of Clio and body parts. People are expected to have a clue when hurting around at high speed in soft metal containers. There's fairly rote but nonetheless complex things to remember like starting and stopping, braqking distance, reaction times, changing track on the CD player instead of putting the wipers on, the scary gearstick (which while R is usually opposite 5, the car really would sulk expensively at going from one to the other). Yet everybody does this regularly. Some even know how to indicate correctly on the roundabout. Some <gasp> even pay attention to the Give Way signs.
Why is it, then, that our portal to the online world is "too complicated" and "difficult"? Sure, there's a lot to remember as the Internet provides a lot of different services, and it is further compounded by subtle differences in browsers (but no less annoying than the control sticks by the steering wheel having no standardisation, the one on the left - indicators or headlights? and God help you if your car has more than two!).
Given the level of loss possible (to your wallet, not just trashing your computer), perhaps it is time Josie educated herself and understood why these precautions are necessary. You don't walk in a city alone at night. You don't leave your front door wide open. You don't run scripting from sites you don't know...
[on my mother's profile, I am installing NoScript... ought to be a barrel of laughs, given her previous level of tech was opening the typewriter to change the inky ribbon! but, hell, if she's going to Google crochet and Amish recipes (!?) on my computer, she's going to have to take security seriously and not cop out with "oh, it's complicated" like so many people seem to want to do... after all, getting scammed to hell and back happens to other people, right?]
Open Source has had the benfit of people debugging the code for free for quite a while now, it stands to reason people are starting to go "this is not our product, and no one is paying us to fix what we've discovered. we can either report it and hope someone fixes it (whenever they feel like it), or come up with POC code that exploits it, and if the company whose product is flawed wants to fix it, they can buy a license for the POC code"
Sound fair, to be honest. If you spend time to work out an exploit bug and the people whose program it is don't feel that's worth rewarding, charge them. No one's stopping Mozilla from forking over the same amount of money they charge for anyone else to get their hands on the exploit code. Just because it's open source doesn't mean everyone's an altruist through thick and thin - a little economic dip and anyone who can come up with a good way to generate cash will do so.
To borrow a phrase, the real wtf is that they're the first to figure out that if they sell licenses to exploit code, either the owning company can pay that license in order to stop the exploit, or their product gets blasted. Pretty effective business model really.
You really think this is responsible, justifiable behaviour? Guys like this make the net *less* secure. What kind of d*ckhead releases details of a remote execution exploit to make a quick buck rather than notifying the software maker. Doesn't matter whether it's mozilla, Microsoft, Apple. That's why there's a responsible in 'responsible disclosure'
Frankly, I hope that the exploit does get exploited by some black hats, then hopefully the marks will sue this shithole of a company into oblivion for negligently releasing details of an attack vector without taking steps to help the developers mitigate the risks.
This guy is scum, and if you think his stance sounds fair, then you can join the ranks of people not worthy of internet access!
you can download the source here.
you can refer to the open source information here:
"All Mozilla software is open source. This means that it is not only available for download free of charge, but you have access to the source code and may modify and redistribute our software subject to certain restrictions as detailed in our license agreements."
They get arsey if you distribute your modified version with Firefox branding because of the 'defend it or lose it' part of US trademark law. It's an aspect of law with some unfortunate effects for free software, much like patent law. Hence Iceweasel, because it's preferable to Monopoly Firefox, now with added vendor lockin, or AdBroker Firefox with extra spying.
Despite the cross platform nature of Firefox, this hole is still a more significant issue for Windows users than anyone else. Last time I checked I was not starting Firefox as root :-) if someone went to the trouble to use the exploit with Linux & Mac they may be able to empty my home directory, but that would pretty much be the limit of it :-)
But lets not be complacent - its not impossible to chain this exploit with a local root exploit. Given the size of the Linux market right now, I'd say its highly unlikely this would ever get done. If Linux does get a large enough market share for all these kind of exploits to become profitable I shall be installing a *BSD...
I may be paranoid but I don't run FF or other browsers on my own account - the slight inconvenience of using a password to start the browser is more than compensated by the security of running in an empty account.
Assuming I ran the browser on my own account ) the daily backup of the home directories would provide a safety net.
If the OS sandboxed programs in a reasonable way, i.e., by not allowing them to install/run other programs, or to modify themselves, or to read/write files that aren't their own, then all of these security problems would vanish immediately.
The iPhone OS does this for apps and notice that so far no iPhone app has been able to compromise the rest of the system. All of the iPhone security issues have been with jailbroken phones or Apple's weak data encryption.
It's interesting to note that you can only buy access to the exploit after requesting a quote from Intevydis.
Also interesting to note that they're Russian.
You have to wonder if there IS an exploit, and if there is and no-one coughs up who the exploit will be passed on to ...
Exactly. CANVAS/Vuldisco etc. cost silly money, even more if they don't "approve" of your organisation. They are extremely dodgy people.
On the upside, while it has probably already been used in corporate espionage, various Eastern European organised crime gangs will get careless as it goes further down the food chain, using it to rip off all and sundry via shoddy malware. It's only a matter of time until security researchers who aren't massive f*cking c*ntbags get it, who will tell both Mozilla and the rest of the world, so it can be fixed.
(Sarah, apologies for the outburst. It makes me a little cross, and possibly needs to be said.)
Currently the Firefox folk haven't decided there -is- a problem.
Microsoft paid SCO to sue Linux over UNIX properties and hamper its adoption for business for years, maybe they paid this guy, whether there's something there or not... then again, I'm still not quite sure why Bill Gates doesn't just have all these competitors murdered. He's got the money.
The MS method has always been to deny there is a vulnerability whenever possible until the fix has been released. Of late Mozilla have been following exactly the same protocol.
Quite how anybody go from "we haven't seen any evidence of this vulnerability" to a fix with no intevening period to develop and test said fix is beyond me.
Started reading the article - looked at my version of Firefox - 3.5.7. Updated it and got 3.5.8 which opened with a web page saying that for security reasons I should upgrade to the latest and greatest version. Did so and now have Firefox 3.6. Changed to Chrome to type this.
Does anyone know of an effective way of communicating my displeasure to dear comrade Evgeny Legerov?
...the saddest thing about the FF fanbois is that they always assume that anybody who criticizes FF must be an MS shill. Have they tried all the alternatives and made an informed choice? Or have they just jumped on a bandwagon?
The really strange thing is that most FF fanbois apparently hate MS but run their jesus browser on a MS OS, presumably because they're too dumb to get to grips with an alternative.
I kinda thought all the Firefox criticism came from Opera fanbois!
I guess this explains why numerous Firefox fanbois use Windows - we just want the damn browser to work, pretty much out of the box, with minimal time overheads and as little administration as is possible...
get an automatic down vote from me. Reviewing the down tallies at the time of this post, the one with the most down votes at 22, contained the provably false statement: "Mozilla made millions distributing a crappy insecure browser,..." followed closely by the post with the equally provable statement "Mozilla is free to use but its not open source."
is to laugh at the fucktards that post! You have to piss yourself laughing at people claiming to be programmers and vilifying languages, platforms, etc. going on about things like overflows when they can't even spell simple words like "failure".
I mean, come on people! These flaws and vulnerabilities are often caused by circumventing the design process. Proper testing, validation and verification should mitigate most problems with software. However, there will never be the perfect piece of software. Apple fanboi's and Linux guru's - stay down!
I'm not Bill's love child, nevertheless, I do use Windows for certain things like most do. I also use Linux for a lot of things too. In the past I've used AiX and OS/400 where appropriate. This is the entire point. Platforms and languages suited to the task at hand. Testing and verification also suited to the task at hand. I mean there's no point in running Tetris on a super secure OpenBSD box is there?!?!
I don't use Windows myself - I'm a Mac user - that's my choice and if someone else goes the other way, then that's their choice.
I do feel that Duncan's phrase "However, there will never be the perfect piece of software." should be tattooed on the genitals of most of the "one or t'other exclusively" zealots, just to concentrate their minds on pragmatic reality.
Proper testing etc. will as Duncan says, mitigate most problems with software.
That's MOST problems. It's not ALL problems.
No one person, or team will ever have the experience, imagination and time to test modern software for absolutely every contingency - unless we want software's gestation period to go out to several decades. Way back in the '80's, when I installed mini's & micro's for Burroughs Machines, I was often asked to "make this system idiot-proof". I rapidly gained a healthy respect for just how ingenious and inventive idiots could be - and I don't suppose I ever quite achieved the Holy Grail.
Just think how much mor involved & complex things are 25 years later!
A pox & a plague on all the blackhat villains and associated ungodly who give us these problems. May all their capacitors bulge, their r/w heads crash and their RAM sockets fail!
that the source code is supplied to suitably qualified customers. If Microsoft released all the Windows source code to be read by any customer spending more than $1,000,000, they'd be open source. But the product would not be any better than it is now. You couldn't do anything to improve it. Well... they might accept comments about some spelling mistakes.
You can, however, improve Firefox. But you can't call your version anything that makes it sound like you're directly involved with the Firefox people.
I don't know how many people are currently rolling-their-own from the source code. It can be an interesting hobby.
Your example of Open Source is about as good as saying Windows 7 is free - provided you buy a two hundred euro box to take it home in.
Or were you not aware that "open source" as a phrase has a number of little conditions above and beyond the literal interpretation of those two words?
Try reading http://www.opensource.org/docs/definition.php
"Open source" only means that the source code is supplied to suitably qualified customers.
No it doesn't! Microsoft *does* allow Windows source (at least that source for 2000 that was already leaked) to be read by their few largest customers. It's not open source. Open source includes the right to examine the code, right to modify the code, and right to distribute the code. There have been a few products that have an open source license, that the company will only give the source to their own paying customers -- and that is their right. But, as the products were open source, these customers were free to give that source to ANYONE else they wanted. There've been a few other instances where these companies dual-license (so you could buy the software open-source, or buy it, probably less expensively, under a more restrictive license. This is also their right.) Microsoft was trying to pretend their "shared source" crap was open source for a while, it is not.
@grumpy "Lack of responsible disclosure procedures should be equated with blackhattery and prosecuted. What an asshat."
Mozilla foundations been good about it, but I've seen enough groups just sit on security flaws that I think I'd take the discoverers approach too. Note he hasn't released exploit code, he's not selling or giving it to blackhats. I think "responsible disclosure" is a crock -- if a company has it together they get a patch out within days, if they pull a Microsoft they are stupid and wait until "patch Tuesday".
The Russian Business Network is just that - in it for the money - and they're probably smart enough to invest a bit now and then in new technology. They might even get a rebate from Legorov and perhaps even a hint or two on what's really going on inside the tool, being as he's of the Russian persuasion too and probably quite fond of his kids.
I've been surfing the net mostly booted from a live CD. In my case using OpenSolaris. Seems like that might be a fairly safe option for people, like me, who just browse some sites and read articles they are interested in. It may be a bit limiting but it's all I need most of the time.
Ubuntu would seem to have a convenient feature for this sort of thing: the Guest Session. The idea is that each session starts with a clean slate (the home directory of user guest is restored to a default state). [This can be activated from the upper right corner menu of the default gnome setup.]
I know it's not easily used by the billions of web users out there but Sandboxie has proved to be a wonderful program for me. It can easily be used to sandbox a browser, including firefox, and as far as I humbly know, prevents the siege of nasties. Is this an exploit that circumvents my primary guardian, NoScript? Or is this a dodgy enterprise intending to pimp half-baked exploits?
"If the OS sandboxed programs in a reasonable way, i.e., by not allowing them to install/run other programs, or to modify themselves, or to read/write files that aren't their own, then all of these security problems would vanish immediately."
Even though I agree that OS-based sandboxing is a very good idea it does not fix all kinds of problems. SE Linux and AppArmor are indeed a good idea. So is the sandbox of the new IE.
Yet... it is not a panacea.
Imagine first visiting www.evil.com and then www.barclays.com. Evil.com will install nastyware into your running browser instance and from that point on transmit your banking details to www.evil.com. The OS sandbox cannot do anything against that threat.
The nastyware migh even be able to install itself persistently by means of a buffer overflow in something like the browser's caching, cookie or bookmarking system.
Maybe a well-designed sandbox especially for browsers could work around this (by setting up sandboxes for each www server), but the general problem persists, that a sandbox can only contain, but not avoid risks.
Imagine the malware completely re-rendering the browser window - displaying "I am www.rbs.com, please enter banking credentials now". This certainly requires the cooperation of the user, but we know that inexperienced people often fall to this kind of tricks.
So, OS sandboxes are indispensible in a defense-in-depth strategy, but a safe programming language is absolutely useful as a second layer of defense. Not allowing a buffer overflow in the first place is definitely better than just containing malware.
Forts have deep ditches, high and thick walls, special geometry and big guns. Just relying on high walls is not sufficient.
And no, checking array bounds and using smart pointers is not really a significant performance-penalty, while GC languages like Java and .Net are indeed performance hogs.
Pascal/Delphi demonstrated that to a large degree. It is a sign of widespread unprofessionalism that well-trained software engineers still use C/C++, while knowing about these issues very well.
Despite the fact that one can stil screw up with a safe language, it definitely would be good practice to use them, because low-level issues like buffer overflows are responsible for more than 50% of all security issues.
"Would it be safe to assume that you would need to visit a website that contained malicious code for this to be effective?"
My lord, I am afraid it would probably be effective for whatever malicious piece of html you viewed with firefox. I suggest you do not visit any websites except theregister.co.uk and that you do not view any html Email, except those of Colonel Waitlove, Countess Mildmanner and Baroness Mudslinger.
open source means whatever the person damn well wants it to mean. some people mean it's got an OSI-appoved license, some people have wider or narrower or totally different criteria
the MS-PL (OSI approved) has no stipulations on the availability of source code, for example (and is more about protection from patent comeback and preserving attribution) and is only an open source license by the OSI definition if it's attached to source code
In general, malicious code can be planted on many innocent web sites - unless their own security is state-of-the-art. For instance, even some browsers' handling of picture files such as JPEG has been a route of attack in older versions. So a web site that lets people upload JPEGs could unintentionally distribute malicious code to other visitors. And then too there's actual hacking of innocent sites to make them dangerous. And interference with the domain name service, to make malicious servers be the ones that your own computer communicates with instead of genuine safe sites.
But are we still waiting to hear whether this particular story is true or false?
Biting the hand that feeds IT © 1998–2021