Firefox has security problem

Love the sensationalist reporting:

Firefox seems to be heading Internet Explorer's way with security research company Secunia stating on its website that two vulnerabilities found in the popular browser can be exploited to conduct cross-site scripting attacks and compromise a user's system....
 
Actually this was to be expected. The only reason less popular browsers have less security holes is that hackers spend less time searching for them. As they become more popular though...
 
El Greco said:
The only reason less popular browsers have less security holes is that hackers spend less time searching for them. As they become more popular though...

Very true.
 
Re: Re: Firefox has security problem

geni said:
Users are warned to disable JavaScript full stop.

And you are most safe, if you shut down your computer altogether.

Damned if you do, damned if you don't.
 
Darat said:
Perhaps the originator of the claim may be able to provide more information i.e. El Greco?

I don't know what information I should provide. Browsers and every other program are evolving continuously. It's not like we can count each browser's bugs and make comparisons, because we don't even know them. But I've been into low level programming and reverse engineering in the past and I can say that programs are so complex that exploiting a weakness is just a matter of persistence. Microsoft apparently spend a lot of time and money in securing IE and Outlook Express; I think this is more than evident. But hackers and virus coders who want to become "famous" are always finding new ways to exploit new and old holes. And as software evolution forces programmers to keep adding all the time new and often not adequately tested code, finding a hole becomes a question of how hard you search for it. The more popular a browser is the more malicious site owners will be trying to install their spyware via that browser. Securing a product will never be good enough. Personally I see it like a goalkeeper trying to defend his goalpost from a penalty shot. You never know where and how the attacker will strike, you can only guess. The goalposts keep moving further away from each other with every new release and you keep trying to bring them closer again but you are never efficient enough.
 
CFLarsen said:
Wudang,

That's a lot of text. Can you summarize, please?

Well firstly, the claim that more security flaws are found in IE rather than Firefox is (to some significant degree) attributable to the former being more common, while perhaps intuitively appealing, is still an assertion that requires some evidence.

Briefly though the article referenced makes some points about this, of which I think the following extract is a good sample
This reasoning backfires when one considers that Apache is by far the most popular web server software on the Internet. According to the September 2004 Netcraft web site survey, [1] 68% of web sites run the Apache web server. Only 21% of web sites run Microsoft IIS. If security problems boil down to the simple fact that malicious hackers target the largest installed base, it follows that we should see more worms, viruses, and other malware targeting Apache and the underlying operating systems for Apache than for Windows and IIS. Furthermore, we should see more successful attacks against Apache than against IIS, since the implication of the myth is that the problem is one of numbers, not vulnerabilities.

Yet this is precisely the opposite of what we find, historically. IIS has long been the primary target for worms and other attacks, and these attacks have been largely successful.
 
If security problems boil down to the simple fact that malicious hackers target the largest installed base, it follows that we should see more worms, viruses, and other malware targeting Apache and the underlying operating systems for Apache than for Windows and IIS. Furthermore, we should see more successful attacks against Apache than against IIS, since the implication of the myth is that the problem is one of numbers, not vulnerabilities.

IMO the above excerpt fails to address 1) how popular a 'target' Microsoft is (because of several reasons that are not relevant here) and 2) that most malware target user-side applications and not the much better protected server-side ones.

Besides, while I just skimmed through the linked article, I couldn't find whence they draw the conclusion that "IIS has long been the primary target for worms and other attacks, and these attacks have been largely successful". Is there any evidence that IIS has attracted more attacks than Apache?
 
Re: Re: Re: Firefox has security problem

CFLarsen said:
Damned if you do, damned if you don't.

On the contrary, by disabling JavaScript and associated "enhancements" you make the www a much more enjoyable place for yourself. Avoiding 95% [*] of security vulnerabilities is just a nice bonus.

[*] This figure was derived by the Stetson-Harrison statistical analysis method.
 
El Greco said:
IMO the above excerpt fails to address 1) how popular a 'target' Microsoft is (because of several reasons that are not relevant here) and 2) that most malware target user-side applications and not the much better protected server-side ones.

So, are you saying that even if Firefox became the most popular browser, it wouldn't be attacked that much because Microsoft would still be the preferred target?
 
El Greco said:
IMO the above excerpt fails to address 1) how popular a 'target' Microsoft is (because of several reasons that are not relevant here) and 2) that most malware target user-side applications and not the much better protected server-side ones.

Besides, while I just skimmed through the linked article, I couldn't find whence they draw the conclusion that "IIS has long been the primary target for worms and other attacks, and these attacks have been largely successful". Is there any evidence that IIS has attracted more attacks than Apache?

Well, the studies I've read suggest that the bulk of these exploits are developed by people who want to make money from it, not to win popularity contests.
I fail to grasp how the reasons that MS are attacked are not relevant to the discussion.
Yes a lot of malware is browser-based rather than server-based. Which misses the point of the quote as it compares 2 servers.
Correct, they didn't quote a source for the effects of worms etc on IIS versus Apache, just some anecdotes which match my memory of the severity of the problems. But you have vastly failed to read the article at all - they do not claim IIS has attracted more attacks - they claim that more successful attacks have been possible.
Still this is drawing away from your claim - where is your evidence that "The only reason less popular browsers have less security holes is that hackers spend less time searching for them"?
 
Wudang said:
Well firstly, the claim that more security flaws are found in IE rather than Firefox is (to some significant degree) attributable to the former being more common, while perhaps intuitively appealing, is still an assertion that requires some evidence.

The evidence is there: IE has been around for far longer than Firefox, with far more versions. Naturally, there would be more attacks on and flaws in IE. Over time.

Wudang said:
Briefly though the article referenced makes some points about this, of which I think the following extract is a good sample

Only that your quote doesn't talk about browsers, but servers.
 
LW said:
On the contrary, by disabling JavaScript and associated "enhancements" you make the www a much more enjoyable place for yourself. Avoiding 95% [*] of security vulnerabilities is just a nice bonus.

Sure. But, as we know, the most dangerous attacks use very hidden, hitherto unknown holes.
 
LW said:
So, are you saying that even if Firefox became the most popular browser, it wouldn't be attacked that much because Microsoft would still be the preferred target?

I think it is fair to say that at least of the attacks are based on a personal hatred for Bill Gates and Microsoft. I suspect that those are done by amateur hackers, though.
 
Wudang said:
Yes a lot of malware is browser-based rather than server-based. Which misses the point of the quote as it compares 2 servers.

You are missing the point of the subject of the thread.

Wudang said:
Still this is drawing away from your claim - where is your evidence that "The only reason less popular browsers have less security holes is that hackers spend less time searching for them"?

Volume.

Let's say you want to create a profit from conning people into, say, visiting a site, where they can see ads. Most people will never even get to the site, and of those that do, most won't click on the ad.

So, you need as many people as possible to get there. The more people, the higher the chance of someone clicking on it.

Which means you have to exploit what most people use.

It's exactly the same thing as with "Get rich quick" email schemes, and Nigerian Spam Scam: Volume is the key.
 