IT PRO: Blogs: Davey Winder: Firefox

Home

Davey Winder's Blog

In need of an urgent Firefox fix

Posted in Blog, Firefox, Security on March 26, 2009 at 7:59 pm

With the publication of drive by download attack code this week which impacts Firefox security on all platforms by exploiting an unpatched and critical flaw in the browser, and the successful hacking of the Firefox client (as well as IE8 and Safari) at the CanSecWest PWN2OWN competition, you might be getting a little concerned that the ‘more secure than Internet Explorer’ choice isn’t, perhaps, so secure after all.

It’s somewhat annoying that the exploit code was published yesterday, before Mozilla had actually released a patch, so giving the bad guys time to modify it and attempt to get malicious software onto end user machines as a result. However, the underlying vulnerability known officially as Bug 485217 - or if you are a real glutton for punishment the ‘Exploitable crash in xMozillaXSLTProcessor::TransformToDoc’ bug - which according to Bugzilla allows “Exploit code at the link iframes a little xml file with an xslt transform that causes a crash reliably on 3.0 branch and trunk” is to be fixed with the release of Firefox 3.0.8

Luckily there is not long to wait for the update, it is due to roll out at the start of next week thanks to it now being flagged as a high priority security update.

Unluckily, there is no word yet of a fix for the PWN2OWN vulnerability, and anyway a week is a hell of a long time in the world of the malware hacker.

Maybe Google Chrome is a more secure browser bet after all?

Rated: 65% (4 votes)

Loading ...

Google Chrome stands alone at PWN2OWN

By Davey Winder in Editorial

Posted in Security, Firefox, Google, Internet, Microsoft, Apple on March 22, 2009 at 3:59 pm

Permalink | Author Profile

Which web browser client is least at risk from hackers? If the PWN2OWN hacking competition is any measure of client security, then the clear winner was Google Chrome.

Of course, not everything is always as straightforward as it seems. And that is certainly the case when it comes to the annual PWN2OWN hacking championships that are run during the CanSecWest security conference. Standard PCs and Macs running default OS installations are used, loaded up with fully patched and current versions of the target software and no additional plug-ins to help the hackers. The rules seems pretty simple: hack the app as quickly as possible, with code execution as a requirement.

First of the web browsers to fall was Apple Safari running on a MacBook which lasted between 5 and 10 seconds in total. Charlie Miller managed to ‘own’ it by exploiting a previously unknown vulnerability and then simply clicking on a malicious URL. He proved to the judges that as a result of the remote code execution he had full control over the Mac.

Next was, perhaps a little surprisingly, Internet Explorer 8. A German chap known only as Nils managed to exploit a new vulnerability in IE8, running on a recent build of Windows 7. Someone who was no doubt surprised would be the main Internet Explorer 8 man at Microsoft, Dean Hachamovitch, who gave his keynote at the Las Vegas Mix 09 conference to launch the public release of IE8 just a few hours later proclaiming that the browser had been engineered to withstand evolving attack methods used by hackers. Oh dear. Nils, mean while, went back to the keyboard and then managed to successfully hack the Firefox browser client as well.

Two bits of good news did emerge from all this though. Firstly that these new vulnerabilities will not remain exploitable for long, indeed Microsoft are said to have already fixed the IE8 one and the patch is likely to roll out real soon now. This courtesy of the competition sponsors, TippingPoint, who pay the winning hackers a cash prize which also buys them the rights to the vulnerability details and exploit code which are immediately passed over to the vendors concerned.

Secondly, the competition did seem to prove one thing: if you want the most secure of the mainstream web browser clients then Google Chrome would appear to be the way to go. During the course of the competition, it remained unhackable it would seem. Safari hacking supremo Charlie Miller did manage to find a vulnerability, but unlike previous vulnerabilities Miller reports that he was unable to exploit this one thanks to the sandboxing and security features of Chrome.

Rated: 100% (5 votes)

Loading ...

Firefox 3, Beta 4, Enhancements 900, Tested 5

By Davey Winder in Editorial

Posted in Blog, Firefox on March 12, 2008 at 12:13 am

Permalink | Author Profile

I’m a sucker for risking it all and installing beta software, especially when its my favourite browser client Firefox. OK, so I don’t install this stuff on a business critical machine, it goes on the test lappy instead. Which is exactly where Firefox 3, Beta 4 has been for the last 24 hours or so. Now I cannot claim hand on heart to have experienced all 900 claimed enhancements that this release brings, but I thought I might share my views on the few that I have noticed.

First and foremost there’s the memory issue, you know that one whereby Firefox has traditionally had something of a problem with letting go. This presents itself in a not so wonderful propensity to keep using more and more memory the more you use it, and not give it back when you close windows etc. Memory bloat is a terrible thing, especially on a Vista driven laptop which has enough trouble keeping up as it is. Which is why I was pleasantly surprised to see that the Mozilla developers have kept to their word and done something about it. Claiming to have plugged hundreds of memory leaks, the team have certainly done something as it does not slow down as quickly as it used to and memory fragmentation seems noticeably reduced.

But it was the security stuff that I most naturally and most quickly gravitated towards,

Rated: 100% (3 votes)

Loading ...

Are you a thieving Firefox user?

By Davey Winder in Editorial

Posted in Firefox on August 20, 2007 at 5:01 pm

Permalink | Author Profile

I am not going to suggest that advertising revenue is not important in the overall web business model scheme of things, for a huge swathe of such enterprises it is vital. But suggesting that using ad-blocking technology within your web browser client is tantamount to theft is just daft. Not as daft as blocking anyone who uses the Firefox client because it comes with some rather effective ad-blocking technology built in, mind you, but daft nonetheless. The fact that one site has done both is shockingly stupid.

Take a look at whyfirefoxisblocked.com and you’ll see what I mean. Sure, it could all be some kind of elaborate hoax. Reverse psychology marketing perhaps, suggesting that Firefox users are the scum of the earth and detailing a (very primitive) way of blocking access to them, all to stir up media attention and get some free advertising (no pun intended) for the Mozilla browser.

Somehow, I doubt it though. I am inclined to lean more towards it being a genuinely ridiculous campaign by the hard of thinking. And here is why…

“Software that blocks all advertisement is an infringement of the rights of web site owners and developers” claims the site, continuing “accessing the content while blocking the ads, therefore would be no less than stealing.” OK, they have a point so far, and the ethical approach would be not to visit a site and make use of that content if you are unwilling to take the advert rendering alongside. Indeed, this is pretty much what I practice. If a site provides quality content, gives me access to a resource that is valuable, then I will happily put up with some unobtrusive advertising. IT Pro falls nicely into this category as far as I am concerned. I disable ad-blocking on a site-by-site basis where I believe the content deserves it. However, where a site is geared towards feeding me adverts, filling their coffers in the process but without any worthwhile content or user experience alongside then the adverts are blocked. That is called freedom of choice, and unless there is a specific legal requirement which stipulates I must not block ads in order to access the site, I don’t think I am doing anything wrong.

Then again, I don’t think that site owners who try and prevent access by people using blocking software is wrong either. Na

Not yet rated

Loading ...

Tag cloud

mobile copyright Microsoft tax service Eee innovation productivity family virus SMS hubdub holidays digitise Meh Sony patch management botnet NASA Steve Ballmer Business Licensing email Silverlight Application virtualisation Kin virtual machine fake Military Performance computing cloud scam Trousers data Top 500 admin Rumour data protection Gateway code Retail Steve Jobs Geeks Mars students Browsers avatar NBC statistics hoax Palm Pre Battery Windows Phone 7 Series snooping Netbook IP disclosure Nintendo China news Yahoo HPC fun storage Kaspersky Texas Instruments Employment Analysis Army eBook Review scan symantec Blog The Federation Psion iPod e CAPTCHA museum XP FBI Education exploit IT credit crunch Internet acquisition Windows 7 ROFL law App Enterprise spending mail Adobe dumb Guardian biometrics OS Nexus Texting Flash Data Centre Project hacker Acer banking malware Kill Switch broadband RAM ID Theft management help School Addiction parental control Apps Space web books iPhone politics Conference virtual world Mafia Scotland compromise Harry Potter Press Big Brother graphics PS3 Microchip Funny Sex terrorism Programming Obama information Mobile Phone Game policy standards encryption Jesus Phone fool Parenting GSM gadgets theft tech Europe home Olympics worm remote christmas MiniBook documentation BSI Research printing xmas banks YouTube Facebook prison campaign MessageLabs Beta universe worker betting Supercomputer search wifi surveys support nightmare fraud second life Browser crime Vista Lotus Media technology work payments earth hour computer remote working iPhone 3GS HP USA App Store President Porn VPN shopping OCR economy Video Tesco web 2.0 open source MSN Google EU games Rant Zango Android patent stupid Patents trust Madness millions IDC football lawsuit Windows hardware Mobile Phones Deal archiving linkedin ISPA VeriSign computing Hack size security Election development Jobs man-in-the-middle hypervisor console Software Architecture office black hat carbon copy Study AMD Government Michael Jackson RATM chips Advertising Johnny Depp DNS phishing McKinnon Digg Twitter Google Earth Top 10 Noro SSL ecommerce GMail Psychic Death ASUS stupidity VM teleworking science Bill Gates memory Music scareware Marketing spam report privacy Trojan sick Linux Intel recession credit card fraud economics Finjan outsourcing Paris Hilton iPad ISP Palm desktop payment server Internet Explorer network monetisation iPhone 3G Networks Digital Footprint transactional security Ballmer Voice BOFH Opinion Backlash IBM InfoSec Eee PC social networking migration Children Web Development Amazon meme Developers e-commerce Cisco poll library Gadget staffing Spotify Pirate Blogging Notebooks gaming adware Russia Recall world of warcraft Experiment workplace debian environment computers rootkits Apple money Banned services Health Firefox Gartner Kindle global hacking green survey smartphone Energy MSNBC Dell