IT PRO: Blogs: Davey Winder: Firefox

Home

Davey Winder's Blog

In need of an urgent Firefox fix

Posted in Blog, Firefox, Security on March 26, 2009 at 7:59 pm

With the publication of drive by download attack code this week which impacts Firefox security on all platforms by exploiting an unpatched and critical flaw in the browser, and the successful hacking of the Firefox client (as well as IE8 and Safari) at the CanSecWest PWN2OWN competition, you might be getting a little concerned that the ‘more secure than Internet Explorer’ choice isn’t, perhaps, so secure after all.

It’s somewhat annoying that the exploit code was published yesterday, before Mozilla had actually released a patch, so giving the bad guys time to modify it and attempt to get malicious software onto end user machines as a result. However, the underlying vulnerability known officially as Bug 485217 - or if you are a real glutton for punishment the ‘Exploitable crash in xMozillaXSLTProcessor::TransformToDoc’ bug - which according to Bugzilla allows “Exploit code at the link iframes a little xml file with an xslt transform that causes a crash reliably on 3.0 branch and trunk” is to be fixed with the release of Firefox 3.0.8

Luckily there is not long to wait for the update, it is due to roll out at the start of next week thanks to it now being flagged as a high priority security update.

Unluckily, there is no word yet of a fix for the PWN2OWN vulnerability, and anyway a week is a hell of a long time in the world of the malware hacker.

Maybe Google Chrome is a more secure browser bet after all?

Rated: 65% (4 votes)

Loading ...

Google Chrome stands alone at PWN2OWN

By Davey Winder in Editorial

Posted in Security, Firefox, Google, Internet, Microsoft, Apple on March 22, 2009 at 3:59 pm

Permalink | Author Profile

Which web browser client is least at risk from hackers? If the PWN2OWN hacking competition is any measure of client security, then the clear winner was Google Chrome.

Of course, not everything is always as straightforward as it seems. And that is certainly the case when it comes to the annual PWN2OWN hacking championships that are run during the CanSecWest security conference. Standard PCs and Macs running default OS installations are used, loaded up with fully patched and current versions of the target software and no additional plug-ins to help the hackers. The rules seems pretty simple: hack the app as quickly as possible, with code execution as a requirement.

First of the web browsers to fall was Apple Safari running on a MacBook which lasted between 5 and 10 seconds in total. Charlie Miller managed to ‘own’ it by exploiting a previously unknown vulnerability and then simply clicking on a malicious URL. He proved to the judges that as a result of the remote code execution he had full control over the Mac.

Next was, perhaps a little surprisingly, Internet Explorer 8. A German chap known only as Nils managed to exploit a new vulnerability in IE8, running on a recent build of Windows 7. Someone who was no doubt surprised would be the main Internet Explorer 8 man at Microsoft, Dean Hachamovitch, who gave his keynote at the Las Vegas Mix 09 conference to launch the public release of IE8 just a few hours later proclaiming that the browser had been engineered to withstand evolving attack methods used by hackers. Oh dear. Nils, mean while, went back to the keyboard and then managed to successfully hack the Firefox browser client as well.

Two bits of good news did emerge from all this though. Firstly that these new vulnerabilities will not remain exploitable for long, indeed Microsoft are said to have already fixed the IE8 one and the patch is likely to roll out real soon now. This courtesy of the competition sponsors, TippingPoint, who pay the winning hackers a cash prize which also buys them the rights to the vulnerability details and exploit code which are immediately passed over to the vendors concerned.

Secondly, the competition did seem to prove one thing: if you want the most secure of the mainstream web browser clients then Google Chrome would appear to be the way to go. During the course of the competition, it remained unhackable it would seem. Safari hacking supremo Charlie Miller did manage to find a vulnerability, but unlike previous vulnerabilities Miller reports that he was unable to exploit this one thanks to the sandboxing and security features of Chrome.

Rated: 100% (5 votes)

Loading ...

Firefox 3, Beta 4, Enhancements 900, Tested 5

By Davey Winder in Editorial

Posted in Blog, Firefox on March 12, 2008 at 12:13 am

Permalink | Author Profile

I’m a sucker for risking it all and installing beta software, especially when its my favourite browser client Firefox. OK, so I don’t install this stuff on a business critical machine, it goes on the test lappy instead. Which is exactly where Firefox 3, Beta 4 has been for the last 24 hours or so. Now I cannot claim hand on heart to have experienced all 900 claimed enhancements that this release brings, but I thought I might share my views on the few that I have noticed.

First and foremost there’s the memory issue, you know that one whereby Firefox has traditionally had something of a problem with letting go. This presents itself in a not so wonderful propensity to keep using more and more memory the more you use it, and not give it back when you close windows etc. Memory bloat is a terrible thing, especially on a Vista driven laptop which has enough trouble keeping up as it is. Which is why I was pleasantly surprised to see that the Mozilla developers have kept to their word and done something about it. Claiming to have plugged hundreds of memory leaks, the team have certainly done something as it does not slow down as quickly as it used to and memory fragmentation seems noticeably reduced.

But it was the security stuff that I most naturally and most quickly gravitated towards,

Rated: 100% (3 votes)

Loading ...

Are you a thieving Firefox user?

By Davey Winder in Editorial

Posted in Firefox on August 20, 2007 at 5:01 pm

Permalink | Author Profile

I am not going to suggest that advertising revenue is not important in the overall web business model scheme of things, for a huge swathe of such enterprises it is vital. But suggesting that using ad-blocking technology within your web browser client is tantamount to theft is just daft. Not as daft as blocking anyone who uses the Firefox client because it comes with some rather effective ad-blocking technology built in, mind you, but daft nonetheless. The fact that one site has done both is shockingly stupid.

Take a look at whyfirefoxisblocked.com and you’ll see what I mean. Sure, it could all be some kind of elaborate hoax. Reverse psychology marketing perhaps, suggesting that Firefox users are the scum of the earth and detailing a (very primitive) way of blocking access to them, all to stir up media attention and get some free advertising (no pun intended) for the Mozilla browser.

Somehow, I doubt it though. I am inclined to lean more towards it being a genuinely ridiculous campaign by the hard of thinking. And here is why…

“Software that blocks all advertisement is an infringement of the rights of web site owners and developers” claims the site, continuing “accessing the content while blocking the ads, therefore would be no less than stealing.” OK, they have a point so far, and the ethical approach would be not to visit a site and make use of that content if you are unwilling to take the advert rendering alongside. Indeed, this is pretty much what I practice. If a site provides quality content, gives me access to a resource that is valuable, then I will happily put up with some unobtrusive advertising. IT Pro falls nicely into this category as far as I am concerned. I disable ad-blocking on a site-by-site basis where I believe the content deserves it. However, where a site is geared towards feeding me adverts, filling their coffers in the process but without any worthwhile content or user experience alongside then the adverts are blocked. That is called freedom of choice, and unless there is a specific legal requirement which stipulates I must not block ads in order to access the site, I don’t think I am doing anything wrong.

Then again, I don’t think that site owners who try and prevent access by people using blocking software is wrong either. Na

Not yet rated

Loading ...

Tag cloud

Apple Space spam Kill Switch trust Windows 7 Conference Texting Rumour computing HPC credit crunch MSN gaming iPhone 3GS hacking Nexus Death recession ISP millions web innovation payments mail virtual machine NBC Software Firefox privacy black hat politics Rant campaign Zango Performance computing AMD botnet App Store console RAM home Microsoft surveys Gadget Windows Phone 7 Series credit card fraud Architecture green digitise Top 10 second life Lotus Supercomputer support prison Linux ISPA VeriSign Recall iPhone memory terrorism Google virus GMail Sex HP Intel Netbook migration broadband ASUS transactional security avatar theft Research Banned Amazon information football Advertising size hoax standards world of warcraft graphics XP Digital Footprint christmas web 2.0 Nintendo FBI iPhone 3G Meh Developers Backlash Geeks Twitter computers Google Earth Opinion social networking exploit Blogging Scotland hardware ID Theft Finjan compromise Application Government Ballmer NASA rootkits Porn meme Internet printing Media biometrics Harry Potter debian news tech law Employment library Business shopping President global service crime worm scareware IBM carbon copy scam students Windows data protection Yahoo lawsuit The Federation Sony Microchip help YouTube Notebooks code Funny Silverlight nightmare Networks Education Study China virtual world Music RATM acquisition banks Health Browser remote working security museum Europe encryption Texas Instruments Children policy OCR Licensing linkedin Kin Bill Gates environment statistics economy Mars Enterprise Kaspersky Browsers poll Data Centre scan monetisation Video desktop universe wifi fool games Top 500 Michael Jackson dumb Review economics MessageLabs remote work Voice Vista MiniBook Noro email Eee EU Analysis BSI science VPN books search Experiment Palm Olympics patent MSNBC man-in-the-middle parental control Eee PC Psychic Hack Kindle Addiction eBook Trousers Obama Guardian GSM ecommerce virtualisation betting Steve Ballmer data IDC e earth hour Game malware USA Acer payment server documentation services outsourcing Paris Hilton gadgets IT report McKinnon snooping cloud Retail office Dell sick Mafia mobile Project hubdub CAPTCHA Battery network xmas computer worker Cisco Beta storage App Psion Adobe Deal BOFH hypervisor Russia development Marketing IP Blog Spotify Parenting DNS smartphone Jesus Phone Gateway spending hacker tax Madness Internet Explorer Programming Flash copyright PS3 money Election Gartner adware fake Jobs fun Big Brother VM admin Military Steve Jobs fraud iPad Palm Pre Press productivity School iPod Android survey chips technology stupidity staffing Mobile Phones archiving family workplace holidays Digg banking Apps Mobile Phone e-commerce Tesco Johnny Depp stupid Web Development management SSL Facebook open source Trojan Army SMS OS InfoSec Patents symantec teleworking ROFL Energy disclosure phishing Pirate patch management