IT PRO: Blogs: Davey Winder: Firefox

Home

Davey Winder's Blog

In need of an urgent Firefox fix

Posted in Blog, Firefox, Security on March 26, 2009 at 7:59 pm

With the publication of drive by download attack code this week which impacts Firefox security on all platforms by exploiting an unpatched and critical flaw in the browser, and the successful hacking of the Firefox client (as well as IE8 and Safari) at the CanSecWest PWN2OWN competition, you might be getting a little concerned that the ‘more secure than Internet Explorer’ choice isn’t, perhaps, so secure after all.

It’s somewhat annoying that the exploit code was published yesterday, before Mozilla had actually released a patch, so giving the bad guys time to modify it and attempt to get malicious software onto end user machines as a result. However, the underlying vulnerability known officially as Bug 485217 - or if you are a real glutton for punishment the ‘Exploitable crash in xMozillaXSLTProcessor::TransformToDoc’ bug - which according to Bugzilla allows “Exploit code at the link iframes a little xml file with an xslt transform that causes a crash reliably on 3.0 branch and trunk” is to be fixed with the release of Firefox 3.0.8

Luckily there is not long to wait for the update, it is due to roll out at the start of next week thanks to it now being flagged as a high priority security update.

Unluckily, there is no word yet of a fix for the PWN2OWN vulnerability, and anyway a week is a hell of a long time in the world of the malware hacker.

Maybe Google Chrome is a more secure browser bet after all?

Rated: 65% (4 votes)

Loading ...

Google Chrome stands alone at PWN2OWN

By Davey Winder in Editorial

Posted in Security, Firefox, Google, Internet, Microsoft, Apple on March 22, 2009 at 3:59 pm

Permalink | Author Profile

Which web browser client is least at risk from hackers? If the PWN2OWN hacking competition is any measure of client security, then the clear winner was Google Chrome.

Of course, not everything is always as straightforward as it seems. And that is certainly the case when it comes to the annual PWN2OWN hacking championships that are run during the CanSecWest security conference. Standard PCs and Macs running default OS installations are used, loaded up with fully patched and current versions of the target software and no additional plug-ins to help the hackers. The rules seems pretty simple: hack the app as quickly as possible, with code execution as a requirement.

First of the web browsers to fall was Apple Safari running on a MacBook which lasted between 5 and 10 seconds in total. Charlie Miller managed to ‘own’ it by exploiting a previously unknown vulnerability and then simply clicking on a malicious URL. He proved to the judges that as a result of the remote code execution he had full control over the Mac.

Next was, perhaps a little surprisingly, Internet Explorer 8. A German chap known only as Nils managed to exploit a new vulnerability in IE8, running on a recent build of Windows 7. Someone who was no doubt surprised would be the main Internet Explorer 8 man at Microsoft, Dean Hachamovitch, who gave his keynote at the Las Vegas Mix 09 conference to launch the public release of IE8 just a few hours later proclaiming that the browser had been engineered to withstand evolving attack methods used by hackers. Oh dear. Nils, mean while, went back to the keyboard and then managed to successfully hack the Firefox browser client as well.

Two bits of good news did emerge from all this though. Firstly that these new vulnerabilities will not remain exploitable for long, indeed Microsoft are said to have already fixed the IE8 one and the patch is likely to roll out real soon now. This courtesy of the competition sponsors, TippingPoint, who pay the winning hackers a cash prize which also buys them the rights to the vulnerability details and exploit code which are immediately passed over to the vendors concerned.

Secondly, the competition did seem to prove one thing: if you want the most secure of the mainstream web browser clients then Google Chrome would appear to be the way to go. During the course of the competition, it remained unhackable it would seem. Safari hacking supremo Charlie Miller did manage to find a vulnerability, but unlike previous vulnerabilities Miller reports that he was unable to exploit this one thanks to the sandboxing and security features of Chrome.

Rated: 100% (5 votes)

Loading ...

Firefox 3, Beta 4, Enhancements 900, Tested 5

By Davey Winder in Editorial

Posted in Blog, Firefox on March 12, 2008 at 12:13 am

Permalink | Author Profile

I’m a sucker for risking it all and installing beta software, especially when its my favourite browser client Firefox. OK, so I don’t install this stuff on a business critical machine, it goes on the test lappy instead. Which is exactly where Firefox 3, Beta 4 has been for the last 24 hours or so. Now I cannot claim hand on heart to have experienced all 900 claimed enhancements that this release brings, but I thought I might share my views on the few that I have noticed.

First and foremost there’s the memory issue, you know that one whereby Firefox has traditionally had something of a problem with letting go. This presents itself in a not so wonderful propensity to keep using more and more memory the more you use it, and not give it back when you close windows etc. Memory bloat is a terrible thing, especially on a Vista driven laptop which has enough trouble keeping up as it is. Which is why I was pleasantly surprised to see that the Mozilla developers have kept to their word and done something about it. Claiming to have plugged hundreds of memory leaks, the team have certainly done something as it does not slow down as quickly as it used to and memory fragmentation seems noticeably reduced.

But it was the security stuff that I most naturally and most quickly gravitated towards,

Rated: 100% (3 votes)

Loading ...

Are you a thieving Firefox user?

By Davey Winder in Editorial

Posted in Firefox on August 20, 2007 at 5:01 pm

Permalink | Author Profile

I am not going to suggest that advertising revenue is not important in the overall web business model scheme of things, for a huge swathe of such enterprises it is vital. But suggesting that using ad-blocking technology within your web browser client is tantamount to theft is just daft. Not as daft as blocking anyone who uses the Firefox client because it comes with some rather effective ad-blocking technology built in, mind you, but daft nonetheless. The fact that one site has done both is shockingly stupid.

Take a look at whyfirefoxisblocked.com and you’ll see what I mean. Sure, it could all be some kind of elaborate hoax. Reverse psychology marketing perhaps, suggesting that Firefox users are the scum of the earth and detailing a (very primitive) way of blocking access to them, all to stir up media attention and get some free advertising (no pun intended) for the Mozilla browser.

Somehow, I doubt it though. I am inclined to lean more towards it being a genuinely ridiculous campaign by the hard of thinking. And here is why…

“Software that blocks all advertisement is an infringement of the rights of web site owners and developers” claims the site, continuing “accessing the content while blocking the ads, therefore would be no less than stealing.” OK, they have a point so far, and the ethical approach would be not to visit a site and make use of that content if you are unwilling to take the advert rendering alongside. Indeed, this is pretty much what I practice. If a site provides quality content, gives me access to a resource that is valuable, then I will happily put up with some unobtrusive advertising. IT Pro falls nicely into this category as far as I am concerned. I disable ad-blocking on a site-by-site basis where I believe the content deserves it. However, where a site is geared towards feeding me adverts, filling their coffers in the process but without any worthwhile content or user experience alongside then the adverts are blocked. That is called freedom of choice, and unless there is a specific legal requirement which stipulates I must not block ads in order to access the site, I don’t think I am doing anything wrong.

Then again, I don’t think that site owners who try and prevent access by people using blocking software is wrong either. Na

Not yet rated

Loading ...

Tag cloud

football remote working network copyright VeriSign EU Jobs linkedin App graphics Backlash Intel meme Ballmer universe hypervisor dumb Business social networking theft printing smartphone migration wifi Addiction Software Lotus Linux law Internet Explorer Army snooping Employment science Mobile Phone HPC millions Pirate Study IDC size news Palm Pre Windows Phone 7 Series Health stupid virus hardware acquisition Mafia technology standards prison Digital Footprint data web 2.0 web Beta patent data protection Hack Kill Switch MSN Top 10 Press RAM staffing iPhone Review Media Adobe transactional security world of warcraft Firefox Research mobile Android Sony Big Brother betting symantec iPhone 3GS iPad Gadget economy USA earth hour Web Development workplace App Store economics Battery Blog hacking documentation Experiment Psychic Networks Military students FBI Google Windows 7 Video Netbook Patents Eee PC work Harry Potter crime YouTube Education mail support Amazon Vista Top 500 scareware SSL politics Internet service Steve Ballmer christmas Porn hubdub help ISPA debian terrorism outsourcing Project Texting cloud Paris Hilton VPN IBM Supercomputer global PS3 monetisation sick Death storage NBC teleworking Guardian President Browser eBook adware Data Centre statistics e Microsoft ASUS Enterprise GSM Programming Silverlight computing GMail gadgets security virtual machine email Yahoo policy DNS gaming Europe e-commerce NASA survey productivity lawsuit SMS man-in-the-middle hacker OCR IP Psion remote family virtual world Energy Parenting Google Earth Cisco MessageLabs Flash rootkits Microchip report development ISP McKinnon disclosure Notebooks Texas Instruments Architecture exploit worm xmas InfoSec Music ecommerce Election credit card fraud Analysis credit crunch green Scotland Facebook computers Gartner Meh banking fraud second life desktop botnet recession Russia chips Kaspersky MiniBook Nintendo patch management Kin Browsers archiving AMD Eee iPhone 3G ID Theft books iPod Geeks biometrics Government Gateway XP services worker console RATM office payments Steve Jobs Opinion search holidays Deal Dell information Acer money Recall Windows Apple tech CAPTCHA OS digitise Tesco IT Olympics Trojan computer tax Jesus Phone Space BSI museum shopping parental control broadband VM Michael Jackson surveys Developers Johnny Depp Digg open source memory Performance computing Rumour spam home Funny Children code Advertising encryption Madness Game scam payment server nightmare virtualisation Nexus Spotify privacy Conference The Federation China Zango Kindle Marketing environment Banned management Sex innovation fool spending compromise School games Blogging hoax MSNBC library HP Rant Retail Voice Noro avatar Twitter black hat malware carbon copy fun Mobile Phones poll Application stupidity Bill Gates Finjan BOFH Palm fake banks Obama Apps phishing Licensing scan Trousers trust campaign Mars ROFL admin