Shark Bait

Knowledge Centers

Operating Systems

Networking & Internet

Mobile & Wireless

Security

Storage

Business Intelligence

Servers & Data Center

Computerworld Reports

Industry

See your link here

Martin McKeay

Security Matters

Firefox and irresponsible disclosure

10 comments

IT TOPICS:Security, Software

I'm surprised this hasn't gotten more press: a pair of hackers have found 30 stack overflow errors in Firefox's implementation of JavaScript. Stack overflows are harder to exploit than buffer overflow issues, which means the script kiddies will have a harder time exploiting these vulnerabilities. But once the skilled hackers come out with the exploitation code that difficulty won't mean much. This vulnerability means that Firefox is a little less secure than it was before, but I don't believe it has much relevance in the 'Firefox vs. IE' security arguments. I know I'll continue using Firefox.

What disturbs me about this incident is the attitude of the two crackers who discovered the vulnerability. If the CNet article is unbiased, it seems that the crackers took a fair amount of glee in not only showing of the vulnerability in a way that gave other black hats enough information to exploit the vulnerability, they are also making a show out of not working with Firefox to fix the vulnerabilities. I'm not quite willing to take the article at face value, since it makes the crackers sound like two kids giggling over a toy only they have.

I'm disappointed that the pair who discovered the Firefox vulnerability aren't playing well with the Mozilla Foundation. The folks at Firefox have usually shown themselves to be worth cooperating with, and these actions seemed to be aimed only at getting the crackers status in the black hat network. I don't see any way their claim of this being 'really for the greater good of the Internet' can hold water, even in their own internal logic. It seems to be for their own personal aggrandizement, pure and simple.

One thing I know for certain: Spiegelmock and Wbeelsoi have given up any chance of ever calling themselves researchers or security experts. Their actions make them black hats, pure and simple. But maybe that's what they want.

Update: An astute reader, Kenneth, pointed out that a the bloginfosec.com site has an article stating that the claim of thirty vulnerabilities was false and that the Mozilla Developer Center has a letter from one of the presenters saying that he didn't have thirty vulnerabiliities and no way of using the stack overflow for remote control of a vulnerable system. If this was their idea of being funny, they need some work on their delivery.

Email this

Digg this

What People Are Saying

Add new comment

Patrick, I agree with every

Submitted by Derek on October 3, 2006 - 5:21 P.M.

Patrick, I agree with every part but the last paragraph of your entry. There are fundamental differences of design when it comes to Windows vs., well, anything that properly seperates administrator and user priviledges. It is, by design and logic, harder to compromise almost any UNIX-like systhem than Windows.

Report this comment

You do have a very valid

Submitted by Patrick on October 4, 2006 - 9:46 P.M.

You do have a very valid point, Derek. I understand this. But it's also true that there has never been a platform that is hack-proof. But you are correct...it's not the ONLY reason that OS X users may have less to worry about...at least for now.

Report this comment

Regardless of the questions

Submitted by Patrick on October 3, 2006 - 4:26 P.M.

Regardless of the questions of plausibility surrounding this story, there is a very important message to take from this. As Firefox gains popularity, so too will its attractiveness to hackers as a conduit to unsuspecting usersâ€™ systems.

To be sure, part of the lure of IE to hackers has been its embedded nature in the OS, which has indeed opened opportunities for security breaches. But make no mistake about what motivates those who build and exploit these vulnerabilities: market share. If youâ€™re a hacker and want to make a big splash, you go for the platforms and programs that are most widely used. As long as Microsoft sustains its majority, it will be the target of choice.

And it is precisely because of its growing popularity that Firefox is becoming the target of new hacking efforts. This problem is made worse by the fact that there seems to be a religion growing about the supposed â€œvirtueâ€ of non-Microsoft products - in particular, web browsers. Following blog entries about the browser wars, Firefox is usually portrayed as a white knight. For the record, I think it is a wonderful product and use it extensively. But not for a second do I assume that itâ€™s bullet-proof, nor the potential target for malevolent abuse. Indeed, anyone who does make this assumption merely because it is open-sourced and non-Microsoft is making a very dangerous assumption indeed.

Itâ€™s just like the current Mac vs. PC TV ad, which has the Mac guy saying that because he runs OS X he doesnâ€™t need to worry about viruses and spyware. OK, buddy, just keep thinking that way. See where that line of thought eventually takes you. The real reason you donâ€™t have as much to worry about right now is that your platform is still below the radar for most of the hacking community.

Report this comment

You guys sure like to jump

Submitted by Sharrdd on October 3, 2006 - 1:11 P.M.

You guys sure like to jump the gun and print the first thing that comes to mind.

At least it wasn't as bad as Mike Elgan's piece pimping the Zune as Microsoft's "perfect storm."

Report this comment

It's a known hoax,

Submitted by Anonymous on October 3, 2006 - 12:47 P.M.

It's a known hoax, as of yesterday in fact. That Jason Fortuny guy seems to know these folks.

http://rfjason.livejournal.com/417923.html

Report this comment

I think what this does is

Submitted by CJ on October 3, 2006 - 12:29 P.M.

I think what this does is bring to the forefront what we in IT knew for a long time: there are vulnerabiilites that we know about and are working to correct, and there are vulnerabilities that we will never know about until long after the vulnerability has been exploited. There are "hackers" that expose vulnerabilities for the good of the community, and there are "crackers" who find the vulnerabilities and never expose them so that they can use them for their own (nefarious?) purposes.

Bottom line, hopefully this brings to light that there is no software that is truly "secure." Everyone in computer security knows that the most secure system in the world is the one with no users, and the most usable system in the world is the least secure. It is a balancing act between security and usability; you can't have it both ways. Just because Mozilla does things differently than Microsoft doesn't necessarily make it more secure. Mozilla's model depends on the integrity of individuals to actually report the bugs they find, and in that sense, it will never be any more or less secure than Internet Explorer.

Report this comment

I agree with Barb. It was a

Submitted by Tom Bailey on October 3, 2006 - 10:19 A.M.

I agree with Barb. It was a cheap stunt and it was not funny in the least.

I mean if you are going to pull a prank at least be a little creative. This just borders on childish.

Report this comment

Kenneth, Thanks for the

Submitted by Martin McKeay on October 3, 2006 - 9:36 A.M.

Kenneth,

Thanks for the information. I've updated the article with the link you provided.

Martin

Martin McKeay
martin_cw@mckeay.net
http://www.mckeay.net/
Voicemail: 916.231.9479

Report this comment

I read the report and the

Submitted by Barb on October 3, 2006 - 9:27 A.M.

I read the report and the kiddies seem to be crying fire in the middle of the theater when there isn't a fire. What a way to get their three minutes of fame. I hope this is the last piece of publicity anyone will give these two.

Report this comment

Marty, This is factually

Submitted by Kenneth F. Belva on October 3, 2006 - 8:38 A.M.

Marty,

This is factually incorrect. The researcher's claims are false.

Please see: http://www.bloginfosec.com/?p=77

Thanks,
Ken

Report this comment

And things were going along so well, too

Eugene Kaspersky wants no net anonymity

Microsoft: XP is far more vulnerable than Vista, Windows 7

Microsoft Security Essentials: Free is great, but is it effective?

LIVE Nov 10, 2009 12:00 PM ET

Architecting Business Intelligence Applications for Change: The Open Solution

LIVE Nov 12, 2009 02:00 PM ET

The State of PCI DSS Compliance at Organizations Today
Download this resource today!

Managing Secure File Transfer to Save Time, Money and IT Resources
Learn how companies are using innovative technology to overcome these challenges and improve user productivity by offloading e-mail attachments and replacing FTP with...

Can Heuristic Technology Help Your Company Fight Viruses?
What is Heuristic Technology and how can it help safeguard your business against viruses? Learn more.

Security Convergence Equals Network Security Cost Savings
Listen to IBM Internet Security Systems' take on network security convergence.

Why Email Must Operate 24/7 and How to Make This Happen
Learn how to avoid an email outage by implementing a hosted email continuity solution.

Lower the Cost and Complexity of a Mobile Workforce through Automation
Download This Resource Now!

All White Papers | All Webcasts

Computerworld Reports

8 Questions To Ask About Your Intrusion-Security Solution

Computerworld Technology Briefings IT Service Management

Computerworld Briefing - Analytics: The Art and Science of Better

All Computerworld Reports

Receive the latest technology news and information.

	Computerworld Daily News (First Look and Wrap-Up)
	Computerworld Blogs Newsletter
	The Weekly Top 10

View all newsletters

* E-mail Address:

* Industry:

* Job Title:

* Company Size:

* Country:

* State:

I would like to receive offers via e-mail from Computerworld partners.

Martin McKeay's Archive

IT Topics

Sponsored Links

Play NetApp's New Data Defense Game.

How Do You Rank as an Innovation Leader? Download Recent Study.

Play NetApp's New Data Defense Game.

Extraordinary times demand Brocade Extraordinary Networks.

No Payments for Up to 6 Months on Orders over $500.

NetScaler VPX : Harness the Power of Virtualized Web App Delivery

64-page prescriptive guide to security, compliance, and IT operations.

Streamline IT Costs. Boost Performance with WAN Optimization

Enterprise Network & Server Monitoring Software. Cross over to Traverse...

Keep your IT expertise up to date. Join the Intel Premier IT Professionals.

Crystal Reports Server: More options. Not more money.

Parallelism is not just for HPC. Create rich apps from desktop to device. Get the eval.

Tolly Performance Report "Citrix NetScaler with nCore Outperforms F5 BIG-IP"

Save up to 61% plus Free Cheesecake

Find IT jobs in the Healthcare industry on Dice.com

With the NEW KODAK i700 Series Scanners get full speed at 300dpi!

Not All QSAs Are Created Equal: What You Should Know Before You Buy

The arrival of Serial Attached SCSI (SAS) marks a new era in storage scalability

The AMD Virtual Experience Virtual Trade Show

New DW Options and Price Points. View Teradata Platform Family Data Sheet.

See how AT&T can help protect your network.

3 Innovations. 3 Free Downloads. Free trials of Windows 7, Windows Server 2008 R2 and Exchange Server 2010.

Take the Netezza TwinFin TestDrive!

Citrix NetScaler with nCore Outperforms F5 BIG-IP - Learn More

New Analytical Platform Options. Download Data Sheet and More.

Get more enterprise mobility value for up to 25% less.

Unified Communications: Thoughts, Strategies and Predictions. Join the discussion.

NYUs M.S. in Management and Systems. Offered Online and On-site.

Increase UPS efficiency without sacrificing protection

Crystal Reports Server: Single server access to reports & dashboards

Create new opportunities. See business making progress now

ESET NOD32 with ThreatSense(R) - Get your free trial now!

Looking to add Unix/Linux functionality to Windows?

Join the conversation about the hottest IT trends with Computerworld on Twitter.

ITwhitepapers.com - Access thousands of white papers on 300+ technical topics.

Leverage Your Cisco infrastructure for Superior Application Performance

Learn about the AMD Virtual Experience

Introducing: Project Icebreaker

About Us Advertise Contacts Editorial Calendar Help Desk Jobs at IDG Privacy Policy Reprints Site Map

CIO

Computerworld

CSO

DEMO

GamePro

Games.net

IDC

IDG

IDG Connect

IDG Knowledge Hub

IDG TechNetwork

IDG Ventures

IDG.net

InfoWorld

ITwhitepapers

ITworld

JavaWorld

LinuxWorld

Macworld

Network World

PC World

The Industry Standard

Copyright © 1994 - 2009 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of
Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.

Firefox and irresponsible disclosure

What People Are Saying

Patrick, I agree with every

You do have a very valid

Regardless of the questions

You guys sure like to jump

It's a known hoax,

I think what this does is

I agree with Barb. It was a

Kenneth, Thanks for the

I read the report and the

Marty, This is factually

Related Posts

Today's Top Stories

Hot Posts

Recent Comments

White Papers & Webcasts

Computerworld Reports

Newsletters

Martin McKeay's Archive

IT Topics

Sponsored Links