News
Blogs
Shark Bait
Knowledge Centers
Opinion
Webcasts
Video
Podcasts
IT Careers
White Papers
Computerworld Reports
Zones
Case Study Library
RSS Feeds
Events
Industry
This Week in Print
Print Subscriptions


Ads by TechWords

See your link here


Martin McKeay's picture
Martin McKeay

Security Matters

More posts | Read bio

October 3, 2006 - 8:07 A.M.

Firefox and irresponsible disclosure

10 comments

I'm surprised this hasn't gotten more press: a pair of hackers have found 30 stack overflow errors in Firefox's implementation of JavaScript.   Stack overflows are harder to exploit than buffer overflow issues, which means the script kiddies will have a harder time exploiting these vulnerabilities.  But once the skilled hackers come out with the exploitation code that difficulty won't mean much.  This vulnerability means that Firefox is a little less secure than it was before, but I don't believe it has much relevance in the 'Firefox vs. IE' security arguments.  I know I'll continue using Firefox.

What disturbs me about this incident is the attitude of the two crackers who discovered the vulnerability.  If the CNet article is unbiased, it seems that the crackers took a fair amount of glee in not only showing of the vulnerability in a way that gave other black hats enough information to exploit the vulnerability, they are also making a show out of not working with Firefox to fix the vulnerabilities.  I'm not quite willing to take the article at face value, since it makes the crackers sound like two kids giggling over a toy only they have. 

I'm disappointed that the pair who discovered the Firefox vulnerability aren't playing well with the Mozilla Foundation.  The folks at Firefox have usually shown themselves to be worth cooperating with, and these actions seemed to be aimed only at getting the crackers status in the black hat network.  I don't see any way their claim of this being 'really for the greater good of the Internet' can hold water, even in their own internal logic.  It seems to be for their own personal aggrandizement, pure and simple.

One thing I know for certain: Spiegelmock and Wbeelsoi have given up any chance of ever calling themselves researchers or security experts.  Their actions make them black hats, pure and simple.  But maybe that's what they want.

Update:  An astute reader, Kenneth, pointed out that a the bloginfosec.com site has an article stating that the claim of thirty vulnerabilities was false and that  the Mozilla  Developer Center has a letter from one of the presenters saying that he didn't have thirty vulnerabiliities and no way of using the stack overflow for remote control of a vulnerable system.  If this was their idea of being funny, they need some work on their delivery.

What People Are Saying

Add new comment

Patrick, I agree with every

Submitted by Derek on October 3, 2006 - 5:21 P.M.

Patrick, I agree with every part but the last paragraph of your entry. There are fundamental differences of design when it comes to Windows vs., well, anything that properly seperates administrator and user priviledges. It is, by design and logic, harder to compromise almost any UNIX-like systhem than Windows.

Report this comment

You do have a very valid

Submitted by Patrick on October 4, 2006 - 9:46 P.M.

You do have a very valid point, Derek. I understand this. But it's also true that there has never been a platform that is hack-proof. But you are correct...it's not the ONLY reason that OS X users may have less to worry about...at least for now.

Report this comment

Regardless of the questions

Submitted by Patrick on October 3, 2006 - 4:26 P.M.

Regardless of the questions of plausibility surrounding this story, there is a very important message to take from this. As Firefox gains popularity, so too will its attractiveness to hackers as a conduit to unsuspecting users’ systems.

To be sure, part of the lure of IE to hackers has been its embedded nature in the OS, which has indeed opened opportunities for security breaches. But make no mistake about what motivates those who build and exploit these vulnerabilities: market share. If you’re a hacker and want to make a big splash, you go for the platforms and programs that are most widely used. As long as Microsoft sustains its majority, it will be the target of choice.

And it is precisely because of its growing popularity that Firefox is becoming the target of new hacking efforts. This problem is made worse by the fact that there seems to be a religion growing about the supposed “virtue” of non-Microsoft products - in particular, web browsers. Following blog entries about the browser wars, Firefox is usually portrayed as a white knight. For the record, I think it is a wonderful product and use it extensively. But not for a second do I assume that it’s bullet-proof, nor the potential target for malevolent abuse. Indeed, anyone who does make this assumption merely because it is open-sourced and non-Microsoft is making a very dangerous assumption indeed.

It’s just like the current Mac vs. PC TV ad, which has the Mac guy saying that because he runs OS X he doesn’t need to worry about viruses and spyware. OK, buddy, just keep thinking that way. See where that line of thought eventually takes you. The real reason you don’t have as much to worry about right now is that your platform is still below the radar for most of the hacking community.

Report this comment

You guys sure like to jump

Submitted by Sharrdd on October 3, 2006 - 1:11 P.M.

You guys sure like to jump the gun and print the first thing that comes to mind.

At least it wasn't as bad as Mike Elgan's piece pimping the Zune as Microsoft's "perfect storm."

Report this comment

It's a known hoax,

Submitted by Anonymous on October 3, 2006 - 12:47 P.M.

It's a known hoax, as of yesterday in fact. That Jason Fortuny guy seems to know these folks.

http://rfjason.livejournal.com/417923.html

Report this comment

I think what this does is

Submitted by CJ on October 3, 2006 - 12:29 P.M.

I think what this does is bring to the forefront what we in IT knew for a long time: there are vulnerabiilites that we know about and are working to correct, and there are vulnerabilities that we will never know about until long after the vulnerability has been exploited. There are "hackers" that expose vulnerabilities for the good of the community, and there are "crackers" who find the vulnerabilities and never expose them so that they can use them for their own (nefarious?) purposes.

Bottom line, hopefully this brings to light that there is no software that is truly "secure." Everyone in computer security knows that the most secure system in the world is the one with no users, and the most usable system in the world is the least secure. It is a balancing act between security and usability; you can't have it both ways. Just because Mozilla does things differently than Microsoft doesn't necessarily make it more secure. Mozilla's model depends on the integrity of individuals to actually report the bugs they find, and in that sense, it will never be any more or less secure than Internet Explorer.

Report this comment

I agree with Barb. It was a

Submitted by Tom Bailey on October 3, 2006 - 10:19 A.M.

I agree with Barb. It was a cheap stunt and it was not funny in the least.

I mean if you are going to pull a prank at least be a little creative. This just borders on childish.

Report this comment

Kenneth, Thanks for the

Submitted by Martin McKeay on October 3, 2006 - 9:36 A.M.

Kenneth,

Thanks for the information. I've updated the article with the link you provided.

Martin

Martin McKeay
martin_cw@mckeay.net
http://www.mckeay.net/
Voicemail: 916.231.9479

Report this comment

I read the report and the

Submitted by Barb on October 3, 2006 - 9:27 A.M.

I read the report and the kiddies seem to be crying fire in the middle of the theater when there isn't a fire. What a way to get their three minutes of fame. I hope this is the last piece of publicity anyone will give these two.

Report this comment

Marty, This is factually

Submitted by Kenneth F. Belva on October 3, 2006 - 8:38 A.M.

Marty,

This is factually incorrect. The researcher's claims are false.

Please see: http://www.bloginfosec.com/?p=77

Thanks,
Ken

Report this comment

Related Posts

And things were going along so well, too
Eugene Kaspersky wants no net anonymity
Microsoft: XP is far more vulnerable than Vista, Windows 7
Microsoft Security Essentials: Free is great, but is it effective?

Today's Top Stories

Hands-on: Google's Chrome OS is a work in progress
Windows 7 passes Mac OS X in market share race
Microsoft CFO to leave at end of year
Race on between hackers, Microsoft over IE zero-day
Meow! IBM cat brain simulation dissed as 'hoax' by rival scientist
Microsoft debuts 'streaming' Office 2010 beta
About Us Advertise Contacts Editorial Calendar Help Desk Jobs at IDG Privacy Policy Reprints Site Map
CIO Computerworld CSO DEMO GamePro Games.net IDC IDG IDG Connect IDG Knowledge Hub IDG TechNetwork IDG Ventures
IDG.net InfoWorld ITwhitepapers ITworld JavaWorld LinuxWorld Macworld Network World PC World The Industry Standard
Copyright © 1994 - 2009 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of
Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.