Slashdot is powered by your submissions, so send in your scoop

 


Forgot your password?
Close
typodupeerror
×
Mozilla Security The Internet

Can Mozilla-Based Browsers be Hijacked? 102

Posted by Cliff from the any-exploits-out-there dept.
Chibi Merrow asks: "Matt Hartley in his latest GnomeReport speaks of supposed browser hijacker programs that are now targeting Mozilla FireFox instead of IE. While this is in a way cool (since that means the browser's now considered mainstream), it's also hard to believe. It doesn't help that his article is very light on details. Now there have been some discussion about spyware masquerading as valid extensions; but they require user intervention to install. Most people think of a browser hijack as something that automatically installs itself. Has anyone ever encountered an actual self installing browser hijacker/spyware program that has targeted Mozilla Firefox, or is this a bunch of FUD?"
This discussion has been archived. No new comments can be posted.

Can Mozilla-Based Browsers be Hijacked? More

Can Mozilla-Based Browsers be Hijacked?

Comments Filter:

  • No ActiveX (Score:3, Insightful)

    by colinramsay ( 603167 ) on Friday May 21, 2004 @04:36AM (#9212987) Homepage
    One of the reasons that IE is so susceptible to this sort of thing is because of ActiveX - an inherent security hole. While xpinstall is similar, it will always require clear user input to get the extension installed.

    And lets not forget the obvious - IE6 is always going to be bad for this. Mozilla gets updated each and every day and has a regular release schedule.

    I know who I'd rely on for the latest and greatest security tech.

    • Re:No ActiveX (Score:4, Insightful)

      by obeythefist ( 719316 ) on Friday May 21, 2004 @04:52AM (#9213040) Journal
      There's always a risk that any application that's handling data, especially unclean internet data, can be the victim of a buffer overflow. Here's where the open source nature of Mozilla beats MSIE hands down, the code is open to scrutiny which means that someone somewhere has probably already looked after most of the exploits already. That's the theory, anyway.

      • Re:No ActiveX (Score:4, Insightful)

        by mhesseltine ( 541806 ) on Friday May 21, 2004 @11:17AM (#9215511) Homepage Journal
        There's always a risk that any application that's handling data, especially unclean internet data, can be the victim of a buffer overflow. Here's where the open source nature of Mozilla beats MSIE hands down, the code is open to scrutiny which means that someone somewhere has probably already looked after most of the exploits already. That's the theory, anyway.

        That's the theory. In practice, however, that still doesn't necessarily work. Look, for example, at the recent buffer overflow found in CVS, software that's been open since its inception and been around for a long time. Also, look at the latest problems with OpenSSH, again a package that has been around for quite a while, and one that people should be *very* security concious about.

        While the idea that the code being open forces the bugs to be found and removed, that only works if someone with the skill to find the bug, and the willingness and skill to fix the bug does so.

        • That's a good point, well backed up, but on the upside, if you follow the process along, open source has another advantage. The fixes for open source software seem to come out within hours after really serious exploits are found. Microsoft, being a product seller, spends way too much time rationalising the budgetary costs of fixing the bug, implementing, then testing it. They have to, because you sure hear about it whenever a MS patch breaks something else.

          I'm a big advocate of the theory of open source

      • Re:No ActiveX (Score:3, Insightful)

        by llefler ( 184847 )
        There's always a risk that any application that's handling data, especially unclean internet data, can be the victim of a buffer overflow.

        Insightful? Not even close. Buffer overflows aren't a given. They aren't a fact of life. Quite simply, all you have to do is simple bounds checking. If you allocate a 4k buffer, don't try to copy 6k to it. Buffer overflows are a 'feature' of C/C++. There are plenty of other languages that don't have that problem.

        Unchecked buffers are the result of poor program design.
        • Buffer overflows are a 'feature' of C/C++. There are plenty of other languages that don't have that problem.

          Of course the interpreters for those languages are usually written in C or C++, so we haven't quite escaped the problem yet.

          • Of course the interpreters for those languages are usually written in C or C++, so we haven't quite escaped the problem yet.

            Well, since Delphi doesn't have an interpreter, I would say as least some of us have escaped the problem. Haven't had a buffer overflow in an application in 10 years. Pointers and range checking hasn't been a problem either.

    • Re:No ActiveX (Score:5, Insightful)

      by cookd ( 72933 ) <.moc.onuj. .ta. .koocsalguod.> on Friday May 21, 2004 @05:31AM (#9213168) Journal
      That means nothing. In any computer product that is intended for use by non-computer-experts, the developer needs to keep this in mind: You cannot trust the end user to make good decisions regarding computer security.

      Here is what I mean. My dad clicks on a link. The front page says "Click here to install the software necessary to view this web site." So he clicks. He gets a scary message, warning about potential viruses and trusting and digital signatures and stuff. None of it makes sense. Essentially, it gets translated into the following question:

      Do you want to visit the web site? OK / Cancel.

      XpInstall is just as vulnerable as ActiveX in this regard. People are dumb. Just like you don't care enough to read the full EULAs with all their legal mumbo-jumbo, most computer users won't really consider the warning.

      And, by the way, ActiveX also requires an OK before installing, just like XPI. There are buffer overflows or cross-site scripting attacks that can bootstrap an attack without ActiveX (and to which Mozilla is just as vulnerable), but ActiveX itself doesn't offer any way to auto-install software without the user's agreement, unless the user changes the Internet Security settings.

      ActiveX == Browser Plugins. Mozilla allows plugins, so there is NO difference.

      IE gets updated whenever a security flaw is found. And the user is prompted to download the update. I don't get alerts when FireFox needs an update -- I go to the website once in a while. You tell me which method is more likely to keep my dad's computer secure.

      • Re:No ActiveX (Score:3, Informative)

        by Curtman ( 556920 )
        • IE gets updated whenever a security flaw is found. And the user is prompted to download the update. I don't get alerts when FireFox needs an update -- I go to the website once in a while. You tell me which method is more likely to keep my dad's computer secure.

        You're wrong. Mozilla, and Firefox both inform you about about updates. take a look at the URL 'about:config' and filter for 'update_notifications'. Unless you changed something, update_notifications.enabled will be set to true, and when a ne

        • I just did what you suggested and (using Firefox 0.8) my update_notifications.provider.0.datasource is empty [default]. Does this prevent Firefox checking for updates? Certainly it never told about the upgrade from 0.7 to 0.8.
          • No it won't disable it, it just allows you to override the default. I believe 0.8 is the first browser in the pheonix/firefox lineage to support updates, but Mozilla has since 1.4 or something like that. Here's a screenshot [mozillazine.org] of what updates in future Firefox's will look like (known as SmartUpdate)
      • Take a look at
        http://www.safecenter.net/UMBRELLAWEBV4/ie_un p atch ed/index.html
        http://pivx.com/larholm/unpatched/
        http://www.malware.com/index2.html
        http://www.ee ye.com/html/Research/Upcoming/index.h tml
        http://www.guninski.com/browsers.html

        And for Mozilla, see
        http://bugzilla.mozilla.org/
        (search for "security" and sort by Severity)

        How many bugs of type "silent delivery & execution of code" can you find for MS IE? How many in for Mozilla?
        • So what you're saying is:

          Check all of these 3rd-party sites that I have chosen which list a bunch of security holes for Explorer. How evil! Now check a specific query that I have chosen. See! No bugs!

          Well, duh. If you get to pick the evidence, you can prove whatever you want. I'll try my hand at this game. Try this page [mozilla.org]. 9 serious security issues in the November 2003 update. And I was even nice and kept it on Mozilla's own site. These are the vulnerabilities that were fixed in the last release.
          • There are many old/new tricks for MS IE that allows
            malicious scripts to cross MS IE security zones too.

            MS IE is an increasing target for the attackers, just
            like MS Outlook was/is. Just wait and see.
            • There are many old/new tricks for Mozilla that allows (sic)
              malicious scripts to cross Mozilla security zones too.
              (Well, they aren't called security zones, but some scripts get more privileges than others.)

              Mozilla is an increasing target for the attackers, just
              like every other program that touches a network was/is. Just wait and see.

              (Grin.)

      • Re:No ActiveX (Score:4, Informative)

        by ccady ( 569355 ) on Friday May 21, 2004 @07:16AM (#9213453) Journal

        ActiveX itself doesn't offer any way to auto-install software without the user's agreement, unless the user changes the Internet Security settings.

        AFAIK Mozilla never allows you to auto-install without a warning.

        IE gets updated whenever a security flaw is found.

        B.S.

      • Re:No ActiveX (Score:3, Insightful)

        by 4of12 ( 97621 )

        You cannot trust the end user to make good decisions regarding computer security.

        You are so right.

        It makes me think the better overall policy is to make flexible easy upgrades scarier.

        But make the initial installation as capable as possible so most users won't ever feel a need to do an insecure upgrade.

        In the Mozilla and FOSS world things are still not much better than in the Windows world as far as security is concerned. A lot of the current problems with Linux security policies are masked by a 1337

      • Re:No ActiveX (Score:3, Insightful)

        by rthille ( 8526 )
        Your post made me think that the user prompt really needs to be: "Do you trust this website with full control over your computer?"
        But the problem is with the browser. If the browser were designed to be able to per-domain sandbox even plugins (a shit load of work I know, and it would limit their functionality), then a user could install a plugin downloaded from a site, view that site, and all the plugin could do would be screw with the data from that site. I guess what I'm advocating is that plugins be wr
      • ActiveX == Browser Plugins. Mozilla allows plugins, so there is NO difference.

        You couldn't be more wrong and here's why:

        XPI installer will ask you ONCE if you'd like to install a plugin without any custom text that lies to you and says to view our website click here.

        ActiveX pops up 20+ times before it goes away.

        Slight difference in my mind.
        • I believe the updates to IE in XP SP2 will block all ActiveX controls unless explicitly told otherwise, and it won't use a popup to notify them of this - simply display a message at the top of the window.

          But I don't use IE much, so I don't have any experience of this.
      • >ActiveX also requires an OK before installing

        If memory serves, IE's Medium security setting allows signed ActiveX to load without prompting. You're right if you're talking about XP SP2, or if I'm mistaken.
        • It probably depends on the version of IE. I'm using XP SP1 right now, and IE reports version 6.0. I didn't notice what they were on SP2, but I'm guessing they're tighter. They're downright draconian on W2k3.

          In any case, here are the settings on my XP SP1 version of IE6:

          Default security for Internet zone: Custom (but very similar to Medium, and the same in all of the settings I list below).

          Medium security setting: .NET programs = enabled
          Download unsigned ActiveX = disabled
          Download signed ActiveX = prom

    • Re:No ActiveX (Score:5, Insightful)

      by WIAKywbfatw ( 307557 ) on Friday May 21, 2004 @06:01AM (#9213253) Journal
      And lets not forget the obvious - IE6 is always going to be bad for this. Mozilla gets updated each and every day and has a regular release schedule.

      Let's get one thing straight: this sort of browser hijacking isn't aimed at defeating technically-minded people like you or I, it's aimed at non-technical users, such as friends and relatives we might have encouraged to switch away from Microsoft Internet Explorer, or people who've installed Mozilla Firefox from a magazine cover disc, etc.

      For the most part, these non-technical users aren't going to be actively updating their software on a regular basis. They're not going to be looking out for potential security risks and their solutions because they thought that they were leaving all that behind when they switched over from MSIE. In all probability, many if not most of these users won't even know that they've been hijacked if and when that happens.

      To suggest that browser hijacking doesn't have the potential to be a major problem for Mozilla users is rather short-sighted. Being dismissive about it is like adopting a "head in the sand" security policy, and no better than a "security through obscurity" one.

  • IE is part of Windows (Score:5, Informative)

    by Gary Destruction ( 683101 ) * on Friday May 21, 2004 @04:55AM (#9213048) Journal
    That in of itself makes it more insecure. I mean, it uses Windows' SSL whereas Mozilla has its own SSL. It has Windows remember passwords whereas Mozilla has a password manager. Mozilla just being a stand alone app makes it safer in that regard. And even a recent exploit caused by an issue with file extension spoofing vulnerability [secunia.com] was an issue only with IE. Mozilla still showed the file's name in its entirety.

    • Re:IE is part of Windows (Score:5, Insightful)

      by Anonymous Coward on Friday May 21, 2004 @05:21AM (#9213142)
      Integration into the OS makes the scope of IE vulnerabilites larger, but it doesn't necessarily make IE less safe. Microsofts neglect towards known vulnerabilities is a problem, but a similar attitude would hit Mozilla just as hard.

      An example: For a short time, several themers chose to distribute Mozilla skins in XPI form, because that allowed users to install them without additional files. The now preferred way of installing skins requires the help of a script, either in the browser (theme installer extension) or on a webpage. The latter method does not give skins access to JavaScript and is considered safe. XPIs can do a lot more: The installation process can run arbitrary code on the target system and even skins which are installed this way can later on access browser resources and relay them to an external attacker.
      • Why did they have to make XPI? I mean, Mozilla was doing so well. Why not just make a plugin that has an installer or a self-extract zip file or something of that nature? Is there an XPI viewer available?

        • Re:IE is part of Windows (Score:4, Informative)

          by Curtman ( 556920 ) on Friday May 21, 2004 @06:31AM (#9213329)
          • Why not just make a plugin that has an installer or a self-extract zip file or something of that nature?


          Haha. That's exactly what they did [mozdev.org] do. To quote the manual:

          An XPI file is nothing more than a ZIP file with its own installation script. Using a ZIP utility, you can archive the xfly directory and preserve the subdirectory structure so it's installed in the user's chrome directory as it is in your own. Make sure that the ZIP file, whatever it's called, contains the top-level xfly subdirectory as part of this structure. If it is a JAR file you are distributing for your package, make the JAR file (xfly.jar) the top level, with the content, skin, and locale directories contained within

    • Re:IE is part of Windows (Score:4, Interesting)

      by sql*kitten ( 1359 ) * on Friday May 21, 2004 @08:38AM (#9213832)
      it uses Windows' SSL whereas Mozilla has its own SSL

      Actually, this is exactly contrary to SSL philosophy. When asked "why doesn't SSL/SSH do such-and-such", developers reply that they want to concentrate on the crypto layer and other applications can use that layer to provide their own services (for example, sftp is layered on top of ssh, VNC uses ssh to provide its crypto, etc). So, there's one crypto system to maintain and patch, not two or even n.

      It's Unix philosphy too, building useful things from small tools that do one thing well. The Mozilla people lost sight of that pure vision LONG ago, and reimplemented everything from scratch. Kinda missing the point of libraries altogether.
      • It's Unix philosphy too, building useful things from small tools that do one thing well. The Mozilla people lost sight of that pure vision LONG ago, and reimplemented everything from scratch. Kinda missing the point of libraries altogether.

        OTOH this is why Mozilla is able to run on multiple platforms and architectures.

      • Re:IE is part of Windows (Score:1, Insightful)

        by Anonymous Coward
        > It's Unix philosphy

        And "Windows Philosphy" would be to use the built-in HTTPS libs. The idea of shared code isn't exclusive to Unix.

        The fact is that Netscape^WMozilla has always seeen themeselves as their own 'operating system' layer. Remember Andreeson and his quip about "reducing Windows to a bunch of poorly debugged device drivers" -- well, the same attitute lives on today at mozilla.org.
      • One of the major problems with Windows and IE isn't so much the quality of the code, but the fact that everyone is running the same code, hell even the same binary. Hence the worms can be spread so easily.

        Mozilla/Firewombat have so many different versions floating about that a large scale exploit would be very difficult to pull off.

        The fact that mozilla's ssl implementation is new and probably less tested will never make it more of a target than IEs or windows, even if mozilla became as popular. (So long

  • Yes, i've seen it (Score:5, Informative)

    by Joff_NZ ( 309034 ) on Friday May 21, 2004 @04:56AM (#9213052) Homepage Journal
    www.crack-locater.com tries to get you to install a couple of .xpi extensions into Mozilla... I naturally clicked "Cancel", so I couldn't tell you what they did...

  • Semi-OT: Why are extensions not signed ? (Score:5, Insightful)

    by Wudbaer ( 48473 ) on Friday May 21, 2004 @04:57AM (#9213055) Homepage
    I love Firefox and Thunderbird. But everytime I install an extension I really wonder: Why does noone bother to sign their extensions ? As the browser complains that the extension is not signed a mechanism to do that must be there.

    • Re:Semi-OT: Why are extensions not signed ? (Score:2, Insightful)

      by Anonymous Coward
      Signing extensions doesn't really help unless you have hierarchical or p2p trust relationships. Even then someone would have to identify bad code and revoke the trust relationship with the author.

      Let's say I sign my extension with a private key named "George.Brampton@yahoo.com". How does that make you more confident that the extension is legit?

      The only thing which signing would accomplish is making redistribution safer for people who actually check the signatures against the public keys on the authors web

      • Re:Semi-OT: Why are extensions not signed ? (Score:5, Insightful)

        by ManxStef ( 469602 ) on Friday May 21, 2004 @06:47AM (#9213368) Homepage

        Surely you could get MozDev [mozdev.org] to be (one of) the top level Certificate Authority(s) though, seeing as it's already the main repository for plugins. Maybe XULPlanet [xulplanet.com] and a few others too, along the same lines as the SSL cert. verification model. Establish some trusted bodies and give them the issuing responsibilities.

        Get these bodies to issue a cert. to each project and provide a mechanism for signing code, then plug the above CA servers into Mozilla, Firefox, etc., write some checking code (displaying warnings for unsigned code, for example) then you're done :)
        Not quite that easy in practice though, I guess?

    • Do you know how much a certificate costs? When someone writes a small plugin and shares with the rest of the world for nothing, what reasons does he have to sign it.

      If you want to install a plugin, just make sure you trust the provider. I think it's better to install plugins only from the official mozilla web site, just as a precaution.

      • Re:Semi-OT: Why are extensions not signed ? (Score:1, Interesting)

        by Anonymous Coward
        I think it's around $200 for a ActiveX cert, not ridiclously expensive.

        But, others have pointed out, it would actually be better to create a signing authority at MozDev rather than have stuff signed by Joe Blow.

        what reasons does he have to sign it

        As Mozilla-based malware becomes more popular, Mozilla WILL have to change the install policy to require signed components. Just look at the path Microsoft took -- For IE3, signed ActiveX was optional, for IE4 it became required, and XP SP2 will have a bunch o
  • On a Linux-based system this would only affect the current user unless running Mozilla as root. But on a Windows system, depending on the version of Windows, the damage would be equivalent to that in an IE exploitation would it not?

  • Only thing I've seen... (Score:5, Informative)

    by J'raxis ( 248192 ) on Friday May 21, 2004 @05:46AM (#9213214) Homepage
    I've only come across a couple of porn sites that try to install something using the XPI [mozdev.org] facility, but you get prompted to install it. It was amidst a rats' nest of other dialogs popping up (not "popup" windows, just dialogs asking me to install extensions to handle all kinds of exotic filetypes and JavaScript alert() boxes), so I almost missed it.
    • That's a rather appropriate place for "exotic" filetypes.

    • Re:Only thing I've seen... (Score:1, Insightful)

      by Anonymous Coward
      It's a good point that the current dialog box looks too much like a javascript "confirm()" prompt. Which probably make it too easy to just click OK without reading it.

      One smart thing Microsoft did was make the ActiveX install dialog look unique and a little scary -- it says "Security Warning" and has it's own graphic.
      • The Master Password dialog box is nearly identical to:
        prompt( 'Please enter the master password for the Software Security Device.' );
        Even the same icon is used, FFS. At least the Master Password icon should be something like a padlock, or a key, like other browsers use for their password dialogs.

        The only difference is that the JavaScript version will say "[JavaScript Application]" in the title bar instead.

  • It's interesting to note that these security hacks and loop holes are not just restricted to "windows".

    As other OS's and app's become more popular we will see a rise in breaches and attempted breaches of these systems.

    No matter if your an Admin of a "microsoft", "Sun", "Linux" system. Security should still be on your agenda regardless of system.

  • What's really funny.... (Score:3, Interesting)

    by Fuzzle ( 590327 ) on Friday May 21, 2004 @07:28AM (#9213496) Homepage Journal
    Is that I submitted a story about a website trying to install mal-ware through Mozilla 2 months ago, and it never got published. While I'm not trying to bitch about the editors, because it probably didn't seem that important, it's hilarious that now because someone has written "an article", which appears to be rambling, it's a large issue. Oh bla di.

  • Wow, talk about timing! (Score:4, Informative)

    by GeckoX ( 259575 ) on Friday May 21, 2004 @08:20AM (#9213736)
    OK, well, AVG on my main system was screaming at me this morning, found a trojan browser-hijacker.

    So what right?
    Well, I haven't had a virus in _years_ now, AND, (here's the kicker), I do NOT run IE, EVER. Firefox exclusively and previous incarnations for years previous.

    And no, it most deffinately did not come in through email.

    So apparently, the article is correct.

    (As well, I NEVER click ok or the like unless I KNOW i initiated installation of something myself, and I haven't seen anything like that anyways in the past few weeks.)

    I'd love some more details and a patch ;)
    • I had similar experince just the other day using Firefox on Windows. My McAfee virus scan went crazy telling me that there was a javascript (no suprise that it was javascript but I can't ever remember having somethink like this happen with Firefox) file trying to run and the path that it was pointing to was in the mozilla directory, McAfee was unable to quartine or delete it (even though I went to another page and went to Privacy options and clicked the clear cache button) so I had to do it manually. The fi

  • OS dependancy? (Score:3, Interesting)

    by polyp2000 ( 444682 ) on Friday May 21, 2004 @08:58AM (#9213965) Homepage Journal
    Im sure if one hacks around hard enough a security hole can be found in any browser. I'd like to hope the non-bloat nature of Mozilla and its open-source goodness would ensure to an extent that its inherently very secure, and that potential holes are fixed rapidly. However I think that one also has to take into account the operating system the browser is running on and whether any Mozilla exploits are dangerous accross different platforms. My guess is that though Mozilla is enjoying a good market share at the moment, any exploits that may arise are going to target the operating system, in most cases that will be Windows. Its pretty dificult to run arbitrary code on linux or OSX without being very stupid.

    Even so, using Mozilla on windows is a sensible thing to do from a security perspective since it provides another layer of security. IE, is so tied into the OS in this regard, but Mozilla is more of a seperate entity.

    nick ..
    • the non-bloat nature of Mozilla

      Oh man, you almost had me there!

    • I just reloaded a friend's old laptop last night that had been overrun by malware and spyware--toolbars, browser redirection, the whole bit. It's Win98SE, and he hadn't been very good keeping up on his Windows Update. I had gotten the CD of updates from Microsoft through February 2004, so I was able to keep his computer unplugged from the net for that. Then, I made a CD of some protection software--ZoneAlarm, Spybot, Firefox to load up before I connected him to the network. That was my first experience

  • I've seen it (Score:2, Interesting)

    by alatesystems ( 51331 )
    I saw one xpi try to install on cracks.am [cracks.am]. I was happy and mad at the same time. It's mainstream!!!

    Chris

  • Related info (Score:4, Informative)

    by eyepeepackets ( 33477 ) on Friday May 21, 2004 @10:07AM (#9214607)
    I run Opera (IDs as IE) on a Slackware-based IBM laptop. Here is today's hijack string my Opera user got in his shell as I was browsing sites for heat pipes from a Google search:

    Warning: Actions not found: addBookmark, viewBookmark, copy, undefined-key, find, findAgain, history, loadImages, openURL, mailNew, new, openFile, print, exit, reload, saveAs, paste, delete, cut, undo, historyItem, back, forward, abort, PageUp, PageDown

    Didn't bother to determine which site did this as it doesn't bother me, but it was interesting to see.

  • Not necessarily (Score:3, Insightful)

    by nes11 ( 767888 ) on Friday May 21, 2004 @10:17AM (#9214719)
    "While this is in a way cool (since that means the browser's now considered mainstream)"

    actually it just means that hackers are finally starting to realize that people using IE rarely have data worth accessing. If someone's using FireFox, chances are they're bright enough to have some cool data.

    On our webserver, we're only getting about 1.5% of 50,000 hits per day that our Firebird/Firefox, so it's still far from mainstream.
    • Webalizer stats for May:
      1 39346847 78.96% MSIE 6.0
      2 4523223 9.08% Mozilla/5.0
      3 2250067 4.52% MSIE 5.5
      4 710608 1.43% MSIE 5.0
      5 696715 1.40% MSIE 5.01

      Ok, I know some browsers other than Mozilla disguise as Mozilla/5.0, but their number should be really insignificant.
      And no, it's not very geeky site, it's a forum for R/C enthusiasts.
      • Interesting. Our site is a small private university, so I'm sure the majority of our visitors are parents, grandparents, or alumni that are the farthest from the geek spectrum. And I would guess that R/C visitors are a little more on the geeky side than not. It would be really interesting to see results from someplace like yahoo or google to see the middle of the road.

  • If it has user input and output ... (Score:3, Insightful)

    by Jahf ( 21968 ) on Friday May 21, 2004 @10:56AM (#9215206) Journal
    Any program that is complex enough to have user input and system/user output is going to be possibly exploitable.

    So yes, I believe it may be possible to exploit Mozilla.

    But I also believe that the exploit will be known almost as soon as it hits the streets rather than being kept quiet until the devs get around to fixing it.

    And if the devs don't quickly fix it I trust that the community will, because it is in their own interests.

    The last 2 paragraphs are because Mozilla is open, IE is closed, plain and simple.

    Not to mention that I don't believe that Mozilla is -as- vulnerable to exploits as IE nor will such exploits be as serious due to purposeful lack of OS integration.

  • http://public.searchbarcash.com/v2/prompt.php?p=9F D0986F08B7A3A78E58EA0BA7D7954967FEF1419B066DF507A3 4BFBE0441883698566F3B68DF40448AC9A8309A1DE98CFEADA A19AB062C96BF6FCB02431F41783FD95A9751819B0D69E4766 069F882D40938F635FA9C5E34D3FAA84DC818401D6DE0D8818 FE60E4F0CAC3638AA07AB3EC36C9F96DC232EBC4C884963972 446AAFECB8026C6FE467D0

    from http://www.bkahuna.scripterz.org/dg-tproxy.html

    raj
  • the auto download feature in firefox is great. But what about those site that automatically redirect to an executable file?

    A user visits the site, and the autodownload kicks in; the file being so small it will not pop up the download window. Later on, the user looks at his desktop and sees an executable. he double clicks.

    I think the autodownload should be disabled for links that the user hasn't clicked on. If the site is pushing a download, the browser should prompt the user.

    it has been reported, but the
  • If I would be a web browser designer/engineer, I'd force a privilege degradation for browser process. Just like web server runs under user apache and ftp runs under ftp, browser would be running under user "browser". Saving stuff only to some dedicated "download" area, no-no executable filesystem by default with proper quarantine checks. So the user should manually move stuff into his property to execute it, if she wants to. Or run it in other jail.

    Technically, it is possible to do it on KDE desktop for ex
    • It's a limitation of the Unix user model (and probably also the Windows user model) that only root can change userID to become a less priviledged user (programs like su, sudo, ksu, etc. are all setuid root, or at least communicate with something that is, in order to accomplish this). Making a program that can switch UID thus requires setuid bits and other unpleasantness, and requires active intervention from root.

      (It's particularly nasty if you want to avoid active attacks rather than just mistakes, becaus
  • The other day I saw one that wasn't self installing, however had the mozilla firefox extensions.. Maybe the mozilla developers should have security levels on the extensions so that certain ones can be permanently blocked so u dont accidently install them, after the 10th time its popped up.. Would also be nice if there was a untrusted extensions database too, that means that if someone chooses to use it, that some known dodgy applets would be blocked (which contain spyware or whatever).. But to avoid any l

Slashdot Top Deals

He has not acquired a fortune; the fortune has acquired him. -- Bion

Close