Firefox
Wednesday 4th April, 2007 01:00 Comments: 0
I'm sorry for sounding like a Microsoft "fanboy" today, but I came across this link on Sandi Hardmeier's blog, a ZDNet blog entry about Firefox:
Determina is previewing a version of the ANI exploit that will hijack Mozilla Firefox 2 as well as Internet Explorer 7 running on Vista.
[snip]
What's interesting about this is the fact that Firefox doesn't have the benefit of Protected Mode under Vista, which can somewhat mitigate the damage that can be done if Internet Explorer 7 is exploited by this vulnerability. While UAC will prevent the exploit from infecting the system with a persistent backdoor or rootkit [NB: this isn't entirely true, according to details on the Metasploit blog, although it's currently only theoretical], nothing prevents damage to the user's data unless Protected Mode is implemented. If someone using Firefox gets exploited with this or any other vulnerability, that malicious code gets the same permissions as the user, which means it can read and write to all of that user's data. That means the exploit can steal personal data, delete personal data, or encrypt it for ransom. Internet Explorer, on the other hand, running in Protected Mode would "only" permit the malware to have read-only access to the user's files. While that's still very bad, it's not nearly as bad as full read and write permissions. With Protected Mode, the malware still gets to steal and copy all of your personal data, but it can't alter it, delete it, or encrypt it for ransom.
[snip]
Firefox alone in recent months has had more exploits than Windows XP and Vista combined and is in serious need of mitigation measures (not to mention better code auditing). For example, here's a batch of 11 critical vulnerabilities and here's a batch of nine critical vulnerabilities, and some of those exploits were zero-day with proof-of-concept code. If Mozilla ever wants Firefox to be taken seriously, it's going to need to do better auditing of its code and implement security measures that are available in the operating system. The Web browser is simply too large an exploit vector to ignore, and the sooner Mozilla implements Protected Mode the better.
In the past, Firefox has had a good reputation because it's not tied into the OS like Internet Explorer, but without adopting some form of "Protected Mode" to broker access to the OS, it's clear that IE7 is currently using a better model - although it may still be just as prone to vulnerabilities, and it still has a few things that probably shouldn't be there (it's nice to see MSXML4 support being ditched fairly shortly). I thought it was very interesting that Mozilla security chief Window Snyder recently said in a News.com article:
"The researcher has all the power. They control when they disclose it, and they control the idea whether or not the vendor responds in time... I would appreciate 30 days, but I will take what I can get."
I thought it was interesting that she believes that researchers have all the power. You'd think that the developers that write the code in the first place have all the power, and that if they did their jobs properly there wouldn't be any vulnerabilities for researchers to discover. And that's assuming that a malicious person hasn't already been abusing it first.
Determina is previewing a version of the ANI exploit that will hijack Mozilla Firefox 2 as well as Internet Explorer 7 running on Vista.
[snip]
What's interesting about this is the fact that Firefox doesn't have the benefit of Protected Mode under Vista, which can somewhat mitigate the damage that can be done if Internet Explorer 7 is exploited by this vulnerability. While UAC will prevent the exploit from infecting the system with a persistent backdoor or rootkit [NB: this isn't entirely true, according to details on the Metasploit blog, although it's currently only theoretical], nothing prevents damage to the user's data unless Protected Mode is implemented. If someone using Firefox gets exploited with this or any other vulnerability, that malicious code gets the same permissions as the user, which means it can read and write to all of that user's data. That means the exploit can steal personal data, delete personal data, or encrypt it for ransom. Internet Explorer, on the other hand, running in Protected Mode would "only" permit the malware to have read-only access to the user's files. While that's still very bad, it's not nearly as bad as full read and write permissions. With Protected Mode, the malware still gets to steal and copy all of your personal data, but it can't alter it, delete it, or encrypt it for ransom.
[snip]
Firefox alone in recent months has had more exploits than Windows XP and Vista combined and is in serious need of mitigation measures (not to mention better code auditing). For example, here's a batch of 11 critical vulnerabilities and here's a batch of nine critical vulnerabilities, and some of those exploits were zero-day with proof-of-concept code. If Mozilla ever wants Firefox to be taken seriously, it's going to need to do better auditing of its code and implement security measures that are available in the operating system. The Web browser is simply too large an exploit vector to ignore, and the sooner Mozilla implements Protected Mode the better.
In the past, Firefox has had a good reputation because it's not tied into the OS like Internet Explorer, but without adopting some form of "Protected Mode" to broker access to the OS, it's clear that IE7 is currently using a better model - although it may still be just as prone to vulnerabilities, and it still has a few things that probably shouldn't be there (it's nice to see MSXML4 support being ditched fairly shortly). I thought it was very interesting that Mozilla security chief Window Snyder recently said in a News.com article:
"The researcher has all the power. They control when they disclose it, and they control the idea whether or not the vendor responds in time... I would appreciate 30 days, but I will take what I can get."
I thought it was interesting that she believes that researchers have all the power. You'd think that the developers that write the code in the first place have all the power, and that if they did their jobs properly there wouldn't be any vulnerabilities for researchers to discover. And that's assuming that a malicious person hasn't already been abusing it first.