Forgot your password?
typodupeerror
Bug Mozilla The Internet

Spyware for Firefox Coming This Year? 630

Posted by Zonk
from the deeply-unsettling dept.
EvilCowzGoMoo writes "One of the main reasons for the Firefox browser's successful seizure of market share from Microsoft's Internet Explorer is the desire to escape the inundation of PC-slowing spyware. However, spyware experts indicate that with its increased popularity, Firefox itself will become a target for spyware creators." From the article: "Basically, if you use Firefox today, you're not susceptible to any spyware, other than what you download when you're on Kazaa...The spyware writers target mostly Explorer users because that's the most fertile feeding ground for piranha-like (spyware) attacks. They'll watch as Firefox becomes mainstream, they'll see opportunity there and start targeting them."
This discussion has been archived. No new comments can be posted.

Spyware for Firefox Coming This Year?

Comments Filter:
  • by Anonymous Coward on Tuesday February 08, 2005 @12:21PM (#11606927)
    IE's spyware problems were largely due to exploits. Someone not up to date with patches could visit a website and have something remotely installed pretty easily.

    For Firefox, though, it'll take social engineering. The place to look for the spyware threats is in the brand new extension you WANT to install. Most Firefox users have at least one extension, and many have a dozen. How do you know what each of those is doing behind your back? Most people don't bother to scan the code, and while some may do so and report problems publicly, will you find out about them? A firewall won't even help you in this situation since you've probably given Firefox free access to port 80 (plus 443, etc).

    Mozilla should probably create some sort of permission system for extensions. Can it connect to a remote server? Can it write to disk?
  • Duh. (Score:2, Insightful)

    by Anonymous Coward on Tuesday February 08, 2005 @12:22PM (#11606936)
    How is this news? If Linux was the #1 desktop operating system in the world, spyware authors would be targeting it, too.
  • ...and.... (Score:5, Insightful)

    by numbski (515011) * <numbski@hks i l v e r.net> on Tuesday February 08, 2005 @12:22PM (#11606937) Homepage Journal
    Since xpi's are blocked by default, they're going to get there how? By a javascript dialogue that says "You must allow this installation to continue."?

    Hmm. That's probably exactly how it'll happen. :(
  • cool (Score:1, Insightful)

    by Anonymous Coward on Tuesday February 08, 2005 @12:22PM (#11606942)
    good, help to improve it
  • by Illuminati Member (541846) on Tuesday February 08, 2005 @12:23PM (#11606943)
    Imagine a whole company full of coders looking into code to find loopholes to exploit. [Tt]hat's what they'll end up doing! Sure, the firefox developers will be fast about plugging holes the minute they find them, but people are bound to get a little upset by getting hammered (ie) once every week, then having to patch their browser weekly...
  • I doubt it ... (Score:5, Insightful)

    by NitroWolf (72977) on Tuesday February 08, 2005 @12:23PM (#11606947)
    While the spyware makers may initially try to target Firefox... the fact is, Firefox is written to prevent just these sort of things. Is it possible there will be bugs that allow unauthorized code to run? Yeah... but they will be patched, and patche quickly.

    Overall, no matter how you slice it, Firefox is more secure and is designed from the ground up to prevent the "fertile feeding ground" that IE offers Spyware writers.

    So no, you aren't going to see the same rampant irresponsibility that you see with IE, and the threat is a tempest in a teapot.

    Of course, nothing is going to protect your computer from your own stupidity when opening executables, etc... that's all on the user whether or not they authorize code to run or not.

  • by Anonymous Coward on Tuesday February 08, 2005 @12:23PM (#11606948)
    As soon as Firefox supports ActiveX, it supports spyware.

    Solution: don't enable ActiveX (duh)
  • by Anonymous Coward on Tuesday February 08, 2005 @12:23PM (#11606949)
    Security is a process, not a product. There is no magical one product or suite of products that will protect you while online. Security is risk mitigation, plain and simple. Far less people would be vulnerable to the tricks of the miscreants out there trying to do people harm if they would just employ a little common sense. But, alas, common sense isn't that common.
  • by Shayde (189538) on Tuesday February 08, 2005 @12:25PM (#11606963) Homepage

    The issue isn't really how many people are using it. That certainly does figure into it, but the very basic design philosophy of IE allows spyware to propogate easily.

    Firefox has far better controls on what programs can be installed and can't be. Also, the very multi-platform nature of the code makes it harder to write an app that will work well.

    I'm not worried. On the IE side, the only people who can fix the code are microsoft drones, and they won't do it. On the firefox side, the people who fix the code are the people who use it, namely us.

    Planet-Geek [planet-geek.com]
  • by gatesh8r (182908) on Tuesday February 08, 2005 @12:25PM (#11606968)
    "The only reason why X has $BAD_THING is because the system is popular. I'm 100% certain when Y has such popularity it too will have such problems." -- while ignoring any design differences that make Y less suceptable to $BAD_THING. Firefox is better designed from the ground up. Not saying that it's bullet-proof (it's not...), just less suceptable and less desirable to target. Would you rather target a locked door with an alarm system, or a door that's wide open and no security measures taken?
  • Re:...and.... (Score:2, Insightful)

    by slungsolow (722380) on Tuesday February 08, 2005 @12:28PM (#11607012) Homepage
    The article does state that adware would be "invited in". This doesn't really suprise me. There will be some users who will think that they are protected by default and won't be afraid to click "yes" (or in some cases click "no" or hell, just click on the ad itself).

    Security is only as good as the person keeping watch. Sure, having all the bells and whistles is grand, but in the end human interaction (or lack thereof) can bring the biggest ship down.
  • by Acts of Attrition (635948) on Tuesday February 08, 2005 @12:29PM (#11607021)
    In the immortal words of G.W.
    "Bring it on"

    How's Firefox supposed to get even more resistant to exploits if hackers aren't sitting there trying the exploit the heck out of it?
    Trial by fire. There's a reason it started out as Phoenix.

  • Re:Duh. (Score:3, Insightful)

    by owlclownish (553387) on Tuesday February 08, 2005 @12:30PM (#11607045)
    Oh, yes. Let's remove a spyware infection by "wiping out the home directory" because that "would usually fix you right up." Excellent solution. It's like using a flamethrower to get at that pesky mosquito. No, the proper solution is anti-virus style threat control systems for Web browsers. Systems that scan incoming traffic and look for malicious code, then say something like "I've detected what looks like malicious code. Please think carefully, and go forward only if you trust the site sending you this code." It won't be easy, but it's not a bad option. Snort provides an excellent model. Think of a browser or browser add-on that constantly updates threat signatures from a central repository. Or just think of the current anti-virus software model.
  • by Anonymous Coward on Tuesday February 08, 2005 @12:30PM (#11607047)
    Fact is, things won't be exactly the same if FF gets a bigger market share. It's not the same product. Articles like these are written by Microsoft apologists.
  • by j-turkey (187775) on Tuesday February 08, 2005 @12:32PM (#11607076) Homepage
    IE's spyware problems were largely due to exploits. Someone not up to date with patches could visit a website and have something remotely installed pretty easily.

    For you and I, I'd say that exploits are the issue...but in my experience, most average users don't get a malware infestation via browser exploits (mainly because when you and I see the words Gator or Newnet, we say hell no). They simply click "yes" when asked if they'd like to install a piece of software. I don't know if the mentality is "yeah I want more functionality" or "yeah yeah, just show me the damn webpage!". One way or the other (antecdotally), most of the users whom I deal with tend to install the malware themselves. FWIW, these users tend to be on the low end of the learning curve.

    It would be interesting to see a permission based system for this...maybe even registering approved plugins with a crypto signature/hash.

  • by hkmwbz (531650) on Tuesday February 08, 2005 @12:32PM (#11607077) Journal
    Sometimes it sounds like the new browser war is between Internet Explorer and Firefox, and only those. But people often forget that there are other browsers out there, such as Opera and Safari/Konqueror (when will we get a decent KHTML browser for Windows?).

    If the market is indeed split into two major parts, this is actually a bad thing, because it gives you only two huge targets. That makes it easier and less expensive to create viruses, or take over computers for monetary purposes.

    What we need is several browsers that each have a significant part of the market. Not just IE and Firefox/Gecko based browsers, but also Opera and KHTML based browsers. Maybe there would be room for even more as well.

    It is good that an alternative browser is growing rapidly, but monoculture or duoculture makes life easier for virus makers. With four browsers, it would take four times the effort to get as much "bang for your buck" for virus authors looking to make money by infecting people.

  • by penginkun (585807) on Tuesday February 08, 2005 @12:33PM (#11607085)
    Don't forget-these dire predictions come from AV software makers, who have an interest in keeping you scared.
  • by blueZhift (652272) on Tuesday February 08, 2005 @12:35PM (#11607110) Homepage Journal
    Heh, when spyware makers really do begin to actively target Firefox users en masse, maybe a toast is in order. Pop open the bubbly! Why? Because spyware and spam are playing a numbers game. Of all the spam sent out and machines infested with spyware, only about 1 percent of those are going to make any money for the exploiter. But because we're talking about total numbers in the tens of millions at least, that 1 percent is good money.

    So when Firefox becomes worth the effort, the folks in Redmond will really have to worry. In this game, nothing flags success like being the target of abuse! Tens of millions of Firefox users might just mean ten of millions of people considering something other than Windows. And that affects the bottom line for Microsoft. Hmmm, anyone heard of any OpenOffice exploits yet?

  • by EvilGrin666 (457869) on Tuesday February 08, 2005 @12:39PM (#11607145) Homepage
    Mozilla should probably create some sort of permission system for extensions. Can it connect to a remote server? Can it write to disk?

    Isn't that just reinventing Java?
  • by OwnedByTwoCats (124103) on Tuesday February 08, 2005 @12:40PM (#11607153)
    "They're only safe because they're such a small target."


    While this is no doubt true, ...

    I doubt that this is true. Apache has a greater market share than IIS. There are more exploits and worms for IIS than there are for Apache.

    You may be safe if you are small. You are safer if your design takes security into account up front, and that design remains intact through implementation.

    Windows is insecure by design. Therefore, there are windows exploits. Unix, Linux, and MacOS X were designed with multi-user security in mind from the beginning; they are more secure than Windows.
  • by nacturation (646836) <nacturation.gmail@com> on Tuesday February 08, 2005 @12:40PM (#11607156) Journal
    It would be interesting to see a permission based system for this...maybe even registering approved plugins with a crypto signature/hash.

    You mean like the way Microsoft handles signed vs. unsigned ActiveX? ;-)
  • by beef curtains (792692) on Tuesday February 08, 2005 @12:41PM (#11607170)
    Nevertheless, Stiennon also indicated the creators, maintainers, and even users of Firefox will quickly and aggressively step up their anti-spyware efforts along with the increased threat. "The people who use Firefox -- their reaction to any spyware-type attacks will be pretty vehement," he said. "There'll be fast reaction from both Firefox developers and users."

    I think this part sums up the beauty of Firefox, and the reason why I don't think this is any sort of cause for alarm:

    There is a whole community of brilliant frickin' people out there who have taken a personal interest in making sure Mozilla products are secure & as bug-free as possible. I don't think it would be an exaggeration to say that they might look at Firefox as "their baby."

    More importantly, some of these individuals are well-versed with the shadier aspects of software...so I predict Firefox security holes being patched as quickly as they're found.

    Not only that, but I don't see many Firefox users (especially not those that have used it since its early days) taking spyware/adware lightly...turning the other cheek or throwing hands up in frustration don't seem to be personality traits of bastards like us ;)
  • Re:I doubt it ... (Score:3, Insightful)

    by bano (410) on Tuesday February 08, 2005 @12:42PM (#11607178) Homepage Journal
    While the spyware makers may initially try to target Firefox... the fact is, Firefox is written to prevent just these sort of things. Is it possible there will be bugs that allow unauthorized code to run? Yeah... but they will be patched, and patche quickly.


    But getting users to actually run the patch is a problem, wether it be IE, Windows, Firefox, Fedora, or Solaris.
    The problem is most users dont patch unless they have a specific problem that warrents a patch. I think that more things need to nag when patches are needed. A little icon in firefox is not going to make my grandma install the latest patch for x-expolit. How this can be accomplished is proably against the views of the OSS community, but software needs to check it self(call home), and report vividly to the user that it needs updating.
  • Re:YES. (Score:5, Insightful)

    by arkanes (521690) <arkanes&gmail,com> on Tuesday February 08, 2005 @12:44PM (#11607208) Homepage
    Nonsense. The security of Firefox *has* been tested, and in fact holes have been found, and patched. To date, it has handled itself far better than IE has. For example, when malicious XPIs appeared, it was realized that the installation procedure was far too lenient and a new, superior, method was put into place within a single release (about a month, as I recall). IE has been plagued by the same category of bugs since the inception of ActiveX, and hasn't done a damn thing.

    Firefox doesn't rely on security through obscurity. It relies on security through process and architectural improvements, the same way anything should. Nobody has made any claims of perfection, simple of a superior process and architecture coupled with a much faster response time. So far, that has proven to be true.

  • same old story... (Score:3, Insightful)

    by l3v1 (787564) on Tuesday February 08, 2005 @12:44PM (#11607210)
    ...same old argument: spyware experts indicate that with its increased popularity, Firefox itself will become a target Like when they say Unix/Linux is just as insecure as anything else, it just doesn't have a large enough userbase for viruses/trojans/spyware/whatever to be fashionable.

    I don't doubt snippets written to exploit Firefox's vulnerabilities will pop up, eventually in larger numbers. But that does not make the above argumentation any more valid, nor any less stupid. And we've been trhough argumentations about that, so I'll just skip that one.

  • Re:"Expert"? (Score:3, Insightful)

    by Mr.Ned (79679) on Tuesday February 08, 2005 @12:45PM (#11607224)
    "Their expert is the Vice President of Threat Research at Webroot. That much is from the article. The article doesn't take the next logical step, however, and point out that Webroot is in the business of developing and selling software to prevent, detect and eleminate spyware. So it's certainly in this guy's interest for people to think that spyware is still a problem."

    At the same time, to be fair, his current position _is_ researching spyware - it is likely that he has a good understanding of it.

    What kind of source would be an "independent third party" that would be reliable? Clearly, Firefox and anti-virus/anti-spyware are out - where does that leave us when looking for an authority on the subject of spyware in Firefox? That isn't a rhetoric question; I'm not sure where I'd go if I wanted to back up my own observations with an authoritative source.
  • by altstadt (125250) on Tuesday February 08, 2005 @12:46PM (#11607235)

    The loophole here is that people will only see those reviews once, just before they install the extension. A year goes by and everybody hits the software update button which just goes ahead and installs the new stuff. Instant malware.

    I'm not saying this will happen, but it could. Hopefully the developers figure out a defence for this before it does, such as popping up tabs with the lastest reviews of the extensions Firefox wants to upgrade.

  • Re:It's possible (Score:2, Insightful)

    by bano (410) on Tuesday February 08, 2005 @12:47PM (#11607240) Homepage Journal
    Stats from your personal blog or whatever don't report an accurate display of browser dispersion.
    Since mostlikely your site is a geek related site, sure there will be more firefox and mozilla users, geeks are more likely to use them. We need to see stats from non-technical sites cnn.com, expedia.com, etc... to see the real trend.

  • by Anonymous Coward on Tuesday February 08, 2005 @12:48PM (#11607260)
    ..isn't the malware authors. It isn't the browser authors. It's the web designers.

    Sorry, but it is. The direction is toward more whiz-bang on pages. Flash. Shockwave. More stuff that makes people say "ooh...pretty."

    And it all runs off of plugins. So users get used to seeing popups for "hey, this needs a plugin to run. Click here to get it" or warning messages "hey, this site is trying to run scripts. You OK with that?" And they get numb to it.

    Sure, a more secure and harder-to-exploit-without-explicit-consent browser is a good thing. But until people stop writing pages that REQUIRE you to run code locally to view them, there will be exploits. The users are always the weak point--this is why e-mail viruses continue to exist.

    And until page authors start toning down the whiz-bang stuff, users will continue to "get used to" these warnings and either turn them off because they're annoying, or simply click "OK" without reading them.
  • Re:Duh. (Score:1, Insightful)

    by Anonymous Coward on Tuesday February 08, 2005 @12:48PM (#11607262)
    not necesarily FUD. sure they'd be targetting it, but i'm with you, they probably wouldn't get very far.

    plus if things got really bad, you could run your browser in a chroot jail. can anything even similar be done in windows?
  • by Zeinfeld (263942) on Tuesday February 08, 2005 @12:49PM (#11607271) Homepage
    For you and I, I'd say that exploits are the issue...but in my experience, most average users don't get a malware infestation via browser exploits (mainly because when you and I see the words Gator or Newnet, we say hell no). They simply click "yes" when asked if they'd like to install a piece of software. I don't know if the mentality is "yeah I want more functionality" or "yeah yeah, just show me the damn webpage!".

    There is a bug in the original IE authenticode interface (fixed in XP SP2) that allows a site to repeatedly present the user with the download dialogue.

    The real problem here is that the idiot who invented Javascript thought that the creator of the page should gain complete control over the user's Web browser. Its an interactive TV model, the content provider controls the user experience completely. Netscape did this because they were paid by the big media companies to do so. Microsoft made a big mistake in following suit.

  • by hab136 (30884) on Tuesday February 08, 2005 @12:49PM (#11607276) Journal
    What's the reasoning behind your guess? The old argument that simply because the open-source community has more coders, they're bound to fix problems more quickly and get it right the first time?

    That and OSS has coders that aren't being hamstrung by marketing weasels. If something is awesome, but would take too long to develop ("cost too much"), an OSS developer can still do it if he wants.

    What guarantee do we have that the people looking at the code are even qualified to review? What insurance do we have against their work if it goes wrong?

    None, same as closed source developers. No company will pay you, either voluntarily or in a lawsuit, for bugs in their code; neither will OSS. Read your EULAs.

    Who's accountable?

    Nobody, same as closed source developers. Both have reputations to uphold, but commercial developers only care about their reputation as a means to profit. If they can make money without bothering to have a good reputation, they will.

    One advantage is that OSS developers have a reputation they would like to uphold. If they write crappy/insecure code, people stop using their code. Closed source developers will often say "well, it works, and it sells, so.." and let the developer stay on, making more bugs.

  • by hackstraw (262471) * on Tuesday February 08, 2005 @12:51PM (#11607298)
    I hate to be an "I told you so", but I could have predicted that XPI would be the first line of attack for people when I first heard of it.

    Why can't a browser simply be a browser anymore?

    All it needs to do is render html, optionally show pictures, and supply widgets for forms.

    That is it.
  • by lurker4hire (449306) on Tuesday February 08, 2005 @12:52PM (#11607306) Homepage
    But for spyware writers to care, wouldn't the browser need a market share of 50% or more.

    I don't think so, I think even a relatively small, but noticable and increasing, percentage of web share would be sufficent for spyware manufacturers to attack firefox.

    For one, they want to ensure their product (and I use the term loosely) is on as many computers as possible. For two if they could successfully make firefox a vehicle for their crap for the average user, then one of the major incentives for switching to firefox would be lessened, and they'd maybe keep as many users as possible on IE where it's so much easier to infect them.

    l4h

  • by Misch (158807) on Tuesday February 08, 2005 @12:53PM (#11607312) Homepage
    Microsoft IIS seems to have about a 28% market share right now [netcraft.com]... yet people still write viruses for it.
  • Re:...and.... (Score:3, Insightful)

    by gbjbaanb (229885) on Tuesday February 08, 2005 @12:57PM (#11607372)
    It won't be Firefox's fault, but it will be the FF community's fault.

    Read some of the other posts on this thread, they're all going on about how FF can't be affected because it was 'designed from the ground up to be more secure', and 'there is inbuilt protection from viruses', and 'the developers would release a patch way quicker than microsoft'.

    The advert telling people to get FF claimed it was more secure. So when people (deliberatly)install their IM smiley-banner-weather-forecast-search-toolbar extension for FF, and start seeing popup adverts... they'll say 'but you told me FF was more secure and this couldn't happen' and think 'FF is just as bad as IE'.

    The answer - get some mature, sensible, reasoned information out there, and not the F/OSS fanboy rubbish spouted off by those karma whores who havn't even read the article.
  • by hkmwbz (531650) on Tuesday February 08, 2005 @01:00PM (#11607417) Journal
    "Sure, but people just don't think along these lines when they aquire a browser. Do you? Personally, I would rather use the best browser for my purposes, and I think most people would."
    Yes, but Firefox doesn't cover everyone's needs. And just trust me on that. There's a lot of focus on Firefox right now. Fine. But let's not forget that there are other browsers, and they do something better than Firefox. Firefox is not perfect.
    "Your example is a portrait of a perfect world avoiding spyware, malware etc., but what about standards? Surely you would now have to make sure your webpage displays well in four different browsers, which results in a lot more testing. Yes, I know - you should code to standards, but browsers will always have their little quirks, and so you still need to do testing."
    Very true, but in such a world, the browsers would probably be more aligned. The problem is that Microsoft have been doing everything their way for so long. But standards compliant browsers generally do the same things.
  • Re:Duh. (Score:3, Insightful)

    by bonch (38532) on Tuesday February 08, 2005 @01:15PM (#11607642)
    First thing--I disagree with the tactic of calling anything one disagrees with "FUD." If there was ever an overused term around here, that one would be it.

    Second, Linux would most definitely have exploits galore. We've already seen outright kernel exploits and holes in the 2.6 series of kernels. I don't know about you, but I don't even remember there being a Windows security flaw that used the kernel. Go to LinuxSecurity [linuxsecurity.com] and witness the stream of security advisories that are announced for each Linux distro, much more than the Windows patches we get on the second Tuesday of each month. These advisories very rarely make Slashdot front page news.

    And no, it's not an unfair comparison to put a Linux distro and a Windows install on the same level. Just because the Linux distro ships with more software doesn't matter. If someone buys Mandrake, uses the software it came with, and then gets exploited, that is an exploit of the Mandrake software distribution that they bought with their distro.

    People like to compare a single kernel to the entire Windows operating system, and in the next breath argue about how Linux is "just a kernel." So it's all the more amusing when some people argue that there's a difference between a Linux distro and Windows. There's not.

    On a *nix based system, wiping out the home directory would usually fix you right up.

    Bollocks. The UNIX "filesystem standard" fragments things way more than Windows does. With Windows, you know a few places to look for a malicious program to get rid of it--\Windows, \Windows\System, \Program Files, and so on. There aren't a lot of places. Linux, on the other hand? Where do you look? /usr, /usr/bin/, /usr/shared/bin, /usr/local, /usr/local/bin, /opt/bin, /opt/local/bin...and that's just the executable, not even getting into whatever configuration files it might have left which could be in /etc, a .directory in ~, and so on. Thankfully, most Linux users don't run as root, but there are still PLENTY of ways a program can exploit someone without needing root access. If Linux was #1, we'd see all kinds of crap getting installed on people's Linux systems, and you'd have fun exploring the entire UNIX filesystem hierarchy fishing it out, possibly even dealing with self-propagating shell scripts to keep moving it around. Fun for everyone.

    Believe me, malicious software writers would find a way you haven't thought of to screw people. That's what they do.
  • by Mr_Matt (225037) on Tuesday February 08, 2005 @01:25PM (#11607790)
    It's *rare* that I talk to ACs, especially ones who present themselves as asshat blowhards as you've done repeatedly (here and to the two responses to your 'question'.) But I s'pose it's fun to stir the poo sometimes, and you definitely count.

    Anecdotally, I don't have security issues with my Windows boxes when I use Firefox. When my wife uses IE, I find myself removing spyware. For me, in my experience, Firefox is more secure. You may write that off as a niche user in a niche market, but fuck you anyways, AC.

    As far as other people, STFW - there's plenty of other people reviewing the ways and means which make Firefox less exploitable than IE. Type 'Firefox IE more secure' into Google and see which way the order comes out on your links. I know you won't, since you're just trolling, but maybe somebody reading this will and learn something.

    Back under the bridge with you, then.
  • Re:Duh. (Score:3, Insightful)

    by n0-0p (325773) on Tuesday February 08, 2005 @01:32PM (#11607903)
    Well, I had mod points to use, but I thought your comment merits an explanation rather than modding you down, so here goes. In Windows (2K, XP), if you are running as a normal (non-admin) user, then deleting the users profile should always remove any spyware infection. In fact, due to the way most spyware is written it will not even be able to infect your system if you are not running as an admin. I suppose there could be exceptions that take advantage of escalation exploits, but I have yet to see one. The root of the problem is that most people don't even know it's possible to not log in as administrator. The inherent advantage on a un*x system is that account and privilege separation is ingrained into the mind of the operator and the design of the system. Any un*x user with the smallest clue does not run regularly as root and is suspicious of anything that requires root privilege. The modern (not 9x based) Windows OS's all support this functionality also, but you really have to be an experienced admin to run a system this way. This is without question a deficiency not in the base OS, but in the policies of software developers (MS is very much included). Simply put, as long as the user browses the web at the same privilege they install software, these kinds of infections will continue. This is regardless of your browser.
  • by pitdingo (649676) on Tuesday February 08, 2005 @01:35PM (#11607945)
    You do not seem to understand the point. The point is firefox is secure by default. People have to go out of their way to make it insecure. IE, by default, is insecure and you have to go out of your way to make it more secure.

    The majority of people simply use the browser as is and do not go out of there way to change the settings. IE can be made somewhat secure by going out of your way to lock it down, but this is beyond most peoples ability.

    Security is an after thought in IE. Security is the first thought in Firefox. That is the difference.

  • by jht (5006) on Tuesday February 08, 2005 @01:40PM (#11608005) Homepage Journal
    Sure, Firefox will be attacked. But the implications of a successful attack are much less likely to disrupt the whole system - Firefox is a self-contained application with pretty good controls for avoiding non-trusted XPIs from being installed. IE is really just the front-end for a whole series of system-level tools that are, for better or for worse, completely linked in to the OS itself.

    So the consequences of an IE exploit are typically far worse than the consequences of a Firefox exploit. This is just how it works with modular applications instead of system-level everything.

    Of course, if you run ActiveX within Firefox, all bets are off...
  • by Anonymous Coward on Tuesday February 08, 2005 @01:48PM (#11608124)
    I could download something off of a P2P that, when I ran it, would find my Firefox profile folder, install the malware files, and modify my configuration files directly to turn it on. The uesr would never know, especially if it gave itself an innocent looking name in the Extensions list.

    You could also download something from a P2P network that replaced your Firefox shortcut with one to a batch file that contained the command "echo y | del c:\* /f /s /q". Would you call that a Firefox vulnerability as well?
  • by uradu (10768) on Tuesday February 08, 2005 @01:53PM (#11608205)
    And how is that a Firefox problem? You can download and execute any old crap, and whose fault is it other than your own? The point is whether the browser allows sites to push executable content to your machine without your knowledge.
  • by Mant (578427) on Tuesday February 08, 2005 @01:58PM (#11608286) Homepage

    I find it's the cumulative effects of lots of XPI extensions that really make browsing with FireFox enjoyable.

    I use adblock, the Sage RSS reader, Spellbound spell checker, GMail notifier and FoxyTunes.

    If all it did was what you suggest, may as well go back to Mosaic. I really enjoy the customisations I can do to get the browser I want.

    I also develop web sites for a living. The reason we have ActiveX, Java, Flash, Javascript, DHTML it because it needs to do more than render HTML.

    The fact is that for some things successful and useful website use this stuff, and need to use this stuff to give a good user experience. They are, of course, also horribly abused no doubt about it. Trade off for a more useful web. If you don't think it's worth it, you can run FireFox without any plugins, or a text only browser.

    I'll be off enjoying the web, and being careful what I install.

  • Re:Bring it On (Score:1, Insightful)

    by rho (6063) on Tuesday February 08, 2005 @02:23PM (#11608583) Homepage Journal
    Your grasp of asymmetrical warfare is staggering in its naivete.

    Muslim terrorists are not fighting the Great Satan because of Levis jeans and MTV and American imperialism. They are fighting to establish a worldwide caliphate under Islamic law, through coercive force, using asymmetrical tactics that target civilians with the intent of scaring them into compliance.

    i.e., a bully. And it works, too, at least on silly liberals with Pollyanna views of the world and who take terrorists at their word when they claim that it's American imperialism that makes them strap bombs to retarded kids.

  • by Abcd1234 (188840) on Tuesday February 08, 2005 @02:24PM (#11608592) Homepage
    Too bad an XPI can't be installed without direct use intervention, eh? Kinda defeats the purpose of spyware. Of course, that doesn't guard against social engineering, but it significantly reduces the problem...
  • by ptlis (772434) on Tuesday February 08, 2005 @02:31PM (#11608693) Homepage
    The Mozilla and Microsoft web browsers are both guilty of noncompliance with web standards. Any time any code works in one browser but not the other, regardless of how simple or complex the code, it's an example of one of the browsers either not supporting it's supposed to or supporting something unnecessary.

    I'd disagree, I am not saying that Mozilla support 100% perfectly the w3c's standards, but then they are constantly working towards supporting as much of it as reasonably possible (some of the more esoteric areas of the CSS specification will probably never be fully supported). Microsoft OTOH had pretty much just left IE to rot until relatively recently (infact their main motivation for modernising it seems to be the rise of FireFox), but even when IE7 is released it will only be made available to either >Longhorn or >XP users (I don't recall which).

    To some extent, proprietary or extra code support is a good thing, [...]

    I strongly disagree, for the end user propriatary extensions to the HTML/XHTML specifications are not a good thing, it means they're restricted to viewing a site on a particular browser which is unnecessarily taking choice away from them.

    [...] but it also means that people will continue to use it if they use that browser, forcing others to be unable to view content properly.

    I'm not sure what you're trying to say...

    If Mozilla and Microsoft can just agree to develop their browsers to display the exact same code and let their differences be in interface, options, security, etc... then we would have an effective and worthwhile browser war.

    I assume you're referring about agreeing to work off a single specification telling them what markup and such to support... this is the goal of the w3c [w3c.org] is, and they've got many specifications which browsers are supposed to aim to follow. The Mozilla team seem to be trying to follow these specifications but Microsoft seem content to just do their own thing and/or only do a half-arsed implementation of certain specifications.

  • I've been trying to tell people this for years. Whatever browser is the most popular will have the most software attack it. Same with your operating system.
  • Re:Spy vs Spy (Score:1, Insightful)

    by Anonymous Coward on Tuesday February 08, 2005 @02:40PM (#11608800)
    Congratulations, you've reinvented tripwire :)

    Granted, I don't personally know of a Windows port of it, but that doesn't mean anything...
  • by altstadt (125250) on Tuesday February 08, 2005 @02:44PM (#11608852)

    No. The updates are fetched based on what is installed...it won't go hit some random (malware) site looking for an update.

    I install Firefox and Thunderbird on other people's computers via CD. I install a collection of extensions from the same CD. Not all of them are from updates.mozilla.org. The update process seems to quite happily go to these other sites.

    Or are you saying the author of the extension will deliberately trojan it down the road?

    That was exactly what I was thinking. What happens if the author of some popular extension, say Adblock, gets an offer he can't refuse from the "Russian spam mob"? I know what I would do if I was offered the choice of losing my knees or gaining a wad of cash.

    Well, there is nothing you can do about that with any software. If Intuit wanted to bundle spyware into Quicken, you would get that with your Quicken updates too.

    Doesn't that happen with Quicken already? :-)

    Seriously though, coupling this loophole with some level of social engineering could be a problem. I kind of like the idea of the update process opening up the authoritative extension source (preferably some semi-trusted third party like updates.mozilla.org) in a tab, and adding a button to the bottom of the page that you have to click to accept the update. Of course this still wouldn't help the clicky-clicky types.

  • Re:Bring it On (Score:1, Insightful)

    by bonch (38532) on Tuesday February 08, 2005 @03:14PM (#11609218)
    In my experience, people who claim such things--that evil American culture is to blame--are just projecting their own trendy counterculturalism onto others. It makes people feel intellectual and clever to criticize mainstream society.

    That's why they can defend certain Islamic societies that brutalize women and employ extreme conservative governments, all the while "standing up" for women's rights and liberalism in America. The contradiction in values always confused me until I realized why they did it. It's another way to "go against the grain" and feel enlightened.

    Doesn't apply to everybody, but I'd say a good portion.
  • Re:Bring it On (Score:4, Insightful)

    by valkraider (611225) on Tuesday February 08, 2005 @04:10PM (#11609975) Journal
    Who said anything about Levis and MTV? I never said that it was our "culture" that the terrorists are opposed to.

    It is not our culture, but rather our FOREIGN POLICY.

    Our government propping up leaders and overthrowing elected governments and things like that, ALL OVER THE WORLD, is what has caused Terrorism to flourish.

    Ask ourselves these simple questions: Why Did Osama Bin Laden switch sides? What caused him to stop working FOR the United States and start working Against it? Where did Iraq get all the weapons that they are now shooting at our sons and daughters? Why are people starving in Cuba but Castro is doing fine? Why did we really oust the Taliban from Afghanistan? Do people in other cultures really *want* democracy forced on them?

    Generally attacks come to places that have American interests or places that help American interests. But also, there is one thing people seem to overlook - How come no one hates Canada (besides Canadians...)? How come no one burns Swiss flags in protest?

    The United States government has a long history of meddling and pushing. Both Republican and Democrat. We have pushed with Military Might. We have meddled with covert actions. We have coerced with financial influence. That is why we are targets for Terrorism.

    They don't "hate our freedom and liberty" - they hate our government. And they see the American people who continue to support the governments policies, and who pay tax dollars to fund those policies - as enemy combattants.

    The Levis and MTV are just icing on the cake. Just one more reason for them to hate us.

    People in the USA are just as guilty of religious fundamentalism, and just as guilty of killing in the name of religion. More people have been killed in the name of Christianity than any other single cause. People resent that over time...
  • Re:Spy vs Spy (Score:3, Insightful)

    by hobo2k (626482) on Tuesday February 08, 2005 @04:41PM (#11610458) Journal
    System file protection is a joke. It is just a defense against poorly written, but well intended, installers. If you can modify kernel32.dll you can easily make the same change to the two backup copies before SFP gets around to restoring it.

"A mind is a terrible thing to have leaking out your ears." -- The League of Sadistic Telepaths

Working...