Mozilla Developers Respond to Malware
An anonymous reader writes "Last week's well-publicised (and quickly fixed) security hole in Mozilla, Firefox and Thunderbird reminded the Slashdot faithful that Mozilla is not invincible and that it is now big enough for malware (virus and spyware) authors to target. MozillaZine has a short article on this topic, looking at the rise in attacks aimed at Mozilla and how the developers are responding."
not so fast of a fix (Score:3, Informative)
Re:not so fast of a fix (Score:5, Informative)
Re:not so fast of a fix (Score:5, Informative)
The original poster was right, and your uninformed bash at his comment caused the truth to be modded down. Maybe he doesn't like Microsoft, but even paranoid people get it right sometimes.
You may want to read this interesting article [infoworld.com]. In it, you'll find that this "shell bug" he's talking about is exactly what the Mozilla bug was, and that it also affects Word and MSN Messenger.
Sorry to burst your bubble. And technically MS didn't fix it yet, they just disabled ADODB.Stream until they do.
Re:not so fast of a fix (Score:3, Informative)
Not really.
A report had been out for a while detailing some improvements that could have prevented that vulnerability. However, the bug itself wasn't exploited until one day before the patch was released.
Re:not so fast of a fix (Score:3, Informative)
The fix was also not easy to find. It was not (and still isn't) listed on the firefox homepage.
Re:not so fast of a fix (Score:3, Informative)
FireFox:
http://ftp.mozilla.org/pub/mozilla.org/firefox/releases/0.9.2/shellblock.xpi [mozilla.org]
Mozilla:
http://ftp.mozilla.org/pub/mozilla.org/mozilla/releases/mozilla1.7.1/shellblock.xpi [mozilla.org]
Re:not so fast of a fix (Score:5, Informative)
First of all, it wasn't a bug at all, it was a problem in Windows' URI handler. Mozilla merely redirected unknown URIs to this handler as it was expected. The "bug" the OP mentions was a discussion about whether this feature was safe or not.
When it turned out that it wasn't safe, the Mozilla team was very quick to solve it.
Very simple solution by the way, just turn the redirect off... now the user has to explicitly consent with this action instead of automagical launching of apps.
By the way, this feature was a MS one, not Mozilla's idea. Recent bugs in the MS product family are actually the same. Just an exploit of the URI handling of Windows.
Re:not so fast of a fix (Score:5, Informative)
Since Mozilla doesn't like people on Slashdot being able to trash-talk their browser by linking to bug reports, you'll have to copy the links to actually visit them, but:
2002-08-20 - http://bugzilla.mozilla.org/show_bug.cgi?id=163767 - root of all these bugs, Mozilla passes unknown protocols to Windows
2002-08-20 - http://bugzilla.mozilla.org/show_bug.cgi?id=163648 - same bug, specifically could launch IE and allow the execution of VBScript (possibly in the local security zone)
2002-10-03 - http://bugzilla.mozilla.org/show_bug.cgi?id=172498 - same bug, hcp: protocol could delete any file on your computer (wildcards allowed)
2002-10-07 - http://bugzilla.mozilla.org/show_bug.cgi?id=173010 - requested a whitelist to avoid future instances of the same bug
This bug has been known about for two years. It still hasn't been fixed. When SP2 adds the "delete:" protocol or similar, then Mozilla is going to be vulnerable to that, too. And it looks like the developers have decided not to bother fixing it.
This isn't a triumph of open source - it's an example of how open source falls prey to exactly the same problems closed source does. Except publicly, so you can point to these discussions to demonstrate that they knew about the issues for two years.
Re:not so fast of a fix (Score:3, Informative)
Re:not so fast of a fix (Score:5, Informative)
The specific shell: protocol was pointed out as maybe dangerous one day before it was fixed (with just a configuration change, because that framework was already there).
Very quickly fixed.
Re:not so fast of a fix (Score:5, Insightful)
The 'bug report' opened at Mozilla in 2002 was essentially trying to deal with the way Mozilla handles unknown protocols. The normal way was just to pass them to the OS.
E.g. since aim: isn't recognized by Mozilla, an aim: link would be passed to the OS, and if you had AOL IM installed, it would have registered to handle that protocol. (Often used to install a new "buddy icon.")
I believe Mozilla is now going to allow you to let certain protocols through, instead of allowing all.
So it's QUITE a stretch to say that this exploit bug we're talking about is (a) in mozilla, and (b) around since 2002.
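The behaviour the two posts above describe (unknown schemes handed straight to the OS, then replaced by a per-scheme policy with explicit user consent), written out as an added illustration; this is constructed example code, not Mozilla's, and the policy table, its "allow"/"ask"/"block" values and the sample links are assumptions for the demonstration.

```python
"""Default-deny dispatch of URI schemes to OS-registered protocol handlers.

Constructed illustration of the behaviour discussed in the thread: a browser
renders the schemes it knows itself; anything else used to be handed to the
operating system unconditionally.  The fix described is a per-scheme policy
with explicit user consent for anything not already trusted.
"""
import re
from typing import Callable, Dict, List, Optional, Tuple

# Schemes the browser implements itself; these never reach an OS handler.
INTERNAL_SCHEMES = {"http", "https", "ftp", "file", "about"}

# Per-scheme policy for external handlers (constructed names, not real
# Mozilla prefs).  "allow": hand to the OS silently; "ask": only with the
# user's explicit consent; "block": never.  Unlisted schemes get the default.
EXTERNAL_POLICY: Dict[str, str] = {
    "mailto": "allow",
    "aim": "ask",
    "shell": "block",
}
EXTERNAL_DEFAULT = "ask"   # the pre-fix behaviour amounts to "allow"

# RFC 3986 scheme: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) followed by ":".
_SCHEME_RE = re.compile(r"([A-Za-z][A-Za-z0-9+.\-]*):")
_LEADING_JUNK = "".join(chr(c) for c in range(0x21))   # C0 controls and space


def scheme_of(uri: str) -> Optional[str]:
    """Return the lower-cased scheme of `uri`, or None if it has none.

    Leading control characters and spaces are stripped first, as browsers
    do, so "  SHELL:x" is recognised as the shell scheme rather than being
    mistaken for a relative, scheme-less reference.
    """
    match = _SCHEME_RE.match(uri.lstrip(_LEADING_JUNK))
    return match.group(1).lower() if match else None


Decision = Tuple[str, Optional[str]]   # ("internal"|"external"|"blocked", scheme)


def dispatch(uri: str,
             policy: Dict[str, str] = EXTERNAL_POLICY,
             default: str = EXTERNAL_DEFAULT,
             consent: Callable[[str, str], bool] = lambda scheme, uri: False,
             ) -> Decision:
    """Decide how a link should be handled.

    `consent` stands in for the confirmation dialog: it is consulted only
    for schemes whose policy is "ask", and a "block" entry wins even when
    the user would say yes.
    """
    scheme = scheme_of(uri)
    if scheme is None or scheme in INTERNAL_SCHEMES:
        return ("internal", scheme)      # resolved and rendered by the browser
    rule = policy.get(scheme, default)
    if rule == "allow":
        return ("external", scheme)
    if rule == "ask" and consent(scheme, uri):
        return ("external", scheme)
    return ("blocked", scheme)


def triage(links: List[str], **kwargs) -> Dict[str, List[str]]:
    """Group a page's links by decision, e.g. to log what a page tried to launch."""
    out: Dict[str, List[str]] = {"internal": [], "external": [], "blocked": []}
    for link in links:
        verdict, _ = dispatch(link, **kwargs)
        out[verdict].append(link)
    return out


if __name__ == "__main__":
    # Constructed sample links, including the spacing and case tricks a
    # parser must normalise before the policy lookup.
    SAMPLE_LINKS = [
        "http://www.mozilla.org/",
        "/relative/page.html",
        "mailto:someone@example.com",
        "aim:goim?screenname=example",
        "  SHELL:constructed-example",
        "xyz:never-registered",
    ]
    print("new (default-deny):", triage(SAMPLE_LINKS))
    print("old (pass-through):", triage(SAMPLE_LINKS, policy={}, default="allow"))
```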
Re:not so fast of a fix (Score:3, Informative)
Did you even read the bug report? The link is:
http://bugzilla.mozilla.org/show_bug.cgi?id=167 4 75 (you have to copy/paste and strip out the extra space, they disable links from /.)
Look at comment #11, which links to a duplicate bug. It was known in October of 2002 that it was possible for certain HTML to launch code locally. Yes, t
I'd still rather (Score:2, Interesting)
Re:I'd still rather (Score:3, Insightful)
Re:I'd still rather (Score:5, Funny)
Re:I'd still rather (Score:2)
Re:I'd still rather (Score:4, Insightful)
As opposed to people massively using names like "Lunix" or "open sores"?
I've... never seen anything like that used here on Slashdot. Not ever.
That's not saying it hasn't been, but it's sure a hell of a lot less common.
As long as those MS zealots don't disappear, expect names like "M$".
Wouldn't you rather be the bigger person?
Personally, I'd rather have intelligent discussion about the strong and weak points of various OS/software/languages/etc. here than stupid name calling. Maybe it's just my own prejudices, but when I see a post with that kind of crap, I assume I'm as likely to get reasonable discourse out of the post as I am to get a fair and balanced opinion about non-Caucasians from a member of the KKK. I skip to the next post.
(I also assume the poster lives in their parents' basement and has never touched a real girl, but I keep that to myself. That'd be unfair and non-constructive name-calling, too.)
Re:I'd still rather (Score:3, Funny)
"Wouldn't you rather be the bigger person?"
Nope. Too many years of sitting in front of a computer all day have already made me the "bigger person".
Re:I'd still rather (Score:2)
Re:I'd still rather (Score:3, Interesting)
I'd like to see Mozilla products increase in popularity and press coverage, so we can have something substantial to point to to say "that is how well OSS can work."
Re:I'd still rather (Score:4, Funny)
oh, you mean those guys who couldn't figure out a resolution to a link being sent via an AIM message that had a virus in it. Instead of blocking that URL on the proxy, they instead chose to ban AIM for a week. Or the same IT staff that responds to my solutions with "I have an MCSE, and I know you can't do that". Although never mind that I have real world exp. Or that prior to my programming position I ran an office 4 times this size. The same IT department that can't keep Exchange running for more than 7 hours without a reboot in the last 1 and 1/2 years.
Yeah, those guys know what's best.
Oh yeah, the same IT department that recommends we only use IE.
Why don't I work in IT? Because I get paid more, that's why.
Mozilla "innovation" reaches new low? (Score:5, Insightful)
I'm quite happy to see that the Mozilla team is pro-active in fixing the bugs that could allow MalWare to install unchecked.
Yet, a base Mozilla 1.7 downloaded right after release will have this issue for a very long time. This situation is worse, in one big way, than the Internet Explorer issues; Mozilla users 'feel' safe. Non-techies that use Mozilla assume it's 'safe' because a geek once told them that this is the case.
I've been an Open Source supporter for quite a long while, but the days of relative desktop safety for F/OSS cross-over users are coming to a close.
And, I'm probably not the only one who "shivers", when reading, "... almost a carbon copy of the new Internet Explorer Information Bar ..."
There's no way to defend that.
Mozilla turning into "Carbon Copy" of IE (Score:2, Interesting)
Re:Mozilla "innovation" reaches new low? (Score:5, Funny)
For such users, they need to be taught that there is no such thing as truly "safe" browsing. The only "safe" choice is abstinence.
*then watch as they slip a condom over their mouse and hope for the best*
Re:Mozilla "innovation" reaches new low? (Score:4, Funny)
then watch as they slip a condom over their mouse and hope for the best
Which reminds me of some medical training I've received. What are the three major kinds of shock? (I know there must be more, but follow)
Re:Mozilla "innovation" reaches new low? (Score:3, Funny)
Re:Mozilla "innovation" reaches new low? (Score:4, Insightful)
Re:Mozilla "innovation" reaches new low? (Score:5, Insightful)
Ignorant developers (Score:5, Interesting)
IMHO, desktops (GNOME, KDE) are crossing the line and even X itself has some "features" that may lead to exploits if developers aren't careful - remember the window manager is just a program that can actually control other programs on the machine. No application should ever tell another what to do based on untrusted data, that's reserved for the user (clicking a link doesn't count as approval - the link may not do what it claims).
When you add a feature, consider what a criminal might use it for and who the burden will land on to prevent it. With shell: the burden lands on any application you might possibly launch and that's just unacceptable. With a window manager, consider that I may want to offer my display server to some untrusted application (airline reservation system) running on a remote machine - great possibilities and a great security risk. Because so much is accessible through X we don't use it that way.
I'm rambling now trying to gather too many thoughts in too little time.
Re:Mozilla "innovation" reaches new low? (Score:3, Insightful)
The Mozilla team isn't proactive on security issues. The dangers of Windows URL schemes have been known to the Mozilla team since mid-2002:
http://bugzilla.mozilla.org/show_bug.cgi?id=163767 [mozilla.org]
If they had implemented a whitelist of known-good URL schemes back then, it would have been a proactive security measure. Fixing things after they have been announced on some mailing list (
Re:Mozilla "innovation" reaches new low? (Score:3, Insightful)
And it would have broken a large number of programs. What's your point?
Re:Mozilla "innovation" reaches new low? (Score:3, Informative)
I have a response to your leaving F/OSS in my Journal [slashdot.org]
I invite anybody to read and reply to it.
--
I would like to also point out that this is also a case of "his issue, not mine", that has been the bane of all software (and much hardware) in both Open and Proprietary shops since the Epoch.
This issue is a vulnerability in a Microsoft technology, that just happens to - also - be accessible through Mozilla. Some people chose to ignore this issue simply because they believed that Microsoft would fix th
Re:Mozilla "innovation" reaches new low? (Score:5, Insightful)
The Mozilla team isn't proactive on security issues. The dangers of Windows URL schemes have been known to the Mozilla team since mid-2002
I said last time around that if I heard this comment one more time I would scream, and, well, I just scared my poor dog. Who the heck is this "Mozilla team" you are insulting? Last time I checked, Mozilla source code was readily available to you. Patch it. Done. If someone "official" doesn't want to include it in the nightly build, too bad. Put up a little website at geocities.com/securemozilla and post a message on your geek board of choice.
Such is the burden of open source. You can't complain about the coding choice of another person if you are lazy and/or stupid. I don't see it as a failure of the Mozilla team, but a failure of Windows users who were too lame to fix it themselves.
Re:Mozilla "innovation" reaches new low? (Score:5, Insightful)
This whole incident is a huge black-eye for Open Source's theory of many eyes. The eyes saw. The fingers fixed. The brain ignored.
PS: I am still an open source advocate and I still believe in the many-eyes theory of security, but this incident shows that we cannot be absolutely confident in that theory producing better results than proprietary solutions.
Re:Mozilla "innovation" reaches new low? (Score:5, Insightful)
Non-techies using IE, like my mother, feel safe too, just because Microsoft said it's OK. Such a big company with so many users can't be wrong, after all.
Despite the fact that her computer's gotten infected a couple of times already. Despite the fact that she refuses to do her Windows update (it takes so damn long over the modem). Despite the fact that her son (me), who works for an IT security company, has told her repeatedly not to use IE, and has made sure that she always has the latest Mozilla/FireFox and Opera installed.
On a slightly different but related topic. I am not a programmer, so this is just a guess. The same vulnerability that was discovered in Firefox and Mozilla was discovered in IE too. Would the fact that the vulnerability in Firefox and Mozilla only affected the Windows 2000/XP versions, and not the ones on other platforms, suggest that it might have been a vulnerability in Windows rather than Mozilla? Sure, preventive maintenance on Mozilla's side would prevent it from being exploited.
I just find it to be a bit like mopping the floor because the bathtub is overflowing, instead of closing the tap.
Re:Mozilla "innovation" reaches new low? (Score:2)
Also, make sure that Flash, Java, RealPlayer, and other plugins are installed. You may hate them, but your mother is going to hate you if they don't work.
Re:Mozilla "innovation" reaches new low? (Score:3, Funny)
Doh! Damn spellchecker. Yes, I meant psychological. I should really pay more attention to which spell correction I'm choosing.
Re:Mozilla "innovation" reaches new low? (Score:5, Interesting)
Yes. The flaw was that Mozilla handled the protocols it knew and passed all unknown protocols to the OS to handle. Windows was (is) all too happy to launch programs with the shell protocol.
Re:Mozilla "innovation" reaches new low? (Score:2, Informative)
No, because Firefox (and I think also Mozilla) now have a function to automatically download new versions or security fixes.
Also please note the steps one had to take to get infected by malware before the fix (whitelisting domains):
I would like to point out that this is slightly mis
Re:Mozilla "innovation" reaches new low? (Score:5, Informative)
I don't think this is true. The specific exploit in XP allows shell: protocol links to run arbitrary code if crafted properly. Mozilla was passing these links right on to the OS.
I think you are confusing this bug with the idea that people can install malware via XPI.
Re:Mozilla "innovation" reaches new low? (Score:4, Interesting)
I really don't think someone should be embarrassed to use superior ideas just because they were invented at Microsoft. Pretty shallow thinking really.
the interesting thing (Score:5, Insightful)
I think we all know that whatever is the popular software is what will be targeted, so the big difference may be how it's responded to.
Re:the interesting thing (Score:2, Insightful)
Hell - I haven't updated Mozilla on this laptop I am working on yet.
Re:the interesting thing (Score:4, Informative)
Re:the interesting thing (Score:2)
Re:the interesting thing (Score:4, Insightful)
Most mainstream people would wait for an "official" release, just like IE.
I wouldn't count the problem as "fixed" until it's "officially fixed" and available for mainstream people who don't want to beta-test software.
D
IE (Score:5, Informative)
Some microsoft products were affected also. [infoworld.com]
Re:IE (Score:5, Insightful)
And there's the rub. As was reported before, the problem with Mozilla was only on Win32 platforms. Then, it comes out that MSN IM and Word are also affected with this problem. So, truly the bug lies in Windows. Why this point isn't getting more press, I am not sure, but it really should.
Re:IE (Score:5, Insightful)
Yeah, Opera never suffers from security problems! [com.com]
Gimme a break. No fancy software is secure.
missiles (Score:5, Funny)
Quickly (Score:5, Interesting)
This coupled with the fact that moz/firefox is already more secure than IE means Moz users are not invulnerable, but we have a better chance than the IE crowd.
The solution is simple (Score:2, Interesting)
Targeting Flaws (Score:4, Interesting)
OSS vs non-OSS (Score:4, Insightful)
Re:OSS vs non-OSS (Score:3, Insightful)
However, you do have a point that Mozilla will allow us to look at the consumer/user end of things and see how this plays out.
Why should installing plugins be easy? (Score:5, Insightful)
There is a fine line between easy to use and easy to exploit. Let's not repeat the mistakes of others.
It was a Windows flaw, not a Mozilla flaw (Score:5, Insightful)
it's still partially Mozilla's responsibility (Score:3, Insightful)
The attitude Mozilla should have that they should only call library and OS interfaces on each OS that they can have a reasonable expectation to be safe and secure in practice. That is, they need to orient themselves not only based on what they think an API ought to do or how the API ought to behave, but what
Just to clear some things up... (Score:2, Interesting)
"Note that this only affects users of Mozilla and Firefox on Windows XP or Windows 2000."
Actually I think the biggest marketing achievement in the last 10 years was Microsoft convincing the public that Win2000/XP is more secure than Win9x.
Re:Just to clear some things up... (Score:2, Informative)
Re:Just to clear some things up... (Score:5, Insightful)
Are you serious? You're saying that an operating system that let anybody use it by simply selecting 'Cancel' on the login screen (if even enabled), is more secure than Windows 2000/XP. Madness.
Re:Just to clear some things up... (Score:3, Insightful)
It's also much more reliable, and on higher end systems, seems much faster than Win9x, unless you are badly starved for memory (say, less than 256MB.)
Autoupdate might be nice (Score:5, Interesting)
Hopefully the developers will be quick enough to fix it, but will users be sharp enough to get the patches? I think automatic updates for Firefox are what is needed to ensure users have less to worry about. I know myself that the patch for the shell exploit was not a simple matter of clicking search for updates, as the update program times out after 2 secs.
Firefox won't be immune to the legions of spammers, crackers, marketers and pornographers which have already begun to exploit it. With some kind of autoinstaller/updater or a faster update cycle users could be confident that whatever new tricks the spammers come up with, the fixes will be prompt. Hopefully anyway.
I know autoinstallers aren't in vogue, for many good reasons. But if it's just for one, largely self-contained program, would it really be so bad?
Maybe at the very least Mozilla could have a list of critical, anti-spam and other update categories. Or would that just confuse people?
Re:Autoupdate might be nice (Score:2)
Re:Autoupdate might be nice (Score:2, Interesting)
Am I the only one who simply got fed up with these kinds of arguments over the years ?
It's _because_ of the much larger user base that they should pay much more attention to this matter. Not just in talks and speeches, but (at least one d
The price of success (Score:5, Interesting)
Re:The price of success (Score:3, Insightful)
my bad.... (Score:2, Funny)
Spoofing (Score:4, Interesting)
Now let us hope that there are no spoofing mechanisms discovered that result in users believing they're on one of the whitelisted sites to allow such installations. As someone on that board had already pointed out, allowing all of mozilla.org as a means to install code can result in people taking advantage of bugzilla.mozilla.org and ftp.mozilla.org.
You know, I really appreciate hearing from developers who recognize a potential threat and are informing us how they are working to fight the problem. Their method might be taking a page out of Internet Explorer for SP2, but if it works then it's good.
Malware (Score:5, Interesting)
I might add that I don't blame Mozilla for it. I blame the programmers who sell their soul for cash to these unscrupulous companies only looking to profit while hurting the systems they populate.
Re:Malware (Score:3, Informative)
This will be the true test. (Score:5, Interesting)
Business types are afraid of OSS mostly for the fact that it's "unsupported." To them, support doesn't mean having developers on hand to fix problems so much as it does having someone to blame when things go wrong. As long as someone else is fiscally responsible for their technology problems, their customers/shareholders are happy.
They won't admit to believing the above, but it's true: I have first hand experience with it. They'll say that they need the support to protect them from threats and vulnerabilities. They cite Microsoft's patches and updates as proof that the support is useful. They claim that OSS is only safer because no one targets it, and thus the threats aren't as severe. They don't believe any of that, but it's what they use to rationalize their decisions.
If Mozilla continually and expertly deals with these vulnerabilities, that argument will fall flat. They'll either have to admit just what they're -actually- paying for when they claim "support," or they'll at least begin to look into OSS alternatives.
At least, that's what I hope ^_~
Re:This will be the true test. (Score:4, Insightful)
Here's the hole in that theory: no one has ever successfully sued Microsoft for technology problems with MS products. Worms, viruses, etc have all cost reported billions of dollars (real cost unknown, but obviously significant), yet MS does not bear the consequences of those losses.
The question of whether it is possible for us (as a species) to build completely error free systems (thus making it feasible to hold vendors responsible for mistakes) is for another time. The possibility that software is more abstract and thus more complex for humans than any other form of commercial engineering may be the case.
This is not to let MS off the hook. In my dealings with them, the company in the past has tended to let the marketers write the program specifications, often over the objections of actual engineers. The difference in perspective between a salesperson and an engineer is significant with regards to long term security and reliability.
Re:This will be the true test. (Score:3, Interesting)
I can see how CIO's and such could pick Microsoft so that they could say:
1. Don't fire me, Oh boardmembers, I went with the industry leader.
2. Don't blame us, Oh customers, blame Microsoft.
But "someone else is fiscally responsible" sounds like mo
Bad example (Score:4, Insightful)
What has not yet occurred is a plug-in or extension for Mozilla/Firefox that is similar to the kinds of spyware/malware that has been developed for IE. If the "AOL crowd" starts dumping IE for Mozilla/Firefox, spyware/malware authors will have a reason to invest their time and money into developing such applications. Seriously, how will the Mozilla team ensure someone doesn't intentionally install an extension because some website told the user that it will "accelerate their web experience for free?"
Re:Bad example (Score:2)
Linux might be secure by design, but someone with software to install and root access can still install malware or spyware.
However, as far as your question is concerned in how Mozilla will avert people from doing this, the answer is in the article. It's called a whitelist.
Misleading (Score:5, Informative)
I digress.
Re:Misleading (Score:5, Insightful)
That depends. Does the link promise free pr0n, money, or chocolate? Or does the link say it will find and destroy malware or pr0n on your system.
Social engineering is the most effective exploit of any system.
Re:Misleading (Score:3, Interesting)
I'm guessing that even some ex-MSIE users might not go through all that on the request of a malicious WWW site they have found.
Well, I've seen someone with a couple of deca
But who will upgrade? (Score:5, Interesting)
Last week, right before this news, there was news that a lot of people switched to FireFox because of the vulnerabilities in IE.
Who's going to tell them now that they should upgrade their FireFox to the fixed version, because there was a problem?
It doesn't really matter that it was fixed quickly. The people that didn't install updates for IE, won't install the updates for their brand new FireFox either. Sadly.
How will they respond? (Score:3, Interesting)
I think Mozilla Project got a bum rap on this one. When an XP service pack fixes the same issue in all affected products (including IE and Word), I'm inclined to think that it was a Windows problem to begin with.
So the perfect becomes the enemy of the good (Score:2)
Well, even if the beta versions of Mozilla aren't instant nirvana; they're already more secure, more stable, faster, smaller, and better looking.
The mozilla browser also comes with better karma, and I've heard some people have regrown hair, enlarged body parts, and improved their sex
Firefox targeted? (Score:4, Interesting)
The difference may seem irrelevant, but if Firefox wasn't targeted, it means that the evil will of the cracker community has not yet been turned to finding the bugs in Firefox the way that they have in IE. I'm pretty sure Firefox will fare better than IE did, but when you've got so much effort aimed at a product, and with the source available, they will find any easily-findable bugs.
If they did target Firefox, then we begin to have some idea how many security bugs there really are in Firefox, by seeing the rate at which new exploits appear. Thus far, the answer is "quite slow", and I hope that's because people are targeting it and failing.
Run the patch (Score:3, Funny)
more IE swiss cheese (Score:3, Informative)
Now THAT is quick! (Score:3, Interesting)
by dave532
Tuesday July 13th, 2004 1:30 AM
"Mozilla Firefox 0.9 just allows update.mozilla.org (though this has since being expanded to the whole of mozilla.org)."
Allowing the whole of mozilla.org is a bad idea because bugzilla.mozilla.org can allow anyone to upload a malicious XPI
Re: Whole of mozilla.org?
by Ben_Goodger
Tuesday July 13th, 2004 3:44 AM
good point. fixed.
Re:Now THAT is quick! (Score:4, Insightful)
Go Mozilla!
Mozilla exploit? (Score:3, Informative)
No change for protocols... (Score:4, Interesting)
This new dialog would be a great place to add
'$webpage is attempting to display an image from exploit:format+c:\'
so that by default new registered protocols and helper applications would be blocked rather than permitted until the user explicitly whitelists them.
Helper apps, too:
'Should $file.pdf be opened with the Adobe Acrobat plugin? [always] [always for this site] [just this once] [no] [never for this site] [never]'
I'm tired of going in and re-removing 'automatically perform the associated action for each of the following file types' over and over and over again.
At the risk of being flamed... (Score:3, Interesting)
Tho I do like the tabbed browsing. Lets me open a page five times so I can finally get one that doesn't say "Not responding".
Re:At the risk of being flamed... (Score:3, Informative)
user_pref("network.http.connect.timeout", 300);
NOT just a Windows/Mozilla problem (Score:5, Insightful)
Folks - this is not just a Mozilla/Windows problem. Just a few short weeks ago, a lot of noise was made about a very similar URI exploit on Mac OS X, both through any browser that runs on OS X (noise was made about Safari, and I verified that the exploit was also present in Camino) and OS X's help system.
Because of the seemingly general nature of this type of exploit - why are we letting browsers run code ?? The web SHOULD primarily be to exchange information (text, images, audio, video). Why are we allowing remote program execution?
Re:NOT just a Windows/Mozilla problem (Score:5, Insightful)
IDGI. This should be an open and shut case. Feeding data you know can't be trusted to an application you don't know is secure without so much as asking the user if that's OK is so obviously a bad idea that I can't comprehend the confusion of the mind that considers it for a moment.
[1] No, it isn't, you can build a system that's more secure and convenient if protocol handlers didn't have to double as security software because they don't know if they're being run from a browser or directly from local code... if a browser doesn't KNOW that it's safe to use a registered protocol or helper app, it shouldn't blithely go ahead and use it.
Call to Arms (or maybe just eyes) (Score:4, Insightful)
A number of years ago, an initiative was created to make FreeBSD the most secure operating system on the planet. OpenBSD is the result, and I have to say that they did a darn fine job of it.
I'd like to propose that the Opensource community do the same thing with Mozilla. Start a line-by-line security audit of the Mozilla code base. Leverage the opensource massively distributed model and create the first browser that can be called truly secure.
If you don't want to do it to create a truly awesome product, then just do it to rub Microsoft's nose in something that they are completely incapable of. *evil grin*
Remember Slate? (Score:3, Interesting)
Microsoft is gonna use Mozilla as a pawn in the browser wars to re-affirm their grounds in the Browser Monopoly.
If there was no bundling (Score:3, Interesting)
Re:Mozilla being OSS (Score:3, Informative)
Here's the catch: the problem was caused by undocumented behaviour in the Microsoft Windows APIs for handling URLs. No source audit by somebody who didn't know about that behaviour would have found it, because those APIs are closed source.
Re:K-Meleon - 1 line fix in 30 seconds (Score:3, Insightful)
Which is exactly how it's actually fixed on normal Mozilla and Firefox as well. What's your point? That there absolutely shouldn't be a fix easy enough for non-techies to use just because it can be done by futzing around the hidden config system?
Who needs a 20Mb download, huh?
The people who couldn't possibly understand even about:config, or well, not really, t
Re:XPI? (Score:3, Informative)
Re:Handling a full court press? (Score:5, Insightful)
You're mistaken in your belief.
People argue that Microsoft's getting unfairly blamed because they're the majority of the targets. And yet in areas where they haven't been the primary target they have still often had a significantly larger number of exploits for extended periods of time.
For example, for years IIS had a consistent 30% share in the webserver market, yet over the same period IIS served the vast majority of defaced websites.