Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Firefox Mozilla Security Software IT

Pwn2Own 2016 Won't Attack Firefox (Because It's Too Easy) (eweek.com) 288

darthcamaro writes: For the last decade, the Pwn2own hacking competition has pitted the world's best hackers against web browsers to try and find zero-day vulnerabilities in a live event. The contest, which is sponsored by HPE and TrendMicro this year, is offering over half a million dollars in prize money, but for the first time, not a penny of that will directed to Mozilla Firefox. While Microsoft Edge, Google Chrome and Apple Safari are targets, Firefox isn't because it's apparently too easy and not keeping up with modern security: "'We wanted to focus on the browsers that have made serious security improvements in the last year,' Brian Gorenc, manager of Vulnerability Research at HPE said."
This discussion has been archived. No new comments can be posted.

Pwn2Own 2016 Won't Attack Firefox (Because It's Too Easy)

Comments Filter:
  • by lesincompetent ( 2836253 ) on Friday February 12, 2016 @08:15AM (#51493623)
    I immediately thought about TOR Browser. The horror.
  • by Sax Russell 5449D29A ( 4449961 ) <sax.russell@protonmail.com> on Friday February 12, 2016 @08:17AM (#51493631)

    As an avid Firefox user, I have to agree. Firefox is good because it's customizable, but it certainly lacks some inherent security features found in other major browsers. Many of the security risks can probably be averted by configuring the browser for added privacy and disabling certain features, but this is no excuse for lagging behind.

    Maybe Mozilla will someday focus on its core competencies again and stop fooling around with nonsense like Firefox OS...

    • As an avid Firefox user, I have to agree. Firefox is good because it's customizable, but it certainly lacks some inherent security features found in other major browsers.

      No being default on spyware? ;)

    • And that's quite unlikely to change. Almost any feature of FF that requires a setting's change (beyond trawling through about:config) also requires a third-party extension to do so.

      A very basic example:

      Built into Firefox is "Scratchpad" (an on the fly JS editor). The Scratchpad window is an implementation of CodeMirror. The code itself is utilized across many of the Firefox Dev Tools. Within the Firefox Dev Tools is a "Style Editor". Everything you need to access|change a site's CSS and custom User Css is implemented by Firefox except none of it is exposed, and there is no management gui to do so.

      So we need to use Stylish or the mostly-broken-for-the-last-year "User Style Manager". Neither of these addons implement CodeMirror|scratchpad. USM's editor is the thing that breaks constantly and poorly implements some of the features of a Scratchpad window. Neither of these addons allow you to use a cust

  • Wait a mintue (Score:3, Interesting)

    by Anonymous Coward on Friday February 12, 2016 @08:21AM (#51493647)

    One change in the 2016 event is that the Mozilla Firefox Web browser is no longer part of the contest.

    "We wanted to focus on the browsers that have made serious security improvements in the last year," Gorenc said.

    Read that again.

    Notice serious "security improvements".

    So. am I to take it that Firefox was sitting on their asses and just adding bells and whistles?

    Or their security was so good before and now that there wasn't much improvement necessary?

    • Re:Wait a mintue (Score:5, Informative)

      by TheRaven64 ( 641858 ) on Friday February 12, 2016 @08:50AM (#51493745) Journal
      The former. All modern browsers except Firefox have decomposed their browser into multiple processes, so that a compromise from one site will only gain control over an unprivileged (i.e. isolated from other stuff the user cares about) process. They also run plugins in separate processes and have fairly narrow communication paths between them. Firefox is still a massive monolithic process, including all add-ons, plugins, and so on.

      This basically means that you just need one arbitrary code execution vulnerability in Firefox and it's game over. In contrast, if you have the same in Chrome, Edge, or Safari, then it's just the first step - you now have an environment where you can run arbitrary exploit code, but you can't make (most) system calls and you have to find another exploit to escape from the sandbox. Typical Chrome compromises are the result of chaining half a dozen vulnerabilities together.

      • All modern browsers except Firefox have decomposed their browser into multiple processes,

        Mozilla is doing one better than that. Servo is being written to be provably memory correct and thread safe. Ultimately that's the better solution. Of course, firefox doesn't use servo yet.

      • Re: (Score:2, Interesting)

        by Viol8 ( 599362 )

        Firefox used to be multiprocess, in the sense that if you started a new instance a new process would start. But they then heard about threading and decided it must be the solution to everything so now when you kick off a new firefox instance (on linux anyway) when one is already running it checks for some shared memory, and if its there hands over to the current firefox process which kicks off a new thread then the process you started dies. A very complex, inefficient and security poor method of doing thing

        • Its not quite how you describe it. Yes, when you start firefox it checks first whether the current profile is currently opened. That's not done because of "parralel" (or "threading", which doesn't have anthying to do with this), but to the contrary, it is meant so that only one instance of firefox has write access to the profile.

          If you want to start multiple firefox processes, you'll need multiple profiles. When you start the separate firefox process you must then specify the --no-remote -P command line ar

      • Firefox is loosing in both the mobile and desktop markets so they are concentrating on ways to keep and expand their user base else be irrelevant. Chrome on the other hand has been on the rise for some time and is the leader in both markets therefore it's a likely target.

        • Chrome on the other hand has been on the rise for some time and is the leader in both markets therefore it's a likely target.

          Yeah, wonder why that is? Google was more aggressive about pushing Chrome than MS ever was about pushing Windows 10.

          Now that everyone has taken the bait and installed Chrome and see that it works well with their investment in Google services... of course they are going to justify its use.

    • Re:Wait a mintue (Score:5, Interesting)

      by BZ ( 40346 ) on Friday February 12, 2016 @09:07AM (#51493817)

      Or maybe this is the contest organizers trolling? Because I know for a fact Firefox made serious security improvements in the last year; I reviewed some of those patches.

  • by Anonymous Coward on Friday February 12, 2016 @08:33AM (#51493681)

    "Yeah, Pwn2own, well.... your MOM is too easy!"

  • by Anonymous Coward on Friday February 12, 2016 @08:37AM (#51493695)

    The FF developers don't have the time for that, they're far too busy destroying the user experience just a little bit more with each release.

    It takes a lot of time and effort and great skill to ruin what used to be the best browser you know, it doesn't happen by itself!

    (I just wish I were joking. Unfortunately they have the Microsoft disease of "The UI must change with each release to show that we're doing something". It's mind-boggling in its insanity, and it annoys their supporters continually. If they hadn't touched the UI in the last 5 years and devoted all their energy to security and performance instead, FF would still be the leading browser today.)

    • Re: (Score:3, Insightful)

      by Anonymous Coward

      Removing cookie management features was the last straw for me. That is an essential feature for browsing the modern web. It's simply bewildering they would remove a critical ability while simultaneously adding weird social media things.

      • by amorsen ( 7485 )

        I really don't get this. Did you seriously click through the cookies on every web site, picking which ones should be allowed and which shouldn't?

        If anything, the Firefox developers should have included Self Destructing Cookies in the main distribution, but it works well as an addon. Deleting the silly "click to accept cookie" thing made a lot of sense though.

        • You kind of have to to know which cookies to block.
    • Heh, the UI is one thing, but there's also the bit where they went:
      Ok, so let's take a bunch of features that by any right should be an external plugin a few people would use and integrate them into the browser.
      Then let's take a bunch of basic features out so people have to replicate them in plugin form.
      Oh, and then obviously, let's deprecate our plugin API and replace it with Chrome's, so that after the UI changes the only thing differentiating us from Chrome will be how much our browser crashes and leaks

  • We wanted to focus on the browsers that have made serious security improvements in the last year

    Rather than giving Mozilla some bad press they could have stated in the rules that exploit A, B and C have already been done last year and don't count for the 2016 edition of the contest. Even if they haven't changed whatever these guys think is "serious" since last year that doesn't mean the whole thing is bad.

  • by Millennium ( 2451 ) on Friday February 12, 2016 @09:16AM (#51493863)

    I thought Pwn2Own was supposed to be all about shaming vendors into cleaning up their act. If Firefox's security is really so poor, then shouldn't these guys be directing more resources toward it, rather than less?

    Is this not a large part of how Microsoft was pressured into finally making certain decisions which, while clearly necessary, were very inconvenient from its own perspective? Why are we to believe that it would not work again?

    • And also, I noticed that TrendMicro [extremetech.com] is a sponsor... is that their method of making sure that their product is never a focus of the hacker attention?

    • Throwing good money after bad. Firefox was the most "shamed" browser last year, and if this guy is correct they have done nothing about it for the last 12 months.

    • by dj245 ( 732906 )

      I thought Pwn2Own was supposed to be all about shaming vendors into cleaning up their act. If Firefox's security is really so poor, then shouldn't these guys be directing more resources toward it, rather than less?

      Is this not a large part of how Microsoft was pressured into finally making certain decisions which, while clearly necessary, were very inconvenient from its own perspective? Why are we to believe that it would not work again?

      Why would they do that? Firefox is losing market share and has spent a lot of effort in the past year degrading the user experience. It seems they did not make security a priority whatsoever, despite being in last place last year. Why would Pwn2Own offer prize money for Firefox exploits? That only serves to send a message that companies can slash the security budget of their browser and someone else will pick up the tab in identifying exploits.

  • They don't say it would be too easy, they just say Firefox hasn't made significant security changes (e.g. in architecture). Probably doesn't hurt that they can hit Google, Apple and Microsoft for more money than they could get from Mozilla.
    • parent needs mods up. This summary is almost entirely a fabrication. The only thing the article says is that FF isn't included since it hasn't made any major security related changes in the last year. i.e. it is not significantly different from the version targeted at the last pwn2own
  • I'm a certified hater of Firefox, but I'd like to hear what Mozilla has to say about this. Firefox's security is reviewed by not only their security team, but also Debian, the Tor Project, Red Hat, and many others. I have a hard time believing the situation is really so bad.
  • Because they're in the process of becoming yet another Chrome also-ran and basically they're too busy tonguing the Google sphincter to bother stopping the freefall of their flagship product and business.

  • by MSG ( 12810 ) on Friday February 12, 2016 @12:41PM (#51495357)

    I see a lot of comments about Firefox's security but no references so far. So, let's look at cvedetails code execution counts:

    2016:
    Edge: 6
    Chrome: 0
    Safari: 0
    Firefox: 3

    2015:
    Edge: 19 (Nov 12 - Dec 31, a projected rate of 142 per year)
    Chrome: 8
    Safari: 101
    Firefox: 83

    2014:
    Chrome: 4
    Safari: 65
    Firefox: 55

    So while Firefox is getting a lot of hate here today, I think the unbiased view is that Firefox is clearly more secure than any browser other than Chrome, which has by far the best record. I struggle to imagine an objective reason to exclude Firefox from any evaluation while including Safari. Edge hasn't been out very long, but based on the very small amount of data we have so far, it looks significantly worse than Firefox.

    https://www.cvedetails.com/pro... [cvedetails.com]
    http://www.cvedetails.com/prod... [cvedetails.com]
    http://www.cvedetails.com/prod... [cvedetails.com]
    https://www.cvedetails.com/pro... [cvedetails.com]

  • who wants to run NoScript to use?
    Given that Chrome won't run it.

There is no opinion so absurd that some philosopher will not express it. -- Marcus Tullius Cicero, "Ad familiares"

Working...