Attack code for Firefox zero-day goes wild, says researcher

A Russian security researcher on Thursday said he has released attack code that exploits a critical vulnerability in the latest version of Mozilla's Firefox browser. The exploit - which allows attackers to remotely execute malicious code on end user PCs - triggers a heap corruption vulnerability in the popular open-source …

COMMENTS

  1. This post has been deleted by its author

    1. jmesse
      Badgers

      WOW

      Longer explanation: Mozilla made millions distributing a crappy insecure browser, we might as well cash in and screw their users too. Adequate road sign, as this is Mozilla, not Toyota.

      1. Anonymous Coward
        Linux

        @jmesse

        "Longer explanation: Mozilla made millions distributing a crappy insecure browser"

        Sorry, for a moment I thought you said "Mozilla" instead of "Microsoft"...

        "We've tested it on XP and Vista"

        ...but does it work on Ubuntu (or any other Linux for that matter)? What about OSX? If not then we know where the problem *really* lies...

        1. Andrew Norton
          FAIL

          @AC (12:10)

          "...but does it work on Ubuntu (or any other Linux for that matter)? What about OSX? If not then we know where the problem *really* lies..."

          Does the code work if the program (firefox) is not running, or better yet if it's not installed? Probably not, so we REALLY know where it lies.

          When a company says its product is 'the most secure', and spends more than half its annual income on marketing, I'd guess it talks about 'secure' in the anti-terrorism sense. (IE keep claiming safety, and hope people are stupid enough to believe the line of crap)

    2. Anonymous Coward
      Badgers

      Wanna bet they reach out...

      to companies that can afford to pay before they release an exploit!

      Open-source, non-profit organizations would be perfect targets to show proprietary, for profit companies that this company can find and will release exploits.

      Perhaps, there should be an International law on disclosing exploits. Should the time frame be two weeks, a month from the time the exploit is handed to the company which owns (created) the code until it is released?

      badjers, because this has got me fighting mad - I'm not big on police states and increasing policing powers but if this is not illegal it probably should be.

  2. This post has been deleted by its author

    1. Anonymous Coward
      WTF?

      Paid to Shill Much?

      *cough* "As efficient as C++ - as safe as Java or .Net" *cough*

      Oh dear oh dear oh dear.

    2. Charles 9

      There's a big problem to that.

      Safe languages take up resources and time with garbage collection and sanity checking. Thing is, even now with modern multicore CPUs, speed is still an issue (one of Mozilla's criticisms is that it's a bit slow--particularly with ECMAScript). Optimizing coding means eschewing some of the checks and balances.

      Think of the safe vs. fast programming problem like the airport security checkpoint problem. They're very much alike in that being too lenient or quick means things get through while being too strict or thorough reduces throughput to a crawl.

      1. MacroRodent
        Boffin

        Re: There's a big problem to that.

        "Safe languages take up resources and time with garbage collection and sanity checking. "

        Not necessarily. Garbage collection is not required, just the checking (Pascal and its relatives do not have garbage collection). And it was demonstrated already in the 1970's by some researchers that the cost of runtime checks can be reduced to just a few % when an optimizing compiler is made to take them into account. This requires the checks are integral to the language and compiler, not a bolted-on feature.

        In respect to safety, the field took a nosedive when C and its descendants took over from Pascal and its descendants (like Modula and Ada).

        1. Anonymous Coward
          Thumb Up

          @MacroRodent

          "And it was demonstrated already in the 1970's by some researchers that the cost of runtime checks can be reduced to just a few % when an optimizing compiler is made to take them into account. This requires the checks are integral to the language and compiler, not a bolted-on feature"

          This is just a variant of the Assembler Vs HLL problem. You'd have thought it had died a *long* time ago.

          One of Pascal's original aims was to make it run as fast as badly structured languages like FORTRAN (this is early 1970's FORTRAN). It succeeded. In the commercial world Ferranti released an ALGOL compiler with substantial error checking. When they asked customers did they want runtime error checking removed to improve speed for 2.0 the customers said no. This was in the 60's, when assembler was pretty much the norm and performance was a real premium.

          For the daddy of these contests look at the Space Shuttle systems. Real time control system with *hard* response limits on a processor which flat out managed 400KIPS (that's not a typo).

          Benchmarked assembler Vs the HLL gave IIRC at most a 15% performance hit. Despite hardware failures the system has *never* failed in flight. No 178b standard. No TCP/IP stack.. Just an awareness that failure means people will die and a pretty effective compiler for a HLL which fitted the problem domain quite well.

          And BTW Microsoft whine about putting a JVM on Windows but what is the "Common Language Environment"? How much of Windows already is running on a VM?

          IMHO writing secure, reliable code consistently (anyone can get lucky once) is *never* an accident. The whole system is only as secure as its weakest link (human, software or hardware). A first rate team with a good understanding of security issues running solid tools and following a painstaking process could still (and my gut tells me probably has) been undermined because a bought in library was actually written by some clueless bong chugging Summer intern.*

          However for this to happen it has to be a *management* priority. Someone somewhere has to be responsible for it and get it in the neck if it does not happen.

          Anon for the line at the bottom.

          *or in one case getting to a Star Trek convention on time.

          1. Ian 10
            Linux

            Safety first? Only after the lawyers!

            The only time it's going to become a *management* priority is when software HAS to be fit for purpose and can not hide behind the "Not fit for any particular purpose" which is the get out of jail free card.

            Once users can sue providers for crap software then and only then will market forces make software reliable and safe.

      2. Haydies
        WTF?

        Speed?

        Hahaha, now that's just silly and wrong.

        It's been proven, look it up. C is not quicker to develop because it takes much longer to debug.

        Plus, execution speed will not change much as you're not executing the code.

        You're thinking Java, and that's slow because it's not native execution.

        As an Ex-Delphi developer I know 100% that if I coded some thing in Delphi it would be as fast as if it was coded in C++. This speed argument has been going on for 20 years and it's no more true now than 20 years ago.

        Good, well-written code is what matters. You honestly think that with multiple giga, multi core machines a little bit of pointer checking matters? For a start, now Mozilla will have to write code to stop the problem.... so shockingly, they will be just a touch slower than not checking. Just more secure.

      3. Ian 10
        Linux

        The problem with C / C++

        The issue with C and C++ is that they are NOT safe and require programmer and experience to add the code to cover for this.

        Safer languages are not always slower. The solution is a language that is safe by DEFAULT and if required the checks and balances can be disabled where required.

        You don't spend time optimising the full source tree, that would be an expensive waste; you only optimise where the bottlenecks are.

        Why use a language that is always unsafe just because occasionally it is an advantage?

    3. steven W. Scott

      It's not the language

      It's the programmer.

      1. Anonymous Coward
        Anonymous Coward

        It's not the programmer... it's the QA process

        It's not the language... it's not the programmer... it's the QA process

        With the best will in the world, even the best programmer will make a mistake sooner or later. That's why every organisation that develops software should have a QA process that ensures all code is reviewed against a checklist of good and bad development practices (amongst other things).

    4. Unus Radix
      Boffin

      Deal ?

      I for one would be all for trading some of the rather plentiful hardware horsepower we have today for easier to write, more reliable software; Brinch Hansen, Hoare & al. were pushing this in the 1970s already, apparently convinced that this would be a good deal.

    5. Anonymous Coward
      WTF?

      @joeuro

      Sappeur:

      "Which platforms are supported at this time ?SAPPEUR currently is available for Intel(R) 32bit 80X86 Processors running Windows VISTA or Ubuntu"

      So none then. Clicking on the tab for "Buying" gives a blank screen which tells me that this product isn't finished yet anyway.

      The *real* solution is rigorous testing and not falling for any of the traps (as listed yesterday in El Reg's article on 25 potential problems you might accidentally code into your software...)

    6. GrahamT
      Boffin

      sappeur?

      Isn't that a bit of a giveaway. Sappers traditionally undermine the opposition's position.

    7. Ocular Sinister
      FAIL

      It's not that simple

      If you think fixing security bugs is as simple as using a different language, I'm afraid you are mistaken. It's perfectly possible, easy in fact, to write insecure programs that leak memory in C#/Java/whatever.

      The only way to fix the problem is to write secure code in whatever language you are using.

      Incidentally, garbage collection is possible in C++...

      1. Ocular Sinister
        Alert

        Just to clarify...

        I don't mean to say that we shouldn't be looking at higher level languages for these kind of applications, but doing so in the belief that this will solve all, or even many of our security problems is to bury our heads in the sand.

      2. Usko Kyykka
        Heart

        C is a harsh mistress

        >If you think fixing security bugs is as simple as using a different language ...

        It is not that simple, but using a language/environment where it is not plain possible to e.g. inject code through causing a piece of code to overwrite the machine stack should help. Somehow e.g. insisting on using C for everything smacks of an attitude where the only honourable way of writing software is by operating console switches. Silly, that, when we can use the machine itself to do such mundane stuff and save our attention for more important things, such as security.

        Mind you, C in itself is an object of my deepest admiration [hence icon] as the language is clean and simple, yet strikes a pretty much optimal balance between portability and low-level access to the machine. The latter, unfortunately, opens the door for a class of nasty bugs. Fortunately, low-level access (and absolute efficiency) is not needed for most work and/or all code.

      3. Anonymous Coward
        Anonymous Coward

        I studied C++ ...

        fifteen years ago, and I wasn't that young then, and not only is garbage collection in C++ possible it wasn't very hard to implement.

        I only worked/studied in the programming environment for one year and I must say that I'm sorry my opportunities took in other employment directions, but if C++ programmers can't implement proper garbage collection in C++ perhaps there are in the field.

    8. Haydies
      Black Helicopters

      C Must Die!!!

      Hear, hear! Well said. C and C++ are the main cause of this kind of issue. With a proper language you simply can not over run a buffer etc.

      Modula 2, now that's an OO language and it's good for safety-critical work. Ok, so it didn't have a large take up once Windows came along but you'd never have exploited it.

      Still, C is the most popular language, so your manager isn't going to be blamed for failier if he chooses a less common language.

      C as a language suffers primarily from a design floor. It was only meant to port the Unix kernel, so it's the only language that was designed to make the compiler easier to write. Now since when was that important to an application developer?

      C should be buried at Sea!

      1. Anonymous Coward
        Anonymous Coward

        RE: C Must Die!!!

        Do you possibly mean "Design flaw" rather than "Design Floor" (which is just wrong)?

  3. Anonymous Coward
    Stop

    All browsers have vulnerabilities!

    Will the French and German governments now be advising their citizens to stay clear of Firefox as well?

    1. Charles 9

      The rate they're going...

      ...they'll be advising their citizens to cut their Ethernet cords and WiFi antennae and go back to the pre-Net days when the most reliable method of content delivery was the Sneakernet.

      1. The Fuzzy Wotnot
        Happy

        Too late!

        Thought they were already doing that by cutting off anyone that so much as downloads a gif/jpg they have no copyright on!

    2. lennie

      nope

      they won't do that at all.

  4. heyrick Silver badge

    Stands to reason Firefox is getting flack

    as it is getting an ever-larger piece of the action, so nefarious people will turn their attentions to it. Safety is valued in terms of what you trust, and how much trust you have.

    Would I be safe? ABP&NoScript and I don't "allow" sites at random. If a site fails with NoScript, I usually just find another. I hope the morons that require scripting to follow a clicky-link are paying attention.

    Please let's NOT have any references to Opera, Chrome, Safari, or other browsers. Trust me, if said browser(s) had a sufficiently large share, it would be compromised.

    1. Joe H.
      Terminator

      about getting flack...

      "I hope the morons that require scripting to follow a clicky-link are paying attention."

      Perhaps they are, and far too closely.

    2. Anonymous Coward
      Anonymous Coward

      So?

      You've just pointed out the only reason you need to move away from Firefox. There are of course other reasons, but the only one you actually NEED is that minority browsers don't attract the attention of the black hats.

      As for Noscript it's a nice addon but far too intrusive for ordinary Josephines.

      1. heyrick Silver badge
        Grenade

        Move away from Firefox? (and a security rant)

        Why? It works for me. And maybe one day it will be the IE replacer and Opera will have a 33% market share and it will be subject to attacks. So what, all the Opera lovers will ditch it for some other minority browser?

        As for the ordinary Josephines, there are countless examples of stupid things ordinary people do that backfire on them. Just last year a girl in her Clio went around a bunch of cars (about seven of us) on a blind bend. 70kph (in a 50 zone) straight into the front of a corn harvester. It would have been epic wreckage had the driver not been up high, seen the car, and stopped. As it was, pieces of Clio and body parts. People are expected to have a clue when hurtling around at high speed in soft metal containers. There's fairly rote but nonetheless complex things to remember like starting and stopping, braking distance, reaction times, changing track on the CD player instead of putting the wipers on, the scary gearstick (which while R is usually opposite 5, the car really would sulk expensively at going from one to the other). Yet everybody does this regularly. Some even know how to indicate correctly on the roundabout. Some <gasp> even pay attention to the Give Way signs.

        Why is it, then, that our portal to the online world is "too complicated" and "difficult"? Sure, there's a lot to remember as the Internet provides a lot of different services, and it is further compounded by subtle differences in browsers (but no less annoying than the control sticks by the steering wheel having no standardisation, the one on the left - indicators or headlights? and God help you if your car has more than two!).

        Given the level of loss possible (to your wallet, not just trashing your computer), perhaps it is time Josie educated herself and understood why these precautions are necessary. You don't walk in a city alone at night. You don't leave your front door wide open. You don't run scripting from sites you don't know...

        [on my mother's profile, I am installing NoScript... ought to be a barrel of laughs, given her previous level of tech was opening the typewriter to change the inky ribbon! but, hell, if she's going to Google crochet and Amish recipes (!?) on my computer, she's going to have to take security seriously and not cop out with "oh, it's complicated" like so many people seem to want to do... after all, getting scammed to hell and back happens to other people, right?]

  5. Goat Jam
    FAIL

    We've tested it on XP and Vista.

    Good work, it's not like there are any other OS's out there.

    Oh wait . . .

    1. Andrew_F

      That makes 75% of computers (says W3counter)

      I'm sure that as far as he's concerned, that's a success.

  6. steven W. Scott
    Linux

    Need more input

    It would be nice to know a little more about the mechanics of the exploit.

  7. Mike Kamermans
    Happy

    So they charge for it

    Open Source has had the benefit of people debugging the code for free for quite a while now, it stands to reason people are starting to go "this is not our product, and no one is paying us to fix what we've discovered. we can either report it and hope someone fixes it (whenever they feel like it), or come up with POC code that exploits it, and if the company whose product is flawed wants to fix it, they can buy a license for the POC code"

    Sounds fair, to be honest. If you spend time to work out an exploit bug and the people whose program it is don't feel that's worth rewarding, charge them. No one's stopping Mozilla from forking over the same amount of money they charge for anyone else to get their hands on the exploit code. Just because it's open source doesn't mean everyone's an altruist through thick and thin - a little economic dip and anyone who can come up with a good way to generate cash will do so.

    To borrow a phrase, the real wtf is that they're the first to figure out that if they sell licenses to exploit code, either the owning company can pay that license in order to stop the exploit, or their product gets blasted. Pretty effective business model really.

    1. GrahamT
      Unhappy

      Business models

      "pay that license in order to stop the exploit, or their product gets blasted. Pretty effective business model really."

      Yes, I think it is called blackmail.

    2. Anonymous Coward
      Flame

      You sir are a Knob!

      You really think this is responsible, justifiable behaviour? Guys like this make the net *less* secure. What kind of d*ckhead releases details of a remote execution exploit to make a quick buck rather than notifying the software maker? Doesn't matter whether it's Mozilla, Microsoft, Apple. That's why there's a responsible in 'responsible disclosure'.

      Frankly, I hope that the exploit does get exploited by some black hats, then hopefully the marks will sue this shithole of a company into oblivion for negligently releasing details of an attack vector without taking steps to help the developers mitigate the risks.

      This guy is scum, and if you think his stance sounds fair, then you can join the ranks of people not worthy of internet access!

  8. fastoy

    Isn't Firefox 3.6 the current release?

    That's what I'm running.

    1. frank ly
      Stop

      Have a look and find out

      http://www.mozilla.com/en-US/firefox/upgrade.html

  9. ForthIsNotDead
    Thumb Down

    Bottoms

    "Legerov said his firm does not provide advanced notification to software makers under an arrangement often referred to as responsible disclosure."

    So he just flogs the info to whoever wants to pay for it? Black or white hat?

    Dear Sarah,

    Can we have bullshit icon?

    Ta!

  10. Anonymous Coward
    Gates Halo

    @Mike Kamermans

    Open source?

    Mozilla is free to use but its not open source.

    1. peter 62
      FAIL

      @AC 2010-02-19-05:17

      you can download the source here.

      http://releases.mozilla.org/firefox/releases/latest/source/

      you can refer to the open source information here:

      http://www.mozilla.org/foundation/licensing.html

      "All Mozilla software is open source. This means that it is not only available for download free of charge, but you have access to the source code and may modify and redistribute our software subject to certain restrictions as detailed in our license agreements."

      1. Anonymous Coward
        Anonymous Coward

        But...

        ...they get very arsey if they don't like the modifications. Hence Iceweasel.

        1. Anonymous Coward
          Anonymous Coward

          No they don't

          They get arsey if you distribute your modified version with Firefox branding because of the 'defend it or lose it' part of US trademark law. It's an aspect of law with some unfortunate effects for free software, much like patent law. Hence Iceweasel, because it's preferable to Monopoly Firefox, now with added vendor lockin, or AdBroker Firefox with extra spying.

    2. Ian 55

      Firefox is open source, but not Free

      Because, yes, they do get upset if you change things and still call it Firefox.

    3. A J Stiles

      Not quite

      Not quite.

      The version that Mozilla distribute in binary form contains proprietary components that are not present in the version that you can build for yourself from Source Code.

      1. Tom Maddox Silver badge
        WTF?

        Really?

        [citation needed]

  11. Anonymous South African Coward Bronze badge
    Linux

    Linux, linux and more linux

    Should be safe on Linux.

    And I don't follow dodgy links.

  12. Barrycudasuck
    Grenade

    But WINDOWS still remains the target!

    Despite the cross platform nature of Firefox, this hole is still a more significant issue for Windows users than anyone else. Last time I checked I was not starting Firefox as root :-) if someone went to the trouble to use the exploit with Linux & Mac they may be able to empty my home directory, but that would pretty much be the limit of it :-)

    1. Ocular Sinister
      Grenade

      A good point...

      But let's not be complacent - it's not impossible to chain this exploit with a local root exploit. Given the size of the Linux market right now, I'd say it's highly unlikely this would ever get done. If Linux does get a large enough market share for all these kind of exploits to become profitable I shall be installing a *BSD...

    2. Anonymous Coward
      Anonymous Coward

      rm -rf ~

      "...they may be able to empty my home directory..."

      And you would be OK with that?

      1. Keith Oldham
        Linux

        Re : rm -rf ~

        I may be paranoid but I don't run FF or other browsers on my own account - the slight inconvenience of using a password to start the browser is more than compensated by the security of running in an empty account.

        Assuming I ran the browser on my own account, the daily backup of the home directories would provide a safety net.

  13. Anonymous Coward
    Gates Horns

    Problem is with the OS

    If the OS sandboxed programs in a reasonable way, i.e., by not allowing them to install/run other programs, or to modify themselves, or to read/write files that aren't their own, then all of these security problems would vanish immediately.

    The iPhone OS does this for apps and notice that so far no iPhone app has been able to compromise the rest of the system. All of the iPhone security issues have been with jailbroken phones or Apple's weak data encryption.

  14. Anonymous Coward
    Anonymous Coward

    Extortion by another name?

    It's interesting to note that you can only buy access to the exploit after requesting a quote from Intevydis.

    Also interesting to note that they're Russian.

    You have to wonder if there IS an exploit, and if there is and no-one coughs up who the exploit will be passed on to ...

    1. Anonymous Coward
      Flame

      re: Extortion by another name

      Exactly. CANVAS/Vuldisco etc. cost silly money, even more if they don't "approve" of your organisation. They are extremely dodgy people.

      On the upside, while it has probably already been used in corporate espionage, various Eastern European organised crime gangs will get careless as it goes further down the food chain, using it to rip off all and sundry via shoddy malware. It's only a matter of time until security researchers who aren't massive f*cking c*ntbags get it, who will tell both Mozilla and the rest of the world, so it can be fixed.

      (Sarah, apologies for the outburst. It makes me a little cross, and possibly needs to be said.)

    2. AnonymousNow

      Legerov

      I was thinking the same thing. This Legerov might not want to travel overseas as I can't see how what he is doing is legal anywhere that complies with the rule of law. Apparently Russia is not such a place.

  15. Anonymous Coward
    FAIL

    Screw him

    Lack of responsible disclosure procedures should be equated with blackhattery and prosecuted. What an asshat.

  16. Robert Carnegie Silver badge

    Story says

    Currently the Firefox folk haven't decided there -is- a problem.

    Microsoft paid SCO to sue Linux over UNIX properties and hamper its adoption for business for years, maybe they paid this guy, whether there's something there or not... then again, I'm still not quite sure why Bill Gates doesn't just have all these competitors murdered. He's got the money.

    1. Anonymous Coward
      Thumb Down

      Bill Who?

      Get with the program!

    2. Anonymous Coward
      Anonymous Coward

      Mozilla have learned from MS

      The MS method has always been to deny there is a vulnerability whenever possible until the fix has been released. Of late Mozilla have been following exactly the same protocol.

      Quite how anybody goes from "we haven't seen any evidence of this vulnerability" to a fix with no intervening period to develop and test said fix is beyond me.

  17. Anonymous Coward
    Flame

    Oh b*gger...

    Started reading the article - looked at my version of Firefox - 3.5.7. Updated it and got 3.5.8 which opened with a web page saying that for security reasons I should upgrade to the latest and greatest version. Did so and now have Firefox 3.6. Changed to Chrome to type this.

    Does anyone know of an effective way of communicating my displeasure to dear comrade Evgeny Legerov?

  18. Defiant
    Thumb Down

    Losers

    Noticed everyone who gives an honest opinion about FF but negative gets the thumbs down. The Firefox sheep really are a sad and pathetic bunch

    1. Intractable Potsherd
      Thumb Down

      Haven't seen...

      ... an honest, negative comment, borne out with evidence. If I saw one, I'd vote it up!

    2. CD001

      voted down...

      ... in an ironic fashion.

    3. Anonymous Coward
      Thumb Down

      Ah but...

      ...the saddest thing about the FF fanbois is that they always assume that anybody who criticizes FF must be an MS shill. Have they tried all the alternatives and made an informed choice? Or have they just jumped on a bandwagon?

      The really strange thing is that most FF fanbois apparently hate MS but run their jesus browser on a MS OS, presumably because they're too dumb to get to grips with an alternative.

      1. heyrick Silver badge
        Happy

        Are you reading the same forums?

        I kinda thought all the Firefox criticism came from Opera fanbois!

        I guess this explains why numerous Firefox fanbois use Windows - we just want the damn browser to work, pretty much out of the box, with minimal time overheads and as little administration as is possible...

  19. Anonymous Coward
    Anonymous Coward

    Whiners complaining about thumbs down votes

    get an automatic down vote from me. Reviewing the down tallies at the time of this post, the one with the most down votes at 22, contained the provably false statement: "Mozilla made millions distributing a crappy insecure browser,..." followed closely by the post with the equally provable statement "Mozilla is free to use but its not open source."

  20. Duncan Robertson 1
    Flame

    One of the reasons I read the comments on El Reg

    is to laugh at the fucktards that post! You have to piss yourself laughing at people claiming to be programmers and vilifying languages, platforms, etc. going on about things like overflows when they can't even spell simple words like "failure".

    I mean, come on people! These flaws and vulnerabilities are often caused by circumventing the design process. Proper testing, validation and verification should mitigate most problems with software. However, there will never be the perfect piece of software. Apple fanboi's and Linux guru's - stay down!

    I'm not Bill's love child, nevertheless, I do use Windows for certain things like most do. I also use Linux for a lot of things too. In the past I've used AiX and OS/400 where appropriate. This is the entire point. Platforms and languages suited to the task at hand. Testing and verification also suited to the task at hand. I mean there's no point in running Tetris on a super secure OpenBSD box is there?!?!

    1. Ted Treen
      Thumb Up

      Nicely put.

      I don't use Windows myself - I'm a Mac user - that's my choice and if someone else goes the other way, then that's their choice.

      I do feel that Duncan's phrase "However, there will never be the perfect piece of software." should be tattooed on the genitals of most of the "one or t'other exclusively" zealots, just to concentrate their minds on pragmatic reality.

      Proper testing etc. will as Duncan says, mitigate most problems with software.

      That's MOST problems. It's not ALL problems.

      No one person, or team will ever have the experience, imagination and time to test modern software for absolutely every contingency - unless we want software's gestation period to go out to several decades. Way back in the '80's, when I installed mini's & micro's for Burroughs Machines, I was often asked to "make this system idiot-proof". I rapidly gained a healthy respect for just how ingenious and inventive idiots could be - and I don't suppose I ever quite achieved the Holy Grail.

      Just think how much more involved & complex things are 25 years later!

      A pox & a plague on all the blackhat villains and associated ungodly who give us these problems. May all their capacitors bulge, their r/w heads crash and their RAM sockets fail!

    2. Anonymous Coward
      Happy

      Well....Really?...no point....oh

      except just for the fun of it and if more people took a little interest in computers/computing and actually learned something the Internet might be a little safer.

    3. Anonymous Coward
      Anonymous Coward

      @ One of the reasons I read the comments on El Reg →

      ' they can't even spell simple words like "failure" '

      Hey - could be worse, Duncan, they might not know where to put their apostrophes - as in non-possessive ` guru's `.

  21. Robert Carnegie Silver badge

    "Open source" only means

    that the source code is supplied to suitably qualified customers. If Microsoft released all the Windows source code to be read by any customer spending more than $1,000,000, they'd be open source. But the product would not be any better than it is now. You couldn't do anything to improve it. Well... they might accept comments about some spelling mistakes.

    You can, however, improve Firefox. But you can't call your version anything that makes it sound like you're directly involved with the Firefox people.

    I don't know how many people are currently rolling-their-own from the source code. It can be an interesting hobby.

    1. heyrick Silver badge
      WTF?

      You what?

      Your example of Open Source is about as good as saying Windows 7 is free - provided you buy a two hundred euro box to take it home in.

      Or were you not aware that "open source" as a phrase has a number of little conditions above and beyond the literal interpretation of those two words?

      Try reading http://www.opensource.org/docs/definition.php

  22. Neeblor
    Go

    Had me confused for a second

    "wild", not wild

  23. Henry Wertz 1 Gold badge

    open source and patch tuesday

    @Robert Carnegie

    "Open source" only means that the source code is supplied to suitably qualified customers.

    No it doesn't! Microsoft *does* allow Windows source (at least that source for 2000 that was already leaked) to be read by their few largest customers. It's not open source. Open source includes the right to examine the code, right to modify the code, and right to distribute the code. There have been a few products that have an open source license, that the company will only give the source to their own paying customers -- and that is their right. But, as the products were open source, these customers were free to give that source to ANYONE else they wanted. There've been a few other instances where these companies dual-license (so you could buy the software open-source, or buy it, probably less expensively, under a more restrictive license. This is also their right.) Microsoft was trying to pretend their "shared source" crap was open source for a while, it is not.

    @grumpy "Lack of responsible disclosure procedures should be equated with blackhattery and prosecuted. What an asshat."

    Mozilla Foundation's been good about it, but I've seen enough groups just sit on security flaws that I think I'd take the discoverer's approach too. Note he hasn't released exploit code, he's not selling or giving it to blackhats. I think "responsible disclosure" is a crock -- if a company has it together they get a patch out within days, if they pull a Microsoft they are stupid and wait until "patch Tuesday".

    1. Anonymous Coward
      Anonymous Coward

      Notice, he used the phrase...

      "responsible disclosure". This would seem to indicate that a company was informed of the exploit but that those who discovered it would be releasing the exploit to the public after a reasonable time. The question is what is a reasonable amount of time?

  24. John Riddoch
    Grenade

    Fixed it for you...

    automated exploitation system sold to security professionals

    should be

    automated exploitation system sold to anyone willing to pay us money, including black hats, dodgy Russians/Chinese hacking groups, etc.

    1. Anonymous Coward
      Thumb Up

      Agree

      The Russian Business Network is just that - in it for the money - and they're probably smart enough to invest a bit now and then in new technology. They might even get a rebate from Legorov and perhaps even a hint or two on what's really going on inside the tool, being as he's of the Russian persuasion too and probably quite fond of his kids.

  25. Lord Lien
    Paris Hilton

    Security flaws.

    Would it be safe to assume that you would need to visit a website that contained malicious code for this to be effective?

    Paris, because she knows malicious sites can get you in to a whole lot of trouble......

  26. Anonymous Coward
    Anonymous Coward

    Surfing using a live CD...

    I've been surfing the net mostly booted from a live CD. In my case using OpenSolaris. Seems like that might be a fairly safe option for people, like me, who just browse some sites and read articles they are interested in. It may be a bit limiting but it's all I need most of the time.

    1. Usko Kyykka

      Guest session

      Ubuntu would seem to have a convenient feature for this sort of thing: the Guest Session. The idea is that each session starts with a clean slate (the home directory of user guest is restored to a default state). [This can be activated from the upper right corner menu of the default gnome setup.]

  27. Simon Waddington

    Wibbly wobbly safety

    I know it's not easily used by the billions of web users out there but Sandboxie has proved to be a wonderful program for me. It can easily be used to sandbox a browser, including firefox, and as far as I humbly know, prevents the siege of nasties. Is this an exploit that circumvents my primary guardian, NoScript? Or is this a dodgy enterprise intending to pimp half-baked exploits?

  28. bluest.one
    Black Helicopters

    Sandboxie

    Decided to run Firefox in Sandboxie - which is now 64-bit OS compatible - until this is all over. Might just continue to do that anyway; there's always something on the horizon.

  29. Anonymous Coward
    Megaphone

    sandboxes...

    "If the OS sandboxed programs in a reasonable way, i.e., by not allowing them to install/run other programs, or to modify themselves, or to read/write files that aren't their own, then all of these security problems would vanish immediately."

    Even though I agree that OS-based sandboxing is a very good idea it does not fix all kinds of problems. SE Linux and AppArmor are indeed a good idea. So is the sandbox of the new IE.

    Yet... it is not a panacea.

    Imagine first visiting www.evil.com and then www.barclays.com. Evil.com will install nastyware into your running browser instance and from that point on transmit your banking details to www.evil.com. The OS sandbox cannot do anything against that threat.

    The nastyware might even be able to install itself persistently by means of a buffer overflow in something like the browser's caching, cookie or bookmarking system.

    Maybe a well-designed sandbox especially for browsers could work around this (by setting up sandboxes for each www server), but the general problem persists, that a sandbox can only contain, but not avoid risks.

    Imagine the malware completely re-rendering the browser window - displaying "I am www.rbs.com, please enter banking credentials now". This certainly requires the cooperation of the user, but we know that inexperienced people often fall for this kind of trick.

    So, OS sandboxes are indispensable in a defense-in-depth strategy, but a safe programming language is absolutely useful as a second layer of defense. Not allowing a buffer overflow in the first place is definitely better than just containing malware.

    Forts have deep ditches, high and thick walls, special geometry and big guns. Just relying on high walls is not sufficient.

    And no, checking array bounds and using smart pointers is not really a significant performance-penalty, while GC languages like Java and .Net are indeed performance hogs.

    Pascal/Delphi demonstrated that to a large degree. It is a sign of widespread unprofessionalism that well-trained software engineers still use C/C++, while knowing about these issues very well.

    Despite the fact that one can still screw up with a safe language, it definitely would be good practice to use them, because low-level issues like buffer overflows are responsible for more than 50% of all security issues.

  30. Anonymous Coward
    Alert

    @Lord

    "Would it be safe to assume that you would need to visit a website that contained malicious code for this to be effective?"

    My lord, I am afraid it would probably be effective for whatever malicious piece of html you viewed with firefox. I suggest you do not visit any websites except theregister.co.uk and that you do not view any html Email, except those of Colonel Waitlove, Countess Mildmanner and Baroness Mudslinger.

  31. Anonymous Coward
    Stop

    So again

    Opera users get to have a huge gloat at all the morons that jumped on Firefix because Mozilla told them it was more secure than Internet Explorer...

    www.opera.com

  32. chris 130
    Grenade

    Just a bunch of Russian asswipes

    Deliberately releasing trouble to show how clever they are?

    Sounds like another pre-pubescent Russian asswipe script jockey kid.

    Bring back Stalin

  33. frymaster

    the definition of open source

    open source means whatever the person damn well wants it to mean. some people mean it's got an OSI-approved license, some people have wider or narrower or totally different criteria

    the MS-PL (OSI approved) has no stipulations on the availability of source code, for example (and is more about protection from patent comeback and preserving attribution) and is only an open source license by the OSI definition if it's attached to source code

  34. Robert Carnegie Silver badge

    Malicious code

    In general, malicious code can be planted on many innocent web sites - unless their own security is state-of-the-art. For instance, even some browsers' handling of picture files such as JPEG has been a route of attack in older versions. So a web site that lets people upload JPEGs could unintentionally distribute malicious code to other visitors. And then too there's actual hacking of innocent sites to make them dangerous. And interference with the domain name service, to make malicious servers be the ones that your own computer communicates with instead of genuine safe sites.

    But are we still waiting to hear whether this particular story is true or false?

  35. WelshTom

    So....

    Does this mean the German Government will recommend not using Firefox like they did with IE?

    I think not...

  36. Robert Carnegie Silver badge

    No, hang on, Secunia

    If Secunia records a problem, is it real? Or just an alert, without verification of a real problem?

    (Firefox on 3.6 still, why izzit reported for "3.6.*" ? Perhaps including next development edition.)
