back to article Mozilla confirms own URL handling bug

The Mozilla Foundation acknowledged over the weekend that its own Firefox browser allows links that can send malicious code to external programs, a security issue that the group had previously argued should be fixed by the browser maker. In early July, three researchers found a way to execute code in Firefox - and potentially …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Anonymous Coward

    What is it with browsers?

    Before the Microsoft-baiting begins can't anyone actually design a secure browser? Let's face it, a browser is a simple enough application (it's hardly an operating system or Office suite?) that should be secure yet the never ending stream of security problems is awesomely depressing. Given that a browser presents such an obvious risk to security don't the likes of Microsoft and Mozilla really need to rethink the whole thing? Shouldn't browsers work in a sandbox environment that can't actually influence the host system? We've had browsers for more than a decade now, this really is poor software development.

  2. Anonymous Coward
    Anonymous Coward

    nooooooo

    It MUST be MS & i.e's fault, it must be. Our beloved browser can't have holes, it must be MS' fault, everything is their fault, me giving my bank details to a nice man in Nigeria, me downloading dodgy files and getting a virus, people stealing my idenity via my "social" website blog sh*te thing, it's all MS' fault, it is!

    It can't be true, next you'll be telling me Apple make phones that have holes in them...lol...what they have..Nooooooooooo! Thud...

    And another one bites the dust.

    Hold on, he's waking up, he's enlightened, he's going outside, wow, he's meeting real people, he is seeing the sun (well except in England). He is born again. He is ALIVE!

  3. Anonymous Coward
    Anonymous Coward

    Re: What is it with browsers

    OK, please design me a secure browser. Can I have it by the end of the day please, after all it will be simple to do so shouldn't take you any time at all.

    Have you ever built software and had it examined by 100/1000s of people, looking for flaws?

  4. Anonymous Coward
    Anonymous Coward

    RE: What is it with browsers?

    "a simple enough application (it's hardly an operating system or Office suite?) "

    You've got to be joking, right?!

  5. Anonymous Coward
    Anonymous Coward

    Simple? Browsers?

    Have you ever tried writing one anonymous?

    I used to work on one, let me tell you they are not a simple application to write - from a security standpoint this is made more difficult because they are expected to allow users to do all sorts of things in the name of progress.

    When all a browser had to do was parse html and display it, then yes it was very simple. These days a browser is expected to be a script host, execution environment, offline application host etc. the list is endless. All of these uses are IMHO fundamentally incompatible with a secure system.

    The idea of executing random script fetched from unknown servers should make any of us a little paranoid. This is why I always install NoScript first on any firefox installation. Yes, it makes things a little less convenient sometimes (you would be amazed how many websites move the location of their js files around - FACEBOOK I'M LOOKING AT YOU!) but I personally feel it's a decent tradeoff against executing stuff you don't get to see first.

    Back to the story, I suspect mozilla will change their argument now - can you really expect an application to rely on some other part of the system to validate it's command line? It could just as easily come from a local source as on the web, meaning that an application *needs* to check it's command line out before using it in any case. It's a crappy argument to suggest that the originator should also do this.

  6. Anonymous Coward
    Anonymous Coward

    Re: What is it with browsers

    Not that I'm making excuses for the authors of browser code (I'm not one btw), but AFAIK a browser is a significantly complex beastie. For one thing, the bulk of your browser data content is coming from external data source(s) which must immediately be untrusted. Unlike a typical Office app, which is most likely to be reading/writing a file on a local disk (obviously Google Apps and the like are steadily changing this notion) which is going to be a trusted source unless your PC has malware/globally accessible network shares/etc.

    Secondly, this external data is rich in content. The zealots will insist that we should just be looking at text-only data. Yeah right. So this rich content offers numerous attack vectors, be it maliciously constructed JPEGs, movies, javascript, ActiveX, etc. Your browser code also has to interpret the CSS, HTML, Java/VB script streams it receives in both a safe manner and a manner which provides all the rich goodies that we want out of our frequently visited web sites these days. (not to mention all the plugin software modules)

    Thirdly, and most arguably, browser software is probably the most run software on the planet by the most users and probably the most non computer literate people at that. So you get this weird mix where all the visual indicators and warnings in the world won't stop someone clicking 'Yes' to the question 'Do you want to install Spyware now?'. Of course this is a software problem, but how do you continue to offer the rich user experience whilst trying to get the balance of what is permitted and what is suspect right automatically? As a mostly UI developer, I find there is always the trade off between ease of use and system integrity. Ideally you want both but time and money will not allow for the gold plated solution.

  7. Chris Ellis

    Both at fault

    Both MSIE and FF are at fault!

    Any program should validate its input data before it does anything else with it, thus MSIE should validate the data pass it to FF which validates it again. It is a common failure with ALL programs that they never validat input data.

    Browsers are not the only insecure programs, infact it is hard to think of many programs which are. It is a generalised failure within the software industry which breads bad programmers and software. Focus is always on cost and not quality.

  8. Anonymous Coward
    Anonymous Coward

    Secure browsers exist

    but they're no fun to use. For example Lynx is a pretty secure browser.

  9. Giorgio Maone

    Already fixed

    It should be noted that, while Microsoft denied this problem, Mozilla admitted its error, filed a bug ( https://bugzilla.mozilla.org/show_bug.cgi?id=389106 ) and already fixed it 2 days ago.

    This means that already available Minefield builds and Firefox 2.0.0.6 release candidates are immune.

    Furthermore, latest NoScript release ( http://noscript.net/getit#direct ) offers early protection against this exploit for those stuck with stable 2.0.0.5.

    --

    There's a browser safer than Firefox... http://noscript.net

  10. CharleyBoy

    Gaol the lot of them

    I run my browsers on linux from within a chroot-ed jail. I've never had a problem and don't worry too much about them breaking out and savaging the system. In fact, I have set these up in the same way for a few newby linux users who wanted the security once they heard that it was - and I've never heard complaints from any of them. Of course updating the browser is a little more of a chore - but you need to do so less often also.

  11. Gaz

    Simple enough application...

    I love users. Show them a working application formed from unfathomable oceans of of blood, sweat and tears and what do they have to say?

    "Oh is that it? Why did it take so long? Why doesn't it protect me from my own terminal stupidity. And wheres the coffee widget?" RAAARRGGGHHH! *makes bad user play dead*

  12. Dillon Pyron

    Noscript

    I love Noscript. I'm stuck with stable at work, so that's my cure. I haven't installed 2.0.0.6 RC at home because, well, because I'm too lazy. But I've got Noscript. I also resist using IE unless I absolutely have to.

    I agree, IE should validate before sending to FF and FF should validate before sending to IE. BUT, FF should validate after receiving from IE and IE should validate after receiving from FF. You should NEVER EVER trust another program to protect you from the bad guys. To do so is either crap design, crap coding or pure laziness. Or more likely, a combination.

  13. Kev

    Validate

    the only way IE could validate parameters passed to a 3rd part app is if the app provided an interface for it to validate against. it couldn't just validate everything against an IE defined set of rules. what might be invalid for your app could be valid for mine

  14. Anonymous Coward
    Anonymous Coward

    Re: Validate

    "the only way IE could validate parameters passed to a 3rd part app is if the app provided an interface for it to validate against. it couldn't just validate everything against an IE defined set of rules. what might be invalid for your app could be valid for mine."

    But IE shouldn't validate the parameters passed to the 3rd part app. The 3rd part app should validate the parameters.

    As Dillon Pyron pointed out: "You should NEVER EVER trust another program to protect you from the bad guys."

    Your suggestion only covers 'good programming'. If I wrote a program taking advantage of the exploit, and wanted to pass data to IE (or another program) in an attempt to do something on your system that I really shouldn't, do you rely on my code to follow the rules, and validate the data before passing them?

This topic is closed for new posts.