Gimmie a freakin break

Story: Linux users warned about Firefox flaw
Total Replies: 5
Author Content
Corriher

Sep 21, 2005
1:41 PM EDT
This "extremely critical" security flaw is that maybe... just maybe... someone will be able to use social engineering to get someone to click a link... that under the perfect conditions it might run a shell command AS THE USER ?!? This is an "extremely critical" security flaw? Would the "hackers" in this hypothetical hijack be able to... gasp... read an e-mail... or... gasp... look at a downloaded nudie picture!!! Or would it download to the user's directory an honor system virus script named:

"login_as_root_and_run_me_please.sh"

and contain the commands:

#!/bin/bash
@echo off  <-- (showing haxing eliteness)
LH DOSKEY /INSERT  <-- (more eliteness)
echo -e "\n\t I am an 3L33T HaX0r. Ph33r M3 ! \n"
rm -rf /
REM --- ALL YOUR LINUSES BELONG TO US
REM --- YOUR LINUX COMMAND.COM IS GONE!

I realize that FUD is something which needs to be dealt with, but is there really any point in even acknowledging ZDNet? Really, this is what it accomplishes:

1. Links help prop up whatever traces are left of their credibility, as if we actually take their "journalism" seriously.

2. It gives them exactly what they are trying to accomplish, which is click counts. Hasn't it become just painfully obvious what they do?

3. It feeds the trolls, including the ones on ZDNet's payroll. That Dvork dude showed he is actually proud of shilling, in an article about him being upset his colleague (who was harassing the Groklaw lady) was actually fired for a lack of professional ethics... and that the people who care about them are just "nuts".

4. The audience at ZDNet seriously and overwhelmingly does not have the intelligence to understand issues of network security. Just read the dozens of "Your momma sucks my..." posts. I don't know about you, but I don't know many technical people who actually talk like that. How many REAL Linux advocates act like that? Yeah... I think they must have sock puppets playing both sides of the issue for maximum Linux trashing.

When they made the mysterious John Carrol, a major Microsoft shill, who coincidently lives just outside of Redmond WA, a core "journalist" covering OS issues... well... that was it for me. Please try not to feed the trolls people. They literally just want to drag us down.
sbergman27

Sep 21, 2005
2:01 PM EDT
Well, Secunia *does* rate it as extremely critical. And Secunia is probably the most common place that people point to when demonstrating FF's superiority.

I'm a big fan of Mozilla and Firefox. But even I have to wonder if Mozilla 1.0 did any input validation whatsoever, or if they just decided to leave all that out and patch as vulnerabilities were found. Hey, makes for a smaller download, right?

When Michal Zalewski came out with his mangleme script, it could crash FF (representing a potential exploit) in seconds simply by throwing random pages at it, while IE could take the pounding for hours before it hit something it couldn't handle.

People are fond of pointing out that the Mozilla guys fix things faster. But it is a fact of life that many do not patch in a timely fashion, or even realize that they should. It would be 10x better if Mozilla were more proactive and less reactive wrt security and these "vulnerabilities of the week" did not occur at all. Of course, no software is ever going to be perfect, but there is a lot of room between where Mozilla/FF are now and perfection.
Corriher

Sep 21, 2005
2:26 PM EDT
All of your reply seems accurate. Everyone is probably frustrated at these screw-ups, which any entry-level programmer should know to avoid. These mistakes were flat-out sloppy and careless, so I don't dispute you at all.

We're talking apples and oranges. I am slamming ZDNet because they truly deserve it. Notice that their article title is:

"An 'extremely critical' flaw has been found in Firefox 1.0.6 running on Linux or Unix"

Which should have been in this format:

"XYZ Labs reports a potential vulnerability in ABC package: categorizes it as 'critical'."

How is 'extremely critical' a fact? Isn't that just an opinion expressed in such a way to provoke the readers? Despite your respect for Secunia, can you say with a straight face that you would consider this as an "extremely critical" security weakness? You seem like a bright guy, so I seriously doubt it. Look... if this were Joe Bob off the street, then this could be forgiven. However, these people are pretending to be professional journalists, who have shown a clear pattern of behavior over a period of years which is entirely disgraceful.

If Secunia indeed contends this is "extremely critical", then it is an overreaction.
sbergman27

Sep 21, 2005
2:57 PM EDT
Well, if I understand correctly, you can email a link to someone and if they click to view it, and use FF as their default browser, it can, say, delete all the files in their home directory. Alternatively, one could create a Windows virus that would send the link to addresses in the infected machine's address book, increasing the likelihood of the recipient trusting the email enough to click the link.

That seems quite critical enough to me. Remember that most home users (right or wrong) do not back up their machines. User data is more important than system files. An OS install is 30 minutes. User data is potentially unrecoverable.
Corriher

Sep 22, 2005
8:43 AM EDT
I understand you. So, while you might call it "critical", I would call it merely "urgent". Remote root exploits in Sendmail and Bind are what I call "extremely critical". Anyway... we assume here that the worst case of a successful exploit would be deletions of important user files, and it would be possible in the right conditions. This is, of course, speculation until someone actually is able to create a proof-of-concept exploit. Time will tell.

This isn't meant to disagree, but files which are never backed-up will be lost eventually anyway, regardless of whether the cause is security related. Even if ideally we had perfect software, all files are eventually lost due to user errors, and hardware failures. Thus, the risk of major data loss to anyone who never does backups is already "critical" and impending. The smartest backups are archived off-site, in case of fire or natural disaster.

So, yet again, the biggest security threat is actually poor administration and poor user education. The best medicine is always preventative medicine. As you stated before, the greatest problem with security overall is that people are too reactive, instead of being proactive. You were dead-on target with that.

cjcox

Sep 22, 2005
12:44 PM EDT
I run FF on my laptop... and I tried and tried to get it to run a back-ticked element and could not get it to go. I'm running 1.0.6 on SUSE 9.3. I sent myself an email with a back-ticked element... didn't work for me.
