[TETENAL]

It's gone, the myth of invulnerability of Mozilla users: one wrong click may be enough to infect your system with spyware -- even if you are using Mozilla or Firefox. The reasons are quite similar to well known security holes in Internet Explorer.

[…] The exploits of the last months shattered Mozilla's image as a secure browser. Embarrassing crashes, known from Microsoft's worst days, only made things worse. There was a fix of a serious security problem. Thousands of users downloaded MBytes from the net to install the new version only to learn a short time later that developers had disabled the demo exploit but left the hole wide open. A minor change in the exploit code made it work again.

Instead of patching holes here and there, it is about time to reconsider the security concept. Developers are aware of the situation: "we have done a crappy job lately, patching just symptoms and producing compatibility problems without fixing underlying security holes." Brendan Eich, inventor of JavaScript and Mozilla's chief architect rages in bugzilla.

more…

[BasketofPuppies]

Duh.

Anyone who thought Firefox's superior security was genuine and not because low market share meant fewer hackers were looking for holes was naive, uninformed, or an anti-Microsoft zealot.

[Mediaman_12]

The big difference is that, IE security hole=Gateway to the rest of the OS (due to it's deep integration in to XP). While a Firefox/Mozilla security hole=access to parts of Just Mozilla (hopefully), sure you have a load of passwords etc. stored in there, but it's unlikely to turn the machine in to some sort of bot host.

[CharlesS]

Originally Posted by Mediaman_12

The big difference is that, IE security hole=Gateway to the rest of the OS (due to it's deep integration in to XP). While a Firefox/Mozilla security hole=access to parts of Just Mozilla (hopefully), sure you have a load of passwords etc. stored in there, but it's unlikely to turn the machine in to some sort of bot host.

According to the article, it can be used to write files to the disk, so it could quite easily be used to give access to the rest of the OS. For example, you could write an executable file somewhere, and then write the appropriate XML to ~/Library/Preferences/loginwindow.plist and voilà, your bot is running at the next login.

The reason given for this was that because of the brilliant decision to make the entire UI in JavaScript, the chrome has to be able to save files to the disk for things like the File->Save menu item to work. Through chrome, a web page can get full read/write access. Apparently, the Firefox developers didn't learn from the mistakes of ActiveX on IE at all. Fortunately, there's still Camino and Safari on OS X. Windows users are screwed until this is fixed, though...

[ghporter]

Originally Posted by Mediaman_12

The big difference is that, IE security hole=Gateway to the rest of the OS (due to it's deep integration in to XP). While a Firefox/Mozilla security hole=access to parts of Just Mozilla (hopefully), sure you have a load of passwords etc. stored in there, but it's unlikely to turn the machine in to some sort of bot host.

When Mediaman said "the rest of the OS," he was NOT exagerating. Not only can IE write files, it can EXECUTE them as well, along with executing COMMANDS that are not even normally available to the user. A bug that exploits a hole in IE can completely take over a computer.

Mozilla browsers, on the other hand, run on an application level, not as part of the OS, so they have very limited access to the rest of the system. Further, they are maintained by people who are interested in them, rather than a management team that's mostly interested in a bottom line. While there were some holes in Firefox recently, they were fixed FAST. Not like MS's reactions to holes in IE.

Certainly Mozilla browsers aren't "invincible," but they're a damnsite more secure than IE.

[Millennium]

Of course Mozilla isn't invincible. Neither is OSX. However, as others have mentioned, Mozilla's model does not allow for all of the same things as IE. There are certain classes of exploit which cannot occur on Moz, but this isn't so much a product of Moz being good as it is a product of IE being so bad as to introduce completely new kinds of exploits.

Macs are more secure than Windows PCs, but they are not invincible. The same is true of Mozilla versus IE. But for both Mozilla and the Mac, the reverse also needs to be kept in mind: they are not invincible, but they are better. There is some truth to the idea that Mac and Moz will be exploited, given enough time, but there is only some truth to it: when these exploits are found, they will be harder to trigger and not nearly as damaging as their Windows counterparts.

[CharlesS]

Originally Posted by ghporter

When Mediaman said "the rest of the OS," he was NOT exagerating. Not only can IE write files, it can EXECUTE them as well, along with executing COMMANDS that are not even normally available to the user. A bug that exploits a hole in IE can completely take over a computer.

If you can write to ~/Library/Preferences/loginwindow.plist, you can execute commands. Sure, it's harder to do, you have to wait until the next login, and it's platform-specific. But it can be done.

They need to fix this ASAP.

edit: TETENAL is right; you don't even need to do this. It lets you execute files via file.launch(). Bad, Mozilla, bad...

[TETENAL]

Originally Posted by ghporter

When Mediaman said "the rest of the OS," he was NOT exagerating. Not only can IE write files, it can EXECUTE them as well, […]

You two didn't read the article. Firefox can do the very same thing.

While there were some holes in Firefox recently, they were fixed FAST.

They were patched but the underlying problem will only be started to be addressed with Firefox 1.1

[ghporter]

Originally Posted by TETENAL

You two didn't read the article. Firefox can do the very same thing.
They were patched but the underlying problem will only be started to be addressed with Firefox 1.1

While it is possible, it is Much Harder to do, and because of IE's market saturation, the extra code to identify the browser and select the appropriate exploit is much less attractive-call it protection through a different, much easier target.

Of course v1.1 will have to fix a number of issues, but remember that Firefox is user-supported in much the same way that Linux is. When a hole is detected, a number of independent people examine it, and then they patch it very quickly. There's no executive software control committee approval needed; the coders explain what they've done and how they've tested their code, and it's posted pretty quickly after that.

I'm not at all saying that Firefox is immune to anything, but since it is NOT part of the OS, it is significantly more secure by nature than IE ever can be. Exploits are harder to use, (and harder to find) and the weaknesses in its code are found and fixed more easily. While there is no doubt some "pride in authorship" among the people who have coded Firefox, it is nothing like the corporate "we're always right" mentality of Microsoft. Further, good coders like the chance to fix things they missed, and often find and fix other problems not previously detected. This is known as "professionalism," something that does not seem to be part of Microsoft's lexicon.