Firefox security strategy (was: Firefox goodies)
Thomas Charron
twaffle at gmail.com
Thu Dec 29 18:54:01 EST 2005
On 12/29/05, Bill McGonigle <bill at bfccomputing.com> wrote:
>
> catastrophic bug. Guess which one has a zero-day exploit today for the
> same thing that was supposedly patched in the past few months?
Oh! Oh! I Know! FIREFOX!
http://www.frsirt.com/exploits/20051212.fireburn.php
http://www.eweek.com/article2/0,1759,1814056,00.asp
http://www.theregister.co.uk/2005/05/09/firefox_0day_exploit/
... < Insert list here > ...
Exploits are going to happen. They're in the nature of C and C++.
Anytime you have data intermingled with executable code, it can and will
happen. And until someone redesigns compilers, and manages to get it
accepted by the masses, they will be around. Having the source makes it
easier to *FIX* the obscure exploits. Over the years, I've come to the
belief that the argument that it's more secure because more eyes can look at
it is utter poo, because the software changes over time. People DON'T spend
their time going to a several month audit, and find each and every exploit.
They find the ones that cause them problems in the manner that they use the
software. Not many actually sit back and say 'Well, what happens if my URL
is a BEEEEEELion characters long? Ok, it's fine with that many. OH
SHEEEET! Someone used a BEEEEEEEELION and *ONE*!??!?!! Poo!' I'm not
saying no one cares, I'm saying, software, because of the way all of this
evolved, is going to have exploits. Period. Open source has the advantage
that ANYONE can fix it. But saying that the exploit just doesn't happen
because it's open source is just silly.
> And then we have the Mozilla/VMWare Browser Appliance, a totally
> tangential approach:
> http://blog.bfccomputing.com/index.php?p=100
Man, that seems like overkill. It's a hell of a lot safer than driving with
no underwear, but the overhead of an entire virtual machine seems.. Well,
if the steel underpants weigh 50 pounds, I'm thinkin' maybe it IS safe
enough to just wear tighty whiteys and risk getting shot in the ass.. ;-)
Thomas