| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 30 Jun 2004 13:55:17 -0700 From: "Drew Copley" <dcopley@...e.com> To: <ntbugtraq@...tserv.ntbugtraq.com>, <bugtraq@...urityfocus.com>, <full-disclosure@...ts.netsys.com> Subject: (IE/SCOB) Switching Software Because of Bugs: Some Facts About Software and Security bugs There has been a great deal of talk about people switching to Mozilla because of this recent Internet Explorer issue. This is a serious misunderstanding about security that comes about because of people's ignorance and because they "believe the hype" but do not look at the details. An example: http://slate.msn.com/id/2103152/ *** In less than a day, Internet administrators sterilized the infection by shutting down the Russian server that hosted the spyware. But not before a barrage of scary reports had circled the world. "Users are being told to avoid using Internet Explorer until Microsoft patches a serious security hole," the BBC warned. <..> Scob didn't get me, but it was enough to make me ditch Explorer in favor of the much less vulnerable Firefox browser. *** The issue has been found not to utilize the zero day spyware worm we have seen of late, but utilizes a known and patched IE bug. Previous attacks used this same vulnerability before it was patched, this is true. That attack and the latest spyware zero day attack were both unreported. The latest attack was way over reported and there was a great deal of wrong information in a lot of these news stories. Disclaimer: * I like Mozilla. I use it nearly daily for Usenet. I use it as a secondary browser. I used it as a primary mail client for years. I have worked at an open source company and have been involved in several major open source security projects over several years. * [Primary Caveat to what I am about to say: Microsoft has an atrocious record of fixing bugs. They routinely take six months to fix security issues given to them. Some issues they simply leave open with absolutely no explanation, such as the adodb stream issue which has been used in all of the latest IE attacks. There is absolutely no excuse for this kind of behavior, and people should consider leaving Internet Explorer for this kind of reason... not because because bugs were found.] This said, people should not change browsers "because of the Scob", nor should they assume Mozilla is more secure. Change because of the features or to support Open Source. But, don't change any software because someone found a bug in it... unless that bug was horribly stupid to find. Very often I see people saying "Because of this recent security hole, I am changing to Mac, they are safer". The same argument remains true. Mozilla is safer in some regards. Its' lack of activex is not really the reason, though. For one thing, it has "plug ins". This is how Shockwave runs on it. One of the Shockwave bugs I found also worked in Mozilla. Maybe others did -- I did not even bother to test it. Here are some facts: -> Bug finders want attention. Bug finders want to find bugs that will affect the systems they use and the systems everyone else uses. -> Internet Explorer, for several years, has had 94% of the browsing population. That is everyone. It may not be the most visible majority, but it is definitely the majority. If you have ever managed a large site, you - like me - have likely seen the very same stats. This is a huge majority of the Internet population. -> The very same people are finding these big bugs. It is not like there are a whole ton of unexperienced people finding these bugs. These are the best. They are experts at finding them. They may not always be cognizant of this themselves, the act of finding them may not seem difficult to them, but it is -- and this is clearly shown by the fact that the same people keep finding these bugs. So, what I am saying is: it could be Internet Explorer or it could be Mozilla. Whichever is more popular, ultimately. If these bugfinders spend their time trying to break it, it will be broken. Professional QA and open source QA can not find security bugs like security researchers can. If you want to break an application, you do not hire QA to do it. You hire hackers to do it, people with proven experience. -> It is true. A lot of top IE bugfinders have it in with Microsoft. Liu Die Yu was ripped off by them in China. One top bugfinder had a very bad experience with them as a new computer user. Guninski was viciously attacked by them for a long period of time -- I watched as he became slowly more and more anti-Microsoft until it became an obsession for him. So, Microsoft's PR campaign has made them some pretty hardened enemies. This is true. Companies like Netscape tend to not do this kind of thing because they are used to getting free help and appreciating it. -> Using a Mac used to be far more secure then it is now, because now it is based on the BSD kernel and is far more accessible. Using a Commodore 64 or an Apple II or a TI-99/4A - if these things were possible - would be the most secure of all. This is "security by obscurity". -> Applications which have less foothold, less code, will have less bugs. Applications which have more code and more "landscape" will have more bugs. It does not matter who is developing it. There may be some freaks out there, mutants, who can write flawless, absolutely safe code. But, most of us are human beings. -> Anyone that has worked in the software development field knows and understands that applications have bugs. This is a fact of life in these fields. End users are extremely buffeted from this fact of life because everything that goes into selling the products tries to keep that from them. Yet, what end user could forget just how often their application crashes or their system? It happens all the time. And, if you are using a certain application or OS all the time, you may think it only happens to you and only with this software. This is not true. (It may be true that some users on some OS's do experience less bugs, but they well know they do not do the kinds of things which require software with more "foothold" or code for which bugs might happen -- you shouldn't expect to see a lot of bugs in your experience if all you use is notepad.) Conclusion: Mozilla may be better. I think there is some strong chance of that. But only marginally. It has had bugs. It has a lot of features, which means a lot of potential for security issues. They have kept their browser more conservative then Microsoft has kept Internet Explorer. Traditionally, Mozilla developers have been far more "RFC compliant" - as the saying goes then Microsoft. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Powered by blists - more mailing lists