lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
From: bkfsec at sdf.lonestar.org (Barry Fitzgerald)
Subject: (IE/SCOB) Switching Software Because of Bugs:
 Some Facts About Software and Security bugs

Drew Copley wrote:

>Conclusion: Mozilla may be better. I think there is some strong
>chance of that. But only marginally. It has had bugs. It has a lot
>of features, which means a lot of potential for security issues. They
>have kept their browser more conservative then Microsoft has kept
>Internet Explorer. Traditionally, Mozilla developers have been
>far more "RFC compliant" - as the saying goes then Microsoft. 
>
>
>
>  
>

Hello Drew,

       I'll start with my own disclaimer.  I have been a Free Software 
developer in the past and my bias is hereby established. 

       However, while I agree with the general point that any piece of 
software will have bugs and switching simply because a bug has been 
found is a bad idea, to say that is not to say that all bugs are equal.  
(I know that that's not what you were saying, but I know that someone 
will read into what was said that way.)  I'm sure that MS Calc has 
bugs.  I know, though, that MS Calc's bugs are, most likely, not going 
to allow black hats to compromise systems and steal people's data. 

       I've had experiences in the past that have shown me one thing and 
one thing alone: the argument about marketshare being the primary 
motivation of all cracking is played up far too heavily.  Many black 
hats and script kiddies focus their bugfinding on the most-installed 
target, this is true.  But, there is a sufficient body of people out 
there still attempting to target other applications -- some of them are 
very bright.  I always wince whenever I see someone bring up the 
marketshare argument because my prior experience dictates that it is 
simply not so simple.

       In my opinion, Microsoft's biggest flaw with Internet Explorer is 
that it is a program that can take untrusted content and process it in a 
trusted manner.  Yes, I know about zoning and yes I acknowledge that as 
long as people have the write to access/modify something, there's always 
some way that they can shoot themselves in the foot.  However, there's a 
far difference between people executing programs off of websites/emails 
and people simply viewing a website and being "infected" by a 
trojan/adware/spyware.

       We both know that this scenario is not new.  We also both know 
that Microsoft is not the only one who's been caught mixing trusted 
processing methods and untrusted processing methods in the same piece of 
software.  However, it's my decided opinion that a web browser's sole 
design priority is to process input that is, by definition, unsafe in a 
safe way.  A program, like Internet Explorer, that mixes OS function 
with (in my opinion, very poor) sandboxing will always have backdoors 
that allow people to execute code in a trusted fashion.  Programs that 
do not include this code will never have those types of flaws.

       I would like someone to prove that Mozilla can be tricked to run 
software in the background without the user's knowledge.  I don't just 
mean running an XPI on a system with software installation enabled.  I 
also mean without using a plugin to carry out the attack.  I also don't 
mean javascript-based XSS attacks - those are a different animal.

       I mean a full-on attack using a plain vanilla install of Mozilla 
to silently attack a system and compromise it. 

       The next stage, once that's been proven, is to not just put a 
bandaid on Mozilla, but to fix the architecture so that that type of 
attack cannot be carried out.

        That is the solution to this type of problem.  That is where 
Internet Explorer (and conversely, Microsoft and many other companies) 
has failed.  I don't think that it's one bug that's changing anyone's 
mind - rather, it's the history of bugs and lack of attention that's 
plagued people.

        I don't mean any disrespect saying this - it's just my 
perspective.  I agree with the majority of what you've said, in 
generalization -- but, in specificity, I tend to disagree, err - if that 
makes sense. :)

                    -Barry

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ