Message-ID: <200407011709.47801.tcgreene@verizon.net>
Date: Thu, 1 Jul 2004 17:09:47 -0400
From: "Thomas C. Greene" <tcgreene@...izon.net>
To: "Drew Copley" <dcopley@...e.com>, <ntbugtraq@...tserv.ntbugtraq.com>,
<bugtraq@...urityfocus.com>, <full-disclosure@...ts.netsys.com>
Subject: Re: (IE/SCOB) Switching Software Because of Bugs: Some Facts About Software and Security bugs
Drew, you make some valid points. However, I think your conclusion is off the
mark nevertheless. Admittedly, IE's vast installed user base and MS's
arrogance regarding security (and many other matters) have influenced the
number of bugs that come to light. No argument there. However, there *are*
valuable security advantages inherent to the more platform-independent
development style of a product like Mozilla, and inherent to the fact that
it's open source as well.

Developing across platforms leads to a more modular product, with the effect
that a security vulnerability in one component will not typically extend into
another. In this situation, bugs can be patched without fuss, and simple
workarounds are often available. It is the highly interlaced, interdependent
architecture of Windows and its apps and clients, and the way they're
designed to interact, that often makes patching so time consuming and
difficult, and so deplorably slow, as you noted. A browser that doesn't have
as much access to the guts of the system is simply more secure by design.
It's less of a threat to begin with, and it can be patched more easily.

Also important is the simple fact that it's open source and therefore
transparent: anyone is welcome to review the source code and see for himself
exactly what it does and how it works. There are no secrets in Mozilla.

On the other hand, Internet Explorer and Outlook Express (and Netscape and
Opera) are closed-source products. Microsoft doesn't permit consumers to look
under the hood, so to speak. All we're told about these products is what's
stated in the documentation, but Microsoft has for decades included
undocumented functions in many of its products. Obviously, any software
containing secret functions is an obstacle to good security.

Furthermore, Mozilla offers users more control over potentially risky features
like JavaScript. It doesn't run ActiveX controls, a dangerous, powerful
gimmick with which Microsoft is much enamored. It offers superior user
privacy with better management of the URL history, page cache, cookies,
plugins, and passwords. It doesn't store data traces in the Registry, or
clog up the system with index.dat files, thereby making data hygiene easier
and more certain. And it doesn't use MS's preposterous security 'zones' that
are so confusing to novices, and easily exploitable with scripts anyway. It's
ludicrous to expect users to know which Web sites they can trust. Any site
can be malicious, and even a 'trustworthy' one can be compromised. Scob
showed people how essentially stupid the 'zone' scheme is, just in case
anyone was fool enough to doubt it.

Finally, Mozilla is produced by people who *wish* to work on it, not people
who have merely been commissioned to work on it. The developers care about
what they're doing, and it shows. Firefox and Thunderbird are even better,
as you noted, though some users prefer a more feature-rich product. For
them, Mozilla is a vastly superior replacement for IE and OE.

Your memo was indeed factual, as promised; but your facts failed to support
your conclusion that Mozilla is no more secure than IE and OE. It's
immensely more secure. And that's a fact ;-)
chrz,
tom
==============
Thomas C. Greene
Associate Editor
The Register
http://basicsec.org
http://theregister.co.uk
On Wednesday 30 June 2004 16:55, Drew Copley wrote:
> There has been a great deal of talk about people
> switching to Mozilla because of this recent Internet
> Explorer issue.
>
> This is a serious misunderstanding about security
> that comes about because of people's ignorance and
> because they "believe the hype" but do not look at
> the details.
>
> An example:
> http://slate.msn.com/id/2103152/
>
> ***
> In less than a day, Internet administrators sterilized
> the infection by shutting down the Russian server that
> hosted the spyware. But not before a barrage of scary
> reports had circled the world. "Users are being told
> to avoid using Internet Explorer until Microsoft patches
> a serious security hole," the BBC warned.
>
> <..>
>
> Scob didn't get me, but it was enough to make me ditch
> Explorer in favor of the much less vulnerable Firefox
> browser.
> ***
>
> The issue has been found not to utilize the zero day spyware
> worm we have seen of late, but utilizes a known and patched
> IE bug. Previous attacks used this same vulnerability before
> it was patched, this is true. That attack and the latest spyware
> zero day attack were both unreported. The latest attack was
> way over reported and there was a great deal of wrong information
> in a lot of these news stories.
>
> Disclaimer: * I like Mozilla. I use it nearly daily for Usenet. I
> use it as a secondary browser. I used it as a primary mail client
> for years. I have worked at an open source company and have been
> involved in several major open source security projects over
> several years. *
>
> [Primary Caveat to what I am about to say: Microsoft has an atrocious
> record of fixing bugs. They routinely take six months to fix security
> issues given to them. Some issues they simply leave open with
> absolutely no explanation, such as the adodb stream issue which
> has been used in all of the latest IE attacks. There is absolutely
> no excuse for this kind of behavior, and people should consider
> leaving Internet Explorer for this kind of reason... not because
> bugs were found.]
>
>
> This said, people should not change browsers "because of the Scob",
> nor should they assume Mozilla is more secure. Change because of
> the features or to support Open Source. But, don't change any
> software because someone found a bug in it... unless that bug
> was horribly stupid to find.
>
> Very often I see people saying "Because of this recent security
> hole, I am changing to Mac, they are safer". The same argument
> remains true.
>
> Mozilla is safer in some regards. Its lack of ActiveX is not
> really the reason, though. For one thing, it has "plug ins". This
> is how Shockwave runs on it. One of the Shockwave bugs I found
> also worked in Mozilla. Maybe others did -- I did not even bother
> to test it.
>
> Here are some facts:
>
> -> Bug finders want attention. Bug finders want to find bugs that
> will affect the systems they use and the systems everyone else uses.
>
> -> Internet Explorer, for several years, has had 94% of the browsing
> population. That is everyone. It may not be the most visible majority,
> but it is definitely the majority. If you have ever managed a large
> site, you - like me - have likely seen the very same stats. This is
> a huge majority of the Internet population.
>
> -> The very same people are finding these big bugs. It is not like
> there are a whole ton of inexperienced people finding these bugs. These
> are the best. They are experts at finding them. They may not always
> be cognizant of this themselves, the act of finding them may not
> seem difficult to them, but it is -- and this is clearly shown by
> the fact that the same people keep finding these bugs.
>
> So, what I am saying is: it could be Internet Explorer or it could
> be Mozilla. Whichever is more popular, ultimately. If these bugfinders
> spend their time trying to break it, it will be broken.
>
> Professional QA and open source QA can not find security bugs
> like security researchers can. If you want to break an application,
> you do not hire QA to do it. You hire hackers to do it, people
> with proven experience.
>
> -> It is true. A lot of top IE bugfinders have it in for Microsoft.
> Liu Die Yu was ripped off by them in China. One top bugfinder had
> a very bad experience with them as a new computer user. Guninski was
> viciously attacked by them for a long period of time -- I watched
> as he became slowly more and more anti-Microsoft until it became
> an obsession for him.
>
> So, Microsoft's PR campaign has made them some pretty hardened
> enemies. This is true. Companies like Netscape tend to not do this
> kind of thing because they are used to getting free help and
> appreciating it.
>
> -> Using a Mac used to be far more secure than it is now, because
> now it is based on the BSD kernel and is far more accessible. Using
> a Commodore 64 or an Apple II or a TI-99/4A - if these things were
> possible - would be the most secure of all. This is "security by
> obscurity".
>
> -> Applications which have less foothold, less code, will have fewer
> bugs. Applications which have more code and more "landscape" will
> have more bugs. It does not matter who is developing it. There may
> be some freaks out there, mutants, who can write flawless, absolutely
> safe code. But, most of us are human beings.
>
> -> Anyone that has worked in the software development field
> knows and understands that applications have bugs. This is a fact
> of life in these fields. End users are extremely buffeted from this
> fact of life because everything that goes into selling the products
> tries to keep that from them. Yet, what end user could forget just
> how often their application crashes or their system?
>
> It happens all the time. And, if you are using a certain application
> or OS all the time, you may think it only happens to you and only
> with this software.
>
> This is not true.
>
> (It may be true that some users on some OS's do experience fewer bugs,
> but they well know they do not do the kinds of things which require
> software with more "foothold" or code for which bugs might happen -- you
> shouldn't expect to see a lot of bugs in your experience if all you
> use is notepad.)
>
> Conclusion: Mozilla may be better. I think there is some strong
> chance of that. But only marginally. It has had bugs. It has a lot
> of features, which means a lot of potential for security issues. They
> have kept their browser more conservative than Microsoft has kept
> Internet Explorer. Traditionally, Mozilla developers have been
> far more "RFC compliant" - as the saying goes - than Microsoft.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html