You'll have to excuse me if you think I (or others) have been making a big deal over one Firefox flaw, but in my opinion it is much more than one flaw. With all the fuss over Internet Explorer and its flaws recently, I think it is important to show that when the tables are turned and Mozilla is the one with the flaws exposed, they were able to correct the problem in a few hours. Also, thanks to kainashi for alerting me to this story in BPN.
Adam Sacarny, a freshman at Columbia University, has put together a very interesting timeline of the way the recent "shell:" exploit in the Mozilla application suite was handled. Sacarny put together the timeline as a way to demonstrate to his friends and potential Firefox converts why he feels Firefox is superior to Internet Explorer from a security point of view.
Every point in the timeline is backed up with linked sources.
To summarize the timeline: at 13:46 GMT on July 7, Keith McCanless files a bug in the Bugzilla database reporting the vulnerability. The bug is marked private since it is security-related; only developers with proper clearance can see it. Around three hours later, at 16:26 GMT, Josh Perrymon sends the first e-mail to the “Full-Disclosure” mailing list about the vulnerability. The vulnerability is now known to the world.
Two hours later a patch was created by Mozilla developer "timeless", then approved three minutes later by Mike Shaver. Over the course of the next few hours, the flaws are cleared up in all three affected programs. In fact, around 13 hours after the flaw was discovered, at 03:23 GMT July 8, all Mozilla code was fixed. At 20:53 GMT July 8, the mozilla.org website had the new downloads listed.
The full timeline is a very interesting read, and gives some insight into the way the Mozilla group works. Sacarny deserves a hand for his handiwork, as does the Mozilla team for their speedy handling of this bug.
View: Sacarny's Blog
View: 'Mozilla updated to correct Windows protocol bug' (posted on Neowin July 8)
News source: In-House

NEOWIN - Do your research. The bug in Firefox had to do with WINDOWS... Mac and Linux versions of Firefox were not vulnerable.
So your precious Microsoft STILL is at the heart of the bug. Oh - and the bug was fixed the day it was discovered. How's that for fast? Aren't you guys still waiting on IE fixes for KNOWN critical vulnerabilities?? Sheesh.
Sorry, but your news headline "comment" was an obvious troll.
So how is this a fault of Windows yet Mozilla is the only browser it affects? Surely it is a confluence of "features" that has allowed this to develop into an exploit. The blame lies firmly with both organisations; if you can really blame any org for such a bug.
This is an excellent point.
If Windows has an issue with a certain protocol, feature, or function, then an app written for it ought to take the OS flaw into some account - if nothing else, then for the sake of the users.
Last edited by 411 on 10 Jul 2004 - 07:09
Guys no one is perfect. It takes bigger people to admit when you screwed up.
All I have seen from you Firefox people is flag waving and trumpeting about how great you are. This is a horrible example of open source and you should just let it go. Two years went by and a bug was labeled WONTFIX. I don't find that to be a ringing endorsement for Moz or Open Source Software in general.
This is not something to be happy about. What you should be saying is what went wrong 2 years ago to mark this a WONTFIX bug. The more you distort the truth about this the less credibility you have. Frankly after reading this its spin spin spin. Almost getting like politics.
Which they should. Mozilla should have a white list or they should duplicate IE's security zones. It's ridiculous that this wasn't fixed a long time ago. And this bug does apply to this most recent deal.
This clearly shows how Internet Explorer is actually good.
Mozilla just releases a bugfix without any concerns on the consequences. What if a company is using Mozilla, and the shell:// protocol for their internal programs?
Their programs wouldn't work anymore because of the so-called "fix". Then they could as well not use it, and also be susceptible to other attacks.
When IE finds a bug/exploit, they fix it rather quickly (no, not as quick as in this case, but I'm sure they could do a workaround that quickly as well). And then they release it as a beta, to make sure that it is a proper fix and not a quick "workaround".
I thought you were joking...but you aren't. If there was a single site or group that relied on this technology to automatically open protocols without user input, they would have complained by now or (dun dun dun!) not upgraded. There is no-one, and I suggest you find some sort of example before making assertive comments like your post above.
oh come on, man! That would require researching facts instead of using readily available opinions!
http://dobbse.net/thinair/2004/05/help-url-exploit.html As it says it is used internally for their help system. I believe it is used to launch some programs as well.
So whether you want to acknowledge the fact or not, it is used.
On our intranet site as mentioned earlier, it's used to open up different programs, and also to configure them. We had one which opened Outlook and it would automatically make the account.
Everyone: dump MS & go Linux!
Dale, I highly suggest you switch in 2 years. It's great by now, but the next goal is automatic hardware detection/installation like Mac OS X. Then, it'll truly rock.
"Oh look at us, we fixed a bug in 13 hours."
I'm sorry, if Mozilla needs this kind of hype, great. Personally, I see right through it. If you think they're the only company that can fix a bug in 13 hours, or if you think Microsoft can't do it either, you really need to rethink your point of view on coders in general.
You can claim all you want that it's not possible, or MS doesn't fix known issues, but it's all a matter of priority. Just because your priority doesn't mesh with the rest of the public, is not a defining factor in a company's ability to produce code quickly, whether you would like it or not.
OMG, K, Mozilla Rocks.
"Oh look at us, we fixed a bug in 13 hours."
Minor correction:
Grandstanding at its finest.
"Oh look at us, we fixed a WINDOWS OS RELATED bug in 13 hours."
For the most part, they usually succeeded (not always, but they tried). Netscape, on the other hand, seldom released patches within 48 hours, and sometimes took up to two weeks before releasing a fix. And MS still has that policy today...it's just that there are some issues that aren't that easy to fix without completely breaking something else.
Last edited by 29300 on 10 Jul 2004 - 19:50
Meaningless. Context is everything. I can just as easily say that Firefox has been working on a stable release for 2 years now (because it hasn't reached 1.0 -- and they themselves say that it's not ready for mission-critical tasks).
Did they say that was the time it took them to write it? To regression test it? To test it cross-platform? No. 48 hours is actually quite good to go from known problem to cross-platform-regression-tested patch. But we'll never know which side you're poking at now, will we?
Again, irrelevant. You know how many known vulnerabilities are still unpatched in Firefox? More than IE! Before you immediately hit reply and slam the bejeezus out of me, read on! You know why I do not think this is bad of Mozilla (regardless of it being an in-development product)? Because the chances of an exploit using those vulnerabilities are near zero.
(a hypothetical) I have a key in my lawn. It is hidden in my backyard. My backyard is 3 acres. The amount of time it would take for someone to find that key is so massive I can safely leave it there. Many people do this. Yes, it's a risk, but it's so minimalized that it's considered a non-threatening risk.
You can look at known IE bugs and see them as flaws. I can look at the bugtraq in Firefox and see the same thing. Who cares, really? Where are the exploits for these known vulnerabilities you've seen for so damn long? I'm not going to berate Mozilla for having known bugs that aren't fixed. Every product has them. Really. It's a matter of user impact, known exploits, etc, that make these fixes priority.
13 hours to patch is very very fast, maybe a little too fast, but all the same they've patched it. I mean, for all you guys know it was a simple simple simple error that caused the faulty code and took only a couple of minutes to fix. I've had a big hole in an intranet site I've written and it was all because I mis-checked a variable; see how easy it is, and it's just as easy to fix.
Firefox isn't ready for everything yet; it's still a development browser, but all the same it's stable and the code is maturing nicely, and will continue to as long as people keep finding bugs. But ranting and raving about this one is silly; in fact ranting and raving about a bug that doesn't cause system failure or loss of data or credit card details is silly.
IT'S BEEN FOUND, IT'S BEEN FIXED, END OF...
They should have fixed this problem long before this.
You can call me a "fan-boy" if you'd like, but it just shows that you don't truly understand what's going on.
This story isn't saying that the Mozilla organization is the only one that can fix a bug in 13 hours. It's showing that they actually care enough to do that. I have no doubt that Microsoft developers could have done such a thing, but they don't care enough to get it out as quickly.
You should run for public office.
You should run for public office.
I don't like politics much, thanks.
And btw, what the hell does "spin spin spin spin..." mean? That's the dumbest thing I've ever heard. You tell me why MS doesn't put out bug fixes very quickly.
And come on, there's no way that bug you posted has anything to do with this. If Mozilla were to take out ALL external handlers, how can you open up IRC and AIM links? Unless you're somebody who knows how to look at the source (or just the status bar), then you're out of luck, and the average user doesn't really care enough to snoop around figuring out where the link is pointing to and how to use the information it contains.
User #1 calls in and says "I have a problem with the CSSv2 rendering code. It's not working well in my page."
User #2 calls in and says "Download.Ject is causing a problem on IE worldwide."
This is a clear example of priorities. Of course MS is going to work on #2 first.
User #1 calls: "I have a problem with CSSv2"
User #2 calls: "I have a problem with PNG alpha rendering"
This is an unclear issue of features. CSS as I understand it is not entirely handled uniformly. This exact same growing pain existed in the original HTML specs... there were different ways to do the same thing, based upon the verbiage in the spec. In the other case, this is something that is requested as a feature improvement. I'm sure MS is working on fixing CSS support, and that PNG is being worked on, but not as a priority -- and to be clear, that would not be classified as a "bug".
User #1 calls: "There's a page fault when I click on something"
Maybe this is a bug. It's handled, tested, regression tested, tested some more. Why isn't there a patch released immediately for it? Well, like most actual bugs, these are saved for service packs. The only thing released publicly are critical updates -- the kind of bugs that actually are security-related. Chances are the person who called in on the incident -- and anyone else who called in on the incident -- will get the patch, if one exists. Have you really tried calling in on an actual, verifiable bug (and to be clear here, not something that could be classified as something you want as a feature upgrade) and not gotten a satisfactory answer? Every time I've called I've always gotten a satisfactory answer. Maybe your answers vary, but I'd suspect you're probably calling asking for tabbed browsing or something. That would not be a bug.
Let me remake your statement into "Microsoft doesn't put out security patches very quickly" since that would be perhaps more accurate -- and go from there.
If I were to call Microsoft and show proof of a problem (basically getting to the point here that I can contact someone and verify there is a problem out there that needs attention), there will be immediate work done. I would be willing to bet there are patches available relatively immediately, just like the "bug" issues I listed above. However, there is the known issue of publication, testing, and distribution, which are problems that Microsoft has detailed many times in many conferences, and it goes something like this:
The moment Microsoft publishes a vulnerability -- in other words, making it known to the public -- the public has a greater risk immediately of being abused by that vulnerability as a direct result of that announcement. The reasons are obvious. Hackers know about the problem, they know a focal area to work on, they can exploit it faster, or the "wild code" that might be out there gets distributed by malicious people simply because they know it works -- it was confirmed by Microsoft! So simply keeping quiet about problems, actually does help issues, in certain situations.
Then there is the problem of distribution, where the patch has to be made available to everyone. There was a problem about a year ago where patches were being released willy-nilly. People stopped applying them because they (mostly companies) had to almost have a full-time person on staff to test patches on systems prior to deployment because one could come out any time. In order to fix that, Microsoft has basically lumped all security issues into one monthly release, rather than all the time. They've basically stated that there is no additional risk to immediate disclosure, based upon the "publication" problem. And let me make this point very very clear: They are absolutely willing to break this policy based upon known or wild issues of magnitude. So of course they'll release a critical security patch on a Sunday night at 2am if the exploit is in the wild and moving fast. But if some guy in Missouri noticed a problem and is just informing MS and no one else has said anything, and there's no code example in the wild to exploit it or there isn't an easy way for the problem to be replicated across networks, sure -- that security patch will wait til the next batch. It's really just a matter of priority.
I skipped testing, though it's still important. I'll bet you that MS has a patch for every single problem -- once verified as an actual bug or exploit by the engineering team -- within hours of an initial report. You'd be absolutely naive if you believe differently. But it's a careful balance to release an untested, unproven patch to zillions of machines immediately without very carefully weighing the problems of distribution and publication first. Chances are that the engineering team releases patches to the people reporting the problem first, to get verification that it works for them. That's standard. Then there are some careful analyses done to determine what the risk is. All the while, this patch has to be regression tested as best as possible against many different code bases.
In regards to your first post: Microsoft does care to get patches out quickly. But it's almost irresponsible to do it in the manner that open source does it. If open source does it badly, the repercussion would be that "oh that one checked in code from last night was bad, sorry, new build coming right now..." but if Microsoft does it badly, the repercussions are far, far greater. This coming from a product that isn't even supported yet too. They have no fear of any failures. In effect, the patch is being tested by us right now, because they have no testing methodology for the patches.
So yeah... Mozilla put out a patch written by one guy in 13 hours. I'm impressed.
Last edited by 48053 on 10 Jul 2004 - 08:51
That is completely true. We've tested several patches that were written based around specific problems we'd discovered, and we were the only people to have them before release. Proving a patch works can take a long time depending on the issue, and proving it affects nothing else is even tougher.
Mram, I've enjoyed reading your posts on this matter. Most of the kids (let's face it, that's what most are) here have no real idea what they are talking about.
They probably haven't.. Need a retail version, not a pirated copy...
I really think you should look elsewhere for successful OS projects. Mozilla isn't one of them. See Apache for truth in advertising.
If you are using Moz or firefox because you believe them to be more secure you will find out shortly how very wrong you are. I guarantee as it gains in popularity so will these exploits. This is just the beginning.
As to your comment about people and pride I guarantee you MS engineers take every bit if not more pride in their work. It's interesting how you play the corporate bad guy play on MS then say Mozilla is run by the people. I'll call horse **** on that right now. Bottom line is Mozilla is funded by an incredible array of corporate interests. Moz does not exist because they care about you.
Talk to some of the MS devs and I guarantee you will not find a finer group of dedicated people. There is a reason people work for MS. And they don't just hire joe schmoes. They pay for the cream of the crop and have some of the most talented people developing software today.
Really the rhetoric is getting out of control. Turn your blinders off and read the post above.
Last edited by 20309 on 10 Jul 2004 - 08:18
I agree. And if you read many of the bugzilla comments, you'll find that a fair bit of politics come out in it. Many design and security decisions were made with corporate interests taken into account.
Try talking to some opensource devs and I guarantee you will not find a finer group of dedicated people. There is a reason people work for opensource and it's sure not the paycheck. They get the cream of the crop and have some of the most talented people developing software today.
Really your rhetoric is getting out of control. Turn your blinders off and read the post above.
The best thing about you guys is I can always count on you being unoriginal!
You even copy other people's posts!
Congratulations Werejag you have just perpetuated an OSS stereotype!
Please do some research first.
Windows is a huge program. Massive. Internet Explorer is as well. We are talking MILLIONS of lines of code and over 20,000 people that have to UNDERSTAND That code and collaborate to change it. They can't just make a change to it by themselves, they have to make sure the rest of the 'teams' understand on the change and have to brainstorm on it, making sure it's correct and needed. THAT TAKES A HELL OF A LOT OF TIME.
Other people should just s.t.f.u. if they don't know what they're talking about.
They allowed the "shell:" command in the first place on the URL line.
If any program allowed the launch of a separate program through a non-thorough evaluation of the launching mechanism (in this case, why allow anything other than http:// or https:// or ftp:// if this is only a web browser) then regardless of underlying code that may facilitate this, it is still sloppy programming in the first place.
Now if and only if you seriously want to blame this on Microsoft then you have to accept that Mozilla was using a Microsoft API in order to invoke or parse the URL line from the Firefox browser (which would be an embarrassment to the Firefox crew, and I know this isn't really the case) or you need to realize that this isn't really a bug at all. SP2 fixes this pseudo-bug by basically restricting programs from launching other programs in the local space to a degree, in much the same way that a virus would launch Outlook Express and send a billion emails without your permission or knowledge.
That's why they simply removed it for 0.9x. What did it break? Nothing, because it never should've been allowed in the first place. Was it Microsoft's fault? If you say so... if I wrote a program that allowed a user to run anything on my machine by typing a command then apparently it would be microsoft's fault then too, right?
Or Mozilla could stick to writing just a browser, instead of an application launchpad.
Well.. You can't guarantee that http, https, and ftp will be the only types of protocols used in the future. Plus, people do enter in locations on their hard drive directly to open local html or folders (type in C:\windows for example)..
Also, people seem to forget that Firefox is in BETA.. It isn't supposed to be vulnerability or bug free.. That is the POINT of BETA TESTING....
I totally agree. But they allow the "shell:" line to function. If there is something new in the future, or they implement a feature, then that should be supported.
Typing in "c:\windows" translates to a "file:" command, which is also supported. Since this is rendered within the browser, this is not an external launched program. It is also being encoded by the browser.
I suppose I'm just saying that the only real "fix" here was to remove a command they had previously allowed, and most everyone here had made a big stink that it was a windows flaw. I don't see it that way. The command is doing precisely what it is supposed to do, with the way windows is currently written. SP2 changes that mechanic (in fact, according to what I've been reading, IE6 SP1 changes it, but I have yet to confirm it)... but potentially yes, it could be a security issue. I still feel that it was irresponsible of Mozilla to allow this flaw to perpetuate knowing the mechanics of the operation at the time it was coded.
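The scheme allowlist argued over in the comments above, including the drive-letter case ("C:\windows" becoming a file: load) and external handlers for IRC and AIM links, sketched as an added JavaScript example; it is not Mozilla's code or anything posted in this thread, and the policy tables and function names are assumptions.

```javascript
// Added example. The policy tables below are assumptions for illustration,
// not Mozilla's actual configuration.
const INTERNAL = new Set(["http", "https", "ftp", "file"]); // rendered by the browser itself
const EXTERNAL_PROMPT = new Set(["irc", "aim", "mailto"]);  // passed to another app only after the user confirms

// RFC 3986: scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ), compared case-insensitively.
const SCHEME_RE = /^([A-Za-z][A-Za-z0-9+.\-]*):/;
// A single letter followed by a slash or backslash is a Windows drive path, not a scheme.
const DRIVE_RE = /^[A-Za-z]:(?:[\\/]|$)/;

function classifyUrl(input) {
  // Normalise the way URL parsers do before looking at the scheme: drop
  // tabs/newlines anywhere and trim control characters and spaces at both
  // ends, so whitespace cannot hide a scheme from the check.
  const s = String(input)
    .replace(/[\t\n\r]/g, "")
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "");

  // "C:\windows" typed in the location bar is a local path: load it as file:.
  if (DRIVE_RE.test(s)) return { action: "internal", scheme: "file" };

  const m = SCHEME_RE.exec(s);
  // No scheme at all: assume a typed hostname and load it over http.
  if (!m) return { action: "internal", scheme: "http" };

  const scheme = m[1].toLowerCase();
  if (INTERNAL.has(scheme)) return { action: "internal", scheme };
  if (EXTERNAL_PROMPT.has(scheme)) return { action: "prompt", scheme };

  // Default deny: anything not listed (shell: included) is never handed to
  // the operating system. A bare "host:port" also lands here; failing
  // closed is the safe side of that ambiguity.
  return { action: "block", scheme };
}

function classifyAll(urls) {
  return urls.map((u) => Object.assign({ input: u }, classifyUrl(u)));
}

// Constructed sample inputs, not taken from the thread or any advisory.
const SAMPLES = [
  "http://www.example.com/",
  "C:\\windows",
  "irc://irc.example.org/channel",
  "  SheLL:example",
  "www.example.com",
];

for (const r of classifyAll(SAMPLES)) {
  console.log(JSON.stringify(r.input), "->", r.action, "(" + r.scheme + ")");
}
```
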
This vulnerability also affects Mozilla Seamonkey which is not in BETA.
And if it's in BETA then they shouldn't market it to the general public until it is finished.
Tell that to the OSS zealots who tout that the browser is flawless.
Mozilla have a huge advantage that Firefox isn't final. Effectively everyone is working as quality assurance testers for Firefox. If Firefox doesn't work on Windows 98SE with some patch the Mozilla team don't care and will fix that later, however if Microsoft have a problem with just one configuration they have to fix it before they release it. They have a level of quality they have to provide to all of their customers. Firefox doesn't have this.
Because of what I have said above there is no fair way that you can compare Mozilla and Microsoft when it comes to updating their software.
Edit: Before anyone says I don't know what I am talking about, I work in SQA (Software Quality Assurance). I am not a tester; however, I know the full process and it is NOT quick.
Mozilla have a huge advantage that Firefox isn't final. Effectively everyone is working as quality assurance testers for Firefox. If Firefox doesn't work on Windows 98SE with some patch the Mozilla team don't care and will fix that later, however if Microsoft have a problem with just one configuration they have to fix it before they release it. They have a level of quality they have to provide to all of their customers. Firefox doesn't have this.
Because of what I have said above there is no fair way that you can compare Mozilla and Microsoft when it comes to updating their software.
Edit: Before anyone says I don't know what I am talking about, I work in SQA (Software Quality Assurance). I am not a tester; however, I know the full process and it is NOT quick.
You don't know what you're talking about.
The good thing about Firefox is that the Mozilla foundation doesn't need to support it. So you are right, if a bug slips through one of the nightly builds, or even into one of the minor versions, it wouldn't be all that bad.
Second, we are all QA for Microsoft, with Windows XP, Windows Media Player, Office 2003 and MSN Messenger. They all send back information to Microsoft, like the Mozilla talkback feature.
You are right that Microsoft needs to consider more users. But outside of the Office series, I believe that Explorer.exe and Iexplore.exe are the most used applications (perhaps except Solitaire) they've got. Sure they need to test it a lot. But unlike the Mozilla foundation Microsoft is almost drowning in money. I am sure they can afford say ten boxes to test each Windows version. In every city, in every country.
And even with all the Microsoft QA there are still a lot of bugs that slip through, and poorly secured systems like ActiveX are embraced warmly.
Just look at that BLOG for a start, it's ugly as hell
And these are the two top links on his page:
http://mickenberg.blogspot.com/
http://www.edibleplastyc.net/
Says enough about that guy, doesn't it? It's a student hanging out with the weirdest weirdos on earth, stoned as hell.
So please put things in perspective people, and read blogs of serious developers who know what they're talking about.
Last edited by 31413 on 10 Jul 2004 - 08:21