$0.02 Regarding Firefox Security

[WolfRune]

For those who haven't heard, Symantec recently decided to fire a shot over Mozilla's bow regarding the security of their Firefox browser.

Read the ZDNews Story

After looking over Symantec's position, I've started to wonder if they're in Bill Gates' pocket.

Yes, Firefox has flaws. Show me a piece of software that doesn't! Have they had a fair number in the last 6 months? Absolutely! Is Symantec's analysis flawed? Very possibly.

I would be interested in comparing the first year of IE 6 vs the first year of Firefox 1.0. I suspect that there would be far more necessary patches, and far more of those would be critical, with IE. As well, I think it would be fair to compare the average amount of time for each browser's developer to release a patch once the vulnerability has been identified. However, Symantec didn't find/gather these stats, making their results questionable.

I guess some people figured that Firefox was a magic bullet for security. They're finding out now that there is no such thing as a truly SAFE browser, only ones that are less insecure. I still believe Firefox to be a safER and superior browser than IE.

Read Mozilla's Comeback on ZDNews

[!mitationRust]

Current security efforts suffer from the flawed assumption that adequate security can be provided in applications with the existing security mechanisms of mainstream operating systems.

http://www.nsa.gov/selinux/papers/inevit-abs.cfm

Until the masses understand that security must be accomplished at the OS level you'll see this pattern in pop security (people being sheep).....if you want more security buy an OS that offers more assurance.

XP on a limited account is the shiznyte. Too bad the masses, including the majority on this site pretermit the Run-As feature and will NEVER understand the depths of XP security that was provided before the first faggy service pack was released.

[WolfRune]

I agree that the O/S is the place to implement the strongest security, but even a well locked-down Windows XP or Linux box is bound to be vulnerable to SOMETHING. It is the nature of humankind's creations to have flaws, and some of humankind to exploit those flaws.

[!mitationRust]

I'm sorry, that statement needs elucidation.

[WolfRune]

I was stating that I agree with you that the O/S is where strong security should be implemented, but that relying on ANY software (and an O/S is ultimately software) is a mistake because even a well-secured O/S has flaws in its code and thus could be vulnerable to attack.

[zencoder]

So we should go back to banging rocks together, eh?

This is an oft rehashed topic in many guises. We participate in a technical culture of 'Permit All'. That is forever going to be the root problem, until such a time as we switch to 'Deny All' as our default behavior. It won't happen, I believe. Microsoft and Apple are always talking about the new features, how fast and easy something is to use, and why it is so much better than all the previous versions.

The point is a 'Deny All' system is not really all that functional, in the way we identify 'functionality'...what, you mean I can't read my email, surf the net, and write code on the same system?!?

Let's add something meaningful to this old rhetoric or let it rest in peace.

[WolfRune]

So we should go back to banging rocks together, eh?

Nope, I'd be screwed without my various and sundry electric gizmos. I just don't think we should assume/rely on ANY technology to keep us completely safe - every time we make a better mousetrap, nature builds a better mouse.

Unfortunately, since I have no way to improve the root of the problem (i.e. people out to harm other people), there's not much more I can contribute.

[!mitationRust]

I just noticed something hilarious.....zencoder you claim to have a CISSP but you have a get firefox sig. lol

Did you come away with any knowledge about application level security and its value?


That's the second person with a CISSP to openly do this.

[warl0ck7]

I agree with !mitationRust OS level security must come first, how many windows applications
suggest not to run as *administrator*, this is normal with other OS like Linux and OpenBSD.

Bieng vulnerable to SOMETHING does not neccessary employ to be vulnerable to
everything. I haven't heard or seen a single case of linux or a bsd box being compromised
by a web browser, and it is common with microsoft's IE ( Insecure Explorer).

[!mitationRust]

Seriously what is smarter? :
a) Configuring to your very important TFM (if your system has one)?

b) Or masking poor configuration with applications and blaming the OS when something goes wrong?

As long as you understand what real security is and what pop security is you have a head start in my book....... I mean you could seriously market another application and call it a lightning wall and the masses would flock to it. Why? Because people feel safe knowing "this is what everybody’s doing now to keep safe".

IE ships in a loose state just like a SOHO router...... and is extremely configurable...... which translates into: over your head to most.

The manual is pretty clear:

Originally posted here by Microsoft TFM
Use separate accounts for administrative activity and general user activity. Individuals who do administrative work on the computer should each have two user accounts on the system: one for administrative tasks, and one for general activity.

Table 4.1 C2 Configuration Checklist
God did he just say checklist?