Security

  • Posted on by Wladimir Palant

    Thanks to morgamic for telling me this, I probably wouldn’t have noticed otherwise — Addons.Mozilla.Org has made an important move towards raising the quality bar. The autogenerated spyware-infested Conduit-based toolbars have been disabled, all 93 of them. Any new submissions will be automatically rejected. Way to go, AMO!

    Mike Shaver writes:

    Read more… Comment [7]

  • Posted on by Wladimir Palant

    I have seen many people complaining about how Firefox is no more secure than Internet Explorer. Usually this impression comes up when people read the long lists of security bugs fixed with every maintenance release. Since I have reported a few security bugs myself and could observe how Mozilla deals with those, I knew well that Firefox is still incomparably more secure than Internet Explorer — and now there is proof. Internet Explorer Unsafe for 284 Days in 2006 has the data. Last year users of Internet Explorer have been exposed to unpatched critical security flaws for 284 days in total, on 98 of those days the security flaws were actively abused by web sites. In comparison, there was only one vulnerability in Firefox that was publicly disclosed before a patched Firefox release was available, amounting to 9 days of exposure.

    So where did the long lists of security bugs go? Did the author of this article overlook them? No, he didn’t. These bugs were there, they have been discovered and fixed — and only then the information on them has been disclosed. So while each and every software has bugs, the major difference here is that Firefox vulnerabilities are reported and fixed before the information is disclosed and somebody gets a chance of abusing them — and with Internet Explorer it often happens the other way round.

    Read more… Comment [9]

  • Posted on by Wladimir Palant

    Disclaimer: I don’t blame people working on AMO for anything. They face extremely difficult problems and are working very hard. I am simply noting some areas where they still have a long way to go.

    I started a little experiment — downloaded all extensions from addons.mozilla.org (AMO), unpacked them and tried to find security holes by searching for specific strings. As expected, it wasn’t all too difficult, one can easily find a dozen vulnerable extensions in an hour, and that not even accounting for the fact that there is a certain unpopular class of extensions on AMO all sharing the same buggy code. The only reason I didn’t hit all too many high profile extensions was that I was going through the extensions in alphabetical order instead of going by popularity.

    Read more… Comment [7]

  • Posted on by Wladimir Palant

    Do you still remember? Sometime in the beginning of year 2004 Bill Gates promised us to take care of the spam problem by 2006. It was big in the news all over the world. Well, the year is almost over and I don’t see anything change for the better. A look at my inbox tells me that spam got much worse if anything. In fact, spammers have made considerable progress in these two years. They are now making heavy use of botnets thus rendering the spam protection methods based on IP address checks or identity verification almost irrelevant. They successfully use randomized mail content and images to trick Bayesian filters. And they got much better at social engineering. What did Microsoft do? They sued a few spammers — which didn’t quite make the expected impact because spam is still much too profitable.

    It’s not that I really expected them to find the silver bullet. I mean, it was obvious that Bill Gates was selling hot air there. But I miss the public outcry. Where are the newspapers who reported about this two years ago, do they want to let him simply get away with a lie?

    Read more… Comment [11]

  • Posted on by Wladimir Palant

    I am back from my vacation and working through all the mail I got in the two weeks. Amongst others I found a funny email bounce for the forum’s confirmation message: “We are not aware of anyone in Germany needing to email us”. That is already weird enough but ok — the forum sends mails using a DE domain as a sender, maybe they don’t like that. So I forwarded the mail using my @adblockplus.org address. The new bounce message was: “We are not aware of anyone in Norway needing to email us”. This time I finally got it — Americans only want to speak to other Americans :)

    Read more… Comment [5]