Robert Hensing's Blog

Software Security . . . and stuff.

More FireFox 3.0 entertainment (Fail Open Goat Award)

It's nice to see that the security researchers are taking notice of FireFox's increased share of the market and responding appropriately: http://blogs.zdnet.com/security/?p=1288

This is interesting on many levels . . . here we have a free, open source browser, and I'm just guessing that this unnamed researcher found this vuln ages ago and deliberately held off on releasing it until FF 3.0 went RTW (release to web) so he/she could test it against the RTW bits and then sell it to ZDI and get paid.  Sure, you COULD find the vulnerability and contribute the fix back to the OSS community for free . . . or you could get paid.  Hmmmm . . .

And again - if you're running FireFox 2.x or 3.x on Vista, that seems unwise . . . you'll actually be LESS safe than you would be with IE7 on Vista if you have UAC enabled, because with UAC on IE7 runs in Protected Mode as a low-integrity process while Firefox runs at your normal integrity level.  Think about it . . .

Okay okay - so you still want to use FF 3.0 on Vista - at least force it to use DEP (permanent) via the ExecuteOptions reg value or something . . . sheesh.
I'd give you the .REG script to do it here, but I don't feel like downloading FF 3.0 at the moment, so forcing FF 3.0 to use DEP (permanent) is left as an exercise for the reader.

EDIT:  An astute blog reader willing to install FF 3.0 on Vista pointed out that it seems to have opted in to DEP all by itself.  Hooray Moz!  That's good stuff.
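
A way to check that claim for yourself, as an added example that is not from the original post: the snippet below calls the kernel32 GetProcessDEPPolicy API (exported from Vista SP1 / XP SP3 onward) to ask whether each running firefox.exe has DEP enabled and whether the setting is permanent. It assumes PowerShell 2.0 or later (for Add-Type) and a 32-bit Firefox process; for a 64-bit process DEP is always on and the flags are not meaningful. The PROCESS_DEP_ENABLE constant is the winbase.h value.

```powershell
# Added example, not from the original post: query the DEP policy of every
# running firefox.exe via GetProcessDEPPolicy (kernel32, Vista SP1+ / XP SP3+).
Add-Type -Namespace Win32 -Name Dep -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool GetProcessDEPPolicy(IntPtr hProcess, out uint lpFlags, out bool lpPermanent);
'@

$PROCESS_DEP_ENABLE = [uint32]0x1   # winbase.h; 0x2 is DISABLE_ATL_THUNK_EMULATION

foreach ($p in Get-Process -Name firefox -ErrorAction SilentlyContinue) {
    $flags = [uint32]0
    $permanent = $false
    # Process.Handle carries PROCESS_QUERY_INFORMATION, which is all the API needs.
    if (-not [Win32.Dep]::GetProcessDEPPolicy($p.Handle, [ref]$flags, [ref]$permanent)) {
        $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
        Write-Warning ("PID {0}: GetProcessDEPPolicy failed (Win32 error {1})" -f $p.Id, $err)
        continue
    }
    $enabled = ($flags -band $PROCESS_DEP_ENABLE) -ne 0
    "PID {0}: DEP enabled={1} permanent={2}" -f $p.Id, $enabled, $permanent
}
```

The "permanent" flag is the one to look for: it is set when the image was linked /NXCOMPAT, when the process called SetProcessDEPPolicy on itself, or when the system policy is AlwaysOn, and once set it cannot be turned back off for the life of the process. A process that reports enabled but not permanent is still free to switch DEP off later.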

Welp, the gauntlet has been thrown down . . . with the release of IE 8 possibly only months away, will we be able to beat the ~5 hour mark on release day and "follow in Moz's footsteps"?  I certainly hope I don't have to FOGA IE8 on release day.  That would suck. :)

Comments
  • "Sure you COULD find the vulnerability and contribute the fix back to the OSS community for free . . . or you could get paid."

    As opposed to say:

    Sure you COULD find the vulnerability and inform Microsoft for free . . . or you could get paid.

    Sure, this does raise a valid point that some people are going to sell exploits (and I'm not about to hold that against them), but if you take a look at how many security bugs were actually reported to Mozilla it's pretty surprising that we actually have that many altruistic people at all IMO.

  • Robert Hensing has more to say about the press coverage of FF 3.0. http://blogs.technet.com/robert_hensing

  • Firefox 3 had its premiere on Tuesday. In one statement Window Snyder said: In setting out to elevate Firefox's basic security, Snyder is also compelling Microsoft and Apple, maker of the Safari browser, to follow her lead — or get ou
