Security

  • Firefox Remote Compromise Leaked

    10 answers - 1567 bytes

    Well, apparently one of my Firefox vulnerabilities has been leaked. Mikx and I have been working on Firefox security for some time and we are trying to put together something spectacular, but unfortunately there are always those people out there that feel they need to ruin it for people. About a week ago, Mikx and I put together a nice remote compromise for Firefox, submitted it to bugzilla, and got a bug number for it. This is the message that I just got from Bugzilla:
    bugzilla-daemon (AT) mozilla (DOT) org to me 12:14 am (1 hour ago)
    brendan (AT) mozilla (DOT) org changed:
    What |Removed |Added
    CC| |bugs (AT) bengoodger (DOT) com,
    | |vladimir (AT) pobox (DOT) com,
    | |shaver (AT) mozilla (DOT) org,
    | |brendan (AT) mozilla (DOT) org,
    | |chofmann (AT) gmail (DOT) com
    Additional Comments From brendan (AT) mozilla (DOT) org 2005-05-07 21:14 PDT
    So now someone is claiming a 0day that looks a lot like this. See bug 293302.
    So apparently, the secret is out. I wish that this could have been used for good purposes but I guess that just isn't possible these days.
    Here is the original PoC:
    I suspect that my server was compromised, and I am currently using my contacts to find the culprit and bring him to justice.
    Sorry to Mozilla, Mikx, and everyone else that was harmed by the inconsiderate, irresponsible actions of an individual.
    Regards,
    Paul
    Full-Disclosure - We believe in it.
    Charter:
    Hosted and sponsored by Secunia - http://secunia.com/
  • No.1 | | 1242 bytes | |

    tuytumadre (AT) att (DOT) net wrote:
    >So apparently, the secret is out. I wish that this could have been used
    >for good purposes but I guess that just isn't possible these days

    What 'good purposes' did you have in mind?

    What higher purpose is there above full disclosure with a proof of
    concept? Disclosure spreads awareness, and awareness allows defense.

    The secret is no longer a secret, and it didn't remain one as long as
    you had hoped it would. This reduces the chances that the secret will be
    exploited against people who aren't aware that there is a secret.
    Nothing at all would have been gained by delaying disclosure, other than
    to give attackers a bigger window of opportunity to mount successful
    attacks and design new exploits that will launch successfully against a
    completely unprepared computing public.

    Your belief that you could keep a secret, or that you have any right to
    keep such a secret even if you could, is moronic and it's wrong-headed.

    Sincerely,

    Jason Coombs
    jasonc (AT) science (DOT) org

  • No.2 | | 834 bytes | |

    Sunday 08 May 2005 10:14, Jason Coombs wrote:

    >Nothing at all would have been gained by delaying disclosure, other than
    >to give attackers a bigger window of opportunity to mount successful
    >attacks and design new exploits that will launch successfully against a
    >completely unprepared computing public.

    Most of the time disclosure is delayed to allow the vendor to fix a security
    bug. If you find a security bug and give the vendor five days to fix it
    before you release the disclosure advisory there's a smaller chance that the
    vulnerability will be exploited by malicious people.

    Full disclosure works because it forces vendors to actually fix a security
    problem, and delaying a disclosure for a couple of days doesn't hurt that way
    of working.

    - Vincent van Scherpenseel
  • No.3 | | 255 bytes | |

    Looking at the current record, what makes you guys think firefox won't
    beat IE 6 for security holes. (o;
    Bipin Gautam
  • No.4 | | 625 bytes | |

    Sat, May 07, 2005 at 10:14:48PM -1000, Jason Coombs wrote:
    >Your belief that you could keep a secret, or that you have any right to
    >keep such a secret even if you could, is moronic and it's wrong-headed.

    can discuss the pro and con of full disclosure all day and not reach
    any consensus (though *this* forum won't be an even distribution), it is
    another matter entirely to believe that one does not own his own discoveries.

    I can have an opinion about how you should disclose, I can certainly try
    to persuade you, but I do not have any *claim* to your private discoveries.

    Steve
  • No.5 | | 814 bytes | |

    Sun, May 8, 2005 7:49 am, Bipin Gautam said:
    >Looking at the current record, what makes you guys think firefox won't
    >beat IE 6 for security holes. (o;

    According to secunia.com:

    IE 6.x has had 80 advisories, of which 42% (34 advisories) were rated
    highly or extremely critical, and 3 critical advisories are still
    unpatched after several months.

    Firefox 1.x has had 16 advisories, of which 19% (3 advisories) were rated
    highly or extremely critical, and only 1 critical advisory is still
    unpatched, but it's only been in that state for a few days, and a patch is
    on its way.

    Soon, we will once again have no unpatched critical vulnerabilities with
    Firefox, and we will still have three or more with IE.

    I still like my odds with Firefox.
    -Eric
  • No.6 | | 1450 bytes | |

    Well, that's one way to crunch the numbers.

    Of course, IE 6 has been out since 2001, Firefox 1.x was released three
    years later. Looking at the advisories on a timeframe basis for 2005,
    Firefox 1.x has had 12 Secunia advisories compared to 6 for IE 6. In other
    words, the odds you're banking on shift quite a bit depending on how you
    look at it.
    -- Mary

    Message
    From: "Eric Paynter" <eric (AT) arcticbears (DOT) com>
    To: <full-disclosure (AT) lists (DOT) grok.org.uk>
    Sent: Monday, May 09, 2005 6:08 PM
    Subject: Re: [Full-disclosure] Firefox Remote Compromise Leaked

    Sun, May 8, 2005 7:49 am, Bipin Gautam said:
    Looking at the current record, what makes you guys think firefox won't
    beat IE 6 for security holes. (o;

    According to secunia.com:

    IE 6.x has had 80 advisories, of which 42% (34 advisories) were rated
    highly or extremely critical, and 3 critical advisories are still
    unpatched after several months.

    Firefox 1.x has had 16 advisories, of which 19% (3 advisories) were rated
    highly or extremely critical, and only 1 critical advisory is still
    unpatched, but it's only been in that state for a few days, and a patch is
    on its way.

    Soon, we will once again have no unpatched critical vulnerabilities with
    Firefox, and we will still have three or more with IE.

    I still like my odds with Firefox.
    -Eric
  • No.7 | | 2018 bytes | |

    Mon, May 9, 2005 4:46 pm, Mary Landesman said:
    >Well, that's one way to crunch the numbers.
    >
    >Of course, IE 6 has been out since 2001, Firefox 1.x was released three
    >years later. Looking at the advisories on a timeframe basis for 2005,
    >Firefox 1.x has had 12 Secunia advisories compared to 6 for IE 6. In other
    >words, the odds you're banking on shift quite a bit depending on how you
    >look at it.

    Ah, but new releases always have more bugs, which are supposed to get
    ironed out over time. I guess for a more accurate look at the overall
    quality of the release, compare IE in its first six months to Firefox in
    its first six months. I get 12 advisories (2 highly critical) for
    Firefox and 18 advisories (7 highly critical) for IE in that time period.
    It still looks to me like the future is safer with Firefox.

    OK, so next you'll say "but Firefox didn't have the same market share when
    it first came out. Now that people are using it, the numbers of found
    vulnerabilities will go up"

    Well, I guess it's just a game of numbers at this point. But the fact is,
    I feel more secure with Firefox because they actively work with the
    community to fix the problems. The team seems to really care and take
    pride in the quality of their work. I somehow don't think we'll ever see
    something like "Microsoft MCIWNDXCX ActiveX Plugin Buffer "
    rated highly critical and still not patched almost two years after the
    announcement, or "Windows Explorer / Internet Explorer Long Share Name
    Buffer ", also rated highly critical and over a year old with no
    patch available. If we did have things like that start happening, I'd bail
    off of Firefox pretty quickly. But for now, they've been very responsive,
    and that makes me feel more secure.

    To each his or her own
    -Eric

  • No.8 | | 3060 bytes | |

    I find security in understanding how best to secure a browser, rather than
    switching to whichever one advertises the least vulnerabilities regardless
    of how open that interpretation might be.

    My point is that crunching numbers reveals different results, depending
    solely on the desired outcome. One could equally argue that Firefox had the
    advantage of learning from IE's mistakes, hence comparing the first six
    months of a browser three years later becomes a moot point. But, of course,
    if one were to make that argument, one would expect Firefox to have done
    better in the previous six months, which it clearly has not.

    Regards,
    -- Mary

    Message
    From: "Eric Paynter" <eric (AT) arcticbears (DOT) com>
    To: <full-disclosure (AT) lists (DOT) grok.org.uk>
    Sent: Monday, May 09, 2005 8:24 PM
    Subject: Re: [Full-disclosure] Firefox Remote Compromise Leaked

    Mon, May 9, 2005 4:46 pm, Mary Landesman said:
    Well, that's one way to crunch the numbers.

    Of course, IE 6 has been out since 2001, Firefox 1.x was released three
    years later. Looking at the advisories on a timeframe basis for 2005,
    Firefox 1.x has had 12 Secunia advisories compared to 6 for IE 6. In other
    words, the odds you're banking on shift quite a bit depending on how you
    look at it.

    Ah, but new releases always have more bugs, which are supposed to get
    ironed out over time. I guess for a more accurate look at the overall
    quality of the release, compare IE in its first six months to Firefox in
    its first six months. I get 12 advisories (2 highly critical) for
    Firefox and 18 advisories (7 highly critical) for IE in that time period.
    It still looks to me like the future is safer with Firefox.

    OK, so next you'll say "but Firefox didn't have the same market share when
    it first came out. Now that people are using it, the numbers of found
    vulnerabilities will go up"

    Well, I guess it's just a game of numbers at this point. But the fact is,
    I feel more secure with Firefox because they actively work with the
    community to fix the problems. The team seems to really care and take
    pride in the quality of their work. I somehow don't think we'll ever see
    something like "Microsoft MCIWNDXCX ActiveX Plugin Buffer "
    rated highly critical and still not patched almost two years after the
    announcement, or "Windows Explorer / Internet Explorer Long Share Name
    Buffer ", also rated highly critical and over a year old with no
    patch available. If we did have things like that start happening, I'd bail
    off of Firefox pretty quickly. But for now, they've been very responsive,
    and that makes me feel more secure.

    To each his or her own
    -Eric

  • No.9 | | 323 bytes | |

    Mon, May 09, 2005 at 03:08:33PM -0700, Eric Paynter wrote:
    >IE 6.x has had 80 advisories, of which 42% (34 advisories) were rated

    if memory serves me right, some windoze service packs drastically changed the
    behaviour of some private pages and emails, so number of advisories != number
    of fixed public bugs.
  • No.10 | | 2535 bytes | |

    Mary Landesman wrote:

    >I find security in understanding how best to secure a browser, rather than
    >switching to whichever one advertises the least vulnerabilities regardless
    >of how open that interpretation might be.
    >
    >My point is that crunching numbers reveals different results, depending
    >solely on the desired outcome. One could equally argue that Firefox had the
    >advantage of learning from IE's mistakes, hence comparing the first six
    >months of a browser three years later becomes a moot point. But, of course,
    >if one were to make that argument, one would expect Firefox to have done
    >better in the previous six months, which it clearly has not.
    >


    Of course, you could also make the argument that Microsoft could have
    learned from Netscape and Mosaic when it bought the mess which became IE
    from Spyglass.

    So that door swings both ways.

    Not to mention that you're not talking about the same kinds of mistakes
    in firefox versus those in IE in all instances. Many of the flaws in IE
    come from its poorly planned position within MS Windows as an
    System component. (Before people jump on me - I'm referring to its
    place in the interface. I'm well aware that it is not part of the
    Windows Kernel and that you can, if you intend to break a large number
    of programs, remove IE completely with enough work.) What kind of
    lessons would Firefox learn from IE's zoning issues? It wouldn't and
    any argument that it would is specious at best.

    Listen, there are no perfect programs. All programs will have bugs. If
    you track the statistics, you can play games with the numbers until
    you're blue in the face. However, what we can say is this:

    - Firefox has, at this moment, only 1 quasi-functional unpatched
    hole while IE has 3 completely unpatched holes.
    - Firefox is not part of the OS interface and, as such, does not
    implement poorly conceived zoning interfaces.

    Mozilla/Firefox are designed the way that browsers should ideally be
    designed. Some of the holes found in Firefox rely on external programs
    (like Java) to do their dirty work and some of them are in the web
    standards and equally apply to IE.

    Those are the facts, statistics be damned and firefox still wins.

    -Barry

