Ah, security confusion…
Well, no software is perfect. So today saw alot of activity regarding a newly publicized exploit in Firefox 1.0.3. The exploit is a combination of several flaws, which make it appear that a software install comes from addons.update.mozilla.org, then another flaw in the iconURL paramter of installTrigger that JS can be inserted into, which runs with chrome privledges.
So, in an effort to mitigate the effects of this problem, the Update team and the Mozilla Foundation have redirected Mozilla Update to do-not-add.mozilla.org, which is outside the whitelist, and therefore can’t install software (and blogs the installTrigger.install JS call).
Only one problem…
From the top of Mozilla Update…
“To address security concerns, we have made a number of changes, including temporarily changing the URL for this site. If prompted, please DO NOT add this new URL (do-not-add.mozilla.org) to your Allowed Sites or White List.”
Umm, this is not only inexcusably vague, its basically misleading. End-users greeted by this message don’t know what the security concern is, what to do, if its with the website or the Firefox browser, or anything…
From MozillaZine:
“I’m sorry if I’m coming off a little thick here but could someone please explain in plain english what the problem is. I downloaded an update for one of my extensions through the automatic extension updater today before I saw anything was going on. How can I tell if I downloaded this exploit and how do I get rid of it. Turning off Java just isn’t practical though I have turned it off for now. Please any and help would be appreciated. Thanks in advance.”
Mozilla Update operates on the basis of trust, between the users and the site, and the people/organization that operates it. I feel the vague security warning at the top, makes people question if Update is safe to use at all, and in the lack of any information regarding a Firefox flaw, the attempt to actually protect users, is hurting Update at the same time it helps it and Firefox both.
So, the warning on Mozilla Update really needs to be changed to not confuse the users hitting that site that are completely unaware of the flaw. Be clear that the changes are attempting to address the vulnerablity, as a workaround, to make them safer. and that the Update website was not compromised. Failure to explicitly mention details and rely on the user to find them on their own, is very likely to end up with the user just making uninformed and blind assumptions.
On a slightly different, but related note, (which should be in a seperate post, but I don’t much feel like doing two posts tonight.) I really am starting to hate all the hype about Firefox security. Firefox is a secure browser, only because Mozilla.org puts effort into patching flaws that are found quickly, and in general, design considerations take security into account. Firefox is most certainly not a security utopia though. It seems like Firefox advocates, in their effort to make the case that Firefox is more secure than Internet Explorer, a topic which is very likely to convince people to switch browsers on, have over-hyped Firefox’s security. To the point where people expect Firefox never to have a flaw. This is now starting to generate alot of bad press for Firefox, by over-eager reporters wanting to find the smoking gun in Firefox that brings it into the same field as IE. It makes even fairly minor security flaws have the same weight as every one of IE’s usually much more critical flaws. Basically, allowing Microsoft to get off the hook with having to be accountable for their security problems. By being able to say, “look over there at the “more secure” Firefox browser, it has flaws too.” Its fine and useful to use Firefox’s security as a “selling” point for the browser, but try to keep it realistic. So when flaws are discovered and patched, you can use Mozilla’s responsiveness to support the product, instead of having to defend it from overblown criticism because it had a flaw.
Very well said about the overhyping of Firefox security. These days whenever I introduce Firefox to users, I always sell them on features first, and better security is just icing on the cake.
No browser is ever going to have perfect security, and we need to give users and the media realistic expectations. Is Firefox more secure than IE? Yes! Can we guarantee that Firefox will never have a flaw that can trash your system? No!
The problem with selling firefox on features alone is that firefox isn’t that unique when it comes to features.
IE shells like Avant browser, Maxthon, or alternative browsers like Opera provide more features, and are lighter and smarter than firefox to boot.
Forgive my ignorance – in a sentence at the Mozilla update site, saying “Just a few weeks ago, the lead developer stepped down ” I was linked here, is that Wolf, what exact position were you, and stand down, why, briefly?
Whilst agreeing in the post, and in always improving things, in the grand scheme of things, certainly by comparison to many past IE security problems, this really is being overblown. Yes the way this security issue was dealt with was a little rough round the edges, not worded that well, and other mistakes occurred.
However, it was done relatively quickly, no messing about, and the immediate effect of the do-no-add-mozilla despite being roughly done, was that it did quickly get a reasonable grip of the situation.
IE would have sat on it for days, most of that time spent wording it in such a pretty, hidden way to minimise reprocussions, that it would be worthy to attack far more.
Mozilla needs to learn from things like this for sure, they’re growing pains for a browser that is adapting to growing usage and attack. Whilst being critical is key to improvement, being overly critical, when there have been few critical Firefox issues so far, isn’t as much.
Microsoft wants it’s users to UNINSTALL Netscape
yep, after a bashing for bundling internet explorer the browser with the WIndows OS , it’s Microsoft ‘s turn to avenge it’s browsers divorce from the OS. The issue sprouted up this afternoon on a MSDN Blog , where Microsoft ‘s chief IE developer