See? It CAN do everything Internet Explorer can!

zdnet.com wrote:
Firefox tops list of 12 most vulnerable apps
Mozilla’s flagship Firefox browser has earned the dubious title of the most vulnerable software program running on the Windows platform.
According to application whitelisting vendor Bit9, Firefox topped the list of 12 widely deployed desktop applications that suffered through critical security vulnerabilities in 2008. These flaws exposed millions of Windows users to remote code execution attacks.
The other applications on the list are all well-known and range from browsers to media players, to VOIP chat and anti-virus software programs. Here’s Bit9’s dirty dozen:
Mozilla Firefox: In 2008, Mozilla patched 10 vulnerabilities that could be used by remote attackers to execute arbitrary code via buffer overflow, malformed URI links, documents, JavaScript and third party tools.
Adobe Flash and Adobe Acrobat: Bit9 listed 14 flaws patched this year that exposed desktops to arbitrary remote code execution via buffer overflow, “input validation issues” and malformed parameters.
EMC VMware Player, Workstation and other products: A total of 10 bugs introduced risks ranging from privilege escalation via directory traversal, ActiveX buffer overflows leading to arbitrary code execution and denial of service.
Sun Java JDK and JRE, Sun Java Runtime Environment (JRE): Inability to prevent execution of applets on older JRE releases could allow remote attackers to exploit vulnerabilities of these older releases. Buffer overflows allowing creation, deletion and execution of arbitrary files via untrusted applications. 10 patched vulnerabilities listed.
Apple QuickTime, Safari and iTunes: In QuickTime, the list includes nine vulnerabilities that allow remote attackers to execute arbitrary code via buffer overflow, or cause a denial of service (heap corruption and application crash) involving malformed media files, media links and third party codecs. The Safari for Windows browser was haunted by three flaws that could lead to arbitrary code execution and denial of service involving JavaScript arrays that trigger memory corruption. Apple’s iTunes software was susceptible to a remote improper update verification that allowed man-in-the-middle attacks to execute arbitrary code via a Trojan horse update.
Symantec Norton products (all flavors 2006 to 2008): Stack-based buffer overflow in the AutoFix Support Tool ActiveX exposed Windows users to arbitrary code execution.
Trend Micro OfficeScan: A total of four stack-based buffer overflows that opened doors for remote attackers to execute arbitrary code.
Citrix Products: Privilege escalation in DNE via specially crafted interface requests affects Cisco VPN Client, Blue Coat WinProxy, SafeNet SoftRemote and HighAssurance Remote. Search path vulnerability, and buffer overflow lead to arbitrary code execution.
Aurigma Image Uploader, Lycos FileUploader: Remote attackers can perform remote code execution via long extended image information.
Skype: Improper check of dangerous extensions allows user-assisted remote attackers to bypass warning dialogs. Cross-zone scripting vulnerability allows remote attackers to inject script via Internet Explorer web control.
Yahoo Assistant: Remote attackers can execute arbitrary code via memory corruption.
Microsoft Windows Live (MSN) Messenger: Remote attackers are allowed to control the Messenger application, “change state,” obtain contact information and establish audio or video connections without notification.
See Bit9’s full report (.pdf) for information on how the list was put together, including criteria for inclusion.
Firefox - this year's most vulnerable app
- hamin_aus
- Forum Moderator
- Posts: 18363
- Joined: 28 Aug 2003, 02:00
- Processor: Intel i7 3770K
- Motherboard: GA-Z77X-UP4 TH
- Graphics card: Galax GTX1080
- Memory: 32GB G.Skill Ripjaws
- Location: Where beer does flow and men chunder
- Contact:
Firefox - this year's most vulnerable app
-
- Registered User
- Posts: 20732
- Joined: 13 Sep 2004, 02:00
- Location: Cruising the streets of Pretoria
- Contact:
Re: Firefox - this year's most vulnerable app
How is Firefox MORE vulnerable than MSN? Haters
Re: Firefox - this year's most vulnerable app
//hides thread from Rusty and SoulBlade.
I feel a whole lot of "I told you so" coming my way.
Furthermore, I am of the opinion that Samsung Mobile must be destroyed.
When something is important enough, you do it even if the odds are not in your favor.
- Elon Musk
Re: Firefox - this year's most vulnerable app
IE is not even on the list... Something smells fishy.
Josh Dies is my hero! |50,000,601.375 forum points
Re: Firefox - this year's most vulnerable app
jamin, what are you posting this in public for? rusty might see!
Re: Firefox - this year's most vulnerable app
I thought rusty was an Opera groupie....
Re: Firefox - this year's most vulnerable app
He is ... can you imagine the kind of ammo this is going to give him against us FF fanbois?
Re: Firefox - this year's most vulnerable app
Have no fear, the first word in the thread title is 'Firefox'. Rusty won't get past that; he'll move on to another thread.
There are 10 types of people in this world.
Those who understand binary and those who do not.
-
- Registered User
- Posts: 2663
- Joined: 29 Jul 2004, 02:00
- Location: hidden deep in the depths of the underworld is my home.
- Contact:
Re: Firefox - this year's most vulnerable app
Lies. I know IE is EPIC FAIL Number 1.
Re: Firefox - this year's most vulnerable app
D3PART3D wrote:
//hides thread from Rusty and SoulBlade.
I feel a whole lot of "I told you so" coming my way.

Lol, I'm not going to post it, but I'm thinking it...

capanno wrote:
IE is not even on the list... Something smells fishy.

FF is just taking all the limelight :p
Core i5 3550 | 8GB RAM | 500W | Samsung T260 | GTX760 OC | 4.56TB HDD space
Re: Firefox - this year's most vulnerable app
I suppose this is why IE is not on the list ...

jamin_za wrote:
Mozilla Firefox: In 2008, Mozilla patched 10 vulnerabilities that could be used by remote attackers to execute arbitrary code via buffer overflow, malformed URI links, documents, JavaScript and third party tools.

M$ doesn't patch its vulnerabilities; at least Mozilla does.
Re: Firefox - this year's most vulnerable app
FF FTW ...w00t
Re: Firefox - this year's most vulnerable app
Ya, that's why. I bet if MS did as much patching we would find them on top.
-
- Forum Administrator
- Posts: 22136
- Joined: 14 Jun 2004, 02:00
- Processor: Ryzen 1700K
- Motherboard: Asus X370
- Graphics card: Asus 1060 Strix
- Memory: 16GB RAM
- Location: Where Google says
Re: Firefox - this year's most vulnerable app
Hmm, you never see this news about Opera. I wonder why?
JUSTICE, n. A commodity which in a more or less adulterated condition the State sells to the citizen as a reward for his allegiance, taxes and personal service.
Re: Firefox - this year's most vulnerable app
Cos they also never fix any bugs. Shows just how much like MS they are.
Re: Firefox - this year's most vulnerable app
That's cause there are no bugs that need fixing; just shows how secure Opera is.
/bumping thread for rusty to see
JUSTICE, n. A commodity which in a more or less adulterated condition the State sells to the citizen as a reward for his allegiance, taxes and personal service.
Re: Firefox - this year's most vulnerable app
DeathStrike wrote:
cos they also neva fix any bugs. shows just how much like MS they are.

Even if they don't fix it, it still shows that FF is, and I quote, "this year's most vulnerable app".
Core i5 3550 | 8GB RAM | 500W | Samsung T260 | GTX760 OC | 4.56TB HDD space
- rustypup
- Registered User
- Posts: 8872
- Joined: 13 Dec 2004, 02:00
- Location: nullus pixius demonica
- Contact:
Re: Firefox - this year's most vulnerable app
as much as i'd love to have a cackle of the FF fanbois silliness, the list selection requirements are decidedly retarded...
given that their product is aimed at making money out of the clueless, it isn't all that surprising to discover that they have a soft spot for mickeysoft... hence zero mention of IE...
i also take issue with them ranking vulnerability on the number of patches released.... which is more secure... a company telling you openly about the flaw and offering you a fix or the one hiding the flaw and sneaking updates through the back door?
Bit9 wrote:
• Runs on Microsoft Windows.
• The application cannot be automatically and centrally updated via free Enterprise tools such as Microsoft SMS & WSUS.

right...
Most people would sooner die than think; in fact, they do so - Bertrand Russell
Re: Firefox - this year's most vulnerable app
Hence my point that IE and Opera have more flaws that we never hear about.
Re: Firefox - this year's most vulnerable app
DeathStrike wrote:
Hence my point that IE and Opera have more flaws that we neva hear bout.

;/ opera is fairly vociferous when announcing bugs... the last 3 were remote execution bugs that only affected, (surprise, surprise), windows boxes...
the simple fact is, opera is far less buggy than its competitors...
Most people would sooner die than think; in fact, they do so - Bertrand Russell
-
- Registered User
- Posts: 2618
- Joined: 26 Apr 2007, 02:00
- Location: Westcliff, Johannesburg
- Contact:
Re: Firefox - this year's most vulnerable app
rustypup, I agree with you.
aaand look at the number of holes in IE over the past 3 years and then tell me FF is junk.
Any application has holes, but FF works much better than IE in most ways (some issues with Flash irritate me).
I'm sure Opera is better (I've used it with my E61 and it's le win) but I love FF.
Soon Google will know everything...including how to divide by zero
Re: Firefox - this year's most vulnerable app
Somehow I fail to see how the most updated application could be called the most vulnerable one. So I could design an utter POS browser and, if I don't update it, it is therefore automatically seen as more secure than the most updated one?
DFI LanParty X48 LT-2TR
Intel Q9450 @ 3.2Ghz
Dell 24" 2408WFP | Phillips 37" 1080p
Sapphire HD4870 X2 2GB
4GB Corsair DDR-2 1066 | Thermalrite 120 Ultra Extreme | G9 Mouse | G15 Keyboard
Vista Ultimate x64
Re: Firefox - this year's most vulnerable app
A Microsoft application just couldn't stay off the list.
Re: Firefox - this year's most vulnerable app
I'm not surprised about Norton being on there. Pile of rubbish.
Soon Google will know everything...including how to divide by zero
Re: Firefox - this year's most vulnerable app
I often get these security bulletins from our security team.
This one relates to FF, so it's for your concern.
Dear All
There is a critical vulnerability in Mozilla Firefox 3 announced today.
Please advise users to download and apply the latest updates.
-------------------------------------------------------------------
TITLE:
Mozilla Firefox Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA33799
VERIFY ADVISORY:
http://secunia.com/advisories/33799/
CRITICAL:
Highly critical
IMPACT:
Security Bypass, Cross Site Scripting, Exposure of system information, Exposure of sensitive information, System access
WHERE:
From remote
SOFTWARE:
Mozilla Firefox 3.x
http://secunia.com/advisories/product/19089/
DESCRIPTION:
Some vulnerabilities have been reported in Mozilla Firefox, which can be exploited by malicious, local users to potentially disclose sensitive information, and by malicious people to conduct cross-site scripting attacks, bypass certain security restrictions, disclose sensitive information, or potentially to compromise a user's system.
1) Multiple errors in the layout engine can be exploited to cause memory corruptions and potentially execute arbitrary code.
2) Multiple errors in the Javascript engine can be exploited to cause memory corruptions and potentially execute arbitrary code.
3) A chrome XBL method can be used in combination with "window.eval" to execute arbitrary Javascript code in the context of another web site.
4) An error when restoring a closed tab can be exploited to modify an input control's text value, which allows e.g. to disclose the content of a local file when a user re-opens a tab.
5) An error in the processing of shortcut files can be exploited to execute arbitrary script code with chrome privileges e.g. via an HTML file that loads a privileged chrome document via a .desktop shortcut file.
This is related to:
SA32192
6) A security issue is caused due to cookies marked "HTTPOnly" being readable by Javascript via the "XMLHttpRequest.getResponseHeader" and "XMLHttpRequest.getAllResponseHeaders" APIs.
7) A security issue is caused due to Firefox ignoring certain HTTP directives to not cache web pages ("Cache-Control: no-store" and "Cache-Control: no-cache" for HTTPS pages), which can be exploited to disclose potentially sensitive information via cached pages.
SOLUTION:
Update to version 3.0.6.
ORIGINAL ADVISORY:
Mozilla Foundation:
http://www.mozilla.org/security/announc ... 09-01.html
http://www.mozilla.org/security/announc ... 09-02.html
http://www.mozilla.org/security/announc ... 09-03.html
http://www.mozilla.org/security/announc ... 09-04.html
http://www.mozilla.org/security/announc ... 09-05.html
http://www.mozilla.org/security/announc ... 09-06.html
OTHER REFERENCES:
SA32192:
http://secunia.com/advisories/32192/
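Items 6 and 7 of the advisory quoted above are the kind of thing you can verify yourself after rolling out 3.0.6. The following is an added example, not code from Secunia, Mozilla or anyone in this thread: it parses the string that XMLHttpRequest.getAllResponseHeaders() hands back and reports which Set-Cookie values still carry the HttpOnly flag (a patched browser filters them out, so the list should be empty), and separately whether the Cache-Control header asks the browser not to store the page. The header sample is constructed for the example and the function names are my own.

```javascript
// Added example. Parses the raw header string returned by
// XMLHttpRequest.getAllResponseHeaders() and returns the names of cookies
// that were set with the HttpOnly attribute. A browser that implements the
// Firefox 3.0.6 fix (or any modern browser) strips Set-Cookie from that
// string, so an empty result is the expected, safe outcome; a non-empty
// result means script can read cookies the server marked HttpOnly.
function findLeakedHttpOnlyCookies(rawHeaders) {
  const leaked = [];
  for (const line of rawHeaders.split(/\r?\n/)) {
    const idx = line.indexOf(':');          // split at the first colon only
    if (idx < 0) continue;
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    if (name !== 'set-cookie' && name !== 'set-cookie2') continue;
    const attrs = value.split(';').map(s => s.trim());
    // attrs[0] is "name=value"; everything after it is an attribute
    if (attrs.slice(1).some(a => a.toLowerCase() === 'httponly')) {
      leaked.push(attrs[0].split('=')[0]);
    }
  }
  return leaked;
}

// Returns true when a Cache-Control header in the raw header string carries
// no-store or no-cache, i.e. the directives item 7 says Firefox ignored.
function cacheControlForbidsStorage(rawHeaders) {
  for (const line of rawHeaders.split(/\r?\n/)) {
    const idx = line.indexOf(':');
    if (idx < 0) continue;
    if (line.slice(0, idx).trim().toLowerCase() !== 'cache-control') continue;
    const directives = line.slice(idx + 1).split(',').map(d => d.trim().toLowerCase());
    if (directives.includes('no-store') || directives.includes('no-cache')) return true;
  }
  return false;
}

// Constructed sample of what an unpatched browser could expose to script.
const SAMPLE_HEADERS = [
  'Content-Type: text/html; charset=utf-8',
  'Set-Cookie: SESSIONID=abc123; Path=/; Secure; HttpOnly',
  'Set-Cookie: theme=dark; Path=/',
  'Cache-Control: no-store, no-cache, must-revalidate',
].join('\r\n');

// Convenience wrapper. In a browser console you would feed it the real thing:
//   const xhr = new XMLHttpRequest(); xhr.open('GET', location.href, false); xhr.send();
//   probe(xhr.getAllResponseHeaders());
// and expect leaked to be [] on a patched browser.
function probe(rawHeaders) {
  return {
    leaked: findLeakedHttpOnlyCookies(rawHeaders),
    noStore: cacheControlForbidsStorage(rawHeaders),
  };
}
```

Run it offline with `probe(SAMPLE_HEADERS)`: the constructed sample reports SESSIONID as leaked and no-store as present, which is exactly the pre-3.0.6 behaviour the advisory describes. Against a live page in a fixed browser the leaked list comes back empty because the browser never surfaces Set-Cookie to script; the Cache-Control check simply tells you whether the page was one the fix should have stopped caching.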