Time: 03:22 EST/08:22 GMT | News Source: ZDNet | Posted By: Kenneth van Surksum
Since our last article on Firefox’s problems with Vista, considerable progress has been made to improve the browser for Microsoft’s newest operating system. We caught up with Mike Schroepfer, VP of Engineering at the Mozilla Foundation, to bring us up to date.

#1 By 1401 (69.27.196.98) at 7/4/2007 9:19:57 AM
Just running Firefox is Protected Mode...

#2 By 32132 (142.32.208.232) at 7/4/2007 10:39:29 AM
#1 If you say so ...
Firefox 2
Fixed in Firefox 2.0.0.4
MFSA 2007-17 XUL Popup Spoofing
MFSA 2007-16 XSS using addEventListener
MFSA 2007-14 Path Abuse in Cookies
MFSA 2007-13 Persistent Autocomplete Denial of Service
MFSA 2007-12 Crashes with evidence of memory corruption (rv:1.8.0.12/1.8.1.4)
Fixed in Firefox 2.0.0.3
MFSA 2007-11 FTP PASV port-scanning
Fixed in Firefox 2.0.0.2
MFSA 2007-09 Privilege escalation by setting img.src to javascript: URI
MFSA 2007-08 onUnload + document.write() memory corruption
MFSA 2007-07 Embedded nulls in location.hostname confuse same-domain checks
MFSA 2007-06 Mozilla Network Security Services (NSS) SSLv2 buffer overflow
MFSA 2007-05 XSS and local file access by opening blocked popups
MFSA 2007-04 Spoofing using custom cursor and CSS3 hotspot
MFSA 2007-03 Information disclosure through cache collisions
MFSA 2007-02 Improvements to help protect against Cross-Site Scripting attacks
MFSA 2007-01 Crashes with evidence of memory corruption (rv:1.8.0.10/1.8.1.2)
Fixed in Firefox 2.0.0.1
MFSA 2006-76 XSS using outer window's Function object
MFSA 2006-75 RSS Feed-preview referrer leak
MFSA 2006-73 Mozilla SVG Processing Remote Code Execution
MFSA 2006-72 XSS by setting img.src to javascript: URI
MFSA 2006-71 LiveConnect crash finalizing JS objects
MFSA 2006-70 Privilege escalation using watch point
MFSA 2006-69 CSS cursor image buffer overflow (Windows only)
MFSA 2006-68 Crashes with evidence of memory corruption (rv:1.8.0.9/1.8.1.1)
Firefox 1.5
... a lot more

#3 By 23275 (24.179.4.158) at 7/4/2007 11:04:44 AM
Please note, Windows Vista's Integrity Mechanism - Windows Vista includes an addition to the access control security mechanism of Windows that labels processes and other securable objects with an integrity level. As we all know, Internet-facing programs are at higher risk for exploits than other programs because they download untrustworthy content from unknown sources. Running these programs with fewer permissions, or at a lower integrity level, than other programs reduces the ability of an exploit to modify the system or harm user data files. Internet Explorer 7 in Windows Vista uses the Integrity Mechanism and it is what is behind IE 7's Protected Mode. But that is only the beginning - ANY developer has access to the tools that make this possible and it gets better, any single process may be executed in this space, or any grouping of them - so the parts of an application that face the Internet should use them. Think of these as objects, or securable objects in MS speak - see, http://msdn2.microsoft.com/en-us/library/aa379557.aspx also see, http://msdn.microsoft.com/library/default.asp?url=/library/en-us/IETechCol/dnwebgen/ProtectedMode.asp
Further, the User Interface Privilege Isolation (UIPI) prevents processes from sending selected window messages and other USER APIs to processes running with higher integrity. If UAC and Protected Mode are straight rights in Vista's security arsenal, the UIPI is one of Vista's stiff jabs. UIPI continually counters attempts to escalate processes and it keeps bad-guy-code off balance. At the same time, it provides developers with an easy way to check process escalation without burning the user experience. Go here to learn how to use it, http://msdn2.microsoft.com/en-us/library/ms644950.aspx
IE 7 in Vista uses these techniques concurrently, to make browsing the Internet safer. Firefox does not feature these assets. I am not certain why Moz/FF have not made use of these available tools - it makes no sense.
This post was edited by lketchum on Wednesday, July 04, 2007 at 11:11.
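
The integrity check described in comment #3, as an added example that is not part of the original thread: a Python model of the mandatory label test that Windows applies in addition to the DACL. The paths and SDDL strings are constructed, and the code models the policy only; it calls no Windows API.

```python
import re

# Integrity levels: SDDL abbreviation -> RID of the label SID S-1-16-<RID>.
LEVELS = {"LW": 0x1000, "ME": 0x2000, "MP": 0x2100, "HI": 0x3000, "SI": 0x4000}
# Policy flags in the label ACE: which access a lower-integrity caller is denied.
POLICIES = {"NW": "write", "NR": "read", "NX": "execute"}
# An object with no label ACE is treated as Medium with no-write-up.
DEFAULT_LABEL = (LEVELS["ME"], {"write"})
LABEL_ACE = re.compile(r"\(ML;[^;]*;([A-Z]*);;;(LW|ME|MP|HI|SI|S-1-16-\d+)\)")

# Constructed sample objects (hypothetical paths and SDDL strings).
CACHE = r"C:\Users\alice\AppData\LocalLow\browser\cache"
DOCS = r"C:\Users\alice\Documents\taxes.xls"
HOSTS = r"C:\Windows\System32\drivers\etc\hosts"
SAMPLE = {
    CACHE: "O:BAG:BAD:(A;;FA;;;BA)S:(ML;OICI;NW;;;LW)",
    DOCS: "O:BAG:BAD:(A;;FA;;;BA)",  # no label ACE: Medium, no-write-up
    HOSTS: "O:SYG:SYD:(A;;FA;;;SY)S:(ML;;NWNR;;;S-1-16-12288)",
}


def parse_label(sddl):
    """Return (integrity_level, denied_access_kinds) for one SDDL string."""
    m = LABEL_ACE.search(sddl)
    if not m:
        return DEFAULT_LABEL
    rights, sid = m.groups()
    level = LEVELS[sid] if sid in LEVELS else int(sid.rsplit("-", 1)[1])
    return level, {POLICIES[flag] for flag in re.findall(r"N[WRX]", rights)}


def mic_allows(subject_level, sddl, access):
    """Mandatory integrity check only; the DACL is evaluated separately."""
    level, denied = parse_label(sddl)
    return subject_level >= level or access not in denied


def writable_by(subject_level, objects):
    """Paths whose label lets a process at subject_level request write access."""
    return sorted(p for p, s in objects.items() if mic_allows(subject_level, s, "write"))


if __name__ == "__main__":
    print("Low process may write:", writable_by(LEVELS["LW"], SAMPLE))
    print("Low process may read DOCS:", mic_allows(LEVELS["LW"], SAMPLE[DOCS], "read"))
```

The default label denies writes only, so in this model a Low process can still read the unlabelled document unless a no-read-up label or the DACL says otherwise.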

#4 By 16797 (142.46.227.65) at 7/4/2007 12:10:50 PM
Why is Windows Mail not running in protected mode?
Windows Media Player (when playing files downloaded from internet), could be another candidate, too.

#5 By 15406 (216.191.227.68) at 7/4/2007 12:13:02 PM
#3: I could think of several reasons why it makes some sense. Perhaps the Mozilla team does not have access to these new super-awesome MS security APIs. Maybe they do; I don't know. Perhaps they are working on it, but MS is a little slow on the assistance so that IE7 could get a head-start in the browser PR wars ("Only IE7 has Protected Mode!"). Perhaps, seeing as how they make a browser that can be compiled on many different platforms, they don't want to get locked into one vendor's proprietary functionality. Perhaps they decided that to depend on MS for security, no matter how well-intentioned, is not in their best interests. While MS has made claims about Protected Mode, the jury is still out on how effective those measures are.

#6 By 32132 (142.32.208.232) at 7/4/2007 12:41:25 PM
#3 Even XP had a simple registry change that stripped any admin tokens out before an application ran.
The Mozilla team has been "working" on this since October. Why is it taking them so long? Too busy counting Google cash? Part of the conspiracy to try and keep Vista from doing so well.
"October 6, 2006
Mozilla developers who spent several days this week with the Windows Vista team at Microsoft's Redmond, Wash. campus said that they're considering implementing a security feature in the upcoming OS to better protect future versions of Firefox from attack.
Vladimir Vukićević, who was one of the Mozilla team to take up Microsoft's August offer of Vista assistance, said that Vista's "Low Integrity Mode" might make Firefox less susceptible to exploits."
http://www.techweb.com/wire/security/193105163
This post was edited by NotParker on Wednesday, July 04, 2007 at 12:41.

#7 By 23275 (24.179.4.158) at 7/4/2007 1:11:34 PM
#4, Windows Mail and Outlook 2007 do not use IE 7's rendering engine. They each use an even more restricted engine, partly based upon that used by Office 2007 applications. It is slower than IE 7, but it is safer and it disallows forms of access often used by criminal hackers.
#5, No, they are not secret at all and in fact, Microsoft hosted a special summit for Mz/FF devs to work directly with IE 7/Windows Vista engineers - work that continues to this day, but mostly between specific engineers, which appears to be Moz's choice.
The links I provided reflect how to use securable objects and the other technologies. Much more additional information is available to partners and ISV's - most of which have not had a purpose structured summit as Moz/FF did. According to Mike Schroepfer at the Moz foundation, their team prefers patching as opposed to using protected mode, though he states that they are considering it as they also like the idea of a layered defense. He does however, misstate what PM, and securable objects can actually prevent. I think Moz/FF should give this more consideration and take advantage of the tools available to Windows Vista - and therefore all applications that run on it.

#8 By 15406 (216.191.227.68) at 7/4/2007 2:54:07 PM
#7: Another potential reason would be they're too far along in the 3.0 development to throw in PM support, but perhaps in 3.5...

#9 By 32132 (142.32.208.232) at 7/4/2007 5:06:30 PM
3.0 isn't due out until next year.

#10 By 23275 (24.179.4.158) at 7/4/2007 5:12:36 PM
#8, I guess about any reason is possible - including it all coming down to pride, spite, a lack of humility, stubbornness, adolescent nonsense, and a huge dose of nah...nah, nah, nuh, nah nah...
We have to face facts - we have two countries now and MS wants to sell software to both of them. Moz/FF doesn't. I mean, Moz/FF waved the "we're more secure" flag around so much, they can't very well admit that MS would have anything of any value to them in this regard - perpetuating the myth is just too important.
As for 3.x - it's all about cloud based apps sync and coalition with Google that Moz/FF likes to pretend isn't there.
If I were MS, I'd crush them by leveraging what is already there - namely their ability to "late start" all apps <that's a signal term by the way, and not a reflection on late shipping software>, and fully leverage what they can already do - remotely connect anything and use intelligent caching to make it smooth without burning the user experience [look out for how SharePoint will be leveraged this way]. I mean, look at their ability to support an Excel server - it's wicked cool and fun for devs. As I said last year, IE isn't going to be about a browser as we know it.
This post was edited by lketchum on Wednesday, July 04, 2007 at 17:13.

#11 By 16797 (65.93.149.195) at 7/5/2007 12:53:08 AM
#7 "#4, Windows Mail and Outlook 2007 do not use IE 7's rendering engine. They each use an even more restricted engine, partly based upon that used by Office 2007 applications. It is slower than IE 7, but it is safer and it disallows forms of access often used by criminal hackers. "
I think you're wrong on this one, partially.
Windows Mail was affected by that recent "ANI cursor" flaw (or whatever it was called). I don't think it uses Office 2007's rendering engine.
Outlook 2007 does use a rendering engine based on Word 2007 and was not affected, so you're right there.

#12 By 15406 (216.191.227.68) at 7/5/2007 8:01:42 AM
#10: We have to face facts - we have two countries now and MS wants to sell software to both of them. Moz/FF doesn't. I mean, Moz/FF waved the "we're more secure" flag around so much, they can't very well admit that MS would have anything of any value to them in this regard - perpetuating the myth is just too important.
I'm not sure where you're trying to go here. You start off by talking about how MS wants to sell software and Mozilla doesn't. That turns into a dig at Mozilla by insinuating that they're not using PM because of insolent pride. Mozilla did not wave the flag. They were pretty much silent. FF users and bug trackers like CERT and many, many Windows sites (like WinInformant) were waving the flag for them. If PM turns out to be what it claims, I'm sure the FF guys will use it as long as they aren't prevented from doing so by MS.

#13 By 32132 (66.183.203.110) at 7/5/2007 8:23:40 AM
#12 "They were pretty much silent"
Nope.
See #6
Vladimir Vukićević, who was one of the Mozilla team to take up Microsoft's August offer of Vista assistance, said that Vista's "Low Integrity Mode" might make Firefox less susceptible to exploits."

#14 By 2960 (24.254.95.224) at 7/5/2007 12:37:49 PM
#2,
The key word is FIXED. If only MS was so light-footed.
I'm astonished that you can still, today, be hit with a drive-by spyware installation in IE.
TL

#15 By 32132 (142.32.208.232) at 7/5/2007 5:42:49 PM
#14 "The key word is FIXED"
Fewer vulnerabilities help a lot!
Many people are not patched. According to my weblogs over the last week I've got people with Firefox .9 still running.
I get more hits with 1.5.0.1 (2346) than 1.5.0.12 (2185).
There have been 30 severe security holes found in post-1.5.0.1.