Writing Secure Web Browsers is Hard


I’m not making excuses, just stating facts. In fact, I just read this from SANS… emphasis is mine.


http://www.sans.org/newsletters/newsbites/newsbites.php?vol=7&issue=19


Fixes Not Yet Available for Firefox Vulnerabilities (9 May 2005)
Two vulnerabilities in the Firefox web browser could allow attackers to gain control of users’ computers just by getting them to visit a maliciously crafted web site. Mozilla is recommending that Firefox users disable Javascript or lock down the browser to prevent it from installing additional software. There is no a patch available, although information about the vulnerabilities and proof-of-concept exploit code have already been released. Mozilla plans to release an update, Firefox 1.0.4, as soon as possible.
http://informationweek.com/story/showArticle.jhtml?articleID=163100338
http://www.vnunet.com/news/1162904
[Editor’s Note (Schultz): The number of vulnerabilities in Firefox recently has been alarming. At first Firefox appeared to be an attractive alternative to Internet Explorer (IE) for security reasons, but IE is now looking better and better in comparison.
(Shpantzer): There’s so much hacking at the application layer, at some point we’ll have to actually lock down configurations for all browsers, regardless of the security mythology that surrounds the project’s code and architecture. If you have a supposedly ‘secure’ browser that’s insecurely configured, well, it’s not very secure. ]

Comments (3)

  1. Ben Woolley says:

    I am using Galeon, a gecko-based browser, and much of the vulns lately in Firefox don’t even affect me, especially the bad ones. Opera has been doing pretty well, too. It seems that the real problem is making something tries to do _everything_ secure.

    Most vulns that attack programming logic seem to attack those features that make the browser do things that I don’t think a browser should even be doing, like updating itself, or automatically running programs. I think that the idea of being extensible, and practically like a platform is just fine. It is the philosophy that it has to integrate everything that makes it difficult. Firefox is trying to be the browser for everyone and everything.

    I don’t think that it is the fault of Firefox that it didn’t have an auto update feature. I never needed it because I didn’t run Windows. The only reason why Firefox needed it in the first place was to compete with Windows Update. Third-party software should NOT have to implement its own update procedure. From where I come, that is the responsibility of the operating system.

    So basically, it comes to bad design decisions yet again. You have to admit that IE has some horrible design decisions. The problem with Firefox is that it is following IE’s lead there, in order to compete with it. Meanwhile, I will happily be running Just A Browser, and be happy.

  2. seth arnold says:

    I wish PivX hadn’t taken down their list of unpatched IE vulnerabilities. When they took it down, the list was around 33, some known for two years.

    Writing a secure web browser isn’t hard. Getting it to also do all the dancing-pig things that users want (and are willing to switch browsers for), on the other hand….

    I’m glad it isn’t my line of work. 🙂

  3. Ben Woolley says:

    Seth, secunia has a page which is similiar:

    http://secunia.com/product/11/

    They also have pages for the other browsers as well. I think you might find it even more informative than the old PivX site.