flat assembler
Message board for the users of flat assembler.

Index > Heap > Firefox Fix Due Next Week After Attack Is Published

Goto page Previous  1, 2, 3, 4
Author
Thread Post new topic Reply to topic
drhowarddrfine



Joined: 10 Jul 2007
Posts: 535
drhowarddrfine
Because, again, you are insisting harm is being done in the normal operation of the browser when it was not so. You can visit the most malicious site in the world and the only way you would be affected is if that site was aware of the vulnerability, created code to exploit it and put it on their page. But because no one outside of Mozilla and these two researchers were aware of it, you were not going to have any issues with it whatsoever. Especially considering the time of discovery to the time of patch release was only 9 days, in this case.

iow, no one was ever in any danger because there were no exploits.
Post 20 Jul 2009, 16:41
View user's profile Send private message Reply with quote
Azu



Joined: 16 Dec 2008
Posts: 1160
Azu
Frank wrote:
Back to the car analogy. Car manufacturer XYZ finds out that braking very hard makes the brakes in their cars fail. They work on a fix, but they don't tell anyone about the problem. In fact, they move customer reports about failing brakes out of public sight. Why? Because, if it was publicly known that XYZ cars cannot brake hard, some people might try (for fun, or for profit) to provoque situations where XYZ customers must brake hard.

Is the manufacturer's information hiding policy acceptable for you? Do you think it would be considered acceptable by, say, the Hawaiian traffic authorities?
Why are you copy and pasting your hilariously horrible anology again? I already debunked it. And now I'll just do so again in the same way I did before; problems with car brakes only harm the user if they are not known, where as security vulnerabilities only harm the user if they are known!

That is why it is best for as few people as possible to know about the vulnerability until it is fixed! Obviously it is fine to say "There is vulnerability/vulnerabilities and you should apply this patch to fix them" but it is not good to tell everyone what the vulnerability is and how to use it until you are sure that nobody is effected by it anymore! That is why so many people disapprove of Mozilla having done that in 3.5.0 (not 3.5.1, that isn't a security vulnerability).


Frank wrote:
Leave out the "here's how to exploit it" part, but the rest is exactly what I expect from a responsible manufacturer. A big, fat, red warning box on the front page, telling the users "Firefox 3.5: Please switch off Javascript for untrusted websites, we may have a security issue that we are currently looking into."
That is already narrowing down the location of vulnerability by a LOT! Much better just to fix it and let people know they should update for security reasons, that way you aren't giving away any info to the black hats except that there is some vulnerability somewhere. Zero-day exploits are by nature time-critical so the less information you give about them while they are there the better.
Post 20 Jul 2009, 20:36
View user's profile Send private message Send e-mail AIM Address Yahoo Messenger MSN Messenger ICQ Number Reply with quote
Frank



Joined: 17 Jun 2003
Posts: 100
Frank
@Azu: I did not simply copy & paste the example. I introduced "black-hat guys" to show how the car example is actually not so different from the software situation that you had described immediately before. You did not catch that. What you "debunked" is a simplified strawman version of the car example. But it does not matter. Let's agree to disagree.

@DrH: It seems fair to summarize your argument like this: "It all went well, so why complain." The complaint is about "the next time(s)." Without the bug hiding, FF's security is scrutinized by "the world" -- my favorite computer magazine / technical blog / developer mailing list / and so on, they all compete for being the first to tell me about possible security issues. With the bug hiding, they won't know about critical flaws either. Instead, security now completely depends on a handful of Mozilla developers: that they get things right, and quickly enough, too. Note that the browser's security model just changed from one that is based on "public scrutiny" to one that is based on "blind trust." Somehow I prefer the former. But as above: we should just agree to disagree.
Post 21 Jul 2009, 10:01
View user's profile Send private message Reply with quote
drhowarddrfine



Joined: 10 Jul 2007
Posts: 535
drhowarddrfine
I never follow that "agree to disagree" cause it's the same as "I don't want to talk about it anymore".

The purpose of hiding the code is when developers are already aware there is a potential problem and it is scheduled to be looked at. They NEVER hide code otherwise. And the list of developers is far more than a handful.

So, and now I'm not sure if I'm mis-remembering things, but they did NOT hide the code, in this case, and that is why the researchers were able to find the problem on their own. In OTHER cases, when they feel there is a potential problem, they would have but did not in this case cause they did not know there were any issues, as is common with such things of course.

You are still wanting people to expose exploits into the browser before the developers have a chance to fix them and that would never be a good thing.
Post 21 Jul 2009, 14:35
View user's profile Send private message Reply with quote
Azu



Joined: 16 Dec 2008
Posts: 1160
Azu
Frank wrote:
@Azu: I did not simply copy & paste the example. I introduced "black-hat guys" to show how the car example is actually not so different from the software situation that you had described immediately before. You did not catch that. What you "debunked" is a simplified strawman version of the car example. But it does not matter. Let's agree to disagree.
Your analogy is a strawman. You're trying to compare two things that are the exact opposite. If you want to use a car analogy and have it fit, here's one for you; there is something wrong with the locking mechanism in the doors, that lets anyone open them even if they are locked by simply hitting them 3 times and then spraying water in the keyhole.

The solution is to tell everyone who bought that model of car that they should take in it in and have it fixed (free of charge), not to post an article in the newspaper explaining how to break into it.
Post 21 Jul 2009, 19:09
View user's profile Send private message Send e-mail AIM Address Yahoo Messenger MSN Messenger ICQ Number Reply with quote
Display posts from previous:
Post new topic Reply to topic

Jump to:  
Goto page Previous  1, 2, 3, 4

< Last Thread | Next Thread >
Forum Rules:
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Copyright © 1999-2020, Tomasz Grysztar.

Powered by rwasa.