
8/20/2014 Firefox is still the least secure web browser, falls to four zero-day exploits at Pwn2Own | ExtremeTech

http://www.extremetech.com/computing/178587-firefox-is-still-the-least-secure-web-browser-falls-to-four-zero-day-exploits-at-pwn2own

FIREFOX IS STILL THE LEAST SECURE WEB BROWSER, FALLS TO FOUR ZERO-DAY EXPLOITS AT PWN2OWN
By Sebastian Anthony on March 17, 2014 at 9:09 am
At Pwn2Own 2014, an annual computer hackfest in Vancouver, Mozilla's Firefox has proven yet
again that it's the least secure major web browser. While all four major web browsers
(Chrome, Internet Explorer, Firefox, and Safari) were successfully exploited, for a grand
total of $850,000 in prize money awarded to successful security researchers, Firefox was
by far the least secure browser, racking up no less than four zero-day vulnerabilities. These
vulnerabilities, if they were in the wild, would allow a hacker to do just about anything with
your computer if you visited a specially crafted website.
Firefox has never had a great record at Pwn2Own. While the format of the contest has
generally changed every year since its inauguration in 2007 (different platforms, different
rules, different attack vectors), Firefox has been involved in some way or another since
2009. While Chrome went unhacked in 2009, 2010, and 2011, the only year that Firefox
wasn't hacked was 2011. Since 2012, however, as security researchers have grown ever
more wily, every major browser has fallen to at least one zero-day vulnerability. That four
separate vulnerabilities were found in Firefox at Pwn2Own 2014, however, is impressive.
(Read: The death of Firefox.)

Firefox's weaker security is generally attributed to its lack of a sandbox: a shell or firewall
around a piece of software that keeps it segregated from the rest of the operating system.
In theory, the sandbox should prevent the browser from running other programs, reading
the contents of your RAM, or opening other files. Chrome, Safari, and Internet Explorer
(newer versions) all have a sandbox, while Firefox does not. In short, if someone finds a big
enough vulnerability in Firefox, there's nothing preventing them from gaining complete
access to your computer. It is slightly disconcerting that security researchers found four
such vulnerabilities in just three days at Pwn2Own. (Read: How to surf safely: From LastPass
to tin foil hats, and everything in between.)
The key to improving Firefox security: Multiple processes

Somewhat fortunately for us, since Pwn2Own 2013, all of the vulnerabilities are reported to
the web browser makers so that they can be fixed in a timely fashion. Still, it is a good
reminder that Firefox might not be the best choice of browser if security is one of your
primary concerns when surfing the web. As for why Firefox doesn't have a sandbox, it's
most likely because it was conceived in an era when security on the web was still a nascent
and naive topic. Chrome, which was developed a few years later, was intentionally
designed from the outset to be very fast and secure. Likewise, Microsoft went through a
complete overhaul between IE8 and IE9, adding a sandbox and other modern features so
that it could actually stand next to its peers without being snickered at. Mozilla would like
to add sandboxing to Firefox, but it's very hard to add sandboxing to a program that wasn't
originally designed for it. (For technical people: It's closely linked to the Electrolysis project,
which will eventually give Firefox per-tab processes.)

A grand total of $850,000 in prize money was given out to security researchers at Pwn2Own
2014. Much like 2012 and 2013, French security firm Vupen had a very strong showing,
taking home $400,000 for a total of 11 zero-day vulnerabilities, covering Chrome, Firefox,
IE, and Adobe Flash and Reader. George Hotz (yes, Geohot of PlayStation and iOS hacking
fame) took home $50,000 for a Firefox exploit. The prize money is awarded by the Zero-Day
Initiative (owned by TippingPoint, which was acquired by HP), which actually buys the
vulnerabilities from the hackers, so that they can improve the security of TippingPoint/HP
products.
[Image credit: Gill Penney]
63 Comments
Reply
Jake Locker 5 months ago
You know you're in for a rough day as a web browser when IE is considered the better
choice...

42
Reply
Ray C 5 months ago Jake Locker
Not if you don't hold a bias for or against any particular software

10
Reply
XenoSilvano 5 months ago Ray C
It's not bias, it's Internet Explorer that is just plain ####.

8
Reply
XenoSilvano 5 months ago XenoSilvano
It's about time to sandbox my Firefox.

10
Reply
paul 5 months ago Jake Locker
Firefox with noscript is the best choice available now.
You will not get a plugin like noscript for google chrome or ie. Trust is a hard thing to
find these days.

4
Reply
Chris Bordeman 5 months ago paul
Chrome + Ghostery and Grease Monkey

2
Reply
Jon Q. Publix 5 months ago paul
"Firefox with noscript is the best choice available now."
Not an effective solution for the average user. Disabling javascript effectively
cripples the web experience.

6
Reply
nithudi 5 months ago paul
HTTP Switchboard. Blocks scripts (including inline scripts). It's Request
Policy + Noscript + Adblock + many privacy enhancing features.

4
Reply
Ray 5 months ago Jake Locker
Only thing is that Firefox is the best overall browser and everyone who knows about
these types of things knows it, plus most non biased and non corporate.

12
Reply
George Valkhoun 2 months ago Jake Locker
This article is FUD and probably funded by google in some way. What a joke. This
doesn't prove firefox is the least secure. And what is with "the death of firefox". This
article is just another of these FUD articles to get people to switch to Chrome. We
all know by now Google's run by the CIA, NSA or whatever other pack of worthless
excuses of existence. Who are you going to trust? Closed source spyware or open
source?

2
Reply
Mac JT 5 months ago
Switched to Chrome, never looked back at Crappyfox.

11
Reply
David 5 months ago Mac JT
SRWare's Iron chromium port is even better :)

1
Reply
George Valkhoun 2 months ago Mac JT
You're an idiot.

7
Reply
jpmjr 5 months ago
lol, funny how so many "pc experts" always knock people using ie and tell them to use
firefox.

12
Reply
Sebastian Anthony 5 months ago Admin jpmjr
Well, zero-day vulnerabilities are one thing -- there are other reasons you might
want to use Firefox! (Add-ons, functionality that IE11 misses, etc.)
It's a balancing act. If security is your #1 concern, I would say use Chrome, or IE11
on a fully-patched Windows 8 machine.

19
Reply
Guest 5 months ago Sebastian Anthony
Among the reasons time-to-patch is another one to consider. From a 2011
study from Accuvant (I'm not aware of more recent studies), IE appeared to
be the slowest (214 days) while Chrome (53 days) was the fastest with
Firefox (158 days) in between.
Browser+platform share is another factor, the probability of falling to an
attack on unknownbrowser+linux is lower than the common IE+windows
even if the first has probably more bugs.

5
Reply
Phobos 5 months ago Sebastian Anthony
What kind of add-ons are we talking about? I haven't used FF in a very long
time, I have it as a backup just in case IE goes down, though it rarely does. I
hardly have any problems with IE, not sure why people hate it so much, and I
have used it since IE7, though I do agree IE8 was flaky and 10 for some
reason it crashed Adobe Flash in YouTube web page. 9 and 11 are great.

3
Reply
Ray 5 months ago Sebastian Anthony
Security with Chrome? that's funny considering Google is anti privacy and
security.

18
Reply
Fla 5 months ago Ray
Yeah, it looks like nobody here saw that they do not control what is
happening in Chrome, Safari or IE. *This* is the first security leak...

4
Reply
joe 2 months ago Sebastian Anthony
or just install Sandboxie and manually or automatically sandbox any program
that touches the internet.


Kellic 5 months ago jpmjr
The nature of IE and its deep ties into the bowels of Windows is one core reason
why avoiding IE is a good thing. I'm well aware of its sandbox capabilities, but the
simple fact is after the better part of a half decade of ignoring security on the
browser side of the force. I trust IE as far as I could throw Microsoft's campus.
They have burned so many of their advocates over the years that they could build
the most secure browser in the known universe, it wouldn't matter. The minute you
mention IE to a seasoned IT professional you will have them flash back to long
evenings spent patching IE only to have a patch for the patch come out the day
later and in one case I remember a patch for the patch for the patch.
Level of ****s given about IE: -8

16
Reply
Ray C 5 months ago Kellic
Well, it's easy for other companies to not ignore security after all the
headaches Microsoft had to go through. Look at the one company that
came around before Microsoft made those changes, Firefox. They're the
weakest on security. It's easy for any product, browser or otherwise, to
come many years after another product has been in existence and make
changes or point out what is wrong with another product. It's also easy to
constantly complain about what another company did 5 to 10+ years ago
compared to what is going on now instead of just looking at now

9
Reply
FlyFlyTN 5 months ago jpmjr
The lesson is that nothing ever stays the same. IE was a complete joke until
recently, for security, features and standards. MS had to react (slowly) and now
they've got somewhere. In the meantime, FF slipped in relation. This is why I am
always prepared to change my view over time, because nothing is set in stone.

12
Reply
Ray 5 months ago jpmjr
If you would actually inform yourself and not simply read this you would know that
the best overall browser is still Firefox and has been for a while now.

4
Reply
Sijjvra 5 months ago
I hope you know that the picture is a group of red pandas... Not foxes. Just sayin' maybe
you were hacked?

11
Reply
Sebastian Anthony 5 months ago Admin Sijjvra
http://www.bbc.co.uk/nature/li...

9
Reply
Phobos 5 months ago Sijjvra
red pandas or foxes one thing for sure they look fucking adorable.

3
Reply
Chewykernel Geo 5 months ago
This would imply that the lesser developed 64-bit Firefox engines (Waterfox in my case)
have even bigger holes.

1
Reply
FlyFlyTN 5 months ago Chewykernel Geo
Bigger holes because there's more bits to fill of course....


Reply
Jon Q. Publix 5 months ago Chewykernel Geo
This would imply that Firefox OS is one big ball of security lapses.

3
Reply
paul 5 months ago
Heartbreaking to know that Firefox has so many security holes.
Should consider Opera or Chromium. Can't trust Google products.

13
Reply
tgrech 5 months ago paul
Try Maxthon. Great Chrome alternative, lots of great features, not made by Google,
one of the fastest browsers there are, and security focused. Not many plugins
though.


Reply
Cees Timmerman 5 months ago paul
I've used Opera years back, but it had too many keyboard options and ran as a
single process.


Reply
paul 5 months ago
On second thoughts, I think it is better to live with security holes in 100% open source
projects like Firefox (with NoScript installed) than installing proprietary software like Google
Chrome.

9
Reply
Jon Q. Publix 5 months ago paul
So you just throw caution and safety to the wind in favor of open source? Wasn't
one of the big selling points of open source supposed to be better security --- eyeballs
on code and all that rot?
Your call but you only have yourself to blame. Good luck.

10
Reply
tgrech 5 months ago Jon Q. Publix
The point is it's not throwing caution to the wind, because it's open source.
The security benefits of open source software far outweigh the "dangers".

1
Reply
Cees Timmerman 5 months ago tgrech
Do you leave your house unlocked in case emergency services
have to enter? Secret services are well known to use zero-day
exploits as well, before reporting them if in the interest of their
country.

1
Groud Frank 4 months ago Cees Timmerman
I would leave my house open if there was a community of people
keeping an eye on it. Absolutely.

2
Reply
Cees Timmerman 10 days ago Groud Frank
I saw a community on the news today, but they were quite irate over
a certain flag.


Reply
Lophs 5 months ago
Yet it is always IE that is in the news. I wouldn't forgo real world data for test lab experiments.
"If we count just the critical zero-days, there were at least 89
non-overlapping days (about three months) between the beginning of 2011
and Sept. 2012 in which IE zero-day vulnerabilities were ACTIVELY EXPLOITED"
http://krebsonsecurity.com/201...

1
Reply
Paul Salmon 5 months ago Lophs
In addition to the thought, it has been shown that 100% of IE vulnerabilities in
2013 could have been mitigated by using a standard user account instead of an
admin account. From Vista onwards, there is zero reason to use an administrator
account as an everyday user.


Reply
Cees Timmerman 5 months ago Paul Salmon
I can't believe.. wait, people complained about Vista's prompts, but still, i
can't believe that's still an issue.


SumGuy954 5 months ago
Easier to use less secure. I guess that makes sense. Firefox is more convenient for me,
but I have always known it is less secure. I have always considered IE to be more secure if
configured properly vs the others. I know some disagree, but this is my opinion.
I still prefer to use the Chrome and Firefox.

1
Reply
Paul Salmon 5 months ago SumGuy954
Same here. I prefer Firefox, but have Chrome as a backup, just in case I have
trouble with a website using NoScript.

2
Reply
Cees Timmerman 5 months ago Paul Salmon
If Chrome didn't hide its plugins and respected my session management
(don't spend 15 minutes loading everything; only what i click on), i'd probably
be using it instead of Firefox. Also, debugging is still best in Firefox.

1
Reply
Julien 5 months ago
Bad news for Firefox this day. How is it possible to work on untrusted world wide code
without sandbox??? Maybe refactoring this will also increase stability with memory when
keeping the browser open for long time.. and a better sandbox when Flash crashes too...
You're the only browser company I want to make trip with. Keep the good work.


Reply
Cees Timmerman 5 months ago Julien
Flash crashes are no problem in Firefox anymore, but hangs are. Stupid complex
threading setup.


Reply
HowardBrazee 5 months ago
The only reason I use Firefox is that, unlike the new "improved" Opera, it has old fashioned
book marks, and unlike Chrome, those bookmarks have a place to put comments, such as
my UserID and password clues.

