Dailydave mailing list archives

Re: Firefox bugs

From: "Lorenzo Hernández García-Hierro" <lorenzohgh () tuxedo-es org>
Date: Wed, 4 Oct 2006 13:48:48 +0200

On 10/3/06, Dave Aitel <dave.aitel () gmail com> wrote:

Web bugs are not code executing on your computer. Typically they're not even
javascript, just an embedded image or audio file that loads from a remote
site. Spyware is code executing on your computer.

I'm going to say though, I do think weev has 30 Javascript bugs in Mozilla.
The question for Window Snyder is "What are you going to do about it?" Is
Firefox at least compiled with /Gs these days (or pro-police (what's the
current best GCC flag?) on Linux/OS X? Does Mozilla help Novell install
their application profile stuff? Does Mozilla have a certified SELinux
profile? Making browsing safe is a hard job and there's a lot Mozilla can
do. $500 bucks a bug is not it.


SSP/ProPolice has been adopted by the GCC folks since 4.1, AFAIK.
Once that version becomes 'mainstream' (ex. widely deployed), people
will be able to distribute binaries compiled with the
-fstack-protector flag, without compatibility worries (hopefully). The
point is that I have spare fingers in my left hand after counting the
number of so-called distributions (rip-offs?) that implement any of
the security technologies you've mentioned. Fedora Core, Suse and
that's mostly it. The good old mainstream ones and their commercial
counterparts. Most derived works tend to remove the stuff (ex. CentOS
won't ship with SELinux, but RHEL does) as they can't either support
it or just consider it an 'overkill' or have some other reasons.

And nowadays there's a lot of focus on eye candy and so on, instead of
making things actually work they way they should.

Suse comes with AppArmor (from the Immunix fellows) and FC comes with
SELinux and targeted policy (basically enforces only network exposed
and critical packages, not all the system ala strict policy).

SELinux refpolicy currently provides a Mozilla policy:
http://oss.tresys.com/projects/refpolicy/browser/trunk/policy/modules/apps
AppArmor has also a Mozilla profile (AFAIK).

BTW, SSP/ProPolice won't play well with multimedia stuff probably. I'm
not sure it would be compatible for things like the Flash Player
plugin but I could be utterly wrong about that.

On the other hand, check out this:
http://web.archive.org/web/20050319003526/http://web.verbum.org/imsep/

It could be of real benefit to web browsers (ex. containing image and
media loaders and preventing those from processing/loading untrusted
sources).

Today I've been suggested to continue the development as apparently
it's stalled. Once I get the time for it, I might develop something
along those lines or just continue the project in case Colin (the
original developer) keeps the archive or desires to work on it.

Cheers.
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave

Current thread:

Re: Firefox bugs, (continued)
- - - Re: Firefox bugs Thor Larholm (Oct 03)
  - Re: Firefox bugs Matt (Oct 03)
- Re: Firefox bugs Alexander Sotirov (Oct 03)
  - Re: Firefox bugs Dave Aitel (Oct 03)
    - Re: Firefox bugs endrazine (Oct 03)
    - Re: Firefox bugs [iRant] Bas Alberts (Oct 03)
    - Re: Firefox bugs [iRant] Jared DeMott (Oct 04)
    - Re: Firefox bugs Rob Lemos (Oct 04)
    - Re: Firefox bugs James (njan) Eaton-Lee (Oct 04)
    - Re: Firefox bugs Jared DeMott (Oct 04)
    - Re: Firefox bugs Lorenzo Hernández García-Hierro (Oct 04)
    - Re: Firefox bugs Matt Richard (Oct 04)
- Re: Firefox bugs Juha-Matti Laurio (Oct 03)
- Re: Firefox bugs Juha-Matti Laurio (Oct 03)