Dailydave mailing list archives
Re: Firefox bugs
From: "Lorenzo Hernández García-Hierro" <lorenzohgh () tuxedo-es org>
Date: Wed, 4 Oct 2006 13:48:48 +0200
On 10/3/06, Dave Aitel <dave.aitel () gmail com> wrote:
> Web bugs are not code executing on your computer. Typically they're not even JavaScript, just an embedded image or audio file that loads from a remote site. Spyware is code executing on your computer. I'm going to say though, I do think weev has 30 JavaScript bugs in Mozilla. The question for Window Snyder is "What are you going to do about it?" Is Firefox at least compiled with /Gs these days (or ProPolice (what's the current best GCC flag?) on Linux/OS X)? Does Mozilla help Novell install their application profile stuff? Does Mozilla have a certified SELinux profile? Making browsing safe is a hard job and there's a lot Mozilla can do. $500 bucks a bug is not it.
SSP/ProPolice has been adopted by the GCC folks since 4.1, AFAIK. Once that version becomes 'mainstream' (i.e. widely deployed), people will be able to distribute binaries compiled with the -fstack-protector flag without compatibility worries (hopefully).

The point is that I have spare fingers on my left hand after counting the number of so-called distributions (rip-offs?) that implement any of the security technologies you've mentioned. Fedora Core, Suse, and that's mostly it. The good old mainstream ones and their commercial counterparts. Most derived works tend to remove the stuff (e.g. CentOS won't ship with SELinux, but RHEL does) as they can't support it, or just consider it 'overkill', or have some other reasons. And nowadays there's a lot of focus on eye candy and so on, instead of making things actually work the way they should.

Suse comes with AppArmor (from the Immunix fellows) and FC comes with SELinux and the targeted policy (which basically enforces only on network-exposed and critical packages, not the whole system à la strict policy). SELinux refpolicy currently provides a Mozilla policy: http://oss.tresys.com/projects/refpolicy/browser/trunk/policy/modules/apps AppArmor also has a Mozilla profile (AFAIK).

BTW, SSP/ProPolice probably won't play well with multimedia stuff. I'm not sure it would be compatible with things like the Flash Player plugin, but I could be utterly wrong about that.

On the other hand, check out this: http://web.archive.org/web/20050319003526/http://web.verbum.org/imsep/ It could be of real benefit to web browsers (e.g. containing image and media loaders and preventing them from processing/loading untrusted sources). Today it was suggested to me that I continue the development, as apparently it's stalled. Once I get the time for it, I might develop something along those lines, or just continue the project in case Colin (the original developer) keeps the archive or wants to work on it.

Cheers.
_______________________________________________ Dailydave mailing list Dailydave () lists immunitysec com http://lists.immunitysec.com/mailman/listinfo/dailydave