
Germany Warns Against Using Firefox

Posted by timothy
from the fuer-ihre-sicherheit dept.
jayme0227 writes "Due to the recent exploit in Firefox, Germany has warned against its use. This comes a couple months after Germany advised against using IE. Perhaps we should start taking odds as to which browser will be next." Note: the warning (from the Federal Office for Information Security) is provisional, and should be rendered moot by the release later this month of 3.6.2.
  • 3.6.2 released (Score:5, Informative)

    by Anonymous Coward on Tuesday March 23, 2010 @02:52AM (#31580128)

    Yup

  • 3.6.2 is out. (Score:2, Informative)

    by Anonymous Coward
    3.6.2 is out. [mozilla.org]
  • by n6mod (17734) on Tuesday March 23, 2010 @02:56AM (#31580150) Homepage

    Firefox 3.6.2 was released earlier tonight: http://www.mozilla.com/en-US/firefox/3.6.2/releasenotes/ [mozilla.com]

  • by Statecraftsman (718862) * on Tuesday March 23, 2010 @02:58AM (#31580166) Homepage
    As soon as I read about this on /. I realized Firefox is downloading an update to 3.6.2. This is why free software is our best tool against malware. Reaction time can scale with importance. And (shameless free software plug alert) it's why I wrote what's in my sig.
    • by Anonymous Coward on Tuesday March 23, 2010 @03:09AM (#31580226)

      That is a really poor standard you have. I don't want software that patches exploits quickly, I want software that was correctly written and had no exploits to begin with.

      • by matria (157464)

        Thank you; I needed a good laugh!

      • by lattyware (934246)
        Right. Find me a group of programmers that can write an entire web browser without any flaws or exploits, while having all the features everyone wants. Yeah.
        • by Jurily (900488) <jurily.gmail@com> on Tuesday March 23, 2010 @04:59AM (#31580646)

          OpenBSD seems to do just fine, with a bigger codebase, written in C.

          Wanna guess what the difference is? They have security-obsessed people in charge.

          Nobody gets credit for fixing a bug. Instead, we celebrate the people who get a fix out fastest. We don't care about flammable buildings, but we watch the response time of the fire department like a hawk.

          • by TheLink (130905) on Tuesday March 23, 2010 @07:11AM (#31581334) Journal
            > OpenBSD seems to do just fine, with a bigger codebase, written in C.

            They just ship OpenBSD with most services disabled by default, and then claim it is safe by default.

            That's similar to Microsoft's shipping IE on their server O/S with most stuff disabled by default, and then claiming that IE is not vulnerable
            on their server O/Ses by default.

            Yes they are safe by default just like a car with its wheels, engine and battery "disabled" by default is safe from most carjackers.
      • by c-reus (852386)

        Go ahead and construct a formal verification for any browser currently available. Here's a starting point [wikipedia.org], let's see how far you'll get.

      • by Zontar The Mindless (9002) <plasticfish.info ... com minus author> on Tuesday March 23, 2010 @03:51AM (#31580372)

        I want software that was correctly written and had no exploits to begin with.

        And I want Anonymous Cowards to start making /. posts that are insightful, useful, and realistic.

        And WHERE'S MY PONY?!

      • by DNS-and-BIND (461968) on Tuesday March 23, 2010 @04:17AM (#31580456) Homepage
        A sad day on Slashdot when someone saying "programming correctly is the right response" and he's ridiculed by at least 4 replies and modded +3 Funny. What the hell happened to this place?
        • by chthon (580889) on Tuesday March 23, 2010 @04:26AM (#31580496) Homepage Journal

          They were probably all reactions from people who program for a living.

        • by selven (1556643) on Tuesday March 23, 2010 @05:54AM (#31580918)

          Because "don't set this place on fire" is not a fire escape plan. Bugs and vulnerabilities will happen either way, and you still need a plan for dealing with them.

        • Re: (Score:3, Insightful)

          by natehoy (1608657)

          No matter how clever you think you are, no matter how hard you work to prevent vulnerabilities, they will be in the release code in something as complex as a web browser (or an Operating System).

          "I want software that is written correctly and has no exploits" is an unrealistic expectation. It's like saying "I want my power tools to be built in such a way that they cannot possibly harm me"

          Most (certainly not all) software is built with very careful reviews, trying to figure out ways that black hats might exp

      • by Jaysyn (203771)

        And I want a pony.

      • by Aceticon (140883) on Tuesday March 23, 2010 @07:39AM (#31581502)

        Creating 100% secure software is like trying to prove an absolute statement (as in "All X have Y") - to prove it right, every single one of the subjects of your statement has to conform to it, while proving it wrong only takes one that does not.

        Or in more specific terms: no matter how good the team developing a piece of software is and how long they have to do it, all it takes is one of them making a single mistake and the result is not 100% secure.

        It's reasonable to expect that all first order mistakes (i.e. the blindingly obvious) are caught; it is however not reasonable to expect that higher-order mistakes (for example: "unexpected interactions with a different version of a certain library installed in the same system in the 64 bit version of the OS") are caught, especially those relating to external factors (which can change after the release is done).

        Also there are economic limits to the level of security in a piece of software: more specifically, time is money, getting only the top best professionals to do it is a lot of money and (surprise, surprise) people are not willing to pay the higher price that such a product would require to break even.

    • Re: (Score:3, Funny)

      by im_thatoneguy (819432)

      What the German government should do is release an open source application which switches your default browser.

      A team of German security experts would make a bi-weekly security assessment and then set the default browser for the period. ;)

      Of course this browser switcher would also be able to push patches as well. Automate their recommendations!

      • by umghhh (965931)
        I think you are right but your proposal misses one vital feature - this switcher should also fully automatically transfer all our account information to the tax man - that would save the government some millions usually charged for bank account info stolen from Swiss banks.
    • Better yet, free software authors (developers) aren't hiding anywhere. It would be hard to contact IE team but Mozilla developers can be reached easily, via mail or even IRC.

      Posting this warning while it is easy to figure/ask that 3.6.2 is OTW really requires some review by the German Govt. For example, did someone from that team have some dinner/lunch with some company executive lately?

    • by Zoidbot (1194453) on Tuesday March 23, 2010 @03:54AM (#31580382)

      You know it's taken over a month to fix this, right? The exploit was discovered 18-02-2010 according to Secunia.

      Opera takes less than a week usually (and the occurrence of exploits is less also).

      The argument that Open Source allows anyone to fix things and thus making patches quicker does not work, as clearly it also opens up your code for hackers to review looking for new exploits. I don't believe in security by obscurity, but the fact remains, Opera is closed source and the most secure (and fastest) web browser out there.

      • Re: (Score:2, Informative)

        by Anonymous Coward
        The guy who found the bug didn't give details to Mozilla promptly, he sold it in his security product to clients for a few weeks, then told Mozilla. Can't blame Mozilla for not fixing a bug they had 0 details on. Once they were given details they fixed it in a few days, not bad for fixing the bug, making a build, QA'ing and releasing it.
        • by Rockoon (1252108) on Tuesday March 23, 2010 @09:35AM (#31582612)
          While it's true that Mozilla got the fix out pretty fast once someone pointed right at it for them, it is often claimed that Open Source is more secure because there are thousands of eyes looking at the source code.

          None of those Mozilla-loving eyes found this bug, yet a researcher unaffiliated with Mozilla but certainly looking for exploits, found it. Now what about all the researchers looking for exploits in order to driveby firefox users.. that will just keep the damn thing a secret?

          Yeah.. they got the fix out fast. Bravo. Look at the real significance of these events, tho..

          ..exploit found
          ..went unpatched for a month
          ..only got patched because the person who discovered it pointed right at it.
      • by MrMista_B (891430)

        You know it takes a little while to bug test bug patches, right?

      • by Nemyst (1383049)
        [citation needed]

        In other words, one case does not a rule make. And your last line makes your entire post crumble because it's a totally unfounded claim (whether it is true is moot, it's just totally unrelated to the subject at hand and is backed up in no way).
    • by umghhh (965931)
      This is all very strange - on the BSI [bsi.bund.de] site (BSI is the German abbreviation of the Federal Office for IT Security) there is nothing about this; the BuergerCert [buerger-cert.de] site informs about a new upcoming release of Firefox that is going to fix an unspecified security problem. If you compare it with the IE warning from some time ago there is a difference - back then BSI issued a warning telling people not to use compromised software that is actively used for attacks, and here you have a warning based on information about a new release.
  • by Seth Kriticos (1227934) on Tuesday March 23, 2010 @03:03AM (#31580188)

    The vulnerability *only* affects the current 3.6 branch. Patch is complete and will be pushed on the 30th of March.

    Here is the Mozilla blog entry on the topic:
    http://blog.mozilla.com/security/2010/03/18/update-on-secunia-advisory-sa38608 [mozilla.com]

    Here is the original bug report:
    http://secunia.com/advisories/38608 [secunia.com]

    Ps: can we please get security related articles with some content instead of *OMG, we are all going to die!!* ??

    • Re: (Score:3, Insightful)

      by n6mod (17734)

      Seth, scroll up one post in the blog. 3.6.2 was released tonight.

    • Ps: can we please get security related articles with some content instead of *OMG, we are all going to die!!* ??

      But we are all going to die! Every single one of us. At some point. ^^

    • by julesh (229690)

      The vulnerability *only* affects the current 3.6 branch

      Although note that other vulnerabilities with exploits in the wild and being actively used affect the 3.5 branch. I've had malware installed on my machine by drive-by redirects in advertising on otherwise trustworthy sites (TPB, for instance). If you're on 3.5, upgrade now.

  • This just in (Score:3, Insightful)

    by Rijnzael (1294596) on Tuesday March 23, 2010 @03:04AM (#31580200)
    German government warns against use of the internet and software that has bugs.

    Software is inevitably going to have bugs in it and try as we might, it's something we'll always have to deal with. There are always mitigation strategies, such as running Firefox in a virtualized environment a la Sandboxie [sandboxie.com] or a full virtual machine, but we'll never be privy to using only bug-free software day to day. I'm glad to see the German government taking an active approach to notifying people in regard to vulnerabilities in an attempt to mitigate them, but as TFA states, what's the point in suggesting users quit using Firefox when the alternatives are potentially just as vulnerable?
    • by mlts (1038732) *

      Sometimes I wonder if application virtualization like Sandboxie should be part of the OS. Not just Windows, but on UNIX as well. With ZFS, this is easier because a directory can be rolled back fairly easy due to the snapshot functionality.

      Another cool idea is how Thinstall (well, now called VMWare ThinApp) packages apps. The app thinks it has admin rights and can happily doodle around the Registry and the filesystem, but in reality, all it does is just modify stuff stored in \users\blarf\appdata\roaming\

      • by rawler (1005089)

        Only if that app does not have to communicate in any way with the rest of the system. What people encouraging virtualization tend to forget is that a multi-tasking OS already has means of protection. The memory an application sees is virtual, and the access to the rest of the system often enforces a security model.

        Still, however, the user has little use for isolated applications that cannot talk to others. A modern web-browser more or less requires other apps to be of any use, such as flash, a pdf viewer,

      • Actually, OS X supports application virtualization.

        http://www.macosxhints.com/article.php?story=20100318044558156 [macosxhints.com]

    • In other news: (Or in Soviet Russia...)
      Internet warns against German government and leaders with narrow mustaches. ;)

  • Bah (Score:4, Insightful)

    by tsotha (720379) on Tuesday March 23, 2010 @03:05AM (#31580206)
    The take-away from this is Germans are never happy.
    • Re:Bah (Score:4, Insightful)

      by beh (4759) * on Tuesday March 23, 2010 @03:20AM (#31580276)

      So, what would you rather have?

      That they warn you about vulnerabilities in IE6, but ignore vulnerabilities in open source browsers?

      I think they've done the right thing - there was a security hole (in the 'current' 3.6), and they warned about it. Their warning DID include that it affected the 'current' 3.6 version and that it should be fixed in 3.6.2.

      That's fair comment, and it's their job to report it and not lull people into a false sense of security that the (then current 3.6) version of firefox was safe.

      If they had NOT warned, it might have damaged their reputation for NOT covering it, and it might also have helped MS lobbying efforts if they could have been shown to be biased by reporting on IE issues, but not Firefox ones...

      • by hackel (10452)

        If they had contacted the Mozilla team they could have announced that the update was due out TODAY and advised users to upgrade, instead of advising them not to use it.

        This is just irresponsible fear-mongering, and I think it is highly likely that it was done as a form of retaliation against the previous IE recommendation.

        • by beh (4759) *

          mod parent TROLL...

          Have you looked at the BSI page and linked mozilla blog page?

          The mozilla blog entry was dated March 18th (giving March 30th as the release date for 3.6.2). The BSI advisory was dated March 19th (4 days before the story broke on slashdot; and 4 days before the actual release of 3.6.2).

          So, you're saying, it was retaliation by BSI against Firefox, for publishing a release date the firefox crew themselves published the day before?

          On March 19th - with the projected release date 11 days away,

          • Re: (Score:3, Insightful)

            by Dr. Evil (3501)

            The difference is that Firefox has vulnerabilities like any normal application... Internet Explorer on the other hand has been the forefront infection vector for botnets of hundreds of thousands of machines for the past decade.

  • by AmiMoJo (196126) <mojo@@@world3...net> on Tuesday March 23, 2010 @03:07AM (#31580220) Homepage

    The German government seems to be being quite responsible here. There is an issue with Firefox, and most users probably don't know about it because they don't regularly read tech news sites.

    The government is simply trying to keep people informed about this rather important topic, and has done so in a reasonable and proportional way. Not every warning put out is a damning condemnation of flawed security that mandates switching to Lynx you know.

    • The German government seems to be being quite responsible here. There is an issue with Firefox, and most users probably don't know about it because they don't regularly read tech news sites.

      No, it's an attempted government takeover of the IT sector. Do you really want a government bureaucrat telling you what you can or can't do, what sites you can visit, or what browser you should use? I say let the free market decide. This country was founded on the ideas of personal responsibility, freedom and liberty,

      • by Sique (173459)

        As far as I can see, the BSI didn't release a new EU DIN which required "any browser except Firefox 3.6 until Firefox 3.6.2".
        So where do you see a bureaucrat telling you what you have to do?

        It works completely differently. If an organisation gets into IT trouble in the near future and the root cause can be determined to be the usage of a pre-3.6.2 release of Firefox 3.6, it can't claim "act of God", because they have been warned.

        That's the whole purpose of the warning.

    • Re: (Score:2, Informative)

      by mysidia (191772)

      Yeah... that's actually encouraging, it means they are actually providing meaningful distinctive advice/suggestions, and not merely copying and pasting vendor vulnerability lists and activating pretty 'alert level' colors...

      not like the US government, who yanked up what used to be the wonderful somewhat independent [but gov sponsored] organization called 'CERT', absorbed them into the department of homeland security, and turned them into US-CERT a mere vacant shadow of their former selves, just another clea

    • by jaraxle (1707)

      Note as well that the headline of this writeup appears to be misleading. I read the article and nowhere does it say the German government is actually warning AGAINST using Firefox, they are simply warning the public of a security issue in the browser.

      Specifically, the article states that the government is also warning people against switching browsers "willy nilly" every time a security hole is found because you never know what you'll be getting into. They're saying to be cautious if you're using Firefox

    • The BSI is not the government. It is a federal agency. BSI = Bundesamt für Sicherheit in der Informationstechnik (engl. Federal Agency for safety and security in Information Technology). They are more something like CERT. Even though the US government thinks the BSI is some sort of NSA, because the NSA also does security in information technology (e.g. SELinux). However, the BSI does not spy on people. This is done by another agency. And the BSI is as much the government as the police or judges are.
  • Well, the Germans, by releasing this warning about the same time the expected Firefox update came out, only prove that their earlier recommendation for choosing Firefox was the right one.
  • First (Score:5, Funny)

    by Beelzebud (1361137) on Tuesday March 23, 2010 @03:16AM (#31580262)
    First they came for IE, and I didn't speak up because I didn't use IE.

    Then they came for Firefox, and I didn't speak up because I didn't use Firefox.
  • * against the use of Opera!
    * against the use of Chrome!
    * against the use of internets!

  • Surely anyone who is concerned about this vulnerability could simply run one of the nightly builds until the official update is released?

  • The article says:

    It is only the current version that is affected, but given that prior releases have different vulnerabilities, reverting to an older version of the browser is ill-advised.

    However, the older releases page [mozilla.com] states that 3.5 will receive security updates until August 2010.

    So, since 3.5 was not affected by this specific vulnerability, what vulnerabilities are unpatched in the current 3.5 release (3.5.8)?

    If the Beeb or the German government knows something Firefox doesn't know, maybe they should tell us so that people still using/shipping (in the case of most linux distros) 3.5 can upgrade to 3.6? Or, if they *don't* know better, maybe they should stick to fact and

    • by sowth (748135) *

      This is what I was wondering, however the firefox site does point to the experimental 3.6 version last time I checked. When I upgraded to 3.5.8, I had to find the ftp site to download it. WTF? I know they want testers, but seriously, that is crap.

      The mozilla project isn't so immature they need lots of people testing their new experimental code. I could see them putting a note on the main page saying "Hey, some of you try out our experimental version 3.6, it has new wiz bang technologies! (not ready for pr

    • by Spad (470073)

      Because reverting to older versions increases the chances of accidentally getting part of, say the 3.5.x branch, that isn't 3.5.8 and does have unpatched vulnerabilities. Remember that we're not really talking about /. users here - we already know about the current vulns, patches, workarounds and alternatives - but "regular" users of Firefox who are used to just clicking on the "Firefox x.x Free Download" link on the getfirefox.com frontpage.

  • If I'm reading this correctly, the vulnerability is in WOFF fonts (what is a WOFF font?) and possibly allows some heap corruption. How do these various "exploits" actually get the Firefox code to execute out of the heap? I.e. one presumably has to either scribble on some known call-back function address in the heap, or somehow scribble on the stack (so Firefox/Seamonkey functions return to the exploit code in the heap) and isn't the data in the heap non-executable (at least under Linux)? I would expect t
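The defender's counterpart to the question above is to check that the non-executable heap and stack the poster is counting on are actually in force. The following is an added example, not code from the thread, from Mozilla or from any browser: it parses the Linux `/proc/<pid>/maps` format, reports any mapping that is both writable and executable (the kind of region that lets corrupted heap data be run as code), and can audit the running interpreter itself. The sample `maps` text is constructed for the example; its anonymous `rwxp` line is a made-up illustration of what a W^X violation looks like, not a real Firefox mapping.

```python
"""Audit process memory mappings for writable-and-executable (W^X) regions.

Added example, not part of the original discussion. Parses the Linux
/proc/<pid>/maps line format:
    start-end perms offset dev inode [path]
and flags every mapping whose permissions include both 'w' and 'x'.
With NX/DEP enforced, [heap] and [stack] should read "rw-p", never "rwxp".
"""
import os
import re
from dataclasses import dataclass
from typing import List, Optional

# One /proc/<pid>/maps line; the path column is optional (anonymous mappings).
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+"
    r"(?P<perms>[rwxps-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+"
    r"(?P<dev>[0-9a-f]+:[0-9a-f]+)\s+"
    r"(?P<inode>\d+)\s*"
    r"(?P<path>.*)$"
)

# Constructed sample (not captured from any real browser process). The
# anonymous "rwxp" region is deliberately included as the thing to catch.
SAMPLE_MAPS = """\
00400000-004b0000 r-xp 00000000 08:01 1313 /usr/bin/example
006af000-006b2000 rw-p 000af000 08:01 1313 /usr/bin/example
01e00000-01e21000 rw-p 00000000 00:00 0 [heap]
7f3c0a000000-7f3c0a021000 rwxp 00000000 00:00 0
7ffd2d1f0000-7ffd2d211000 rw-p 00000000 00:00 0 [stack]
"""


@dataclass
class Mapping:
    start: int
    end: int
    perms: str
    path: str

    @property
    def writable(self) -> bool:
        return "w" in self.perms

    @property
    def executable(self) -> bool:
        return "x" in self.perms

    @property
    def wx(self) -> bool:
        """True when the region violates W^X (writable and executable)."""
        return self.writable and self.executable


def parse_maps(text: str) -> List[Mapping]:
    """Parse maps-format text into Mapping records; reject malformed lines."""
    mappings: List[Mapping] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MAPS_LINE.match(line)
        if m is None:
            raise ValueError(f"unrecognised maps line: {line!r}")
        mappings.append(Mapping(int(m["start"], 16), int(m["end"], 16),
                                m["perms"], m["path"].strip()))
    return mappings


def wx_regions(mappings: List[Mapping]) -> List[Mapping]:
    """Return every mapping that is both writable and executable."""
    return [m for m in mappings if m.wx]


def region_perms(mappings: List[Mapping], name: str) -> Optional[str]:
    """Permission string of the first mapping with the given path, e.g. '[heap]'."""
    for m in mappings:
        if m.path == name:
            return m.perms
    return None


def live_wx_regions(path: str = "/proc/self/maps") -> Optional[List[Mapping]]:
    """Audit the running process itself; None when /proc is unavailable."""
    if not os.path.exists(path):
        return None
    with open(path, "r", encoding="utf-8") as fh:
        return wx_regions(parse_maps(fh.read()))


if __name__ == "__main__":
    regs = parse_maps(SAMPLE_MAPS)
    print("heap perms :", region_perms(regs, "[heap]"))
    print("stack perms:", region_perms(regs, "[stack]"))
    for bad in wx_regions(regs):
        print(f"W^X violation: {bad.start:#x}-{bad.end:#x} {bad.perms} {bad.path or '(anonymous)'}")
    live = live_wx_regions()
    print("this interpreter:", "no rwx mappings" if live == [] else live)
```

On the constructed sample the heap and stack come back `rw-p` and the single anonymous `rwxp` region is reported; run against a real process the same check tells you whether a JIT or a misconfigured loader has handed an attacker a writable page that is also executable, which is the precondition the poster is asking about.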

  • Mozilla clearly have no idea about....... ....wait a minute....it's not a Microsoft product we're talking about?!

    THIS IS SUCH A NON ISSUE! The German government are clearly over-reacting here.

  • This is a general warning not to use any software that has known and/or unknown bugs in it. This warning becomes moot when every known and/or unknown issue is solved.

  • ...unchecking "Allow pages to choose their own fonts" block this?

    (Or "Stop using Microsoft Windows", but I won't mention that.)

  • Is there a link to a working exploit ?
  • by ukemike (956477) on Tuesday March 23, 2010 @10:04AM (#31583054) Homepage
    Germany warns against using internet.
