Firefox Was the Most Attacked & Exploited Browser At Pwn2own 2014 207
darthcamaro writes "Though IE, Chrome and Safari were all attacked and all were exploited, no single web browser was exploited at this year's Pwn2own hacking challenge as Mozilla Firefox. A fully patched version of Firefox was exploited four different times by attackers, each revealing new zero-day vulnerabilities in the open-source web browser. When asked why Mozilla was attacked so much this year, Sid Stamm, senior engineering manager of security and privacy said, 'Pwn2Own offers very large financial incentives to researchers to expose vulnerabilities, and that may have contributed in part to the researchers' decision to wait until now to share their work and help protect Firefox users.' The Pwn2own event paid researchers $50,000 for each Firefox vulnerability. Mozilla now pays researcher only $3,000 per vulnerability."
Re:Yeah, but it's fast and it's not bloated (Score:5, Interesting)
Re:Firefox is the most unstable program in common (Score:3, Interesting)
Just saying, I use Firefox as my primary browser. It last crashed.....I can't remember when. Is it maybe possible there's something wrong with your computer?
I use it because IE...though I don't have anything specifically against the new versions, I just don't like it. Chrome, beyond not trusting it being a google product (I assume it logs every keystroke, it wouldn't be out of character for them, though I will grant they probably don't log password fields, but all others...), is there honestly a more bloated browser out there? Firefox right now has 19 tabs open for me, using 950 megs of RAM (a bunch of those tabs have plugins running such as PDF viewers or video viewers). Chrome, 3 tabs, using a grand total of a bit over 500 megs of RAM (hard to say exactly how much since I don't want to pull out a calculator and add together the I believe 8 different processes), and all just displaying simple web pages.
No lowrights mode (not surprised) (Score:5, Interesting)
Both Chrome and IE (yes slashdotters I did say IE) support lowrights mode.
This means it has no access to the file system at all, no access to processes or threads and %appdata is its prison ... assuming you are on Windows 7 or greater on Windows. XP users will get hacked regardless of browser because the OS does not support kernel level sandboxing.
I left Firefox for IE 9 in 2011 after it won rewards on tomshardware.com. Then switched to Chrome. Firefox like Netscape before it is a sad shell of its former self. I do admit the later firefox releases are much more lenient on ram usage and have improved drastically.
But I have an older Phenom II x6. Nice 6 core with virtualization support for VMWare .. but it is 2.6 ghz and is showing its age at only 2.6 ghz. My machine needs multi processing/threading apps to run close to modern and they provide greater security. One tab does not interfere with another and can be assigned for each core.
To prevent my fan from going high and causing high usage both IE 10+ and Chrome utilize my system fine and still display pages as fast as those reading this on an icore5 or later. But Firefox puts +20 tabs on one cpu with no lowrights mode and as you can image when firebug is on it slows down all the tabs and it is a security risk.
Like netscape it was the lack of funding that killed it agaisn't IE 6 onslaught. I wonder if the same is true? I used Netscape 4.7 before succumbing to IE 6 and then Firefox 1.5 to IE 9 and later Chrome today.
Re:Not so many options (Score:4, Interesting)
I left firefox after 4.0 debuncle. Yes it was the first release to really support HTML 5 but it was freaking HORRIBLE. Bad UI, sloooow, and on older hardware it was unusable. IE 9 won rewards on tomshardware.com which was released march 2011. I held my nose and gave it a try. It supported hardware acceleration, html5 (I admit it was more limited at the time), and was great on my 6 core system as it has per process tab. Since 2001 it ran circles on gecko web engines??!
Many slashdotters said ewww no thanks based on IE 6 memories.
I then played with Chrome. Yes it is spyware somewhat but it too has important features and has less hardware acceleration but it is more secure and frankly a much better browser than Firefox.
My father got hacked with Firefox. It is a shitty browser with no lowrights mode. It is frome the XP era and has no concept of %appdate and uses the filesystem and has access rights to some processes and threads. Bad security wise but that is what XP era software did.
Chrome and IE 9+ have separate code bases for this with XP vs Windows 7 and greater with sandbox support. Many here use Comodo Dragon which is based off of Chrome but has no privacy issues. However, be warned it based off the previous version of Chromium with some security holes.
Switch my friend!
Until Firefox goes to a processing model and supports lowrights mode I will not go back. This may change hopefully as Firefox is improving with performance and ram requirements since 2011 but on a 6 core system it is stupid not to multitask!
How many were DNS baed issues? (Score:2, Interesting)
The tendency of Firefox to preserve its own DNS cach means I cannot use it when hopping from VPN to VPN with split DNS running. unless I configure and install my _own_ local DNS server to auto-reconfigure every time I activate a VPN. I'm afraid it's become unusable for me for real work and testing when switching from internal to external website access as I debug network and configuration issues: it's the only browser that fails this way.
Re:God (Score:2, Interesting)
Software freedom > "fast" and "not bloated" (Score:4, Interesting)
At least Firefox can be altered to become what you want it to be because Firefox respect's a users software freedom. Far more important than vagaries like "fast" and "not bloated" is how a program treats its users. Proprietary browsers leave users no opportunity for improving the program. Thus security issues in proprietary programs go unfixed and are exploited for years. This, in turn, allows others to invade people's computers and leaves users helpless. This is exactly what happened with Apple's iTunes for over 3 years [telegraph.co.uk]. I would not be surprised to learn that software proprietors including Microsoft, Google, and Apple are doing similar things with proprietary web browser programs as well.
So while I like trustworthy programs like other computer users, I know that I can't ascertain the trustworthiness of proprietary programs like Microsoft's Internet Explorer, Apple's Safari, and Google's Chrome. The extent to which any of them are built from software that respects my software freedom is irrelevant because proprietary programs and their updates are essentially black boxes. I can't possibly inspect or fix all of the software I use, but I can put myself in a position where I stand to benefit from the improvements a lot of programmers make by exclusively running software that respects my freedom to run, inspect, share, and modify—free software [gnu.org]—freedoms I value in their own right.