Tuesday, October 03, 2006

Firefox exploit hoax...

The widely reported 'zero day attack' on Firefox has been reported as a hoax (WaPost)

I am not at all surprised; people who report bugs to the media rather than to the software providers are suspect in my opinion. The days of 'full disclosure' should be behind us. It is not necessary to tell the bad guys how to exploit a vulnerability to get it fixed. Limited disclosure, where the vulnerability is disclosed to major customers of the vendor, is just as effective in putting pressure on the vendor to issue a patch, but it avoids making it easy for a hacker to turn the vulnerability into an exploit.

Some people are already reading into the debunking of this particular attack confirmation of their prejudice that open source code is automatically safe. Unfortunately the mere fact of publishing 4 MB of source code does little to make it safe. Only expert review improves the security of code, and that is rather harder to achieve.

The relative resilience of Mozilla owes rather less to being open source than it does to the software architecture, in particular the use of safety-checked string handling routines rather than the notoriously buggy and buffer-overrun-prone UNIX string handling routines (strcpy, strcat, sprintf and friends, which take no length for the destination). C# and Java represent a further step forward: managed code makes it even easier to avoid buffer overruns, because the runtime checks every array and string bound rather than relying on the programmer to do so.
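To make the contrast concrete, here is an added example (mine, not code from the post or from Mozilla) showing the classic unchecked UNIX idiom beside a small length-tracked string type in the spirit of the safety-checked routines the post credits. The `sstr` type and the `safe_greeting` / `unsafe_greeting` functions are hypothetical names chosen for illustration; they are not Mozilla's string API.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* The classic UNIX idiom. strcpy/strcat are never told how large dst is,
 * so when name is longer than the room left in dst the write runs off the
 * end of the buffer (a buffer overrun). Shown for contrast only; do not
 * call it with untrusted or unbounded input. */
void unsafe_greeting(char *dst, const char *name)
{
    strcpy(dst, "Hello, ");   /* assumes dst is big enough */
    strcat(dst, name);        /* overruns dst when name is long */
}

/* A length-tracked string: it carries its own capacity, so every
 * operation can check the bound before writing. Hypothetical type,
 * loosely modelled on the idea of a bounds-checked string class. */
typedef struct {
    char   *data;   /* always NUL-terminated */
    size_t  len;    /* bytes in use, excluding the NUL */
    size_t  cap;    /* total bytes available, including the NUL */
} sstr;

static void sstr_init(sstr *s, char *storage, size_t cap)
{
    s->data = storage;
    s->len = 0;
    s->cap = cap;
    if (cap)
        s->data[0] = '\0';
}

/* Append src only if all of it fits; otherwise leave s untouched and
 * report failure. Never writes past data[cap - 1]. */
static bool sstr_append(sstr *s, const char *src)
{
    size_t n = strlen(src);
    if (s->cap == 0 || n > s->cap - 1 - s->len)
        return false;
    memcpy(s->data + s->len, src, n);
    s->len += n;
    s->data[s->len] = '\0';
    return true;
}

/* Build the same greeting, but refuse instead of overrunning.
 * Returns the length of the result, or -1 (with dst emptied) if the
 * greeting would not fit in cap bytes. */
int safe_greeting(char *dst, size_t cap, const char *name)
{
    sstr s;
    sstr_init(&s, dst, cap);
    if (!sstr_append(&s, "Hello, ") || !sstr_append(&s, name)) {
        if (cap)
            dst[0] = '\0';
        return -1;
    }
    return (int)s.len;
}

int main(void)
{
    char buf[16];                               /* deliberately small */
    const char *short_name = "Bob";             /* constructed input */
    const char *long_name  = "a deliberately overlong user name";

    printf("safe, short : %d \"%s\"\n", safe_greeting(buf, sizeof buf, short_name), buf);
    printf("safe, long  : %d \"%s\"\n", safe_greeting(buf, sizeof buf, long_name), buf);

    /* Only safe with a name that fits; with long_name this would
     * overrun buf, which is exactly the bug class the post describes. */
    unsafe_greeting(buf, short_name);
    printf("unsafe, short: \"%s\"\n", buf);
    return 0;
}
```

Two practical caveats: pass the real buffer size (`sizeof buf`, not a literal that can drift out of sync with the declaration), and remember that a bounded routine that silently truncates instead of failing (as `strncpy` does, without even guaranteeing a terminator) trades an overrun for a different bug, such as a truncated path or hostname; failing loudly, as `sstr_append` does, is usually the safer default.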

But even the most resilient code will do little to eliminate the biggest security problem in the system: the user. We still need to solve the problem of designing security interfaces that people can use.
