[HN Gopher] Mozilla patches two use-after-free vulnerabilities (...
___________________________________________________________________
Mozilla patches two use-after-free vulnerabilities (ab)used in the
wild
Author : caaqil
Score : 82 points
Date : 2022-03-05 19:12 UTC (3 hours ago)
(HTM) web link (www.mozilla.org)
(TXT) w3m dump (www.mozilla.org)
| abhaynayar wrote:
| I use Firefox on Ubuntu and Android. I love Firefox more than
| Chromium-based browsers. But security is the one thing that makes
| me think of switching.
|
| Two minor things that prevent me from switching to Chromium-based
| browsers:
|
| 1. There is no addon functionality on Android for Chromium-based
| browsers. For example, I can add the uBlock addon on Firefox for
| Android but not Chrome for Android.
|
| 2. There is no option to place the address bar at the bottom of
| the screen for one-handed usage, as in Firefox Android.
| classichasclass wrote:
| Why would this make you think Firefox is less secure? They've
| publicly disclosed they've fixed an issue. That's what you
| _want_.
| abhaynayar wrote:
| I didn't say that this specific link made me think Firefox is
| less secure. Advisories are great and everyone should do
| them.
|
| But as someone in the security community (not browsers), I've
| heard Chrome is a much harder target.
|
| Would love for someone actually aware of the browser security
| scene to let me know if otherwise.
| saagarjha wrote:
| They have a larger and better funded security team, but
| Chrome is also a large target and gets exploited all the
| time as a result.
| hannob wrote:
| I'm not sure there's that much difference in browser security.
| There were tiny nits where Chrome was somewhat stricter that I
| was aware of (e.g. handling of nosniff header), but most of
| that has been fixed at some point. Mozilla was somewhat slower
| with some security improvements like site isolation, but
| eventually catched up.
|
| Memory safety is a general problem, but all browsers have it.
| "We urgently fixed this use after free bug because we've seen
| exploits in the wild" is something you can read about Chrome
| every now and then as well. It's not good, but noone has a
| solution for that right now. With Rust Mozilla is at least
| working on getting a handle on that.
| concinds wrote:
| This is slightly outdated now, but here's the GrapheneOS
| explanation for why they don't recommend Firefox, and why
| they bundle Chromium-based forks instead.
|
| https://grapheneos.org/usage#web-browsing
|
| It's basically universally agreed among security people that
| Firefox is less secure than Chrome. It's up to you to decide
| is it's likely Mozilla's caught up in the (year?) since this
| was written,. Or if they'll ever be able to catch up, with
| their current funding, compensation packages, the size of
| their workforce (750 employees?), their hiring attractiveness
| to top security researchers, and their management priorities.
| upofadown wrote:
| That seems to be quite focused on the situation with
| Firefox on the Android/Graphene environment.
|
| >It's basically universally agreed among security people
| that Firefox is less secure than Chrome.
|
| A reference would be nice here...
| tgsovlerkhgsel wrote:
| Related: Mozilla fired parts of their security team (though
| likely not the people directly responsible for securing the
| browser) - https://news.ycombinator.com/item?id=24128865
|
| Quote from one of the tweets confirming it: "They killed
| entire threat management team. Mozilla is now without
| detection and incident response."
| stranded22 wrote:
| [deleted]
| mvkg wrote:
| I have found brave to be a decent chromium-based browser for
| android if the only addon needed is for ad blocking. It has a
| bottom toolbar provides a similar experience to the firefox
| bottom address bar.
| tragictrash wrote:
| I 2nd this
| qumpis wrote:
| To me, not having an integrated translator in android Firefox
| is a deal-breaker
| abhaynayar wrote:
| Oh yeah, this was a huge annoyance when I was in another
| country.
| uneekname wrote:
| I agree with you entirely. My third reason to stick with
| Firefox is to vote with my feet regarding browser engine
| diversity.
| moonchrome wrote:
| This keeps getting repeated and I still haven't heard a
| convincing argument on why that's a good thing.
| Chromium/Blink is opensource, has two megacorp contributors
| (Microsoft and Google) - it's a far cry from MS IE monopoly.
| Plus Apple has WebKit.
|
| Firefox just adds incompatibility to the mix of things you
| have to support, frankly I'd switch to Firefox if they
| decided to build it on top of Chromium.
|
| When they were actively working on Servo and had devtools
| team I could see the potential, but after they sacked those -
| what's the point ? Market share is shrinking so compatibility
| is going to get worse, devtools are worse,
| performance/stability is worse in my experience.
| wizzwizz4 wrote:
| When Google wants a feature implemented in Chromium, it
| gets implemented, pretty much regardless of how buggy it
| is. When I want a feature implemented and Google wants it
| not implemented... tough luck.
| eternityforest wrote:
| When Google invents a feature I want, Mozilla writes a
| position statement on how it's evil and never implements
| it.
|
| It's hard to get behind engine diversity when Mozilla is
| trying to take the web in a direction I don't really
| want.
|
| Meanwhile Brave does the same thing, but with
| Cryptocurrency.
|
| I wish we had an open source clone of Vivaldi.
| bkberry352 wrote:
| What features are you referring to?
| extra88 wrote:
| FLoC may be one that could be characterized as "evil." I
| mainly think about APIs that extend beyond the browser,
| like USB or Bluetooth, that Firefox won't do for security
| reasons.
| moonchrome wrote:
| Is that different with Firefox? I haven't been paying
| attention in a while now but I constantly read complaints
| about UI changes - and Firefox has it's share of
| experimental features that ended up being exploited or
| abuse (asm.js comes to mind).
| wizzwizz4 wrote:
| It's _not_ much different with Firefox, no. I was making
| a point that browser monopolies are bad; the fact we only
| have three real browser engines (two of which are based
| on Konqueror) is a problem.
|
| But at least Mozilla do a basic back-of-the-envelope "is
| this feature a huge security vulnerability" check before
| shipping. (Looking at you, <portal>.)
| classichasclass wrote:
| How much does Microsoft actually contribute to Blink's core
| _really_? The benefit for Microsoft of Chromium Edge is
| they get to outsource development. Their interest is in
| making it run well, and so far they 've largely left the
| web features to Google. If Firefox became a Chromium fork
| they'd be just another junior partner in name only; Google
| would still be running the show on policy. In fact,
| possibly worse, because of their poor negotiating position.
|
| WebKit only matters because of iOS, and Blink and WebKit
| still share a lot of DNA. It's not a credible competitor
| otherwise.
|
| I do agree killing Servo was a shortsighted move, but,
| speaking as a long-time Mozilla community member, that's
| hardly the only shortsighted move MoCo has ever made (see
| also: dumping embedding for Fx4).
| dijonman2 wrote:
| Mozilla laid off the bulk of their security team, there will be
| a natural decline in security over time.
| tgv wrote:
| Do you really think Chrome is safer than Firefox?
| abhaynayar wrote:
| Anecdotally, yes. Would be great to get information on the
| contrary.
| Georgelemental wrote:
| Kiwi Browser (https://kiwibrowser.com/) is a FOSS Chromium for
| Android derivative that supports Chrome extensions.
| jwilk wrote:
| Is there a way to disable XSLT in Firefox?
___________________________________________________________________
(page generated 2022-03-05 23:01 UTC)