Dogfood report: Firefox autoupdate works

Mike Hearn mike at plan99.net
Wed May 3 15:05:59 CDT 2006


On 5/3/06, Marcus Meissner <marcus at jet.franken.de> wrote:
> Number of konqueror affecting security problems in the last 2 years
> (by CVE entry): ca 10.
> Number of firefox security problems in the last 2 years
> (by CVE entry): ca 100.
>
> (Just go to http://cve.mitre.org/cve/ and look for yourself.)

I wonder how much of that is due to the differences in popularity vs
the differences in engineering? (a disturbing number of Firefox
exploits are based on its platform features like XUL/XBL). Konq just
isn't as interesting a target for security "researchers".

Safari has quite a lot of exploits available for it too, and it's based
on KHTML...

> One reason I hate Firefox.

I've just come to accept that web browsers are exploit-zones all round
- their entire purpose in life is to download and manipulate extremely
complex data structures and code from the net at high speeds. Pretty
much a textbook case of where you'd expect to find security problems.

My dissertation is on splitting software into modules using a fast
form of local RPC so they can be confined using AppArmor/SELinux. The
idea is you could try and split things like the renderer out of a
web browser so it runs with no privileges (except perhaps minimal X
server access). The architecture of Firefox, where the entire program
basically runs inside the rendering engine, makes that rather tricky,
but the same principles apply to things like image decoders.

thanks -mike
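As an added illustration of the "split the decoder out and confine it" idea in the message above (example code written for this page; it is not from Mike Hearn's dissertation, Wine, Firefox or Konqueror): a parent process hands untrusted bytes to a forked child over a pipe, the child locks itself down before parsing, and a crash inside the parser only loses that one decode instead of the whole program. The toy image format, the input bytes, the MAX_INPUT cap, and the use of abort() to stand in for a parser bug are all constructed for this example; rlimits stand in for the AppArmor/SELinux profile a real deployment would attach to the child.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

#define MAX_INPUT (1u << 16)  /* cap on what the child will accept (assumption) */

enum outcome { DECODE_OK = 0, DECODE_CRASHED = 1, DECODE_FAILED = 2 };

/* Toy image format constructed for this example: width byte, height byte,
 * then width*height pixel bytes. Returns the pixel sum. Malformed input
 * hits abort(), standing in for the kind of parser bug that would take a
 * monolithic browser down with it. */
static long decode_untrusted(const uint8_t *buf, size_t len) {
    if (len < 2) abort();
    size_t w = buf[0], h = buf[1];
    if (len != 2 + w * h) abort();
    long sum = 0;
    for (size_t i = 0; i < w * h; i++) sum += buf[2 + i];
    return sum;
}

/* Read exactly n bytes (or until EOF); returns bytes read, -1 on error. */
static ssize_t read_full(int fd, void *buf, size_t n) {
    size_t got = 0;
    while (got < n) {
        ssize_t r = read(fd, (char *)buf + got, n - got);
        if (r < 0) { if (errno == EINTR) continue; return -1; }
        if (r == 0) break;
        got += (size_t)r;
    }
    return (ssize_t)got;
}

/* Write exactly n bytes; returns 0 on success, -1 on error. */
static int write_full(int fd, const void *buf, size_t n) {
    size_t done = 0;
    while (done < n) {
        ssize_t w = write(fd, (const char *)buf + done, n - done);
        if (w < 0) { if (errno == EINTR) continue; return -1; }
        done += (size_t)w;
    }
    return 0;
}

/* Confinement the child applies before touching untrusted bytes: no new
 * processes, no file creation, no stdin. A real deployment would attach an
 * AppArmor/SELinux profile (or a seccomp filter) here; rlimits are the
 * portable stand-in used in this example. */
static void confine_self(void) {
    struct rlimit zero = { 0, 0 };
    setrlimit(RLIMIT_NPROC, &zero);
    setrlimit(RLIMIT_FSIZE, &zero);
    close(STDIN_FILENO);
}

/* Run decode_untrusted() on buf in a forked, confined child. On success the
 * pixel sum is stored in *result. A crash in the child is reported as
 * DECODE_CRASHED instead of killing the caller. Input is small enough to fit
 * the pipe buffer, so the parent writes everything before reading back. */
enum outcome sandboxed_decode(const uint8_t *buf, uint32_t len, long *result) {
    int to_child[2], from_child[2];
    if (len > MAX_INPUT) return DECODE_FAILED;
    if (pipe(to_child) < 0 || pipe(from_child) < 0) return DECODE_FAILED;
    pid_t pid = fork();
    if (pid < 0) return DECODE_FAILED;
    if (pid == 0) {                       /* child: the untrusted parser */
        close(to_child[1]); close(from_child[0]);
        confine_self();
        uint32_t n;
        if (read_full(to_child[0], &n, sizeof n) != (ssize_t)sizeof n || n > MAX_INPUT) _exit(2);
        uint8_t *in = malloc(n ? n : 1);
        if (!in || read_full(to_child[0], in, n) != (ssize_t)n) _exit(2);
        long sum = decode_untrusted(in, n);  /* may abort(): only this process dies */
        write_full(from_child[1], &sum, sizeof sum);
        _exit(0);
    }
    close(to_child[0]); close(from_child[1]);          /* parent: the trusted side */
    write_full(to_child[1], &len, sizeof len);
    write_full(to_child[1], buf, len);
    close(to_child[1]);
    long sum = 0;
    ssize_t got = read_full(from_child[0], &sum, sizeof sum);
    close(from_child[0]);
    int status = 0;
    while (waitpid(pid, &status, 0) < 0 && errno == EINTR) {}
    if (WIFSIGNALED(status)) return DECODE_CRASHED;
    if (!WIFEXITED(status) || WEXITSTATUS(status) != 0 || got != (ssize_t)sizeof sum) return DECODE_FAILED;
    *result = sum;
    return DECODE_OK;
}

/* Constructed inputs: a well-formed 2x2 image, and a header claiming 200x200
 * pixels with only one byte of payload. */
long demo_valid_image(void) {
    static const uint8_t good[] = { 2, 2, 10, 20, 30, 40 };
    long sum = -1;
    return sandboxed_decode(good, sizeof good, &sum) == DECODE_OK ? sum : -1;
}

int demo_malformed_image(void) {
    static const uint8_t bad[] = { 200, 200, 1 };
    long sum = 0;
    return (int)sandboxed_decode(bad, sizeof bad, &sum);
}

int main(void) {
    printf("valid image pixel sum: %ld\n", demo_valid_image());
    printf("malformed image outcome: %d (1 = decoder crashed, caller survived)\n",
           demo_malformed_image());
    return 0;
}
```

The point to take from the second case is the one the message makes about renderers and image decoders: the parser's crash is delivered to the parent as a status code rather than a core dump, and the confined child never had the privileges to do anything more interesting than compute a sum. Replacing the rlimits with a real MAC profile, and the pipe with the fast local RPC the dissertation describes, is what turns this sketch into the architecture the message is proposing.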


More information about the wine-devel mailing list