LinuxQuestions.org


moxieman99 03-28-2009 04:56 PM

Windows running Firefox more secure than linux running it?
 
Bullet points from an article in this week's (3/27) Economist about browsers. What does linux do about memory location randomization during installs? Did the author get it wrong?

Here:

The default browser on all Macs has been Apple’s Safari—a nifty program that uses a rendering engine and tools for running Java scripts borrowed from a venerable Linux browser called Konqueror.

A Windows machine [invading a browser] is harder to crack than a Mac because of the way Microsoft randomises the memory locations of code inserted into processes. Even if they can get into the system, hackers then have trouble finding where their nefarious bit of code is lurking.

Apple is not big on randomisation, which is part of the reason why Macintosh computers are so vulnerable to online attack, whether running Safari or even Firefox.

Hackers agree the toughest nut to crack is Firefox running on Windows.

For the second year running, a team led by Charlie Miller of Independent Security Evaluators won a $10,000 prize at the CanSecWest security conference in Vancouver held between March 16th and 20th, with a “drive-by” attack on a MacBook Air. With judges watching every keystroke, it took him only seconds to break remotely into the fully patched Macintosh laptop running Safari and take control of it.

Another security researcher at the Vancouver meeting cracked both Safari and Firefox on a Mac as a bonus while doing something seriously tricky. The researcher in question, known only by his first name, Nils, broke into a Sony Vaio laptop running Internet Explorer 8 on Vista’s heavily fortified replacement, Windows 7. For compromising all three browsers—Internet Explorer, Firefox and Safari—Nils walked away with $5,000 in prize money.

The only browser left standing was Google’s one-year-old Chrome. The consensus was that even the lightning-fast Chrome would have been toppled if Google made a habit of buying information about bugs—thereby giving researchers an incentive to develop exploits.

Google’s engineers broke with the traditional architecture adopted by all web browsers. Instead of using a monolithic structure that combines both the user and the web together in a single protected area, Chrome ingeniously separates the main part of the program, the browser kernel, from the various rendering processes that recreate web pages on a computer screen. The browser kernel, which interacts directly with the operating system, is therefore shielded from anything questionable lurking on the web.

unSpawn 03-28-2009 07:31 PM

Next time please post the article's URI plus your own opinion of things. Linux uses ASLR but not as strong as Linux patched with say PaX.
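
An added example, not part of the thread: one way to check what the question asks about, namely which parts of a Linux process actually move between runs. The two `/proc/<pid>/maps` excerpts are constructed, and `/opt/demo/app`, `describe_mode`, `region_bases` and `randomised_regions` are hypothetical names; the sample models a non-PIE binary, whose own code stays at a fixed address even when the stack, heap and libraries are randomised.

```python
from pathlib import Path

# Meaning of /proc/sys/kernel/randomize_va_space on mainline Linux.
MODES = {0: "disabled",
         1: "stack, mmap base (shared libraries) and vDSO randomised",
         2: "as 1, plus the brk heap"}

# Constructed /proc/<pid>/maps excerpts from two runs of a hypothetical
# non-PIE program /opt/demo/app (addresses invented for illustration).
RUN_A = """\
00400000-00401000 r-xp 00000000 08:01 131 /opt/demo/app
01c3e000-01c5f000 rw-p 00000000 00:00 0 [heap]
7f3a1c1ff000-7f3a1c200000 rw-p 00000000 00:00 0
7f3a1c200000-7f3a1c3c0000 r-xp 00000000 08:01 262 /lib/libc.so.6
7ffd4a1e0000-7ffd4a201000 rw-p 00000000 00:00 0 [stack]
"""
RUN_B = """\
00400000-00401000 r-xp 00000000 08:01 131 /opt/demo/app
0092b000-0094c000 rw-p 00000000 00:00 0 [heap]
7f91e8600000-7f91e87c0000 r-xp 00000000 08:01 262 /lib/libc.so.6
7ffc03b5f000-7ffc03b80000 rw-p 00000000 00:00 0 [stack]
"""

def describe_mode(raw):
    """Translate the sysctl's text value into what it randomises."""
    value = int(raw.strip())
    return MODES.get(value, f"unknown value {value}")

def region_bases(maps_text):
    """Map each named region to the start address of its first mapping."""
    bases = {}
    for line in maps_text.splitlines():
        fields = line.split(None, 5)   # addr perms offset dev inode [name]
        if len(fields) < 6:
            continue                   # anonymous mapping, no name to key on
        start = int(fields[0].split("-")[0], 16)
        bases.setdefault(fields[5].strip(), start)
    return bases

def randomised_regions(first, second):
    """True for every region whose base differs between the two runs."""
    a, b = region_bases(first), region_bases(second)
    return {name: a[name] != b[name] for name in a if name in b}

if __name__ == "__main__":
    knob = Path("/proc/sys/kernel/randomize_va_space")
    if knob.exists():
        print("this kernel:", describe_mode(knob.read_text()))
    for name, moved in randomised_regions(RUN_A, RUN_B).items():
        print(f"{name:20} {'randomised' if moved else 'FIXED'}")
```

To apply it to a real program, capture `/proc/<pid>/maps` from two separate launches and pass both texts to `randomised_regions`.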

Crito 03-28-2009 07:57 PM

Quote:

Hackers agree the toughest nut to crack is Firefox running on Windows.

Anytime someone claims "everyone agrees" about anything, you know they're full of !@#$%.

DEP (Data Execution Prevention) wasn't introduced into the Windows product family until XP SP2, by the way, and many people still don't use it.

moxieman99 03-28-2009 08:13 PM

Quote:

Originally Posted by unSpawn (Post 3491059)
Next time please post the article's URI plus your own opinion of things. Linux uses ASLR but not as strong as Linux patched with say PaX.

--------------
I have no opinion on it. I simply read the article, had a question about the implied statement about Windows and Firefox being more secure than linux and Firefox, and condensed some of the salient points (within the limits of the "fair use" doctrine -- being a lawyer, I know what they are) so that others could readily get the gist of the article and comment on it.

Less effort on the part of others to see what the problem is = greater likelihood of good response.

Thanks for the note about ASLR and PaX.

Crito 03-28-2009 08:50 PM

Since the Economist is an authority on hacking, perhaps some computer geek here can explain exactly how trickle-down economics works. From what I gather, Bernanke waves a magic wealth-creating wand over the freshly printed green paper. He then distributes it to his banker buddies and it trickles down in a supply-side and quasi-religious sort of way. :p

moxieman99 03-28-2009 09:13 PM

Quote:

Originally Posted by Crito (Post 3491113)
Since the Economist is an authority on hacking, perhaps some computer geek here can explain exactly how trickle-down economics works. From what I gather, Bernanke waves a magic wealth-creating wand over the freshly printed green paper. He then distributes it to his banker buddies and it trickles down in a supply-side and quasi-religious sort of way. :p

Someone once said that "the Lord works in mysterious ways," and our economic bailout mechanisms certainly are mysterious, so you are right about the "quasi-religious" sort of way.

The Economist, as you know, covers a wide range of interests, and usually gets things right (but not always). I was stunned by the remark that Firefox on Windows was the hardest to hack into. I mean, Windows? So I posted the bullet points and wanted to get analysis from people who actually know Linux.

Crito 03-28-2009 09:14 PM

Because the alternative would be the crazy belief that expanding the money supply dilutes the money in my pocket, stealing wealth from me and redistributing it to bankers who then give it to multinational monopolists who can't fail because they're "too big". But who would believe such a conspiracy theory? Only some tin foil hat wearing nut, I'm sure.

I'm just glad smarter people than me with MBAs from Harvard are taking care of the problem. We just need to have confidence in them and faith in the dollar. As long as everyone continues to worship at the church of free-market capitalism everything will be OK.:rolleyes:

DragonSlayer48DX 03-28-2009 09:43 PM

I posted the story myself (including the link) for last year's event in Linux Questions/News-- Yes, the Mac was cracked in no time at all, and Windows was busted on the last day. BUT nobody could get into the Linux box.

H_TeXMeX_H 03-29-2009 03:55 AM

Quick, let's all switch to Window$ and run FF because a BS article says it's more secure.

DragonSlayer48DX 03-29-2009 06:07 AM

Quote:

Originally Posted by H_TeXMeX_H (Post 3491314)
Quick, let's all switch to Window$ and run FF because a BS article says it's more secure.

ROFL

Thanks, H- I needed that. :D

Crito 03-29-2009 06:37 PM

The Economist isn't even reliable for economic news.

Quote:

The crash has laid bare many unpleasant truths about the United States. One of the most alarming, says a former chief economist of the International Monetary Fund, is that the finance industry has effectively captured our government -- a state of affairs that more typically describes emerging markets, and is at the center of many emerging-market crises. If the IMF’s staff could speak freely about the U.S., it would tell us what it tells all countries in this situation: recovery will fail unless we break the financial oligarchy that is blocking essential reform. And if we are to prevent a true depression, we’re running out of time.
The Quiet Coup: http://www.theatlantic.com/doc/200905/imf-advice

moxieman99 03-29-2009 08:02 PM

Quote:

Originally Posted by Crito (Post 3491966)
The Economist isn't even reliable for economic news.



The Quiet Coup: http://www.theatlantic.com/doc/200905/imf-advice

====================
I've read that too. But the Economist (Brit, so no wonder they're keeping us in the dark) has also warned that Wall Street was getting too big for its britches.

FlGator81 04-03-2009 08:36 PM

I don't know of any news source that is always accurate all the time. However, that does not mean that a given periodical has never published anything accurate. One has to read an article and evaluate it, and the more one reads, the broader base they will have with which to evaluate information.

I, for one, doubt that Firefox is more secure on Windows than on anything else (especially Linux). I think it's fundamentally a permissions issue. Linux is a lot better about executing code at the user level than as root, if the user is logged in as a normal user, thus limiting the damage. Windows executes *all* code as admin unless you have created and logged into a restricted account, and even then permissions are not enforced as thoroughly as they could be.

masonm 04-04-2009 12:23 AM

Yep, FF on Windows is far more secure, that's why all of the Windows firewall and AV folks are going out of business.

Crito 04-04-2009 10:12 AM

Windows makes me feel like a mushroom: kept in the dark and fed s**t

But Bill Gates is too big to lose now. Anything that hurts Microsoft is bad for the economy, not just here in the USA either, but the entire globe. :rolleyes:


All times are GMT -5.