Windows running Firefox more secure than linux running it?
Bullet points from an article in this week's (3/27) Economist about browsers. What does linux do about memory location randomization during installs? Did the author get it wrong?
Here:

The default browser on all Macs has been Apple’s Safari—a nifty program that uses a rendering engine and tools for running Java scripts borrowed from a venerable Linux browser called Konqueror.

A Windows machine [invading a browser] is harder to crack than a Mac because of the way Microsoft randomises the memory locations of code inserted into processes. Even if they can get into the system, hackers then have trouble finding where their nefarious bit of code is lurking. Apple is not big on randomisation, which is part of the reason why Macintosh computers are so vulnerable to online attack, whether running Safari or even Firefox. Hackers agree the toughest nut to crack is Firefox running on Windows.

For the second year running, a team led by Charlie Miller of Independent Security Evaluators won a $10,000 prize at the CanSecWest security conference in Vancouver held between March 16th and 20th, with a “drive-by” attack on a MacBook Air. With judges watching every keystroke, it took him only seconds to break remotely into the fully patched Macintosh laptop running Safari and take control of it.

Another security researcher at the Vancouver meeting cracked both Safari and Firefox on a Mac as bonus while doing something seriously tricky. The researcher in question, known only by his first name, Nils, broke into a Sony Vaio laptop running Internet Explorer 8 on Vista’s heavily fortified replacement, Windows 7. For compromising all three browsers—Internet Explorer, Firefox and Safari—Nils walked away with $5,000 in prize money.

The only browser left standing was Google’s one-year-old Chrome. The consensus was that even the lightning-fast Chrome would have been toppled if Google made a habit of buying information about bugs—thereby giving researchers an incentive to develop exploits.

Google’s engineers broke with the traditional architecture adopted by all web browsers. Instead of using a monolithic structure that combines both the user and the web together in a single protected area, Chrome ingeniously separates the main part of the program, the browser kernel, from the various rendering processes that recreate web pages on a computer screen. The browser kernel, which interacts directly with the operating system, is therefore shielded from anything questionable lurking on the web. |
Next time please post the article's URI plus your own opinion of things. Linux uses ASLR but not as strong as Linux patched with say PaX.
|
Quote:
DEP (Data Execution Prevention) wasn't introduced into the Windows product family until XP SP2, by the way, and many people still don't use it. |
Quote:
I have no opinion on it. I simply read the article, had a question about the implied statement about Windows and Firefox being more secure than linux and Firefox, and condensed some of the salient points (within the limits of the "fair use" doctrine -- being a lawyer, I know what they are) so that others could readily get the gist of the article and comment on it. Less effort on the part of others to see what the problem is = greater likelihood of good response. Thanks for the note about ASLR and PaX. |
Since the Economist is an authority on hacking, perhaps some computer geek here can explain exactly how trickle-down economics works. From what I gather, Bernanke waves a magic wealth-creating wand over the freshly printed green paper. He then distributes it to his banker buddies and it trickles down in a supply-side and quasi-religious sort of way. :p
|
Quote:
The Economist, as you know, covers a wide range of interests, and usually gets things right (but not always). I was stunned by the remark that Firefox on Windows was the hardest to hack into. I mean, Windows? So I posted the bullet points and wanted to get analysis from people who actually know Linux. |
Because the alternative would be the crazy belief that expanding the money supply dilutes the money in my pocket, stealing wealth from me and redistributing it to bankers who then give it to multinational monopolists who can't fail because they're "too big". But who would believe such a conspiracy theory? Only some tin foil hat wearing nut, I'm sure.
I'm just glad smarter people than me with MBAs from Harvard are taking care of the problem. We just need to have confidence in them and faith in the dollar. As long as everyone continues to worship at the church of free-market capitalism everything will be OK.:rolleyes: |
I posted the story myself (including the link) for last year's event in Linux Questions/News-- Yes, the Mac was cracked in no time at all, and Windows was busted on the last day. BUT nobody could get into the Linux box.
|
Quick, let's all switch to Window$ and run FF because a BS article says it's more secure.
|
Quote:
Thanks, H- I needed that. :D |
The Economist isn't even reliable for economic news.
|
Quote:
I've read that too. But the Economist (Brit, so no wonder they're keeping us in the dark) has also warned that Wall Street was getting too big for its britches. |
I don't know of any news source that is always accurate all the time. However, that does not mean that a given periodical has never published anything accurate. One has to read an article and evaluate it, and the more one reads, the broader base they will have with which to evaluate information.
I, for one, doubt that Firefox is more secure on Windows than on anything else (especially Linux). I think it's fundamentally a permissions issue. Linux is a lot better about executing code at the user level than as root, if the user is logged in as a normal user, thus limiting the damage. Windows executes *all* code as admin unless you have created and logged into a restricted account, and even then permissions are not enforced as thoroughly as they could be. |
Yep, FF on Windows is far more secure, that's why all of the Windows firewall and AV folks are going out of business.
|
Windows makes me feel like a mushroom: kept in the dark and fed s**t
But Bill Gates is too big to lose now. Anything that hurts Microsoft is bad for the economy, not just here in the USA either, but the entire globe. :rolleyes: |