Mozilla: Hard cheese or soft underbelly?


Last week the Mozilla Foundation, the organisation behind the increasingly popular Firefox web browser, issued an extraordinary email to its SpreadFirefox.com users asking them to change their logon details.

Users might have mistaken it for a phishing email, but Mozilla was deadly serious. It had suffered an intrusion in which the attackers attempted to turn its servers into a spam factory.

Mozilla said: "On Tuesday, July 12, the Mozilla Foundation discovered that the server hosting Spread Firefox, our community marketing site, had been accessed on Sunday, July 10 by unknown remote attackers who exploited a security vulnerability in the software running the site. This exploit was limited to SpreadFirefox.com and did not affect other mozilla.org web sites or Mozilla software."

Mozilla was quick to point out that there was no evidence to suggest personal details had been stolen, but in a frank admission conceded, "It is possible that the attackers acquired information site-users provided to the site."

Speculation is mounting that the underlying cause of the problem was a flaw in third-party software: Drupal, the open source content management system on which the Spread Firefox site runs.

At least two security vulnerabilities existed in Drupal at the time: one related to the use of Drupal's input filters, and one in the XML-RPC library (software that lets remote clients call functions on the site) that ships with the product.

Mozilla patched the problems after discovering the intrusion: "We have applied the necessary security fixes to the software running the site, have reviewed our security plan to determine why we didn't previously apply those fixes in this case, and have modified that plan to ensure we do so in the future."

The episode is a reminder to other organisations that patch management is a vital part of security planning, because vendors often publicise vulnerabilities at the same time the patches become available. In other words, the bad guys get the information at the same moment the company does, and the window of opportunity stays open not until the fix is published but until it is actually applied, while organisations scramble to update their systems.
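As an added example (not code from this article, from Mozilla or from the Drupal project), here is the kind of first-pass triage a responder would run after an incident like this one: parse the web server's access log and pull every request to the XML-RPC endpoint inside the window between the intrusion (Sunday 10 July) and its discovery (Tuesday 12 July). The endpoint path /xmlrpc.php, the Apache combined log format, the UTC window and the log lines themselves are assumptions constructed for illustration; the article says only that a vulnerability existed in the XML-RPC library Drupal ships.

```python
"""Triage a web access log for traffic to an XML-RPC endpoint inside a
suspected intrusion window.

Added example: not code from the original article, from Mozilla or from
the Drupal project. Assumptions not stated on the page: the site serves
its XML-RPC library at /xmlrpc.php, the log is Apache "combined" format,
and the log lines below are constructed for illustration.
"""
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample log (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [09/Jul/2005:22:14:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Jul/2005:03:41:10 +0000] "POST /xmlrpc.php HTTP/1.1" 200 312 "-" "PHP"
198.51.100.23 - - [10/Jul/2005:03:41:12 +0000] "POST /xmlrpc.php HTTP/1.1" 200 418 "-" "PHP"
198.51.100.23 - - [10/Jul/2005:03:41:15 +0000] "POST /xmlrpc.php HTTP/1.1" 500 97 "-" "PHP"
192.0.2.44 - - [10/Jul/2005:09:02:33 +0000] "GET /xmlrpc.php?x=1 HTTP/1.1" 200 120 "-" "Mozilla/4.0"
203.0.113.7 - - [11/Jul/2005:12:00:00 +0000] "GET /user/login HTTP/1.1" 200 2300 "-" "Mozilla/5.0"
this line is not a log record
"""

# Intrusion window from the article: accessed Sunday 10 July, discovered
# Tuesday 12 July 2005. Treated as UTC (assumption).
WINDOW_START = datetime(2005, 7, 10, tzinfo=timezone.utc)
WINDOW_END = datetime(2005, 7, 13, tzinfo=timezone.utc)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_line(line):
    """Parse one combined-format line; return None for unparseable lines."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    # Strip the query string so /xmlrpc.php?x=1 still matches the endpoint.
    rec["path"] = rec["path"].split("?", 1)[0]
    return rec


def endpoint_requests(log_text, start, end, endpoint="/xmlrpc.php"):
    """All requests to `endpoint` with start <= timestamp < end."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None and rec["path"] == endpoint and start <= rec["ts"] < end:
            hits.append(rec)
    return hits


def triage(log_text, start, end, allowed_posters=frozenset()):
    """Summarise endpoint traffic in the window.

    XML-RPC calls travel as POST bodies, so a POST from a source that is not
    a known remote-publishing client is the thing worth pulling for review.
    Returns the hit count, (ip, method) counts and the sorted flagged sources.
    """
    hits = endpoint_requests(log_text, start, end)
    counts = Counter((h["ip"], h["method"]) for h in hits)
    flagged = sorted(
        {ip for (ip, method) in counts if method == "POST" and ip not in allowed_posters}
    )
    return {"hits": len(hits), "counts": counts, "flagged": flagged}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG, WINDOW_START, WINDOW_END)
    print(f"{result['hits']} requests to the XML-RPC endpoint in the window")
    for (ip, method), n in sorted(result["counts"].items()):
        print(f"  {ip:16} {method:5} x{n}")
    print("sources to review:", ", ".join(result["flagged"]) or "none")
```

Run it as a script to print the summary. The flagged list is a starting point for review, not proof of compromise: a legitimate blog client also POSTs to xmlrpc.php, which is what the allowed_posters argument is for, and a log the attacker could already write to proves nothing at all.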

The Spread Firefox website is a critical part of the Mozilla Foundation's thrust into the browser market. As a non-profit organisation, Mozilla relies on the goodwill of its supporters, and that goodwill has taken Firefox to just under 10 per cent of the browser market since the Foundation's launch in July 2003.

"We believe there is nothing that a large community of enthusiastic volunteers can't accomplish, and this site exists to unite the community into one cohesive marketing force that even competitors with unlimited resources can't compete with," Mozilla said.

The Firefox browser is pushed largely on its supposed security advantages over Microsoft's Internet Explorer, so any security breach at Mozilla is an embarrassment, particularly where the organisation's security management practices – in this case, its patch management – can be blamed.

But every organisation suffers security breaches, and no software is invulnerable. If anything, the episode shows the frailty of all computer systems, which are, by necessity, patchworks of software from multiple vendors, open-source projects and manufacturers.

Systems are only as secure as their weakest link, so vendors priding themselves on the fastidious security of their own component are always liable to be caught out by a flaw that is not of their making. Users do not greatly care about the details of who is to blame, just the irritation of another fault.

Exposure via one application can open up a system like the soft underbelly of a gnarly old croc, so it will always be the responsibility of the user to treat vendors' claims with caution and manage their own information security with care. Few systems are identical, and threats will come from all directions.

William Knight

Jul 21, 2005

All content © Contractor UK Limited