Does Firefox have something similar to ActiveX in terms of security vulnerabilities?

People always say that Linux is more secure than Windows. The main reason seems to be the general system design philosophy and the fact that users are users and not root.

One main security concern when using Windows and Internet Explorer seems to be ActiveX. Every few days I read about another kind of exploit using ActiveX, and almost always the workaround is to deactivate ActiveX. I read that so often I wonder why people bother to activate ActiveX at all. (One reason might be that the name contains "active"; another might be the Windows Update function.)

Using Ubuntu and Firefox, I always feel so safe when reading about the ActiveX exploits. I know that there are many other security vulnerabilities that use JavaScript and/or Adobe Flash, but as far as I understand those kinds of security vulnerabilities can only do as much damage as my user rights allow. Of course that doesn't help much when the malware wants to destroy all of my data - but most malware today only wants to use my PC as a botnet drone and so is not interested in destroying my data.

So the question again: does Firefox running under Ubuntu have something similar to ActiveX, in terms of security vulnerabilities?

Another question which may be identical: can a security vulnerability involving Adobe Flash and/or JavaScript be "easily" exploited to do as much damage as an ActiveX exploit?

When I say "easy" I mean that the attack does not need to exploit another component of the system to elevate user rights. For example, an exploit involving Adobe Flash will gain access to my PC using my user rights, and then proceed to exploit some known vulnerability in X to gain root access. That is not "easy".


> does firefox under ubuntu has something similar to activeX, in terms of security vulnerability?

‘ActiveX’ can be considered in two parts, the object model and the installation method. Firefox has something similar—and cross-platform compatible, Ubuntu or other—for both.

The object model of ActiveX is Microsoft COM; Firefox's equivalent is XPCOM. Many other Windows features and applications that are nothing to do with web browsing use MS COM, and there have traditionally been endless problems where COM controls that were not written for secure web usage were nonetheless available to web pages. This caused many compromises. Firefox is better off here as XPCOM is not shared with the rest of the system. Newer versions of IE have better controls for mitigating what sites are allowed to use what controls.

(As a side-issue, because many add-ons for Firefox are themselves written in JavaScript, a high-level scripting language, they are often more secure from buffer overflow and string handling errors than extensions for IE which are commonly written in C[++].)

The control-downloader part of ActiveX has also been cleaned up a bit since the bad old days when anything in the My Computer zone could install any software it liked, and aggressive loader scripts could trap you in an alert loop until you agreed to approve the ActiveX prompt. Firefox's equivalent, XPInstall, behaves largely similarly, with the ‘information bar’ on all but Mozilla's sites by default and a suitable warning/prompt before installation.

There is another built-in way you can compromise yourself in Mozilla: signed scripts. I have never seen this actually used, and certainly there'll be another warning window appear before a script gains extra rights, but it kind of worries me that this is available to web pages at all.

> for example an exploit through flash will gain access to my pc under my user rights

Yes, the majority of web exploits today occur in plugins. Adobe Reader, Java(*) and QuickTime are the most popular/vulnerable. IMO: get rid of those, and use FlashBlock to only show Flash when you want it.

(*: and Java's dialogues before it lets you give up all security to some untrusted applet are a bit bare too.)

Ubuntu gives you some questionable plugins by default, in particular a media player plugin that will make every vulnerability in any of your media codecs exploitable through the web (similar to the Windows Media Player plugin, only potentially with many more formats). Whilst I have yet to meet an exploit targeting Linux like this, that's really only security through obscurity.

Note that ActiveX itself is no different. A web browser compromise based on ActiveX still only gives user-level access; it's only because prior to Vista everyone habitually ran everything as Administrator that this escalated to a full-on rooting.

> and then follow to exploit some known vulnerability in X to gain root rights. that is not "easy".

Maybe, maybe not. But I think you'll find the damage some malware can do from even a normal user account is quite bad enough. Copy all your personal data, observe your keypresses, delete all your documents...


It depends on the nature of the vulnerability. Sometimes you're "lucky" and the vulnerability "just" allows for some limited disclosure, but often the vulnerabilities allow for arbitrary code execution. At that point, you're in deep doo-dah, just as deep as ActiveX problems. And those holes can be in the handling for image files (malicious images), or for sound, or almost anything else.

ActiveX was worse because it provided a way for code writers to declare "If this is installed, it's safe to be referenced from a web-page" and a lot of coders turned that on without understanding the implications, so there were a lot of targets and it would be easy to get out. But you have just as much exposure from bad handling of weird numbers in image files. It's just that the image-file problems are fixed by updating the browser.

The only defense against any of this is to use sandboxing, which limits what a process running as a user can do. OpenBSD pioneered making this popular with privilege separation of various daemons (most notably OpenSSH, so you're using this on Ubuntu now). Chrome popularised this for web-browsers, but only has sandboxing on some platforms. Ironically perhaps, for a while you were probably safer with Chrome on Windows than any graphical browser on Linux. Fortunately, this is changing. I believe that some partial protection is in the Linux releases now. The Capsicum project showed how this could be done more fully on FreeBSD (with a capability system) and hopefully at some point the Linux kernel devs will stop fighting over which security model is best and just go with something that becomes near-universally available for web-browsers to rely upon, rather than the blunt hammer that is the suid wrapper which allows for chroot pseudo-sandboxes.

http://www.cl.cam.ac.uk/research/security/capsicum/ is good if you want to explore capability systems for sandboxes and see how things might get better.
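
The privilege-separation idea described in this answer, as an added example that is not part of the original post: a worker process gives up rights before it touches untrusted bytes and reports back over a pipe. It uses POSIX resource limits as a simple stand-in for a real sandbox such as Capsicum; the 8-byte header format and the names `run_worker`, `parse_dims` and `drop_rights` are hypothetical, constructed for illustration.

```c
#include <fcntl.h>
#include <stdint.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

/* What the worker reports back to the parent over the pipe. */
struct report { int parsed_ok; uint64_t pixels; int open_ok; };

/* Give up the right to open files, grow files or (if unprivileged) fork. */
static void drop_rights(void) {
    struct rlimit zero = {0, 0};
    setrlimit(RLIMIT_NOFILE, &zero);
    setrlimit(RLIMIT_FSIZE, &zero);
    setrlimit(RLIMIT_NPROC, &zero);
}

/* Parse a constructed 8-byte header: big-endian width, then height. */
static int parse_dims(const unsigned char *b, size_t n, uint64_t *pixels) {
    if (n < 8) return 0;
    uint32_t w = (uint32_t)b[0] << 24 | b[1] << 16 | b[2] << 8 | b[3];
    uint32_t h = (uint32_t)b[4] << 24 | b[5] << 16 | b[6] << 8 | b[7];
    if (w == 0 || h == 0 || w > 16384 || h > 16384) return 0; /* weird numbers */
    *pixels = (uint64_t)w * h;
    return 1;
}

/* Handle untrusted bytes in a child process; 0 on success, -1 on error. */
int run_worker(const unsigned char *buf, size_t len, int sandbox, struct report *out) {
    int fds[2];
    if (pipe(fds) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return -1; }
    if (pid == 0) {                          /* worker */
        struct report r = {0, 0, 0};
        close(fds[0]);
        if (sandbox) drop_rights();          /* before touching the input */
        r.parsed_ok = parse_dims(buf, len, &r.pixels);
        int fd = open("/dev/null", O_RDONLY); /* probe: can we still open files? */
        r.open_ok = (fd >= 0);
        ssize_t w = write(fds[1], &r, sizeof r); /* existing fds keep working */
        _exit(w == (ssize_t)sizeof r ? 0 : 1);
    }
    close(fds[1]);
    ssize_t got = read(fds[0], out, sizeof *out);
    close(fds[0]);
    waitpid(pid, NULL, 0);
    return got == (ssize_t)sizeof *out ? 0 : -1;
}
```

With `sandbox` set, the worker still parses and reports, but its attempt to open a new file fails. A process with the privilege to raise its own limits can undo this, which is one reason real browser sandboxes rely on kernel mechanisms rather than resource limits alone.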


AFAIK an ActiveX exploit can't do harm outside your user's rights either (without using other exploits, as you indicate). The main problem on Windows was that almost everybody was working as Administrator most of the time...