On Wed, May 03, 2006 at 09:05:59PM +0100, Mike Hearn wrote: > On 5/3/06, Marcus Meissner <[EMAIL PROTECTED]> wrote: > >Number of konqueror affecting security problems in the last 2 years > >(by CVE entry): ca 10. > >Number of firefox security problems in the last 2 years > >(by CVE entry): ca 100. > > > >(Just go to http://cve.mitre.org/cve/ and look for yourself.) > > I wonder how much of that is due to the differences in popularity vs > the differences in engineering? (a disturbing number of Firefox > exploits are based on its platform features like XUL/XBL). Konq just > isn't as interesting a target for security "researchers".
Its more of feature bloatedness and codesize vs small (but full necessary ) featureset and clean programming ;) The 5000 (?) US$ challenges might have helped to poke holes in it. > Safari has quite a lot of exploits available for it too and it's based > on KHTML .... But they are not konqueror issues. The konqueror developer look at the Safari fixes. ;) > >One reason I hate Firefox. > > I've just come to accept that web browsers are exploit-zones all round > - their entire purpose in life is to download and manipulate extremely > complex data structures and code from the net at high speeds. Pretty > much a textbook case of where you'd expect to find security problems. Yeah similar to this strange emulator program where users actually download .exe files and run them under Linux :) > My dissertation is on splitting software into modules using a fast > form of local RPC so they can be confined using AppArmor/SELinux .. > the idea is you could try and split things like the renderer out of a > web browser so it runs with no privileges (except perhaps minimal X > server access). The architecture of Firefox, where the entire program > basically runs inside the rendering engine, makes that rather tricky, > but the same principles apply to things like image decoders. helix-dbus-server is a good start (although for 64 <-> 32bit interop), imgsep a nice idea, seccomp a too restricted idea ... and so on. ;) Ciao, Marcus
