Why we need Gecko updates
ben.bucksch at beonex.com
Wed Dec 16 09:09:17 UTC 2015
Joshua Cranmer wrote on 10.12.2015 19:49:
> I think you're wrong here. It is probably about two to three orders of
> magnitude harder to deliver an exploit to an email client than it is a
> web browser.
Reality proved me right. Google and several other big companies got
hacked by China a few years ago. This hack was bad enough to make the
CEOs so upset that they went public about it and Google even closed down
google.cn, citing this hack as reason / last straw. (Which may not be
the full story, as the public story rarely is. Either way, that's just
one case in point that...)
Email is being actively used as an attack vector for hacking at the highest
levels, and even companies who really ought to know better fell for it.
And the cases we know about it probably are just 1% of what's actually
More technical rebuttal:
> ad servers are a great way to feed malware to users
And then, there's spam...
> web browsers willingly send their identities to the servers, making it
> trivial to target malware specific to the user's machine.
I think the email address is more tied to a person than a web browser.
If you want to hack someone specific, HTML email is the easiest way. No
need to redirect Internet traffic, pick the right target out of
hundreds. Just send a well-crafted email.
> if I wanted to specifically target someone, I'd probably try via email
> instead of a web browser.
Right. OK, we agree, then. That's what I was talking about. Most
high-value hacks require targeting someone specific. Mass-hacks are boring.