Firefox "critically flawed"?

 
faceless
admin


Joined: 25 Apr 2006

Posted: Mon Oct 02, 2006 10:27 am    Post subject: Firefox "critically flawed"?

SAN DIEGO--The open-source Firefox Web browser is critically flawed in the way it handles JavaScript, two hackers said Saturday afternoon.

An attacker could commandeer a computer running the browser simply by crafting a Web page that contains some malicious JavaScript code, Mischa Spiegelmock and Andrew Wbeelsoi said in a presentation at the ToorCon hacker conference here. The flaw affects Firefox on Windows, Apple Computer's Mac OS X and Linux, they said.

"Internet Explorer, everybody knows, is not very secure. But Firefox is also fairly insecure," said Spiegelmock, who in everyday life works at blog company SixApart. He detailed the flaw, showing a slide that displayed key parts of the attack code needed to exploit it.

The flaw is specific to Firefox's implementation of JavaScript, a 10-year-old scripting language widely used on the Web. In particular, various programming tricks can cause a stack overflow error, Spiegelmock said. The implementation is a "complete mess," he said. "It is impossible to patch."

The JavaScript issue appears to be a real vulnerability, Window Snyder, Mozilla's security chief, said after watching a video of the presentation Saturday night. "What they are describing might be a variation on an old attack," she said. "We're going to do some investigating."

Snyder said she isn't happy with the disclosure and release of an apparent exploit during the presentation. "It looks like they had enough information in their slide for an attacker to reproduce it," she said. "I think it is unfortunate because it puts users at risk, but that seems to be their goal."

At the same time, the presentation probably gives Mozilla enough data to fix the apparent flaw, Snyder said. However, because the possible flaw appears to be in the part of the browser that deals with JavaScript, addressing it might be tougher than the average patch, she added. "If it is in the JavaScript virtual machine, it is not going to be a quick fix," Snyder said.

The hackers claim they know of about 30 unpatched Firefox flaws. They don't plan to disclose them, instead holding on to the bugs.

Jesse Ruderman, a Mozilla security staffer, attended the presentation and was called up on the stage with the two hackers. He attempted to persuade the presenters to responsibly disclose flaws via Mozilla's bug bounty program instead of using them for malicious purposes such as creating networks of hijacked PCs, called botnets.

"I do hope you guys change your minds and decide to report the holes to us and take away $500 per vulnerability instead of using them for botnets," Ruderman said.

The two hackers laughed off the comment. "It is a double-edged sword, but what we're doing is really for the greater good of the Internet, we're setting up communication networks for black hats," Wbeelsoi said.

--------------

interesting indeed as I moved onto firefox a few months back... I'd still recommend it over IE.
Griffo



Joined: 24 May 2006
Location: Staffordshire, England

Posted: Mon Oct 02, 2006 10:30 am

FireFox rules :smile:
IRiSHMaFIA
Admin


Joined: 29 Apr 2006

Posted: Mon Oct 02, 2006 11:15 am

I'd never go back to IE now as it's like an old dinosaur. The newer version is a little better visually, but still has loads of bugs.

I'm stickin with the fox :thumbs:
Skylace
Admin


Joined: 29 Apr 2006
Location: Pittsburgh, PA

Posted: Mon Oct 02, 2006 2:06 pm

I've been using firefox for a long while now and I love it. :kiss:
Kezza
Gone To The Dogs!


Joined: 30 Apr 2006

Posted: Mon Oct 02, 2006 7:51 pm

My youngest sister was using IE (against my advice) whilst making a hotel booking. Turns out her credit card was hijacked. She received a call from her credit card company informing her that her card had been used in Japan and Malaysia (and she lives on the East Coast of the U.S.!). :grr: What really sucks is that the bastard (or bastards/bastardesses) who did this will never be caught.

I use Firefox and Netscape, and will NEVER use IE unless I have to.
Bob



Joined: 01 May 2006
Location: US

Posted: Mon Oct 02, 2006 10:59 pm

That's a bugger ain't it...but requires a site made for it and for people to go to that site...so like a lot of these exploits, if you don't go to dodgy sites, you'll probably be all set...
maycm
'cheeky banana'


Joined: 29 Apr 2006

Posted: Tue Oct 03, 2006 7:49 pm

Guess what - they were 'avin a larf! :laughing: :shocked:

http://www.vnunet.com/vnunet/news/2165546/fifefox-hacker-back-peddles
All times are GMT

Couchtripper - 2005-2015