topbanner_forum
  *

avatar image

Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
  • Monday March 18, 2024, 11:19 pm
  • Proudly celebrating 15+ years online.
  • Donate now to become a lifetime supporting member of the site and get a non-expiring license key for all of our programs.
  • donate

Author Topic: Bad news for Firefox: Hackers claim zero-day flaw in it - Updated: False Alarm  (Read 9583 times)

KenR

  • Super
  • Blogger
  • Joined in 2006
  • ***
  • Posts: 826
    • View Profile
    • Donate to Member
SAN DIEGO--The open-source Firefox Web browser is critically flawed in the way it handles JavaScript, two hackers said Saturday afternoon.

An attacker could commandeer a computer running the browser simply by crafting a Web page that contains some malicious JavaScript code, Mischa Spiegelmock and Andrew Wbeelsoi said in a presentation at the ToorCon hacker conference here. The flaw affects Firefox on Windows, Apple Computer's Mac OS X and Linux, they said.

"Internet Explorer, everybody knows, is not very secure. But Firefox is also fairly insecure," said Spiegelmock, who in everyday life works at blog company SixApart. He detailed the flaw, showing a slide that displayed key parts of the attack code needed to exploit it ...

Kenneth P. Reeder, Ph.D.
Clinical Psychologist
Jacksonville, North Carolina  28546
« Last Edit: October 06, 2006, 12:45 PM by mouser »

Renegade

  • Charter Member
  • Joined in 2005
  • ***
  • Posts: 13,288
  • Tell me something you don't know...
    • View Profile
    • Renegade Minds
    • Donate to Member
Re: Bad news for Firefox: Hackers claim zero-day flaw in it
« Reply #1 on: October 02, 2006, 01:51 AM »
This really ticks me off. I hate hearing all the anti-MS BS about how IE is "not secure". Pure silliness. FF has problems too. I just wish people would be a bit more level headed and not run off spouting lies about IE. (But yeah - I still use FF - but NOT because of security.)

The last round of FF problems were really bad. Multiple exploits that allowed full control. They both have problems. But that doesn't mean that either is more secure than the other. There have been no REAL security studies (that I've seen or heard of) that show any relationship between security and the two browsers.

Ok. That was a rant...  :D

But it's kind of silly to expect someone to turn in an exploit that gives you a computer for $500. Mozilla needs to give it's head a shake. Really. Think about it. You've got some people that put in the time to find these things, and they can make a fortune selling it to spammers. Why would they turn it in? For $500? Doubtful...

In other news, has anyone noticed a rise in porn spam?

Slow Down Music - Where I commit thought crimes...

Freedom is the right to be wrong, not the right to do wrong. - John Diefenbaker

app103

  • That scary taskbar girl
  • Global Moderator
  • Joined in 2006
  • *****
  • Posts: 5,884
    • View Profile
    • Donate to Member
Re: Bad news for Firefox: Hackers claim zero-day flaw in it
« Reply #2 on: October 02, 2006, 02:06 AM »
These vulnerabilities affect more than just firefox...

They affect any application using the spidermonkey js engine too.

So there are a bunch of programs out there that use it for js scripting features that are ticking time bombs.

Eóin

  • Charter Member
  • Joined in 2006
  • ***
  • Posts: 1,401
    • View Profile
    • Donate to Member
Re: Bad news for Firefox: Hackers claim zero-day flaw in it
« Reply #3 on: October 02, 2006, 05:54 AM »
Makes me happy that I run the NoScript extension by default. But still thats not a complete defense as JavaScript is so popular that I nearly always end up renabling it for the websites I visit.

urlwolf

  • Charter Member
  • Joined in 2006
  • ***
  • Posts: 1,837
    • View Profile
    • Donate to Member
Re: Bad news for Firefox: Hackers claim zero-day flaw in it
« Reply #4 on: October 02, 2006, 02:03 PM »
Is opera safe?

dk70

  • Charter Member
  • Joined in 2005
  • ***
  • Posts: 269
    • View Profile
    • Donate to Member
Re: Bad news for Firefox: Hackers claim zero-day flaw in it
« Reply #5 on: October 02, 2006, 08:50 PM »
Yeah, yeah http://developer.moz...reported-at-toorcon/

The bug-hunting reward  should be seen in light of how Bugzilla works and who they know are likely to find bugs. Those are busy people, developers, extension makers - nothing more than a pad on the back and probably more directed at delivering good documentation and follow up. Selling to spammers have nothing to do with reward.

I really dont think main stream media should put such security debates up on front page. They always twist it so it becomes a question of am I now safe using X or Y? Complete nonsense. Way too many eat it up and believe there is a direct link between a headline and internet security.

No-script = giving up if you use for what could be called "general safety", or dont dare enter internet without it enabled. The reason Firefox was made in the first place was certainly not to make user have to barricade them self, more like the opposite. Nothing to do with the extension but if it really was needed, in real life, you would have 2 browsers to pick between, Firefox would die very fast.

CodeTRUCKER

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 1,085
    • View Profile
    • Donate to Member
Re: Bad news for Firefox: Hackers claim zero-day flaw in it
« Reply #6 on: October 03, 2006, 12:19 AM »
Just out of curiosity... do you think that maybe the reason that M$ has gotten a bad rap is because they have always been a high-visibility, widespread target that can provide the highest ROI for collateral damage? 

Let me do the math for you...

(EvilBrains**Nth) * (M$IE**Nth) == (Opportunity**Nth)**Nth
... therefore it follows
M$IEDamage > OtherBrowserDamage
... and
PerceivedM$IESecurity < PerceivedOtherBrowserSecurity


That was fun! ;D   All kidding aside, would you agree?
« Last Edit: August 06, 2010, 11:33 PM by CodeTRUCKER »

Mark0

  • Charter Honorary Member
  • Joined in 2005
  • ***
  • Posts: 652
    • View Profile
    • Mark's home
    • Donate to Member
Re: Bad news for Firefox: Hackers claim zero-day flaw in it
« Reply #7 on: October 03, 2006, 11:26 AM »
It has now been reported that the session in question was likely an unsubstantiated joke / BS show.

Link: ArsTechnica - Firefox JavaScript security "a complete mess"? More like a hoax (updated)


Anyway, Mozilla team is investigating:
Link: Mozilla Developer News - Update: Possible Vulnerability Reported at Toorcon


app103

  • That scary taskbar girl
  • Global Moderator
  • Joined in 2006
  • *****
  • Posts: 5,884
    • View Profile
    • Donate to Member
Re: Bad news for Firefox: Hackers claim zero-day flaw in it
« Reply #8 on: October 04, 2006, 06:32 AM »
Just out of curiosity... do you think that maybe the reason that M$ has gotten a bad rap is because they have always been a high-visibility, widespread target that can provide the highest ROI for collateral damage? 

Let me do the math for you...

(EvilBrains**Nth) * (M$IE**Nth) == (Opportunity**Nth)**Nth
... therefore it follows
M$IEDamage > OtherBrowserDamage
... and
PerceivedM$IESecurity < PerceivedOtherBrowserSecurity


That was fun! ;D   All kidding aside, would you agree?

Has anybody ever discovered any exploits for IBrowse, the default browser for Amiga OS4?

Based on that I would have to say you are right.  :D

It has now been reported that the session in question was likely an unsubstantiated joke / BS show.

Maybe that was a hoax but this isn't:

http://www.us-cert.g...lerts/TA06-208A.html

I think the hoax could have been based on older already known information. And it still affects programs using SpiderMonkey and still affects Netscape.

Redhat

  • Charter Member
  • Joined in 2005
  • ***
  • Posts: 254
    • View Profile
    • Donate to Member
Re: Bad news for Firefox: Hackers claim zero-day flaw in it
« Reply #9 on: October 04, 2006, 10:09 AM »
Once upon a time 0day meant releasing knowledge of an exploit the day after Microsoft's patch day. Ahhh reminicent mood  :D

mouser

  • First Author
  • Administrator
  • Joined in 2005
  • *****
  • Posts: 40,896
    • View Profile
    • Mouser's Software Zone on DonationCoder.com
    • Read more about this member.
    • Donate to Member
Re: Bad news for Firefox: Hackers claim zero-day flaw in it
« Reply #10 on: October 04, 2006, 01:22 PM »
The two hackers who declared last week at ToorCon event in San Diego that FireFox browser is affected by a critical and nearly impossible-to-fix flaw are now stating that the code is not capable of doing much damage.

http://www.playfuls....law_Just_a_Joke.html

Mizraim

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 155
    • View Profile
    • Donate to Member
Re: Bad news for Firefox: Hackers claim zero-day flaw in it
« Reply #11 on: October 04, 2006, 01:54 PM »
Wow... for a minute I thought I was reading something about frailities in Microsoft... but that is old news. :Thmbsup:

mitzevo

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 462
  • Control is power
    • View Profile
    • Donate to Member
Re: Bad news for Firefox: Hackers claim zero-day flaw in it
« Reply #12 on: October 06, 2006, 04:40 AM »
My spanner would be quite exploitable if I kept looking for ways to break it..  :'(
The clock is running. Make the most of today. Time waits for no man. Yesterday is history. Tomorrow is a mystery. Today is a gift. That's why it is called the present.