
Author Topic: Bad news for Firefox: Hackers claim zero-day flaw in it - Updated: False Alarm  (Read 10830 times)

KenR

  • Super
  • Blogger
  • Joined in 2006
  • ***
  • Posts: 826
SAN DIEGO--The open-source Firefox Web browser is critically flawed in the way it handles JavaScript, two hackers said Saturday afternoon.

An attacker could commandeer a computer running the browser simply by crafting a Web page that contains some malicious JavaScript code, Mischa Spiegelmock and Andrew Wbeelsoi said in a presentation at the ToorCon hacker conference here. The flaw affects Firefox on Windows, Apple Computer's Mac OS X and Linux, they said.

"Internet Explorer, everybody knows, is not very secure. But Firefox is also fairly insecure," said Spiegelmock, who in everyday life works at blog company SixApart. He detailed the flaw, showing a slide that displayed key parts of the attack code needed to exploit it ...

Kenneth P. Reeder, Ph.D.
Clinical Psychologist
Jacksonville, North Carolina  28546
« Last Edit: October 06, 2006, 12:45 PM by mouser »

Renegade

  • Charter Member
  • Joined in 2005
  • ***
  • Posts: 13,291
  • Tell me something you don't know...
Re: Bad news for Firefox: Hackers claim zero-day flaw in it
« Reply #1 on: October 02, 2006, 01:51 AM »
This really ticks me off. I hate hearing all the anti-MS BS about how IE is "not secure". Pure silliness. FF has problems too. I just wish people would be a bit more level headed and not run off spouting lies about IE. (But yeah - I still use FF - but NOT because of security.)

The last round of FF problems were really bad. Multiple exploits that allowed full control. They both have problems. But that doesn't mean that either is more secure than the other. There have been no REAL security studies (that I've seen or heard of) that show any relationship between security and the two browsers.

Ok. That was a rant...  :D

But it's kind of silly to expect someone to turn in an exploit that gives you a computer for $500. Mozilla needs to give its head a shake. Really. Think about it. You've got some people that put in the time to find these things, and they can make a fortune selling it to spammers. Why would they turn it in? For $500? Doubtful...

In other news, has anyone noticed a rise in porn spam?

Slow Down Music - Where I commit thought crimes...

Freedom is the right to be wrong, not the right to do wrong. - John Diefenbaker

app103

  • That scary taskbar girl
  • Global Moderator
  • Joined in 2006
  • *****
  • Posts: 5,885
Re: Bad news for Firefox: Hackers claim zero-day flaw in it
« Reply #2 on: October 02, 2006, 02:06 AM »
These vulnerabilities affect more than just Firefox...

They affect any application using the SpiderMonkey JS engine too.

So there are a bunch of programs out there that use it for js scripting features that are ticking time bombs.

Eóin

  • Charter Member
  • Joined in 2006
  • ***
  • Posts: 1,401
Re: Bad news for Firefox: Hackers claim zero-day flaw in it
« Reply #3 on: October 02, 2006, 05:54 AM »
Makes me happy that I run the NoScript extension by default. But still that's not a complete defense as JavaScript is so popular that I nearly always end up re-enabling it for the websites I visit.

urlwolf

  • Charter Member
  • Joined in 2006
  • ***
  • Posts: 1,837
Re: Bad news for Firefox: Hackers claim zero-day flaw in it
« Reply #4 on: October 02, 2006, 02:03 PM »
Is Opera safe?

dk70

  • Charter Member
  • Joined in 2005
  • ***
  • Posts: 269
Re: Bad news for Firefox: Hackers claim zero-day flaw in it
« Reply #5 on: October 02, 2006, 08:50 PM »
Yeah, yeah http://developer.moz...reported-at-toorcon/

The bug-hunting reward should be seen in light of how Bugzilla works and who they know are likely to find bugs. Those are busy people, developers, extension makers - nothing more than a pat on the back and probably more directed at delivering good documentation and follow up. Selling to spammers has nothing to do with reward.

I really don't think mainstream media should put such security debates up on front page. They always twist it so it becomes a question of am I now safe using X or Y? Complete nonsense. Way too many eat it up and believe there is a direct link between a headline and internet security.

No-script = giving up if you use for what could be called "general safety", or don't dare enter internet without it enabled. The reason Firefox was made in the first place was certainly not to make users have to barricade themselves, more like the opposite. Nothing to do with the extension but if it really was needed, in real life, you would have 2 browsers to pick between, Firefox would die very fast.

CodeTRUCKER

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 1,085
Re: Bad news for Firefox: Hackers claim zero-day flaw in it
« Reply #6 on: October 03, 2006, 12:19 AM »
Just out of curiosity... do you think that maybe the reason that M$ has gotten a bad rap is because they have always been a high-visibility, widespread target that can provide the highest ROI for collateral damage? 

Let me do the math for you...

(EvilBrains**Nth) * (M$IE**Nth) == (Opportunity**Nth)**Nth
... therefore it follows
M$IEDamage > OtherBrowserDamage
... and
PerceivedM$IESecurity < PerceivedOtherBrowserSecurity


That was fun! ;D   All kidding aside, would you agree?
« Last Edit: August 06, 2010, 11:33 PM by CodeTRUCKER »

Mark0

  • Charter Honorary Member
  • Joined in 2005
  • ***
  • Posts: 652
Re: Bad news for Firefox: Hackers claim zero-day flaw in it
« Reply #7 on: October 03, 2006, 11:26 AM »
It has now been reported that the session in question was likely an unsubstantiated joke / BS show.

Link: ArsTechnica - Firefox JavaScript security "a complete mess"? More like a hoax (updated)


Anyway, Mozilla team is investigating:
Link: Mozilla Developer News - Update: Possible Vulnerability Reported at Toorcon


app103

  • That scary taskbar girl
  • Global Moderator
  • Joined in 2006
  • *****
  • Posts: 5,885
    • View Profile
    • Donate to Member
Re: Bad news for Firefox: Hackers claim zero-day flaw in it
« Reply #8 on: October 04, 2006, 06:32 AM »
Just out of curiosity... do you think that maybe the reason that M$ has gotten a bad rap is because they have always been a high-visibility, widespread target that can provide the highest ROI for collateral damage? 

Let me do the math for you...

(EvilBrains**Nth) * (M$IE**Nth) == (Opportunity**Nth)**Nth
... therefore it follows
M$IEDamage > OtherBrowserDamage
... and
PerceivedM$IESecurity < PerceivedOtherBrowserSecurity


That was fun! ;D   All kidding aside, would you agree?

Has anybody ever discovered any exploits for IBrowse, the default browser for Amiga OS4?

Based on that I would have to say you are right.  :D

It has now been reported that the session in question was likely an unsubstantiated joke / BS show.

Maybe that was a hoax but this isn't:

http://www.us-cert.g...lerts/TA06-208A.html

I think the hoax could have been based on older already known information. And it still affects programs using SpiderMonkey and still affects Netscape.

Redhat

  • Charter Member
  • Joined in 2005
  • ***
  • Posts: 254
Re: Bad news for Firefox: Hackers claim zero-day flaw in it
« Reply #9 on: October 04, 2006, 10:09 AM »
Once upon a time 0day meant releasing knowledge of an exploit the day after Microsoft's patch day. Ahhh reminiscent mood  :D

mouser

  • First Author
  • Administrator
  • Joined in 2005
  • *****
  • Posts: 40,914
Re: Bad news for Firefox: Hackers claim zero-day flaw in it
« Reply #10 on: October 04, 2006, 01:22 PM »
The two hackers who declared last week at the ToorCon event in San Diego that the Firefox browser is affected by a critical and nearly impossible-to-fix flaw are now stating that the code is not capable of doing much damage.

http://www.playfuls....law_Just_a_Joke.html

Mizraim

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 155
Re: Bad news for Firefox: Hackers claim zero-day flaw in it
« Reply #11 on: October 04, 2006, 01:54 PM »
Wow... for a minute I thought I was reading something about frailties in Microsoft... but that is old news. :Thmbsup:

mitzevo

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 462
  • Control is power
Re: Bad news for Firefox: Hackers claim zero-day flaw in it
« Reply #12 on: October 06, 2006, 04:40 AM »
My spanner would be quite exploitable if I kept looking for ways to break it..  :'(
The clock is running. Make the most of today. Time waits for no man. Yesterday is history. Tomorrow is a mystery. Today is a gift. That's why it is called the present.