Firefox Flaws??????


wolfus
ATTENTION FIREFOX USERS:

Just thought I'd broadcast another goodie I saw on my travels.

Hackers claim zero-day flaw in Firefox
Last modified: September 30, 2006, 10:57 PM PDT
By Joris Evers
Staff Writer, CNET News.com

SAN DIEGO--The open-source Firefox Web browser is critically flawed in the way it handles JavaScript, two hackers said Saturday afternoon.

An attacker could commandeer a computer running the browser simply by crafting a Web page that contains some malicious JavaScript code, Mischa Spiegelmock and Andrew Wbeelsoi said in a presentation at the ToorCon hacker conference here. The flaw affects Firefox on Windows, Apple Computer's Mac OS X and Linux, they said.

"Internet Explorer, everybody knows, is not very secure. But Firefox is also fairly insecure," said Spiegelmock, who in everyday life works at blog company SixApart. He detailed the flaw, showing a slide that displayed key parts of the attack code needed to exploit it.

The flaw is specific to Firefox's implementation of JavaScript, a 10-year-old scripting language widely used on the Web. In particular, various programming tricks can cause a stack overflow error, Spiegelmock said. The implementation is a "complete mess," he said. "It is impossible to patch."

The JavaScript issue appears to be a real vulnerability, Window Snyder, Mozilla's security chief, said after watching a video of the presentation Saturday night. "What they are describing might be a variation on an old attack," she said. "We're going to do some investigating."

Snyder said she isn't happy with the disclosure and release of an apparent exploit during the presentation. "It looks like they had enough information in their slide for an attacker to reproduce it," she said. "I think it is unfortunate because it puts users at risk, but that seems to be their goal."

At the same time, the presentation probably gives Mozilla enough data to fix the apparent flaw, Snyder said. However, because the possible flaw appears to be in the part of the browser that deals with JavaScript, addressing it might be tougher than the average patch, she added. "If it is in the JavaScript Virtual Machine, it is not going to be a quick fix," Snyder said.

The hackers claim they know of about 30 unpatched Firefox flaws. They don't plan to disclose them, instead holding onto the bugs.

Jesse Ruderman, a Mozilla security staffer, attended the presentation and was called up on the stage with the two hackers. He attempted to persuade the presenters to responsibly disclose flaws via Mozilla's bug bounty program instead of using them for malicious purposes such as creating networks of hijacked PCs, called botnets.

"I do hope you guys change your minds and decide to report the holes to us and take away $500 per vulnerability instead of using them for botnets," Ruderman said.

The two hackers laughed off the comment. "It is a double-edged sword, but what we're doing is really for the greater good of the Internet. We're setting up communication networks for black hats," Wbeelsoi said.

Since the presentation, Spiegelmock has backpedalled on the zero-day claims. In a note posted to the Mozilla Web site on Monday, he says that he was never able to exploit the supposed vulnerability to hijack computers.

kyteflyer
Interesting. Back to Safari and Opera with me. It might be a nonsense but why take the risk?

Gintoh
Aaaaaaaaargh.... :sick:

FunnyBone
Ha ha. The Firefox zero-day flaw is a hoax

Posted by: Robert Vamosi

Over the weekend, Mischa Spiegelmock and Andrew Wbeelsoi told a crowd at the Toorcon security conference in San Diego they had found and exploited a flaw in the way Firefox handles JavaScript. Now they say they made it up, that the code presented does not, as they insisted over the weekend, compromise a vulnerable PC. Security experts are not laughing, however. For more on their story, see Joris Evers' report on News.com.

http://reviews.cnet.com/4531-10921_7-6648315.html

warlord
Very interesting, I will go to Opera, Opera is the best.

Mr_Chiang
now ... I don't know which one is the best browser.

hyipfly
q) Best of web browser?
a) use them if you like them.

cool_british
Well, I've been using Firefox for a long time and simply love it. It's quite fast, with easy navigation. Far better than IE.

mastergenuise
Is there any security patch after that? Whatever it is, I am not going to change Firefox because it is the best browser around the world.

jordon
What the hell!! And I always thought I use the most secured explorer... I think now is the time I should also shift to Opera.

betsybee
Hi jordon, mastergenuise and cool_british

This thread is 1 yr old and all the issues have been corrected, so there are no worries anymore.
Welcome to Goldentalk :)

Khurram
No doubt that Firefox is the best browser, but it depends upon your requirements. I suggest that Firefox is the best for users of every type.

asif
No doubt that Firefox is the best browser, but it depends upon your requirements. I suggest that Firefox is the best for users of every type.
What are your thoughts about the security flaws which are being described in this thread? I am thinking about it seriously because FF knows all my passwords. :eek: