
Zero day flaw found in fire fox.


  • Zero day flaw found in fire fox.

    Originally posted by ZD Net
    Full Story Here.
    An attacker could commandeer a computer running the browser simply by crafting a Web page that contains some malicious JavaScript code, Mischa Spiegelmock and Andrew Wbeelsoi said in a presentation at the ToorCon hacker conference here. The flaw affects Firefox on Windows, Apple Computer's Mac OS X and Linux, they said.

    "Internet Explorer, everybody knows, is not very secure. But Firefox is also fairly insecure," said Spiegelmock, who in everyday life works at blog company SixApart. He detailed the flaw, showing a slide that displayed key parts of the attack code needed to exploit it.

    The flaw is specific to Firefox's implementation of JavaScript, a 10-year-old scripting language widely used on the Web. In particular, various programming tricks can cause a stack overflow error, Spiegelmock said. The implementation is a "complete mess," he said. "It is impossible to patch."
    The best solution for Firefox users right now is to turn off Java Script altogether, or download and use the NoScript Firefox extension. Also another option is trying the Opera web browser.

    You can disable Java Script in Tools/Options/Content and Disable Java Script.
    (I should have posted this hours ago but never got around to it)


  • #2
    Re: Zero day flaw found in fire fox.

    Originally posted by ZD Net
    "Internet Explorer, everybody knows, is not very secure. But Firefox is also fairly insecure," said Spiegelmock, who in everyday life works at blog company SixApart. He detailed the flaw, showing a slide that displayed key parts of the attack code needed to exploit it.
    I wonder if this slide is freely available on the Internet? *shudder*
    Character: Bricklayer
    Server: Ramuh
    31 RDM/ 23 BLM/ 20 WHM



    • #3
      Re: Zero day flaw found in fire fox.

      Yes that info is freely out there.

      Right now it is proof of concept but heck if it gets people to better secure their browsers it's all for the better.



      • #4
        Re: Zero day flaw found in fire fox.

        Not that it is surprising. Any hacker determined to find a flaw in software is going to find some.

        Fortunately the fix (installing no script) appears to be really straightforward.

        From the article:
        "It is a double-edged sword, but what we're doing is really for the greater good of the Internet. We're setting up communication networks for black hats," Wbeelsoi said.
        Gah! What a couple of smarmy hypocrites. Attack an open source product, and don't even provide the patch.

        signature by fallenintoshadows



        • #5
          Re: Zero day flaw found in fire fox.

          I've been telling my friends for quite some time that security is not a valid reason to switch from IE to Firefox. Firefox has mostly been ignored by the hacker crowd until recently due to it not being very commonly used, but it has gained enough popularity to receive some scrutiny, and articles like this are the direct result of that popularity.

          EDIT: Oh, and let me second the recommendation to use Opera. It's not really more secure, but again - less common browser means less people searching for the ways to break it and attack you.


          Icemage



          • #6
            Re: Zero day flaw found in fire fox.

            lolZDNet
            http://developer.mozilla.org/devnews...ed-at-toorcon/

            Thanks Yyg!



            • #7
              Re: Zero day flaw found in fire fox.

              Where are all those people telling me to switch to Firefox now? Maybe this will knock all the zealots down a notch.



              • #8
                Re: Zero day flaw found in fire fox.

                Well went to the site's full story, I couldn't find that comment that's been quoted here. Then also went to the link neighbortaru posted. That makes more sense there, the issue occurring from Java script in FireFox isn't exactly a hack issue. They can't gain control of your system through it.

                Big whoop they cause FireFox to bomb out if you go to the site because of an overstacking (Seriously, some people creating a website accidentally do this without knowing it). So you end up at your desktop again. Something that is close to impossible to prevent regardless of what browser you use, it's a very frequent issue with databases. If you make a query too complex it crashes, if you try to restrict the queries to prevent those specific actions you end up dumbing down the database so badly it becomes ineffective to use for anything.

                Issue is far less detrimental than it's being made to look, just another damn News hype to draw attention to something that is almost ineffective. It's the false train derailing being recorded live simply because the reporter or reporting group doesn't know that there are trains built to intentionally scrape the tracks in order to clean and prevent derailing.

                Like I stated in another thread too many people with the damn "Sky is falling" syndrome. To state there is a difference between IE and Firefox, IE in the same fashion that M$ does, loves to ignore standards set in order to provide safer securities and other such things. They go and do some proprietary BS that often breaks their program making it a whole lot easier for hackers to get control of.

                Very reason I hate those M$ designed routers. They defy the IEEE standards too damn much and as a result you have to keep fiddling with the damn thing to make sure it's secure. Extra work that would not have been needed if they just had followed the damn IEEE standards.




                • #9
                  Re: Zero day flaw found in fire fox.

                  Originally posted by Macht
                  To state there is a difference between IE and Firefox, IE in the same fashion that M$ does, loves to ignore standards set in order to provide safer securities and other such things. They go and do some proprietary BS that often breaks their program making it a whole lot easier for hackers to get control of.
                  Firefox is not a standards compliant browser. It just breaks different standards than IE does and this is hardly the first Firefox exploit to be created.
                  I use a Mac because I'm just better than you are.

                  HTTP Error 418 - I'm A Teapot - The resulting entity body MAY be short and stout.

                  loose



                  • #10
                    Re: Zero day flaw found in fire fox.

                    Originally posted by Mhurron
                    Firefox is not a standards compliant browser. It just breaks different standards than IE does and this is hardly the first Firefox exploit to be created.
                    True, but they are closer to standards than IE is. Basically just pointing out that people either way shouldn't be boasting crap against it. The bigger focus is seeing how the company handles it, mozilla has had a better track record at preventing than IE has. Likely due to the fact that they have stayed closer to the standards than IE has.




                    • #11
                      Re: Zero day flaw found in fire fox.

                      Originally posted by DakAttack
                      Where are all those people telling me to switch to Firefox now? Maybe this will knock all the zealots down a notch.
                      Okay, I'll bite.

                      Switch to Firefox. Or Opera. Or Maxthon. Not because they're more secure, but because those products actually react to their users.

                      In the face of escalating pop-up ads, viruses, spyware, and every other malware exploit you can imagine, Microsoft could be barely motivated to patch Internet Explorer. They abandoned it, left their users twisting in the wind. The Program Manager Tony Chor even fessed up to it at Webstock:
                      "On behalf of Microsoft and the IE team, we messed up - and we’re sorry"
                      Leaving for dead a browser that millions of people rely on day to day is simply not cool. Despite users and press clamoring about how badly broken IE was, the IE development team stayed pretty darn quiet.

                      Suddenly Apple's Safari, Firefox, and a few other fringe browsers start showing up in relevant numbers. Then, and only then does Microsoft wake up. Clearly the only thing that motivates Microsoft is the hissing sound that started coming from their marketshare balloon.

                      Switch to Firefox, not because it's more secure, but because of the customization features inherent in the platform. If the base product doesn't exactly fit you, there's a decent amount of community support around building extensions to make Firefox operate the way you want.

                      Originally posted by Icemage
                      I've been telling my friends for quite some time that security is not a valid reason to switch from IE to Firefox.
                      No, switching to Firefox for security is still a perfectly valid reason. The Mozilla Foundation still has better turn-around on exploits than Microsoft (so long as it's not related to DRM). IIRC, Opera still leads everyone by averaging a window of less than 24 hours.

                      Likewise, there are a number of community driven extensions for Mozilla that are security related. (I digs the NoScript, and Flashblock extensions.)

                      signature by fallenintoshadows



                      • #12
                        Re: Zero day flaw found in fire fox.

                        I see this hasn't taken the zealots down a notch.



                        • #13
                          Re: Zero day flaw found in fire fox.

                          Originally posted by DakAttack
                          Where are all those people telling me to switch to Firefox now? Maybe this will knock all the zealots down a notch.
                          It was nothing more than a hoax for crying out loud. Switch to Firefox. :p
                          My Signature. Now with 50% more processed ham product than those other leading signatures.

                          Which FF Character Are You?
                          Originally posted by Balfree
                          Why does every discussion have to be a little festivity of sorts, with purple doom rain and lunatic frogs singing the yodelay on top of mushrooms and little babies being eaten by crazy flying cows and green gas explosions on the horizon and screaming goats?



                          • #14
                            Re: Zero day flaw found in fire fox.

                            Dak, switch to FireFox or the devil will eat your soul.

                            Is Opera as customizable as FF? Mainly, does it have tabbed pages in the same window? I'm a fan of that little feature.
                            I RNG 75 I WAR 37 I NIN 38 I SAM 50 I Woodworking 92+2

                            PSN: Caspian



                            • #15
                              Re: Zero day flaw found in fire fox.

                              Somebody is going to have to hold me down while somebody else installs it, that's the only way.

                              Besides, I heard IE will have tabs soon enough. I don't even think it's that nifty of a feature, but oh well, it'll be there.
