Critical Firefox flaw exposed
sensorium
quote:
Wolfgang Gruener - October 2, 2006 13:05

Chicago (IL) - According to media reports, a pair of hackers said on Saturday that the Firefox Web browser, commonly perceived as the safer and more customizable alternative to market leader Internet Explorer, is critically flawed. A presentation on the flaw was shown during the ToorCon hacker conference in San Diego.

The hackers claim that anyone running Firefox could be a victim of the flaw, which is related to the browser's handling of the Internet language JavaScript. Reportedly, someone could create a Web page with malicious JavaScript code that would specifically affect computers running Firefox browsers. The hackers, Mischa Spiegelmock and Andrew Wbeelsoi, claim that this could lead to remote control of any affected computer, including Windows, Apple, and Linux systems.

Spiegelmock reportedly said that the JavaScript implementation is a "complete mess" and that it is "impossible to patch." Upon watching a video of the presentation, Window Snyder, Mozilla's security chief, said that this issue appears to be a "real vulnerability".

Reportedly, Snyder is also understandably upset about the public flow of this information, claiming that the details presented during the conference almost completely show how one could exploit the flaw. "I think it is unfortunate because it puts users at risk, but that seems to be their goal," she said.

Jesse Ruderman, another member on the Mozilla security staff, persuaded hackers to disclose any potential security holes via their "bug bounty" program, instead of maliciously exploiting them for hijacking vulnerable computers. Mozilla's bug-reporting system gives $500 to anyone who reports a vulnerability to the Firefox staff.

Firefox was originally introduced as an alternative to Internet Explorer, the browser that has long been known for easy exploiting and distribution of worms and viruses. Because Microsoft's browser contains such an enormous userbase, it has always remained the main target for hackers. However, Firefox's audience has been growing and it is becoming a viable target for hackers.
http://www.tgdaily.com/2006/10/02/f...security_issue/

Just when you thought Firefox was perfect. Oh well, they're human after all.
Akridrot
Doesn't necessarily make IE the better option. Opera might be a good alternative, but I'm sticking with Firefox. They'll have this patched immediately.
Sunsnail
quote:
Originally posted by Akridrot
Doesn't necessarily make IE the better option. Opera might be a good alternative, but I'm sticking with Firefox. They'll have this patched immediately.


article says it's impossible to patch
Akridrot
quote:
Originally posted by Sunsnail
article says it's impossible to patch


quote:

Spiegelmock reportedly said that the JavaScript implementation is a "complete mess" and that it is "impossible to patch."


Does not matter, they will have this fixed. He was most likely exaggerating.
Sunsnail
quote:
Originally posted by Akridrot
Does not matter, they will have this fixed. He was most likely exaggerating.


yeah.. don't think it'll be "immediately" though.
Temperate
spare me your propaganda, you IE whore.
Googooly
Avant browser is the BEST!
sensorium
Here's more on the matter:
quote:
...

The JavaScript issue appears to be a real vulnerability, Window Snyder, Mozilla's security chief, said after watching a video of the presentation Saturday night. "What they are describing might be a variation on an old attack," she said. "We're going to do some investigating."

Snyder said she isn't happy with the disclosure and release of an apparent exploit during the presentation. "It looks like they had enough information in their slide for an attacker to reproduce it," she said. "I think it is unfortunate because it puts users at risk, but that seems to be their goal."

At the same time, the presentation probably gives Mozilla enough data to fix the apparent flaw, Snyder said. However, because the possible flaw appears to be in the part of the browser that deals with JavaScript, addressing it might be tougher than the average patch, she added. "If it is in the JavaScript Virtual Machine, it is not going to be a quick fix," Snyder said.

The hackers claim they know of about 30 unpatched Firefox flaws. They don't plan to disclose them, instead holding onto the bugs.

Jesse Ruderman, a Mozilla security staffer, attended the presentation and was called up on the stage with the two hackers. He attempted to persuade the presenters to responsibly disclose flaws via Mozilla's bug bounty program instead of using them for malicious purposes such as creating networks of hijacked PCs, called botnets.

"I do hope you guys change your minds and decide to report the holes to us and take away $500 per vulnerability instead of using them for botnets," Ruderman said.

The two hackers laughed off the comment. "It is a double-edged sword, but what we're doing is really for the greater good of the Internet. We're setting up communication networks for black hats," Wbeelsoi said.

http://news.zdnet.com/2100-1009_22-6121608.html

I use Firefox and this doesn't change anything. However, I've been using Opera more often.
Silky Johnson
Haha! Spiegelmock!! LOLOLOLOL
kid nyce
hackers are paid a lot of money by these companies for the consultation of the patches

CraveTheRave
Only complaint about Firefox is that they need a keyconfig patch for the new version quick!!!
_Nut_
I wonder if this carries through to Firefox2?