- Related Stories
-
Mozilla releases Firefox 2 RC1
September 26, 2006 -
Mozilla looks to Microsoft for security
September 21, 2006 -
FAQ: JavaScript insecurities
July 28, 2006 -
Firefox update plugs 'critical' holes
July 27, 2006
An attacker could commandeer a computer running the browser simply by crafting a Web page that contains some malicious JavaScript code, Mischa Spiegelmock and Andrew Wbeelsoi said in a presentation at the ToorCon hacker conference here. The flaw affects Firefox on Windows, Apple Computer's Mac OS X and Linux, they said.
"Internet Explorer, everybody knows, is not very secure. But Firefox is also fairly insecure," said Spiegelmock, who in everyday life works at blog company SixApart. He detailed the flaw, showing a slide that displayed key parts of the attack code needed to exploit it.
Video:
Hackers claim Firefox zero-day flaw
Is the browser more vulnerable than thought?
Video:
Hackers vs. Firefox
Mozilla antsy about expolited Firefox flaws.
The flaw is specific to Firefox's implementation of JavaScript, a 10-year-old scripting language widely used on the Web. In particular, various programming tricks can cause a stack overflow error, Spiegelmock said. The implementation is a "complete mess," he said. "It is impossible to patch."
The JavaScript issue appears to be a real vulnerability, Window Snyder, Mozilla's security chief, said after watching a video of the presentation Saturday night. "What they are describing might be a variation on an old attack," she said. "We're going to do some investigating."
Snyder said she isn't happy with the disclosure and release of an apparent exploit during the presentation. "It looks like they had enough information in their slide for an attacker to reproduce it," she said. "I think it is unfortunate because it puts users at risk, but that seems to be their goal."
At the same time, the presentation probably gives Mozilla enough data to fix the apparent flaw, Snyder said. However, because the possible flaw appears to be in the part of the browser that deals with JavaScript, addressing it might be tougher than the average patch, she added. "If it is in the JavaScript Virtual Machine, it is not going to be a quick fix," Snyder said.
The hackers claim they know of about 30 unpatched Firefox flaws. They don't plan to disclose them, instead holding onto the bugs.
Jesse Ruderman, a Mozilla security staffer, attended the presentation and was called up on the stage with the two hackers. He attempted to persuade the presenters to responsibly disclose flaws via Mozilla's bug bounty program instead of using them for malicious purposes such as creating networks of hijacked PCs, called botnets.
"I do hope you guys change your minds and decide to report the holes to us and take away $500 per vulnerability instead of using them for botnets," Ruderman said.
The two hackers laughed off the comment. "It is a double-edged sword, but what we're doing is really for the greater good of the Internet. We're setting up communication networks for black hats," Wbeelsoi said.
Since the presentation, Spiegelmock has backpedalled on the zero-day claims. In a note posted to the Mozilla Web site on Monday, he says that he was never able to exploit the supposed vulnerability to hijack computers.
See more CNET content tagged:
Mischa Spiegelmock, Andrew Wbeelsoi, flaw, hacker, JavaScript
The article doesn't mention whether this is true for this exploit. I run a distribution that has both facilities (Fedora Core), and I'd suggest that anyone that is interested in the security of their system find a distribution that provides these great tools.
There are hundreds of Linux distributions, and security is not a primary concern for many of them. Choose wisely.
As you mentioned, this article doesn't mention if DEP would prevent this flaw, and actually I don't think it would. DEP and ExecShield work by prevented code running out of memory marked as data. This prevents buffer overrun flaws because buffers are used to store data, not exectuable code. Trying to execute code by overruning these buffers just results in a program crash, turning a remote vulnerability into a simple and much less dangerous denial-of-service type bug. However this particular flaw is apparently a stack overflow rather than a buffer overrun, so it might not be caught by DEP/ExecShield.
http://www.noscript.net/whats
While I am aware that NoScript allows you to re-enable Javascript by reloading the page, it is another barrier to the richness of the web, that should not have been unleashed in the first place.
I do NOT let CNET run Javascript. Most site do nothing useful with Javascript and do not require it. Other as foolishly dependant on it; yet still do nothing useful with it. A simple click, then allow (or temporary allow) on NoScript fixes it.
That is what I have Firefox on my machine for, to test sites BEFORE I use IE7 to go to them.
needs to be reprogrammed. I was really disappointed with the
outcome of the software. It just really does not compete anymore
Oh and get a Mac!
I don't think this is so much of a discredit to Firefox as much as this is a way to level the playing field between Firefox, IE, and other browsers and say "look, nothing is really completely secure, especially the things you think are secure."
"application in a whole needs to be reprogrammed"
Crazy, pure crazy.
"does not compete anymore"
Against what, Safari? Less than 2% of web sites are views with that old browser.
Get a clue.
I've got an old G4 and it has more problems than my any of my XP systems... it will be a long time before I buy another Mac. I'm sticking with Linux and XP. I'll leave Mac to all those college wannabe hipsters who do not know any better.
You sicken me. Firefox is an excellent browser, which like every piece of software has some inherent flaws.
needs to be reprogrammed"
Would you mind being more specific? Who are you to claim this? Any real facts (and not unsubstantiated, totally partisan comments)?.
OK thanks. Later!
I see allot of flaming in the talkback on this subject as arrogance seems to attract arrogance. It would be nice to get some clarification on this subject instead of more gunfire.
I as well don't get the arrogance of some of these Mac Guys...Gives the rest of us a bad rep...I like my Mac over my XP box... and I have my reasons... but I certainly don't disparage anyone for their choice in OS's.
Fact is... not a damn one of them (Mac, PC, Linux etc) is perfect. Think about it... They are all made, and all software programmed, by people.
Since this particular exploit compromises the browser it should be assumed that the flaw would lead to the attacker getting the same privileges that the user has. For anyone running with admin privileges (most windows users) that means the attacker effectively owns the computer, for those not running as admin (Vista - if it's done right, Unix et al..) the attackers would need to have another exploit to get the desired privilege escalation.
When ever I search for something which might lead to questionable websites, such as ed2k links, I use virtual PC and use Firefox for the search.
It's my understanding that for the most part those who find flaws in software generally try to give the software maker time to fix the problem before going public. Maybe I missed it in the article. I say it's not fair, but then again if a bad guy was the one that found the code exploit then all bets would be off.
I'm finding that most of these hacker security guys and many developers are little more than babies. Always trying to show up the next guy.
I use Firefox and I use Opera. I would love to own a Mac and I don't like Microsoft. I'm biased and opinionated. I'm just like everybody else. Unlike most I feel like everybody is in the wrong. All these people quick to point out a problem and lay blame on everybody else, but to useless to help find a solution. Those who stand buy ******** about problems, but never looking for the solution are just a bunch of useless people.
We can't have laws on everything but this sounds maliciously negligent to me. (esp. see the last paragraph)
Can it or is it also being used against other browsers - Safari,
Opers, etc.?
Regarding the "Flamer" and the pissing contest that insued:
I learned at a very young age that "if you **** on a fire, you stink
up the whole camp".
Best to keep it zipped or go find some shrubs if ya REALLY gott
go ;-)
Regarding arrogance & snobbery:
There are arrogant snobs in ALL the camps - Mac, M.S. & Linux.
One calling the other such is the proverbial "Pot calling the
Kettle black". Or even worse, just think back to those
kindergarten days when the arguments resorted to "So am I but
what are You?"
However, I think this flaw is specific to Firefox/Mozilla probably related to only Netscape/Mozilla codebase.
Firefox is a great browser. All software has its flaws, but Firefox is not an operational part of windows. As such, any "flaw" can only go so far. If you run on windows as a unprivledged user, then even this flaw is harmless. However, in IE the browser runs as SYSTEM, so you would be in trouble no matter what.
The most popular browsers are going to be targets, PERIOD.
This does not make them bad products nor does it make indicate their developers are inempt.
People get a grip, coding anything these days no longer involves cheat sheets to CPU instructions and hand coding machine code byte by byte. It involves librarys, compilers, frameworks and IDEs. All of which by themselves can introduce security issues.
If you want to nail someone or something for security flaws then start at the right place, the development tools.
That will clearly show which is the better browser!!!
Walt
Like thieves everywhere they try to justify their actions with a lame excuse (providing black hats with places to meet?!) ignoring the simple fact that their own machines could be used for that purpose instead of stealing from others.
http://www.netdive.com/htms/products.htm
I swear if it was not for this Oxygen browser, I think I would have thrown my PC out of the window 10 times already :)
Because whenever I switch to IE or FFox, it seems it is matter of weeks before something nasty inflicts my PC.
And then I am back to only using Oxygen to be able to access the web free of whatever crap that IE or FFox
brought down onto my PC.
Well this is my 2 cents :)
Cheeriooo,
It's a crappy browser. It's outdated by about ten or so years.
For anybody thinking about downloading it... don't. It's a waste of time and energy. It's not even as good as IE version 1.
No scripting issues. No flash issues. No image overflow issues. Nothing but text.
:-p
I haven't found similar settings in firefox yet, but IE does also have the ability to set security for different "zones". I'm hoping firefox does have this ability. What it comes down to, is being able to divide the internet into seperate zones that you can define and being able to set the security level different for each zone. For those zones you trust, you add the website to the zone and set the security to the level you need to allow the features you want. For those websites not defined in your trusted zone, they fall under the general internet zone where you set the security much, much higher. It's like having a condom put on automatically just for the hookers.
Ok, so the hooker analogy is crude, but it does emphasize a point and I only use it to emphasize the importance of protecting your compute from viruses, trojans, etc. Secure your computer browser.
"You may not wear a condom when you have sex with your
spouse, but go to the local hooker without a condom and you
can get infected with nasty diseases. It's the same way on the
internet."
Crude, yes. True? YES!!!
An analogy that the sleaziest of people should be able to
understand. I couldn't have said it better myself, thank you
Seaspray0!
First of all this article is a hoax, a joke.
Secondly, turning off activex control limits your ability to update windows. The fact that it should be shut off shows how flawed your precious company made it.
Mentioning Java and activeX in the same sentence shows your stupidity. I dare you to write code to allow an applet to run outside the sandbox without a security certificate. Of course you can't since you can't program, but even if you could you would have a rough time at it.
Even you, in your ignorance, can exploit windows.
It is funny you mention hookers as an anology because MS is the prime reaon why surfing the net is unsafe.
Firefox doesn't run the security hole known as activex, no need to turn it off.
Even without all those controls, Firefox is infinitely more secure.
"Secure your browser"??
Even with all scripting turned off, everything set to high, IE is still easily exploitable. If you use IE you are not secure, end of story.
Seriously, get a little education on computers(more then just changing settings) and then maybe someone will take your rahrah MS posting seriously.
Of course, if you were educated, you would not like MS unless your paycheck depended on them, and even then you would secretly dislike them.
Mischa and his buddy sound like a couple of immature punks who don't mind screwing over millions of innocent computer users for the sake of gaining prestige within the hacker community. If Six Apart is smart they will fire this guy. I hope they lose a lot of business until they do.
Mozilla would be good to SERIOUSLY look into going to a lawyer and forcing these people to give them ALL info on the flaws that they have found.
It's as they say: If you don't know that a program has a flaw, you cannot fix said flaw.
...even the vuln DB and Bugtraq are empty of details.
Methinks there is more noise than toys in this case. I'll wait and see if anything actually comes of it, or if it's just someone trying to see just how little they can actually prove while making themselves look good.
/P
All they got out of it was a DDoS attack, which has possibilities, but nothing concrete.
So much for all that - turned out to be almost all smoke and only a spark for fire.
Now, will CNet post an update, or not?
/P
Shame to those who so blindly defends a product just as flawed... But at least Firefox does not crash compared to IE7. Ha!
So far, Opera is still cleaner. But it gets slower to launch every new version. I wonder about version 10...
- Those two
- by Lindy01 October 2, 2006 7:56 PM PDT
- girls need to be flogged. What total ant-social punks. I wish them much misfortune in their liftimes.....to say the least.
- Like this Reply to this comment
-
Showing 1 of 2 pages (103 Comments)