SAN DIEGO--The open-source Firefox Web browser is critically flawed in the way it handles JavaScript, two hackers said Saturday afternoon.
An attacker could commandeer a computer running the browser simply by crafting a Web page that contains some malicious JavaScript code, Mischa Spiegelmock and Andrew Wbeelsoi said in a presentation at the ToorCon hacker conference here. The flaw affects Firefox on Windows, Apple Computer's Mac OS X and Linux, they said.
"Internet Explorer, everybody knows, is not very secure. But Firefox is also fairly insecure," said Spiegelmock, who in everyday life works at blog company SixApart. He detailed the flaw, showing a slide that displayed key parts of the attack code needed to exploit it.
The flaw is specific to Firefox's implementation of JavaScript, a 10-year-old scripting language widely used on the Web. In particular, various programming tricks can cause a stack overflow error, Spiegelmock said. The implementation is a "complete mess," he said. "It is impossible to patch."
The JavaScript issue appears to be a real vulnerability, Window Snyder, Mozilla's security chief, said after watching a video of the presentation Saturday night. "What they are describing might be a variation on an old attack," she said. "We're going to do some investigating."
Snyder said she isn't happy with the disclosure and release of an apparent exploit during the presentation. "It looks like they had enough information in their slide for an attacker to reproduce it," she said. "I think it is unfortunate because it puts users at risk, but that seems to be their goal."
At the same time, the presentation probably gives Mozilla enough data to fix the apparent flaw, Snyder said. However, because the possible flaw appears to be in the part of the browser that deals with JavaScript, addressing it might be tougher than the average patch, she added. "If it is in the JavaScript Virtual Machine, it is not going to be a quick fix," Snyder said.
The hackers claim they know of about 30 unpatched Firefox flaws. They don't plan to disclose them, instead holding onto the bugs.
Jesse Ruderman, a Mozilla security staffer, attended the presentation and was called up on the stage with the two hackers. He attempted to persuade the presenters to responsibly disclose flaws via Mozilla's bug bounty program instead of using them for malicious purposes such as creating networks of hijacked PCs, called botnets.
"I do hope you guys change your minds and decide to report the holes to us and take away $500 per vulnerability instead of using them for botnets," Ruderman said.
The two hackers laughed off the comment. "It is a double-edged sword, but what we're doing is really for the greater good of the Internet. We're setting up communication networks for black hats," Wbeelsoi said.
Since the presentation, Spiegelmock has backpedalled on the zero-day claims. In a note posted to the Mozilla Web site on Monday, he says that he was never able to exploit the supposed vulnerability to hijack computers.
There have been a number of zero-day flaws reported, but (so far) these have been prevented from being effective by either ExecShield or SELinux or both. For example, the recent exploit that compromised the Debian servers would have been prevented.
The article doesn't mention whether this is true for this exploit. I run a distribution that has both facilities (Fedora Core), and I'd suggest that anyone that is interested in the security of their system find a distribution that provides these great tools.
There are hundreds of Linux distributions, and security is not a primary concern for many of them. Choose wisely.
Data Execution Prevention (DEP) in WinXP SP2 (and also in Win2K3 Server SP1 I think) should also prevent many/most of these bugs. It's basically the same thing as ExecShield, though where ExecShield will work on any x86 chips, Windows DEP requires that the chip support the NX-bit in hardware (ExecShield will use this feature if available or emulate it if not). This feature first showed up on AMD's Athlon64 and Opteron chips in 2003 and was implemented on Intel's P4 and Celeron lines about a year later (though Intel called their version 'XD bit' because they don't like using names invented by other companies) and a bit later on their notebook chips.
As you mentioned, this article doesn't mention if DEP would prevent this flaw, and actually I don't think it would. DEP and ExecShield work by prevented code running out of memory marked as data. This prevents buffer overrun flaws because buffers are used to store data, not exectuable code. Trying to execute code by overruning these buffers just results in a program crash, turning a remote vulnerability into a simple and much less dangerous denial-of-service type bug. However this particular flaw is apparently a stack overflow rather than a buffer overrun, so it might not be caught by DEP/ExecShield.
Thanks to macemoneta for posting the availability of security programs to those who use linux. Such programs would also be valuable for those on windows if they were available. I will disagree that security isn't a prime concern for many linux distributions... it should always be a concern, reguardless of the risk.
I have been using the NoScript extension for Firefox and Seamonkey. It allows you to select those sites that you trust to use javascript. CNET is one of the sites on which I allow javascript to run. I hope my trust is not misplaced :)
I've found that NoScript is a knee jerk reaction to javascript FUD. Javascript may have bugs from time to time, but it also makes the web experience much richer to the point of being indispensible. Every new form of technology has bugs, but it also brings with it new possibilities. One shouldn't throw the baby out with the bath water. Just look at Web 2.0 and AJAX. It wouldn't have been possible without Javascript.
While I am aware that NoScript allows you to re-enable Javascript by reloading the page, it is another barrier to the richness of the web, that should not have been unleashed in the first place.
Javascript at its core has many shady uses. NoScript allows you to open up the sites you love, but avoid trouble on those you find randomly through google. What is nice is you can open up a domain or subdomain so your favorite site will work, but it will break 3rd party usage trackers that, in my opinion, are too much like spyware.
I do NOT let CNET run Javascript. Most site do nothing useful with Javascript and do not require it. Other as foolishly dependant on it; yet still do nothing useful with it. A simple click, then allow (or temporary allow) on NoScript fixes it.
wow, did know that. Anyways the whole application in a whole needs to be reprogrammed. I was really disappointed with the outcome of the software. It just really does not compete anymore Oh and get a Mac!
Not everyone can afford their prices, and not everyone wants their OS.
I don't think this is so much of a discredit to Firefox as much as this is a way to level the playing field between Firefox, IE, and other browsers and say "look, nothing is really completely secure, especially the things you think are secure."
My god, could they be any more self centered egotestical fashion tards?
I've got an old G4 and it has more problems than my any of my XP systems... it will be a long time before I buy another Mac. I'm sticking with Linux and XP. I'll leave Mac to all those college wannabe hipsters who do not know any better.
Well, I for one, am getting tired of people calling these things "flaws"! They are not "flaws" but "vulnerabilities","discovered vulnerabilities", or "created vulerabilities". They would not exist if it weren't for some quasie-intellegent jackass, or some underworld pinhead attempting to write code to exploit them and attept to bot, or compromise our systems, and attempt to steal I.D.'s. It's time for Draconian measures against "created vulnerabilities". If you posted to this blog, you too were using Java and Javascript to chime in. Now our 1st Amendment voices are now at risk. We chime in to express ourselves, and that creates a bot condition that can possibly create my own Identity Theft? We need to quickly find these punks, and bring them to justice! Again, they're not "flaws" they're "vulnerabilities". Sheeeeesh!
Does anyone know if this stack overflow in FF can be exploited in Vista? Vista is a piece for security but it generally makes these kind of holes much more difficult to exploit.
I see allot of flaming in the talkback on this subject as arrogance seems to attract arrogance. It would be nice to get some clarification on this subject instead of more gunfire.
Don't get the Flaming myself...I wish these forums spent a little more time shedding light on these subjects... I love FireFox and am interested in just How serious this is...
I as well don't get the arrogance of some of these Mac Guys...Gives the rest of us a bad rep...I like my Mac over my XP box... and I have my reasons... but I certainly don't disparage anyone for their choice in OS's. Fact is... not a damn one of them (Mac, PC, Linux etc) is perfect. Think about it... They are all made, and all software programmed, by people.
All these people and not one of them can be bothered to answer an honest question.
Since this particular exploit compromises the browser it should be assumed that the flaw would lead to the attacker getting the same privileges that the user has. For anyone running with admin privileges (most windows users) that means the attacker effectively owns the computer, for those not running as admin (Vista - if it's done right, Unix et al..) the attackers would need to have another exploit to get the desired privilege escalation.
I was reading that the "hackers" basically showed how to exploit the hole. I might have missed this, but did the "hackers" give Mozilla and advanced warning or notification?
It's my understanding that for the most part those who find flaws in software generally try to give the software maker time to fix the problem before going public. Maybe I missed it in the article. I say it's not fair, but then again if a bad guy was the one that found the code exploit then all bets would be off.
I'm finding that most of these hacker security guys and many developers are little more than babies. Always trying to show up the next guy.
I use Firefox and I use Opera. I would love to own a Mac and I don't like Microsoft. I'm biased and opinionated. I'm just like everybody else. Unlike most I feel like everybody is in the wrong. All these people quick to point out a problem and lay blame on everybody else, but to useless to help find a solution. Those who stand buy ******** about problems, but never looking for the solution are just a bunch of useless people.
Reread the article. It's quite clear these two hackers are just in it for themselves and would rather exploit (and have others exploit) the apparent bugs.
We can't have laws on everything but this sounds maliciously negligent to me. (esp. see the last paragraph)
Is this the same "zero-day" exploit being used against I.E.? Can it or is it also being used against other browsers - Safari, Opers, etc.?
Regarding the "Flamer" and the pissing contest that insued: I learned at a very young age that "if you **** on a fire, you stink up the whole camp". Best to keep it zipped or go find some shrubs if ya REALLY gott go ;-)
Regarding arrogance & snobbery: There are arrogant snobs in ALL the camps - Mac, M.S. & Linux. One calling the other such is the proverbial "Pot calling the Kettle black". Or even worse, just think back to those kindergarten days when the arguments resorted to "So am I but what are You?"
Javascript (as a technology) has some security issues that appeared a few months back. It should be disabled by default in ANY browser, and you should only allow it for those you trust.
However, I think this flaw is specific to Firefox/Mozilla probably related to only Netscape/Mozilla codebase.
Firefox is a great browser. All software has its flaws, but Firefox is not an operational part of windows. As such, any "flaw" can only go so far. If you run on windows as a unprivledged user, then even this flaw is harmless. However, in IE the browser runs as SYSTEM, so you would be in trouble no matter what.
You can side with one browser or another, that's your choice. But what it comes down to is this: The most popular browsers are going to be targets, PERIOD. This does not make them bad products nor does it make indicate their developers are inempt. People get a grip, coding anything these days no longer involves cheat sheets to CPU instructions and hand coding machine code byte by byte. It involves librarys, compilers, frameworks and IDEs. All of which by themselves can introduce security issues. If you want to nail someone or something for security flaws then start at the right place, the development tools.
Browsers are targets for the simple reason that they are an interface to content outside the user's "safe zone". The browser (when an exploit is available) provides the attacker with a wedge into the system.
It's obvious they are there to brag about what they know and not to help solve the problem. Their statements should be enough to provide grounds for a search warrant to seize and examine all of their computer systems.
Like thieves everywhere they try to justify their actions with a lame excuse (providing black hats with places to meet?!) ignoring the simple fact that their own machines could be used for that purpose instead of stealing from others.
That is why I only use Oxygen browser from Netdive. It may be old. But in 4 years of using it myself and everyone else in our company, we have not had one, NOT even ONE, Virus or Hack getting through it. It is one of my favorite software products to use, you should try it too, it is here: <a class="jive-link-external" href="http://www.netdive.com/htms/products.htm" target="_newWindow">http://www.netdive.com/htms/products.htm</a> I swear if it was not for this Oxygen browser, I think I would have thrown my PC out of the window 10 times already :) Because whenever I switch to IE or FFox, it seems it is matter of weeks before something nasty inflicts my PC. And then I am back to only using Oxygen to be able to access the web free of whatever crap that IE or FFox brought down onto my PC. Well this is my 2 cents :) Cheeriooo,
of pushing that trash browser. It's old, old, old, and old. I downloaded the browser and tried it out. All I can say is that that browsers is as useless today as it was when it came out.
It's a crappy browser. It's outdated by about ten or so years.
For anybody thinking about downloading it... don't. It's a waste of time and energy. It's not even as good as IE version 1.
Believe it or not, many browsers do have the ability to set what your browser will and will not do. There are browser settings that will turn on/off active-x, java scripting, cookie handling etc. The more restrictive you make the settings, the more secure your computer will be against an attack. You also restrict what features webpages can do in your browser and there may be websites you trust where you wish to have these features. Most people will lower their settings for these sites and leave them that way when they browse the rest of the internet, going to "unknown" sites. This is a bad security risk and entirely your responsibility since you were given the ability to set the level of security. You may not wear a condom when you have sex with your spouse, but go to the local hooker without a condom and you can get infected with nasty diseases. It's the same way on the internet.
I haven't found similar settings in firefox yet, but IE does also have the ability to set security for different "zones". I'm hoping firefox does have this ability. What it comes down to, is being able to divide the internet into seperate zones that you can define and being able to set the security level different for each zone. For those zones you trust, you add the website to the zone and set the security to the level you need to allow the features you want. For those websites not defined in your trusted zone, they fall under the general internet zone where you set the security much, much higher. It's like having a condom put on automatically just for the hookers.
Ok, so the hooker analogy is crude, but it does emphasize a point and I only use it to emphasize the importance of protecting your compute from viruses, trojans, etc. Secure your computer browser.
Seaspray0 had the brass to make this kind of comment:
"You may not wear a condom when you have sex with your spouse, but go to the local hooker without a condom and you can get infected with nasty diseases. It's the same way on the internet."
Crude, yes. True? YES!!!
An analogy that the sleaziest of people should be able to understand. I couldn't have said it better myself, thank you Seaspray0!
Secondly, turning off activex control limits your ability to update windows. The fact that it should be shut off shows how flawed your precious company made it.
Mentioning Java and activeX in the same sentence shows your stupidity. I dare you to write code to allow an applet to run outside the sandbox without a security certificate. Of course you can't since you can't program, but even if you could you would have a rough time at it.
Even you, in your ignorance, can exploit windows.
It is funny you mention hookers as an anology because MS is the prime reaon why surfing the net is unsafe.
Firefox doesn't run the security hole known as activex, no need to turn it off.
Even without all those controls, Firefox is infinitely more secure.
"Secure your browser"??
Even with all scripting turned off, everything set to high, IE is still easily exploitable. If you use IE you are not secure, end of story.
Seriously, get a little education on computers(more then just changing settings) and then maybe someone will take your rahrah MS posting seriously.
Of course, if you were educated, you would not like MS unless your paycheck depended on them, and even then you would secretly dislike them.
According to the article one of the hackers, Mischa Spiegelmock, works for the blogging company Six Apart. I wonder how their business customers would feel knowing that they are providing employment to a hacker who is "setting up communication networks for black hats". Would they feel comfortable using software developed by a company whose employees are helping criminals compromise the security of their networks by providing them detailed information about how to exploit browser security flaws but refusing to provide the same information to the browser vendors? I sure wouldn't.
Mischa and his buddy sound like a couple of immature punks who don't mind screwing over millions of innocent computer users for the sake of gaining prestige within the hacker community. If Six Apart is smart they will fire this guy. I hope they lose a lot of business until they do.
One of the 'net's larger blogging sites, livejournal.com, is owned by Six Apart. Now millions of LJ users can have their machines compromised "for the good of the internet".
...even the vuln DB and Bugtraq are empty of details.
Methinks there is more noise than toys in this case. I'll wait and see if anything actually comes of it, or if it's just someone trying to see just how little they can actually prove while making themselves look good.
There was a zero day exploit for internet explorer found last, but you guys at CNET never posted anything about it. Why did you not report the IE bug, but are now reporting this Firefox one?
Do you mean this: <a class="jive-link-external" href="http://news.com.com/Another+zero-day+threat+hits+Windows/2100-1002_3-6121236.html" target="_newWindow">http://news.com.com/Another+zero-day+threat+hits+Windows/2100-1002_3-6121236.html</a> ?
It's 29 September and it's part of IE Exploit. Oh God, please don't easily comment something that you don't know for sure. I do simple search, and easily found it. If you don't read CNET frequently, don't claim they don't post something.
That's the place in the middle of the desert where the Chinese Army has constructed a scale-model replica of the entire region of Aksai Chin (occupied by China since the 1962 war with India). At 1:500, it's still 700 by 900 meters big ( = several football fields). Next to it is a base with dozens of troop transporters seen coming and going. The duplicate shows everything: rivers, lakes, roads and snow-capped mountains. It's basically a landscape within a landscape.
The problem is that nobody has been able to figure out the function of this thing. The world's biggest miniature golf course, perhaps? China's own Area 51? That's why it's the subject of so much discussion in the blogosphere. The discoverer even had to set up his own blog: foundinchina.blogspot.com
Microsoft Word is now on the top ranks of MacOSX word processors as well since Apple opened the compatibility doors to MS, since they realized they bite at making applications made for something other than hobbies.
And we have alternatives, they're just not as good as Word, IMO at least.
So just... shh. You obviously don't check up on what you say. And my condolences for your inability to do such a remedial task as keeping a virus database up to date. We like to face problems head on instead of hiding in the bomb-shelter.
[b]RETIRED: Mozilla Firefox Multiple Unspecified Javascript Vulnerabilities[/b] - <a class="jive-link-external" href="http://www.securityfocus.com/bid/20294/discuss" target="_newWindow">http://www.securityfocus.com/bid/20294/discuss</a> "Update (October 3, 2006): This BID is being retired as reports indicate that these issues are a hoax. The researchers responsible for disclosing these vulnerabilities have claimed that their original reports were not correct. It is possible that a remote denial of service vulnerability affects the browser; however this has not been confirmed. A new BID will be created if subsequent reports confirm the possibility of the potential denial of service issue. Please see references for more information."
Web giant is spending $120 million to beef up its Mountain View, Calif., headquarters, according to filings with the city reviewed by the San Jose Mercury News.
Tor's "obfsproxy" technology would make encrypted data look innocuous and let it dodge government censors. That could help citizens in Iran reach blocked sites as antigovernment protests reportedly loom.
MIT creates a simulation to celebrate the 50th anniversary of Spacewar. A relic of the early days of minicomputers, it was one of the first computer video games and set the stage for many others, including Asteroids.
George Lucas has just released his version of "Star Wars" in 3D, but c'mon--the guy believes Greedo shot first. Why not make your own Star Wars world? In the first installment of a Crave series, a crack team of crafters fight the power and turn paper bags into the Rebel Alliance's Admiral Ackbar. It's a sack!
The article doesn't mention whether this is true for this exploit. I run a distribution that has both facilities (Fedora Core), and I'd suggest that anyone that is interested in the security of their system find a distribution that provides these great tools.
There are hundreds of Linux distributions, and security is not a primary concern for many of them. Choose wisely.
As you mentioned, this article doesn't mention if DEP would prevent this flaw, and actually I don't think it would. DEP and ExecShield work by prevented code running out of memory marked as data. This prevents buffer overrun flaws because buffers are used to store data, not exectuable code. Trying to execute code by overruning these buffers just results in a program crash, turning a remote vulnerability into a simple and much less dangerous denial-of-service type bug. However this particular flaw is apparently a stack overflow rather than a buffer overrun, so it might not be caught by DEP/ExecShield.
<a class="jive-link-external" href="http://www.noscript.net/whats" target="_newWindow">http://www.noscript.net/whats</a>
While I am aware that NoScript allows you to re-enable Javascript by reloading the page, it is another barrier to the richness of the web, that should not have been unleashed in the first place.
I do NOT let CNET run Javascript. Most site do nothing useful with Javascript and do not require it. Other as foolishly dependant on it; yet still do nothing useful with it. A simple click, then allow (or temporary allow) on NoScript fixes it.
That is what I have Firefox on my machine for, to test sites BEFORE I use IE7 to go to them.
needs to be reprogrammed. I was really disappointed with the
outcome of the software. It just really does not compete anymore
Oh and get a Mac!
I don't think this is so much of a discredit to Firefox as much as this is a way to level the playing field between Firefox, IE, and other browsers and say "look, nothing is really completely secure, especially the things you think are secure."
"application in a whole needs to be reprogrammed"
Crazy, pure crazy.
"does not compete anymore"
Against what, Safari? Less than 2% of web sites are views with that old browser.
Get a clue.
I've got an old G4 and it has more problems than my any of my XP systems... it will be a long time before I buy another Mac. I'm sticking with Linux and XP. I'll leave Mac to all those college wannabe hipsters who do not know any better.
You sicken me. Firefox is an excellent browser, which like every piece of software has some inherent flaws.
needs to be reprogrammed"
Would you mind being more specific? Who are you to claim this? Any real facts (and not unsubstantiated, totally partisan comments)?.
OK thanks. Later!
I see allot of flaming in the talkback on this subject as arrogance seems to attract arrogance. It would be nice to get some clarification on this subject instead of more gunfire.
I as well don't get the arrogance of some of these Mac Guys...Gives the rest of us a bad rep...I like my Mac over my XP box... and I have my reasons... but I certainly don't disparage anyone for their choice in OS's.
Fact is... not a damn one of them (Mac, PC, Linux etc) is perfect. Think about it... They are all made, and all software programmed, by people.
Since this particular exploit compromises the browser it should be assumed that the flaw would lead to the attacker getting the same privileges that the user has. For anyone running with admin privileges (most windows users) that means the attacker effectively owns the computer, for those not running as admin (Vista - if it's done right, Unix et al..) the attackers would need to have another exploit to get the desired privilege escalation.
When ever I search for something which might lead to questionable websites, such as ed2k links, I use virtual PC and use Firefox for the search.
It's my understanding that for the most part those who find flaws in software generally try to give the software maker time to fix the problem before going public. Maybe I missed it in the article. I say it's not fair, but then again if a bad guy was the one that found the code exploit then all bets would be off.
I'm finding that most of these hacker security guys and many developers are little more than babies. Always trying to show up the next guy.
I use Firefox and I use Opera. I would love to own a Mac and I don't like Microsoft. I'm biased and opinionated. I'm just like everybody else. Unlike most I feel like everybody is in the wrong. All these people quick to point out a problem and lay blame on everybody else, but to useless to help find a solution. Those who stand buy ******** about problems, but never looking for the solution are just a bunch of useless people.
We can't have laws on everything but this sounds maliciously negligent to me. (esp. see the last paragraph)
Can it or is it also being used against other browsers - Safari,
Opers, etc.?
Regarding the "Flamer" and the pissing contest that insued:
I learned at a very young age that "if you **** on a fire, you stink
up the whole camp".
Best to keep it zipped or go find some shrubs if ya REALLY gott
go ;-)
Regarding arrogance & snobbery:
There are arrogant snobs in ALL the camps - Mac, M.S. & Linux.
One calling the other such is the proverbial "Pot calling the
Kettle black". Or even worse, just think back to those
kindergarten days when the arguments resorted to "So am I but
what are You?"
However, I think this flaw is specific to Firefox/Mozilla probably related to only Netscape/Mozilla codebase.
Firefox is a great browser. All software has its flaws, but Firefox is not an operational part of windows. As such, any "flaw" can only go so far. If you run on windows as a unprivledged user, then even this flaw is harmless. However, in IE the browser runs as SYSTEM, so you would be in trouble no matter what.
The most popular browsers are going to be targets, PERIOD.
This does not make them bad products nor does it make indicate their developers are inempt.
People get a grip, coding anything these days no longer involves cheat sheets to CPU instructions and hand coding machine code byte by byte. It involves librarys, compilers, frameworks and IDEs. All of which by themselves can introduce security issues.
If you want to nail someone or something for security flaws then start at the right place, the development tools.
That will clearly show which is the better browser!!!
Walt
Like thieves everywhere they try to justify their actions with a lame excuse (providing black hats with places to meet?!) ignoring the simple fact that their own machines could be used for that purpose instead of stealing from others.
<a class="jive-link-external" href="http://www.netdive.com/htms/products.htm" target="_newWindow">http://www.netdive.com/htms/products.htm</a>
I swear if it was not for this Oxygen browser, I think I would have thrown my PC out of the window 10 times already :)
Because whenever I switch to IE or FFox, it seems it is matter of weeks before something nasty inflicts my PC.
And then I am back to only using Oxygen to be able to access the web free of whatever crap that IE or FFox
brought down onto my PC.
Well this is my 2 cents :)
Cheeriooo,
It's a crappy browser. It's outdated by about ten or so years.
For anybody thinking about downloading it... don't. It's a waste of time and energy. It's not even as good as IE version 1.
No scripting issues. No flash issues. No image overflow issues. Nothing but text.
:-p
I haven't found similar settings in firefox yet, but IE does also have the ability to set security for different "zones". I'm hoping firefox does have this ability. What it comes down to, is being able to divide the internet into seperate zones that you can define and being able to set the security level different for each zone. For those zones you trust, you add the website to the zone and set the security to the level you need to allow the features you want. For those websites not defined in your trusted zone, they fall under the general internet zone where you set the security much, much higher. It's like having a condom put on automatically just for the hookers.
Ok, so the hooker analogy is crude, but it does emphasize a point and I only use it to emphasize the importance of protecting your compute from viruses, trojans, etc. Secure your computer browser.
"You may not wear a condom when you have sex with your
spouse, but go to the local hooker without a condom and you
can get infected with nasty diseases. It's the same way on the
internet."
Crude, yes. True? YES!!!
An analogy that the sleaziest of people should be able to
understand. I couldn't have said it better myself, thank you
Seaspray0!
First of all this article is a hoax, a joke.
Secondly, turning off activex control limits your ability to update windows. The fact that it should be shut off shows how flawed your precious company made it.
Mentioning Java and activeX in the same sentence shows your stupidity. I dare you to write code to allow an applet to run outside the sandbox without a security certificate. Of course you can't since you can't program, but even if you could you would have a rough time at it.
Even you, in your ignorance, can exploit windows.
It is funny you mention hookers as an anology because MS is the prime reaon why surfing the net is unsafe.
Firefox doesn't run the security hole known as activex, no need to turn it off.
Even without all those controls, Firefox is infinitely more secure.
"Secure your browser"??
Even with all scripting turned off, everything set to high, IE is still easily exploitable. If you use IE you are not secure, end of story.
Seriously, get a little education on computers(more then just changing settings) and then maybe someone will take your rahrah MS posting seriously.
Of course, if you were educated, you would not like MS unless your paycheck depended on them, and even then you would secretly dislike them.
Mischa and his buddy sound like a couple of immature punks who don't mind screwing over millions of innocent computer users for the sake of gaining prestige within the hacker community. If Six Apart is smart they will fire this guy. I hope they lose a lot of business until they do.
Mozilla would be good to SERIOUSLY look into going to a lawyer and forcing these people to give them ALL info on the flaws that they have found.
It's as they say: If you don't know that a program has a flaw, you cannot fix said flaw.
...even the vuln DB and Bugtraq are empty of details.
Methinks there is more noise than toys in this case. I'll wait and see if anything actually comes of it, or if it's just someone trying to see just how little they can actually prove while making themselves look good.
/P
All they got out of it was a DDoS attack, which has possibilities, but nothing concrete.
So much for all that - turned out to be almost all smoke and only a spark for fire.
Now, will CNet post an update, or not?
/P
Shame to those who so blindly defends a product just as flawed... But at least Firefox does not crash compared to IE7. Ha!
So far, Opera is still cleaner. But it gets slower to launch every new version. I wonder about version 10...
It's 29 September and it's part of IE Exploit. Oh God, please don't easily comment something that you don't know for sure. I do simple search, and easily found it. If you don't read CNET frequently, don't claim they don't post something.
<a class="jive-link-external" href="http://regmedia.co.uk/2006/07/19/huangyangtan_wide.jpg" target="_newWindow">http://regmedia.co.uk/2006/07/19/huangyangtan_wide.jpg</a>
<a class="jive-link-external" href="http://bbs.keyhole.com/ubb/showthreaded.php/Cat/0/Number/484568" target="_newWindow">http://bbs.keyhole.com/ubb/showthreaded.php/Cat/0/Number/484568</a>
That's the place in the middle of the desert where the Chinese Army has constructed a scale-model replica of the entire region of Aksai Chin (occupied by China since the 1962 war with India). At 1:500, it's still 700 by 900 meters big ( = several football fields). Next to it is a base with dozens of troop transporters seen coming and going. The duplicate shows everything: rivers, lakes, roads and snow-capped mountains. It's basically a landscape within a landscape.
The problem is that nobody has been able to figure out the function of this thing. The world's biggest miniature golf course, perhaps? China's own Area 51? That's why it's the subject of so much discussion in the blogosphere. The discoverer even had to set up his own blog: foundinchina.blogspot.com
Any ideas?
Ha. Ha. Ha.
I'm not laughing.
And we have alternatives, they're just not as good as Word, IMO at least.
So just... shh. You obviously don't check up on what you say. And my condolences for your inability to do such a remedial task as keeping a virus database up to date. We like to face problems head on instead of hiding in the bomb-shelter.
[b]RETIRED: Mozilla Firefox Multiple Unspecified Javascript Vulnerabilities[/b]
- <a class="jive-link-external" href="http://www.securityfocus.com/bid/20294/discuss" target="_newWindow">http://www.securityfocus.com/bid/20294/discuss</a>
"Update (October 3, 2006): This BID is being retired as reports indicate that these issues are a hoax. The researchers responsible for disclosing these vulnerabilities have claimed that their original reports were not correct. It is possible that a remote denial of service vulnerability affects the browser; however this has not been confirmed. A new BID will be created if subsequent reports confirm the possibility of the potential denial of service issue. Please see references for more information."
.