Version: 2008
  • On BNET: Give your browser a panic button

Comments on: Microsoft, Mozilla downplay browser bug

Security flaw affecting both Internet Explorer and Firefox could allow an attacker to steal files from vulnerable computers, but is tough to exploit.

Add a Comment (Log in or register) (10 Comments)
  • prev
  • 1
  • next
Wait for it....
by June 8, 2006 6:10 PM PDT
Ok...Let the stone throwing commence!

My browser if better than your browser.

No it's not...Mine is better than yours.

My browswer is to better...and you're stupid and ugly too.

Yeah...well...your mother wears combat boots....and my browser is still better than yours...

Blah! Blah! Blah!
Reply to this comment
Ok...
by System Tyrant June 8, 2006 7:42 PM PDT
my browser is better than your browser. o_O

I think we should all just get rid of our computers and phone and lights and go back to cave painting. Then the only bugs we have to worry about are the ones were going to eat. :)
lol :-)
by Gino Deblauwe June 9, 2006 1:06 AM PDT
see subject
Opera, Opera, Opera!
by Mendz June 8, 2006 10:41 PM PDT
Another reason to love Opera...
Reply to this comment
Opera? Maybe.
by gmcaloon--2008 June 9, 2006 9:32 AM PDT
I don?t recall if there have been any security vulnerabilities revealed in Opera as yet, but it has other problems. The chief problem is that it has far more trouble rendering web sites properly than either Microsoft's IE or Mozilla?s browsers. That seems to be particularly true of financial sites.

If you are using Opera you may or may not be effected by this with the particular sites you visit, but some people are with the sites they visit. On the other hand, IE and Firefox are practically universal in their ability to render properly just about any site on the web. That is not because they are better browsers, but because their popularity has made it incumbent on site designers to code their sites to accommodate them.

But I know what you have in mind with your comment. I have used Opera and it is nice, very nice with all the options it offers. However, if it were to become more popular it too would be shown to have security problems. It is the nature of what browsers do that makes them particularly attractive to hackers and Opera can?t be expected to be free of security problems any more than any other browser.

In any case, all browsers are safe to use if the user takes the usual protection measures; up to date patches, virus definitions and so on.
This is stupid
by umbrae June 9, 2006 5:32 AM PDT
How can you even call this a vulenability? That is a function of JavaScript and fixing it would actually limit functionality in the browser. If some hacker gets a user to input the FULL PATH to a file, I say the idiot deserved it.

I guess since its possible to aim a car at school children we should just remove the steering wheel. I am sure that will solve the problem.
Reply to this comment
You misunderstand
by aabcdefghij987654321 June 9, 2006 7:46 AM PDT
Exploiting this bug would require the user to type but since javascript can selectively control which characters are actually input to the hidden control the goal would be to provide some sort of interactive content to the user which would have them enter the desired keystrokes in the desired order over a period of time, the javascript could still respond to all keystrokes entered by the user but only deposit the ones it wants into the hidden field until it has the complete name of the file it want to upload. That would be made easier by making sure the name of the file is short and uses few unique letters.
This problem would still require the user to do something with the uploaded file or require another exploit (known or unknown) to take advantage of the uploaded file.
This is Stupid?
by gmcaloon--2008 June 9, 2006 9:47 AM PDT
It is definitely a vulnerability. That it involves JavaScript doesn?t make it less of one. Nor is it the first time JavaScript has been a problem. Hackers have used it before.

Fixing the problem doesn?t make the browser any less functional any more than previous fixes did. The recommendation to not use JavaScript is simply a work-around that some might like to try. Not all web sites depend on its presence to function properly. However, given the nature of this particularly crude hacker design requiring the user to go through all sorts of hoops to implement it, there is no need for the user to do anything at the moment other than wait for the fixes. The various virus companies will have a definition for it long before that anyway given that the story mentions Symantec.
Flaw is in the hacker...
by Walt Connery June 9, 2006 10:49 AM PDT
...not in the browsers. When are you guys going to get that straight?...;)

Besides, I applaud both companies for not dancing like puppets on a string whenever a so-called "security expert" (in reality, a hacker) spends hours and hours of time trying to hack these browsers in some arcane fashion just so he can get the headlines and the attention you guys are always so willing to give him as a reward.

There's a very thin line between "malicious hacker" behavior and the way in which many of these so-called "security experts" behave. It'd be nice if you'd mention that once in awhile.
Reply to this comment
by primefalcon August 17, 2008 6:31 PM PDT
What's new Microsoft software is full of bugs from throwing in tons and tons of features without bug testing.

another reason to use a more standards compliant browser like firefox, opera or whatever
Reply to this comment
(10 Comments)
  • prev
  • 1
  • next
advertisement

Latest tech news headlines

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.

More feeds available in our RSS feed index.

advertisement
News
News site map
Latest headlines
Contact News
News staff
Corrections
CNET blogs
Popular topics
Apple iPhone
Apple iPod
Cell phones
Dell
GPS
LCD TV
CNET sites
CNET Site map
CNET TV
Downloads
News
Reviews
Shopper.com
More information
Newsletters
CNET Mobile
Customer Help Center
RSS
CNET Widgets
About CNET