September 30, 2006 10:57 PM PDT

Hackers claim zero-day flaw in Firefox

SAN DIEGO--The open-source Firefox Web browser is critically flawed in the way it handles JavaScript, two hackers said Saturday afternoon.

An attacker could commandeer a computer running the browser simply by crafting a Web page that contains some malicious JavaScript code, Mischa Spiegelmock and Andrew Wbeelsoi said in a presentation at the ToorCon hacker conference here. The flaw affects Firefox on Windows, Apple Computer's Mac OS X and Linux, they said.

"Internet Explorer, everybody knows, is not very secure. But Firefox is also fairly insecure," said Spiegelmock, who in everyday life works at blog company SixApart. He detailed the flaw, showing a slide that displayed key parts of the attack code needed to exploit it.

The flaw is specific to Firefox's implementation of JavaScript, a 10-year-old scripting language widely used on the Web. In particular, various programming tricks can cause a stack overflow error, Spiegelmock said. The implementation is a "complete mess," he said. "It is impossible to patch."

The JavaScript issue appears to be a real vulnerability, Window Snyder, Mozilla's security chief, said after watching a video of the presentation Saturday night. "What they are describing might be a variation on an old attack," she said. "We're going to do some investigating."

Snyder said she isn't happy with the disclosure and release of an apparent exploit during the presentation. "It looks like they had enough information in their slide for an attacker to reproduce it," she said. "I think it is unfortunate because it puts users at risk, but that seems to be their goal."

At the same time, the presentation probably gives Mozilla enough data to fix the apparent flaw, Snyder said. However, because the possible flaw appears to be in the part of the browser that deals with JavaScript, addressing it might be tougher than the average patch, she added. "If it is in the JavaScript Virtual Machine, it is not going to be a quick fix," Snyder said.

The hackers claim they know of about 30 unpatched Firefox flaws. They don't plan to disclose them, instead holding onto the bugs.

Jesse Ruderman, a Mozilla security staffer, attended the presentation and was called up on the stage with the two hackers. He attempted to persuade the presenters to responsibly disclose flaws via Mozilla's bug bounty program instead of using them for malicious purposes such as creating networks of hijacked PCs, called botnets.

"I do hope you guys change your minds and decide to report the holes to us and take away $500 per vulnerability instead of using them for botnets," Ruderman said.

The two hackers laughed off the comment. "It is a double-edged sword, but what we're doing is really for the greater good of the Internet. We're setting up communication networks for black hats," Wbeelsoi said.

Since the presentation, Spiegelmock has backpedalled on the zero-day claims. In a note posted to the Mozilla Web site on Monday, he says that he was never able to exploit the supposed vulnerability to hijack computers.

103 comments

ExecShield, SELinux?
There have been a number of zero-day flaws reported, but (so far) these have been prevented from being effective by either ExecShield or SELinux or both. For example, the recent exploit that compromised the Debian servers would have been prevented.

The article doesn't mention whether this is true for this exploit. I run a distribution that has both facilities (Fedora Core), and I'd suggest that anyone that is interested in the security of their system find a distribution that provides these great tools.

There are hundreds of Linux distributions, and security is not a primary concern for many of them. Choose wisely.
Posted by macemoneta (18 comments )
Reply Link Flag
? ExecShield, SELinux
Is this a viable & necessary alternative for all Linux users [I'm a Linux newbie on a home PC] & what's a good site to check for available distros?
Posted by randiroo76073 (2 comments )
Link Flag
DEP in Windows
Data Execution Prevention (DEP) in WinXP SP2 (and also in Win2K3 Server SP1 I think) should also prevent many/most of these bugs. It's basically the same thing as ExecShield, though where ExecShield will work on any x86 chips, Windows DEP requires that the chip support the NX-bit in hardware (ExecShield will use this feature if available or emulate it if not). This feature first showed up on AMD's Athlon64 and Opteron chips in 2003 and was implemented on Intel's P4 and Celeron lines about a year later (though Intel called their version 'XD bit' because they don't like using names invented by other companies) and a bit later on their notebook chips.

As you mentioned, this article doesn't mention if DEP would prevent this flaw, and actually I don't think it would. DEP and ExecShield work by preventing code from running out of memory marked as data. This prevents buffer overrun flaws because buffers are used to store data, not executable code. Trying to execute code by overrunning these buffers just results in a program crash, turning a remote vulnerability into a simple and much less dangerous denial-of-service type bug. However this particular flaw is apparently a stack overflow rather than a buffer overrun, so it might not be caught by DEP/ExecShield.
Posted by Hoser McMoose (182 comments )
Link Flag
Very useful post, macemoneta
Thanks to macemoneta for posting the availability of security programs to those who use linux. Such programs would also be valuable for those on windows if they were available. I will disagree that security isn't a prime concern for many linux distributions... it should always be a concern, regardless of the risk.
Posted by Seaspray0 (9714 comments )
Link Flag
NoScript extension for Firefox
I have been using the NoScript extension for Firefox and Seamonkey. It allows you to select those sites that you trust to use javascript. CNET is one of the sites on which I allow javascript to run. I hope my trust is not misplaced :)

http://www.noscript.net/whats
Posted by david.donoho (1 comment )
Reply Link Flag
knee jerk reaction
I've found that NoScript is a knee jerk reaction to javascript FUD. Javascript may have bugs from time to time, but it also makes the web experience much richer to the point of being indispensable. Every new form of technology has bugs, but it also brings with it new possibilities. One shouldn't throw the baby out with the bath water. Just look at Web 2.0 and AJAX. It wouldn't have been possible without Javascript.

While I am aware that NoScript allows you to re-enable Javascript by reloading the page, it is another barrier to the richness of the web, that should not have been unleashed in the first place.
Posted by nrlz (98 comments )
Link Flag
Great Extension
Javascript at its core has many shady uses. NoScript allows you to open up the sites you love, but avoid trouble on those you find randomly through google. What is nice is you can open up a domain or subdomain so your favorite site will work, but it will break 3rd party usage trackers that, in my opinion, are too much like spyware.

I do NOT let CNET run Javascript. Most sites do nothing useful with Javascript and do not require it. Others are foolishly dependent on it; yet still do nothing useful with it. A simple click, then allow (or temporary allow) on NoScript fixes it.
Posted by umbrae (1073 comments )
Link Flag
Using a javascript blocker is best
It is best to use a javascript blocker like NoScript when you are going to sites that you don't know if you can trust at first.

That is what I have Firefox on my machine for, to test sites BEFORE I use IE7 to go to them.
Posted by Leria (585 comments )
Link Flag
Yea...
Obviously so because 90% of the time it crashes when you try and run JavaScript.
Posted by PCCRomeo (432 comments )
Reply Link Flag
People Still Use Firefox?
wow, did know that. Anyways the whole application in a whole
needs to be reprogrammed. I was really disappointed with the
outcome of the software. It just really does not compete anymore
Oh and get a Mac!
Posted by Mephux (51 comments )
Reply Link Flag
Don't be so cocky...
Not everyone can afford their prices, and not everyone wants their OS.

I don't think this is so much of a discredit to Firefox as much as this is a way to level the playing field between Firefox, IE, and other browsers and say "look, nothing is really completely secure, especially the things you think are secure."
Posted by coryschulz (326 comments )
Link Flag
You're Out of Touch
Nearly 15% of all web traffic is viewed with Firefox. Less than 80% is viewed with Internet Explorer.

"application in a whole needs to be reprogrammed"

Crazy, pure crazy.

"does not compete anymore"

Against what, Safari? Less than 2% of web sites are viewed with that old browser.

Get a clue.
Posted by mstrclark (62 comments )
Link Flag
Mac Users
My god, could they be any more self centered egotistical fashion tards?

I've got an old G4 and it has more problems than any of my XP systems... it will be a long time before I buy another Mac. I'm sticking with Linux and XP. I'll leave Mac to all those college wannabe hipsters who do not know any better.
Posted by SeizeCTRL (1333 comments )
Link Flag
Trolls
Don't feed the trolls
Posted by SrLnclt (3 comments )
Link Flag
...
*bang*

You sicken me. Firefox is an excellent browser, which like every piece of software has some inherent flaws.
Posted by Corrupt_Data (9 comments )
Link Flag
for example?
"the whole application in a whole
needs to be reprogrammed"

Would you mind being more specific? Who are you to claim this? Any real facts (and not unsubstantiated, totally partisan comments)?
Posted by feranick (212 comments )
Link Flag
People use a MAC?? buahahahah
how lame is that!
Posted by baswwe (299 comments )
Link Flag
Stop feeding the iTroll...
Pity the fool. He's obviously an unarmed warrior in this battle of wits.
Posted by bedardp (1 comment )
Link Flag
Whoa !
Well, I for one, am getting tired of people calling these things "flaws"! They are not "flaws" but "vulnerabilities", "discovered vulnerabilities", or "created vulnerabilities". They would not exist if it weren't for some quasi-intelligent jackass, or some underworld pinhead attempting to write code to exploit them and attempt to bot, or compromise our systems, and attempt to steal I.D.'s. It's time for Draconian measures against "created vulnerabilities". If you posted to this blog, you too were using Java and Javascript to chime in. Now our 1st Amendment voices are now at risk. We chime in to express ourselves, and that creates a bot condition that can possibly create my own Identity Theft? We need to quickly find these punks, and bring them to justice! Again, they're not "flaws" they're "vulnerabilities". Sheeeeesh!
Posted by Jon N. (182 comments )
Reply Link Flag
AppArmor
Not an issue--just run AppArmor in SUSE 10.1 and you have a 'sandbox' around it.

OK thanks. Later!
Posted by _dietrich (8 comments )
Reply Link Flag
exploit in vista?
Does anyone know if this stack overflow in FF can be exploited in Vista? Vista is a piece for security but it generally makes these kind of holes much more difficult to exploit.

I see a lot of flaming in the talkback on this subject as arrogance seems to attract arrogance. It would be nice to get some clarification on this subject instead of more gunfire.
Posted by arzynik (18 comments )
Reply Link Flag
Flaming...
Don't get the Flaming myself...I wish these forums spent a little more time shedding light on these subjects... I love FireFox and am interested in just How serious this is...

I as well don't get the arrogance of some of these Mac Guys...Gives the rest of us a bad rep...I like my Mac over my XP box... and I have my reasons... but I certainly don't disparage anyone for their choice in OS's.
Fact is... not a damn one of them (Mac, PC, Linux etc) is perfect. Think about it... They are all made, and all software programmed, by people.
Posted by ArtGuy69 (2 comments )
Link Flag
Exploit in Vista - answer
All these people and not one of them can be bothered to answer an honest question.

Since this particular exploit compromises the browser it should be assumed that the flaw would lead to the attacker getting the same privileges that the user has. For anyone running with admin privileges (most windows users) that means the attacker effectively owns the computer, for those not running as admin (Vista - if it's done right, Unix et al..) the attackers would need to have another exploit to get the desired privilege escalation.
Posted by aabcdefghij987654321 (1721 comments )
Link Flag
heh
pretty rich that someone who works at sixapart calls someone else's code "a mess".
Posted by james2vegas (2 comments )
Reply Link Flag
Or you could use emulation
Or you could run a virtual OS and run firefox in it.

When ever I search for something which might lead to questionable websites, such as ed2k links, I use virtual PC and use Firefox for the search.
Posted by hybris06 (66 comments )
Reply Link Flag
I wonder?
I was reading that the "hackers" basically showed how to exploit the hole. I might have missed this, but did the "hackers" give Mozilla an advanced warning or notification?

It's my understanding that for the most part those who find flaws in software generally try to give the software maker time to fix the problem before going public. Maybe I missed it in the article. I say it's not fair, but then again if a bad guy was the one that found the code exploit then all bets would be off.

I'm finding that most of these hacker security guys and many developers are little more than babies. Always trying to show up the next guy.

I use Firefox and I use Opera. I would love to own a Mac and I don't like Microsoft. I'm biased and opinionated. I'm just like everybody else. Unlike most I feel like everybody is in the wrong. All these people quick to point out a problem and lay blame on everybody else, but too useless to help find a solution. Those who stand by ******** about problems, but never looking for the solution are just a bunch of useless people.
Posted by System Tyrant (1453 comments )
Reply Link Flag
they're bad guys
Reread the article. It's quite clear these two hackers are just in it for themselves and would rather exploit (and have others exploit) the apparent bugs.

We can't have laws on everything but this sounds maliciously negligent to me. (esp. see the last paragraph)
Posted by HandGlad2 (91 comments )
Link Flag
About the flaw . . .
Is this the same "zero-day" exploit being used against I.E.?
Can it or is it also being used against other browsers - Safari,
Opera, etc.?

Regarding the "Flamer" and the pissing contest that ensued:
I learned at a very young age that "if you **** on a fire, you stink
up the whole camp".
Best to keep it zipped or go find some shrubs if ya REALLY gotta
go ;-)

Regarding arrogance & snobbery:
There are arrogant snobs in ALL the camps - Mac, M.S. & Linux.
One calling the other such is the proverbial "Pot calling the
Kettle black". Or even worse, just think back to those
kindergarten days when the arguments resorted to "So am I but
what are You?"
Posted by K.P.C. (227 comments )
Reply Link Flag
I believe it is different...
Javascript (as a technology) has some security issues that appeared a few months back. It should be disabled by default in ANY browser, and you should only allow it for those you trust.

However, I think this flaw is specific to Firefox/Mozilla probably related to only Netscape/Mozilla codebase.

Firefox is a great browser. All software has its flaws, but Firefox is not an operational part of windows. As such, any "flaw" can only go so far. If you run on windows as an unprivileged user, then even this flaw is harmless. However, in IE the browser runs as SYSTEM, so you would be in trouble no matter what.
Posted by umbrae (1073 comments )
Link Flag
FireFox, IE, Whatever. Browsers are targets...
You can side with one browser or another, that's your choice. But what it comes down to is this:
The most popular browsers are going to be targets, PERIOD.
This does not make them bad products nor does it indicate their developers are inept.
People get a grip, coding anything these days no longer involves cheat sheets to CPU instructions and hand coding machine code byte by byte. It involves libraries, compilers, frameworks and IDEs. All of which by themselves can introduce security issues.
If you want to nail someone or something for security flaws then start at the right place, the development tools.
Posted by fred dunn (793 comments )
Reply Link Flag
Correct, browsers are targets
Browsers are targets for the simple reason that they are an interface to content outside the user's "safe zone". The browser (when an exploit is available) provides the attacker with a wedge into the system.
Posted by aabcdefghij987654321 (1721 comments )
Link Flag
No question about Browsers being targets
But what differentiates them is not their popularity (numbers being used)... but how quickly the vendor patches them.

That will clearly show which is the better browser!!!

Walt
Posted by wbenton (522 comments )
Link Flag
These bozos should go to jail
It's obvious they are there to brag about what they know and not to help solve the problem. Their statements should be enough to provide grounds for a search warrant to seize and examine all of their computer systems.

Like thieves everywhere they try to justify their actions with a lame excuse (providing black hats with places to meet?!) ignoring the simple fact that their own machines could be used for that purpose instead of stealing from others.
Posted by aabcdefghij987654321 (1721 comments )
Reply Link Flag
get Oxygen browser, be Hack free
That is why I only use Oxygen browser from Netdive. It may be old. But in 4 years of using it myself and everyone else in our company, we have not had one, NOT even ONE, Virus or Hack getting through it. It is one of my favorite software products to use, you should try it too, it is here:
http://www.netdive.com/htms/products.htm
I swear if it was not for this Oxygen browser, I think I would have thrown my PC out of the window 10 times already :)
Because whenever I switch to IE or FFox, it seems it is matter of weeks before something nasty inflicts my PC.
And then I am back to only using Oxygen to be able to access the web free of whatever crap that IE or FFox
brought down onto my PC.
Well this is my 2 cents :)
Cheeriooo,
Posted by Sea of Cortez (67 comments )
Reply Link Flag
Do you ever get tired...
of pushing that trash browser. It's old, old, old, and old. I downloaded the browser and tried it out. All I can say is that that browser is as useless today as it was when it came out.

It's a crappy browser. It's outdated by about ten or so years.

For anybody thinking about downloading it... don't. It's a waste of time and energy. It's not even as good as IE version 1.
Posted by System Tyrant (1453 comments )
Link Flag
Even Better
Just use Lynx.

No scripting issues. No flash issues. No image overflow issues. Nothing but text.

:-p
Posted by adlyb1 (123 comments )
Link Flag
Secure your browser
Believe it or not, many browsers do have the ability to set what your browser will and will not do. There are browser settings that will turn on/off active-x, java scripting, cookie handling etc. The more restrictive you make the settings, the more secure your computer will be against an attack. You also restrict what features webpages can do in your browser and there may be websites you trust where you wish to have these features. Most people will lower their settings for these sites and leave them that way when they browse the rest of the internet, going to "unknown" sites. This is a bad security risk and entirely your responsibility since you were given the ability to set the level of security. You may not wear a condom when you have sex with your spouse, but go to the local hooker without a condom and you can get infected with nasty diseases. It's the same way on the internet.

I haven't found similar settings in firefox yet, but IE does also have the ability to set security for different "zones". I'm hoping firefox does have this ability. What it comes down to, is being able to divide the internet into separate zones that you can define and being able to set the security level different for each zone. For those zones you trust, you add the website to the zone and set the security to the level you need to allow the features you want. For those websites not defined in your trusted zone, they fall under the general internet zone where you set the security much, much higher. It's like having a condom put on automatically just for the hookers.

Ok, so the hooker analogy is crude, but it does emphasize a point and I only use it to emphasize the importance of protecting your computer from viruses, trojans, etc. Secure your computer browser.
Posted by Seaspray0 (9714 comments )
Reply Link Flag
RE: Secure your browser
Seaspray0 had the brass to make this kind of comment:

"You may not wear a condom when you have sex with your
spouse, but go to the local hooker without a condom and you
can get infected with nasty diseases. It's the same way on the
internet."

Crude, yes. True? YES!!!

An analogy that the sleaziest of people should be able to
understand. I couldn't have said it better myself, thank you
Seaspray0!
Posted by Dalkorian (3000 comments )
Link Flag
lol
More stupidity from you.

First of all this article is a hoax, a joke.

Secondly, turning off activex control limits your ability to update windows. The fact that it should be shut off shows how flawed your precious company made it.

Mentioning Java and activeX in the same sentence shows your stupidity. I dare you to write code to allow an applet to run outside the sandbox without a security certificate. Of course you can't since you can't program, but even if you could you would have a rough time at it.

Even you, in your ignorance, can exploit windows.

It is funny you mention hookers as an analogy because MS is the prime reason why surfing the net is unsafe.

Firefox doesn't run the security hole known as activex, no need to turn it off.

Even without all those controls, Firefox is infinitely more secure.

"Secure your browser"??

Even with all scripting turned off, everything set to high, IE is still easily exploitable. If you use IE you are not secure, end of story.

Seriously, get a little education on computers (more than just changing settings) and then maybe someone will take your rahrah MS posting seriously.

Of course, if you were educated, you would not like MS unless your paycheck depended on them, and even then you would secretly dislike them.
Posted by qwerty75 (1164 comments )
Link Flag
Six Apart better fire this guy
According to the article one of the hackers, Mischa Spiegelmock, works for the blogging company Six Apart. I wonder how their business customers would feel knowing that they are providing employment to a hacker who is "setting up communication networks for black hats". Would they feel comfortable using software developed by a company whose employees are helping criminals compromise the security of their networks by providing them detailed information about how to exploit browser security flaws but refusing to provide the same information to the browser vendors? I sure wouldn't.

Mischa and his buddy sound like a couple of immature punks who don't mind screwing over millions of innocent computer users for the sake of gaining prestige within the hacker community. If Six Apart is smart they will fire this guy. I hope they lose a lot of business until they do.
Posted by Hardrada (359 comments )
Reply Link Flag
They are being very antisocial
They are being very anti-social by not giving Mozilla the info on their flaws and allowing them to fix said flaws.

Mozilla would be good to SERIOUSLY look into going to a lawyer and forcing these people to give them ALL info on the flaws that they have found.

It's as they say: If you don't know that a program has a flaw, you cannot fix said flaw.
Posted by Leria (585 comments )
Link Flag
Ever hear of LiveJournal
One of the 'net's larger blogging sites, livejournal.com, is owned by Six Apart. Now millions of LJ users can have their machines compromised "for the good of the internet".
Posted by Trane Francks (936 comments )
Link Flag
All Hearsay thus far...
http://www.securityfocus.com/bid/20282/discuss

...even the vuln DB and Bugtraq are empty of details.

Methinks there is more noise than toys in this case. I'll wait and see if anything actually comes of it, or if it's just someone trying to see just how little they can actually prove while making themselves look good.

/P
Posted by Penguinisto (5042 comments )
Reply Link Flag
...and I was right
http://developer.mozilla.org/devnews/index.php/2006/10/02/possible-vulnerability-reported-at-toorcon/

All they got out of it was a DDoS attack, which has possibilities, but nothing concrete.

So much for all that - turned out to be almost all smoke and only a spark for fire.

Now, will CNet post an update, or not?

/P
Posted by Penguinisto (5042 comments )
Link Flag
does this affect flock?
are these exploits likely to work on flock?
Posted by careysizer (2 comments )
Reply Link Flag
Shame
For something that claims to be more secure than IE, it's definitely breaking a lot of promise.

Shame to those who so blindly defend a product just as flawed... But at least Firefox does not crash compared to IE7. Ha!

So far, Opera is still cleaner. But it gets slower to launch every new version. I wonder about version 10...
Posted by Mendz (519 comments )
Reply Link Flag
Those two
girls need to be flogged. What total anti-social punks. I wish them much misfortune in their lifetimes.....to say the least.
Posted by Lindy01 (443 comments )
Reply Link Flag
You Guys missed the IE exploit of last week
There was a zero day exploit for internet explorer found last week, but you guys at CNET never posted anything about it. Why did you not report the IE bug, but are now reporting this Firefox one?
Posted by shadowcomputer (7 comments )
Reply Link Flag
There is IE Exploit News
Do you mean this: http://news.cbsi.com/Another+zero-day+threat+hits+Windows/2100-1002_3-6121236.html ?

It's 29 September and it's part of IE Exploit. Oh God, please don't easily comment something that you don't know for sure. I do simple search, and easily found it. If you don't read CNET frequently, don't claim they don't post something.
Posted by Gunady (191 comments )
Link Flag
Is Google Maps OK in Firefox?
If so, I'd switch. Google Maps is where all the strange stuff is being discovered, like that bizarre military facility in China:

http://regmedia.co.uk/2006/07/19/huangyangtan_wide.jpg

http://bbs.keyhole.com/ubb/showthreaded.php/Cat/0/Number/484568

That's the place in the middle of the desert where the Chinese Army has constructed a scale-model replica of the entire region of Aksai Chin (occupied by China since the 1962 war with India). At 1:500, it's still 700 by 900 meters big ( = several football fields). Next to it is a base with dozens of troop transporters seen coming and going. The duplicate shows everything: rivers, lakes, roads and snow-capped mountains. It's basically a landscape within a landscape.

The problem is that nobody has been able to figure out the function of this thing. The world's biggest miniature golf course, perhaps? China's own Area 51? That's why it's the subject of so much discussion in the blogosphere. The discoverer even had to set up his own blog: foundinchina.blogspot.com

Any ideas?
Posted by tania3000 (18 comments )
Reply Link Flag
Google Maps
http://maps.google.com/ is safe in any browser.
Posted by Trane Francks (936 comments )
Link Flag
Hacker: Was supposed to be humorous
http://developer.mozilla.org/devnews/index.php/2006/10/02/update-possible-vulnerability-reported-at-toorcon/

Ha. Ha. Ha.

I'm not laughing.
Posted by Trane Francks (936 comments )
Reply Link Flag
Last time I checked...
Microsoft Word is now on the top ranks of MacOSX word processors as well since Apple opened the compatibility doors to MS, since they realized they bite at making applications made for something other than hobbies.

And we have alternatives, they're just not as good as Word, IMO at least.

So just... shh. You obviously don't check up on what you say. And my condolences for your inability to do such a remedial task as keeping a virus database up to date. We like to face problems head on instead of hiding in the bomb-shelter.
Posted by Rawnchie14 (125 comments )
Reply Link Flag
RETIRED: Firefox JS vulns
FYI...

RETIRED: Mozilla Firefox Multiple Unspecified Javascript Vulnerabilities
- http://www.securityfocus.com/bid/20294/discuss
"Update (October 3, 2006): This BID is being retired as reports indicate that these issues are a hoax. The researchers responsible for disclosing these vulnerabilities have claimed that their original reports were not correct. It is possible that a remote denial of service vulnerability affects the browser; however this has not been confirmed. A new BID will be created if subsequent reports confirm the possibility of the potential denial of service issue. Please see references for more information."
Posted by J. Warren (17 comments )
Reply Link Flag
 
