Firefox - Unpatchable Flaw in Firefox???

#1

http://news.com.com/Hackers+claim+ze...ml?tag=newsmap

I've read about this in various news sites.

To Quote:

An attacker could commandeer a computer running the [Firefox] browser simply by crafting a Web page that contains some malicious JavaScript code, Mischa Spiegelmock and Andrew Wbeelsoi said in a presentation at the ToorCon hacker conference here. The flaw affects Firefox on Windows, Apple Computer's Mac OS X and Linux, they said.

The flaw is specific to Firefox's implementation of JavaScript, a 10-year-old scripting language widely used on the Web. In particular, various programming tricks can cause a stack overflow error, Spiegelmock said. The implementation is a "complete mess," he said. "It is impossible to patch."

Victor

#2

Victor wrote:
> http://news.com.com/Hackers+claim+ze...ml?tag=newsmap
>
> I've read about this in various news sites.
>
> To Quote:
> An attacker could commandeer a computer running the [Firefox] browser simply by crafting
> a Web page that contains some malicious JavaScript code, Mischa Spiegelmock and Andrew
> Wbeelsoi said in a presentation at the ToorCon hacker conference here. The flaw affects
> Firefox on Windows, Apple Computer's Mac OS X and Linux, they said.
>
> The flaw is specific to Firefox's implementation of JavaScript, a 10-year-old scripting
> language widely used on the Web. In particular, various programming tricks can cause a
> stack overflow error, Spiegelmock said. The implementation is a "complete mess," he
> said. "It is impossible to patch."
>

I understand a patch is in the works, probably a couple of days. Note the following from the article you cite: "At the same time, the presentation probably gives Mozilla enough data to fix the apparent flaw, Snyder said."

If it concerns you, turn off javascript until the patch comes through.

Lee

#3

On 2006-10-02, Victor <> wrote:
> http://news.com.com/Hackers+claim+ze...ml?tag=newsmap
>
> I've read about this in various news sites.
>
> To Quote:
> An attacker could commandeer a computer running the [Firefox] browser simply by crafting
> a Web page that contains some malicious JavaScript code, Mischa Spiegelmock and Andrew
> Wbeelsoi said in a presentation at the ToorCon hacker conference here. The flaw affects
> Firefox on Windows, Apple Computer's Mac OS X and Linux, they said.
>
> The flaw is specific to Firefox's implementation of JavaScript, a 10-year-old scripting
> language widely used on the Web. In particular, various programming tricks can cause a
> stack overflow error, Spiegelmock said. The implementation is a "complete mess," he
> said. "It is impossible to patch."

So use the "NoScript" extension, which lets you block all Javascript except for sites you explicitly allow.

--
John ()

#4

On 2006-10-03, John Thompson <> wrote:
> On 2006-10-02, Victor <> wrote:
>
>> http://news.com.com/Hackers+claim+ze...ml?tag=newsmap
>>
>> I've read about this in various news sites.
>>
>> To Quote:
>> An attacker could commandeer a computer running the [Firefox] browser simply by crafting
>> a Web page that contains some malicious JavaScript code, Mischa Spiegelmock and Andrew
>> Wbeelsoi said in a presentation at the ToorCon hacker conference here. The flaw affects
>> Firefox on Windows, Apple Computer's Mac OS X and Linux, they said.
>>
>> The flaw is specific to Firefox's implementation of JavaScript, a 10-year-old scripting
>> language widely used on the Web. In particular, various programming tricks can cause a
>> stack overflow error, Spiegelmock said. The implementation is a "complete mess," he
>> said. "It is impossible to patch."
> So use the "NoScript" extension, which lets you block all Javascript
> except for sites you explicitly allow.

And now it appears to have been a hoax:

http://www.eweek.com/article2/0,1895,2023762,00.asp

--
John ()

#5

"John Thompson" wrote...
> On 2006-10-03, John Thompson wrote:
>
> > On 2006-10-02, Victor wrote:
> >
> >> http://news.com.com/Hackers+claim+ze...ml?tag=newsmap
> >>
> >> I've read about this in various news sites.
:
> > So use the "NoScript" extension, which lets you block all Javascript
> > except for sites you explicitly allow.
>
> And now it appears to have been a hoax:
>
> http://www.eweek.com/article2/0,1895,2023762,00.asp
>

If it's a hoax, why is Mozilla working on a fix?

I'll wait for the official statement from Mozilla, but really, if Google is acting more and more like Microsoft every day, who's to say that Mozilla is going to be in denial, too?

As far as using the NoScript extension - yeah, right, I'm gonna mess up website displays for this. Look, like 95% of the people on the web, I'm not a techie guy, and expecting most people to turn off JavaScript is like expecting most people to rotate their own tires - it's easy if you know how, but most people just won't bother.

But you've got to believe that there are some interested hackers in Russia that are meticulously combing through the Mozilla JavaScript virtual machine as we speak, and if they don't find the exploit described in the original article they'll find a new one.

Some of us are only interested in getting our work done, and I'll use Internet Explorer until this whole thing is sorted out.

Vic

#6

Victor wrote:
> "John Thompson" wrote...
>> On 2006-10-03, John Thompson wrote:
>>
>>> On 2006-10-02, Victor wrote:
>>>
>>>> http://news.com.com/Hackers+claim+ze...ml?tag=newsmap
>>>> I've read about this in various news sites.
> :
>>> So use the "NoScript" extension, which lets you block all Javascript
>>> except for sites you explicitly allow.
>> And now it appears to have been a hoax:
>>
>> http://www.eweek.com/article2/0,1895,2023762,00.asp
>>
>
> If it's a hoax, why is Mozilla working on a fix?
>
> I'll wait for the official statement from Mozilla, but really, if Google is acting more
> and more like Microsoft every day, who's to say that Mozilla is going to be in denial,
> too?
>
> As far as using the NoScript extension - yeah, right, I'm gonna mess up website displays
> for this. Look, like 95% of the people on the web, I'm not a techie guy, and expecting
> most people to turn off JavaScript is like expecting most people to rotate their own
> tires - it's easy if you know how, but most people just won't bother.
>
> But you've got to believe that there are some interested hackers in Russia that are
> meticulously combing through the Mozilla JavaScript virtual machine as we speak, and if
> they don't find the exploit described in the original article they'll find a new one.
>
> Some of us are only interested in getting our work done, and I'll use Internet Explorer
> until this whole thing is sorted out.
>
> Vic

Did you read the article? There is a security exploit, it is just nowhere near as severe as initially presented. Mozilla is going to fix it and fix it quickly.

Fine, use IE. You'll be less secure, not more.

Lee

#7

Victor wrote on 04/10/2006 17:31 +0100:
>
> If it's a hoax, why is Mozilla working on a fix?
>
> I'll wait for the official statement from Mozilla, but really, if
> Google is acting more and more like Microsoft every day, who's to say
> that Mozilla is going to be in denial, too?
>

http://developer.mozilla.org/devnews...ed-at-toorcon/

"We got a chance to talk to Mischa Spiegelmock, the Toorcon speaker that reported the potential javascript security issue referenced earlier. He gave us more code to work with and also made this statement and agreed to let me post it here:

The main purpose of our talk was to be humorous. As part of our talk we mentioned that there was a previously known Firefox vulnerability that could result in a stack overflow ending up in remote code execution. However, the code we presented did not in fact do this, and I personally have not gotten it to result in code execution, nor do I know of anyone who has. I have not succeeded in making this code do anything more than cause a crash and eat up system resources, and I certainly haven't used it to take over anyone else's computer and execute arbitrary code.

I do not have 30 undisclosed Firefox vulnerabilities, nor did I ever make this claim. I have no undisclosed Firefox vulnerabilities. The person who was speaking with me made this claim, and I honestly have no idea if he has them or not.

I apologize to everyone involved, and I hope I have made everything as clear as possible.

Sincerely,
Mischa Spiegelmock

Even though Mischa hasn't been able to achieve code execution, we still take this issue seriously. We will continue to investigate.

-Window Snyder"

--
Tony

"Anyone who conducts an argument by appealing to authority is not using his intelligence; he is just using his memory." - Leonardo da Vinci

#8

"Tony Raven" <> wrote in message news:...
> Victor wrote on 04/10/2006 17:31 +0100:
> >
> > If it's a hoax, why is Mozilla working on a fix?
> >
> > I'll wait for the official statement from Mozilla, but really, if
> > Google is acting more and more like Microsoft every day, who's to say
> > that Mozilla is going to be in denial, too?
> >
>
> http://developer.mozilla.org/devnews...ed-at-toorcon/
>

Thank you.