Unpatchable Flaw in Firefox???

Discussion in 'Firefox' started by Victor, Oct 2, 2006.

  1. Victor

    Victor Guest

    http://news.com.com/Hackers claim zero-day flaw in Firefox/2100-1002_3-6121608.html?tag=newsmap

    I've read about this in various news sites.

    To Quote:
    An attacker could commandeer a computer running the [Firefox] browser simply by crafting
    a Web page that contains some malicious JavaScript code, Mischa Spiegelmock and Andrew
    Wbeelsoi said in a presentation at the ToorCon hacker conference here. The flaw affects
    Firefox on Windows, Apple Computer's Mac OS X and Linux, they said.

    The flaw is specific to Firefox's implementation of JavaScript, a 10-year-old scripting
    language widely used on the Web. In particular, various programming tricks can cause a
    stack overflow error, Spiegelmock said. The implementation is a "complete mess," he
    said. "It is impossible to patch."
     
    Victor, Oct 2, 2006
    #1

  2. Victor wrote:
    > http://news.com.com/Hackers claim zero-day flaw in Firefox/2100-1002_3-6121608.html?tag=newsmap
    >
    > I've read about this in various news sites.
    >
    > To Quote:
    > An attacker could commandeer a computer running the [Firefox] browser simply by crafting
    > a Web page that contains some malicious JavaScript code, Mischa Spiegelmock and Andrew
    > Wbeelsoi said in a presentation at the ToorCon hacker conference here. The flaw affects
    > Firefox on Windows, Apple Computer's Mac OS X and Linux, they said.
    >
    > The flaw is specific to Firefox's implementation of JavaScript, a 10-year-old scripting
    > language widely used on the Web. In particular, various programming tricks can cause a
    > stack overflow error, Spiegelmock said. The implementation is a "complete mess," he
    > said. "It is impossible to patch."
    >
    >
    >


    I understand a patch is in the works, probably a couple of days. Note
    the following from the article you cite:

    "At the same time, the presentation probably gives Mozilla enough data
    to fix the apparent flaw, Snyder said."

    If it concerns you, turn off javascript until the patch comes through.

    Lee
     
    Leonidas Jones, Oct 2, 2006
    #2

  3. On 2006-10-02, Victor <> wrote:

    > http://news.com.com/Hackers claim zero-day flaw in Firefox/2100-1002_3-6121608.html?tag=newsmap
    >
    > I've read about this in various news sites.
    >
    > To Quote:
    > An attacker could commandeer a computer running the [Firefox] browser simply by crafting
    > a Web page that contains some malicious JavaScript code, Mischa Spiegelmock and Andrew
    > Wbeelsoi said in a presentation at the ToorCon hacker conference here. The flaw affects
    > Firefox on Windows, Apple Computer's Mac OS X and Linux, they said.
    >
    > The flaw is specific to Firefox's implementation of JavaScript, a 10-year-old scripting
    > language widely used on the Web. In particular, various programming tricks can cause a
    > stack overflow error, Spiegelmock said. The implementation is a "complete mess," he
    > said. "It is impossible to patch."


    So use the "NoScript" extension, which lets you block all Javascript
    except for sites you explicitly allow.

    --

    John ()
     
    John Thompson, Oct 3, 2006
    #3
  4. On 2006-10-03, John Thompson <2.dhs.org> wrote:

    > On 2006-10-02, Victor <> wrote:
    >
    >> http://news.com.com/Hackers claim zero-day flaw in Firefox/2100-1002_3-6121608.html?tag=newsmap
    >>
    >> I've read about this in various news sites.
    >>
    >> To Quote:
    >> An attacker could commandeer a computer running the [Firefox] browser simply by crafting
    >> a Web page that contains some malicious JavaScript code, Mischa Spiegelmock and Andrew
    >> Wbeelsoi said in a presentation at the ToorCon hacker conference here. The flaw affects
    >> Firefox on Windows, Apple Computer's Mac OS X and Linux, they said.
    >>
    >> The flaw is specific to Firefox's implementation of JavaScript, a 10-year-old scripting
    >> language widely used on the Web. In particular, various programming tricks can cause a
    >> stack overflow error, Spiegelmock said. The implementation is a "complete mess," he
    >> said. "It is impossible to patch."


    > So use the "NoScript" extension, which lets you block all Javascript
    > except for sites you explicitly allow.


    And now it appears to have been a hoax:

    http://www.eweek.com/article2/0,1895,2023762,00.asp

    --

    John ()
     
    John Thompson, Oct 4, 2006
    #4
  5. Victor

    Victor Guest

    "John Thompson" wrote...
    > On 2006-10-03, John Thompson wrote:
    >
    > > On 2006-10-02, Victor wrote:
    > >
    > >> http://news.com.com/Hackers claim zero-day flaw in Firefox/2100-1002_3-6121608.html?tag=newsmap
    > >>
    > >> I've read about this in various news sites.

    :
    > > So use the "NoScript" extension, which lets you block all Javascript
    > > except for sites you explicitly allow.

    >
    > And now it appears to have been a hoax:
    >
    > http://www.eweek.com/article2/0,1895,2023762,00.asp
    >


    If it's a hoax, why is Mozilla working on a fix?

    I'll wait for the official statement from Mozilla, but really, if Google is acting more
    and more like Microsoft every day, who's to say that Mozilla is going to be in denial,
    too?

    As far as using the NoScript extension - yeah, right, I'm gonna mess up website displays
    for this. Look, like 95% of the people on the web, I'm not a techie guy, and expecting
    most people to turn off JavaScript is like expecting most people to rotate their own
    tires - it's easy if you know how, but most people just won't bother.

    But you've got to believe that there are some interested hackers in Russia that are
    meticulously combing through the Mozilla JavaScript virtual machine as we speak, and if
    they don't find the exploit described in the original article they'll find a new one.

    Some of us are only interested in getting our work done, and I'll use Internet Explorer
    until this whole thing is sorted out.

    Vic
     
    Victor, Oct 4, 2006
    #5
  6. Victor wrote:
    > "John Thompson" wrote...
    >> On 2006-10-03, John Thompson wrote:
    >>
    >>> On 2006-10-02, Victor wrote:
    >>>
    >>>> http://news.com.com/Hackers claim zero-day flaw in Firefox/2100-1002_3-6121608.html?tag=newsmap
    >>>> I've read about this in various news sites.

    > :
    >>> So use the "NoScript" extension, which lets you block all Javascript
    >>> except for sites you explicitly allow.

    >> And now it appears to have been a hoax:
    >>
    >> http://www.eweek.com/article2/0,1895,2023762,00.asp
    >>

    >
    > If it's a hoax, why is Mozilla working on a fix?
    >
    > I'll wait for the official statement from Mozilla, but really, if Google is acting more
    > and more like Microsoft every day, who's to say that Mozilla is going to be in denial,
    > too?
    >
    > As far as using the NoScript extension - yeah, right, I'm gonna mess up website displays
    > for this. Look, like 95% of the people on the web, I'm not a techie guy, and expecting
    > most people to turn off JavaScript is like expecting most people to rotate their own
    > tires - it's easy if you know how, but most people just won't bother.
    >
    > But you've got to believe that there are some interested hackers in Russia that are
    > meticulously combing through the Mozilla JavaScript virtual machine as we speak, and if
    > they don't find the exploit described in the original article they'll find a new one.
    >
    > Some of us are only interested in getting our work done, and I'll use Internet Explorer
    > until this whole thing is sorted out.
    >
    > Vic



    Did you read the article?

    There is a security exploit, it is just nowhere near as severe as
    initially presented.

    Mozilla is going to fix it and fix it quickly.

    Fine, use IE. You'll be less secure, not more.

    Lee
     
    Leonidas Jones, Oct 4, 2006
    #6
  7. Tony Raven

    Tony Raven Guest

    Victor wrote on 04/10/2006 17:31 +0100:
    >
    > If it's a hoax, why is Mozilla working on a fix?
    >
    > I'll wait for the official statement from Mozilla, but really, if
    > Google is acting more and more like Microsoft every day, who's to say
    > that Mozilla is going to be in denial, too?
    >


    http://developer.mozilla.org/devnew...e-possible-vulnerability-reported-at-toorcon/

    "We got a chance to talk to Mischa Spiegelmock, the Toorcon speaker that
    reported the potential javascript security issue referenced earlier. He
    gave us more code to work with and also made this statement and agreed
    to let me post it here:

    The main purpose of our talk was to be humorous.

    As part of our talk we mentioned that there was a previously known
    Firefox vulnerability that could result in a stack overflow ending up in
    remote code execution. However, the code we presented did not in fact do
    this, and I personally have not gotten it to result in code execution,
    nor do I know of anyone who has.

    I have not succeeded in making this code do anything more than cause a
    crash and eat up system resources, and I certainly haven’t used it to
    take over anyone else’s computer and execute arbitrary code.

    I do not have 30 undisclosed Firefox vulnerabilities, nor did I ever
    make this claim. I have no undisclosed Firefox vulnerabilities. The
    person who was speaking with me made this claim, and I honestly have no
    idea if he has them or not.

    I apologize to everyone involved, and I hope I have made everything as
    clear as possible.

    Sincerely,

    Mischa Spiegelmock

    Even though Mischa hasn’t been able to achieve code execution, we still
    take this issue seriously. We will continue to investigate.

    -Window Snyder"

    --
    Tony

    "Anyone who conducts an argument by appealing to authority is not using
    his intelligence; he is just using his memory."
    - Leonardo da Vinci
     
    Tony Raven, Oct 4, 2006
    #7
  8. Victor

    Victor Guest

    "Tony Raven" <> wrote in message
    news:...
    > Victor wrote on 04/10/2006 17:31 +0100:
    > >
    > > If it's a hoax, why is Mozilla working on a fix?
    > >
    > > I'll wait for the official statement from Mozilla, but really, if
    > > Google is acting more and more like Microsoft every day, who's to say
    > > that Mozilla is going to be in denial, too?
    > >
    >
    > http://developer.mozilla.org/devnew...e-possible-vulnerability-reported-at-toorcon/
    >


    Thank you.
     
    Victor, Oct 4, 2006
    #8