Firefox not as secure as thought?


Hydrae
10-03-2006, 08:44 AM
http://news.com.com/2100-1002_3-6121608.html?part=rss&tag=6121608&subj=news

Hackers claim zero-day flaw in Firefox
Mozilla is investigating hacker claims that the Web browser has a serious flaw in the way it handles JavaScript.

By Joris Evers
Staff Writer, CNET News.com

Published: September 30, 2006, 10:57 PM PDT

SAN DIEGO--The open-source Firefox Web browser is critically flawed in the way it handles JavaScript, two hackers said Saturday afternoon.

An attacker could commandeer a computer running the browser simply by crafting a Web page that contains some malicious JavaScript code, Mischa Spiegelmock and Andrew Wbeelsoi said in a presentation at the ToorCon hacker conference here. The flaw affects Firefox on Windows, Apple Computer's Mac OS X and Linux, they said.

"Internet Explorer, everybody knows, is not very secure. But Firefox is also fairly insecure," said Spiegelmock, who in everyday life works at blog company SixApart. He detailed the flaw, showing a slide that displayed key parts of the attack code needed to exploit it.

Mozilla antsy about exploited Firefox flaws
The flaw is specific to Firefox's implementation of JavaScript, a 10-year-old scripting language widely used on the Web. In particular, various programming tricks can cause a stack overflow error, Spiegelmock said. The implementation is a "complete mess," he said. "It is impossible to patch."

The JavaScript issue appears to be a real vulnerability, Window Snyder, Mozilla's security chief, said after watching a video of the presentation Saturday night. "What they are describing might be a variation on an old attack," she said. "We're going to do some investigating."

Snyder said she isn't happy with the disclosure and release of an apparent exploit during the presentation. "It looks like they had enough information in their slide for an attacker to reproduce it," she said. "I think it is unfortunate because it puts users at risk, but that seems to be their goal."

At the same time, the presentation probably gives Mozilla enough data to fix the apparent flaw, Snyder said. However, because the possible flaw appears to be in the part of the browser that deals with JavaScript, addressing it might be tougher than the average patch, she added. "If it is in the JavaScript Virtual Machine, it is not going to be a quick fix," Snyder said.

The hackers claim they know of about 30 unpatched Firefox flaws. They don't plan to disclose them, instead holding onto the bugs.

Jesse Ruderman, a Mozilla security staffer, attended the presentation and was called up on the stage with the two hackers. He attempted to persuade the presenters to responsibly disclose flaws via Mozilla's bug bounty program instead of using them for malicious purposes such as creating networks of hijacked PCs, called botnets.

"I do hope you guys change your minds and decide to report the holes to us and take away $500 per vulnerability instead of using them for botnets," Ruderman said.

The two hackers laughed off the comment. "It is a double-edged sword, but what we're doing is really for the greater good of the Internet. We're setting up communication networks for black hats," Wbeelsoi said.

DaFace
10-03-2006, 08:54 AM
I've always been a believer that Firefox is only more secure because hackers haven't had the motivation to exploit it yet.

jspchief
10-03-2006, 08:56 AM
I've always been a believer that Firefox is only more secure because hackers haven't had the motivation to exploit it yet.
Yep.

jspchief
10-03-2006, 08:58 AM
The JavaScript issue appears to be a real vulnerability, Window Snyder, Mozilla's security chief, said after watching a video of the presentation Saturday night. "What they are describing might be a variation on an old attack," she said. "We're going to do some investigating."
Anyone else get a chuckle out of a Mozilla bigwig with the name Window?

Mr. Laz
10-03-2006, 09:13 AM
parker in 3 .... 2 ..... 1 ....

htismaqe
10-03-2006, 09:16 AM
parker in 3 .... 2 ..... 1 ....

Nah, there's no need to rub anything in...

unlurking
10-03-2006, 09:23 AM
OK, so that's one serious flaw in the last what, 6 months? How many can we count for IE? Anyways, Firefox is obviously not perfect, so the thread title seems like something from the DC forum. To answer the question of the thread title, I always thought it was more secure than IE, but definitely not perfect. One flaw does not change my mind.

I think the Firefox response was excellent. They are jumping forward trying to fix a problem these guys won't give a full explanation about. I gotta say, I'm really sick of these "half exploits" that are starting to pop up all over the place. Either tell us everything, or go back under your hole and share it with your team only.

The hacker crowd is mostly becoming a bunch of spotlight hugging jerks in the last several years. Really annoying.

SLAG
10-03-2006, 09:57 AM
OK, so that's one serious flaw in the last what, 6 months? How many can we count for IE? Anyways, Firefox is obviously not perfect, so the thread title seems like something from the DC forum. To answer the question of the thread title, I always thought it was more secure than IE, but definitely not perfect. One flaw does not change my mind.

I think the Firefox response was excellent. They are jumping forward trying to fix a problem these guys won't give a full explanation about. I gotta say, I'm really sick of these "half exploits" that are starting to pop up all over the place. Either tell us everything, or go back under your hole and share it with your team only.

The hacker crowd is mostly becoming a bunch of spotlight hugging jerks in the last several years. Really annoying.


So should I start using Konqueror that comes with KDE or should I look into Opera or some other such browser?

unlurking
10-03-2006, 12:03 PM
hahaha

I use Firefox or SeaMonkey. Konqueror has the most compatibility issues.

Funny thing is, all the exploits for browsers affect Windows, not Linux. Nobody bothers trying to exploit the same vulns (browser based) for Linux due to the lower number of targets and the more difficult nature of exploiting a flaw in a service/app not running with root permissions.

Seriously, under Linux I wouldn't care what I ran. Hell, use IE under Wine and the exploit is still not going to affect you.

unlurking
10-03-2006, 02:51 PM
Christ I hate these loser ****ing pricks running around to cons making shit up. Joke my ass, you were lying and got caught you dumbasses.

http://arstechnica.com/news.ars/post/20061003-7885.html
The after-story... there's no story at all?

Mozilla has been able to reproduce a DoS issue based on the information, according to a new post on the Mozilla Developer Center. So far, they have yet to determine whether code execution is a possibility, but say they are "still investigating" and promise updates as necessary. Nevertheless, it's beginning to look as though this was largely a prank.

Mischa Spiegelmock has now said that the talk "was to be humorous," and that the presentation covered a "previously known Firefox vulnerability that could result in a stack overflow ending up in remote code execution." In other words, they didn't discover a new flaw.

Spiegelmock said that the code they presented to attendees does not actually work, lowering fears that a true zero-day exploit could be in the wild. To make matters more embarrassing, Spiegelmock also said that no one has successfully executed arbitrary code using the attack. "I have not succeeded in making this code do anything more than cause a crash and eat up system resources, and I certainly haven't used it to take over anyone else's computer and execute arbitrary code," according to comments on Mozilla's developers blog.

As to the claim that there are 30 known exploits in Firefox, Spiegelmock said that the claim was made only by Wbeelsoi, and indicated that it, too, has not been verified.

SLAG
10-03-2006, 03:08 PM
Christ I hate these loser ****ing pricks running around to cons making shit up. Joke my ass, you were lying and got caught you dumbasses.

http://arstechnica.com/news.ars/post/20061003-7885.html

Hack Teh Planet!1!1!!

Hydrae
10-03-2006, 03:54 PM
Christ I hate these loser ****ing pricks running around to cons making shit up. Joke my ass, you were lying and got caught you dumbasses.

http://arstechnica.com/news.ars/post/20061003-7885.html


Thanks for the follow up. Sorry I posted and didn't follow up, busy busy day. But wanted to throw this out as I know there are a lot of Firefox users around here.