Posted on 10/02/2006 2:49:35 PM PDT by Ernest_at_the_Beach
An overflow of stories concerning an alleged Firefox 1.5 exploit hit the Web over the weekend, emerging from an underground users' conference in San Diego. But after the dust has begun settling, evidence of the exploit's severity and even existence has yet to materialize from official sources, including the Mozilla organization responsible for Firefox's development.
A few weeks ago, a series of exploitable bugs involving Firefox's JavaScript interpreter were reported by Secunia in an official advisory, which continues to rate these flaws this morning as "highly critical."
"An error in the handling of JavaScript regular expressions containing a minimal quantifier," reads the Secunia advisory, "can be exploited to cause a heap-based buffer overflow." No more recent Firefox flaws have been added to Secunia's list since then.
The alleged flaw introduced last weekend at the ToorCon convention in San Diego was reported to also involve a buffer overflow triggered through the JavaScript interpreter, although reports have made it appear this is the first such flaw in Firefox's history - which is far from reality. The venue in which the alleged flaw was presented -- a session entitled "LOVIN THE LOLS - LOL IS MY WILL" -- promised attendees a mix of BIOS patches, AIM exploits and sexual innuendo.
There, amid the presumed innuendo, new Mozilla security chief Window Snyder -- a former @stake researcher recently hired away from Microsoft -- reportedly took seriously a video of the exploit shown at the conference, although reports do not go so far as to say whether Mozilla officials consider the exploit to be particularly novel.
In any event, characterizations of the apparently uniquely prepared exploit as "unpatchable" have spread faster than the average zero-day, without the aid of a professional security advisory to push it along.
BetaNews has contacted Mozilla.org officials for comment on the alleged flaw, which may yet be forthcoming.
fyi
I call BS on the "unfixable" part.
Besides, using NoScript renders this unconfirmed vulnerability totally impotent.
Might be a good article for the tech ping list.
Firefox vulnerable to JavaScript hackers
***************************************
By Stan Beer
| Tuesday, 03 October 2006 | |
| Two hackers have detailed a serious security flaw in the Firefox web browser that would enable attackers to gain control of any computer running the Internet Explorer rival regardless the underlying operating system. According to Mischa Spiegelmock and Andrew Wbeelsoi, who gave a detailed presentation at the ToorCon hacker conference in San Diego on Saturday, the vulnerability is not able to be patched unless Mozilla rewrites key sections of its JavaScript code. The two hackers gave a detailed presentation on stage showing a slide with key information on how to exploit the vulnerability. They said that a hacker could gain control of a computer which visits a web page containing malicious JavaScript code. Mozilla is taking the presentation seriously and is reportedly annoyed at the way the hackers disclosed the exploit in enough detail for a hacker to repoduce it. What was even more disturbing to Mozilla is that Spiegelmock and Wbeelsoi claim to have knowledge of about 30 Firefox vulnerabilities and have no intention of responsibly disclosing them to Mozilla. It seems that the US$500 a flaw bounty that Mozilla is willing to pay hackers who find genuine vulnerabilities was not enough incentive to dissuade the two hackers from contributing to the sort of environment that forces internet users to be wary of what sites they visit. Only WireTalkers can write comments.
|
Ok, being a Mozilla, Firefox fan, will someone please translate all that for me.
Extra protection for your Firefox: NoScript allows JavaScript, Java and other executable content only for trusted domains of your choice, e.g. your home-banking web site.
This whitelist based preemptive blocking approach prevents exploitation of security vulnerabilities (known and even unknown!) with no loss of functionality...
Experts do agree: Firefox is really safer with NoScript ;-)
Works with:
 |
Firefox | 1.0 - 3.0a1 | ALL |
 |
Mozilla | 1.7 - 1.8 | ALL |
 |
SeaMonkey | 1.0 - 1.5a | ALL |
When I click on it, it says "Document not found".
So, no. Don't download it.
:)
Thank you. I have never had any issues with Firefox and I allow javascript sites to load. Selectively.
https://addons.mozilla.org/firefox/722/
You can get it on that page.
And I think the link I set up works....so maybe Bigh4u2 is just having fun....
Thanks.
I've never had java till I got this computer. I don't even know what the heck java is.
Ah, thank you.
one correction,. to post #11
...I said I did a right click with the mouse button,...it is actually a left click....
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.