Thanks to franzon, who posted this article in Back Page News.

The open-source Firefox Web browser is critically flawed in the way it handles JavaScript, two hackers said Saturday afternoon.

An attacker could commandeer a computer running the browser simply by crafting a Web page that contains some malicious JavaScript code, Mischa Spiegelmock and Andrew Wbeelsoi said in a presentation at the ToorCon hacker conference here. The flaw affects Firefox on Windows, Apple Computer's Mac OS X and Linux, they said.

"Internet Explorer, everybody knows, is not very secure. But Firefox is also fairly insecure," said Spiegelmock, who in everyday life works at blog company SixApart. He detailed the flaw, showing a slide that displayed key parts of the attack code needed to exploit it.

The flaw is specific to Firefox's implementation of JavaScript, a 10-year-old scripting language widely used on the Web. In particular, various programming tricks can cause a stack overflow error, Spiegelmock said. The implementation is a "complete mess," he said. "It is impossible to patch."

View: Full Article @ C|Net News
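The article says the flaw is a "stack overflow" reached through "various programming tricks" in Firefox's JavaScript implementation, and leaves it there. The following is an added example, not code from the C|Net article, the ToorCon talk or Mozilla, showing what stack exhaustion means at the JavaScript level: a conforming engine turns it into a catchable RangeError, so a script that recurses without bound only kills itself. A process crash (the denial of service Mozilla later reproduced) or code execution requires a defect in the engine's native code, which is a different and much stronger claim. The second half shows the defensive habit that follows from this: recursive code that handles untrusted input carries its own depth limit instead of relying on the engine's. The exception name and the sample inputs are assumptions, noted in the comments.

```javascript
// Added example, not code from the C|Net article, the ToorCon talk or Mozilla.

// Recurse until the engine refuses and report how deep we got.
function probeStackDepth() {
  let depth = 0;
  function dive() {
    depth += 1;
    dive();
  }
  try {
    dive();
  } catch (e) {
    // Assumption: the engine signals exhaustion as RangeError (V8 and
    // SpiderMonkey both do; the exact depth varies by engine and frame size).
    return { depth, error: e.name };
  }
  return { depth, error: null }; // not reached in practice
}

// Defensive counterpart: code that recurses over untrusted input should carry
// its own depth limit.  The engine's RangeError threshold is unspecified, and
// catching it can leave the program halfway through a state change.  This
// walker measures bracket nesting and refuses hostile depth cleanly.
function maxNesting(text, limit = 1000) {
  let i = 0;
  function walk(depth) {
    if (depth > limit) {
      throw new Error('nesting limit exceeded');
    }
    let deepest = depth;
    while (i < text.length) {
      const ch = text[i++];
      if (ch === '[') {
        deepest = Math.max(deepest, walk(depth + 1));
      } else if (ch === ']') {
        return deepest;
      }
    }
    return deepest;
  }
  return walk(0);
}

// Constructed inputs: a benign document, and a "programming trick" that is
// nothing but an open bracket repeated far past any sane nesting depth.
const benign = '[a[b[c]]][d]';
const hostile = '['.repeat(100000);

if (typeof require !== 'undefined' && require.main === module) {
  console.log('engine stack limit:', probeStackDepth());
  console.log('benign nesting:', maxNesting(benign));
  try {
    maxNesting(hostile);
  } catch (e) {
    console.log('hostile input rejected:', e.message);
  }
}
```

The hostile string is handed to a recursive walker on purpose: with the explicit limit it is rejected after about a thousand frames, long before the engine's own limit, so the failure is a clean exception in the caller's control rather than whatever state the engine happened to be in.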



#1 Posted by Primetime2006 on 01 Oct 2006 - 16:59 (8 replies)
Go ahead. Let the browser war begin. Here, I'll start it.


"Firefox isn't so safe after all. All the fanboys begging everyone to switch from IE to Firefox are eating their words now."


Ok, I'm done. Go nuts everyone.

#1.1 Posted by Jugalator on 01 Oct 2006 - 17:49
That was the lamest troll post I've seen in a while.
Sure, it succeeded, as it made me reply, but still...

Go nuts about what? That Firefox is like every other browser out there?
I don't think many Firefox fans are claiming it's bug free. :-p
#1.2 Posted by MrCobra on 01 Oct 2006 - 18:16
No it's the fanbois that claim it's the holy grail of the internet.
#1.3 Posted by coolchan on 01 Oct 2006 - 19:00
Dude you missed the browser war by 10 years! lame.
#1.4 Posted by Berserk on 02 Oct 2006 - 01:15
Obviously there is no "holy grail" of web browsers; they're all gonna have exploits...

But yes, I do believe Firefox is better, because it runs smoother and loads better/faster than IE6 (for me). I haven't tried the newest release of IE7, but I did try the first release.

#1.5 Posted by cork1958 on 02 Oct 2006 - 02:05
Quote - Berserk said @ #1.4
obviously there is no "holy grail" of web browsers, there all gonna have exploits...

but yes, i do believe firefox is better, because it runs smoother, and loads better/faster than IE6 (for me) i havnt tried the newest release of IE 7, but i did try the first release.


I can almost like Firefox in Linux, but for me it absolutely blows in Windows. Crashes and burns all the time. Not as fast as IE either. But, even in Linux, I can't stand Firefox either, just because I became so nauseated from all the fanboyism. Using SeaMonkey over Firefox in my current install of Zenwalk 3.0. Yeah, I know, just about the same browser.
#1.6 Posted by Berserk on 02 Oct 2006 - 03:52
Quote - cork1958 said @ #1.5
I can almost like Firefox in Linux, but for me it absolutely blows in Windows. Crashes and burns all the time. Not as fast as IE either. But, even in Linux, I can't stand Firefox either just because I became so nauseated from all the fanboyism. Using Seamonky over Firefox in my current install of Zenwalk 3.0. Yeah, I know, just about the same browser.

????

I've had Firefox crash on me maybe 3 or 4 times in 3/4 years, and it loads way faster than IE, on EVERYTHING.
The only thing I use IE for is checking my WLMail.
#1.7 Posted by DaveBG on 02 Oct 2006 - 07:57
I also think that firefox SUX
I will never use it.
#1.8 Posted by RiVaLSSJ on 02 Oct 2006 - 20:49
^
Quote - Jugalator said @ #1.1
Go nuts about what? That Firefox is like every other browser out there?

It obviously has started a war...
#2 Posted by idoia on 01 Oct 2006 - 17:00 (1 reply)
NoScript!!!! fgfjfdhfdhfdjld
#2.1 Posted by Emphatic on 01 Oct 2006 - 20:41
Erm, if you actually wanna use most websites, scripting might be handy... and if you're suggesting turning it on for websites you trust, you just skipped out the mainstream user, who is the main target for exploits like this anyway (unless you wanna claim that Firefox has few mainstream users, of course...).
#3 Posted by -Dave- on 01 Oct 2006 - 17:01
Hmm, I guess it's no coincidence that 7 JS security fixes landed on the 2.0 branch last night then........

I expect this is almost fixed already, prior to the release of 2.0.
#4 Posted by barneyt on 01 Oct 2006 - 17:08 (2 replies)
Yup... NoScript will do it:

https://addons.mozilla.org/firefox/722/

Barney
#4.1 Posted by rive on 01 Oct 2006 - 19:38
Heh, agree. NoScript really works wonders, though this is the first js-based vulnerability I've seen.
#4.2 Posted by k22 on 01 Oct 2006 - 23:06
Quote - barneyt said @ #4
Yup... NoScript will do it:

https://addons.mozilla.org/firefox/722/

Barney


Or: about:config in the address bar, Enter, filter "java", double-click "javascript.enabled" to turn it off.
#5 Posted by Cryton on 01 Oct 2006 - 17:19 (2 replies)
Please bear in mind this is only one side of the story; none of the mozdevs have blogged about this yet. Their declaration that "they know of about 30 unpatched Firefox flaws" can't be verified since they refuse to file the bugs so they can be examined.

And their assertion that what they're doing "is really for the greater good of the Internet" is just plain f*cktarded. What i think they're /really/ doing is getting media attention by bragging about the fact they found some exploits so they can sell the other exploits to nefarious people who can abuse them proper.
#5.1 Posted by Primetime2006 on 01 Oct 2006 - 17:22
Quote - Cryton said @ #5
Please bear in mind this is only one side of the story; none of the mozdev's have blogged about this yet. Their declaration that "they know of about 30 unpatched Firefox flaws" can't be verified since they refuse to file the bugs so they can be examined.

And their assertion that what they're doing "is really for the greater good of the Internet" is just plain f*cktarded. What i think they're /really/ doing is getting media attention by bragging about the fact they found some exploits so they can sell the other exploits to nefarious people who can abuse them proper.


There *are* unpatched flaws with Firefox. I'm sure there are unpatched flaws in many software applications.

Do you wear tinfoil hats on your head and claim that TV gives you radiation?

Talk about delusional.



#5.2 Posted by Cryton on 01 Oct 2006 - 17:42
Quote - Primetime2006 said @ #5.1
There *are* unpatched flaws with Firefox. I'm sure there are unpatched flaws in many software applications.
Do you wear tinfoil hats on your head and claim that TV gives you radiation?
Talk about delusional.

Uh, I never said there weren't vulnerabilities in firefox. If man can make it, man can break it.

Talk about the inability to read and comprehend simple sentences!

Last edited by Cryton on 01 Oct 2006 - 17:47
#6 Posted by EduardValencia on 01 Oct 2006 - 17:37 (6 replies)
And here we go again, Firefox. Well done.
#6.1 Posted by em_te on 01 Oct 2006 - 18:51
Is it the browser's fault that people don't know how to properly configure their computers? There is no excuse for not using the NoScript extension.
#6.2 Posted by XerXis on 01 Oct 2006 - 20:02
Quote - em_te said @ #6.1
Is it the browser's fault that people don't know how to properly configure their computers? There is no excuse for not using the NoScript extension.


That's ridiculous; many sites rely on JavaScript and have every right to do so.
#6.3 Posted by RangerLG on 01 Oct 2006 - 21:53
Quote - em_te said @ #6.1
Is it the browser's fault that people don't know how to properly configure their computers? There is no excuse for not using the NoScript extension.


If it's such a useful feature, why doesn't Firefox have it implemented by default?
#6.4 Posted by mram on 01 Oct 2006 - 23:15
Quote - RangerLG said @ #6.3
If its such a useful feature, why doesn't Firefox have it implemented by default?


Because people actually like to use features on websites.
#6.5 Posted by Fourjays on 02 Oct 2006 - 12:14
Quote - mram said @ #6.4
Quote - RangerLG said @ #6.3
If its such a useful feature, why doesn't Firefox have it implemented by default?


Because people actually like to use features on websites.


Please learn what you are commenting on before making stupid comments like that. NoScript allows you to allow and disallow JavaScript on a per-site basis. So when you visit a new site, the JavaScript is disabled. If you think you can trust it, then you can enable it permanently or temporarily.

E.g.: here on Neowin at the moment, it has JavaScript from neowin.net enabled, but it has JavaScript from netshelter.net, intellitxt.com and falkag.net disabled. Those (I believe) are to do with Neowin's advertising, but I can't be sure that I can trust them, so I leave them disabled.

I have to allow a lot of websites for them to work though. Not a problem really, but it gives me a chance to deem whether the site is likely to have some dodgy JavaScript there or not.
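The comment above describes the mechanism: a default-deny script policy keyed on the site the script comes from, with permanent and session-only allow lists. The following is an added example, not NoScript's own code, that implements that decision for a script URL. The hostnames are the ones named in the comment; the matching rule (an entry covers itself and its subdomains, on a label boundary) and the session model are assumptions, marked in the comments.

```javascript
// Added example, not NoScript's own code: a minimal per-site script policy.

class ScriptPolicy {
  constructor(permanent = []) {
    this.permanent = new Set(permanent.map(normalize));
    this.session = new Set(); // "temporarily allow": cleared with the session
  }

  allowPermanently(site) { this.permanent.add(normalize(site)); }
  allowTemporarily(site) { this.session.add(normalize(site)); }
  endSession() { this.session.clear(); }

  // Decide for one script URL.  Returns { allowed, reason }.
  decide(scriptUrl) {
    let host;
    try {
      host = new URL(scriptUrl).hostname.toLowerCase();
    } catch {
      // An unparsable source gets no benefit of the doubt.
      return { allowed: false, reason: 'unparsable URL' };
    }
    if (matches(host, this.permanent)) return { allowed: true, reason: 'whitelisted' };
    if (matches(host, this.session)) return { allowed: true, reason: 'session allow' };
    return { allowed: false, reason: 'default deny' };
  }
}

function normalize(site) {
  return site.trim().toLowerCase().replace(/\.$/, '');
}

// Assumption: an entry covers itself and its subdomains, matched on a label
// boundary, so "neowin.net" covers "www.neowin.net" but not "evilneowin.net".
// A plain endsWith() check without the dot would get that wrong.
function matches(host, sites) {
  for (const site of sites) {
    if (host === site || host.endsWith('.' + site)) return true;
  }
  return false;
}

// Constructed scenario: the permanent entry and the blocked ad domains named
// in the comment above, plus a look-alike host to show the boundary check.
const policy = new ScriptPolicy(['neowin.net']);
const sampleScripts = [
  'https://www.neowin.net/js/forum.js',
  'http://ads.netshelter.net/tag.js',
  'http://itxt.intellitxt.com/script.js',
  'http://falkag.net/serve.js',
  'http://evilneowin.net/x.js',
];

function evaluate(pol, urls) {
  return urls.map((u) => [u, pol.decide(u)]);
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const [u, d] of evaluate(policy, sampleScripts)) {
    console.log(d.allowed ? 'ALLOW' : 'BLOCK', u, '(' + d.reason + ')');
  }
}
```

The point of the session list is the one mrbester makes further down the thread: a one-off site gets scripts for this visit only, so the permanent list stays short enough to actually review.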
#6.6 Posted by RiVaLSSJ on 02 Oct 2006 - 20:51
Quote - EduardValencia said @ #6
and here we go again firefox,well done

This could be said about any software/program...

Every time an IE patch comes out we hear this...
#7 Posted by mircleman on 01 Oct 2006 - 18:14
The comment that it can't be fixed is pure stupidity.
#8 Posted by bibutteryboy on 01 Oct 2006 - 18:28
Quote -
#1.1 Posted by ThaCrip on 30 Sep 2006 - 22:18
That's why Firefox is the best choice (or anything besides IE), since I think other browsers are safer in general: if a flaw is found, odds are most hackers will only target IE, since it has the most users.


heh
#9 Posted by miniM3 on 01 Oct 2006 - 18:45
so what? THERE will never be a perfect browser or any piece of software for that matter. Find a flaw, exploit, fix and repeat....
#10 Posted by em_te on 01 Oct 2006 - 18:50
What is a Spiegelmock and Wbeelsoi?
#11 Posted by CrisCr0ss on 01 Oct 2006 - 19:08
That's why we have NoScript.
#12 Posted by andy2004 on 01 Oct 2006 - 19:30
The apocalypse is here!! Quick, everyone run for the hills.
#13 Posted by Midnight Mick on 01 Oct 2006 - 19:37 (5 replies)
Does Opera suffer from this?
#13.1 Posted by XP1 on 01 Oct 2006 - 20:03
Quote - Midnight Mick said @ #13
Does Opera suffer from this?


Opera has 0 unpatched vulnerabilities:
Firefox has 3 unpatched vulnerabilities:

Opera: http://secunia.com/product/10615/
Firefox: http://secunia.com/product/4227/
#13.2 Posted by dextro on 02 Oct 2006 - 09:39
Quote - XP1 said @ #13.1
Quote - Midnight Mick said @ #13
Does Opera suffer from this?


Opera has 0 unpatched vulnerabilities:
Firefox has 3 unpatched vulnerabilities:

Opera: http://secunia.com/product/10615/
Firefox: http://secunia.com/product/4227/


Firefox is open source, Opera is not... In Firefox you can check the code for vulnerabilities, and in Opera you can't... I wonder if that might help those numbers...

And btw: 3?!?!? Man, that's a lot. I wonder how many IE has, LOL.
#13.3 Posted by Unplugged on 02 Oct 2006 - 10:02
Also, the number of vulnerabilities is proportional to the number of users.

The more users your software has, the more errors will be found; that's just simple logic. It's also the same case with errors: if you have 10 times as many users as your competitor, there is a 9 times greater chance they will run into an error, maybe causing said software to crash.

Opera has no vulnerabilities because nobody uses it. It's like Macs: why bother exploiting a vulnerability that maybe one in every 2 million hits to your infected page might actually affect?
#13.4 Posted by dangel on 02 Oct 2006 - 14:26
Quote - Unplugged said @ #13.3
Opera has no vunrabilities because noboody uses it its like macs why bother exploting a vunrability that maybe one in every 2 million hits to your infected page might actually effect.


I do

And so do all my happy-bunny friends
#13.5 Posted by XP1 on 30 Nov 2006 - 22:18
I guess for the paranoid, their best choice would be the Opera web browser.

I like Opera because everything I could ever need is already included.
When I install 10-20 extensions with Firefox, I can see that startup time slows down a bit.
I also see high memory usage with Firefox instead of Opera from being open over a week's period.

I do use Firefox sometimes, but most of the time is when I'm being forced.
IMO, Firefox is a good browser but Opera fits my needs better.
#14 Posted by Neobond on 01 Oct 2006 - 20:44
Neowin relies on Javascript.. with it disabled the experience would be sub-par. This is the case for many web sites today.
#15 Posted by eilegz on 01 Oct 2006 - 21:48
Well, even with that I find Firefox more secure. I don't know; in my workplace, where people only use IE, it's a complete mess, with spyware and too many problems just to deal with IE. I'm using Firefox and Opera, and so far 0 spyware and no problems with them. Now, IE7 on Vista is a big improvement, but now that I've used Firefox it's just too great to switch back; extensions are part of my life these days. I can only rely on IE when I use Windows Live Mail and Windows Update; I use Opera when I need something fast.

So in the end it's good to have 3 browsers and have some choice. Nothing can be perfect, and there's no 100% security either.
#16 Posted by Chugworth on 01 Oct 2006 - 22:13 (5 replies)
It has always been shocking to me just how popular NoScript is. I mean, I hate Java just as much as the next person, but by disabling JavaScript, you botch up about 75% of the sites on the Internet, making many of them completely unusable.
#16.1 Posted by Miran on 02 Oct 2006 - 00:15
Java != Javascript
#16.2 Posted by Chugworth on 02 Oct 2006 - 03:30
Quote - Miran said @ #16.1
Java != Javascript

Yeah, I know. I hate Java more than JavaScript (since it requires me to download crappy Sun software), but I really don't like either one of them.
#16.3 Posted by Danrarbc641 on 02 Oct 2006 - 04:31
NoScript doesn't completely block JavaScript. It still works fine for sites you whitelist. Think of it as the 'trusted sites' zone for Firefox.
#16.4 Posted by Ideas Man on 02 Oct 2006 - 07:54
So, it's an addon you have to download for a feature that's been part of IE since like v4, about 8 years ago, fascinating.
#16.5 Posted by mrbester on 02 Oct 2006 - 11:40
Quote - Ideas Man said @ #16.4
So, it's an addon you have to download for a feature that's been part of IE since like v4, about 8 years ago, fascinating.

Whachoo talkin' 'bout Willis? NoScript allows me to run neowin's scripts, but not scripts from (checks) netshelter.net, intellitxt.com or falkag.net. It also allows me to temporarily (i.e. for that session) run scripts so I don't have a massive whitelist for sites I don't visit very often (such as a Google result for some obscure search). IE has a checkbox that is global; run script or don't run script. Having to go: Tools -> Internet Options -> (click on) Security [
-> click Internet -> Custom Level -> (scroll, scroll, scroll) Scripting::Active scripting::Enable (click) -> OK |
-> click Trusted Sites -> Sites... (click) -> check site url -> Add -> verify https checkbox off -> Close -> ]
-> OK
every time I want to use a site because I happen to be using IE in a locked down mode is not worth the hassle.
#17 Posted by Croquant on 01 Oct 2006 - 22:27 (8 replies)
I'm sure the folks at Mozilla will have this flaw fixed in a week or so.
I wonder if Firefox 2.0 RC1 is affected?

Spiegelmock said, "It is impossible to patch," but as we all know, that's complete bull****. Nothing is impossible.
#17.1 Posted by RealFduch on 01 Oct 2006 - 23:17
I'm sure the folks at Mozilla will make browser without bugs.
Nothing is impossible.
#17.2 Posted by Jexel on 01 Oct 2006 - 23:22
Quote - RealFduch said @ #17.1
I'm sure the folks at Mozilla will make browser without bugs.
Nothing is impossible.


I'm sure that the flaw will be fixed but there ALWAYS will be bugs no matter how hard they try.
#17.3 Posted by mikey on 01 Oct 2006 - 23:28
Bugs are inherent with new features. The only way to truly fix all bugs would be to stop developing it and concentrate on bug fixes.

Just don't visit websites that are likely to take over your computer.
#17.4 Posted by MrCobra on 01 Oct 2006 - 23:35
Quote - mikey said @ #17.3
Bugs are inherent with new features. The only way to truly fix all bugs would be to stop developing it and concentrate on bug fixes.

That would be quite impossible as well. In fixing software bugs, new ones are inadvertently created or exposed elsewhere. There has never been, is not now, or will ever be bug free software.
#17.5 Posted by Magallanes on 02 Oct 2006 - 00:47
Quote - MrCobra said @ #17.4
Quote - mikey said @ #17.3
Bugs are inherent with new features. The only way to truly fix all bugs would be to stop developing it and concentrate on bug fixes.

That would be quite impossible as well. In fixing software bugs, new ones are inadvertently created or exposed elsewhere. There has never been, is not now, or will ever be bug free software.


Not really.

For example, to stop a SQL injection, the solution is to limit the string. The function to limit the string can be built flawlessly in fewer than 15 lines of code, so this fix will not generate more bugs.
#17.6 Posted by Broken Halo on 02 Oct 2006 - 00:52
Quote - MrCobra said @ #17.4
Quote - mikey said @ #17.3
Bugs are inherent with new features. The only way to truly fix all bugs would be to stop developing it and concentrate on bug fixes.

That would be quite impossible as well. In fixing software bugs, new ones are inadvertently created or exposed elsewhere. There has never been, is not now, or will ever be bug free software.


I disagree, a "Hello World!" I wrote once didn't have any bugs!
#17.7 Posted by Smigit on 02 Oct 2006 - 02:29
Exactly, you CAN write bug-free code. The thing is that as soon as the code begins to expand it becomes exponentially harder to keep it working bug-free. But if hello world can be bug-free, then it's not impossible for other apps to be bug-free, just very unlikely and not at all expected. I suspect 90% of software bugs are ones no one would even notice anyway.
#17.8 Posted by DomG on 02 Oct 2006 - 10:55
Quote - Broken Halo said @ #17.6
Quote - MrCobra said @ #17.4
Quote - mikey said @ #17.3
Bugs are inherent with new features. The only way to truly fix all bugs would be to stop developing it and concentrate on bug fixes.

That would be quite impossible as well. In fixing software bugs, new ones are inadvertently created or exposed elsewhere. There has never been, is not now, or will ever be bug free software.


I disagree, a "Hello World!" I wrote once didn't have any bugs!


Last time I tried to write a "Hello World!" app, my computer was taken over by hackers
#18 Posted by machorro on 02 Oct 2006 - 02:35 (2 replies)
this is just like the OS X wireless vulnerability...

Why can't they show REAL proof of the vulnerability? They don't have to show and/or give the code, just show a LIVE example, not like the OS X example where it was taped and then shown.

its not so hard to do... -_-
#18.1 Posted by The_Decryptor on 02 Oct 2006 - 04:04
Unlike the OS X incident, these guys actually showed it working (and actually have proof as well)

Anyway, this isn't a Firefox issue, the JS interpreter is part of the engine (Gecko) and is also a stand alone component (for example, a scripting plug-in for OS X uses it)
#18.2 Posted by Cryton on 02 Oct 2006 - 12:50
Quote - The_Decryptor said @ #18.1
Unlike the OS X incident, these guys actually showed it working (and actually have proof as well)

Anyway, this isn't a Firefox issue, the JS interpreter is part of the engine (Gecko) and is also a stand alone component (for example, a scripting plug-in for OS X uses it)

Gecko is firefox's rendering engine (which doesn't use javascript). Spidermonkey is firefox's JS implementation.
#19 Posted by C_Guy on 02 Oct 2006 - 17:52
"Internet Explorer, everybody knows, is not very secure. But Firefox is also fairly insecure," said Spiegelmock, who in everyday life works at blog company SixApart.

A blog expert, I guess he would know.

I wish people could restrain themselves from spewing crap. I've always used IE and not once, ever, had a virus, malware attack, or compromise on my system.

IE and FF are not perfect. Let's all move on and just use the browser we like best.
#20 Posted by Cryton on 02 Oct 2006 - 23:21
From http://developer.mozilla.org/devnews/index...ted-at-toorcon/

Quote -
When someone says they’ve identified a vulnerability, we treat it as real until we can verify otherwise. We immediately begin investigating and trying to fix it. This is how we’re able to ship fixes so quickly.

At Toorcon this weekend, two speakers claimed they found vulnerabilities in the Javascript VM. Of course we take that very seriously.

So far we’ve been able to reproduce a denial of service issue based on the information they gave during their talk. In some cases this causes a crash based on an out of memory error. Based on the information we have at this time we have not been able to confirm whether an attacker can achieve code execution. We’re still investigating and we’ll keep you updated.

-Window Snyder
#21 Posted by Davebo on 03 Oct 2006 - 03:54 (1 reply)
UPDATE:

http://developer.mozilla.org/devnews/index...ted-at-toorcon/

Quote -
We got a chance to talk to Mischa Spiegelmock, the Toorcon speaker that reported the potential javascript security issue referenced earlier. He gave us more code to work with and also made this statement and agreed to let me post it here:

The main purpose of our talk was to be humorous.



As part of our talk we mentioned that there was a previously known Firefox vulnerability that could result in a stack overflow ending up in remote code execution. However, the code we presented did not in fact do this, and I personally have not gotten it to result in code execution, nor do I know of anyone who has.



I have not succeeded in making this code do anything more than cause a crash and eat up system resources, and I certainly haven’t used it to take over anyone else’s computer and execute arbitrary code.



I do not have 30 undisclosed Firefox vulnerabilities, nor did I ever make this claim. I have no undisclosed Firefox vulnerabilities. The person who was speaking with me made this claim, and I honestly have no idea if he has them or not.

I apologize to everyone involved, and I hope I have made everything as clear as possible.

Sincerely,

Mischa Spiegelmock

Even though Mischa hasn’t been able to achieve code execution, we still take this issue seriously. We will continue to investigate.

-Window Snyder
#21.1 Posted by Fred Derf on 03 Oct 2006 - 19:34
Quote - Davebo said @ #21

Yeah, we have a BPN forum thread on that one too:
http://www.neowin.net/forum/index.php?showtopic=500453
#22 Posted by Croquant on 03 Oct 2006 - 22:17
http://www.pcworld.com/article/127375-1/ar...ml?tk=nl_dnxnws

Spiegelmock has now admitted that the whole thing was "...all a joke." There never was any vulnerability. At worst, all that could happen is that you could crash the client.
