arachnid External

Since: Nov 03, 2006 Posts: 192
|
Posted: Mon Oct 02, 2006 10:59 pm Post subject: [News] Firefox flaw overrated Archived from groups: comp>os>linux>advocacy |
|
|
This was reported a few days ago:
<http://news.com.com/Hackers+claim+zero-day+flaw+in+Firefox/2100-1002_3-6121608.html>
Hackers claim zero-day flaw in Firefox
SAN DIEGO--The open-source Firefox Web browser is critically flawed
in the way it handles JavaScript, two hackers said Saturday
afternoon.
An attacker could commandeer a computer running the browser simply by
crafting a Web page that contains some malicious JavaScript code,
Mischa Spiegelmock and Andrew Wbeelsoi said in a presentation at the
ToorCon hacker conference here. The flaw affects Firefox on Windows,
Apple Computer's Mac OS X and Linux, they said.
<snip>
The hackers claim they know of about 30 unpatched Firefox flaws. They
don't plan to disclose them, instead holding onto the bugs.
Turns out the vulnerability was a bit overstated by the press:
<http://developer.mozilla.org/devnews/index.php/2006/10/02/update-possible-vulnerability-reported-at-toorcon/>
Update: Possible Vulnerability Reported at Toorcon
We got a chance to talk to Mischa Spiegelmock, the Toorcon speaker
that reported the potential javascript security issue referenced
earlier. He gave us more code to work with and also made this
statement and agreed to let me post it here:
The main purpose of our talk was to be humorous.
As part of our talk we mentioned that there was a previously
known Firefox vulnerability that could result in a stack overflow
ending up in remote code execution. However, the code we
presented did not in fact do this, and I personally have not
gotten it to result in code execution, nor do I know of anyone
who has.
I have not succeeded in making this code do anything more than
cause a crash and eat up system resources, and I certainly
haven't used it to take over anyone else's computer and
execute arbitrary code.
I do not have 30 undisclosed Firefox vulnerabilities, nor did I
ever make this claim. I have no undisclosed Firefox
vulnerabilities. The person who was speaking with me made this
claim, and I honestly have no idea if he has them or not.
I apologize to everyone involved, and I hope I have made
everything as clear as possible. |
Roy Schestowitz External

Since: Jun 26, 2005 Posts: 26141
|
Posted: Tue Oct 03, 2006 10:12 am Post subject: Re: [News] Firefox flaw overrated Archived from groups: per prev. post |
|
|
__/ [ arachnid ] on Tuesday 03 October 2006 04:59 \__
> This was reported a few days ago:
> <http://news.com.com/Hackers+claim+zero-day+flaw+in+Firefox/2100-1002_3-6121608.html>
>
> Hackers claim zero-day flaw in Firefox
>
> SAN DIEGO--The open-source Firefox Web browser is critically flawed
> in the way it handles JavaScript, two hackers said Saturday
> afternoon.
>
> An attacker could commandeer a computer running the browser simply by
> crafting a Web page that contains some malicious JavaScript code,
> Mischa Spiegelmock and Andrew Wbeelsoi said in a presentation at the
> ToorCon hacker conference here. The flaw affects Firefox on Windows,
> Apple Computer's Mac OS X and Linux, they said.
>
> <snip>
>
> The hackers claim they know of about 30 unpatched Firefox flaws. They
> don't plan to disclose them, instead holding onto the bugs.
>
> Turns out the vulnerability was a bit overstated by the press:
> <http://developer.mozilla.org/devnews/index.php/2006/10/02/update-possible-vulnerability-reported-at-toorcon/>
>
> Update: Possible Vulnerability Reported at Toorcon
>
> We got a chance to talk to Mischa Spiegelmock, the Toorcon speaker
> that reported the potential javascript security issue referenced
> earlier. He gave us more code to work with and also made this
> statement and agreed to let me post it here:
>
> The main purpose of our talk was to be humorous.
What happened to "it's impossible to patch"? Or "one can commandeer any Mac,
Linux, or Windows machine"? Sounds to me as though they were posing. Humour
is only a lame excuse.
Firefox Still Tops IE for Browser Security
,----[ Quote ]
| "Mozilla is forthcoming about vulnerabilities," Levy said, whereas "it
| takes Microsoft far longer to acknowledge vulnerability."
|
| How much longer? "In the last reporting period, the second half of last
| year, Microsoft had acknowledged 13 vulnerabilities. We've now revised it
| to 31. The difference is that now Microsoft has acknowledged these
| vulnerabilities."
|
| [...]
|
| "Mozilla can turn around on a dime," Levy said. "Open-source programmers
| can recognize a problem and patch it in days or weeks."
|
| And as for Microsoft?
|
| "If a vulnerability is reported to Microsoft, Microsoft doesn't
| acknowledge it for at least a month or two. There's always a certain
| lag between knowing about a bug and acknowledging it," Levy said.
`----
http://www.eweek.com/article2/0,1759,1865087,00.asp?kc=EWEWKEMLP093006BOE1 |
arachnid External

Since: Nov 03, 2006 Posts: 192
|
Posted: Tue Oct 03, 2006 10:12 am Post subject: Re: [News] Firefox flaw overrated Archived from groups: per prev. post |
|
|
On Tue, 03 Oct 2006 10:12:23 +0100, Roy Schestowitz wrote:
> What happened to "it's impossible to patch"? Or "one can commandeer any Mac,
> Linux, or Windows machine"? Sounds to me as though they were posing. Humour
> is only a lame excuse.
Windows I could believe. With Linux or OS-X, all a firefox hole would
gain them is user-level access. |
Mark Kent External

Since: Feb 09, 2005 Posts: 5565
|
Posted: Wed Oct 04, 2006 6:59 am Post subject: Re: [News] Firefox flaw overrated Archived from groups: per prev. post |
|
|
begin oe_protect.scr
arachnid <none.TakeThisOut@goawayspammers.com> espoused:
> On Tue, 03 Oct 2006 10:12:23 +0100, Roy Schestowitz wrote:
>
>> What happened to "it's impossible to patch"? Or "one can commandeer any Mac,
>> Linux, or Windows machine"? Sounds to me as though they were posing. Humour
>> is only a lame excuse.
>
> Windows I could believe. With Linux or OS-X, all a firefox hole would
> gain them is user-level access.
>
Ho ho ho ho, I smell the blood of Redmond money.
--
| Mark Kent -- mark at ellandroad dot demon dot co dot uk |
Q: Heard about the <ethnic> who couldn't spell?
A: He spent the night in a warehouse. |
Roy Schestowitz External

Since: Jun 26, 2005 Posts: 26141
|
Posted: Wed Oct 04, 2006 2:07 pm Post subject: Re: [News] Firefox flaw overrated Archived from groups: per prev. post |
|
|
__/ [ Mark Kent ] on Wednesday 04 October 2006 06:59 \__
> begin oe_protect.scr
> arachnid <none RemoveThis @goawayspammers.com> espoused:
>> On Tue, 03 Oct 2006 10:12:23 +0100, Roy Schestowitz wrote:
>>
>>> What happened to "it's impossible to patch"? Or "one can commandeer any
>>> Mac, Linux, or Windows machine"? Sounds to me as though they were
>>> posing. Humour is only a lame excuse.
>>
>> Windows I could believe. With Linux or OS-X, all a firefox hole would
>> gain them is user-level access.
>>
>
> Ho ho ho ho, I smell the blood of Redmond money.
I guess that beast of Redmond has no blood, so money is where it stores its
life reserves. It's amazing how often they get away from illegal practices by
paying for damages that only hurt them in the short term (c/f Netscape,
RealNetworks). As Ballard says, Microsoft perceives itself as an entity that
is above the law. It seems as though the employees cannot be jailed, so it's
a game of "offend, get slapped on the wrist and then carry on as usual".
Frankly, I think the EU and Korea have had enough of this. |