hackers found critical flaw in Firefox

vibebob
Posts: 271
Joined: Sat Jul 09, 2005 10:54 pm

hackers found critical flaw in Firefox

Post by vibebob »

I read this on Google News and thought it might be of interest to some.

Two hackers at the ToorCon hacker conference in San Diego said that they’ve found a critical flaw in Firefox that looks, to them at least, impossible to patch. The hackers, who have been named as Mischa Spiegelmock and Andrew Wbeelsoi, said that someone could execute an attack simply by creating a webpage with malicious JavaScript code. In most attacks, hackers have to get a computer user to download something to the computer, but in this case, they won’t know what hit them.

Windows users are used to facing security threats, but smug Apple and Linux users aren’t immune to this bug, as it affects all versions of Firefox. Spiegelmock said that malicious code could create a stack overflow error, and called the implementation “a complete mess”.

Mozilla’s security chief Window Snyder took the presentation completely seriously after watching a video of it; she said Mozilla would “do some investigating”, but isn’t happy about the release of the exploit to the wide world of hackers.

The reason that the flaw is so difficult to patch? It’s in the part of the browser that deals with JavaScript. After hearing that the two hackers know of another 30 unpatched flaws in Firefox, Jesse Ruderman, a Mozilla security staffer, encouraged them to disclose the bugs to Mozilla, who gives away $500 per vulnerability.

Wbeelsoi simply said, “It’s a double-edged sword, but what we’re doing is really for the greater good of the Internet. We’re setting up communication networks for black hats”.

Black hats are malicious hackers, and most want to exploit flaws for private gain. However, many promote accessibility over privacy and security, so why they want to target open-source software of the type Mozilla develops is anyone’s guess.
no longer a vibe owner
"Peace cannot be kept by force. It can only be achieved by understanding." Albert Einstein.
Atomb
Posts: 1236
Joined: Mon May 17, 2004 1:17 am

Post by Atomb »

I saw this and spent some time today googling around to find out if my NoScript extension will help prevent the JavaScript vulnerability, considering it won't let any JavaScript run until I allow it to run? Anybody know for sure?
I have signatures turned off so I'm not even sure what mine says in this space!
northvibe
Posts: 7641
Joined: Tue Jul 05, 2005 2:25 pm

Post by northvibe »

At least Mozilla is trying to fix it by getting help from the hackors... unlike some... uh, companies... MS, cough. Well, I use Safari on Mac and IE7 on Windows... but I love Firefox still. Hope they can fix it up :S JavaScript seems to be the cause of too many holes... good post!
Atomb
Posts: 1236
Joined: Mon May 17, 2004 1:17 am

Post by Atomb »

Latest news: it was all a hoax. http://www.itwire.com.au/content/view/6015/53/
zionzr2
Posts: 3174
Joined: Tue Jul 27, 2004 4:59 am
Location: Austin, TX

Re: (Atomb)

Post by zionzr2 »

I thought I smelled something fishy about this whole story!
ColonelPanic
Posts: 8439
Joined: Sun Jan 05, 2003 8:48 am
Location: South Central Indiana

Re: (northvibe)

Post by ColonelPanic »

Quote, originally posted by northvibe » At least Mozilla is trying to fix it by getting help from the hackors... unlike some... uh, companies... MS, cough. Well, I use Safari on Mac and IE7 on Windows... but I love Firefox still. Hope they can fix it up

It is good that they continue to investigate and find the cause. That's what separates the open source folks from the big evil monopoly. lol! They don't fix bad stuff when it is uncovered until who knows when, probably when the bean counters say it's OK to spend money on finding a fix.

JavaScript is pretty evil at times. Not as evil as ActiveX, mind you. Glad I don't run platforms that support that virus. lol!

Anyway, I'd say if you can disable JavaScript in your browser, you'd probably be safe. Does Firefox have an option like Opera has, where you can instantly disable all plugins? That rocks, it's come in handy many times when I encounter sites with annoying Flash crap or JavaScript. Opera rules.
03 Vibe base. Born 10/14/2002 06:07 AM
Auto, Moon & Tunes, power package. 143k
Neptune/dying clearcoat/primer grey. :lol:

'21 Elantra Limited - 2.0L/IVT
'15 Escape SE - 1.6L EcoBoost (hers)
Atomb
Posts: 1236
Joined: Mon May 17, 2004 1:17 am

Post by Atomb »

I use NoScript... doesn't let any JavaScript run unless I say it can run!