Critical javascript security flaw in firefox

http://news.zdnet.com/2100-1009_22-6121608.html

Hackers claim zero-day flaw in Firefox
09 / 30 / 06 | By Joris Evers

SAN DIEGO--The open-source Firefox Web browser is critically flawed in the
way it handles JavaScript, two hackers said Saturday afternoon.
An attacker could commandeer a computer running the browser simply by
crafting a Web page that contains some malicious JavaScript code, Mischa
Spiegelmock and Andrew Wbeelsoi said in a presentation at the ToorCon hacker
conference here. The flaw affects Firefox on Windows, Apple Computer's Mac
OS X and Linux, they said.

"Internet Explorer, everybody knows, is not very secure. But Firefox is also
fairly insecure," said Spiegelmock, who in everyday life works at blog
company SixApart. He detailed the flaw, showing a slide that displayed key
parts of the attack code needed to exploit it.

The flaw is specific to Firefox's implementation of JavaScript, a
10-year-old scripting language widely used on the Web. In particular,
various programming tricks can cause a stack overflow error, Spiegelmock
said. The implementation is a "complete mess," he said. "It is impossible to
patch."

The JavaScript issue appears to be a real vulnerability, Window Snyder,
Mozilla's security chief, said after watching a video of the presentation
Saturday night. "What they are describing might be a variation on an old
attack," she said. "We're going to do some investigating."

Snyder said she isn't happy with the disclosure and release of an apparent
exploit during the presentation. "It looks like they had enough information
in their slide for an attacker to reproduce it," she said. "I think it is
unfortunate because it puts users at risk, but that seems to be their goal."

At the same time, the presentation probably gives Mozilla enough data to fix
the apparent flaw, Snyder said. However, because the possible flaw appears
to be in the part of the browser that deals with JavaScript, addressing it
might be tougher than the average patch, she added. "If it is in the
JavaScript virtual machine, it is not going to be a quick fix," Snyder said.

The hackers claim they know of about 30 unpatched Firefox flaws. They don't
plan to disclose them, instead holding on to the bugs.

Jesse Ruderman, a Mozilla security staffer, attended the presentation and
was called up on the stage with the two hackers. He attempted to persuade
the presenters to responsibly disclose flaws via Mozilla's bug bounty
program instead of using them for malicious purposes such as creating
networks of hijacked PCs, called botnets.

"I do hope you guys change your minds and decide to report the holes to us
and take away $500 per vulnerability instead of using them for botnets,"
Ruderman said.

The two hackers laughed off the comment. "It is a double-edged sword, but
what we're doing is really for the greater good of the Internet, we're
setting up communication networks for black hats," Wbeelsoi said.

--
Matt Kruse
http://www.JavascriptToolbox.com
http://www.AjaxToolbox.com
Oct 2 '06 #1
VK
Matt Kruse wrote:
> http://news.zdnet.com/2100-1009_22-6121608.html
>
> Hackers claim zero-day flaw in Firefox
> 09 / 30 / 06 | By Joris Evers
>
> SAN DIEGO--The open-source Firefox Web browser is critically flawed in the
> way it handles JavaScript, two hackers said Saturday afternoon.
> An attacker could commandeer a computer running the browser simply by
> crafting a Web page that contains some malicious JavaScript code, Mischa
> Spiegelmock and Andrew Wbeelsoi said in a presentation at the ToorCon hacker
> conference here. The flaw affects Firefox on Windows, Apple Computer's Mac
> OS X and Linux, they said.

Firefox gets stable over 10% market share (not 20% this area / 2% this
area, but 10% guaranteed any market area you take). That's the next
important milestone (the first important one is 1%: "the level of
acknowledgment" was passed long ago). The Empire strikes back at the most
important promo of the competitor: security. Totally normal,
nothing outside of the regular Big Business fights.

10.02.06
C.L.J. - someone called VK claims the possibility to do whatever he
wants with any computer with IE installed. No JScript support is
required: the fact itself that you are viewing my page using IE is
self-sufficient. Hackers around the world have been benefiting from the wide
spread of this environment for many years in a row.
P.S. Is Firefox made by Gods? Sure not, by the same humans. It means
that the axiom of "Super Hacker limit" works for it as well. It will
never be able to become an *absolutely* safe environment. It can only
resolve the equation with better and better results up to (ideally
but fantastically) a totally unbreakable system and only one person in
the world able to break it (lim->1, never 0).

Oct 2 '06 #2
VK wrote:
> Matt Kruse wrote:
>> http://news.zdnet.com/2100-1009_22-6121608.html
>>
>> Hackers claim zero-day flaw in Firefox
>> 09 / 30 / 06 | By Joris Evers
>>
>> SAN DIEGO--The open-source Firefox Web browser is critically flawed in
>> the way it handles JavaScript, two hackers said Saturday afternoon.
>> An attacker could commandeer a computer running the browser simply by
>> crafting a Web page that contains some malicious JavaScript code, Mischa
>> Spiegelmock and Andrew Wbeelsoi said in a presentation at the ToorCon
>> hacker conference here. The flaw affects Firefox on Windows, Apple
>> Computer's Mac OS X and Linux, they said.
>
> Firefox gets stable over 10% market share (not 20% this area / 2% this
> area, but 10% guaranteed any market area you take). That's the next
> important milestone (the first important one is 1%: "the level of
> acknowledgment" was passed long ago). The Empire strikes back at the most
> important promo of the competitor: security. Totally normal,
> nothing outside of the regular Big Business fights.
>
> 10.02.06
> C.L.J. - someone called VK claims the possibility to do whatever he
> wants with any computer with IE installed. No JScript support is
> required: the fact itself that you are viewing my page using IE is
> self-sufficient. Hackers around the world have been benefiting from the wide
> spread of this environment for many years in a row.
> P.S. Is Firefox made by Gods? Sure not, by the same humans. It means
> that the axiom of "Super Hacker limit" works for it as well. It will
> never be able to become an *absolutely* safe environment. It can only
> resolve the equation with better and better results up to (ideally
> but fantastically) a totally unbreakable system and only one person in
> the world able to break it (lim->1, never 0).

Well, don't take it so lightly.
I am NOT happy with 20 security holes in FF.
Not at all.
The fact that one of the hackers called the JS implementation in FF 'a total
mess so don't expect a patch soon' or something along those lines, didn't
help either...

You can say 'the empire strikes back' and call it 'business as usual' and
be done with it, but that is just putting your head in the sand.
FF is insecure in its current state. Period.
Yes, that sucks.
Of course I hope they'll patch it anyway soon because I love that browser.

Regards,
Erwin Moller
Oct 3 '06 #3
Matt Kruse wrote:
> http://news.zdnet.com/2100-1009_22-6121608.html
>
> Hackers claim zero-day flaw in Firefox
> 09 / 30 / 06 | By Joris Evers
>
> SAN DIEGO--The open-source Firefox Web browser is critically flawed
> in the way it handles JavaScript, two hackers said Saturday afternoon.
> An attacker could commandeer a computer running the browser simply by
> crafting a Web page that contains some malicious JavaScript code,
> Mischa Spiegelmock and Andrew Wbeelsoi said in a presentation at the
> ToorCon hacker conference here. The flaw affects Firefox on Windows,
> Apple Computer's Mac OS X and Linux, they said.
>
> "Internet Explorer, everybody knows, is not very secure. But Firefox
> is also fairly insecure," said Spiegelmock, who in everyday life
> works at blog company SixApart. He detailed the flaw, showing a slide
> that displayed key parts of the attack code needed to exploit it.
>
> The flaw is specific to Firefox's implementation of JavaScript, a
> 10-year-old scripting language widely used on the Web. In particular,
> various programming tricks can cause a stack overflow error,
> Spiegelmock said. The implementation is a "complete mess," he said.
> "It is impossible to patch."
>
> The JavaScript issue appears to be a real vulnerability, Window
> Snyder, Mozilla's security chief, said after watching a video of the
> presentation Saturday night. "What they are describing might be a
> variation on an old attack," she said. "We're going to do some
> investigating."
>
> Snyder said she isn't happy with the disclosure and release of an
> apparent exploit during the presentation. "It looks like they had
> enough information in their slide for an attacker to reproduce it,"
> she said. "I think it is unfortunate because it puts users at risk,
> but that seems to be their goal."
>
> At the same time, the presentation probably gives Mozilla enough data
> to fix the apparent flaw, Snyder said. However, because the possible
> flaw appears to be in the part of the browser that deals with
> JavaScript, addressing it might be tougher than the average patch,
> she added. "If it is in the JavaScript virtual machine, it is not
> going to be a quick fix," Snyder said.
>
> The hackers claim they know of about 30 unpatched Firefox flaws. They
> don't plan to disclose them, instead holding on to the bugs.
>
> Jesse Ruderman, a Mozilla security staffer, attended the presentation
> and was called up on the stage with the two hackers. He attempted to
> persuade the presenters to responsibly disclose flaws via Mozilla's
> bug bounty program instead of using them for malicious purposes such
> as creating networks of hijacked PCs, called botnets.
>
> "I do hope you guys change your minds and decide to report the holes
> to us and take away $500 per vulnerability instead of using them for
> botnets," Ruderman said.
>
> The two hackers laughed off the comment. "It is a double-edged sword,
> but what we're doing is really for the greater good of the Internet,
> we're setting up communication networks for black hats," Wbeelsoi
> said.

Looks like we been had...

http://developer.mozilla.org/devnews...ed-at-toorcon/

--
Dag.
Oct 3 '06 #4
Dag Sunde wrote:
> Looks like we been had...
>
> http://developer.mozilla.org/devnews...ed-at-toorcon/

LOL, some humor...
/me goes off shooting the 'black hats'.

Regards,
Erwin Moller
Oct 3 '06 #5
VK
> Well, don't take it so lightly.
> I am NOT happy with 20 security holes in FF.
> Not at all.

I'm not taking it lightly, I'm taking it philosophically :-) Absolutely
secure web browsing is possible only via a command-line telnet app.
At least that has been the case so far. If this kind of "browsing" becomes
popular enough a hack will be found even for this :-)

Any attempt to prove that "Firefox is not Absolutely Secure" is moot
because it is a proof of the obvious (see my prev post), so let us put it
in a more reality-bound way: the number of situations where your security is
compromised is dramatically lower for FF in comparison with IE.

Also Mozilla and the success of their Firefox go against the "Big
Pacification" plan. They've made Jobs finish the "fight with Big
Brother" epoch which started with the famous "be different!" slogan.
A year earlier they forced McNealy to stop fighting Windows using
Java. It is interesting that in both cases the "ending" was set as a
public conference with a nearly theatrical scenario.
A war is expensive for owners: different standards to support (and
which one will win?), extra sets of egg-heads and hairy guys :-) on the
payroll (for different directions), this and that... As one guy at a
business meeting said (quoting from memory): "I don't give a damn what
browser is used, as long as it's the only one to deal with. Internet
Explorer is the most used one, so let it be only Internet Explorer. We
had enough of fight in the past to start it over".

> The fact that one of the hackers called the JS implementation in FF 'a total
> mess so don't expect a patch soon' or something along that lines, didn't
> help either...

I'm not a professional C++ programmer nor a hacker to comment on
Gecko source code. But taking into account that all the top-level
interface of Firefox is written in javascript: maybe it should be said
instead "because of a high level of integration of the application
interface with JavaScript engine some exploits are not so easy to fix
because a quick'n'dirty option's lock is often not an option". So
far nearly every second attack on Gecko was going by the same
scenario: an attempt to penetrate into the program execution context
using stack overflow. So far it led only to the browser crash.

> You can say 'the empire strikes back' and calling it 'business as usual' and
> be done with it, but that is just putting your head in the sand.

see the beginning of this post.

> FF is insecure in its current state. Period.

to be fixed... and new found... to be fixed... Ellipsis :-)

> Yes, that sucks.

Yep.
Actually I strongly believe that a 100,000 - million bucks fine and a
year or two of public works (each time announced in news) do much much
more for the Internet security than any sophisticated programming
protection. IMHO.

> Of course I hope they'll patch it

You can count on it.

> I love that browser.

I don't really love Firefox, nor do I hate IE. I like competition and
I hate monopoly (== stagnation).

P.S.
> ... Spiegelmock and Andrew Wbeelsoi said in a presentation
> at the ToorCon hacker conference ...

<http://www.toorcon.org/2006/sponsors.html>
Platinum: Microsoft, ...
That means nothing of course, Microsoft sincerely helps many
organizations and funds. It just came into my eyesight.

Oct 3 '06 #6
Erwin Moller wrote:
[...]
> Well, don't take it so lightly.
> I am NOT happy with 20 security holes in FF.
> Not at all.
> The fact that one of the hackers called the JS implementation in FF 'a total
> mess so don't expect a patch soon' or something along those lines, didn't
> help either...

Then you'll be happy to know that the claim of being able to take over
a PC was completely bogus, and the claim of 30 undisclosed security
holes is utterly unsubstantiated (and therefore probably bogus too).

<URL: http://news.zdnet.com/2100-1009-6122317.html >
--
Rob

Oct 3 '06 #7
On Tue, 03 Oct 2006 09:51:09 +0200, Erwin Moller wrote:
> VK wrote:
>> Matt Kruse wrote:
>>> http://news.zdnet.com/2100-1009_22-6121608.html
>>>
>>> Hackers claim zero-day flaw in Firefox
>>> 09 / 30 / 06 | By Joris Evers
>>>
>>> SAN DIEGO--The open-source Firefox Web browser is critically flawed in
>>> the way it handles JavaScript, two hackers said Saturday afternoon.
>>> An attacker could commandeer a computer running the browser simply by
>>> crafting a Web page that contains some malicious JavaScript code, Mischa
>>> Spiegelmock and Andrew Wbeelsoi said in a presentation at the ToorCon
>>> hacker conference here. The flaw affects Firefox on Windows, Apple
>>> Computer's Mac OS X and Linux, they said.
>>
>> Firefox gets stable over 10% market share (not 20% this area / 2% this
>> area, but 10% guaranteed any market area you take). That's the next
>> important milestone (the first important one is 1%: "the level of
>> acknowledgment" was passed long ago). The Empire strikes back at the most
>> important promo of the competitor: security. Totally normal,
>> nothing outside of the regular Big Business fights.
>>
>> 10.02.06
>> C.L.J. - someone called VK claims the possibility to do whatever he
>> wants with any computer with IE installed. No JScript support is
>> required: the fact itself that you are viewing my page using IE is
>> self-sufficient. Hackers around the world have been benefiting from the wide
>> spread of this environment for many years in a row.
>> P.S. Is Firefox made by Gods? Sure not, by the same humans. It means
>> that the axiom of "Super Hacker limit" works for it as well. It will
>> never be able to become an *absolutely* safe environment. It can only
>> resolve the equation with better and better results up to (ideally
>> but fantastically) a totally unbreakable system and only one person in
>> the world able to break it (lim->1, never 0).
>
> Well, don't take it so lightly.
> I am NOT happy with 20 security holes in FF.
> Not at all.
> The fact that one of the hackers called the JS implementation in FF 'a total
> mess so don't expect a patch soon' or something along those lines, didn't
> help either...

Turns out that was a hoax. You shouldn't be so gullible.

Oct 3 '06 #8
Ivan Marsh wrote:

> Turns out that was a hoax. You shouldn't be so gullible.

Wise words afterwards. :P

And yes, I knew that 12 hours ago.
(See this very thread)

Regards,
Erwin Moller
Oct 4 '06 #9
