
Firefox Browser Usage and Support Forum

    
Hackers Claim Zero-Day Flaw In Firefox
engine

WebmasterWorld Administrator, WebmasterWorld Top Contributor of All Time, 10+ Year Member, Top Contributors Of The Month, Best Post Of The Month



 
Msg#: 3105107 posted 11:24 am on Oct 2, 2006 (gmt 0)

The open-source Firefox Web browser is critically flawed in the way it handles JavaScript, two hackers said Saturday afternoon.

An attacker could commandeer a computer running the browser simply by crafting a Web page that contains some malicious JavaScript code, Mischa Spiegelmock and Andrew Wbeelsoi said in a presentation at the ToorCon hacker conference here. The flaw affects Firefox on Windows, Apple Computer's Mac OS X and Linux, they said.

"Internet Explorer, everybody knows, is not very secure. But Firefox is also fairly insecure," said Spiegelmock, who in everyday life works at blog company SixApart. He detailed the flaw, showing a slide that displayed key parts of the attack code needed to exploit it.

Hackers claim zero-day flaw in Firefox [news.com.com]

 

webdoctor

WebmasterWorld Senior Member 10+ Year Member



 
Msg#: 3105107 posted 12:24 pm on Oct 2, 2006 (gmt 0)

"commandeer a computer running the browser simply by crafting a Web page that contains some malicious JavaScript code"

If you are running Firefox as a standard user (no administrator privileges), in what sense does the bad guy "commandeer the computer" with this exploit?

Is this JavaScript vulnerability also coupled with a privilege escalation? Can't imagine that works on Windows, OS X, *and* Linux all at once.

I suppose "commandeer the user account running the application" doesn't sound nearly as sexy.

texasville

WebmasterWorld Senior Member 5+ Year Member



 
Msg#: 3105107 posted 2:03 pm on Oct 2, 2006 (gmt 0)

"commandeer the user account running the application"

good enough. that's a big flaw.

webdoctor

WebmasterWorld Senior Member 10+ Year Member



 
Msg#: 3105107 posted 2:24 pm on Oct 2, 2006 (gmt 0)

"good enough. that's a big flaw."

Yes, it's a big flaw.

The point is that Firefox runs as a user-space application. Another browser that is regarded as being a part of the operating system might be FAR MORE vulnerable if it had this kind of vulnerability.

Given the choice, I'd prefer a user-level compromise to a root-level compromise on a workstation hooked to my corporate network. I assume we all would.

bateman_ap

WebmasterWorld Senior Member 10+ Year Member



 
Msg#: 3105107 posted 3:08 pm on Oct 2, 2006 (gmt 0)

"If you are running Firefox as a standard user (no administrator privileges), in what sense does the bad guy "commandeer the computer" with this exploit?"

I would say 99% of home users run with admin rights...

webdoctor

WebmasterWorld Senior Member 10+ Year Member



 
Msg#: 3105107 posted 3:16 pm on Oct 2, 2006 (gmt 0)

"I would say 99% of home users run with admin rights..."

You're probably right.

What percentage of cyclists wear a cycle helmet? Not that many, but strangely there aren't many cyclists who'd argue that they'd prefer to be knocked off their bike WITHOUT a helmet vs. WITH a helmet.... so just because not many people do 'X' doesn't mean that 'X' is a bad idea.

Put another way, if MSFT were writing the security bulletin for this issue, they'd say something like:
"Mitigating factors: In an attack of this exploit, customers would have to be running Firefox with Administrator rights. Best Practice and the MSFT blah-blah-blah deployment guides would ALWAYS suggest running with least privilege. Yes, it's a real pain, and No, most of our own applications won't work, but our lawyers say if we suggest running with least privilege and you decide not to, it's your problem not ours."

Go check out [microsoft.com...] if you don't believe me :-)

amznVibe

WebmasterWorld Senior Member 10+ Year Member



 
Msg#: 3105107 posted 5:29 pm on Oct 2, 2006 (gmt 0)

They are simply recycling an old trick with a new twist.
Relax, 1.5.0.8 is out next week or so:
[wiki.mozilla.org...]

[edited by: amznVibe at 5:35 pm (utc) on Oct. 2, 2006]

mattglet

WebmasterWorld Senior Member 10+ Year Member



 
Msg#: 3105107 posted 7:03 pm on Oct 2, 2006 (gmt 0)

webdoctor, don't worry. God forbid anything be wrong with Firefox ;)

It'll be fixed, and this will all be forgotten.

motorhaven

10+ Year Member



 
Msg#: 3105107 posted 10:57 pm on Oct 2, 2006 (gmt 0)

I'm surprised that anyone would excuse a security flaw by saying "oh yeah, so and so product is worse!"

Gaining user access gains access to the machine, and then the person can hide out and take their time looking for permission and configurations that will gain root access.

Wlauzon

WebmasterWorld Senior Member 10+ Year Member



 
Msg#: 3105107 posted 11:06 pm on Oct 2, 2006 (gmt 0)

...Symantec's biannual Internet Security Threat Report, the last six months saw a significant uptick in the number of security vulnerabilities found in web browsers. Leading the way was Firefox, with 47 bugs discovered. Researchers and hackers discovered 38 vulnerabilities in Internet Explorer...

icantthinkofone

5+ Year Member



 
Msg#: 3105107 posted 11:30 pm on Oct 2, 2006 (gmt 0)

Symantec's report counted many bugs that were actually Windows issues and such. Don't recall the details.

In any case, I don't think anyone is discounting the fact that all browsers have security problems. The fact remains that FF and others are far more secure than IE and the developers are constantly working on improvements which can be issued at any time while IE developers can take years.

EDIT: And now PC World reports that iDefense, a division of VeriSign, does not consider this exploit critical and found the exploit to be 'unreliable'.

theBear

WebmasterWorld Senior Member 10+ Year Member



 
Msg#: 3105107 posted 1:52 am on Oct 3, 2006 (gmt 0)

If an exploit making use of the vuln has to resort to things appearing in a particular place in relation to something else then some existing protective elements would make the exploit unreliable.

The JavaScript handling code has in the past exhibited a number of failures that involve memory corruption; this can be used to construct an exploit, but if things move because of any configuration options or the location that code segments get loaded at relative to others and the exploit, things don't always go the way the exploit builder intended.

If the user is running as a user in Linux this isn't a major problem (compared to others); running as a user in the Windows world is probably not the norm, so it can really hurt.

All software has gotchas, some gotchas can cause more problems than others.

The golden rule is:

while (not the end of the universe)
{
    find_a_bug();
    fix_a_bug();
}

Please note there is no test for found last bug.

[edited by: theBear at 1:54 am (utc) on Oct. 3, 2006]

amznVibe

WebmasterWorld Senior Member 10+ Year Member



 
Msg#: 3105107 posted 4:22 am on Oct 3, 2006 (gmt 0)

It's obvious every program has bugs and the more complete it is, the more they have.

If you load up a program with constant memory overflow checks it starts to crawl.

The difference is that IE is on a fixed 30 day cycle so the black-hats know they can release a deadly bug into the wild 24 hours after patch Tuesday and get a full month out of it (or more). Unless it's a DRM bug, and that will get fixed within a day or two.

Firefox responds much quicker once there is a threat. It's also far more customizable.

When IE has a bug like this they say to entirely disable the feature and you are stuck for at least a month like that (or more).

At least with Firefox you can instantly add an extension to toggle JavaScript off on unknown websites.

I don't use Firefox because I hate IE, I use Firefox because I don't know how I got anything else done before I used it!

TravelSite

10+ Year Member



 
Msg#: 3105107 posted 9:08 am on Oct 3, 2006 (gmt 0)

Well there is one simple solution to the Firefox Flaw - ditch Firefox and install IE.

[ LOL - At long last - payback for all the annoying "switch to Firefox" posts that Firefox users insist on posting whenever there's an (all too frequent) IE flaw :) ]

brakkar

10+ Year Member



 
Msg#: 3105107 posted 12:43 pm on Oct 3, 2006 (gmt 0)

The more people using Firefox, the more hackers will focus on it, the more exploits will be found, the more people will realize that finally, Microsoft didn't do such a bad job with such a large share of market.

icantthinkofone

5+ Year Member



 
Msg#: 3105107 posted 2:25 pm on Oct 3, 2006 (gmt 0)

Not true. IIS has many more attacks than Apache, yet Apache controls 65% of web servers or more.

There is a book out that studies and discounts the 'more popular more attacks' theory. It addressed open source, particularly, and said it would not happen because open source is considered created by the proverbial 'we' and 'us'.

Another thought on this is to consider attacks on Firefox or Opera on Linux vs Windows systems. Many vulnerabilities are the result of weaknesses in the OS and not the browser.

System
redhat


 
Msg#: 3105107 posted 3:20 pm on Oct 3, 2006 (gmt 0)

The following 6 messages were cut out to new thread by engine. New thread at: firefox_browser/3108440.htm [webmasterworld.com]
6:25 pm on Oct. 4, 2006 (utc +1)
