
Firefox Browser Usage and Support Forum

    
Hackers Zero-Day Flaw In Firefox Was a Hoax
brakthepoet




msg:3106914
 3:20 pm on Oct 3, 2006 (gmt 0)


System: The following 6 messages were cut out of thread at: http://www.webmasterworld.com/firefox_browser/3105107.htm [webmasterworld.com] by engine - 6:25 pm on Oct. 4, 2006 (utc +1)


And now there might be very little to the whole thing. In a note on Mozilla Developer Center from Mischa Spiegelmock, one of the speakers: [developer.mozilla.org]

I have not succeeded in making this code do anything more than cause a crash and eat up system resources, and I certainly haven't used it to take over anyone else's computer and execute arbitrary code.

I do not have 30 undisclosed Firefox vulnerabilities, nor did I ever make this claim. I have no undisclosed Firefox vulnerabilities. The person who was speaking with me made this claim, and I honestly have no idea if he has them or not.

A DoS isn't good, but it's nowhere near as serious as commandeering a system.

 

encyclo




msg:3107140
 6:05 pm on Oct 3, 2006 (gmt 0)

[securityfocus.com...]

Update (October 3, 2006): This BID is being retired as reports indicate that these issues are a hoax. The researchers responsible for disclosing these vulnerabilities have claimed that their original reports were not correct. It is possible that a remote denial of service vulnerability affects the browser; however this has not been confirmed.

Wlauzon




msg:3107717
 2:43 am on Oct 4, 2006 (gmt 0)

Not true. IIS has many more attacks than Apache, yet Apache controls 65% of web servers or more.

I am not so sure about that.

We run 3 sites for our company websites. 2 are Apache, one is IIS.

During the past year I have had to clean up hacks and/or exploits on the Apache ones 4 times. I have yet to have any problems with IIS.

And yes, I know it is true that a lot of the hacks sneak in through other programs, such as PHPbb flaws, but the fact remains that I have yet to have a problem with our IIS server.

Wlauzon




msg:3107723
 2:47 am on Oct 4, 2006 (gmt 0)

They need to offer some REAL money for hacks.

Set up a couple of sites, one IIS and one Apache, with all the usual programs, like a website, forum, blog.

And then offer $10,000 to the first person to crash or hack each one :D

keyplyr




msg:3107853
 7:28 am on Oct 4, 2006 (gmt 0)

Relax - Hacker's claim found to be only a joke:

[technewsworld.com...]

icantthinkofone




msg:3108056
 12:27 pm on Oct 4, 2006 (gmt 0)

Wlauzon,
You can't compare personal experience with everyone else. All the security companies warn of the problems of IIS vs. Apache and IIS problems are well known.

engine




msg:3108444
 5:27 pm on Oct 4, 2006 (gmt 0)

A hacker who claimed to have found a serious zero-day bug in Firefox now says he was never able to exploit the supposed vulnerability to hijack computers.

On Saturday, Mischa Spiegelmock and Andrew Wbeelsoi told attendees at the ToorCon event in San Diego that Firefox is critically flawed in the way it handles JavaScript. An attacker could commandeer a computer running the open-source Web browser simply by crafting a Web page that contains some malicious JavaScript code, they said. They displayed some of that code.

But Spiegelmock has now backpedaled on those claims. In a statement provided to Mozilla, which coordinates development of Firefox, Spiegelmock said that the computer code displayed during the presentation does not fully compromise a PC running the browser.

Hackers Zero-Day Flaw In Firefox Was a Hoax
[news.com.com]

Frank_Rizzo




msg:3108504
 6:04 pm on Oct 4, 2006 (gmt 0)

If you are using Apache then set it to identify itself as IIS and vice versa. You shouldn't get many problems doing that.

:-)

brakthepoet




msg:3108523
 6:14 pm on Oct 4, 2006 (gmt 0)

The Washington Post's Brian Krebs has a little more on the other guy in this hoax:
[blog.washingtonpost.com]
Also, Wbeelsoi, or "Weev" as he is called by friends, is part of a group that calls itself "Bantown," a loose-knit outfit that claimed responsibility for a fairly high-profile Javascript attack against close to a million LiveJournal users, an attack that Security Fix profiled in January.

I did little searching with the information from the article. It looks like the "Wbeelsoi" guy is little more than an Internet prankster.

My Firefox browser may still have some vulnerabilities, but it's unlikely that this guy knows any of them.
