The open-source Firefox Web browser is critically flawed in the way it handles JavaScript, two hackers said Saturday afternoon. An attacker could commandeer a computer running the browser simply by crafting a Web page that contains some malicious JavaScript code, Mischa Spiegelmock and Andrew Wbeelsoi said in a presentation at the ToorCon hacker conference here. The flaw affects Firefox on Windows, Apple Computer's Mac OS X and Linux, they said.
"Internet Explorer, everybody knows, is not very secure. But Firefox is also fairly insecure," said Spiegelmock, who in everyday life works at blog company SixApart. He detailed the flaw, showing a slide that displayed key parts of the attack code needed to exploit it.
Hackers claim zero-day flaw in Firefox [news.com.com]
commandeer a computer running the browser simply by crafting a Web page that contains some malicious JavaScript code
If you are running Firefox as a standard user (no administrator privileges), in what sense does the bad guy "commandeer the computer" with this exploit?
Is this JavaScript vulnerability also coupled with a privilege escalation? Can't imagine that works on Windows, OS X, *and* Linux all at once.
I suppose "commandeer the user account running the application" doesn't sound nearly as sexy.
Good enough. That's a big flaw.
Yes, it's a big flaw.
The point is that Firefox runs as a user-space application. Another browser that is regarded as being a part of the operating system might be FAR MORE vulnerable if it had this kind of vulnerability.
Given the choice, I'd prefer a user-level compromise to a root-level compromise on a workstation hooked to my corporate network. I assume we all would.
I would say 99% of home users run with admin rights...
You're probably right.
What percentage of cyclists wear a cycle helmet? Not that many, but strangely there aren't many cyclists who'd argue that they'd prefer to be knocked off their bike WITHOUT a helmet vs. WITH a helmet... so just because not many people do 'X' doesn't mean that 'X' is a bad idea.
Put another way, if MSFT were writing the security bulletin for this issue, they'd say something like:
"Mitigating factors: In an attack of this exploit, customers would have to be running Firefox with Administrator rights. Best Practice and the MSFT blah-blah-blah deployment guides would ALWAYS suggest running with least privilege. Yes, it's a real pain, and No, most of our own applications won't work, but our lawyers say if we suggest running with least privilege and you decide not to, it's your problem not ours."
Go check out [microsoft.com...] if you don't believe me :-)
[edited by: amznVibe at 5:35 pm (utc) on Oct. 2, 2006]
In any case, I don't think anyone is discounting the fact that all browsers have security problems. The fact remains that FF and others are far more secure than IE, and the developers are constantly working on improvements which can be issued at any time, while IE developers can take years.
EDIT: And now PC World reports that iDefense, a division of VeriSign, does not consider this exploit critical and found the exploit to be 'unreliable'.
The JavaScript handling code has in the past exhibited a number of failures that involve memory corruption. This can be used to construct an exploit, but if things move because of any configuration options, or because of the location that code segments get loaded at relative to others and to the exploit, things don't always go the way the exploit builder intended.
If the user is running as a user in Linux this isn't a major problem (compared to others); running as a user in the Windows world is probably not the norm, so it can really hurt.
All software has gotchas, some gotchas can cause more problems than others.
The golden rule is:
while (not the end of the universe)
{
    find_a_bug();
    fix_a_bug();
}
Please note there is no test for having found the last bug.
[edited by: theBear at 1:54 am (utc) on Oct. 3, 2006]
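The post above makes the point that a memory-corruption exploit becomes unreliable when code segments do not land at the addresses the exploit builder assumed. A defender can check for that property directly: an ELF binary built as ET_DYN (position-independent) can be placed at a different address on every run, while ET_EXEC always loads at one fixed address. The script below is an added example, not code from this thread or from the Firefox project; it parses the standard ELF header layout (magic at offset 0, class/endianness bytes at 4 and 5, e_type at offset 16) and is exercised against two constructed 64-byte sample headers so it runs offline. The optional kernel check reads /proc/sys/kernel/randomize_va_space, which exists only on Linux; everywhere else it reports "unknown".

```python
import struct

# ELF constants from the System V ABI; only the fields this check reads are used.
ELF_MAGIC = b"\x7fELF"
ET_EXEC = 2   # fixed load address: every run puts code at the same place
ET_DYN = 3    # relocatable executable (PIE): the loader may place it anywhere


def _sample_header(e_type: int) -> bytes:
    """Build a constructed, minimal ELF64 little-endian header (64 bytes).

    Offsets 0-15 are e_ident: magic, class=2 (64-bit), data=1 (little-endian),
    version=1, then padding. The remaining 48 bytes are the fixed header fields;
    e_machine=62 is x86-64, e_ehsize=64 and e_phentsize=56 are the ELF64 sizes.
    """
    ident = ELF_MAGIC + bytes([2, 1, 1]) + b"\x00" * 9
    rest = struct.pack("<HHIQQQIHHHHHH",
                       e_type, 62, 1, 0, 0, 0, 0, 64, 56, 0, 64, 0, 0)
    return ident + rest


# Constructed sample inputs: one PIE-style header, one fixed-address header.
SAMPLE_PIE = _sample_header(ET_DYN)
SAMPLE_FIXED = _sample_header(ET_EXEC)


def elf_load_layout(data: bytes) -> str:
    """Classify an ELF image as 'pie', 'fixed' or 'other' from its header.

    Raises ValueError for anything that is not an ELF header, rather than
    guessing, so a truncated or foreign file is never reported as hardened.
    """
    if len(data) < 64 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF image")
    endian = "<" if data[5] == 1 else ">"          # EI_DATA: 1 = little-endian
    (e_type,) = struct.unpack_from(endian + "H", data, 16)
    if e_type == ET_DYN:
        return "pie"
    if e_type == ET_EXEC:
        return "fixed"
    return "other"                                   # relocatable object, core, ...


def kernel_aslr_setting() -> str:
    """Report the Linux-wide randomization knob; 'unknown' where it is absent."""
    try:
        with open("/proc/sys/kernel/randomize_va_space") as f:
            value = f.read().strip()
    except OSError:
        return "unknown"
    return {"0": "off", "1": "partial", "2": "full"}.get(value, "unknown")


def check_file(path: str) -> str:
    """Classify a binary on disk by reading only its 64-byte header."""
    with open(path, "rb") as f:
        return elf_load_layout(f.read(64))


if __name__ == "__main__":
    for name, blob in (("constructed PIE header", SAMPLE_PIE),
                       ("constructed fixed header", SAMPLE_FIXED)):
        print(f"{name}: {elf_load_layout(blob)}")
    print(f"kernel randomize_va_space: {kernel_aslr_setting()}")
```

Run it against a real installation with `check_file("/path/to/binary")`: a "fixed" result means the program's own code sits at a predictable address regardless of how the kernel knob is set, which is exactly the condition that makes the memory-corruption exploits discussed above repeatable.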
If you load up a program with constant memory overflow checks it starts to crawl.
The difference is that IE is on a fixed 30 day cycle so the black-hats know they can release a deadly bug into the wild 24 hours after patch Tuesday and get a full month out of it (or more). Unless it's a DRM bug, and that will get fixed within a day or two.
Firefox responds much quicker once there is a threat. It's also far more customizable.
When IE has a bug like this they say to entirely disable the feature and you are stuck for at least a month like that (or more).
At least with Firefox you can instantly add an extension to toggle javascript off on unknown websites.
I don't use Firefox because I hate IE, I use Firefox because I don't know how I got anything else done before I used it!
There is a book out that studies and discounts the 'more popular more attacks' theory. It addressed open source, particularly, and said it would not happen because open source is considered created by the proverbial 'we' and 'us'.
Another thought on this is to consider attacks on Firefox or Opera on Linux vs Windows systems. Many vulnerabilities are the result of weaknesses in the OS and not the browser.