Forum Moderators: incrediBILL

Hackers Zero-Day Flaw In Firefox Was a Hoax

     
3:20 pm on Oct 3, 2006 (gmt 0)

Full Member

10+ Year Member

joined:Oct 22, 2002
posts:217
votes: 0



System: The following 6 messages were cut out of thread at: http://www.webmasterworld.com/firefox_browser/3105107.htm [webmasterworld.com] by engine - 6:25 pm on Oct. 4, 2006 (utc +1)


And now there might be very little to the whole thing. In a note on Mozilla Developer Center from Mischa Spiegelmock, one of the speakers: [developer.mozilla.org]

I have not succeeded in making this code do anything more than cause a crash and eat up system resources, and I certainly haven't used it to take over anyone else's computer and execute arbitrary code.

I do not have 30 undisclosed Firefox vulnerabilities, nor did I ever make this claim. I have no undisclosed Firefox vulnerabilities. The person who was speaking with me made this claim, and I honestly have no idea if he has them or not.

A DoS isn't good, but it's nowhere near as serious as commandeering a system.

6:05 pm on Oct 3, 2006 (gmt 0)

Senior Member from CA 

WebmasterWorld Senior Member encyclo is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Aug 31, 2003
posts:9063
votes: 2


[securityfocus.com...]

Update (October 3, 2006): This BID is being retired as reports indicate that these issues are a hoax. The researchers responsible for disclosing these vulnerabilities have claimed that their original reports were not correct. It is possible that a remote denial of service vulnerability affects the browser; however this has not been confirmed.

2:43 am on Oct 4, 2006 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:May 26, 2004
posts:1392
votes: 0


Not true. IIS has many more attacks than Apache, yet Apache controls 65% of web servers or more.

I am not so sure about that.

We run 3 sites for our company websites. 2 are Apache, one is IIS.

During the past year I have had to clean up hacks and/or exploits on the Apache ones 4 times. I have yet to have any problems with IIS.

And yes, I know it is true that a lot of the hacks sneak in through other programs, such as phpBB flaws, but the fact remains that I have yet to have a problem with our IIS server.

2:47 am on Oct 4, 2006 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:May 26, 2004
posts:1392
votes: 0


They need to offer some REAL money for hacks.

Set up a couple of sites, one IIS and one Apache, with all the usual programs, like a website, forum, blog.

And then offer $10,000 to the first person to crash or hack each one :D

7:28 am on Oct 4, 2006 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:5804
votes: 64


Relax - Hacker's claim found to be only a joke:

[technewsworld.com...]

12:27 pm on Oct 4, 2006 (gmt 0)

Junior Member

5+ Year Member

joined:Sept 12, 2006
posts:140
votes: 0


Wlauzon,
You can't compare personal experience with everyone else. All the security companies warn of the problems of IIS vs. Apache and IIS problems are well known.

5:27 pm on Oct 4, 2006 (gmt 0)

Administrator from GB 

WebmasterWorld Administrator engine is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:May 9, 2000
posts:22287
votes: 236


A hacker who claimed to have found a serious zero-day bug in Firefox now says he was never able to exploit the supposed vulnerability to hijack computers.

On Saturday, Mischa Spiegelmock and Andrew Wbeelsoi told attendees at the ToorCon event in San Diego that Firefox is critically flawed in the way it handles JavaScript. An attacker could commandeer a computer running the open-source Web browser simply by crafting a Web page that contains some malicious JavaScript code, they said. They displayed some of that code.

But Spiegelmock has now backpedaled on those claims. In a statement provided to Mozilla, which coordinates development of Firefox, Spiegelmock said that the computer code displayed during the presentation does not fully compromise a PC running the browser.

Hackers Zero-Day Flaw In Firefox Was a Hoax
[news.com.com]

6:04 pm on Oct 4, 2006 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:June 17, 2002
posts:1181
votes: 5


If you are using Apache then set it to identify itself as IIS and vice versa. You shouldn't get many problems doing that.

:-)

6:14 pm on Oct 4, 2006 (gmt 0)

Full Member

10+ Year Member

joined:Oct 22, 2002
posts:217
votes: 0


The Washington Post's Brian Krebs has a little more on the other guy in this hoax:
[blog.washingtonpost.com]
Also, Wbeelsoi, or "Weev" as he is called by friends, is part of a group that calls itself "Bantown," a loose-knit outfit that claimed responsibility for a fairly high-profile Javascript attack against close to a million LiveJournal users, an attack that Security Fix profiled in January.

I did a little searching with the information from the article. It looks like the "Wbeelsoi" guy is little more than an Internet prankster.

My Firefox browser may still have some vulnerabilities, but it's unlikely that this guy knows any of them.