Firefox - Zero day exploit on Nobel Peace Prize website - Firefox Browser Usage and Support forum at WebmasterWorld

Forum Moderators: open

Message Too Old, No Replies

Firefox - Zero day exploit on Nobel Peace Prize website

This one is dangerous says Mozilla

tangor

12:47 am on Oct 27, 2010 (gmt 0)

Install NoScript or turn Javascript off for this site (and possibly others)...

Malicious hackers have exploited an unpatched vulnerability in the latest version of Firefox to attack people visiting the Nobel Peace Prize website, a Norway-based security firm said on Tuesday.

Mozilla representatives confirmed a "critical vulnerability" in versions 3.5 and 3.6 of the open-source browser. It came several hours after the organization members were said to have made the same admission on this password-protected Bugzilla page.

According to Einar Oftedal, a detection executive at Norman ASA in Oslo, the official website for the Nobel Peace prize, nobelpeaceprize . org, was compromised so that it contained an iframe link to a malicious server.

[theregister.co.uk...]

Sgt_Kickaxe

2:49 am on Oct 27, 2010 (gmt 0)

Turn javascript off... and kiss adsense earnings goodbye too.

Javascript is getting some bad press of late, time to write an "if javascript turned off do such and such" script so your site doesn't lose ad revenue. I'm already seeing near 10% of my traffic having javascript off this month, according to analytics, but I don't know how much of that 10% is bots etc. 10% is already a lot.

edit: Link to incredibill post on "noscript" to avoid earnings loss related to having javascript turned off - [forums.searchenginewatch.com...]

[edited by: Sgt_Kickaxe at 3:00 am (utc) on Oct 27, 2010]

bill

2:57 am on Oct 27, 2010 (gmt 0)

Turn java off

ahem...it's JavaScript, not Java. They are two very different things that unfortunately have similar names.

yaix2

8:02 am on Oct 27, 2010 (gmt 0)

"...vulnerability in Firefox to force end users to install malware ... The Windows executable was created on Sunday..."

Looks like its only Javascript on FF on Windows?

tangor

8:14 am on Oct 27, 2010 (gmt 0)

Turn java off

ahem...it's JavaScript, not Java. They are two very different things that unfortunately have similar names.

bill... nobody is talking about Java!

Heck, nobody even has to have that installed! (I don't, for example)...

bill

9:13 am on Oct 27, 2010 (gmt 0)

bill... nobody is talking about Java!

Sgt_Kickaxe edited his post. It was quite different before. ;)

tangor

9:51 am on Oct 27, 2010 (gmt 0)

bill...

Apologies! (knew you knew better, shoulda kept mouth shut etc. ...)

Now I have egg on face! Thanks!

^{Somebody throw me a towel... or some Tabasco...}

r4bet

10:32 am on Oct 27, 2010 (gmt 0)

China -.-

SEOVisits

5:44 pm on Oct 27, 2010 (gmt 0)

The catch 22 is NoScript is one of the few ways to stay protected on the web.

Hugene

7:07 pm on Oct 27, 2010 (gmt 0)

Agreed r4bet, chances are China is behind this. Hilarious in a sickening way.

phranque

7:13 am on Oct 28, 2010 (gmt 0)

china

maybe related to liu xiaobo?

tangor

11:58 pm on Oct 28, 2010 (gmt 0)

I think FF has issued a patch... there was something that came through early morning/last night, but dang it I was tired and not paying attention when I clicked RESTART FIREFOX FOR UPDATES... Will go take a look, but if anyone has that info, please post... The Mozilla guys seem to take these exploit things very seriously.

tedster

12:21 am on Oct 29, 2010 (gmt 0)

They did fix a critical 0-day exploit in the just released version 3.6.12 - not sure if it is THE 0-day exploit or not, but I think so.

Fixed in Firefox 3.6.12
MFSA 2010-73 Heap buffer overflow mixing document.write and DOM insertion

[mozilla.org...]

[bugzilla.mozilla.org...] has the Bug Report from 2010-10-25