Firefox holes impossible to patch claims

forwardone
Post: #1

"Impossible to patch": Hackers unearth Firefox hole

Published: Monday 2 October 2006

The open source Firefox web browser is critically flawed in the way it handles JavaScript, two hackers said on Saturday afternoon.

An attacker could commandeer a computer running the browser simply by crafting a web page that contains some malicious JavaScript code, Mischa Spiegelmock and Andrew Wbeelsoi said in a presentation at the ToorCon hacker conference in San Diego. The flaw affects Firefox on Windows, Apple's Mac OS X and Linux, they said.

The flaw is specific to Firefox's implementation of JavaScript, a 10-year-old scripting language widely used on the web. In particular, various programming tricks can cause a stack overflow error, Spiegelmock said. The implementation is a "complete mess", he said, adding: "It is impossible to patch."

The JavaScript issue appears to be a real vulnerability, Window Snyder, Mozilla's security chief, said after watching a video of the presentation on Saturday night. "What they are describing might be a variation on an old attack," she said. "We're going to do some investigating."

Snyder said she isn't happy with the disclosure and release of an apparent exploit during the presentation. "It looks like they had enough information in their slide for an attacker to reproduce it," she said. "I think it is unfortunate because it puts users at risk but that seems to be their goal."

At the same time, the presentation probably gives Mozilla enough data to fix the apparent flaw, Snyder said. However, because the possible flaw appears to be in the part of the browser that deals with JavaScript, addressing it might be tougher than the average patch, she added. "If it is in the JavaScript virtual machine, it is not going to be a quick fix," Snyder said.

The hackers claim they know of about 30 unpatched Firefox flaws. They don't plan to disclose them, however.

Jesse Ruderman, a Mozilla security staffer, attended the presentation and was called up on the stage with the two hackers. He attempted to persuade the presenters to responsibly disclose flaws via Mozilla's bug bounty programme instead of using them for malicious purposes such as creating networks of hijacked PCs, called botnets.

Ruderman said: "I do hope you guys change your minds and decide to report the holes to us and take away $500 per vulnerability instead of using them for botnets."

The two hackers laughed off the comment. Wbeelsoi said: "It is a double-edged sword but what we're doing is really for the greater good of the internet, we're setting up communication networks for black hats."

Source: Silicon.com
10-02-2006 11:18 AM
forwardone
Post: #2
 

The security team at Mozilla is looking into a flaw in its Firefox Web browser that hackers exposed at a conference in San Diego over the weekend.

In a presentation at the ToorCon hacker conference, hackers Mischa Spiegelmock and Andrew Wbeelsoi demonstrated exploit code for a vulnerability in the way Firefox handles JavaScript.

Mozilla today said it was busy investigating the flaw, and did not offer any security researchers for comment because, according to spokesperson Mary Colvig, they were all "heads down" on the problem. The company also said it will patch the flaw if it deems that action necessary.

Memory Filler

The vulnerability could allow someone to execute a memory corruption attack on Firefox if a user browsed to a Web site that contained the exploit code, says Ken Dunham, director of the rapid-response team at security services company iDefense, a VeriSign company.

"If you were to go to a Web site that contained the exploit code, it would fill up the available memory on the computer," he says. This would create an environment in which an attacker could take over the computer to do something harmful, he adds.

Dunham says that iDefense labs tested the exploit code, and found that it was "unreliable" and crashed the Firefox browser. Because of this, he does not consider the exploit to be a critical threat to Firefox. However, "someone could make some changes to the exploit code and make it more reliable," Dunham says.

He adds that there are other, more critical unpatched flaws in both Firefox and Microsoft's Internet Explorer browser that are currently under attack by hackers.

PCWorld
10-03-2006 10:22 AM