Slashdot Mirror


New Mozilla Firefox 1.0.3 Exploit

An anonymous reader writes "News sources are reporting that a 'killer' new Firefox exploit has been revealed today by FrSIRT who warn that this 0day exploit/vulnerability (as yet unpatched) should be rated as critical. Summary of the exploit: If a user clicks anywhere on a specially crafted page, this code will automatically create and execute a malicious batch/exe file. Proof of concept code supplied by FrSIRT."

3 of 596 comments

  1. Not an exploit of Firefox IMO by Anonymous Coward · Score: 0, Flamebait

    You have to have the FlashGot extension *and* a download manager for this to work.

    I don't and I tried this several times and the c:\boom.bat was never created.

    Looks to me like "security" "specialists" in France are quite clueless.

  2. JavaScript! Will it ever go away? by zymano · Score: 0, Flamebait

    This exploit, just like a ton of others, uses JavaScript. The language that has no purpose anymore.

    Why can't we modify it or find something to replace it?

  3. Microsoft is a stagecoach company. by rice_burners_suck · Score: 0, Flamebait

    Yeah, this is a big huge exploit. But Firefox on its worst day is still infinitely more secure than anything Microsoft is capable of producing even on their best day. Let me explain:

    If this were Microsoft Firefox, I'd give it four to ten years before Microsoft even addressed the problem. Then, the problem would be "fixed", meaning that Microsoft wouldn't repair the code that causes it, but would instead slap another 10,000 lines of buggy code on top of the problem to detect whether each web page accessed is going to do this, and then display a window that asks the user some obscure technical question with a "do you wish to continue? yes/no", to which, of course the user will answer "yes" (without even reading the question) and then it's not Microsoft's fault anymore. And then Norton, Symantec, McAfee, and ten other companies will release software that runs in the background, slows your computer to a crawl, detects the same problem, and puts up a similar warning.

    But this is not Microsoft Firefox. And the vulnerability wasn't posted on firefox-security or some obscure mailing list or blog. The vulnerability is posted all over the front page of Slashdot, where a million programmers are going to see it within the next fifteen minutes.

    I give it a couple of hours and Firefox 1.0.4 is out.

    And that, my friends, is why Firefox is more secure than MSIE. Microsoft. Where do you want to go today?