Slashdot Mirror


Firefox Exploit Adds Fuel to Browser Security Feud

An anonymous reader writes "Washingtonpost.com is reporting that a fairly nasty exploit has been released for a security hole that Firefox patched just yesterday. This is sure to add fuel to the ongoing heated debate over whether Mozilla is any safer than Internet Explorer." From the article: "This is not your run-of-the-mill proof of concept exploit code. It appears to be quite comprehensive, and would allow any attacker to use it with only slight modifications. According to the advisory, the code is designed to be embedded in a Web site so that any computer visiting the evil site with Firefox or Netscape would open up a line of communication with another Internet address of the attacker's choice, effectively letting the bad guys control the victim computer from afar."

4 of 510 comments

  1. Exploits as remote administration tool? by Sirfrummel · Score: 5, Interesting
    "...effectively letting the bad guys control the victim computer from afar."

    I just have to wonder... have people ever used exploits like this to do any purposeful remote-administration?
  2. Re:Browser shmouser by AKAImBatman · Score: 5, Interesting

    Arguably, if the OS is secure enough, then you should not have problems with programs that can start executing code without permissions.

    Eh, it's multi-faceted. The problem is that many of the greatest security threats today are from buffer overflow attacks. (Or heap overflow in this case.) This is frustrating because we've had the technology for more than 20 years to write code that is invulnerable to these sorts of attacks. Unfortunately, the majority of OS and Desktop software has continued to rely on C and C++, making these holes not only possible, but probable.

    If the buffer overflow attack were solved once and for all, then attackers would have to move higher up the stack. e.g. Embedded scripts in emails that run with full permission. This sort of attack is why Java has a built-in security manager that can prevent access to secure resources. Should our security problems ever escalate to this level, I'm sure you'll see a lot of similar security managed environments showing up.

  3. Automatic Updates by Paul Slocum · Score: 5, Interesting

    They do patch stuff fast, but until automatic updates work correctly, it's not going to do much good for the average idiot user. And someone will eventually start trying to take advantage of these exploits. I'm running 1.0.6 and there's no update icon showing. When I say Check Now: "Firefox was not able to find any updates." -paul

  4. GPL Exploits -- interesting side effects. by Stephen Samuel · Score: 4, Interesting
    If someone uses the exploit code to build a worm and doesn't include the full source code with the 'distribution', the original worm writer could sue them for copyright violation.

    This, of course, presumes that (1) the original exploit author is a proper white-hat, and (2) we catch the person who creates the worm.

    --
    Free Software: Like love, it grows best when given away.