Hackers claim zero-day flaw in Firefox
An anonymous reader writes "The open-source Firefox Web browser is critically flawed in the way it handles JavaScript, two hackers said Saturday afternoon. An attacker could commandeer a computer running the browser simply by crafting a Web page that contains some malicious JavaScript code, Mischa Spiegelmock and Andrew Wbeelsoi said in a presentation at the ToorCon hacker conference here."
Do they have proof? Did they do a demonstration?
In response, Mozilla Corporation has stated that since the hackers did not submit the hack for verification, they may not call it a "Firefox" hack, in compliance with its trademark policy. Further, if anyone did take over a browser with this hack, they would have to change the icon or face vague threats.
The hackers plan to release the next version of the hack under the name IceWeasel Hack, while grumbling about backports. Debian developers have been debating whether they should include the hack in Etch or not.
Why do they all say this in vulnerability reports? Do hackers carve their pages out of stone or something? Do they whittle them out of sticks? It makes me fucking sick!
If you had to pick between having a last name of "Spiegelmock" or "Wbeelsoi", which one would you go with? I'd have to pick Wbeelsoi, because it would be funny to watch most native English speakers trip over that "W+b" letter combination.
Isn't that a kid's cereal? We all know what Spiegelmock is, though. Just a mag that makes fun of a German newspaper.
(sarcasm) Yes, our only hope is that Debian developers can patch the hole in time! (end sarcasm)
but why doesn't this story have a "from the ____ department" subheader?
What about NoScript? http://www.noscript.net/whats
For the October 1 branch nightly release, these fixes were included:
#353249 [Core:JavaScript Engine]-(undisclosed security fix) [All]
#354924 [Core:JavaScript Engine]-(undisclosed security fix) [All]
#354945 [Core:JavaScript Engine]-(undisclosed security fix) [All]
I wonder if these are related to the alleged flaws?
Noscript is your friend. Been using it for a year or so now.
Yes, whitelisting sites is a pain, but Javascript is a remnant of a more innocent time and should probably be phased out anyway.
I assume this affects the 1.5.x branch, but what about the 2.x branch or the 3.x branch?
I have 1.5.0 (and 1.0.7) on a number of clients' workstations, and when I check for updates it says none are available.
Is the update system broken? Didn't last long.
Interesting.... a search of Slashdot for 'zero day' reveals that when it's an IE exploit it's a certainty to exist, but when it's a Firefox exploit it's `claimed`.
Hackers claim zero-day flaw in Firefox
Zero-Day IE Exploit In the Wild (Sep 18, 2006)
Microsoft Confirms Excel Zero-Day Attack
MS Word Zero-Day Exploit Found
PowerPoint 0-Day Points to Corporate Espionage
Another Zero-Day IE Scripting Exploit
Zero-Day IE Exploit Takes Control of PCs
Today the hackers have to work a bit harder so zero-day attacks are no longer rare. The vast majority of attacks are still from hackers who are reverse engineering the patches and distributing attacks before the patches are implemented.
If someone reports a new attack against open source code it is by definition unknown before it is reported. Therefore all bug reports with security implications are 'zero-day'.
What the idiots who released this exploit mean by 'zero day' was that they didn't allow time for the problem to be fixed before releasing the exploit.
Doh. You were both faster than me.
(sarcasm) Let's hope that the PoC passes DFSG so that debian can start working on a fix ASAP(/sarcasm)
The link in the article is a click-through to the REAL article at http://news.zdnet.com/2100-1009_22-6121608.html
And if that's not obscure enough, there's always Lynx. ;)
That is a public slap in the face.
Why couldn't Javascript play nicely in a sandbox?
From the Article
The hackers claim they know of about 30 unpatched Firefox flaws. They don't plan to disclose them, instead holding on to the bugs.
Jesse Ruderman, a Mozilla security staffer, attended the presentation and was called up on the stage with the two hackers. He attempted to persuade the presenters to responsibly disclose flaws via Mozilla's bug bounty program instead of using them for malicious purposes such as creating networks of hijacked PCs, called botnets.
"I do hope you guys change your minds and decide to report the holes to us and take away $500 per vulnerability instead of using them for botnets," Ruderman said.
The two hackers laughed off the comment. "It is a double-edged sword, but what we're doing is really for the greater good of the Internet, we're setting up communication networks for black hats," Wbeelsoi said.
First of all, guys, so you refuse to tell us what the bugs are, so we can't fix them and do this for the "greater good of the internet... setting up communication networks for black hats" WTF? What does having tens of thousands of additional zombie-machines that could DDoS or send SPAM do with the greater good of the internet. I almost hope you try to make money off the bugs (if you even know any more) so you get to know a nice prison cell and "Life without PC"(TM). Honestly, I think those guys are full of it, they probably don't know even one additional vulnerability and just try to show off how "big and powerful" they are.
I disable javascript making 90% of browser security problems harmless. Curiously, 100% of correctly coded web sites still work perfectly, badly coded sites are another thing.
Enabling javascript lets people run arbitrary code, in my book that's a single security problem, not one every week.
Yawn.
"Firefox has become IE"
... which has had security flaws too.
Not even close.
"I guess it's time to start using Opera, instead."
If you're looking for a browser that never has any special security flaws to talk of that's still usable for modern web sites, you're up for a hell of a search.
I can turn a computer into a giant man eating robot with a few external peripherals and some malicious code in the Kernel.... Do you want some proof of that? Don't answer the door if you hear *in robot voice of course* "Humans detected... Num.... Num..... Num......"
Wow... that's the first time I've seen a comment duped in the same article!
Nope. I just miss the days when Firefox/Mozilla were such niche browsers that nobody bothered writing malicious web pages to target them.
>I wouldn't be at all surprised to find that they managed to get some funding (either direct or indirect) from Microsoftl[sic].
complete bullshit and FUD.
you know nothing about these ppl, they are blackhats, they ruin things for no other reason than to piss ppl off and have a laugh at their expense.
"Hackers" yeah right. Lets do it boys, talk is cheap. Show us the java!
I'm curious, is there a policy for Firefox within SELinux, and would it restrict what a hacker could do with this exploit if it were available?
have you guys heard about the supposed vuln in firefox disclosed at toorcon today?
n +Firefox/2100-1002_3-6121608.html quotes me out of context in a way that makes it look like i'm trying to bribe them with $500 bug bounties :(
<Ryan> "Firefox re-entrant threading"?
<reed> http://www.toorcon.org/2006/conference.html?id=13
<Jesse_> yeah, that one
<reed> Jesse_: Did you go to that particular one?
<Jesse_> yes
<Jesse_> i also went up on stage to "debate" "disclosure" with them
<Jesse_> when i said "debate" "disclosure", i didn't mean the usual "how much time should security researchers give vendors to write and deploy patches before making the holes or exploits public" debate
<Jesse_> these guys were *against* disclosure
<Jesse_> preferring to keep the status quo of lots of vulnerabilities, large botnets (so they can be anonymous), etc. or maybe they were joking, it was hard to tell.
<Jesse_> they claim they can make $10,000 or $20,000 selling a vuln in firefox
<Jesse_> compared to $500 telling us about it
<Jesse_> selling to other blackhats, anonymously, using onion networks, of course
<dveditz> TippingPoint and iDEFENSE will pay up to $10K for IE and probably firefox vulns
. . .
<jX> http://news.com.com/Hackers+claim+zero-day+flaw+i
<jX> "...what we're doing is really for the greater good of the Internet, we're setting up communication networks for black hats," How exactly is that for the greater GOOD?
<dveditz> the black hats crusade for our freedom (and credit cards) against the evil fascist empire
<dveditz> they *earn* everything they steal by doing all the good they do keeping "the man" from owning the internet
. . .
<Jesse_> http://news.com.com/Hackers+claim+zero-day+flaw+i
<zach> Jesse_: they dragged you up on stage during their talk?
<jX> Jesse_: Yeah, doesn't reallyt make anyone look good, that article..
<Jesse_> "I do hope you guys change your minds and decide to report the holes to us and take away $500 per vulnerability instead of using them for botnets" is pretty close to the BEGINNING of a sentence i said
<Jesse_> the REST of the sentence was " or selling them to other blackhats for ten thousand dollars"
<Jesse_> with the whole sentence, it's clear that i'm hoping they'll change for ethical reasons, and that i'm not trying to bribe them
<jX> Jesse_: Yeah, but quoting you out of context makes for better copy.
<zach> Jesse_: did they actually drag you on stage during their talk as the article suggusts?
<Jesse_> zach: they left a lot of time after their slides, and asked me to come up
<Jesse_> zach: they told me before the talk that they might ask me to come up
<Jesse_> dveditz: yeah, about 20 minutes before
you must be new here
Starting now.
I found a bug (feature?) last night which allows limited fingerprinting and surfing analysis in Firefox by looking at the way it grabs .ico files.
Details here.
Well, Firebird, boy wonder, it may very well be ...
.. paranoid crackpot leftover from the days of Amiga.
The environment of a browser should be like a virtual machine. The Javascript or JavaApp running in it should be isolated from the rest of the system so that such exploits aren't possible. Mechanisms in the browser could be built in to allow you to still attach files to email in web based email sites which use Javascript while maintaining security.
Nobody really bothers yet. Hackers find vulnerabilities, but aside from 2 demo sites or a bash page there is not really much intention of exploiting the flaws; 10% is still too small compared to 90%, so if a group wants to abuse exploits they would rather go for the most used browser. Besides the few possible targets, Mozilla and Opera are also much faster at releasing updates than MS, so they wouldn't be able to exploit too much.
You couldn't "commandeer" my computer unless I gave my web browser administrator privileges, and why would anyone do such a foolish thing? Heh.
Is it time for a fork of mozilla/firefox that just includes no Javascript?
I'd use it. And I'm sure it'd be waaaay less bloated and slow.
With a little tweaking of comment settings & a high res desktop you can even get them both on the same page.
You say, Running remote scripts sans security model is a quaint idea. What do you mean by a "security model"?
I googled for "javascript security model" and the very first link is pretty good article that seems to describe the JavaScript security model. It doesn't have many good things to say about it, but there clearly is a JavaScript security model.
So I think you overstate the case, but I don't really know what you mean.
Why are we making life so much easier for crackers?
I pick on Ubuntu in particular as it is by a large margin the most popular desktop Linux distro.
Yeah, right. What they are really saying is, why give away a bug for $500 when we can sell it for much more on the black market?
In fact, the public advertisement of a "zero day exploit" makes a lot of sense if you want to establish yourself as a seller of other undisclosed exploits. Publishing the exploit is a gambit. You will lose the exploit as soon as it gets fixed, but you get your name in the trade press, on Slashdot, etc. Doing so, you establish credibility as a merchant of malware. You can set up shop, and advertise 30 other previously undisclosed bugs. Now, the botnet herders, spammers and other DDOS extortionists know where to buy a new exploit if they need one.
Try hacking *my* browser...
$ telnet www.google.com 80
Host: www.google.com HTTP/1.1
Get /
First, let me Second the previous comments about NoScript. I've also been using it for about a year, and find whitelisting to be only a minor inconvenience. I'm saddened by some of the JS Crud that otherwise legitimate sites try to foist on you, such as "Google Analytics", or the Tacoda ad-targeting that Slashdot uses here (which I blacklist).
(this is not a
You know, there are folks out there who would call what these hackers are doing an act of terrorism.
They are deliberately creating a network for criminals to use for communication purposes, and doing so by stealing computing power from others.
It's theft, it's immoral and these jackasses should, at the very least be locked up on conspiracy charges.
The egotistical little bastards do NOT have the right to commandeer my computer for some kind of secret club for pimply faced assholes to trade exploits and horse porn.
The only thing they're doing by holding onto the security bugs is making the internet a more dangerous place. Yes, Firefox should have been written better in the first place. Yes, the security team should have found these already. No, none of that justifies the childish actions they're taking now.
Or perhaps they're just talking smack, trying to look like big bad grayhats because they found a single flaw. I'd like to think that.
use the noscript plugin...
https://addons.mozilla.org/firefox/722/ make a whitelist containing your REALLY trusted sites
never worry about this again...
Debian security has been quite fast to release fixes in my experience. That's one of the great things about Debian stable: you get a stable, secure system with security updates for quite a while after its release.
I'm sure there are also plenty of criminals who would LOVE to get their hands on "over 30" unpatched vulnerabilities in a piece of software whose users are largely technologically inclined, smug about feeling more secure and likely to control some rather beefy servers.
These morons could just as easily be disappeared by a criminal element. As a matter of fact, criminals are probably more likely to actually kidnap and torture these guys.
US forces use some rather nasty torture techniques, but to the best of my knowledge, the CIA doesn't put extremities into deli slicers and run them until the subject talks.
Besides flamebaiting news outlets, who starts off talking like this?
I'll admit: it is a factual statement with the wording just slightly rearranged from what is the normal English sentence flow. But rearranged in such a way as to maximize the outrage reaction, thus increasing readership. It's stupid reader puppeteering, and CmdrTaco knows better and he ought to knock this shit off.
You think a friend would say something to you like "You're a pathetic dickless loser, said these guys around the corner."? No! Only an asshole would say things that way.
Slashdot is not your friend. Slashdot is an asshole.
Yeah, it's offtopic, hence posting AC, but consider the possibility that I have a point.
You know, there are folks out there who would call what these hackers are doing an act of terrorism.
And now, with the elimination of habeas corpus, they should probably stay out of the U.S.
Wonder how the management at SixApart feels about a having a black hat work for them who brazenly scoffs at the notion of responsible full-disclosure and releases a 0-day exploit to the public. Sort of answers the question in an earlier Slashdot post about whether companies should hire blackhats to work for them. In this case, the answer is a resounding NO. SixApart should fire this guy's ass immediately.
>What does that even mean?
This may offer some elucidation:
http://antisec.wordpress.com/2006/01/05/stop-aiding-an-industry-which-just-hurts-humanity/
(sarcasm) Yes, our only hope is that Debian developers can patch the hole in time! (end sarcasm)
Debian releases security patches at least as fast as any other major distro. They're slow with *feature* patches. e.g., they're still using mysql 4.1.11 on sarge, which is about 18 months old.
However, it's a special version that includes all the *security* patches from the last 18 months.
Debian would be absolutely worthless if it wasn't for their frequent and rapid patching system. As it is, they release several security updates for the stable distro *every day*. If and when this hole is patched, there'll be an update to the Sarge version of IceWeasel within 24 hours.
No, this is the real article, three blogs down.
MAYBE NONE OF, PROBABLY ALL OF, AND DEFINITELY MORE THAN:
New ways of getting your load onto your quivering victim's stack
Reaching into the hearts and minds (also the genitals) of users.
Firefox re-entrant threading lols
Patching BIOS for kernel-patching rootkit memory injections
Aggressive AIM attacks and escapades
Internet hilarity, sexual innuendo, LOLDONGS
I realize this was a joke, but there have been remote exploits for terminal programs in the past.
Google on "ansi bomb" for some classic examples.
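The "ansi bomb" reference above points at a real class of terminal attack: escape sequences embedded in untrusted output that clear the screen, hide text, or (on old ANSI.SYS-style terminals) remap keys. The following is an added example, not code from the post above or from any project the thread discusses. It implements the standard mitigation, stripping escape sequences and stray control bytes from untrusted text before it is written to a terminal; the sample text is constructed for the demonstration.

```python
import re

# Constructed sample of untrusted output: a harmless line, then an ANSI-bomb-style
# payload (clear screen, home cursor, "concealed" attribute), an OSC sequence of the
# kind used for title changes, and a bare ESC c full reset.
SAMPLE = (
    "normal log line\n"
    "\x1b[2J\x1b[H\x1b[8mhidden text\x1b[0m\n"
    "\x1b]0;owned\x07still here\n"
    "\x1bc reset attempt\n"
)

# CSI: ESC '[' parameter bytes (0x30-0x3F), intermediate bytes (0x20-0x2F), final byte (0x40-0x7E)
_CSI = r"\x1b\[[0-?]*[ -/]*[@-~]"
# OSC: ESC ']' payload, terminated by BEL or by ST (ESC '\')
_OSC = r"\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)"
# Other escapes: ESC, optional intermediates, one final byte (ESC c, ESC ( B, ...)
_ESC_OTHER = r"\x1b[ -/]*[0-~]"
# Order matters: OSC and CSI must be tried before the generic ESC form, which would
# otherwise consume only "ESC [" and leave the CSI parameters behind as visible text.
_ESC_RE = re.compile(f"{_OSC}|{_CSI}|{_ESC_OTHER}|\x1b")
# Remaining C0 and C1 control bytes (8-bit CSI at 0x9B included), keeping tab and newline.
_CTRL_RE = re.compile(r"[\x00-\x08\x0b-\x1f\x7f-\x9f]")


def strip_terminal_controls(text: str) -> str:
    """Return text with escape sequences and control bytes removed; printable content is kept."""
    text = _ESC_RE.sub("", text)
    return _CTRL_RE.sub("", text)


def has_terminal_controls(text: str) -> bool:
    """True if writing text to a terminal would send it anything other than printable text, tab or newline."""
    return bool(_ESC_RE.search(text) or _CTRL_RE.search(text))


if __name__ == "__main__":
    print(repr(strip_terminal_controls(SAMPLE)))
```

Run the filter on anything that originated remotely (log lines, HTTP bodies, filenames from a listing) before echoing it to a terminal; the concealed-text sequence in the sample is the one that makes a "hidden text" payload invisible to the reader while still present in the stream.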
"$ telnet www.google.com 80"
security by obscurity!
just wait till more people switch from FF to telnet.
To be clear:
Firefox had a build switch that allowed folks to build it without branding (and do whatever they wanted to it) or build it with branding (and follow Mozilla's rules to create a consistent user experience).
Debian devs took that build switch and broke it, so that everyone wanting to modify or adjust the Debian Firefox packages would have to go through and hand edit out Firefox if they wanted to remove branding. They then packaged this broken thing up, and still called it Firefox.
Mozilla said that was bogus, and they were right. Having that build switch makes it easier for folks to make changes to the package without worrying about branding. Redhat and others do exactly this with artwork/branding packages. We are ALL better off if such easy build time switches are available.
I've been around a while, but the Debian developers are way out of line here.... You can't create some crazy messed up Debian distro and call it Debian, you can't create a crazy Red Hat distro and call it Red Hat, so why is Firefox getting all this heat? The amount of fuss they are creating is bogus and disappointing. I read through the snide commentary and it really is depressing. Even the Mozilla Foundation suggests that a non-branded version of Firefox would work better for them.
random@workstatiuntoo:~$ telnet www.google.com 80
Trying 72.14.203.104...
Connected to www.l.google.com.
Escape character is '^]'.
Get /
Connection closed by foreign host.
:x
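The two telnet transcripts above are a joke, but the closed connection in the second one has a concrete cause: an HTTP request begins with a request line, the method token is case-sensitive ("GET", never "Get"), headers such as Host follow it, and a blank line ends the header block. The script below is an added example, not part of either post: it starts a tiny loopback HTTP/1.1 server and sends three raw request variants exactly as a telnet user would type them. The server, hostnames and replies are constructed for the demonstration; the status codes are those of Python's http.server (501 for a method it does not recognise).

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


class _OkHandler(BaseHTTPRequestHandler):
    """Minimal origin: answers any well-formed GET with 200 and a short body."""
    protocol_version = "HTTP/1.1"

    def do_GET(self):
        body = b"ok\n"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demonstration quiet


def start_server():
    """Start a loopback server on an ephemeral port in a daemon thread; returns (server, port)."""
    srv = HTTPServer(("127.0.0.1", 0), _OkHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def raw_request(port, request):
    """Send raw bytes as typed into telnet, half-close, and return everything the server sends back."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as s:
        s.sendall(request)
        s.shutdown(socket.SHUT_WR)  # no more requests on this connection
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


def status_code(reply):
    """Parse the status code from an HTTP/1.x status line; None if the reply has no status line."""
    first = reply.split(b"\r\n", 1)[0].split()
    if len(first) >= 2 and first[0].startswith(b"HTTP/"):
        return int(first[1])
    return None


# Constructed requests: the correct form, the lowercase method from the transcript,
# and the Host header typed ahead of the request line (as in the first joke post).
CORRECT = b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
LOWERCASE_METHOD = b"Get / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
HEADER_FIRST = b"Host: www.example.com HTTP/1.1\r\nGet /\r\n\r\n"


def demo():
    """Return the status code each variant earns from the loopback server."""
    srv, port = start_server()
    try:
        return {
            "correct": status_code(raw_request(port, CORRECT)),
            "lowercase_method": status_code(raw_request(port, LOWERCASE_METHOD)),
            "header_first": status_code(raw_request(port, HEADER_FIRST)),
        }
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print(demo())
```

The header-first variant is instructive: the server parses "Host:" as the method and "www.example.com" as the path, so the request is syntactically valid HTTP/1.1 with an unknown method, which is why it gets the same 501 as the lowercase "Get" rather than a 400.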
Dude? Are you being paid to post this stuff? You already posted this on this article.
Please don't compare these black hats to people who flew planes into buildings. The Bush administration already doesn't need an excuse to throw people in jail without trial indefinitely. Putting these people in jail on the "terrorism" pretext only gives W that much more perceived credibility.
So what you're saying is that my Debian installation of Firefox v. 0.80 will be patched soon?
Which is why it's smart to run NoScript, a Firefox extension that blocks the execution of any scripts on a webpage without user consent. So, if you're tired of Javascript taking over your Firefox, get NoScript.
https://addons.mozilla.org/firefox/722/
Breaking into people's personal computers is every bit as romantic as shooting someone in the face. The fact of the matter is that an arbitrary execution flaw will not be used to free up the flow of information, except for the flow of information about p3n1s p1lls onto every fresh patch of the `net, always provided to us graciously by zombie machines.
You want to wake up? Here's some up-waking for you: Hacking isn't about allowing "free speech" on the internet (which already exists), it's about getting big money from underground Mafias. These people aren't disclosing the flaws to Mozilla's bug bounty program simply because they think they can make more than $500 via spyware and virii.
Anybody know how to run firefox as an untrusted X client? I tried, but I just get this:
Lynx has an exploit of its own: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2004-1617
Why UNIX?
Links. It can do it all.
Ironically, that appears to be by Bantown, the group who hacked LiveJournal (which I think is where Mischa Spiegelmock works).
But I can certainly appreciate your frustration as it's been quite apparent for some time now that there has been an increased trend of moderators modding based on a post's support or non-support of their viewpoint/agenda instead of modding based on the post's actual merit.
But if the majority of mods are 'voting' (with their mod points) for a particular slant on a given topic, then it can be concluded that the majority of the readership is of the same opinion. So they're getting what they want (to the detriment of rational discussion).
Yes, sadly, it's almost time to abandon slashdot... :-(
..until we boycott and shun enough javascript and active x and any other 'active', "we will slam unknown code on you from the web until you submit totally" site out there.
There is no fix for this. NONE
You either accept executables on web pages and assume the bulk of the websites out there will all use them (and it is getting that way now), or you don't.
We either will have a secure web, or an active web, you cannot have both.
Automated code generating tools will eventually force *multiple 0 day hacks on browsers*, possibly into the hundreds or thousands. You literally won't be able to keep up with the multitude of "emergency patches" required, and it is from a couple things primarily-buffer overflows and active scripting no matter the name of the script.
You cannot make javascript secure because of this "feature", it is *designed* to be an executable. Same with all the other looping zooming call this and bring down that AJAX candy and whatnot shyte.. And you won't get them to stop coding it until they are LIABLE FOR DAMAGES and are forced to offer consumer warranties on released code that is designed to surf the open internet, and I don't care which operating system or license you might care about either, code needs a warranty with it to make it suitable for purposes, just like every other CORPORATION has to offer with their PRODUCT. Once they are liable, they will stop coding crap using junk like javascript. MS is a corporation that wants to make money, mozilla, the same now, opera, the same, apple, the same. That's where the bulk of the browsers used on the web come from, 99% or better. For-profit corporations, they need to be forced to offer a warranty, simple as that. Once that happens, the pressure will then switch bigtime from those companies literally saying they will not recommend their users go to pages that aren't blessed by no bad code, it will force the web designers to stop using crap that makes people vulnerable and that you are forced to use if you want to surf normally.
Saying you can "turn off javascript" or use some patch hack is not a solution, that is just pure crap now and everyone knows it, and it never will be. There are too many sites now that require it, and the sites themselves are vulnerable to getting pwned because they use insecure active scripting directly on their web pages. See how this will never be fixable as it stands now?
There needs to be a complete revolution about this, a complete admission that the web has gone off course into mega-stupid-land in favor of blinking crap and eyecandy.
And before the first idiot troll reactionary numbnut claims that JS can be made secure-show us that code! Show us that exact magic code you have written in your uberleetness that will make all JS be secure, something every webmaster can go slap on right now and get rid of JS insecurity! Go ahead, you'll be rich!
The problems are we can't mod moderations "retarded"; and moderation is secret. These have always been serious slashdot problems. Metamoderation is out of context (and extremely inconvenient to put into context... you know more about the thread when you're reading it than you do when you're metamoderating.)
Slashdot improvement ideas (other than cosmetic) here.
irony indeed.
It should also be pointed out the Windows can run a browser from a sandbox, too. Just like Linux, privilege escalation exploits aren't uncommon. And just like Linux, a compromised browser is a major problem.
i did not write that document.
its views are not mine.
see those things in the subject? they're called 'quotation marks'.
i was responding to the OP saying he could not understand Wbeelsoi's comment about 'helping the Internet' by using browser 0days to allow communication between blackhats. the document i linked to, which you were apparently able to read, explains what may have been meant by this.
Determined not to be upstaged by the Mozilla developers, now that Firefox has a 0 day exploit too, Microsoft's IE team has announced that they've started working on technology that will allow their browser to have -1 day exploits.
There'll always be Idiots and Jerks, these two are the unfortunately not so rare combination of both. All in all, nothing to see here, go home.
Oh and since everyone's recommended NoScript, I'd also recommend firewall tools like Sunbelt Kerio Personal Firewall (KPF), which can be configured to pop up a box every time your system attempts to run a program, very handy to stop any spyware/adware/anything you don't want loading on your system.
This exploit (or one similar) was mentioned in an episode of Security Now (about 3 weeks ago, I think). A potential solution was install a plugin called noscript, which allows the user to enable javascript on a per-site basis. I've used it since I heard about it, and I believe it can play a major role in preventing the execution of any rogue javascript.
One point is being missed here: how did they find these 0days? It's easy - they just study the source code and find flaws.
This is the other side of the "many eyes make bugs shallow" coin: many eyes make exploits shallow too. If your bad guys are more motivated than your good guys to find exploitable bugs (and why not, if they're worth $10K each!), open source can be inherently less secure than closed source.
It's just good that Firefox has only 10% of the market. If it ever goes over 50% we're in for a security nightmare.
If a hacker publicly reveals a vulnerability to the degree where someone else can break into a system and do damage, and the hacker did not disclose the vulnerability, why wouldn't the hacker be liable for such damage? Wouldn't this be abetting a crime, if the crime were to occur?
I'd like to think that he was gnashing his teeth at the folks who wrote that original quote.
Or maybe he was being stupid. But I read it as a reply to the sanctimonious pricks who make a living enabling the Russian Mafia' spamming activities.
Maybe you want to as well? This is absolutely retarded behavior.
From: [me]
Subject: Responsible disclosure and reckless behavior
Date: 1 October 2006 14.23.23 GMT-04:00
To: mena@sixapart.com, ben@sixapart.com, brad@danga.com
Cc: mischa@sixapart.com
Hello,
I read this article on ZDNet describing how your employee Mischa Spiegelmock found and revealed a zero-day Firefox flaw:
http://news.zdnet.com/2100-1009_22-6121608.html
Mischa and his co-researcher Wbeelsoi refuse to reveal specific details on the flaw--or 30 others they found--to the Mozilla Foundation:
"The two hackers laughed off the comment. 'It is a double-edged sword, but what we're doing is really for the greater good of the Internet, we're setting up communication networks for black hats, Wbeelsoi said."
Considering LiveJournal's recent security flaws causing everyone to change their passwords due to browser-based flaws, do you really want someone working for you who makes the problem worse? To be sure, there is merit to the argument that revealing the flaws would allow Mozilla to continue to use a badly buggy implementation; however, there seems to be more to this.
From FireFox's IRC channel, some dialogue from Jesse Ruderman of the Mozilla foundation, who attended (via Slashdot: http://it.slashdot.org/comments.pl?sid=198519&cid
" they claim they can make $10,000 or $20,000 selling a vuln in firefox
compared to $500 telling us about it
selling to other blackhats, anonymously, using onion networks, of course"
Is one of your employees looking to profit off vulnerabilities in Firefox? With the large number of huge enterprises using TypePad and SixApart software, do you really want to risk him embedding JavaScript code to activate this flaw in your products? If he's saving these flaws to profit from them, what's to say he won't look for the bigger payouts of actively punching holes in your products?
That's unlikely--but more likely is that your customers will hear about this and refuse to do business with you because you have an employee who is actively seeking to make the Internet a more dangerous place.
If I misunderstood anything in these articles, I apologize completely. However, what was described in the article was so outrageous that I had to write.
Best regards,
[me]
... but a compromised virtual machine can still operate a bot and spam the heck out of anybody it pleases, as well as capture any passwords you may type in and mail them back complete with appropriate URLs for your bank site, for as long as you keep the VM session running. Either of these strikes me as a good enough reason to not trust my security wholly to the VM, unless the VM has an *extremely* fine-grained permissions model. And I wouldn't want to have to be the guy who wrote that permissions model.
You make some extremely good points in your journal entry. And of course, the moderation of your post is the icing on the irony cake...
Makes it fine for servers; the last thing I want on a server is to have to constantly upgrade programs solely because a newer version is available.
Get a few dozen Linux servers and try to stay updated and you will drive yourself nuts.
I hear SCO has a nice distro. Maybe you should switch.
Having to work for a living is the root of all evil.
There will always be exploits. Some jerk can always dig through code or disassembly and find a way. This means that our computing environments are inevitably disposable once they become popular (aka targets). One could accept this and use a technology that works for this model. If for example you made a Norton Ghost image of your computer once it was set up properly and then restored from this whenever things went awry, you'd only have to avoid browsing the sketchier parts of the web until you got your security updates. Some people are working on making this much simpler. If you were to browse inside a virtual machine that rolls back to a safe state each boot, then you would automagically throw away any exploits that dug their way into your system.
This is why I use NoScript. I decide whether or not I trust a site enough to run JavaScript or not. The only downside to this FF addon is that you really have to remember it is installed, or sometimes Flash sites or interactive menus just don't show up and you have no idea why... just remember to allow that site. ;p
This is one of the funniest things I've read on /. in 1d20+6 months. I wish I had mod points to give you, but instead I'll trash my own karma with this comment.
Thanks for making me laugh.
In the UK, interfering with any electronic system for political purposes is defined as terrorism. The same definition of terrorism is used in a more recent law that criminalises speech that glorifies terrorism.
Of course, that says more about the abuse of the word "terrorism" than it does about the morality of withholding exploits.
What about ELinks? It supports an amazing 256 colors and tabbed browsing?
Perhaps it's the result of another firefox exploit. :)
include pwn; pwn(); document.write ("1f j00 R r33d1n6 7h15, j00 h4v3 41r34dy 633n 9wn3d.");
And still I have no clue about what I need to do to prevent this without globally "disable javascript" (with noscript)
It sounds more like a Microsoft recommendation than anything.
I know some very intelligent people will be looking at the code at present, but a bit more information about possible timescales would be nice.
Before anyone says go look on mozilla forums, I have been there and the one thread on the subject has the same crap posted here.
No-one appears to be doing anything about it and that worries me.
Is it lack of details about the exploits? Is it lack of understanding? Is it just a very complex bug being examined in private?
liqbase
A lot of bugs are posted in the bugzilla about thunderbird and firefox, and the team is reluctant to solve them. Instead they close the issues! Both teams are very slow developing open source software. Nothing to do with projects/foundations like OpenBSD, FreeBSD, NetBSD, Linux, Apache.
At least the Mozilla foundation have the balls to rate this Critical. MS would rate this low-med.
Firefox: Hackers "claim" zero-day flaw in Firefox
Biased much?
Anyone can "stand up for what they believe", but it takes a very brave individual to change what they believe. - Loundry
> A potential solution was install a plugin called noscript
"Extension" or "Addon" called noscript, not a plugin. Plugins allow you to play with Java Applets or view Flash movies.
would this really be a firefox issue or a java issue?
(yes i know i suck at spelling fell free to correct my grammar and/or spellin i dont care, im still not going to change
I think the point is that there are laws regarding stuff like that. If not Patriot Act violations, you could probably make a strong case for organized crime.
Maybe that's why those apple wireless guys flaked too, decided that they can't show the demo for some reason.
Even if you turn off Javascript for all sites except those on some whitelist, there's no reason one of those sites can't be hacked and have malicious javascript inserted. There are only two ways to be safe from Javascript vulnerabilities:
1. Turn off Javascript completely for all sites.
2. Use a browser with a rock-solid Javascript implementation.
One is easy, but breaks functionality, as people rely on Javascript for everything nowadays -- mostly for things that don't need it. As for two, Firefox will never be this browser unless it is fundamentally re-architected, as others have mentioned here. It seems like the only option currently is to pick the safest browser you can find (I run Safari, which has far fewer vulnerabilities reported than Firefox, although I realize that means little in an absolute sense), sandbox it as best you can, be wary of any site you go to, keep your data backed up, have good password policies (don't use the same password for Slashdot and your bank account), and cross your fingers.
This sucks -- We're still paying for the browser feature race that Microsoft and Netscape had years ago. This is not to say that passing code to a client and having it run it to render something is a bad thing. No one is up in arms about Postscript. What we do need is some technology that is limited to certain very specific things, and is not depended on to interact with the browser itself in any major ways (as it currently is in Firefox). Saying "draw this line 10 times" is fine. Saying "open these tabs and turn off your bookmark bar" is not. Once you go past Postscript-level rendering and into client UI or system interaction, you're just asking for it.
OSS needs this in licenses. Forget the DRM stuff GPLv3 is trying to deal with, let's try to deal with a real problem that we can solve. This is a minor act of terrorism-like behavior: they go out, announce they have a bunch of exploits that they aren't going to publish and basically say they would rather get them to other black hats than to Mozilla to fix them. That should be criminal, and if it's not, and since I don't trust the government to do it right, Mozilla should have recourse to sue these guys for damages and to figure out fixes to the problem.
Look at the apple wireless thing, same exact problem. We'll never know if there was a real exploit, it will never be released or actually demoed. Any time apple fixes anything in the wireless area (and they'll continue to fix stuff for years) a group of people will simply parrot that the whole thing was real, another group will do the same and echo the fraud charges. The fact remains that it is the least responsible disclosure, it is an attempt to generate fear that cannot be fixed and generate some fame and defame another company all at once.
RMS mandate full disclosure in the next GPL.
Maybe they want to drive people back to IE.
It drove me to Opera. Their plan didn't work so well.
The hackers claim to have 30 exploits that they do not intend to disclose to Mozilla. Then Wbeelsoi says he intends to use the exploits maliciously: "we're setting up communication networks for black hats." The public bragging is plenty to establish probable cause. The second statement shows clear intent to break the law. There is no reason why these people should not be arrested and a warrant issued for all of their computers. At the very least they should be investigated, and when they sell the exploit to the Russian or Israeli mafia for big bucks then these boys could spend some hard time.
-- QED
That's too bad about FireFox being essentially written in JavaScript. SpiderMonkey, the JavaScript interpreter in Firefox, is BY FAR the worst programming language (in terms of speed and memory use) of them all, according to the Computer Language Shootout.
When you compare all the languages on CPU time, SpiderMonkey JavaScript is twice as slow as the second worst, Ruby.
When you compare all the languages on memory usage, SpiderMonkey is 1.7 times as bloated as the second worst, Smalltalk Visual Works.
When you compare all the languages on CPU time AND memory usage, SpiderMonkey is 2.1 times as bad as the second worst, Smalltalk GST.
Firefox would be much better off using Lua, which is much easier to integrate with C code than SpiderMonkey's nightmare sausage factory, much faster, much smaller, and a vastly better language design. The fact is, that good language design has a huge effect on speed and memory usage -- you can't just stick your head in the sand and pretend good language design isn't important, like the PHP and JavaScript designers originally did and still do. Bad design paints your bad implementation into a bad corner, and there it stays.
Here's how Lua and SpiderMonkey JavaScript stack up against each other. Lua TOTALLY smokes JavaScript, in every category, by a long shot. It's not even funny -- it's tragic. Face it: JavaScript is not only a horribly designed language, but SpiderMonkey is also a horrible implementation of that horribly designed language. So it's no surprise that SpiderMonkey has always had gaping security holes, to complement its horribly slow speed and extremely huge size.
-Don
Take a look and feel free: http://www.PieMenu.com
I've been using NoScript for over 6 months on all my computers; it's a must-have extension if you use Firefox. The ability to block Java, Flash and other plugins as well is a very nice touch.
This probably isn't very interesting to the majority of Slashdot readers, who we'd expect to have the knowledge and sense to have long ago turned off JavaScript and all other scripting things in their browsers. Right? Right .....
Those who do study history are doomed to stand helplessly by while everyone else repeats it.
Can anyone get it to work on FF on Mac OS X?
Are the extensions supposedly platform independent? Because if I go to the extensions menu from Mac OS X it offers up NoScript, it just doesn't work.
http://lkml.org/lkml/2005/8/20/95
Here's the "standard" way to add a bookmark to the current page in Firefox:
So it's a good thing that Firefox's JavaScript interpreter leaks references to internal functions that web scripts aren't supposed to access. Because some of them are useful, interesting functions that are fun to call!
-Don
Take a look and feel free: http://www.PieMenu.com
... in Linux and Firefox is actually no concept at all. They could use process separation through SELinux but no distro does it for critical desktop apps like ICQ messengers and browsers. And even if they do, the browsers themselves need to be deeply refactored: information flow must be controlled at a simple level, and a good solution would probably be to detach and isolate a process depending on the remote website's SSL cert: that way even cross-site scripting attacks would not have been possible and password/cookie information theft could be prevented relatively securely. Security implies a concept. Just programming a scripting language such that it looks secure is not enough. You have to use simple and easy to understand barriers (like domain transitions).
And even that is no guarantee for security. Actually, with today's solution you cannot securely isolate process domains. You can still use bandwidth modulation (RAM, disk etc.) to send information to any other process on the system (it just needs to measure the bandwidth...). I think such problems can only be avoided if one uses a proven concept to build the whole OS.
But who am I to tell how to do such things. Wait a few years, and I'm usually proven to be right.
The question becomes; is it possible to code a truly "secure" browser app?
There's many answers, depending on what you mean by secure...
1. A browser in which no path through the code can in principle be exploited. Technically, yes, but in practise you're unlikely to see such a browser in wide use because it wouldn't permit third party plug-ins nor would its scripting language allow many of the capabilities people are used to seeing.
2. A browser in which no security flaws can be practically exploited. This would be possible, if you don't count holes in third-party plugins. You would need to implement the browser in an inherently safe language and restrict the ability of scripts to only change the presentation of data, to communicate with plugins at a high level, and trigger events within the same document.
3. A browser in which no security flaws require changing the exposed API to be fixed. This is easily implemented, and Gecko is actually not far from it. Scripts would need to be somewhat restricted to prevent cross-site information exposure, but most of the problems with Firefox are at a higher level... for example, the use of the same scripting engine to implement user interface features and to execute untrusted scripts, or (and worse) the support code for XPI installs from the web that requires a hole in the sandbox to implement. A browser such as Camino that uses Gecko for rendering HTML but implements the user interface in native code is safer in principle.
4. A browser in which 'trusted' documents can run unsandboxed code, and which is still secure? Not possible. This is where Internet Explorer is. The difference between point 3 and point 4 is huge... you can build a class three secure browser using the Gecko engine with minor changes that don't affect the API. You can't make a class 4 browser secure without turning it into a class 3 browser, and to do that you have to fundamentally change the API. Microsoft could do it now, but it would have been much easier for them to do it in 1998.
If you tell Mozilla there is a hole, then refuse to disclose it to them, and further you tell them that you intend to use it to create a botnet, the only thing I can say is these crap heads should be labeled what they are: terrorists. Send them to Gitmo with the rest of the terrorists, never to be heard or seen again.
Got Code?
I thank these guys for disclosing enough information to fix this one flaw at least. Too bad they didn't follow the better way of informing Mozilla first so that we could have had patch by now.
On the other hand, these guys are morons and criminals. They admitted to breaking into other people's computers. And they admitted to having more undisclosed exploits they either plan to sell to other criminals or to use them themselves to break into more people's computers to do whatever criminal things they are planning to do.
Whoever employs these guys should fire their sorry asses immediately, and report them to the police at the same time.
Any ideas anyone?
Javascript is not inherently insecure any more than java is, or flash is.
If the operations that javascript can perform are properly restricted (which they pretty much already are) and the implementation is properly sandboxed (which apparently it isn't right now on firefox) then you can ran an arbitrary javascript program without consequences.
Javascript is important to many companies' business models, and if you haven't noticed already, the web has moved to using *more* javascript lately, not less. People use javascript to deploy fairly thick clients, to asynchronously update a page without postbacks. Some web toolkits don't even render most html on the server, but send data to the client, and let the client handle display.
The bottom line is that businesses now widely use the web to distribute *applications* in a way that they used thin clients to distribute applications in the past. For them, the web is the new x forwarding. Using browsers sans javascript is not an option for them, so it is not going to happen.
What really needs to happen is better sandboxing. Also, sandboxing has to go further than it has in the past. One problem that javascript has is that it can use up a lot of processor time, and effectively bring the system to a halt, or at least cause usability problems in other applications. Browsers need to regulate the cpu and memory resources that javascript can use better to ensure that this doesn't happen.
Also, what sort of drugs do you have to be on to name your kid "Window"?
Kind of like asking "what kind of religious zealots do you have to be to name your kid after an apostle?" Don't slander someone's parents just because you think they have a silly name; ever consider that her parents may have named her using a language where "Window" means something other than a way of letting the sun in?
I've been explaining how Firefox is essentially written in JavaScript for ages and every time I explain it I get called a troll. It's true. Firefox is written in JavaScript, if you accept Firefox as the UI for a browser built out of the Mozilla libraries. Otherwise this can descend into definition wars and I'm not up for something that stupid.
This wasn't a Firefox-only decision, Mozilla has been built like this from day 1, and it's a VERY BAD THING. The same JavaScript engine is used to run privileged "chrome" script and unprivileged webpage script. By "same engine" I mean "the same instance of the same engine in the same memory space running in the same thread using the same objects". And, needless to say, this is a security vulnerability waiting to happen.
And it has. Repeatedly.
And it will continue. Repeatedly.
Which brings me to my other unpopular opinion: Firefox and Mozilla in general have hurt open source. They're sucking interest away from creating a real, good, open source browser. Konqueror is a better browser in some ways than Firefox, but it doesn't get anywhere near the attention that Firefox does. Unfortunately Konqueror is fairly heavily tied into KDE and doesn't really make a very good stand-alone, cross-platform browser.
But if Mozilla hadn't sucked all the interest away, it very well could be.
I'd love to see an open source project work on creating a powerful, cross-platform, SECURE browser to replace Firefox. Right now, that's not happening, and short of Firefox disappearing, it doesn't look like it ever will. And that's depressing.
Just watch out for message boards that you visit that may be vulnerable to a cross-site scripting attack. Lots of them rely heavily on Javascript, and lots of them are insecure.
Except you shouldn't be adding bookmarks to a user's browser from your web pages. It falls into pretty much the same category as using the BLINK tag.
Am I reading that code wrong, or does that automatically click on the button to add the bookmark, thereby not giving the user the chance to cancel?
"Those who consume the bulk of goods are those who make them. We must never forget this secret of our prosperity."
Each time there is a report for a vulnerability, the reason why this vulnerability exists is not mentioned at all, let alone analysed.
So, I am asking: is it because of flawed design or because of using C as the language to program firefox in?
If it is the latter, then maybe we (i.e. the software community) shall consider stop using C and move to a safer environment (e.g. Cyclone).
nt
Pretend that I don't know, and that I care.
If you were blocking sigs, you wouldn't have to read this.
Ok kids, when you release el8 0-day sploits, make sure google doesn't return this:
as the first hit on a search on your name!
Consumating - A new way to find people who don't suck...
Exactly what his profile espouses, wtg!
PS: I admit I googled him in the first place because I wanted to see if he was as hot as Mischa Barton, whats up with guys with girls names anyway?
I put on my devils advocate hat and robe:
Maybe they realize the impending segmentation of the Internet by large corporate interests (i.e. a non-neutral net) and they're setting up a system to "strike back" at the man? They see a future of the Internet where the big companies really do rule the roost and they're just getting a nice stockpile of ammo to throw around.
Think about it, some of the same things are said about terrorists. If we open up laws to make is easier to hunt down and eliminate them, then they'll up the ante in ways to help insure their continued survival. They also think what they're doing is for the greater good of mankind.
I'm a fiscal conservative, it's a pity we don't have a political party anymore
if they get deluged by outraged email, hopefully they will get the boot real quick. but still, how to trust sixapart again, unless they do a complete code review (as if!)?
There was a thread on this at digg.com a day or two ago. It's not that they're withholding the exploits. What they claim to be doing is creating Zombie PCs to build a Darknet for "Black Hats" to communicate.
In other words, the SOBs are selling exploit code to organized crime.
We're dealing with punks who need a good long stay in a Federal Penitentiary.
"Live Free or Die." Don't like it? Then keep out of the USA
So it exploits Firefox. What about Mozilla? Or the other browsers from the same source?
Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
Here is a quote from an email from Mozilla that captures this nicely:
A couple things are important here. First, does that look like things were agreed to on a license grant? I read this as debian deciding to ignore the policy. Second, does debian have the right to sublicense their supposed grant to avoid the artwork and change the packages to other groups who want to use firefox? I doubt it, even under the debian interpretation of a grant. So you've broken the DFSG with the community who would use debian, and is going to be stuck tearing out references to firefox by hand now if they want to create works based on debian.
The choices here seem pretty clear. Fight a legal fight (that despite your "fact" you are likely to lose because you expressly state you are going to ignore the policy), or make a small and simple change that will avoid the whole issue altogether.
This is a losing debate I think for Debian, because regardless of what legal technicalities you try and hang your hat on, you are going to find little support for your actions, because almost EVERY open source project actively discourages your type of activity, which is stripping visual identity, changing packages, but keeping a trademarked name. I suspect Debian would take the SAME position with others creating versions of Debian and calling them Debian.
Why then fight so hard to do something that you would make a stink about elsewhere, even if you think you can get away with it, especially given how very weak the case is to someone who has actually read the entire bug and entire email thread.
It seems time could be better spent on other things.
...cute: http://www.consumating.com/profiles/Mischa_Spiegelmock
That "thumbs down" icon looks very tempting though...
It isn't irony, it's the 'puzzle' starting to fit together, where do you think they got the source code to find the XSS bugs for LJ? (which by the way, they never 'hacked' lj, they were stealing peoples cookies)
So you're saying it's ok for the browser to leak references to internal functions, because your user interface guidelines dictate that it's a bad idea to call those particular functions (even if my clients dictate they want a button that does that on their web page)?
My point, in case you missed the sarcasm, is that Firefox's JavaScript implementation is so complex and tangled that it leaks pointers to functions that web based scripts should not be able to call. If you can call the function to add a bookmark, then what kind of other functions are sitting there waiting to be cherry picked and called by malicious scripts?
-Don
Take a look and feel free: http://www.PieMenu.com
Yes, you're reading the code wrong, because it's very tricky. The event is not used to click on a confirmation button (that would be impossible), it's used to trick the browser into executing a JavaScript function in a different (trusted) context, where it can directly call the addBookmarkForBrowser function (which normally can't be called by untrusted code). The way it does that is to add a getter method hook to the head element "ownerDocument" property, so the hook gets called in a totally different (trusted) context when the dummy event is handled. The trusted event handling code foolishly accesses the head element's "ownerDocument" property, which calls the code provided by the untrusted web page, in a trusted context.
-Don
Take a look and feel free: http://www.PieMenu.com
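The "same engine, same objects" hazard described above (a content-defined getter running while privileged code is on the stack) and one defensive read pattern, as an added illustration that is not code from the thread or from Mozilla. Everything is simulated in plain JavaScript: `currentPrincipal`, `addBookmarkForBrowser`, the element objects and `readDataProperty` are all constructed stand-ins, and no real browser internals are touched.

```javascript
// Added illustration, not from the thread: why letting untrusted script define
// accessors on objects that privileged ("chrome") script later reads is risky,
// and one defensive read pattern. Everything here is a constructed simulation.

// Dynamic "who is running" flag, standing in for a caller-context check.
let currentPrincipal = "content";

// Simulated privileged operation guarded only by the dynamic principal.
const bookmarks = [];
function addBookmarkForBrowser(url) {
  if (currentPrincipal !== "chrome") throw new Error("permission denied");
  bookmarks.push(url);
}

// Constructed stand-in for a DOM element shared by both sides.
function makeHeadElement(doc) {
  return { tagName: "HEAD", ownerDocument: doc };
}

// Naive privileged event handler: switches to chrome, then reads a property on
// an object the page controls. Any accessor the page installed runs as chrome.
function naiveTrustedHandler(element) {
  const saved = currentPrincipal;
  currentPrincipal = "chrome";
  try {
    return element.ownerDocument.title;
  } finally {
    currentPrincipal = saved;
  }
}

// Defensive read: accept only a data property, never invoke an accessor.
// Walks the prototype chain like normal lookup but refuses getters/setters.
function readDataProperty(obj, name) {
  for (let o = obj; o !== null; o = Object.getPrototypeOf(o)) {
    const d = Object.getOwnPropertyDescriptor(o, name);
    if (d === undefined) continue;
    if ("get" in d || "set" in d) {
      throw new Error(`refusing to run accessor for '${name}'`);
    }
    return d.value;
  }
  return undefined;
}

// Hardened handler: same privilege switch, but reads go through readDataProperty,
// so page-supplied code never executes while currentPrincipal is "chrome".
function hardenedTrustedHandler(element) {
  const saved = currentPrincipal;
  currentPrincipal = "chrome";
  try {
    const doc = readDataProperty(element, "ownerDocument");
    return readDataProperty(doc, "title");
  } finally {
    currentPrincipal = saved;
  }
}

// Simulates an untrusted page installing a getter on the shared element, then
// the browser dispatching an event to the given privileged handler. Returns
// what the handler produced and how many bookmarks were added behind its back.
function simulate(handler) {
  bookmarks.length = 0;
  const doc = { title: "page" };
  const head = makeHeadElement(doc);
  Object.defineProperty(head, "ownerDocument", {
    get() {
      // Runs with the handler on the stack; the guard sees "chrome".
      try { addBookmarkForBrowser("constructed://example"); } catch (e) {}
      return doc;
    },
    configurable: true,
  });
  let outcome;
  try { outcome = handler(head); } catch (e) { outcome = e.message; }
  return { outcome, bookmarksAdded: bookmarks.length };
}
```

With the naive handler the getter succeeds in adding a bookmark; with the hardened one the accessor is refused before any privileged work runs, which is the property a content/chrome boundary has to enforce.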
http://developer.mozilla.org/devnews/index.php/2006/10/02/update-possible-vulnerability-reported-at-toorcon/
"The main purpose of our talk was to be humorous."
Yes, they achieved it.
Or maybe he just read this.
Run it for long enough, you'll find out.
SecurityFocus is quoting Mozilla developer blogs to claim that the demo was a hoax. Don't know if the demo is a hoax or this report is a hoax. Another UK site too is claiming that it is a joke. But on the other hand thousands of newspapers and websites and blogs are claiming that Firefox is so broken it is unfixable.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
> It isn't irony, it's the 'puzzle' starting to fit together, where do you think they got the source code to find the XSS bugs for LJ? (which by the way, they never 'hacked' lj, they were stealing peoples cookies)
Errm... from the publicly accessible SVN repository? The LiveJournal code is open-source - actually, I have a copy lying around here somewhere (though it's out of date by now). And I think hijacking accounts en masse via XSS holes and flooding the official announcements with large numbers of comments using them definitely counts as hacking (though there are much more destructive things they could've done with them...).
I see (sort of :). Thanks for the explanation.
"Those who consume the bulk of goods are those who make them. We must never forget this secret of our prosperity."
you must be new here