Hackers claim zero-day flaw in Firefox
An anonymous reader writes "The open-source Firefox Web browser is critically flawed in the way it handles JavaScript, two hackers said Saturday afternoon. An attacker could commandeer a computer running the browser simply by crafting a Web page that contains some malicious JavaScript code, Mischa Spiegelmock and Andrew Wbeelsoi said in a presentation at the ToorCon hacker conference here."
In response, Mozilla Corporation has stated that since the hackers did not submit the hack for verification, they may not call it a "FireFox" hack, in compliance with their Trademark policy. Further, if anyone did take over a browser with this hack, they would have to change the icon or face vague threats.
The hackers plan to release the next version of the hack under the name IceWeasel Hack, while grumbling about backports. Debian developers have been debating whether they should include the hack in Etch or not.
Have you read my journal today?
Why do they all say this in vulnerability reports? Do hackers carve their pages out of stone or something? Do they whittle them out of sticks? It makes me fucking sick!
(sarcasm) Yes, our only hope is that Debian developers can patch the hole in time! (end sarcasm)
And if that's not obscure enough, there's always Lynx. ;)
I can turn a computer into a giant man eating robot with a few external peripherals and some malicious code in the Kernel.... Do you want some proof of that? Don't answer the door if you hear *in robot voice of course* "Humans detected... Num.... Num..... Num......"
I am not a javascript hater, it is very useful. The fact that you can transfer some of the processing to the client is a very valuable thing in my book. Considering most forms are validated at the client level I wonder how you define correctly coded web sites working 100%. I suppose however there isn't anything stopping a server from validating if the client refuses, it just means twice the coding. I just got done with a hand rolled image gallery using javascript, if you want to download every thumbnail or see just a collection of links that is fine. I recently implemented AuthCookieDBI for session based authentication. Rather than my server worrying about the headers and directing to the appropriate user section, I named the client folders after the user name. With just onblur and getElementById the client appends and passes all the information I need. I think if most users disabled javascript my work would be much harder and their experience would be less enjoyable. As far as the security issues, I think after time we will see those steadily evaporate. Right now I feel comfortable enough to risk having it on.
Because as everyone knows, Microsoft is evil, and thus they must be behind this. :)
Determined not to be upstaged by the Mozilla developers, now that Firefox has a 0 day exploit too, Microsoft's IE team has announced that they've started working on technology that will allow their browser to have -1 day exploits.
Taco was going to write "From the Firefox dept." but he wasn't interested in paying trademark licensing fees. Plus there wasn't any place to include the logo and they cannot be separated!