Slashdot Mirror
Hackers claim zero-day flaw in Firefox
An anonymous reader writes "The open-source Firefox Web browser is critically flawed in the way it handles JavaScript, two hackers said Saturday afternoon. An attacker could commandeer a computer running the browser simply by crafting a Web page that contains some malicious JavaScript code, Mischa Spiegelmock and Andrew Wbeelsoi said in a presentation at the ToorCon hacker conference here."
What about NoScript? http://www.noscript.net/whats
Noscript is your friend. Been using it for a year or so now.
Yes, whitelisting sites is a pain, but Javascript is a remnant of a more innocent time and should probably be phased out anyway.
Difference is either a) The exploit is announced by a credible soruce, or even the software vendor (Microsoft in those cases) or b) A Proof of Concept demonstration of the falw is provided.
Neither of which apply to this situation. An announcement from a crerdible source or a demonstration would clear things right up. Even if you consider whitedust.net to be a good source, the flaw was not found by them and they only reference a ZDNet article which contains slightly more information but not enough to really confirm anything. The people who found the exploit are deliberately keeping it secret and therefore will not produce a PoC.
=Smidge=
The JavaScript issue appears to be a real vulnerability, Window Snyder, Mozilla's security chief, said after watching a video of the presentation Saturday night. "What they are describing might be a variation on an old attack," she said. "We're going to do some investigating."
Snyder said she isn't happy with the disclosure and release of an exploit during the presentation. "It looks like they had enough information in their slide for an attacker to reproduce it," she said. "I think it is unfortunate because it puts users at risk, but that seems to be their goal."
have you guys heard about the supposed vuln in firefox disclosed at toorcon today?
n +Firefox/2100-1002_3-6121608.html
n +Firefox/2100-1002_3-6121608.html quotes me out of context in a way that makes it look like i'm trying to bribe them with $500 bug bounties :(
<Ryan> "Firefox re-entrant threading"?
<reed> http://www.toorcon.org/2006/conference.html?id=13
<Jesse_> yeah, that one
<reed> Jesse_: Did you go to that particular one?
<Jesse_> yes
<Jesse_> i also went up on stage to "debate" "disclosure" with them
<Jesse_> when i said "debate" "disclosure", i didn't mean the usual "how much time should security researchers give vendors to write and deploy patches before making the holes or exploits public" debate
<Jesse_> these guys were *against* disclosure
<Jesse_> preferring to keep the status quo of lots of vulnerabilities, large botnets (so they can be anonymous), etc. or maybe they were joking, it was hard to tell.
<Jesse_> they claim they can make $10,000 or $20,000 selling a vuln in firefox
<Jesse_> compared to $500 telling us about it
<Jesse_> selling to other blackhats, anonymously, using onion networks, of course
<dveditz> TippingPoint and iDEFENSE will pay up to $10K for IE and probably firefox vulns
. . .
<jX> http://news.com.com/Hackers+claim+zero-day+flaw+i
<jX> "...what we're doing is really for the greater good of the Internet, we're setting up communication networks for black hats," How exactly is that for the greater GOOD?
<dveditz> the black hats crusade for our freedom (and credit cards) against the evil fascist empire
<dveditz> they *earn* everything they steal by doing all the good they do keeping "the man" from owning the internet
. . .
<Jesse_> http://news.com.com/Hackers+claim+zero-day+flaw+i
<zach> Jesse_: they dragged you up on stage during their talk?
<jX> Jesse_: Yeah, doesn't reallyt make anyone look good, that article..
<Jesse_> "I do hope you guys change your minds and decide to report the holes to us and take away $500 per vulnerability instead of using them for botnets" is pretty close to the BEGINNING of a sentence i said
<Jesse_> the REST of the sentence was " or selling them to other blackhats for ten thousand dollars"
<Jesse_> with the whole sentence, it's clear that i'm hoping they'll change for ethical reasons, and that i'm not trying to bribe them
<jX> Jesse_: Yeah, but quoting you out of context makes for better copy.
<zach> Jesse_: did they actually drag you on stage during their talk as the article suggusts?
<Jesse_> zach: they left a lot of time after their slides, and asked me to come up
<Jesse_> zach: they told me before the talk that they might ask me to come up
<Jesse_> dveditz: yeah, about 20 minutes before
No, they didn't have a live exploit. The original article is here http://news.zdnet.com/2100-1009_22-6121608.html, not the site linked to by slashdot.
All they had was a video ... no code to display.
So, maybe they do, maybe they don't ... but you can't tell just from a video.
Also, what sort of drugs do you have to be on to name your kid "Window"? Brings to mind Frank Zappa naming his kid "Moon Unit".
It is, in just about every browser except IE (Well, okay, it seems to be there in IE7, but time will tell if it's garbage). The problem is that no code is perfect; a seemingly benign function can have, for example, a bufferr overflow that allows some JS to insert code into the browser and have it run...
How to enable garbage collection on a system without protected memory: #define malloc() ((void *) rand())
Yeah, right. What they are really saying is, why give away a bug for $500 when we can sell it for much more on the black market?
If CNET hadn't cut off my quote mid-sentence, it would have been clear that that was what (jokingly) saying too. I was not trying to bribe them. I was trying to say that I hoped they would change their minds and report the holes to Mozilla despite the fact that they (claimed they) could make much more money exploiting the holes or selling information about the vulnerabilities on the black market.
The shareholder is always right.
No. Those three bugs were holes I found before ToorCon.
The shareholder is always right.
To be clear:
Firefox had a build switch that allowed folks to build it without branding (and do whatever they wanted to it) or build it with branding (and follow Mozilla's rules to create a consistent user experience).
Debain dev's took that build switch and broke it, so that everyone wanting to modify or adjust the debian firefox packages would have to go through and hand edit out firefox if they wanted to remove branding. They then packaged this broken thing up, and still called it firefox.
Mozilla said that was bogus, and they were right. Having that build switch makes it easier for folks to make changes to the package without worrying about branding. Redhat and others do exactly this with artwork/branding packages. We are ALL better off if such easy build time switches are available.
I've been around a while, but the debian developers are way out of line here.... You can't create some crazy messed up debian distro and call it debian, you can't create a crazy redhat distro and call it redhat, why is firefox getting all this heat? The amount of fuss they are creating is bogus and dissapointing. I read through the snide commentary and it really is depressing. Even Mozilla Foundation suggests that a non-branded version of firefox would work better for them.
Which is why it's smart to run NoScript. A Firefox extention that blocks the execution of any scripts on a webpage without user concent. So, if you're tired of Javascript taking over your Firefox, get NoScript.
https://addons.mozilla.org/firefox/722/
This exploit (or one similar) was mentioned in an episode of Security Now (about 3 weeks ago, I think). A potential solution was install a plugin called noscript, which allows the user to enable javascript on a per-site basis. I've used it since I heard about it, and I believe it can play a major role in preventing the execution of any rogue javascript.
Run it using another user. Works under windows too, even with IE.
;). I've had Mozilla use 1GB of mem before.
Just most Windows/Linux users don't know that, or do that.
You need to set up permissions so that your downloads can be accessible (and deletable) from your main account, but that's not too difficult under Windows, and fiddling with some ACLs on Linux. In fact I found it harder to do the permissions thing on Linux.
The other option is to run in in a virtual machine. The other benefit is firefox/mozilla can't use more RAM than the VM limit
In the UK, interfering with any electronic system for political purposes is defined as terrorism. The same definition of terrorism is used in a more recent law that criminalises speech that glorifies terrorism.
Of course, that says more about the abuse of the word "terrorism" than it does about the morality of withholding exploits.
That's too bad about FireFox being essentially written in JavaScript. SpiderMonkey, the JavaScript interpreter in Firefox, is BY FAR the worst programming language (in terms of speed and memory use) of them all, according to the Computer Language Shoot Out.
When you compare all the languages on CPU time, SpiderMonkey JavaScript is twice as slow as the second worst, Ruby.
When you compare all the languages on memory usage, SpiderMonkey is 1.7 times as bloated as the second worst, Smalltalk Visual Works.
When you compare all the languages on CPU time AND memory usage, SpiderMonkey is 2.1 times as bad as the second worst, Smalltalk GST.
Firefox would be much better off using Lua, which is much easier to integrate with C code than SpiderMonkey's nightmare sausage factory, much faster, much smaller, and a vastly better language design. The fact is, that good language design has a huge effect on speed and memory usage -- you can't just stick your head in the sand and pretend good language design isn't important, like the PHP and JavaScript designers originally did and still do. Bad design paints your bad implementation into a bad corner, and there it stays.
Here's how Lua and SpiderMonkey JavaScript stack up against each other. Lua TOTALLY smokes JavaScript, in every category, by a long shot. It's not even funny -- it's tragic. Face it: JavaScript is not only a horribly designed language, but SpiderMonkey is also a horrible implementation of that horribly designed language. So it's not surprise that SpiderMonkey has always had gaping security holes, to complement its horribly slow speed and extremely huge size.
-Don
Take a look and feel free: http://www.PieMenu.com
A simple fix would be to use the NoScript extension and just allow javascript on the few trusted sites you visit that require javascript. You can also block java, flash and other plugins with NoScript.
A buffer overflow exploit can allow attackers to gain the same privileges as the user who is running the browser. A regular user account is sufficient to participate in a botnet (including DDoS attacks), become a spam zombie, or become some script kiddie's "warez" fileshare. Consider also that most of your data would be stored in your user's home directory, and you now have a potential identity theft (depending on your habits and whether you use strong encryption). This is not as bad as, say, an Internet Explorer exploit that gives complete "Administrator" access to to the entire machine and all accounts on it, but (as you mentioned) it could be followed up by privilege escalation attacks which could then lead to root access.
To dismiss regular user accounts as unworthy of protection is a big mistake. When discussing remote exploits (as opposed to local security), the user system is more like a form of damage control.
It is a miracle that curiosity survives formal education. - Einstein
You are an amazingly dishonest person. You stated, in no uncertain terms, that a browser flaw was only an issue in Windows, not Linux. "No problem here. Hijack my browser all you want, you're sandboxed." You now admit that is bogus, but you try to weasle your way out by falsely accusing me of taking the argument out of context. There is a problem when running a hijacked browser on Linux, as several people have clearly demonstrated to you. You know, you could just admit it when you're wrong and move along, instead of acting like a child.
Here is a quote from an email from Mozilla that captures this nicely:
A couple things are important here. First, does that look like things were agreed to on a license grant? I read this as debian deciding to ignore the policy. Second, does debian have the right to sublicense their supposed grant to avoid the artwork and change the packages to other groups who want to use firefox? I doubt it, even under the debian interpretation of a grant. So you've broken the DFSG with the community who would use debian, and is going to be stuck tearing out references to firefox by hand now if they want to create works based on debian.
The choices here seem pretty clear. Fight a legal fight (that despite your "fact" you are likely to loose becuase you expressely state you are going to ignore the policy), or make a small and simple change that will avoid the whole issue together.
This is a losing debate I think for debian, because regardless of what legal technicalities you try and hang your hat on, you are going to find little support for your actions, because almost EVERY open source project actively discourages your type of activity, which is striping visual identity, changing packages, but keeping a trademarked name. I suspect debian would take the SAME position with others creating versions of debian and calling them debian.
Why then fight so hard to do something that you would make a stink about elsewhere, even if you think you can get away with it, especially given how very weak the case is to someone who has actually read the entire bug and entire email thread.
It seems time could be better spent on other things.