Slashdot Mirror

← Back to Stories (view on slashdot.org)

Hackers claim zero-day flaw in Firefox

Posted by ryuzaki0 on

An anonymous reader writes "The open-source Firefox Web browser is critically flawed in the way it handles JavaScript, two hackers said Saturday afternoon. An attacker could commandeer a computer running the browser simply by crafting a Web page that contains some malicious JavaScript code, Mischa Spiegelmock and Andrew Wbeelsoi said in a presentation at the ToorCon hacker conference here."

11 of 398 comments (clear)

  1. Slightly offtopic... by I(rispee_I(reme · · Score: 3, Interesting

    but why doesn't this story have a "from the ____ department" subheader?

    1. Re:Slightly offtopic... by Anonymous Coward · · Score: 1, Interesting

      And Why Isn't The Title Capitalized?

    2. Re:Slightly offtopic... by RockClimbingFool · · Score: 2, Interesting
      Why is it so hard to understand that virus makers do not want to hose the OS? They want their virus package to mutiply to other computers, run spyware, steal data, phish out information, etc.

      "Man, that virus didn't break my OS, so I am the roxor!!!" But it stole your identity, charged up your credit cards and ruined your credit rating, all in user space.

  2. Recent fixes by grondu · · Score: 4, Interesting

    For the October 1 branch nightly release, these fixes were included:

    #353249 [Core:JavaScript Engine]-(undisclosed security fix) [All]
    #354924 [Core:JavaScript Engine]-(undisclosed security fix) [All]
    #354945 [Core:JavaScript Engine]-(undisclosed security fix) [All]

    I wonder if these are related to the alleged flaws?

    --

    I'm the urban spaceman babe, but here comes the twist... I don't exist

  3. Branches? by The+MAZZTer · · Score: 2, Interesting

    I assume this affects the 1.5.x branch, but what about the 2.x branch or the 3.x branch?

  4. Re:Impossible to patch? by betterunixthanunix · · Score: 4, Interesting

    Which is a perfect solution, in my opinion. QEMU took about 10 minutes to set up, and my Win2K disk image worked fine -- and I can get a copy of it in less than a second. Yes, it takes slightly more CPU time, but that is reasonable. The fact of the matter is that no major software can be 100% secure, but virtual machines provide a way out...unless the VM itself is compromised, but that is far easier to address...

    --
    Palm trees and 8
  5. One of these guys works for SixApart by Anonymous Coward · · Score: 5, Interesting

    Wonder how the management at SixApart feels about a having a black hat work for them who brazenly scoffs at the notion of responsible full-disclosure and releases a 0-day exploit to the public. Sort of answers the question in an earlier Slashdot post about whether companies should hire blackhats to work for them. In this case, the answer is a resounding NO. SixApart should fire this guy's ass immediately.

  6. Re:Good policies will often save you. by Anonymous Coward · · Score: 2, Interesting
    Essentially, Firefox is written in javascript.
    Which also has a nasty side-effect of having internal functions and properties bleed out to web pages. That, in turn, sometimes leads to "the IE way" and "the Gecko way" codepaths, shunning other browsers.

    One of Opera's employees has an interesting blog in which he explains what he has to do in Opera browser.js patches. There's also a Firefox category, where he occasionally rants about things such as object.prototype.eval, event.originalTarget, etc.

    Even if you're not interested in Opera, check the blog out, there's some really interesting WTF material there in all categories.
  7. Re:Impossible to patch? by FLEB · · Score: 2, Interesting

    All you'd really need are three VM disk images-- one for the "insecure", one for the "secure", and one "fresh" copy. Use the "insecure" one for regular browsing. Use the "insecure" one for banking, etc., and copy over the file with the "fresh" one after every session.

    --
    Information wants to be free.
    Entertainment wants to be paid.
    You just want to be cheap.
  8. RMS are your listening? by Anonymous Coward · · Score: 1, Interesting
    IBM, Oracle and MS, among numerous other companies, already have EULAs which prohibit certain actions on the part of "users" of their system. Such as publishing unauthorized benchmarks. It's a small tweak to outlaw sales of exploits. Or if not outlawing them, define some things you can and cannot do with them (like disclose or advertise them for sales without full disclosure to the vendor) Full disclosure is great, give them credit but if they chose to disclose it in a different way, then sue the fuckers.


    OSS needs this in licenses. Forget the DRM stuff GPLv3 is trying to deal with, let's try to deal with a real problem that we can solve. This is a minor act of terrorism like behavior, they go out, announce they have a bunch of exploits that they aren't going to publish and basically say they would rather get them to other black hats rather than mozilla to fix them. That should be criminal and if it's not and since I don't trust the government to do it right, Mozilla should have recourse to sue these guys for damages and to figure out fixes to the problem.


    Look at the apple wireless thing, same exact problem. We'll never know if there was a real exploit, it will never be released or actually demoed. Any time apple fixes anything in the wireless area (and they'll continue to fix stuff for years) a group of people will simply parrot that the whole thing was real, another group will do the same and echo the fraud charges. The fact remains that it is the least responsible disclosure, it is an attempt to generate fear that cannot be fixed and generate some fame and defame another company all at once.


    RMS mandate full disclosure in the next GPL.

  9. a lot of ignorant nonsense by sentientbrendan · · Score: 2, Interesting

    Javascript is not inherently insecure any more than java is, or flash is.

    If the operations that javascript can perform are properly restricted (which they pretty much already are) and the implementation is properly sandboxed (which apparently it isn't right now on firefox) then you can ran an arbitrary javascript program without consequences.

    Javascript is important to many companies business models, and if you haven't noticed already, the web has moved to using *more* javascript lately not less. People use javascript to deploy fairly thick clients, to assyncronously update a page without postbacks. Some web toolkits don't even render most html on the server, but send data to the client, and let the client handle display.

    The bottom line is that businesses now widely use the web to distribute *applications* in a way that they used thin clients to distribute applications in the past. For them, the web is the new x forwarding. Using browsers sans javascript is not an option for them, so it is not going to happen.

    What really needs to happen is better sandboxing. Also, sandboxing has to go further than it has in the past. One problem that javascript has is that it can use up a lot of processor time, and effectively bring the system to a halt, or at least cause usability problems in other applications. Browsers needs to regulate cpu and memory resources that javascript can use better to insure that this doesn't happen.