Slashdot Mirror
Hackers claim zero-day flaw in Firefox
An anonymous reader writes "The open-source Firefox Web browser is critically flawed in the way it handles JavaScript, two hackers said Saturday afternoon. An attacker could commandeer a computer running the browser simply by crafting a Web page that contains some malicious JavaScript code, Mischa Spiegelmock and Andrew Wbeelsoi said in a presentation at the ToorCon hacker conference here."
Do they have proof? Did they do a demonstration?
In response, Mozilla Corporation has stated that since the hackers did not submit the hack for verification, and they may not call it a "FireFox" hack, in compliance with their Trademark policy. Further, if anyone did take over a browser with this hack, they would have to change the icon or face vague threats.
The hackers plan to release the next version of the hack under the name IceWeasel Hack, while grumbling about backports. Debian developers have been debating whether they should include the hack in Etch or not.
Have you read my journal today?
If you had to pick between having a last name of "Spiegelmock" or "Wbeelsoi", which one would you go with? I'd have to pick Wbeelsoi, because it would be funny to watch most native English speakers trip over that "W+b" letter combination.
Isn't that a kid's cereal? We all know what Speigelmock is, though. Just a mag that makes fun of a German newspaper.
Where were you when the voynix came?
(sarcasm) Yes, our only hope is that Debian developers can patch the hole in time! (end sarcasm)
but why doesn't this story have a "from the ____ department" subheader?
What about NoScript? http://www.noscript.net/whats
For the October 1 branch nightly release, these fixes were included:
#353249 [Core:JavaScript Engine]-(undisclosed security fix) [All]
#354924 [Core:JavaScript Engine]-(undisclosed security fix) [All]
#354945 [Core:JavaScript Engine]-(undisclosed security fix) [All]
I wonder if these are related to the alleged flaws?
I'm the urban spaceman babe, but here comes the twist... I don't exist
Noscript is your friend. Been using it for a year or so now.
Yes, whitelisting sites is a pain, but Javascript is a remnant of a more innocent time and should probably be phased out anyway.
I assume this affects the 1.5.x branch, but what about the 2.x branch or the 3.x branch?
Today the hackers have to work a bit harder so zero-day attacks are no longer rare. The vast majority of attacks are still from hackers who are reverse engineering the patches and distributing attacks before the patches are implemented.
If someone reports a new attack against open source code it is by definition unknown before it is reported. Therefore all bug reports with security implications are 'zero-day'.
What the idiots who released this exploit mean by 'zero day' was that they didn't allow time for the problem to be fixed before releasing the exploit.
Looking for an Information Security student project suggestion?
Try http://dotcrimeManifesto.com/
Doh. You were both faster than me.
(sarcasm) Let's hope that the PoC passes DFSG so that debian can start working on a fix ASAP(/sarcasm)
It takes a man to suffer ignorance and smile
Be yourself no matter what they say
The link in the article is a click-through to the REAL article at http://news.zdnet.com/2100-1009_22-6121608.html
And if that's not obscure enough, there's always Lynx. ;)
That is a public slap in the face.
Why couldn't Javascript play nicely in a sandbox?
[Fuck Beta]
o0t!
From the Article
The hackers claim they know of about 30 unpatched Firefox flaws. They don't plan to disclose them, instead holding on to the bugs.
Jesse Ruderman, a Mozilla security staffer, attended the presentation and was called up on the stage with the two hackers. He attempted to persuade the presenters to responsibly disclose flaws via Mozilla's bug bounty program instead of using them for malicious purposes such as creating networks of hijacked PCs, called botnets.
"I do hope you guys change your minds and decide to report the holes to us and take away $500 per vulnerability instead of using them for botnets," Ruderman said.
The two hackers laughed off the comment. "It is a double-edged sword, but what we're doing is really for the greater good of the Internet, we're setting up communication networks for black hats," Wbeelsoi said.
First of all, guys, so you refuse to tell us what the bugs are, so we can't fix them and do this for the "greater good of the internet... setting up communication networks for black hats" WTF? What does having tens of thousands of additional zombie-machines that could DDoS or send SPAM do with the greater good of the internet. I almost hope you try to make money off the bugs (if you even know any more) so you get to know a nice prison cell and "Life without PC"(TM). Honestly, I think those guys are full of it, they probably don't know even one additional vulnerability and just try to show off how "big and powerful" they are.
+++ MELON MELON MELON +++ Out of Cheese Error +++ redo from start +++
Difference is either a) The exploit is announced by a credible soruce, or even the software vendor (Microsoft in those cases) or b) A Proof of Concept demonstration of the falw is provided.
Neither of which apply to this situation. An announcement from a crerdible source or a demonstration would clear things right up. Even if you consider whitedust.net to be a good source, the flaw was not found by them and they only reference a ZDNet article which contains slightly more information but not enough to really confirm anything. The people who found the exploit are deliberately keeping it secret and therefore will not produce a PoC.
=Smidge=
"Firefox has become IE"
... which has had security flaws too.
Not even close.
"I guess it's time to start using Opera, instead."
If you're looking for a browser that never has any special security flaws to talk of that's still usable for modern web sites, you're up for a hell of a search.
Beware: In C++, your friends can see your privates!
The JavaScript issue appears to be a real vulnerability, Window Snyder, Mozilla's security chief, said after watching a video of the presentation Saturday night. "What they are describing might be a variation on an old attack," she said. "We're going to do some investigating."
Snyder said she isn't happy with the disclosure and release of an exploit during the presentation. "It looks like they had enough information in their slide for an attacker to reproduce it," she said. "I think it is unfortunate because it puts users at risk, but that seems to be their goal."
I can turn a computer into a giant man eating robot with a few external peripherals and some malicious code in the Kernel.... Do you want some proof of that? Don't answer the door if you hear *in robot voice of course* "Humans detected... Num.... Num..... Num......"
Wow... that's the first time I've seen a comment duped in the same article!
>I wouldn't be at all surprised to find that they managed to get some funding (either direct or indirect) from Microsoftl[sic].
complete bullshit and FUD.
you know nothing about these ppl, they are blackhats, they ruin things for no other reason than to piss ppl off and have a laugh at their expense.
my password really is 'stinkypants'
I'm curious, is there a policy for FireFox within SELinux and would it restrict what a hacker could do with this expoit if it were available?
have you guys heard about the supposed vuln in firefox disclosed at toorcon today?
n +Firefox/2100-1002_3-6121608.html
n +Firefox/2100-1002_3-6121608.html quotes me out of context in a way that makes it look like i'm trying to bribe them with $500 bug bounties :(
<Ryan> "Firefox re-entrant threading"?
<reed> http://www.toorcon.org/2006/conference.html?id=13
<Jesse_> yeah, that one
<reed> Jesse_: Did you go to that particular one?
<Jesse_> yes
<Jesse_> i also went up on stage to "debate" "disclosure" with them
<Jesse_> when i said "debate" "disclosure", i didn't mean the usual "how much time should security researchers give vendors to write and deploy patches before making the holes or exploits public" debate
<Jesse_> these guys were *against* disclosure
<Jesse_> preferring to keep the status quo of lots of vulnerabilities, large botnets (so they can be anonymous), etc. or maybe they were joking, it was hard to tell.
<Jesse_> they claim they can make $10,000 or $20,000 selling a vuln in firefox
<Jesse_> compared to $500 telling us about it
<Jesse_> selling to other blackhats, anonymously, using onion networks, of course
<dveditz> TippingPoint and iDEFENSE will pay up to $10K for IE and probably firefox vulns
. . .
<jX> http://news.com.com/Hackers+claim+zero-day+flaw+i
<jX> "...what we're doing is really for the greater good of the Internet, we're setting up communication networks for black hats," How exactly is that for the greater GOOD?
<dveditz> the black hats crusade for our freedom (and credit cards) against the evil fascist empire
<dveditz> they *earn* everything they steal by doing all the good they do keeping "the man" from owning the internet
. . .
<Jesse_> http://news.com.com/Hackers+claim+zero-day+flaw+i
<zach> Jesse_: they dragged you up on stage during their talk?
<jX> Jesse_: Yeah, doesn't reallyt make anyone look good, that article..
<Jesse_> "I do hope you guys change your minds and decide to report the holes to us and take away $500 per vulnerability instead of using them for botnets" is pretty close to the BEGINNING of a sentence i said
<Jesse_> the REST of the sentence was " or selling them to other blackhats for ten thousand dollars"
<Jesse_> with the whole sentence, it's clear that i'm hoping they'll change for ethical reasons, and that i'm not trying to bribe them
<jX> Jesse_: Yeah, but quoting you out of context makes for better copy.
<zach> Jesse_: did they actually drag you on stage during their talk as the article suggusts?
<Jesse_> zach: they left a lot of time after their slides, and asked me to come up
<Jesse_> zach: they told me before the talk that they might ask me to come up
<Jesse_> dveditz: yeah, about 20 minutes before
Why must most web pages HAVE to have javascript to convey textual information? I already have a browser, why do I need another mysterious program running to help me read?
you must be new here
my password really is 'stinkypants'
Starting now.
A fool throws a stone into a well and a thousand sages can not remove it.
I found a bug (feature?) last night which allows limited fingerprinting and surfing analysis in Firefox by looking at the way it grabs .ico files.
Details here.
Think of the Children; Sleep with your Sister
Well, Firebird, boy wonder, it may very well be ...
.. paranoid crackpot leftover from the days of Amiga.
The environment of a browser should be like a virtual machine. The Javascript or JavaApp running in it should be isolated from the rest of the system so that such exploits aren't possible. Mechanisms in the browser could be built in to allow you to still attach files to email in web based email sites whcih use Javascript while maintaining security.
Michael "TheZorch" Haney
thezorch@gmail.com
http://thezorch.googlepages.com/home
Nobody really bothers yet. Hackers find vulnerabilities but aside from 2 demo sites or a bash page there are not really much intention on exploiting the flaws, 10% is still too small compared to 90% so if a group wants to abuse exploits they rather go for the most used browser. Besides of the few possible targets Mozilla and Opera are also much faster releasing updates than MS so they wouldn't be able to exploit too much.
Copyright infringement is "piracy" in the same way DRM is "consumer rape"
You couldn't "commander" my computer unless I gave my web browser administrator privileges, and why would anyone do such a foolish thing? Heh.
Has the irony of Mozilla's security chief being called Window escaped everyone? And on an off-topic note what a ridiculous name. Some parents must want their kids to get bullied.
I turned my computer off, fixing 100% of all security problems. Made it even more useless than yours.
The revolution will not be televised... but it will have a page on Wikipedia
You say, Running remote scripts sans security model is a quaint idea. What do you mean by a "security model"?
I googled for "javascript security model" and the very first link is pretty good article that seems to describe the JavaScript security model. It doesn't have many good things to say about it, but there clearly is a JavaScript security model.
So I think you overstate the case, but I don't really know what you mean.
No, I commented on it too. Here's some food for thought:
http://www.matasano.com/log/window-snyder
http://www.blogger.com/profile/13043301
Someone with a hotmail address (windowsnyder@hotmail.com) as a security expert on XP? No wonder Windows is broken. My own tests show that more than 1% of all hotmail addresses are down temporarily on any particular day.
I am not a javascript hater, it is very useful. The fact that you can transfer some of the processing to the client is a very valuable thing in my book. Considering most forms are validated at the client level I wonder how you define correctly coded web sites working 100%. I suppose however there isn't anything stopping a server from validating if the client refuses, it just means twice the coding. I just got done with a hand rolled image gallery using javascript, if you want to download every thumbnail or see just a collection of links that is fine. I recently implemented AuthCookieDBI for session based authentication. Rather than my server worrying about the headers and directing to the appropriate user section, I named the client folders after the user name. With just onblur and getElementById the client appends and passes all the information I need. I think if most users disabled javascript my work would be much harder and their experience would be less enjoyable. As far as the security issues, I think after time we will see those steadily evaporate. Right now I feel comfortable enough to risk having it on.
Yeah, right. What they are really saying is, why give away a bug for $500 when we can sell it for much more on the black market?
In fact, the public advertisement of a "zero day exploit" makes a lot of sense if you want to establish yourself as a seller of other undisclosed exploits. Publishing the exploit is a gambit. You will loose the exploit as soon as it gets fixed, but you get your name in the trade press, on Slashdot, etc. Doing so, you establish credibility as a merchant of malware. You can set up shop, and advertise 30 other previously undisclosed bugs. Now, the botnet herders, spammers and other DDOS extortionists know were to buy a new exploit if they need one.
Try hacking *my* browser...
$ telnet www.google.com 80
Host: www.google.com HTTP/1.1
Get /
"and retains full functionality"
/me/ extra speed/functionality/ease of use), the idea of turning off javascript is about as ludicrous as turning off the computer. It would mean that I too would have to spend ages doing things that could otherwise be done much quicker. Instead I prefer just not going to dodgy sites that will try and hack my PC.
Fixing it does, yes. Turning it off doesn't, no.
As somebody who uses javascript loads (both in development, to offer extra speed/functionality/ease of use to my clients, and with websites I frequent that use it to offer
The revolution will not be televised... but it will have a page on Wikipedia
First, let me Second the previous comments about NoScript. I've also been using it for about a year, and find whitelisting to be only a minor inconvenience. I'm saddened by some of the JS Crud that otherwise legitimate sites try to foist on you, such as "Google Analytics", or the Tacoda ad-targeting that Slashdot uses here (which I blacklist).
(this is not a
You know, there are folks out there who would call what these hackers are doing an act of terrorism.
They are deliberately creating a network for criminals to use for communication purposes, and doping so by stealing computing power from others.
It's theft, it's immoral and these jackasses should, at the very least be locked up on conspiracy charges.
The egotistical little bastards do NOT have the right to commandeer my computer for some kind of secret club for pimply faced assholes to trade exploits and horse porn.
"Live Free or Die." Don't like it? Then keep out of the USA
The only thing they're doing by holding onto the security bugs is making the internet a more dangerous place. Yes, Firefox should have been written better in the first place. Yes, the security team should have found these already. No, none of that justifies the childish actions they're taking now.
Or perhaps they're just talking smack, trying to look like big bad grayhats because they found a single flaw. I'd like to think that.
Laws do not persuade just because they threaten. --Seneca
use the noscript plugin...
https://addons.mozilla.org/firefox/722/ make a whitelist containing your REALLY trusted sites
never worry about this again...
The MAFIAA is a bunch of mindless jerks who will be the first up against the wall when the revolution comes
Not just Window, Window S.!
Debian security has been quite fast to release fixes in my experience. That's one of the great things about Debian stable: you get a stable, secure system with security updates for quite a while after its release.
'Yes, firefox is indeed greater than women. Can women block pops up for you? No. Can Firefox show you naked women? Yes.'
I'm sure there are also plenty of criminals who would LOVE to get their hands on "over 30" unpatched vulnerabilities in a piece of software whose users are largely technologically inclined, smug about feeling more secure and likely to control some rather beefy servers.
These morons could just as easily be disappeared by a criminal element. As a matter of fact, criminals are probably more likely to actually kidnap and torture these guys.
US forces use some rather nasty torture techniques, but to the best of my knowledge, the CIA doesn't put extremities into deli slicers and run them until the subject talks.
"Live Free or Die." Don't like it? Then keep out of the USA
She used to work for Microsoft y'know... ;p
'Yes, firefox is indeed greater than women. Can women block pops up for you? No. Can Firefox show you naked women? Yes.'
You know, there are folks out there who would call what these hackers are doing an act of terrorism.
And now, with the elimination of habeas corpus, they should probably stay out of the U.S.
Wonder how the management at SixApart feels about a having a black hat work for them who brazenly scoffs at the notion of responsible full-disclosure and releases a 0-day exploit to the public. Sort of answers the question in an earlier Slashdot post about whether companies should hire blackhats to work for them. In this case, the answer is a resounding NO. SixApart should fire this guy's ass immediately.
>What does that even mean?
n g-an-industry-which-just-hurts-humanity/
This may offer some elucidation:
http://antisec.wordpress.com/2006/01/05/stop-aidi
my password really is 'stinkypants'
(sarcasm) Yes, our only hope is that Debian developers can patch the hole in time! (end sarcasm)
Debian releases security patches at least as fast as any other major distro. They're slow with *feature* patches. e.g., they're still using mysql 4.1.11 on sarge, which is about 18 months old.
However, it's a special version that includes all the *security* patches from the last 18 months.
Debian would be absolutely worthless if it wasn't for their frequent and rapid patching system. As it is, they release several security updates for the stable distro *every day*. If and when this hole is patched, there'll be an update to the Sarge version of IceWeasel within 24 hours.
unfortunately i don't think enough moderators will understand that to get you up to 5-funny
Snowden and Manning are heroes.
No, this is the real article, three blogs down.
Lovin the LOLs, LOL is my will
MAYBE NONE OF, PROBABLY ALL OF, AND DEFINITELY MORE THAN:
New ways of getting your load onto your quivering victim's stack
Reaching into the hearts and minds (also the genitals) of users.
Firefox re-entrant threading lols
Patching BIOS for kernel-patching rootkit memory injections
Aggresive AIM attacks and escapades
Internet hilarity, sexual innuendo, LOLDONGS
Beware: In C++, your friends can see your privates!
My product development company has used javascript for various things, like little boxes that are on your LAN that have too little smarts to really do it all, so push some work to the client. In this case, there's no possibility of a hack or exploit (memory not writable), and why would anyone want to break their own medical gear, for example? BUT -- client based validation is utterly stupid from any security standpoint. That's harsh, but still very true. Please post us some url's where you do this for ecommmerce so we can all order negative numbers of things and get our cards credited. It's so easy to capture source, edit, rerun and post back to a site that depends on this it is far from funny and is the subject of some older books on security (older because just about everyone knows this by now and it's not a relevant topic anymore). D'oh!
I realize this was a joke, but there have been remote exploits for terminal programs in the past.
Google on "ansi bomb" for some classic examples.
To be clear:
Firefox had a build switch that allowed folks to build it without branding (and do whatever they wanted to it) or build it with branding (and follow Mozilla's rules to create a consistent user experience).
Debain dev's took that build switch and broke it, so that everyone wanting to modify or adjust the debian firefox packages would have to go through and hand edit out firefox if they wanted to remove branding. They then packaged this broken thing up, and still called it firefox.
Mozilla said that was bogus, and they were right. Having that build switch makes it easier for folks to make changes to the package without worrying about branding. Redhat and others do exactly this with artwork/branding packages. We are ALL better off if such easy build time switches are available.
I've been around a while, but the debian developers are way out of line here.... You can't create some crazy messed up debian distro and call it debian, you can't create a crazy redhat distro and call it redhat, why is firefox getting all this heat? The amount of fuss they are creating is bogus and dissapointing. I read through the snide commentary and it really is depressing. Even Mozilla Foundation suggests that a non-branded version of firefox would work better for them.
random@workstatiuntoo:~$ telnet www.google.com 80
Trying 72.14.203.104...
Connected to www.l.google.com.
Escape character is '^]'.
Get /
Connection closed by foreign host.
:x
Dude? Are you beeing paid to post this stuff? You already posted this on this article.
"Thanks for all the money you paid to us. We've used it to buy off ISO among other things" -Microsoft
Please don't compare these black hats to people who flew planes into buildings. The Bush administration already doesn't need an excuse to throw people in jail without trial indefinitely. Putting these people in jail on the "terrorism" pretext only gives W that much more perceived credibility.
Never underestimate the power of stupid people in large groups.
Which is why it's smart to run NoScript. A Firefox extention that blocks the execution of any scripts on a webpage without user concent. So, if you're tired of Javascript taking over your Firefox, get NoScript.
https://addons.mozilla.org/firefox/722/
Breaking into people's personal computers is every bit as romantic as shooting someone in the face. The fact of the matter is that an arbitrary execution flaw will not be used to free up the flow of information, except for the flow of information about p3n1s p1lls onto every fresh patch of the `net, always provided to us graciously by zombie machines.
You want to wake up? Here's some up-waking for you: Hacking isn't about allowing "free speech" on the internet (which already exists), it's about getting big money from underground Mafias. These people aren't disclosing the flaws to Mozilla's bug bounty program simply because they think they can make more than $500 via spyware and virii.
My new blog
Anybody know how to run firefox as an untrusted X client? I tried, but I just get this:
http://outcampaign.org/
Lynx has an exploit of it's own: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2004-1617
Why UNIX?
Links. It can do it all.
Ironically, that appears to be by Bantown, the group who hacked LiveJournal (which I think is where Mischa Spiegelmock works).
..until we boycott and shun enough javascript and active x and any other 'active', "we will slam unknown code on you from the web until you submit totally" site out there.
There is no fix for this. NONE
You either accept executables on web pages and assume the bulk of the websites out there will all use them (and it is getting that way now), or you don't.
We either will have a secure web, or an active web, you cannot have both.
Automated code generating tools will eventually force *multiple 0 day hacks on browsers*, possibly into the hundreds or thousands. You literally won't be able to keep up with the multitude of "emergency patches" required, and it is from a couple things primarily-buffer overflows and active scripting no matter the name of the script.
You cannot make javascript secure because of this "feature", it is *designed* to be an executable. Same with all the other looping zooming call this and bring down that AJAX candy and whatnot shyte.. And you won't get them to stop coding it until they are LIABLE FOR DAMAGES and are forced to offer consumer warranties on released code that is designed to surf the open internet, and I don't care which operating system or license you might care about either, code needs a warranty with it to make it suitable for purposes, just like every other CORPORATION has to offer with their PRODUCT. Once they are liable, they will stop coding crap using junk like javascript. MS is a coprporation that wants to make money, mozilla, the same now, opera, the same, apple, the same. That's where the bulk of the browsers used on the web come from, 99% or better. For-profit corporation, they need to be forced to offer a warranty, simple as that. Once that happens, the pressure will then switch bigtime from those companies literally saying they will not recommend their users go to pages that aren't blessed by no bad code, it will force the web designers to stop using crap that makes people vulnerable and that you are forced to use if you want to surf normally.
Sayng you can "turn off javascript" or use some patch hack is not a solution, that is just pure crap now and everyone knows it, and it never will be. There are too many sites now that require it, and the sites themselves are vulnerable to getting pwned because they use insecure active scripting directly on their web pages. See how this will never be fixable as it stands now?
There needs to be a complete revolution about this, a complete admission that the web has gone offcourse into mega-stupid-land in favor of blinking crap and eyecandy.
And before the first idiot troll reactionary numbnut claims that JS can be made secure-show us that code! Show us that exact magic code you have written in your uberleetness that will make all JS be secure, something every webmaster can go slap on right now and get rid of JS insecurity! Go ahead, you'll be rich!
The problems are we can't mod moderations "retarded"; and moderation is secret. These have always been serious slashdot problems. Metamoderation is out of context (and extremely inconvenient to put into context... you know more about the thread when you're reading it than you do when you're metamoderating.)
Slashdot improvement ideas (other than cosmetic) here.
I've fallen off your lawn, and I can't get up.
irony indeed.
my password really is 'stinkypants'
It should also be pointed out the Windows can run a browser from a sandbox, too. Just like Linux, privilege escalation exploits aren't uncommon. And just like Linux, a compromised browser is a major problem.
You keep using the word "broken". I do not think it means what you think it means.
The revolution will not be televised... but it will have a page on Wikipedia
i did not write that document.
it's views are not mine.
see those things in the subject? they're called 'quotation marks'.
i was responding to the OP saying he could not understand Wbeelsoi's comment about 'helping the Internet' by using browser 0days to allow communication between blackhats. the document i linked to, which you were apparently able to read, explains what may have been meant by this.
my password really is 'stinkypants'
Determined not to be upstaged by the Mozilla developers, now that Firefox has a 0 day exploit too, Microsoft's IE team has announced that they've started working on technology that will allow their browser to have -1 day exploits.
There'll always be Idiots and Jerks, these two are the unfortunately not so rare combination of both. All in all, nothing to see here, go home.
Oh and since everyones recomended NoScript, I'd also recomend firewall tools like Sunbelt Keiro Personal Firewall (KPF), which can be configured to pop up a box every time your system attempts to run a program, very handy to stop any spyware/addware/anywhere you don't want loading on your system.
This exploit (or one similar) was mentioned in an episode of Security Now (about 3 weeks ago, I think). A potential solution was install a plugin called noscript, which allows the user to enable javascript on a per-site basis. I've used it since I heard about it, and I believe it can play a major role in preventing the execution of any rogue javascript.
One point is being missed here: how did they find these 0days? It's easy - they just study the source code and find flaws.
This is the other side of the "many eyes make bugs shallow" coin: many eyes make exploits shallow too. If your bad guys are more motivated than your good guys to find exploitable bugs (and why not, if they're worth $10K each!), open source can be inherently less secure than closed source.
It's just good that Firefox has only 10% of the market. If it ever goes over 50% we're in for a security nightmare.
I'd like to think that he was gnashing his teeth at the folks who wrote that original quote.
Or maybe he was being stupid. But I read it as a reply to the sanctimonious pricks who make a living enabling the Russian Mafia' spamming activities.
Laws do not persuade just because they threaten. --Seneca
Maybe you want to as well? This is absolutely retarded behavior.
= 16265621 )
From: [me]
Subject: Responsible disclosure and wreckless behavior
Date: 1 October 2006 14.23.23 GMT-04:00
To: mena@sixapart.com, ben@sixapart.com, brad@danga.com
Cc: mischa@sixapart.com
Hello,
I read this article on ZDNet describing how your employee Mischa Spiegelmock found and revealed a zero-day Firefox flaw:
http://news.zdnet.com/2100-1009_22-6121608.html
Mischa and his co-researcher Wbeelsoi refuse to reveal specific details on the flaw--or 30 others they found--to the Mozilla Foundation:
"The two hackers laughed off the comment. 'It is a double-edged sword, but what we're doing is really for the greater good of the Internet, we're setting up communication networks for black hats, Wbeelsoi said."
Considering LiveJournal's recent security flaws causing everyone to change their passwords due to browser-based flaws, do you really want someone working for you who makes the problem worse? To be sure, there is merit to the argument that revealing the flaws would allow Mozilla to continue to use a badly buggy implementation; however, there seems to be more to this.
From FireFox's IRC channel, some dialogue from Jesse Ruderman of the Mozilla foundation, who attended (via Slashdot: http://it.slashdot.org/comments.pl?sid=198519&cid
" they claim they can make $10,000 or $20,000 selling a vuln in firefox
compared to $500 telling us about it
selling to other blackhats, anonymously, using onion networks, of course"
Is one of your employees looking to profit of vulnerabilities in Firefox? With the large number of huge enterprises using TypePad and SixApart software, do you really want to risk him embedding JavaScript code to activate this flaw in your products? If he's saving these flaws to profit from them, what's to say he won't look for the bigger payouts of actively punching holes in your products?
That's unlikely--but more likely is that your customers will hear about this and refuse to do business with you because you have an employee who is actively seeking to make the Internet a more dangerous place.
If I misunderstood anything in these articles, I apologize completely. However, what was described in the article was so outrageous that I had to write.
Best regards,
[me]
Curiously, 100% of correctly coded web sites still work perfectly
Where "correctly coded" is defined as "works perfectly when I've turned off Javascript", right? God, what a useless statement to make.
... but a compromised virtual machine can still operate a bot and spam the heck out of anybody it pleases, as well as capture any passwords you may type in and mail them back complete with appropriate URLs for your bank site, for as long as you keep the VM session running. Either of these strikes me as a good enough reason to not trust my security wholly to the VM, unless the VM has an *extremely* fine-grained permissions model. And I wouldn't want to have to be the guy who wrote that permissions model.
Help poke pirates in the eyepatch, arr.
I hear SCO has a nice distro. Maybe you should switch.
Having to work for a living is the root of all evil.
There will always be exploits. Some jerk can always dig through code or disassembly and find a way. This means that our computing environments are inevitably disposable once they become popular (aka targets). One could accept this and use a technology that works for this model. If for example you made a Norton Ghost image of your computer once it was set up properly and then restored from this whenever things went awry, you'd only have to avoid browsing the sketchier parts of the web until you got your security updates. Some people are working on making this much simpler. If you were to browse inside a virtual machine that rolls back to a safe state each boot, then you would automagically throw away any exploits than dug their way into your system.
Oh yeah, "self-referential irony". That's the ticket. Definitely not technophobic snobbishness or anything.
This is why I use NoScript. I decide whether or not I trust a site enough to run JavaScript or not. The only downside to this FF addon is that you really have to remember it is installed, or sometimes Flash sites or interactive menus just don't show up and you have no idea why... just remember to allow that site. ;p
This is one of the funniest things I've read on /. in 1d20+6 months. I wish I had mod points to give you, but instead I'll trash my own karma with this comment.
Thanks for making me laugh.
In the UK, interfering with any electronic system for political purposes is defined as terrorism. The same definition of terrorism is used in a more recent law that criminalises speech that glorifies terrorism.
Of course, that says more about the abuse of the word "terrorism" than it does about the morality of withholding exploits.
What about ELinks? It supports an amazing 256 colors and tabbed browsing?
"Yes, sadly, it's almost time to abandon slashdot... :-("
Almost? Hell, it's long since past time. Not much left here but crappy "editing", Slashvertisements, Roland Piquepaille, and the rising flux of poorly-crafted (and thus lacking even entertainment value) A/C troll posts. "News for Nerds, Stuff that Matters" has been replaced by "News We Don't Have to Work For, Stuff That Generates Page Views".
Hey, and if I quit hanging around here, maybe I can get some work done!
Ce n'est pas un vrai mouvement de robot!
Perhaps it's the result of another firefox exploit. :)
And still I have no clue about what I need to do to prevent this without globally "disable javascript" (with noscript)
It sounds more like a Microsoft recommendation than anything.
I know some very intelligent people will be looking at the code at present, but a bit more information about possible timescales would be nice.
Before anyone says go look on mozilla forums, I have been there and the one thread on the subject has the same crap posted here.
No-one appears to be doing anything about it and that worries me.
Is it lack of details about the exploits? Is it lack of understanding? It is just a very complex bug being examined in private?
liqbase
At least the mozilla foundatio have the balls to rate this Critical. MS would rate this low-med.
Firefox: Hackers "claim" zero-day flaw in Firefox
Biased much?
Anyone can "stand up for what they believe", but it takes a very brave individual to change what they believe. - Loundry
> A potential solution was install a plugin called noscript "Extension" or "Addon" called noscript, not a plugin. Plugins allow you to play with Java Applets or view Flash movies.
would this really be a firefox issue or a java issue?
(yes i know i suck at spelling fell free to correct my grammar and/or spellin i dont care, im still not going to change
Even if you turn off Javascript for all sites except those on some whitelist, there's no reason one of those sites can't be hacked and have malicious javascript inserted. There are only two ways to be safe from Javascript vulnerabilities:
1. Turn off Javascript completely for all sites.
2. Use a browser with a rock-solid Javascript implementation.
One is easy, but breaks functionality, as people rely on Javascript for everything nowadays -- Mostly for things that don't need it. As for two, Firefox will never be this browser unless it is fundamentally re-architected, as others have mentioned here. It seems like the only option currently is to pick the safest browser you can find (I run Safari, which has far less vulnerabilities reported than Firefox, although I realize that means little in an absolute sense), sandbox it as best you can, be wary of any site you go to, keep your data backed up, have good password policies (don't use the same password for Slashdot and your back account), and cross your fingers.
This sucks -- We're still paying for the browser feature race that Microsoft and Netscape had years ago. This is not to say that passing code to a client and having it run it to render something is a bad thing. No one is up in arms about Postscript. What we do need is some technology that is limited to certain very specific things, and is not depended on to interact with the browser itself in any major ways (as it currently is in Firefox). Saying "draw this line 10 times" is fine. Saying "open these tabs and turn off your bookmark bar" is not. Once you go past Postscript-level rendering and into client UI or system interaction, you're just asking for it.
OSS needs this in licenses. Forget the DRM stuff GPLv3 is trying to deal with, let's try to deal with a real problem that we can solve. This is a minor act of terrorism like behavior, they go out, announce they have a bunch of exploits that they aren't going to publish and basically say they would rather get them to other black hats rather than mozilla to fix them. That should be criminal and if it's not and since I don't trust the government to do it right, Mozilla should have recourse to sue these guys for damages and to figure out fixes to the problem.
Look at the apple wireless thing, same exact problem. We'll never know if there was a real exploit, it will never be released or actually demoed. Any time apple fixes anything in the wireless area (and they'll continue to fix stuff for years) a group of people will simply parrot that the whole thing was real, another group will do the same and echo the fraud charges. The fact remains that it is the least responsible disclosure, it is an attempt to generate fear that cannot be fixed and generate some fame and defame another company all at once.
RMS mandate full disclosure in the next GPL.
The hackers claim to have 30 exploits that they do not intend to disclose to mozilla. Then Wbeelsoi says he intends to use the exploits maliciously, "we're setting up communication networks for black hats." The public bragging is plenty to establish probably cause. The second statement shows clear intent to break the law. There is no reason why these people should not be arrested and a warrant issued for all of their computers. At the very least they should be investigated, and when they sell the exploit to the russian or israeli mafia for big bucks then these boys could spend some hard time.
-- QED
I'm sorry if the big words confused you.
That's too bad about FireFox being essentially written in JavaScript. SpiderMonkey, the JavaScript interpreter in Firefox, is BY FAR the worst programming language (in terms of speed and memory use) of them all, according to the Computer Language Shoot Out.
When you compare all the languages on CPU time, SpiderMonkey JavaScript is twice as slow as the second worst, Ruby.
When you compare all the languages on memory usage, SpiderMonkey is 1.7 times as bloated as the second worst, Smalltalk Visual Works.
When you compare all the languages on CPU time AND memory usage, SpiderMonkey is 2.1 times as bad as the second worst, Smalltalk GST.
Firefox would be much better off using Lua, which is much easier to integrate with C code than SpiderMonkey's nightmare sausage factory, much faster, much smaller, and a vastly better language design. The fact is, that good language design has a huge effect on speed and memory usage -- you can't just stick your head in the sand and pretend good language design isn't important, like the PHP and JavaScript designers originally did and still do. Bad design paints your bad implementation into a bad corner, and there it stays.
Here's how Lua and SpiderMonkey JavaScript stack up against each other. Lua TOTALLY smokes JavaScript, in every category, by a long shot. It's not even funny -- it's tragic. Face it: JavaScript is not only a horribly designed language, but SpiderMonkey is also a horrible implementation of that horribly designed language. So it's not surprise that SpiderMonkey has always had gaping security holes, to complement its horribly slow speed and extremely huge size.
-Don
Take a look and feel free: http://www.PieMenu.com
I've been using NoScript for over 6 months on all my computers, it's a must have extension if you use firefox. The ability to block java, flash and other plugins aswell is a very nice touch.
This probably isn't very interesting to the majority of slashdot readers, who we'd expect to have the knowedge and sense to have long ago turned off javascript and all other scripting things in their browsers. Right? Right .....
Those who do study history are doomed to stand helplessly by while everyone else repeats it.
Can anyone get it to work on FF on Mac OS X?
Are the extensions supposedly platform independent? Because if I go to the extensions menu from Mac OS X it offers up NoScript, it just doesn't work.
http://lkml.org/lkml/2005/8/20/95
Here's the "standard" way to add a bookmark to the current page in Firefox:
So it's a good thing that Firefox's JavaScript interpreter leaks references to internal functions that web scripts aren't supposed to access. Because some of them are useful, interesting functions that are fun to call!
-Don
Take a look and feel free: http://www.PieMenu.com
... in Linux and firefox is actually no concept at all. They could use process separation though SE Linux but no distro does it for critical desktop apps like ICQ messengers and browsers. And even if they do, the browsers themselves need to be deeply refactored: information flow must be controlled at a simple level and a good solution would probably be to detach and isolate a process depending on the remote website's SSL cert: that way even cross-site scripting attacks would have not been possible and password/cookie information theft could be prevented relatively securily. Security implies a concept. Just programming a scripting language such that it looks secure is not enough. You have to use simple and easy to understand barriers (like domain transitions).
And even that is no guarantee for security. Actually, with today's solution you cannot securely isolate process domains. You can still use bandwidth modulation (RAM, disk etc.) to send information to any other process on the system (it just needs to measure the bandwidth...). I think such problems can only be avoided if one uses a proven concept to build the whole OS.
But who am I to tell how to do such things. Wait a few years, and I'm usually proven to be right.
The question becomes; is it possible to code a truly "secure" browser app?
There's many answers, depending on what you mean by secure...
1. A browser in which no path throough the code can in principle be exploited. Technically, yes, but in practise you're unlikely to see such a browser in wide use because it wouldn't permit third party plug-ins nor would its scripting language allow many of the capabilities people are used to seeing.
2. A browser in which no security flaws can be practically exploited. This would be possible, if you don't count holes in third-party plugins. You would need to implement the browser in an inherently safe language and restrict the ability of scripts to only change the presentation of data, to communicate with plugins at a high level, and trigger events within the same document.
3. A browser in which no security flaws require changing the exposed API to be fixed. This is easily implemented, and Gecko is actually not far from it. Scripts would need to be somewhat restricted to prevent cross-site information exposure, but most of the problems with Firefox are at a higher level... for example, the use of the same scripting engine to implement user interface features and to execute untrusted scripts, or (and worse) the support code for XPI installs from the web that requires a hole in the sandbox to implement. A browser such as Camino that uses Gecko for rendering HTML but implements the user interface in native code is safer in principle.
4. A browser in which 'trusted' documents can run unsandboxed code, and which is still secure? Not possible. This is where Internet Explorer is. The difference between point 3 and point 4 is huge... you can build a class three secure browser using the Gecko engine with minor changes that don't effect the API. You can't make a class 4 browser secure without turning it into a class 3 browser, and to do that you have to fundamentally change the API. Microsoft could do it now, but it would have been much easier for them to do it in 1998.
If you tell mozilla there is a hole, then refuse to disclose it to them. Further you tell them
that you intend to use it to create a botnet. The only thing I can say is these crap heads should be labeled what they are, terrorist. Send them to gitmo with the rest of the terrorist, never to be heard or seen again.
Got Code?
Any ideas anyone?
Javascript is not inherently insecure any more than java is, or flash is.
If the operations that javascript can perform are properly restricted (which they pretty much already are) and the implementation is properly sandboxed (which apparently it isn't right now on firefox) then you can ran an arbitrary javascript program without consequences.
Javascript is important to many companies business models, and if you haven't noticed already, the web has moved to using *more* javascript lately not less. People use javascript to deploy fairly thick clients, to assyncronously update a page without postbacks. Some web toolkits don't even render most html on the server, but send data to the client, and let the client handle display.
The bottom line is that businesses now widely use the web to distribute *applications* in a way that they used thin clients to distribute applications in the past. For them, the web is the new x forwarding. Using browsers sans javascript is not an option for them, so it is not going to happen.
What really needs to happen is better sandboxing. Also, sandboxing has to go further than it has in the past. One problem that javascript has is that it can use up a lot of processor time, and effectively bring the system to a halt, or at least cause usability problems in other applications. Browsers needs to regulate cpu and memory resources that javascript can use better to insure that this doesn't happen.
Also, what sort of drugs do you have to be on to name your kid "Window"?
Kind of like asking "what kind of relegious zealots do you have to be to name your kid after an apostle?", don't slander someones parents just because you think they have a silly name, ever consider that her parents may have named her using a language where "Window" means something other than a way of letting the sun in?
Just watch out for message boards that you visit that may be vulnerable to a cross-site scripting attack. Lots of them rely heavily on Javascript, and lots of them are insecure.
Except you shouldn't be adding bookmarks to user's browser from your web pages. It falls into pretty much the same category as using BLINK tag.
Many KDE 4 apps including konqueror are being ported to windows and osx where it will run natively. Also khtml is not as tied to kde as you might think, there is a reason that apple chose it as the base for safari. I have to admit I am really looking forward to being able to use konqueror under windows like I do on my linux boxes instead of firefox. Konqueror runs faster, renders more pages accurately, looks to have a better security system and requires a tiny fraction of the memory and cpu time of firefox. In order of browers I would say that safari/konqueror are the best followed by opera and then a ways after that would be gecko systems and then IE. The reason I don't like opera as much is that getElementById in opera is wrong. It makes the name and id namespaces which is should not do. It is a reported bug and it seems they won't fix it which is a pain.
Computer modeling for biotech drug manufacturing is HARD!
Am I reading that code wrong, or does that automatically click on the button to add the bookmark, thereby not giving the user the chance to cancel?
"Those who consume the bulk of goods are those who make them. We must never forget this secret of our prosperity."
Each time there is a report for a vulnerability, the reason why this vulnerability exists is not mentioned at all, let alone analysed.
So, I am asking: is it because of flawed design or because of using C as the language to program firefox in?
If it is the latter, then maybe we (i.e. the software community) shall consider stop using C and move to a safer environment (e.g. Cyclone).
Pretend that I don't know, and that I care.
If you were blocking sigs, you wouldn't have to read this.
I put on my devils advocate hat and robe:
Maybe they realize the impending segmentation of the Internet by large corporate interests (i.e. a non-neutral net) and they're setting up a system to "strike back" at the man? They see a future of the Internet where the big companies really do rule the roost and they're just getting a nice stockpile of ammo to throw around.
Think about it, some of the same things are said about terrorists. If we open up laws to make is easier to hunt down and eliminate them, then they'll up the ante in ways to help insure their continued survival. They also think what they're doing is for the greater good of mankind.
I'm a fiscal conservative, it's a pity we don't have a political party anymore
if they get deluged by outraged email, hopefully they will get the boot real quick. but still, how to trust sixapart again, unless they do a complete code review (as if!)?
There was a thread on this at digg.com a day or two ago. It's not that they're withholding the exploits. What they claim to be doing is creating Zombie PCs to build a Darknet for "Black Hats" to communicate.
In other words, the SOBs are selling exploit code to organized crime.
We're dealing with punks who need a good long stay in a Federal Penitentiary.
"Live Free or Die." Don't like it? Then keep out of the USA
Yeah, a while ago I got frustrated and went to digg. I have to tell you, though, digg really sucks and bad. I just saw one too many 1337 PHP IS TEH ROXX0R posts for me to stick around any longer. It was pretty crappy. Needless to say, I am reading /. again.
blah blah blah
So it exploits Firefox. What about Mozilla? Or the other browsers from the same source?
Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
Here is a quote from an email from Mozilla that captures this nicely:
A couple things are important here. First, does that look like things were agreed to on a license grant? I read this as debian deciding to ignore the policy. Second, does debian have the right to sublicense their supposed grant to avoid the artwork and change the packages to other groups who want to use firefox? I doubt it, even under the debian interpretation of a grant. So you've broken the DFSG with the community who would use debian, and is going to be stuck tearing out references to firefox by hand now if they want to create works based on debian.
The choices here seem pretty clear. Fight a legal fight (that despite your "fact" you are likely to loose becuase you expressely state you are going to ignore the policy), or make a small and simple change that will avoid the whole issue together.
This is a losing debate I think for debian, because regardless of what legal technicalities you try and hang your hat on, you are going to find little support for your actions, because almost EVERY open source project actively discourages your type of activity, which is striping visual identity, changing packages, but keeping a trademarked name. I suspect debian would take the SAME position with others creating versions of debian and calling them debian.
Why then fight so hard to do something that you would make a stink about elsewhere, even if you think you can get away with it, especially given how very weak the case is to someone who has actually read the entire bug and entire email thread.
It seems time could be better spent on other things.
It isn't irony, it's the 'puzzle' starting to fit together, where do you think they got the source code to find the XSS bugs for LJ? (which by the way, they never 'hacked' lj, they were stealing peoples cookies)
So you're saying it's ok for the browser to leak references to internal functions, because your user interface guidelines dictate that it's a bad idea to call those particular functions (even if my clients dictate they want a button that does that on their web page)?
My point, in case you missed the sarcasm, is that Firefox's JavaScript implementation is so complex and tangled that it leaks pointers to functions that web based scripts should not be able to call. If you can call the function to add a bookmark, then what kind of other functions are sitting there waiting to be cherry picked and called by maliscious scripts?
-Don
Take a look and feel free: http://www.PieMenu.com
Yes, you're reading the code wrong, because it's very tricky. The event is not used to click on a confirmation button (that would be impossible), it's used to trick the browser into executing a JavaScript function in a different (trusted) context, where it can directly call the addBookmarkForBrowser function (which normally can't be called by untrusted code). The way it does that is to add a getter method hook to the head element "ownerDocument" property, so the hook gets called in a totally different (trusted) context when the dummy event is handled. The trusted event handling code foolishly accesses the head element's "ownerDocument" property, which calls the code provided by the untrusted web page, in a trusted context.
-Don
Take a look and feel free: http://www.PieMenu.com
Security focus is quoting Mozilla developer blogs to claim that the demo was a hoax. Dont know if the demo is a hoax or this report is a hoax. Another UK site too is claiming that it is a joke. But on the otherhand thousands of newspapers and websites and blogs are claiming that Firefox is so broken it is unfixable.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
It isn't irony, it's the 'puzzle' starting to fit together, where do you think they got the source code to find the XSS bugs for LJ? (which by the way, they never 'hacked' lj, they were stealing peoples cookies)
Errm... from the publicly-accesible SVN repository? The LiveJournal code is open-source - actually, I have a copy lying around here somwhere (though it's out of date by now). And I think hijacking accounts en masse via XSS holes and flooding the official announcements with large numbers of comments using them definitely counts as hacking (though there are much more destructive things they could've done with them...).
I see (sort of :). Thanks for the explanation.
"Those who consume the bulk of goods are those who make them. We must never forget this secret of our prosperity."
you must be new here
Perhaps I'll just drop in every few weeks, check comment replies (like this one), and see if the S/N has improved any. I'm not holding out much hope.
Ce n'est pas un vrai mouvement de robot!
I don't see which is supposed to apply to sites that use javascript to provide extra functionality... surely a browser that has this functionality disabled is the one that's broken.
The revolution will not be televised... but it will have a page on Wikipedia