Slashdot Mirror


Gaping Holes In Fully Patched IE7, Firefox 2

Continent1106 writes "Hacker Michal Zalewski has ratcheted up his ongoing assault on Web browser security models, releasing details on serious flaws in fully patched versions of IE6, IE7 and Firefox 2.0. The vulnerabilities could cause cookie stealing, page hijacking, memory corruption, code execution, and URL bar spoofing attacks." Here is Zalewski's post to Full Disclosure.

18 of 303 comments

  1. Ah well by GFree · · Score: 5, Informative

    Gaping Holes In Fully Patched IE7, Firefox 2
    In other words, it doesn't matter which browser you use, you're gonna get F'd in the A regardless? Sounds painful.
    1. Re:Ah well by rts008 · · Score: 5, Informative

      RTFA...Try the demo's...It will reduce the FUD.

      I tried the demo page/file and got no response whatever.

      "2) Title : Firefox Cross-site IFRAME hijacking (MAJOR)
            Impact : keyboard snooping, content spoofing, etc
            Demo : http://lcamtuf.coredump.cx/ifsnatch/
            Bugzilla : https://bugzilla.mozilla.org/show_bug.cgi?id=382686 [May 30]"
      from: http://lcamtuf.coredump.cx/ifsnatch/

      and this: "3) Title : Firefox file prompt delay bypass (MEDIUM)
            Impact : non-consensual download or execution of files
            Demo : http://lcamtuf.coredump.cx/ffclick2/
            Bugzilla : https://bugzilla.mozilla.org/show_bug.cgi?id=376473 [Apr 04]"

      I tried both links' test buttons and got no response whatever.

      IMHO, this must be something related to running Windows, as my Kubuntu 7.04 Feisty w/ Firefox 2.0.04 (with NoScript, Adblock, Adblock Filterset, and Flashblock) just does not act on this.

      I guess I need to install some version of Windows to experience this...I feel deprived and left out!

      Does this work with Firefox w/ NoScript on Windows?

      From past experience, I have no doubts that it works with any version of IE on any Windows platform.

      --
      Down With Slashdot BETA!!! I've been around the corner and seen the oliphant; you can only abuse me from your perspecti
    2. Re:Ah well by Sizzlebeast · · Score: 3, Informative

      Firefox 2.0.0.4 w/ NoScript, and it won't work on Windows either. I guess I have to allow it...not gonna happen :) I guess I'm safe.

    3. Re:Ah well by QuoteMstr · · Score: 2, Informative

      You couldn't be more wrong, sir. Error handling in CSS is defined in great detail in the CSS spec, and it's important that browsers handle it properly so that future CSS revisions can provide new properties and syntax without breaking old clients. ACID2 ensures that browsers are forward-compatible with future versions of CSS.

  2. One of the demos on Firefox doesn't work by ericferris · · Score: 4, Informative

    I am using the latest Firefox 1.5. I went to the demo page: http://lcamtuf.coredump.cx/ifsnatch/. The first test shows that it is possible to rewrite the content of an iframe. That is rather dangerous in situations involving trusted messages.

    The 2nd demo was supposed to snoop on the keyboard, but it invoked a pop-up, which was immediately blocked by the pop-up blocker. So unconfirmed as far as I know. However, the demo page did open a CNN.com page.

    Does anyone have better "luck" demoing the keyboard snooping?

    --
    Fantasy: http://ferrisfantasy.blogspot.com/
  3. Re:And Opera by Carlinya · · Score: 1, Informative

    I'm using the latest version of Opera (9.21), and it takes up more memory and crashes more often than FF does. In fact, sometimes opening two heavy flash windows causes it to be unresponsive and then crash shortly afterwards.

    --
    1 + 1 = 3?
  4. Re:Victim Statistics? by eli+pabst · · Score: 2, Informative

    There are a shitload of sites that host malicious code to intentionally infect vulnerable browsers. Even regular sites are occasionally hacked to host malicious code. The most recent big name one I can think of is the Miami Dolphins football team website during the last superbowl. A few years back a number of sites that produce banner advertisements were hacked, which resulted in widespread malicious banners getting hosted on tons of otherwise secure sites. I don't know of any database of malicious websites, but http://isc.sans.org/ usually has a good daily handlers report that lists widespread nastiness and other new developments.

    Link to info on the Dolphins hack:
    http://www.infoworld.com/article/07/02/02/HNdolphinssiteshacked_1.html

  5. Very Often by Anonymous Coward · · Score: 1, Informative

    Most of the malware is for IE, but it's quite frequent for an advertising network or such to be compromised and to send out infected ads. Plenty of websites and ad networks have been hacked for no apparent reason other than to infect people. It's far from the only way they trick people, of course. They like to require special software to use their smileys, screen savers, programs to download some site's crap (especially for porn, like the porn dialers from the days when modems were common), fake anti-virus and spyware tools, etc. If you have to download some special tool to use a site, and it's not a well-known thing like a common media codec or something to extract RARs, etc., it seems like it's almost certainly illegitimate.

    That said, I personally have not been affected, but I use Firefox (which has the less critical holes) + NoScript (which completely blocks the holes in TFA, not to mention many others). And even if they did get the exploit to work and had it steal my cookies, there's hardly anything in there because all cookies get deleted when I log out. And I have Adblock Plus, so I'm not going to get hit by any compromised ad networks or whatever to begin with, especially because I'm incredibly mistrustful about what programs I install.

    If you want a blog to read, try F-Secure's blog.

  6. Comment removed by account_deleted · · Score: 4, Informative

    Comment removed based on user account deletion

  7. Re:probably NoScript by MightyYar · · Score: 2, Informative

    But you can use NoScript and still allow useful scripts... that's the whole point! The whole advantage of NoScript is that you can click on any shady site that you wish with little-to-no chance of compromising your machine. Presumably, you won't allow scripts from said shady site... when you get to YouTube and the videos won't play, then you enable scripting.

    --
    W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
  8. Another Firefox vulnerability posted today by whitehatlurker · · Score: 3, Informative

    Thor Larholm also announced a Firefox hole today. Wasn't completely patched in the last release.

    --
    .. paranoid crackpot leftover from the days of Amiga.
  9. Re:But in order to be affected... by snowraver1 · · Score: 5, Informative

    It's called a Man-in-the-middle attack. Say you go to google.ca (I'm Canadian). It goes something like this:

    You> Yo DNS server, I wanna Talk to google.

    DNS> Roger that! Go to 72.14.253.103.

    You> Yo 72.14.253.103 Whacha got?

    72.14.253.103>Index.html

    You> Looks like Index.html says I need the google picture.

    Eve (Eve is sitting at the same coffee shop as you. Eve is bad)> Ahem, err, sir, I have this envelope for you. It's from google. It contains your picture. *Snicker*. (You don't notice the snicker)

    You> OH N0E$! TH3 P1CtUr3 us3d a buff3r ov3rflow vuln3rab1lity and n0w you have a virus that mak3s you typ3 lik3 a n00b!

    For more information look here: http://en.wikipedia.org/wiki/Man_in_the_middle_attack

    --
    Copyright 2010. All rights reserved. This comment may not be copied in any way including, but not limited to caching.
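The coffee-shop exchange above, as an added example that is not part of snowraver1's comment or of any project: a Python simulation of the same steps (resolve the name, fetch index.html, fetch the picture index.html references), with an on-path party substituting the picture. The point it adds is the defender's one: a client that just takes whatever bytes arrive accepts the swap, while a client that checks the bytes against a hash the page pinned for them (the same idea as subresource integrity) rejects it. The host name, the image bytes and the "network" functions are constructed for the simulation.

```python
import hashlib

# Constructed sample content; these are not real assets from any site.
GENUINE_IMAGE = b"\x89PNG genuine-logo-bytes"
SUBSTITUTED_IMAGE = b"\x89PNG tampered-bytes-from-eve"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Step 1 in the dialogue: the resolver answers with an address (constructed).
RESOLVER = {"www.example.invalid": "192.0.2.10"}

# Step 2: the index.html the origin serves. Besides naming the picture it
# needs, it pins the picture's hash, the way an SRI integrity attribute does.
INDEX_HTML = {
    "image_url": "http://www.example.invalid/logo.png",
    "image_sha256": sha256_hex(GENUINE_IMAGE),
}


def honest_network(url: str) -> bytes:
    """Models the origin answering the request for the picture."""
    return GENUINE_IMAGE


def on_path_substitution(url: str) -> bytes:
    """Models Eve at the coffee shop handing over her own 'envelope'."""
    return SUBSTITUTED_IMAGE


def resolve(host: str) -> str:
    return RESOLVER[host]


def fetch_unverified(network) -> bytes:
    """A client that uses whatever bytes arrive: accepts the substitution."""
    host = INDEX_HTML["image_url"].split("/")[2]
    resolve(host)  # the address is correct; the swap happens after it
    return network(INDEX_HTML["image_url"])


def fetch_verified(network) -> bytes:
    """A client that compares the bytes with the hash the page pinned."""
    host = INDEX_HTML["image_url"].split("/")[2]
    resolve(host)
    body = network(INDEX_HTML["image_url"])
    if sha256_hex(body) != INDEX_HTML["image_sha256"]:
        raise ValueError("integrity check failed: picture does not match "
                         "the hash pinned by index.html")
    return body


def outcome(fetcher, network) -> str:
    """Returns 'accepted' or 'rejected' so the two behaviours can be compared."""
    try:
        fetcher(network)
        return "accepted"
    except ValueError:
        return "rejected"


if __name__ == "__main__":
    for name, network in (("honest", honest_network),
                          ("on-path substitution", on_path_substitution)):
        print(f"{name:22s} unverified={outcome(fetch_unverified, network)} "
              f"verified={outcome(fetch_verified, network)}")
```

The pin only helps if index.html itself arrived untampered: a party who can rewrite the picture can usually rewrite the page that carries the hash, which is why in practice the page comes over an authenticated channel (HTTPS) and the hash protects resources loaded from elsewhere.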
  10. CrashZilla by EEPROMS · · Score: 2, Informative

    I've renamed Firefox "CrashZilla"; it would be nice to browse the web for more than 1 hour without it freezing up or crashing. Yes, I have the latest version and all the latest plugins. I have no issues with Konqueror on KDE 3.5.7 (using the same plugins), and Firefox 1.5.* ran for days without crashes.

  11. Re:probably NoScript by Barny · · Score: 3, Informative

    Yup, NoScript doesn't let such nasties run unless you give them permission, which seems to be half the problem for most internet users.

    As for the person saying NoScript is hard to use, it's usually a matter of just clicking the script item (like a YouTube vid that is being blocked) and it allows it to run temporarily; should be built in as standard IMHO.

    Combine it with a nice ad server blocker (kerio personal firewall for instance) and the web just suddenly starts working as it was meant to :)

    --
    ...
    /me sighs
  12. Re:Woot! by Anonymous Coward · · Score: 1, Informative
    From the full disclosure list:

    1) Title : MSIE page update race condition (CRITICAL)

    [snip]

    This is tested on MSIE6 and MSIE7, fully patched.
  13. Re:And Opera by Anonymous Coward · · Score: 1, Informative

    It's a bit simplistic to assume that $browser will always keep you safe.

    Indeed yes. And as the big targets (e.g. IE, FF on Windows) become more hardened against attacks, malware authors will move over to lesser-used targets. There have been vulnerabilities in Opera, Lynx, in fact probably every browser ever. Almost certainly, some still exist.

    Browser security is such a serious problem that my gf not only uses Opera, but uses it within a virtual machine (VMware). The only apps that run outside the VM are "trusted" apps that must be protected from keyloggers, such as WoW. Using this VM scheme means that she is safe from unpatched Opera vulnerabilities as well as unpatched vulnerabilities in other net-facing software such as Messenger, Flash, Winamp and Teamspeak. I just hope that VMware is as safe as it is supposed to be.

  14. Re:probably NoScript by Keeper+Of+Keys · · Score: 2, Informative

    You might find they've fixed that. NoScript is under very active development and release a couple of updates a month. I have to agree with all the positive things that are said about it. I tend to enable scripting permanently only for trusted sites which I know require javascript (and smile a smug standardista smile to myself to think that I would never let a bit of javascript functionality go un-fall-backed). You see a lot less ads with NoScript, too.

  15. They're already working on this by Giorgio+Maone · · Score: 2, Informative
    Content restriction is a hot topic, especially after the MySpace debacles. And for users? Good ole NoScript :)
    --
    There's a browser safer than Firefox, it is Firefox, with NoScript