Slashdot Mirror

← Back to Stories (view on slashdot.org)

Gaping Holes In Fully Patched IE7, Firefox 2

Posted by kdawson on from the just-when-you-thought-it-was-safe dept.

Continent1106 writes "Hacker Michal Zalewski has ratcheted up his ongoing assault on Web browser security models, releasing details on serious flaws in fully patched versions of IE6, IE7 and Firefox 2.0. The vulnerabilities could cause cookie stealing, page hijacking, memory corruption, code execution, and URL bar spoofing attacks." Here is Zalewski's post to Full Disclosure.

14 of 303 comments (clear)

  1. Ah well by GFree · · Score: 5, Informative

    Gaping Holes In Fully Patched IE7, Firefox 2
    In other words, it doesn't matter which browser you use, you're gonna get F'd in the A regardless? Sounds painful.
    1. Re:Ah well by rts008 · · Score: 5, Informative

      RTFA...Try the demo's...It will reduce the FUD.

      I tried the demo page/file and got no response whatever.

      "2) Title : Firefox Cross-site IFRAME hijacking (MAJOR)
            Impact : keyboard snooping, content spoofing, etc
            Demo : http://lcamtuf.coredump.cx/ifsnatch/
            Bugzilla : https://bugzilla.mozilla.org/show_bug.cgi?id=38268 6 [May 30]"
      from:(http://lcamtuf.coredump.cx/ifsnatch/) which is from:2) Title : Firefox Cross-site IFRAME hijacking (MAJOR)
            Impact : keyboard snooping, content spoofing, etc
            Demo : http://lcamtuf.coredump.cx/ifsnatch/
            Bugzilla : https://bugzilla.mozilla.org/show_bug.cgi?id=38268 6 [May 30]"

      and this:"3) Title : Firefox file prompt delay bypass (MEDIUM)
            Impact : non-consentual download or execution of files
            Demo : http://lcamtuf.coredump.cx/ffclick2/
            Bugzilla : https://bugzilla.mozilla.org/show_bug.cgi?id=37647 3 [Apr 04]"

      I tried both link's test button and got no response whatever.

      IMHO, this must be something related to running Windows, as my Kubuntu 7.04 Feisty w/ Firefox 2.0.04 (with NoScript, Adblock, Adblock Filterset, and Flashblock) just does not act on this.

      I guess I need to install some version of Windows to experience this...I feel deprived and left out!

      Does this work with Firefox w/ NoScript on Windows?

      From past experience, I have no doubts that it works with any version of IE on any Windows platform.

      --
      Down With Slashdot BETA!!! I've been around the corner and seen the oliphant; you can only abuse me from your perspecti
    2. Re:Ah well by Sizzlebeast · · Score: 3, Informative

      Firefox 2.0.0.4 w/ NoScript and it won't work on windows either. I guess i have to allow it...not gonna happen :) I guess I'm safe

    3. Re:Ah well by QuoteMstr · · Score: 2, Informative

      You couldn't be more wrong, sir. Error handling in CSS is defined in great detail in the CSS spec, and it's important that browsers handle it properly so that future CSS revisions can provide new properties and syntax without breaking old clients. ACID2 ensures that browsers are forward-compatible with future versions of CSS.

  2. One of the demos on Firefox doesn't work by ericferris · · Score: 4, Informative

    I am using the latest Firefox 1.5. I went to the demo page : http://lcamtuf.coredump.cx/ifsnatch/ . The first test shows that it is possible to rewrite the content of an iframe. That is rather dangerous in situations involving trusted messages.

    The 2nd demo was supposed to snoop on the keyboad, but it invoked a pop-up, which was immediately blocked by the pop-up blocker. So unconfimed as far as I know. However, the demo page did open a CNN.com page.

    Anyone has better "luck" to demo the keyboard snooping?

    --
    Fantasy: http://ferrisfantasy.blogspot.com/
  3. Re:Victim Statistics? by eli+pabst · · Score: 2, Informative

    There are a shitload of sites that host malicious code to intentionally infect vulnerable browsers. Even regular sites are occasionally hacked to host malicious code. The most recent big name one I can think of is the Miami Dolphins football team website during the last superbowl. A few years back a number of sites that produce banner advertisements were hacked, which resulted in widespread malicious banners getting hosted on tons of otherwise secure sites. I don't know of any database of malicious websites, but http://isc.sans.org/ usually has a good daily handlers report that lists widespread nastiness and other new developments.

    Link to info on the Dolphins hack:
    http://www.infoworld.com/article/07/02/02/HNdolphi nssiteshacked_1.html

  4. Comment removed by account_deleted · · Score: 4, Informative

    Comment removed based on user account deletion

  5. Re:probably NoScript by MightyYar · · Score: 2, Informative

    But you can use NoScript and still allow useful scripts... that's the whole point! The whole advantage of NoScript is that you can click on any shady site that you wish with little-to-no chance of compromising your machine. Presumably, you won't allow scripts from said shady site... when you get to YouTube and the videos won't play, then you enable scripting.

    --
    W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
  6. Another Firefox vulnerability posted today by whitehatlurker · · Score: 3, Informative

    Thor Larholm also announced a Firefox hole today. Wasn't completely patched in the last release.

    --
    .. paranoid crackpot leftover from the days of Amiga.
  7. Re:But in order to be affected... by snowraver1 · · Score: 5, Informative

    It's called a Man-in-the-middle attack. Say you go to google.ca (I'm Canadian) It goes something like this:

    You> Yo DNS server, I wanna Talk to google.

    DNS> Roger that! Go to 72.14.253.103.

    You> Yo 72.14.253.103 Whacha got?

    72.14.253.103>Index.html

    You> Looks like Index.html says I need the google picture.

    Eve (Eve is sitting at the same coffee shop as you. Eve is bad)> Ahem, err, sir, I have this envelope for you. It's from google. It contains your picture. *Sniker*. (You don't notice the snicker)

    You> OH N0E$! TH3 P1CtUr3 us3d a buff3r ov3rflow vuln3rab1lity and n0w you have a virus that mak3s you typ3 lik3 a n00b!

    For more information look here: http://en.wikipedia.org/wiki/Man_in_the_middle_att ack

    --
    Copyright 2010. All rights reserved. This comment may not be copied in any way including, but not limited to caching.
  8. CrashZilla by EEPROMS · · Score: 2, Informative

    Ive renamed Firefox "CrashZilla", it would be nice to browse the web for more than 1 hour without it freezing up or crashing. Yes I have the latest version and all the latest plugins. I have no issues with Konqueror on KDE 3.5.7 (using the same plugins) and Firefox 1.5.* ran for days without crashes.

  9. Re:probably NoScript by Barny · · Score: 3, Informative

    Yup, noscript doesn't let such nasties run, unless you give them permission, which seems to be half the problem for most internet users.

    As for the person saying noscript is hard to use, its usually a matter of just clicking the script item (like a youtube vid that is being blocked) and it allows it to run temporarily, should be built in standard imho.

    Combine it with a nice ad server blocker (kerio personal firewall for instance) and the web just suddenly starts working as it was meant to :)

    --
    ...
    /me sighs
  10. Re:probably NoScript by Keeper+Of+Keys · · Score: 2, Informative

    You might find they've fixed that. NoScript is under very active development and release a couple of updates a month. I have to agree with all the positive things that are said about it. I tend to enable scripting permanently only for trusted sites which I know require javascript (and smile a smug standardista smile to myself to think that I would never let a bit of javascript functionality go un-fall-backed). You see a lot less ads with NoScript, too.

  11. They're already working on this by Giorgio+Maone · · Score: 2, Informative
    Content restriction is hot topic, especially after MySpace debacles: And for users? good ole NoScript :)
    --
    There's a browser safer than Firefox, it is Firefox, with NoScript