Slashdot Mirror

← Back to Stories (view on slashdot.org)

Gaping Holes In Fully Patched IE7, Firefox 2

Posted by kdawson on from the just-when-you-thought-it-was-safe dept.

Continent1106 writes "Hacker Michal Zalewski has ratcheted up his ongoing assault on Web browser security models, releasing details on serious flaws in fully patched versions of IE6, IE7 and Firefox 2.0. The vulnerabilities could cause cookie stealing, page hijacking, memory corruption, code execution, and URL bar spoofing attacks." Here is Zalewski's post to Full Disclosure.

10 of 303 comments (clear)

  1. Victim Statistics? by Anonymous Coward · · Score: 5, Insightful

    Perhaps I'm ignorant, but does anyone ever find themselves a victim of these "gaping holes"? I can't say as I've ever browsed on to a site and found myself the victim of a compromised computer or ended up with viruses. Is there a site/blog that reports such statistics?

  2. Didn't learn lesson from javascript by mrcaseyj · · Score: 5, Insightful
    They said they could make javascript secure but it's still a huge source of holes. Instead of learning our lesson, Flash, another executable web format is taking over. Don't use flash because it's cool. Only use it if you really need it for your web page.


    And if Ubuntu was really concerned about security they would ship it by default with a web browser already set up under a separate username with strict selinux policies.

  3. alternatives by sudo · · Score: 5, Insightful

    Well there's always Opera?

  4. Go old NoScript by Nutsquasher · · Score: 5, Insightful

    Keeps all of that Firefox JavaScript nastiness at bay, plus flash ads to boot. :)

    1. Re:Go old NoScript by MLease · · Score: 3, Insightful

      When I want to allow flash or a script to run, it's easy enough to do. The point of NoScript is that nothing runs without my explicit consent, just because I happened to visit a website. If I allow something malicious to run, it's my own fault.

      -Mike

      --
      I'm sorry; I don't know what I was thinking!
  5. Slashdot responses by Frankie70 · · Score: 5, Insightful

    1) If Article Posted about IE security bugs
        - Regular mudfest, everyone throwing mud on Microsoft
    & IE. Everyone saying I have FF/Linux/Safari whatever,
    so I am safe. Nobody talks about changing settings,
    disabling javascript or Activex as a good workaround.

    2) If Article Posted about FF security bugs
        - Lot of workarounds posted - disable Javascript,
    get some plugin, change some settings, don't go to
    the website etc. How great that the it is open source,
    someone will fix the bug in one hour & release patch.
    Bugs are avenues to show how great open source is.

    Now both are posted together, let's collate responses
    at the end of the day

  6. probably NoScript by r00t · · Score: 3, Insightful

    You're a rare weirdo. Much of the web won't work without scripting, or at least won't work well.

    You're missing out on the nicer wiki/blog editors, live updates to the price of a computer purchase as you add/remove components, tolerable web mail interfaces, and (if your CPU is fast) the experimental slashdot interface.

    Those are just the nerd things. I'm told there are numerous non-nerd things on the web as well, with far more scripting.

  7. Are you sure? by kybred · · Score: 5, Insightful
    I can't say as I've ever browsed on to a site and found myself the victim of a compromised computer or ended up with viruses that I know of.

    There, fixed that for you.

  8. Re:But in order to be affected... by beyondkaoru · · Score: 5, Insightful

    ok, i'm not a web developer so i wouldn't know, but is there any way to force your advertisers (malicious or otherwise) to not use javascript/flash/whatever? since it's essentially running code we don't trust on the client's computer...

    essentially, do the noscript thing on your own servers, or host ads (i assume they're mostly just pictures with links) on your own servers somehow.

    --
    the privacy of one's mind is important.
    you do have something to hide.
  9. Doesn't seem to bother us by myxiplx · · Score: 3, Insightful

    Here at work we use IE6 on XP SP2 workstations and not a single one of those vulnerabilities affects us.

    Why? Because we don't let IE run scripts of any kind unless it's from a site we trust. IE has had security zones for years yet hardly anyone uses them. A single group policy object enforces our list of trusted sites, nobody's computer can run javascript on any site we've not already decided is safe.

    Ok, there's a small risk of someone hacking one of our trusted sites, but I can live with that.

    So far we've had 2 years of uninterrupted browsing, with nobody at our company getting a single piece of malware on their machine.

    And the best bit: It's surprisingly low maintenance. We get maybe one request a month now to add a new site to the list.