Gaping Holes In Fully Patched IE7, Firefox 2
Continent1106 writes "Hacker Michal Zalewski has ratcheted up his ongoing assault on Web browser security models, releasing details on serious flaws in fully patched versions of IE6, IE7 and Firefox 2.0. The vulnerabilities could cause cookie stealing, page hijacking, memory corruption, code execution, and URL bar spoofing attacks." Here is Zalewski's post to Full Disclosure.
Perhaps I'm ignorant, but does anyone ever find themselves a victim of these "gaping holes"? I can't say as I've ever browsed on to a site and found myself the victim of a compromised computer or ended up with viruses. Is there a site/blog that reports such statistics?
And if Ubuntu was really concerned about security they would ship it by default with a web browser already set up under a separate username with strict SELinux policies.
Well there's always Opera?
Keeps all of that Firefox JavaScript nastiness at bay, plus Flash ads to boot. :)
1) If Article Posted about IE security bugs
- Regular mudfest, everyone throwing mud on Microsoft & IE. Everyone saying I have FF/Linux/Safari whatever, so I am safe. Nobody talks about changing settings, disabling JavaScript or ActiveX as a good workaround.
2) If Article Posted about FF security bugs
- Lot of workarounds posted - disable JavaScript, get some plugin, change some settings, don't go to the website etc. How great that it is open source, someone will fix the bug in one hour & release patch. Bugs are avenues to show how great open source is.
Now both are posted together, let's collate responses at the end of the day.
There, fixed that for you.
OK, I'm not a web developer so I wouldn't know, but is there any way to force your advertisers (malicious or otherwise) to not use JavaScript/Flash/whatever? Since it's essentially running code we don't trust on the client's computer...
Essentially, do the NoScript thing on your own servers, or host ads (I assume they're mostly just pictures with links) on your own servers somehow.
the privacy of one's mind is important.
you do have something to hide.