Slashdot Mirror


Gaping Holes In Fully Patched IE7, Firefox 2

Continent1106 writes "Hacker Michal Zalewski has ratcheted up his ongoing assault on Web browser security models, releasing details on serious flaws in fully patched versions of IE6, IE7 and Firefox 2.0. The vulnerabilities could cause cookie stealing, page hijacking, memory corruption, code execution, and URL bar spoofing attacks." Here is Zalewski's post to Full Disclosure.

14 of 303 comments

  1. Re:And Opera by Lisandro · · Score: 4, Interesting

    I've had Opera crash on me, say, 50-60 times in the past 5 years I've been using it (back from version 6). Of those, 60% were issues with that piece of shit Flash plugin for Linux, and even that got much better. Opera crashed? No problem, just hit "resume" when you restart.

    Opera is as stable as FF (and way more stable than IE) with a fraction of the system requirements - and faster than both. Try an up-to-date version; you'll be surprised.

  2. Re:Gaping holes? by evanbd · · Score: 3, Interesting

    Is it just me, or are the more humorous / inane tags showing up less? "duh" "haha" "itsatrap" and friends. Is this because the slashdot editors changed something, or because people are using them less?

  3. Re:First to fix? by KarmaMB84 · · Score: 2, Interesting

    Microsoft has to be a lot more careful about breaking third party crap with a browser fix so obviously Firefox will get patched first.

  4. Re:Ah well by egr · · Score: 3, Interesting

    The first two work on my Fedora 7 (Firefox 2.0.0.4 without NoScript). NoScript is not part of Firefox, so I think it should really be tested without it. However, the last one didn't work; instead it asked me to download an HTML page with the download manager.

  5. Re:crashes: probably exploitable by Lisandro · · Score: 3, Interesting

    In my experience, most of the crashes are plugin related. I was conservative with the (pulled off my ass :) 60% figure - Flash, until recent versions, was a guaranteed way of hanging your browser. I had some memory leaks back with version 7, which were promptly fixed in an update, and a crash when you opened and closed tabs in a certain way, which was also fixed quickly.

    Other than that, I can't honestly recall major problems with Opera. Not that I had a lot of issues with Firefox either (outside Flash, that is), but it does run much faster and with less memory requirements.

  6. Re:Poll by digitalchinky · · Score: 2, Interesting

    Sorry, posting to undo an accidental negative moderation.

  7. Re:But in order to be affected... by Bob+of+Dole · · Score: 5, Interesting

    Don't be so sure that avoiding "shady" sites will protect you.
    I run a few perfectly un-shady sites (an imageboard, a specialized search engine, and a funny images repository), but recently some users started complaining about the popups that were trying to install spyware.
    I don't have any popups on my sites! (I don't even use target="_new"!) But still users were getting spyware popups. The popups were so evil that the only way to avoid getting redirected to the spyware site was to disable JavaScript. (Even in Firefox. In IE it just installed the spyware automatically, but in Firefox at least you had to click "download". Still, it made my site unusable.)

    I went into my advertisers control panel, checked for anything remotely shady. Nothing. I tried turning off all third party advertisers (like doubleclick), figuring maybe one of them was redirecting users. Nope, some users still got popups. Worst of all, I NEVER got the popup, no matter what browser I was using.

    It turns out it's because I'm an American. The advertiser had specified that the advert with the embedded redirect only show up in every country except America. That stopped me from seeing it on the site, but what about the control panel? I could see all the ads there, even the ones not targeted at my location. Here's what they did in ActionScript: (pseudocode)

    if getTimeZone() in EUROPE_TIMEZONES:
        redirectToSpyware()
    else:
        displayHarmlessAdvert()

    So even when I checked the ads in the control panel they looked fine.

    My point is, don't think there's a scary corner of the internet where all the spyware/exploits hang out. The bastards making this crap know that most people don't go to those kinds of places, so they'll do anything they can to sneak their crap onto legitimate sites. (MySpace got hit with one of these a few months back, I think)
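The cloaking trick in the comment above deserves a worked model, so here is an added example that is not part of the thread: a JavaScript sketch of an ad creative that branches on the viewer's UTC offset (what Flash or JS would get from getTimezoneOffset()), the single-vantage preview the site owner relied on, and the audit that exposes the cloak by exercising the creative from every plausible offset. The targeting window (UTC+0 through UTC+3), the URLs and the function names are all constructed for illustration.

```javascript
// Added example, not from the thread: a model of the time-zone cloaking trick
// described in the comment above, and the multi-vantage audit that exposes it.
// All names, offsets and URLs are constructed for illustration.

// Code inside an ad sees the viewer's clock via getTimezoneOffset(), which
// returns minutes *behind* UTC: UTC+1 is -60, US Eastern (UTC-5) is 300.
// Hypothetical targeting window: UTC+0 through UTC+3.
const TARGET_OFFSETS = new Set([0, -60, -120, -180]);

// The cloaked creative: a redirect for targeted viewers, a normal banner
// for everyone else (including the site owner in the US).
function adAction(tzOffsetMinutes) {
  if (TARGET_OFFSETS.has(tzOffsetMinutes)) {
    return { action: 'redirect', url: 'http://spyware.invalid/install' };
  }
  return { action: 'display', url: 'http://ads.invalid/banner' };
}

// What the owner did: preview the creative from one vantage point. With a
// US offset this always reports "clean", which is exactly what cloaking is for.
function previewLooksClean(creative, viewerOffsetMinutes) {
  return creative(viewerOffsetMinutes).action === 'display';
}

// What the owner needed: run the creative for every plausible UTC offset
// (-12h .. +14h in 30-minute steps) and collect the ones that misbehave.
function auditAcrossOffsets(creative) {
  const findings = [];
  for (let minutes = -12 * 60; minutes <= 14 * 60; minutes += 30) {
    const offset = -minutes;                 // UTC+h expressed in getTimezoneOffset sign
    const result = creative(offset);
    if (result.action !== 'display') {
      findings.push({ utcHours: minutes / 60, ...result });
    }
  }
  return findings;
}

// Human-readable summary of an audit result.
function describe(findings) {
  if (findings.length === 0) return 'no offset produced a redirect';
  const zones = findings.map(f => `UTC${f.utcHours >= 0 ? '+' : ''}${f.utcHours}`);
  return `redirect to ${findings[0].url} for viewers at ${zones.join(', ')}`;
}

// Stand-alone run (CommonJS only).
if (typeof require !== 'undefined' && require.main === module) {
  const usEastern = 300;
  console.log('single-vantage preview clean?', previewLooksClean(adAction, usEastern));
  console.log(describe(auditAcrossOffsets(adAction)));
}
```

Against a real creative you cannot call its decision function directly; the equivalent audit is to load the ad in an instrumented player or browser while varying the machine time zone (for example the TZ environment variable) and the apparent client location, and to diff the network activity between runs. The point the model makes is the one the comment makes: a single clean preview from the owner's own desk proves nothing about what other viewers get.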

  8. Re:crashes: probably exploitable by Kelson · · Score: 2, Interesting

    I've actually found Flash to be less stable lately. It's not uncommon for a couple of Flash ads to start chewing up all my CPU until I have a chance to close the tab.

    I'm seriously considering backing down to Flash 7, despite the horrible audio sync problems with the Linux version.

  9. I've had something similar with nedstat ... by freaker_TuC · · Score: 2, Interesting

    I've been using their "free" basic service for years; it was always their small little 16x16/32x32 icon; not really intrusive.

    Then suddenly my pages using their stats service had a nasty pop-under. I've seen this at other sites too and found out the "new" advertisement ways after a few weeks when I started getting bothered seeing the same pop-unders over and over while I wasn't even on any other sites.

    These pop-unders were all activated under Firefox, and it's clearly in their TOS that they can advertise on websites; only, what I had on my website was anything except "good" for my site: the pop-under involved pornography because of a reference to some articles about STDs a couple of years ago. It made me sick to always get that XXX commercial on my own website, and I got rid of Nedstat ever since.

    webalizer for the win! Less eye candy but still enough stats to chew on without all the nastiness...

    --
    --- I am known for the ones who want to find me on the net. Is that a privacy risk or a privilege? One might wonder..

  10. Re:probably NoScript by TheSeer2 · · Score: 2, Interesting

    NoScript blocks certain activities by default without any option of re-enabling them. I used to use NoScript but after it interfered with a website I used regularly (this was on my NoScript allow list) I had to abandon it.

  11. Brilliant by zCyl · · Score: 4, Interesting

    OK, I'm not a web developer so I wouldn't know, but is there any way to force your advertisers (malicious or otherwise) to not use JavaScript/Flash/whatever? Since it's essentially running code we don't trust on the client's computer...

    Essentially, do the NoScript thing on your own servers, or host ads (I assume they're mostly just pictures with links) on your own servers somehow.

    That's the most brilliant idea I've seen in this entire thread so far. We need a <noscript>, or perhaps a <sandbox></sandbox> tag which allows us to specify what can be done inside of a frame, embedded object, or anything else linked to from a remote site.

    That would make a huge difference.

  12. Re:Gaping holes? by dkf · · Score: 4, Interesting

    Taco changed the code; I'm guessing to disallow the stupid tags that got put on almost every story, like those you mentioned. Maybe to greylist those who kept tagging that way, too.
    I think there's a list of tags that are permitted (blacklisting tags would be easier to route around by finding alternate things that mean the same thing) but as far as I can see, there's no downside to using a non-blessed tag; it just gets dropped on the floor.

    I think it's a shame though; the old tagging system added a good bit of fun to the site, and the "joke" tags were sometimes very appropriate indeed. The new system is just boring crap that reproduces what is already in there from the article categories or a simple search of the part of the story on the front page; a search engine could do those tags, or even plain old grep, and so they add nothing of value. The old system was better because it provided a snapshot of what people thought about the story, despite being much more open to abuse.

    Bring back the open tags! Please!
    --
    "Little does he know, but there is no 'I' in 'Idiot'!"

  13. Re:Didn't learn lesson from javascript by foniksonik · · Score: 2, Interesting

    When the browsers provide support for seamless SVG that gets pushed data from a socket connection, I'll stop using Flash. When browsers provide seamless client-side data validation and inline error prompting for forms, I'll stop using JavaScript.

    Any web page that can't benefit from the above uses of the technology probably isn't all that much more informative than an email would be.

    Static information is useful but stateless information is becoming useless. This is interactive media... not a book that you can access over a phone line. Keeping state on the server is too slow... it's great for long term session storage but very bad for user-time interaction.

    --
    A fool throws a stone into a well and a thousand sages can not remove it.

  14. Re:Victim Statistics? by Anonymous Coward · · Score: 1, Interesting

    These kinds of holes are way too sophisticated for your local script kiddie to exploit. The real use for these kinds of holes is in industrial espionage scenarios - consider Evil Inc., which wants to get a $50 million contract at all costs - they can be persuaded to pay someone of Zalewski's calibre something like $500K to unleash such an exploit on the CEO of Competitor LLC, who is also bidding for the same contract. Such an exploit can potentially allow the attacker to grab confidential files from the CEO's workstation or even their document management system.