Slashdot Mirror
Gaping Holes In Fully Patched IE7, Firefox 2
Continent1106 writes "Hacker Michal Zalewski has ratcheted up his ongoing assault on Web browser security models, releasing details on serious flaws in fully patched versions of IE6, IE7 and Firefox 2.0. The vulnerabilities could cause cookie stealing, page hijacking, memory corruption, code execution, and URL bar spoofing attacks." Here is Zalewski's post to Full Disclosure.
Naw, Opera just randomly crashes and then has a default behavior of restarting the site that causes it to randomly crash.
Please, for the good of Humanity, vote Obama.
Wow, I'm so glad I installed Firefox so I'm immune to all of these IE bugs!
Oh, wait, what did that say?
-AC
Perhaps I'm ignorant, but does anyone ever find themselves a victim of these "gaping holes"? I can't say as I've ever browsed on to a site and found myself the victim of a compromised computer or ended up with viruses. Is there a site/blog that reports such statistics?
Article tagged as goatse.
And if Ubuntu was really concerned about security they would ship it by default with a web browser already set up under a separate username with strict selinux policies.
Well there's always Opera?
I use Lynx, you insolent clod! Get off my lawn!
I am using the latest Firefox 1.5. I went to the demo page : http://lcamtuf.coredump.cx/ifsnatch/ . The first test shows that it is possible to rewrite the content of an iframe. That is rather dangerous in situations involving trusted messages.
The 2nd demo was supposed to snoop on the keyboad, but it invoked a pop-up, which was immediately blocked by the pop-up blocker. So unconfimed as far as I know. However, the demo page did open a CNN.com page.
Anyone has better "luck" to demo the keyboard snooping?
Fantasy: http://ferrisfantasy.blogspot.com/
cookie STEALING, page HIJACKING, memory CORRUPTION, code EXECUTION, and URL bar spoofing ATTACKS.
So where the fuck is home land security when you need them.
Keeps all of that Firefox JavaScript nastiness at bay, plus flash ads to boot. :)
No holes for elinks? Oh well...
(sits back in corner with large grin on face)
http://impoll.net/cgi-bin/v.cgi?p=1585&r=1
following could cause cookie stealing, page hijacking, memory corruption, code execution or URL bar spoofing attacks !!
Mongrel News all the news that fits and froths
Hacker hijacks web server of popular site, but instead of simply defacing the front page the slip in a little bit of code to release a botnet installer or adware installer based on this type of vulnerability. It happens all the time.
There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
No holes for Lynx? Oh well...
(sits back with biggest grin on face)
I had Opera crashing on me on, say, 50-60 times in the past 5 years i've been using it (back from version 6). Of those, 60% were issues with that piece of shit Flash plugin for Linux, and even that got much better. Opera crashed? No problem, just hit "resume" when you restart.
Opera is as stable as FF (and way more stable than IE) with a fraction of the system requirements - and faster than both. Try an up to date version, you'll be surprised.
Anyone want to wager on who has this hole fixed first, IE or Firefox?
1) If Article Posted about IE security bugs
- Regular mudfest, everyone throwing mud on Microsoft
& IE. Everyone saying I have FF/Linux/Safari whatever,
so I am safe. Nobody talks about changing settings,
disabling javascript or Activex as a good workaround.
2) If Article Posted about FF security bugs
- Lot of workarounds posted - disable Javascript,
get some plugin, change some settings, don't go to
the website etc. How great that the it is open source,
someone will fix the bug in one hour & release patch.
Bugs are avenues to show how great open source is.
Now both are posted together, let's collate responses
at the end of the day
More than likely, Opera restarts with the site before the one that caused the crash.
Unfortunately for Opera, most sites are written according to IE's buggy standards. While Opera does try to accomodate the poor HTML written by web programmers who think the Internet is viewed only through IE-colored glasses, sometimes it is difficult to accomodate to flagrant stupidily that is IE's rendering engine.
You're a rare weirdo. Much of the web won't work without scripting, or at least won't work well.
You're missing out on the nicer wiki/blog editors, live updates to the price of a computer purchase as you add/remove components, tolerable web mail interfaces, and (if your CPU is fast) the experimental slashdot interface.
Those are just the nerd things. I'm told there are numerous non-nerd things on the web as well, with far more scripting.
Comment removed based on user account deletion
Thor Larholm also announced a Firefox hole today. Wasn't completely patched in the last release.
.. paranoid crackpot leftover from the days of Amiga.
It's called a Man-in-the-middle attack. Say you go to google.ca (I'm Canadian) It goes something like this:
t ack
You> Yo DNS server, I wanna Talk to google.
DNS> Roger that! Go to 72.14.253.103.
You> Yo 72.14.253.103 Whacha got?
72.14.253.103>Index.html
You> Looks like Index.html says I need the google picture.
Eve (Eve is sitting at the same coffee shop as you. Eve is bad)> Ahem, err, sir, I have this envelope for you. It's from google. It contains your picture. *Sniker*. (You don't notice the snicker)
You> OH N0E$! TH3 P1CtUr3 us3d a buff3r ov3rflow vuln3rab1lity and n0w you have a virus that mak3s you typ3 lik3 a n00b!
For more information look here: http://en.wikipedia.org/wiki/Man_in_the_middle_at
Copyright 2010. All rights reserved. This comment may not be copied in any way including, but not limited to caching.
There, fixed that for you.
On my experience, most of the crashes are plugin related. I was conservative with the (pulled off my ass :) 60% figure - Flash, until recent versions, was a guaranteed way of hanging your browser. I had some memory leaks back with version 7, which were promptly fixed in an update, and a crash when you opened and closed tabs in a certain way, which was also fixed quickly.
Other than that, i can't honestly recall major problems with Opera. Not that i had a lot of issues with Firefox either (outside Flash, that is), but it does run much faster and with less memory requirements.
Ive renamed Firefox "CrashZilla", it would be nice to browse the web for more than 1 hour without it freezing up or crashing. Yes I have the latest version and all the latest plugins. I have no issues with Konqueror on KDE 3.5.7 (using the same plugins) and Firefox 1.5.* ran for days without crashes.
Sorry, posting to undo an accidental negative moderation.
I run a few perfectly un-shady sites (an imageboard, a specialized search engine, and a funny images repository), but recently some users started complaining about the popups that were trying to install spyware.
I don't have any popups on my sites! (I don't even use target="_new"!) but still users were getting spyware popups. The popups were so evil that the only way to avoid getting redirected to the spyware site was to disable javascript (Even in firefox. in IE it just installed the spyware automatically, but firefox at least you had to click "download". Still, it made my site unusable)
I went into my advertisers control panel, checked for anything remotely shady. Nothing. I tried turning off all third party advertisers (like doubleclick), figuring maybe one of them was redirecting users. Nope, some users still got popups. Worst of all, I NEVER got the popup, no matter what browser I was using.
It turns out it's cause I'm an American. The advertiser had specified that the advert with the embedded redirect only show up in every country except America. That stopped me from seeing it on the site, but what about the control panel? I could see all the ads there, even the ones not targeted at my location. Here's what they did in actionscript: (pseudocode)
So even when I checked the ads in the control panel they looked fine.
My point is, don't think there's a scary corner of the internet where all the spyware/exploits hang out. The bastards making this crap know that most people don't go to those kinds of places, so they'll do anything they can to sneak their crap onto legitimate sites. (MySpace got hit with one of these a few months back, I think)
I respond to your sigs
You young whippersnappers and your fancy shell doo-dads. In my day, we had to lick a live 10Base5 cable to browse gopher and that's the way we liked it!
- None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
It's a bit simplistic to assume that $browser will always keep you safe. On the other hand, it's important to remember that there are many alternatives available. The good thing about this is that each engine has its own vulnerabilities, so for the same malware to target Firefox, IE, Opera and Safari, it would have to target four different exploits. At least with intended behavior of HTML/DOM/CSS, Gecko, Trident, etc. are (ostensibly) aiming at the same target.
Ever notice that the only vulnerabilities which are really cross-browser tend to be misuse of functionality (like the Unicode domain spoofing attacks a few years back), rather than exploits of bugs?
I've actually found Flash to be less stable lately. It's not uncommon for a couple of Flash ads to start chewing up all my CPU until I have a chance to close the tab.
I'm seriously considering backing down to Flash 7, despite the horrible audio sync problems with the Linux version.
ok, i'm not a web developer so i wouldn't know, but is there any way to force your advertisers (malicious or otherwise) to not use javascript/flash/whatever? since it's essentially running code we don't trust on the client's computer...
essentially, do the noscript thing on your own servers, or host ads (i assume they're mostly just pictures with links) on your own servers somehow.
the privacy of one's mind is important.
you do have something to hide.
Are you serious? Have you looked at that icon? There's a huge hole right in the middle, and no one seems to acknowledge it!
I've been using their "free" basic service for years; it was always their small little 16x16/32x32 icon; not really intrusive.
Then suddenly my pages using their stats service had a nasty pop-under. I've seen this at other sites too and found out the "new" advertisement ways after a few weeks when I started getting bothered seeing the same pop-unders over and over while I wasn't even on any other sites.
These pop-unders were all activated under Firefox and it's clearly in their TOS they can advertise on websites; only; which I had on my website was all except "good" for my site; the pop-under involved pornography because of a reference to some articles about STD's a couple of years ago. It made me sick to always get that XXX-commercial on my own website and got rid of Nedstat ever since.
webalizer for the win! less eye candy but still enough stats to chew on without all the nastyness...
--- I am known for the ones who want to find me on the net. Is that a privacy risk or a privilege? One might wonder..
That's the most brilliant idea I've seen in this entire thread so far. We need a <noscript>, or perhaps a <sandbox></sandbox> tag which allows us to specify what can be done inside of a frame, embedded object, or anything else linked to from a remote site.
That would make a huge difference.
I run Microsoft Windows 95 unpatched, so I am safe. No-one targets this old piece of crap anymore!
== Jez ==
Do you miss Firefox? Try Pale Moon.
homeland security is a fairy tale.
Reduce, reuse, cycle
Here at work we use IE6 on XP SP2 workstations and not a single one of those vulnerabilities affects us.
Why? Because we don't let IE run scripts of any kind unless it's from a site we trust. IE has had security zones for years yet hardly anyone uses them. A single group policy object enforces our list of trusted sites, nobody's computer can run javascript on any site we've not already decided is safe.
Ok, there's a small risk of someone hacking one of our trusted sites, but I can live with that.
So far we've had 2 years of uninterrupted browsing, with nobody at our company getting a single piece of malware on their machine.
And the best bit: It's surprisingly low maintenance. We get maybe one request a month now to add a new site to the list.
-
Brendan Eich, the father of JavaScript, proposes a <JAIL> tag to block scripting (PDF slides warning)
-
RSnake's take on content restrictions proposals.
And for users? good ole NoScriptThere's a browser safer than Firefox, it is Firefox, with NoScript
For how much Slashdotters rip apart the DRM industry, which spends millions upon millions only to have their key's hacked in a day, we sure do expect a lot from our browsers.
The hard thing about NoScript is when a page totally fails to load anything useful and you have to decide to allow one or more of three scripts each from different domain. Often it is easy, you're on yahoo so you allow yahoo. Sometimes it is far from obvious. To get some yahoo pages to work you have to allow yming.com to run scripts, and you have to pick that one from a list including several cryptically named advertiser sites. I don't mind this extra step, and with the current web model I don't see another way around it, but I hardly expect Joe Casual Surfer to even know what a script is.
-- QED