Slashdot Mirror

← Back to Stories (view on slashdot.org)

Gaping Holes In Fully Patched IE7, Firefox 2

Posted by kdawson on from the just-when-you-thought-it-was-safe dept.

Continent1106 writes "Hacker Michal Zalewski has ratcheted up his ongoing assault on Web browser security models, releasing details on serious flaws in fully patched versions of IE6, IE7 and Firefox 2.0. The vulnerabilities could cause cookie stealing, page hijacking, memory corruption, code execution, and URL bar spoofing attacks." Here is Zalewski's post to Full Disclosure.

38 of 303 comments (clear)

  1. Ah well by GFree · · Score: 5, Informative

    Gaping Holes In Fully Patched IE7, Firefox 2
    In other words, it doesn't matter which browser you use, you're gonna get F'd in the A regardless? Sounds painful.
    1. Re:Ah well by rts008 · · Score: 5, Informative

      RTFA...Try the demo's...It will reduce the FUD.

      I tried the demo page/file and got no response whatever.

      "2) Title : Firefox Cross-site IFRAME hijacking (MAJOR)
            Impact : keyboard snooping, content spoofing, etc
            Demo : http://lcamtuf.coredump.cx/ifsnatch/
            Bugzilla : https://bugzilla.mozilla.org/show_bug.cgi?id=38268 6 [May 30]"
      from:(http://lcamtuf.coredump.cx/ifsnatch/) which is from:2) Title : Firefox Cross-site IFRAME hijacking (MAJOR)
            Impact : keyboard snooping, content spoofing, etc
            Demo : http://lcamtuf.coredump.cx/ifsnatch/
            Bugzilla : https://bugzilla.mozilla.org/show_bug.cgi?id=38268 6 [May 30]"

      and this:"3) Title : Firefox file prompt delay bypass (MEDIUM)
            Impact : non-consentual download or execution of files
            Demo : http://lcamtuf.coredump.cx/ffclick2/
            Bugzilla : https://bugzilla.mozilla.org/show_bug.cgi?id=37647 3 [Apr 04]"

      I tried both link's test button and got no response whatever.

      IMHO, this must be something related to running Windows, as my Kubuntu 7.04 Feisty w/ Firefox 2.0.04 (with NoScript, Adblock, Adblock Filterset, and Flashblock) just does not act on this.

      I guess I need to install some version of Windows to experience this...I feel deprived and left out!

      Does this work with Firefox w/ NoScript on Windows?

      From past experience, I have no doubts that it works with any version of IE on any Windows platform.

      --
      Down With Slashdot BETA!!! I've been around the corner and seen the oliphant; you can only abuse me from your perspecti
    2. Re:Ah well by Sizzlebeast · · Score: 3, Informative

      Firefox 2.0.0.4 w/ NoScript and it won't work on windows either. I guess i have to allow it...not gonna happen :) I guess I'm safe

    3. Re:Ah well by egr · · Score: 3, Interesting

      first two works on my Fedora 7 (Firefox 2.0.0.4 without NoScript), NoScript is not a part of Firefox so I think it should be really tested without it, however the last one didn't work, instead it asked me to download html page with download manager

    4. Re:Ah well by Kelson · · Score: 5, Funny

      I use wget.

      You have not truly experienced the web until you have experienced it using telnet to port 80.

    5. Re:Ah well by jez9999 · · Score: 4, Funny

      I might be able to sneak Firefox in on her with some creative registry hacks, and some install/configure obfustications. We'll see.

      I'm glad to see the art of practicing trust in marriage is alive and well!

      --
      == Jez ==
      Do you miss Firefox? Try Pale Moon.
    6. Re:Ah well by MrSenile · · Score: 3, Funny

      New to marrage, are we? :)

  2. Re:And Opera by WilliamSChips · · Score: 4, Funny

    Naw, Opera just randomly crashes and then has a default behavior of restarting the site that causes it to randomly crash.

    --
    Please, for the good of Humanity, vote Obama.
  3. Woot! by Anonymous Coward · · Score: 4, Funny

    Wow, I'm so glad I installed Firefox so I'm immune to all of these IE bugs!

    Oh, wait, what did that say?

    -AC

    1. Re:Woot! by Mark_in_Brazil · · Score: 4, Funny

      Wow, I'm so glad I installed Firefox so I'm immune to all of these IE bugs!

      Oh, wait, what did that say?
      It said the only critical flaw in the bunch is in MSIE 6 only.

      This has been another edition of Easy Answers to Stupid Astroturfer Questions.
      --
      "It is nice to know that the computer understands the problem. But I would like to understand it too." --Eugene Wigner
  4. Victim Statistics? by Anonymous Coward · · Score: 5, Insightful

    Perhaps I'm ignorant, but does anyone ever find themselves a victim of these "gaping holes"? I can't say as I've ever browsed on to a site and found myself the victim of a compromised computer or ended up with viruses. Is there a site/blog that reports such statistics?

  5. Gaping holes? by Paktu · · Score: 5, Funny

    Article tagged as goatse.

    1. Re:Gaping holes? by evanbd · · Score: 3, Interesting

      Is it just me, or are the more humorous / inane tags showing up less? "duh" "haha" "itsatrap" and friends. Is this because the slashdot editors changed something, or because people are using them less?

    2. Re:Gaping holes? by dkf · · Score: 4, Interesting

      Taco changed the code; I'm guessing to disallow the stupid tags that got put on almost every story, like those you mentioned. Maybe to greylist those who kept tagging that way, too.
      I think there's a list of tags that are permitted (blacklisting tags would be easier to route around by finding alternate things that mean the same thing) but as far as I can see, there's no downside to using a non-blessed tag; it just gets dropped on the floor.

      I think it's a shame though; the old tagging system added a good bit of fun to the site, and the "joke" tags were sometimes very appropriate indeed. The new system is just boring crap that reproduces what is already in there from the article categories or a simple search of the part of the story on the front page; a search engine could do those tags, or even plain old grep, and so they add nothing of value. The old system was better because it provided a snapshot of what people thought about the story, despite being much more open to abuse.

      Bring back the open tags! Please!
      --
      "Little does he know, but there is no 'I' in 'Idiot'!"
  6. Didn't learn lesson from javascript by mrcaseyj · · Score: 5, Insightful
    They said they could make javascript secure but it's still a huge source of holes. Instead of learning our lesson, Flash, another executable web format is taking over. Don't use flash because it's cool. Only use it if you really need it for your web page.


    And if Ubuntu was really concerned about security they would ship it by default with a web browser already set up under a separate username with strict selinux policies.

  7. alternatives by sudo · · Score: 5, Insightful

    Well there's always Opera?

  8. One of the demos on Firefox doesn't work by ericferris · · Score: 4, Informative

    I am using the latest Firefox 1.5. I went to the demo page : http://lcamtuf.coredump.cx/ifsnatch/ . The first test shows that it is possible to rewrite the content of an iframe. That is rather dangerous in situations involving trusted messages.

    The 2nd demo was supposed to snoop on the keyboad, but it invoked a pop-up, which was immediately blocked by the pop-up blocker. So unconfimed as far as I know. However, the demo page did open a CNN.com page.

    Anyone has better "luck" to demo the keyboard snooping?

    --
    Fantasy: http://ferrisfantasy.blogspot.com/
  9. Sounds like Terrorist to me. by 3seas · · Score: 5, Funny

    cookie STEALING, page HIJACKING, memory CORRUPTION, code EXECUTION, and URL bar spoofing ATTACKS.

    So where the fuck is home land security when you need them.

    1. Re:Sounds like Terrorist to me. by Anonymous Coward · · Score: 5, Funny

      what's so terrible about urls?

  10. Go old NoScript by Nutsquasher · · Score: 5, Insightful

    Keeps all of that Firefox JavaScript nastiness at bay, plus flash ads to boot. :)

    1. Re:Go old NoScript by MLease · · Score: 3, Insightful

      When I want to allow flash or a script to run, it's easy enough to do. The point of NoScript is that nothing runs without my explicit consent, just because I happened to visit a website. If I allow something malicious to run, it's my own fault.

      -Mike

      --
      I'm sorry; I don't know what I was thinking!
    2. Re:Go old NoScript by tomhudson · · Score: 4, Funny

      "When are people going to wake-up to this bullshit? "Web apps" give you all the performance of regular apps running on an old 286, with half the features. Wow!"

      Hey, I'm running this on a 286, you insensitive clod!

  11. read b4 clicking, warning , danger ! by weighn · · Score: 4, Funny
    http://impoll.net/cgi-bin/v.cgi?p=1585&r=0
    http://impoll.net/cgi-bin/v.cgi?p=1585&r=1

    following could cause cookie stealing, page hijacking, memory corruption, code execution or URL bar spoofing attacks !!

    --
    Mongrel News all the news that fits and froths
  12. AND LYNX! by Anonymous Coward · · Score: 5, Funny

    No holes for Lynx? Oh well...
    (sits back with biggest grin on face)

  13. Re:And Opera by Lisandro · · Score: 4, Interesting

    I had Opera crashing on me on, say, 50-60 times in the past 5 years i've been using it (back from version 6). Of those, 60% were issues with that piece of shit Flash plugin for Linux, and even that got much better. Opera crashed? No problem, just hit "resume" when you restart.

    Opera is as stable as FF (and way more stable than IE) with a fraction of the system requirements - and faster than both. Try an up to date version, you'll be surprised.

  14. Slashdot responses by Frankie70 · · Score: 5, Insightful

    1) If Article Posted about IE security bugs
        - Regular mudfest, everyone throwing mud on Microsoft
    & IE. Everyone saying I have FF/Linux/Safari whatever,
    so I am safe. Nobody talks about changing settings,
    disabling javascript or Activex as a good workaround.

    2) If Article Posted about FF security bugs
        - Lot of workarounds posted - disable Javascript,
    get some plugin, change some settings, don't go to
    the website etc. How great that the it is open source,
    someone will fix the bug in one hour & release patch.
    Bugs are avenues to show how great open source is.

    Now both are posted together, let's collate responses
    at the end of the day

  15. probably NoScript by r00t · · Score: 3, Insightful

    You're a rare weirdo. Much of the web won't work without scripting, or at least won't work well.

    You're missing out on the nicer wiki/blog editors, live updates to the price of a computer purchase as you add/remove components, tolerable web mail interfaces, and (if your CPU is fast) the experimental slashdot interface.

    Those are just the nerd things. I'm told there are numerous non-nerd things on the web as well, with far more scripting.

    1. Re:probably NoScript by Barny · · Score: 3, Informative

      Yup, noscript doesn't let such nasties run, unless you give them permission, which seems to be half the problem for most internet users.

      As for the person saying noscript is hard to use, its usually a matter of just clicking the script item (like a youtube vid that is being blocked) and it allows it to run temporarily, should be built in standard imho.

      Combine it with a nice ad server blocker (kerio personal firewall for instance) and the web just suddenly starts working as it was meant to :)

      --
      ...
      /me sighs
  16. Comment removed by account_deleted · · Score: 4, Informative

    Comment removed based on user account deletion

  17. Another Firefox vulnerability posted today by whitehatlurker · · Score: 3, Informative

    Thor Larholm also announced a Firefox hole today. Wasn't completely patched in the last release.

    --
    .. paranoid crackpot leftover from the days of Amiga.
  18. Re:But in order to be affected... by snowraver1 · · Score: 5, Informative

    It's called a Man-in-the-middle attack. Say you go to google.ca (I'm Canadian) It goes something like this:

    You> Yo DNS server, I wanna Talk to google.

    DNS> Roger that! Go to 72.14.253.103.

    You> Yo 72.14.253.103 Whacha got?

    72.14.253.103>Index.html

    You> Looks like Index.html says I need the google picture.

    Eve (Eve is sitting at the same coffee shop as you. Eve is bad)> Ahem, err, sir, I have this envelope for you. It's from google. It contains your picture. *Sniker*. (You don't notice the snicker)

    You> OH N0E$! TH3 P1CtUr3 us3d a buff3r ov3rflow vuln3rab1lity and n0w you have a virus that mak3s you typ3 lik3 a n00b!

    For more information look here: http://en.wikipedia.org/wiki/Man_in_the_middle_att ack

    --
    Copyright 2010. All rights reserved. This comment may not be copied in any way including, but not limited to caching.
  19. Are you sure? by kybred · · Score: 5, Insightful
    I can't say as I've ever browsed on to a site and found myself the victim of a compromised computer or ended up with viruses that I know of.

    There, fixed that for you.

  20. Re:crashes: probably exploitable by Lisandro · · Score: 3, Interesting

    On my experience, most of the crashes are plugin related. I was conservative with the (pulled off my ass :) 60% figure - Flash, until recent versions, was a guaranteed way of hanging your browser. I had some memory leaks back with version 7, which were promptly fixed in an update, and a crash when you opened and closed tabs in a certain way, which was also fixed quickly.

    Other than that, i can't honestly recall major problems with Opera. Not that i had a lot of issues with Firefox either (outside Flash, that is), but it does run much faster and with less memory requirements.

  21. Re:But in order to be affected... by Bob+of+Dole · · Score: 5, Interesting
    Don't be so sure that avoiding "shady" sites will protect you.
    I run a few perfectly un-shady sites (an imageboard, a specialized search engine, and a funny images repository), but recently some users started complaining about the popups that were trying to install spyware.
    I don't have any popups on my sites! (I don't even use target="_new"!) but still users were getting spyware popups. The popups were so evil that the only way to avoid getting redirected to the spyware site was to disable javascript (Even in firefox. in IE it just installed the spyware automatically, but firefox at least you had to click "download". Still, it made my site unusable)

    I went into my advertisers control panel, checked for anything remotely shady. Nothing. I tried turning off all third party advertisers (like doubleclick), figuring maybe one of them was redirecting users. Nope, some users still got popups. Worst of all, I NEVER got the popup, no matter what browser I was using.

    It turns out it's cause I'm an American. The advertiser had specified that the advert with the embedded redirect only show up in every country except America. That stopped me from seeing it on the site, but what about the control panel? I could see all the ads there, even the ones not targeted at my location. Here's what they did in actionscript: (pseudocode)

    if getTimeZone() in EUROPE_TIMEZONES:
        redirectToSpyware()
    else:
        displayHarmlessAdvert()

    So even when I checked the ads in the control panel they looked fine.

    My point is, don't think there's a scary corner of the internet where all the spyware/exploits hang out. The bastards making this crap know that most people don't go to those kinds of places, so they'll do anything they can to sneak their crap onto legitimate sites. (MySpace got hit with one of these a few months back, I think)
    --
    I respond to your sigs
  22. Re:But in order to be affected... by beyondkaoru · · Score: 5, Insightful

    ok, i'm not a web developer so i wouldn't know, but is there any way to force your advertisers (malicious or otherwise) to not use javascript/flash/whatever? since it's essentially running code we don't trust on the client's computer...

    essentially, do the noscript thing on your own servers, or host ads (i assume they're mostly just pictures with links) on your own servers somehow.

    --
    the privacy of one's mind is important.
    you do have something to hide.
  23. No holes? by Kelson · · Score: 5, Funny

    No holes for Opera?

    Are you serious? Have you looked at that icon? There's a huge hole right in the middle, and no one seems to acknowledge it!

  24. Brilliant by zCyl · · Score: 4, Interesting

    ok, i'm not a web developer so i wouldn't know, but is there any way to force your advertisers (malicious or otherwise) to not use javascript/flash/whatever? since it's essentially running code we don't trust on the client's computer...

    essentially, do the noscript thing on your own servers, or host ads (i assume they're mostly just pictures with links) on your own servers somehow.

    That's the most brilliant idea I've seen in this entire thread so far. We need a <noscript>, or perhaps a <sandbox></sandbox> tag which allows us to specify what can be done inside of a frame, embedded object, or anything else linked to from a remote site.

    That would make a huge difference.
  25. Doesn't seem to bother us by myxiplx · · Score: 3, Insightful

    Here at work we use IE6 on XP SP2 workstations and not a single one of those vulnerabilities affects us.

    Why? Because we don't let IE run scripts of any kind unless it's from a site we trust. IE has had security zones for years yet hardly anyone uses them. A single group policy object enforces our list of trusted sites, nobody's computer can run javascript on any site we've not already decided is safe.

    Ok, there's a small risk of someone hacking one of our trusted sites, but I can live with that.

    So far we've had 2 years of uninterrupted browsing, with nobody at our company getting a single piece of malware on their machine.

    And the best bit: It's surprisingly low maintenance. We get maybe one request a month now to add a new site to the list.