Slashdot Mirror


Mozilla First To Patch Pwn2Own Browser Vulnerability

Constantine the Less writes "Mozilla has released Firefox 3.0.8 to fix a pair of code execution holes that put users of the browser at risk of drive-by download attacks. It includes a fix for one of the flaws exploited during this year's CanSecWest Pwn2Own hacker contest. The update also fixes a separate zero-day flaw disclosed earlier this week on a public exploit site. Both issues are rated 'critical,' Mozilla's highest severity rating."

2 of 141 comments

  1. Seen how insecure web browsers are... by Anonymous Coward · Score: 4, Interesting

    Seen how insecure web browsers are, what would be a good way to surf under Linux?

    I have an account that I use only for GMail and my bank's website (the latter using a physical device answering a cryptographic challenge, so nobody is abusing that [when wiring money to a new account number, the account number of the recipient itself is part of the cryptographic challenge; there's no MITM, no nothing that can work against that]).

    Then I have an account only for browsing. The user owning this account on my machine has user ID 1007.

    This user is not even allowed to connect to localhost. I don't want to know. All he can do is surf the web, using iptables like this:

    iptables -I OUTPUT -m owner --uid-owner 1007 -j REJECT
    iptables -I OUTPUT -m owner --uid-owner 1007 -p tcp --dport 80 -j ACCEPT
    iptables -I OUTPUT -m owner --uid-owner 1007 -p tcp --dport 443 -j ACCEPT
    iptables -I OUTPUT -m owner --uid-owner 1007 -p udp --dport 53 -j ACCEPT

    Are there other simple things I could do to deal with the security hazard that these browsers are?

    Things I could do about this user's home directory permissions? Disable his SSH? etc.

    Basically I think I'd like to have an account that can "do nothing but run Firefox".

    Or is there an easy, lightweight (lightweight as in "I don't necessarily want to virtualize a full OS just to run a browser") way to sandbox a browser?

    In other words, I consider the "security" of all the browsers to be a bad joke and I regard running a browser basically the same as executing "omgWindozeServer2012Crack.exe" on my machine and I'd like any hint from people who are surfing in a "safer" way.
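An added example, not part of the comment above: it takes a constructed copy of what `iptables -S OUTPUT` prints after those four `-I` commands and walks the chain first-match, the way netfilter does, so the effective policy for UID 1007 can be checked offline. It also shows why the `-I` ordering matters: the same four lines entered with `-A` put the blanket REJECT first and block everything.

```python
import shlex

# Constructed sample of `iptables -S OUTPUT` after the four `-I` commands from the
# comment. Each `-I` inserts at the top, so the rules appear in reverse order of
# entry and the blanket REJECT for uid 1007 ends up last.
SAVED_OUTPUT_CHAIN = """\
-P OUTPUT ACCEPT
-A OUTPUT -p udp -m owner --uid-owner 1007 -m udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m owner --uid-owner 1007 -m tcp --dport 443 -j ACCEPT
-A OUTPUT -p tcp -m owner --uid-owner 1007 -m tcp --dport 80 -j ACCEPT
-A OUTPUT -m owner --uid-owner 1007 -j REJECT --reject-with icmp-port-unreachable
"""

def parse_rules(saved):
    """Turn `iptables -S` lines into (chain policy, list of rule dicts)."""
    policy, rules = "ACCEPT", []
    for line in saved.splitlines():
        tok = shlex.split(line)
        if not tok:
            continue
        if tok[0] == "-P":          # "-P OUTPUT ACCEPT": the chain's default
            policy = tok[2]
            continue
        rule = {"uid": None, "proto": None, "dport": None, "target": None}
        for i, t in enumerate(tok):
            if t == "--uid-owner": rule["uid"] = int(tok[i + 1])
            elif t == "-p":        rule["proto"] = tok[i + 1]
            elif t == "--dport":   rule["dport"] = int(tok[i + 1])
            elif t == "-j":        rule["target"] = tok[i + 1]
        rules.append(rule)
    return policy, rules

def verdict(saved, uid, proto, dport):
    """First matching rule wins; an unmatched packet gets the chain policy."""
    policy, rules = parse_rules(saved)
    for r in rules:
        if r["uid"] is not None and r["uid"] != uid: continue
        if r["proto"] is not None and r["proto"] != proto: continue
        if r["dport"] is not None and r["dport"] != dport: continue
        return r["target"]
    return policy

def as_appended(saved):
    """The same rules entered with -A instead of -I: REJECT comes first."""
    lines = saved.splitlines()
    head = [l for l in lines if l.startswith("-P")]
    body = [l for l in lines if l.startswith("-A")]
    return "\n".join(head + body[::-1]) + "\n"
```

Running `verdict(SAVED_OUTPUT_CHAIN, 1007, "tcp", 22)` returns REJECT while another UID gets the ACCEPT policy, and `verdict(as_appended(SAVED_OUTPUT_CHAIN), 1007, "tcp", 80)` returns REJECT, the symptom of the `-A` mistake.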

    1. Re:Seen how insecure web browsers are... by siride · Score: 5, Interesting

      You could try not freaking the fuck out about browser security, unless you plan on visiting Russian spam sites and whatnot. I use Firefox on Linux and I've never had an issue. I use Flashblock, Adblock and occasionally Noscript. Just exercise reasonable caution and you should be fine. Heck, even under Windows I never got viruses or spyware, and I used IE!