New Firefox Vulnerability Revealed

Not long after Firefox 3.5.1 was released to address a security issue, a new exploit has been found and a proof of concept has been posted. "The vulnerability is a remote stack-based buffer-overflow, triggered by sending an overly long string of Unicode data to the document.write method. If exploited, the resulting overflow could lead to code execution, or if the exploit attempts fail, a denial-of-service scenario." It's recommended that Firefox users disable Javascript until the issue is patched, though add-ons like NoScript should do the trick as well (unless a site on your whitelist becomes compromised).

Update: 07/20 00:09 GMT by KD : An anonymous reader informs us that the Mozilla security blog is indicating that this vulnerability is not exploitable; denial of service is as bad as it gets.

Unbounded

[Mikkeles]

So who's the moron using unbounded buffers?

Re:Unbounded

[nathan.fulton]

Well, seeing as the bug was found in the Just-in-Time compiler (first link), probably someone who is concerned that the section of the code that they are working on will become a bottle neck, or someone that has to do special stuff that requires unbounded buffers.

Re:Unbounded

What are six words you never, ever want to hear?

Hai, I be yo new neighbuh!

Re:Unbounded

[maxume]

This is another, different bug than the one talked about in the first link. None of the other links specify whether this second bug is from the JIT or not.

Re:Unbounded

[BZ]

Good question. I don't see any unbounded buffer use here. Do you?

Re:Unbounded

[EsbenMoseHansen]

What are six words you never, ever want to hear?

"I have a headache tonight, dear"

Re:Unbounded

[Torodung]

I am shocked, shocked, to find unbounded buffer use in this open-source application.

--
Toro

Re:Unbounded

[sjames]

Nothing requires unbounded buffers! Nothing at all. There are places where they're faster (right up until the whole thing goes down in flames or worse). At most, some things require segmented buffers that might have to be gathered later once the final size is known. Or you can just allocate a really large buffer and if it goes over that return "error: whoever said this could be arbitrarily large was wrong".

Of course, in this case it's the document.write method which has no excuse for not knowing the size in advance.

Re:Unbounded

[BZ]

Again, do you actually see any?

Re:Unbounded

[Torodung]

Again? That was my first reply, and it's a joke referencing Casablanca. I can format it the other way, if you like:
 

I am shocked, shocked, to find half-baked misinformation on this Slashdot web-forum.

Your reply is a meme syntax error: Response Out Of Range: !Sense of Humor ;^)

--
Toro

Re:Unbounded

"I'm gonna fuck you anyway, bitch."

Re:Unbounded

[FatdogHaiku]

Ladies and Gentleman, President Jeb Bush.

Re:Unbounded

[DragonMantis]

Ladies and Gentleman, President Barack Obama.

Re:Unbounded

[Draek]

"wow, its so small and cute"

Re:Unbounded

There's a cat in there somewhere..

Re:Unbounded

[Frnknstn]

What's wrong with living next door to a lolcat?

Re:Unbounded

[asa]

No one. This is not a buffer overflow. http://blog.mozilla.com/security/2009/07/19/milw0rm-9158-stack-overflow-crash-not-exploitable-cve-2009-2479/

Re:Unbounded

[nog_lorp]

It's not the JIT. It's the normal memory allocation it uses.

Re:Unbounded

[Kittenman]

Casablanca ... I'm here for you.

"Your winnings, sir".

Re:Unbounded

[BZ]

I know what your reference was, but the joke in Casablanca is that everyone knows there's gambling all along.

I can definitely agree with the rephrasing! ;)

Re:Unbounded

[Alex+Belits]

Invasion of /b/tards every Caturday?

Oh, I forgot, I am on Slashdot, we have them all week.

Re:Unbounded

[plastbox]

They set us up the bomb!

Re:Unbounded

[Tweenk]

As bonus points, "jeb" means "fuck" in Polish.

Re:Unbounded

My titlebar: "New Firefox Vulnerability Revealed - Mozilla Firefox"

Re:Unbounded

[vuffi_raa]

"It happens to all guys sometimes"

Defective by design

I'm sure this story will get tagged "defectivebydesign" since if this were Internet Explorer, everybody would be explaining how insecure closed source software is.

Re:Defective by design

[TheRaven64]

Is this a new copy-and-paste troll? Almost the same post appeared in the Linux kernel exploit article. Apparently some people missed the Defective by Design campaign and are completely unaware that it relates to DRM, not to arbitrary bugs.

Re:Defective by design

[dave562]

Apparently some people missed the Defective by Design campaign and are completely unaware that it relates to DRM, not to arbitrary bugs.

It's safe to say that the meme has been co-opted. It seems to pop up in a fair number of articles these days.

Re:Defective by design

Really? Taking a look at stories that have the defectivebydesign tag there are DRM stories as you point out. However, look at some of the stories in there:

* Critical security hole in Linux Wi-Fi
* Apple issues patches for 25 security holes
* Very severe hole in Vista UAC design
* Surprise, Windows listed as most secure OS
* Vista worse for user efficiency than XP
* Loophole in Windows random number generator
* Remote exploit of Vista speech control
* SP1 unsuccessful in preventing Vista hacks
* Data loss bug in OS X 10.5 Leopard

And so on. So yes, the majority of stories using the tag are DRM-related but there's an increasing usage towards general-purpose software bugs or exploits as shown by the articles I pointed out.

Re:Defective by design

[Goaway]

http://slashdot.org/tags/defectivebydesign

Some stories tagged "defectivebydesign" that are not at all related to DRM:

"Critical Security Hole in Linux Wi-Fi"
"Apple Issues Patches For 25 Security Holes"
""Very Severe Hole" In Vista UAC Design"
"MS Responds To Vista's Network / Audio Problems"
"Apple's IPhone 3G Firmware Update Bombs"
"QuickTime .MOV + Toshiba + Vista = BSOD"
"Vista Slow To Copy, Delete Files"
"Vista Runs Out of Memory While Copying Files"
"Mark Russinovich On Vista Network Slowdown"
"Microsoft Knew About Xbox 360 Damaging Discs"
"Vista Not Playing Nice With FPS Games"

That's as far as I can be bothered to read. Go look at it yourself. That tag is cheerfully applied to many, many stories about Windows or Apple bugs.

Re:Defective by design

[Dachannien]

It's not a meme, though. Or, at least, it's not supposed to be.

Re:Defective by design

[causality]

Apparently some people missed the Defective by Design campaign and are completely unaware that it relates to DRM, not to arbitrary bugs.

The primary difference being that bugs like this Firefox flaw are accidental and unintentional, whereas DRM is quite deliberate hence the "defective by design" nomenclature. That's such a sharp contrast, it's reasonable to assume that someone who fails to notice it is either speaking of what they know nothing about or purposely trolling. In other words, "highly advanced incompetence is indistinguishable from malice."

There were two ideas mentioned by GP, which were the "defective by design" label and the security reputation of IE. It's useful to know where those perceptions come from whether or not you actually agree with them. I'll make a very simplified (and therefore imperfect) summary of what I perceive as their bases.

The only reason why I see such a concept as "defective by design" applied to IE is a vague one. IE (and Microsoft in general) has something of a history of implementing ideas that were predictably unsound, the most notorious of which is probably ActiveX. That's mostly because ideas which are computationally sound are often orthogonal to ideas which are most easily marketed. True to the nature of a corporation, whenever these two are in conflict, the marketing concerns will win. This is where that perception of closed-source (that is, commercial) software that the GP mentioned comes from.

ActiveX is running untrusted code from a hostile network with no sandboxing and with the full privileges of the user running the browser. Before a single line of code is ever written to implement this, you can predict in advance that this is an unsound idea which invites trouble. Microsoft wrote the code and implemented the idea anyway. IMO that was a deliberate business decision because they felt the marketing and promotion of $SHINY_FEATURE would gain them more than they would lose from the PR problems of security issues. Because of how ignorant the general public tends to be about computer security, such decision-making has been largely successful. In other words, the people at Microsoft are not a bunch of idiots who didn't know what they were dealing with. They knew and they made their decision. Still, it's better to call that "faulty design" and "poor priorities" than to hijack a very specific term like "defective by design."

Re:Defective by design

[causality]

That's as far as I can be bothered to read. Go look at it yourself. That tag is cheerfully applied to many, many stories about Windows or Apple bugs.

... by people who fail to understand the difference between "design flaw" and "implementation flaw."

A simple heuristic: if you can submit a well-written bug report and at least an attempt is made to fix the issue, it's probably not a design flaw.

Re:Defective by design

[dave562]

I might not have been originally intended to be a meme http://en.wikipedia.org/wiki/Meme, but it seems to have become one. The idea that "DRM technology is Defective by Design" seems pretty memetic.

Re:Defective by design

[Compenguin]

As far as the Vista stories go, the network/copying/audio issues had to (or were believed to at the time) do with the DRM laden audio chain.

Re:Defective by design

[Darkness404]

Not really a meme, but rather simply a statement, because really they are, defective by design.

Re:Defective by design

[atraintocry]

Most of those could be argued to be hinting at the the Blu-ray-related DRM present in Vista and newer MacBooks. And the iPhone is a closed system. There's an earlier post with some examples completely unrelated to DRM, and I think in those cases it's a case of the person knowingly using it as a joke to say that whichever commercial os is referenced in the headline is never going to be any good.

As that happens more, it could mean the end of DbD as a DRM flag and just people using it because they heard it once and it sounded cool. But hopefully people will continue to parse the actual words in the phrase. I don't think I've seen it yet where I didn't think it was supposed to be applied humorously.

Of course, this being the internet, and Slashdot at that, sarcasm often goes undetected.

Re:Defective by design

[mysidia]

Well, at this stage, no evidence Firefox is defective by design, or that this bug is a result of a design defect.

And thus the problem of slashdot tagging. The tags show up on articles as if they were part of its text or an officially sanctioned categorization of the article.

And yet the tags require no justification, and users who don't understand what some of the tags are normally used for often apply them liberally to articles that have nothing to do with the marking.

Take a look at some of the articles that get tagged DRM: "Ford To Introduce Restrictive Car Keys For Parents", "Massive VMware Bug Shuts Systems Down"

Last I checked, DRM wasn't a general word for all restrictive computer systems. Only computer systems that manage rights to digital content (music and video) by encrypting, preventing copying, and (sometimes) phoning home.

Re:Defective by design

[causality]

Well, at this stage, no evidence Firefox is defective by design, or that this bug is a result of a design defect.

And thus the problem of slashdot tagging. The tags show up on articles as if they were part of its text or an officially sanctioned categorization of the article.

And yet the tags require no justification, and users who don't understand what some of the tags are normally used for often apply them liberally to articles that have nothing to do with the marking.

Take a look at some of the articles that get tagged DRM: "Ford To Introduce Restrictive Car Keys For Parents", "Massive VMware Bug Shuts Systems Down"

Last I checked, DRM wasn't a general word for all restrictive computer systems. Only computer systems that manage rights to digital content (music and video) by encrypting, preventing copying, and (sometimes) phoning home.

The result? The tags end up being regarded as "just someone's opinion" like all other content (both online and in major media) should be regarded until demonstrated to have a basis in fact. So I would call this a self-correcting system.

Offtopic: I wonder if it's unusual that I have never, ever, not once, added a tag and then reloaded the Slashdot page and seen my tag in place. This has been the case for both commonly-occurring tags and unusual "more creative" tags.

Re:Defective by design

[Goaway]

Plenty of those posts are about explaining what is actually going on, yet they are still tagged defectivebydesign.

Re:Defective by design

[Goaway]

Most of those could be argued to be hinting at the the Blu-ray-related DRM present in Vista and newer MacBooks.

No, none of them are. There are other articles about that, but the ones I picked aren't.

Re:Defective by design

[atraintocry]

When I said "most of those" I meant the tag instance, not the articles. Again, you can't assume the tags were 100% serious.

Re:Defective by design

[Kingrames]

Not only DRM is defective by design.

This is a security vulnerability caused by the need for faster code.
As the old saying goes: Good, fast, cheap. pick two.

Re:Defective by design

[westlake]

The primary difference being that bugs like this Firefox flaw are accidental and unintentional, whereas DRM is quite deliberate hence the "defective by design" nomenclature.

Of course it's deliberate.

Insert disk. The movie plays.

That's what sells the slim-line HTPC with Blu-Ray drive and the video card with HDMI out.

The geek rants on and on about the horrors of DRM while his kids are next door watching WALL-E on the 80" DLP. Everyone is happy. Life goes on.

Re:Defective by design

ActiveX is running untrusted code from a hostile network with no sandboxing and with the full privileges of the user running the browser. Before a single line of code is ever written to implement this, you can predict in advance that this is an unsound idea which invites trouble.

It's not entirely untrusted. It either has to be signed, or the user has to explicitly state that they trust the source by confirming a dialog. Now, sure, it seems clear as day to us that this is totally insufficient. But that's only because of long experience with massive networks that's become ingrained into our psyches.

Remember, ActiveX was introduced in 1996. At that time, AOL had just become one of the biggest ISPs. The Internet was not something that ordinary people used. The entire idea of Internet viruses was only about eight years old. Botnets did not exist. Personally, I was eight, and I'm now entering graduate school.

Seriously, people. Watch out for hindsight bias, especially when it comes to The Enemy. Microsoft's error in ActiveX lay, if anything, in not retiring it aggressively enough. Even there, by the time the severity of their error was obvious, there was way too much existing content to just drop it. To say that they should have known that it would be disastrous, back in 1996 — that's just not reasonable.

(Posting as AC because of mod points.)

Re:Defective by design

[tpgp]

"Critical Security Hole in Linux Wi-Fi"...

*snip*

That tag is cheerfully applied to many, many stories about Windows or Apple bugs.

And linux bugs - not sure what your point is.

Re:Defective by design

[Goaway]

Try counting the instances for each OS, and perhaps you'll see.

Re:Defective by design

[tpgp]

Try counting the instances for each OS, and perhaps you'll see. ...that the majority of times the tag is incorrectly applied is for Windows? So why mention OS X or Linux at all?

Just patch it and let's move on.

If 24 hours go by without a patch/new release, THEN we got news..

Re:Just patch it and let's move on.

FTFA: The vulnerability was reported to SecurityFocus (BID 35707) on July 15.

4 days > 24 hours.

Re:Just patch it and let's move on.

[RichardJenkins]

Well, obviously he meant 24 hours after it was posted on Slashdot. As we all know, it's not real until it's on Slahdot.

Re:Just patch it and let's move on.

When was it reported to Mozilla (the actual people who'd have to see it to fix this)? What was the bug number?

If I report a Linux kernel bug by sending certified mail to my lawyer, and wait a year before I publicly release that information, does that mean the Linux kernel devs takes a year to fix bugs? Or just that I was an idiot that didn't tell anybody?

Re:Just patch it and let's move on.

Yes, you were an *idiot* who didn't tell anybody!

That's notthe first time

[VincenzoRomano]

That a remote stack-based buffer-overflow can be triggered to compromise FF.
But why on earth those friendly developers don't design, implement a damned solution to be used everywhere in the code???
Fix once, fix forever (until next smarter exploit).

Re:That's notthe first time

[defaria]

I've been saying the same thing about cancer and the cold for years now!

Re:That's notthe first time

[BZ]

Have you tried the POC? Ideally under a debugger? It's a null-dereference crash due to failure to check an allocation for out-of-memory conditions. It's not exploitable, as far as I can see. And it's not a stack buffer overflow, by any means.

It'd be nice if these various security advisory services actually double-checked milw0rm postings before echoing them. Half the ones I've seen are in fact crashes, but not the sort the poster claims and not exploitable....

Re:That's notthe first time

[ciroknight]

Fix once, fix forever

The bug is in the Just-in-Time compiler inside of SpiderMonkey (TraceMonkey). This is brand new code as of 3.5.x. Of course there will be a ton of bugs found in it (just like the ton of bugs that have cropped up in SquirrelFish and have been subsequently patched).

I have to wonder why it's taken so long for anybody's security team to look at this code though. You'd think they'd look at this code before release and not after.

Re:That's notthe first time

[Inda]

Worse POC evar

-----

<html>
<head>
<script language="JavaScript" type="Text/Javascript">
var str = unescape("%u4141%u4141");
var str2 = unescape("%u0000%u0000");
var finalstr2 = mul8(str2, 49000000);
var finalstr = mul8(str, 21000000);


document.write(finalstr2);
document.write(finalstr);

function mul8 (str, num) {
var i = Math.ceil(Math.log(num) / Math.LN2),
res = str;
do {
res += res;
} while (0 < --i);
return res.slice(0, str.length * num);
}
</script>
</head>
<body>
</body>
</html>
<html><body></body></html>

Re:That's notthe first time

[causality]

Fix once, fix forever

The bug is in the Just-in-Time compiler inside of SpiderMonkey (TraceMonkey). This is brand new code as of 3.5.x. Of course there will be a ton of bugs found in it (just like the ton of bugs that have cropped up in SquirrelFish and have been subsequently patched). I have to wonder why it's taken so long for anybody's security team to look at this code though. You'd think they'd look at this code before release and not after.

I think the point is that there are auditing tools which can automatically detect this kind of buffer overflow in source code. There are also libraries which offer versions of various functions that automatically include bounds checking that can help to prevent this kind of buffer overflow. You'd think that basic fuzz testing might find it as well. So far as I know, no such tools were used. New code or old code should not meaningfully change this scenario because new code need not be released and version numbers incremented until such tools have been used.

I'm more ignorant about software development than I would like to be, so I am hoping anyone can explain why the Mozilla team did not use such tools. I acknowledge there may be some reason unknown to me that explains why doing so would be impractical or unrealistic. However, I think something like this is what the GP had in mind with his "fix once, fix forever" comment.

Re:That's notthe first time

[BZ]

Well... That code _does_ crash the browser. Just not exploitably. ;)

Re:That's notthe first time

I think the point is that there are auditing tools which can automatically detect this kind of buffer overflow in source code.

We've futzed with these tools a million times at work, when every six months some salesman comes around with a new software package that will just Save Our Lives (tm). They never work as well as they think they do. I've seen middle schoolers fix bugs that these source code examiners have missed, and I've seen them warn and error out on perfectly reasonable code. In many cases, even your simple code debugger like gdb works better.

What's worse is that most of them are patently not free (not beer nor libre), they require ridiculously complicated build rigs (Mozilla's is already complicated enough without adding some proprietary code analysis tools to the mix), and they're slow (even orders of magnitude more slow than Valgrind). With Open Source development, any one of these alone would be a show stopper. Mozilla already has a security team and lots of tools, regression tests and community developers all working to make it faster and more secure, but sometimes things are missed. It's just odd that this code wasn't picked over with a very fine comb, since this kind of code is often a heavy source of attack vectors (VMs always are).

Re:That's notthe first time

[e9th]

Remember the Debian SSH debacle? Some guy wanted to stop valgrind's whining about uninitialized memory in the SSL key generator, so he helpfully zeroed the buffer in question. Valgrind stopped complaining, but his fix also reduced the entropy used in key generation down to about nothing. For two years, people were generating very weak key-pairs.

I'm not saying valgrind, etc. are bad, only that sometimes they can be misleading.

Re:That's notthe first time

[Shikaku]

Running this in Swiftfox 3.5.1 makes it eat all your RAM.

Ditto Opera 10. I had to kill Opera 10 though, I could close Swiftfox.

Re:That's notthe first time

ROTFL, now it's valgrind's fault and not the clueless idiot programmer's?

Re:That's notthe first time

What part of "I'm not saying valgrind, etc. are bad, only that sometimes they can be misleading" confounded you? In the Debian case, it misled a clueless programmer, and an arrogant upstream committer.

Re:That's notthe first time

[Anders]

I have to wonder why it's taken so long for anybody's security team to look at this code though. You'd think they'd look at this code before release and not after.

Announcing defects in beta software doesn't get you noticed.

Re:That's notthe first time

[multipartmixed]

Mozilla do both extensive static analysis and fuzz testing. The fact of the matter is, no set of automated tools is going to find every problem.

The bug in this article has nothing to do with the JIT, either. Basically, some guy forgot to check the return value from malloc, and when it returns NULL he tries to de-reference it and crash the browser. Big deal. Browser crashes *whooo*, guess I'll start it up and not visit that site with the malware again until it's patched (which I bet won't take long).

Turn off javascript...

[popo]

... and stop using all of your web-apps... sigh...

Re:Turn off javascript...

[girlintraining]

... and stop using all of your web-apps... sigh...

Yeah, and half the websites out there will stop rendering then. Sadly, the vast majority of them don't need javascript to do their job, but such is the epic lame that is the average web programmer.

Re:Turn off javascript...

Or just don't be a paranoid idiot and keep browsing anyway. Or change browsers if you're that much fucking worried.

Re:Turn off javascript...

[Teckla]

Yeah, and half the websites out there will stop rendering then. Sadly, the vast majority of them don't need javascript to do their job, but such is the epic lame that is the average web programmer.

Or maybe most web programmers don't want to spend a lot of time and money supporting the 1% of users out there that don't have or disable JavaScript.

I'm just sayin'.

Re:Turn off javascript...

The problem is--more than 1% of users have it turned off--and probably temporarily turn it on for your craptastic site. And the *moment* we find a site that doesn't require javascript or flash to get the content or tools your site has--we'll be gone for good.

Re:Turn off javascript...

[morcego]

Actually, I had some issues where I was forced to use Javascript on a website for no better reason than staying compliant with XHTML 1.1. I wanted to do something that was perfectly possible to do with only HTML 4 (no JS), but was not possible with XHTML 1.1 without either breaking the standard compliance, or using JS.

I'm not sure, but I think I wanted a link to open on a new window. But it is entirely possible it was something else.

Re:Turn off javascript...

[judgexktf]

Or maybe most web programmers don't want to spend a lot of time and money supporting the 1% of users out there that don't have or disable JavaScript.

I'm just sayin'.

Let me fix that for you:

Or maybe most COMPANIES don't want to spend a lot of time and money supporting the 1% of users out there that don't have or disable JavaScript.

There, fixed. And to be honest; I can't say I blame them.

Re:Turn off javascript...

[Blakey+Rat]

Especially since the only reason people turn off Javascript is so they can post snooty messages on Slashdot about how cool they are since they keep Javascript turned off. (See also: Flash)

Re:Turn off javascript...

[commodore64_love]

Wouldn't avoiding javascript make webpages smaller & therefore load faster? Perhaps you've got a megawide connection, but when I'm traveling all I have is 50k dialup. Even at home I'm limited to a relatively slow 700k. I'd prefer a web that's mainly text and images without the bloat.

Back in the 90s web programmers were taught to optimize and compress their pages as small as possible. It appears this lesson is no longer being taught in the schools.

Re:Turn off javascript...

[Xest]

Looking at W3Schools stats on it it's about 5%. I've seen some stats suggest as high as 16% around 3 years ago:

http://www.w3schools.com/browsers/browsers_stats.asp

I feel Javascript is an important technology and rather than fucking around with all the proprietary crap like Flash we should be strengthening Javascript so it's more secure and more useful, in fact, a lot of browser vendors seem to be doing this, and those Chrome demos posted a few months back were agood example.

But I also think it's silly to assume and design for Javascript unless Javascript is the whole point of your site. There's so many sites out there that use Javascript for things like drop down menus and sometimes even positioning where CSS would suffice and not require Javascript support it's silly. To turn away 1 in 20 users doesn't seem the brightest idea unless you're building a web application where absolutely the only way to do what you want to do is to use Javascript.

Javascript shouldn't be a requirement for the vast majority of the web, only for those sites that truly need it.

Re:Turn off javascript...

Or maybe most web programmers don't want to spend a lot of time and money supporting the 1% of users out there that don't have or disable JavaScript.

Funny reasoning : defending actually complicating a link (for both the writer as well as the viewer of the webpage) by doing it the javascript way by claiming that most all man-and-dog have JS on anyways.

Thats like defending robbery because allmost everyone has insurance for it ...

Re:Turn off javascript...

[atraintocry]

But I also think it's silly to assume and design for Javascript

According to 95% of users have JS on. There's no reason to essentially design two separate sites to support the other 5%. And it could be argued that that 5% could either easily turn it back on if they choose (in which case, they're the lazy one), or is using something really really old and has no need to, or doesn't want to.

I'm not a web developer, but it seems obvious to me that while it's possible and often sensible to include the other 5% (which may include spiders, which you typically want), ignoring them because you don't have time for two designs is not at all silly. They may not even be the type of people you want on your site anyway.

Re:Turn off javascript...

[pbhj]

Yeah, and half the websites out there will stop rendering then. Sadly, the vast majority of them don't need javascript to do their job, but such is the epic lame that is the average web programmer.

Or maybe most web programmers don't want to spend a lot of time and money supporting the 1% of users out there that don't have or disable JavaScript.

I'm just sayin'.

I'm finding a lot of sites now using javascript for simple image display. Not even progressively enhancing a basic grid with jQuery, just a simple 3x2 grid (or whatever) of images. Javascript for that, really?

I'm a web designer. I can't understand the rationale for such a design choice.

Re:Turn off javascript...

[Doorjam]

Solution: Continue use of javascript for web-apps, but temporarily discontinue surfing for porn and warez.

Re:Turn off javascript...

[julesh]

Or maybe most web programmers don't want to spend a lot of time and money supporting the 1% of users out there that don't have or disable JavaScript.

Last I checked the figure was more like 3%, and included all standard desktop users at a number of very large and important companies, mainly in the financial sector. Admittedly that was a couple of years ago.

Also, if users without javascript can't navigate your site, neither can googlebot et al.

Re:Turn off javascript...

[Just+Some+Guy]

Wouldn't avoiding javascript make webpages smaller & therefore load faster?

Nope. To the contrary, a well-designed AJAX page that dynamically reloads sections instead of the entire page can potentially be much faster. Take the example of registering for a site account. Old way:

1. User enters a username, submits the form.
2. That username is taken, so the server sends back the whole page plus the error message.

New way:

1. User enters a username, clicks or tabs to the next field.
2. Their browser sends a validation request via AJAX.
3. That username is taken, so the server sends back the error message.
4. The client displays the error message and returns focus to the username field.

Alternatively, look at Slashdot itself. Yeah, it has its issues, but I have to say that I love the dynamic content loading. That's so much better (and easier on bandwidth!) than having to load a whole page just to expose a collapsed comment.

Re:Turn off javascript...

[0123456]

I'm finding a lot of sites now using javascript for simple image display. Not even progressively enhancing a basic grid with jQuery, just a simple 3x2 grid (or whatever) of images. Javascript for that, really?

Could be worse: I'm finding more and more sites using _Flash_ for simple image display. That makes even using Javashit look good in comparison.

Re:Turn off javascript...

[CaptnMArk]

I've disabled it today and some sites are now really much faster than usually.

I guess I really need to invest into configuring noscript.

Re:Turn off javascript...

Probably because the 90s were almost 20 years ago and technology has moved on. Where are you using dialup? Better data rates exist. Go to any Cricket store.

Re:Turn off javascript...

[causality]

I've disabled it today and some sites are now really much faster than usually.

I guess I really need to invest into configuring noscript.

NoScript + Adblock Plus + Adblock Plus Element Hiding Helper + the Easylist and EasyElement subscriptions for ABP = the Web as it was meant to be.

Advertising business models and entitlement mentalities (regarding ad revenue) be damned. If a Webmaster somewhere does not like that my computer is my property and will load only what I want it to load up, I recognize that their site is their property and I celebrate their right to deny me access to their site so I can find another.

Re:Turn off javascript...

Whereas entitlement mentality regarding access to other people's content is fair game, right?

Re:Turn off javascript...

I'm a web designer. I can't understand the rationale for such a design choice.

That's the problem. How often is the design choice made due to aesthetic rather than technical merit? As with most things on the web the "this is easy and everyone does it" trumps "this is technically better but I'd have to learn/apply something new."

Re:Turn off javascript...

[izomiac]

Never been too far out of the city/suburbs have you? Some rural internet users are basically forced to choose between 28.8k dial-up or satellite (assuming there's a vender to install it in the area). Satellite isn't terribly fast anyway, and it's rather expensive for what are generally poor areas.

Re:Turn off javascript...

Alternatively, look at Slashdot itself. Yeah, it has its issues, but I have to say that I love the dynamic content loading. That's so much better (and easier on bandwidth!) than having to load a whole page just to expose a collapsed comment.

YOU.. HAVE.. TO.. BE.. FUCKING.. KIDDING.. ME! Maybe you enjoy clicking like a monkey while browsing on your beowulf cluster. Other people just want to read all the comments on a mobile device.

Slashdot is a fucking pig regarding CPU time and usability. The comments are fucking plain text. I can load that via GPRS in acceptable time. BUT NOOOO! The clueless idiots who think that da cool JahvahScreept is all the hype manage to package plain text (PLAIN TEXT FOR FUCK'S SAKE) into an unusable CPU massacre 50 comments at a time.

Just give me all the comments with a single click instead of moving your fucking retarded threshold slider - which doesn't even work correctly! - and then clicking 100 times on "More", wasting tons of cycles between each update.

Slashdot's design is so retarded I have no further words for it.

Re:Turn off javascript...

[Jah-Wren+Ryel]

New way:

You left off step 0 - the server sends over a ton of javascript code that would not be transfered in the non-javascript case. Since neither case requires the retransfer of any of the images, it is easy enough for your example to go either way based on just how much extra javascript gets transferred.

Furthermore, way too many sites have external javascript dependencies, like doubleclick, coremetrics, etc. By ignoring those we are pretty much guaranteed a faster experience.

Alternatively, look at Slashdot itself. Yeah, it has its issues, but I have to say that I love the dynamic content loading. That's so much better (and easier on bandwidth!) than having to load a whole page just to expose a collapsed comment.

Well, we are going to have agree to disagree here. For me, that interface is terrible. I fucking hate clicking every couple of seconds just to read what ought to be there in the first place, it totally kills the flow of reading the comments. I don't care how it is implemented, it is a terrible UI design.

Instead of going all dynamic with a ton of individual database accesses, a smart designer could pre-build entire pages of article comments for the handful of common settings (view at +5, +4, +3, etc) gzip them up and store them in ram every 15-30 seconds and hugely reduce the cpu load on the server, minimize bandwidth consumption and keep the UI human-friendly.

And if you wondering about my sig it is more about how some things now require javascript to get done on slashdot, there are no non-javascript alternatives. That's the kind of bad design that will chase off the most technical users.

Re:Turn off javascript...

> Especially since the only reason people turn off Javascript is so they can post snooty messages on Slashdot about how cool they are since they keep Javascript turned off. (See also: Flash)

What the hell are you talking about? I use NoScript to block all those exploits because many advertising servers and XSS code injection attacks are being performed against otherwise legitimate websites. I wouldn't bother mentioning this except that you're pretending that following sound security advice makes one an elitist or something.

Oh well. One of us will probably make $100 when you eventually bring your virus-laden PC in for repair.

Re:Turn off javascript...

[Jah-Wren+Ryel]

There's no reason to essentially design two separate sites to support the other 5%.

Apparently you missed that loud woooosh sound that occurred while you were typing.

The GP was talking about unnecessary use of javascript. That doesn't mean design the website twice. It means don't design with javascript in the first place unless there is a compelling requirement to do so. Many of the things javascript is used for don't even require javascript to get equivalent functionality, the examples given so far are drop-down menus and page layout positioning.

Re:Turn off javascript...

[risk+one]

Or maybe most web programmers don't want to spend a lot of time and money supporting the 1% of users out there that don't have or disable JavaScript. I'm just sayin'.

That's not really the point. Most websites are built on a lot of different client-side technologies. HTML, CSS, JavaScript, Flash, and god knows what else. And you're not implementing for just the few technologies you use, but for all four or five implementations of each technology by different major browsers. So if you use HTML/CSS/JavaScript and support the top five browsers, that that's fifteen implementations that can behave unexpectedly on your code. And that's just the ones you can test during development. In about a year ad a half, each of those browsers will have a new version out with new quirks and new unexpected behaviors.

The best way to ensure that your code won't embarrass you, is to make sure it degrades gracefully. That if one of those elements fails, the site will still work, and work in a way that you can reasonably predict. That means starting with working HTML. Adding CSS, making sure it works and then adding javascript (or perhaps doing the JS first, if your site relies on it for a lot of things).

If you start out coding JavaScript, the only way to be sure it keeps working is to test it every situation it might be used, and you can't test on browsers that haven't been released yet. That's why so many businesses are now stuck with IE6. Because the people that made their intranet software didn't feel like supporting some percentage of the market. It's not about support, it's about proper design.

Re:Turn off javascript...

[Just+Some+Guy]

Maybe you enjoy clicking like a monkey while browsing on your beowulf cluster. Other people just want to read all the comments on a mobile device.

Half my Slashdot browsing these days is on an iPod Touch. I'm unaware of any Beowulf clients on those; is there an app for that?

Re:Turn off javascript...

[Just+Some+Guy]

Step 0: use gzip server compression to cram the whole JS library into a few KB.

Your pre-generated comments section is very similar to an idea I had, but you'd still need a little client-side trickery to maintain the same functionality.

Re:Turn off javascript...

[atraintocry]

But the 95% percent of people with functioning browsers might appreciate those features, so why do the people stuck in 1996 get to dictate what's useful and what's not?

unless there is a compelling requirement to do so

Everyone has JS. There's no reason to have to justify it's use anymore. It's there, it can be used.

Re:Turn off javascript...

[atraintocry]

crap, I meant "its use"

Re:Turn off javascript...

[causality]

Whereas entitlement mentality regarding access to other people's content is fair game, right?

Way to entirely miss the fact that I addressed this point. Really now, reading comprehension is important. You may laugh at me for saying that, but really it seems to be on the decline. I often feel on online forums, including those which are far less trollish than this one, that there are two versions of my posts: the one I actually wrote that says what it says and doesn't say what it doesn't say, and the fictitious one to which someone else is responding. Considering the quality of most public education, you were probably shortchanged in this department unless you enjoy reading on your own and can see it as a skill to be honed like any other. Unfortunately, few people are so actively and deliberately involved in their own advancement. If reading comprehension does not come easily for you, be assured that any reasonable effort necessary to achieve it is worthwhile.

So, I did address the point. If you think I addressed this point in a faulty manner, feel free to explain where I erred and how my reasoning may be corrected. This is a concept known as constructive criticism, and its effects are twofold. First, it demonstrates that you really do have a superior point of view on which your objection is founded and that you are not just bitching, which is frankly what this looks like. Second, it shows why my view is inferior and needs to be abandoned and replaced by a better one, possibly yours.

Pretending like I have not addressed this point, as you have done, only reveals a glaring weakness on your part. Such weaknesses are not found in people who have a solid foundation for their position. It's a shame to see such weakness from a person who could choose something better (that's you!).

Should you decide that you have the decency and the fortitude to engage me on this subject, I'll help you out by revealing a premise behind my reasoning: I would never put content on the WWW, with no passwords or other restrictions, unless I wanted that content to be publically accessible by anyone who wants to download and view all or part of it in any way they please. To think otherwise is a total failure to understand the nature of the Internet. If the nature of the Internet doesn't suit me, including the freedom of users to control which content they download and how it is displayed, then it's my responsibility to find a medium which does suit me and publish my content there. It's quite simple.

The mentality you just displayed is trivially deconstructed, as I have partially done here. It does concern me that individuals don't seem to put any effort into similarly evaluating their own ideas. You're probably just a troll, and don't think for a moment that this hasn't crossed my mind. I probably just wasted my time with you, and that's alright. I like the chance, however slim, that maybe you aren't and maybe I haven't. My bet is that I'll never see your response to this, but occasionally people do surprise me.

Re:Turn off javascript...

[dmmiller2k]

Wait, wait!

You mean they teach this stuff?

Judging by the code I've seen (and continue to see regularly), I thought EVERYONE else learned this by doing it on their own, like me!

Re:Turn off javascript...

[Jah-Wren+Ryel]

But the 95% percent of people with functioning browsers might appreciate those features, so why do the people stuck in 1996 get to dictate what's useful and what's not?

What part of, "Many of the things javascript is used for don't even require javascript to get equivalent functionality," did you fail to understand?
Or what about, "There's so many sites out there that use Javascript for things ... where CSS would suffice..."?

Re:Turn off javascript...

[Jah-Wren+Ryel]

Or maybe most web programmers don't want to spend a lot of time and money supporting the 1% of users out there that don't have or disable JavaScript.

NoScript is the 4th most popular plugin for firefox. Awareness of javascript as a wellspring of exploits seems to be pretty widespread.

Re:Turn off javascript...

[Jah-Wren+Ryel]

Step 0: use gzip server compression to cram the whole JS library into a few KB.

Still, as the sizing is relative, since the login page is at least as easily compressible, that's an absolute improvement but still doesn't win the race.

Re:Turn off javascript...

[commodore64_love]

When I was on a longterm contract in Michigan, I lost my cable TV because the idiot hotel manager stopped paying his bill. For about three months time I was downloading the weekly episodes of Stargate SG1 and Atlantis over a noisy 19 or 24 kbit/s connection. Yes you can bittorent at those speeds, and no it's not fun.

So to answer your question: Yes. Been there, done that.

This is why web programmers need to make their pages as small as possible. Don't believe? Try connecting to your dialup provider and connecting to imdb.com. That site is so overloaded with javascript, flash, and other crap that it takes nearly five minutes to load. That's just ridiculous.

Re:Turn off javascript...

[drinkypoo]

I run noscript because millions of idiots who can't write decent Javascript are using it to try to make their songs sing and dance. When you have ten tabs open all trying to do that at once (not at all unlikely to happen while, say, shopping for vehicle upgrade parts) it makes Firefox (or whatever browser) whimper and die.

Since I started running noscript, not only have I not had Firefox crash, but it's a hell of a lot faster, too. As a side benefit, I find out which tech companies are incompetent. When a software company has a website that replaces every href with an onclick, I know they're fucking idiots.

Being able to brag about running noscript is a distant third.

Re:Turn off javascript...

[drinkypoo]

Step 0: use gzip server compression to cram the whole JS library into a few KB.

You usually use a pregenerated gzipped file with your includes. Further, you need to merge all your includes to reduce loads, so you stick them all into one file and gzip that. You don't want to use mod_gzip or similar, because then the CPU has to spin with every load.

I have the goofy new slashdot interface turned off because it is so pathetically slow. But whatever you like is fine I guess.

Re:Turn off javascript...

nobody gives a fuck about what you think

Re:Turn off javascript...

[commodore64_love]

>>>But the 95% percent of people with functioning browsers might appreciate those features

Nearly all those persons aren't even going to notice the difference between a Javascript dropdown menu and a CSS dropdown menu, so why bother with the larger JS version? I say follow the KISS principle - use CSS.

>>>why do the people stuck in 1996

That's not really the issue. Even today in 2009 there are people using slow dialup, satellite, or 500k DSL connections. You design your site so it loads quickly over these connections, instead of alienating your customers with 2-minute bloated pageloads.

Re:Turn off javascript...

[drinkypoo]

Nope. To the contrary, a well-designed AJAX page that dynamically reloads sections instead of the entire page can potentially be much faster.

Even when you're trying to "do the right thing" the XML transaction can be bigger than just reloading the whole page without any javascript, and it usually is.

Doing AJAX-like things without XML is smart. AJAX is usually dumb, because string handling is time consuming and XML requires that you do a lot more of it. How much javascript is it going to take to make the page interactive? As others have pointed out, just separating content from presentation with CSS is going to result in a smaller transfer than doing updates with AJAX in most cases. If your content isn't really interactive, using AJAX is probably the wrong thing to do.

Re:Turn off javascript...

entitlement mentalities (regarding ad revenue) be damned.

And you're entitled to do what you please with someone's site without giving them any incentive to actually keep maintaining it? If more people on the internet were as selfish as you are there wouldn't be any other sites for you to find. Hell, there wouldn't be any search engines to find them with anyways.

IT'S MY INTERNET AND I'LL TAKE WHATEVER I WANT OMGZ.

Re:Turn off javascript...

[Just+Some+Guy]

Agreed on all of the above. I just reject the idea that AJAX (or similar ideas) are inherently slow, big, and evil. The fundamental idea is sound even if it gets abused a lot.

Re:Turn off javascript...

[TBB303]

Funnily enough, whoever created the current Slashdot system obviously forgot to test it under the KDE web browser - a screw-up that shouldn't happen on a site full of Linux advocates. While AJAX surely is a good thing, speed is secondary compared to functionality; I'll gladly rather wait 10 seconds for a page to reload than start another browser every time because someone forgot to do testing...

Re:Turn off javascript...

You shouldn't be surprised. Though there is likely a larger than average percentage of Linux users here, the majority are still Windows users. If there was really a chance of affecting a significant number of users it would have been addressed.

Re:Turn off javascript...

[atraintocry]

In a case where the JS is:

- harder to implement
- 100% redundant to what CSS can do
- does not involve getting a framework in place where modifications and additions become easier down the road
- the percentage of users who know what a JS vulnerability is matter ...yes, in that somewhat contrived scenario, I'd agree that the JS should be left out.

I didn't include accessibility above. Even WebTV supports JS. Its inclusion doesn't commit any sins that images didn't already.

I'm not interested in continually moving the goalposts in order to back up the flawed "JS is automatically bad" meme. JS *can* be bad but I honestly think we're past the point where there is much to gain by taking even the slightest pain in order to use it sparingly.

I didn't misunderstand the GP, but I did miss the part where "JS should only be used where truly needed" follows logically from "JS is an important technology, which 95% of users have support for."

The technology is powerful and pervasive and mollifying your average /.er, myself included, is a very dark path for a web dev to embark on.

In short: it's reached the saturation level where those without it can safely be ignored. An extra 100k of libraries can be ignored too. I think that if it presents even a slight advantage to a designer in terms of development time then they should use it. Their client and the 95% of people viewing the page with JS on will appreciate the quicker turnaround.

Re:Turn off javascript...

[maxume]

Any notion about how many users that translates into?

The Mozilla Addons page says there have been nearly 50 million downloads, but I have trouble believing those are unique.

Re:Turn off javascript...

[Decker-Mage]

Actually it is more than likely much higher than 1% by a close order of magnitude. I have two layers of JavaScript white-listing here. The first layer applies to all content coming into the system as my proxy-server dynamically rewrites the HTML code as it is received. [It does much more than this.] Then each browser has its own settings that apply since I have role-specific settings.

For any site that tries to maintain stats on my systems, unless you are white-listed (and you don't get white-listed unless I like your code in the first place) I look like JS disabled. However once white-listed then I look like JS-enabled. I don't believe that I'm the only conditional JS user out there by a long shot. Same with Flash or any other active content (blinking text, cookie setting, sounds, etc. ad nauseum. So, how can you do a population survey that is actually meaningful? Simply put, you can't. Ergo, the assertion that web coders won't serve that segment means they are potentinally hurting their own market.

Just my $.02

Re:Turn off javascript...

[Decker-Mage]

I don't think you wasted your time as I quite agree that each party (server & content reader) has a right to only provide/accept according to their wishes. That is the defining characteristic of the Internet, not just the web. A great example is NNTP which is currently under fire as well since the puditocracy and politickians just don't get it.

More to the point, as you've noticed, there is a definite lack of capability in the realm of critical thinking in the US, and it seems to be spreading. It wasn't even a requirement in our state's education system here unless you went to college and even then, judging from the papers turned in, the students still didn't get it. Not good. The ability to think critically is fundamental to being more than just another industrial society wage-slave. Furthermore, the Constitution was predicated on the notion that the voters would have that capability as well. I can hear a collective "whoops!" from the founding fathers, although I wouldn't be surprised that the political class likes the current status-quo. I don't see the situation changes short of revolution and that's about as likely as an asteroid stirke, perhaps less.

Re:Turn off javascript...

[Decker-Mage]

"Try connecting to your dialup provider and connecting to imdb.com."

Is there something supposed to be there (imdb.com)? Big blank in the page area although I do see related links present. And that's with everything non-filtered.

I've been racking my brains to recall imdb.com and you finally brought back my ancient (in interent time) memory.

Re:Turn off javascript...

[Jah-Wren+Ryel]

I'm not interested in continually moving the goalposts in order to back up the flawed "JS is automatically bad" meme.

Huh? That's exactly what you've been doing all along, it is your meme after all and you keep stretching and stretching to make it apply.

Re:Turn off javascript...

[Xest]

Perhaps a more important point is that not all Javascript implementations work the same. Chances are if you build a site with heavy use of Javascript using Internet Explorer as your test browser, you will have to spend hours trying to make it work for Firefox, and then Safari and Opera. There are a lot of libraries that help with cross-browser development (e.g. jQuery) but I've yet to find one that works perfectly between browsers.

It goes further than that though, you're missing a massively important segment of the market - mobile users. Most people visiting W3Schools from where most the stats were pulled will be web developers and will almost certainly have a full feature site, it's also more likely to be listed as a trusted site for people who use Javascript whitelists.

If you're building a site to be accessible to as many people as possible then by using Javascript you're almost certainly writing off the majority of the mobile market (which is growing rapidly and is bad to ignore) and you're also probably throwing away at least 1 in 20 users, but probably at least 1 in 10.

Of people who do have Javascript there are still many with slow computers, older browsers who will simply hate your site for using Javascript and navigate away immediately. There are people with disabilities who rely on software such as screen readers that need easily and cleanly parsable markup. Again, there are many potential users in this category simply being thrown away by use of JS.

It's ignorant to suggest there's no excuse to avoid using Javascript now - in business you cannot simply throw away that many potential customers for nothing more than a few visual effects that ultimately wont have any benefit for you over a well designed site.

Re:Turn off javascript...

one, that there are two versions of my posts: the one I actually wrote that says what it says and doesn't say what it doesn't say, and the fictitious one to which someone else is responding. If you are getting this all the time, it is probably because your communication skills suck and not other people's reading comprehension.

Re:Turn off javascript...

Way to not comprehend (nor read, apparently) the post you're responding to.

Good job, there.

Re:Turn off javascript...

[commodore64_love]

As is often the case, theory and real-world results are different. When reading slashdot over my dialup connection, turning off javascript makes the page load much faster than having it on. Of course one of the reasons is because I'm using text compression to about 5% original size, whereas javascript/executables barely compress at all.

So using the pure HTML version of slashdot ends-up being faster than the Javascript version.

Re:Turn off javascript...

[commodore64_love]

If you were trying to be funny, you failed.

imdb.com is the Internet Movie DataBase and one of my favorite sites for finding movie or TV-related information. Unfortunately it's heavily-downloaded with a lot of junk, which makes it virtually unusable for dialup users, and it shouldn't be like that. They could just as easily replace their flash ads with smaller animated GIFs or PNGs, and eliminate the javascript with CSS.

Re:Turn off javascript...

[commodore64_love]

You keep throwing out the "5%" datapoint as if it means something, but the number of homes on slow dialup, satellite, or 500k DSL is far larger than that. Last I heard it's closer to 40%, therefore it's advantageous to use a few bytes of Cascading Style Sheets than a 100KB javascript implementation. The former makes the web user-friendly for those 30-40% stuck with slow connections, while the latter alienates them and makes you lose potential customers.

On the other hand-

Maybe that's the goal. What better way to get people to upgrade from slow internet to expensive $60/month Comcast internet than to burden them with 1 megabyte or larger pages? (No, no, I gotta take that back. Too conspiracy theory.)

Re:Turn off javascript...

[Keeper+Of+Keys]

I have seen it estimated that up to 10% of users have javascript turned off. I usually find that mentioning that NoScript is the #4 Firefox add-on persuades clients that providing scriptless fallbacks is important even before getting them thinking about accessibility concerns.

(I have to turn it off in Opera on my phone, mostly because Slashdot is unreadable with it on. Some phones browsers don't even have the choice)

Re:Turn off javascript...

[Keeper+Of+Keys]

When a software company has a website that replaces every href with an onclick, I know they're fucking idiots

Actually this is reasonably legitimate. I hate links which open in a new window as much as anyone, but if you have to do it, javascript is the way, rather than using the deprecated target attribute.

Re:Turn off javascript...

[Just+Some+Guy]

Of course one of the reasons is because I'm using text compression to about 5% original size, whereas javascript/executables barely compress at all.

Nope, I don't buy it. jQuery is an extremely popular "big" JS library. The current version is 120KB uncompressed and 19KB compressed. A common sortable table library is 9,544 bytes uncompressed and 3,242 bytes compressed.

Slashdot itself embeds small amounts of JavaScript in the comments page so you're downloading those whether or not you have JS enabled. It additionally includes jQuery, but if your browser is fetching that more than once, something is misconfigured.

In short, there's no way JavaScript should have a perceptible impact on download speeds, even over dialup.

Note: first modem was 300 baud; I'm keenly aware of slow downloads. This just isn't one of them.

Re:Turn off javascript...

[Keeper+Of+Keys]

Wait, wait!

You mean they teach this stuff?

Judging by the code I've seen (and continue to see regularly), I thought EVERYONE else learned this by doing it on their own, like me!

"They" do teach it, by which I mean the world community of web coders. Even the most enthusiastic teaching professional is no match for the aggregate of everyone who is actually doing that work. Sure, there is some misinformation and bad practise being passed around but in general the google hit rate for quality advice and guidance in web development is very high. If you only looked at w3schools (for boring details) and alistapart (for higher level discussion) you'd already be off to a great start.

This is one job where you definitely don't have to be on your own.

Re:Turn off javascript...

[Keeper+Of+Keys]

Everyone has JS.

No. Some mobile browsers don't have it, lynx users certainly don't have it, not every screenreader will execute it and nor will most search engines (Google being a very recent exception), plus a lot of us have noticed that javascript is the one consistent factor in browser vulnerabilities and choose to keep it switched off except when it's absolutely required (a number I'd be willing to bet is rising).

Re:Turn off javascript...

[Decker-Mage]

Actually I was being dead serious. I have useless links down the right side and bottom, nothing where there should be content. Weird.

Re:Turn off javascript...

[causality]

Really I didn't intend for my response to be this lenghty. It just turned out that way.

I don't think you wasted your time as I quite agree that each party (server & content reader) has a right to only provide/accept according to their wishes. That is the defining characteristic of the Internet, not just the web. A great example is NNTP which is currently under fire as well since the puditocracy and politickians just don't get it.

True. The whole emotional outrage that anyone would block ads is easy to summarize. Webmaster goes out of his way to knowingly place content onto a public network where it is freely accessible by anyone. Said Webmaster does not use a paywall, nor does he deny content to users who don't load the ads. When said content is freely accessed, Webmaster then says, in effect, "now you owe me something, so view my ads!" and feels cheated if they aren't viewed. He wants compensation for a thing at the same time that he is giving it away freely. He also wants me to honor an agreement in which I did not participate. This is the Webmaster's fault.

And that's alright; while I think it's silly, I also believe that website owners should be free to do this if they want to. I just refuse to be shamed or otherwise pressured into going along with someone else's faulty expectation. The need to try that on me is the red-flag indicator of the entitlement mentality I mentioned. It's the reason why I responded as I did, as most people who do this don't seem to realize that it's manipulative.

This is especially true when said pressure comes from people who have invested in similarly faulty expectations of their own. Most people don't seem to use ad blockers and they are not standard features of most browsers. In other words, most users have chosen, not actively but by default, to give up their potential control, allowing the remote site full control of page layout. For that reason, many ad-supported public sites have been successful. They should be thankful that mitigating factors can help flawed premises to produce desirable conclusions instead of concerning themselves with how I configure my browser. Besides, they can put that effort towards reconfiguring their servers.

More to the point, as you've noticed, there is a definite lack of capability in the realm of critical thinking in the US, and it seems to be spreading. It wasn't even a requirement in our state's education system here unless you went to college and even then, judging from the papers turned in, the students still didn't get it. Not good. The ability to think critically is fundamental to being more than just another industrial society wage-slave.

I'm glad whenever I see that someone understands the severity and long-term outcome of this problem. That understanding is one of the single most effective things you can personally do about it. I imagine that if you didn't see the problem, the tone of my previous post wouldn't make sense and either that post or this one would seem like too much of a rant (eh, too late).

I think "wage-slave" is a somewhat mild term. I'd go so far as to say "automaton forever deprived of the ability to live his own life." I've heard more cynical folks say that you can't miss something if you have never known what it was like, yet I've never met a person who could be described that way who was also happy. In a sense, the problem is hidden in plain sight. It's so widespread and so common that it is often accepted as normal.

Furthermore, the Constitution was predicated on the notion that the voters would have that capability as well. I can hear a collective "whoops!" from the founding fathers, although I wouldn't be surprised that the political class likes the current status-quo.

There's a bit more to it than that. If "political class" includes "19th century industrial tycoons" and their descendants, and there's no reason why it shoul

Re:Turn off javascript...

[WuphonsReach]

19KB compressed over dial-up is somewhere in the range of 3.8 to 6.3 seconds.

That's a fair length of time. The usual design goal back in the dial-up days was to have your page load in 5 seconds or less. Which generally means the entire content needs to be in the 30-50KB range. So a 19KB library, even if that's the compressed size, adds a number of seconds to the first page visit.

(I define dial-up as anywhere from 30-50Kbps, or about 3000-5000 bytes per second.)

Personally, I browse with Javascript turned off, except for a few handfuls of sites that I absolutely have a need to use and won't work without Javascript turned on.

Re:Turn off javascript...

[Just+Some+Guy]

But, it's only downloaded once unless he's completely disabled caching or clears it too regularly.

You can't be serious!

[jeffliott]

I don't know anything about JavaScript or Firefox internals, but a public sounding central function call like "DOCUMENT.WRITE" having a length related buffer overflow is just unacceptable. This call is used all the time right? How could this be missed?

Re:You can't be serious!

[TopSpin]

This is my feeling as well. FYI: document.write is the JavaScript equivalent of write(2). It is used liberally in modern web content; I doubt there are any popular contemporary pages that don't use it.

This code path should be impervious to any overflow exploit that might conceivably appear. Obviously document.write can and is used to exploit other more subtle flaws in a browser as it is capable of producing arbitrary document content, but that's not what we have here. Here we have long strings breaking document.write itself.

Unacceptable. Fix it now. Sunday.

Re:You can't be serious!

[BZ]

It's not a buffer overflow. It's a missing OOM check leading to a non-exploitable (well, if your kernel is sane; some Linux versions are not) null-dereference crash.

Note also that the article linked to is misreporting this in other ways as well; unfortunately I'm not at liberty to go into details on that yet. :(

Re:You can't be serious!

[atraintocry]

Not at liberty? Isn't Firefox open source?

Re:You can't be serious!

[BZ]

Yes, it is. That's not related to the issue at hand.

Re:You can't be serious!

[dkf]

Not at liberty? Isn't Firefox open source?

He may have voluntarily agreed to hold off discussing a related known problem until it is fixed. I've done that a few times for other software (no, I don't feel like telling you what even though the fixes have been done for many years now) and with responsive OSS projects - either because they've got someone who really cares about this sort of thing, or because they've got lots of effort anyway - such issues tend to get fixed very rapidly. To be fair, that's true of the good commercial developers too; nobody conscientious likes having a security problem about as they tend to make for other difficulties too.

Re:You can't be serious!

[BZ]

Ok, here's the full deal:

1) The crash is not exploitable, for anyone who's been able to reproduce it so far.
2) The crash is in system text-rendering libraries (which apparently don't check for
      out-of-memory much), not in Firefox code, for everyone who's been able to
      reproduce it so far.

Re:You can't be serious!

[Mad+Merlin]

FYI: document.write is the JavaScript equivalent of write(2). It is used liberally in modern web content; I doubt there are any popular contemporary pages that don't use it.

Aside from ads (where document.write() is relatively common), use of document.write is quite rare. The main reason is that document.write is largely useless after the page has loaded.

Perhaps you're thinking of elem.innerHTML? The use of which is extremely common.

Re:You can't be serious!

[aztracker1]

About the only place this is used is to inject ads, and tracking for 3rd party servers. Very few sits use this technique internally. Most modern development uses avstraction libraries which inject DOM nodes, or use innerHTML for post-render injection. it's actually pretty bad-form to rely on inline document.write functionality because of browser behavior.

Re:You can't be serious!

[aztracker1]

abstraction libraries even... damned tiny laptop keyboard.

Re:You can't be serious!

[atraintocry]

Just doing some chop-busting, should have added the wink.

Wink! ;)

Re:You can't be serious!

[Ant+P.]

Sounds familiar. I used to be able to reproducibly crash GTK apps just by throwing invalid unicode at them. 3 or 4 \x67890 characters were enough.

Re:You can't be serious!

[b4dc0d3r]

This should be pointed out in CS 101. You don't validate the memory manager returns a value, your code gets a security alert. You fail the assignment or the course, whichever is on the chopping block. And you can't graduate without at least one semester of a language that needs memory management.

Re:You can't be serious!

"In the last few days, there have been several reports (including one via SANS) of a bug in Firefox related to handling of certain very long Unicode strings. While these strings can result in crashes of some versions of Firefox, the reports by press and various security agencies have incorrectly indicated that this is an exploitable bug. Our analysis indicates that it is not, and we have seen no example of exploitability."

Mozilla Security

Re:You can't be serious!

[BZ]

> You don't validate the memory manager returns a value, your code gets a security alert.

Except in this case it's "You don't validate the memory manager returns a value, the code of whatever app is using your system library gets a security alert." No skin off the Apple or Microsoft employees who wrote the buggy code, right?

So it's not just CS 101 that doesn't "properly" deal with blame for ignoring OOM. Neither does the real world.

Re:You can't be serious!

[multipartmixed]

document.write() is a vestigial piece of crap left over for the 4-browser days. Once upon a time it was used to modify the contents of layers and divs in Netscape 4.

Nobody uses it anymore except for ad-mongers, web metricians, and their ilk. Nowadays people use something called DOM, the Document Object Model.

Many eyes makes for secure code

[nacturation]

Let's just hope that all those eyes are friendly. How many black hats are scouring the source code to generate exploits to sell underground? As quickly as Firefox releases patches, when these bugs aren't reported it's no better than a proprietary browser.

Re:Many eyes makes for secure code

[dougisfunny]

Let's just hope that all those eyes are friendly. How many black hats are scouring the source code to generate exploits to sell underground? As quickly as Firefox releases patches, when these bugs aren't reported it's no better than a proprietary browser.

Except that other people are a lot more likely to find the same bug, and report it regardless of the black hats.

failed proof of concept

It looks like the proof of concept only shows how this could lead to a stack overflow. There is no concept about how this could lead to code execution, which makes this just just another way to crash a browser.
Crashing browsers is of course potentially a problem, but it quite boring while there are still so many ways to do real exploits.

Re:failed proof of concept

[X0563511]

Fool! A stack overflow can, by merits of exactly what it is, lead to code execution!

Re:failed proof of concept

It's a null-deref crash, and Mozilla thinks it's not exploitable.

Re:failed proof of concept

[BZ]

> It looks like the proof of concept only shows how this could lead to a stack overflow

It actually doesn't even show that, if you try running it under a debugger... It shows a null dereference due to lack of out-of-memory check on an allocation.

fix:

document.write = function(){ alert("This website was designed by a fucking idiot."); };

Re:fix:

[nacturation]

I tried this using greasemonkey and wanted to thank you for it, but I had to switch to Internet Explorer to post the reply as for some reason Slashdot started bringing up a million alert boxes.

Re:fix:

document.write = function(){ alert("This website was designed by a fucking idiot."); };

Which analytics tracker would you recommend instead of Google?

Re:fix:

Which analytics tracker would you recommend instead of Google?

Why on Earth would you want a thing like that?

Re:fix:

[gkm34]

okey okey oyna okey oyunu bedava okey

Re:fix:

[multipartmixed]

Thanks for the literal "LOL"

Slow News Day, Obviously

In other news, Apollo 11 was faked.

Expect to see much more of this in the future..

[ickleberry]

.. as the horrible language that is JavaScript is extended ever more to try and emulate real desktop applications (and more pervasive advertising).

Mang, sometimes I wish I could still get by with a browser that doesn't support JS at all, but web devs insist on building websites that absolutely require JS. For example the free SMS service for my mobile phone network (Meteor) absolutely won't work with JS disabled.

Re:Expect to see much more of this in the future..

I don't know why you hate web applications so much but I agree that Javascript is a horrible language. The specification is gigantic and the language is overcomplicated.

Lua makes a much better Javascript than Javascript. Small, lightweight and fast. Besides the syntax differences Lua is otherwise semantically very similar to Javascript except with a much better design... and Lua does it with a minuscule language syntax and VM.

Re:Expect to see much more of this in the future..

[maxume]

This has entirely to do with the Firefox implementation of the document.write function, not javascript; it is likely that the flaw is actually in C++ code.

If you type 'javascript:document.write.toString()' into the url bar in Firefox, you will see 'function write() { [native code] }'.

Re:Expect to see much more of this in the future..

[the_womble]

The problem is that no one is going to switch to another language unless all the major browsers support it.

People have tried to promote alternatives before (TCL and VBScript at least, probably a lot more I do not know about), but they never got anywhere.

Re:Expect to see much more of this in the future..

[xlotlu]

Whoever modded the parent as troll is a moron. Offtopic maybe, but not troll. Go ahead and mod me down too.

The parent is right. I've had my paranoid period and tried NoScript; the web was so damn broken, and clicking to allow JS over and over again turned so tiresome that I turned to everything whitelisted by default, and finally uninstalled NoScript after the AdBlock fiasco.

About how bad of a language JavaScript is or isn't: I personally like it, though I'd prefer Lua, or say, Python; but JS is here to stay and it serves its purpose. Except that purpose isn't replacing HTML, or turning HTTP into something it was never meant to be. Back when I was coding JS, we were doing it to improve the user experience, not replace it altogether. Nowadays "web developers" use [insert random JS framework] for everything, but the problem is so, so many use it in braindead ways. You middle click on a thumbnail expecting to open the image in a new tab, but you just get the same page with a nice # added at the end. And then there's the idiots doing <a href="javascript:">, and the utter idiots with an attitude that do onclick="submit_something_via_post" and figure out they know better how the web is supposed to work... These are usually the same idiots that will do broken browser detection based on the User-Agent string, and usually fail miserably if your browser sends along "Gecko", but not "Firefox". Say, something like "Iceweasel". For a nice example of how far this stupidity goes, try browsing VIA's site.

You want to use XHR when clicking on a link? Or submitting a form? That's all fine and dandy, but don't break the web. It's becoming more and more like flash, with the sole difference you can view-source.

If you're building Google Docs or Meebo, all hail JavaScript. But for mostly everything else, lack of graceful degradation with JS disabled is pure idiocy. Not just because there's paranoid people browsing with JS disabled, but because there's blind people using the web, and people with antiquated handhelds, or simply stuck in a console trying to fix nvidia's latest fuck-up. Of course, it would take building the site / web app properly from the bottom up: HTML, server interaction, CSS, JavaScript. But the "developers" these day start with YUI or Dojo: some shiny animation is the end purpose in on itself, not an improvement to conveying information.

By the way: did you try GMail with JS disabled? It works. It probably works in lynx too, since it works in elinks just fine. That's the way JS is supposed to be used.

</rant>

Re:Expect to see much more of this in the future..

[ickleberry]

Well to answer the question I find it ridiculous that after years of upgrading to the latest Pentium or Core processor we decide to make the internet connection the new bottleneck and waste copious amounts of bandwidth running something on a remote server hundreds of miles away that would run far better locally. Using a browser to display a GUI also isn't the most efficient for anything other than the simplest of GUI's.

The convenience of having all your stuff accessible can be far better replicated using a rsync type protocol and file-browser interface built into an application but nobody has done that yet. then there is reliability and privacy issues of having everything on a remote server run by a big company with an EULA and a manager who is only too happy to help out the local Law enforcement agencies

Re:Expect to see much more of this in the future..

[b4dc0d3r]

That's when you view source, save the page to your local system, and rewrite it to work without js. Don't even load their page with its adverts - load it, you can pre-fill lots of data this way, and submit. Warning: don't attempt with financial transactions, or if you do then don't come whining to me.

Is That What's Crashing Xorg?

I wonder if this bug what is causing Xorg to crash, as described in this blog post?

I thought they tested 3.5 prior to release.

Re:Is That What's Crashing Xorg?

[Norsefire]

So because Firefox was open when it crashed, Firefox must have caused it? Couldn't be that because most people have their browser open 99% of the time chances are that it will be open when something goes wrong?

Re:Is That What's Crashing Xorg?

Couldn't be that because most people have their browser open 99% of the time chances are that it will be open when something goes wrong?

Sure it COULD be coincidental. It COULD be caused by many things. But, it COULD also be Firefox. But wait! The blog post now confirms that it IS Firefox 3.5.x that is causing the Xorg crash.

But, thanks for your fanboish attempt to distract from the matter at hand. Lord knows we wouldn't want the light shone on the reality of your pet project.

The Captcha says "SOLVED". How does it know?

Re:Is That What's Crashing Xorg?

[Norsefire]

It's on the internet so it must be true?

Not just Firefox?

[Norsefire]

The proof of concept has crashed every browser I've tried it on; Firefox (obviously) (and the 3.6 nightly), Epiphany, Chromium, Opera and Android Browser. So is Firefox the only browser that is exploitable during the crash or other browsers affected?

Re:Not just Firefox?

[BZ]

When I tried this, I see Firefox crashing with a null dereference. So not exploitable.

Do you see something different?

Re:Not just Firefox?

[Norsefire]

No, that's what I see on every browser. I thought I must be missing something but it looks like this entire "exploit" is a non-event.

Re:Not just Firefox?

[BZ]

Well, the fact that SANS is blindly reposting known-unreliable things like milw0rm postins is something of an event, to me... Forgetting the fact that it tarnishes the reputations of whatever software they falsely accuse of being vulnerable, it leads to SANS being less reliable and less trusted. The whole crying wolf thing.

But yeah, I agree that this "exploit" is nothing of the kind.

Re:Not just Firefox?

[Bacon+Bits]

It crashes FF 3.5.1 and Safari 4.0.2 for me, but not Chrome 2.0.172.37 or IE 8.

A: Firefox users

[iYk6]

If you use firefox, then you are the moron using unbounded buffers.

Re:A: Firefox users

[ls671]

Well that's it ! I am switching to a java based browser where unbounded buffers do not exist ! ;-)))

NICE TROLL BUDDY

Except in this case, NoScript still provides a small barrier unless you whitelisted every website.

Firefox isn't perfect but at least it's not a horribly-slow-to-fix pile of garbage like IE.

But you're also right: Unknown exploits and flaws are potentially harmful no matter which software you use. Thanks for the warning.

Re:NICE TROLL BUDDY

From TFA:

"Note: Although Javascript access can be restricted with applications such as the NoScript Add-On, it may still be possible for the browser to be exploited if an untrusted website is loaded (with/without the consent of the user, for example, via XSS or compromised-whitelisted website)"

Nice troll though.

Re:NICE TROLL BUDDY

You have dogs in your ass.

automate protection

These recurring requests to turn off something are getting annoying. Why not automate the process? Set up a page somewhere like
www.mozilla.com/firefox/3.5.1/current-safety.txt

which would list something like
javascript: unsafe
java: safe
flash: safe

Then by default your browser would fetch that file and automatically implement Mozilla's recommendation of the day.

Re:automate protection

[aidan+folkes]

which would list something like
javascript: unsafe
java: safe
flash: safe

going outside: unsafe

Re:automate protection

[Anonymous+Brave+Guy]

You could add a useful automated statistic at the end of the list:

Websites where which our browser is useful today: 8%

Re:automate protection

WTF has Java or Flash have to do with Firefox?

Only javascript is in the browser, AFAIK.

Did YOU look for it?

[Colin+Smith]

I don't know anything about JavaScript or Firefox internals,

But you thought you'd bitch to Slashdot anyway?

This call is used all the time right?

Didn't you just say you don't know shit about JavaScript or Firefox?

 

Re:Did YOU look for it?

[Toonol]

Well, the small amount he evidently knows stil allowed him to make a reasonable question, which actually resembles bitching far less then your response does.

No Javascript? No Firefox.

[TheMCP]

To say, for the contemporary web, "turn off javascript", is to say, "break everything". If I can't safely use the browser with Javascript, I can't safely use the browser.

Re:No Javascript? No Firefox.

[aztracker1]

I already replied in this thread, but wish I had mod points.. just the same, noscript is a pretty decent solution, as long as the sites you use detect/prevent user injection of js.

Re:No Javascript? No Firefox.

[drinkypoo]

To say, for the contemporary web, "turn off javascript", is to say, "break everything". If I can't safely use the browser with Javascript, I can't safely use the browser.

It's a DoS exploit, it doesn't allow a remote hole or anything. It just crashes the browser. Furthermore, it crashes other browsers too. Don't let reality get in the way of badmouthing Firefox though.

Why the hell use Firefox 3.5?

It seems to conflict with the program Steam and other programs, issues with minimize/maximize, etc.

The code may not be that relevant

[Sycraft-fu]

After all, FF is open during development, not just after release. 3.5 has been a long time in coming, the code has been out there for lots to see and lots have looked, yet this was missed.

The thing is, open or closed, any major project has a lot of people looking at the code, and at least some of those people, perhaps most, are highly skilled. What this means is that it isn't likely there's an extremely obvious bug in the code. It isn't the sort of thing that someone would look at the source and go "Oh look they forgot to set getHacked = 0," or something like that. If it were obvious, the developers probably would have caught it. Instead the bugs are due to subtle interactions in teh code, that aren't easy to see.

So, more often than not, the way these things get found isn't someone pouring over the code, it is someone trying out attacks on the finished product. They try sending it bad data of various kinds to see how it reacts, or perhaps they see it react in a certain way to good data that gives them an idea how they might craft bad data to exploit it. Whatever the case, they are working on the finished product, and not particularly concerned with the source.

This is why you find bugs even in projects that many people are on, because developing something and looking at the code is real different from trying to exploit the finished product.

Rudeness is uncalled for. Let's keep this civil!

Reread the GP's post. He doesn't know anything about JavaScript and Firefox internals. Any fool can tell you that document.write is one of the most public function calls JavaScript uses, and his point is valid.

Nice strike...

with your Zealot-fu...

abc's

open source = security (at least that's what i've learned from every other slashdot post).

Re:abc's

[rysiek]

Nope. It's more like:
"Open source = code visibility", so that anybody is able to spot the bugs and fix them. This embiggens hugely chances that somebody will spot the bugs, and that somebody will fix them (as you have a potentially much larger dev base); but then again, it doesn't mean that - magically - "security will happen" just because it's OpenSource.

Also, I think you should be moderated "Troll"; but that would make this post "Redundant". Ah, well.

Re:abc's

A: "You should install Ubuntuâ"it's great!
B: "Nah, I'm ok with what I use now"
A: "But with Ubuntu you get access to the SOURCE CODE!"
B: "Uhhh...ok"
A: "That means it's secure because anyone can check it for bugs and exploits"
B: "Really? Have you checked through the code you're running on your Ubuntu?"
A: "Nah, other people do that"
B: "....."

Two words:

[Norsefire]

Porn mode.

Firefox sucks

[isa-kuruption]

This is the reason why I avoid crappy software like Firefox and stick to MSIE! Firefox is riddled with bad, bloated code making it easily subjectable to these types of attacks. On top of that, the development model allows mistakes like this to get into the codebase without proper quality assurance.

If I have to /sarcasm, I will kill you.

Re:Firefox sucks

Deflect! Deflect! Deflect!

Re:Firefox sucks

You are an idiot.

here is what I want to know....

[digibud]

One hears about such vulnerabilities often, but I rarely get any sense of just how dangerous this is. How often do these vulnerabilities translate into compromised web pages that the average user who isn't going to download porn....how often do these exploits translate into people actually having their computers compromised and turned into bots? I know many, many computers are compromised...just not sure of the manner in which they are actually pwnd...

Re:here is what I want to know....

[IRWolfie-]

Since from reading the other posts it's not an exploitable issue, so none.

Firefox Vulnerability

[DaveV1.0]

But, but, but, that's unpossible!

Re:Firefox Vulnerability

[maxume]

Yeah, the 60 comments that got in before you are rife with such groupthink.

Re:Firefox Vulnerability

And this time they would be right - the exploit is neither exploitable, nor Firefox's fault (http://tech.slashdot.org/comments.pl?sid=1307769&cid=28749279)

omg

It's not a buffer overflow. It's a missing OOM check

You see... right there is the cause of this crap. A "missing OOM check" IS A GOD DAMN BUFFER OVERFLOW. The buffer you overflow is whatever heap you take for granted when you DELIBERATELY IGNORE the failure of some allocation. A heap is just an elaborate managed "buffer."

Allocations fail. Even if you don't think they can and have never witnessed it. Even if your boss's design assumes they can't and lacks any way to deal with it. Even if it takes more effort to handle a failure than your deadline will permit. Stop ignoring allocation failures.

Re:omg

[0123456]

You see... right there is the cause of this crap. A "missing OOM check" IS A GOD DAMN BUFFER OVERFLOW.

No it's not: from what's been said here it's an out of memory error. In most cases if you run out of memory you get a NULL pointer back and you then access it and crash; it's possible that you allocate an 8GB buffer and then write 4GB into it which just happens to be where your stack is, but very, very few programs will do so... the vast majority will start writing at or near offset zero from the pointer they were allocated, and then the OS will kill the process if the pointer was NULL.

Now, not checking for null pointers from allocations in code where users can pass any old crap as a parameter is a significant bug that needs to be fixed, but trying to claim that it's some super-important buffer overflow flaw is silly. It's like claiming that shooting paper targets is suicide because shooting yourself in the head also involves firing a gun.

Re:omg

The pointer wasn't initialized a valid value first place (aka memory you have rights to) and wasn't the result of subsequent arithmetic preformed on the pointer. Not an overflow.

A buffer overflow is where I have a pointer initialized to point to a chunk of memory that I own or have rights to use. I then increment that pointer enough that it points to memory beyond what is mine. This is usually accomplished by some iterative means such as a loop in a memory copy routine.

The bug is a null-dereference as the result of a memory allocation failure. The pointer was assigned the value of 0. It never pointed to memory owned by me in the first place. Yes both result in accessing memory that doesn't belong to me, but they are not the same thing.

Re:omg

[BZ]

> A "missing OOM check" IS A GOD DAMN BUFFER OVERFLOW.

It's a pretty special case, though, since the pointer you get when you OOM points to a big hunk of memory which you can't overwrite (trying will just crash your process). Of course if you try to write too far into the buffer you could still lose.

So I definitely agree this needs to be fixed, and am all in favor of the system libraries involved fixing it. The missing OOM check isn't in Firefox code, note.

No...

[Sir_Lewk]

Even if firefox is triggering it, it's clearly an issue with Xorg itself. Firefox, nomatter how crappy, should not be able to take out X.

no evidence that this is exploitable

[asa]

This is a browser out of memory crash. There is no evidence that this is exploitable while all evidence points to it not being exploitable. Pretty much all browsers crash from this but that doesn't mean that it's a security issue.

Re:no evidence that this is exploitable

[Simetrical]

This is a browser out of memory crash. There is no evidence that this is exploitable while all evidence points to it not being exploitable. Pretty much all browsers crash from this but that doesn't mean that it's a security issue.

Chrome doesn't crash on the exploit. Not even a sad tab.

Run Linux Firefox with AppArmor

[dtschmitz]

Folks, Noscript will catch most Javascript exploits, but you should have a 'catch net'. AppArmor provides a 'sandbox' around any process you want. Firefox is a good example that I have written a how-to for creating an AppArmor Profile in Ubuntu 9.0.4 Read my blog here Be Safe. Dietrich T. Schmitz

Re:Run Linux Firefox with AppArmor

[multipartmixed]

Nice astroturfing. How does AppArmor prevent invalid unicode from entering the system?

Welll. It is like aids

[SmallFurryCreature]

Aids is very dangerous virus that can strike anyone who has sex. A true danger.

But you are on slashdot. You ain't having sex.

Be honest, how many "odd" sites do you visit? How many slutty url's do you follow home?

The danger really depends on what you do. I know people who follow any link, open any email and click on anything in sight. It is amazing what they can do to an innocent virgin computer in just a week.

This bug is already highly overrated, lots of people have tried and so far it only results in crashes. Big whoop.

Most bots are not created by crafty code or even by clever exploits or social engineering. It is just put a file online named Harry Potter The half blood prince.exe online and people will happily download it, install it, click on all security warnings and then wonder why they can't get their movies and complain to their ISP that their movie service sucks (I swear to god, this really happens).

Here is a hint. A movie is more then 10mb. It does NOT have the .exe at the end. WMV is only used people to force a payload via an automatic codec install.

being safe is about using your brain, not relying on some script.

NoScript

[metamatic]

Again, I think the NoScript UI should be part of the core Firefox product.

Yes, there are many sites that require JavaScript. That's the point of NoScript--you can enable JavaScript for just the source domains you trust (e.g. Facebook), in a couple of clicks, and leave it disabled for all the other random sites you browse.

And of course, the NoScript functionality would remain off by default, so naive users wouldn't be confused by it. Just like the functionality to not download images is off by default.

Re:NoScript

[Fnord666]

you can enable JavaScript for just the source domains you trust (e.g. Facebook), ...

You did not just say that. Tell me you did not just say that.

Re:NoScript

[metamatic]

I'm not aware of any malware having been launched from facebook.com.

No noscript

[DuctTape]

I stopped using NoScript after they did shenanigans with Adblock Plus subscription settings. If they're going to do that sort of behind-the-scenes tomfoolery, what else are they up to?

DT

Re:No noscript

[Onymous+Coward]

You gotta keep up, guy. Giorgio explains in detail.

http://hackademix.net/2009/05/04/dear-adblock-plus-and-noscript-users-dear-mozilla-community/

Re:No noscript

[DuctTape]

Uninstalled and off my radar by then. Fool me, once, etc.

People probably still buy Belkin products after their routers redirected http requests to their advertisements and they paid for faked reviews, too.

DT

Re:No noscript

[Onymous+Coward]

I expect the "one strike and you're out" philosophy is likely to cause you more problems than it solves.

please update this post

How about an update to the post, Soulskill. There are multiple Mozilla people here saying the report is incorrect yet the headline is propagating around the Web.

Slashdot is packed with double-standards

[bonch]

This site is full of double standards. This is the same website that is against copyrights when it comes to piracy because it gets them stuff for free, but for copyrights when it comes to a GPL violation because the GPL gets them stuff for free. Whichever is the self-serving position is the one that's adopted.

Re:Slashdot is packed with double-standards

[nicodoggie]

But then GPL is a copyleft. You probably took a wrong turn somewhere... :-P

Re:Slashdot is packed with double-standards

[bonch]

"The GPL assures the copyright of the software." - FSF website

Re:Slashdot is packed with double-standards

[Keeper+Of+Keys]

This site is full of double standards.

Indeed. If only all of Slashdot was written by the same person.

bugs me

[JosedeNoche]

everyone complaining too much about that firefox 3.5.1 bug, just let the mozilla team do its bets to fix it

bug misreported, not exploitable, not a stack over

[Mike+Shaver]

See http://blog.mozilla.com/security/2009/07/19/milw0rm-9158-stack-overflow-crash-not-exploitable-cve-2009-2479/ for more details, including specifics about how the bug affects different platforms and versions (worst case: unexploitable crash in OS X system libraries).

cute

Hey, if she gets off on small and cute, who's to complain?

Re:cute

[joelpt]

May I direct you to http://postsecret.blogspot.com/

no reason?

[Joseph_Daniel_Zukige]

You mean, besides the problems that occur because Javascript was not really designed with security in mind?

The current bug under discussion is a programing error. It can be fixed.

mod anonymous parent up!

[Joseph_Daniel_Zukige]

The design of javascript has not been magically fixed.

So many of the flaws in the internet technologies were induced by people trying to hit an artificially early market window induced by Microsoft's snake-oil marketing claims.

Great!

[p5]

Was waiting for the day that IE would be safer than FF, IE 6.0, here I come!

not exploitable

[asa]

See what Mozilla has to say: http://blog.mozilla.com/security/2009/07/19/milw0rm-9158-stack-overflow-crash-not-exploitable-cve-2009-2479/ In the last few days, there have been several reports (including one via SANS) of a bug in Firefox related to handling of certain very long Unicode strings. While these strings can result in crashes of some versions of Firefox, the reports by press and various security agencies have incorrectly indicated that this is an exploitable bug. Our analysis indicates that it is not, and we have seen no example of exploitability. On Windows, Firefox 3.0.x is terminated due to an uncaught exception during an attempt to allocate a very large string buffer; this termination is safe and immediate, and does not permit the execution of attacker code. In Firefox 3.5.x on Windows, the allocations are more robustly checked and no crash will result. On the Macintosh in Firefox 3.0.x and 3.5.x, a crash occurs inside the ATSUI system library (part of OS X), due to what appears to be a failure to check allocation results. This issue is likely to affect any application using the recommended text-handling libraries on OS X. We have reported this issue to Apple, but in the event that they do not provide a fix we will look to implement mitigations in Mozilla code. We recommend that other developers who use these libraries consider a similar practice, and we have added mitigations in the past for similar bugs in these libraries. As a result of our analysis, we do not believe that this represents an exploitable vulnerability in Firefox. Further, we believe that the IBM report is in error, and that the severity rating in the National Vulnerability Database report is incorrect. We have contacted them and hope to resolve the inaccuracies shortly.

Re:not exploitable

[da_matta]

...so Mac is the only potentially exploitable environment? It doesn't actually say that, but recommending mitigation through coding around the problem sure sounds like it.

Re:not exploitable

[multipartmixed]

A NULL-dereference is not exploitable any modern platform. Coding around the Mac OS library calls would be necessary if Apple doesn't fix their stuff; basically what's going on is Firefox says "Here, render this string" and the Mac OS X library goes "ka-boom". The only thing Firefox can do is pre-validate every string to be rendered in this case. Which will be a real killer for people speaking languages whose character sets aren't in the BMP!

Note - I'm not an expert, just a guy reading bug reports.

Re:not exploitable

[rgviza]

I'm not touching this hubris with a 20 ft pole.

-Viz

Where it's not needed & on sites you do not tr

"But I also think it's silly to assume and design for Javascript unless Javascript is the whole point of your site. There's so many sites out there that use Javascript for things like drop down menus and sometimes even positioning where CSS would suffice and not require Javascript support it's silly. To turn away 1 in 20 users doesn't seem the brightest idea unless you're building a web application where absolutely the only way to do what you want to do is to use Javascript.

Javascript shouldn't be a requirement for the vast majority of the web, only for those sites that truly need it." - by Xest (935314) on Sunday July 19, @02:31PM (#28748981)

Agreed, 110% - As a user, a user of a webbrowser (or, email program, or even Adobe .pdf files etc. et al (i.e. -> Anything is capable of running javascript in essence)) should ONLY use & allow javascript for sites that DEMAND javascript, for absolutely FULL function (&, only on sites you trust)...

APK

P.S.=> It appears we can agree on some things... lol! Because, I get "into that topic" myself, here:

----

HOW TO SECURE Windows 2000/XP/Server 2003, & even VISTA, + make it "fun-to-do", via CIS Tool Guidance (& beyond):

http://www.tcmagazine.com/forums/index.php?s=f95071c12d0fc4e3d6b3c8b08dd8c05d&showtopic=2662

----

And people that've applied it have seen results like this (going on 2++ yrs. testimonial below, & no malware/trojan/virus/spyware/keylogger/worm infestations, period):

----

http://www.xtremepccentral.com/forums/showthread.php?s=97c1e368dad75689a8da7df5a0e97418&t=28430&page=3

"Its 2009 - still trouble free!

I was told last week by a co worker who does active directory administration, and he said I was doing overkill. I told him yes, but I just eliminated the half life in windows that you usually get. He said good point. So from 2008 till 2009. No speed decreases, its been to a lan party, moved around in a move, and it still NEVER has had the OS reinstalled besides the fact I imaged the drive over in 2008. Great stuff! My client STILL Hasn't called me back in regards to that one machine to get it locked down for the kid. I am glad it worked and I am sure her wallet is appreciated too now that it works. Speaking of which, I need to call her to see if I can get some leads. APK - I will say it again, the guide is FANTASTIC! Its made my PC experience much easier. Sandboxing was great. Getting my host file updated, setting services to system service, rather than system local. (except AVG updater, needed system local)" - THRONKA user @ xtremepccentral.com

----

And, on the same note as your statements here - I get into nearly exactly what you say, for security's sake, in it's 14th post, in the guide above (stop the delivery boy, the package never gets there (in bad javascript on bogus websites &/or bad adbanners))... apk

I had enough too

[Ilgaz]

I really started to wonder what kind of web this noscript lobby is browsing.

Every single damn bug found with every single lamer, they come here and lobby about noscript. I started to look for =referrer in URLs seriously.

If an updated browser (yes, I keep FF) can't work safely without turning off a central web feature, I move to another browser. Simple as that. Or, I use a decent AV solution which will have state of art heuristics enough to figure it out and stay away from random sites until bug fixed.

I use Omniweb now but Firefox has really became some kind of "internet operating system" these days with web services which would not exist if javascript didn't exist.

If one is that paranoid, there is no need for extensions. ANY site can be hacked for example to inject malicious code. Turn Javascript off and enjoy your nerd browsing.

Seriously, we aren't stupid, some of us are old enough to remember first javascript enabled version of netscape. Enough with noscript advertisements.

The vulnerability is not exploitable ?

http://blog.mozilla.com/security/2009/07/19/milw0rm-9158-stack-overflow-crash-not-exploitable-cve-2009-2479/

Why did I code in JS? 'Cause it's there!

[Decker-Mage]

Simply put, just because something is there does not necessarily mean it should be used. I have Flash, Java, and numerous server-side and/or client-side tools here. Some of them are mighty obscure due to the fact that I started coding back in the early '70's. I can use them, and for many I even have code generators that create nicely formatted, validated, compact code. I'd dare even say I might be more productive. However that does not mean that they are the right tool for a particular task.

The examples brought out as evidence so far would be far more efficiently coded using CSS and templates. That they are stupidly coded in JS is just as silly as using C# or Java to generate static content. Templates are more efficient and why Include was created in the first place! You are utilizing a dynamic language to implement a static output which is absolutely silly and it is highly likely to flummox both the search spiders and the intelligence {if any} in your web server. You do know how to code for higher efficiency on your web server, don't you?

Turn off scripting

[some+guy+I+know]

Just turn off all scripting.
Problem solved.

It appears that over 90% of browser attacks are caused by exploiting vulnerabilities (bugs) in scripting code.
Turn off scripting, and you're not vulnerable to those attacks.
Of course, with scripting turned off, there are some things you can't do (like meta-moderate slashdot, thank you very much), but, for the most part, you don't need scripting at all.

Why "the hell" not?

[RPoet]

Not everybody is a Windows-using gamer, you know. I have not had a single issue with 3.5.

The PoC doesn't work ...

[gbitten]

... on Firefox 3.5.1 / Windows XP.