That's what I thought, but I have posted several critical comments and they were approved. I expect it was because I did so in a *polite and constructive* manner.
>>I guess I've never seen anyone do this with machines that aren't their own or their employers. Do you?
>What is your point? If one of my machines, or my employer's machines, is compromised, am I supposed to send an email to the hacker saying "you got me, fair game, here are all my root passwords"?
>>If you say so.
>Don't take my word for it, rtfa.
I did. It says: "Any remote X client can gain root privileges on the X server using the proof of concept program attached".
>>A random web page crashing my machine is still not a "non-issue".
>It crashes X, not the whole box. And it's got a pretty simple solution: if you go to a website that crashes your xsession, just don't go back there. Ok, so 'nonissue' is a little strong, but it's not something you're likely to see much of, since it's such a self-limiting 'attack'.
Here at least we agree; but as I said, I would prefer to not take the risk that another way to exploit the vulnerability is discovered. There are other ways to exploit Firefox than by sending it dodgy HTML code.
I don't want them to release OSS drivers. I just want them to release the information that we need to create our own drivers.
But thanks to this thread I've discovered the Matrox G550 cards. They are only a little bit more expensive than the entry level OEM NVIDIA cards I have been shipping until now, and of comparable performance.
Ok, well I suppose the 4 people who run large xservers on x86 machines with nvidia cards have a legitimate gripe. If any of them would like to speak up, I'll listen. The rest of us have no business opening up xsessions to the internet.
I don't do that. I use SSH's X11 connection forwarding feature. This vulnerability puts me at risk if a machine I connect to is compromised by an attacker.
Not through a web page it can't. The exploit can be demonstrated as a ridiculously-long INPUT element, and in that case is simply a DoS attack that crashes X - or at least that's how I read the exploit report. Web-based DoS exploits like this kind of limit themselves, because the user has to direct their browser to the page they (hopefully) eventually realize is crashing their stuff.
If you say so. I would prefer not to take the chance. A random web page crashing my machine is still not a "non-issue".
The drivers on that page are "BETA". Not released.
It is interesting that when someone holds back the disclosure of a vulnerability in Microsoft software they are praised for practicing "responsible disclosure", but when these Rapid7 people do the same they are accused of foaming at the mouth needlessly since a fixed driver is allegedly already released.
Good companies do not hide the existence of a vulnerability in their products that allows a remote attacker to execute arbitrary code on a machine as root for two years.
Why not? Are you going to pay for it? What if they can't afford it? Will you pay for their travel and legal expenses? Why should they have to care, since the only thing they stand to lose is control over the spamhaus.org domain?
That is a Firefox(tm) bug.
https://bugzilla.mozilla.org/show_bug.cgi?id=9554
https://bugzilla.mozilla.org/show_bug.cgi?id=8738
Well I'm sorry to hear that you are not using Debian. ;)
As a workaround, try creating /usr/lib/mozilla/plugins and putting the library there. I bet your mozilla-based programs try that directory anyway.
You should punch your packagers if their Firefox packages don't always load plugins from /usr/lib/mozilla/plugins and ~/.mozilla/plugins.
http://www.us.debian.org/CD/vendors/#us
You mean Mozilla doesn't do this? I am concerned!
Speak Out against this madness. Get our country out of the EU!
http://www.speakout.co.uk/
I would say it is possible because Gentoo will stick any buggy unfinished piece of crap into portage. :)
It has been pushed back to 3.0.
I wish they'd provide an MSI package instead. It would help make Firefox a little bit more suitable for deployment in large networks.
Imendio are working on it: http://developer.imendio.com/projects/gtk-macosx
It will be built in to Windows and available by default without requiring the user to go to the effort of installing third party software.
That's pretty amazing. The card starts at £30!
http://www.shopmagenta.com/product/SD0G608A.aspx
But it goes up to £70-120... do you know what the difference is (if any)?
That is what I do. However, if the machine I SSH to is compromised it should not be able to take over the machine my X server runs on.
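The X11-forwarding risk raised in the two comments above comes down to one OpenSSH client setting. The following ~/.ssh/config fragment is an added example, not something posted in this thread; the weak block is shown commented out beside the hardened one, and the host name build.example.org is a placeholder.

```sshconfig
# ~/.ssh/config  (added example, not from the thread)

# Weak: every host you SSH to gets a *trusted* X11 channel, so a compromised
# server can send arbitrary requests to your local X server with the same
# rights as any local client.
# Host *
#     ForwardX11 yes
#     ForwardX11Trusted yes

# Hardened default: no X11 forwarding at all unless you opt in per host.
Host *
    ForwardX11 no
    ForwardX11Trusted no

# Opt in only for hosts you trust (placeholder name). With
# ForwardX11Trusted no, ssh hands the remote side an "untrusted" cookie
# (xauth generate ... untrusted), so the X SECURITY extension limits what
# the forwarded client may do (no grabbing other windows' input, etc.).
Host build.example.org
    ForwardX11 yes
    ForwardX11Trusted no
```

Caveat: untrusted forwarding restricts what a well-behaved X server lets the remote client do; it does not stop the client from sending malformed requests. A bug in the server's request parsing, which is what the comments are arguing about, is reachable over any forwarded connection, trusted or not, so the only complete mitigations are patching the server or not forwarding X to hosts you would not trust with your display. Note also that some distributions ship /etc/ssh/ssh_config with ForwardX11Trusted yes, which makes -X behave like -Y; check the effective value with `ssh -G hostname | grep -i forwardx11`.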
That is exactly what I was thinking. :)
Or send him a link to a "cool" web site you just created^Wdiscovered...
But just think what NVIDIA's Digital Vibrance technology could do for the quality of your image viewing experience!
Wait for Xorg 7.2. Input and Output hotplugging may just eliminate the X server's config file forever!