It appears to affect Firefox on all operating systems and can allow remote code execution. The only workarounds suggested are the NoScript extension and browsing in a virtual machine.
It’s starting to look like THIS story may be falling apart….
The main purpose of our talk was to be humorous.
As part of our talk we mentioned that there was a previously known Firefox vulnerability that could result in a stack overflow ending up in remote code execution. However, the code we presented did not in fact do this, and I personally have not gotten it to result in code execution, nor do I know of anyone who has.
I have not succeeded in making this code do anything more than cause a crash and eat up system resources, and I certainly haven’t used it to take over anyone else’s computer and execute arbitrary code.
I do not have 30 undisclosed Firefox vulnerabilities, nor did I ever make this claim. I have no undisclosed Firefox vulnerabilities. The person who was speaking with me made this claim, and I honestly have no idea if he has them or not.
I apologize to everyone involved, and I hope I have made everything as clear as possible.
So, currently – the only flaw seems to be a remote browser crash. Still an issue, but not as bad as first claimed. Stay tuned.
Now, I’m not prepared to say don’t worry about this…. as incidents.org notes, DoS attacks against IE have in the past had a tendency to resurface as remote code execution vulnerabilities…. so I wouldn’t be quite content with where things stand at the moment. That much said, there are many reports out now that this is a hoax.
So, is Firefox impervious to any and all web attacks? NO. Just like any other software it has flaws, but truth be told this does NOT appear to be the big problem we were initially led to believe. The SecurityFix has an angle on this that isn’t being covered by too many other outlets: “We pretty much just wanted to have fun up there,” along with some other notes about their presentation and “research” on the flaw.
This leads me to conclude that they’ve pretty much succeeded in some ways towards one thing that they apparently urged people to do….
They ardently urged those in attendance to use their knowledge to “ruin things” as much as possible for Internet users.
The story of the boy who cried wolf comes to mind: crying wolf when there was none left the town defenseless when the wolf REALLY arrived. The same goes for computer security. We all lead busy lives, and when there’s a security problem it’s important that it not be a “crying wolf” incident. Too many incidents of JUST crying wolf over nothing and people ignore the warnings more and more. In fact, I think one reason many “average” people have such a hard time keeping their computers and antivirus up-to-date is that there is just TOO much to keep up with: Windows, Office, QuickTime, RealPlayer, Firefox, OpenOffice.org, AOL, antivirus software, not to mention all the other add-in toolbars and applications that people typically install. ALL of these need to be kept up with updates, and on many users’ systems you’ll find AT LEAST the list above installed. Then there is the third-party software that came with printers, digital cameras, etc. MANY times those third-party applications act as a web client of sorts as well (for update notifications or who KNOWS what). Add to that the driver layer, like the Intel wireless drivers of recent note.
What they’ve done is muddy the waters, and perhaps one more person has tuned out at this point: they heard Firefox wasn’t safe, then maybe that it was a hoax. Many already have the attitude that they have nothing anyone would want to take anyway, so they shouldn’t worry about computer security.
That much said, DoS vulnerabilities should be investigated and fixed, but this wasn’t quite the boogeyman it was built up to be.