It looks like it affects Firefox on all operating systems and can allow for remote code execution. The only workarounds suggested are the NoScript extension and the possibility of browsing in a virtual machine.
It’s starting to look like THIS story may be falling apart….
The main purpose of our talk was to be humorous.
As part of our talk we mentioned that there was a previously known Firefox vulnerability that could result in a stack overflow ending up in remote code execution. However, the code we presented did not in fact do this, and I personally have not gotten it to result in code execution, nor do I know of anyone who has.
I have not succeeded in making this code do anything more than cause a crash and eat up system resources, and I certainly haven’t used it to take over anyone else’s computer and execute arbitrary code.
I do not have 30 undisclosed Firefox vulnerabilities, nor did I ever make this claim. I have no undisclosed Firefox vulnerabilities. The person who was speaking with me made this claim, and I honestly have no idea if he has them or not.
I apologize to everyone involved, and I hope I have made everything as clear as possible.
So, currently – the only flaw seems to be a remote browser crash. Still an issue, but not as bad as first claimed. Stay tuned.
Now, I’m not prepared to say don’t worry about this… as incidents.org notes, DoS attacks against IE in the past have had a tendency to resurface as remote code execution vulnerabilities, so I wouldn’t be quite content with where things stand at the moment. That much said, there are many reports out now that this is a hoax.
So, is Firefox impervious to any and all web attacks? NO. Just like any other software it has flaws, but truth be told, this does NOT appear to be the big problem we were initially led to believe. The SecurityFix has an angle on this that isn’t being covered by too many other outlets: “We pretty much just wanted to have fun up there” and some other notes about their presentation and “research” on the flaw.
This leads me to conclude that, in some ways, they’ve pretty much succeeded at one thing they apparently urged people to do….
They ardently urged those in attendance to use their knowledge to “ruin things” as much as possible for Internet users.
The story of the boy who cried wolf comes to mind: crying wolf when there was none ultimately left the town defenseless when the wolf REALLY arrived. The same goes for computer security. We all lead busy lives, and it’s important that when there’s a security problem it’s not a “crying wolf” incident. Too many incidents of JUST crying wolf over nothing and people ignore the warnings more and more. In fact, I think one reason many “average” people have such a hard time keeping their computers and antivirus up-to-date is that there is just TOO much to keep up with: Windows, Office, QuickTime, RealPlayer, Firefox, OpenOffice.org, AOL, antivirus software, not to mention all the other add-in toolbars and applications that people typically install. ALL of these need to be kept up to date, and for many users you’ll find AT LEAST the list above installed on the system. Not to mention third-party software that came with printers, digital cameras, etc. MANY times those third-party applications will act as a web client of sorts as well (for update notifications or who KNOWS what). Add to that the driver layer, like the Intel wireless drivers of recent note.
What they’ve done is muddy the waters, and perhaps one more person has tuned out at this point: they found out Firefox wasn’t safe, and then maybe it was a hoax. Many already have the attitude that they have nothing anyone would want to take anyway, so they shouldn’t worry about computer security.
That much said, DoS vulnerabilities should be investigated and fixed, but this wasn’t quite the boogeyman it was built up to be.