Firefox zero-day vulnerability (or is it?)



I saw a comment somewhere else that zero-day was overused and in essense ANY previously unknown vulnerability in open source software is technically zero day… the intent here though is to use the word in this context…. “vulnerability has been released without giving the vendor an opportunity to patch…” Yes, the fun vulnerability weekend seems to be continuing – there’s a javascript zdnet has coverage it’s “impossible to patch” (?) from the individuals that have publicized it. The announcement came at Toorcon.


It affects firefox on all Operating Systems it looks like and can allow for remote code execution. The only workarounds suggested are the noscript extension and the possibility of browsing in a Virtual Machine.

(10/2/06 update)

It’s starting to look like THIS story may be falling apart….

The main purpose of our talk was to be humorous.

As part of our talk we mentioned that there was a previously known Firefox vulnerability that could result in a stack overflow ending up in remote code execution. However, the code we presented did not in fact do this, and I personally have not gotten it to result in code execution, nor do I know of anyone who has.

I have not succeeded in making this code do anything more than cause a crash and eat up system resources, and I certainly haven’t used it to take over anyone else’s computer and execute arbitrary code.

I do not have 30 undisclosed Firefox vulnerabilities, nor did I ever make this claim. I have no undisclosed Firefox vulnerabilities. The person who was speaking with me made this claim, and I honestly have no idea if he has them or not.

I apologize to everyone involved, and I hope I have made everything as clear as possible.
Sincerely,
Mischa Spiegelmock

So, currently – the only flaw seems to be a remote browser crash. Still an issue, but not as bad as first claimed. Stay tuned.

–Update 10/3/06–

Now, I’m not prepared to say don’t worry about this…. as incidents.org notes DoS attacks against IE in the past have had a tendency to resurface as remote code execution vulnerabities…. so I wouldn’t be quite content with where things stand at the moment. That much said, there are many reports out now that this is a hoax.

Right now, I can say that the code presented at Toorcon apparently only leads to DoS and there have been no verifications of “30 exploits” for firefox’s javascript.

So, is firefox impervious to any and all web attacks – NO, just like any other software it has flaws, but the truth be told this does NOT appear to be the big problem we were initially led to believe. The SecurityFix has an angle on this that isn’t being covered too many other outlets. “We pretty much just wanted to have fun up there” and some other notes about their presentation and “research” on the flaw.

This leads me to conclude that they’ve pretty much succeeded in some ways towards one thing that they apparently urged people to do….

They ardently urged those in attendance to use their knowledge to “ruin things” as much as possible for Internet users.

The story of the boy that cried wolf comes to mind, ultimately crying wolf when there was none left the town defenseless when the wolf REALLY arrived. The same with computer security, we all lead busy lives and it’s important that if there’s a security problem it’s not a “crying wolf” incident. Too many incidents of JUST crying wolf over nothing and people ignore the warnings more and more. In fact, I think one reason many “average” people have such a hard time keeping their computers updated/antivirus up-to-date is the fact that there is just TOO much to keep up with. Windows, Office, Quicktime, Real player, Firefox, OpenOffice.org, AOL, Antivirus software, not to mention all the other add in toolbars and applications that people typically install. ALL these need to be kept up with updates and for many users you’ll find AT LEAST the list above installed on the system. Not to mention third party software that came with printers, digital cameras, etc. MANY times those 3rd party applications will act as a web client of sorts as well (for update notifications or who KNOWS what.) Add in to that the driver layer, like the Intel wireless drivers of recent note.

What they’ve done is muddy the waters and perhaps one more person has tuned out at this point, they found out firefox wasn’t safe and maybe it was a hoax, but many have the attitude they have nothing anyone would want to take anyway so they shouldn’t worry about computer security.

That much said, DoS vulnerabilities should be investigated and fixed, but this wasn’t quite the boogeyman it was built up to be.

Related Posts

Blog Traffic Exchange Related Posts
  • Securing SSH I REALLY like secure shell (SSH) for remote access to linux machines. You can do more than just a "telnet" like remote shell with it. (Port forwarding.) However, the default configuraton for the openssh-server is sometimes a bit less tight than I would like. For that reason on a new......
  • WMF vulnerability advisory update Microsoft has updated their security bulletin on the WMF vulnerability to note a couple things. One, they acknowledge that embedded images within a document can trigger the exploit. Previously they said this needed further investigation. Second, they are seconding what I've been finding that Windows 98 and other pre-XP systems......
  • Big Windows June update day Updates for Windows for the month of June are out today and it looks like some list! 12 updates covering 20 or more vulnerabilities. MANY of these are tagged as critical. (Critical vulnerabilities are considered remotely exploited or with little (or no) user interaction.) Sans has a good listing of......
Blog Traffic Exchange Related Websites
  • World Wide Web Security Essentials Is Not A Real Spyware Remover. It Resembles The Functions And Looks World wide web Security Essentials is not a real spyware remover. It resembles the functions and looks of genuine spyware removal software but has no capacity to eliminate any virus, trojan or malware. Web Security Essentials is the newest addition to the growing list of rogue Antivirus programs. Internet Security......
  • Microsoft Security Bulletin Summary for September 2010 - Issued: September 14, 2010 ******************************************************************** Microsoft Security Bulletin Summary for September 2010 Issued: September 14, 2010 ******************************************************************** This bulletin summary lists security bulletins released for September 2010. The full version of the Microsoft Security Bulletin Summary for September 2010 can be found at http://www.microsoft.com/technet/security/bulletin/ms10-sep.mspx. With the release of the bulletins for September 2010, this......
  • Responses to "Is Software Development Slowly Killing Me?" I got a lot of intelligent responses my question of "Is software development slowly killing me?" I thought I'd like to cover a couple as a weekend bonus. Since it's a borderline personal finance topic, it may be worth skipping if you are not into that kind of thing. One......
en.pdf24.org    Send article as PDF   

Similar Posts


See what happened this day in history from either BBC Wikipedia
Search:
Keywords:
Amazon Logo

Comments are closed.


Switch to our mobile site