Hackers claim zero-day flaw in Firefox (ZDNet)
"The JavaScript issue appears to be a real vulnerability, Window Snyder, Mozilla's security chief, said after watching a video of the presentation Saturday night. 'What they are describing might be a variation on an old attack,' she said. 'We're going to do some investigating.'" The presenters claim to know about another 30 undisclosed Firefox vulnerabilities.
Update: it seems that the presenters' claims may have been a little overblown, if not entirely fraudulent.
Posted Oct 1, 2006 14:02 UTC (Sun)
by ismail (subscriber, #11404)
What is worse that Mozilla Foundation's security policy, which they make
Posted Oct 1, 2006 16:53 UTC (Sun)
by job (guest, #670)
Sorry, I probably don't disagree with you at all, I'm just allergic to that expression. A lot of people use it as an excuse to choose obviously insecure software. While most software is not fully secure, the odds of finding holes as well as the impact of them is what's interesting.
Posted Oct 1, 2006 17:17 UTC (Sun)
by jfj (guest, #37917)
Posted Oct 2, 2006 14:56 UTC (Mon)
by gerv (guest, #3376)
Posted Oct 2, 2006 15:02 UTC (Mon)
by gerv (guest, #3376)
However, back in the real world, if you want to experience the full web, Firefox (on Linux ;-) is the safest option.
Posted Oct 1, 2006 18:27 UTC (Sun)
by AJWM (guest, #15888)
Probably because you're smart enough to recognize that that is the mantra of someone pushing insecure products. (So you might as well buy theirs).
Security is not a binary "is or is not" property. Security is a continuum, and it depends on the value (to someone else) of what you're trying to secure and how much effort they're willing to go to to get it or damage it. So while Firefox may not be absolutely secure (as indeed, nothing is), it's more secure than a certain widely used other browser out there. There may well be other browsers that are more secure than Firefox -- or at least more secure in some aspects, perhaps less so than others.
It's like the old joke about two hikers who encounter an enraged grizzly bear, and one stops to put on sneakers. "Are you crazy? You'll never run faster than the bear" his buddy says. "I don't need to run faster than the bear, I just need to run faster than you." Unless you've got something of unique value on your system, your system just needs to be secure enough to encourage crackers to go elsewhere. (And yes, that's a moving target.)
Posted Oct 2, 2006 10:20 UTC (Mon)
by drag (guest, #31333)
What is that.. VM FTW? (stupid saying, ftw)
Here is what you do: Set up one of the multitude of low resource vm/container-like items for linux. Like Linux-Vserver or OpenVZ or whatnot. There are at least 3 or 4 good options.
Take Debootstrap and set up a bare-bones install in a directory for Debian. Apt-get install Firefox. Whatever. Maybe busybox. Name your poison, the goal is to get a minimal Linux install in there separate from your system to prepare the way to running your browser.
Set up that as a read-only portion for a UnionFS file system. Set up a shared directory so that files you want to download off the internet are made available to a specific directory in your home directory. That way you end up with a read-only base you can update as you feel like it, and a read-write portion that allows everything to function well, but is easily deleted.
Run Firefox from that container via X forwarding. (although that has its own issues, doesn't it?) Every once in a while blow the 'read/write' directory away and update the 'read-only' portion. Hell, automate it. Do it every third time you start a new browser session or something.
Then tell the zero-day'ers to go F- themselves. To me that seems the easiest way to get secure browsing done. Now you don't have to worry about browser hacks giving people access to install scripts, change your bashrc around, pulling sensitive information, or anything else of that nature.
I figure the name of the game with that is: "rm -- the ultimate anti-spyware"
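The periodic reset described in the comment above ("blow the 'read/write' directory away", "every third time you start a new browser session"), as an added example that is not part of the original comment. The directory layout (`base`, `rw`, a `sessions` counter file) and the function names are assumptions; mounting the union and starting the container are left to the caller, and the wipe is meant to run while the container is stopped.

```shell
#!/bin/sh
# Assumed layout (hypothetical, not from the thread):
#   $SANDBOX/base      read-only branch (the debootstrap tree)
#   $SANDBOX/rw        writable branch, disposable
#   $SANDBOX/sessions  counter of browser sessions since the last wipe

RESET_EVERY=3   # "every third time you start a new browser session"

# Reject paths that could send rm -rf into the wrong tree:
# empty, root, dot paths, parent references, non-directories, symlinks.
safe_layer_path() {
    case "$1" in
        ''|/|.|..|*/..|*/../*) return 1 ;;
    esac
    [ -d "$1" ] && [ ! -L "$1" ]
}

# Delete everything inside the writable branch but keep the directory
# itself, since the union mount refers to it.
wipe_rw_layer() {
    safe_layer_path "$1" || { echo "refusing to wipe '$1'" >&2; return 1; }
    ( cd -- "$1" && find . ! -name . -prune -exec rm -rf -- {} + )
}

# Count a new session and wipe the writable branch on every
# RESET_EVERY-th start. Prints "wiped" or "kept".
start_session() {
    sandbox=$1
    counter="$sandbox/sessions"
    n=$(cat "$counter" 2>/dev/null) || n=0
    case "$n" in
        ''|*[!0-9]*|0?*) n=0 ;;   # missing or corrupt counter: start over
    esac
    n=$((n + 1))
    if [ "$n" -ge "$RESET_EVERY" ]; then
        wipe_rw_layer "$sandbox/rw" || return 1
        n=0
        echo wiped
    else
        echo kept
    fi
    echo "$n" > "$counter"
}
```

Call `start_session /path/to/sandbox` from the wrapper that launches the browser, before the union is mounted, so anything a compromised session wrote to the writable branch (a modified bashrc, dropped scripts) is gone by the third start at the latest.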
Posted Oct 1, 2006 14:31 UTC (Sun)
by madscientist (subscriber, #16861)
https://addons.mozilla.org/firefox/722/
Posted Oct 1, 2006 23:58 UTC (Sun)
by djabsolut (guest, #12799)
Posted Oct 2, 2006 0:27 UTC (Mon)
by Arker (guest, #14205)
Well designed pages normally work fine without it. The few that have a legitimate reason to be using it get whitelisted. When I'm going through dozens of random websites off a google search looking for information, the scripting gets blocked, any attempted exploits of scripting foiled, and braindead pages that don't work without it can be seen for the crap they are very quickly, which saves time.
Posted Oct 2, 2006 8:15 UTC (Mon)
by robdinn (guest, #30753)
I used to routinely run the browser with javascript
With the noscript extension, I no longer make that mistake.
Posted Oct 2, 2006 17:59 UTC (Mon)
by copsewood (subscriber, #199)
Posted Oct 5, 2006 8:30 UTC (Thu)
by robdinn (guest, #30753)
Posted Oct 2, 2006 5:10 UTC (Mon)
by madscientist (subscriber, #16861)
If you have a site that needs JS, it takes literally two clicks to white list that site. Maybe your usage patterns are different but I tend to go to the same sites a lot, rather than different sites all the time, and most of the sites I use don't need JS enabled anyway.
Where's the downside?
Posted Oct 1, 2006 16:57 UTC (Sun)
by johnkarp (guest, #39285)
"It is a double-edged sword, but what we're doing is really for the
Posted Oct 1, 2006 21:16 UTC (Sun)
by b7j0c (guest, #27559)
there is a way to deal with this - run the NoScript extension. this lets
Posted Oct 2, 2006 1:22 UTC (Mon)
by tetromino (guest, #33846)
<Jesse_> have you guys heard about the supposed vuln in firefox disclosed at toorcon today?
. . .
<jX> http://news.com.com/Hackers+claim+zero-day+flaw+in +Firefox/2100-1002_3-6121608.html
. . .
<Jesse_> http://news.com.com/Hackers+claim+zero-day+flaw+in +Firefox/2100-1002_3-6121608.html quotes me out of context in a way that makes it look like i'm trying to bribe them with $500 bug bounties :(
Posted Oct 3, 2006 4:47 UTC (Tue)
by notamisfit (guest, #40886)
Isn't AFD about six months away?
Posted Oct 3, 2006 7:02 UTC (Tue)
by appie (guest, #34002)
I hope this will get people to realize: Firefox is NOT secure, nothing is fully
secure. Saying Firefox is secure is just a blind lie.
security bugs non-public , and even not timely fixing them. There was even a
security bug many-years old which got fixed after someone discovered the bug
and posted to bugtraq.
I really have a problem with the "nothing is fully secure" mantra. Of course everything can be abused in some way, but the design of a particular software may be more or less secure. Very well designed software is "secure" in a practical sense, such as QMail, Postfix or vsftpd. I'd be very surprised to see a hole in any of those, while not so much with Firefox.
I'd like to second this comment. There is a general tendency these days "there is no security, just give it up. You'll never be secure and just trust your software provider". Well, wrong. If the code is well-written and small, people really can make a secure system. Part of mozilla's insecurities (which are probably more than IE) are due to the extreme complexity of the project. Ahh, welcome to the invasion of the *.Orgs: A couple of people controlling a huge code base through extreme complexity, in the hope to make a profit.
"Part of mozilla's insecurities (which are probably more than IE) are due to the extreme complexity of the project."
Are you volunteering to write a web browser for today's web which isn't extremely complex?
Gerv
To elaborate: yes - small, simple and well designed makes things much more secure. We could tell everyone to stop using the web for five years while site owners go away and write sites in valid, semantic, easy to parse HTML and other web standards, while a free software group writes a small and simple browser for this new web from the ground up. The end result would be a lot more secure than Firefox.
> I really have a problem with the "nothing is fully secure" mantra.
Woot for Virtual Machines, I guess.
As one of the comments on the ZDNet article points out, everyone should use the NoScript addon to FF: it lets you allow JS only in the sites you trust and disables them everywhere else. Very nice!
... everyone should use the NoScript addon to FF: it lets you allow JS only in the sites you trust and disables them everywhere else. Very nice!
Disabling Javascript by default would be silly. Many sites use Javascript to good effect, which allows for a much better layout/navigation/interactivity etc. You can't do everything with HTML/CSS. No Javascript because 0.0000001% of sites may want to exploit some hole is bordering on using a cannon to kill a fly.
I use it, and I don't think it's silly at all.
seconded!
turned off, but turn it on for sites that needed it and
that I wanted to use. The danger is that you forget to
turn it back off again once you leave the site and you
don't learn that you made this mistake until a long time
later. I made this mistake regularly.
That's a real security/usability improvement.
Perhaps this extension could be improved by putting a default timeout on the
permission granted, allowing a user override on the timeout.
Good idea, but the extension author already thought of that!
They have an option to temporarily allow a site (domain) to use javascript
for that invocation of the browser. Next time you start the browser
it defaults back to off. You can also permanently enable a site for
java script.
The same could be said about patching any vulnerability in IE etc.: there is a tiny fraction of people who want to or can exploit them. I doubt anyone would recommend that you not bother.
An interesting quote at the end of the article:
greater good of the Internet, we're setting up communication networks for
black hats"
RUN NOSCRIPT (and cookiesafe)
it is almost impossible to secure javascript...beyond these architectural
flaws, there are endless XSS attacks which are perfectly legal javascript,
yet are likely something you do not want to be executing.
you whitelist sites that are allowed to execute javascript. it also lets
you give "temporary" permission to sites you likely just want to use once.
running NoScript will also tell you about little issues like third party
javascript that is running where you wouldn't expect it....like my broker
of all companies, running (or at least TRYING to run) Doubleclick code on
their pages. cookiesafe works the same way, but for cookies. you simply
must run both of these in my opinion.
Interesting bit from the /. discussion
( from http://it.slashdot.org/comments.pl?sid=198519&cid=162... )
<Ryan> "Firefox re-entrant threading"?
<reed> http://www.toorcon.org/2006/conference.html?id=13
<Jesse_> yeah, that one
<reed> Jesse_: Did you go to that particular one?
<Jesse_> yes
<Jesse_> i also went up on stage to "debate" "disclosure" with them
<Jesse_> when i said "debate" "disclosure", i didn't mean the usual "how much time should security researchers give vendors to write and deploy patches before making the holes or exploits public" debate
<Jesse_> these guys were *against* disclosure
<Jesse_> preferring to keep the status quo of lots of vulnerabilities, large botnets (so they can be anonymous), etc. or maybe they were joking, it was hard to tell.
<Jesse_> they claim they can make $10,000 or $20,000 selling a vuln in firefox
<Jesse_> compared to $500 telling us about it
<Jesse_> selling to other blackhats, anonymously, using onion networks, of course
<dveditz> TippingPoint and iDEFENSE will pay up to $10K for IE and probably firefox vulns
<jX> "...what we're doing is really for the greater good of the Internet, we're setting up communication networks for black hats," How exactly is that for the greater GOOD?
<dveditz> the black hats crusade for our freedom (and credit cards) against the evil fascist empire
<dveditz> they *earn* everything they steal by doing all the good they do keeping "the man" from owning the internet
<zach> Jesse_: they dragged you up on stage during their talk?
<jX> Jesse_: Yeah, doesn't really make anyone look good, that article..
<Jesse_> "I do hope you guys change your minds and decide to report the holes to us and take away $500 per vulnerability instead of using them for botnets" is pretty close to the BEGINNING of a sentence i said
<Jesse_> the REST of the sentence was " or selling them to other blackhats for ten thousand dollars"
<Jesse_> with the whole sentence, it's clear that i'm hoping they'll change for ethical reasons, and that i'm not trying to bribe them
<jX> Jesse_: Yeah, but quoting you out of context makes for better copy.
<zach> Jesse_: did they actually drag you on stage during their talk as the article suggests?
<Jesse_> zach: they left a lot of time after their slides, and asked me to come up
<Jesse_> zach: they told me before the talk that they might ask me to come up
<Jesse_> dveditz: yeah, about 20 minutes before
http://developer.mozilla.org/devnews/index.php/2006/10/02...
0-day can be dropped from most security related articles as well.
There's bugs, vulnerabilities, no fixes yet, let's call it 0-day, yay !
Looks like the "new" buzz-word atm.