katakorinthia Posted October 3, 2006 Share Posted October 3, 2006 ZDNet posted: -------------------------------------------------------------------------------- By Joris Evers, CNET News.com Published on ZDNet News: September 30, 2006, 10:57 PM PT SAN DIEGO--The open-source Firefox Web browser is critically flawed in the way it handles JavaScript, two hackers said Saturday afternoon. An attacker could commandeer a computer running the browser simply by crafting a Web page that contains some malicious JavaScript code, Mischa Spiegelmock and Andrew Wbeelsoi said in a presentation at the ToorCon hacker conference here. The flaw affects Firefox on Windows, Apple Computer's Mac OS X and Linux, they said. "Internet Explorer, everybody knows, is not very secure. But Firefox is also fairly insecure," said Spiegelmock, who in everyday life works at blog company SixApart. He detailed the flaw, showing a slide that displayed key parts of the attack code needed to exploit it. The flaw is specific to Firefox's implementation of JavaScript, a 10-year-old scripting language widely used on the Web. In particular, various programming tricks can cause a stack overflow error, Spiegelmock said. The implementation is a "complete mess," he said. "It is impossible to patch." The JavaScript issue appears to be a real vulnerability, Window Snyder, Mozilla's security chief, said after watching a video of the presentation Saturday night. "What they are describing might be a variation on an old attack," she said. "We're going to do some investigating." Snyder said she isn't happy with the disclosure and release of an apparent exploit during the presentation. "It looks like they had enough information in their slide for an attacker to reproduce it," she said. "I think it is unfortunate because it puts users at risk, but that seems to be their goal." At the same time, the presentation probably gives Mozilla enough data to fix the apparent flaw, Snyder said. However, because the possible flaw appears to be in the part of the browser that deals with JavaScript, addressing it might be tougher than the average patch, she added. "If it is in the JavaScript virtual machine, it is not going to be a quick fix," Snyder said. The hackers claim they know of about 30 unpatched Firefox flaws. They don't plan to disclose them, instead holding on to the bugs. Jesse Ruderman, a Mozilla security staffer, attended the presentation and was called up on the stage with the two hackers. He attempted to persuade the presenters to responsibly disclose flaws via Mozilla's bug bounty program instead of using them for malicious purposes such as creating networks of hijacked PCs, called botnets. "I do hope you guys change your minds and decide to report the holes to us and take away $500 per vulnerability instead of using them for botnets," Ruderman said. The two hackers laughed off the comment. "It is a double-edged sword, but what we're doing is really for the greater good of the Internet, we're setting up communication networks for black hats," Wbeelsoi said. Quote Link to comment Share on other sites More sharing options...
Raeda Posted October 3, 2006 Share Posted October 3, 2006 Nope, it's a hoax. link to eweek's response Quote Link to comment Share on other sites More sharing options...
Waldonnis Posted October 3, 2006 Share Posted October 3, 2006 Nope, it's a hoax.link to eweek's response I figured it might be (saw the hoax story earlier today). Any time someone claims that there is a security flaw that "cannot be fixed", I'm suspicious. Extensive recoding required, sure, but cannot be fixed at all? There is a sliver of truth that the hoax was built upon, though. There is a denial-of-service attack that could be executed against the JavaScript code that has been known about for a moderate amount of time (in FireFox terms)...think they're still figuring out how to fix that. The original claim was that the same mechanism that could be used to start the DoS could be used to execute the malicious code. In all, they got press, which isn't difficult since there aren't many journalists that know crap about technology and couldn't research a story if their lives depended on it. Hope their "OMGWESKERDTEHWORLD" 15mins of fame was enjoyable since I'll have to spend the next 15 days redefending my choice of FireFox use at work now... Quote Link to comment Share on other sites More sharing options...
Kantus Posted October 12, 2006 Share Posted October 12, 2006 Hope their "OMGWESKERDTEHWORLD" 15mins of fame was enjoyable since I'll have to spend the next 15 days redefending my choice of FireFox use at work now... See Waldy, it turned out to be not so bad. Your assumption was that the people at work would actually have read enough of the news to know that there was a) a flaw and b) it was (mostly) a hoax. Yey for lazy (this time.) Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.