Nekochan Net

Official Chat Channel: #nekochan // irc.nekochan.net
It is currently Mon Jul 28, 2014 6:34 pm

All times are UTC - 8 hours


Forum rules


Any posts concerning pirated software or offering to buy/sell/trade commercial software are subject to removal.



Post new topic Reply to topic  [ 7 posts ] 
Author Message
 Post subject: Firefox security hole...
Unread postPosted: Tue May 10, 2005 11:04 am 
Offline

Joined: Mon Apr 19, 2004 3:25 pm
Posts: 2783
Location: Los Angeles, CA
Nice...

Quote:
Firefox has unpatched "extremely critical" security holes and exploit code is already circulating on the Net, security researchers have warned.

The two unpatched flaws in the Mozilla browser could allow an attacker to take control of your system.

A patch is expected shortly, but in the meantime users can protect themselves by switching off JavaScript. In addition, the Mozilla Foundation has now made the flaws effectively impossible to exploit by changes to the server-side download mechanism on the update.mozilla.org and addons.mozilla.org sites, according to security experts.

The flaws were confidentially reported to the Foundation on 2 May, but by Saturday details had been leaked and were reported by several security organisations, including the French Security Incident Response Team (FrSIRT). Danish security firm Secunia marked the exploit as "extremely critical", its most serious rating, the first time it has given a Firefox flaw this rating.

In recent months Firefox has gained significant market share from Microsoft's Internet Explorer, partly because it is considered less vulnerable to attacks. However, industry observers have long warned that the browser is more secure partly because of its relatively small user base. As Firefox's profile grows, attackers will increasingly target the browser.

The exploit, discovered by Paul of Greyhats Security Group and Michael "mikx" Krax, makes use of two separate vulnerabilities. An attacker could create a malicious page using frames and a JavaScript history flaw to make software installations appear to be coming from a "trusted" site. By default, Firefox allows software installations from update.mozilla.org and addons.mozilla.org, but users can add their own sites to this whitelist.

The second part of the exploit triggers software installation using an input verification bug in the "IconURL" parameter in the install mechanism. The effect is that a user could click on an icon and trigger the execution of malicious JavaScript code. Because the code is executed from the browser's user interface, it has the same privileges as the user running Firefox, according to researchers.

Mozilla Foundation said it has protected most users from the exploit by altering the software installation mechanism on its two whitelisted sites. However, users may be vulnerable if they have added other sites to the whitelist, it warned.

"We believe this means that users who have not added any additional sites to their software installation whitelist are no longer at risk," Mozilla Foundation said in a statement published on Mozillazine.org.


Top
 Profile  
 
Unread postPosted: Tue May 10, 2005 7:14 pm 
Offline

Joined: Tue Feb 24, 2004 4:10 pm
Posts: 9460
unixmuseum wrote:
The two unpatched flaws in the Mozilla browser could allow an attacker to take control of your system.


IF you have "let websites install software" turned on. Sigh.

Quote:
In recent months Firefox has gained significant market share from Microsoft's Internet Explorer, partly because it is considered less vulnerable to attacks. However, industry observers have long warned that the browser is more secure partly because of its relatively small user base. As Firefox's profile grows, attackers will increasingly target the browser.

"Industry observers" = bootlicking Microsoft toady apologists, e.g. Ziff-Davis nitwits exploiting the ignorance of the general public. IF you leave "let websites install software" turned on and if you then go to a website you have no knowledge of and if you then ask that site to install some programs without even looking at them, then you are at risk of compromising your (most likely Windows) computer. (Doubt very much that Internet Exploder spyware or viruses will install on my SGI computers.)

This fearsome risk certainly has me quivering under the bed at night.

Quote:
By default, Firefox allows software installations from update.mozilla.org and addons.mozilla.org, but users can add their own sites to this whitelist.

Agreed. The Mozilla people have turned to shit as well, what with their "send email as html" and garbage browser defaults. Still, the Mozo products can easily be reconfigured or dumped entirely. IE, with half its dll's intricately entwined into the os'es guts, is another matter entirely. But this "industry observers" crap, jesus. Whatta crock.


Top
 Profile  
 
 Post subject:
Unread postPosted: Tue May 10, 2005 7:56 pm 
Offline

Joined: Mon Apr 19, 2004 3:25 pm
Posts: 2783
Location: Los Angeles, CA
You know, it's the exact same issue as with IE: the circumstances for which a system would be compromised with firefox seem outrageous to you and me, but guess what? The numbnuts who get 500 spywares on their PC within 30 minutes of web browsing with IE have been told there is no way it could happen with firefox, so they're plugging away just the same, ignoring the simplest common sense, "because it doesn't happen with firefox"... Turns out it does, which we both know it does...


Top
 Profile  
 
 Post subject:
Unread postPosted: Wed May 11, 2005 12:56 am 
Offline

Joined: Tue Feb 24, 2004 4:10 pm
Posts: 9460
unixmuseum wrote:
You know, it's the exact same issue as with IE: the circumstances for which a system would be compromised with firefox seem outrageous to you and me, but guess what? ....

I have to agree that the people creating Mozilla have become Yet Another Group of Morons. The default settings stink :-(


Top
 Profile  
 
 Post subject:
Unread postPosted: Thu May 12, 2005 7:45 pm 
Offline
Site Admin
Site Admin
User avatar

Joined: Thu Jan 23, 2003 1:31 am
Posts: 7970
Location: Pleasanton, California
Looks like Firefox 1.0.4 was released today - hopefully foetz will have an IRIX build for us soon.

_________________
Twitter: @neko_no_ko
IRIX Release 4.0.5 IP12 Version 06151813 System V
Copyright 1987-1992 Silicon Graphics, Inc.
All Rights Reserved.


Top
 Profile  
 
 Post subject:
Unread postPosted: Fri May 13, 2005 3:02 pm 
Offline
User avatar

Joined: Mon Apr 14, 2003 3:34 am
Posts: 5096
nekonoko wrote:
Looks like Firefox 1.0.4 was released today - hopefully foetz will have an IRIX build for us soon.


running at the moment :D :D
in my folder soon...


however, the latest nightlies are based on 1.8b2 so they should be safe.
current firefox and thunderbird version are still based on 1.7.x.

_________________
r-a-c.de


Top
 Profile  
 
 Post subject:
Unread postPosted: Fri May 13, 2005 5:30 pm 
Offline
User avatar

Joined: Mon Apr 14, 2003 3:34 am
Posts: 5096
out now :D

_________________
r-a-c.de


Top
 Profile  
 
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 7 posts ] 

All times are UTC - 8 hours


Who is online

Users browsing this forum: No registered users and 2 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group