PDA

View Full Version : Critical flaws found in Firefox



ReaperFett
May 10th, 2005, 03:08:03 PM
Lot of people use it here, so best to say:

http://news.bbc.co.uk/1/hi/technology/4532127.stm


Mozilla has responded by changing its update service and says people should temporarily turn off JavaScript code.

Shawn
May 10th, 2005, 04:29:48 PM
I'm not too sure how valid this is. Someone set up a page which is supposed to download and run a harmless batch file, as an example of how this exploit can be used. It was posted at another forum and no one, myself included, managed to get it to work as intended.

Link: http://greyhatsecurity.org/vulntests/ffrc.htm

Either way, I believe you can circumvent this just by unchecking "Allow websites to install software."

Morgan Evanar
May 10th, 2005, 08:13:55 PM
This exploit is incredibly difficult to use. I wouldn't worry about it.

Yog
May 11th, 2005, 03:02:11 AM
When it comes to security, there is and always been one important difference in particular between Internet Explorer and alternative browsers like Firefox or Opera.

Exploits in IE may potentially have far more serious repercussions. The reason for this is in how IE integrates with the operating system itself. These are called cross-zone scripting exploits; scripts which not only exploits and causes unintended behavior like DOS or crashes in your browser, but may even establish a backdoor which can compromise your entire system security.

Luckily, MS did put in preventive measures to avoid these kinds of exploits in service pack 2 for windows XP, however the local zone integration does still exist, and exploits of this nature is still possible. In addition there is IEs hazzardous implementation of Active X, iframes and java scripts which is a serious security hazzard on itself for the unaware user.

So what I am saying is, even if Secunia calls the flaws in firefox "Extremely Critical" its still a drop in the sea compared to the potential exploits in IE. I personally would not worry about this at all, and I concider myself fairly paranoid when it comes to Internet security.

There is however a 1.0.4 version on the way which adresses this issue. The beta can be found <a href=http://weblogs.mozillazine.org/asa/archives/008121.html>here</a>

Shawn
May 11th, 2005, 07:27:22 PM
Has anyone managed to get the link I posted above to work? For such a critical flaw, I can't seem to deliberately exploit it.

Cat Terrist
May 12th, 2005, 07:36:36 AM
Originally posted by Shawn
Has anyone managed to get the link I posted above to work? For such a critical flaw, I can't seem to deliberately exploit it.

No, because you have to change your default behaviour with a about:config change AND have java if I understand it right. It's realyl overblown to call it extremely critical. So, if something this difficult to exploit is called 'critical', WTF are the real and very serious issues with IE called that are still not addressed?

Yog
May 12th, 2005, 08:32:05 AM
My answer to that, IE is just an extremely critical mess of a browser :)

Morgan Evanar
May 12th, 2005, 11:04:14 AM
Originally posted by Cat Terrist
So, if something this difficult to exploit is called 'critical', WTF are the real and very serious issues with IE called that are still not addressed? A catastrophe.

edit: Firefox has a release which addresses this bug.

www.mozilla.org