View Full Version : Hackers warn of critical flaw in Firefox

10-02-2006, 10:50 PM
Hackers warn of critical flaw in Firefox

02 October 2006 - Two hackers at the ToorCon hacker conference in San Diego said that they’ve found a critical flaw in Firefox that looks, to them at least, impossible to patch.

The hackers, who have been named as Mischa Spiegelmock and Andrew Wbeelsoi, said that someone could execute an attack simply by creating a webpage with malicious JavaScript code. In most attacks, hackers have to get a computer user to download something to the computer, but in this case, they won’t know what hit them.

Windows users are used to facing security threats, but smug Apple and Linux users aren’t immune to this bug, as it affects all versions of Firefox.

Spiegelmock said that malicious code could create a stack overflow error, and called the implementation “a complete mess”.

Mozilla’s security chief Window Snyder took the presentation completely seriously after watch a video of it; she said Mozilla would “do some investigating”, but isn’t happy of the release of the exploit to the wide world of hackers.

The reason that the flaw is so difficult to patch? It’s in the part of the browser that deals with JavaScript.

After hearing that the two hackers know of another 30 unpatched flaws in Firefox, Jesse Ruderman, a Mozilla security staffer, encouraged them to disclose the bugs to Mozilla, who gives away $500 per vulnerability.

Wbeelsoi simply said, “It’s a double-edged sword, but what we’re doing is really for the greater good of the Internet. We’re setting up a communication networks for black hats”.

Black hats are malicious hackers, and most want to exploit flaws for private gain. However, many promote accessibility over privacy and security, so why they want to target open-source software of the type Mozilla develops is anyone’s guess.


10-03-2006, 09:07 PM
I like many really like Fire Fox, are there any work arounds? How much of the net would you kill turning off Java?


10-23-2006, 01:51 PM
Mozilla Firefox 2.0 Final to Hit Web Tuesday
OCT 23, 2006 11:49:45 AM | Add Comment (0) | Permalink

Mozilla, maker of the popular open-source browser Firefox, will on Tuesday release its most recent upgrade to the software, dubbed Firefox 2.0, The Seattle Times reports.

Mozilla’s last browser upgrade, Firefox 1.5, was released during the fall 2005, according to the Times, and independent and company estimates say between 11 and 15 percent of the browser market employs Firefox.

Mozilla last week announced the availability of its latest test, or beta version of its browser, dubbed Firefox 2.0 Release Candidate 3 (RC3), and various experts and pundits speculated that the release could be the last test version before the final edition release.

Among Firefox 2.0’s new features will be improved phishing safeguards, enhanced spell-check options as well as boosted search capabilities, according to the Times.

Microsoft, which owns the browser space with its Internet Explorer (IE) browser, last week released its latest version, IE 7, and many of its new features are similar to those that will be featured in the Firefox 2.0 release. Microsoft also debuted a tabbed-browsing function, which enables users to view multiple Web pages in one browser window—a feature that’s already offered in Firefox 1.5.

Firefox 2.0 will be available for free download and will run on Microsoft, Apple and Linux operating systems.

rag top man
11-03-2006, 12:29 PM
...so, any idea if this "critical flaw" has been cured in the latest edition of Firefox??

11-08-2006, 09:48 AM
Internet Explorer and Safari will not keep me logged in to this site anymore so Firefox is the best.
Also this site does not display right with Safari?

Hacker backpedals on Firefox zero-day claim
By Joris Evers
Staff Writer, CNET News.com

Published: October 3, 2006, 1:59 PM PDT
TalkBack E-mail Print del.icio.us Digg this

A hacker who claimed to have found a serious zero-day bug in Firefox now says he was never able to exploit the supposed vulnerability to hijack computers.

On Saturday, Mischa Spiegelmock and Andrew Wbeelsoi told attendees at the ToorCon event in San Diego that Firefox is critically flawed in the way it handles JavaScript. An attacker could commandeer a computer running the open-source Web browser simply by crafting a Web page that contains some malicious JavaScript code, they said. They displayed some of that code.

But Spiegelmock has now backpedaled on those claims. In a statement provided to Mozilla, which coordinates development of Firefox, Spiegelmock said that the computer code displayed during the presentation does not fully compromise a PC running the browser.

"I have not succeeded in making this code do anything more than cause a crash and eat up system resources, and I certainly haven't used it to take over anyone else's computer and execute arbitrary code," he wrote in the statement, which was posted on Mozilla's Web site on Monday.

"The main purpose of our talk was to be humorous," Spiegelmock wrote. "I apologize to everyone involved, and I hope I have made everything as clear as possible."

He pinned the claim that the hackers know of 30 yet-to-be-fixed flaws in Firefox entirely on his co-presenter, Wbeelsoi. "I have no undisclosed Firefox vulnerabilities. The person who was speaking with me made this claim, and I honestly have no idea if he has them or not," Spiegelmock wrote. Wbeelsoi could not immediately be reached for comment.

Video: Hackers claim Firefox zero-day flaw
Is the browser more vulnerable than thought?

Video: Hackers vs. Firefox
Mozilla antsy about expolited Firefox flaws.
The presentation at ToorCon caused a stir among Firefox developers. People worked through the weekend to investigate the issue, Window Snyder, Mozilla's security chief, said on Tuesday. Mozilla's bug-tracking Web site shows some evidence of that.

"At this point, Mischa is cooperating with us, and we're pleased that he has decided to work with us, but we're disappointed that so many people were spun up about this," she said. "It is an expensive operation in terms of resources and the individuals who lost time with their families over the weekend."

Based on the information Spiegelmock provided to Mozilla, the issue presented at ToorCon could still be a serious flaw, but so far, it looks like an innocuous crash, Snyder said. "We've got a potential issue, but at this point it is essentially a reliability issue. We have not been able to demonstrate code execution," she said.

In his statement, Spiegelmock wrote that the presentation included "a previously known Firefox vulnerability." Snyder, however, said that the potential issue is similar to an old bug, but is different.

CNET Reviews is gearing up to host the 2007 Best of CES Awards to recognize top new products at the show in 10 categories. The awards are open to exhibitors at CES 2007; submissions must be received by Dec. 1.
Submit now
"What they presented was a potential vulnerability," Snyder said. "Whenever you see a crash you want to investigate it completely, to evaluate whether or not there is any security impact. We have not exhausted all the options, so we're going to work on it...The right thing for Firefox users is to take it seriously and not dismiss anything."

Another security expert said the issue is nothing more than something that would cause Firefox to crash. "The test case from their slides is merely an out-of-memory crash bug and not a vulnerability," bug hunter Tom Ferris said. "Apparently, these guys just wanted to troll the media and the people at ToorCon."

Snyder couldn't say whether Mozilla would issue a patch to fix the reliability issue and potential vulnerability, or address it in a future release of the browser. "I can't say at this point, it requires further investigation," she said.