Alleged 'Unfixable' Exploit in Firefox

By Scott M. Fulton, III | Published October 2, 2006, 11:52 AM

An overflow of stories concerning an alleged Firefox 1.5 exploit hit the Web over the weekend, emerging from an underground users' conference in San Diego. But now that the dust has begun to settle, evidence of the exploit's severity, and even of its existence, has yet to materialize from official sources, including the Mozilla organization responsible for Firefox's development.

A few weeks ago, Secunia reported a series of exploitable bugs involving Firefox's JavaScript interpreter in an official advisory, which as of this morning continues to rate these flaws as "highly critical."

"An error in the handling of JavaScript regular expressions containing a minimal quantifier," reads the Secunia advisory, "can be exploited to cause a heap-based buffer overflow." No more recent Firefox flaws have been added to Secunia's list since then.

The alleged flaw introduced last weekend at the ToorCon convention in San Diego was reported to also involve a buffer overflow triggered through the JavaScript interpreter, although reports have made it appear this is the first such flaw in Firefox's history -- which is far from reality. The venue in which the alleged flaw was presented -- a session entitled "LOVIN THE LOLS - LOL IS MY WILL" -- promised attendees a mix of BIOS patches, AIM exploits and sexual innuendo.

There, amid the presumed innuendo, new Mozilla security chief Window Snyder -- a former @stake researcher recently hired away from Microsoft -- reportedly took seriously a video of the exploit shown at the conference, although reports do not go so far as to say whether Mozilla officials consider the exploit to be particularly novel.

In any event, characterizations of the apparently uniquely prepared exploit as "unpatchable" have spread faster than the average zero-day, without the aid of a professional security advisory to push it along.

BetaNews has contacted Mozilla.org officials for comment on the alleged flaw, which may yet be forthcoming.

Comments

hoax and/or propaganda, take your pick.

Unfixable, yeah that's cute.

Score: 0

|

Actually this is turning out to be a hoax concocted by the hackers - I do appreciate the fact that Mozilla is still looking into it before shuffling it off 'as a joke'. Source: http://arstechnica.com/n...post/20061002-7885.html
*snip*
The after-story... there's no story at all?

Mozilla has been able to reproduce a DoS issue based on the information, according to a new post on the Mozilla Developer Center. So far, they have yet to determine whether code execution is a possibility, but say they are "still investigating" and promise updates as necessary. Nevertheless, it's beginning to look as though this was largely a prank.

Mischa Spiegelmock has now said that the talk "was to be humorous," and that the presentation covered a "previously known Firefox vulnerability that could result in a stack overflow ending up in remote code execution." In other words, they didn't discover a new flaw.

Spiegelmock said that the code they presented to attendees does not actually work, lowering fears that a true zero-day exploit could be in the wild. To make matters more embarrassing, Spiegelmock also said that no one has successfully executed arbitrary code using the attack. "I have not succeeded in making this code do anything more than cause a crash and eat up system resources, and I certainly haven’t used it to take over anyone else’s computer and execute arbitrary code," according to comments on Mozilla's developers blog.

As to the claim that there are 30 known exploits in Firefox, Spiegelmock said that the claim was made only by Wbeelsoi, and indicated that it, too, has not been verified.
*snip*

Score: 0

|

Opera 9:
Vendor Opera Software
Product Link View Here (Link to external site)
Affected By 1 Secunia advisories
Unpatched 0% (0 of 1 Secunia advisories)
Most Critical Unpatched
There are no unpatched Secunia advisories affecting this product, when all vendor patches are applied.
-----------------------------------------------------
FF 1.x
Vendor Mozilla Organization
Product Link View Here (Link to external site)
Affected By 36 Secunia advisories
Unpatched 8% (3 of 36 Secunia advisories)
Most Critical Unpatched
The most severe unpatched Secunia advisory affecting Mozilla Firefox 1.x, with all vendor patches applied, is rated Less critical
---------------------------------------------------
Is it just me or is there a significant difference in numbers ?
but then who really cares i mean security is for noobs now as we have grown mature since FF's launch date. And then others cannot and will not be able to satisfy our FLOSS fetish needs.

Score: 0

|

It's looking like this was a hoax. You gonna update the story?

Score: 0

|

I mean *what* is the point of using opera, speed(page load and app load time) security (total patched un-patched vulnerabilities) features(IRC,mail,bit-torrent client built in) stronger pop-up blocker(in comparison with ff) etc etc.
Cuz few seconds will not kill me nor will few pop-ups and every app's vulnerability increases with its user base and features == bloat bloat bloat.
And the fact opera cannot open few sites (tried very hard but none are coming to my mind but for most ppl no. of incompatible sites/pages will be around 5-7).
And the fact FF is open source and Opera is not.

i don't get it.................................. exactly what was the biggest point of dumping and criticising Internet Explorer ?
ummm it maybe that Open Source fetish ;)

Score: 0

|

Blah Blah Blah...

Everyone who commented here (except me) is the Devil.

Score: 0

|

A lot of people here are talking about Java, you guys do know that Java is NOT the same thing as JavaScript right?

Although I do hate to see that da*# coffee cup loading a Java app.

Score: 0

|

At least it's not loaded with spyware, like microsh*ts IE.

Score: 0

|

"At least it's not loaded with spyware, like microsh*ts IE."

How intelligent. You know what? Your comment convinced me to switch to FireFox :/

Seriously, you must be a liberal since all you can do is talk from your unchangeable perspective.

Score: 0

|

You might want to look up the words liberal and conservative, let alone rein in your d*mning political bigotry ...

Definitions
Liberal: "open-minded or tolerant"
Conservative: "disposed to preserve existing conditions, and to limit change."

Score: 0

|

However incorrect the reply, it doesn't make BrettT1 any less ignorant.

Score: 0

|

Oh no! Yet another one? :D

Score: 0

|

One can always read varied opinions from different individuals, when such flaws are explored in browsers. One has to realize that this is a continuous process of improvisation, which is done in stages; known to us as "versions".

The next revolution in the IT industry would be of, a browser that is developed on the grounds of security. Security needs to be implemented on a hierarchical basis, rather than having it superficially!!

Score: 0

|

somehow i don't think you meant "improvisation" (inventing or performing with little or no preparation) ... i think you meant "improvement" :P

Score: 0

|

Mozilla has posted the following update today:
----------------------------------------------
"Possible Vulnerability Reported at Toorcon

When someone says they’ve identified a vulnerability, we treat it as real until we can verify otherwise. We immediately begin investigating and trying to fix it. This is how we’re able to ship fixes so quickly.

At Toorcon this weekend, two speakers claimed they found vulnerabilities in the Javascript VM. Of course we take that very seriously.

So far we’ve been able to reproduce a denial of service issue based on the information they gave during their talk. In some cases this causes a crash based on an out of memory error. Based on the information we have at this time we have not been able to confirm whether an attacker can achieve code execution. We’re still investigating and we’ll keep you updated.

-Window Snyder"

Score: 0

|

Here's another followup that's been posted:
---------------------------
"We got a chance to talk to Mischa Spiegelmock, the Toorcon speaker that reported the potential javascript security issue referenced earlier. He gave us more code to work with and also made this statement and agreed to let me post it here:

The main purpose of our talk was to be humorous.

As part of our talk we mentioned that there was a previously known Firefox vulnerability that could result in a stack overflow ending up in remote code execution. However, the code we presented did not in fact do this, and I personally have not gotten it to result in code execution, nor do I know of anyone who has.

I have not succeeded in making this code do anything more than cause a crash and eat up system resources, and I certainly haven’t used it to take over anyone else’s computer and execute arbitrary code.

I do not have 30 undisclosed Firefox vulnerabilities, nor did I ever make this claim. I have no undisclosed Firefox vulnerabilities. The person who was speaking with me made this claim, and I honestly have no idea if he has them or not.

I apologize to everyone involved, and I hope I have made everything as clear as possible.

Sincerely,
Mischa Spiegelmock

Even though Mischa hasn’t been able to achieve code execution, we still take this issue seriously. We will continue to investigate.

-Window Snyder"

Score: 0

|

thanks for the update guys ... the best two comments in the entire bunch.

Score: 0

|

agreed.

funny how there's so many people out there just waiting to stab firefox in the jugular... so many haters! this thing isn't even proven to be that serious and already everybody's like "I told you so"... LOL

Score: 0

|

Thanks for some real information.

Since JavaScript allows loops and dynamic allocation then a bad programmer or an evil one can write a loop that runs forever and uses up all available memory.

Tricky problem to know when to stop a runaway program.

Score: 0

|

funny how there's so many people out there just waiting to stab IE in the jugular... so many haters! things aren't even proven to be that serious and everybody's like "I told you so"... LOL

Score: 0

|

Unpatchable.. no way.. It's definitely patchable. It's probably that the hackers couldn't find a way to fix it so said it was: "Unpatchable"

As with all software.. if it can be made.. it can be hacked too.. Nothing is secure, we just have to prevent it.

Score: 0

|

If there were better browsers than firefox i would ditch it. Unfortunately there aren't ;(

Score: 0

|

I use Firefox, but only because my customers do. Firefox is notorious for locking up and running the CPU at 100% when it encounters a Java error. This especially happens when a page is long, such as a forum-type page.

I've written to the Mozilla folks several times on this.

For my own purposes I use IE because it runs fast and doesn't fail me.

Score: 0

|

Didn't you know that IE is a huge magnet for Adware and Spyware. I've proved it over and over. Firefox just doesn't pick up even a fraction of what IE does. That's why we banned the use of IE in our institution.

Score: 0

|

I can guarantee if you show any mindless user FireFox, and demo it to the point where they understand and see the value in features they would switch in a heart beat. others, well they are just stuck in the old ways or just don't see value in it, or was not demoed properly.

I mean ie doesn't have a fraction of the features as FireFox does thanks to extensions that are readily available by the click of a button add tab browsing and customizable skins and you have a win win all the way, with 2.0 set to be released soon with even more built in features that will be helpful.

As for ie, it is a browser with limited features and follows as few standards as possible, I mean it is designed with Microsoft's Internet in mind. This itself is fricken ridiculous ie and Microsoft has single handed held the Internet back with a giant chain. I mean its 5 years old what do you expect. The Internet has probably grown by several billion websites. The current technology in use today was on the drawing board when ie was released. Most websites were based on Microsoft's standards which are sloppy and ridiculous.

It has vulnerabilities posted on a regular basis even after 5 years and well what good is there to say about it. it works, it browses the web. if that is all you want or need then be like the 90 sum percent of the users who don't know better.

As for problems, I can probably count on one hand the number of times it has locked up in 2 years. That is with over a dozen extensions running with it along with themes. As for lock ups I am going to assume it is Java's software not FireFox locking up. Update your version and I bet it will fix itself. I surf the web at least 75 hours a week, I view and look at every type and kind of website you can think of with zero problems.

yes if you surf the web for an extended period of time the memory usage does go up quite a bit if you have a large memory amount, over 1gb. This is because of the caching feature, it keeps all websites you visited in cache for quick forward and back clicks. I am sure they could cut it down to just a few sites instead of all of them until you close out.

Score: 0

|

But the problem is Java, not Firefox. Java has got to be the most buggy platform I've ever encountered, regardless of browser. And it's a REAL pain to fix on 9x-based machines. :p

Score: 0

|

No they wouldn't.

Score: 0

|

Then disable Java

Score: 0

|

for some people ie is good enough. they're not looking to power surf ... they just want to get on and read cnn and check their stocks.

Score: 0

|

"I can guarantee if you show any mindless user FireFox, and demo it to the point where they understand and see the value in features they would switch in a heart beat. others, well they are just stuck in the old ways or just don't see value in it, or was not demoed properly."

Perhaps the mindless ones, yes...but I know better :) (it's a joke, people)

"It has vulnerabilities posted on a regular basis even after 5 years and well what good is there to say about it."

Do you honestly think Firefox 4.0, 5.0 or whatever, will not have newly discovered flaws in 5 years? Even Safari has its share of patches, cranbers. As long as the problems are addressed promptly, there's no big problem.

"it works, it browses the web. if that is all you want or need then be like the 90 sum percent of the users who don't know better."

I must question your logic here. By basically calling 90% of the computer users stupid, telling them that IE just "works" and "browses the web", this will convince them to repent of their stupidity and join the Firefox bandwagon? Newsflash: 99% OF STUPID PEOPLE WILL ALWAYS BE STUPID. If you haven't learned that yet from US politics, I'm telling you now. Why? Because most stupid people are arrogant and hard-headed, because they REFUSE to be proven wrong, regardless of whether they are wrong or not.

I'm just saying, there are better ways to recruit a userbase for Firefox. That's all.

Score: 0

|

"Didn't you know that IE is a huge magnet for Adware and Spyware. I've proved it over and over. Firefox just doesn't pick up even a fraction of what IE does. That's why we banned the use of IE in our institution."

Institution, eh? Nah--I won't go there :)

"Didn't you know that IE is a huge magnet for Adware and Spyware."

Magnet? Of course it is, since it dominates the market. Time will tell--if FireFox becomes par with IE in market share--well, we will see what happens.

By the way, we ban the use of any web browser other than IE, and have had 0 outbreaks of viruses/trojans for over 3 years I've worked here. I know that there is no way you would believe IE is more secure than FireFox (which not even I can agree with), but know that it is quite possible to use IE without problems...and trust me, there are many people here who are experts at downloading viruses--they've definitely tried, too.

Score: 0

|

"An error in the handling of JavaScript regular expressions..."

JavaScript != Java.

Score: 0

|

I've had user sites voluntarily and deliberately ban MSIE from their networks after users have sucked down virussy things with it which have blown the entire LAN to pieces.

I was on one such site about ten minutes before this type of policy decision was made, and watched Mr EvolutionInAction hit a warez site, pull down a nasty and trash the entire LAN with it in about two minutes. I didn't have to say a word.

In every case, they've used Firefox as the replacement (except for one, which is a small place which is now 100% Linux, and they use a mixture of Firefox and Konqueror) and had no attacks.

Score: 0

|

I have been notifying Firefox for months now about a flaw in Java execution. Maybe it is because I am running the net at 56kbps, but Java locks up everything in a firefox browser (including other tabs) until loaded and it keeps a systray icon for Java on until the browser, including all tabs is closed.

Maybe it's related, maybe not, but Firefox definitely has Java issues that have not been resolved even up to and including Firefox 2.0 RC1

Score: 0

|

Java?

Have you tested this in another
browser? Java requires the 3rd
party plugin (much like flash)
to operate. The problem may
be related more to that plugin
than the browser itself.

That would also explain why it
is spanning versions.

Score: 0

|

I am right now running Firefox with a java page and everything is locked up. At the same time I am running Opera 9.01 with two Java laden pages running in tabs and each works fine, I can see the graphic content as it loads and I can run other sites in other tabs while waiting for the Java to load.

What I find amazing is that nobody is talking about this bug in Firefox.

Score: 0

|

Cause it's a bug only a select few seem to have. Probably the people with extremely old systems.

Score: 0

|

Likely not. Likely people with software problems elsewhere are having these problems though, whether malware related or not.

By your argument, since only a "select few" businesses have IE problems, they are unimportant, right?

I will say this though--all flaws are fixable, and the fact that the hacker claims this flaw is unfixable discredits his findings if you ask me.

Score: 0

|

Java is from Sun not firefox. Go to sun.com and get an updated jre. But at 56 Kbps I would recommend you start the download late at night and go to bed.

Score: 0

|

Ah the illustrious boneheads of the net. a)All is java current, has been since 1.0 use of Firefox. b)If you are a Firefox hound, get a clue, use other browsers, i.e., Opera, IE, etc. all work with Java, no problemo. If Firefox is going to say it works with Java, it should. c)if you are young, never assume. It makes an [ass] out of [u] and [me].

Score: 0

|

Not. HP Pavilion notebook (zv5340 with a gig of ram and an Amd 64 3200).

Score: 0

|

Could Microsoft paying for their beer party have anything to do with the flaw not being fixable???

http://www.toorcon.org/2006/conference.html

Score: 0

|

Cheers!

What was that, again?

Score: 0

|

Hey....Can't go to any mozilla related site....can't update anything!!! Anyone knows what's the problem.......desperate help needed!!

Score: 0

|

virus definitely. run a virus scan, uninstall and reinstall. Also try out antispyware. either that or your install is messed up. Try out firefox 2.0 rc1 see if that helps, download it using opera or ie if you can't get it to browse any mozilla sites.

Score: 0

|

Cranbers :
I've already installed firefox rc1 .... i'm not able to go to any mozilla sites through any browser!!! i've already dloaded and installed firefox 4 times.... I use Spybot.....do you think that might be creating a problem

Score: 0

|

No script rules!

I know at least I can pick whose script to run.

Unlike IE, sucks a** and horrible.

Score: 0

|

phenomnaruto says: "Where are all the Microsoft haters now?"

Right here, phenomnaruto, right here...

Score: 0

|

Where are the Microsoft haters now? they should be having a big sissy fit over this ... oh wait .. they're only good at talking trash about Microsoft products in the most biased of ways.

Score: 0

|

Don't you know, anonymity on the net give fanbois their hypocritical edge.

Score: 0

|

We could mention that Microsoft hasn't patched flaws found 3 years ago... :P

Score: 0

|

Why should we repeat ad nauseam what all Microsoft haters already know? (we are Microsoft haters for good reason) A bad version of Firefox is better than any good version of IE I have tried. From what I have read this flaw is no real threat, even the "hacker" who claims to have found and used it said he has never caused any real harm to a system. This is all smoke and mirrors.

Score: 0

|

"We could mention that Microsoft hasn't patched flaws found 3 years ago... :P "

You mean the ones discovered by Secunia that affected IE 5.0 SP3? How many of us use that version?

Yes, at the time there were quite a few--but the reason MS has not nor has any future plans to patch those flaws is because they exploit legacy versions of IE only and/or they aren't critical enough in the real world to spend the time and resources to fix.

Do you expect Mozilla to continue to fix flaws in FireFox 1.5x indefinitely? Sure, they likely will support it even a time after 2.0 comes along, but only up to a certain point, right? IE 5 has been discontinued for quite some time now, heck even IE 6 (no SP) has been cut off from support, and IE6 SP1 will soon lose support as well. How many times have you heard of a specific virus/worm/etc. that exploited those 3-year-old flaws by the way?

So yeah, you could bring up issues about legacy browser versions, but face it, in 3 years, I doubt even Mozilla will care if FireFox 1.5x has a "new" vulnerability or not...

Score: 0

|

You need "at least" IE5 to run modern SQL Server packages, so it ain't dead yet (but pass me that stick and give me a few minutes...)

Score: 0

|

Three fundamental laws regarding computer data:

1. Everything can and will be copied, legally or illegally.

2. Programs can always work faster by optimising the code, regardless of hardware.

3. All software problems are fixable, given one has the time and resources to fix them; and all "fixable" software can be broken.

(bolded the applicable one)

Score: 0

|

I love all these clever fixes. Using things like the noscript plugin, that's great. But we could fix any browser by disabling just about everything useful ever invented for browsing except to 'trusted' lists.

Personally, I think that's taking web browsing back a step. If you take forums, a lot of them are JS enhanced these days. vB, IPB 2.0, etc. Disable scripting, well, it's gonna lose a lot of what makes it feel modern and accessible, enable scripting and you never know if you're going to be exploited truly. Mistakes happen.

Just fix bugs, none of this silly trusted list crap.

Score: 0

|

Yea but NoScript allows you to choose which site to allow scripts to run that way not all scripts have access to run. Similar to a software firewall it doesn't allow all programs to access the internet you decide which ones connect.

Score: 0

|

Use the noscript plug-in and it's fixed.

Just one of the advantages of open source, open standards, and stable API's.

Score: 0

|

great advice ... disable a technology that 99% of the web uses. shall we disable flash and css as well?

Score: 0

|

Paradise-FH- +1

You said what I was thinking before I got it posted. We may as well go back to text-only browsers. :)

Score: 0

|

Spoken like someone who's never
used it.

NoScript is a whitelist program.
It does not disable scripting.
It allows the user to choose
which scripts they will allow to
run on their system.

Big difference.

Score: 0

|

I personally love text browsers they prevent a lot of fecal.

Score: 0

|

Makes your browser as useful as links. If you want to go that far, you may as well browse with links browser...

Score: 0

|

Well you don't need a plug-in to do the same thing in IE... Not that I'm attacking Firefox or defending IE. Just that your comment was short-sighted.

In IE: Internet Options > Security > Custom Level > Active Scripting : Set it to "Prompt" rather than enable and it will ask you to run each javascript. The security zones *are* whitelisting, if you always want to allow a site, you add it to another zone.

Score: 0

|

lynx.

Score: 0

|

i have used it.

why would you want such control? in 10+ years of nearly daily usage i've never, ever run into a javascript exploit.

javascript isn't something that you should have to whitelist. it's along the same lines of whitelisting cookies ... it's just idiotic and paranoid.

Score: 0

|

same idea i would presume ...

* Alynx
* ELinks
* Links
* Lynx
* Netrik
* w3m
* WebbIE
* DosLynx

Score: 0

|

mmm but you're only getting half the experience ... whether it be good or bad.

besides, adding adblock plus and EasyList does a great job of filtering out 99% of the crap that makes for a bad experience.

Score: 0

|

I am sorry, but... Never ever ran into a javascript exploit... There have been hundreds if not thousands of exploits involving javascript. I have run into websites where I would never allow them to run, sites I just don't trust.

Score: 0

|

I usually don't want flashy intros or 6 million picture ads, I want the information and I want it now.

I don't use it a lot, but it's more comfortable to me.

Score: 0

|

Paradise-FH- said...

in 10+ years of nearly daily usage
i've never, ever run into a javascript
exploit.


Oh.

Well.

Since PAradise-FH- has never seen one,
I guess we're all safe then. I'll just
tell everyone I know that there's no
such thing as a JS exploit then and we
can all breathe a big ol' sigh of relief.

Score: 0

|

I agree! If people stay away from porn and warez sites they won't have problems with exploits, spyware and viruses. I haven't had any of these problems in my 10+ years either.

If I did ALL my email via web mail I probably wouldn't run anti virus software at all. Surf safe, keep both hands on the keyboard!

Score: 0

|

Why disable CSS? It's just a style sheet.

Score: 0

|

go ahead and get your paranoia up.

you can get virus by just inserting a floppy into a drive ... do you tell people to disable their floppy drive?

javascript is such a minimal threat ... the press and twits like you just love to be paranoid over getting exploited when yuo surfs for teh kiddie prons.

who wants to spend time re-enabling all the menus, buttons and links that are broken when they visit a new site? no normal user that's for sure. they use this thing called antivirus to deal with it so they don't have to deal with it every time they go to a new site.

by your token though why don't we just remove everything that was ever exploited? we can clobber images, flash, java, javascript and not visit sites that use .net, tomcat and apache. let's blow ourselves back to the internet stone age!

in fact why not just stop right at the browser? that's the source of what, 90% of all exploits? let's all just stop using the internet ... that'll fix it!

Score: 0

|

what are you surfing though? myspace.com?

adblock gets rid of 99% of the ads and 100% of the respectable sites use flash in a responsible and useful manner.

it's all well that you personally prefer a sheer text browser but there are [very good] ways to deal with your complaints.

Score: 0

|

how did you end up on such sites??? what were you looking for? cracks, warez, porn?

furthermore how many javascript exploits remain unpatched? there are plenty more core browser exploits unpatched ... why not just not use your browser until those are fixed?

Score: 0

|

i don't know ... maybe it can be used to run an exploit with the ie specific filter command or some hidden ie markup? maybe there's this colossal exploit just waiting to happen!!!

Score: 0

|

I don't like it. I want to surf, not tiptoe through a cow pasture. But you can find exploits anywhere not just the grimy corners of the web. Poorly managed sites have XSS exploits and IIS servers are hacked everyday. That is where you are more likely to be exposed to an exploit like this one.

I like NoScript because you can white list by domain. For instance betanews.com is okay but smarttargetting.com can target someone else.

Score: 0

|

Contrary to your ranting, there are
plenty of folks who use it and are
more than happy with it.

Arguing with you is like slamming
one's head against a wall. Painful
and pointless.

Score: 0

|

Disable their floppy drive?

Huh? Who uses one of those these days? CD-Rs/DVDs & Flash sticks pretty much obsolete floppies.

Score: 0

|

The article is also flawed, as the exploit was demonstrated live at the UUC. There are several unofficial Mozilla comments along the lines of "difficult to fix".

Firefix, Safer browsing my ass, more like an ageing browser creaking at the seams, and suffering growing pains.

www.opera.com

Score: 0

|

Firefox has never claimed to be unexploitable.

Neither has Opera, good thing too:
http://www.google.com/se...ra+exploits&spell=1

You're not invincible. It ultimately doesn't matter what browser you use, but how savvy you are with computer security and smart web browsing. Wake up.

Score: 0

|

And yet the supposed flaw above
is not listed.

I can show you a video of aliens
attacking New York. Does that
make it true?

Score: 0

|

I agree with MAZZTer. Security is only a myth, there are always holes, we just have to try and keep up with the exploiters.

The reason Firefox is safer is because IE has more novice users, therefore a bigger target.

Score: 0

|

i don't think that's so true anymore, a lot of novice users i know use it.... what makes IE such a big target is that it is part of an os that most people use

Score: 0

|

hmmm ... lets give it a few days and see what happens.

Score: 0

|

"I can show you a video of aliens attacking New York. Does that make it true?"
http://video.google.com/...amp;q=wtc+ufo&hl=en

Score: 0

|

As if Opera is newer and fresher.

My God, I'm so sick of the browser fanboys. Use what you want and shut the heck up about it.

Score: 0

|

'sall I'm sayin'.

Hell, ya never know what them
aliens are going to do next...

Score: 0

|

Opera may also be mature, but its very good track record on security, whilst keeping functionality is unmatched...

Score: 0

|

I'm glad you like it. Now leave us alone about it.

Besides, a better comparison is between Opera and Seamonkey. Firefox serves a totally different type of user.

Score: 0

|

Because???

Score: 0

|

Because Opera's feature set is more analogous to Seamonkey's, not Firefox's.

Score: 0

|

work your magic on religion, would you? i hear there was this carpenter who worked miracles and this guy who was the final prophet ... now there's something older than a day for you to debunk.

Score: 0

|

lmao..

Life is full of disappointment.

Get used to it.

Score: 0

|

Where is the link to the Secunia Advisory, I can't find it, and the one on this page doesn't work!

Score: 0

|

These are the same people who know of 30 security issues, and refused to tell Mozilla of them so they can fix them.

Does this issue exist, I believe it does, because they showed the code during their demo. Should we put a lot of salt on what they claim in the future, depends if they ever actually tell Mozilla of the security issues instead of taking advantage of them ( which I got from another article which made me believe they already have and will ).

Score: 0

|

I'd be very surprised if it was 'Unpatchable'

Score: 0

|

"BetaNews has contacted Mozilla.org officials for comment on the alleged flaw, which may yet be forthcoming."

So wait for that one.

Score: 0

|

"Unpatchable"?????

Yeah right. Not.

Score: 0

|

bashers...here they come!

Score: 0

|

What goes around...

Score: 0

|

Is this also in Firefox 2.0? I am assuming not, since Firefox has updated JavaScript in 2.0.

Score: 0

|

What I got from the article is that the very existence of this 'flaw' is in question as yet.

It may be a bit early in the game to start asking if it affects more than the current release as it may be nothing more than FUD.

Score: 0

|

Anybody heard of Sandboxie or GreenZone? They work just great on my already secure system with both Firefox and K-Meleon, and require no preferences or authorization changes at all...

Score: 0

|
