Alleged 'Unfixable' Exploit in Firefox

By Scott M. Fulton, III, BetaNews

October 2, 2006, 11:52 AM

An overflow of stories concerning an alleged Firefox 1.5 exploit hit the Web over the weekend, emerging from an underground users' conference in San Diego. But after the dust has begun settling, evidence of the exploit's severity and even existence has yet to materialize from official sources, including the Mozilla organization responsible for Firefox's development.

A few weeks ago, a series of exploitable bugs involving Firefox's JavaScript interpreter was reported by Secunia in an official advisory, which as of this morning continues to rate these flaws as "highly critical."

"An error in the handling of JavaScript regular expressions containing a minimal quantifier," reads the Secunia advisory, "can be exploited to cause a heap-based buffer overflow." No more recent Firefox flaws have been added to Secunia's list since then.

The alleged flaw introduced last weekend at the ToorCon convention in San Diego was reported to also involve a buffer overflow triggered through the JavaScript interpreter, although reports have made it appear this is the first such flaw in Firefox's history -- which is far from reality. The venue in which the alleged flaw was presented -- a session entitled "LOVIN THE LOLS - LOL IS MY WILL" -- promised attendees a mix of BIOS patches, AIM exploits and sexual innuendo.

There, amid the presumed innuendo, new Mozilla security chief Window Snyder -- a former @stake researcher recently hired away from Microsoft -- reportedly took seriously a video of the exploit shown at the conference, although reports do not go so far as to say whether Mozilla officials consider the exploit to be particularly novel.

In any event, characterizations of the apparently uniquely prepared exploit as "unpatchable" have spread faster than the average zero-day, without the aid of a professional security advisory to push it along.

BetaNews has contacted Mozilla.org officials for comment on the alleged flaw; a response may yet be forthcoming.

By joeshmoe7

posted Oct 3, 2006 - 2:15 PM

hoax and/or propaganda, take your pick.

Unfixable, yeah that's cute.

Score: 0

By Shadow0kahn

edited Oct 3, 2006 - 2:11 PM

Actually this is turning out to be a hoax concocted by the hackers - I do appreciate the fact that Mozilla is still looking into it before shuffling it off 'as a joke'. Source: http://arstechnica.com/n...post/20061002-7885.html
*snip*
The after-story... there's no story at all?

Mozilla has been able to reproduce a DoS issue based on the information, according to a new post on the Mozilla Developer Center. So far, they have yet to determine whether code execution is a possibility, but say they are "still investigating" and promise updates as necessary. Nevertheless, it's beginning to look as though this was largely a prank.

Mischa Spiegelmock has now said that the talk "was to be humorous," and that the presentation covered a "previously known Firefox vulnerability that could result in a stack overflow ending up in remote code execution." In other words, they didn't discover a new flaw.

Spiegelmock said that the code they presented to attendees does not actually work, lowering fears that a true zero-day exploit could be in the wild. To make matters more embarrassing, Spiegelmock also said that no one has successfully executed arbitrary code using the attack. "I have not succeeded in making this code do anything more than cause a crash and eat up system resources, and I certainly haven’t used it to take over anyone else’s computer and execute arbitrary code," according to comments on Mozilla's developers blog.

As to the claim that there are 30 known exploits in Firefox, Spiegelmock said that the claim was made only by Wbeelsoi, and indicated that it, too, has not been verified.
*snip*

Score: 0

By anmol.2k4

posted Oct 3, 2006 - 2:01 PM

Opera 9:
Vendor Opera Software
Product Link View Here (Link to external site)
Affected By 1 Secunia advisories
Unpatched 0% (0 of 1 Secunia advisories)
Most Critical Unpatched
There are no unpatched Secunia advisories affecting this product, when all vendor patches are applied.
-----------------------------------------------------
FF 1.x
Vendor Mozilla Organization
Product Link View Here (Link to external site)
Affected By 36 Secunia advisories
Unpatched 8% (3 of 36 Secunia advisories)
Most Critical Unpatched
The most severe unpatched Secunia advisory affecting Mozilla Firefox 1.x, with all vendor patches applied, is rated Less critical
---------------------------------------------------
Is it just me or is there a significant difference in numbers ?
but then who really cares i mean security is for noobs now as we have grown mature since FF's launch date. And then others cannot and will not be able to satisfy our FLOSS fetish needs.

Score: 0

By perki

edited Oct 3, 2006 - 12:57 PM

It was all a hoax.
http://www.vnunet.com/vn...fox-hacker-back-peddles

Score: 0

By mjm01010101

posted Oct 3, 2006 - 12:23 PM

It's looking like this was a hoax. You gonna update the story?

Score: 0

By anmol.2k4

posted Oct 3, 2006 - 12:04 PM

I mean *what* is the point of using opera, speed(page load and app load time) security (total patched un-patched vulnerabilities) features(IRC,mail,bit-torrent client built in) stronger pop-up blocker(in comparison with ff) etc etc.
Cuz few seconds will not kill me nor will few pop-ups and every app's vulnerability increases with its user base and features == bloat bloat bloat.
And the fact opera cannot open few sites (tried very hard but none are coming to my mind but for most ppl no. of incompatible sites/pages will be around 5-7).
And the fact FF is open source and Opera is not.

i don't get it.................................. exactly what was the biggest point of dumping and criticising Internet Explorer ?
ummm it maybe that Open Source fetish ;)

Score: 0

By Joe Dirt

posted Oct 3, 2006 - 11:21 AM

Blah Blah Blah...

Everyone who commented here (except me) is the Devil.

Score: 0

By jshurst

edited Oct 3, 2006 - 8:45 AM

A lot of people here are talking about Java, you guys do know that Java is NOT the same thing as JavaScript, right?

Although I do hate to see that da*# coffee cup loading a Java app.

Score: 0

By BrettT1

edited Oct 3, 2006 - 8:25 AM

At least it's not loaded with spyware, like microsh*ts IE.

Score: 0

By bourgeoisdude

edited Oct 3, 2006 - 10:07 AM

"At least it's not loaded with spyware, like microsh*ts IE."

How intelligent. You know what? Your comment convinced me to switch to FireFox :/

Seriously, you must be a liberal since all you can do is talk from your unchangeable perspective.

Score: 0

By haydesigner

edited Oct 3, 2006 - 12:35 PM

You might want to look up the words liberal and conservative, let alone rein in your d*mning political bigotry ...

Definitions
Liberal: "open-minded or tolerant"
Conservative: "disposed to preserve existing conditions, and to limit change."

Score: 0

By THZGryphon

posted Oct 3, 2006 - 2:09 PM

However incorrect the reply, it doesn't make BrettT1 any less ignorant.

Score: 0

By DaveBG

posted Oct 3, 2006 - 5:30 AM

Oh no! Yet another one? :D

Score: 0

By Mr.knowhow

posted Oct 3, 2006 - 12:40 AM

One can always read varied opinions from different individuals, when such flaws are explored in browsers. One has to realize that this is a continuous process of improvisation, which is done in stages; known to us as "versions".

The next revolution in the IT industry would be of, a browser that is developed on the grounds of security. Security needs to be implemented on a hierarchical basis, rather than having it superficially!!

Score: 0

By Paradise-FH-

edited Oct 3, 2006 - 1:10 AM

somehow i don't think you meant "improvisation" (inventing or performing with little or no preparation) ... i think you meant "improvement" :P

Score: 0

By amnar

posted Oct 2, 2006 - 6:54 PM

Mozilla has posted the following update today:
----------------------------------------------
"Possible Vulnerability Reported at Toorcon

When someone says they’ve identified a vulnerability, we treat it as real until we can verify otherwise. We immediately begin investigating and trying to fix it. This is how we’re able to ship fixes so quickly.

At Toorcon this weekend, two speakers claimed they found vulnerabilities in the Javascript VM. Of course we take that very seriously.

So far we’ve been able to reproduce a denial of service issue based on the information they gave during their talk. In some cases this causes a crash based on an out of memory error. Based on the information we have at this time we have not been able to confirm whether an attacker can achieve code execution. We’re still investigating and we’ll keep you updated.

-Window Snyder"

Score: 0

By Scotch Moose

posted Oct 3, 2006 - 10:27 AM

Thanks for some real information.

Since JavaScript allows loops and dynamic allocation then a bad programmer or an evil one can write a loop that runs forever and uses up all available memory.

Tricky problem to know when to stop a runaway program.

Score: 0

By mcm

posted Oct 2, 2006 - 9:51 PM

Here's another followup that's been posted:
---------------------------
"We got a chance to talk to Mischa Spiegelmock, the Toorcon speaker that reported the potential javascript security issue referenced earlier. He gave us more code to work with and also made this statement and agreed to let me post it here:

The main purpose of our talk was to be humorous.

As part of our talk we mentioned that there was a previously known Firefox vulnerability that could result in a stack overflow ending up in remote code execution. However, the code we presented did not in fact do this, and I personally have not gotten it to result in code execution, nor do I know of anyone who has.

I have not succeeded in making this code do anything more than cause a crash and eat up system resources, and I certainly haven’t used it to take over anyone else’s computer and execute arbitrary code.

I do not have 30 undisclosed Firefox vulnerabilities, nor did I ever make this claim. I have no undisclosed Firefox vulnerabilities. The person who was speaking with me made this claim, and I honestly have no idea if he has them or not.

I apologize to everyone involved, and I hope I have made everything as clear as possible.

Sincerely,
Mischa Spiegelmock

Even though Mischa hasn’t been able to achieve code execution, we still take this issue seriously. We will continue to investigate.

-Window Snyder"

Score: 0

By Paradise-FH-

posted Oct 3, 2006 - 1:10 AM

thanks for the update guys ... the best two comments in the entire bunch.

Score: 0

By alexweber15

posted Oct 3, 2006 - 9:18 AM

agreed.

funny how there's so many people out there just waiting to stab firefox in the jugular... so many haters! this thing isn't even proven to be that serious and already everybody's like "I told you so"... LOL

Score: 0

By THZGryphon

posted Oct 3, 2006 - 2:06 PM

funny how there's so many people out there just waiting to stab IE in the jugular... so many haters! things aren't even proven to be that serious and everybody's like "I told you so"... LOL

Score: 0

By gaz25

edited Oct 2, 2006 - 6:26 PM

Unpatchable.. no way.. It's definitely patchable. It's probably that the hackers couldn't find a way to fix it so said it was: "Unpatchable"

As with all software.. if it can be made.. it can be hacked too.. Nothing is secure, we just have to prevent it.

Score: 0

By Point Zero

posted Oct 2, 2006 - 5:50 PM

If there were better browsers than firefox i would ditch it. Unfortunately there aren't ;(

Score: 0

By davidkaye

edited Oct 2, 2006 - 5:31 PM

I use Firefox, but only because my customers do. Firefox is notorious for locking up and running the CPU at 100% when it encounters a Java error. This especially happens when a page is long, such as a forum-type page.

I've written to the Mozilla folks several times on this.

For my own purposes I use IE because it runs fast and doesn't fail me.

Score: 0

By Tenoq

posted Oct 2, 2006 - 9:27 PM

But the problem is Java, not Firefox. Java has got to be the most buggy platform I've ever encountered, regardless of browser. And it's a REAL pain to fix on 9x-based machines. :p

Score: 0

By The-One

edited Oct 3, 2006 - 1:01 AM

Then disable Java

Score: 0

By bourgeoisdude

posted Oct 3, 2006 - 10:09 AM

"An error in the handling of JavaScript regular expressions..."

JavaScript != Java.

Score: 0

By cranbers

posted Oct 2, 2006 - 8:27 PM

I can guarantee if you show any mindless user FireFox, and demo it to the point where they understand and see the value in features they would switch in a heart beat. others, well they are just stuck in the old ways or just don't see value in it, or was not demoed properly.

I mean ie doesn't have a fraction of the features as FireFox does thanks to extensions that are readily available by the click of a button add tab browsing and customizable skins and you have a win win all the way, with 2.0 set to be released soon with even more built in features that will be helpful.

As for ie, it is a browser with limited features and follows as few standards as possible, I mean it is designed with Microsoft's Internet in mind. This itself is fricken ridiculous ie and Microsoft has single handed held the Internet back with a giant chain. I mean its 5 years old what do you expect. The Internet has probably grown by several billion websites. The current technology in use today was on the drawing board when ie was released. Most websites were based on Microsoft's standards which are sloppy and ridiculous.

It has vulnerabilities posted on a regular basis even after 5 years and well what good is there to say about it. it works, it browses the web. if that is all you want or need then be like the 90 sum percent of the users who don't know better.

As for problems, I can probably count on one hand the number of times it has locked up in 2 years. That is with over a dozen extensions running with it along with themes. As for lock ups I am going to assume it is Java's software not FireFox locking up. Update your version and I bet it will fix itself. I surf the web at least 75 hours a week, I view and look at every type and kind of website you can think of with zero problems.

yes if you surf the web for an extended period of time the memory usage does go up quite a bit if you have a large memory amount, over 1gb. This is because of the caching feature, it keeps all websites you visited in cache for quick forward and back clicks. I am sure they could cut it down to just a few sites instead of all of them until you close out.

Score: 0

By bourgeoisdude

posted Oct 3, 2006 - 9:50 AM

"I can guarantee if you show any mindless user FireFox, and demo it to the point where they understand and see the value in features they would switch in a heart beat. others, well they are just stuck in the old ways or just don't see value in it, or was not demoed properly."

Perhaps the mindless ones, yes...but I know better :) (it's a joke, people)

"It has vulnerabilities posted on a regular basis even after 5 years and well what good is there to say about it."

Do you honestly think Firefox 4.0, 5.0 or whatever, will not have newly discovered flaws in 5 years? Even Safari has its share of patches, cranbers. As long as the problems are addressed promptly, there's no big problem.

"it works, it browses the web. if that is all you want or need then be like the 90 sum percent of the users who don't know better."

I must question your logic here. By basically calling 90% of the computer users stupid, telling them that IE just "works" and "browses the web", this will convince them to repent of their stupidity and join the Firefox bandwagon? Newsflash: 99% OF STUPID PEOPLE WILL ALWAYS BE STUPID. If you haven't learned that yet from US politics, I'm telling you now. Why? Because most stupid people are arrogant and hard-headed, because they REFUSE to be proven wrong, regardless of whether they are wrong or not.

I'm just saying, there are better ways to recruit a userbase for Firefox. That's all.

Score: 0

By Paradise-FH-

posted Oct 3, 2006 - 1:06 AM

for some people ie is good enough. they're not looking to power surf ... they just want to get on and read cnn and check their stocks.

Score: 0

By KSzostek

posted Oct 2, 2006 - 9:27 PM

No they wouldn't.

Score: 0

By clifton

posted Oct 2, 2006 - 6:46 PM

Didn't you know that IE is a huge magnet for Adware and Spyware. I've proved it over and over. Firefox just doesn't pick up even a fraction of what IE does. That's why we banned the use of IE in our institution.

Score: 0

By bourgeoisdude

edited Oct 3, 2006 - 9:58 AM

"Didn't you know that IE is a huge magnet for Adware and Spyware. I've proved it over and over. Firefox just doesn't pick up even a fraction of what IE does. That's why we banned the use of IE in our institution."

Institution, eh? Nah--I won't go there :)

"Didn't you know that IE is a huge magnet for Adware and Spyware."

Magnet? Of course it is, since it dominates the market. Time will tell--if FireFox becomes par with IE in market share--well, we will see what happens.

By the way, we ban the use of any web browser other than IE, and have had 0 outbreaks of viruses/trojans for over 3 years I've worked here. I know that there is no way you would believe IE is more secure than FireFox (which not even I can agree with), but know that it is quite possible to use IE without problems...and trust me, there are many people here who are experts at downloading viruses--they've definitely tried, too.

Score: 0

By austux

posted Oct 4, 2006 - 1:47 AM

I've had user sites voluntarily and deliberately ban MSIE from their networks after users have sucked down virussy things with it which have blown the entire LAN to pieces.

I was on one such site about ten minutes before this type of policy decision was made, and watched Mr EvolutionInAction hit a warez site, pull down a nasty and trash the entire LAN with it in about two minutes. I didn't have to say a word.

In every case, they've used Firefox as the replacement (except for one, which is a small place which is now 100% Linux, and they use a mixture of Firefox and Konqueror) and had no attacks.

Score: 0

By who-da-pirate

edited Oct 2, 2006 - 4:49 PM

I have been notifying Firefox for months now about a flaw in Java execution. Maybe it is because I am running the net at 56kbps, but Java locks up everything in a firefox browser (including other tabs) until loaded and it keeps a systray icon for Java on until the browser, including all tabs is closed.

Maybe its related, maybe not, but Firefox definitely has Java issues that have not been resolved even up to and including Firefox 2.0 RC1

Score: 0

By Scotch Moose

edited Oct 3, 2006 - 10:21 AM

Java is from Sun not firefox. Go to sun.com and get an updated jre. But at 56 Kbps I would recommend you start the download late at night and go to bed.

Score: 0

By who-da-pirate

posted Oct 3, 2006 - 12:51 PM

Ah the illustrious boneheads of the net. a)All is java current, has been since 1.0 use of Firefox. b)If you are a Firefox hound, get a clue, use other browsers, i.e., Opera, IE, etc. all work with Java, no problemo. If Firefox is going to say it works with Java, it should. c)if you are young, never assume. It makes an [ass] out of [u] and [me].

Score: 0

By Real1tyczech

edited Oct 2, 2006 - 5:15 PM

Java?

Have you tested this in another
browser? Java requires the 3rd
party plugin (much like flash)
to operate. The problem may
be related more to that plugin
than the browser itself.

That would also explain why it
is spanning versions.

Score: 0

By who-da-pirate

posted Oct 3, 2006 - 2:13 AM

I am right now running Firefox with a java page and everything is locked up. At the same time I am running Opera 9.01 with two Java laden pages running in tabs and each works fine, I can see the graphic content as it loads and I can run other sites in other tabs while waiting for the Java to load.

What I find amazing is that nobody is talking about this bug in Firefox.

Score: 0

By Ian C.

posted Oct 3, 2006 - 3:58 AM

Cause it's a bug only a select few seem to have. Probably the people with extremely old systems.

Score: 0

By who-da-pirate

posted Oct 3, 2006 - 1:03 PM

Not. HP Pavilion notebook (zv5340 with a gig of ram and an Amd 64 3200).

Score: 0

By bourgeoisdude

edited Oct 3, 2006 - 10:03 AM

Likely not. Likely people with software problems elsewhere are having these problems though, whether malware related or not.

By your argument, since only a "select few" businesses have IE problems, they are unimportant, right?

I will say this though--all flaws are fixable, and the fact that the hacker claims this flaw is unfixable discredits his findings if you ask me.

Score: 0

By zenarcher

posted Oct 2, 2006 - 4:17 PM

Could Microsoft paying for their beer party have anything to do with the flaw not being fixable???

http://www.toorcon.org/2006/conference.html

Score: 0

By austux

edited Oct 3, 2006 - 8:45 AM

Cheers!

What was that, again?

Score: 0

By midnighter_9999

posted Oct 2, 2006 - 3:21 PM

Hey....Cant go to any mozilla related site....cant update anything!!! Anyone knows whats the problem.......desperate help needed!!

Score: 0

By cranbers

posted Oct 2, 2006 - 8:32 PM

virus definitely. run a virus scan, uninstall and reinstall. Also try out antispyware. either that or your install is messed up. Try out firefox 2.0 rc1 see if that helps, download it using opera or ie if you can't get it to browse any mozilla sites.

Score: 0

By midnighter_9999

posted Oct 3, 2006 - 11:37 AM

Cranbers :
I've already installed firefox rc1 .... i'm not able to go to any mozilla sites through any browser!!! i've already dloaded and installed firefox 4 times.... I use Spybot.....do you think that might be creating a problem

Score: 0

By Black-Wolf

posted Oct 2, 2006 - 2:28 PM

No script rules!

I know at least I can pick whose script to run.

Unlike IE, sucks a** and horrible.

Score: 0

By bourgeoisdude

posted Oct 2, 2006 - 3:12 PM

phenomnaruto says: "Where are all the Microsoft haters now?"

Right here, phenomnaruto, right here...

Score: 0

By phenomnaruto

posted Oct 2, 2006 - 2:25 PM

Where are the Microsoft haters now? they should be having a big sissy fit over this ... oh wait .. they're only good at talking trash about Microsoft products in the most biased of ways.

Score: 0

By sophist_dreams

edited Oct 2, 2006 - 11:12 PM

Why should we repeat ad nauseam what all Microsoft haters already know? (we are Microsoft haters for good reason) A bad version of Firefox is better than any good version of IE I have tried. From what I have read this flaw is no real threat, even the "hacker" who claims to have found and used it said he has never caused any real harm to a system. This is all smoke and mirrors.

Score: 0

By Tenoq

posted Oct 2, 2006 - 9:29 PM

We could mention that Microsoft hasn't patched flaws found 3 years ago... :P

Score: 0

By bourgeoisdude

edited Oct 3, 2006 - 9:39 AM

"We could mention that Microsoft hasn't patched flaws found 3 years ago... :P "

You mean the ones discovered by Secunia that affected IE 5.0 SP3? How many of us use that version?

Yes, at the time there were quite a few--but the reason MS has not nor has any future plans to patch those flaws is because they exploit legacy versions of IE only and/or they aren't critical enough in the real world to spend the time and resources to fix.

Do you expect Mozilla to continue to fix flaws in FireFox 1.5x indefinitely? Sure, they likely will support it even a time after 2.0 comes along, but only up to a certain point, right? IE 5 has been discontinued for quite some time now, heck even IE 6 (no SP) has been cut off from support, and IE6 SP1 will soon lose support as well. How many times have you heard of a specific virus/worm/etc. that exploited those 3-year-old flaws by the way?

So yeah, you could bring up issues about legacy browser versions, but face it, in 3 years, I doubt even Mozilla will care if FireFox 1.5x has a "new" vulnerability or not...

Score: 0

By austux

posted Oct 4, 2006 - 1:42 AM

You need "at least" IE5 to run modern SQL Server packages, so it ain't dead yet (but pass me that stick and give me a few minutes...)

Score: 0

By THZGryphon

posted Oct 2, 2006 - 3:04 PM

Don't you know, anonymity on the net gives fanbois their hypocritical edge.

Score: 0

By bourgeoisdude

posted Oct 2, 2006 - 2:08 PM

Three fundamental laws regarding computer data:

1. Everything can and will be copied, legally or illegally.

2. Programs can always work faster by optimising the code, regardless of hardware.

3. All software problems are fixable, given one has the time and resources to fix them; and all "fixable" software can be broken.

(bolded the applicable one)

Score: 0

By Babylon2x

posted Oct 2, 2006 - 2:00 PM

I love all these clever fixes. Using things like the noscript plugin, that's great. But we could fix any browser by disabling just about everything useful ever invented for browsing except to 'trusted' lists.

Personally, I think that's taking web browsing back a step. If you take forums, a lot of them are JS enhanced these days. vB, IPB 2.0, etc. Disable scripting, well, it's gonna lose a lot of what makes it feel modern and accessible, enable scripting and you never know if you're going to be exploited truly. Mistakes happen.

Just fix bugs, none of this silly trusted list crap.

Score: 0

By CrisCr0ss

posted Oct 2, 2006 - 4:23 PM

Yea but NoScript allows you to choose which site to allow scripts to run that way not all scripts have access to run. Similar to a software firewall it doesn't allow all programs to access the internet you decide which ones connect.

Score: 0

By Scotch Moose

posted Oct 2, 2006 - 1:23 PM

Use the noscript plug-in and it's fixed.

Just one of the advantages of open source, open standards, and stable API's.

Score: 0

By Cool-Gui

posted Oct 2, 2006 - 3:07 PM

Well you don't need a plug-in to do the same thing in IE... Not that I'm attacking Firefox or defending IE. Just that your comment was short-sighted.

In IE: Internet Options > Security > Custom Level > Active Scripting : Set it to "Prompt" rather than enable and it will ask you to run each javascript. The security zones *are* whitelisting, if you always want to allow a site, you add it to another zone.

Score: 0

By Mark Gillespie

posted Oct 2, 2006 - 2:23 PM

Makes your browser as useful as links. If you want to go that far, you may as well browse with links browser...

Score: 0

By Real1tyczech

posted Oct 2, 2006 - 3:24 PM

lynx.

Score: 0

By Mark Gillespie

posted Oct 2, 2006 - 3:46 PM

Links

http://artax.karlin.mff.cuni.cz/~mikulas/links/

Score: 0

By Paradise-FH-

posted Oct 2, 2006 - 4:01 PM

same idea i would presume ...

* Alynx
* ELinks
* Links
* Lynx
* Netrik
* w3m
* WebbIE
* DosLynx

Score: 0

By Paradise-FH-

posted Oct 2, 2006 - 1:57 PM

great advice ... disable a technology that 99% of the web uses. shall we disable flash and css as well?

Score: 0

By morriscox

posted Oct 2, 2006 - 11:47 PM

Why disable CSS? It's just a style sheet.

Score: 0

By Paradise-FH-

posted Oct 3, 2006 - 1:04 AM

i don't know ... maybe it can be used to run an exploit with the ie specific filter command or some hidden ie markup? maybe there's this colossal exploit just waiting to happen!!!

Score: 0

By Real1tyczech

posted Oct 2, 2006 - 2:11 PM

Spoken like someone who's never
used it.

NoScript is a whitelist program.
It does not disable scripting.
It allows the user to choose
which scripts they will allow to
run on their system.

Big difference.

Score: 0

By Paradise-FH-

posted Oct 2, 2006 - 3:40 PM

i have used it.

why would you want such control? in 10+ years of nearly daily usage i've never, ever run into a javascript exploit.

javascript isn't something that you should have to whitelist. it's along the same lines of whitelisting cookies ... it's just idiotic and paranoid.

Score: 0

By bogey9000

edited Oct 2, 2006 - 6:53 PM

I agree! If people stay away from porn and warez sites they won't have problems with exploits, spyware and viruses. I haven't had any of these problems in my 10+ years either.

If I did ALL my email via web mail I probably wouldn't run anti virus software at all. Surf safe, keep both hands on the keyboard!

Score: 0

By Real1tyczech

posted Oct 2, 2006 - 4:36 PM

Paradise-FH- said...

in 10+ years of nearly daily usage
i've never, ever run into a javascript
exploit.


Oh.

Well.

Since Paradise-FH- has never seen one,
I guess we're all safe then. I'll just
tell everyone I know that there's no
such thing as a JS exploit then and we
can all breathe a big ol' sigh of relief.

Score: 0

By Paradise-FH-

posted Oct 3, 2006 - 12:47 AM

go ahead and get your paranoia up.

you can get virus by just inserting a floppy into a drive ... do you tell people to disable their floppy drive?

javascript is such a minimal threat ... the press and twits like you just love to be paranoid over getting exploited when yuo surfs for teh kiddie prons.

who wants to spend time re-enabling all the menus, buttons and links that are broken when they visit a new site? no normal user that's for sure. they use this thing called antivirus to deal with it so they don't have to deal with it every time they go to a new site.

by your token though why don't we just remove everything that was ever exploited? we can clobber images, flash, java, javascript and not vist sites that use .net, tomcat and apached. let's blow ourselves back to the internet stone age!

in fact why not just stop right at the browser? that's the source of what, 90% of all exploits? let's all just stop using the internet ... that'll fix it!

Score: 0

By austux

posted Oct 4, 2006 - 1:51 AM

Disable their floppy drive?

Huh? Who uses one of those these days? CD-Rs/DVDs & Flash sticks pretty much obsolete floppies.

Score: 0

By Real1tyczech

posted Oct 3, 2006 - 2:26 PM

Contrary to your ranting, there are
plenty of folks who use it and are
more than happy with it.

Arguing with you is like slamming
one's head against a wall. Painful
and pointless.

Score: 0

By Scotch Moose

posted Oct 3, 2006 - 10:08 AM

I don't like it. I want to surf, not tiptoe through a cow pasture. But you can find exploits anywhere not just the grimy corners of the web. Poorly managed sites have XSS exploits and IIS servers are hacked everyday. That is where you are more likely to be exposed to an exploit like this one.

I like NoScript because you can white list by domain. For instance betanews.com is okay but smarttargetting.com can target someone else.

Score: 0

By pbarrett

posted Oct 2, 2006 - 4:21 PM

I am sorry, but... Never ever ran into a javascript exploit... There have been hundreds if not thousands of exploits involving javascript. I have run into websites where I would never allow them to run, sites I just don't trust.

Score: 0

By Paradise-FH-

posted Oct 3, 2006 - 1:02 AM

how did you end up on such sites??? what were you looking for? cracks, warez, porn?

furthermore how many javascript exploits remain unpatched? there are plenty more core browser exploits unpatched ... why not just not use your browser until those are fixed?

Score: 0

By Babylon2x

edited Oct 2, 2006 - 2:02 PM

Paradise-FH- +1

You said what I was thinking before I got it posted. We may as well go back to text-only browsers. :)

Score: 0

By pbarrett

posted Oct 2, 2006 - 2:18 PM

I personally love text browsers, they prevent a lot of fecal.

Score: 0

By Paradise-FH-

posted Oct 2, 2006 - 4:04 PM

mmm but you're only getting half the experience ... whether it be good or bad.

besides, adding adblock plus and EasyList does a great job of filtering out 99% of the crap that makes for a bad experience.

Score: 0

By pbarrett

posted Oct 2, 2006 - 4:31 PM

I usually don't want flashy intros or 6 million picture ads, I want the information and I want it now.

I don't use it a lot, but it's more comfortable to me.

Score: 0

By Paradise-FH-

posted Oct 3, 2006 - 12:49 AM

what are you surfing though? myspace.com?

adblock gets rid of 99% of the ads and 100% of the respectable sites use flash in a responsible and useful manner.

it's all well that you personally prefer a sheer text browser but there are [very good] ways to deal with your complaints.

Score: 0

By Mark Gillespie

edited Oct 2, 2006 - 2:04 PM

The article is also flawed, as the exploit was demonstrated live at the UUC. There are several unofficial Mozilla comments along the lines of "difficult to fix".

Firefix, Safer browsing my ass, more like an ageing browser creaking at the seams, and suffering growing pains.

www.opera.com

Score: 0

By Desides

posted Oct 2, 2006 - 4:33 PM

As if Opera is newer and fresher.

My God, I'm so sick of the browser fanboys. Use what you want and shut the heck up about it.

Score: 0

By Mark Gillespie

posted Oct 2, 2006 - 5:22 PM

Opera may also be mature, but its very good track record on security, whilst keeping functionality, is unmatched...

Score: 0

By Desides

posted Oct 2, 2006 - 5:33 PM

I'm glad you like it. Now leave us alone about it.

Besides, a better comparison is between Opera and Seamonkey. Firefox serves a totally different type of user.

Score: 0

By Mark Gillespie

posted Oct 2, 2006 - 6:46 PM

Because???

Score: 0

By Desides

posted Oct 2, 2006 - 6:56 PM

Because Opera's feature set is more analogous to Seamonkey's, not Firefox's.

Score: 0

By The MAZZTer

posted Oct 2, 2006 - 1:40 PM

Firefox has never claimed to be unexploitable.

Neither has Opera, good thing too:
http://www.google.com/se...ra+exploits&spell=1

You're not invincible. It ultimately doesn't matter what browser you use, but how savvy you are with computer security and smart web browsing. Wake up.

Score: 0

By pbarrett

edited Oct 2, 2006 - 2:10 PM

I agree with MAZZTer. Security is only a myth, there are always holes, we just have to try and keep up with the exploiters.

The reason Firefox is safer is because IE has more novice users, therefore a bigger target.

Score: 0

By skags442

posted Oct 2, 2006 - 2:43 PM

i don't think that's so true anymore, a lot of novice users i know use it.... what makes IE such a big target is that it is part of an os that most people use

Score: 0

By Mark Gillespie

posted Oct 2, 2006 - 2:02 PM

Opera 9: http://secunia.com/product/10615/
FireFix: http://secunia.com/product/4227/

Score: 0

By Real1tyczech

posted Oct 2, 2006 - 2:09 PM

And yet the supposed flaw above
is not listed.

I can show you a video of aliens
attacking New York. Does that
make it true?

Score: 0

By T3chDad

posted Oct 2, 2006 - 4:27 PM

"I can show you a video of aliens attacking New York. Does that make it true?"
http://video.google.com/...amp;q=wtc+ufo&hl=en

Score: 0

By Paradise-FH-

edited Oct 2, 2006 - 4:16 PM

hmmm ... let's give it a few days and see what happens.

Score: 0

By Real1tyczech

posted Oct 2, 2006 - 4:37 PM

'sall I'm sayin'.

Hell, ya never know what them
aliens are going to do next...

Score: 0

By Paradise-FH-

posted Oct 3, 2006 - 12:59 AM

work your magic on religion, would you? i hear there was this carpenter who worked miracles and this guy who was the final prophet ... now there's something older than a day for you to debunk.

Score: 0

By Real1tyczech

posted Oct 3, 2006 - 2:31 PM

lmao..

Life is full of disappointment.

Get used to it.

Score: 0

By Sammyc57

edited Oct 2, 2006 - 12:47 PM

Where is the link to the Secunia Advisory, I can't find it, and the one on this page doesn't work!

Score: 0

By Ramhound

posted Oct 2, 2006 - 12:43 PM

These are the same people who know of 30 security issues, and refused to tell Mozilla of them so they can fix them.

Does this issue exist, I believe it does, because they showed the code during their demo. Should we put a lot of salt on what they claim in the future, depends if they ever actually tell Mozilla of the security issues instead of taking advantage of them (which I got from another article which made me believe they already have and will).

Score: 0

By Heero

posted Oct 2, 2006 - 12:42 PM

I'd be very surprised if it was 'Unpatchable'

Score: 0

By tipsyboy

posted Oct 2, 2006 - 12:37 PM

"BetaNews has contacted Mozilla.org officials for comment on the alleged flaw, which may yet be forthcoming."

So wait for that one.

Score: 0

By TC17

edited Oct 2, 2006 - 12:30 PM

"Unpatchable"?????

Yeah right. Not.

Score: 0

By pjlasl

posted Oct 2, 2006 - 12:15 PM

bashers...here they come!

Score: 0

By THZGryphon

posted Oct 2, 2006 - 1:00 PM

What goes around...

Score: 0

By digitalking

edited Oct 2, 2006 - 12:10 PM

Is this also in Firefox 2.0? I am assuming not, since Firefox has updated JavaScript in 2.0.

Score: 0

By Real1tyczech

posted Oct 2, 2006 - 12:15 PM

What I got from the article is that the very existence of this 'flaw' is in question as yet.

It may be a bit early in the game to start asking if it affects more than the current release as it may be nothing more than FUD.

Score: 0

By jakkal

edited Oct 2, 2006 - 4:43 PM

Anybody heard of Sandboxie or GreenZone? They work just great on my already secure system with both Firefox and K-Meleon, and require no preferences or authorization changes at all...