
New Firefox Vulnerability Revealed

Soulskill posted more than 5 years ago | from the whack-a-fox dept.

Mozilla 250

Not long after Firefox 3.5.1 was released to address a security issue, a new exploit has been found and a proof of concept has been posted. "The vulnerability is a remote stack-based buffer-overflow, triggered by sending an overly long string of Unicode data to the document.write method. If exploited, the resulting overflow could lead to code execution, or if the exploit attempts fail, a denial-of-service scenario." It's recommended that Firefox users disable Javascript until the issue is patched, though add-ons like NoScript should do the trick as well (unless a site on your whitelist becomes compromised).

Update: 07/20 00:09 GMT by KD : An anonymous reader informs us that the Mozilla security blog is indicating that this vulnerability is not exploitable; denial of service is as bad as it gets.


250 comments


Unbounded (5, Funny)

Mikkeles (698461) | more than 5 years ago | (#28748531)

So who's the moron using unbounded buffers?

Re:Unbounded (3, Interesting)

nathan.fulton (1160807) | more than 5 years ago | (#28748609)

Well, seeing as the bug was found in the Just-in-Time compiler (first link), probably someone who is concerned that the section of the code that they are working on will become a bottle neck, or someone that has to do special stuff that requires unbounded buffers.

Re:Unbounded (-1, Troll)

Anonymous Coward | more than 5 years ago | (#28748647)

What are six words you never, ever want to hear?

Hai, I be yo new neighbuh!

Re:Unbounded (5, Funny)

EsbenMoseHansen (731150) | more than 5 years ago | (#28749163)

What are six words you never, ever want to hear?

"I have a headache tonight, dear"

Re:Unbounded (5, Informative)

maxume (22995) | more than 5 years ago | (#28748769)

This is another, different bug than the one talked about in the first link. None of the other links specify whether this second bug is from the JIT or not.

Re:Unbounded (1)

sjames (1099) | more than 5 years ago | (#28749219)

Nothing requires unbounded buffers! Nothing at all. There are places where they're faster (right up until the whole thing goes down in flames or worse). At most, some things require segmented buffers that might have to be gathered later once the final size is known. Or you can just allocate a really large buffer and if it goes over that return "error: whoever said this could be arbitrarily large was wrong".

Of course, in this case it's the document.write method which has no excuse for not knowing the size in advance.

A: Firefox users (4, Funny)

iYk6 (1425255) | more than 5 years ago | (#28748679)

If you use firefox, then you are the moron using unbounded buffers.

Re:Unbounded (1)

BZ (40346) | more than 5 years ago | (#28748863)

Good question. I don't see any unbounded buffer use here. Do you?

Re:Unbounded (4, Funny)

Torodung (31985) | more than 5 years ago | (#28749187)

I am shocked, shocked, to find unbounded buffer use in this open-source application.

--
Toro

Re:Unbounded (1)

BZ (40346) | more than 5 years ago | (#28749245)

Again, do you actually see any?

Defective by design (-1, Troll)

Anonymous Coward | more than 5 years ago | (#28748549)

I'm sure this story will get tagged "defectivebydesign" since if this were Internet Explorer, everybody would be explaining how insecure closed source software is.

Re:Defective by design (4, Interesting)

TheRaven64 (641858) | more than 5 years ago | (#28748569)

Is this a new copy-and-paste troll? Almost the same post [slashdot.org] appeared in the Linux kernel exploit article. Apparently some people missed the Defective by Design campaign and are completely unaware that it relates to DRM, not to arbitrary bugs.

Re:Defective by design (2)

dave562 (969951) | more than 5 years ago | (#28748633)

Apparently some people missed the Defective by Design campaign and are completely unaware that it relates to DRM, not to arbitrary bugs.

It's safe to say that the meme has been co-opted. It seems to pop up in a fair number of articles these days.

Re:Defective by design (1)

Dachannien (617929) | more than 5 years ago | (#28748743)

It's not a meme [wikipedia.org] , though. Or, at least, it's not supposed to be.

Re:Defective by design (1)

dave562 (969951) | more than 5 years ago | (#28748859)

It might not have been originally intended to be a meme http://en.wikipedia.org/wiki/Meme [wikipedia.org] , but it seems to have become one. The idea that "DRM technology is Defective by Design" seems pretty memetic.

Re:Defective by design (1)

Darkness404 (1287218) | more than 5 years ago | (#28748953)

Not really a meme, but rather simply a statement, because really they are, defective by design.

Re:Defective by design (2, Informative)

Anonymous Coward | more than 5 years ago | (#28748667)

Really? Taking a look at stories that have the defectivebydesign tag [slashdot.org] there are DRM stories as you point out. However, look at some of the stories in there:

* Critical security hole in Linux Wi-Fi
* Apple issues patches for 25 security holes
* Very severe hole in Vista UAC design
* Surprise, Windows listed as most secure OS
* Vista worse for user efficiency than XP
* Loophole in Windows random number generator
* Remote exploit of Vista speech control
* SP1 unsuccessful in preventing Vista hacks
* Data loss bug in OS X 10.5 Leopard

And so on. So yes, the majority of stories using the tag are DRM-related but there's an increasing usage towards general-purpose software bugs or exploits as shown by the articles I pointed out.

Re:Defective by design (4, Insightful)

Goaway (82658) | more than 5 years ago | (#28748675)

http://slashdot.org/tags/defectivebydesign [slashdot.org]

Some stories tagged "defectivebydesign" that are not at all related to DRM:

"Critical Security Hole in Linux Wi-Fi"
"Apple Issues Patches For 25 Security Holes"
""Very Severe Hole" In Vista UAC Design"
"MS Responds To Vista's Network / Audio Problems"
"Apple's IPhone 3G Firmware Update Bombs"
"QuickTime .MOV + Toshiba + Vista = BSOD"
"Vista Slow To Copy, Delete Files"
"Vista Runs Out of Memory While Copying Files"
"Mark Russinovich On Vista Network Slowdown"
"Microsoft Knew About Xbox 360 Damaging Discs"
"Vista Not Playing Nice With FPS Games"

That's as far as I can be bothered to read. Go look at it yourself. That tag is cheerfully applied to many, many stories about Windows or Apple bugs.

Re:Defective by design (4, Insightful)

causality (777677) | more than 5 years ago | (#28748849)

That's as far as I can be bothered to read. Go look at it yourself. That tag is cheerfully applied to many, many stories about Windows or Apple bugs.

... by people who fail to understand the difference between "design flaw" and "implementation flaw."

A simple heuristic: if you can submit a well-written bug report and at least an attempt is made to fix the issue, it's probably not a design flaw.

Re:Defective by design (1)

Compenguin (175952) | more than 5 years ago | (#28748895)

As far as the Vista stories go, the network/copying/audio issues had to (or were believed to at the time) do with the DRM laden audio chain.

Re:Defective by design (1)

atraintocry (1183485) | more than 5 years ago | (#28749063)

Most of those could be argued to be hinting at the Blu-ray-related DRM present in Vista and newer MacBooks. And the iPhone is a closed system. There's an earlier post with some examples completely unrelated to DRM, and I think in those cases it's a case of the person knowingly using it as a joke to say that whichever commercial OS is referenced in the headline is never going to be any good.

As that happens more, it could mean the end of DbD as a DRM flag and just people using it because they heard it once and it sounded cool. But hopefully people will continue to parse the actual words in the phrase. I don't think I've seen it yet where I didn't think it was supposed to be applied humorously.

Of course, this being the internet, and Slashdot at that, sarcasm often goes undetected.

Re:Defective by design (4, Insightful)

causality (777677) | more than 5 years ago | (#28748787)

Apparently some people missed the Defective by Design campaign and are completely unaware that it relates to DRM, not to arbitrary bugs.

The primary difference being that bugs like this Firefox flaw are accidental and unintentional, whereas DRM is quite deliberate hence the "defective by design" nomenclature. That's such a sharp contrast, it's reasonable to assume that someone who fails to notice it is either speaking of what they know nothing about or purposely trolling. In other words, "highly advanced incompetence is indistinguishable from malice."

There were two ideas mentioned by GP, which were the "defective by design" label and the security reputation of IE. It's useful to know where those perceptions come from whether or not you actually agree with them. I'll make a very simplified (and therefore imperfect) summary of what I perceive as their bases.

The only reason why I see such a concept as "defective by design" applied to IE is a vague one. IE (and Microsoft in general) has something of a history of implementing ideas that were predictably unsound, the most notorious of which is probably ActiveX. That's mostly because ideas which are computationally sound are often orthogonal to ideas which are most easily marketed. True to the nature of a corporation, whenever these two are in conflict, the marketing concerns will win. This is where that perception of closed-source (that is, commercial) software that the GP mentioned comes from.

ActiveX is running untrusted code from a hostile network with no sandboxing and with the full privileges of the user running the browser. Before a single line of code is ever written to implement this, you can predict in advance that this is an unsound idea which invites trouble. Microsoft wrote the code and implemented the idea anyway. IMO that was a deliberate business decision because they felt the marketing and promotion of $SHINY_FEATURE would gain them more than they would lose from the PR problems of security issues. Because of how ignorant the general public tends to be about computer security, such decision-making has been largely successful. In other words, the people at Microsoft are not a bunch of idiots who didn't know what they were dealing with. They knew and they made their decision. Still, it's better to call that "faulty design" and "poor priorities" than to hijack a very specific term like "defective by design."

Re:Defective by design (1)

mysidia (191772) | more than 5 years ago | (#28749157)

Well, at this stage, no evidence Firefox is defective by design, or that this bug is a result of a design defect.

And thus the problem of slashdot tagging. The tags show up on articles as if they were part of its text or an officially sanctioned categorization of the article.

And yet the tags require no justification, and users who don't understand what some of the tags are normally used for often apply them liberally to articles that have nothing to do with the marking.

Take a look at some of the articles that get tagged DRM [slashdot.org] : "Ford To Introduce Restrictive Car Keys For Parents", "Massive VMware Bug Shuts Systems Down"

Last I checked, DRM wasn't a general word for all restrictive computer systems. Only computer systems that manage rights to digital content (music and video) by encrypting, preventing copying, and (sometimes) phoning home.

Just patch it and let's move on. (-1, Redundant)

Anonymous Coward | more than 5 years ago | (#28748557)

If 24 hours go by without a patch/new release, THEN we got news..

Re:Just patch it and let's move on. (4, Insightful)

Anonymous Coward | more than 5 years ago | (#28748587)

FTFA: The vulnerability was reported to SecurityFocus (BID 35707) on July 15.

4 days > 24 hours.

Re:Just patch it and let's move on. (2, Funny)

RichardJenkins (1362463) | more than 5 years ago | (#28748631)

Well, obviously he meant 24 hours after it was posted on Slashdot. As we all know, it's not real until it's on Slashdot.

That's not the first time (1)

VincenzoRomano (881055) | more than 5 years ago | (#28748565)

That a remote stack-based buffer-overflow can be triggered to compromise FF.
But why on earth those friendly developers don't design, implement a damned solution to be used everywhere in the code???
Fix once, fix forever (until next smarter exploit).

Re:That's not the first time (1)

defaria (741527) | more than 5 years ago | (#28748683)

I've been saying the same thing about cancer and the cold for years now!

Re:That's not the first time (4, Informative)

BZ (40346) | more than 5 years ago | (#28748803)

Have you tried the POC? Ideally under a debugger? It's a null-dereference crash due to failure to check an allocation for out-of-memory conditions. It's not exploitable, as far as I can see. And it's not a stack buffer overflow, by any means.

It'd be nice if these various security advisory services actually double-checked milw0rm postings before echoing them. Half the ones I've seen are in fact crashes, but not the sort the poster claims and not exploitable....

Re:That's not the first time (2, Informative)

Inda (580031) | more than 5 years ago | (#28748909)

Worse POC evar

-----

<html>
<head>
<script language="JavaScript" type="Text/Javascript">
// Build two very long strings by repeated doubling and hand them to
// document.write; the sheer size of the input is what triggers the crash.
var str = unescape("%u4141%u4141");
var str2 = unescape("%u0000%u0000");
var finalstr2 = mul8(str2, 49000000);
var finalstr = mul8(str, 21000000);

document.write(finalstr2);
document.write(finalstr);

// Repeat str num times: double the string ceil(log2(num)) times, then
// trim the result to exactly str.length * num characters.
function mul8 (str, num) {
    var i = Math.ceil(Math.log(num) / Math.LN2),
        res = str;
    do {
        res += res;
    } while (0 < --i);
    return res.slice(0, str.length * num);
}
</script>
</head>
<body>
</body>
</html>
<html><body></body></html>

Re:That's not the first time (1)

BZ (40346) | more than 5 years ago | (#28749159)

Well... That code _does_ crash the browser. Just not exploitably. ;)

Re:That's not the first time (3, Interesting)

ciroknight (601098) | more than 5 years ago | (#28748865)

Fix once, fix forever

The bug is in the Just-in-Time compiler inside of SpiderMonkey (TraceMonkey). This is brand new code as of 3.5.x. Of course there will be a ton of bugs found in it (just like the ton of bugs that have cropped up in SquirrelFish and have been subsequently patched).

I have to wonder why it's taken so long for anybody's security team to look at this code though. You'd think they'd look at this code before release and not after.

Re:That's not the first time (1)

causality (777677) | more than 5 years ago | (#28748913)

Fix once, fix forever

The bug is in the Just-in-Time compiler inside of SpiderMonkey (TraceMonkey). This is brand new code as of 3.5.x. Of course there will be a ton of bugs found in it (just like the ton of bugs that have cropped up in SquirrelFish and have been subsequently patched). I have to wonder why it's taken so long for anybody's security team to look at this code though. You'd think they'd look at this code before release and not after.

I think the point is that there are auditing tools which can automatically detect this kind of buffer overflow in source code. There are also libraries which offer versions of various functions that automatically include bounds checking that can help to prevent this kind of buffer overflow. You'd think that basic fuzz testing might find it as well. So far as I know, no such tools were used. New code or old code should not meaningfully change this scenario because new code need not be released and version numbers incremented until such tools have been used.

I'm more ignorant about software development than I would like to be, so I am hoping anyone can explain why the Mozilla team did not use such tools. I acknowledge there may be some reason unknown to me that explains why doing so would be impractical or unrealistic. However, I think something like this is what the GP had in mind with his "fix once, fix forever" comment.

Turn off javascript... (4, Insightful)

popo (107611) | more than 5 years ago | (#28748579)

... and stop using all of your web-apps... sigh...

Re:Turn off javascript... (0)

girlintraining (1395911) | more than 5 years ago | (#28748657)

... and stop using all of your web-apps... sigh...

Yeah, and half the websites out there will stop rendering then. Sadly, the vast majority of them don't need javascript to do their job, but such is the epic lame that is the average web programmer.

Re:Turn off javascript... (4, Insightful)

Teckla (630646) | more than 5 years ago | (#28748779)

Yeah, and half the websites out there will stop rendering then. Sadly, the vast majority of them don't need javascript to do their job, but such is the epic lame that is the average web programmer.

Or maybe most web programmers don't want to spend a lot of time and money supporting the 1% of users out there that don't have or disable JavaScript.

I'm just sayin'.

Re:Turn off javascript... (0)

Anonymous Coward | more than 5 years ago | (#28748815)

The problem is--more than 1% of users have it turned off--and probably temporarily turn it on for your craptastic site. And the *moment* we find a site that doesn't require javascript or flash to get the content or tools your site has--we'll be gone for good.

Re:Turn off javascript... (1)

judgexktf (1382625) | more than 5 years ago | (#28748955)

Or maybe most web programmers don't want to spend a lot of time and money supporting the 1% of users out there that don't have or disable JavaScript.

I'm just sayin'.

Let me fix that for you:

Or maybe most COMPANIES don't want to spend a lot of time and money supporting the 1% of users out there that don't have or disable JavaScript.

There, fixed. And to be honest; I can't say I blame them.

Re:Turn off javascript... (0, Troll)

Blakey Rat (99501) | more than 5 years ago | (#28748957)

Especially since the only reason people turn off Javascript is so they can post snooty messages on Slashdot about how cool they are since they keep Javascript turned off. (See also: Flash)

Re:Turn off javascript... (3, Insightful)

commodore64_love (1445365) | more than 5 years ago | (#28748961)

Wouldn't avoiding javascript make webpages smaller & therefore load faster? Perhaps you've got a megawide connection, but when I'm traveling all I have is 50k dialup. Even at home I'm limited to a relatively slow 700k. I'd prefer a web that's mainly text and images without the bloat.

Back in the 90s web programmers were taught to optimize and compress their pages as small as possible. It appears this lesson is no longer being taught in the schools.

Re:Turn off javascript... (4, Informative)

Xest (935314) | more than 5 years ago | (#28748981)

Looking at W3Schools stats on it it's about 5%. I've seen some stats suggest as high as 16% around 3 years ago:

http://www.w3schools.com/browsers/browsers_stats.asp [w3schools.com]

I feel Javascript is an important technology and rather than fucking around with all the proprietary crap like Flash we should be strengthening Javascript so it's more secure and more useful. In fact, a lot of browser vendors seem to be doing this, and those Chrome demos posted a few months back were a good example.

But I also think it's silly to assume and design for Javascript unless Javascript is the whole point of your site. There's so many sites out there that use Javascript for things like drop down menus and sometimes even positioning where CSS would suffice and not require Javascript support it's silly. To turn away 1 in 20 users doesn't seem the brightest idea unless you're building a web application where absolutely the only way to do what you want to do is to use Javascript.

Javascript shouldn't be a requirement for the vast majority of the web, only for those sites that truly need it.

Re:Turn off javascript... (2, Interesting)

atraintocry (1183485) | more than 5 years ago | (#28749117)

But I also think it's silly to assume and design for Javascript

According to w3schools [w3schools.com], 95% of users have JS on. There's no reason to essentially design two separate sites to support the other 5%. And it could be argued that that 5% could either easily turn it back on if they choose (in which case, they're the lazy one), or is using something really really old and has no need to, or doesn't want to.

I'm not a web developer, but it seems obvious to me that while it's possible and often sensible to include the other 5% (which may include spiders, which you typically want), ignoring them because you don't have time for two designs is not at all silly. They may not even be the type of people you want on your site anyway.

Re:Turn off javascript... (1, Insightful)

Anonymous Coward | more than 5 years ago | (#28748991)

Or maybe most web programmers don't want to spend a lot of time and money supporting the 1% of users out there that don't have or disable JavaScript.

Funny reasoning : defending actually complicating a link (for both the writer as well as the viewer of the webpage) by doing it the javascript way by claiming that most all man-and-dog have JS on anyways.

That's like defending robbery because almost everyone has insurance for it ...

Re:Turn off javascript... (1)

pbhj (607776) | more than 5 years ago | (#28749247)

Yeah, and half the websites out there will stop rendering then. Sadly, the vast majority of them don't need javascript to do their job, but such is the epic lame that is the average web programmer.

Or maybe most web programmers don't want to spend a lot of time and money supporting the 1% of users out there that don't have or disable JavaScript.

I'm just sayin'.

I'm finding a lot of sites now using javascript for simple image display. Not even progressively enhancing a basic grid with jQuery, just a simple 3x2 grid (or whatever) of images. Javascript for that, really?

I'm a web designer. I can't understand the rationale for such a design choice.

Re:Turn off javascript... (1)

morcego (260031) | more than 5 years ago | (#28748947)

Actually, I had some issues where I was forced to use Javascript on a website for no better reason than staying compliant with XHTML 1.1. I wanted to do something that was perfectly possible to do with only HTML 4 (no JS), but was not possible with XHTML 1.1 without either breaking the standard compliance, or using JS.

I'm not sure, but I think I wanted a link to open on a new window. But it is entirely possible it was something else.

Re:Turn off javascript... (0)

Anonymous Coward | more than 5 years ago | (#28748727)

Or just don't be a paranoid idiot and keep browsing anyway. Or change browsers if you're that much fucking worried.

You can't be serious! (4, Insightful)

jeffliott (1558799) | more than 5 years ago | (#28748581)

I don't know anything about JavaScript or Firefox internals, but a public sounding central function call like "DOCUMENT.WRITE" having a length related buffer overflow is just unacceptable. This call is used all the time right? How could this be missed?

Did YOU look for it? (-1, Troll)

Colin Smith (2679) | more than 5 years ago | (#28748699)

I don't know anything about JavaScript or Firefox internals,

But you thought you'd bitch to Slashdot anyway?

This call is used all the time right?

Didn't you just say you don't know shit about JavaScript or Firefox?

Re:Did YOU look for it? (1)

Toonol (1057698) | more than 5 years ago | (#28748751)

Well, the small amount he evidently knows still allowed him to make a reasonable question, which actually resembles bitching far less than your response does.

Rudeness is uncalled for. Let's keep this civil! (0)

Anonymous Coward | more than 5 years ago | (#28748759)

Reread the GP's post. He doesn't know anything about JavaScript and Firefox internals. Any fool can tell you that document.write is one of the most public function calls JavaScript uses, and his point is valid.

Nice strike... (0)

Anonymous Coward | more than 5 years ago | (#28748789)

with your Zealot-fu...

Re:You can't be serious! (2, Insightful)

TopSpin (753) | more than 5 years ago | (#28748745)

This is my feeling as well. FYI: document.write is the JavaScript equivalent of write(2). It is used liberally in modern web content; I doubt there are any popular contemporary pages that don't use it.

This code path should be impervious to any overflow exploit that might conceivably appear. Obviously document.write can and is used to exploit other more subtle flaws in a browser as it is capable of producing arbitrary document content, but that's not what we have here. Here we have long strings breaking document.write itself.

Unacceptable. Fix it now. Sunday.

Re:You can't be serious! (5, Informative)

BZ (40346) | more than 5 years ago | (#28748833)

It's not a buffer overflow. It's a missing OOM check leading to a non-exploitable (well, if your kernel is sane; some Linux versions are not) null-dereference crash.

Note also that the article linked to is misreporting this in other ways as well; unfortunately I'm not at liberty to go into details on that yet. :(

omg (0)

Anonymous Coward | more than 5 years ago | (#28749033)

It's not a buffer overflow. It's a missing OOM check

You see... right there is the cause of this crap. A "missing OOM check" IS A GOD DAMN BUFFER OVERFLOW. The buffer you overflow is whatever heap you take for granted when you DELIBERATELY IGNORE the failure of some allocation. A heap is just an elaborate managed "buffer."

Allocations fail. Even if you don't think they can and have never witnessed it. Even if your boss's design assumes they can't and lacks any way to deal with it. Even if it takes more effort to handle a failure than your deadline will permit. Stop ignoring allocation failures.
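BZ's analysis above (a missing out-of-memory check on an allocation, so a huge document.write ends in a null dereference rather than a stack overflow) and the AC's point that allocation failures must be handled are the same defensive lesson. The following is an added example in C, not Mozilla's code and not the PoC: a hypothetical document buffer (`docbuf`, `docbuf_write`, the `DOC_MAX_BYTES` cap and the `doc_realloc` seam are all assumptions made for the example) that grows geometrically the way the mul8 doubling loop does, but checks length arithmetic for overflow, enforces an upper bound, and returns an error instead of writing through a NULL pointer when the allocator fails. The `simulate_poc` helper replays the shape of the PoC (many repeated writes) with a simulated OOM limit so the failure path can be exercised offline.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical document buffer standing in for the internal string that
 * document.write appends to (assumption; not Mozilla's data structure). */
typedef struct {
    char  *data;   /* NULL while cap == 0 */
    size_t len;
    size_t cap;
} docbuf;

enum { DOC_OK = 0, DOC_ERR_TOO_LARGE = 1, DOC_ERR_OOM = 2 };

/* Upper bound on document size; an assumed policy value for the example. */
#define DOC_MAX_BYTES ((size_t)1 << 30)

/* Allocation seam so a test can simulate an out-of-memory condition:
 * when fail_above_bytes is non-zero, any request larger than it fails. */
static size_t fail_above_bytes = 0;

static void *doc_realloc(void *p, size_t n) {
    if (fail_above_bytes != 0 && n > fail_above_bytes)
        return NULL;                      /* simulated OOM */
    return realloc(p, n);
}

static int docbuf_reserve(docbuf *b, size_t extra) {
    /* 1. overflow-checked length arithmetic before anything is allocated */
    if (extra > SIZE_MAX - b->len) return DOC_ERR_TOO_LARGE;
    size_t need = b->len + extra;
    if (need > DOC_MAX_BYTES) return DOC_ERR_TOO_LARGE;
    if (need <= b->cap) return DOC_OK;

    /* 2. geometric growth, clamped to the cap instead of doubling blindly */
    size_t newcap = b->cap ? b->cap : 64;
    while (newcap < need) {
        if (newcap > DOC_MAX_BYTES / 2) { newcap = DOC_MAX_BYTES; break; }
        newcap *= 2;
    }

    /* 3. check the allocation; on failure the old buffer is left intact and
     *    the caller gets an error instead of a NULL pointer to write through */
    char *p = doc_realloc(b->data, newcap);
    if (p == NULL) return DOC_ERR_OOM;
    b->data = p;
    b->cap = newcap;
    return DOC_OK;
}

/* Append n bytes of s; returns DOC_OK or an error code, never touches memory
 * it did not successfully reserve. */
int docbuf_write(docbuf *b, const char *s, size_t n) {
    int rc = docbuf_reserve(b, n);
    if (rc != DOC_OK) return rc;
    memcpy(b->data + b->len, s, n);
    b->len += n;
    return DOC_OK;
}

void docbuf_free(docbuf *b) {
    free(b->data);
    b->data = NULL;
    b->len = b->cap = 0;
}

/* Replays the shape of the PoC (many repeated short writes) under a simulated
 * allocation limit of oom_limit bytes (0 = no limit). Returns the status of the
 * first failing write, or DOC_OK if every write succeeded. */
int simulate_poc(size_t repeats, size_t oom_limit) {
    docbuf b = {0};
    fail_above_bytes = oom_limit;
    int rc = DOC_OK;
    for (size_t i = 0; i < repeats && rc == DOC_OK; i++)
        rc = docbuf_write(&b, "AAAA", 4);   /* constructed sample input */
    fail_above_bytes = 0;
    docbuf_free(&b);
    return rc;
}

int main(void) {
    printf("1000 writes, no limit:        rc=%d\n", simulate_poc(1000, 0));
    printf("1000000 writes, 1 KiB limit:  rc=%d\n", simulate_poc(1000000, 1024));
    return 0;
}
```

With no limit the writes all succeed (rc 0); with a 1 KiB simulated limit the run stops with DOC_ERR_OOM (rc 2) as soon as growth needs a 2 KiB block, and nothing is written past the buffer that was actually obtained. The same shape of check is what turns "crash on absurd input" into "refuse absurd input", which is the whole difference between a denial-of-service bug and a silent memory-safety one.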

Re:You can't be serious! (1)

atraintocry (1183485) | more than 5 years ago | (#28749149)

Not at liberty? Isn't Firefox open source?

Re:You can't be serious! (1)

BZ (40346) | more than 5 years ago | (#28749225)

Yes, it is. That's not related to the issue at hand.

Re:You can't be serious! (1)

dkf (304284) | more than 5 years ago | (#28749257)

Not at liberty? Isn't Firefox open source?

He may have voluntarily agreed to hold off discussing a related known problem until it is fixed. I've done that a few times for other software (no, I don't feel like telling you what even though the fixes have been done for many years now) and with responsive OSS projects - either because they've got someone who really cares about this sort of thing, or because they've got lots of effort anyway - such issues tend to get fixed very rapidly. To be fair, that's true of the good commercial developers too; nobody conscientious likes having a security problem about as they tend to make for other difficulties too.

Many eyes makes for secure code (3, Insightful)

nacturation (646836) | more than 5 years ago | (#28748583)

Let's just hope that all those eyes are friendly. How many black hats are scouring the source code to generate exploits to sell underground? As quickly as Firefox releases patches, when these bugs aren't reported it's no better than a proprietary browser.

NICE TROLL BUDDY (-1, Flamebait)

Anonymous Coward | more than 5 years ago | (#28748691)

Except in this case, NoScript still provides a small barrier unless you whitelisted every website.

Firefox isn't perfect but at least it's not a horribly-slow-to-fix pile of garbage like IE.

But you're also right: Unknown exploits and flaws are potentially harmful no matter which software you use. Thanks for the warning.

Re:NICE TROLL BUDDY (0)

Anonymous Coward | more than 5 years ago | (#28748777)

From TFA:

"Note: Although Javascript access can be restricted with applications such as the NoScript Add-On, it may still be possible for the browser to be exploited if an untrusted website is loaded (with/without the consent of the user, for example, via XSS or compromised-whitelisted website)"

Nice troll though.

Re:NICE TROLL BUDDY (0)

Anonymous Coward | more than 5 years ago | (#28749017)

You have dogs in your ass.

Re:Many eyes makes for secure code (2, Interesting)

dougisfunny (1200171) | more than 5 years ago | (#28748719)

Let's just hope that all those eyes are friendly. How many black hats are scouring the source code to generate exploits to sell underground? As quickly as Firefox releases patches, when these bugs aren't reported it's no better than a proprietary browser.

Except that other people are a lot more likely to find the same bug, and report it regardless of the black hats.

The code may not be that relevant (2, Interesting)

Sycraft-fu (314770) | more than 5 years ago | (#28748753)

After all, FF is open during development, not just after release. 3.5 has been a long time in coming, the code has been out there for lots to see and lots have looked, yet this was missed.

The thing is, open or closed, any major project has a lot of people looking at the code, and at least some of those people, perhaps most, are highly skilled. What this means is that it isn't likely there's an extremely obvious bug in the code. It isn't the sort of thing that someone would look at the source and go "Oh look they forgot to set getHacked = 0," or something like that. If it were obvious, the developers probably would have caught it. Instead the bugs are due to subtle interactions in the code, that aren't easy to see.

So, more often than not, the way these things get found isn't someone poring over the code, it is someone trying out attacks on the finished product. They try sending it bad data of various kinds to see how it reacts, or perhaps they see it react in a certain way to good data that gives them an idea how they might craft bad data to exploit it. Whatever the case, they are working on the finished product, and not particularly concerned with the source.

This is why you find bugs even in projects that many people are on, because developing something and looking at the code is really different from trying to exploit the finished product.

failed proof of concept (3, Informative)

Anonymous Coward | more than 5 years ago | (#28748615)

It looks like the proof of concept only shows how this could lead to a stack overflow. There is no concept about how this could lead to code execution, which makes this just another way to crash a browser.
Crashing browsers is of course potentially a problem, but it's quite boring while there are still so many ways to do real exploits.

Re:failed proof of concept (1)

X0563511 (793323) | more than 5 years ago | (#28748665)

Fool! A stack overflow can, by merits of exactly what it is, lead to code execution!

Re:failed proof of concept (0)

Anonymous Coward | more than 5 years ago | (#28748809)

It's a null-deref crash, and Mozilla thinks it's not exploitable.

Re:failed proof of concept (3, Informative)

BZ (40346) | more than 5 years ago | (#28748843)

> It looks like the proof of concept only shows how this could lead to a stack overflow

It actually doesn't even show that, if you try running it under a debugger... It shows a null dereference due to lack of out-of-memory check on an allocation.

fix: (5, Funny)

Anonymous Coward | more than 5 years ago | (#28748623)

document.write = function(){ alert("This website was designed by a fucking idiot."); };

Re:fix: (5, Funny)

nacturation (646836) | more than 5 years ago | (#28748689)

I tried this using greasemonkey and wanted to thank you for it, but I had to switch to Internet Explorer to post the reply as for some reason Slashdot started bringing up a million alert boxes.

Re:fix: (0)

Anonymous Coward | more than 5 years ago | (#28748755)

document.write = function(){ alert("This website was designed by a fucking idiot."); };

Which analytics tracker would you recommend instead of Google?

Slow News Day, Obviously (1, Funny)

Anonymous Coward | more than 5 years ago | (#28748641)

In other news, Apollo 11 was faked [rense.com] .

Expect to see much more of this in the future.. (2, Insightful)

ickleberry (864871) | more than 5 years ago | (#28748645)

.. as the horrible language that is JavaScript is extended ever more to try and emulate real desktop applications (and more pervasive advertising).

Mang, sometimes I wish I could still get by with a browser that doesn't support JS at all, but web devs insist on building websites that absolutely require JS. For example the free SMS service for my mobile phone network (Meteor) absolutely won't work with JS disabled.

Re:Expect to see much more of this in the future.. (2, Insightful)

Anonymous Coward | more than 5 years ago | (#28748681)

I don't know why you hate web applications so much but I agree that Javascript is a horrible language. The specification is gigantic and the language is overcomplicated.

Lua [lua.org] makes a much better Javascript than Javascript. Small, lightweight and fast. Besides the syntax differences Lua is otherwise semantically very similar to Javascript except with a much better design... and Lua does it with a minuscule language syntax and VM.

Re:Expect to see much more of this in the future.. (1)

the_womble (580291) | more than 5 years ago | (#28749087)

The problem is that no one is going to switch to another language unless all the major browsers support it.

People have tried to promote alternatives before (TCL and VBScript at least, probably a lot more I do not know about), but they never got anywhere.

Re:Expect to see much more of this in the future.. (1, Troll)

maxume (22995) | more than 5 years ago | (#28748701)

This has entirely to do with the Firefox implementation of the document.write function, not javascript; it is likely that the flaw is actually in C++ code.

If you type 'javascript:document.write.toString()' into the url bar in Firefox, you will see 'function write() { [native code] }'.

Is That What's Crashing Xorg? (0, Interesting)

Anonymous Coward | more than 5 years ago | (#28748669)

I wonder if this bug is what is causing Xorg to crash, as described in this blog post? [wordpress.com]

I thought they tested 3.5 prior to release.

Re:Is That What's Crashing Xorg? (2, Insightful)

Norsefire (1494323) | more than 5 years ago | (#28748735)

So because Firefox was open when it crashed, Firefox must have caused it? Couldn't be that because most people have their browser open 99% of the time chances are that it will be open when something goes wrong?

Re:Is That What's Crashing Xorg? (1, Insightful)

Anonymous Coward | more than 5 years ago | (#28748853)

Couldn't be that because most people have their browser open 99% of the time chances are that it will be open when something goes wrong?

Sure it COULD be coincidental. It COULD be caused by many things. But, it COULD also be Firefox. But wait! The blog post now confirms that it IS Firefox 3.5.x that is causing the Xorg crash.

But, thanks for your fanboish attempt to distract from the matter at hand. Lord knows we wouldn't want the light shone on the reality of your pet project.

The Captcha says "SOLVED". How does it know?

No... (1)

Sir_Lewk (967686) | more than 5 years ago | (#28749035)

Even if Firefox is triggering it, it's clearly an issue with Xorg itself. Firefox, no matter how crappy, should not be able to take out X.

Not just Firefox? (4, Informative)

Norsefire (1494323) | more than 5 years ago | (#28748677)

The proof of concept has crashed every browser I've tried it on: Firefox (obviously) (and the 3.6 nightly), Epiphany, Chromium, Opera and Android Browser. So is Firefox the only browser that is exploitable during the crash, or are other browsers affected?

Re:Not just Firefox? (3, Informative)

BZ (40346) | more than 5 years ago | (#28748875)

When I tried this, I see Firefox crashing with a null dereference. So not exploitable.

Do you see something different?

Re:Not just Firefox? (1)

Norsefire (1494323) | more than 5 years ago | (#28749113)

No, that's what I see on every browser. I thought I must be missing something but it looks like this entire "exploit" is a non-event.

Re:Not just Firefox? (2, Informative)

BZ (40346) | more than 5 years ago | (#28749173)

Well, the fact that SANS is blindly reposting known-unreliable things like milw0rm postings is something of an event, to me... Forgetting the fact that it tarnishes the reputations of whatever software they falsely accuse of being vulnerable, it leads to SANS being less reliable and less trusted. The whole crying wolf thing.

But yeah, I agree that this "exploit" is nothing of the kind.

Re:Not just Firefox? (2, Interesting)

Bacon Bits (926911) | more than 5 years ago | (#28749175)

It crashes FF 3.5.1 and Safari 4.0.2 for me, but not Chrome 2.0.172.37 or IE 8.

automate protection (4, Interesting)

Anonymous Coward | more than 5 years ago | (#28748693)

These recurring requests to turn off something are getting annoying. Why not automate the process? Set up a page somewhere like
www.mozilla.com/firefox/3.5.1/current-safety.txt

which would list something like
javascript: unsafe
java: safe
flash: safe

Then by default your browser would fetch that file and automatically implement Mozilla's recommendation of the day.

No Javascript? No Firefox. (2, Informative)

TheMCP (121589) | more than 5 years ago | (#28748739)

To say, for the contemporary web, "turn off javascript", is to say, "break everything". If I can't safely use the browser with Javascript, I can't safely use the browser.

Why the hell use Firefox 3.5? (0)

Anonymous Coward | more than 5 years ago | (#28748749)

It seems to conflict with the program Steam and other programs, issues with minimize/maximize, etc.

Two words: (1)

Norsefire (1494323) | more than 5 years ago | (#28748799)

Porn mode.

abc's (0)

Anonymous Coward | more than 5 years ago | (#28748797)

open source = security (at least that's what i've learned from every other slashdot post).

Re:abc's (1)

rysiek (1328591) | more than 5 years ago | (#28748877)

Nope. It's more like:
"Open source = code visibility", so that anybody is able to spot the bugs and fix them. This embiggens hugely chances that somebody will spot the bugs, and that somebody will fix them (as you have a potentially much larger dev base); but then again, it doesn't mean that - magically - "security will happen" just because it's OpenSource.

Also, I think you should be moderated "Troll"; but that would make this post "Redundant". Ah, well.

Re:abc's (0)

Anonymous Coward | more than 5 years ago | (#28748907)

A: "You should install Ubuntu, it's great!"
B: "Nah, I'm ok with what I use now"
A: "But with Ubuntu you get access to the SOURCE CODE!"
B: "Uhhh...ok"
A: "That means it's secure because anyone can check it for bugs and exploits"
B: "Really? Have you checked through the code you're running on your Ubuntu?"
A: "Nah, other people do that"
B: "....."

Firefox sucks (5, Funny)

isa-kuruption (317695) | more than 5 years ago | (#28748915)

This is the reason why I avoid crappy software like Firefox and stick to MSIE! Firefox is riddled with bad, bloated code making it easily subjectable to these types of attacks. On top of that, the development model allows mistakes like this to get into the codebase without proper quality assurance.

If I have to /sarcasm, I will kill you.

Re:Firefox sucks (0)

Anonymous Coward | more than 5 years ago | (#28748949)

Deflect! Deflect! Deflect!

Re:Firefox sucks (0)

Anonymous Coward | more than 5 years ago | (#28749179)

You are an idiot.

here is what I want to know.... (1)

digibud (656277) | more than 5 years ago | (#28748935)

One hears about such vulnerabilities often, but I rarely get any sense of just how dangerous this is. How often do these vulnerabilities translate into compromised web pages that the average user who isn't going to download porn....how often do these exploits translate into people actually having their computers compromised and turned into bots? I know many, many computers are compromised...just not sure of the manner in which they are actually pwnd...

Well. It is like AIDS (1)

SmallFurryCreature (593017) | more than 5 years ago | (#28749181)

AIDS is a very dangerous virus that can strike anyone who has sex. A true danger.

But you are on slashdot. You ain't having sex.

Be honest, how many "odd" sites do you visit? How many slutty URLs do you follow home?

The danger really depends on what you do. I know people who follow any link, open any email and click on anything in sight. It is amazing what they can do to an innocent virgin computer in just a week.

This bug is already highly overrated, lots of people have tried and so far it only results in crashes. Big whoop.

Most bots are not created by crafty code or even by clever exploits or social engineering. It is just: put a file named Harry Potter The half blood prince.exe online and people will happily download it, install it, click through all security warnings and then wonder why they can't get their movies and complain to their ISP that their movie service sucks (I swear to god, this really happens).

Here is a hint. A movie is more than 10 MB. It does NOT have .exe at the end. WMV is only used by people to force a payload via an automatic codec install.

Being safe is about using your brain, not relying on some script.

Firefox Vulnerability (2, Funny)

DaveV1.0 (203135) | more than 5 years ago | (#28748937)

But, but, but, that's unpossible!

Re:Firefox Vulnerability (1)

maxume (22995) | more than 5 years ago | (#28748977)

Yeah, the 60 comments that got in before you are rife with such groupthink.

no evidence that this is exploitable (1)

asa (33102) | more than 5 years ago | (#28749049)

This is a browser out of memory crash. There is no evidence that this is exploitable while all evidence points to it not being exploitable. Pretty much all browsers crash from this but that doesn't mean that it's a security issue.

Run Linux Firefox with AppArmor (2, Informative)

dtschmitz (1601217) | more than 5 years ago | (#28749131)

Folks, NoScript will catch most Javascript exploits, but you should have a 'catch net'. AppArmor provides a 'sandbox' around any process you want. Firefox is a good example; I have written a how-to for creating an AppArmor profile in Ubuntu 9.0.4. Read my blog here [dtschmitz.com]. Be Safe. Dietrich T. Schmitz