Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Gaping Holes In Fully Patched IE7, Firefox 2

kdawson posted more than 7 years ago | from the just-when-you-thought-it-was-safe dept.

Security 303

Continent1106 writes "Hacker Michal Zalewski has ratcheted up his ongoing assault on Web browser security models, releasing details on serious flaws in fully patched versions of IE6, IE7 and Firefox 2.0. The vulnerabilities could cause cookie stealing, page hijacking, memory corruption, code execution, and URL bar spoofing attacks." Here is Zalewski's post to Full Disclosure.

Sorry! There are no comments related to the filter you selected.

Poll (-1, Offtopic)

Anonymous Coward | more than 7 years ago | (#19390465)

What's better...

IE7 [impoll.net]
Firefox 2 [impoll.net]

Re:Poll (2, Interesting)

digitalchinky (650880) | more than 7 years ago | (#19391457)

Sorry, posting to undo an accidental negative moderation.

And Opera (-1, Troll)

Constantine XVI (880691) | more than 7 years ago | (#19390481)

No holes for Opera? Oh well...

(sits back in corner with large grin on face)

Re:And Opera (4, Funny)

WilliamSChips (793741) | more than 7 years ago | (#19390509)

Naw, Opera just randomly crashes and then has a default behavior of restarting the site that causes it to randomly crash.

Re:And Opera (0)

Anonymous Coward | more than 7 years ago | (#19390689)

Try using a... I don't know RECENT VERSION.

Re:And Opera (1)

MyLongNickName (822545) | more than 7 years ago | (#19390729)

What version are you using? I haven't noticed this behavior.

I have, however, noticed Firefox 2 crashing a lot more than it used to.

Re:And Opera (2, Informative)

Carlinya (622024) | more than 7 years ago | (#19390787)

I'm using the latest version of Opera (9.21), and it takes up more memory and crashes more often than FF does. In fact, sometimes opening two heavy flash windows causes it to be unresponsive and then crash shortly afterwards.

Re:And Opera (1)

Xeriar (456730) | more than 7 years ago | (#19390971)

Quicktime's FF plugin seems to be insanely unstable. I can only play a few files before it crashes Firefox. Otherwise it's been rock solid (aside from this exploit deal).

Re:And Opera (1)

McNihil (612243) | more than 7 years ago | (#19391109)

The problem is on some installs+assorted plugins when it opens up a window with the help of javascript. Running FF2 on Fedora 7 x64 now and it does not behave like that anymore.

Re:And Opera (4, Interesting)

Lisandro (799651) | more than 7 years ago | (#19390801)

I had Opera crashing on me on, say, 50-60 times in the past 5 years i've been using it (back from version 6). Of those, 60% were issues with that piece of shit Flash plugin for Linux, and even that got much better. Opera crashed? No problem, just hit "resume" when you restart.

Opera is as stable as FF (and way more stable than IE) with a fraction of the system requirements - and faster than both. Try an up to date version, you'll be surprised.

opera crashes once a month? (0)

Anonymous Coward | more than 7 years ago | (#19390889)

that is not stable.

crashes: probably exploitable (1)

r00t (33219) | more than 7 years ago | (#19390985)

A damn lot of crashes are exploitable.

Even something as harmless-looking as a NULL pointer read can indicate an exploitable crash. It may mean a stack overflow. It may just be a NULL pointer read, which is (almost unbelivably) exploitable on Windows because of the way plug-ins and exception handlers work.

Re:crashes: probably exploitable (3, Interesting)

Lisandro (799651) | more than 7 years ago | (#19391309)

On my experience, most of the crashes are plugin related. I was conservative with the (pulled off my ass :) 60% figure - Flash, until recent versions, was a guaranteed way of hanging your browser. I had some memory leaks back with version 7, which were promptly fixed in an update, and a crash when you opened and closed tabs in a certain way, which was also fixed quickly.

Other than that, i can't honestly recall major problems with Opera. Not that i had a lot of issues with Firefox either (outside Flash, that is), but it does run much faster and with less memory requirements.

Re:And Opera (1)

TitusC3v5 (608284) | more than 7 years ago | (#19391241)

I would be more inclined to use it if the default QT appearance for Opera didn't look like ass when running under non-KDE environments.

Re:And Opera (1)

Lisandro (799651) | more than 7 years ago | (#19391279)

It looks allright [homelinux.org] (using the static QT version) under XFCE, which happens to be a pure GTK+ desktop enviroment. Stock configuration - i only adjust toolbars and such.

Re:And Opera (1)

feedmetrolls (1108119) | more than 7 years ago | (#19391567)

Yesterday Firefox crashed on me TEN TIMES!!! Today it was about five. Before yesterday, hardly ever. Is it time to finally make the move to Linux? I think Ballmer has finally grabbed my browser by the balls, and there's nothing I can do...on Windows at least.

Re:And Opera (2, Insightful)

QuietLagoon (813062) | more than 7 years ago | (#19391027)

Opera just randomly crashes and then has a default behavior of restarting the site that causes it to randomly crash.

More than likely, Opera restarts with the site before the one that caused the crash.

Unfortunately for Opera, most sites are written according to IE's buggy standards. While Opera does try to accomodate the poor HTML written by web programmers who think the Internet is viewed only through IE-colored glasses, sometimes it is difficult to accomodate to flagrant stupidily that is IE's rendering engine.

And Elinks (2, Funny)

gumpish (682245) | more than 7 years ago | (#19390675)

No holes for elinks? Oh well...

(sits back in corner with large grin on face)

AND LYNX! (5, Funny)

Anonymous Coward | more than 7 years ago | (#19390745)

No holes for Lynx? Oh well...
(sits back with biggest grin on face)

And Natalie Portman? (0, Offtopic)

larry bagina (561269) | more than 7 years ago | (#19390797)

3 holes in Natalie Portman? Oh yeah!
(sits back with the biggest grin on his face)

Re:And Opera (0)

Anonymous Coward | more than 7 years ago | (#19390795)

And I'm browsing with Konquerer!

(struts around smugly until his browser crashes due to some plugin incompatibility bug)

Ah well (5, Informative)

GFree (853379) | more than 7 years ago | (#19390503)

Gaping Holes In Fully Patched IE7, Firefox 2
In other words, it doesn't matter which browser you use, you're gonna get F'd in the A regardless? Sounds painful.

Re:Ah well (0)

Anonymous Coward | more than 7 years ago | (#19390707)

I use wget.

Pr0n never looked so good....

Re:Ah well (5, Informative)

rts008 (812749) | more than 7 years ago | (#19390777)

RTFA...Try the demo's...It will reduce the FUD.

I tried the demo page/file and got no response whatever.

"2) Title : Firefox Cross-site IFRAME hijacking (MAJOR)
      Impact : keyboard snooping, content spoofing, etc
      Demo : http://lcamtuf.coredump.cx/ifsnatch/ [coredump.cx]
      Bugzilla : https://bugzilla.mozilla.org/show_bug.cgi?id=38268 6 [mozilla.org] [May 30]"
from:(http://lcamtuf.coredump.cx/ifsnatch/) which is from:2) Title : Firefox Cross-site IFRAME hijacking (MAJOR)
      Impact : keyboard snooping, content spoofing, etc
      Demo : http://lcamtuf.coredump.cx/ifsnatch/ [coredump.cx]
      Bugzilla : https://bugzilla.mozilla.org/show_bug.cgi?id=38268 6 [mozilla.org] [May 30]"

and this:"3) Title : Firefox file prompt delay bypass (MEDIUM)
      Impact : non-consentual download or execution of files
      Demo : http://lcamtuf.coredump.cx/ffclick2/ [coredump.cx]
      Bugzilla : https://bugzilla.mozilla.org/show_bug.cgi?id=37647 3 [mozilla.org] [Apr 04]"

I tried both link's test button and got no response whatever.

IMHO, this must be something related to running Windows, as my Kubuntu 7.04 Feisty w/ Firefox 2.0.04 (with NoScript, Adblock, Adblock Filterset, and Flashblock) just does not act on this.

I guess I need to install some version of Windows to experience this...I feel deprived and left out!

Does this work with Firefox w/ NoScript on Windows?

From past experience, I have no doubts that it works with any version of IE on any Windows platform.

Re:Ah well (3, Informative)

Sizzlebeast (987883) | more than 7 years ago | (#19390999)

Firefox 2.0.0.4 w/ NoScript and it won't work on windows either. I guess i have to allow it...not gonna happen :) I guess I'm safe

probably NoScript (3, Insightful)

r00t (33219) | more than 7 years ago | (#19391049)

You're a rare weirdo. Much of the web won't work without scripting, or at least won't work well.

You're missing out on the nicer wiki/blog editors, live updates to the price of a computer purchase as you add/remove components, tolerable web mail interfaces, and (if your CPU is fast) the experimental slashdot interface.

Those are just the nerd things. I'm told there are numerous non-nerd things on the web as well, with far more scripting.

Re:probably NoScript (2, Informative)

MightyYar (622222) | more than 7 years ago | (#19391119)

But you can use NoScript and still allow useful scripts... that's the whole point! The whole advantage of NoScript is that you can click on any shady site that you wish with little-to-no chance of compromising your machine. Presumably, you won't allow scripts from said shady site... when you get to YouTube and the videos won't play, then you enable scripting.

Re:probably NoScript (3, Informative)

Barny (103770) | more than 7 years ago | (#19391509)

Yup, noscript doesn't let such nasties run, unless you give them permission, which seems to be half the problem for most internet users.

As for the person saying noscript is hard to use, its usually a matter of just clicking the script item (like a youtube vid that is being blocked) and it allows it to run temporarily, should be built in standard imho.

Combine it with a nice ad server blocker (kerio personal firewall for instance) and the web just suddenly starts working as it was meant to :)

Re:probably NoScript (1)

MightyYar (622222) | more than 7 years ago | (#19391601)

...which seems to be half the problem for most internet users.
Yeah, I really don't see any software product that will solve social engineering tactics.

Re:Ah well (4, Informative)

liquidpele (663430) | more than 7 years ago | (#19391093)

I tried the firefox demo for the iframe hijacking thing and it did indeed hijack an iframe on a google groups website, so that one is confirmed for FF in windows at least.

Re:Ah well (3, Interesting)

egr (932620) | more than 7 years ago | (#19391113)

first two works on my Fedora 7 (Firefox 2.0.0.4 without NoScript), NoScript is not a part of Firefox so I think it should be really tested without it, however the last one didn't work, instead it asked me to download html page with download manager

Re:Ah well (0)

Anonymous Coward | more than 7 years ago | (#19391127)

and this:"3) Title : Firefox file prompt delay bypass (MEDIUM)
            Impact : non-consentual download or execution of files
            Demo : http://lcamtuf.coredump.cx/ffclick2/ [coredump.cx]
            Bugzilla : https://bugzilla.mozilla.org/show_bug.cgi?id=37647 3 [mozilla.org] [Apr 04]"
That has got to be one of the worst attempts at getting me to open a file from the internet I've seen in a long time.

For those that didn't try it... it'll show the file download box, then it'll pop-up another window with a game inside it, that requires you to continuously press the "Enter" key for ~10 seconds. The pop-up disappears and the focus shifts back to the download dialog where a press of the "Enter" key will automatically download/open the file.

A) You have to somehow not notice the file download dialog appearing behind a pop-up window
B) You have to want to play a game you see in a random pop-up window
C) The file is only going to run as a very limited user account with the correct Firefox process permissions (yes, this can be done in Windows XP as well, although no one does it)
D) Executable files by default don't have an "Open" option when downloading a file in Firefox - you can only save them

Psst... Hey Slashdot, your bias is showing (-1, Troll)

Anonymous Coward | more than 7 years ago | (#19390963)

And once again, Slashdot fails to mention that the exploit does not work if you are using Vista and IE7.

I guess they can't afford to admit how Firefox is old crap, so they keep failing to mention when the one-two punch combo of Vista and IE knocks them on their asses. Again. And again.

Re:Ah well (1)

Illogical Spock (1058270) | more than 7 years ago | (#19391501)

I'm glad I use Lynx...

Woot! (4, Funny)

Anonymous Coward | more than 7 years ago | (#19390531)

Wow, I'm so glad I installed Firefox so I'm immune to all of these IE bugs!

Oh, wait, what did that say?

-AC

Victim Statistics? (5, Insightful)

Anonymous Coward | more than 7 years ago | (#19390539)

Perhaps I'm ignorant, but does anyone ever find themselves a victim of these "gaping holes"? I can't say as I've ever browsed on to a site and found myself the victim of a compromised computer or ended up with viruses. Is there a site/blog that reports such statistics?

Re:Victim Statistics? (2, Informative)

eli pabst (948845) | more than 7 years ago | (#19390887)

There are a shitload of sites that host malicious code to intentionally infect vulnerable browsers. Even regular sites are occasionally hacked to host malicious code. The most recent big name one I can think of is the Miami Dolphins football team website during the last superbowl. A few years back a number of sites that produce banner advertisements were hacked, which resulted in widespread malicious banners getting hosted on tons of otherwise secure sites. I don't know of any database of malicious websites, but http://isc.sans.org/ [sans.org] usually has a good daily handlers report that lists widespread nastiness and other new developments.

Link to info on the Dolphins hack:
http://www.infoworld.com/article/07/02/02/HNdolphi nssiteshacked_1.html [infoworld.com]

Very Often (1, Informative)

Anonymous Coward | more than 7 years ago | (#19390915)

Most of the malware is for IE, but it's quite frequent for an advertising network or such to be compromised and to send out infected ads. Plenty of websites and ad networks have been hacked for no apparent reason other than to infect people. It's far from the only way they trick people, of course. They like to require special software to use their smileys, screen savers, programs to download some site's crap (especially for porn, like the porn dialers from the days when modems were common), fake anti-virus and spyware tools, etc. If you have to download some special tool to use a site, and it's not a well-known thing like a common media codec or something to extract RARs, etc., it seems like it's almost certainly illegitimate.

That said, I personally have not been affected, but I use Firefox (which has the less critical holes) + NoScript (which completely blocks the holes in TFA, not to mention many others). And even if they did get the exploit to work and had it steal my cookies, there's hardly anything in there because all cookies get deleted when I log out. And I have Adblock Plus, so I'm not going to get hit by any compromised ad networks or whatever to begin with, especially because I'm incredibly mistrustful about what programs I install.

If you want a blog to read, try F-Secure's blog [f-secure.com] .

Are you sure? (5, Insightful)

kybred (795293) | more than 7 years ago | (#19391189)

I can't say as I've ever browsed on to a site and found myself the victim of a compromised computer or ended up with viruses that I know of.

There, fixed that for you.

Gaping holes? (5, Funny)

Paktu (1103861) | more than 7 years ago | (#19390567)

Article tagged as goatse.

Re:Gaping holes? (1)

mr_josh (1001605) | more than 7 years ago | (#19390653)

Mod. Parent. UP.

Re:Gaping holes? (0)

Anonymous Coward | more than 7 years ago | (#19390769)

That's really a good idea for a new slashdot icon for critical security flaw announcements. Long live goatse and OMG Ponies!!!

Re:Gaping holes? (3, Interesting)

evanbd (210358) | more than 7 years ago | (#19390875)

Is it just me, or are the more humorous / inane tags showing up less? "duh" "haha" "itsatrap" and friends. Is this because the slashdot editors changed something, or because people are using them less?

Re:Gaping holes? (1)

Nimey (114278) | more than 7 years ago | (#19391349)

Do you really think *this* crowd would use those tags less? Or any established Internet forum?

Taco changed the code; I'm guessing to disallow the stupid tags that got put on almost every story, like those you mentioned. Maybe to greylist those who kept tagging that way, too.

Taco, got anything to say?

Plug it (-1, Troll)

Anonymous Coward | more than 7 years ago | (#19391211)

So, is this the solution [bottleguy.com] ? Plug that hole.

But in order to be affected... (1)

DaveWick79 (939388) | more than 7 years ago | (#19390569)

In order to be affected, doesn't one first have to go to the shady site that has this stuff scripted in the page? Yes, this may be a bug, but like a web page-bound virus, is one that the user has to inflict upon himself by going to a site he probably shouldn't be going to in the first place.

Re:But in order to be affected... (2, Insightful)

afidel (530433) | more than 7 years ago | (#19390723)

Hacker hijacks web server of popular site, but instead of simply defacing the front page the slip in a little bit of code to release a botnet installer or adware installer based on this type of vulnerability. It happens all the time.

Re:But in order to be affected... (5, Informative)

snowraver1 (1052510) | more than 7 years ago | (#19391167)

It's called a Man-in-the-middle attack. Say you go to google.ca (I'm Canadian) It goes something like this:

You> Yo DNS server, I wanna Talk to google.

DNS> Roger that! Go to 72.14.253.103.

You> Yo 72.14.253.103 Whacha got?

72.14.253.103>Index.html

You> Looks like Index.html says I need the google picture.

Eve (Eve is sitting at the same coffee shop as you. Eve is bad)> Ahem, err, sir, I have this envelope for you. It's from google. It contains your picture. *Sniker*. (You don't notice the snicker)

You> OH N0E$! TH3 P1CtUr3 us3d a buff3r ov3rflow vuln3rab1lity and n0w you have a virus that mak3s you typ3 lik3 a n00b!

For more information look here: http://en.wikipedia.org/wiki/Man_in_the_middle_att ack [wikipedia.org]

Re:But in order to be affected... (1)

I'm Don Giovanni (598558) | more than 7 years ago | (#19391473)

Two problems with your theory:
1. Hackers can post to message boards messages containing innocent-looking links to "bad" sites. This happened to me years ago at IGN's boards, before I started checking the status bar to see what the actual URL of a link was before clicking it.

2. Hackers sometimes hack legit sites and inject script code into them (normally at the end of the page), so that visiting a legit sites runs mal-script.

Re:But in order to be affected... (5, Interesting)

Bob of Dole (453013) | more than 7 years ago | (#19391519)

Don't be so sure that avoiding "shady" sites will protect you.
I run a few perfectly un-shady sites (an imageboard, a specialized search engine, and a funny images repository), but recently some users started complaining about the popups that were trying to install spyware.
I don't have any popups on my sites! (I don't even use target="_new"!) but still users were getting spyware popups. The popups were so evil that the only way to avoid getting redirected to the spyware site was to disable javascript (Even in firefox. in IE it just installed the spyware automatically, but firefox at least you had to click "download". Still, it made my site unusable)

I went into my advertisers control panel, checked for anything remotely shady. Nothing. I tried turning off all third party advertisers (like doubleclick), figuring maybe one of them was redirecting users. Nope, some users still got popups. Worst of all, I NEVER got the popup, no matter what browser I was using.

It turns out it's cause I'm an American. The advertiser had specified that the advert with the embedded redirect only show up in every country except America. That stopped me from seeing it on the site, but what about the control panel? I could see all the ads there, even the ones not targeted at my location. Here's what they did in actionscript: (pseudocode)

if getTimeZone() in EUROPE_TIMEZONES:
    redirectToSpyware()
else:
    displayHarmlessAdvert()

So even when I checked the ads in the control panel they looked fine.

My point is, don't think there's a scary corner of the internet where all the spyware/exploits hang out. The bastards making this crap know that most people don't go to those kinds of places, so they'll do anything they can to sneak their crap onto legitimate sites. (MySpace got hit with one of these a few months back, I think)

Re:But in order to be affected... (1)

shadowmas (697397) | more than 7 years ago | (#19391603)

unless because he went to the site by accident by typo error like www.goggle.com. i don't know but you but i've made plenty of typos while typing web addresses.

Didn't learn lesson from javascript (5, Insightful)

mrcaseyj (902945) | more than 7 years ago | (#19390573)

They said they could make javascript secure but it's still a huge source of holes. Instead of learning our lesson, Flash, another executable web format is taking over. Don't use flash because it's cool. Only use it if you really need it for your web page.


And if Ubuntu was really concerned about security they would ship it by default with a web browser already set up under a separate username with strict selinux policies.

Re:Didn't learn lesson from javascript (1)

Crazy Taco (1083423) | more than 7 years ago | (#19390897)

Yeah!! DOWN with teh flash and javascript! Time to move on to something better. Silverlight, here I come!!!11!one :D.

Re:Didn't learn lesson from javascript (1)

mrcaseyj (902945) | more than 7 years ago | (#19391021)

Yeah!! DOWN with teh flash and javascript! Time to move on to something better. Silverlight, here I come!!!11!one :D.
OK Crazy Taco, to even suggest something like Silverlight, proves that the excess hot sauce has gotten to your brain. We're your friends and we're here to help. Slowly step away from the keyboard.

have you ever tried to do anything local w/ flash? (0)

Anonymous Coward | more than 7 years ago | (#19391209)

i'll give it this, even though it's HIGHLY frustrating when trying to create truly rich experience applications: Flash is now amazingly sandboxed. so much so that it's actually quite handicapped. you can go so far as to disallow hyperlinks from flash domain-wide, as myspace has now done after flash was used in an XSS attack - which, incidentally, is not so much the fault of javascript as it is poorly sanitising input on the part of web developers.

Me too: Javascript is evil (1)

Charles Dodgeson (248492) | more than 7 years ago | (#19391595)

I don't know if anyone has done a count, but it seems like every time I look at a report of a major security problem in some browser it is Javascript or ActiveX or something similar where the browser locally executes code served up by the server.

We all knew back in the early days of Javascript that it would be a security nightmare. But we (collectively) went ahead with it. We put together web pages that depended on it, so browsers had to support it and users had to enable it. Now we've waited so long that it seems impossible to undo what we've done. But maybe it isn't completely impossible to undo. And keep in mind that the longer we wait, the harder it will be to undo.

alternatives (5, Insightful)

sudo (194998) | more than 7 years ago | (#19390577)

Well there's always Opera?

Re:alternatives (1)

nothing now (1062628) | more than 7 years ago | (#19391111)

And for your mac Safari or Camino!

Lynx (2, Funny)

Anonymous Coward | more than 7 years ago | (#19390581)

I use Lynx, you insolent clod! Get off my lawn!

Re:Lynx (2, Funny)

rustalot42684 (1055008) | more than 7 years ago | (#19390735)

If you can't do it from the command line, you shouldn't do it at all! Who needs pictures, anyways?

Re:Lynx (1)

technopinion (469686) | more than 7 years ago | (#19391087)


Lynx is for Lusers. The cool kids are all using telnet these days.

What about Flock? (0, Troll)

ringfinger (629332) | more than 7 years ago | (#19390589)

Anyone have info on how stacks up to IE/FF? http://30days.itious.com/ [itious.com]

Re:What about Flock? (1)

dn15 (735502) | more than 7 years ago | (#19391203)

I'm in no hurry to test the exploits but I suspect they'd work in Flock as well -- after all, Flock is essentially Firefox with a new theme and a few extra extensions bundled in.

One of the demos on Firefox doesn't work (4, Informative)

ericferris (1087061) | more than 7 years ago | (#19390597)

I am using the latest Firefox 1.5. I went to the demo page : http://lcamtuf.coredump.cx/ifsnatch/ [coredump.cx] . The first test shows that it is possible to rewrite the content of an iframe. That is rather dangerous in situations involving trusted messages.

The 2nd demo was supposed to snoop on the keyboad, but it invoked a pop-up, which was immediately blocked by the pop-up blocker. So unconfimed as far as I know. However, the demo page did open a CNN.com page.

Anyone has better "luck" to demo the keyboard snooping?

Re:One of the demos on Firefox doesn't work (0)

Anonymous Coward | more than 7 years ago | (#19390871)

The second one is really lame. It's supposed to fool you into pushing the enter key repeatedly and then prematurely close the window which had attempted to open a file or executable. I did it in the interest of seeing the exploit but I don't think any power user would let a file dialog sit open. It has to be in that order because the download/open dialog popping up normally has a delay. Completely clueless people maybe.

Wonderful (0)

Saint Stephen (19450) | more than 7 years ago | (#19390609)

Just frickin' wonderful. In every version of the browser, totally massive security holes, all announced at the same time. Sheer beauty.

Get to cuttin, boys!

Oh I have to enable javascript on the site? (1)

McNihil (612243) | more than 7 years ago | (#19390627)

oh well... most if not all sites that I frequent that use javascript I tend to trust... if they have a backend exploit then they would rather take other info without bothering us web surfers.

Sounds like Terrorist to me. (5, Funny)

3seas (184403) | more than 7 years ago | (#19390629)

cookie STEALING, page HIJACKING, memory CORRUPTION, code EXECUTION, and URL bar spoofing ATTACKS.

So where the fuck is home land security when you need them.

Re:Sounds like Terrorist to me. (5, Funny)

Anonymous Coward | more than 7 years ago | (#19390895)

what's so terrible about urls?

Re:Sounds like Terrorist to me. (0)

Anonymous Coward | more than 7 years ago | (#19391103)

The letters were already capitalized?

Go old NoScript (5, Insightful)

Nutsquasher (543657) | more than 7 years ago | (#19390643)

Keeps all of that Firefox JavaScript nastiness at bay, plus flash ads to boot. :)

Re:Go old NoScript (0, Troll)

MightyYar (622222) | more than 7 years ago | (#19390713)

I wish NoScript were the default behavior.

Re:Go old NoScript (2, Insightful)

Bender0x7D1 (536254) | more than 7 years ago | (#19390855)

Yes, that is a solution, but it isn't a good solution.

If we continue down that line of thought we end up at the point where we just go back to static pages with no scripting. Now, in general, I prefer static pages without all the extra "eye-candy", but I also understand the benefits of having scripting, (and even flash) running. By even having a preference for static pages, I think I am in the minority of people on the Internet. Let's face it, the average person likes all of the "extras" that come with scripting.

With this preference for synamic content, we also have to accept that there are going to be some security problems. We can blame Microsoft. We can blame the users. We can blame the Flying Spaghetti Monster for forsaking us. We can blame the hackers who produce the infectious content. However, what matters is that with new things on the web appearing so quickly, there hasn't been time to stop, take a deep breath and look for the security holes that exist. This means that the bad guys have the advantage and we have problems. If you don't like it, use Lynx and practice safe hex.

Re:Go old NoScript (3, Insightful)

MLease (652529) | more than 7 years ago | (#19390997)

When I want to allow flash or a script to run, it's easy enough to do. The point of NoScript is that nothing runs without my explicit consent, just because I happened to visit a website. If I allow something malicious to run, it's my own fault.

-Mike

Re:Go old NoScript (0)

Anonymous Coward | more than 7 years ago | (#19391035)

If we continue down that line of thought we end up at the point where we just go back to static pages with no scripting.

Could we? Please?

The only good uses for client side web scripts and flash:

  • Disguise lack of content
  • Pitiful attempts to make "web applications" not seem like cluster fucks

When are people going to wake-up to this bullshit? "Web apps" give you all the performance of regular apps running on an old 286, with half the features. Wow!

"Web applications" are abuses of HTTP and HTML. It's not clever, it's just fucking dumb.

Re:Go old NoScript (4, Funny)

tomhudson (43916) | more than 7 years ago | (#19391145)

"When are people going to wake-up to this bullshit? "Web apps" give you all the performance of regular apps running on an old 286, with half the features. Wow!"

Hey, I'm running this on a 286, you insensitive clod!

Re:Go old NoScript (1)

Matt Perry (793115) | more than 7 years ago | (#19391321)

It is an excellent solution. Your post leaves me with the impression that you don't know what NoScript [noscript.net] is. NoScript is a Firefox extension that allows a user to selectively enable JavaScript for web sites.

If we continue down that line of thought we end up at the point where we just go back to static pages with no scripting.

I already do that. I only have JavaScript enabled for about 20 web sites. I've found out that I'm not missing anything as most web sites function perfectly without JavaScript enabled. If there's a site that just has to have JavaScript to work then I can click a button in the status bar to temporarily allow it for that domain for that browsing session.

I've also learned that many times the only reason that JavaScript is enabled is for some useless effect like fading in and out [aculo.us] .

Doesn't work... (0, Redundant)

TheRealPhilKenSebben (1011981) | more than 7 years ago | (#19390645)

if Javascript is turned off. Move along, nothing to see here.

Re:Doesn't work... (0)

Anonymous Coward | more than 7 years ago | (#19390705)

Neither do many web sites.

not just browsers... (1)

X10 (186866) | more than 7 years ago | (#19390701)

Train stations have bugs too, apparently.

Re:not just browsers... (0, Flamebait)

larry bagina (561269) | more than 7 years ago | (#19390821)

Kathleen Fent's crotch has bugs too.

Does this require javascript to work? (1)

sycomonkey (666153) | more than 7 years ago | (#19390809)

I'm not familiar with iframes, but would not running javascript on untrusted webpages protect from this?

Firefox 1.5 (0, Flamebait)

vanyel (28049) | more than 7 years ago | (#19390815)

And they want to drop support of 1.5 this month, when 2.0 isn't even really ready yet? When did Microsoft take over the Mozilla Foundation?

Re:Firefox 1.5 (1)

bunratty (545641) | more than 7 years ago | (#19391157)

2.0 has been out since November. I reported one problem in it (actually a problem that was worse in 1.5 and partially fixed in 2.0) and the problem was fully fixed in 2.0.0.1. It's been working great for me. In what way isn't it "really ready yet"?

Re:Firefox 1.5 (1)

vanyel (28049) | more than 7 years ago | (#19391289)

See parent article.

First to fix? (2, Insightful)

doctor_nation (924358) | more than 7 years ago | (#19390827)

Anyone want to wager on who has this hole fixed first, IE or Firefox?

Re:First to fix? (1)

Nero Nimbus (1104415) | more than 7 years ago | (#19391061)

I think this is probably some sort of public science experiment to see who can fix what first.

Re:First to fix? (2, Interesting)

KarmaMB84 (743001) | more than 7 years ago | (#19391101)

Microsoft has to be a lot more careful about breaking third party crap with a browser fix so obviously Firefox will get patched first.

Slashdot responses (5, Insightful)

Frankie70 (803801) | more than 7 years ago | (#19390923)

1) If Article Posted about IE security bugs
    - Regular mudfest, everyone throwing mud on Microsoft
& IE. Everyone saying I have FF/Linux/Safari whatever,
so I am safe. Nobody talks about changing settings,
disabling javascript or Activex as a good workaround.

2) If Article Posted about FF security bugs
    - Lot of workarounds posted - disable Javascript,
get some plugin, change some settings, don't go to
the website etc. How great that the it is open source,
someone will fix the bug in one hour & release patch.
Bugs are avenues to show how great open source is.

Now both are posted together, let's collate responses
at the end of the day

Re:Slashdot responses (1)

GoodbyeBlueSky1 (176887) | more than 7 years ago | (#19391117)

That was awesome. You know, I'm not even going to read any further down the page, I think you've said all there is to be said.

Well... (1)

mattgreen (701203) | more than 7 years ago | (#19391195)

I run Microsoft Windows XP SP2, so I am safe. IE users can simply disable JavaScript in the control panel - any user of closed source knows how to do that! Plus, they don't even have to go to the web site. Microsoft will fix the bug by the next Tuesday of the next month, which is an AMAZING response time, don't you think! The best thing about closed source is you don't have hackers accessing it!

Now, as far as Firefox, that STUPID Mozilla Foundation makes some of the most amateur mistakes! They can't even forsee these sorts of bugs! What sort of poor excuse for a QA department do they have over there? I bet they employ high school kids just learning C to write their code for them. And, plus, they have the gall to be open source! I despise them with every ounce of my very being. Everything they do makes my blood boil!

Friends don't let friends install MZ junk!

Opera ftw (0, Flamebait)

Swizec (978239) | more than 7 years ago | (#19391011)

Why am I not surprised that the ever so awesome Opera isn't mentioned there and yet nobody seems to have any love for the one and only best browser in the universe.

I will never get it what is it with people that they will fight over whether white or black bread is better when they can have cookies.

Another Firefox vulnerability posted today (3, Informative)

whitehatlurker (867714) | more than 7 years ago | (#19391121)

Thor Larholm also announced a Firefox hole [larholm.com] today. Wasn't completely patched in the last release.

Fx/Windows not affected... (1)

sid0 (1062444) | more than 7 years ago | (#19391535)

while Fx/Linux or OS X are? This had to come some day. :P

What OS? (1)

baomike (143457) | more than 7 years ago | (#19391149)

Now I can figure IE is running on a MSFT product, but Firefox is a little more eclectic.
So is this a problem with Firefox on Linux, and on what flavor?

CrashZilla (2, Informative)

EEPROMS (889169) | more than 7 years ago | (#19391363)

Ive renamed Firefox "CrashZilla", it would be nice to browse the web for more than 1 hour without it freezing up or crashing. Yes I have the latest version and all the latest plugins. I have no issues with Konqueror on KDE 3.5.7 (using the same plugins) and Firefox 1.5.* ran for days without crashes.

Overhyped and undertested? (1)

ericmedici (990834) | more than 7 years ago | (#19391423)

I have yet to get the demo to work for the "bait and switch" attack. I'm running IE7 on Vista... Anyone had success getting the demo to work? Scratch that... As I was typing this a dialog prompted me my Google cookie info. OK... this "vulnerability" took over a minute to accomplish and my browser kept navigating back and forth between 2 different sites. It was pretty obvious that something malicious was going on and I hardly doubt that this will be leashed onto many unsuspecting web users. This is one hole that is far stretched... err... fetched.

with firefox use the noscript extension ... (1)

geraint-nz (214071) | more than 7 years ago | (#19391477)

then the demos don't work :-)

Opera... (1)

Unavoidable (1095973) | more than 7 years ago | (#19391487)

Bring out the Opera fan boys... (of which I must deny if asked if I am one... for safety purposes)
Load More Comments
Slashdot Login

Need an Account?

Forgot your password?