Hackers claim zero-day flaw in Firefox 398
An anonymous reader writes "The open-source Firefox Web browser is critically flawed in the way it handles JavaScript, two hackers said Saturday afternoon. An attacker could commandeer a computer running the browser simply by crafting a Web page that contains some malicious JavaScript code, Mischa Spiegelmock and Andrew Wbeelsoi said in a presentation at the ToorCon hacker conference here."
Moo (Score:5, Funny)
The hackers plan to release the next version of the hack under the name IceWeasel Hack, while grumbling about backports. Debian developers have been debating whether they should include the hack in Etch or not.
Re:Oink (Score:5, Funny)
Re: (Score:2)
(sarcasm) Let's hope that the PoC passes DFSG so that debian can start working on a fix ASAP(/sarcasm)
Re: (Score:2)
The real storry (Score:4, Informative)
Firefox had a build switch that allowed folks to build it without branding (and do whatever they wanted to it) or build it with branding (and follow Mozilla's rules to create a consistent user experience).
Debain dev's took that build switch and broke it, so that everyone wanting to modify or adjust the debian firefox packages would have to go through and hand edit out firefox if they wanted to remove branding. They then packaged this broken thing up, and still called it firefox.
Mozilla said that was bogus, and they were right. Having that build switch makes it easier for folks to make changes to the package without worrying about branding. Redhat and others do exactly this with artwork/branding packages. We are ALL better off if such easy build time switches are available.
I've been around a while, but the debian developers are way out of line here.... You can't create some crazy messed up debian distro and call it debian, you can't create a crazy redhat distro and call it redhat, why is firefox getting all this heat? The amount of fuss they are creating is bogus and dissapointing. I read through the snide commentary and it really is depressing. Even Mozilla Foundation suggests that a non-branded version of firefox would work better for them.
Re:The real storry (Score:4, Informative)
False (Score:3, Informative)
Here is a quote from an email from Mozilla that captures this nicely:
Slightly offtopic... (Score:4, Interesting)
Re: (Score:2)
Re: (Score:3, Funny)
Taco was going to write "From the Firefox dept." but he wasn't interested in paying trademark licensing fees. Plus there was any place to include the logo and they cannot be separated!
Re: (Score:2, Insightful)
This seems to be par for the course for ANY application running on Windows. Hackers are now targeting the applications to get to the OS rather than the OS itself. Just about all Windows applications can be comprimised and have been in recent news. This is as much a problem
Re:Slightly offtopic... (Score:5, Insightful)
Re: (Score:2)
Re: (Score:2)
Re:Back on topic... (Score:5, Informative)
"sandbox" is a pathetic rationalization here (Score:3, Insightful)
Your comment is so wrong on so many levels, it's difficult to know where to start correcting you. Let's start here, though: Do you ever enter secret information like user ids and passwords using your browser? Do you do any banking or investing online? How good does your san
Re: (Score:3, Informative)
Re: (Score:3, Interesting)
"Man, that virus didn't break my OS, so I am the roxor!!!" But it stole your identity, charged up your credit cards and ruined your credit rating, all in user space.
Re: (Score:3, Informative)
Just most Windows/Linux users don't know that, or do that.
You need to set up permissions so that your downloads can be accessible (and deletable) from your main account, but that's not too difficult under Windows, and fiddling with some ACLs on Linux. In fact I found it harder to do the permissions thing on Linux.
The other option is to run in in a virtual machine. The other benefit is firefox/mozilla can't use more RAM than the VM limit
Impossible to patch? (Score:3, Informative)
Re: (Score:2)
In any case, NoScript works great, greatly reduces advertisements,
Re:Impossible to patch? (Score:5, Informative)
Re:Impossible to patch? (Score:5, Interesting)
Correct me if I'm wrong... (Score:3, Insightful)
Recent fixes (Score:5, Interesting)
#353249 [Core:JavaScript Engine]-(undisclosed security fix) [All]
#354924 [Core:JavaScript Engine]-(undisclosed security fix) [All]
#354945 [Core:JavaScript Engine]-(undisclosed security fix) [All]
I wonder if these are related to the alleged flaws?
Re:Recent fixes (Score:5, Informative)
Good policies will often save you. (Score:4, Informative)
Yes, whitelisting sites is a pain, but Javascript is a remnant of a more innocent time and should probably be phased out anyway.
Re: (Score:3, Insightful)
Re:Good policies will often save you. (Score:4, Insightful)
Web browsers are, by their very nature, huge targets. Their job is to deal with arbitrary data from all over the damn place. The whole thing should probably be sandboxed, but short of that, it shouldn't be running code from random sites.
Re:Good policies will often save you. (Score:5, Informative)
Running a sandboxed version of a scripting language within a browser should be pretty harmless if the language was available only in the sandbox and couldn't touch anything outside. Creating separate sandboxes for each website would prevent cross site scripting too.
The problem is it's impossible with Firefox. It's a very old design decision that is so deep all over the place that nothing short of redesigning and rewriting everything from scratch could help.
Essentially, Firefox is written in javascript.
There are underlying frameworks written in C++ and others, the renderer engine etc etc. But the glue that binds all these functions together is Javascript on steroids. XUL files-databases that define the looks of the UI, XUL renderer, which displays them, and thousands of lines of javascript bound to every single gadget, button, field, box, dialog. This javascript performs all the basic processing and the whole high-level work of the browser program. And it calls system/framework functions to perform the low-level work - which is strictly forbidden for a sandboxed language.
Developers of Mozilla try to prevent access to all this low-level heavyweight stuff from javascript originating from webpages while allowing it from the system files. Sandbox javascript from one source, run javascript from the other source at full privledges all the time. Can you smell how fragile this is? I'm afraid these exploits will keep popping up. There's no natural barrier of "contained sandbox environment + scripting language" vs "low-level system layer", with no trace of bindings to the system layer within the sandbox, no hook, no crack to exploit by interfacing with the outside. There's an artificial wall which limits "javascript from webpages" and allows "extended javascript from interface", where both sides are essentially the same thing.
This is the old firewalling problem - policy of "deny all, allow essential" vs "allow all, block dangerous". Except currently there is no easy way to switch from one to the other.
Too bad JavaScript is THE WORST language (Score:3, Informative)
That's too bad about FireFox being essentially written in JavaScript. SpiderMonkey, the JavaScript interpreter in Firefox, is BY FAR the worst programming language (in terms of speed and memory use) of them all, according to the Computer Language Shoot Out [debian.org].
When you compare all the languages on CPU time, SpiderMonkey JavaScript is twice as slow as the second worst, Ruby.
When you compare all the languages on memory usage, SpiderMonkey is 1.7 times as bloated as the second worst, Smalltalk Visual Works.
Re: (Score:3, Insightful)
Re: (Score:2)
In theory.
However, it seems nobody's yet come up with an implementation which doesn't resemble chicken wire in terms of "number of holes".
Re:Good policies will often save you. (Score:4, Insightful)
No... the only real way to fix it is to leave it there, so you can keep finding and fixing the problems. Removing something doesn't fix it... it removes it and all the functionality that it provides.
Javascript within the browser should be for accessing and manipulating the DOM, and is extremely useful. Whether you are capable of conceiving of uses for it or not says nothing except for the limit of your own imagination.
Javascript is an interpreted language, there are absolutely no fundamental reasons why security holes in implementations should exist, other than that programmers can make mistakes. How many security flaws have been found in document viewers, compression/encryption libraries etc, where no code in the data is run at all?
Re: (Score:2)
I've been saying for some time that the two worst things to ever happen to the web browser are (in descending order of brain-damage):
1) ActiveX
2) Javascript and Java applets.
For interactive web sites, the browser should be nothing more than a dumb terminal with graphical layout and form submission abilities. All logic processing needs to be kept on the server. If the browser continues to be abused, the web will slide
Re: (Score:2, Insightful)
Do you have any reference to a Mozilla person stating "Firefox is perfect" or "firefox won't ever have any security flaw" ?
Just don't let random sites use Javascript you are letting random sites run code in your computer, with or without security flaws javascript is not going to be safe, it doesn't matter if it is IE, firefox, opera or konqueror.
And mozilla fixes bugs much faster than MS...
What do you mean? (Score:2)
I googled for "javascript security model" and the very first link [devarticles.com] is pretty good article that seems to describe the JavaScript security model. It doesn't have many good things to say about it, but there clearly is a JavaScript security model.
So I think you overstate the case, but I don't really know what you mean.
Re: (Score:2)
Of course, this is no different from a lot of scripting languages. The difference in Javascript is that the script is potentially malicious. Expecting a scripting engine to execute code that may be malicious safely seems akin to trying to pet a rabid raccoon.
Branches? (Score:3, Interesting)
All security bugs are zero-day (Score:5, Insightful)
Today the hackers have to work a bit harder so zero-day attacks are no longer rare. The vast majority of attacks are still from hackers who are reverse engineering the patches and distributing attacks before the patches are implemented.
If someone reports a new attack against open source code it is by definition unknown before it is reported. Therefore all bug reports with security implications are 'zero-day'.
What the idiots who released this exploit mean by 'zero day' was that they didn't allow time for the problem to be fixed before releasing the exploit.
Real article (Score:2)
All Your Base Are Belong To Them (Score:2)
Re: (Score:3, Insightful)
If I were them, I'd stay away from the US. We can now use torture to get information about the other 30 exploits. Actually, if I were them, I'd also be looking over my shoulder frequently, as we can use kidnapping and special rendition, too. You know that "black hat" is just a code word for cyber-terrorist!
Don't forget the Mafia (Score:2)
These morons could just as easily be disappeared by a criminal element. As a matter of fact, criminals are probably more likely to actually kidnap and torture these guys.
US forces use some rather nasty torture techniques, but to the best of m
Re: (Score:2)
Thugs are thugs.
Re: (Score:3, Insightful)
Bastards. (Score:4, Insightful)
The only thing they're doing by holding onto the security bugs is making the internet a more dangerous place. Yes, Firefox should have been written better in the first place. Yes, the security team should have found these already. No, none of that justifies the childish actions they're taking now.
Or perhaps they're just talking smack, trying to look like big bad grayhats because they found a single flaw. I'd like to think that.
Re:"Non-disclosure is a heroic endeavor. Be a hero (Score:3, Insightful)
Breaking into people's personal computers is every bit as romantic as shooting someone in the face. The fact of the matter is that an arbitrary execution flaw will not be used to free up the flow of information, except for the flow of information about p3n1s p1lls onto every fresh patch of the `net, always provided to us graciously by zombie machines.
You want to wake up? Here's some up-waking for you: Hacking isn't about allowing "free speech" on the inter
"For the greater good of the Internet" ??? (Score:5, Insightful)
The hackers claim they know of about 30 unpatched Firefox flaws. They don't plan to disclose them, instead holding on to the bugs.
Jesse Ruderman, a Mozilla security staffer, attended the presentation and was called up on the stage with the two hackers. He attempted to persuade the presenters to responsibly disclose flaws via Mozilla's bug bounty program instead of using them for malicious purposes such as creating networks of hijacked PCs, called botnets.
"I do hope you guys change your minds and decide to report the holes to us and take away $500 per vulnerability instead of using them for botnets," Ruderman said.
The two hackers laughed off the comment. "It is a double-edged sword, but what we're doing is really for the greater good of the Internet, we're setting up communication networks for black hats," Wbeelsoi said.
First of all, guys, so you refuse to tell us what the bugs are, so we can't fix them and do this for the "greater good of the internet... setting up communication networks for black hats" WTF? What does having tens of thousands of additional zombie-machines that could DDoS or send SPAM do with the greater good of the internet. I almost hope you try to make money off the bugs (if you even know any more) so you get to know a nice prison cell and "Life without PC"(TM). Honestly, I think those guys are full of it, they probably don't know even one additional vulnerability and just try to show off how "big and powerful" they are.
Re: (Score:2)
Re:"For the greater good of the Internet" ??? (Score:4, Insightful)
Selling bugs to the highest bidder (Score:5, Insightful)
Yeah, right. What they are really saying is, why give away a bug for $500 when we can sell it for much more on the black market?
In fact, the public advertisement of a "zero day exploit" makes a lot of sense if you want to establish yourself as a seller of other undisclosed exploits. Publishing the exploit is a gambit. You will loose the exploit as soon as it gets fixed, but you get your name in the trade press, on Slashdot, etc. Doing so, you establish credibility as a merchant of malware. You can set up shop, and advertise 30 other previously undisclosed bugs. Now, the botnet herders, spammers and other DDOS extortionists know were to buy a new exploit if they need one.
Re:Selling bugs to the highest bidder (Score:4, Informative)
If CNET hadn't cut off my quote mid-sentence, it would have been clear that that was what (jokingly) saying too. I was not trying to bribe them. I was trying to say that I hoped they would change their minds and report the holes to Mozilla despite the fact that they (claimed they) could make much more money exploiting the holes or selling information about the vulnerabilities on the black market.
Terrorist Actions?? At least Criminal (Score:3, Insightful)
They are deliberately creating a network for criminals to use for communication purposes, and doping so by stealing computing power from others.
It's theft, it's immoral and these jackasses should, at the very least be locked up on conspiracy charges.
The egotistical little bastards do NOT have the right to commandeer my computer for some kind of secret club for pimply faced assholes to trade exploits and horse
Re: (Score:3, Informative)
In the UK, interfering with any electronic system for political purposes is defined as terrorism [opsi.gov.uk]. The same definition of terrorism is used in a more recent law that criminalises speech that glorifies terrorism [opsi.gov.uk].
Of course, that says more about the abuse of the word "terrorism" than it does about the morality of withholding exploits.
SElinux (Score:2)
IRC (Score:5, Informative)
<Ryan> "Firefox re-entrant threading"?
<reed> http://www.toorcon.org/2006/conference.html?id=13
<Jesse_> yeah, that one
<reed> Jesse_: Did you go to that particular one?
<Jesse_> yes
<Jesse_> i also went up on stage to "debate" "disclosure" with them
<Jesse_> when i said "debate" "disclosure", i didn't mean the usual "how much time should security researchers give vendors to write and deploy patches before making the holes or exploits public" debate
<Jesse_> these guys were *against* disclosure
<Jesse_> preferring to keep the status quo of lots of vulnerabilities, large botnets (so they can be anonymous), etc. or maybe they were joking, it was hard to tell.
<Jesse_> they claim they can make $10,000 or $20,000 selling a vuln in firefox
<Jesse_> compared to $500 telling us about it
<Jesse_> selling to other blackhats, anonymously, using onion networks, of course
<dveditz> TippingPoint and iDEFENSE will pay up to $10K for IE and probably firefox vulns
. . .
<jX> http://news.com.com/Hackers+claim+zero-day+flaw+i
<jX> "...what we're doing is really for the greater good of the Internet, we're setting up communication networks for black hats," How exactly is that for the greater GOOD?
<dveditz> the black hats crusade for our freedom (and credit cards) against the evil fascist empire
<dveditz> they *earn* everything they steal by doing all the good they do keeping "the man" from owning the internet
. . .
<Jesse_> http://news.com.com/Hackers+claim+zero-day+flaw+i
<zach> Jesse_: they dragged you up on stage during their talk?
<jX> Jesse_: Yeah, doesn't reallyt make anyone look good, that article..
<Jesse_> "I do hope you guys change your minds and decide to report the holes to us and take away $500 per vulnerability instead of using them for botnets" is pretty close to the BEGINNING of a sentence i said
<Jesse_> the REST of the sentence was " or selling them to other blackhats for ten thousand dollars"
<Jesse_> with the whole sentence, it's clear that i'm hoping they'll change for ethical reasons, and that i'm not trying to bribe them
<jX> Jesse_: Yeah, but quoting you out of context makes for better copy.
<zach> Jesse_: did they actually drag you on stage during their talk as the article suggusts?
<Jesse_> zach: they left a lot of time after their slides, and asked me to come up
<Jesse_> zach: they told me before the talk that they might ask me to come up
<Jesse_> dveditz: yeah, about 20 minutes before
Re: (Score:3, Insightful)
Ah, but supply and demand are two separate variables. IE vulnerabilities are a dime a dozen, are they not?
- RG>
15 minutes (Score:2)
By coincidence (Score:2)
Details here [revis.co.uk].
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Holey Browser, FirefoxMan ... (Score:2)
Well, Firebird, boy wonder, it may very well be ...
How Java Script Should Be Handled (Score:4, Insightful)
Re: (Score:2, Informative)
I don't ask for trouble (Score:2, Insightful)
You couldn't "commander" my computer unless I gave my web browser administrator privileges, and why would anyone do such a foolish thing? Heh.
The J in AJAX (Score:2)
First, let me Second the previous comments about NoScript. I've also been using it for about a year, and find whitelisting to be only a minor inconvenience. I'm saddened by some of the JS Crud that otherwise legitimate sites try to foist on you, such as "Google Analytics", or the Tacoda [tacoda.com] ad-targeting that Slashdot uses here (which I blacklist).
One of these guys works for SixApart (Score:5, Interesting)
Re:One of these guys works for SixApart (Score:5, Insightful)
This guy is simply a liability for SixApart, and should get fired immediately. Imagine what could happen if he manages to get the exploit code for this or one of the other 30 exploits they claim to have discovered into one of SixApart's blogging tools.
But what do we know, maybe they have already done so. Judging from their strange "for the greater good" believes, I wouldn't be surprised about it. I sure as hell wont advise anyone to use any of their products until they've reviewed their code to make sure it doesn't sport one of Spiegelmock's toys.
So I wrote to SixApart (Score:5, Insightful)
From: [me]
Subject: Responsible disclosure and wreckless behavior
Date: 1 October 2006 14.23.23 GMT-04:00
To: mena@sixapart.com, ben@sixapart.com, brad@danga.com
Cc: mischa@sixapart.com
Hello,
I read this article on ZDNet describing how your employee Mischa Spiegelmock found and revealed a zero-day Firefox flaw:
http://news.zdnet.com/2100-1009_22-6121608.html [zdnet.com]
Mischa and his co-researcher Wbeelsoi refuse to reveal specific details on the flaw--or 30 others they found--to the Mozilla Foundation:
"The two hackers laughed off the comment. 'It is a double-edged sword, but what we're doing is really for the greater good of the Internet, we're setting up communication networks for black hats, Wbeelsoi said."
Considering LiveJournal's recent security flaws causing everyone to change their passwords due to browser-based flaws, do you really want someone working for you who makes the problem worse? To be sure, there is merit to the argument that revealing the flaws would allow Mozilla to continue to use a badly buggy implementation; however, there seems to be more to this.
From FireFox's IRC channel, some dialogue from Jesse Ruderman of the Mozilla foundation, who attended (via Slashdot: http://it.slashdot.org/comments.pl?sid=198519&cid
" they claim they can make $10,000 or $20,000 selling a vuln in firefox
compared to $500 telling us about it
selling to other blackhats, anonymously, using onion networks, of course"
Is one of your employees looking to profit of vulnerabilities in Firefox? With the large number of huge enterprises using TypePad and SixApart software, do you really want to risk him embedding JavaScript code to activate this flaw in your products? If he's saving these flaws to profit from them, what's to say he won't look for the bigger payouts of actively punching holes in your products?
That's unlikely--but more likely is that your customers will hear about this and refuse to do business with you because you have an employee who is actively seeking to make the Internet a more dangerous place.
If I misunderstood anything in these articles, I apologize completely. However, what was described in the article was so outrageous that I had to write.
Best regards,
[me]
No-Script (Score:5, Informative)
Which is why it's smart to run NoScript. A Firefox extention that blocks the execution of any scripts on a webpage without user concent. So, if you're tired of Javascript taking over your Firefox, get NoScript.
https://addons.mozilla.org/firefox/722/ [mozilla.org]
Redmond's response (Score:5, Funny)
One thing in life... (Score:3, Insightful)
Oh and since everyones recomended NoScript, I'd also recomend firewall tools like Sunbelt Keiro Personal Firewall (KPF), which can be configured to pop up a box every time your system attempts to run a program, very handy to stop any spyware/addware/anywhere you don't want loading on your system.
Re: (Score:3, Funny)
Re: (Score:2, Insightful)
Not even close.
"I guess it's time to start using Opera, instead."
If you're looking for a browser that never has any special security flaws to talk of that's still usable for modern web sites, you're up for a hell of a search.
Re: (Score:2)
$ telnet www.google.com 80
Host: www.google.com HTTP/1.1
Get /
Re:Proof? (Score:5, Insightful)
The only difference between a zero-day exploit and a normal exploit is whether the person who finds the exploit allows a fix to be crafted before (s)he releases the bug that allows it.
The main difference between Open Source groups like Mozilla and Microsoft is that (responsible) open source projects will fix potential security bugs whenever they're informed of them and whether or not there is an exploit available, while Microsoft seems to have a habit of holding off on fixing a bug unless the exploit is blatently obvious and/or there is an proof of concept exploit already in existence (and sometimes even in the wild).
Given the way that these guys are touting how Firefox is vulnerable because they were able to find a bug that they refused to warn the firefox team about (like that refusal is Firefox's fault) I wouldn't be at all surprised to find that they managed to get some funding (either direct or indirect) from Microsoftl.
you are deluded (Score:5, Insightful)
complete bullshit and FUD.
you know nothing about these ppl, they are blackhats, they ruin things for no other reason than to piss ppl off and have a laugh at their expense.
Re:you are deluded (Score:5, Insightful)
This is why good security is done in layers. If your sole defense against having your user account, your root account, and possibly even your identity owned by some script kiddie is to depend on the maintainers of $PROGRAM to patch all exploitable flaws in a timely manner, this is what you call putting all of your eggs into one basket. For this, there are things like the Gentoo Hardened Project [gentoo.org], which ensure that a mere buffer overflow alone will not grant someone access to your system (of course this is not Gentoo-specific; Gentoo has merely organized such things as PaX and Grsecurity and the toolchain in such a way that it is a relatively simple matter to use the Hardened profile). In my opinion, you're crazy not to take some kind of extra measures like this, if you are going to use a potentially hostile network on a daily basis.
Ideally, the good people who maintain Firefox can stay on top of the arms race to improve the browser's security as fast as flaws can be found. But the odds are against them -- in order to succeed, they have to find every possible security flaw; the blackhats only need to find the one thing that they missed to have a workable exploit. If you don't like being exploited, then this situation is not good. There is no such thing as absolute security, and no programmer is perfect, but precisely because programmers make mistakes, there are non-executable stacks, random memory addresses, user-space SSP protections, chroot() jail restrictions, and many other measures one can take to ensure that security does not have a single point of failure.
Re: (Score:3, Informative)
A buffer overflow exploit can allow attackers to gain the same privileges as the user who is running the browser. A regular user account is sufficient to participate in a botnet (including DDoS attacks), become a spam zombie, or become some script kiddie's "warez" fileshare. Consider also that most of your data would be stored in your user's
Re:Proof? (Score:5, Insightful)
Re:Proof? (Score:5, Informative)
No, they didn't have a live exploit. The original article is here http://news.zdnet.com/2100-1009_22-6121608.html [zdnet.com], not the site linked to by slashdot.
All they had was a video ... no code to display.
So, maybe they do, maybe they don't ... but you can't tell just from a video.
Also, what sort of drugs do you have to be on to name your kid "Window"? Brings to mind Frank Zappa naming his kid "Moon Unit".
Re:Proof? (Score:5, Insightful)
Welcome to real life. Firefox is getting large enough to be a target. And when a piece of software is a target, people aren't going to just file a bug report when they find an exploitable bug. Look at Windows/IE. Every time you hear about a new exploit on Windows/IE, it's because it's being exploited. It'd be nice if they filed a bug report first, but you definitely can't expect it. They're black hats for a reason, you know.
That is the most ridiculous thing I've heard all week. Black hat hackers release exploits all the time without warning the software's creator. The fact you think Microsoft is involoved says a lot more about you being a Firefox Fanboy than anything else. Get a clue.
Re: (Score:2)
Re: (Score:2)
Bugs don't write themselves, however; someone wrote the code that the bug is in, and didn't write it as well as it could've been written. Happens to us all.
Re: Retarded moderaton (Score:3, Insightful)
The problems are we can't mod moderations "retarded"; and moderation is secret. These have always been serious slashdot problems. Metamoderation is out of context (and extremely inconvenient to put into context... you know more about the thread when you're reading it than you do when you're metamoderating.)
Slashdot improvement ideas (other than cosmetic) here [slashdot.org].
Re: (Score:2, Informative)
Neither of which apply to this situation. An announcement from a crerdible source or a demonstration would clear things right up. Even if you consider whitedust.net to be a good source, the flaw was not found by them and they only reference a ZDNet article which contains slightly more information but not enough to really
Re: (Score:3, Informative)
The JavaScript issue appears to be a real vulnerability, Window Snyder, Mozilla's security chief, said after watching a video of the presentation Saturday night. "What they are describing might be a variation on an old attack," she said. "We're going to do some investigating."
Snyder said she isn't happy with the disclosure and release of an exploit during the presentation. "It looks like they had enough information in their slide for an attacker to repr
Re: (Score:2)
Re: (Score:2)
No, I commented on it too. Here's some food for thought:
http://www.matasano.com/log/window-snyder [matasano.com]
http://www.blogger.com/profile/13043301 [blogger.com]
Someone with a hotmail address (windowsnyder@hotmail.com) as a security expert on XP? No wonder Windows is broken. My own tests show that more than 1% of all hotmail addresses are down temporarily on any particular day.
Re: (Score:2)
Re: (Score:2)
you must be new here (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Fixing it does, yes. Turning it off doesn't, no.
As somebody who uses javascript loads (both in development, to offer extra speed/functionality/ease of use to my clients, and with websites I frequent that use it to offer
Re: (Score:3, Funny)
Re: (Score:3, Insightful)
Bigger names than yours have made the same claims in bigger forums than Slashdot. The idea is far
a lot of ignorant nonsense (Score:3, Interesting)
If the operations that javascript can perform are properly restricted (which they pretty much already are) and the implementation is properly sandboxed (which apparently it isn't right now on firefox) then you can ran an arbitrary javascript program without consequences.
Javascript is important to many companies business models, and if you haven't noticed already, the web has moved to using *more* javascript lately not less. People use