Hackers claim zero-day flaw in Firefox

Posted by CmdrTaco on Sun Oct 01, 2006 09:32 AM
An anonymous reader writes "The open-source Firefox Web browser is critically flawed in the way it handles JavaScript, two hackers said Saturday afternoon. An attacker could commandeer a computer running the browser simply by crafting a Web page that contains some malicious JavaScript code, Mischa Spiegelmock and Andrew Wbeelsoi said in a presentation at the ToorCon hacker conference here."

Related Stories

Firefox Zero-Day Code Execution Hoax?
Akon writes, "eWeek is running a follow-up story on the claim by two hackers that Firefox's implementation of JavaScript is critically flawed and could result in code-execution attacks. Turns out this is a possible hoax that was overblown for laughs." Mozilla's engineers say the risk is limited to a denial-of-service issue. From the article: "'As part of our talk we mentioned that there was a previously known Firefox vulnerability that could result in a stack overflow ending up in remote code execution. However, the code we presented did not in fact do this, and I personally have not gotten it to result in code execution, nor do I know of anyone who has... I have not succeeded in making this code do anything more than cause a crash and eat up system resources, and I certainly haven't used it to take over anyone else's computer and execute arbitrary code,' Spiegelmock said." Spiegelmock also stated that the claim that there were 30 other undisclosed exploits was made solely by his co-presenter, Andrew Wbeelsoi.
  • Proof? (Score:1, Insightful)

    by Anonymous Coward on Sunday October 01 2006, @09:34AM (#16265375)
    Do they have proof? Did they do a demonstration?
    • Re:Proof? (Score:5, Insightful)

      Yes they did have a live exploit. The complaint is that they didn't even try to give Mozilla foundation an opportunity to patch the bug before they released it to the black-hats (along with the white hats) at the conference.

      The only difference between a zero-day exploit and a normal exploit is whether the person who finds the exploit allows a fix to be crafted before (s)he releases the bug that allows it.

      The main difference between Open Source groups like Mozilla and Microsoft is that (responsible) open source projects will fix potential security bugs whenever they're informed of them and whether or not there is an exploit available, while Microsoft seems to have a habit of holding off on fixing a bug unless the exploit is blatantly obvious and/or there is a proof-of-concept exploit already in existence (and sometimes even in the wild).

      Given the way that these guys are touting how Firefox is vulnerable because they were able to find a bug that they refused to warn the Firefox team about (like that refusal is Firefox's fault) I wouldn't be at all surprised to find that they managed to get some funding (either direct or indirect) from Microsoft.

      • you are deluded (Score:5, Insightful)

        by weierstrass (669421) on Sunday October 01 2006, @10:06AM (#16265601)
        (http://retropolitan.blogspot.com/ | Last Journal: Tuesday October 09, @04:27PM)
        >I wouldn't be at all surprised to find that they managed to get some funding (either direct or indirect) from Microsoftl[sic].

        complete bullshit and FUD.

        you know nothing about these ppl, they are blackhats, they ruin things for no other reason than to piss ppl off and have a laugh at their expense.
        • Re:you are deluded (Score:5, Insightful)

          by causality (777677) on Sunday October 01 2006, @12:51PM (#16267143)
          you know nothing about these ppl, they are blackhats, they ruin things for no other reason than to piss ppl off and have a laugh at their expense.

          This is why good security is done in layers. If your sole defense against having your user account, your root account, and possibly even your identity owned by some script kiddie is to depend on the maintainers of $PROGRAM to patch all exploitable flaws in a timely manner, this is what you call putting all of your eggs into one basket. For this, there are things like the Gentoo Hardened Project [gentoo.org], which ensure that a mere buffer overflow alone will not grant someone access to your system (of course this is not Gentoo-specific; Gentoo has merely organized such things as PaX and Grsecurity and the toolchain in such a way that it is a relatively simple matter to use the Hardened profile). In my opinion, you're crazy not to take some kind of extra measures like this, if you are going to use a potentially hostile network on a daily basis.

          Ideally, the good people who maintain Firefox can stay on top of the arms race to improve the browser's security as fast as flaws can be found. But the odds are against them -- in order to succeed, they have to find every possible security flaw; the blackhats only need to find the one thing that they missed to have a workable exploit. If you don't like being exploited, then this situation is not good. There is no such thing as absolute security, and no programmer is perfect, but precisely because programmers make mistakes, there are non-executable stacks, random memory addresses, user-space SSP protections, chroot() jail restrictions, and many other measures one can take to ensure that security does not have a single point of failure.
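Two of the layers the comment above lists, a non-executable stack and address randomization, can be verified on a running Linux host from /proc. This is an added example, not code from the thread or from any project named in it; it assumes the Linux /proc/<pid>/maps line format and /proc/sys/kernel/randomize_va_space, and the maps text it parses in the test is a constructed sample, not a real capture.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Copy the next line of *p into buf (without the newline), advance *p,
 * and return 1; return 0 once the text is exhausted. */
static int next_line(const char **p, char *buf, size_t cap)
{
    if (**p == '\0')
        return 0;
    const char *nl = strchr(*p, '\n');
    size_t len = nl ? (size_t)(nl - *p) : strlen(*p);
    if (len >= cap)
        len = cap - 1;
    memcpy(buf, *p, len);
    buf[len] = '\0';
    *p = nl ? nl + 1 : *p + strlen(*p);
    return 1;
}

/* Extract the permission field (e.g. "rw-p") of a maps line into perms. */
static int line_perms(const char *line, char perms[8])
{
    return sscanf(line, "%*s %7s", perms) == 1;
}

/* 1 if the [stack] mapping is executable, 0 if it is not,
 * -1 if the listing has no [stack] line at all. */
int stack_is_executable(const char *maps)
{
    char line[512], perms[8];
    while (next_line(&maps, line, sizeof line)) {
        if (strstr(line, "[stack]") && line_perms(line, perms))
            return strchr(perms, 'x') != NULL;
    }
    return -1;
}

/* Count mappings that are writable and executable at once (W^X violations:
 * a region where an overwritten buffer can be run directly). */
int count_wx_mappings(const char *maps)
{
    char line[512], perms[8];
    int n = 0;
    while (next_line(&maps, line, sizeof line)) {
        if (line_perms(line, perms) && strchr(perms, 'w') && strchr(perms, 'x'))
            n++;
    }
    return n;
}

/* Interpret /proc/sys/kernel/randomize_va_space: 0 = off, 1 = stack, mmap
 * and VDSO randomized, 2 = heap (brk) randomized as well. -1 if unparsable. */
int aslr_level(const char *value)
{
    char *end;
    long v = strtol(value, &end, 10);
    if (end == value || v < 0 || v > 2)
        return -1;
    return (int)v;
}

/* Read a small text file fully into buf; return 1 on success. */
static int read_file(const char *path, char *buf, size_t cap)
{
    FILE *f = fopen(path, "r");
    if (!f)
        return 0;
    size_t n = fread(buf, 1, cap - 1, f);
    fclose(f);
    buf[n] = '\0';
    return 1;
}

/* Constructed sample in /proc/<pid>/maps format (not a real capture):
 * a typical non-executable stack plus one anonymous rwx region. */
const char *kSampleMaps =
    "00400000-00452000 r-xp 00000000 08:01 1234 /usr/lib/firefox/firefox-bin\n"
    "00651000-00652000 rw-p 00051000 08:01 1234 /usr/lib/firefox/firefox-bin\n"
    "7f3c1e000000-7f3c1e021000 rwxp 00000000 00:00 0\n"
    "7ffd2c3f0000-7ffd2c411000 rw-p 00000000 00:00 0 [stack]\n";

int main(void)
{
    static char maps[1 << 16], val[16];
    /* Inspect the live process on Linux; fall back to the sample elsewhere. */
    const char *m = read_file("/proc/self/maps", maps, sizeof maps) ? maps : kSampleMaps;
    printf("stack executable: %d\n", stack_is_executable(m));
    printf("W+X mappings:     %d\n", count_wx_mappings(m));
    if (read_file("/proc/sys/kernel/randomize_va_space", val, sizeof val))
        printf("ASLR level:       %d\n", aslr_level(val));
    return 0;
}
```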
      • Re:Proof? (Score:5, Insightful)

        by LaughingCoder (914424) on Sunday October 01 2006, @10:13AM (#16265649)
        Given the way that these guys are touting how Firefox is vulnerable because they were able to find a bug that they refused to warn the Firefox team about (like that refusal is Firefox's fault) I wouldn't be at all surprised to find that they managed to get some funding (either direct or indirect) from Microsoft.

        Or perhaps, being black hat types, they are trying to discredit Firefox because it makes their jobs tougher than IE does. Maybe they want to drive people back to IE.
      • Re:Proof? (Score:5, Informative)

        Yes they did have a live exploit.

        No, they didn't have a live exploit. The original article is here http://news.zdnet.com/2100-1009_22-6121608.html [zdnet.com], not the site linked to by slashdot.

        All they had was a video ... no code to display.

        So, maybe they do, maybe they don't ... but you can't tell just from a video.

        The JavaScript issue appears to be a real vulnerability, Window Snyder, Mozilla's security chief, said after watching a video of the presentation Saturday night.

        Also, what sort of drugs do you have to be on to name your kid "Window"? Brings to mind Frank Zappa naming his kid "Moon Unit".

      • Re:Proof? (Score:5, Insightful)

        by jlarocco (851450) on Sunday October 01 2006, @01:21PM (#16267397)
        (http://jlarocco.com/)
        Yes they did have a live exploit. The complaint is that they didn't even try to give Mozilla foundation an opportunity to patch the bug before they released it to the black-hats (along with the white hats) at the conference.

        Welcome to real life. Firefox is getting large enough to be a target. And when a piece of software is a target, people aren't going to just file a bug report when they find an exploitable bug. Look at Windows/IE. Every time you hear about a new exploit on Windows/IE, it's because it's being exploited. It'd be nice if they filed a bug report first, but you definitely can't expect it. They're black hats for a reason, you know.

        Given the way that these guys are touting how Firefox is vulnerable because they were able to find a bug that they refused to warn the Firefox team about (like that refusal is Firefox's fault) I wouldn't be at all surprised to find that they managed to get some funding (either direct or indirect) from Microsoft.

        That is the most ridiculous thing I've heard all week. Black hat hackers release exploits all the time without warning the software's creator. The fact you think Microsoft is involved says a lot more about you being a Firefox Fanboy than anything else. Get a clue.

  • Moo (Score:5, Funny)

    by Chacham (981) on Sunday October 01 2006, @09:36AM (#16265391)
    (http://tkatch.com/ | Last Journal: Monday October 29, @02:09PM)
    In response, Mozilla Corporation has stated that since the hackers did not submit the hack for verification, they may not call it a "FireFox" hack, in compliance with their Trademark policy. Further, if anyone did take over a browser with this hack, they would have to change the icon or face vague threats.

    The hackers plan to release the next version of the hack under the name IceWeasel Hack, while grumbling about backports. Debian developers have been debating whether they should include the hack in Etch or not.
    • Re:Oink (Score:5, Funny)

      by BeeBeard (999187) on Sunday October 01 2006, @09:41AM (#16265411)
      (sarcasm) Yes, our only hope is that Debian developers can patch the hole in time! (end sarcasm)

    • The real story (Score:4, Informative)

      by augustz (18082) on Sunday October 01 2006, @11:47AM (#16266579)
      (http://augustz.com/)
      To be clear:

      Firefox had a build switch that allowed folks to build it without branding (and do whatever they wanted to it) or build it with branding (and follow Mozilla's rules to create a consistent user experience).

      Debian devs took that build switch and broke it, so that everyone wanting to modify or adjust the Debian Firefox packages would have to go through and hand edit out Firefox if they wanted to remove branding. They then packaged this broken thing up, and still called it Firefox.

      Mozilla said that was bogus, and they were right. Having that build switch makes it easier for folks to make changes to the package without worrying about branding. Redhat and others do exactly this with artwork/branding packages. We are ALL better off if such easy build time switches are available.

      I've been around a while, but the Debian developers are way out of line here.... You can't create some crazy messed up Debian distro and call it Debian, you can't create a crazy Red Hat distro and call it Red Hat, why is Firefox getting all this heat? The amount of fuss they are creating is bogus and disappointing. I read through the snide commentary and it really is depressing. Even Mozilla Foundation suggests that a non-branded version of Firefox would work better for them.

  • Offtopic: Nice last names, guys (Score:1, Offtopic)

    by BeeBeard (999187) on Sunday October 01 2006, @09:38AM (#16265401)
    If you had to pick between having a last name of "Spiegelmock" or "Wbeelsoi", which one would you go with? I'd have to pick Wbeelsoi, because it would be funny to watch most native English speakers trip over that "W+b" letter combination.
  • Slightly offtopic... (Score:4, Interesting)

    by I(rispee_I(reme (310391) on Sunday October 01 2006, @09:41AM (#16265419)
    (Last Journal: Tuesday November 30 2004, @06:34PM)
    but why doesn't this story have a "from the ____ department" subheader?
  • Impossible to patch? (Score:3, Informative)

    by Anonymous Coward on Sunday October 01 2006, @09:42AM (#16265421)
    What about NoScript? http://www.noscript.net/whats [noscript.net]
  • Recent fixes (Score:5, Interesting)

    by grondu (239962) on Sunday October 01 2006, @09:42AM (#16265423)
    For the October 1 branch nightly release, these fixes were included:

    #353249 [Core:JavaScript Engine]-(undisclosed security fix) [All]
    #354924 [Core:JavaScript Engine]-(undisclosed security fix) [All]
    #354945 [Core:JavaScript Engine]-(undisclosed security fix) [All]

    I wonder if these are related to the alleged flaws?
  • Good policies will often save you. (Score:4, Informative)

    by failure-man (870605) <failureman&gmail,com> on Sunday October 01 2006, @09:44AM (#16265437)
    Noscript [mozilla.org] is your friend. Been using it for a year or so now.
    Yes, whitelisting sites is a pain, but Javascript is a remnant of a more innocent time and should probably be phased out anyway.
  • Branches? (Score:3, Interesting)

    I assume this affects the 1.5.x branch, but what about the 2.x branch or the 3.x branch?
  • All security bugs are zero-day (Score:5, Insightful)

    by Zeinfeld (263942) on Sunday October 01 2006, @09:47AM (#16265455)
    (http://dotfuturemanifesto.blogspot.com/)
    The term zero-day attack has become meaningless. In the days before there were mechanisms in place for rapidly distributing updates the majority of attacks used by hackers were age-old.

    Today the hackers have to work a bit harder so zero-day attacks are no longer rare. The vast majority of attacks are still from hackers who are reverse engineering the patches and distributing attacks before the patches are implemented.

    If someone reports a new attack against open source code it is by definition unknown before it is reported. Therefore all bug reports with security implications are 'zero-day'.

    What the idiots who released this exploit mean by 'zero day' was that they didn't allow time for the problem to be fixed before releasing the exploit.

  • Real article (Score:2)

    by MoogMan (442253) on Sunday October 01 2006, @09:48AM (#16265465)
    The link in the article is a click-through to the REAL article at http://news.zdnet.com/2100-1009_22-6121608.html [zdnet.com]
  • by TubeSteak (669689) on Sunday October 01 2006, @09:49AM (#16265479)
    (Last Journal: Saturday February 25 2006, @11:02PM)
    The hackers claim they know of about 30 unpatched Firefox flaws. They don't plan to disclose them, instead holding on to the bugs.

    ...

    "I do hope you guys change your minds and decide to report the holes to us and take away $500 per vulnerability instead of using them for botnets," Ruderman [a Mozilla security staffer] said.

    The two hackers laughed off the comment. "It is a double-edged sword, but what we're doing is really for the greater good of the Internet, we're setting up communication networks for black hats," Wbeelsoi said.

    Ouch.

    That is a public slap in the face.

    Why couldn't Javascript play nicely in a sandbox?
  • by CharonX (522492) on Sunday October 01 2006, @09:49AM (#16265483)
    (Last Journal: Friday February 18 2005, @09:17PM)
    From the Article
    The hackers claim they know of about 30 unpatched Firefox flaws. They don't plan to disclose them, instead holding on to the bugs.

    Jesse Ruderman, a Mozilla security staffer, attended the presentation and was called up on the stage with the two hackers. He attempted to persuade the presenters to responsibly disclose flaws via Mozilla's bug bounty program instead of using them for malicious purposes such as creating networks of hijacked PCs, called botnets.

    "I do hope you guys change your minds and decide to report the holes to us and take away $500 per vulnerability instead of using them for botnets," Ruderman said.

    The two hackers laughed off the comment. "It is a double-edged sword, but what we're doing is really for the greater good of the Internet, we're setting up communication networks for black hats," Wbeelsoi said.

    First of all, guys, so you refuse to tell us what the bugs are, so we can't fix them, and do this for the "greater good of the internet... setting up communication networks for black hats"? WTF? What does having tens of thousands of additional zombie-machines that could DDoS or send SPAM have to do with the greater good of the internet? I almost hope you try to make money off the bugs (if you even know any more) so you get to know a nice prison cell and "Life without PC"(TM). Honestly, I think those guys are full of it, they probably don't know even one additional vulnerability and just try to show off how "big and powerful" they are.
  • What about me? (Score:1, Funny)

    by Rendo (918276) on Sunday October 01 2006, @10:05AM (#16265583)
    I can turn a computer into a giant man eating robot with a few external peripherals and some malicious code in the Kernel.... Do you want some proof of that? Don't answer the door if you hear *in robot voice of course* "Humans detected... Num.... Num..... Num......"
  • SElinux (Score:2)

    by Danathar (267989) on Sunday October 01 2006, @10:08AM (#16265615)
    (Last Journal: Sunday August 20 2006, @09:16PM)
    I'm curious, is there a policy for FireFox within SELinux and would it restrict what a hacker could do with this exploit if it were available?
  • IRC (Score:5, Informative)

    by Anonymous Coward on Sunday October 01 2006, @10:08AM (#16265621)
    <Jesse_> have you guys heard about the supposed vuln in firefox disclosed at toorcon today?
    <Ryan> "Firefox re-entrant threading"?
    <reed> http://www.toorcon.org/2006/conference.html?id=13
    <Jesse_> yeah, that one
    <reed> Jesse_: Did you go to that particular one?
    <Jesse_> yes
    <Jesse_> i also went up on stage to "debate" "disclosure" with them
    <Jesse_> when i said "debate" "disclosure", i didn't mean the usual "how much time should security researchers give vendors to write and deploy patches before making the holes or exploits public" debate
    <Jesse_> these guys were *against* disclosure
    <Jesse_> preferring to keep the status quo of lots of vulnerabilities, large botnets (so they can be anonymous), etc. or maybe they were joking, it was hard to tell.
    <Jesse_> they claim they can make $10,000 or $20,000 selling a vuln in firefox
    <Jesse_> compared to $500 telling us about it
    <Jesse_> selling to other blackhats, anonymously, using onion networks, of course
    <dveditz> TippingPoint and iDEFENSE will pay up to $10K for IE and probably firefox vulns

    . . .

    <jX> http://news.com.com/Hackers+claim+zero-day+flaw+in+Firefox/2100-1002_3-6121608.html
    <jX> "...what we're doing is really for the greater good of the Internet, we're setting up communication networks for black hats," How exactly is that for the greater GOOD?
    <dveditz> the black hats crusade for our freedom (and credit cards) against the evil fascist empire
    <dveditz> they *earn* everything they steal by doing all the good they do keeping "the man" from owning the internet

    . . .

    <Jesse_> http://news.com.com/Hackers+claim+zero-day+flaw+in+Firefox/2100-1002_3-6121608.html quotes me out of context in a way that makes it look like i'm trying to bribe them with $500 bug bounties :(
    <zach> Jesse_: they dragged you up on stage during their talk?
    <jX> Jesse_: Yeah, doesn't really make anyone look good, that article..
    <Jesse_> "I do hope you guys change your minds and decide to report the holes to us and take away $500 per vulnerability instead of using them for botnets" is pretty close to the BEGINNING of a sentence i said
    <Jesse_> the REST of the sentence was " or selling them to other blackhats for ten thousand dollars"
    <Jesse_> with the whole sentence, it's clear that i'm hoping they'll change for ethical reasons, and that i'm not trying to bribe them
    <jX> Jesse_: Yeah, but quoting you out of context makes for better copy.
    <zach> Jesse_: did they actually drag you on stage during their talk as the article suggests?
    <Jesse_> zach: they left a lot of time after their slides, and asked me to come up
    <Jesse_> zach: they told me before the talk that they might ask me to come up
    <Jesse_> dveditz: yeah, about 20 minutes before
  • 15 minutes (Score:2)

    by foniksonik (573572) on Sunday October 01 2006, @10:14AM (#16265661)
    (http://www.emenoh.com/ | Last Journal: Monday April 17 2006, @10:08PM)
    Starting now.
  • By coincidence (Score:2)

    by also-rr (980579) on Sunday October 01 2006, @10:17AM (#16265675)
    (http://www.revis.co.uk/)
    I found a bug (feature?) last night which allows limited fingerprinting and surfing analysis in Firefox by looking at the way it grabs .ico files.

    Details here [revis.co.uk].
  • by whitehatlurker (867714) on Sunday October 01 2006, @10:17AM (#16265679)
    (Last Journal: Friday September 01 2006, @04:53PM)
    is it time to break out the third party patchers [slashdot.org]?

    Well, Firebird, boy wonder, it may very well be ...

  • The environment of a browser should be like a virtual machine. The Javascript or JavaApp running in it should be isolated from the rest of the system so that such exploits aren't possible. Mechanisms in the browser could be built in to allow you to still attach files to email in web based email sites which use Javascript while maintaining security.
  • I don't ask for trouble (Score:2, Insightful)

    by Gyarados (893032) on Sunday October 01 2006, @10:19AM (#16265691)

    You couldn't "commander" my computer unless I gave my web browser administrator privileges, and why would anyone do such a foolish thing? Heh.

  • The J in AJAX (Score:2)

    by stereoroid (234317) on Sunday October 01 2006, @10:51AM (#16266009)
    (http://stereoroid.com/ | Last Journal: Wednesday August 07 2002, @05:45AM)

    First, let me Second the previous comments about NoScript. I've also been using it for about a year, and find whitelisting to be only a minor inconvenience. I'm saddened by some of the JS Crud that otherwise legitimate sites try to foist on you, such as "Google Analytics", or the Tacoda [tacoda.com] ad-targeting that Slashdot uses here (which I blacklist).

  • NoScript plugin (Score:1, Redundant)

    by AlgorithMan (937244) on Sunday October 01 2006, @10:55AM (#16266051)
    (http://www.algorithman.de/)
    use the noscript plugin...
    https://addons.mozilla.org/firefox/722/ [mozilla.org] make a whitelist containing your REALLY trusted sites
    never worry about this again...
  • One of these guys works for SixApart (Score:5, Interesting)

    by Anonymous Coward on Sunday October 01 2006, @11:14AM (#16266241)
    Wonder how the management at SixApart feels about a having a black hat work for them who brazenly scoffs at the notion of responsible full-disclosure and releases a 0-day exploit to the public. Sort of answers the question in an earlier Slashdot post about whether companies should hire blackhats to work for them. In this case, the answer is a resounding NO. SixApart should fire this guy's ass immediately.
    • by dorkygeek (898295) on Sunday October 01 2006, @11:34AM (#16266457)
      (Last Journal: Tuesday May 01 2007, @04:06PM)
      [...] Spiegelmock, who in everyday life works at blog company SixApart.

      This guy is simply a liability for SixApart, and should get fired immediately. Imagine what could happen if he manages to get the exploit code for this or one of the other 30 exploits they claim to have discovered into one of SixApart's blogging tools.

      But what do we know, maybe they have already done so. Judging from their strange "for the greater good" beliefs, I wouldn't be surprised about it. I sure as hell won't advise anyone to use any of their products until they've reviewed their code to make sure it doesn't sport one of Spiegelmock's toys.

      • So I wrote to SixApart (Score:5, Insightful)

        by Anonymous Coward on Sunday October 01 2006, @01:25PM (#16267425)
        Maybe you want to as well? This is absolutely retarded behavior.

        From: [me]
        Subject: Responsible disclosure and reckless behavior
        Date: 1 October 2006 14.23.23 GMT-04:00
        To: mena@sixapart.com, ben@sixapart.com, brad@danga.com
        Cc: mischa@sixapart.com

        Hello,

        I read this article on ZDNet describing how your employee Mischa Spiegelmock found and revealed a zero-day Firefox flaw:

        http://news.zdnet.com/2100-1009_22-6121608.html [zdnet.com]

        Mischa and his co-researcher Wbeelsoi refuse to reveal specific details on the flaw--or 30 others they found--to the Mozilla Foundation:

        "The two hackers laughed off the comment. 'It is a double-edged sword, but what we're doing is really for the greater good of the Internet, we're setting up communication networks for black hats,' Wbeelsoi said."

        Considering LiveJournal's recent security flaws causing everyone to change their passwords due to browser-based flaws, do you really want someone working for you who makes the problem worse? To be sure, there is merit to the argument that revealing the flaws would allow Mozilla to continue to use a badly buggy implementation; however, there seems to be more to this.

        From FireFox's IRC channel, some dialogue from Jesse Ruderman of the Mozilla foundation, who attended (via Slashdot: http://it.slashdot.org/comments.pl?sid=198519&cid=16265621 [slashdot.org] )

        " they claim they can make $10,000 or $20,000 selling a vuln in firefox
          compared to $500 telling us about it
          selling to other blackhats, anonymously, using onion networks, of course"

        Is one of your employees looking to profit from vulnerabilities in Firefox? With the large number of huge enterprises using TypePad and SixApart software, do you really want to risk him embedding JavaScript code to activate this flaw in your products? If he's saving these flaws to profit from them, what's to say he won't look for the bigger payouts of actively punching holes in your products?

        That's unlikely--but more likely is that your customers will hear about this and refuse to do business with you because you have an employee who is actively seeking to make the Internet a more dangerous place.

        If I misunderstood anything in these articles, I apologize completely. However, what was described in the article was so outrageous that I had to write.

        Best regards,
        [me]
  • No-Script (Score:5, Informative)

    by Ice Wewe (936718) on Sunday October 01 2006, @12:10PM (#16266769)
    ...An attacker could commandeer a computer running the browser simply by crafting a Web page that contains some malicious JavaScript code...

    Which is why it's smart to run NoScript. A Firefox extension that blocks the execution of any scripts on a webpage without user consent. So, if you're tired of Javascript taking over your Firefox, get NoScript.

    https://addons.mozilla.org/firefox/722/ [mozilla.org]

  • Anybody know how to run firefox as an untrusted X client? I tried, but I just get this:

    $ sux --untrusted me-browser 'firefox'
    The program 'firefox-bin' received an X Window System error.
    This probably reflects a bug in the program.
    The error was 'BadAtom (invalid Atom parameter)'.
    (Details: serial 3 error_code 5 request_code 20 minor_code 0)
    (Note to programmers: normally, X errors are reported asynchronously;
    that is, you will receive the error a while after causing it.
    To debug your program, run it with the --sync command line
    option to change this behavior. You can then get a meaningful
    backtrace from your debugger if you break on the gdk_x_error() function.)
  • by Anonymous Coward on Sunday October 01 2006, @12:38PM (#16267007)
    ..until we boycott and shun enough javascript and active x and any other 'active', "we will slam unknown code on you from the web until you submit totally" site out there.

    There is no fix for this. NONE

    You either accept executables on web pages and assume the bulk of the websites out there will all use them (and it is getting that way now), or you don't.

    We will either have a secure web or an active web, you cannot have both.

    Automated code generating tools will eventually force *multiple 0 day hacks on browsers*, possibly into the hundreds or thousands. You literally won't be able to keep up with the multitude of "emergency patches" required, and it is from a couple things primarily: buffer overflows and active scripting no matter the name of the script.

    You cannot make javascript secure because of this "feature", it is *designed* to be an executable. Same with all the other looping zooming call this and bring down that AJAX candy and whatnot shyte.. And you won't get them to stop coding it until they are LIABLE FOR DAMAGES and are forced to offer consumer warranties on released code that is designed to surf the open internet, and I don't care which operating system or license you might care about either, code needs a warranty with it to make it suitable for purposes, just like every other CORPORATION has to offer with their PRODUCT. Once they are liable, they will stop coding crap using junk like javascript. MS is a corporation that wants to make money, mozilla, the same now, opera, the same, apple, the same. That's where the bulk of the browsers used on the web come from, 99% or better. For-profit corporation, they need to be forced to offer a warranty, simple as that. Once that happens, the pressure will then switch bigtime from those companies literally saying they will not recommend their users go to pages that aren't blessed by no bad code, it will force the web designers to stop using crap that makes people vulnerable and that you are forced to use if you want to surf normally.

    Saying you can "turn off javascript" or use some patch hack is not a solution, that is just pure crap now and everyone knows it, and it never will be. There are too many sites now that require it, and the sites themselves are vulnerable to getting pwned because they use insecure active scripting directly on their web pages. See how this will never be fixable as it stands now?

    There needs to be a complete revolution about this, a complete admission that the web has gone off course into mega-stupid-land in favor of blinking crap and eyecandy.

    And before the first idiot troll reactionary numbnut claims that JS can be made secure, show us that code! Show us that exact magic code you have written in your uberleetness that will make all JS be secure, something every webmaster can go slap on right now and get rid of JS insecurity! Go ahead, you'll be rich!
  • Redmond's response (Score:5, Funny)

    by Anonymous Coward on Sunday October 01 2006, @12:59PM (#16267203)
    Determined not to be upstaged by the Mozilla developers, now that Firefox has a 0 day exploit too, Microsoft's IE team has announced that they've started working on technology that will allow their browser to have -1 day exploits.
  • One thing in life... (Score:3, Insightful)

    by NoMercy (105420) on Sunday October 01 2006, @01:00PM (#16267213)
    There'll always be Idiots and Jerks, these two are the unfortunately not so rare combination of both. All in all, nothing to see here, go home.

    Oh and since everyone's recommended NoScript, I'd also recommend firewall tools like Sunbelt Kerio Personal Firewall (KPF), which can be configured to pop up a box every time your system attempts to run a program, very handy to stop any spyware/adware/anything you don't want loading on your system.
  • by SiliconEntity (448450) on Sunday October 01 2006, @01:01PM (#16267227)
    One point is being missed here: how did they find these 0days? It's easy - they just study the source code and find flaws.

    This is the other side of the "many eyes make bugs shallow" coin: many eyes make exploits shallow too. If your bad guys are more motivated than your good guys to find exploitable bugs (and why not, if they're worth $10K each!), open source can be inherently less secure than closed source.

    It's just good that Firefox has only 10% of the market. If it ever goes over 50% we're in for a security nightmare.
  • by worldsuksgo2mars (1006363) on Sunday October 01 2006, @02:12PM (#16267951)
    There will always be exploits. Some jerk can always dig through code or disassembly and find a way. This means that our computing environments are inevitably disposable once they become popular (aka targets). One could accept this and use a technology that works for this model. If for example you made a Norton Ghost image of your computer once it was set up properly and then restored from this whenever things went awry, you'd only have to avoid browsing the sketchier parts of the web until you got your security updates. Some people are working on making this much simpler. If you were to browse inside a virtual machine that rolls back to a safe state each boot [moka5.com], then you would automagically throw away any exploits that dug their way into your system.
  • Well... (Score:1)

    by Slaryn (986308) on Sunday October 01 2006, @02:22PM (#16268039)
    (http://www.icanseethepixels.com/)
    This is why I use NoScript [mozilla.org]. I decide whether or not I trust a site enough to run JavaScript or not. The only downside to this FF addon is that you really have to remember it is installed, or sometimes Flash sites or interactive menus just don't show up and you have no idea why... just remember to allow that site. ;p
  • by LiquidCoooled (634315) on Sunday October 01 2006, @04:11PM (#16268967)
    And still I have no clue about what I need to do to prevent this without globally "disable javascript" (with noscript)
    It sounds more like a Microsoft recommendation than anything.

    I know some very intelligent people will be looking at the code at present, but a bit more information about possible timescales would be nice.

    Before anyone says go look on mozilla forums, I have been there and the one thread on the subject has the same crap posted here.
    No-one appears to be doing anything about it and that worries me.
    Is it lack of details about the exploits? Is it lack of understanding? Is it just a very complex bug being examined in private?

  • MS vs Mozilla (Score:1)

    by jimmypw (895344) on Sunday October 01 2006, @04:41PM (#16269237)
    At least the mozilla foundation have the balls to rate this Critical. MS would rate this low-med.
  • IE vs. Firefox (Score:2, Insightful)

    by Sinbios (852437) on Sunday October 01 2006, @04:45PM (#16269267)
    (http://sinbios.org/)
    IE: Zero-Day IE Exploit In the Wild!! [slashdot.org]

    Firefox: Hackers "claim" zero-day flaw in Firefox [slashdot.org]

    Biased much?

  • by crashelite (882844) on Sunday October 01 2006, @05:51PM (#16269839)
    would this really be a firefox issue or a java issue?
  • by John Nowak (872479) on Sunday October 01 2006, @06:02PM (#16269957)
    Even if you turn off Javascript for all sites except those on some whitelist, there's no reason one of those sites can't be hacked and have malicious javascript inserted. There are only two ways to be safe from Javascript vulnerabilities:

    1. Turn off Javascript completely for all sites.
    2. Use a browser with a rock-solid Javascript implementation.

    One is easy, but breaks functionality, as people rely on Javascript for everything nowadays -- Mostly for things that don't need it. As for two, Firefox will never be this browser unless it is fundamentally re-architected, as others have mentioned here. It seems like the only option currently is to pick the safest browser you can find (I run Safari, which has far fewer vulnerabilities reported than Firefox, although I realize that means little in an absolute sense), sandbox it as best you can, be wary of any site you go to, keep your data backed up, have good password policies (don't use the same password for Slashdot and your bank account), and cross your fingers.

    This sucks -- We're still paying for the browser feature race that Microsoft and Netscape had years ago. This is not to say that passing code to a client and having it run it to render something is a bad thing. No one is up in arms about Postscript. What we do need is some technology that is limited to certain very specific things, and is not depended on to interact with the browser itself in any major ways (as it currently is in Firefox). Saying "draw this line 10 times" is fine. Saying "open these tabs and turn off your bookmark bar" is not. Once you go past Postscript-level rendering and into client UI or system interaction, you're just asking for it.
  • RMS are your listening? (Score:1, Interesting)

    by Anonymous Coward on Sunday October 01 2006, @06:14PM (#16270067)
    IBM, Oracle and MS, among numerous other companies, already have EULAs which prohibit certain actions on the part of "users" of their system. Such as publishing unauthorized benchmarks. It's a small tweak to outlaw sales of exploits. Or if not outlawing them, define some things you can and cannot do with them (like disclose or advertise them for sale without full disclosure to the vendor). Full disclosure is great, give them credit, but if they choose to disclose it in a different way, then sue the fuckers.


    OSS needs this in licenses. Forget the DRM stuff GPLv3 is trying to deal with, let's try to deal with a real problem that we can solve. This is a minor act of terrorism-like behavior, they go out, announce they have a bunch of exploits that they aren't going to publish and basically say they would rather get them to other black hats rather than mozilla to fix them. That should be criminal and if it's not, and since I don't trust the government to do it right, Mozilla should have recourse to sue these guys for damages and to figure out fixes to the problem.


    Look at the apple wireless thing, same exact problem. We'll never know if there was a real exploit, it will never be released or actually demoed. Any time apple fixes anything in the wireless area (and they'll continue to fix stuff for years) a group of people will simply parrot that the whole thing was real, another group will do the same and echo the fraud charges. The fact remains that it is the least responsible disclosure, it is an attempt to generate fear that cannot be fixed and generate some fame and defame another company all at once.


    RMS mandate full disclosure in the next GPL.

  • This probably isn't very interesting to the majority of slashdot readers, who we'd expect to have the knowledge and sense to have long ago turned off javascript and all other scripting things in their browsers. Right? Right .....

  • by Cinquero (174242) on Sunday October 01 2006, @09:16PM (#16271653)
    ... in Linux and firefox is actually no concept at all. They could use process separation through SELinux but no distro does it for critical desktop apps like ICQ messengers and browsers. And even if they do, the browsers themselves need to be deeply refactored: information flow must be controlled at a simple level and a good solution would probably be to detach and isolate a process depending on the remote website's SSL cert: that way even cross-site scripting attacks would not have been possible and password/cookie information theft could be prevented relatively securely. Security implies a concept. Just programming a scripting language such that it looks secure is not enough. You have to use simple and easy to understand barriers (like domain transitions).

    And even that is no guarantee for security. Actually, with today's solution you cannot securely isolate process domains. You can still use bandwidth modulation (RAM, disk etc.) to send information to any other process on the system (it just needs to measure the bandwidth...). I think such problems can only be avoided if one uses a proven concept to build the whole OS.

    But who am I to tell how to do such things. Wait a few years, and I'm usually proven to be right.
  • The question becomes; is it possible to code a truly "secure" browser app?

    There's many answers, depending on what you mean by secure...

    1. A browser in which no path through the code can in principle be exploited. Technically, yes, but in practice you're unlikely to see such a browser in wide use because it wouldn't permit third party plug-ins nor would its scripting language allow many of the capabilities people are used to seeing.

    2. A browser in which no security flaws can be practically exploited. This would be possible, if you don't count holes in third-party plugins. You would need to implement the browser in an inherently safe language and restrict the ability of scripts to only change the presentation of data, to communicate with plugins at a high level, and trigger events within the same document.

    3. A browser in which no security flaws require changing the exposed API to be fixed. This is easily implemented, and Gecko is actually not far from it. Scripts would need to be somewhat restricted to prevent cross-site information exposure, but most of the problems with Firefox are at a higher level... for example, the use of the same scripting engine to implement user interface features and to execute untrusted scripts, or (and worse) the support code for XPI installs from the web that requires a hole in the sandbox to implement. A browser such as Camino that uses Gecko for rendering HTML but implements the user interface in native code is safer in principle.

    4. A browser in which 'trusted' documents can run unsandboxed code, and which is still secure? Not possible. This is where Internet Explorer is. The difference between point 3 and point 4 is huge... you can build a class three secure browser using the Gecko engine with minor changes that don't affect the API. You can't make a class 4 browser secure without turning it into a class 3 browser, and to do that you have to fundamentally change the API. Microsoft could do it now, but it would have been much easier for them to do it in 1998.
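The "cross-site information exposure" restriction in point 3 above, and the per-site isolation Cinquero proposes a few comments up, both reduce to one decision: may a script loaded from origin A read a document from origin B? The following is an added example in JavaScript, not code from this thread or from Gecko; the origin normalisation, the refusal of non-http(s) script origins and the sample cases are constructed here to show where the usual tricks (default ports, userinfo, look-alike suffixes) land.

```javascript
// Added example (not from the original thread): a same-origin decision of the
// kind a browser applies before letting one document's script touch another.
// Two documents share an origin only if scheme, host and port all match; the
// path, query, fragment and userinfo play no part in the comparison.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Return the origin tuple "scheme://host:port" for a URL, filling in the
// default port for http/https, or null if the URL does not parse at all.
function originOf(urlString) {
  let u;
  try {
    u = new URL(urlString);
  } catch (e) {
    return null;
  }
  const port = u.port || DEFAULT_PORTS[u.protocol] || "";
  return `${u.protocol}//${u.hostname.toLowerCase()}:${port}`;
}

// True only when both URLs are well-formed and have the same origin.
function sameOrigin(a, b) {
  const oa = originOf(a);
  const ob = originOf(b);
  return oa !== null && ob !== null && oa === ob;
}

// Decide whether a script running in `scriptUrl` may read `targetUrl`.
// Scripts whose own origin is not http(s) (javascript:, file:, chrome:) are
// refused outright: those are the privileged "UI side" the comment above
// says should never share an engine with untrusted content.
function mayRead(scriptUrl, targetUrl) {
  const o = originOf(scriptUrl);
  if (o === null || !(o.startsWith("http:") || o.startsWith("https:"))) {
    return false;
  }
  return sameOrigin(scriptUrl, targetUrl);
}

// Constructed sample cases: [script origin, target, expected decision].
const CASES = [
  ["https://example.com/a", "https://example.com:443/b", true],    // default port
  ["http://example.com/", "https://example.com/", false],           // scheme differs
  ["https://example.com/", "https://www.example.com/", false],      // subdomain differs
  ["https://example.com/", "https://example.com:8443/", false],     // port differs
  ["https://example.com/", "https://evil@example.com/", true],      // userinfo ignored
  ["https://example.com/", "https://example.com.evil.net/", false], // suffix trick
  ["javascript:alert(1)", "https://example.com/", false],           // non-http script
];

// Returns one boolean per case: true when mayRead agrees with the expectation.
function runCases() {
  return CASES.map(([s, t, want]) => mayRead(s, t) === want);
}
```

The comparison is deliberately on the normalised tuple rather than on string prefixes of the URL, which is how "example.com.evil.net" and an injected userinfo part would otherwise slip past. A real engine has to make the same decision for cookies, DOM access and XMLHttpRequest separately, and the point of the comment above is that UI code must never be on the permissive side of that check.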
  • terrorist (Score:2)

    by codepunk (167897) on Sunday October 01 2006, @09:55PM (#16272065)
    (http://www.codepunk.com/)
    If you tell mozilla there is a hole, then refuse to disclose it to them, and further you tell them
    that you intend to use it to create a botnet, the only thing I can say is these crap heads should be labeled what they are, terrorists. Send them to gitmo with the rest of the terrorists, never to be heard or seen again.
    • Re:terrorist by jseale (Score:1) Sunday October 01 2006, @10:15PM
  • Can't we just fight back? We've got the manpower. The will. The spirit. The motivation. The cause. Can't someone just steal the remaining exploits from them? Its for the greater good of the community.

    Any ideas anyone?

  • by master_p (608214) on Monday October 02 2006, @04:12AM (#16274455)
    Each time there is a report for a vulnerability, the reason why this vulnerability exists is not mentioned at all, let alone analysed.

    So, I am asking: is it because of flawed design or because of using C as the language to program firefox in?

    If it is the latter, then maybe we (i.e. the software community) should consider no longer using C and moving to a safer environment (e.g. Cyclone).
  • Firefox. Mozilla? (Score:2)

    by HTH NE1 (675604) on Monday October 02 2006, @11:28AM (#16278365)
    So it exploits Firefox. What about Mozilla? Or the other browsers from the same source?
  • It is a joke (Score:2)

    by 140Mandak262Jamuna (970587) on Tuesday October 03 2006, @10:37AM (#16292403)
    (Last Journal: Wednesday October 31, @08:33AM)
    Security focus [securityfocus.com] is quoting Mozilla developer blogs to claim that the demo was a hoax. Don't know if the demo is a hoax or this report is a hoax. Another UK site [heise-security.co.uk] too is claiming that it is a joke. But on the other hand thousands of newspapers and websites and blogs are claiming that Firefox is so broken it is unfixable.
  • Re:Firefox has become IE (Score:3, Funny)

    by failure-man (870605) <failureman&gmail,com> on Sunday October 01 2006, @09:48AM (#16265469)
    And if that's not obscure enough, there's always Lynx. ;)
  • Re:Intersting Spin (Score:2, Informative)

    by Smidge204 (605297) on Sunday October 01 2006, @09:58AM (#16265531)
    Difference is either a) The exploit is announced by a credible source, or even the software vendor (Microsoft in those cases) or b) A Proof of Concept demonstration of the flaw is provided.

    Neither of which apply to this situation. An announcement from a credible source or a demonstration would clear things right up. Even if you consider whitedust.net to be a good source, the flaw was not found by them and they only reference a ZDNet article which contains slightly more information but not enough to really confirm anything. The people who found the exploit are deliberately keeping it secret and therefore will not produce a PoC.
    =Smidge=
  • Re:Firefox has become IE (Score:2, Insightful)

    by Jugalator (259273) on Sunday October 01 2006, @10:02AM (#16265561)
    (Last Journal: Monday February 13 2006, @07:11PM)
    "Firefox has become IE"

    Not even close.

    "I guess it's time to start using Opera, instead." ... which has had security flaws too.

    If you're looking for a browser that never has any special security flaws to talk of that's still usable for modern web sites, you're up for a hell of a search.
  • by Ant P. (974313) <anthony.parsons@manx.net> on Sunday October 01 2006, @10:05AM (#16265587)
    Wow... that's the first time I've seen a comment duped in the same article!
  • by dattaway (3088) on Sunday October 01 2006, @10:09AM (#16265629)
    (http://dattaway.us/)
    Why must most web pages HAVE to have javascript to convey textual information? I already have a browser, why do I need another mysterious program running to help me read?
  • by x2A (858210) on Sunday October 01 2006, @10:27AM (#16265759)
    I turned my computer off, fixing 100% of all security problems. Made it even more useless than yours.

  • by shawn443 (882648) on Sunday October 01 2006, @10:40AM (#16265905)
    I am not a javascript hater, it is very useful. The fact that you can transfer some of the processing to the client is a very valuable thing in my book. Considering most forms are validated at the client level I wonder how you define correctly coded web sites working 100%. I suppose however there isn't anything stopping a server from validating if the client refuses, it just means twice the coding. I just got done with a hand rolled image gallery using javascript, if you want to download every thumbnail or see just a collection of links that is fine. I recently implemented AuthCookieDBI for session based authentication. Rather than my server worrying about the headers and directing to the appropriate user section, I named the client folders after the user name. With just onblur and getElementById the client appends and passes all the information I need. I think if most users disabled javascript my work would be much harder and their experience would be less enjoyable. As far as the security issues, I think after time we will see those steadily evaporate. Right now I feel comfortable enough to risk having it on.
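The division of labour the comment above describes, onblur validation in the browser and the server validating again "if the client refuses", is worth seeing in code, because the client half is a convenience and only the server half is a security control: anyone with curl can post a body that never went through the form. The following is an added example in JavaScript, not the commenter's code; the field names, the username rule, the `/srv/www/users/` layout and the two sample requests are assumptions made for illustration.

```javascript
// Added example (not the commenter's code): one pure validation function run
// on the client for early feedback and run again on the server as the real
// check. The username rule is deliberately tight enough that the validated
// value can be used as a directory name without any further escaping.
const USERNAME_RE = /^[a-z][a-z0-9_]{2,31}$/;   // no "/", "\", "." or NUL possible
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;  // coarse shape check only

// Pure validation: returns the names of the fields that failed, [] if valid.
// Shared verbatim between client and server so the two rule sets cannot drift.
function validateForm(fields) {
  const problems = [];
  const username = String((fields && fields.username) || "");
  const email = String((fields && fields.email) || "");
  if (!USERNAME_RE.test(username)) problems.push("username");
  if (!EMAIL_RE.test(email)) problems.push("email");
  return problems;
}

// Map a validated username onto its per-user folder (assumed layout).
// Re-checking here means a caller cannot reach the filesystem with an
// unvalidated value even if it skips handleSubmit.
function userFolder(username) {
  if (!USERNAME_RE.test(username)) throw new Error("unvalidated username");
  return `/srv/www/users/${username}/`;
}

// Server side: `req` is a constructed stand-in for a parsed POST body. The
// client's opinion of the data is ignored; validateForm runs unconditionally.
function handleSubmit(req) {
  const problems = validateForm(req.body);
  if (problems.length > 0) return { status: 400, problems };
  return { status: 200, folder: userFolder(req.body.username) };
}

// Client side (browser only, not exercised here): wire the same function to
// the form's blur events, as the comment's onblur/getElementById approach does.
function attachClientValidation(form) {
  for (const input of form.querySelectorAll("input")) {
    input.addEventListener("blur", () => {
      const fields = Object.fromEntries(new FormData(form));
      const bad = validateForm(fields).includes(input.name);
      input.setCustomValidity(bad ? "invalid value" : "");
    });
  }
}

// Constructed requests: a normal submission, and one sent directly with curl
// that never saw the client-side check and aims a traversal at userFolder.
const GOOD_REQ = { body: { username: "alice", email: "alice@example.com" } };
const EVIL_REQ = { body: { username: "../../etc", email: "x@example.com" } };
```

`handleSubmit(GOOD_REQ)` returns status 200 and the alice folder; `handleSubmit(EVIL_REQ)` returns status 400 without `userFolder` ever being called, and calling `userFolder("../../etc")` directly throws. The design choice is that the path-safety property lives in the validation rule, not in a separate sanitiser that the next feature might forget to call.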
  • by pembo13 (770295) on Sunday October 01 2006, @11:58AM (#16266651)
    (http://www.pembo13.com/)
    Dude? Are you being paid to post this stuff? You already posted this on this article.
  • by Goaway (82658) on Sunday October 01 2006, @01:27PM (#16267437)
    (http://wakaba.c3.cx/)
    Curiously, 100% of correctly coded web sites still work perfectly

    Where "correctly coded" is defined as "works perfectly when I've turned off Javascript", right? God, what a useless statement to make.