Security Internet Explorer Mozilla The Internet

Gaping Holes In Fully Patched IE7, Firefox 2

Continent1106 writes "Hacker Michal Zalewski has ratcheted up his ongoing assault on Web browser security models, releasing details on serious flaws in fully patched versions of IE6, IE7 and Firefox 2.0. The vulnerabilities could cause cookie stealing, page hijacking, memory corruption, code execution, and URL bar spoofing attacks." Here is Zalewski's post to Full Disclosure.
  • Victim Statistics? (Score:5, Insightful)

    by Anonymous Coward on Monday June 04, 2007 @09:41PM (#19390539)
    Perhaps I'm ignorant, but does anyone ever find themselves a victim of these "gaping holes"? I can't say as I've ever browsed on to a site and found myself the victim of a compromised computer or ended up with viruses. Is there a site/blog that reports such statistics?
  • by mrcaseyj ( 902945 ) on Monday June 04, 2007 @09:44PM (#19390573)
    They said they could make javascript secure but it's still a huge source of holes. Instead of learning our lesson, Flash, another executable web format is taking over. Don't use flash because it's cool. Only use it if you really need it for your web page.


    And if Ubuntu was really concerned about security they would ship it by default with a web browser already set up under a separate username with strict selinux policies.

  • alternatives (Score:5, Insightful)

    by sudo ( 194998 ) on Monday June 04, 2007 @09:46PM (#19390577) Homepage
    Well there's always Opera?
  • Go old NoScript (Score:5, Insightful)

    by Nutsquasher ( 543657 ) on Monday June 04, 2007 @09:50PM (#19390643)
    Keeps all of that Firefox JavaScript nastiness at bay, plus flash ads to boot. :)
  • by afidel ( 530433 ) on Monday June 04, 2007 @09:59PM (#19390723)
    Hacker hijacks web server of popular site, but instead of simply defacing the front page they slip in a little bit of code to release a botnet installer or adware installer based on this type of vulnerability. It happens all the time.
  • First to fix? (Score:2, Insightful)

    by doctor_nation ( 924358 ) on Monday June 04, 2007 @10:13PM (#19390827)
    Anyone want to wager on who has this hole fixed first, IE or Firefox?
  • Re:Go old NoScript (Score:3, Insightful)

    by Bender0x7D1 ( 536254 ) on Monday June 04, 2007 @10:15PM (#19390855)

    Yes, that is a solution, but it isn't a good solution.

    If we continue down that line of thought we end up at the point where we just go back to static pages with no scripting. Now, in general, I prefer static pages without all the extra "eye-candy", but I also understand the benefits of having scripting, (and even flash) running. By even having a preference for static pages, I think I am in the minority of people on the Internet. Let's face it, the average person likes all of the "extras" that come with scripting.

    With this preference for dynamic content, we also have to accept that there are going to be some security problems. We can blame Microsoft. We can blame the users. We can blame the Flying Spaghetti Monster for forsaking us. We can blame the hackers who produce the infectious content. However, what matters is that with new things on the web appearing so quickly, there hasn't been time to stop, take a deep breath and look for the security holes that exist. This means that the bad guys have the advantage and we have problems. If you don't like it, use Lynx and practice safe hex.

  • Slashdot responses (Score:5, Insightful)

    by Frankie70 ( 803801 ) on Monday June 04, 2007 @10:22PM (#19390923)
    1) If Article Posted about IE security bugs
        - Regular mudfest, everyone throwing mud on Microsoft
    & IE. Everyone saying I have FF/Linux/Safari whatever,
    so I am safe. Nobody talks about changing settings,
    disabling javascript or Activex as a good workaround.

    2) If Article Posted about FF security bugs
        - Lot of workarounds posted - disable Javascript,
    get some plugin, change some settings, don't go to
    the website etc. How great that it is open source,
    someone will fix the bug in one hour & release patch.
    Bugs are avenues to show how great open source is.

    Now both are posted together, let's collate responses
    at the end of the day
  • Re:Go old NoScript (Score:4, Insightful)

    by MLease ( 652529 ) on Monday June 04, 2007 @10:31PM (#19390997)
    When I want to allow flash or a script to run, it's easy enough to do. The point of NoScript is that nothing runs without my explicit consent, just because I happened to visit a website. If I allow something malicious to run, it's my own fault.

    -Mike
  • Re:And Opera (Score:3, Insightful)

    by QuietLagoon ( 813062 ) on Monday June 04, 2007 @10:36PM (#19391027)
    Opera just randomly crashes and then has a default behavior of restarting the site that causes it to randomly crash.

    More than likely, Opera restarts with the site before the one that caused the crash.

    Unfortunately for Opera, most sites are written according to IE's buggy standards. While Opera does try to accommodate the poor HTML written by web programmers who think the Internet is viewed only through IE-colored glasses, sometimes it is difficult to accommodate the flagrant stupidity that is IE's rendering engine.

  • probably NoScript (Score:3, Insightful)

    by r00t ( 33219 ) on Monday June 04, 2007 @10:39PM (#19391049) Journal
    You're a rare weirdo. Much of the web won't work without scripting, or at least won't work well.

    You're missing out on the nicer wiki/blog editors, live updates to the price of a computer purchase as you add/remove components, tolerable web mail interfaces, and (if your CPU is fast) the experimental slashdot interface.

    Those are just the nerd things. I'm told there are numerous non-nerd things on the web as well, with far more scripting.
  • Are you sure? (Score:5, Insightful)

    by kybred ( 795293 ) on Monday June 04, 2007 @10:56PM (#19391189)
    I can't say as I've ever browsed on to a site and found myself the victim of a compromised computer or ended up with viruses that I know of.

    There, fixed that for you.

  • Re:And Opera (Score:3, Insightful)

    by Kelson ( 129150 ) * on Tuesday June 05, 2007 @12:00AM (#19391755) Homepage Journal
    It's a bit simplistic to assume that $browser will always keep you safe. On the other hand, it's important to remember that there are many alternatives [alternativ...liance.com] available. The good thing about this is that each engine has its own vulnerabilities, so for the same malware to target Firefox, IE, Opera and Safari, it would have to target four different exploits. At least with intended behavior of HTML/DOM/CSS, Gecko, Trident, etc. are (ostensibly) aiming at the same target.

    Ever notice that the only vulnerabilities which are really cross-browser tend to be misuse of functionality (like the Unicode domain spoofing attacks a few years back), rather than exploits of bugs?
  • Re:Go old NoScript (Score:3, Insightful)

    by Kelson ( 129150 ) * on Tuesday June 05, 2007 @12:27AM (#19391945) Homepage Journal

    When are people going to wake-up to this bullshit? "Web apps" give you all the performance of regular apps running on an old 286, with half the features. Wow!

    The point of web applications isn't performance, it's ubiquity. Hotmail (and remember, it was one of the first big web apps, even before Microsoft bought it) didn't take off because it performed better or had more features than Eudora, Outlook, Netscape or Pegasus -- it took off because you didn't need to install it and you could access it from any computer with an Internet connection and a web browser.

    But you knew that, didn't you?

  • by beyondkaoru ( 1008447 ) on Tuesday June 05, 2007 @12:38AM (#19391993) Homepage
    ok, i'm not a web developer so i wouldn't know, but is there any way to force your advertisers (malicious or otherwise) to not use javascript/flash/whatever? since it's essentially running code we don't trust on the client's computer...

    essentially, do the noscript thing on your own servers, or host ads (i assume they're mostly just pictures with links) on your own servers somehow.
  • by myxiplx ( 906307 ) on Tuesday June 05, 2007 @06:09AM (#19393877)
    Here at work we use IE6 on XP SP2 workstations and not a single one of those vulnerabilities affects us.

    Why? Because we don't let IE run scripts of any kind unless it's from a site we trust. IE has had security zones for years yet hardly anyone uses them. A single group policy object enforces our list of trusted sites, nobody's computer can run javascript on any site we've not already decided is safe.

    Ok, there's a small risk of someone hacking one of our trusted sites, but I can live with that.

    So far we've had 2 years of uninterrupted browsing, with nobody at our company getting a single piece of malware on their machine.

    And the best bit: It's surprisingly low maintenance. We get maybe one request a month now to add a new site to the list.
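
An added example, not part of the comment above or any poster's code: a read-only PowerShell check that the setup described there (active scripting disabled in the Internet zone, trusted sites assigned by Group Policy) is actually in force on a workstation. It assumes the policy was delivered through the standard "Site to Zone Assignment List" and "Allow active scripting" settings; the function names are hypothetical.

```powershell
# Added example: read-only audit of an IE "scripts only on trusted sites" policy.
# Zone 2 = Trusted sites, zone 3 = Internet; URL action 1400 = active scripting
# (0 = enable, 1 = prompt, 3 = disable). Nothing here writes to the registry.
$base  = 'Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
$hives = 'HKLM:', 'HKCU:'

function Get-ZoneScriptingPolicy([int]$Zone) {
    # Returns the policy-enforced scripting value for a zone, or $null if unset.
    foreach ($hive in $hives) {
        $key = "$hive\$base\Zones\$Zone"
        $val = (Get-ItemProperty -Path $key -Name '1400' -ErrorAction SilentlyContinue).'1400'
        if ($null -ne $val) {
            return [pscustomobject]@{ Hive = $hive; Zone = $Zone; Value = $val }
        }
    }
    return $null
}

function Get-TrustedSiteAssignments {
    # Lists sites that policy maps to the Trusted sites zone and flags broad entries.
    foreach ($hive in $hives) {
        $item = Get-Item -Path "$hive\$base\ZoneMapKey" -ErrorAction SilentlyContinue
        if (-not $item) { continue }
        foreach ($name in $item.GetValueNames()) {
            if ([string]$item.GetValue($name) -ne '2') { continue }
            [pscustomobject]@{
                Hive         = $hive
                Site         = $name
                Wildcard     = $name.Contains('*')                 # e.g. *.example.com
                NotHttpsOnly = -not $name.StartsWith('https://')   # http or any protocol
            }
        }
    }
}

$internet = Get-ZoneScriptingPolicy -Zone 3
if ($internet -and $internet.Value -eq 3) {
    "OK: active scripting disabled in the Internet zone by policy ($($internet.Hive))"
} else {
    'WARN: Internet-zone scripting is not disabled by policy; users may be able to re-enable it'
}

$sites = @(Get-TrustedSiteAssignments)
"Trusted-zone assignments enforced by policy: $($sites.Count)"
$sites | Sort-Object Site | Format-Table -AutoSize
```

Entries flagged Wildcard or NotHttpsOnly widen what counts as trusted, which is where the "someone hacking one of our trusted sites" risk in the comment is concentrated.
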
  • I don't care what you think, nobody is going to use that extension by default and it will never be enabled by default. Your attempts to make measurements of Firefox security with it enabled are reminiscent of Microsoft's attempts to get C2 certification for Windows NT when it wasn't connected to a network.

    The most meaningful measurement of security for an application is looking at the default installation. Most people will never get beyond that.

  • by bigwave111 ( 1046082 ) on Tuesday June 05, 2007 @11:02AM (#19396833)
    For how much Slashdotters rip apart the DRM industry, which spends millions upon millions only to have their keys hacked in a day, we sure do expect a lot from our browsers.
  • by ukemike ( 956477 ) on Tuesday June 05, 2007 @12:07PM (#19398077) Homepage
    The hard thing about NoScript is when a page totally fails to load anything useful and you have to decide to allow one or more of three scripts, each from a different domain. Often it is easy, you're on yahoo so you allow yahoo. Sometimes it is far from obvious. To get some yahoo pages to work you have to allow yming.com to run scripts, and you have to pick that one from a list including several cryptically named advertiser sites. I don't mind this extra step, and with the current web model I don't see another way around it, but I hardly expect Joe Casual Surfer to even know what a script is.
