Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×

Hackers claim zero-day flaw in Firefox 398

An anonymous reader writes "The open-source Firefox Web browser is critically flawed in the way it handles JavaScript, two hackers said Saturday afternoon. An attacker could commandeer a computer running the browser simply by crafting a Web page that contains some malicious JavaScript code, Mischa Spiegelmock and Andrew Wbeelsoi said in a presentation at the ToorCon hacker conference here."
This discussion has been archived. No new comments can be posted.

Hackers claim zero-day flaw in Firefox

Comments Filter:
  • Moo (Score:5, Funny)

    by Chacham ( 981 ) on Sunday October 01, 2006 @10:36AM (#16265391) Homepage Journal
    In response, Mozilla Corporation has stated that since the hackers did not submit the hack for verification, and they may not call it a "FireFox" hack, in compliance with their Trademark policy. Further, if anyone did take over a browser with this hack, they would have to change the icon or face vague threats.

    The hackers plan to release the next version of the hack under the name IceWeasel Hack, while grumbling about backports. Debian developers have been debating whether they should include the hack in Etch or not.
    • Re:Oink (Score:5, Funny)

      by BeeBeard ( 999187 ) on Sunday October 01, 2006 @10:41AM (#16265411)
      (sarcasm) Yes, our only hope is that Debian developers can patch the hole in time! (end sarcasm)

      • Doh. You were both faster than me.
        (sarcasm) Let's hope that the PoC passes DFSG so that debian can start working on a fix ASAP(/sarcasm)
      • by jZnat ( 793348 ) *
        Debian security has been quite fast to release fixes in my experience. That's one of the great things about Debian stable: you get a stable, secure system with security updates for quite a while after its release.
    • The real storry (Score:4, Informative)

      by augustz ( 18082 ) on Sunday October 01, 2006 @12:47PM (#16266579)
      To be clear:

      Firefox had a build switch that allowed folks to build it without branding (and do whatever they wanted to it) or build it with branding (and follow Mozilla's rules to create a consistent user experience).

      Debain dev's took that build switch and broke it, so that everyone wanting to modify or adjust the debian firefox packages would have to go through and hand edit out firefox if they wanted to remove branding. They then packaged this broken thing up, and still called it firefox.

      Mozilla said that was bogus, and they were right. Having that build switch makes it easier for folks to make changes to the package without worrying about branding. Redhat and others do exactly this with artwork/branding packages. We are ALL better off if such easy build time switches are available.

      I've been around a while, but the debian developers are way out of line here.... You can't create some crazy messed up debian distro and call it debian, you can't create a crazy redhat distro and call it redhat, why is firefox getting all this heat? The amount of fuss they are creating is bogus and dissapointing. I read through the snide commentary and it really is depressing. Even Mozilla Foundation suggests that a non-branded version of firefox would work better for them.

      • Re:The real storry (Score:4, Informative)

        by thebluesgnr ( 941962 ) on Sunday October 01, 2006 @10:49PM (#16272001)
        That's not the real story. In fact it's a bogus story that omits a very important detail, which is that Debian had permission from Mozilla (Gervase Markham) to use the Firefox branding the way they were using it. See the bug report for the real story: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=3 54622 [debian.org]
        • False (Score:3, Informative)

          by augustz ( 18082 )
          I've read the entire bug. I've read the email thread. This is important to have the full context of this this on the record. The claim you state as a fact, that "Debian had permission from Mozilla to use the Firefox branding the way they were using it" is disputed. In fact, a careful read of the bug and associated email threads will show that it is a very weak claim.

          Here is a quote from an email from Mozilla that captures this nicely:

          At no time was any irrevocable and/or condition-free usage of the
          trademark

  • Slightly offtopic... (Score:4, Interesting)

    by I(rispee_I(reme ( 310391 ) on Sunday October 01, 2006 @10:41AM (#16265419) Journal
    but why doesn't this story have a "from the ____ department" subheader?
    • by dsanfte ( 443781 )
      Crap, I knew I forgot something in that script I sent him.
    • Re: (Score:3, Funny)

      by SeaFox ( 739806 )
      but why doesn't this story have a "from the ____ department" subheader?

      Taco was going to write "From the Firefox dept." but he wasn't interested in paying trademark licensing fees. Plus there was any place to include the logo and they cannot be separated!
  • by Anonymous Coward on Sunday October 01, 2006 @10:42AM (#16265421)
    What about NoScript? http://www.noscript.net/whats [noscript.net]
    • Ah, beat me to the punch. I've been using NoScript and Firefox ever since my Windows 2003 Server was compromised into nothingness after my IE browser hit a Google cache that loaded up some nasty Javascript. It actually gave me nightmares for months afterwards, sort of like those driving dreams where you can't control the car. In this case, I'd watch horrified as hackers took over my PC, none of my typed commands actually doing anything.

      In any case, NoScript works great, greatly reduces advertisements,
  • Recent fixes (Score:5, Interesting)

    by grondu ( 239962 ) on Sunday October 01, 2006 @10:42AM (#16265423)
    For the October 1 branch nightly release, these fixes were included:

    #353249 [Core:JavaScript Engine]-(undisclosed security fix) [All]
    #354924 [Core:JavaScript Engine]-(undisclosed security fix) [All]
    #354945 [Core:JavaScript Engine]-(undisclosed security fix) [All]

    I wonder if these are related to the alleged flaws?
  • by failure-man ( 870605 ) <.moc.liamg. .ta. .nameruliaf.> on Sunday October 01, 2006 @10:44AM (#16265437)
    Noscript [mozilla.org] is your friend. Been using it for a year or so now.
     
    Yes, whitelisting sites is a pain, but Javascript is a remnant of a more innocent time and should probably be phased out anyway.
    • Re: (Score:3, Insightful)

      by Timesprout ( 579035 )
      So we should not use anything that might dent the firefox is perfect myth? Maybe firefox should just fix their javascript implementation just like MS has to when these things arise and the rest of us can get back to enjoying the web.
      • by failure-man ( 870605 ) <.moc.liamg. .ta. .nameruliaf.> on Sunday October 01, 2006 @10:54AM (#16265503)
        Mozilla is better at getting problems fixed and sets better policies than Microsoft, but I'm not convinced that it's written much better than IE.

        Web browsers are, by their very nature, huge targets. Their job is to deal with arbitrary data from all over the damn place. The whole thing should probably be sandboxed, but short of that, it shouldn't be running code from random sites.
        • by Vo0k ( 760020 ) on Sunday October 01, 2006 @11:47AM (#16265977) Journal
          Sandboxing the whole thing will help against system takeovers, but not against frauds within the browser - cross site scripting etc.

          Running a sandboxed version of a scripting language within a browser should be pretty harmless if the language was available only in the sandbox and couldn't touch anything outside. Creating separate sandboxes for each website would prevent cross site scripting too.

          The problem is it's impossible with Firefox. It's a very old design decision that is so deep all over the place that nothing short of redesigning and rewriting everything from scratch could help.

          Essentially, Firefox is written in javascript.

          There are underlying frameworks written in C++ and others, the renderer engine etc etc. But the glue that binds all these functions together is Javascript on steroids. XUL files-databases that define the looks of the UI, XUL renderer, which displays them, and thousands of lines of javascript bound to every single gadget, button, field, box, dialog. This javascript performs all the basic processing and the whole high-level work of the browser program. And it calls system/framework functions to perform the low-level work - which is strictly forbidden for a sandboxed language.

          Developers of Mozilla try to prevent access to all this low-level heavyweight stuff from javascript originating from webpages while allowing it from the system files. Sandbox javascript from one source, run javascript from the other source at full privledges all the time. Can you smell how fragile this is? I'm afraid these exploits will keep popping up. There's no natural barrier of "contained sandbox environment + scripting language" vs "low-level system layer", with no trace of bindings to the system layer within the sandbox, no hook, no crack to exploit by interfacing with the outside. There's an artificial wall which limits "javascript from webpages" and allows "extended javascript from interface", where both sides are essentially the same thing.

          This is the old firewalling problem - policy of "deny all, allow essential" vs "allow all, block dangerous". Except currently there is no easy way to switch from one to the other.
          • That's too bad about FireFox being essentially written in JavaScript. SpiderMonkey, the JavaScript interpreter in Firefox, is BY FAR the worst programming language (in terms of speed and memory use) of them all, according to the Computer Language Shoot Out [debian.org].

            When you compare all the languages on CPU time, SpiderMonkey JavaScript is twice as slow as the second worst, Ruby.

            When you compare all the languages on memory usage, SpiderMonkey is 1.7 times as bloated as the second worst, Smalltalk Visual Works.

      • Re: (Score:3, Insightful)

        by nwbvt ( 768631 )
        Well if you want to make it secure, the only real way to fix the javascript implementation is to remove it. Aside from all these vulnerabilities in the browser, problems in web applications like XSS vulnerabilites are all too common. And lets not forget about non-security issues such as memory leaks or endless loops that kill the browser. The plain fact of the matter is, I don't want to execute code from some random website. Just because I trust them enough to read their content does not mean I trust th
        • by jimicus ( 737525 )
          Javascript per se is perfectly secure - in theory, there's pretty much nothing nasty you can do in it.

          In theory.

          However, it seems nobody's yet come up with an implementation which doesn't resemble chicken wire in terms of "number of holes".
        • by x2A ( 858210 ) on Sunday October 01, 2006 @11:41AM (#16265909)
          "the only real way to fix the javascript implementation is to remove it"

          No... the only real way to fix it is to leave it there, so you can keep finding and fixing the problems. Removing something doesn't fix it... it removes it and all the functionality that it provides.

          Javascript within the browser should be for accessing and manipulating the DOM, and is extremely useful. Whether you are capable of conceiving of uses for it or not says nothing except for the limit of your own imagination.

          Javascript is an interpreted language, there are absolutely no fundamental reasons why security holes in implementations should exist, other than that programmers can make mistakes. How many security flaws have been found in document viewers, compression/encryption libraries etc, where no code in the data is run at all?

        • "The plain fact of the matter is, I don't want to execute code from some random website."

          I've been saying for some time that the two worst things to ever happen to the web browser are (in descending order of brain-damage):

          1) ActiveX
          2) Javascript and Java applets.

          For interactive web sites, the browser should be nothing more than a dumb terminal with graphical layout and form submission abilities. All logic processing needs to be kept on the server. If the browser continues to be abused, the web will slide
      • Re: (Score:2, Insightful)

        by Vexorian ( 959249 )

        Do you have any reference to a Mozilla person stating "Firefox is perfect" or "firefox won't ever have any security flaw" ?

        Just don't let random sites use Javascript you are letting random sites run code in your computer, with or without security flaws javascript is not going to be safe, it doesn't matter if it is IE, firefox, opera or konqueror.

        And mozilla fixes bugs much faster than MS...

  • Branches? (Score:3, Interesting)

    by The MAZZTer ( 911996 ) <megazzt.gmail@com> on Sunday October 01, 2006 @10:46AM (#16265447) Homepage
    I assume this affects the 1.5.x branch, but what about the 2.x branch or the 3.x branch?
  • by Zeinfeld ( 263942 ) on Sunday October 01, 2006 @10:47AM (#16265455) Homepage
    The term zero-day attack has become meaningless. In the days before there were mechanisms in place for rapidly distributing updates the majority of attacks used by hackers were age-old.

    Today the hackers have to work a bit harder so zero-day attacks are no longer rare. The vast majority of attacks are still from hackers who are reverse engineering the patches and distributing attacks before the patches are implemented.

    If someone reports a new attack against open source code it is by definition unknown before it is reported. Therefore all bug reports with security implications are 'zero-day'.

    What the idiots who released this exploit mean by 'zero day' was that they didn't allow time for the problem to be fixed before releasing the exploit.

  • The link in the article is a click-through to the REAL article at http://news.zdnet.com/2100-1009_22-6121608.html [zdnet.com]
  • The hackers claim they know of about 30 unpatched Firefox flaws. They don't plan to disclose them, instead holding on to the bugs.

    ...

    "I do hope you guys change your minds and decide to report the holes to us and take away $500 per vulnerability instead of using them for botnets," Ruderman [a Mozilla security staffer] said.

    The two hackers laughed off the comment. "It is a double-edged sword, but what we're doing is really for the greater good of the Internet, we're setting up communication networks for bl

    • Re: (Score:3, Insightful)

      "It is a double-edged sword, but what we're doing is really for the greater good of the Internet, we're setting up communication networks for black hats..."

      If I were them, I'd stay away from the US. We can now use torture to get information about the other 30 exploits. Actually, if I were them, I'd also be looking over my shoulder frequently, as we can use kidnapping and special rendition, too. You know that "black hat" is just a code word for cyber-terrorist!

      • I'm sure there are also plenty of criminals who would LOVE to get their hands on "over 30" unpatched vulnerabilities in a piece of software whose users are largely technologically inclined, smug about feeling more secure and likely to control some rather beefy servers.

        These morons could just as easily be disappeared by a criminal element. As a matter of fact, criminals are probably more likely to actually kidnap and torture these guys.

        US forces use some rather nasty torture techniques, but to the best of m
    • Maybe we should send a couple of guys over to their house to send a message they can share via their "communicate networks", for the greater good of the internet.

      Thugs are thugs.

    • Bastards. (Score:4, Insightful)

      by Grendel Drago ( 41496 ) on Sunday October 01, 2006 @11:54AM (#16266037) Homepage
      but what we're doing is really for the greater good of the Internet, we're setting up communication networks for black hats,
      What does that even mean? I've read it a dozen times now, and I still can't tell what he's saying.

      The only thing they're doing by holding onto the security bugs is making the internet a more dangerous place. Yes, Firefox should have been written better in the first place. Yes, the security team should have found these already. No, none of that justifies the childish actions they're taking now.

      Or perhaps they're just talking smack, trying to look like big bad grayhats because they found a single flaw. I'd like to think that.
  • by CharonX ( 522492 ) on Sunday October 01, 2006 @10:49AM (#16265483) Journal
    From the Article
    The hackers claim they know of about 30 unpatched Firefox flaws. They don't plan to disclose them, instead holding on to the bugs.

    Jesse Ruderman, a Mozilla security staffer, attended the presentation and was called up on the stage with the two hackers. He attempted to persuade the presenters to responsibly disclose flaws via Mozilla's bug bounty program instead of using them for malicious purposes such as creating networks of hijacked PCs, called botnets.

    "I do hope you guys change your minds and decide to report the holes to us and take away $500 per vulnerability instead of using them for botnets," Ruderman said.

    The two hackers laughed off the comment. "It is a double-edged sword, but what we're doing is really for the greater good of the Internet, we're setting up communication networks for black hats," Wbeelsoi said.

    First of all, guys, so you refuse to tell us what the bugs are, so we can't fix them and do this for the "greater good of the internet... setting up communication networks for black hats" WTF? What does having tens of thousands of additional zombie-machines that could DDoS or send SPAM do with the greater good of the internet. I almost hope you try to make money off the bugs (if you even know any more) so you get to know a nice prison cell and "Life without PC"(TM). Honestly, I think those guys are full of it, they probably don't know even one additional vulnerability and just try to show off how "big and powerful" they are.
    • Good point. These two probably aren't nearly as knowledgeable as they claim. As pointed out in another post, it's quite possible that the exploit that they demonstrated was already fixed in a nightly branch build. So that would be a pretty slimy thing to do--to take advantage of the open source concept by consulting recent Firefox patches to see what has already been addressed, and then go back and claim the vulnerability as your own, with your proof of concept being that it affects binary-only releases
    • by Ant P. ( 974313 ) on Sunday October 01, 2006 @11:08AM (#16265619)
      Most black-hats have that scientology mindset. They really do believe their own bullshit, no matter how insane it sounds to real people.
    • by louarnkoz ( 805588 ) on Sunday October 01, 2006 @11:41AM (#16265913)
      The two hackers laughed off the comment. "It is a double-edged sword, but what we're doing is really for the greater good of the Internet, we're setting up communication networks for black hats," Wbeelsoi said.

      Yeah, right. What they are really saying is, why give away a bug for $500 when we can sell it for much more on the black market?

      In fact, the public advertisement of a "zero day exploit" makes a lot of sense if you want to establish yourself as a seller of other undisclosed exploits. Publishing the exploit is a gambit. You will loose the exploit as soon as it gets fixed, but you get your name in the trade press, on Slashdot, etc. Doing so, you establish credibility as a merchant of malware. You can set up shop, and advertise 30 other previously undisclosed bugs. Now, the botnet herders, spammers and other DDOS extortionists know were to buy a new exploit if they need one.

      • by jesser ( 77961 ) on Sunday October 01, 2006 @12:42PM (#16266519) Homepage Journal
        Yeah, right. What they are really saying is, why give away a bug for $500 when we can sell it for much more on the black market?

        If CNET hadn't cut off my quote mid-sentence, it would have been clear that that was what (jokingly) saying too. I was not trying to bribe them. I was trying to say that I hoped they would change their minds and report the holes to Mozilla despite the fact that they (claimed they) could make much more money exploiting the holes or selling information about the vulnerabilities on the black market.
    • You know, there are folks out there who would call what these hackers are doing an act of terrorism.

      They are deliberately creating a network for criminals to use for communication purposes, and doping so by stealing computing power from others.

      It's theft, it's immoral and these jackasses should, at the very least be locked up on conspiracy charges.

      The egotistical little bastards do NOT have the right to commandeer my computer for some kind of secret club for pimply faced assholes to trade exploits and horse
      • Re: (Score:3, Informative)

        by mrogers ( 85392 )

        You know, there are folks out there who would call what these hackers are doing an act of terrorism.

        In the UK, interfering with any electronic system for political purposes is defined as terrorism [opsi.gov.uk]. The same definition of terrorism is used in a more recent law that criminalises speech that glorifies terrorism [opsi.gov.uk].

        Of course, that says more about the abuse of the word "terrorism" than it does about the morality of withholding exploits.

  • I'm curious, is there a policy for FireFox within SELinux and would it restrict what a hacker could do with this expoit if it were available?
  • IRC (Score:5, Informative)

    by Anonymous Coward on Sunday October 01, 2006 @11:08AM (#16265621)
    <Jesse_> have you guys heard about the supposed vuln in firefox disclosed at toorcon today?
    <Ryan> "Firefox re-entrant threading"?
    <reed> http://www.toorcon.org/2006/conference.html?id=13
    <Jesse_> yeah, that one
    <reed> Jesse_: Did you go to that particular one?
    <Jesse_> yes
    <Jesse_> i also went up on stage to "debate" "disclosure" with them
    <Jesse_> when i said "debate" "disclosure", i didn't mean the usual "how much time should security researchers give vendors to write and deploy patches before making the holes or exploits public" debate
    <Jesse_> these guys were *against* disclosure
    <Jesse_> preferring to keep the status quo of lots of vulnerabilities, large botnets (so they can be anonymous), etc. or maybe they were joking, it was hard to tell.
    <Jesse_> they claim they can make $10,000 or $20,000 selling a vuln in firefox
    <Jesse_> compared to $500 telling us about it
    <Jesse_> selling to other blackhats, anonymously, using onion networks, of course
    <dveditz> TippingPoint and iDEFENSE will pay up to $10K for IE and probably firefox vulns

    . . .

    <jX> http://news.com.com/Hackers+claim+zero-day+flaw+in +Firefox/2100-1002_3-6121608.html
    <jX> "...what we're doing is really for the greater good of the Internet, we're setting up communication networks for black hats," How exactly is that for the greater GOOD?
    <dveditz> the black hats crusade for our freedom (and credit cards) against the evil fascist empire
    <dveditz> they *earn* everything they steal by doing all the good they do keeping "the man" from owning the internet

    . . .

    <Jesse_> http://news.com.com/Hackers+claim+zero-day+flaw+in +Firefox/2100-1002_3-6121608.html quotes me out of context in a way that makes it look like i'm trying to bribe them with $500 bug bounties :(
    <zach> Jesse_: they dragged you up on stage during their talk?
    <jX> Jesse_: Yeah, doesn't reallyt make anyone look good, that article..
    <Jesse_> "I do hope you guys change your minds and decide to report the holes to us and take away $500 per vulnerability instead of using them for botnets" is pretty close to the BEGINNING of a sentence i said
    <Jesse_> the REST of the sentence was " or selling them to other blackhats for ten thousand dollars"
    <Jesse_> with the whole sentence, it's clear that i'm hoping they'll change for ethical reasons, and that i'm not trying to bribe them
    <jX> Jesse_: Yeah, but quoting you out of context makes for better copy.
    <zach> Jesse_: did they actually drag you on stage during their talk as the article suggusts?
    <Jesse_> zach: they left a lot of time after their slides, and asked me to come up
    <Jesse_> zach: they told me before the talk that they might ask me to come up
    <Jesse_> dveditz: yeah, about 20 minutes before
  • Starting now.
  • I found a bug (feature?) last night which allows limited fingerprinting and surfing analysis in Firefox by looking at the way it grabs .ico files.

    Details here [revis.co.uk].
    • Nothing that the browser doesn't send already really. Fingerprinting by the behaviour of your target is old.. heck, I even do it in some of my apps to enable special compatibility flags. nmap can do it just using random packets to determine your OS.
    • Have you tested Epiphany and Safari?
      • by also-rr ( 980579 )
        Not yet. For what it's worth since it seems to be related to tabs, which are part of the UI, browsers that use Gecko may not all be affected. Equally browsers that use khtml/webkit won't all be immune just because Konqueror is.
  • is it time to break out the third party patchers [slashdot.org]?

    Well, Firebird, boy wonder, it may very well be ...

  • by TheZorch ( 925979 ) <thezorch.gmail@com> on Sunday October 01, 2006 @11:18AM (#16265683) Homepage
    The environment of a browser should be like a virtual machine. The Javascript or JavaApp running in it should be isolated from the rest of the system so that such exploits aren't possible. Mechanisms in the browser could be built in to allow you to still attach files to email in web based email sites whcih use Javascript while maintaining security.
    • Re: (Score:2, Informative)

      It is, in just about every browser except IE (Well, okay, it seems to be there in IE7, but time will tell if it's garbage). The problem is that no code is perfect; a seemingly benign function can have, for example, a bufferr overflow that allows some JS to insert code into the browser and have it run...
  • You couldn't "commander" my computer unless I gave my web browser administrator privileges, and why would anyone do such a foolish thing? Heh.

  • First, let me Second the previous comments about NoScript. I've also been using it for about a year, and find whitelisting to be only a minor inconvenience. I'm saddened by some of the JS Crud that otherwise legitimate sites try to foist on you, such as "Google Analytics", or the Tacoda [tacoda.com] ad-targeting that Slashdot uses here (which I blacklist).

  • by Anonymous Coward on Sunday October 01, 2006 @12:14PM (#16266241)
    Wonder how the management at SixApart feels about a having a black hat work for them who brazenly scoffs at the notion of responsible full-disclosure and releases a 0-day exploit to the public. Sort of answers the question in an earlier Slashdot post about whether companies should hire blackhats to work for them. In this case, the answer is a resounding NO. SixApart should fire this guy's ass immediately.
    • by dorkygeek ( 898295 ) on Sunday October 01, 2006 @12:34PM (#16266457) Journal
      [...] Spiegelmock, who in everyday life works at blog company SixApart.

      This guy is simply a liability for SixApart, and should get fired immediately. Imagine what could happen if he manages to get the exploit code for this or one of the other 30 exploits they claim to have discovered into one of SixApart's blogging tools.

      But what do we know, maybe they have already done so. Judging from their strange "for the greater good" believes, I wouldn't be surprised about it. I sure as hell wont advise anyone to use any of their products until they've reviewed their code to make sure it doesn't sport one of Spiegelmock's toys.

      • by Anonymous Coward on Sunday October 01, 2006 @02:25PM (#16267425)
        Maybe you want to as well? This is absolutely retarded behavior.

        From: [me]
        Subject: Responsible disclosure and wreckless behavior
        Date: 1 October 2006 14.23.23 GMT-04:00
        To: mena@sixapart.com, ben@sixapart.com, brad@danga.com
        Cc: mischa@sixapart.com

        Hello,

        I read this article on ZDNet describing how your employee Mischa Spiegelmock found and revealed a zero-day Firefox flaw:

        http://news.zdnet.com/2100-1009_22-6121608.html [zdnet.com]

        Mischa and his co-researcher Wbeelsoi refuse to reveal specific details on the flaw--or 30 others they found--to the Mozilla Foundation:

        "The two hackers laughed off the comment. 'It is a double-edged sword, but what we're doing is really for the greater good of the Internet, we're setting up communication networks for black hats, Wbeelsoi said."

        Considering LiveJournal's recent security flaws causing everyone to change their passwords due to browser-based flaws, do you really want someone working for you who makes the problem worse? To be sure, there is merit to the argument that revealing the flaws would allow Mozilla to continue to use a badly buggy implementation; however, there seems to be more to this.

        From FireFox's IRC channel, some dialogue from Jesse Ruderman of the Mozilla foundation, who attended (via Slashdot: http://it.slashdot.org/comments.pl?sid=198519&cid= 16265621 [slashdot.org] )

        " they claim they can make $10,000 or $20,000 selling a vuln in firefox
          compared to $500 telling us about it
          selling to other blackhats, anonymously, using onion networks, of course"

        Is one of your employees looking to profit of vulnerabilities in Firefox? With the large number of huge enterprises using TypePad and SixApart software, do you really want to risk him embedding JavaScript code to activate this flaw in your products? If he's saving these flaws to profit from them, what's to say he won't look for the bigger payouts of actively punching holes in your products?

        That's unlikely--but more likely is that your customers will hear about this and refuse to do business with you because you have an employee who is actively seeking to make the Internet a more dangerous place.

        If I misunderstood anything in these articles, I apologize completely. However, what was described in the article was so outrageous that I had to write.

        Best regards,
        [me]
  • No-Script (Score:5, Informative)

    by Ice Wewe ( 936718 ) on Sunday October 01, 2006 @01:10PM (#16266769)
    ...An attacker could commandeer a computer running the browser simply by crafting a Web page that contains some malicious JavaScript code...

    Which is why it's smart to run NoScript. A Firefox extention that blocks the execution of any scripts on a webpage without user concent. So, if you're tired of Javascript taking over your Firefox, get NoScript.

    https://addons.mozilla.org/firefox/722/ [mozilla.org]

  • by Anonymous Coward on Sunday October 01, 2006 @01:59PM (#16267203)
    Determined not to be upstaged by the Mozilla developers, now that Firefox has a 0 day exploit too, Microsoft's IE team has announced that they've started working on technology that will allow their browser to have -1 day exploits.
  • by NoMercy ( 105420 ) on Sunday October 01, 2006 @02:00PM (#16267213)
    There'll always be Idiots and Jerks, these two are the unfortunately not so rare combination of both. All in all, nothing to see here, go home.

    Oh and since everyones recomended NoScript, I'd also recomend firewall tools like Sunbelt Keiro Personal Firewall (KPF), which can be configured to pop up a box every time your system attempts to run a program, very handy to stop any spyware/addware/anywhere you don't want loading on your system.

Life is a healthy respect for mother nature laced with greed.

Working...