Security Flaw + Firefox = Evil Browser

Thread: Security Flaw + Firefox = Evil Browser

  1. #1
    T̙͓̞̣̯ͦͭͅͅȂͧͭͧ̏̈͏̖̖Z̿ ͆̎̄
    Join Date
    Dec 2004
    Posts
    3,171

    Security Flaw + Firefox = Evil Browser

    Because I’m sure there are a lot of Firefox fans all over the Internet, I must disappoint you and report another vulnerability discovered in the Mozilla browser that can allow an attacker to compromise an affected computer. No matter the version of the application, Firefox is affected by a highly critical security flaw due to a vulnerability discovered in Firebug, a Mozilla browser extension. If you’re already using the add-on, then you should know that Firebug is a JavaScript debugger with useful features like script explorer, dynamic console and CSS viewer and editor.

    Security company Secunia discovered the vulnerability in all the versions released before the current 1.02, adding that the flaw is highly critical and all the users must update to the latest version of the extension. “Firebug does not properly sanitize input passed to the "console.log()" function. This can be exploited to e.g. execute arbitrary script code within the "chrome:" context by tricking a user into visiting a malicious website,” Secunia sustained in the security advisory.
    http://news.softpedia.com/news/Secur...er-51374.shtml
    Security Flaw + Firefox = Evil Browser - Mozilla’s browser is affected by a critical vulnerability - Softpedia
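
Added example, not part of the original post and not Firebug's code: a minimal model of the bug class the Secunia advisory describes, where values a page passes to `console.log()` are pasted into a privileged panel's markup, shown beside a version that escapes at the point of rendering. All function names and sample values are hypothetical and constructed.

```javascript
// Added illustration; not Firebug's source. All names here are hypothetical.

// console.log() accepts any value, so format first, then treat the result as text.
function formatArg(value) {
  return typeof value === 'string' ? value : String(JSON.stringify(value));
}

// BEFORE: formatted, page-controlled text is concatenated into the row markup.
// Whatever renders this row will parse any tags the page supplied.
function renderRowUnsafe(args) {
  return '<div class="logRow">' + args.map(formatArg).join(' ') + '</div>';
}

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(text) {
  return text.replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// AFTER: escape at the sink, after formatting, so strings nested inside
// objects are covered as well as top-level string arguments.
function renderRowSafe(args) {
  return '<div class="logRow">' + args.map((a) => escapeHtml(formatArg(a))).join(' ') + '</div>';
}

// Start tags in the rendered row other than the panel's own wrapper.
function injectedTags(rowHtml) {
  const tags = rowHtml.match(/<[a-zA-Z][^>]*>/g) || [];
  return tags.filter((tag) => tag !== '<div class="logRow">');
}

// Constructed sample arguments standing in for what a web page might log.
const sampleArgs = [
  'status:',
  '<img src="x" onerror="constructedMarker()">',
  { note: '<b>bold</b>' },
];

console.log('unsafe:', injectedTags(renderRowUnsafe(sampleArgs)));
console.log('safe:  ', injectedTags(renderRowSafe(sampleArgs)));
```

In DOM code the equivalent of `renderRowSafe` is to assign the formatted text through `textContent` or `createTextNode` instead of building markup strings.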

  2. #2
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,190
    It saddens me that people get paid for writing this sort of garbage,

    "I must disappoint you and report another vulnerability discovered in the Mozilla browser"

    It is an extension to FF, not a part of the core browser application, it merely interfaces to it. These add-ons, extensions and plug-ins are written by third parties and are installed at the user's discretion and risk.

    I don't think anyone would seriously expect that they would get away with saying: "I installed Microsoft Windows and a shed load of third party applications that made my system vulnerable, so it's Microsoft's fault". Although I have seen the argument used against Linux when counting comparative number of vulnerabilities against Windows.

    Anyways, most FF users, myself included, need a JavaScript debugger like we need a boil on our butts which makes me wonder just how serious the exposure really is, and if anyone would seriously try to exploit it given a rather small and widely dispersed target population?

    I have the same argument regarding MS products. I see some of these patches and think I don't have that, I don't do that, I don't use that. I still apply all the patches that will work, but only to keep my system "current" and in case there are some subtle changes that aren't mentioned in the documentation.

    In this case, the vulnerability does not apply to the current version, so the discovery is a bit too late and pretty irrelevant, unless you happen to be some third rate hack journalist?

    I also have this sneaking curiosity as to how easy it would be to persuade someone who actually understands a JavaScript debugger to visit a malicious website with the software running?
    Last edited by nihil; April 7th, 2007 at 12:11 PM.

  3. #3
    Banned
    Join Date
    Jul 2006
    Location
    /
    Posts
    385
    Hmm

    Well, I'm a gonna throw my 2cents into this thread, anyhooow just curious as to know why an outdated article is getting posted up?

    It's really not as though this forum is desperate for content to be posted up regardless of how old it is, although there are a few forums around that do encourage this..
    I didn't realise that this place was having to resort to that though..

    Secondly, the article is wrong in so many ways it's really amusing me.
    {Either that or I really am drunk and didn't realise it....}

    Thirdly, I am really doubting whether the article writer knows what he/she is talking about. Because if they did then the article would have been written a little better and the facts would have been accurate, not misleading.

    Well there's my 2cents thrown into an already crapped in thread....

    Enjoy.

    acidtone..

  4. #4
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,190
    Hi acid~,

    "just curious as to know why an outdated article is getting posted up?"

    You must be thinking of something else mate. The article is dated 6th April 2007.

    The original bug report was on 4th April and a fix v1.02 was released the same day. This was improved a little later to v1.03 and the latest v1.04 was released 5th April 2007.

    So the guy who wrote that article just regurgitated Secunia's report without doing any personal research...............that would have taken him all of 30 seconds

  5. #5
    T̙͓̞̣̯ͦͭͅͅȂͧͭͧ̏̈͏̖̖Z̿ ͆̎̄
    Join Date
    Dec 2004
    Posts
    3,171
    "well i'm a gonna throw my 2cents into this thread, anyhooow just curious as to know why an outdated article is getting posted up?"

    nihil said it...the article was dated on the day I posted it...I assumed that Softpedia was not reporting on an already fixed problem as the article is very clear that it was reporting on an existing problem...unfortunately as nihil pointed out someone at Softpedia posted the article after the fact...

    acidtone/echo....or whatever account you're using on any given day...before you go criticizing you should look desperately at your own contributions.

  6. #6
    Banned
    Join Date
    Jul 2006
    Location
    /
    Posts
    385
    Well Nihil I guess that'll teach me for drinking too much and attempting to post lol/

    Anyhooooow the article still sucks, no matter which way you try to read it, or translate it..

    Anyhow I got this article:>
    http://www.securityfocus.com/bid/23315

    confused with

    this article:>
    http://www.securityfocus.com/bid/23082

    no excuse really, just throwing my 2cents into an already crapped in thread..
    {And by crapped in thread, I am referring to the Article. }

    Enjoy

    acidtone..
    Last edited by acidtone; April 7th, 2007 at 02:27 PM.

  7. #7
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,190
    Actually Eg~ I was slightly amused by the article.

    I thought "what if I wanted to make that a totally partisan pro FF diatribe"

    1. Secunia report flaw..............there is a quick fix within hours, then a tidied up version, then an even more secure version (something to do with HTML I think) All within the space of 24 hours.

    2. Critics of open source complain about the lack of support and bug fixing speed. Can MS produce quickfix, final fix and enhancement within 24 hours?

    3. Talking about MS, what about the great "animated cursor" scandal..........they knew about that back in December 2006 and didn't have a fix out 'till April 2007. The only reason they released it early was because serious malware was going live on the net..............

    I think you can see how it could be slanted a full 180

  8. #8
    Banned
    Join Date
    Jul 2006
    Location
    /
    Posts
    385
    Quote Originally Posted by nihil
    "3. Talking about MS, what about the great "animated cursor" scandal..........they knew about that back in December 2006 and didn't have a fix out 'till April 2007. The only reason they released it early was because serious malware was going live on the net.............."

    Here's an article about the Web site for computer parts manufacturer ASUStek Computer Inc. The Web site got pwned and started serving up attack code that exploited a critical Windows vulnerability,
    http://www.computerworld.com/action/...ce=rss_topic82

  9. #9
    Senior Member alakhiyar's Avatar
    Join Date
    Dec 2006
    Location
    Land of Oryx
    Posts
    255
    So if Adobe has a bug in Flash, does that make Microsoft IE a bad browser? A crappy plugin is a crappy plugin; I don't see how it reflects on the security of the browser itself.
    (\__/)
    (='.'=)
    (")_(")

  10. #10
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,190
    alakhiyar,

    That was exactly the kind of point I was making. It seems that there is a cadre of self-styled IT journalists who are hell bent on insulting our collective intelligences?

    This article is a classic example, the guy doesn't know what the hell he is talking about...................or does he $$$$$$$$$$$$$$$???????
