FF 3.5.1 Vulnerable

Printable View

July 19th, 2009, 11:58 AM
nihil

FF 3.5.1 Vulnerable

FireFox 3.5.1 has a vulnerability:

http://isc.sans.org/diary.html?storyid=6829&rss

There is no patch yet

Quote:

Although Javascript access can be restricted with applications such as the NoScript Add-On, it may still be possible for the browser to be exploited if an untrusted website is loaded
July 20th, 2009, 10:22 AM
ByTeWrangler

Here is what Mozilla guys had to say about it

"We do not believe this is any kind of boundary condition, but a
non-exploitable denial-of-service due to memory exhaustion."

http://blog.mozilla.com/security/200...cve-2009-2479/

More :

http://isc.sans.org/diary.html?storyid=6838
July 20th, 2009, 10:24 AM
ByTeWrangler

WHY THE HELL ARE PEOPLE STILL USING FIREFOX ! :x
July 20th, 2009, 11:16 AM
t34b4g5

Quote:

Originally Posted by ByTeWrangler

WHY THE HELL ARE PEOPLE STILL USING FIREFOX ! :x

Because there are people who are ignorant and believe, worship the following statement.

Quote:

The Firefox Web Browser is the faster, more secure, and fully customizable way to surf the web.

Plus your not cool unless you tell everyone to ditch other browsers and use FF cause it's so much uber better then the others...;)
July 20th, 2009, 11:26 AM
nihil

Don't worry about it ByTe~, it really isn't a problem; the British government are still using IE6 :lildevil:

http ://antionline.com/showthread.php?t=278339

It does look as though this might be a cross browser problem though, as your link mentions that it was first tried on IE8? I notice that my Secunia PSI still shows IE8 as vulnerable to XSS due to character set inheritance.

FireFox and Opera share these plugin vulnerabilities with IE8:

Real Player 11.x
Sun Java JRE 1.6x/6x (x2)

Secunia have yet to mention the memory exhaustion issue.

All the vulnerabilities are unpatched :(

As for your question:

Quote:

WHY THE HELL ARE PEOPLE STILL USING FIREFOX ! :x

Because they still run Windows 2000, although the latest Opera will also run on that, and would possibly be a better bet?

Given that MS are still supporting Windows 2000, I am guessing that they must also be supporting IE6, as it is the latest version that will run with that OS.

I would still prefer FF and Opera to IE6 as they have more functionality and are likely to be more secure.

I will check an IE6/Windows 2000 box later today.

:)

EDIT:

On a fully patched Windows 2000/IE6 box the IE shows as vulnerable per-se, Opera and FF 3.0 do not.
July 20th, 2009, 02:02 PM
Falcis

So then what browser do you all recommend?

Falcis
July 20th, 2009, 05:30 PM
westin

I used K-Meleon for a few days... turns out that it is as much of a memory hog as FF, but more buggy. Haven't spent much time in IE8 yet, but I am thinking about giving it a shot. I have yet to find a browser that doesn't drive me to strong drink...
July 20th, 2009, 06:48 PM
ByTeWrangler

Use opera for all your browsing needs.

There are webpages where Opera will fail use IE there. However ensure every URL that you visit using IE is know (like microsoft, yahoo, windows live) but not links through google use !

You will never get infected through a webpage if you are visiting well known sites which take enough measure's to ensure integrity of their sites. But if you wander of searching through good it's better to use opera.
July 20th, 2009, 07:49 PM
westin

Quote:

Originally Posted by ByTeWrangler

Use opera for all your browsing needs.

There are webpages where Opera will fail use IE there. However ensure every URL that you visit using IE is know (like microsoft, yahoo, windows live) but not links through google use !

You will never get infected through a webpage if you are visiting well known sites which take enough measure's to ensure integrity of their sites. But if you wander of searching through good it's better to use opera.

Sounds like a great browsing solution. Use Opera for all of your browsing needs, except where it doesn't work... use a different browser there. :D
July 21st, 2009, 05:13 AM
seiferaistlinlp

Quote:

Originally Posted by westin

Sounds like a great browsing solution. Use Opera for all of your browsing needs, except where it doesn't work... use a different browser there. :D

And don't you dare go to websites you haven't heard of! Screw discovering new things!
July 21st, 2009, 09:50 AM
nihil
C'mon guys, give our friend ByTe a break! :D

My approach is very similar to his own:

1. FireFox 3.0.x with:
- IE browser support plugin
- NoScript plugin
- Ad Blocker Plus plugin
2. IE 6, 7 or 8

Use FF for general purpose browsing. If a site won't work just right click on it and use the display in IE option.

Put trusted sites in the trusted zone in IE and set the rest of the security aggressively.

Around here, FireFox is the next most popular browser after IE so if there is a PEBCAK or ID10T problem, the chances are the user can find someone locally to help out, and I don't want unpaid support calls ;)

I haven't bothered with FireFox 3.5.x yet. I knew that they were overrunning their time frame and would release it "warts and all", so I shall wait for it to stabilise :)

I am just about to look at Opera 10 beta2. No problems with that because I know that I am dealing with a beta, and with betas you report problems, you don't bitch about them.