-
April 7th, 2007, 02:00 AM
#1
Security Flaw + Firefox = Evil Browser
Because I’m sure there are a lot of Firefox fans all over the Internet, I must disappoint you and report another vulnerability discovered in the Mozilla browser that can allow an attacker to compromise an affected computer. No matter the version of the application, Firefox is affected by a highly critical security flaw due to a vulnerability discovered in Firebug, a Mozilla browser extension. If you’re already using the add-on, then you should know that Firebug is a JavaScript debugger with useful features like script explorer, dynamic console and CSS viewer and editor.
Security company Secunia discovered the vulnerability in all the versions released before the current 1.02, adding that the flaw is highly critical and all the users must update to the latest version of the extension. “Firebug does not properly sanitize input passed to the "console.log()" function. This can be exploited to e.g. execute arbitrary script code within the "chrome:" context by tricking a user into visiting a malicious website,” Secunia sustained in the security advisory.
http://news.softpedia.com/news/Secur...er-51374.shtml
Security Flaw + Firefox = Evil Browser - Mozilla’s browser is affected by a critical vulnerability - Softpedia
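An illustration of the flaw class Secunia describes in the advisory quoted in post #1, added here as an example; it is not part of the thread and not Firebug's code. It models a debugger console that turns logged values into markup for its own privileged panel, with the unsanitized path beside an escaped one. All function names and the sample input are constructed, and `privilegedCall` is a hypothetical name.

```javascript
// Model of a console panel that renders console.log() arguments as markup.
// The panel runs with extension privileges, so any markup a page smuggles
// into a log row is interpreted in that privileged context.

// Constructed sample: a value a web page could pass to console.log().
const PAGE_SUPPLIED = '<b onmouseover="privilegedCall()">hello</b>';

// Unsanitized path: page-controlled text is concatenated into panel markup.
function renderLogUnsafe(args) {
  return '<div class="logRow">' + args.map(String).join(' ') + '</div>';
}

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Neutralise every character that can open a tag, entity or attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Sanitized path: each argument is escaped before it reaches the markup.
// In a real DOM the equivalent is textContent or createTextNode.
function renderLogSafe(args) {
  return '<div class="logRow">' + args.map(escapeHtml).join(' ') + '</div>';
}

// Regression check: count the elements a row would create when parsed.
// A log row should only ever contain the panel's own wrapper element.
function elementsInRow(html) {
  return (html.match(/<[a-zA-Z][^>]*>/g) || []).length;
}

function rowIsClean(html) {
  return elementsInRow(html) === 1;
}

console.log('unsafe row clean?', rowIsClean(renderLogUnsafe([PAGE_SUPPLIED])));
console.log('safe row clean?  ', rowIsClean(renderLogSafe([PAGE_SUPPLIED])));
```

The `rowIsClean` check is the kind of assertion an extension author can keep in a test suite so that a later change to the renderer cannot quietly reintroduce the unsanitized path.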
-
April 7th, 2007, 10:55 AM
#2
It saddens me that people get paid for writing this sort of garbage,
"I must disappoint you and report another vulnerability discovered in the Mozilla browser"
It is an extension to FF, not a part of the core browser application, it merely interfaces to it. These add-ons, extensions and plug-ins are written by third parties and are installed at the user's discretion and risk.
I don't think anyone would seriously expect that they would get away with saying: "I installed Microsoft Windows and a shed load of third party applications that made my system vulnerable, so it's Microsoft's fault". Although I have seen the argument used against Linux when counting comparative number of vulnerabilities against Windows.
Anyways, most FF users, myself included, need a JavaScript debugger like we need a boil on our butts which makes me wonder just how serious the exposure really is, and if anyone would seriously try to exploit it given a rather small and widely dispersed target population?
I have the same argument regarding MS products. I see some of these patches and think I don't have that, I don't do that, I don't use that. I still apply all the patches that will work, but only to keep my system "current" and in case there are some subtle changes that aren't mentioned in the documentation.
In this case, the vulnerability does not apply to the current version, so the discovery is a bit too late and pretty irrelevant, unless you happen to be some third rate hack journalist?
I also have this sneaking curiosity as to how easy it would be to persuade someone who actually understands a JavaScript debugger to visit a malicious website with the software running?
Last edited by nihil; April 7th, 2007 at 11:11 AM.
-
April 7th, 2007, 11:53 AM
#3
-
April 7th, 2007, 12:39 PM
#4
Hi acid~,
"just curious as to know why an outdated article is getting posted up?"
You must be thinking of something else mate. The article is dated 6th April 2007.
The original bug report was on 4th April and a fix v1.02 was released the same day. This was improved a little later to v1.03 and the latest v1.04 was released 5th April 2007.
So the guy who wrote that article just regurgitated Secunia's report without doing any personal research...............that would have taken him all of 30 seconds
-
April 7th, 2007, 01:07 PM
#5
"well i'm a gonna throw my 2cents into this thread, anyhooow just curious as to know why an outdated article is getting posted up?"
nihil said it...the article was dated on the day I posted it...I assumed that Softpedia was not reporting on an already fixed problem as the article is very clear that it was reporting on an existing problem...unfortunately as nihil pointed out someone at Softpedia posted the article after the fact...
acidtone/echo....or whatever account you're using on any given day...before you go criticizing you should look desperately at your own contributions.
-
April 7th, 2007, 01:14 PM
#6
-
April 7th, 2007, 01:22 PM
#7
Actually Eg~ I was slightly amused by the article.
I thought "what if I wanted to make that a totally partisan pro FF diatribe"
1. Secunia report flaw..............there is a quick fix within hours, then a tidied up version, then an even more secure version (something to do with HTML I think). All within the space of 24 hours.
2. Critics of open source complain about the lack of support and bug fixing speed. Can MS produce quickfix, final fix and enhancement within 24 hours?
3. Talking about MS, what about the great "animated cursor" scandal..........they knew about that back in December 2006 and didn't have a fix out 'till April 2007. The only reason they released it early was because serious malware was going live on the net..............
I think you can see how it could be slanted a full 180
-
April 7th, 2007, 02:09 PM
#8
 Originally Posted by nihil
3. Talking about MS, what about the great "animated cursor" scandal..........they knew about that back in December 2006 and didn't have a fix out 'till April 2007. The only reason they released it early was because serious malware was going live on the net..............
Here's an article about the website of computer parts manufacturer ASUStek Computer Inc. The website got pwned and started serving up attack code that exploited a critical Windows vulnerability:
http://www.computerworld.com/action/...ce=rss_topic82
-
April 7th, 2007, 03:48 PM
#9
So if Adobe has a bug in Flash, does that make Microsoft IE a bad browser? A crappy plugin is a crappy plugin; I don't see how it reflects on the security of the browser itself.
-
April 7th, 2007, 06:41 PM
#10
alakhiyar,
That was exactly the kind of point I was making. It seems that there is a cadre of self-styled IT journalists who are hell bent on insulting our collective intelligences?
This article is a classic example, the guy doesn't know what the hell he is talking about...................or does he  $$$$$$$$$$$$$$$???????