Three new Firefox vulnerabilities

[guardian alpha]

catch seems to have a problem with my post, claiming OMFGWTFBBQ I don't know when the exploit really existed.

To clear things up for others who have concerns about my comment regarding the old exploit in XP, not only do I assist in a ton of bug-testing and beta software development for Ms, but I have a good deal of friends within the MS coding departments. I KNOW when the bug was reintroduced and why. Why he chose to neg me for information that he can neither prove I know or disprove I know is beyond me.

[Und3ertak3r]

Its just that Microsoft is a company. Like Opera is too. But Firefox is not. Its Open source. So it will be interesting to see the differences in security methodoligy between the (in my eyes) Two major powers: Open and Closed source's.

That right FireFox is a Product produced by an organisation.. FF has never been a company.. Mozilla is an organisation Supported by a number of companies:

Mozilla partners include IBM, Sun Microsystems, Hewlett Packard, Red Hat and Lindows

so while they are "Open Source" they need work with the Big boys..
By the way guys if you hate Microsoft, treat Sun with respect it isnt a backwoods co, more Microsofts Brides Maid, and Fear IBM.. It certainly was not a clean player b4 1981.. MS is a choirboy compared to IBM

I would't mind I.E. if they would UPDATE the vulnerabilities that are THREE YEARS OR OLDER (Eeye statistics) and stop leaking my hard drive to the world.

Yeh and Mozilla havent fixed ALL the bugs in FF, and some of them have been around since the Firebird days..spew blelch

[KorpDeath]

Originally posted here by xierox
Then how come no one says this when IE gets patches? It's nothing personal. I was surprised at my own reaction when I saw the exploits, too. When I see that IE has more patches I'm like, "Ug. Not again..." With Firefox, "It's getting more secure!" It made me realize that I'm perhaps a little too anti-Microsoft.

- Xierox

There is no such thing as "too anti-M$". You do the world an injustice by saying that. M$ is just "another fevered ego tainting our collective unconscious."- Bill Hicks

[Tiger Shark]

Whine, moan, complain, bitch, whine again, stamp feet, throw the toys from the pram, take bat and ball and go home......

The biggest thing I have learned since starting playing with computers all the way back in 1982 is that no matter who writes it software has flaws... omg .... It's what I was exploiting back then, what people are exploiting today and what people will still be exploiting when I die.

You kids need to get over this "my **** is better then your **** because [insert rubbish here] attitude".... Either be instrumental in making your **** better or be quiet.....

Fair?

[sweet_angel]

Originally posted here by Tiger Shark
Whine, moan, complain, bitch, whine again, stamp feet, throw the toys from the pram, take bat and ball and go home......

The biggest thing I have learned since starting playing with computers all the way back in 1982 is that no matter who writes it software has flaws... omg .... It's what I was exploiting back then, what people are exploiting today and what people will still be exploiting when I die.

You kids need to get over this "my **** is better then your **** because [insert rubbish here] attitude".... Either be instrumental in making your **** better or be quiet.....

Fair?

Yes sir..fair enough

Btw I just testing my firefox

Firescrolling 2 - Proof-of-Concept
Designed for Firefox 1.0.1 | bugzilla #285438 | CAN-2005-0401 | Full Advisory

Even though Firefox 1.0.1 patched one of the key bugs behind my firescrolling exploit (the ability of plugins to load chrome files in a hidden frame) the ability to hijack a drag and drop operation and open a privileged xul file is still available.

The demo opens "chrome://global/content/alerts/alert.xul" when dragging the scrollbar the first time. This XUL file automaticly runs an inline script to turn the window into a tray notification alert. This demo is just an example of an annoying usage, but if the browser or an extension contains an inline script that uses an eval/setTimeout with a parameter an attacker can influence it turns into an arbitrary code execution bug. Also update or uninstall scripts could be a valuable target. I doubt most extension developers think about problems that could occure if a XUL file in their extensions is opened directly.

link http://www.mikx.de/firescrolling2/

[|3lack|ce]

TS - My **** is better than your ****. It stinks worse, attracts more flies, and stops up a toilet in one flush. The bad side is it gets buggy after it's been on the market for a short time. To the good side, I'm indeed instrumental in its manufacture...

[Kite]

Originally posted here by The Duck
Open source isn't always a good thing, sure you have the good people looking at securing it, but now you have the bad people that can look at how to attack it...

that is, in my humble opinion, a blessing in disguise. this is kind of similar to hiring somone to hack your network to find holes, except this is with coding and the hacker doesnt tell you what the holes are. but this allows the exploits to come faster, and therefore they are fixed faster. but that is just me.

[frpeter]

Hello,

I used to run Windows (started back with 3.1 and worked up to XP Pro). Each an every version has every M$ patch they put out. For me, each patch made it less stable and more prone to crashing and less secure. Since switching away from M$ completely, I've had no issues with security (in terms of leaks, breeches, and spyware). Being a programmer for 25 years, using different platforms is a mandated requirement, including the "good ole" punch card and punch ribbons.

If I were to compare M$ to ANY other system, even the most horridly slow system based on the 6502 would be more secure, IMHO. I don't consider myself anti-M$, but I am opposed to companies that put the $ before security, no matter who they are. and YES I have a few gripes about Linux and the 2.6 security models...

[Und3ertak3r]

opposed to companies that put the $ before security

Name one that dosen't put $ first.. at the end of the day any company is governed by the bottom line.. This is why some of the big corps are switching to Open source.. it isnt security it is $'s .. which would you prefer to pay 100 in house testers or 1000 FREE Opensource users who bother to report problems.. and the 1 in 100 who have the ability to write the odd patch for you.. IBM, Sun, H/P all want to be #1..

As for comparing M$ (a company) to an Operating system..wtf?.. The OS's based on 6502, 6809, 8088, 8086.. HUH..many of these were CLI's ??? those that weren't were basic or a crap GUI.. and Your interpretation of secure? Many of these DIDN'T have a Internet Browser.. many had a Terminal mode.. .. .. and their security was because they couldnt/wouldnt multitask.. but local security was **** poor.. and that is before we get to SE..

[frpeter]

Hello,

Name one that dosen't put $ first.. at the end of the day any company is governed by the bottom line.. This is why some of the big corps are switching to Open source.. it isnt security it is $'s .. which would you prefer to pay 100 in house testers or 1000 FREE Opensource users who bother to report problems.. and the 1 in 100 who have the ability to write the odd patch for you.. IBM, Sun, H/P all want to be #1..

I believe that is the entire point of Open Source and yes I am a big supporter.

As for comparing M$ (a company) to an Operating system..wtf?.. The OS's based on 6502, 6809, 8088, 8086.. HUH..many of these were CLI's ??? those that weren't were basic or a crap GUI.. and Your interpretation of secure? Many of these DIDN'T have a Internet Browser.. many had a Terminal mode.. .. .. and their security was because they couldnt/wouldnt multitask.. but local security was **** poor.. and that is before we get to SE..

Comparing M$ to Atari, Amiga, Commodore is more the point. Actually yes they were secure. Software writers had to THINK before they coded. Memory was fixed so wasted/old/out-dated code was ripped for the new code. Often times, a code section would easily be rewritten multiple times for better performance/security. No Internet Explorer did not exist then, but there was a large online community and NO viruses. The baud rate was a blistering unbelievable 300bps... My times have changed and so impatient is the younger generation....

Multitasking is a very nice feature and one I'd personally find hard to work without, but it isn't everything. Although it did exist LONG before Windows in the form of OS/2 or DesqView.

Yes the world did exist before M$...