Hackers claim zero-day flaw in Firefox
By Joris Evers, CNET News.com
Published on ZDNet News: September 30, 2006, 10:57 PM PT

" The flaw is specific to Firefox's implementation of JavaScript, a 10-year-old scripting language widely used on the Web. In particular, various programming tricks can cause a stack overflow error, Spiegelmock said. The implementation is a "complete mess," he said. "It is impossible to patch." "

" The hackers claim they know of about 30 unpatched Firefox flaws. They don't plan to disclose them, instead holding on to the bugs. "

http://news.zdnet.com/2100-1009-6121608.html

DH

As noted, there's a Firefox extension NoScript (https://addons.mozilla.org/firefox/722/) that lets you decide whether to run javascript on a website or not. Up to you to choose if it's safe or if the site is a little hinky.

As noted, there's a Firefox extension NoScript (https://addons.mozilla.org/firefox/722/) that lets you decide whether to run javascript on a website or not. Up to you to choose if it's safe or if the site is a little hinky.
I'm in the process of trying NOSCRIPT for the n-th time. It always crashes FF while composing mail in yahoo mail for me on Win 98. (I think I might add LINUX before I try Win XP.) Maybe I'll just stop using Yahoo mail. Or put up with the crashing.

I may switch to Opera too. I hope they can make enough money to stay in business.

DH

I'm in the process of trying NOSCRIPT for the n-th time. It always crashes FF while composing mail in yahoo mail for me on Win 98. (I think I might add LINUX before I try Win XP.) Maybe I'll just stop using Yahoo mail. Or put up with the crashing.Have you told NoScript to accept scripts at yahoo mail? That might do it.

Have you told NoScript to accept scripts at yahoo mail? That might do it. Yes, that does not seem to help at all.
Temporarily enabling scripts globally seems to avoid the crash, but then I forget to globally disable again :(

DH

.then I forget to globally disable again :(.Hmmm... I can't remember -- can you set it to permit scripts always on that page only?

Hmmm... I can't remember -- can you set it to permit scripts always on that page only?

That, in fact, is the MAIN PURPOSE of the extension. I.e. enable scripts by domain. However it does crash Yahoo mail regularly when I send mail.

As we now know, with the release of the info about the bug (I posted here yesterday) in Firefox script engine, that part of Firefox is allegedly crap. I assume that extensions also do "scripty" kinds of things. Therefore, tentative conclusion: not to expect Firefox extensions to be highly reliable.

And, moreover, the fact that McAfee siteadvisor crashes FF on W98 for me still leaves open the possibility that FF and W98 are to blame, in addition to McAfee crappiness.

I used to write a lot of software. I know how crappy it can be. Get the features out the door as fast as possible. If the customer does not sue you or cancel future contracts, you're ok.

Now with opensource, the hackers can do their own "code review" to find holes to attack instead of plug. All we need is a little more "values clarification" and "situational ethics" and the world will be hunky dory.

DH

That, in fact, is the MAIN PURPOSE of the extension. I.e. enable scripts by domain. However it does crash Yahoo mail regularly when I send mail.

As we now know, with the release of the info about the bug (I posted here yesterday) in Firefox script engine, that part of Firefox is allegedly crap. I assume that extensions also do "scripty" kinds of things. Therefore, tentative conclusion: not to expect Firefox extensions to be highly reliable.

And, moreover, the fact that McAfee siteadvisor crashes FF on W98 for me still leaves open the possibility that FF and W98 are to blame, in addition to McAfee crappiness.

I used to write a lot of software. I know how crappy it can be. Get the features out the door as fast as possible. If the customer does not sue you or cancel future contracts, you're ok.

Now with opensource, the hackers can do their own "code review" to find holes to attack instead of plug. All we need is a little more "values clarification" and "situational ethics" and the world will be hunky dory.

DH

David,

K-Meleon has a privacy tool bar which allows you to toggle such things as Java, Javascript, among other web standards on the fly. Being the non-XML and non-Active X browser (using macro scripting languages instead) it is both more secure and less full-featured. The Javascript thing makes me use the toggle in Privacy Bar turned to "off" unless I need it for a particular site, such as Yahoo which is all about javascript.

David,

K-Meleon has a privacy tool bar which allows you to toggle such things as Java, Javascript, among other web standards on the fly. Being the non-XML and non-Active X browser (using macro scripting languages instead) it is both more secure and less full-featured. The Javascript thing makes me use the toggle in Privacy Bar turned to "off" unless I need it for a particular site, such as Yahoo which is all about javascript.
Sounds interesting. After 10 years of this nonsense, I don't think browsers are going to get any more secure. So defaulting to no glitz is much more sensible. Trouble is some users won't put up with the slightest fiddling, all or nothing, whatever. Can't satisfy everybody.

I already have Opera installed but might try K-Meleon someday.

DH

NoScript hasn't caused any problems for me. I just tried sending from Yahoo mail, and it didn't crash. <shrug>

NoScript hasn't caused any problems for me. I just tried sending from Yahoo mail, and it didn't crash. <shrug> I suspect it's a problem involving an interaction between FF, NoScript, and Win 98. Since all three are probably non-trivial software, then "by definition" there are one or more bugs involved.

So the extension may well work fine on XP or Linux, etc.

DH

Dunham said that iDefense labs tested the exploit code, and it was "unreliable" and crashed the Firefox browser. Because of this, he does not consider the exploit to be a critical threat to Firefox. However, "someone could make some changes to the exploit code and make it more reliable," Dunham said.

He added that there are other, more critical unpatched flaws in both Firefox and Microsoft's Internet Explorer browser that are currently under attack by hackers.

http://www.networkworld.com/news/2006/100206-mozilla-investigating-new-firefox.html?fsrc=rss-security

DH

Reportedly, about 30 undisclosed flaws exist.

Update (October 3, 2006): This BID is being retired as reports indicate that these issues are a hoax. The researchers responsible for disclosing these vulnerabilities have claimed that their original reports were not correct. It is possible that a remote denial of service vulnerability affects the browser; however this has not been confirmed. A new BID will be created if subsequent reports confirm the possibility of the potential denial of service issue. Please see references for more information.

http://www.securityfocus.com/bid/20294/discuss

DH

NoScript hasn't caused any problems for me. I just tried sending from Yahoo mail, and it didn't crash. <shrug>

Mike,

K-Meleon has macros to invoke both No-Script and AdBlock, if you are inclined to use them. Some of the KM developers are looking for other alternatives, as both solutions cause problems from time to time. I just stick with the Javascript toggle button and turn it on only when absolutely necessary.

reports indicate that these issues are a hoax

I was wondering about that... When the news broke, all the articles were pretty much paraphrasing the same source, referring to Spiegelmock as working his day job at SixApart, which is the company that owns MovableType, TypePad, and LiveJournal. Google shows that he has been at SixApart a bit over a year after starting out as an intern in his senior year of high school. I had a feeling that Spiegelmock would come under some pressure from SixApart after indirectly associating them with a statement about knowing 30 undiscovered security holes in Firefox that he and his colleague, "Wbeelsoi" (a pseudonym), intended to share with other blackhats.

Here are two articles with more details about the hoax and Spiegelmock's retraction:

Firefox hackers exposed as fraud (http://www.vnunet.com/vnunet/news/2165546/fifefox-hacker-back-peddles)

This one has the most details:

The Truth About a Claimed Firefox Exploit (http://blog.washingtonpost.com/securityfix/2006/10/zeroday_firefox_exploit_claime.html)

I find it very interesting that the second article says Wbeelsoi is associated with a group that claimed responsibility for finding a security hole in LiveJournal's use of javascript and using it to compromise nearly a million accounts last January. I wonder if that connection added to the pressure put on Spiegelmock by his employers after this story broke.