flat assembler
Message board for the users of flat assembler.

Firefox Fix Due Next Week After Attack Is Published

Azu



Joined: 16 Dec 2008
Posts: 1160
Azu
tom tobias wrote:
Gosh, since this, and similar threads have appeared here, I have tried firefox and opera, and I find, gasp, shock, dismay, horrors, that I still prefer IE 7.
Opera in particular, while very nice, has one feature that I dislike so much that I no longer use it. When I click on the desktop icon, Opera doesn't commence. Instead a prompt appears, asking me if I wish to get started. Wow. Terrible. What a waste of my time.
Firefox seemed ok, at first, but then, the favorites section was so muddled and cluttered, that I switched back to IE 7.
I tried IE 8, must have been a beta version, quite awful....

Probably most of my inconvenience is due to laziness to discover how to manipulate the user interface....IE 7 is simply more intuitive, I find. I know how, through trial and error, not by reading the manual!!!, to eliminate as much of the fluff as possible, for example some of the "bars", like menu bar, or "status bar".....I think there is even an "air bar" or some such nonsense... The other day I reinstalled win95. Wow is it fast....


Smile
Figures that someone who hates good code would hate good browsers.
Post 16 Jul 2009, 23:12
drhowarddrfine



Joined: 10 Jul 2007
Posts: 535
drhowarddrfine
The update should be available to everyone now, or shortly, as version 3.5.1. If you didn't get the alert, then you can click Help->Check for updates.
Post 17 Jul 2009, 12:15
LocoDelAssembly
Your code has a bug


Joined: 06 May 2005
Posts: 4633
Location: Argentina
LocoDelAssembly
And here we have the next vulnerability released to the public without notifying the vendor once more... http://xforce.iss.net/xforce/xfdb/51729

According to the source where I grabbed that link, it was discovered by Simon Berry-Byrne (the same person that uncovered the previous 3.5 bug) and Andrew Haynes.

The exploit was published on July 15th (one day before the release of Firefox 3.5.1).
Post 19 Jul 2009, 14:49
Azu



Joined: 16 Dec 2008
Posts: 1160
Azu
And just like the previous one, it's completely stopped by NoScript or by manually disabling JavaScript.
Post 19 Jul 2009, 15:15
LocoDelAssembly
Your code has a bug


Joined: 06 May 2005
Posts: 4633
Location: Argentina
LocoDelAssembly
Quote:
Según eEye, NoScript puede que no mitigue por completo el problema. El fallo podría permitir la ejecución de código.

Quote:
According to eEye, NoScript may not mitigate the issue completely. The flaw may allow arbitrary code execution
Post 19 Jul 2009, 15:18
Azu



Joined: 16 Dec 2008
Posts: 1160
Azu
If the exploit requires document.write how can it be used when document.write can't be used?
Post 19 Jul 2009, 15:26
sleepsleep



Joined: 05 Oct 2006
Posts: 8864
sleepsleep
Are we going to be paranoid each time Firefox gets attacked??? Or just ignore it and use lynx?
Post 19 Jul 2009, 16:42
LocoDelAssembly
Your code has a bug


Joined: 06 May 2005
Posts: 4633
Location: Argentina
LocoDelAssembly
I'll keep using Firefox and without disabling JavaScript. However, I think I have to share this info to warn others not to enter any of those sites that try by all means to install malware at the same time they give you the porn/crack/warez/etc. you may want, without taking some safety measures first.
Post 19 Jul 2009, 16:50
drhowarddrfine



Joined: 10 Jul 2007
Posts: 535
drhowarddrfine
Secunia considers this a "medium" risk and, again, only possible under certain conditions. A known commenter (from others who also posted) on Storm stated this vulnerability is actually impossible to make happen for reasons I don't recall.

We can go on almost every week about these things that creep up. Most of them are like this last one which has little ability to do any damage or even show up on a user's system. For example, every Firefox update fixes some security problem. Every Linux update I get does, too, and Windows has their weekly security updates. That doesn't mean I was in any real danger. It's just to close any open doors.

Firefox is still 3x more secure than any version of IE.
Post 19 Jul 2009, 17:03
drhowarddrfine



Joined: 10 Jul 2007
Posts: 535
drhowarddrfine
Just to confirm, the second vulnerability mentioned above is, in fact, not exploitable. Link
Quote:
Following the release of Firefox 3.5.1, researchers Berry-Byrne and fellow researcher Andrew Hayes discovered another bug that can be exhibited in certain conditions with the "escape" function. They have published a demonstration of this second bug at milw0rm, but have incorrectly characterized it as a stack overflow issue. Contrary to the report issued by the national vulnerability database, this second bug is not, in fact, exploitable.
Post 20 Jul 2009, 04:07
Frank



Joined: 17 Jun 2003
Posts: 100
Frank
drhowarddrfine wrote:
Just to confirm, the second vulnerability mentioned above is, in fact, not exploitable. Link ...


From the same link:

Quote:
The security researchers would likely not have discovered the issue if it had been marked as hidden in Mozilla's bug tracker, which is a common practice that the organization uses when dealing with bugs that could have serious security implications. Gal commented that the emergence of an exploit was "self-inflicted" because this step wasn't taken.


I find this "hiding" of critical bugs the most disturbing aspect of the whole matter. When learning about a security-related bug, Mozilla consider it acceptable to not warn the users immediately? Ouch ... Imagine a car manufacturer detecting a serious problem with their cars' brakes -- and deciding not to warn their customers before a fix is ready. Such behavior would be considered outright irresponsible for a car manufacturer. I don't see why it should be acceptable for a browser manufacturer.
Post 20 Jul 2009, 05:51
Azu



Joined: 16 Dec 2008
Posts: 1160
Azu
Frank wrote:
drhowarddrfine wrote:
Just to confirm, the second vulnerability mentioned above is, in fact, not exploitable. Link ...


From the same link:

Quote:
The security researchers would likely not have discovered the issue if it had been marked as hidden in Mozilla's bug tracker, which is a common practice that the organization uses when dealing with bugs that could have serious security implications. Gal commented that the emergence of an exploit was "self-inflicted" because this step wasn't taken.


I find this "hiding" of critical bugs the most disturbing aspect of the whole matter. When learning about a security-related bug, Mozilla consider it acceptable to not warn the users immediately? Ouch ... Imagine a car manufacturer detecting a serious problem with their cars' brakes -- and deciding not to warn their customers before a fix is ready. Such behavior would be considered outright irresponsible for a car manufacturer. I don't see why it should be acceptable for a browser manufacturer.
Nice.




I thought I'd seen some pretty bad analogies before, but damn, you really made my day LOL. That was so horrible it made me laugh. Thank you.


In case you actually don't get why it was so funny;

the analogies were the exact opposite of each other! Disclosing full details on how to implement and use a remotely exploitable code execution exploit is what puts the users in danger, not the actual existence of it, so the best course of action is obviously just to fix it and give the fix to everyone without going into details what was fixed (which is what Mozilla has done with all such exploits except the one in 3.5.0 (the 3.5.1 bug isn't even exploitable)). Whereas with car brakes that are faulty, there is only a danger if people don't know about the fault!
Post 20 Jul 2009, 06:10
Frank



Joined: 17 Jun 2003
Posts: 100
Frank
Azu wrote:
Disclosing full details on how to implement and use a remotely exploitable code execution exploit is what puts the users in danger, not the actual existence of it


That statement is either poorly worded, or pure philosophy. If a tree falls in the forest but nobody is there to hear it, has it then made a sound at all? Do security flaws really exist before someone has shown how to exploit them?

Quote:
so the best course of action is obviously just to fix it and give the fix to everyone without going into details what was fixed


... leaving the unsuspecting public wide open to the vulnerability while the fix is being made. I prefer to be told about security issues when they become known. Not hours / days / weeks later when the fix is ready.
Post 20 Jul 2009, 07:37
Azu



Joined: 16 Dec 2008
Posts: 1160
Azu
Frank wrote:
Azu wrote:
Disclosing full details on how to implement and use a remotely exploitable code execution exploit is what puts the users in danger, not the actual existence of it


That statement is either poorly worded, or pure philosophy. If a tree falls in the forest but nobody is there to hear it, has it then made a sound at all? Do security flaws really exist before someone has shown how to exploit them?
Quote:
so the best course of action is obviously just to fix it and give the fix to everyone without going into details what was fixed


... leaving the unsuspecting public wide open to the vulnerability while the fix is being made. I prefer to be told about security issues when they become known. Not hours / days / weeks later when the fix is ready.
Do you have difficulty reading, or did you purposefully avoid reading what I wrote before replying to it??
I'll give you the benefit of the doubt (assume it's the former) and try to spell it out for you even more; when bad people (black hats) learn how to do bad things (crack into people's computers), it is bad for the user. The vulnerability itself is no more damaging than a password is. Until the bad people find out what it is, they can not use it. So the sooner it is fixed, and the harder it is/longer it takes for the bad people to find it, the less chance of users' computers being cracked.

There is simply no excuse to tell everyone how to crack into the software using an unpatched vulnerability. After you have patched it, and made sure all vulnerable users have applied the patch, it is fine. But if you do it before then, you make it more likely for them to be hacked!



You like analogies, so here is one for you; if a vaccine for anthrax was created and applied to everyone before the terrorists found out how to make anthrax, nobody would have died from it. They would have been vulnerable to it, but not affected. That is why it is always best when the good guys have time to prevent stuff like this before the bad guys learn how to do it.

That is why when you know a vulnerability, you should get it fixed before telling everyone how it works.
Post 20 Jul 2009, 08:15
Frank



Joined: 17 Jun 2003
Posts: 100
Frank
Back to the car analogy. Car manufacturer XYZ finds out that braking very hard makes the brakes in their cars fail. They work on a fix, but they don't tell anyone about the problem. In fact, they move customer reports about failing brakes out of public sight. Why? Because, if it was publicly known that XYZ cars cannot brake hard, some people might try (for fun, or for profit) to provoke situations where XYZ customers must brake hard.

Is the manufacturer's information hiding policy acceptable for you? Do you think it would be considered acceptable by, say, the Hawaiian traffic authorities?
Post 20 Jul 2009, 10:49
drhowarddrfine



Joined: 10 Jul 2007
Posts: 535
drhowarddrfine
Bad analogy, Frank. Everyone uses their brakes every time they drive a car. No one uses the vulnerability at all and has no need to do so.

What Mozilla did is typical of what any smart developer would do. If you have a rip in your pants, you don't go around telling everyone. You cover it up till you get it fixed.
Post 20 Jul 2009, 11:13
Frank



Joined: 17 Jun 2003
Posts: 100
Frank
drhowarddrfine wrote:
Bad analogy, Frank. Everyone uses their brakes every time they drive a car. No one uses the vulnerability at all and has no need to do so.


That last statement makes no sense in the context of browsing the web with a Javascript-enabled browser. It is the website author who controls which Javascript gets used, not me. Or am I supposed to preview the HTML source before I let Firefox run it? "Hey, they have something that calls the fast native escape function there, I see no need to use that"?

Maybe we are talking about different bugs. The one I mean is this: https://bugzilla.mozilla.org/show_bug.cgi?id=503286 . For the other one Bugzilla shows me a big red box telling me that I am not authorized to even know how I am vulnerable ... could of course be anything.

Quote:
What Mozilla did is typical of what any smart developer would do. If you have a rip in your pants, you don't go around telling everyone. You cover it up till you get it fixed.


Leaving your unsuspecting users at risk all the while ... smart. That's unacceptable in the car industry. Again, I fail to see why "shoveling the risk over to the consumer" is considered acceptable in the software industry.
Post 20 Jul 2009, 12:58
drhowarddrfine



Joined: 10 Jul 2007
Posts: 535
drhowarddrfine
Frank wrote:
That last statement makes no sense in the context of browsing the web with a Javascript-enabled browser. It is the website author who controls which Javascript gets used, not me.
You're switching gears now. You were complaining Mozilla hid the browser code until they could fix it. Now you are talking about the malicious code to execute the vulnerability. The point is to not let anyone know there is a problem till they can get to the fix, and apparently no one knew about it so it worked. I would not want Mozilla to go around telling everyone there is a problem and here's how to exploit it.
Quote:

Leaving your unsuspecting users at risk all the while ... smart. That's unacceptable in the car industry. Again, I fail to see why "shoveling the risk over to the consumer" is considered acceptable in the software industry.

Again you are missing the point. EVERYONE does this. If you left your front door unlocked, you wouldn't say so online. You still are trying to compare the car thing, which causes damage to everyone in normal operation, to this vulnerability, which caused NO damage to anyone in normal operation but you want everyone to know about it, including the black hats, as if this made things better.
Post 20 Jul 2009, 13:20
LocoDelAssembly
Your code has a bug


Joined: 06 May 2005
Posts: 4633
Location: Argentina
LocoDelAssembly
drhowarddrfine, good news. I just hope they are not mistakenly assuming that heap overflows can't be used for arbitrary code execution.
Post 20 Jul 2009, 15:15
Frank



Joined: 17 Jun 2003
Posts: 100
Frank
drhowarddrfine wrote:
You're switching gears now. You were complaining Mozilla hid the browser code until they could fix it.


Where did I complain that "Mozilla hid the browser code"? Did they actually do that?

Quote:
I would not want Mozilla to go around telling everyone there is a problem and here's how to exploit it.


Leave out the "here's how to exploit it" part, but the rest is exactly what I expect from a responsible manufacturer. A big, fat, red warning box on the front page, telling the users "Firefox 3.5: Please switch off Javascript for untrusted websites, we may have a security issue that we are currently looking into."

Quote:
You still are trying to compare the car thing


I could have used an aviation example instead, or something from the food industry, or something from the medical sector. In all of these areas, you would probably agree that it is not okay for manufacturers to hide away inconvenient facts from the public. Why should it be okay for the producers of software that people trust their banking information with?
Post 20 Jul 2009, 15:44

Copyright © 1999-2020, Tomasz Grysztar.