1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

News New Firefox vulnerability confirmed

Discussion in 'Article Discussion' started by Sifter3000, 20 Jul 2009.

  1. Sifter3000

    Sifter3000 I used to be somebody

    Joined:
    11 Jul 2006
    Posts:
    1,766
    Likes Received:
    26
  2. Tyrmot

    Tyrmot New Member

    Joined:
    12 Mar 2008
    Posts:
    309
    Likes Received:
    1
    Quote from Mozilla's VP of engineering:

    "In the last few days, there have been several reports (including one via SANS) of a bug in Firefox related to handling of certain very long Unicode strings. While these strings can result in crashes of some versions of Firefox, the reports by press and various security agencies have incorrectly indicated that this is an exploitable bug."

    ie there is a bug, but it's not exploitable - apparently it can just crash Firefox
     
  3. impar

    impar Well-Known Member

    Joined:
    24 Nov 2006
    Posts:
    3,101
    Likes Received:
    41
  4. andrew8200m

    andrew8200m Well-Known Member

    Joined:
    4 May 2009
    Posts:
    2,192
    Likes Received:
    124
    And they most certainly will wise up if people such as yourselves keep broadcasting it over the internet! How stupid can people get? If things like this are wanted to be kept quiet to keep other safe from those who wish to do harm, why even mention it? Its basically an invitation to one of these sorts of prople to be shown where the loop holes are and how to use them. Ridiculous!

    Andy
     
  5. bowman

    bowman Member

    Joined:
    7 Apr 2008
    Posts:
    363
    Likes Received:
    10
    Nothing ventured, nothing gained. The TraceMonkey javascript engine is new and needs to work out its kinks. Testing is fine but not enough people download betas and release candidates. Some times things just have to be dropped out and sink or swim. Then append floaties as needed afterwards. :p

    As for andy..

    http://en.wikipedia.org/wiki/Full_disclosure
     
  6. andrew8200m

    andrew8200m Well-Known Member

    Joined:
    4 May 2009
    Posts:
    2,192
    Likes Received:
    124
    Thats just ridiculous. Yes it may make the public aware but it also makes those who need not know (for obvious reasons) aware... where is the logic in that? Keeping everyone in the dark keeps those who shouldnt know in the dark. Its the safest bet so this "full disclosure policy" is some what flawed.

    Andy
     
  7. thehippoz

    thehippoz New Member

    Joined:
    19 Dec 2008
    Posts:
    5,780
    Likes Received:
    174
    it's open source andrew.. if the security experts can find these bugs and point them out- so can anyone else for whatever reason, just imagine what the experts don't find and puppetmasta does- he'll have his hand up your computers ass in no time
     
  8. Otto69

    Otto69 New Member

    Joined:
    6 Oct 2007
    Posts:
    253
    Likes Received:
    3
    WTF, are people still using strcpy instead of strncpy, or is this some new class of buffer overrun?
     
  9. asadotzler

    asadotzler New Member

    Joined:
    20 Jul 2009
    Posts:
    1
    Likes Received:
    0
    "The vulnerability, which comes about from the software's Unicode text handling system, allows a remote attacker to execute arbitrary code simply by embedding it into a web site: as soon as the visitor hits the affected page, "

    This is absolutely false. This is not a security vulnerability. it does not allow for any code execution.

    "With a simple exploit already available, it's fair to say that if the ne'er-do-wells aren't already using this as an attack vector it won't take them long to wise up."

    There is no exploit available. That's just a simple browser crash and there's no evidence that it's exploitable. None. All evidence points to just the opposite, that it's not exploitable.

    http://blog.mozilla.com/security/20...overflow-crash-not-exploitable-cve-2009-2479/
     
  10. Nicb

    Nicb Let's discuss among ourselves

    Joined:
    12 Nov 2008
    Posts:
    211
    Likes Received:
    4
    I'm all for security update news. People that know how to exploit the newest Ver. of browsers do not depend on the news to find out. They simply just run through their library of vulnerability test of code, malware, adware, bla bla bla.

    This article has personal assumptions that falsely imply that this is harmful to users. It's a bug not a vulnerability. Programs crash when they cannot complete a process. I don't like scaring people over nothing, This is for the most part the wrong comunity to shove PC fears down are throats. These articles are for a different audience.

    “People are stupid. They will believe a lie because they want to believe it’s true, or because they are afraid it might be true.”

    —-Wizard’s First Rule – By Terry Goodkind

    You know what Bit-Tech members would really think was cool??? If your found articles like the one you just wrote and then called it BS, and then counteracted to it with the words similar to the comments that we have. I'm not being sarcastic, I would seriously love to see that.

    That's what this community is all about learning and knowing what others don't. Because of that by our nature we will always question what is being said.

    Gareth, I'm a big fan, this is just a little criticism, nothing else.
     
  11. Gareth Halfacree

    Gareth Halfacree WIIGII! Staff Administrator Super Moderator Moderator

    Joined:
    4 Dec 2007
    Posts:
    13,007
    Likes Received:
    2,127
    No personal assumptions on my part - I was going by a SecurityFocus posting which claimed that it was remotely exploitable. There's even an exploit linked to in the article. I see that the posting has now been modified, but at the time of writing it claimed both denial of service and code execution capabilities.

    The Google cached copy - which still shows the original version - is available here. For when that gets updated, here's a picture:

    [​IMG]

    Without the time to test to see if the exploit did what the SecurityFocus posting claimed, I could only go on the evidence presented: at the time of writing, Mozilla - as far as I'm aware - had not repudiated the claims.

    Criticism noted, however - and taken on board.
     
    Last edited: 20 Jul 2009
  12. Nicb

    Nicb Let's discuss among ourselves

    Joined:
    12 Nov 2008
    Posts:
    211
    Likes Received:
    4
    aaahhhh. Well the switch up really got us going. Haha

    You think they would be more hesitant to put up the word "vulnerability", "execute code", "attack", until they had solid evidence.

    To each his own......... browser. :)
     
  13. Gareth Halfacree

    Gareth Halfacree WIIGII! Staff Administrator Super Moderator Moderator

    Joined:
    4 Dec 2007
    Posts:
    13,007
    Likes Received:
    2,127
    Aye - you'll notice the browser I'm using in the screenshot... ;)
     
  14. Nicb

    Nicb Let's discuss among ourselves

    Joined:
    12 Nov 2008
    Posts:
    211
    Likes Received:
    4
    Haha yeah I notice now.

    I've played around with other browsers but I find FF better suits me because of how far you can customize it's security. You can really get underneath the hood and make it your own, plus their are also some good add-ons. I believe no browser is good to use if it is left to default untouched.

    To me Firefox gives you back the Linux feel in windows.
     
  15. Byron C

    Byron C No liability accepted as a result of this post

    Joined:
    12 Apr 2002
    Posts:
    5,706
    Likes Received:
    759
    It's a difficult balance. On the one hand, you risk increasing the potential for exploitation by exposing the flaw to the world + dog, but on the other hand you risk malicious parties discovering it and also keeping quiet, whilst silently infecting millions of machines.
     
Tags: Add Tags

Share This Page