Critical javascript security flaw in firefox

Discussion in 'Javascript' started by Matt Kruse, Oct 2, 2006.

  1. Matt Kruse

    Matt Kruse Guest

    http://news.zdnet.com/2100-1009_22-6121608.html

    Hackers claim zero-day flaw in Firefox
    09 / 30 / 06 | By Joris Evers

    SAN DIEGO--The open-source Firefox Web browser is critically flawed in the
    way it handles JavaScript, two hackers said Saturday afternoon.
    An attacker could commandeer a computer running the browser simply by
    crafting a Web page that contains some malicious JavaScript code, Mischa
    Spiegelmock and Andrew Wbeelsoi said in a presentation at the ToorCon hacker
    conference here. The flaw affects Firefox on Windows, Apple Computer's Mac
    OS X and Linux, they said.

    "Internet Explorer, everybody knows, is not very secure. But Firefox is also
    fairly insecure," said Spiegelmock, who in everyday life works at blog
    company SixApart. He detailed the flaw, showing a slide that displayed key
    parts of the attack code needed to exploit it.

    The flaw is specific to Firefox's implementation of JavaScript, a
    10-year-old scripting language widely used on the Web. In particular,
    various programming tricks can cause a stack overflow error, Spiegelmock
    said. The implementation is a "complete mess," he said. "It is impossible to
    patch."

    The JavaScript issue appears to be a real vulnerability, Window Snyder,
    Mozilla's security chief, said after watching a video of the presentation
    Saturday night. "What they are describing might be a variation on an old
    attack," she said. "We're going to do some investigating."

    Snyder said she isn't happy with the disclosure and release of an apparent
    exploit during the presentation. "It looks like they had enough information
    in their slide for an attacker to reproduce it," she said. "I think it is
    unfortunate because it puts users at risk, but that seems to be their goal."

    At the same time, the presentation probably gives Mozilla enough data to fix
    the apparent flaw, Snyder said. However, because the possible flaw appears
    to be in the part of the browser that deals with JavaScript, addressing it
    might be tougher than the average patch, she added. "If it is in the
    JavaScript virtual machine, it is not going to be a quick fix," Snyder said.

    The hackers claim they know of about 30 unpatched Firefox flaws. They don't
    plan to disclose them, instead holding on to the bugs.

    Jesse Ruderman, a Mozilla security staffer, attended the presentation and
    was called up on the stage with the two hackers. He attempted to persuade
    the presenters to responsibly disclose flaws via Mozilla's bug bounty
    program instead of using them for malicious purposes such as creating
    networks of hijacked PCs, called botnets.

    "I do hope you guys change your minds and decide to report the holes to us
    and take away $500 per vulnerability instead of using them for botnets,"
    Ruderman said.

    The two hackers laughed off the comment. "It is a double-edged sword, but
    what we're doing is really for the greater good of the Internet, we're
    setting up communication networks for black hats," Wbeelsoi said.

    --
    Matt Kruse
    http://www.JavascriptToolbox.com
    http://www.AjaxToolbox.com
     
    Matt Kruse, Oct 2, 2006
    #1

  2. Matt Kruse

    VK Guest

    Matt Kruse wrote:
    > http://news.zdnet.com/2100-1009_22-6121608.html
    >
    > Hackers claim zero-day flaw in Firefox
    > 09 / 30 / 06 | By Joris Evers
    >
    > SAN DIEGO--The open-source Firefox Web browser is critically flawed in the
    > way it handles JavaScript, two hackers said Saturday afternoon.
    > An attacker could commandeer a computer running the browser simply by
    > crafting a Web page that contains some malicious JavaScript code, Mischa
    > Spiegelmock and Andrew Wbeelsoi said in a presentation at the ToorCon hacker
    > conference here. The flaw affects Firefox on Windows, Apple Computer's Mac
    > OS X and Linux, they said.


    Firefox has a stable market share of over 10% (not 20% in this area / 2% in
    that area, but 10% guaranteed in any market area you take). That's the next
    important milestone (the first important one is 1%: "the level of
    acknowledgment", which was passed long ago). The Empire strikes back at the
    most important promo of the competitor: security. Totally normal,
    nothing outside of the regular Big Business fights.

    10.02.06
    C.L.J. - someone called VK claims the possibility to do whatever he
    wants with any computer with IE installed. No JScript support is
    required: the fact itself that you are viewing my page using IE is
    self-sufficient. Hackers around the world have been benefiting from the
    wide spread of this environment for many years in a row.


    P.S. Is Firefox made by Gods? Surely not, by the same humans. It means
    that the axiom of the "Super Hacker limit" works for it as well. It will
    never be able to become an *absolutely* safe environment. It can only
    resolve the equation with better and better results up to (ideally
    but fantastically) a totally unbreakable system and only one person in
    the world able to break it (lim->1, never 0).
     
    VK, Oct 2, 2006
    #2

  3. Matt Kruse

    Erwin Moller Guest

    VK wrote:

    > Matt Kruse wrote:
    >> http://news.zdnet.com/2100-1009_22-6121608.html
    >>
    >> Hackers claim zero-day flaw in Firefox
    >> 09 / 30 / 06 | By Joris Evers
    >>
    >> SAN DIEGO--The open-source Firefox Web browser is critically flawed in
    >> the way it handles JavaScript, two hackers said Saturday afternoon.
    >> An attacker could commandeer a computer running the browser simply by
    >> crafting a Web page that contains some malicious JavaScript code, Mischa
    >> Spiegelmock and Andrew Wbeelsoi said in a presentation at the ToorCon
    >> hacker conference here. The flaw affects Firefox on Windows, Apple
    >> Computer's Mac OS X and Linux, they said.

    >
    > Firefox gets stable over 10% market share (not 20% this area / 2% this
    > area, but 10% guaranteed any market area you take). That's the next
    > important milestone (the first important one is 1%: "the level of
    > asknowledgment" is passed way ago). The Empire strikes back to the most
    > important promo of the competitor: to the security. Totally normal,
    > nothing outside of the regular Big Business fights.
    >
    > 10.02.06
    > C.L.J. - someone called VK claims the possibility to do whatever he
    > wants with any computer with IE installed. No JScript support is
    > required: the fact itself that you are viewing my page using IE is
    > self-sufficient. Hackers around the world are benefiting of the wide
    > spread of this environment for many years in the row.
    >
    >
    > P.S. Is Firefox made by Gods? Sure not, by the same humans. It means
    > that the axiom of "Super Hacker limit" works for it as well. It will
    > never be able to become an *absolutely* safe environment. It can only
    > resolve the equation with more and more better results up to (ideally
    > but fantastically) a totally unbreakable system and an only person in
    > the world able to break it (lim->1, never 0).


    Well, don't take it so lightly.
    I am NOT happy with 20 security holes in FF.
    Not at all.
    The fact that one of the hackers called the JS implementation in FF 'a total
    mess so don't expect a patch soon' or something along those lines, didn't
    help either...

    You can say 'the empire strikes back' and call it 'business as usual' and
    be done with it, but that is just putting your head in the sand.
    FF is insecure in its current state. Period.
    Yes, that sucks.
    Of course I hope they'll patch it anyway soon because I love that browser.

    Regards,
    Erwin Moller
     
    Erwin Moller, Oct 3, 2006
    #3
  4. Matt Kruse

    Dag Sunde Guest

    Matt Kruse wrote:
    > http://news.zdnet.com/2100-1009_22-6121608.html
    >
    > Hackers claim zero-day flaw in Firefox
    > 09 / 30 / 06 | By Joris Evers
    >
    > SAN DIEGO--The open-source Firefox Web browser is critically flawed
    > in the way it handles JavaScript, two hackers said Saturday afternoon.
    > An attacker could commandeer a computer running the browser simply by
    > crafting a Web page that contains some malicious JavaScript code,
    > Mischa Spiegelmock and Andrew Wbeelsoi said in a presentation at the
    > ToorCon hacker conference here. The flaw affects Firefox on Windows,
    > Apple Computer's Mac OS X and Linux, they said.
    >
    > "Internet Explorer, everybody knows, is not very secure. But Firefox
    > is also fairly insecure," said Spiegelmock, who in everyday life
    > works at blog company SixApart. He detailed the flaw, showing a slide
    > that displayed key parts of the attack code needed to exploit it.
    >
    > The flaw is specific to Firefox's implementation of JavaScript, a
    > 10-year-old scripting language widely used on the Web. In particular,
    > various programming tricks can cause a stack overflow error,
    > Spiegelmock said. The implementation is a "complete mess," he said.
    > "It is impossible to patch."
    >
    > The JavaScript issue appears to be a real vulnerability, Window
    > Snyder, Mozilla's security chief, said after watching a video of the
    > presentation Saturday night. "What they are describing might be a
    > variation on an old attack," she said. "We're going to do some
    > investigating."
    > Snyder said she isn't happy with the disclosure and release of an
    > apparent exploit during the presentation. "It looks like they had
    > enough information in their slide for an attacker to reproduce it,"
    > she said. "I think it is unfortunate because it puts users at risk,
    > but that seems to be their goal."
    > At the same time, the presentation probably gives Mozilla enough data
    > to fix the apparent flaw, Snyder said. However, because the possible
    > flaw appears to be in the part of the browser that deals with
    > JavaScript, addressing it might be tougher than the average patch,
    > she added. "If it is in the JavaScript virtual machine, it is not
    > going to be a quick fix," Snyder said.
    > The hackers claim they know of about 30 unpatched Firefox flaws. They
    > don't plan to disclose them, instead holding on to the bugs.
    >
    > Jesse Ruderman, a Mozilla security staffer, attended the presentation
    > and was called up on the stage with the two hackers. He attempted to
    > persuade the presenters to responsibly disclose flaws via Mozilla's
    > bug bounty program instead of using them for malicious purposes such
    > as creating networks of hijacked PCs, called botnets.
    >
    > "I do hope you guys change your minds and decide to report the holes
    > to us and take away $500 per vulnerability instead of using them for
    > botnets," Ruderman said.
    >
    > The two hackers laughed off the comment. "It is a double-edged sword,
    > but what we're doing is really for the greater good of the Internet,
    > we're setting up communication networks for black hats," Wbeelsoi
    > said.


    Looks like we been had...

    http://developer.mozilla.org/devnew...e-possible-vulnerability-reported-at-toorcon/

    --
    Dag.
     
    Dag Sunde, Oct 3, 2006
    #4
  5. Matt Kruse

    Erwin Moller Guest

    Erwin Moller, Oct 3, 2006
    #5
  6. Matt Kruse

    VK Guest

    > Well, don't take it so lightly.
    > I am NOT happy with 20 security holes in FF.
    > Not at all.


    I'm not taking it lightly, I'm taking it philosophically :) Absolutely
    secure web browsing is possible only via a command-line telnet app.
    At least it was so far. If this kind of "browsing" becomes popular
    enough, a hack will be found even for this :)

    Any attempt to prove that "Firefox is not Absolutely Secure" is moot
    because it is a proof of the obvious (see my prev post), so let us put it
    more reality-bound: the number of situations where your security is
    compromised is dramatically lower for FF in comparison with IE.

    Also Mozilla and the success of their Firefox go against the "Big
    Pacification" plan. They made Jobs finish the "fight with Big
    Brother" epoch which started with the famous "be different!" slogan.
    A year earlier they forced McNealy to stop fighting with Windows using
    Java. It is interesting that in both cases the "ending" was set as a
    public conference with a nearly theatrical scenario.
    A war is expensive for owners: different standards to support (and
    which one will win?), extra sets of egg-heads and hairy guys :) on the
    payroll (for different directions), this and that... As one guy at a
    business meeting said (quoting from memory): "I don't give a damn what
    browser is used, as long as it's the only one to deal with. Internet
    Explorer is the most used one, so let it be only Internet Explorer. We
    had enough of fighting in the past to start it over".

    > The fact that one of the hackers called the JS implementation in FF 'a total
    > mess so don't expect a patch soon' or something along that lines, didn't
    > help either...


    I'm not a professional C++ programmer nor a hacker, so I can't comment on
    the Gecko source code. But taking into account that all of the top-level
    interface of Firefox is written in JavaScript, maybe it should be said
    instead: "because of the high level of integration of the application
    interface with the JavaScript engine, some exploits are not so easy to fix,
    because a quick'n'dirty option lock is often not an option". So
    far nearly every second attack on Gecko has gone by the same
    scenario: an attempt to penetrate the program execution context
    using a stack overflow. So far it has led only to a browser crash.

    > You can say 'the empire strikes back' and calling it 'business as usual' and
    > be done with it, but that is just putting your head in the sand.


    see the beginning of this post.

    > FF is insecure in its current state. Period.


    to be fixed... and new found... to be fixed... Ellipsis :)

    > Yes, that sucks.


    Yep.
    Actually I strongly believe that a 100,000 - million bucks fine and a
    year or two of public works (each time announced in news) do much much
    more for the Internet security than any sophisticated programming
    protection. IMHO.

    > Of course I hope they'll patch it


    You can count on it.


    > I love that browser.


    I don't really love Firefox, nor do I hate IE. I like competition and
    I hate monopoly (== stagnation).


    P.S.
    > ... Spiegelmock and Andrew Wbeelsoi said in a presentation
    > at the ToorCon hacker conference ...


    <http://www.toorcon.org/2006/sponsors.html>
    Platinum: Microsoft, ...
    That means nothing of course, Microsoft sincerely helps many
    organizations and funds. It just came into my eyesight.
     
    VK, Oct 3, 2006
    #6
  7. Matt Kruse

    RobG Guest

    Re: Critical javascript security flaw in firefox - bogus

    Erwin Moller wrote:
    [...]
    > Well, don't take it so lightly.
    > I am NOT happy with 20 securityholes in FF.
    > Not at all.
    > The fact that one of the hackers called the JS implentation in FF 'a total
    > mess so don't expect a patch soon' or something along that lines, didn't
    > help either...


    Then you'll be happy to know that the claim of being able to take over
    a PC was completely bogus, and the claim of 30 undisclosed security
    holes is utterly unsubstantiated (and therefore probably bogus too).

    <URL: http://news.zdnet.com/2100-1009-6122317.html >


    --
    Rob
     
    RobG, Oct 3, 2006
    #7
  8. Matt Kruse

    Ivan Marsh Guest

    On Tue, 03 Oct 2006 09:51:09 +0200, Erwin Moller wrote:

    > VK wrote:
    >
    >> Matt Kruse wrote:
    >>> http://news.zdnet.com/2100-1009_22-6121608.html
    >>>
    >>> Hackers claim zero-day flaw in Firefox
    >>> 09 / 30 / 06 | By Joris Evers
    >>>
    >>> SAN DIEGO--The open-source Firefox Web browser is critically flawed in
    >>> the way it handles JavaScript, two hackers said Saturday afternoon.
    >>> An attacker could commandeer a computer running the browser simply by
    >>> crafting a Web page that contains some malicious JavaScript code, Mischa
    >>> Spiegelmock and Andrew Wbeelsoi said in a presentation at the ToorCon
    >>> hacker conference here. The flaw affects Firefox on Windows, Apple
    >>> Computer's Mac OS X and Linux, they said.

    >>
    >> Firefox gets stable over 10% market share (not 20% this area / 2% this
    >> area, but 10% guaranteed any market area you take). That's the next
    >> important milestone (the first important one is 1%: "the level of
    >> asknowledgment" is passed way ago). The Empire strikes back to the most
    >> important promo of the competitor: to the security. Totally normal,
    >> nothing outside of the regular Big Business fights.
    >>
    >> 10.02.06
    >> C.L.J. - someone called VK claims the possibility to do whatever he
    >> wants with any computer with IE installed. No JScript support is
    >> required: the fact itself that you are viewing my page using IE is
    >> self-sufficient. Hackers around the world are benefiting of the wide
    >> spread of this environment for many years in the row.
    >>
    >>
    >> P.S. Is Firefox made by Gods? Sure not, by the same humans. It means
    >> that the axiom of "Super Hacker limit" works for it as well. It will
    >> never be able to become an *absolutely* safe environment. It can only
    >> resolve the equation with more and more better results up to (ideally
    >> but fantastically) a totally unbreakable system and an only person in
    >> the world able to break it (lim->1, never 0).

    >
    > Well, don't take it so lightly.
    > I am NOT happy with 20 securityholes in FF.
    > Not at all.
    > The fact that one of the hackers called the JS implentation in FF 'a total
    > mess so don't expect a patch soon' or something along that lines, didn't
    > help either...


    Turns out that was a hoax. You shouldn't be so gullible.
     
    Ivan Marsh, Oct 3, 2006
    #8
  9. Matt Kruse

    Erwin Moller Guest

    Ivan Marsh wrote:


    > Turns out that was a hoax. You shouldn't be so gullible.


    Wise words afterwards. :p

    And yes, I knew that 12 hours ago.
    (See this very thread)

    Regards,
    Erwin Moller
     
    Erwin Moller, Oct 4, 2006
    #9
