Coffeehouse Thread

28 posts

Firefox vulnerability "impossible to patch"
  • blowdart

    http://news.zdnet.com/2100-1009_22-6121608.html

    SAN DIEGO--The open-source Firefox Web browser is critically flawed in the way it handles JavaScript, two hackers said Saturday afternoon.

    An attacker could commandeer a computer running the browser simply by crafting a Web page that contains some malicious JavaScript code, Mischa Spiegelmock and Andrew Wbeelsoi said in a presentation at the ToorCon hacker conference here. The flaw affects Firefox on Windows, Apple Computer's Mac OS X and Linux, they said.

    "Internet Explorer, everybody knows, is not very secure. But Firefox is also fairly insecure," said Spiegelmock, who in everyday life works at blog company SixApart. He detailed the flaw, showing a slide that displayed key parts of the attack code needed to exploit it.

    The flaw is specific to Firefox's implementation of JavaScript, a 10-year-old scripting language widely used on the Web. In particular, various programming tricks can cause a stack overflow error, Spiegelmock said. The implementation is a "complete mess," he said. "It is impossible to patch."

    .............

    The hackers claim they know of about 30 unpatched Firefox flaws. They don't plan to disclose them, instead holding on to the bugs.

  • Sven Groot

    blowdart wrote:
    "Internet Explorer, everybody knows, is not very secure."

    Ah, blanket statements. Every attention seeker's best friend.

  • Xaero_Vincent

    OMG... those hackers are complete idiots!

    "The hackers claim they know of about 30 unpatched Firefox flaws. They don't plan to disclose them, instead holding on to the bugs."

    Mozilla's response:

    "I do hope you guys change your minds and decide to report the holes to us and take away $500 per vulnerability instead of using them for botnets."

    Hacker's response:

    "It is a double-edged sword, but what we're doing is really for the greater good of the Internet, we're setting up communication networks for black hats."

    My response:

    30 * 500 = $15,000

    Those two hackers could have scored $15,000 to share amongst themselves by simply disclosing information about their findings.


    Regards,
    Vincent

  • Jason Cox

    I wonder how long until there is a flaw in the wild.

  • W3bbo

    Xaero_Vincent wrote:
    "It is a double-edged sword, but what we're doing is really for the greater good of the Internet, we're setting up communication networks for black hats."


    A slight contradiction, surely?

  • Xaero_Vincent

    W3bbo wrote:
    A slight contradiction, surely?


    Indeed. They are consciously admitting to engagement in illegal activities and suggesting that users ought to feel privileged to be exploited by them and their affiliates.


    Regards,
    Vincent

  • petknep_home

    Xaero_Vincent wrote:

    OMG... those hackers are complete idiots!

    <snip>

    My response:

    30 * 500 = $15,000

    Those two hackers could have scored $15,000 to share amongst themselves by simply disclosing information about their findings.


    Regards,
    Vincent


    The problem with your response is that $15,000 for 30 exploits is basically nothing between two people. A given browser exploit for IE supposedly has a street value of $10,000. Assuming Firefox exploits are about the same in price, they make 20x by holding them back from MoFo.

    Not quite idiotic to hold them back if you have loose ethics. I doubt they have 30 exploits, but they probably take a great deal of pleasure making people with a (smug) sense of security scared again.

    Side note: IMO, they should be responsible and disclose them.

  • Grumpy

    Jason Cox wrote:
    I wonder how long until there is a flaw in the wild.


    In the meantime, simply use NoScript to block JavaScript from being run on sites that you don't trust.

  • Another_Darren

    Reminds me of a story about two security guys who found a flaw in wifi cards that can hack any OS; they even demo'd it on a Mac laptop.

    Funny they had the same sort of statement, "we have found a real flaw but we don't want to tell people about it...." Bull<cough!>

    Since Mozilla are looking at all the code for JavaScript to see if there is an issue, if it exists there's a good chance it will be fixed soon.

  • WillemM

    blowdart wrote:
    http://news.zdnet.com/2100-1009_22-6121608.html

    The flaw is specific to Firefox's implementation of JavaScript, a 10-year-old scripting language widely used on the Web. In particular, various programming tricks can cause a stack overflow error, Spiegelmock said. The implementation is a "complete mess," he said. "It is impossible to patch."



    Isn't this a good reason to throw out the old implementation of JavaScript and start with a new one that doesn't have these flaws?
    I think that would be a better idea than waiting for the hackers to use the holes for their blackhat communication framework, but that's just me.

  • MB

    When does software become impossible to patch?

    These sort of statements always intrigue me.

  • Rossj

    WillemM wrote:
    
    Isn't this a good reason to throw out the old implementation of JavaScript and start with a new one that doesn't have these flaws?



    I'd rather hear that it is impossible to patch from a FF dev than from the hacker; given that they are not oblivious to the effects of over-generalisation (IE is insecure, blah blah), they may also be prone to over-exaggeration.


  • Cyonix

    jaylittle wrote:
    
    Another_Darren wrote: Reminds me of a story about two security guys who found a flaw in wifi cards that can hack any OS; they even demo'd it on a Mac laptop.

    Yeah and they were pretty much totally full of it.  The demo was done using a third party USB wireless device with a third party driver.  Hence by default Apple had nothing to do with it since the security hole was on the driver level.
    I'm not sure how they are full of it; didn't they state the above in the video?

  • Rossj

    On the plus side, the fact that they refused to give Apple any information, even though claiming it was also possible with the Airport drivers, forced Apple to do a security audit, which found two other issues.

  • Sabot

    Sanctimonious bull-crap!

    Credibility -1

    Report the bugs for the good of the community, don't muck about.

    I hate all this "I'm not going to tell you because I've got some power over you".

    Black Hats? Who are they ... peers? Criminals? Bank-manager? Granny? I smell a rat.

    I'm annoyed now. One thing's for sure: it won't stop me from using Firefox, but it doesn't make me feel comfortable about using it either.

    Give me the hackers address, time to tell them exactly what I think of them!

    If only they lived in London ... I would knock on their doors, I really would!

  • Cybermagellan

    petknep_home wrote:

    Side note: IMO, they should be responsible and disclose them.


    Especially when a company that you work for is disclosed in the article

    "who in everyday life works at blog company SixApart"

  • phreaks

    Cybermagellan wrote:
    
    petknep_home wrote:
    Side note: IMO, they should be responsible and disclose them.


    Especially when a company that you work for is disclosed in the article

    "who in everyday life works at blog company SixApart"


    I bet their website is getting bombarded. Lots of free advertising?

  • Another_Darren

    Well looks like the black hatters don't have long to brag about their big find in FF.

    http://forums.mozillazine.org/viewtopic.php?t=469982

    Some JS bug fixes are in, and a new bug has been raised over the claims:

    https://bugzilla.mozilla.org/show_bug.cgi?id=355069

    Shows they have managed to recreate the flaw.

    I personally think if you found such a serious flaw and planned to use it for gain (a personal network for black hatters, for example) then you wouldn't brag about it! I think it's a personal PR stunt.
