Coffeehouse Thread

17 posts

And so it begins.

  • ScanIAm

    Turns out that, just as I thought, Firefox is just as full of security holes as any other software.

    Hopefully, we won't have to hear any more sanctimonious crap about how 'secure' it is.

    http://illmob.org/files/0day/firefox-download-and-execute.html

  • Cairo

    You have a little schadenfreude on your chin.

    It's not perfect. But it is still better than IE.


  • ScanIAm

    Cairo wrote:
    You have a little schadenfreude on your chin.


    Shhhhh...Nobody's noticed yet.

  • CyberGeek

    Um... ok, so a batch file is supposed to run, right? It looks like it's supposed to write out and maybe execute a batch file that tells me how it could've been a virus.

    Not happening. I click and the page reloads or something, is there something I'm doing wrong?

    Edit: Ok, looking a bit closer at the Javascript source, the .bat file is supposed to pause after writing some stuff to the console, so I don't imagine it would simply be closing before I have the chance to see it.

    Edit 2: Upon clicking in the page the Javascript Console says that 'install' is not defined, so unless it's supposed to execute code by running illegal Javascript or something I don't think it works.

  • gman

    and don't forget that a massive hole in Apple Tiger OS was just exposed as well. Apparently the Safari web browser will happily download and run executables without prompting the user in any way.

    OK, Mac and Linux apologists, start your excuse-making!

  • MasterPi

    gman wrote:
    and don't forget that a massive hole in Apple Tiger OS was just exposed as well. Apparently the Safari web browser will happily download and run executables without prompting the user in any way.

    OK, Mac and Linux apologists, start your excuse-making!



    Of course, since it's Apple, an excuse can easily be made saying "You can just turn this off and you won't be vulnerable".

    Slashdot | Malicious Web Pages Can Install Dashboard Widgets

    I'm just curious... has Apple been paying attention at all to the internet? Come on, at least they could learn from Windows' mistakes somewhat.

    BTW, I clicked using IE. Nothing happened.

    mVPstar

  • CyberGeek

    It's probably meant to exploit some flaw in Firefox's handling of Javascript. It outputs a .bat file, which would be Windows-specific. On my Windows box here (and on a Windows laptop I tried it on) I was unable to notice anything being done. No .bat file being created (did a search of my whole hard drive). No .bat file being run telling me it could've been a virus.

  • mrservices

    Hello, I just installed latest Firefox and ran it under a limited user account, latest XP security patches. No console box appeared on my machine.

    Roger

  • geek2max

    Right now I'm using fluxbox on Linux and Firefox as browser. I anyway prefer Internet Explorer, and its Javascript interpreter is way faster than this one (I write AJAX web apps, trust me). BTW, I love the JavaScript console :).

  • AndyC

    Beer28 wrote:

    It's not as good as FFox on Linux. I'm thinking they should have released that IE for Unix for real that Mainsoft made, so there would be a native version for Linux.



    They did, doesn't work on poor man's Unix clones like Linux though...

  • otech

    AndyC wrote:
    Beer28 wrote:
    It's not as good as FFox on Linux. I'm thinking they should have released that IE for Unix for real that Mainsoft made, so there would be a native version for Linux.



    They did, doesn't work on poor man's Unix clones like Linux though...



    touché! haha

  • Cairo

    gman wrote:
    and don't forget that a massive hole in Apple Tiger OS was just exposed as well. Apparently the Safari web browser will happily download and run executables without prompting the user in any way.

    OK, Mac and Linux apologists, start your excuse-making!



    We know it warms your heart, special ed. You always pop up in these types of threads.

  • ScanIAm

    The exploit may not work on your system, and in fact, I personally never installed FF, so I can't even guarantee that it is anything more than a broken demo. That isn't why I posted this; I did so because this forum was chock full o' IE bashers no more than 4 months ago who extolled the virtues of FF's security.

    Perhaps, in the future, we can cut down on the "The sky is falling, IE Suxxor's" crap and stick to "There's a hole in software X, and here's the patch".

    Of course, I'm sure that on Linux, the site would have never caused a problem.  In fact, I'm sure that on Linux, it would have washed my car and mowed my lawn.  Cuz linux is so coool.

  • Bogusrabin

    ScanIAm wrote:
    Of course, I'm sure that on Linux, the site would have never caused a problem.  In fact, I'm sure that on Linux, it would have washed my car and mowed my lawn.  Cuz linux is so coool.


    I'm not 100% sure, but I think that exploit is fixed in FF 1.0.3

    And why always MS vs Mac vs Linux vs whatever? Isn't it nice if people find Linux perfect for their use? For example, I do things in Linux which I can't do in Windows, so Windows is not an alternative for me. No, I don't hate Windows.
    If people are saying Windows/Linux/etc. sucks, so what?! If you don't like it, don't use it.
    Thanks.

  • Cider

    Bogusrabin wrote:
    ScanIAm wrote: Of course, I'm sure that on Linux, the site would have never caused a problem.  In fact, I'm sure that on Linux, it would have washed my car and mowed my lawn.  Cuz linux is so coool.


    I'm not 100% sure, but I think that exploit is fixed in FF 1.0.3

    And why always MS vs Mac vs Linux vs whatever? Isn't it nice if people find Linux perfect for their use? For example, I do things in Linux which I can't do in Windows, so Windows is not an alternative for me. No, I don't hate Windows.
    If people are saying Windows/Linux/etc. sucks, so what?! If you don't like it, don't use it.
    Thanks.


    Well, that is, of course, correct, but you can hardly blame people for turning to attack Beer, when he comes on here with that attitude.

    As it goes, about this issue, it is unpatched and will work on Linux as well.  It just happens that in this example, it generates a batch file in order to show a proof of concept of remote code execution.

    What this bug really shows is the biggest weakness in Firefox - the XPCOM system.  To be honest, this is as powerful but as dangerous as ActiveX.  In fact, it shares much of the conceptual design of ActiveX.

    The point overall is this is not a Windows, Mac or Linux issue.  The execution platform is Firefox.

    And, as a further aside, the original posted exploit won't work now because of server-side changes made by Mozilla themselves.

  • AndyC

    Beer28 wrote:


    Linux is the poor man's Unix clone, but it works on Solaris, and Solaris 10 works on x86, the poor man's box, and is free. Explain that one?



    'Twas only available on Sparc Solaris (Solaris x86 wasn't available back then) and I don't think Solaris was free then either. In any case, Sparc hardware was a long way from cheap.

    Beer28 wrote:


    Also, I don't see a download link. Did they release a source package,


    No. IE isn't open source, so why would they? I'm not sure you can download it any more as IE 5 is no longer a supported piece of software and IE 6 never made it to Unix.

  • AndyC

    Beer28 wrote:


    Yeah, but Solaris is free now. I guess I see your point about it not being free back then.
    I'm still shopping for a Solaris box for testing.
    I found some pretty good deals on refurbs here:
    http://www.anysystem.com/e220r-special-1.html

    They have Ultra 5s for like a hundred bucks.


    Well worth it. They aren't the most powerful boxes in the world but they do alright for low capacity stuff, a fair chunk of the network services here run on Sparc Ultra 5s.
