Author Topic: Hackers claim zero-day flaw in Firefox  (Read 10529 times)

0 Members and 1 Guest are viewing this topic.

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Hackers claim zero-day flaw in Firefox
« Reply #15 on: October 03, 2006, 04:59:11 PM »
Quote
Update (October 3, 2006): This BID is being retired as reports indicate that these issues are a hoax. The researchers responsible for disclosing these vulnerabilities have claimed that their original reports were not correct. It is possible that a remote denial of service vulnerability affects the browser; however this has not been confirmed. A new BID will be created if subsequent reports confirm the possibility of the potential denial of service issue. Please see references for more information.

http://www.securityfocus.com/bid/20294/discuss
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: Hackers claim zero-day flaw in Firefox
« Reply #16 on: October 03, 2006, 07:17:20 PM »
Hi FwF,

Haven't I told you we have arrived in the hype world of Web 2.0 sensations: this farce with a tinge of reality (real old vulnerability tweaked), remember the Browzar hoax, pumped up into a big security realization, later it was all fudge with a tiny bit of cream. Information and mis-information intertwine in such a way people don't know where to lay their hats (or ears for that matter),

polonus

Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Mastertech

  • Guest
Re: Hackers claim zero-day flaw in Firefox
« Reply #17 on: October 03, 2006, 07:39:30 PM »
For me, one of the problems with IE and OE are that they are historically heavily integral to Windows, which is the part of the reason I wouldn't like them to communicate with "strangers."  If they are exploited, it can also mean the exploitation of the OS itself.
This is Myth. IE's integration has nothing to do with it's security.

http://blogs.msdn.com/dmassy/archive/2005/03/22/400689.aspx

Quote
The issue of not being part of the Operating System is an interesting one though that is frequently the subject of misunderstanding. IE is part of the Windows Operating System so that parts of the OS and other applications can rely on the functionality and APIs being present. IE in turn relies on Operating System functionality to do it's job. To be clear there are no Operating System APIs that IE uses that are not documented on MSDN as part of the platform SDK and available to other browsers and any other software that runs on Windows. The security of any browser is irrelevant to if it is part of the operating system. If we are to debate security of browsers then let's bring in relevant arguments and accurate details about different possible attacks rather than rely on the irrational fear that because IE is part of the operating system it must be exposing OS functionality to the web. This is not the case as any software has access to the same set of OS APIs and can therefore expose the same set of OS functionality as IE.

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Hackers claim zero-day flaw in Firefox
« Reply #18 on: October 03, 2006, 09:29:24 PM »
Firefox: the next Internet Explorer?

Quote
Reports of the flaw come less than a week after Symantec's biannual Internet Security Threat Report indicated that the number of browser vulnerabilities is on the rise. Firefox led the pack both in terms of absolute number of vulnerabilities disclosed on the last six months, and in terms of percentage growth over the year. The report also noted that Firefox had the lowest "window of vulnerability," meaning that the time between identification and fix was comparatively shorter that for other browsers. Nevertheless, the current state of affairs has led many readers to start joking, "Firefox: the next Internet Explorer."

The zero-day debate

Spiegelmock and Wbeelsoi declined to discuss how they identified the exploit, but it has occasioned a return to arguments over the security of open source software. Opponents have long argued that open source software is inherently unsafe because Bad People™ can pore over the source code looking for exploits. Opponents liken it to publishing the blueprints to a fortress. Open source advocates have argued the opposite, namely that publishing source code ultimately results in more security. The more eyes that pore over the source code, it is argued, the more likely it is that vulnerabilities will be discovered and fixed.

The truth is likely somewhere in-between. Publishing source code certainly does raise the possibility of an exploit being found via that same source code. It's what happens after the flaws are found that seems to stir so much debate. Human nature being fickle, there's little to recommend predicting one outcome over another, especially in an environment where exploits can be sold to the highest bidder for nefarious means.

http://arstechnica.com/news.ars/post/20061002-7885.html
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: Hackers claim zero-day flaw in Firefox
« Reply #19 on: October 03, 2006, 09:39:01 PM »
Hi FwF,

If you train your coders on finding bugs, then that is what they will do, create bugs, and then later fix them. And what to think that even Google gives out an API to make attacks possible with the notorious AttackAPI. Give coders somethink to tinker with, and they come up with the weirdest of creations. And if you pay the kiddos $ 500 per alleged zero-exploit, they come to cash in even when it appears to be partly a hoax or a joke afterwards. It is a strange world, my dear Watson, it certainly is.

polonus

Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline OrangeCrate

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 798
Re: Hackers claim zero-day flaw in Firefox
« Reply #20 on: October 03, 2006, 09:58:47 PM »
This is Myth. IE's integration has nothing to do with it's security.

http://blogs.msdn.com/dmassy/archive/2005/03/22/400689.aspx

Quote
The issue of not being part of the Operating System is an interesting one though that is frequently the subject of misunderstanding. IE is part of the Windows Operating System so that parts of the OS and other applications can rely on the functionality and APIs being present. IE in turn relies on Operating System functionality to do it's job. To be clear there are no Operating System APIs that IE uses that are not documented on MSDN as part of the platform SDK and available to other browsers and any other software that runs on Windows. The security of any browser is irrelevant to if it is part of the operating system. If we are to debate security of browsers then let's bring in relevant arguments and accurate details about different possible attacks rather than rely on the irrational fear that because IE is part of the operating system it must be exposing OS functionality to the web. This is not the case as any software has access to the same set of OS APIs and can therefore expose the same set of OS functionality as IE.
Quote


I don't believe it's a myth.

Dave Massy is a Microsoft employee (Senior Program Manager for Internet Explorer). What else would you expect he'd say?

Edit:

By the way, I just read the entire thread on his blog, that you drew your quote from. He got ripped pretty good, by a whole bunch of people.

That said, I think Microsoft has come a long way with security, and I look forward to seeing what they will have accomplished overall with Vista.

However, for me personally, I think once my old box finally gives up, I'll probably look seriously at one of the Linux desktop distributions.
« Last Edit: October 03, 2006, 10:37:02 PM by OrangeCrate »

Mastertech

  • Guest
Re: Hackers claim zero-day flaw in Firefox
« Reply #21 on: October 03, 2006, 10:11:20 PM »
I don't believe it's a myth.

Dave Massy is a Microsoft employee (Senior Program Manager for Internet Explorer).

What else would you expect he'd say?
You don't believe it is a Myth? ::) Of course you don't, you want it to be true like all the other Myths. What he states is very clear, using IE does not expose OS functionality to the web. This is one of many irrational fears about IE spread on the Web. Why do you think the IE vulnerabilities that allow an attacker to gain "system access" can only access system functionality based on the security account level?

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Hackers claim zero-day flaw in Firefox
« Reply #22 on: October 04, 2006, 10:21:31 AM »
Quote
The Truth About a Claimed Firefox Exploit

A colorful duo of young hackers at the Toorcon security conference presented evidence Saturday that suggested a previously undocumented flaw in Mozilla's Firefox Web browser is actively being exploited to compromise machines of users cruising the Web with the browser. This story has been pretty widely reported over the past few days, but a few key facts have been absent from most of the coverage I've seen, and I wanted to try to help set the record straight on this.

http://blog.washingtonpost.com/securityfix/2006/10/zeroday_firefox_exploit_claime.html

EDIT: The original story from c|net has been updated, and now includes this comment:

Quote
"Apparently, these guys just wanted to troll the media and the people at ToorCon."

http://news.com.com/Hacker+backpedals+on+Firefox+zero-day/2100-7349_3-6122317.html?part=rss&tag=6122317&subj=news&tag=sc.th

I guess this story is now dead. One of the comments aptly sums it up:

Quote
15 minutes....

Reader post by: Sboston
Posted on: October 3, 2006, 3:00 PM PDT
Story: Hacker backpedals on Firefox zero-day

And your time is up!
« Last Edit: October 04, 2006, 01:59:56 PM by FreewheelinFrank »
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Hackers claim zero-day flaw in Firefox
« Reply #23 on: October 04, 2006, 02:17:17 PM »
However, the fallout continues:

Quote
Two of the presenters at the ToorCon 8 event embarrassed themselves by pulling a prank on the media and Mozilla.

http://blogs.zdnet.com/Ou/?p=338

Looks like they also embarrassed not only themselves but also the blog author George Ou, who was quick to run the story:

http://blogs.zdnet.com/Ou/?p=333



     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

Offline cheater87

  • Sr. Member
  • ****
  • Posts: 208
Re: Hackers claim zero-day flaw in Firefox
« Reply #24 on: October 04, 2006, 03:04:38 PM »
yay for the noscript extension heh heh
I have Opera, WOT, K9 Web Protection, Avast Free web shield and Behavior blocker only, Comodo Internet Security 10, and common sense. ^_^