Author Topic: Two flaws found in Firefox  (Read 6174 times)

Offline Marc57

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1944
  • KISS Rules The World!!!
    • KISS Army
Two flaws found in Firefox
« on: February 08, 2007, 04:31:23 AM »
A security company has reported two new flaws in the Mozilla Firefox browser that may leave locally saved files vulnerable to outside attacks.


http://news.com.com:80/Security+company+announces+two+new+Firefox+flaws/2100-1002_3-6157307.html?tag=html.alert
You Wanted the Best You Got the Best the Hottest Band in the World KISS!!!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33496
  • malware fighter
Re: Two flaws found in Firefox
« Reply #1 on: February 08, 2007, 09:21:30 AM »
Hi marc57,

One of the flaws has been patched here:
https://bugzilla.mozilla.org/attachment.cgi?id=254137

The fix can be found on the Burning Edge for the Minefield version.
nsGlobalWindow originally was old Netscape code from 1998, sure it produced some flaw over the years, the code is pre-historical really. This code was also changed:
Code:
    // XXXjst - Note that when this is fixed to work with multi-framed sites,
    //          also back out the fix for bug 343772 where
    //          nsGlobalWindow::CheckOpenAllow() was changed to also
    //          check if the top window's location is whitelisted.
    var uri = gBrowser.selectedBrowser.webNavigation.currentURI;
More than half of all the security issues in Firefox or Flock can be avoided by not allowing script to run inside a browser, only for those sites that can be considered safe (scan with scandoo or McAfeeSiteAdvisor and have the NoScript extension on, and lift this temporarily only for those sites that are found to be secure). Clear Private Data or using Stealther can help considerably also. Secure browsing, whatever browser you use, is a matter of adopting the right attitudes. On the other hand, too much is "broken" on the Net. If we could start over again from scratch, this is a wish list that could alter the situation by heaps:

1. Complete language separation of JavaScript from HTML
2. Nuke Basic and Digest Auth for something way more secure, but just as simple.
3. HTTP stripped down and streamlined (no off-domain referers, no passive third-party cookies, native support for URL and cookie encryption)
4. Browsers only support well-formatted XHTML
5. Compilable web pages (HTML/JavaScript) into byte-codes
6. SSL certificates may contain trademarked logos that show up in the browser chrome
7. Browser integration of Secure Cache, Safe History, and Netcraft’s anti-XSS URL features in their toolbar
8. Implement Content Restrictions
9. Same-origin policy applied to the JavaScript Error Console
10. Restrict websites with public IPs from including content from websites with non-routable IP addresses


polonus
« Last Edit: February 08, 2007, 09:35:55 AM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Marc57

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1944
  • KISS Rules The World!!!
    • KISS Army
Re: Two flaws found in Firefox
« Reply #2 on: February 08, 2007, 05:28:53 PM »
Thanks for the update polonus, that's good to hear.

Hard_ROCKER

  • Guest
Re: Two flaws found in Firefox
« Reply #3 on: February 10, 2007, 11:16:49 AM »
Hello people !

Just wondering, does this affect Flock too ?

drhayden1

  • Guest
Re: Two flaws found in Firefox
« Reply #4 on: February 10, 2007, 11:39:18 AM »
thanks for the info polonus and marc57 :D
kiss still rules marc57 my friend ;D
« Last Edit: February 10, 2007, 11:41:15 AM by drhayden1 »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 87305
  • No support PMs thanks
Re: Two flaws found in Firefox
« Reply #5 on: February 10, 2007, 01:56:35 PM »
There was me thinking KISS was something entirely different, 'Keep It Simple Stupid' ;D

http://en.wikipedia.org/wiki/KISS_(band)
« Last Edit: February 10, 2007, 02:00:19 PM by DavidR »
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 22.12.6044 (build 22.12.7758.768) UI 1.0.741/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33496
  • malware fighter
Re: Two flaws found in Firefox
« Reply #6 on: February 10, 2007, 07:39:42 PM »
Hi Hard_Rocker,

The patch I gave also can be saved in Flock, saved as nsGlobalWindow.cpp inside the components file. Whenever you run NoScript as an extension inside FF or Flock, you are secure from these kinds of vulnerabilities. I for one think NoScript is one of the most valuable security extensions that goes into the Firefox or Flock browser.

Polonus

Hard_ROCKER

  • Guest
Re: Two flaws found in Firefox
« Reply #7 on: February 10, 2007, 08:47:19 PM »
OK so it affects Flock as well, I have NoScript installed so I guess I'm fine.  :)

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33496
  • malware fighter
Re: Two flaws found in Firefox
« Reply #8 on: February 10, 2007, 10:36:57 PM »
Hi Hard_Rocker,

With NoScript installed, my friend, you are not only safe now, but also in many, many cases for the future.
Insecure script is the main vector by choice for malware to enter onto your machine, and it is one of the main malware vectors in the case of flaws, and many 0-zero exploits can be explained as such as well.
Lift the NoScript barrier only for those sites you know to be secure, temporarily lift if you need access to some functionality on safe sites.
The extra security of Flock comes because it is a relatively small platform (less chosen to be attacked).
The Flock code is based on Mozilla's, but there are different coding solutions, e.g. Clucene.cvs & CLucene_build.
As you have noticed Flock is smoother, and more stable.
Coders that code now, do this with more security at heart than in the old days.
It is the old dinosaur code (either Google's, Netscape's, IBM's) where they should give a second glance what complexity does..

polonus

Offline Marc57

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1944
  • KISS Rules The World!!!
    • KISS Army
Re: Two flaws found in Firefox
« Reply #9 on: February 10, 2007, 11:48:23 PM »
thanks for the info polonus and marc57 :D
kiss still rules marc57 my friend ;D

Thanks drhayden, I've been in the KISS Army since 1975 and I still think they're the best.

drhayden1

  • Guest
Re: Two flaws found in Firefox
« Reply #10 on: February 11, 2007, 12:28:55 AM »
me since 1974 when i heard this album on "8-track"
and have seen them 6 times ;D
sorry about being off-topic on this :)

Offline Marc57

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1944
  • KISS Rules The World!!!
    • KISS Army
Re: Two flaws found in Firefox
« Reply #11 on: February 11, 2007, 09:11:00 AM »
me since 1974 when i heard this album on "8-track"
and have seen them 6 times ;D
sorry about being off-topic on this :)


Don't worry about it being off-topic, it still serves its purpose (to give people a heads up) and we get to talk about KISS!  ;D



« Last Edit: February 11, 2007, 09:16:43 AM by marc57 »