Variable leakage in Firefox

[polonus]

Hi malware fighters,


The Dutch security researcher Ronald van den Heetkamp has found a hole in Firefox through which attackers can steal confidential information like logins and passwords. According to Van den Heetkamp it is possible to read all variables and registered objects inside JavaScript files. Even calling certain functions is possible. It concerns local Mozilla config files and all registered extensions.

"It means anyone can reach every JavaScript file inside the chrome:// context through a simple Ajax instance and can log all this data on a server. System functions cannot be called. But plug in functions and extensions are freely accessible," as Van den Heetkamp mentions.

The researcher warns that an attacker can use the vulnerability for denial of service attacks, confidential data retention and other possible attacks, look here:.
http://www.0x000000.com/index.php?i=417

It is because of NoScript that I still feel secure using FF or Flock, but lately we have seen some undermining of the myth that FF is the more secure browser.

polonus

[bob3160]

but lately we have seen some undermining of the myth that FF is the more secure browser.

Maybe it's time to change back to IE

[CharleyO]

***

Hi malware fighters,


...... but lately we have seen some undermining of the myth that FF is the more secure browser.

polonus

I have been saying for years that whatever becomes popular (FF, Flock, etc) or the most used (Windows, IE, etc) will become vulnerable to attacks. No OS, browser, etc is perfect nor secure. Once it is used enough to become profitable to hackers, it will be attacked and become compromised.

Remember, what a person can code, another person can break. It is inevitable with time.


***

[polonus]

Hi bob3160,

No I do not think so, because in IE we do not know how many holes still are in that sieve of a browser & where the leaks and holes are situated etc., - closed source you know. And they will not fuzz it for to let us know. One could theoretically find a vulnerability in an extension, and by using this you could check if said extension is installed. As far as we know, what’s so bad about vulnerabilities in extensions is that the code runs in chrome://, which allows access to restricted things that one wouldn’t otherwise be able to access with scripts. Of course most of these attacks are rendered useless thanks to NoScript, but if you could somehow exploit an extension without using JavaScript, it would be bad news. So JavaScript and AJAX as such that make your browser insecure, and only from sites that are infected with malicious (embedded) code. The sandbox for JavaScript has been found to be a bubbling lava stream rather then a calm script surroundings. See what  Browser Recon: Swift, Silent & Deadly can do:

Complete Variable & Object Leakage. (below a couple of them)
http://www.0x000000.com/hacks/firefox/variables.html
(you have to temporarily disable NoScript on this page, to see all the code reveals)

polonus

[Kilia]

I just installed  the "NoScript" on my FF.  http://noscript.net/

Many thanks for the valuable info re: my favorite browser

[micky77]

So how exactly is the hole exploited by attackers,do you have to visit a dodgy website,open an unknown  email attatchment.Maybe I'm being naive, but I think if you start to worry so much,then whats the point using the internet.If you practice safe surfing,use anti virus/spyware programs,and keep windows and other programs updated,and use common sense,then thats enough.You will find holes in every program,my point is you have to draw a line ( for the very average user like me ) before you become parnoid.I certainly have no worries about firefox ( or comodo,thread closed, AT LAST )

[polonus]

Hi micky77,

This is a vulnerability that can be addressed remotely, but it has not been exploited as such, not yet!
re: http://www.theregister.co.uk/2007/08/13/firefox_remote_leakage/
But remember that the NoScript extension installed can secure you from former, this and future script holes and attacks. That is how strong this form of security is.
That is one. On the other hand you could decide to close your eyes for malicious JavaScript which can hide embedded on a website, so in that case you run certain risks with every browser you load up!
Being more secure is just an attitude, make your browser less vulnerable by searching with add-ons or search engines that warn you for websites with malicious code, you can use scandoo.com, you can use McAfeeSiteAdvisor or scan suspicious sites with DrWeb's av  hyperlink checker to see if they are clean before you click the link.
Blacklists won't help you much, because malicious coders change their infectious sites all the time.

On the other hand you can forget about NoScript (you feel it is a nag, it slows you down, and hitting an infectious site is such a remote possibility for you, and then it will hit other people  and not you), so you can also forget about real time scanning against sites that have malicious code (for more or less the same reasons, it is a nag, it slows your clicking tempo etc.),
but the situation on the Internet has changed to such an extent that that is a very, very, very unwise policy. Maybe you want to say after the American senator, who thinks that the Internet is "some system of tubes" and you can click on anything that is to be clicked on, right click and if that does not work left click, and if that does not give results you can also click it away, can't ye?

polonus