Firefox Security?

[roger2002]

CNET is reporting several security holes in all versions (Windows, Mac and Linux) of Firefox code here. Looks as if the discoverers are intent on exploiting them from what the story says. Is Safari still safe (for now)?

[Grasshopper]

My brother (in IT security) sent me an email with this info. I think the troubles have to do with versions prior to 1.5.x.x.

[teacher]

The bad thing is that javascript is crossplatform and it is possible this is in any browser. Without any details, it is hard to tell.

[roger2002]

It's frustrating that even on this site, when I tried disabling Javascript in Safari, I was not able to insert a link to another website without re-enabling it. One doesn't realize just how many things we use day-to-day won't work without it. I sometimes think that the internet is becoming so dangerous to surf that it is not worth the trouble. I switched from Windows because it was too frustrating and if Linux and Mac become as bad, I'm wondering what is left.

[zlim]

Grab the FF extension called Noscript http://www.noscript.net/whatsI have js disabled on almost every site. If I go to a site and know I can trust it, I temporarily enable it. On sites that you visit regularly and trust, you can enable js then if you click any link here, the site you go to js will be disabled and you can decide if you wish to enable it fulltime ot temporarily.I guess $500 isn't a big enough bounty.

Jesse Ruderman, a Mozilla security staffer, attended the presentation and was called up on the stage with the two hackers. He attempted to persuade the presenters to responsibly disclose flaws via Mozilla's bug bounty program instead of using them for malicious purposes such as creating networks of hijacked PCs, called botnets."I do hope you guys change your minds and decide to report the holes to us and take away $500 per vulnerability instead of using them for botnets," Ruderman said.The two hackers laughed off the comment. "It is a double-edged sword, but what we're doing is really for the greater good of the Internet, we're setting up communication networks for black hats," Wbeelsoi said.

Unfortunately, the blackhats get more $$$$$ running a botnet. Edited October 2, 2006 by zlim

[Neil P]

Is Safari still safe (for now)?

Without knowing anything else about the flaw, I guess the answer is "yes". We've now got a competing thread over in B&E Central that I just posted to.As I said there, information on this exploit seems to be very scarce. NoScript would probably help, but again, the report is so vague that it's hard to say.

[teacher]

Ah Steeler, we are fine over here. No competition! I see we are in agreement that the report gives nothing you can work with to investigate.

[Marsden11]

What is there to investigate? Some folks have found a huge hole in FF and how it implements java. They found another stack overflow error... They can then inject code and control your machine... "If it is in the JavaScript Virtual Machine, it is not going to be a quick fix," Snyder said. The hackers claim they know of about 30 unpatched Firefox flaws. They don't plan to disclose them, instead holding onto the bugs. This is what I have been waiting for... the total arrogance of the Mozilla camp and the so called superiorty of FF over other browsers is finally blowing up in their faces...Bad press sucks dosen't it?

[Gary]

What is there to investigate? Some folks have found a huge hole in FF and how it implements java. They found another stack overflow error... They can then inject code and control your machine... "If it is in the JavaScript Virtual Machine, it is not going to be a quick fix," Snyder said. The hackers claim they know of about 30 unpatched Firefox flaws. They don't plan to disclose them, instead holding onto the bugs. This is what I have been waiting for... the total arrogance of the Mozilla camp and the so called superiorty of FF over other browsers is finally blowing up in their faces...Bad press sucks dosen't it?

30 unpatched Firefox flaws

That is about 1/2 of the unpatched flaws in IE.

[Marsden11]

So what! The issue here is FF. But by all means drag it off topic...

[Gary]

So what! The issue here is FF. But by all means drag it off topic...

This is what I have been waiting for... the total arrogance of the Mozilla camp and the so called superiorty of FF over other browsers is finally blowing up in their faces...

You post garbage like this and you complain that I am off topic.

[Guest LilBambi]

This is a flaw in the implementation of 'Javascripting' NOT "Java." They are talking like it's a Javascripting Virtual Machine, well, that's just not the case technically speaking. Java has a virtual machine.Running Javascripting code is something that ALL browsers have built in capability for -- separate from Java. You do not even need any Java (SUN or MS) installation to have javascripting on webpages work in your browser.And yes, it is sad that this has happened, and I think that all browsers are likely going to see that this is something they will all have to deal with. It's just that the problem with Firefox was exposed first. So much the better ... find it quicker, fix it quicker.Funny thing is, that folks who use Firefox generally do not see major issues with malware installations.Particularly, for those who, like Liz, makes use of the NoScript Extension.But if one feels the need for a safer browsing experience in the meantime ... there is always the now free Opera to fall back on.I always keep several browsers on hand just in case a browser problem comes up, then I switch temporarily to another browser that doesn't have the problem till it's fixed or use an Extension that mitigates the problem.

[Marsden11]

You post garbage like this and you complain that I am off topic.

One man's garbage is another man's treasure...All you have done Gary is deflect away from FF to IE... that's what people do when they have no defense. Had the FF team been actively doing what they claim on their website to be doing, then this would not be an issue. Edited October 3, 2006 by Marsden11

[Gary]

One man's garbage is another man's treasure...All you have done Gary is deflect away from FF to IE... that's what people do when they have no defense. Had the FF team been actively doing what they claim on their website to be doing, then this would not be an issue.

Somewhere along the way I posted that this affectys all browsers. Nowhere did I make a statement that

This is what I have been waiting for... the total arrogance of the Mozilla camp and the so called superiorty of FF over other browsers is finally blowing up in their faces...

I do not care for IE but I do not celebrate their misgivings.You might want to read THIS Edited October 3, 2006 by Gary

[teacher]

Glad to know it was all a joke. I guess folks don't always realize the implications of their words. We can all rest a little easier and perhaps look back at our computing habits to make sure we are running in the most secure manner possible.