FireFox Vulnerability

UBT - Halifax-lad
Posts: 3790
Joined: Mon Mar 13, 2006 12:00 am

FireFox Vulnerability

Post by UBT - Halifax-lad »

UBT - Mikee
Marvin the Dalek
Posts: 4396
Joined: Wed Mar 15, 2006 12:00 am
Location: North Wales

Post by UBT - Mikee »

That's a bit scary.

Apparently, the easy fix is NOT to go to any Java pages, but as that's a bit impractical, install a 'noScript' extension. Will only allow Java if you say so. Not perfect, as a page you allow may have malicious code in it anyway unless it's a site you know of.

This has got some good feedback if anyone wants to try it!
Follow us on Twitter... http://twitter.com/UKBOINCTeam

UBT - Halifax-lad
Posts: 3790
Joined: Mon Mar 13, 2006 12:00 am

Post by UBT - Halifax-lad »

Update: Possible Vulnerability Reported at Toorcon
We got a chance to talk to Mischa Spiegelmock, the Toorcon speaker that reported the potential JavaScript security issue referenced earlier. He gave us more code to work with and also made this statement and agreed to let me post it here:

The main purpose of our talk was to be humorous.

As part of our talk we mentioned that there was a previously known Firefox vulnerability that could result in a stack overflow ending up in remote code execution. However, the code we presented did not in fact do this, and I personally have not gotten it to result in code execution, nor do I know of anyone who has.

I have not succeeded in making this code do anything more than cause a crash and eat up system resources, and I certainly haven’t used it to take over anyone else’s computer and execute arbitrary code.

I do not have 30 undisclosed Firefox vulnerabilities, nor did I ever make this claim. I have no undisclosed Firefox vulnerabilities. The person who was speaking with me made this claim, and I honestly have no idea if he has them or not.

I apologize to everyone involved, and I hope I have made everything as clear as possible.

Sincerely,

Mischa Spiegelmock

Even though Mischa hasn’t been able to achieve code execution, we still take this issue seriously. We will continue to investigate.

-Window Snyder