techPowerUp! Forums

Old Feb 26, 2007, 06:32 PM   #1
Jimmy 2004

New Firefox Vulnerability Exposed

A serious new flaw in Mozilla’s browser, Firefox, has been discovered which could allow malicious sites to exploit a system using the browser with JavaScript enabled. Mozilla’s error tracking system classes the vulnerability as critical, and attackers could potentially access your system using a specially crafted HTML file and then run malware remotely. The recommendation from Mozilla is to disable JavaScript in Firefox until a fix is released, but another good idea may be to install the NoScript add-on which will allow you to control which sites can use Java and Flash. This flaw is present on all versions of Firefox, including the new 2.0.0.2 update, and is yet another illustration that Firefox is not immune to security exploits.

Source: vunet.com
Old Feb 26, 2007, 06:35 PM   #2
Alec§taar

Quote:
Originally Posted by Jimmy 2004
A serious new flaw in Mozilla’s browser, Firefox, has been discovered which could allow malicious sites to exploit a system using the browser with JavaScript enabled. Mozilla’s error tracking system classes the vulnerability as critical, and attackers could potentially access your system using a specially crafted HTML file and then run malware remotely. The recommendation from Mozilla is to disable JavaScript in Firefox until a fix is released, but another good idea may be to install the NoScript add-on which will allow you to control which sites can use Java and Flash. This flaw is present on all versions of Firefox, including the new 2.0.0.2 update, and is yet another illustration that Firefox is not immune to security exploits.

Source: vunet.com
Another reason to TURN OFF JAVASCRIPT IN YOUR BROWSERS... gotta be the 2nd one this week alone.

(I've been saying this for Java, Javascript, ActiveX, & ActiveScripting since 1997 in various posts & articles etc. I have authored, & it's coming true, moreso now, than ever! I knew the days when this would get 'abused' were coming is why... I used it enough to see things you could do for "the good" could just as easily been used for "the bad" is why...)

APK

P.S.=> For sites that DEMAND it? Turn it on... but, by default, keep it OFF... heck, "the infamous they" can hijack your routers now using it! See here, for those that did NOT see that:

COMPUTER ROUTERS FACE HIJACK RISK:

http://forums.techpowerup.com/showthread.php?t=25734

It's good stuff for INTRANET usage, but on the public internet? Heck, crank it off, & only use it, IF you HAVE to! apk
Old Feb 26, 2007, 07:33 PM   #3
spectre440

Quote:
Originally Posted by Jimmy 2004

yet another illustration that Firefox is not immune to security exploits.
of course it's not immune to security exploits, nothing is...

but fact of the matter remains that firefox is still about a buhjillion (yes, i made that number up) times more secure than IE...

and yeah, turning off javascript and keeping it off unless you absolutely need it... definitely a good idea. regardless of what you might define "secure" or "unsecure" or what kind of add-ons/plugins/whatever you are using.
Old Feb 26, 2007, 07:54 PM   #4
Scavar

I recently turned it off after listening to Alecstar and the Hijack router thing, and I have to say, it's amazing just how many sites use it, including even our very own techpowerup.

And I have to say it is mildly annoying to have to set things like this up. I wish humans were less malicious.
Old Feb 26, 2007, 07:58 PM   #5
Alec§taar

Quote:
Originally Posted by Scavar
I recently turned it off after listening to Alecstar and the Hijack router thing, and I have to say, it's amazing just how many sites use it, including even our very own techpowerup.
Yea, it is... but nice part about this forums & site is, that W1zzard doesn't make it MANDATORY to use Javascript...

E.G./I.E.-> Here, I use the site, just fine (maybe better imo) WITHOUT Javascript being set active in my web browsers!

Quote:
Originally Posted by Scavar
And I have to say it is mildly annoying to have to set things like this up.
Ah, it is... but, you go FASTER, if you do it right... & also go online quite a bit more securely (the TRUE bonus).

Quote:
Originally Posted by Scavar
I wish humans were less malicious.
So do I... but, there is a "bright-spot" too, because many of them WILL say how they created them, & how to work around them.

E.G.->

http://forums.techpowerup.com/showthread.php?t=26141

They're the "white hats", & they're NOT the ones to worry about!

... it's the "black hat" types that pull the tricks & don't tell others HOW they are doing it.

You can "head them off @ the pass" largely, nowadays, by turning off "features" in browsers, that CAN & DO work against you for both speed & security...

(Heck, you can @ the OS level, using things like HOSTS files for instance (& no 3rd party tools needed), for both more speed & stronger security, amongst other tweaks & tunings!)

APK
Old Feb 26, 2007, 08:14 PM   #6
Easy Rhino

eeeeeew java script. and flash ain't any better!
Old Feb 26, 2007, 08:21 PM   #7
Scavar

I wish I knew how to do things, because it would be nice to make it so that like, you can actively scan the java, javascript, flash, like. Uhh the page loads without it, and it can scan the stuff while the page is loaded, and then load it. Or something. Because I mean they are nice features if they were safe.

I know some white hat type of people sort of. I mean by malicious I mean the people who really do it to mess with people, and never release information. If you do it, just to show that you can, and then talk about it. That's different. That's more like me building a better catapult system, destroying like one small town, and everyone's freaking out, and then I'm like chill kingdoms near me, for this was just to prove I could do it. Look, this is how it works. You can even do good things with it like blah blah blah....


Right so anyways you get my point. I'll just have to get used to being safer. Because well, less headaches with nonsense.
Old Feb 26, 2007, 08:27 PM   #8
Alec§taar

Quote:
Originally Posted by Scavar
I wish I knew how to do things, because it would be nice to make it so that like, you can actively scan the java, javascript, flash, like. Uhh the page loads without it, and it can scan the stuff while the page is loaded, and then load it. Or something. Because I mean they are nice features if they were safe.
Stick around here, you'll learn a lot... I do, everyday, even if only 'little things' & imo, there IS nothing bigger, because they're the foundations of LARGER things imo!

Hey, I outline a few things thru the forums in regard to this type of thing, & other stuff, & so do others, via the methods THEY use vs. my own.

(Some are better than others, OVERALL, but most all of what I have seen noted by folks vs. methods I use, will work as well).



* 8 ways to China in this stuff... quite often.

APK
Old Feb 26, 2007, 09:05 PM   #9
Jimmy 2004

Like I've mentioned in the news post, NoScript on Firefox is a great way to control JavaScript - give it a go, I didn't think I'd like it but now I'm very glad I have it. It means I can let sites like TPU (which I trust... assuming W1zz doesn't have some secret plot) use JavaScript and flash, but I block any that I don't know about or don't trust - so I can still do what I want, and it's very easy to use. Obviously the safest thing is to remove Java from your system, but this gives you a good balance between security, features and ease-of-use.
Old Feb 27, 2007, 01:02 AM   #10
WarEagleAU

Anything can be exploited. But it took them a while to find out how to do it.
Old Feb 27, 2007, 07:15 AM   #11
Benpi

Quote:
Originally Posted by WarEagleAU
Anything can be exploited. But it took them a while to find out how to do it.
That's because 95% use IE. If you were going to hack a browser to better profit your company, why would you try to exploit a browser used by only 5 percent? You wouldn't as it would be a waste of time.

Avant Browser FTW!
Old Feb 27, 2007, 08:04 AM   #12
kakazza

"Mozilla Firefox appears to have lost some momentum. In January, 13.7 percent of all internet users browsed using Firefox, down from 14% in December. In contrast, Apple's Safari is gaining market usage. In January, 4.7% of all browser users used Safari, up from 4.2% in December. This is most likely due to more people using Mac OS X, which could be caused by all sorts of things (creative advertising, Core 2 Duo based iMacs, etc). Microsoft's Internet Explorer still accounts for 79.8% of all internet browser use."

http://www.techpowerup.com/?26044



@Jimmy

Yeah, NoScript is nice. Even better is the developer version which has an experimental Blacklist instead of only the whitelist