
New Firefox Vulnerability Exposed

Joined
Jan 15, 2005
Messages
5,458 (1.16/day)
Likes
242
Location
England
System Name Jimmy 2004's PC
Processor S754 AMD Athlon64 3200+ @ 2640MHz
Motherboard ASUS K8N
Cooling AC Freezer 64 Pro + Zalman VF1000 + 5x120mm Antec TriCool Case Fans
Memory 1GB Kingston PC3200 (2x512MB)
Video Card(s) Saphire 256MB X800 GTO @ 450MHz/560MHz (Core/Memory)
Storage 500GB Western Digital SATA II + 80GB Maxtor DiamondMax SATA
Display(s) Digimate 17" TFT (1280x1024)
Case Antec P182
Audio Device(s) Audigy 4 + Creative Inspire T7900 7.1 Speakers
Power Supply Corsair HX520W
Software Windows XP Home
#1
A serious new flaw in Mozilla’s browser, Firefox, has been discovered which could allow malicious sites to exploit a system using the browser with JavaScript enabled. Mozilla’s error tracking system classes the vulnerability as critical, and attackers could potentially access your system using a specially crafted HTML file and then run malware remotely. The recommendation from Mozilla is to disable JavaScript in Firefox until a fix is released, but another good idea may be to install the NoScript add-on which will allow you to control which sites can use Java and Flash. This flaw is present on all versions of Firefox, including the new 2.0.0.2 update, and is yet another illustration that Firefox is not immune to security exploits.

 
Joined
May 15, 2006
Messages
4,677 (1.11/day)
Likes
86
Location
Someone who's going to find NewTekie1 and teach hi
Processor DualCore AMD Athlon 64x2 4800+ (o/c 2801mhz STABLE (Ketxxx, POGE, Tatty One, ME))
Motherboard ASUS A8N-SLI Premium (PCIe x16, x4, x1)
Cooling PhaseChange Coolermaster CM754/939 (fan/heatsink), Thermalright heatspreaders + fan built on (RAM)
Memory 512mb PC-3200 DDR400 (set DDR-33 for o/c) by Corsair (matched pair, 2x256mb) 200.1/200mhz
Video Card(s) BFG GeForce 7900 GTX OC 512mb GDDR3 ram (o/c manually to 686 core/865 memory) - PhaseChange cooled
Storage Dual "Raptor X" 16mb 10krpm/RAID 0 Promise EX8350 x4 PCIe 128mb & Intel IO chip/CENATEK RocketDrive
Display(s) SONY 19" Trinitron MultiScan 400ps 1600x1200 75hz refresh 32-bit color
Case Antec Super-LanBoy (aluminum baby-tower w/ lower front & upper rear cooling exhaust fans)
Audio Device(s) RealTek AC97 onboard mobo stereo sound (Altec Lansing ACS-45 speakers - 10 yrs. still running!)
Power Supply Antec 500w ATX 2.0 "SmartPower" powersupply
Software Windows Server 2003 SP #1 fully patched, & massively tuned/tweaked to-the-max (plus latest drivers)
#2
A serious new flaw in Mozilla’s browser, Firefox, has been discovered which could allow malicious sites to exploit a system using the browser with JavaScript enabled. Mozilla’s error tracking system classes the vulnerability as critical, and attackers could potentially access your system using a specially crafted HTML file and then run malware remotely. The recommendation from Mozilla is to disable JavaScript in Firefox until a fix is released, but another good idea may be to install the NoScript add-on which will allow you to control which sites can use Java and Flash. This flaw is present on all versions of Firefox, including the new 2.0.0.2 update, and is yet another illustration that Firefox is not immune to security exploits.

Source: vunet.com
Another reason to TURN OFF JAVASCRIPT IN YOUR BROWSERS... gotta be the 2nd one this week alone.

(I've been saying this for Java, Javascript, ActiveX, & ActiveScripting since 1997 in various posts & articles etc. I have authored, & it's coming true, moreso now, than ever! I knew the days when this would get 'abused' were coming is why... I used it enough to see things you could do for "the good" could just as easily been used for "the bad" is why...)

APK

P.S.=> For sites that DEMAND it? Turn it on... but, by default, keep it OFF... heck, "the infamous they" can hijack your routers now using it! See here, for those that did NOT see that:

COMPUTER ROUTERS FACE HIJACK RISK:

http://forums.techpowerup.com/showthread.php?t=25734

It's good stuff for INTRANET usage, but on the public internet? Heck, crank it off, & only use it, IF you HAVE to! apk
 
Joined
Jul 18, 2005
Messages
937 (0.21/day)
Likes
13
Location
Israel
Processor Athlon 64 x2 4000+ (65nm Brisbane)
Motherboard Abit AN-M2 (AM2) nForce 630a
Cooling Stock everything (for the time being), 2x120mm fans (intake & exhaust)
Memory 2GB (2x1024) OCZ Platinum PC2-6400 (4-4-4-15, 2T)
Video Card(s) PowerColor ATI HD 2600XT 256mb GDDR4 PCI-e
Storage Hitachi Deskstar 160GB SATA 3.0G/s, External USB2.0 WD 160GB
Display(s) LG 17' LCD (L1753TR)
Case HEC-Compucase 6A, black & grey
Audio Device(s) On-Board 7.1 (realtek)
Power Supply Spire Zeno 650W
Software WinXP Pro SP2 (32-bit, for the time being)
#3
yet another illustration that Firefox is not immune to security exploits.
of course it's not immune to security exploits, nothing is...

but fact of the matter remains that firefox is still about a buhjillion (yes, i made that number up) times more secure than IE...

and yeah, turning off javascript and keeping it off unless you absolutely need it... definitely a good idea. regardless of what you might define "secure" or "unsecure" or what kind of add-ons/plugins/whatever you are using.
 

Scavar

New Member
Joined
Aug 29, 2006
Messages
573 (0.14/day)
Likes
0
Location
Ft Lauderdale, FL
System Name ScarredWolf(Desktop), MBlackWolf(Laptop)
Processor E6600(Desktop), T7300(Laptop)
Motherboard EVGA 680i(Desktop), IFL90(Laptop)
Cooling Akasa EVO 120(Desktop), No idea(Laptop)
Memory G Skill PI 8GB 4x2gb(Desktop), G Skill 3GB 1GB/2GB(Laptop)
Video Card(s) 8800GTS 640mb(Desktop), 8600m GT(Laptop)
Storage 3x250GB 1x500GB(Desktop), 1x320GB(Laptop)
Display(s) Acer AL2216W 22"(Desktop), 15.4"(Laptop)
Case Cosmos 1000(Desktop), PowerPro J 10:15(Laptop)
Audio Device(s) CreativeX-Fi/Z-5500(Desktop), Realtek/No idea(Laptop)
Power Supply PC Power and Cooling Silencer 610w(Desptop), *shrug*(Laptop)
Software Windows Vista Ultimatex64 with tweaks(Both)
Benchmark Scores I'm too lazy to benchmark anything.
#4
I recently turned it off after listening to Alecstar and the Hijack router thing, and I have to say, it's amazing just how many sites use it, including even our very own techpowerup.

And I have to say it is mildly annoying to have to set things like this up. I wish humans were less malicious.
 
#5
I recently turned it off after listening to Alecstar and the Hijack router thing, and I have to say, it's amazing just how many sites use it, including even our very own techpowerup.
Yea, it is... but nice part about this forums & site is, that W1zzard doesn't make it MANDATORY to use Javascript...

E.G./I.E.-> Here, I use the site, just fine (maybe better imo) WITHOUT Javascript being set active in my webbrowsers!

And I have to say it is mildly annoying to have to set things like this up.
Ah, it is... but, you go FASTER, if you do it right... & also go online quite a bit more securely (the TRUE bonus).

I wish humans were less malicious.
So do I... but, there is a "bright-spot" too, because many of them WILL say how they created them, & how to work around them.

E.G.->

http://forums.techpowerup.com/showthread.php?t=26141

They're the "white hats", & they're NOT the ones to worry about!

... it's the "black hat" types that pull the tricks & don't tell others HOW they are doing it.

You can "head them off @ the pass" largely, nowadays, by turning off "features" in browsers, that CAN & DO work against you for both speed & security...

(Heck, you can @ the OS level, using things like HOSTS files for instance (& no 3rd party tools needed), for both more speed & stronger security, amongst others tweaks & tunings!)

APK
 

Easy Rhino

Linux Advocate
Joined
Nov 13, 2006
Messages
14,405 (3.56/day)
Likes
4,256
System Name VHOST01 | Desktop
Processor i7 980x | i5 7500 Kaby Lake
Motherboard Gigabyte x58 Extreme | AsRock MicroATX Z170M Exteme4
Cooling Prolimatech Megahelams | Stock
Memory 6x4 GB @ 1333 | 2x 8G Gskill Aegis DDR4 2400
Video Card(s) Nvidia GT 210 | Nvidia GTX 970 FTW+
Storage 4x2 TB Enterprise RAID5 |Corsair mForce nvme 250G
Display(s) N/A | Dell 27" 1440p 8bit GSYNC
Case Lian Li ATX Mid Tower | Corsair Carbide 400C
Audio Device(s) NA | On Board
Power Supply SeaSonic 500W Gold | Seasonic SSR-650GD Flagship Prime Series 650W Gold
Mouse N/A | Logitech G900 Chaos Spectrum
Keyboard N/A | Posiden Z RGB Cherry MX Brown
Software Centos 7 | Windows 10
#6
eeeeeew java script. and flash ain't any better!
 

Scavar

#7
I wish I knew how to do things, because it would be nice to make it so that like, you can actively scan the java, javascript, flash, like. Uhh the page loads without it, and it can scan the stuff while the page is loaded, and then load it. Or something. Because I mean they are nice features if they were safe.

I know some white hat type of people sort of. I mean by malicious I mean the people who really do it to mess with people, and never release information. If you do it, just to show that you can, and then talk about it. That's different. That's more like me building a better catapult system, destroying like one small town, and everyone's freaking out, and then I'm like chill kingdoms near me, for this was just to prove I could do it. Look, this is how it works. You can even do good things with it like blah blah blah....


Right so anyways you get my point. I'll just have to get used to being safer. Because well, less headaches with nonsense.
 
#8
I wish I knew how to do things, because it would be nice to make it so that like, you can actively scan the java, javascript, flash, like. Uhh the page loads without it, and it can scan the stuff while the page is loaded, and then load it. Or something. Because I mean they are nice features if they were safe.
Stick around here, you'll learn a lot... I do, everyday, even if only 'little things' & imo, there IS nothing bigger, because they're the foundations of LARGER things imo!

Hey, I outline a few things thru the forums in regard to this type of thing, & other stuff, & so do others, via the methods THEY use vs. my own.

(Some are better than others, OVERALL, but most all of what I have seen noted by folks vs. methods I use, will work as well).

:)

* 8 ways to China in this stuff... quite often.

APK
 
#9
Like I've mentioned in the news post, NoScript on Firefox is a great way to control JavaScript - give it a go, I didn't think I'd like it but now I'm very glad I have it. It means I can let sites like TPU (which I trust... assuming W1zz doesn't have some secret plot) use JavaScript and flash, but I block any that I don't know about or don't trust - so I can still do what I want, and it's very easy to use. Obviously the safest thing is to remove Java from your system, but this gives you a good balance between security, features and ease-of-use.
 

WarEagleAU

Bird of Prey
Joined
Jul 9, 2006
Messages
10,809 (2.59/day)
Likes
529
Location
Gurley, AL
System Name Boddha Getta Boddha Getta Bah!
Processor AMD FX 6100 @ 4.432Ghz @1.382
Motherboard ASUS M5A99X EVO AMD 990X AMD SB950
Cooling Custom Water. EK 240MM Kit, Supreme HSF - Runs 35C
Memory 2 x 4GB Corsair Vengeance White LP @ 1.35V
Video Card(s) XFX Radeon HD 6870 980/1100
Storage WD Caviar Black 1.0TB, WD Caviar Green 1.0TB, WD 160GB
Display(s) Asus VH222/S 22: (21.5" Viewable) 1920x1080p HDMI LCD Monitor
Case NZXT White Switch 810
Audio Device(s) Onboard Realtek 5.1
Power Supply NZXT Hale 90 Gold Cert 750W Modular PSU
Software Windows 8.1 Profession 64 Bit
#10
Anything can be exploited. But it took them a while to find out how to do it.
 

Benpi

New Member
Joined
Dec 14, 2006
Messages
415 (0.10/day)
Likes
3
Processor AMD X2 4400+
Memory 2G
Video Card(s) 7950 GX2
Storage 2x 74g 10000rpm Raid:0
Display(s) Dell 1920x1200 widescreen
Software 3dmark06 score: 7650
#11
Anything can be exploited. But it took them a while to find out how to do it.
That's because 95% use IE. If you were going to hack a browser to better profit your company, why would you try to exploit a browser used by only 5 percent? You wouldn't as it would be a waste of time.

Avant Browser FTW!
 

kakazza

New Member
Joined
Aug 25, 2006
Messages
470 (0.11/day)
Likes
7
#12
"Mozilla Firefox appears to have lost some momentum. In January, 13.7 percent of all internet users browsed using Firefox, down from 14% in December. In contrast, Apple's Safari is gaining market usage. In January, 4.7% of all browser users used Safari, up from 4.2% in December. This is most likely due to more people using Mac OS X, which could be caused by all sorts of things (creative advertising, Core 2 Duo based iMacs, etc). Microsoft's Internet Explorer still accounts for 79.8% of all internet browser use."

http://www.techpowerup.com/?26044



@Jimmy

Yeah, NoScript is nice. Even better is the developer version which has an experimental Blacklist instead of only the whitelist :)