Quantcast

Mozilla's Firefox Exploit

Discussion in 'Computers & Technology' started by N8 v2.0, Dec 14, 2005.

  1. N8 v2.0

    N8 v2.0 Not the sharpest tool in the shed

    Rep/Likes:
    17 / 149
    Joined:
    Oct 18, 2002
    Messages:
    11,008
    Location:
    The Cleft of Venus
    Attack Targets Mozilla
    Robert McMillan, IDG News Service
    Tue Dec 13,10:00 AM ET


    Computer users who have not upgraded to the latest version of Mozilla's Firefox browser may now have an extra incentive to do so, thanks to a hacker who has posted an exploit.

    Exploit Shown

    On Sunday, a hacker going by the name of Aviv Raff published sample code that could be used to take over the computers of Firefox users running version 1.0.4 or earlier of the browser. The exploit takes advantage of a known bug in the way Firefox processes the popular Javascript Web programming language.

    "I think it's been enough time for people to upgrade from v1.0.4. of Firefox. So, here is the PoC [proof of concept] exploit for the... vulnerability," he wrote on his blog.

    The bug was fixed in Mozilla version 1.0.5, which was released during the summer, and has also been fixed in version 1.7.9 of the Mozilla Suite, said Mike Schroepfer, vice president of engineering with Mozilla. "As long as users keep updated to the latest version, they're, in general, very safe."

    Similar to IE Flaw

    In some ways, this latest exploit is similar to highly publicized attack code that has been circulating for the Microsoft Internet Explorer browser, said Russ Cooper, editor of the NTBugtraq newslist and a scientist with security vendor Cybertrust.

    "It can install and run code of the attacker's choice if a victim visits a malicious Web site," he said of the IE bug in an interview via instant message.

    Users who are not already in the habit of frequently updating their browsers should change their ways, because browsers are "historically broken," Cooper said. "That means they have vulnerabilities regularly," he added. "You should keep them updated within 30 days of patches being made available, regardless of what the patch is for."

    The IE code, which was published in November, takes advantage of a Javascript problem that has not yet been patched.

    Many security experts expect Microsoft to patch its Javascript bug on Tuesday, but the Redmond, Washington, software giant has not confirmed that this will be the case.
     

    Please register to disable this ad.

  2. binary visions

    binary visions The voice of reason

    Rep/Likes:
    80 / 354
    Joined:
    Jun 13, 2002
    Messages:
    21,633
    Location:
    NC
    Why, N8? Why must you pollute every forum?

    :(
     
  3. Tenchiro

    Tenchiro Attention K Mart Shoppers

    Rep/Likes:
    5 / 0
    Joined:
    Jul 19, 2002
    Messages:
    5,407
    Location:
    New England
    Good thing I usually upgrade when a new version comes out.
     
  4. BUCKET

    BUCKET Monkey

    Rep/Likes:
    0 / 0
    Joined:
    Apr 30, 2004
    Messages:
    369
    Location:
    Rocktown, VA
    The newest version has some major flaws as well. Might want to hold out on upgrading - I'm sure a new maint. release will be coming soon.

    http://www.securityfocus.com/brief/73