Mozilla Flaw Lets Links Run Arbitrary Programs
With all the IE bashing going on recently, a flaw has been discovered in one of its competitor's browsers. The flaw affects both Mozilla and Firefox:
This is indeed a bit of a blow for the praised Mozilla browsers. On the plus side, however, a fix is already available. Get it here. It's good to know that even when such bugs are found, they are fixed promptly.Originally Posted by eWeek
Find the full article on eWeek.
So guys, what do you all make of this?
PHP Code:$s = new signature();
$s->sarcasm()->intellect()->font('Courier New')->display();
I think "all software has bugs"
A lot of bashing goes on when software is found to have flaws, I tend to take the view that it really comes down to how widespread use (and hence abuse) of software is - that will give an indication as to how many/often bugs are found which can be exploited.
The NetWare OS, for example, is used almost solely in corporate environments and not on a huge scale - it has horrible flaws which Novell have found over the years, only a handful have been picked up by white hats because noone has bothered to focus on attacking it.
The more market share a product has, the more likely it is to be targetted - as Mozilla gains users and functionality I think we'll see more attempts at exploiting holes in it.
~ I have CDO. It's like OCD except the letters are in alphabetical order, as they should be. ~
PC: Win10 x64 | Asus Maximus VIII | Core i7-6700K | 16GB DDR3 | 2x250GB SSD | 500GB SSD | 2TB SATA-300 | GeForce GTX1080
Camera: Canon 60D | Sigma 10-20/4.0-5.6 | Canon 100/2.8 | Tamron 18-270/3.5-6.3
A flaw in Windows more than anything. This patch stops Mozilla/Firefox being used to exploit the flaw. Look at the speed of response and ease of patching compared with IE too.
Yup, the problem was found and patched far more rapidly and easily than IE ever would be..
(\__/)
(='.'=)
(")_(")
good spot there kez. Pretty much ditto. there are always flaws. But at least it was fixed ASAP.
is this patch needed with 0.9.2?
edit never mind just seen it aint
remember, this exploit STILL exists in internet explorer, and has done for years.
the problem exists because firefox passes addresses to its host OS (macos, linux, windows) to retrieve an address - they didn't specifically have code there to say "windows can't even get that right, run for the hills"
have any of you actually read the slashdot writeup of this?
it wasn't picked up quickly - the question over whether or not to close the hole has been around in bugzilla for over TWO YEARS. It was only when an exploit was found recently that the patch was provided.
dothan 745 @ 2.4ghz | 2gb Corsair XMS (2-3-3-6) | dual raptors (raid0) | ATI 9700pro | CM201 | dual lg 1810
At least this got fixed like in the same day unlike IE that never seems to get fixed, also IE has the same vun and iirc has not been fixed !
So? As hexxy pointed out, IE still hasn't fixed the same bug, and tbh it's more of a windows handling bug than a specific flaw with the browser, as neither the Linux or Mac editions of the browser are vunerable to the exploit.
(\__/)
(='.'=)
(")_(")
that's not to say that this isn't an embarassment, but compared to internet explorer, the mozilla suite is still golden when it comes to security.
my point is its not possible to bash IE without bashing Mozilla here also - they waited almost TWO YEARS between knowing of the bug and actually fixing it. not only that, it was published on an open message board (bugzilla) where ANYONE could have written an exploit. At least with IE, the bugs aren't necessarily published (at least in such detail) so far before a fiz is released.
In addition, its more of a "feature" of the handler - IMO it should have been for Mozilla to not use said feature, rather than for Microsoft to provide it. Though this is debatable.
Having said this, I do feel safer using Firebird (not to mention the features...).
dothan 745 @ 2.4ghz | 2gb Corsair XMS (2-3-3-6) | dual raptors (raid0) | ATI 9700pro | CM201 | dual lg 1810
http://bugzilla.mozilla.org/show_bug.cgi?id=250180
seems the bug was opened on Opened: 2004-07-07 06:46 PDT
http://www.mccanless.us/mozilla/mozilla_bugs.htm to test it on your browser
if you knew this, then why didn't you write a patch to fix it? that is what bugzilla is for - it enables those with the know-how to fix problems.
anyhow, this is an exploit on a pre-release technology preview of a product. internet explorer is apparently finished, and a final release version.
Actually it affects Mozilla too, not just Firefox.
PHP Code:$s = new signature();
$s->sarcasm()->intellect()->font('Courier New')->display();
http://bugzilla.mozilla.org/show_bug.cgi?id=167475
Opened: 2002-09-09 04:41 PDT
Actually I only recently found out. And I'm not completely up to date with writing Mozilla extentions - neither should I be; there are plenty, more useful, technologies to learn about first.
dothan 745 @ 2.4ghz | 2gb Corsair XMS (2-3-3-6) | dual raptors (raid0) | ATI 9700pro | CM201 | dual lg 1810
There are currently 1 users browsing this thread. (0 members and 1 guests)
Posting Permissions
LinkBack URL
About LinkBacks
Reply With Quote
