kanotix.com

Anything goes - firefox javascript vulnerability

Swynndla - 02.10.2006, 23:40
Title: firefox javascript vulnerability
Due to:
http://it.slashdot.org/article.pl?sid=06/10/01/148202
it may be a good idea to install:
https://addons.mozilla.org/firefox/722/
... i.e. the "noscript" firefox extension, which blocks sites running java and javascript except for the ones that you allow.

Apparently the vulnerability lets people get access to your home directory.

It seems that a few people run the "noscript" extension because it also covers some past and also unknown future bugs. It also seems to stop some ads while it's at it.

DeepDayze - 03.10.2006, 15:09
Title: RE: firefox javascript vulnerability
Perhaps there may be a fix for it...but the noscript extension is a great "patch" as well.

devil - 03.10.2006, 17:16
Title: RE: firefox javascript vulnerability
swyndla,
this vulnerability exists, but cannot be used.
all i have as source is a reliable german site:
Code:
http://www.heise.de/newsticker/meldung/78965/from/rss09

i have been using noscript for quite a while anyways.

greetz
devil

piper - 03.10.2006, 18:52
Title: RE: firefox javascript vulnerability
"We got a chance to talk to Mischa Spiegelmock, the Toorcon speaker that reported the potential javascript security issue referenced earlier. He gave us more code to work with and also made this statement and agreed to let me post it here:

The main purpose of our talk was to be humorous.

As part of our talk we mentioned that there was a previously known Firefox vulnerability that could result in a stack overflow ending up in remote code execution. However, the code we presented did not in fact do this, and I personally have not gotten it to result in code execution, nor do I know of anyone who has.

I have not succeeded in making this code do anything more than cause a crash and eat up system resources, and I certainly haven’t used it to take over anyone else’s computer and execute arbitrary code.

I do not have 30 undisclosed Firefox vulnerabilities, nor did I ever make this claim. I have no undisclosed Firefox vulnerabilities. The person who was speaking with me made this claim, and I honestly have no idea if he has them or not.

I apologize to everyone involved, and I hope I have made everything as clear as possible.

Sincerely,
Mischa Spiegelmock

Even though Mischa hasn’t been able to achieve code execution, we still take this issue seriously. We will continue to investigate.

-Window Snyder"

Article can be found here

DeepDayze - 03.10.2006, 20:23
Title: RE: firefox javascript vulnerability
Seems this must have just been a lot of hoo-ha over small potatoes. I still stick to using noscript for blocking those unknown javascript bugs that can bite out of nowhere. Better safe than sorry IMO

Mike Shepard - 04.10.2006, 03:51
Title: RE: firefox javascript vulnerability
I personally like the QuickJava extension over the NoScript extension. It puts two icons on the status bar, one for java and one for javascript. Just click the icon and the feature is disabled, click again and it is enabled. I find it much more convenient, check it out.

Cheers,
Mike

All times are GMT + 1 hour