Hackers claim zero-day flaw in Firefox | CNET News.com by Rattle at 9:17 am EDT, Oct 1, 2006
The open-source Firefox Web browser is critically flawed in the way it handles JavaScript, two hackers said Saturday afternoon. An attacker could commandeer a computer running the browser simply by crafting a Web page that contains some malicious JavaScript code, Mischa Spiegelmock and Andrew Wbeelsoi said in a presentation at the ToorCon hacker conference here. The flaw affects Firefox on Windows, Apple Computer's Mac OS X and Linux, they said.
Ok, nothing shocking there.. "Internet Explorer, everybody knows, is not very secure. But Firefox is also fairly insecure," said Spiegelmock, who in everyday life works at blog company SixApart. He detailed the flaw, showing a slide that displayed key parts of the attack code needed to exploit it.
Irresponsible disclosure alarm starting to tingle.. The JavaScript issue appears to be a real vulnerability, Window Snyder, Mozilla's security chief, said after watching a video of the presentation Saturday night. "What they are describing might be a variation on an old attack," she said. "We're going to do some investigating." Snyder said she isn't happy with the disclosure and release of an exploit during the presentation. "It looks like they had enough information in their slide for an attacker to reproduce it," she said. "I think it is unfortunate because it puts users at risk, but that seems to be their goal."
Now the irresponsible disclosure alarm is full on ringing. They didn't give the Mozilla people heads-up on this before presenting? That's _not_ the right way to go about things.. Jesse Ruderman, a Mozilla security staffer, attended the presentation and was called up on the stage with the two hackers. He attempted to persuade the presenters to responsibly disclose flaws via Mozilla's bug bounty program instead of using them for malicious purposes such as creating networks of hijacked PCs, called botnets. "I do hope you guys change your minds and decide to report the holes to us and take away $500 per vulnerability instead of using them for botnets," Ruderman said. The two hackers laughed off the comment. "It is a double-edged sword, but what we're doing is really for the greater good of the Internet, we're setting up communication networks for black hats," Wbeelsoi said.
This is exactly the kind of crap that turns up the heat on everyone.. Vendors should be given a reasonable amount of heads-up when bugs are discovered before they are publicly presented. THAT is for the greater good of the Internet and users. Do any of the folks here in the MemeStreams community who are at ToorCon have any comments on this? Was anyone at the presentation?
RE: Hackers claim zero-day flaw in Firefox | CNET News.com by Dagmar at 9:27 am EDT, Oct 1, 2006
The two hackers laughed off the comment. "It is a double-edged sword, but what we're doing is really for the greater good of the Internet, we're setting up communication networks for black hats," Wbeelsoi said.
This looks like pure asshattery to me. It can't be said that the FF devs are unresponsive to bug reports or that they don't give credit, or that they drag their feet on fixing bugs. Heck, they don't even seem to mind reporting the bugs themselves while they're still working on a patch. ...but to try to pretend that it's for the good of the Internet that these guys keep their private exploits so that they can have their own little botnet is just bullshit.
RE: Hackers claim zero-day flaw in Firefox | CNET News.com by Decius at 2:14 pm EDT, Oct 1, 2006
Rattle wrote: Do any of the folks here in the MemeStreams community who are at ToorCon have any comments on this? Was anyone at the presentation?
This presentation was called "Lovin the LOLs, LOL is my will." I did not attend.
RE: Hackers claim zero-day flaw in Firefox | CNET News.com by Rattle at 8:43 pm EDT, Oct 1, 2006
This presentation was called "Lovin the LOLs, LOL is my will." I did not attend.
You have _got_ to be kidding me. I think these guys win the asshat award.
On Six Apart and the dropping of the 0day by Acidus at 2:34 pm EDT, Oct 2, 2006
So to settle all this craziness about disclosing Firefox 0day, I decided to call Six Apart's press office, as Mischa Spiegelmock claimed he works there. A gal named Jane Anderson, who has a killer accent BTW, talked with me and here's what I found out.
- Mischa does work for Six Apart
- Mischa didn't tell them he was doing this
- The company has contacted Mozilla, but Six Apart has nothing to do with getting the issue (issues?) resolved
- Any future information regarding this flaw (flaws?) will not be released/discussed by Six Apart
- Six Apart believes in responsible disclosure
- It is the understanding of Six Apart that the presentation was supposed to be funny, but people didn't seem to take it that way. How exact stack overflows in FF's JavaScript interpreter are funny was never really explained to me
- Jane has been *very* busy for the last day or so and this is causing them some major issues
I thanked Jane for talking so frankly with me but truth be told, they need to fire this guy. Immediately.
RE: On Six Apart and the dropping of the 0day by Decius at 1:21 am EDT, Oct 3, 2006
Acidus wrote: So to settle all this craziness about disclosing Firefox 0day, I decided to call Six Apart's press office, as Mischa Spiegelmock claimed he works there.
He has gone on record saying that this was a joke and that they don't have code execution.
RE: On Six Apart and the dropping of the 0day by k at 9:18 am EDT, Oct 3, 2006
Decius wrote: Acidus wrote: So to settle all this craziness about disclosing Firefox 0day, I decided to call Six Apart's press office, as Mischa Spiegelmock claimed he works there.
He has gone on record saying that this was a joke and that they don't have code execution.
I really don't get the joke. Maybe I'm not smart enough. Meantime the frontpage of google news shows headlines like:
"Firefox JavaScript security 'a complete mess'"
"Firefox zero-day exploit surfaces"
"Critical Firefox flaw exposed"
"Alleged 'Unfixable' Exploit in Firefox"
None of them got the joke either. To be sure, there's some sensationalism and irresponsible journalism on the part of the authors of those stories, but that doesn't change the fact that this "joke" has become a media nightmare for the Firefox folks. You just know the tech media have been crouched and ready for bad Firefox news... after months of "FIREFOX IS AWESOME," you know they wanted some comeuppance, fair or otherwise. So here it is, a restoration of "fairness" (in which fair is defined in the only way people seem to permit these days -- bash both sides equally), and the takedown they've all been waiting for. And an undeserved one as well, from where I'm standing. If you can put a price on customer good will (you can) then they're suffering very real damages over this completely unfunny "joke." Unfortunately they're probably painted into a corner on legal remedies because everyone will *say* they're out to shut down security research if they sue. It sucks, and these tools should've fucking known better.
RE: On Six Apart and the dropping of the 0day by Shannon at 4:39 pm EDT, Oct 3, 2006
k wrote: If you can put a price on customer good will (you can) then they're suffering very real damages over this completely unfunny "joke." Unfortunately they're probably painted into a corner on legal remedies because everyone will *say* they're out to shut down security research if they sue. It sucks, and these tools should've fucking known better.
Depends on what they sue them for.
RE: On Six Apart and the dropping of the 0day by k at 7:19 pm EDT, Oct 3, 2006
terratogen wrote: k wrote: If you can put a price on customer good will (you can) then they're suffering very real damages over this completely unfunny "joke." Unfortunately they're probably painted into a corner on legal remedies because everyone will *say* they're out to shut down security research if they sue. It sucks, and these tools should've fucking known better.
Depends on what they sue them for.
True, assuming people think about it. Not always a certainty...