Topic: FF3 exploit

[toasty0]

Firefox 3 Vulnerability Found


Thought some of the users of FF might like to know.

[Nemesis]

Good to see you back toasty0.   

[Bonk]

The vulnerability affects "Firefox 3.0 as well as prior versions of Firefox 2.0.x". So there will be a fix for FF2 users as well I assume. This report appears responsible, in that it has not been revealed publicly. I'm not worried.

http://dvlabs.tippingpoint.com/blog/2008/06/18/vulnerability-in-mozilla-firefox-30

[Nemesis]

There does seem to be a lack of information on this bug at present.  For example is it cross platform?  Are there steps you can take to limit it?  I'm running 2.0.0.14 on LinuxMint and my mother has it on WinXP (soon to be upgraded to V3) are they both vulnerable or only one of them?

How soon will there be a patch?  My guess is by Monday.  Just a guess though.

[Bonk]

Fixed:

http://www.mozilla.org/security/announce/2008/mfsa2008-34.html

[KBF MalaK]

Fixed:

http://www.mozilla.org/security/announce/2008/mfsa2008-34.html

Fixed- disable javascript.

LOL, some fix.

[Bonk]

Fixed- disable javascript.

LOL, some fix.

no, no... NOTE:

Workaround

Disable JavaScript until a version containing these fixes can be installed.

Title: Remote code execution by overflowing CSS reference counter
Impact: Critical
Announced: July 15, 2008
Reporter: TippingPoint Zero Day Initiative
Products: Firefox, Thunderbird, SeaMonkey

Fixed in: Firefox 3.0.1
  Firefox 2.0.0.16
  Thunderbird 2.0.0.16
  SeaMonkey 1.1.11

It is fixed.

Javascript is evil anyway. It will be the undoing of FF.

Besides, youll find most Firefox users run NoScript anyway.

[KBF MalaK]

Cool, thanks for the 'noscript' link, it seems ALL my computers with FF have been forcibly updated by Mozilla in the last week and all now have a fix'd version installed. I can now re-enable java/javascript and put 'noscript' on them. Thanks again for the 'heads-up'.

[jualdeaux]

I wonder how long it would have taken MS to put out a fixed version?

[Pestalence_XC]

Why would MS put out a new version when you can just DL a patch?  Besides MS patches every 2 weeks with fixes to vunerabilities.

[knightstorm]

Why would MS put out a new version when you can just DL a patch?  Besides MS patches every 2 weeks with fixes to vunerabilities.

You do know that noone's going to let MS live down that 200 day waiting period they gave us a while back.

[Pestalence_XC]

You mean when they were building IE 8?

[knightstorm]

No, back in the IE6 days.  It was a public relations disaster for MS, and still tarnishes its reputation.  As far as security patches go, MS can be a model citizen, but people will always think of that.

[toasty0]

No, back in the IE6 days.  It was a public relations disaster for MS, and still tarnishes its reputation.  As far as security patches go, MS can be a model citizen, but people will always think of that.

Yeah, that's always coming up in conversation. Just the other day when a group of were discussing the new Datagrid control in .Net 3.5 someone brought up the 'old' days of IE6. 

[toasty0]

I wonder how long it would have taken MS to put out a fixed version?

Probably infinity and beyond. MS has their own browser product. 

[knightstorm]

No, back in the IE6 days.  It was a public relations disaster for MS, and still tarnishes its reputation.  As far as security patches go, MS can be a model citizen, but people will always think of that.

Yeah, that's always coming up in conversation. Just the other day when a group of were discussing the new Datagrid control in .Net 3.5 someone brought up the 'old' days of IE6. 

In the world of software, and incident that happened 4 years ago is the old days.  My point was that MS has moved on since then, and made security a much higher priority.  However, the damage to its reputation has already been done.

[Javora]

Why would MS put out a new version when you can just DL a patch?  Besides MS patches every 2 weeks with fixes to vunerabilities.

Really??  I thought it was the second Tuesday of every month?

[Pestalence_XC]

Depends on the severity of Vunerabilities..

The second Tuesday of the month, MS releases fixes to their OS as well as put out any fixes to things like Media Player or .NET

2 weeks later, if there are is a major fix needed, MS will put out more security fixes.. not just major fixes, but what they have ready.

Also if you have Vista, which has Windows Defender (or XP users that have installed Windows Defender), that gets updated 2 to 3 times per week.. sometimes more through windows update.

[Javora]

Ok, cool thanks.

[toasty0]

No, back in the IE6 days.  It was a public relations disaster for MS, and still tarnishes its reputation.  As far as security patches go, MS can be a model citizen, but people will always think of that.

Yeah, that's always coming up in conversation. Just the other day when a group of were discussing the new Datagrid control in .Net 3.5 someone brought up the 'old' days of IE6. 

In the world of software, and incident that happened 4 years ago is the old days.  My point was that MS has moved on since then, and made security a much higher priority.  However, the damage to its reputation has already been done.

I thought you were acknowledging that you were flogging the proverbial dead horse with your 'old day's' reference.