Topic: FF3 exploit  (Read 6219 times)

0 Members and 1 Guest are viewing this topic.

Offline toasty0

  • Application.Quit();
  • Captain
  • *
  • Posts: 8045
  • Gender: Male
FF3 exploit
« on: June 18, 2008, 11:15:45 pm »
Firefox 3 Vulnerability Found


Thought some of the users of FF might like to know.
MCTS: SQL Server 2005 | MCP: Windows Server 2003 | MCTS: Microsoft Certified Technology Specialist | MCT: Microsoft Certified Trainer | MOS: Microsoft Office Specialist 2003 | VSP: VMware Sales Professional | MCTS: Vista

Offline Nemesis

  • Captain Kayn
  • Global Moderator
  • Commodore
  • *
  • Posts: 13067
Re: FF3 exploit
« Reply #1 on: June 19, 2008, 06:30:30 am »
Good to see you back toasty0.   :thumbsup:
Do unto others as Frey has done unto you.
Seti Team    Free Software
I believe truth and principle do matter. If you have to sacrifice them to get the results you want, then the results aren't worth it.
 FoaS_XC : "Take great pains to distinguish a criticism vs. an attack. A person reading a post should never be able to confuse the two."

Offline Bonk

  • Commodore
  • *
  • Posts: 13298
  • You don't have to live like a refugee.
Re: FF2 & FF3 exploit
« Reply #2 on: June 19, 2008, 08:07:56 am »
The vulnerability affects "Firefox 3.0 as well as prior versions of Firefox 2.0.x". So there will be a fix for FF2 users as well I assume. This report appears responsible, in that it has not been revealed publicly. I'm not worried.

http://dvlabs.tippingpoint.com/blog/2008/06/18/vulnerability-in-mozilla-firefox-30


Offline Nemesis

  • Captain Kayn
  • Global Moderator
  • Commodore
  • *
  • Posts: 13067
Re: FF3 exploit
« Reply #3 on: June 19, 2008, 08:22:07 am »
There does seem to be a lack of information on this bug at present.  For example is it cross platform?  Are there steps you can take to limit it?  I'm running 2.0.0.14 on LinuxMint and my mother has it on WinXP (soon to be upgraded to V3) are they both vulnerable or only one of them?

How soon will there be a patch?  My guess is by Monday.  Just a guess though.
Do unto others as Frey has done unto you.
Seti Team    Free Software
I believe truth and principle do matter. If you have to sacrifice them to get the results you want, then the results aren't worth it.
 FoaS_XC : "Take great pains to distinguish a criticism vs. an attack. A person reading a post should never be able to confuse the two."

Offline Bonk

  • Commodore
  • *
  • Posts: 13298
  • You don't have to live like a refugee.
Re: FF3 exploit
« Reply #4 on: July 17, 2008, 02:49:09 pm »

Offline KBF MalaK

  • Just Another Target
  • Lt.
  • *
  • Posts: 673
Re: FF3 exploit
« Reply #5 on: July 17, 2008, 03:12:46 pm »
"Artificial Intelligence is not a suitable substitute for natural stupidity"                                                                                                                                                                                                                                                                       

Offline Bonk

  • Commodore
  • *
  • Posts: 13298
  • You don't have to live like a refugee.
Re: FF3 exploit
« Reply #6 on: July 17, 2008, 04:24:29 pm »

Fixed- disable javascript.

LOL, some fix.


no, no... NOTE:
Quote
Workaround

Disable JavaScript until a version containing these fixes can be installed.


Quote
Title: Remote code execution by overflowing CSS reference counter
Impact: Critical
Announced: July 15, 2008
Reporter: TippingPoint Zero Day Initiative
Products: Firefox, Thunderbird, SeaMonkey

Fixed in: Firefox 3.0.1
  Firefox 2.0.0.16
  Thunderbird 2.0.0.16
  SeaMonkey 1.1.11


It is fixed.

Javascript is evil anyway. It will be the undoing of FF.

Besides, youll find most Firefox users run NoScript anyway.

Offline KBF MalaK

  • Just Another Target
  • Lt.
  • *
  • Posts: 673
Re: FF3 exploit
« Reply #7 on: July 18, 2008, 11:29:02 am »
Cool, thanks for the 'noscript' link, it seems ALL my computers with FF have been forcibly updated by Mozilla in the last week and all now have a fix'd version installed. I can now re-enable java/javascript and put 'noscript' on them. Thanks again for the 'heads-up'.
"Artificial Intelligence is not a suitable substitute for natural stupidity"                                                                                                                                                                                                                                                                       

Offline jualdeaux

  • The Quiet One
  • Global Moderator
  • Commander
  • *
  • Posts: 2758
Re: FF3 exploit
« Reply #8 on: July 19, 2008, 08:46:00 pm »
I wonder how long it would have taken MS to put out a fixed version?
Only in America .....do we use the word 'politics' to describe the process so well: 'Poli' in Latin meaning 'many' and 'tics' meaning 'bloodsucking creatures'.

Offline Pestalence_XC

  • "The Terminator"
  • Commander
  • *
  • Posts: 2636
  • Gender: Male
  • "The Terminator" Pestalence_XC, Xenocorp
Re: FF3 exploit
« Reply #9 on: July 20, 2008, 01:20:39 am »
Why would MS put out a new version when you can just DL a patch?  Besides MS patches every 2 weeks with fixes to vunerabilities.
"You still don't get it, do you?......That's what he does. That's all he does! You can't stop him! It can't be bargained with. It can't be reasoned with. It doesn't feel pity, or remorse, or fear. And it absolutely will not stop, ever, until you are dead!"

Member :
Xenocorp / Dynaverse.net Moderator & Beta Test Team
SFC 4 Project QA Coordinator
Taldren Beta Test Team
14 Degrees East Beta Test Team
Activision Visioneers SFC 3 Beta Test Team

Offline knightstorm

  • His Imperial Highness, Norton II, Emperor of the United States and Protector of Mexico
  • Lt. Commander
  • *
  • Posts: 2106
Re: FF3 exploit
« Reply #10 on: July 20, 2008, 02:31:06 am »
Why would MS put out a new version when you can just DL a patch?  Besides MS patches every 2 weeks with fixes to vunerabilities.


You do know that noone's going to let MS live down that 200 day waiting period they gave us a while back.

Offline Pestalence_XC

  • "The Terminator"
  • Commander
  • *
  • Posts: 2636
  • Gender: Male
  • "The Terminator" Pestalence_XC, Xenocorp
Re: FF3 exploit
« Reply #11 on: July 20, 2008, 02:58:10 am »
You mean when they were building IE 8?
"You still don't get it, do you?......That's what he does. That's all he does! You can't stop him! It can't be bargained with. It can't be reasoned with. It doesn't feel pity, or remorse, or fear. And it absolutely will not stop, ever, until you are dead!"

Member :
Xenocorp / Dynaverse.net Moderator & Beta Test Team
SFC 4 Project QA Coordinator
Taldren Beta Test Team
14 Degrees East Beta Test Team
Activision Visioneers SFC 3 Beta Test Team

Offline knightstorm

  • His Imperial Highness, Norton II, Emperor of the United States and Protector of Mexico
  • Lt. Commander
  • *
  • Posts: 2106
Re: FF3 exploit
« Reply #12 on: July 20, 2008, 03:03:20 am »
No, back in the IE6 days.  It was a public relations disaster for MS, and still tarnishes its reputation.  As far as security patches go, MS can be a model citizen, but people will always think of that.
« Last Edit: July 20, 2008, 05:13:54 am by knightstorm »

Offline toasty0

  • Application.Quit();
  • Captain
  • *
  • Posts: 8045
  • Gender: Male
Re: FF3 exploit
« Reply #13 on: July 20, 2008, 10:05:30 am »
No, back in the IE6 days.  It was a public relations disaster for MS, and still tarnishes its reputation.  As far as security patches go, MS can be a model citizen, but people will always think of that.

Yeah, that's always coming up in conversation. Just the other day when a group of were discussing the new Datagrid control in .Net 3.5 someone brought up the 'old' days of IE6.  ::)
MCTS: SQL Server 2005 | MCP: Windows Server 2003 | MCTS: Microsoft Certified Technology Specialist | MCT: Microsoft Certified Trainer | MOS: Microsoft Office Specialist 2003 | VSP: VMware Sales Professional | MCTS: Vista

Offline toasty0

  • Application.Quit();
  • Captain
  • *
  • Posts: 8045
  • Gender: Male
Re: FF3 exploit
« Reply #14 on: July 20, 2008, 10:06:54 am »
I wonder how long it would have taken MS to put out a fixed version?

Probably infinity and beyond. MS has their own browser product.  :angel:
MCTS: SQL Server 2005 | MCP: Windows Server 2003 | MCTS: Microsoft Certified Technology Specialist | MCT: Microsoft Certified Trainer | MOS: Microsoft Office Specialist 2003 | VSP: VMware Sales Professional | MCTS: Vista

Offline knightstorm

  • His Imperial Highness, Norton II, Emperor of the United States and Protector of Mexico
  • Lt. Commander
  • *
  • Posts: 2106
Re: FF3 exploit
« Reply #15 on: July 20, 2008, 04:38:59 pm »
No, back in the IE6 days.  It was a public relations disaster for MS, and still tarnishes its reputation.  As far as security patches go, MS can be a model citizen, but people will always think of that.

Yeah, that's always coming up in conversation. Just the other day when a group of were discussing the new Datagrid control in .Net 3.5 someone brought up the 'old' days of IE6.  ::)

In the world of software, and incident that happened 4 years ago is the old days.  My point was that MS has moved on since then, and made security a much higher priority.  However, the damage to its reputation has already been done.
« Last Edit: July 20, 2008, 04:57:17 pm by knightstorm »

Offline Javora

  • America for Americans first.
  • Commander
  • *
  • Posts: 3002
  • Gender: Male
Re: FF3 exploit
« Reply #16 on: July 20, 2008, 06:37:07 pm »
Why would MS put out a new version when you can just DL a patch?  Besides MS patches every 2 weeks with fixes to vunerabilities.

Really??  I thought it was the second Tuesday of every month?

Offline Pestalence_XC

  • "The Terminator"
  • Commander
  • *
  • Posts: 2636
  • Gender: Male
  • "The Terminator" Pestalence_XC, Xenocorp
Re: FF3 exploit
« Reply #17 on: July 20, 2008, 07:21:36 pm »
Depends on the severity of Vunerabilities..

The second Tuesday of the month, MS releases fixes to their OS as well as put out any fixes to things like Media Player or .NET

2 weeks later, if there are is a major fix needed, MS will put out more security fixes.. not just major fixes, but what they have ready.

Also if you have Vista, which has Windows Defender (or XP users that have installed Windows Defender), that gets updated 2 to 3 times per week.. sometimes more through windows update.
"You still don't get it, do you?......That's what he does. That's all he does! You can't stop him! It can't be bargained with. It can't be reasoned with. It doesn't feel pity, or remorse, or fear. And it absolutely will not stop, ever, until you are dead!"

Member :
Xenocorp / Dynaverse.net Moderator & Beta Test Team
SFC 4 Project QA Coordinator
Taldren Beta Test Team
14 Degrees East Beta Test Team
Activision Visioneers SFC 3 Beta Test Team

Offline Javora

  • America for Americans first.
  • Commander
  • *
  • Posts: 3002
  • Gender: Male
Re: FF3 exploit
« Reply #18 on: July 20, 2008, 07:27:32 pm »
Ok, cool thanks.

Offline toasty0

  • Application.Quit();
  • Captain
  • *
  • Posts: 8045
  • Gender: Male
Re: FF3 exploit
« Reply #19 on: July 20, 2008, 07:56:05 pm »
No, back in the IE6 days.  It was a public relations disaster for MS, and still tarnishes its reputation.  As far as security patches go, MS can be a model citizen, but people will always think of that.

Yeah, that's always coming up in conversation. Just the other day when a group of were discussing the new Datagrid control in .Net 3.5 someone brought up the 'old' days of IE6.  ::)

In the world of software, and incident that happened 4 years ago is the old days.  My point was that MS has moved on since then, and made security a much higher priority.  However, the damage to its reputation has already been done.

I thought you were acknowledging that you were flogging the proverbial dead horse with your 'old day's' reference.
MCTS: SQL Server 2005 | MCP: Windows Server 2003 | MCTS: Microsoft Certified Technology Specialist | MCT: Microsoft Certified Trainer | MOS: Microsoft Office Specialist 2003 | VSP: VMware Sales Professional | MCTS: Vista

Offline knightstorm

  • His Imperial Highness, Norton II, Emperor of the United States and Protector of Mexico
  • Lt. Commander
  • *
  • Posts: 2106
Re: FF3 exploit
« Reply #20 on: July 20, 2008, 07:57:34 pm »
No, back in the IE6 days.  It was a public relations disaster for MS, and still tarnishes its reputation.  As far as security patches go, MS can be a model citizen, but people will always think of that.

Yeah, that's always coming up in conversation. Just the other day when a group of were discussing the new Datagrid control in .Net 3.5 someone brought up the 'old' days of IE6.  ::)

In the world of software, and incident that happened 4 years ago is the old days.  My point was that MS has moved on since then, and made security a much higher priority.  However, the damage to its reputation has already been done.

I thought you were acknowledging that you were flogging the proverbial dead horse with your 'old day's' reference.

I thought the old days reference was your sarcastic attempt to flame me

Offline toasty0

  • Application.Quit();
  • Captain
  • *
  • Posts: 8045
  • Gender: Male
Re: FF3 exploit
« Reply #21 on: July 20, 2008, 08:03:22 pm »
No, back in the IE6 days.  It was a public relations disaster for MS, and still tarnishes its reputation.  As far as security patches go, MS can be a model citizen, but people will always think of that.

Yeah, that's always coming up in conversation. Just the other day when a group of were discussing the new Datagrid control in .Net 3.5 someone brought up the 'old' days of IE6.  ::)

In the world of software, and incident that happened 4 years ago is the old days.  My point was that MS has moved on since then, and made security a much higher priority.  However, the damage to its reputation has already been done.

I thought you were acknowledging that you were flogging the proverbial dead horse with your 'old day's' reference.

I thought the old days reference was your sarcastic attempt to flame me

My flames are always obvious, to the point, and very very pointed. Just ask any of the long timers here.

You'll know when I'm flaming...your first hint will be a big ball of flaming poop coming your way. :)
MCTS: SQL Server 2005 | MCP: Windows Server 2003 | MCTS: Microsoft Certified Technology Specialist | MCT: Microsoft Certified Trainer | MOS: Microsoft Office Specialist 2003 | VSP: VMware Sales Professional | MCTS: Vista