MSMVPS.COM

The Ultimate Destination for Blogs by Current and Former Microsoft Most Valuable Professionals.
Welcome to MSMVPS.COM Sign in | Help
in Search
Home Blogs Media Groups

Harry Waldron - Microsoft MVP Blog

Security News and Best Practices for corporate and home users

Mozilla Firefox - New Javascript Vulnerabilities

The NoScript extension can be added to point out potentially hostile JS scripts.  Safe email processing (avoid all URLs) and browsing only at trusted sites and will also help. The ZDNET article also notes that this could be a fairly complicated and lengthy fix. 

0day vulnerabilities in Firefox, with source
http://blogs.securiteam.com/index.php/archives/657

This quote describes why no browser can be considered completely safe:

QUOTE: Browsers are inherently insecure by design, not because of any one vendors particular implementation. Their objective is to retrieve arbitrary textual content from an untrusted network location, parse that text into a set of processing instructions and then render a visual representation of the document. Browsers are semi-compilers with a range of legacy deviations that all add up to enormously complex parsing environments, the perfect hunting ground for vulnerabilities caused by developer oversight. Adding Javascript on top of that only increases the complexity linearly instead of exponentially.


Hackers claim zero-day flaw in Firefox
http://news.zdnet.com/2100-1009_22-6121608.html

QUOTE: The flaw is specific to Firefox's implementation of JavaScript, a 10-year-old scripting language widely used on the Web. In particular, various programming tricks can cause a stack overflow error, Spiegelmock said. The implementation is a "complete mess," he said. "It is impossible to patch."

The JavaScript issue appears to be a real vulnerability, Window Snyder, Mozilla's security chief, said after watching a video of the presentation Saturday night. "What they are describing might be a variation on an old attack," she said. "We're going to do some investigating."

Snyder said she isn't happy with the disclosure and release of an apparent exploit during the presentation. "It looks like they had enough information in their slide for an attacker to reproduce it," she said. "I think it is unfortunate because it puts users at risk, but that seems to be their goal."

At the same time, the presentation probably gives Mozilla enough data to fix the apparent flaw, Snyder said. However, because the possible flaw appears to be in the part of the browser that deals with JavaScript, addressing it might be tougher than the average patch, she added. "If it is in the JavaScript virtual machine, it is not going to be a quick fix," Snyder said.

Only published comments... Oct 02 2006, 12:22 PM by Harry Waldron

Leave a Comment

(required) 
(optional)
(required) 
Submit

This Blog

Syndication

Recent Posts

Archives

Personal Links


Copyright © is the original authors. Blog site is an independent site not sponsored by Microsoft. The Yoda blog server and the Brianna SQL server would like to thank www.ownwebnow.com and www.exchangedefender.com. They wouldn't be here and broadcasting without the generosity of Vlad Mazek and his companies.

Powered by Community Server (Commercial Edition), by Telligent Systems