Monday, October 02, 2006

Hackers claim zero-day flaw in Firefox

 

SAN DIEGO--The open-source Firefox Web browser is critically flawed in the way it handles JavaScript, two hackers said Saturday afternoon.

An attacker could commandeer a computer running the browser simply by crafting a Web page that contains some malicious JavaScript code, Mischa Spiegelmock and Andrew Wbeelsoi said in a presentation at the ToorCon hacker conference here. The flaw affects Firefox on Windows, Apple Computer's Mac OS X and Linux, they said.

"Internet Explorer, everybody knows, is not very secure. But Firefox is also fairly insecure," said Spiegelmock, who in everyday life works at blog company SixApart. He detailed the flaw, showing a slide that displayed key parts of the attack code needed to exploit it.

The flaw is specific to Firefox's implementation of JavaScript, a 10-year-old scripting language widely used on the Web. In particular, various programming tricks can cause a stack overflow error, Spiegelmock said. The implementation is a "complete mess," he said. "It is impossible to patch."

Link to Hackers claim zero-day flaw in Firefox | Tech News on ZDNet

Firefox has increasingly been finding favour with users around the world. Our own web logging statistics show a dramatic increase in visitors to our site using Firefox over the past year, and I use Firefox as my "first choice" browser. Whether it will be easy to patch or, as the hackers claim, impossible, remains to be seen, but there is already a good solution out there for this issue. Because of the "open source" nature of Firefox, there is a plethora of "extensions" available to add features to the browser, and I would recommend installing NoScript as a matter of course. NoScript stops JavaScript running automatically, whilst giving you the option to allow sites that you trust to run Java. JavaScript adds great functionality to sites, but can run malicious and damaging code, whether you are using Internet Explorer or Firefox. Download here.

 

