New Firefox Vulnerability Exposed

[Jimmy 2004]

A serious new flaw in Mozilla's browser, Firefox, has been discovered which could allow malicious sites to exploit a system using the browser with JavaScript enabled. Mozilla's error tracking system classes the vulnerability as critical, and attackers could potentially access your system using a specially crafted HTML file and then run malware remotely. The recommendation from Mozilla is to disable JavaScript in Firefox until a fix is released, but another good idea may be to install the NoScript add-on which will allow you to control which sites can use Java and Flash. This flaw is present on all versions of Firefox, including the new 2.0.0.2 update, and is yet another illustration that Firefox is not immune to security exploits.

View at TechPowerUp Main Site

 

[Alec§taar]

A serious new flaw in Mozilla’s browser, Firefox, has been discovered which could allow malicious sites to exploit a system using the browser with JavaScript enabled. Mozilla’s error tracking system classes the vulnerability as critical, and attackers could potentially access your system using a specially crafted HTML file and then run malware remotely. The recommendation from Mozilla is to disable JavaScript in Firefox until a fix is released, but another good idea may be to install the NoScript add-on which will allow you to control which sites can use Java and Flash. This flaw is present on all versions of Firefox, including the new 2.0.0.2 update, and is yet another illustration that Firefox is not immune to security exploits.

Source: vunet.com

Another reason to TURN OFF JAVASCRIPT IN YOUR BROWSERS... gotta be the 2nd one this week alone.

(I've been saying this for Java, Javascript, ActiveX, & ActiveScripting since 1997 in various posts & articles etc. I have authored, & it's coming true, moreso now, than ever! I knew the days when this would get 'abused' were coming is why... I used it enough to see things you could do for "the good" could just as easily been used for "the bad" is why...)

APK

P.S.=> For sites that DEMAND it? Turn it on... but, by default, keep it OFF... heck, "the infamous they" can hijack your routers now using it! See here, for those that did NOT see that:

COMPUTER ROUTERS FACE HIJACK RISK:

http://forums.techpowerup.com/showthread.php?t=25734

It's good stuff for INTRANET usage, but on the public internet? Heck, crank it off, & only use it, IF you HAVE to! apk

 

[spectre440]

yet another illustration that Firefox is not immune to security exploits.

of course its not immune to security exploits, nothing is...

but fact of the matter remains that firefox is still about a buhjillion (yes, i made that number up) times more secure than IE...

and yeah, turning off javascript and keeping it off unless you absolutly need it... definantly a good idea. regerdless of what you might define "secure" or "unsecure" or what kind of add-ons/plugins/whatever you are using.

 

[Scavar]

I recently turned it off after listening to Alecstar and the Hijack router thing, and I have to say, its amazing just how many sites use it, including even our very own techpowerup.

And I have to say it is mildly annoying to have to set things like this up. I wish humans were less malicious.

 

[Alec§taar]

I recently turned it off after listening to Alecstar and the Hijack router thing, and I have to say, its amazing just how many sites use it, including even our very own techpowerup.

Yea, it is... but nice part about this forums & site is, that W1zzard doesn't make it MANDATORY to use Javascript...

E.G./I.E.-> Here, I use the site, just fine (maybe better imo) WITHOUT Javascript being set active in my webbrowsers!

And I have to say it is mildly annoying to have to set things like this up.

Ah, it is... but, you go FASTER, if you do it right... & also go online quite a bit more securely (the TRUE bonus).

I wish humans were less malicious.

So do I... but, there is a "bright-spot" too, because many of them WILL say how they created them, & how to work around them.

E.G.->

http://forums.techpowerup.com/showthread.php?t=26141

They're the "white hats", & they're NOT the ones to worry about!

... it's the "black hat" types that pull the tricks & don't tell others HOW they are doing it.

You can "head them off @ the pass" largely, nowadays, by turning off "features" in browsers, that CAN & DO work against you for both speed & security...

(Heck, you can @ the OS level, using things like HOSTS files for instance (& no 3rd party tools needed), for both more speed & stronger security, amongst others tweaks & tunings!)

APK

 

[Easy Rhino]

eeeeeew java script. and flash aint any better!

 

[Scavar]

I wish I knew how to do things, because it would be nice to make it so that like, you can actively scan the java, javascript, flash, like. Uhh the page loads without it, and it can scan the stuff while the page is loaded, and then load it. Or something. Because I mean they are nice features if they were safe.

I know some white hat type of people sort of. I mean by malicious I mean the people who really do it to mess with people, and never release information. If you do it, just to show that you can, and then talk about it. Thats different. Thats more like me building a better catapult system, destroying like one small town, and everyones freaking out, and then im like chill kingdoms near me, for this was just to prove I could do it. Look, this how it works. You can even do good things with it like blah blah blah....


Right so anyways you get my point. Ill just have to get use to being safer. Because well, less headaches with nonsense.

 

[Alec§taar]

I wish I knew how to do things, because it would be nice to make it so that like, you can actively scan the java, javascript, flash, like. Uhh the page loads without it, and it can scan the stuff while the page is loaded, and then load it. Or something. Because I mean they are nice features if they were safe.

Stick around here, you'll learn a lot... I do, everyday, even if only 'little things' & imo, there IS nothing bigger, because they're the foundations of LARGER things imo!

Hey, I outline a few things thru the forums in regard to this type of thing, & other stuff, & so do others, via the methods THEY use vs. my own.

(Some are better than others, OVERALL, but most all of what I have seen noted by folks vs. methods I use, will work as well).



* 8 ways to China in this stuff... quite often.

APK

 

[Jimmy 2004]

Like I've mentioned in the news post, NoScript on Firefox is a great way to control JavaScript - give it a go, I didn't think I'd like it but now I'm very glad I have it. It means I can let sites like TPU (which I trust... assuming W1zz doesn't have some secret plot) use JavaScript and flash, but I block any that I don't know about or don't trust - so I can still do what I want, and it's very easy to use. Obviously the safest thing is to remove Java from your system, but this gives you a good balance between security, features and ease-of-use.

 

[WarEagleAU]

Anything can be exploited. But it took them awhile to find out how to do it.

 

[Benpi]

Anything can be exploited. But it took them awhile to find out how to do it.

That's because 95% use IE. If you were going to hack a browser to better profit your company, why would you try to exploit a browser used by only 5 percent? You wouldn't as it would be a waste of time.

Avant Browser FTW!

 

[kakazza]

"Mozilla Firefox appears to have lost some momentum. In January, 13.7 percent of all internet users browsed using Firefox, down from 14% in December. In contrast, Apple's Safari is gaining market usage. In January, 4.7% of all browser users used Safari, up from 4.2% in December. This is most likely due to more people using Mac OS X, which could be caused by all sorts of things (creative advertising, Core 2 Duo based iMacs, etc). Microsoft's Internet Explorer still accounts for 79.8% of all internet browser use."

http://www.techpowerup.com/?26044



@Jimmy

Yeah, NoScript is nice. Even better is the developer version which has an experimental Blacklist instead of only the whitelist