  #1  
Old 09-09-2005, 08:47 AM
General Nuisance is offline General Nuisance
Registered User

Join Date: Oct 2004
Posts: 616

eek Firefox unpatched!

found this..

-----

A new, unpatched flaw that affects all versions of Firefox could let attackers surreptitiously run malicious code on users' PCs, a security researcher has warned.

The problem lies in the way Firefox handles Web links that are overly long and contain dashes, security researcher Tom Ferris said in an interview via instant messaging late Thursday.

He posted an advisory and a proof of concept to the Full Disclosure security mailing list and to his Security Protocols Web site.

The security vulnerability is a buffer overflow flaw that "allows for an attacker to remotely execute arbitrary code" on a vulnerable PC, Ferris said. An attacker could host a Web site containing the malicious code to exploit the flaw, he said. Though his proof of concept only crashes Firefox, Ferris claims he has been able to tweak it to run code.

Buffer overflows are a commonly exploited security problem. They occur when a program allows data to be written beyond the allocated end of a buffer in memory. A computer can be made to execute potentially malicious code by feeding in extra data that is designed to flood the buffer.

Ferris reported the bug to the Mozilla Foundation on Sunday, intending to go through the organization's bug-reporting process, he said. However, in an example of the uneasy alliance between security researchers and software makers, he decided to publicly disclose the flaw after a run-in with Mozilla staff, he said.

Mozilla, which coordinates development of Firefox and distributes the software, could not immediately comment on the flaw disclosure. However, a source close to the organization confirmed that Ferris had filed several bug reports, including this specific one.

Since the debut of Firefox 1.0 in November, usage of the open-source browser has grown. Security has been a main selling point for Firefox over Microsoft's Internet Explorer, which has begun to see its market share dip slightly--for the first time in years.

However, Firefox has had its own security woes. Several serious holes in the browser have been plugged since its official release, and experts have said that safe Web browsers don't exist.

The public bug disclosure comes just as Mozilla released the first beta of Firefox 1.5. The final release of the next Firefox update, which includes security enhancements, is due by year's end, according to the Firefox road map.

Ferris has found bugs in Microsoft software before, including a yet-unpatched flaw in Internet Explorer that Microsoft still has under investigation.

Earlier this month Microsoft credited Ferris with reporting a bug in a Windows feature called Remote Desktop Protocol that could allow an attacker to remotely restart Windows systems.

------------

source: http://news.com.com/Unpatched+Firefo...l?tag=nefd.top
__________________
The Nova-Zone


http://youraite.yourhost.yourusername.com - long urls
-looks bad
-who can remember it?
- Solution?
- Get a short Nova-Zone subdomain! Yoursite.nova-zone.com
- Now thats smart. just ask for one via pm,email or contact page on site.
  #2  
Old 09-09-2005, 09:44 AM
atholon is offline atholon
"ath-hole"

Join Date: Jan 2003
Location: Failville.
Posts: 11,357

You can never be completely safe but it is good that people are trying to make it better.
  #3  
Old 09-09-2005, 01:45 PM
VooDoo- is offline VooDoo-
Registered User

Join Date: Jan 2004
Location: Florida
Posts: 2,896

well .. it can't be worse than IE ..
  #4  
Old 09-09-2005, 03:21 PM
Lucky is offline Lucky
Registered User

Join Date: Aug 2004
Posts: 4,705

Quote:
Originally posted by VooDoo-
well .. it can't be worse than IE ..
true
  #5  
Old 09-10-2005, 05:57 AM
BADDOG is offline BADDOG
resigned

Join Date: Mar 2002
Posts: 7,050

Quote:
Originally posted by atholon
You can never be completely safe but it is good that people are trying to make it better.
I couldn't agree more Ath!!!!

Warm Regards
  #6  
Old 09-10-2005, 08:46 AM
katana*GFR* is offline katana*GFR*

Join Date: May 2002
Location: North Sea
Posts: 2,421

I agree with ath also, and I think FF is better than IE, just for the fact flaws and errors in the code are fixed quicker than in IE..
__________________
<- Sponsored by Chris



Found on Youtube:
Quote:
And if Newton Faulkner's voice can be described as "R&B" then Kurt Cobain must be a member of Boyz II Men.
Link here
  #7  
Old 09-10-2005, 02:03 PM
Hellfighter is offline Hellfighter
Chief ADFP

Join Date: Jun 2002
Location: San Jose Calif 95111
Posts: 21,143

If it's in your PC a hacker will get their dirty hands into it, you can bet on that one.

Browsers, games, office software, hackers love to "f" them up big time, they don't care.

You know what, I don't care if it is a child or a full-grown adult who is doing it, slam them in Fed/jail house rock for life or at least 20yrs to max 40yrs. By the time they get out all computer systems will be a new standard and they'll be outdated.
=========================================
on the lighter side of life last night i seen at a club two "blind" players? playing a LAN-game it was some thing like street fighter but up to date way cool.

these two player were really going at it. think it was Xbox game they was playing.

man they was going at it. yep they were blind as a bat but they can see each other somehow in the death match, they did not have to look for each other and when the other player did something the other player knew it was coming. wicked

there was a guy (not blind at all) there said he take on the winner if it was ok, Blind Vs the normal guy, but normal guy lasted 5min game over. OMFG blind guy was the winner
__________________
* altnews sources [getmo & others news] not found main FNN: realrawnews.com
*Discord: Unknown77#7121
Playing now days: EA Games> swtor [star wars old republic]

Last edited by Hellfighter; 09-10-2005 at 02:14 PM.
  #8  
Old 09-10-2005, 05:45 PM
SilentTrigger is offline SilentTrigger
-1PARA-

Join Date: Sep 2002
Location: Sweden
Posts: 3,972

Quote:
Originally posted by katana*GFR*
I agree with ath also, and I think FF is better than IE, just for the fact flaws and errors in the code are fixed quicker than in IE..
Yeah because everyone in the world is able to change the source code of it, which in itself can pose a problem if it gets official attention with a loophole in it, like this.
__________________
-1PARA-AlexKall

My photography website



  #9  
Old 09-10-2005, 06:26 PM
atholon is offline atholon
"ath-hole"

Join Date: Jan 2003
Location: Failville.
Posts: 11,357

I think the whole point is that it is UPDATED and security threats are taken more seriously by Mozilla than by Microsoft.
  #10  
Old 09-10-2005, 11:16 PM
Hellfighter is offline Hellfighter
Chief ADFP

Join Date: Jun 2002
Location: San Jose Calif 95111
Posts: 21,143

Quote:
The public bug disclosure comes just as Mozilla released the first beta of Firefox 1.5. The final release of the next Firefox update, which includes security enhancements, is due by year's end, according to the Firefox road map.
next year they will fix this not sooner, sad news if there any bug i like it be fix asap not wait next year some jerk may start to look into this now even more.

by the way Microsoft is releasing the new IE7 or IE10 soon. think it is IE7 can't say off hand. Windows Xp family is getting a new "Service pack 3" soon too.
  #11  
Old 09-11-2005, 01:26 AM
Lakie is offline Lakie

Join Date: Mar 2002
Posts: 5,540

A major security advantage that Firefox and the like have over IE is that they are used by a vast minority, the lowlifes out there will 99% of the time try to target IE, simply because it's used by 98% of people on the net. Their life would be more hellish if everyone used Firefox....

Also, the people that tend to use Firefox and other non-IE browsers tend to be the more technologically savvy people and that because of this anything they release won't cause as much of a problem...
  #12  
Old 09-11-2005, 03:28 AM
SilentTrigger is offline SilentTrigger
-1PARA-

Join Date: Sep 2002
Location: Sweden
Posts: 3,972

Quote:
Originally posted by atholon
I think the whole point is that it is UPDATED and security threats are taken more seriously by Mozilla than by Microsoft.
I doubt that it's taken more seriously, secondly why not use Mozilla then? It's a hell of a lot better than FireFox

The issue isn't about caring, it's about how fast you can work. FireFox is a very small target while IE is a really big target for hackers

Oh mike already covered that part hehe