The open-source Firefox Web browser is critically flawed in the way it handles JavaScript, two hackers said Saturday afternoon.

An attacker could commandeer a computer running the browser simply by crafting a Web page that contains some malicious JavaScript code, Mischa Spiegelmock and Andrew Wbeelsoi said in a presentation at the ToorCon hacker conference here. The flaw affects Firefox on Windows, Apple Computer's Mac OS X and Linux, they said.

"Internet Explorer, everybody knows, is not very secure. But Firefox is also fairly insecure," said Spiegelmock, who in everyday life works at blog company SixApart. He detailed the flaw, showing a slide that displayed key parts of the attack code needed to exploit it.

The flaw is specific to Firefox's implementation of JavaScript, a 10-year-old scripting language widely used on the Web. In particular, various programming tricks can cause a stack overflow error, Spiegelmock said. The implementation is a "complete mess," he said. "It is impossible to patch."

The JavaScript issue appears to be a real vulnerability, Window Snyder, Mozilla's security chief, said after watching a video of the presentation Saturday night. "What they are describing might be a variation on an old attack," she said. "We're going to do some investigating."

Snyder said she isn't happy with the disclosure and release of an apparent exploit during the presentation. "It looks like they had enough information in their slide for an attacker to reproduce it," she said. "I think it is unfortunate because it puts users at risk, but that seems to be their goal."

At the same time, the presentation probably gives Mozilla enough data to fix the apparent flaw, Snyder said. However, because the possible flaw appears to be in the part of the browser that deals with JavaScript, addressing it might be tougher than the average patch, she added. "If it is in the JavaScript virtual machine, it is not going to be a quick fix," Snyder said.

The hackers claim they know of about 30 unpatched Firefox flaws. They don't plan to disclose them, instead holding on to the bugs.

View: Full Story
News source: CNET News.com

I saw where some people have suggested using the NoScript extension to fix this problem. But it has always been shocking to me just how popular NoScript is. I mean, I hate JavaScript just as much as the next person, but by disabling JavaScript, you botch up about 75% of the sites on the Internet, making many of them completely unusable.

I use NoScript as a stop-gap solution. I enable it on sites I trust and temporarily on sites I think might be trustworthy until I know if they are. With this exploit, it appears you have to go to a web-site specifically set up to take advantage of it and if most people are smart and careful, it should reduce the risks of it successfully exploiting the flaw. For the time being, my trusted list is going to be restricted greatly though.

So, what else is new? Did anybody REALLY think Firefox was any better than IE? Does anybody REALLY think any browser is better than the other anymore?

If hackers/crackers or anybody REALLY wants to exploit any browser, I'm sure it can and could be done. Just that the fanboys have so many people turned on to Firefox, that it's time to start attacking it.

If anyone didn't know, the exploit was a HOAX

http://www.betanews.com/article/Firefox_Fl...aker/1159903320