Firefox security issue, fix slated for next week

Gary · Mar 26, 2009, 07:26:16

"Online attack code has been released targeting a critical, unpatched flaw in the Firefox browser.

The attack code, written by security researcher Guido Landi was published on several security sites Wednesday, sending Firefox developers scrambling to patch the issue. Until the flaw is patched, this code could be modified by attackers and used to sneak unauthorized software onto a Firefox user's machine. By tricking a victim into viewing a maliciously coded XML file, an attacker could use this bug to install unauthorized software on a victim's system"

Just a warning to all us FF users to beware, till 3.08 is released next week, as there seems to be no way of reducing the attack vector at this time, at least it will get patched quickly.

Rik · Mar 26, 2009, 08:57:42

Thanks, Gary. So, that's us all off line for a week then?

Gary · Mar 26, 2009, 08:58:39

Quote from: Rik on Mar 26, 2009, 08:57:42
Thanks, Gary. So, that's us all off line for a week then?

Just duck and dive, Rik

That sounds like a dance......

Rik · Mar 26, 2009, 09:00:08

Or me playing tennis.

Gary · Mar 26, 2009, 09:02:14

Quote from: Rik on Mar 26, 2009, 09:00:08
Or me playing tennis.

or me asking Justina to paint the shed

Rik · Mar 26, 2009, 09:04:15

You need a more subtle approach.

Steve · Mar 26, 2009, 09:06:30

Go on Safari

Rik · Mar 26, 2009, 09:07:41

Swinging?

Steve · Mar 26, 2009, 09:10:57

My wife would not approve and I'd get the ugly one.

somanyholes · Mar 26, 2009, 09:13:26

for those that want to look further. The link below does not exploit the system...

http://www.milw0rm.com/exploits/8285

and yes the file you can download happily crashed my ff

Rik · Mar 26, 2009, 09:15:06

Quote from: stevethegas on Mar 26, 2009, 09:10:57
My wife would not approve and I'd get the ugly one.

Someone who wasn't into hi fi in the 60s.

Rik · Mar 26, 2009, 09:15:42

Quote from: somanyholes on Mar 26, 2009, 09:13:26
for those that want to look further. The link below does not exploit the system...

http://www.milw0rm.com/exploits/8285

and yes the file you can download happily crashed my ff

I just get:

// firefox XSL parsing remote memory corruption poc

// k`sOSe - works both in windows and linux

http://milw0rm.com/sploits/2009-ffox-poc.tar.gz

# milw0rm.com [2009-03-25]

Steve · Mar 26, 2009, 09:19:23

If you uncompress it and then open the file ff crashes.

Rik · Mar 26, 2009, 09:22:22

Ah, I wasn't that keen.

Gary · Mar 26, 2009, 09:25:39

Quote from: Rik on Mar 26, 2009, 09:04:15

You need a more subtle approach.

I tried that, Rik. I said the garden gate would only take an hour, it took 2 and a half

Rik · Mar 26, 2009, 09:45:05

I start at five minutes.

Sebby · Mar 26, 2009, 13:14:24

So which is the safest browser this week?

somanyholes · Mar 26, 2009, 13:31:51

i reckon links is

http://en.wikipedia.org/wiki/Links_(web_browser)

Lance · Mar 26, 2009, 13:40:57

Quote from: Sebby on Mar 26, 2009, 13:14:24
So which is the safest browser this week?

The oone on a computer not switched on

Rik · Mar 26, 2009, 14:48:30

It's becoming increasingly true, unfortunately.

Sebby · Mar 26, 2009, 18:59:54

Quote from: somanyholes on Mar 26, 2009, 13:31:51
i reckon links is

http://en.wikipedia.org/wiki/Links_(web_browser)

Never heard of it, so thanks.

somanyholes · Mar 27, 2009, 07:55:21

it's an old school text based browser sebby, that isn't much use in the web world today. The reason it's probably fairly secure is the fact that there's pretty much no addons that you can use and get owned by. No flash, pdf's active x so on and so forth. A neat little appp for basic text stuff though.

http://www.jikos.cz/~mikulas/links/screenshots/jpg.html

somanyholes · Mar 27, 2009, 08:08:48

interesting read

http://nsslabs.com/test-reports/NSS%20Labs%20Browser%20Security%20Test%20-%20Socially%20Engineered%20Malware.pdf

Rik · Mar 27, 2009, 08:56:35

And I so wanted to avoid IE8.

somanyholes · Mar 27, 2009, 08:59:27

give it time and it will all level out