The Register® — Biting the hand that feeds IT


Unpatched Firefox flaw lets fox into henhouse

Same sh*t, different zero-day


Updated: An unpatched memory corruption flaw in the latest version of Firefox gives attackers a means to drop malware onto vulnerable systems.

Security notification firm Secunia reports that the security bug (which it describes as extremely critical) stems from errors in handling JavaScript code. The flaw has been confirmed in the latest 3.5 version of Firefox, released in late June.

Older versions of the popular alternative browser might also be affected, Secunia warns.

Exploit code has been uploaded onto recently revived security exploit website milw0rm, a factor that could hasten the development of more attack code.

Secunia advises Firefox users to avoid browsing untrusted websites or following untrusted links pending the availability of a fix from Mozilla.

In an advisory released on Tuesday, Mozilla detailed the workarounds available to users until a patched build ships.
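The article does not spell out the workaround. The stop-gap Mozilla recommended at the time was to switch off the JavaScript JIT compiler for web content by setting the about:config preference javascript.options.jit.content to false. The script below is an added example, not Mozilla's or The Register's code: it writes that preference into a profile's user.js (which Firefox merges into its preferences at start-up) and then checks that the value is actually false rather than merely present. The profile directory is taken as an argument, and the demo run uses a scratch directory constructed for the purpose rather than a real profile.

```sh
#!/bin/sh
# Added example: apply and verify the interim workaround for the unpatched
# Firefox 3.5 JavaScript flaw by disabling the content JIT via user.js.
# Assumption: the caller passes the profile directory (on Linux, usually
# ~/.mozilla/firefox/<profile>/). Firefox must be restarted to pick it up.

JIT_PREF='javascript.options.jit.content'
WORKAROUND_LINE="user_pref(\"$JIT_PREF\", false);"

# Append the pref to user.js in the given profile, once; a second call does
# not duplicate the line. Returns non-zero if the directory does not exist.
apply_jit_workaround() {
    profile="$1"
    [ -d "$profile" ] || return 1
    if grep -q "\"$JIT_PREF\"" "$profile/user.js" 2>/dev/null; then
        return 0
    fi
    printf '%s\n' "$WORKAROUND_LINE" >> "$profile/user.js"
}

# Succeed only if user.js sets the pref to false. Matching on the value, not
# just the pref name, means a line that re-enables the JIT is not mistaken
# for a mitigation.
jit_disabled() {
    profile="$1"
    grep -Eq "^user_pref\(\"$JIT_PREF\",[[:space:]]*false\);" \
        "$profile/user.js" 2>/dev/null
}

# Stand-alone demo against a throwaway directory (constructed, not a real profile).
if [ "${1:-}" = "--demo" ]; then
    scratch=$(mktemp -d)
    apply_jit_workaround "$scratch"
    if jit_disabled "$scratch"; then
        echo "content JIT disabled in $scratch/user.js"
    fi
    rm -r "$scratch"
fi
```

Run it as `sh disable_jit.sh --demo` to see it work on a scratch directory, or call `apply_jit_workaround ~/.mozilla/firefox/<profile>` against a real profile with Firefox closed. Two caveats a practitioner would want: turning off the JIT costs script performance, so the line should be removed once a fixed Firefox build is installed, and blocking script outright with an add-on such as NoScript (discussed in the comments below) also prevents the vulnerable code path from being reached on untrusted sites.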

The appearance of an unpatched vulnerability in Firefox could hardly have come at a worse time because it coincides with confirmation from Microsoft on Monday of a second unpatched ActiveX flaw affecting users of its Internet Explorer software.

Only one of those two IE ActiveX bugs is likely to be fixed later on Tuesday, when Microsoft publishes its monthly Patch Tuesday update. That prompted some security researchers, including those at the SANS Institute's Internet Storm Centre, to consider recommending an alternative browser on security grounds.

Selecting Firefox over IE when both have unresolved security problems fails to make much sense, leaving Windows users looking for more secure surfing software alternatives with a choice limited to Opera, Safari and Google Chrome. ®


Latest Comments

NoScript is beside the point

Most people here are fully aware of how to mitigate javascript flaws, we've been doing so for over a decade. I'd even go so far as to say most of us know how to surf using Microsoft Firefox Installer without getting enough malware to warrant a rebuild.

But this isn't the point. The point is that computers have been sold for well over 15 years on the principle that everyone should not only have one, but they should use it to communicate with their grandchildren or college friends and perhaps learn a little bit about the world we live in.

Worse, they are then told a complete crock of shit when they're told that the expensive internet protection package they have bundled with the PC is going to make it safe to do so. Would it be so hard for one of these PC megastores to employ someone who has a clue and will not let anyone take a PC home without a decent firewall in place?

No, because that would be something close to customer service, so instead they'll sell a dog turd of a system and charge a premium for it. Fact is, if we are serious about continuing to earn our livings doing this or supporting the businesses that do this, we ought to be able to say with some confidence that you can surf corporate websites with no need to set up firewalls or install and then spend days answering questions from anti-JavaScript add-ons.

NoScript is not a piece of software you can give to someone who doesn't know how to copy photos from a digital camera memory stick. You might as well install it with a Simplified Chinese language pack for all the sense it will make to those that need it most.

If computers are the appliance that PC World and Best Buy claim they are, they should work with zero configuration required. And if they aren't then they shouldn't be sold to people without a cigarette warning on the box that tells them they'll need to spend months learning how to surf safely before connecting to the internet.

My own theory is that every PC should be bundled with 100 dvds stuffed full of the best porn and the network card safely configured with a screw driver and a mallet. Because what need for the internet if you've got what you wanted from it already?


Unpatched FF

Golly, I sure miss Opera. I miss it b/c I could not that 'lock'.

It just wasn't there. Plus, I had a site that was permanently blocked, a popular site.

I don't like FF. Where is speed dial?

This has nothing to say about unpatched FF or the slow start-up of 3.5.

But I worry about people using Opera. Be careful.


The problem with "trusted sites" advice...

The problem with "trusted sites" advice is that no site that allows user content with scripts and links can be trusted. This includes pretty much all of the top 10 destinations, eBuy, FaceSpace, YouBoob, et al.

I don't know why sites like eBay allow lusers to post JavaScript. I guess for the "rich user experience." All I've ever seen people do with it, though, is try to disable my ability to right-click in a misguided attempt to prevent people from saving their precious images. How rich is that?

I've said all along - if I can't use your site without script and cookies I won't be there long.

