-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Anthony Edwards wrote:
A new, quite fascinating vulnerability was apparently discovered today, which allows attackers to craft custom JavaScript code in order to gain access to information contained in system RAM; all current versions of Mozilla Firefox are believed to be affected:
http://secunia.com/advisories/14820/
An intriguing test for this vulnerability (watch information contained in system memory echo to the screen!) appears here:
http://secunia.com/mozilla_products_arbitrary_memory_exposure_test/
A temporary workaround is to disable JavaScript support; however, SuSE will presumably be releasing a patched version of Firefox?
The exploit is only an error in the JavaScript code, which leads to the problem. You have to know what to read out of memory to get any useful effect as an attacker. If this works on Firefox it will work on Mozilla as well, as Firefox is only the browser component of Mozilla. This means the error depends on Mozilla. O.K., this is a big loss in security, as memory can be read out. In comparison to Internet Explorer, no malicious code can be executed on the system. This is the benefit over Internet Explorer. If you program a web browser, many security-related but also content-related features must be implemented for each page to be displayed right.

Any exploits found for Firefox depend on phishing and XSS, except the X-server-related issue (not a problem of Firefox) which was discussed ([suse-security] Firefox invocation allows unintended root access) and this one reading out memory. In the case of the root problem, this was done on a 32-bit machine starting an xterm on a 64-bit machine. It seems this was related to a bug in XFree within 64-bit, as there were many security-related errors within the 64-bit version in Linux. So any problems are no real security holes of Firefox (the first was an XFree problem, the second is a problem of the JavaScript engine, which both are, as I think, not the problems of the Firefox developers, and the JavaScript engine has to be fixed in Mozilla and Firefox).

!!!_AND_!!! No write access to the local FS was possible at all, which could lead to execution of any code on the machine which accessed a web page. I would think this is the best thing that possibly could happen: the browser is exploitable, but the security hole doesn't make the machine intrudable by a remote website, which is the biggest problem within Windows, as the design error called IE does allow this and there is no patch against this available, as the IE team works on a newer version and doesn't fix the errors it provided by adding more and more interfaces for third-party plugins and trojans and viruses.

The more interfaces you provide, the more problems you can possibly get, even if it's an integrated plugin, which is the JavaScript engine. Any loss of control of a system has not been possible right now. Any discussions regarding problems on Linux, after it gets more and more popular, don't think about the fact that Linux is under continuous development even if packages are called stable. This means any future problems, even a mechanism to get access to a system, can be changed. On other OSes you don't have that benefit, as a) the code is too big to get any overview (and making it easy to find errors) and b) the developers only take time to get their software sold, and not to get it secure. So any discussion about that was the question when it would be changed, and this doesn't depend on SuSE, as they only provide a distribution and update their packages from the providers of the different software, which is discussed in their security-related mailing lists.

Did anybody send an e-mail to the Mozilla security team to get this problem noticed and fixed ASAP? After the Mozilla/Firefox team fixes this, SuSE will get a newer version, not in another way. SuSE provides the best software which you can get on the net. If there are any problems regarding config problems depending on what SuSE did on the RPMs, it's their fault.

The next point is that a thread should sort its content under the subject of each mail. The last posts didn't talk about Firefox, but SSH, so it would be nice to start a new thread, as all is sorted under firefox-problem.

Regards
Philippe

- --
This message is digitally signed and contains neither seal nor signature! The unsolicited sending of advertising e-mail to private individuals violates §1 UWG and 823 I BGB (ruling of the LG Berlin of 2.8.1998, file no. 16 O 201/98). Any commercial use of the transmitted personal data, as well as passing it on to third parties, is expressly prohibited!
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iQD1AwUBQlLdqkNg1DRVIGjBAQJKyQb+PpGq4WV6FljAUvdcPJ319DvCqm9M3PQt
Ls1IS9Jpbq5YkdcWDb8lK+dKLzT0C+x0gOijNs4eHaDe3LmYGjj8y1PsOWjkoAAE
X4k393tDW31orcuvL4+P5ukyeAlIAr844uXBBNpaSg2HeAQ+3bzl2M2Y8MTf0XEZ
pX8hZfag+Qecn1+ba2Gq9vD08mG6u6Wncsp68YnRY/EyHGFPiAF/9uyCCxkd3bdM
o0GV2lnCIoq84MaSueexHF8bBJFJPA1IgQCpVfWmBhbXkQNp4TW016FJKqm7quBp
6dgY1L46yb8=
=DFiP
-----END PGP SIGNATURE-----