| ActiveMac | Anonymous | Create a User | Reviews | News | Forums | Advertise |
|
|
|
User Controls |
|
New User |
|
Login |
|
Edit/View My Profile |
|
|
|
|
|
|
|
ActiveMac |
|
Articles |
|
Forums |
|
Links |
|
News |
|
News Search |
|
Reviews |
|
|
|
|
|
|
|
News Centers |
|
Windows/Microsoft |
|
DVD |
|
ActiveHardware |
|
Xbox |
|
MaINTosh |
|
News Search |
|
|
|
|
|
|
|
ANet Chats |
|
The Lobby |
|
Special Events Room |
|
Developer's Lounge |
|
XBox Chat |
|
|
|
|
|
|
|
FAQ's |
|
Windows 98/98 SE |
|
Windows 2000 |
|
Windows Me |
|
Windows "Whistler" XP |
|
Windows CE |
|
Internet Explorer 6 |
|
Internet Explorer 5 |
|
Xbox |
|
DirectX |
|
DVD's |
|
|
|
|
|
|
|
TopTechTips |
|
Registry Tips |
|
Windows 95/98 |
|
Windows 2000 |
|
Internet Explorer 4 |
|
Internet Explorer 5 |
|
Windows NT Tips |
|
Program Tips |
|
Easter Eggs |
|
Hardware |
|
DVD |
|
|
|
|
|
|
|
Latest Reviews |
|
Applications |
|
Microsoft Windows XP Professional |
|
Norton SystemWorks 2002 |
|
|
|
Hardware |
|
Intel Personal Audio Player 3000 |
|
Microsoft Wireless IntelliMouse Explorer |
|
|
|
|
|
|
|
Site News/Info |
|
About This Site |
|
Affiliates |
|
ANet Forums |
|
Contact Us |
|
Default Home Page |
|
Link To Us |
|
Links |
|
Member Pages |
|
Site Search |
|
Awards |
|
|
|
|
|
|
|
Credits |
 |
Mozilla flaws could allow attacks, data access | |
|
||
| Time: 15:27 EST/20:27 GMT | News Source: News.com | Posted By: Jonathan Tigner | ||
|
Multiple vulnerabilities that could allow an attacker to install malicious code or steal personal data have been discovered in the Mozilla Suite and the Firefox open-source browser. Details of the nine flaws were published on Mozilla's security Web site over the weekend. Ian Latter, senior security consultant at Internet security specialist Pure Hacking, said most of the vulnerabilities are based on the way the applications handle JavaScript. "There are some permission issues related to running JavaScript at an escalated privilege level. They remove some of the security measures used to keep JavaScript sandboxed and allow it to potentially do malicious things to your computer," Latter said. | ||
|
Write Comment
Return to News |
Displaying 1 through 25 of 150 Last | Next |
The time now is
3:42:55 PM
ET.
Any comment problems? E-mail us |
| #1 By 10896 (64.140.196.109) at 4/18/2005 4:37:54 PM |
| 9 more for Firebox and the total since 1.0 is now 41. Anybody know the record for major security deficiencies in one year? Looks like Firefox is going to runaway with that record, if they keep up the current pace they will have well over a 100 in one year. Let's not even count all the bugs that have been fixed. Where are all those open source eyes that fix bugs and security deficiencies before the product is released. The whole Firefox program has been a joke. |
| #2 By 13030 (198.22.121.120) at 4/18/2005 5:29:53 PM |
|
And more pathetic is how billions of dollars, a desktop monopoly, years of undisputed browser dominance, and some of the smartest poeple in the business still can't secure IE and it's shared component dependency mess. To paraphrase #1, where are all those salaried eyes that fix bugs and security deficiencies before the product is released. I use Firefox, but I own MS stock and I'm pissed.
According to secunia.com (http://secunia.com/product/4227/ and http://secunia.com/product/11/), Firefox has had 15 so far for 2004 and 2005. IE 6.x has had 40 for 2004 and 2005. The first for FF is from early August 2004, but let's just say we have only six months. At the current rate FF will have 30 in a year; while IE's record is 34. Futhermore, for all vulnerabilities found for 2003 - 2005, only 13% of FF vulnerabilities have been rated high or extreme. IE blows that apart with an astounding 42%! |
| #3 By 10896 (24.25.182.11) at 4/18/2005 6:25:01 PM |
|
I dont know about Secunia, but the Mozill foundation lists 41 since the 1.0 version of Firefox.
ch go here to see: http://www.mozilla.org/projects/security/known-vulnerabilities.html |
| #4 By 10896 (24.25.182.11) at 4/18/2005 6:29:09 PM |
|
Mozilla also has a policy of hiding security bugs frrom organizations such as Secunia.
see: mozilla.org has adopted the following general policies for handling bug reports related to security vulnerabilities: * Security bug reports can be treated as special and handled differently than "normal" bugs. In particular, the mozilla.org Bugzilla system will allow bug reports related to security vulnerabilities to be marked as "Security-Sensitive," and will have special access control features specifically for use with such bug reports. However a security bug can revert back to being a normal bug (by having the "Security-Sensitive" flag removed), in which case the access control restrictions will no longer be in effect. * Full information about security bugs will be restricted to a known group of people, using the Bugzilla access control restrictions described above. However that group can and will be expanded as necessary and appropriate. * As noted above, information about security bugs can be held confidential for some period of time; there is no pre-determined limit on how long that time period might be. However this is offset by the fact that the person reporting a bug has visibility into the activities (if any) being taken to address the bug, and has the power to open the bug report for public scrutiny. |
| #5 By 10896 (24.25.182.11) at 4/18/2005 6:32:07 PM |
|
Mozilla also has a policy of hiding security bugs frrom organizations such as Secunia.
see: mozilla.org has adopted the following general policies for handling bug reports related to security vulnerabilities: * Security bug reports can be treated as special and handled differently than "normal" bugs. In particular, the mozilla.org Bugzilla system will allow bug reports related to security vulnerabilities to be marked as "Security-Sensitive," and will have special access control features specifically for use with such bug reports. However a security bug can revert back to being a normal bug (by having the "Security-Sensitive" flag removed), in which case the access control restrictions will no longer be in effect. * Full information about security bugs will be restricted to a known group of people, using the Bugzilla access control restrictions described above. However that group can and will be expanded as necessary and appropriate. * As noted above, information about security bugs can be held confidential for some period of time; there is no pre-determined limit on how long that time period might be. However this is offset by the fact that the person reporting a bug has visibility into the activities (if any) being taken to address the bug, and has the power to open the bug report for public scrutiny. |
| #6 By 15406 (216.191.227.90) at 4/19/2005 9:01:14 AM |
| I notice with Firefox that you hear about the flaw after the fix has been released, while with MS you hear about the flaw and then wait for MS to get off its ass. A few weeks/months later there's a patch. |
| #7 By 15406 (216.191.227.90) at 4/19/2005 1:40:25 PM |
|
*cough* http://www.theinquirer.net/?article=22649 *cough*
I had read somewhere that knowing about the vulnerability beforehand is helpful to the highest-level virus guru. The rest just wait for the patch and reverse-engineer it to see what it fixed, then write the exploit based on that info. There has been lots of back & forsth about full disclosure versus security by obscurity. I don't have an informed opinion of which is best as they both have their positives & negatives. |
|
Write Comment
Return to News |
Displaying 1 through 25 of 150 Last | Next |
The time now is
3:42:55 PM
ET.
Any comment problems? E-mail us |
