newsfactor.com — "It doesn't really matter if Moore is doing this for publicity or to promote public safety on the Internet," said Gartner analyst Avivah Litan. "The fact remains that the browsers have too many vulnerabilities and we are all better off if Moore exposes them before the criminals exploit them."
Jul 7, 2006
electricketchup, Jul 7, 2006
It seems like every time H D Moore publicly discloses information about vulnerabilities, someone always complains that he should have waited for the vendors to release a fix. That is BS. He always gives them plenty of time to fix the bugs, and only when the software vendors seem to not give a care in the world, he tells the world so that we can all know what to look out for. It sounds like this time he didn't give out enough information for others to reproduce the problem, so at least there won't be any script kiddies at first.

If he doesn't disclose this kind of information, and the vendors don't give a s**t, then only the evil hackers will know about the vulnerabilities. I'm glad he's there to keep them in check.
mooninite, Jul 7, 2006
hockeygoon, it is fixed. It just freezes your browser for about 10 seconds because it is refreshing very rapidly.
swedishfriend, Jul 7, 2006
No exploits revealed for Opera... Yet.

Who still uses Internet Explorer? One would figure once the Dept. of Homeland Security tells people to stop using it then that would be it. I don't even bother checking my websites for Explorer compatibility... I got to help move things forward... As long as you call it a de facto standard and make a separate Explorer version for your websites, nothing will ever change. On the other hand if Web developers put a warning on their sites admonishing against Explorer and recommended one of the other standards compliant browsers then things would change within months... People are fickle!

-Karl
isepic, Jul 7, 2006
Open source has delays in patches too - did you even read the f**king article?
harley999, Jul 7, 2006
Key Phrase: "The vendors have been notified and the time has come to start publishing the results,"
doghound, Jul 7, 2006
mooninite, you should probably do a bit of research before saying that it's fixed (it took me less time to find out the below than it did for me to type this). Now, it may not crash Firefox, but it still does produce some interesting results... very interesting.

I'm running FF 1.5.0.4 as well, and after running exploit demonstration #4, 3 glitches DO occur. First off, yes the browser freezes for 10 seconds, but we all know this is nothing more than the exploit attempting to do its work. Anyway, after that's done:

Glitch 1) Hit the back button to return to the main page listing the exploits. That ENTIRE page basically becomes one huge text box. Everything can be deleted and text can be added. Image can be found here (this was not edited in any other way than as described above... minus an MSpaint crappy text box and hand-drawn arrow): http://img259.imageshack.us/my.php?image=mspaintedhahaha1ts.jpg

Glitch 2) Any website with tables that is loaded from now on can have their table cells' heights and widths messed with. This doesn't correct itself until the bugged window is closed.

Glitch 3) JavaScript seems to become disabled.

Image showing Glitch 2 and 3: http://img248.imageshack.us/my.php?image=glitch2and36ou.jpg

Notice the drag boxes around the table cells. Those are never there when you normally visit google.com or yahoo.com.

So, hockeygoon was right in a way. The exploit may be patched, but glitches still occur; at least after running the demo on his page.