78 Comments
- asadotzler, on 10/12/2007, -6/+81
The vulnerability was FIXED. A crash remains, but it is not a security vulnerability. This post is completely inaccurate.
Asa Dotzler
Mozilla
- jackmaninov, on 10/12/2007, -8/+68
Firefox devs have been stating over and over: this is no longer a vulnerability. It *was* fixed in 1.5.0.5. What remains is a crash, which is a DOS, not a vulnerability.
- maninblac1, on 10/12/2007, -7/+53
Okay, I hate Firefox as much as, well, no one else. But let's get one thing straight here: the "vulnerability" in question is a race condition, which means that this "vulnerability" is iffy at best. So if you lose the race, i.e. it doesn't turn out just the right way, there is no vulnerability. It may be exploitable, but how many times does it succeed and how many times does it fail? If it only works 1 in 1000, is that so big a deal?
Race conditions are not considered severe because specific circumstances must arise before you can enter the race, and then only some of the time does the problem occur.
- Cl1mh4224rd, on 10/12/2007, -4/+33
This is what a Firefox developer had to say about the problem over on Slashdot:
"First, as to the 'critical security hole', as we've already stated in numerous other places, the actual exploitable hole was patched long ago. A non-exploitable crash does remain and will eventually be fixed. Anyone who reports this as a security hole has not done their due diligence."
http://it.slashdot.org/comments.pl?sid=203284&cid=16629982
- M4v3R, on 10/12/2007, -6/+30
This page loads a 3MB XML file filled with tags on and on. It could crash any browser with little tuning, probably. You really can't blame FF devs for that.
- radu79, on 10/12/2007, -3/+23
It ALMOST crashed Opera (froze). But after a while I was able to close that tab.
- randomc0de, on 10/12/2007, -6/+18
Precisely. I followed through and ran the test; it just crashed my browser. I reopened it, clicked the "restore session" button, and got all my websites back. Maybe if every website in the world used this to DOS my browser I would care, but for now, I go to any reputable website and this won't happen. Not a security vulnerability, not even a minor annoyance.
What pisses me off is now someone has to spend a week or so fixing this non-issue of a bug, all because some dick on the internet decides to pick on the libre browser. Why doesn't the author here go fix it himself?
- jhuebel, on 10/12/2007, -2/+12
Marked as inaccurate, both for the misinformation and the sensational title.
- mbthompson, on 10/12/2007, -3/+12
As said above:
"Firefox devs have been stating over and over: this is no longer a vulnerability. It *was* fixed in 1.5.0.5. What remains is a crash, which is a DOS, not a vulnerability."
Marked as inaccurate.
- inactive, on 10/12/2007, -2/+9
At least now your browser will be restored if it does crash. :P
- Cl1mh4224rd, on 10/12/2007, -4/+11
Unimportant? No, of course not. A critical security vulnerability? Not a chance.
- YourDoom123, on 10/12/2007, -4/+11
I'm running Firefox 2.0, and the test does not crash my browser.
- jgruber, on 10/12/2007, -4/+9
Randomc0de... good comment.
Everyone who is complaining about this bug, please understand why the open source method of browser development is so superior to the Opera or IE alternatives. YOU (that's not plural, but I guess it could be... either way it's you who are empowered) CAN fix it YOURSELF, post YOUR fix code in the wild. If you can post the exploit in the wild, you can post the fix in the wild. In an open source world, there are the people who exploit and there are people who exploit the exploit and fix things. The project leaders will decide if the fix needs to be recoded to better match the project (goals/style/etc), but at least you can post the fix. If the project guys here make the choice not to fix this race condition, you can decide to disagree and fix your own browser. So far they have been more than honorable in their dealings and deserve our gratitude for a great product. YOU can also TEACH yourself from the posted exploits and fixes. EVERYONE GETS SMARTER. EDUCATION AND BETTERMENT ARE WHAT MAKE OPEN SOURCE THE FORCE IT IS.
I will take some objection to your comment however, randomc0de, as I think you cannot cut the exploiter out without cutting out some of the genius too. Sure there are exploits of closed code, but there are limits on their genius in the fix by its nature. At most a small team learns the thinking of the fix. I think we'll accept the trade. That notion of learning is what the folks inside the house that Redmond built understand, but as a business front struggle with. Maybe they can hire the world, but I doubt it. Commercial software enables the masses to perform standard things in a standard way. GREAT... let's make money. Open source educates the willing and desirous to do what they want and can dream up. To do it the commercial way is likened to paint by the numbers. Everyone can make the dog look like a dog now, but you never get a new artistic form with the lines on the page for you. Especially when you have no choice to paint outside the lines.
Now there is always the notion of getting paid for your efforts, but that's not the complainer's issue now, is it? Again... genius figures out a way to satisfy their needs and wants. Society learns to pay the artists.
My hope is that the creativity of the masses proves out over our greed and need for cash. The complainers turn into thinkers and coders themselves. It is the kid around the world who opens the source code and learns to read it that will be the source of the next great idea for the open source movement. I just hope that kid stays true to his beginnings and remembers there should always be the kid that will read his code. That's the culture of growth that should make the difference. Even with a "race" condition in the code. The "race" condition spawns a very different "race"; a race of thought and energy on the part of a now alive player in the field... not just a spectator.
So... I don't mind this race enough to mess with it. If you do... get in the race.
- Grayfox777, on 10/12/2007, -1/+5
Inaccurate. I wish I could also mark it as lame.
- KnightMareInc, on 10/12/2007, -2/+7
Why are people STILL trying to make this something worth talking about? I swear it's like the folks from MS are throwing money around or something.
- Terc, on 10/12/2007, -2/+6
Mark this crap "story" as inaccurate.
- caspy7, on 10/12/2007, -1/+5
Alright people, please do your part in burying stories that are inaccurate.
Stories like this.
- creativewarrior, on 10/12/2007, -0/+3
This has been fixed by Firefox already, even before the release of FF 2. These and other FF 2 issues along with the IE 7 issues have been written up in this article: http://infopowered.blogspot.com/2006/10/ie-7-and-firefox-2-vulnerabilities.html If you check it you would see that this particular issue brought forward by Bugtraq was already addressed and taken care of, and even Secunia has reported it as a zero issue now. The link to the Secunia report on the Bugtraq issue is also in that article.
- cuposmuck, on 10/12/2007, -1/+4
yawn.... here is the link to crash the browser...
http://lcamtuf.coredump.cx/ffoxdie.html
I AM using FF 2.0... and no crash... I checked it with a massive CPU load and disk load as well... no problem... it's a race condition, so it's not guaranteed to crash 100% anyway...
- geminitojanus, on 10/12/2007, -0/+2
"AND I SUPPOSE A CRASH IS COMPLETELY UNIMPORTANT."
*shrug*. Crashing is the preferred behavior for malformed data. The fact that browsers don't crash (or other programs that receive malformed data and run with it) has caused our protocols to fall into shame. Look at HTML for example: people can pass off almost anything as HTML, simply because the browsers will continue to display it. And because the browsers are reinforcing such bad behavior, people continue to do so. If it were a C program you were trying to compile instead, it'd bail out and scream bloody murder.
And now that Firefox has the nice session-save-on-crash feature, crashing becomes even less worrisome. At worst, you lose a minute of work and possibly a link or two you forgot to bookmark. Beats the browser being exploited any day of the week.
- nubnub, on 10/12/2007, -3/+5
The vulnerability is in fact fixed, but it can still crash the browser. Anyways, it doesn't matter; download NoScript and it'll block any JavaScript you don't want.
- inactive, on 10/12/2007, -1/+3
If someone posts an inaccurate article about your closed-source Opera, you'd get your panties in a bunch, so stop being a tool.
- RADicalSatDude, on 10/12/2007, -2/+4
radu79, I launched both test cases in Opera 9.02 together but felt no slow down, freeze or any other unusual behavior. Windows Task Manager showed no jumps in memory or CPU usage as well.
- easycheez, on 10/12/2007, -3/+5
I upgraded to IE7 a couple days ago just for ***** and giggles, I like my software updated, but I haven't gotten to use it yet because it crashes before even coming up. It says "connecting..." on one of the tabs and then I have to terminate it every time because it locks up. I could probably uninstall and reinstall it to get it to work, but why bother when I have FF?
*Adding to the point that no browser is perfect*
- cthellis, on 10/12/2007, -0/+2
@Jessehk
"You would not be as forgiving if this happened with IE.
Careful that you don't start making a double standard."
Others ARE reporting that it happens with IE 7.0 as well. The author should be careful to test more cases before he lodges his complaint, too.
Personally, I found it amusing to watch Firefox simply wipe out when I went to the page. ^_^ Of course it came back and restored the session just fine, and I had to specifically tell my NoScript extension TO allow the site to kill everything to begin with! Heh...
- deadbaby, on 10/12/2007, -4/+6
Crashing is actually a pretty good way to handle this type of issue. You bail out before any exploiting is done and you give the user a nice firm slap on the hand for clicking on a dangerous link. It's a win-win solution.
- djdigital, on 10/12/2007, -3/+4
http://lcamtuf.coredump.cx/ffoxdie.html
- tylerl, on 10/12/2007, -1/+2
This is a race condition that could potentially result in a double-free, triggering an exception and closing the browser. It's a DOS at best, though why an attack that inhibits your own web page from being viewed could be considered "critical" is beyond me. I declare shenanigans!
- maninblac1, on 10/12/2007, -0/+1
Now, I'm going to go out on a limb here, since I'm not 100% sure of exactly what the vulnerability was. However, a crash, while explicitly not a vulnerability, does allow the execution of exception handling code, which if done properly could be manipulated via buffer overflow/underflow or any number of tricks. So if the crash remains, is there any potential in exploiting the EHC execution to perform the attack instead of the initial vulnerability? And if so, wouldn't this still be a true vulnerability?
If none of that made sense, it's okay.
- alphanerd, on 10/12/2007, -1/+2
Even though this is a race condition it is still important. I remember using a race condition to bypass a sandboxed PC to get it out to the internet. Also the crash is very important. Most buffer overflows are discovered by causing a crash. The crash is most likely caused by the return address being overwritten. Changing the return address to shell code can give you a remote command prompt on the target. As for the people who are bagging Security Focus with comments like:
''Stupid Security Site is Out of Date''
Security Focus is one of the few security sites that:
1) contains almost every security vulnerability known to man
2) proofreads their exploit code before putting up a POC. Yes, all you script kiddies who can't read shell code and are actually joining yourselves to botnets.
3) Is the primary reference site for several security tools like Symantec's netcon, Nessus and many more.
- Darkness123, on 10/12/2007, -1/+2
It crashed Firefox but I just restored the session. Closed the tab straight away so it did not crash again.
- IQ70, on 10/12/2007, -0/+1
1. The vulnerability deletes the clipboard.
2. The vulnerability does not occur on K-Meleon/K-Ninja.
The vulnerability can be fixed and has not been fixed.
- Ankh, on 10/12/2007, -3/+4
Good, the second test crashed my Firefox 1.5.0.7 and Firefox 2.0 on OS X 10.4.8, but Safari survived and I was asked by the page "you did use firefox, right?"
- maninblac1, on 10/12/2007, -0/+1
@jgruber
Well, it's nice and all that you think this way. But this is not how the world works; specifically, this is not how America works.
You work for a living, right? You get paid for your services and expertise, and that makes you no different than the "corporations" that you claim must be toppled by the open source movement.
Let us face cold hard reality. It's painful, I know, but everyone comes to this point in their lives. Our country is built on capitalism: we pay for the best, because it's the best, or we use the cheapest because it's cheapest.
The computing world you suggest is a communist one, and while it's true that communism can work, it cannot work on a large scale. Linux is not large scale because of this. I mean, honestly, how on earth can Microsoft beat the price of "FREE" for a comparable product? It can't. So why aren't the masses fawning over Linux? Ubuntu, even SUSE and Mandriva, have made for quite capable, "relatively" user friendly environments. There's a good reason to use Linux, yet few people do. Why?
Well, the answer has been mulled over a thousand times on Digg, but all those comparisons don't matter.
There are a few key differences. First is accountability: closed source always has an owner... someone who is responsible for the product. In open source it can often be impossible to determine who did what, so who is accountable when something goes wrong? Who do you blame when the traffic controller powered by Linux causes a 13 car and 20 death accident?
The other is trust, which goes hand in hand with accountability. This may seem like a backwards argument, but understand how the consumer thinks. In open source anyone can contribute just about anything they want, good and bad. Those who aren't smart enough to read the code and find the bad, well, they must trust the developers to not be doing things that they shouldn't be. Closed source, they can't even read the code, but there is a group of people overseeing it, ensuring its quality, so if there is something that shouldn't be there, at least the consumer knows who to sue.
Open source is a lovely fluffy cuddly thing, but it doesn't make a good business model. Look at Google: sure it all looks free, but you miss the business model underneath because of the ad-blocking.
- ShadowMasterSRC, on 10/12/2007, -1/+2
FUD.
Buried as inaccurate.
- inactive, on 10/12/2007, -2/+3
The second test crashed IE7 as well as Firefox.
- maninblac1, on 10/12/2007, -0/+1
Not exactly, a crash still executes exception handling code, code which could be changed in theory to malicious code.
- ThsGuyRightHere, on 10/12/2007, -0/+0
@Spider-man is absolutely right, a DoS is still a vulnerability. Sure, you wouldn't normally consider a browser locking up to be the worst thing in the world, but what if the browser lockup manages to affect sessions for every user on the machine, say in a Citrix or TermServ environment? For a member of the Firefox dev team to attack bug posters as not exercising due diligence is a tactic pulled straight from the Microsoft playbook. Lemme guess, it's a feature, right? Definitely not the response I would expect.
- subgeniusd, on 10/12/2007, -1/+1
Checked the exploit link:
"CONGRATULATIONS!
Your browser is probably
NOT VULNERABLE, or your
computer is too fast."
Opera 9.02. CPU only 1.2Ghz. Panties unbunched.
- kneeare, on 10/12/2007, -1/+1
It wasn't fixed, check yourself:
http://lcamtuf.coredump.cx/ffoxdie_orig.html
- Hellfire51, on 10/12/2007, -3/+2
If you go to the proof of concept, it even says that the first testcase is totally fixed (does not crash Firefox nor represent a vulnerability) and the second testcase still results in a crash but no remote code execution. Marked as inaccurate.
- inactive, on 10/12/2007, -4/+3
Oh, we *got* the joke. It just wasn't funny.
- spider-man, on 10/12/2007, -2/+1
Within the professional security industry pretty much any DoS is absolutely considered a vulnerability. You may be able to argue how serious of one it is, but the fact still remains that it is a vulnerability.
- etnu, on 10/12/2007, -2/+1
Making any web browser crash is trivial. Just keep eating memory (by sending huge amounts of data and/or creating a ton of DOM nodes). Eventually the system will run out of memory and the app will die, or, better yet, the OS will simply become unusable.
Hardly a "security vulnerability".
- Whoblah, on 10/12/2007, -5/+3
Uhh, I'm running Firefox 2.0 on Kubuntu Edgy and those did nothing, _nothing at all_.
I don't even have NoScript installed...
- inactive, on 10/12/2007, -5/+3
1 in 1000 bad? Try 1 in 1 - that's the number of entirely vulnerable Windows machines - that's right - 100% vulnerable!
- Giever, on 10/12/2007, -9/+7
Wow, okay, yes. A crash can be important. However, it isn't a vulnerability. Are you saying that Diggers wouldn't be mad about an article that said a girl was raped and killed, when she was actually just kidnapped?