Polish security researcher Michal Zalewski, known for his seemingly unending stream of browser vulnerability discoveries, has struck again. This time he's reported four flaws that are sure to get the attention of bug squashers in both Microsoft and Mozilla camps. The most serious vulnerability could make it possible for cyber …
The reality of bugs
Finally, a good programmer who's out there looking for bugs and not looking to crush companies.
Too bad there were no Safari bugs found today; guess he was just busy.
...using IE7 and Firefox to test personal websites against spambots :)
Another Firefox Bug
Firefox also seems to display another bug, where it displays two number 3 items on the Full Disclosure page, instead of 3 & 4.
I shall expect full details to be posted in due course...
What no Opera???
Seems Opera is OK here, but then it's pretty rare that Opera vulnerabilities are discovered, and they are always nailed down within days...
Opera seems to be designed with security in mind, but Mozilla and IE have security bolted on...
Also goes horrifically slowly if you open more than about 10 images. Its download manager (when open) locks the browser temporarily when adding downloads, it slows up when there are lots of images on the page.
Security vs user-friendliness
It appears that the more user-friendly a piece of software gets, the more vulnerable it becomes. The Holy Grail of systems developers is to find the ultimate secure system that wipes your bottom for you in addition to looking as sexy as whoever your dream mate is. As in real life, it's not going to happen.
Re: Another Firefox Bug
IE 7 seems to display the same bug... how weird is that? And both browsers display two number threes in the source code view as well!!!!
hmm, just Another Job for NoScript?
Preventing these and many other yet unknown exploits is just as easy as installing the NoScript Firefox extension.
Security is all about giving away the minimum privileges to do the work, and never, NEVER to strangers.
NoScript just brings the abc of security in the browser.
why no opera....
...cos Opera is a lot older than most people realise, and was never designed to emulate IE in any way, thankfully.
Shame Mozilla/Netscape lost sight of such a vital "feature".
The question is, did he notify MS and Mozilla prior to posting the vulns? If not, he's not much better than a black hat. I've never posted without 30 days' notice.
"Failed to obtain cookie in 120 seconds.
"Your browser might be not vulnerable, or your
network performance deviates from what this
script expects. Try again or give up."
...Doesn't mean it's *SAFE*, but is, at least, one datum for Mr. Zalewski.
No JS here either
'Preventing these and many other yet unknown exploits is just as easy as installing the NoScript Firefox extension.'
Have to agree, the NoScript plug-in should be installed by default. Of course it won't because it breaks a lot of sites and it requires some thought to go through the denied scripts. Joe Public isn't going to put up with the learning curve that entails.
My Ubuntu is broken
I can't get the FF flaw to work.