Firefox leak could divulge sensitive info

A security researcher has discovered a vulnerability in Firefox that could allow criminals to remotely siphon private information stored in plugins and call sensitive functions. According to an entry on the 0x000000 blog, Firefox generously enumerates all variables and registered objects that are present inside javascript files …

COMMENTS

This topic is closed for new posts.
  1. Dillon Pyron

    That's funny!

    "As usual, the best workaround in the interim is NoScript, provided the site exploiting site has not been authorized to run javascript. ®"

    That's really funny. I'll bet if you do that, they'll also have a list of your NoScript whitelist and blacklist. I'm guessing that these exploits can be tagged into any suitably vulnerable site, so that could actually be a hazard.

    Now that's not very funny!

  2. yeah, right.

    Noscript

    As usual, it's a javascript exploit. As usual, those of us who run with Noscript enabled are relatively immune unless we do something to shoot ourselves in the foot.

    I've tried running several other browsers, but the combination of Adblock and Noscript keeps me coming back to Firefox. Between those two, my surfing is a lot more productive, and a lot less distracting.

  3. Ken Lord

    Ajax is Javascript

    Ajax is nothing more than using Javascript a particular way with some compatible tools. Just a buzzword really.

    Remember how the world swooned over Ajax? Even though every good computer user knows that they must not ever use anything related to Javascript (at least according to most people who post to slashdot or similar forums)

    Funny how all those javascript haters fell in love with Ajax.

    But I digress, really my point is this:

    Use Firefox and get owned just like users of internet explorer! Open source isn't perfect! Now that Firefox has a larger market share, they are getting hit by more hackers! I told you so!

  4. Anonymous Coward

    yeah yeah

    And once again it won't be used in the wild proof of concept is as far as it will go I wouldn't waste my time trying to get someone's settings from their plugins they might not have for a bare one in twenty hits and of course if memory serves there have always been firefox vulns and as yet very few wholesale ownings none that I know of so STFU just as I said.

  5. Steve Roper

    @Ken Lord

    Yes, vulnerabilities will turn up in Firefox just as in Internet Explorer, and yes, as Firefox becomes more popular it will become a target for criminal hackers. The difference is that when a vulnerability is found in Firefox, the open-source community gets on it right away so it is usually fixed within 24-48 hours; while Microsoft usually takes weeks or even months to sort out vulnerabilities in Internet Explorer. So even if Firefox becomes the majority browser (speed the day!) I would still use it for that reason alone, notwithstanding its customisability and huge range of useful plugins.

  6. Tim J

    Re: Noscript

    "I've tried running several other browsers, but the combination of Adblock and Noscript keeps me coming back to Firefox. Between those two, my surfing is a lot more productive, and a lot less distracting."

    Eh?!

    But surfing is *supposed* to be distracting, and since when was it a productive activity!

    The ultimate in productive and non-distracting surfing on would surely be the yet to be released NetBlock plug-in, or should that be plug-out...

  7. yeah, right.

    re: re: Noscript

    Yes, surfing is non-productive. Generally. But Noscript/Adblock keeps this non-productive time much more productive. IYSWIM.

  8. Anonymous Coward

    More FUD

    I'd hate to point it out, but using phrases like 'remotely scan all variables' implies that they're somehow connecting to your Firefox application and reading all your data.

    The truth of the matter is that a boring bit of Javascript can run when you're browsing a web-page and post which plugins you're using off somewhere. That's so scary, they might find out that I use Firebug, alert the authorities.

    Believe it or not, you can run methods in ActiveX/COM objects through Javascript in IE, run to the hills!

  9. Anonymous Coward

    Javascript

    "Even though every good computer user knows that they must not ever use anything related to Javascript "

    That's just a load of rubbish. There is nothing wrong with javascript as long as the site still works with it turned off - it can be used to enhance functionality, as long as it doesn't replace it.

  10. Anonymous Coward

    Swings and roundabouts

    You have to be careful when discussing browser fix times.

    Microsoft may fix a problem in 1 hour flat. However they may not publish it for a month, unless extremely urgent.

    Unlike much Open Source (note: much, not all), MS have a single point of contact and they deal with VERY large businesses.

    If they release a fix that then turns out to cripple every system going, they can be held liable, i.e. sued. It's difficult to sue a bunch of loosely collected people.

    Also MS actually did the month patch fixing in response to a large number of Admins asking for this. This means they can take the patches. Pilot them and then roll them out. If they have to do this 1 - 5 times a week (remember we are talking about apps, DB's as well as browsers), Admins get completely bogged down.

    So the quick turn around by the OS community is great, but bear in mind, it can also be a burden.

  11. fon

    Title

    "But surfing is *supposed* to be distracting, and since when was it a productive activity!"

    er, since this....

    - buying tickets for a concert, buying tickets for glasto, buying tickets for a plane trip & holiday...

    - checking my stuff is in stock in argos, finding details about a new LCD, PC, etc...

    - getting technical manuals in minutes, not the usual 30 days by post... productive enough??

    you are living in the past, almost everything is on the internet now....

  12. Anonymous Coward

    re: Swings and roundabouts

    Stu - Microsoft's real problem is that half the code for IE is used by the OS for other things so fixing something in IE will, more than likely, blow something up somewhere else (some of that being down to undocumented entry points being used). Firefox has the advantage that its code is only used by it - so if it doesn't blow itself up then it's OK.

    Actually I don't think you can sue MS if their patch takes your system out - it's bound to be covered in the novella length EULAs you've supposedly read.

  13. Anonymous Coward

    re: re: re: Noscript

    "Yes, surfing is non-productive."

    Sometimes you want it to appear to be more productive than it really is. For this, however, I recommend browsing El Reg using lynx in an xterm (on cygwin if you must), rather than the combo of Firefox / Adblock / NoScript.

  14. Tim J

    @fon Re: unproductive surfing

    "you are living in the past, almost everything is on the internet now...."

    And you, my friend, are living without a sense of humour...

    (And however much you might surf around for one, I'm not really too sure the internet is going to be of much help to you on that front - Amazon certainly don't seem to stock them...)

  15. Anonymous Coward

    We don't need no stinking plugins

    Dan Goodin calls 'em "plugins" (adapters for viewing specialized content within the browser, e.g., Flash), but he means "extensions" (add-ons that customize the browser's behavior or extend its functionality).

    Got any nits you want picked?

  16. fon

    @Tim J

    "since when was it a productive activity!" was the point .... sure I know that was 'tongue in cheek', but I think you took my comment far too seriously!! :D

    - the internet is so much like 'real life' these days... you can be 'very unproductive' just staring at the mags in a shop, etc, etc, but this is your time to waste! :)

    The comment by 'yeah, right' was more directed at the fact it takes much more time to get to the thing he wants, ie a not so productive implementation of a website... blocking the distracting flashy stuff, pop-ups that get in the way, etc lets you quickly see the thing you want..

    These are just the same as the loud salesmen at the front of a dept store, that you have to get past, to get the simple thing you want....

    - you can also use a 'unpretty browsing interface' and it looks to your boss like you are 'working' when you just have a bit of 'relaxion' online...

    but we are waaaay offtopic......
