Hackers plant Firefox 0day on Nobel Peace Prize website

Malicious hackers have exploited an unpatched vulnerability in the latest version of Firefox to attack people visiting the Nobel Peace Prize website, a Norway-based security firm said on Tuesday. Mozilla representatives confirmed a "critical vulnerability" in versions 3.5 and 3.6 of the open-source browser. It came several …

COMMENTS

This topic is closed for new posts.
  1. asdf
    FAIL

    friggin China

    Well I am sure the Chinese are not happy with Norway for affecting their reality distortion view of a harmonious society (funny how the poor there liked Avatar so much due to empathy with the natives in the movie getting screwed by the rich). China and its 1 party government not accountable to the people again making IT busy work for the developed world.

  2. Maverick
    Unhappy

    waste of time

    who gives a shit?

    they awarded one to Al Gore (OK, jointly with IPCC) - so this is meaningless POS organisation

    Norwegians (and Swedes to some extent) should hang their heads in shame at the political pawn it has become

    DDOS for the FTW!

    where are you Anonymous when we REALLY need you to do something REALLY useful? <sigh>

    1. Destroy All Monsters
      FAIL

      Oh yeah?

      Apparently awarding one to President Bomborama just because he was either a community organizer or not Bush doesn't fit on your radar screen?

      Sphincter!

    2. Anonymous Coward
      FAIL

      Too true

      Obama got one for doing nothing. Trimble & Hume got one just for being typical politicians. This is one Nobel that isn't worth the paper it's written on, and anyone accepting it should be ashamed to do so.

    3. Lukin Brewer

      Kissinger got one too...

      ...as did Teddy Roosevelt, Sadat and Begin, Arafat, Rabin and Peres. It reminds me of the redemption of Darth Vader at the end of Return of the Jedi - after whole careers spent using conflict as a tool, they managed a little peacemaking and got a Nobel for it.

      The Chinese reaction isn't surprising: they weren't at all happy about the Dalai Lama getting his Peace Prize in 1989, nor was the Soviet Bloc about Lech Walesa '83, South Africa about Archbishop Tutu in '84, or the country formerly known as Burma about Aung San Suu Kyi in '91. To paraphrase Ogden Nash, you can't work against oppression unless you're prepared to piss off the oppressor.

  3. Anonymous Coward

    Iframe...meh.

    No thanks PLA.

    Thanks Maone.

  4. Michael Stepniczka
    Happy

    And...

    A yellow smiley because it's yellow. Just sayin'

  5. heyrick

    "or installing the NoScript extension"

    Oh, okay... I can go back to sleep then...

    1. ph0b0s

      Yay noscript...

      I could not agree more. I keep on wanting to move to faster browsers like Chrome etc, but will not do so while they do not have NoScript-type functionality. Because no matter how secure the browser is with sandboxes etc, they always get caught by these JavaScript issues. I used to have a trusted JavaScript list on IE before NoScript as well, but Microsoft really made you jump through hoops to set it up. I know Chrome is starting to get the message and there is an add-on that allows blocking of JavaScript, but I read it does not work for some sites, like Google's own. So hopefully soon it will get there and I will have more browser choice....

  6. Mike VandeVelde
    Go

    IT busy work?

    Doesn't software normally get released with bugs, that may get exploited, and then get patched?

    China 1 party system = definition of evil?

    USA 2 party system = half as terrible!

    Because "western civilization" is all about accountability to the people </hilarity>

    Weren't the natives in Avatar getting screwed by capitalists? Heh so are the poor in China, I see your point ;-)

    (pedants: what's the right tense for what happened / will happen / was going to happen in a movie about the future that I watched in the past?)

  7. Pascal Monett

    Maybe a dry run?

    Conspiracy theories with China are certainly interesting, but I'm thinking of a different scenario.

    By hacking a site that is high-profile with a 0-day, the miscreants had to know that their attack would be quickly discovered.

    I fear that they chose the site on purpose to evaluate what the reaction time would be, and what the damage would be.

    Given that they chose to attack Firefox, I deduce two things: first, we will actually have a fix in the next 24 hours, instead of 24 months for IE. Second, Firefox is now important enough to be attacked on its own in a high-profile attack, instead of IE.

    In the end, once again NoScript proves invaluable. Historically, IE has always been wide open. IE 8 has slightly changed that, but there is no comparison with Firefox. Since each and every attack has mostly relied on javascript, even if you go to a hacked site with Firefox, as long as you have NoScript protecting you you are safe.

    So Firefox and NoScript are the two things that really make the web safer.

    1. copsewood
      Alert

      Mixing data with executable content is bad for security

      "In the end, once again NoScript proves invaluable."

      Useful I agree, and probably not as bad as IE, but still not good enough. There are simply too many websites that don't function correctly without Javascript, so when I had NoScript installed I had to make too many choices as to which ones to allow and refuse. The problem here is also that the Nobel Peace Prize site has the reputation of the Nobel Prize itself, so regular visitors to this site using NoScript would be likely to have allowed Javascript from this site, believing the site administration to be in good faith. I'm sure it was, but that doesn't make the site administration invincible.

      What is fundamentally broken here is having to run Javascript within such a complex and poorly sandboxed environment in order to make web browsing work to more than a very minimal degree without excluding many sites which would not work without Javascript at all. Linux users like myself have no reason to be smug that the attackers chose to have a Windows executable downloaded. The fact that a zero day on Firefox could plant and remotely execute a download on the client should not be enabling anyone to feel the current browser sandboxing and state retention model is safe by any means.

      We need better system partitioning than the current Javascript implementations provide for.
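The point raised above, that an origin allowlist (NoScript-style) does nothing once the trusted site itself has been compromised, is easy to show in code. The following is an added example, not code from the article, from any commenter, or from NoScript: a toy per-origin allowlist applied to a constructed snapshot of a "trusted" page into which a hidden iframe has been injected (the iframe pattern the earlier comment alludes to), alongside a second, origin-independent check for hidden iframes. All hostnames, paths and HTML below are constructed for the example; `example-trusted-site.test` and `evil-cdn.test` are placeholders, and the allowlist logic is a deliberate simplification of how a real script blocker works.

```javascript
// Added example: origin allowlist vs. a compromised trusted origin, plus an
// origin-independent hidden-iframe heuristic as a second defence-in-depth layer.
// Runs under Node.js with no dependencies; all inputs are constructed.

const TRUSTED_ORIGIN = 'https://example-trusted-site.test'; // constructed placeholder
const ALLOWLIST = new Set([TRUSTED_ORIGIN]);                 // "the user trusts this site"

// Constructed page snapshot: the site's own legitimate script, then two injected
// iframes. One is served from the trusted origin itself (zero-size), the other
// from a third-party host (display:none).
const PAGE_HTML = `
<html><body>
<script src="/static/site.js"></script>
<h1>Prize announcement</h1>
<iframe src="/images/counter.html" width="0" height="0"></iframe>
<iframe src="https://evil-cdn.test/load.html" style="display:none"></iframe>
</body></html>`;

// Pull <script src> and <iframe src> elements out of the HTML with a small
// regex scanner (enough for the constructed input; a real tool would use a DOM
// parser). Relative URLs are resolved against the page origin.
function extractElements(html, pageOrigin) {
  const results = [];
  const tagRe = /<(script|iframe)\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = {};
    const attrRe = /([a-zA-Z-]+)\s*=\s*"([^"]*)"/g;
    let a;
    while ((a = attrRe.exec(m[2])) !== null) attrs[a[1].toLowerCase()] = a[2];
    if (!attrs.src) continue;
    results.push({ tag: m[1].toLowerCase(), url: new URL(attrs.src, pageOrigin), attrs });
  }
  return results;
}

// Layer 1: the allowlist. Anything whose origin is trusted is allowed, which
// includes whatever an attacker has managed to plant on the trusted site.
function allowlistDecision(el) {
  return ALLOWLIST.has(el.url.origin) ? 'allow' : 'block';
}

// Layer 2: a structural heuristic that ignores trust entirely. A zero-size or
// display:none iframe has no legitimate reason to be visible-to-nobody on a
// content page, so flag it regardless of where it points.
function isHiddenIframe(el) {
  if (el.tag !== 'iframe') return false;
  const zeroSize = el.attrs.width === '0' || el.attrs.height === '0';
  const hiddenByStyle = /display\s*:\s*none|visibility\s*:\s*hidden/i.test(el.attrs.style || '');
  return zeroSize || hiddenByStyle;
}

// Combine both layers into one report per element.
function analyse(html, pageOrigin) {
  return extractElements(html, pageOrigin).map(el => ({
    tag: el.tag,
    src: el.url.href,
    crossOrigin: el.url.origin !== pageOrigin,
    allowlist: allowlistDecision(el),
    suspicious: isHiddenIframe(el),
  }));
}

console.log(JSON.stringify(analyse(PAGE_HTML, TRUSTED_ORIGIN), null, 2));
```

Run with `node`: the legitimate script is allowed and not flagged; the same-origin injected iframe is allowed by the allowlist (the gap described above) but flagged by the hidden-iframe check; the third-party iframe is blocked by the allowlist and flagged as well. The second layer is what earns its keep when the trusted site is the one serving the attack.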

  8. Anonymous Coward
    Linux

    Engage smug mode

    A Windows executable? Okay then, my smugness is intact.

    1. Ian McNee

      Double smug mode: defence in depth

      As the article notes, this is a relatively rare occurrence, a critical 0day for Firefox. But it highlights an important security principle: defence in depth. In this case the vulnerability is either partially or totally mitigated by a number of other factors: (i) a secure OS like Linux; (ii) the ability to browse without your pants down (NoScript, AdBlock, etc.) and (iii) not using administrative logins for day to day usage.

  9. JDX
    Grenade

    Quick, blame Microsoft

    Or am I being overly cynical of the forum members?

  10. Tigra 07
    Happy

    They made it!

    You know your browser is popular when you get malware attacks directed at just the one browser

  11. Count Ludwig
    FAIL

    How did they hack the website?

    But how did the perps manage to get their code placed on the Nobel Prize website?

    Probably something like:

    www.nobel.org/Administrator

    user: Admin

    pw: Alfr3d

  12. Anonymous Coward
    Coat

    An exploit on the Nobel Prize website?

    So no imminent danger to the actual computing community then, only the hoity-toity class.

  13. Anonymous Coward
    Paris Hilton

    Nobel prize for peace?

    Let's have a look at the 3 most recent awardees...

    Next year they'll just send it out in a randomly-selected Cheerios box I guess.

  14. Anonymous Coward

    Complacent Mozilla!

    WTF! We shouldn't have to use Noscript; I only run it because Mozilla are obviously clueless about scripting security, and even Noscript would be useless against approved, but compromised, sites. Browser Javascript should run in a sandbox, and never be allowed to access external resources without an explicit security policy, like Java has, but the retards failed to provide this! Race conditions only occur due to some clueless idiot writing un-thread-safe code, so find someone who can write proper thread-safe code!

    Javascript security is a fracking joke in Firefox and many other browsers and there is NO EXCUSE for this, you damned lazy scripting engine developers! Firefox should shame websites when it detects shoddy Javascript, to encourage them into fixing their broken Javascript. The extension website should also flag/block broken extensions, to humiliate the developers into fixing their broken code!

    1. Yag
      Troll

      heh...

      How long until someone replies with the usual "Rewrite it yourself if you are not happy with it!"?
