For all you Firefox Mozilla Lovers out there who like to Dis IE

pmsl: crashing the application with a url,,, hahahahahaha lol

Mozilla vulnerabilities identified


07.01.2005 11:54:08

Most serious bug affects all versions of Mozilla prior to 1.7.5 and could result in system crash

By Matthew Broersma, Techworld

Users of the Mozilla and Firefox browsers and the Thunderbird e-mail client may be vulnerable to flaws that could allow an attacker to spy on or take over a system, according to security researchers.



The most serious bug affects all versions of Mozilla earlier than 1.7.5, and could result in a system crash or the execution of malicious code, the Mozilla Project said. A boundary error in the way Mozilla handles "news://" addresses can be used to cause a heap-based buffer overflow, which crashes the application and may allow for code execution, according to an advisory from Maurycy Prodeus of iSEC Security Research, who discovered the flaw.

An attacker could exploit the bug by creating an overly-long "news://" link, distributed in an e-mail or on a Web page, and enticing a user to click on it. Such methods have been successfully used to spread worms. Mozilla Version 1.7.5 fixes the problem. Independent security research firm Secunia gave the bug a "highly critical" rating.

To exploit the flaw, the attacker must point to a real news server that is accessible. Prodeus created a proof-of-concept file that demonstrates the bug.

Firefox and Thunderbird are affected by less serious problems. The first is a vulnerability in the way they store temporary files -- the files are sometimes stored with predictable names and in a format that allows anyone to read them. This means a local attacker could easily read the contents of another user's attachments or downloads, according to researchers.

Finally, a Secunia researcher discovered a way of spoofing the names of file downloads in Firefox. A malicious site could use the bug to disguise the true nature of files the user is downloading, or to get information on the presence of specific files on the local system.

These bugs are all fixed in Firefox 1.0 and newer, and Thunderbird 0.9 and newer.

In recent months many users have begun switching to browsers such as Firefox and Mozilla because of increasingly serious security risks affecting Microsoft's (Profile, Products, Articles) dominant Internet Explorer. However, the newfound popularity of the Mozilla-based browsers has been accompanied by greater scrutiny by security researchers, and the regular discovery of new flaws.



Firefox phishing vulnerability discovered


06.01.2005 17:44:11

Ingrid Marson
ZDNet UK
January 05, 2005, 15:30 GMT

A newly discovered flaw in Firefox could allow cybercriminals to take advantage of Web surfers

A vulnerability in Firefox could make users of the open source browser more likely to fall for phishing scams.

The flaw in Mozilla Firefox 1.0, details of which were published by Secunia on Tuesday, allows malicious hackers to spoof the URL in the download dialog box which pops up when a Firefox user tries to download an item from a Web site. This flaw is caused by the dialog box incorrectly displaying long sub-domains and paths, which can be exploited to conceal the actual source of the download.

Mikko Hypp�nen, director of antivirus research at F-Secure, said this bug could make Firefox users vulnerable to cybercriminals. "The most likely way we could see this exploited would be in phishing scams," said Hypp�nen.

To fall victim to such a scam, a Firefox user would have to click on a link in an email that pointed to a spoofed Web site and then download malware from the site, which would appear to be downloaded from a legitimate site.

This flaw was given a severity rating of two out of a possible five by Secunia.

David Emm, a senior technology consultant at antivirus company Kaspersky Labs, said it is unlikely that phishers will take advantage of this exploit in Firefox because Microsoft's Internet Explorer still dominates the browser market.

"I think it's unlikely that we'll see hackers rush to exploit this vulnerability," said Emm. "After all, Firefox has a much, much smaller install base than IE and it's likely that hackers will continue to pay more attention to [IE] instead."

This may change in the future as Firefox has attracted a lot of interest in the past few months. A survey at the end of November found that Mozilla-based browsers, including Firefox, accounted for 7.4 percent of browsers in November 2004, up 5 percent from May.

The download vulnerability has been confirmed in Mozilla 1.7.3 for Linux, Mozilla 1.7.5 for Windows, and Mozilla Firefox 1.0. No solution is available at present, but Mozilla developers plan to fix this bug in an upcoming version of the product.







[edit on 7-1-2005 by Andy Robins]

So.. thats 1 or 2 bugs compared to IEs 1 billions and growing.. you point in this is exactly what...

The reason people use FF and Linux, is for the simple fact its more reliable than windows...

plain and simple.. plus its open source...

A link to the articles you copy-pasted without credit would be nice.
Please edit your post accordingly.

[edit on 7-1-2005 by Banshee]

Yes, this will be fixed in hours but IE wouldnt be fixed in months but dont let the facts get in the way of you making a fool of yourself.

I'm sorry, but I lose a lot of respect for someone when they engage in the ultimate geek fest, "My Browsers Better Than Yours". Use whatever gives you least trouble and forget about it, there are a billion and one more constructive things to talk about.

[edit on 7-1-2005 by chebob]

Well, yeah, FF is nice and I use it sometimes. But, it locks on me all too often.
Since I installed Avant over IE, it is my main browser. It speeds up IE, a lot.

Ok, so the beta version had bugs.
Almost all of this refers to BETA versions of the browser.
Big deal.

As far as the Phishing exploit, don't assume you're safe just because the article didn't mention IE.

Massive IE phishing exploit discovered
Even SP2 versions of Microsoft's Internet Explorer are vulnerable to a spoofing exploit published yesterday

A vulnerability researcher posted details of a dangerous Internet Explorer (IE) flaw on Thursday that allows phishers to spoof Web sites more realistically than ever before.

According to security company Secunia, Paul from Greyhats -- a research group -- has published details of a vulnerability that can be exploited to spoof the content of any Web site.

Using the exploit, scammers are able to manipulate all versions of IE, including Windows XP SP2 -- the latest and most secure version of the browser -- and spoof the URL and SSL signature padlock located at the bottom of the browser screen.

articles can be found on astalavista.com since i cant edit that post now

I need not get envolved in snides at one another over witch is better, since they all have problems of their own. some are better for some things some are better for others.

linux is great, I love it, does a great job running both of my webservers.. Good its not the No1 home operating system though, for if it was it would be target no1 for the virus writers and computer nitwits.

Re: IE vs FF

First and foremost I'll say up front that I use Opera, so I don't really have a personal stake in the IE vs FF debate.

Second, a sysadmin friend once replied, when asked what the best operating sytem was, "None, they all suck. They just suck in different ways." The same holds true for browsers. Heading tech support for an ISP, this is painfully clear to me

Now, on to the meat:

IE has a number of advantages right now: It's still the market leader, which means that it's the browser most web pages are written for. You can be pretty sure that any web page viewed in IE will display properly, any extra things (flash, java, etc) will function correctly, and so on. In addition, as the dominant browser, it's the one that all the "How to get around the Web" tutorials are written for. It's also free and comes with most new [Windows-based] computers, so you don't have to go out and find it. Finally, since most tech support call centers offer only minimal training, instead relying on poorly-paid kids who only really know how to read the answers off of the computer screen in front of them (yes, I'm a bitter ), with IE you've got a reasonable guarantee that if you have to call tech support, whether it's your ISPs or some web site's, that you'll get a good answer.

The drawbacks of IE are also numerous: First, as a free product, Microsoft spends a lot less time fixing any bugs that appear. Since they're not making money on IE, the motivation to constantly update it is somewhat limited. Second, IE support for older OSes is minimal: If you're using anything before Windows 2000, or ME (ghod help you), you're probably using now the most current version of IE you'll ever have. MS recently backed down on their pledge that they weren't going to update IE until Longhorn's release, but they're still not very quick with this stuff. Third, and most important to this discussion, is the reason that IE seems to have the most vulnerabilities:
IE is the current market leader. With still over 60% of web users using IE for their browser, if you're a malicious punk who wants to see his exploit on the news, you'll aim at one of IE's vulnerabilities. As FF has grown in popularity, though, we've seen more and more exploits taking aim at FF's vulnerability. Opera, with something like 5% market share, is almost never hit unless it's a vulnerability that crosses the browser barrier, not because it's so much better programmed (it is ), but because nobody cares.

FireFox also has it's strong and weak points. The quick response to vulnerabilities falls into both categories, ironically. Because of the nature of the Open Source community, it's pretty much guaranteed that any vulnerability will be identified and fixed in a matter of days if not hours. Because of this, however, new versions of the browser seem to be constantly coming out. A lot of casual users will skip multple updates simply because they don't want to deal with it every week. Were FF to impliment something like Microsoft's Automatic Updates, this may be fixed somewhat. Still, in the short term, a lot of casual users will stick with their 6 month old browser, never even knowing about the vulnerabilities. This is dangerous because it can lead to the "IE is the only vulnerable browser, with FF I'm completely safe" attitude. This false confidence will bite them in the end if FF ever becomes the dominant browser.

I don't dislike IE, i happily used it for many many years before i discovered Firefox. Personally I just think that Firefox is a superior product, not just the security but all the other features and extensions aswell.

All software has bugs, i doubt there will ever be a completely secure browser. Its just that some products have more bugs/vulnerabilities than overs.

When i first decided to give Firefox a try i was unsure about it, i had read quite a few reports about webpages not displaying properly. I decided to give it a try for a few days, that was back in last November. The only time i ever use IE since is for the windows update site

I have my opinion and i'll respect other peoples opinions and choices, just the same as in arguements between:
Windows Vs Linux Vs MAC
AMD Vs Intel
Ati Vs Nvidia
Java Vs C#
Apache Vs IIS
PHP Vs ASP

o and the other thing ive been testing today is MS new antispyware beta program..

www.microsoft.com...

at least the beta version of firefox wasnt as buggy as the beta version of internet explorer and windows

Well, I like to look at it this way:

1)
IE6 - Have to be VERY careful so i don't install those annoying "toolbars" that hides tons of adware.

Firefox - Beta version = unstable. 1.0 = awesome. NEVER had a problem, no spyware, adware, no annoying popups, nudder, zilch.

2)
IE6 - 50Mb download
Firefox 1.0 - 5Mb download

3)
IE6 - doesn't comply 100% with w3c standards.
Firefox 1.0 - 100% compliant with w3c standards.

4)
IE6 - Uses 20Mb memory (one page open - google.com)
Firefox 1.0 - Uses 15mb memory (5 pages open - google.com).

5)
IE6 - No tabbed browsing
Firefox 1.0 - Tabbed browsing

6)
IE6 - Average load time ~4seconds
Firefox 1.0 - average load time ~ 2seconds.

7)
IE6 - Embedded into OS (all those pretty folders, thumbnail views etc, you're actually looking at internet exploder.)
Firefox 1.0 - Don't like it?, uninstall and you're sweet.

But IE has nice features where web pages can send you viruses without your knowledge. It's always had problems with this but here's a new one.

secunia.com...

Firefox - Beta version = unstable. 1.0 = awesome. NEVER had a problem, no spyware, adware, no annoying popups, nudder, zilch.

Hmm obviously dont use many java websites, I had major trouble with it on about 1/2 of all websites I visted.

let point out first that not only does internet explorer have more bugs than firefox, but it is also more unstable.

IE is like AOL, people use it because they dont know enough about the alternatives and are ignorant to the better options out there.

But once you find the better options out there, youll never go back.

the only thing internet explorer is good for is internet banking and using secuire site

Originally posted by sexygeek
the only thing internet explorer is good for is internet banking and using secuire site

Well Firefox works perfectly with my bank.

Now even 3rd parties are fixing IE flaws before MS do!
www.neowin.net...
oh yes, what a wonderful and secure browser it is.

wat is the cipther sthrenght of fire fox and where can u find it out?