APLawrence.com -  Resources for Unix and Linux Systems, Bloggers and the self-employed

Firefox Javascript Exploit


2006/10/02

A possibly very dangerous Javascript exploit for Firefox has been reported.

Before we get into the politics, you should install the Firefox NoScript extension to counter this. NoScript doesn't shut off Javascript entirely; instead it lets you decide, site by site, whether Javascript may run at all. You can leave Javascript on for the sites you trust and block it everywhere else. That's probably all you need to do to deal with this problem, with one caveat: it only protects you on sites where you leave Javascript off, so a trusted site that is compromised, or that pulls in scripts from elsewhere, can still reach you.

By the way, you'll probably find that the most common third-party Javascript on most sites is for things like Google Ads, which load from Google Syndication. If you don't allow Google Syndication, the ads disappear from view. That may be good or bad, depending on your point of view.
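To make the site-by-site policy concrete, here is a small illustration written in plain JavaScript. It is an added example, not NoScript's own code, and the trusted hosts, the page URL and the script list are all constructed for the demonstration. Run it with node: for each script on a page it decides whether the script runs and why, and it shows why an ad script from Google Syndication stays blocked on a trusted page until that host is allowed as well.

```javascript
// Added example (not NoScript's code): a simplified NoScript-style per-site
// script policy. All hosts, the page and the scripts below are constructed.

// A policy holds a permanent allow list and a "temporarily allow" list that
// only lasts for the browser session. A leading "." on an entry covers the
// host and every subdomain ("vmware.com" and "www.vmware.com" for ".vmware.com").
function makePolicy(permanentHosts) {
  return { permanent: new Set(permanentHosts), session: new Set() };
}

function hostMatches(host, entry) {
  if (entry.startsWith(".")) {
    const base = entry.slice(1);
    return host === base || host.endsWith("." + base);
  }
  return host === entry;
}

function isTrusted(policy, host) {
  for (const list of [policy.permanent, policy.session]) {
    for (const entry of list) {
      if (hostMatches(host, entry)) return true;
    }
  }
  return false;
}

// Decide whether one script on a page may run. scriptSrc is null for an
// inline <script> block; otherwise it is the src attribute, possibly relative.
function scriptDecision(policy, pageUrl, scriptSrc) {
  const page = new URL(pageUrl);
  // Nothing runs on a page whose own host is not trusted, whatever the scripts' origins.
  if (!isTrusted(policy, page.hostname)) {
    return { allow: false, reason: `page host ${page.hostname} not trusted` };
  }
  if (scriptSrc === null) {
    return { allow: true, reason: "inline script on trusted page" };
  }
  let src;
  try {
    src = new URL(scriptSrc, pageUrl); // a relative src resolves against the page
  } catch (e) {
    return { allow: false, reason: `unparseable src ${scriptSrc}` };
  }
  // Only http(s) sources get a host check; javascript:, data: and the like are refused.
  if (src.protocol !== "http:" && src.protocol !== "https:") {
    return { allow: false, reason: `scheme ${src.protocol} refused` };
  }
  // Each third-party host (ad networks, CDNs) needs its own entry in the allow list.
  const allow = isTrusted(policy, src.hostname);
  return { allow, reason: `${src.hostname} ${allow ? "trusted" : "not trusted"}` };
}

function evaluatePage(policy, pageUrl, scriptSrcs) {
  return scriptSrcs.map((s) => ({ src: s, ...scriptDecision(policy, pageUrl, s) }));
}

// Constructed sample: a page on a trusted site carrying its own script,
// an ad script from Google Syndication, and an inline script.
const policy = makePolicy(["aplawrence.com", ".vmware.com"]);
const samplePage = "http://aplawrence.com/Blog/B1000.html";
const sampleScripts = [
  "/js/site.js",
  "http://pagead2.googlesyndication.com/pagead/show_ads.js",
  null,
];

for (const r of evaluatePage(policy, samplePage, sampleScripts)) {
  console.log(r.allow ? "RUN  " : "BLOCK", r.src === null ? "(inline)" : r.src, "-", r.reason);
}

// "Temporarily allow" the ad host for this session and the ads come back.
policy.session.add("pagead2.googlesyndication.com");
console.log(scriptDecision(policy, samplePage, sampleScripts[1]).reason);
```

The two-level check is the part worth noticing: the page's own host must be allowed before anything runs, and then every script origin is judged on its own, which is exactly why allowing a site does not automatically allow the ad network it embeds. The real extension also covers plugins, frames and cross-site request filtering, none of which this sketch attempts.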

Now the politics. According to the report, the people who found this exploit claim to know of about thirty others and do not plan to help the Firefox developers fix them. To say this annoys some people would be an understatement; here's just one quote from the comments:

(Laker Netman)

I'm not "free" to yell "Fire!" in a theatre. I'm not "free" to ignore traffic signals if they inconvenience me. I'm not "free" to jeopardize the national security of my country.

These people shouldn't be "free" to expound on their intellectual prowess <cough> and then say "We know what's going on, but we're not telling". They are immature, little brats and should be made accountable to the system they are part of whether they realize or accept that fact or not.

I can understand the frustration and anger, but consider this: there's absolutely nothing anyone can do about it. Laws requiring disclosure of such hacks would simply be ignored, or trivialized with false information:

"Just type http://about:foobah to see the exploit. What, you say that doesn't show it? Oops, my mistake, I was sure that it did."

Hacks and exploits are simply a fact of life. If you are a habitual visitor of suspicious sites, it's not at all a bad idea to do your browsing in a VM such as VMware's Browser Appliance (www.vmware.com/vmtn/appliances/directory/browserapp.html, link dead, sorry). Just remember that the VM only contains the damage; you still have to roll it back to a clean snapshot after a visit to something nasty.





4 comments




© Anthony Lawrence







Tue Oct 3 18:51:46 2006: 2495   bruceg2004


Just a joke?

I guess this was more of an attempt to get people to install the noscript plugin? I just came across this site on digg:

(link)

- Bruce







Tue Oct 3 20:14:15 2006: 2496   TonyLawrence

Well, that sure was a knee slapper :-)



Wed Oct 4 10:15:12 2006: 2498   TonyLawrence

It's also possible that the "joke" is plausible denial - deny that it's real to dampen the interest?



Wed Oct 4 20:19:28 2006: 2502   bruceg2004


Dunno, but I did not slap my knees, more like my forehead when I first read it. I still don't know what to believe, do you? I guess anyone could say "Hey, your app has 30 security flaws, and I am not going to let you know what they are - good luck" and drive the dev team to insanity trying to comb through their code.

Although, they do point out that any kind of client side scripting is a bad idea. Look where ActiveX got IE.

I guess time will tell, and if worst comes to worst, just have people disable javascript from any untrusted sites, and hope for the best.

- Bruce



