A possibly very dangerous Javascript exploit for Firefox has been reported.
Before we get into the politics, you should install the Firefox NoScript plugin to counter this. Put simply, it doesn't shut off Javascript altogether; instead it lets you control, site by site, whether scripts can run. You can leave Javascript running on sites you trust and shut it off everywhere else. That's probably all you need to do to deal with this problem.
By the way, you'll probably find that the most common use of Javascript at most sites is for things like Google Ads. If you don't allow Google Syndication, the ads disappear from view. That may be good or bad, depending on your point of view.
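To make the "site basis" idea concrete, here is an added example (mine, not code from the original post or from NoScript itself) that models the per-site decision NoScript makes: a script runs only if its origin is on your trusted list, and a trusted page that pulls in a third-party ad script still has that script blocked unless the ad host is trusted too. The page and script URLs are constructed samples; `example.com` stands in for whatever site you trust.

```javascript
// Added example, not NoScript's code: a simplified per-site script allowlist.
// A trusted hostname covers its subdomains as well. NoScript's real rules
// (protocol handling, temporary permissions, etc.) are richer; only the
// site-by-site allow/block decision is modelled here.

const TRUSTED_SITES = ["example.com"]; // constructed sample allowlist

// True if `host` is a trusted site or a subdomain of one. The leading "."
// in the suffix test stops "notexample.com" from matching "example.com".
function isTrustedHost(host, trusted = TRUSTED_SITES) {
  const h = host.toLowerCase();
  return trusted.some((site) => h === site || h.endsWith("." + site));
}

// Decide whether one <script> on the page at `pageUrl` may run.
// `src` is the script's src attribute (absolute or relative), or null for
// an inline script, which belongs to the page and follows the page's host.
function scriptDecision(pageUrl, src, trusted = TRUSTED_SITES) {
  const page = new URL(pageUrl);
  const origin = src === null ? page : new URL(src, page);
  return { host: origin.hostname, allowed: isTrustedHost(origin.hostname, trusted) };
}

// Evaluate every script on a page and return the per-script decisions.
function evaluatePage(pageUrl, scriptSrcs, trusted = TRUSTED_SITES) {
  return scriptSrcs.map((src) => scriptDecision(pageUrl, src, trusted));
}

// Constructed sample: a trusted page loading its own script, an inline
// script, and a Google Syndication ad script from a third-party host.
const SAMPLE_PAGE = "http://www.example.com/Blog/post.html";
const SAMPLE_SCRIPTS = [
  "/js/menu.js",                                             // first-party
  null,                                                      // inline
  "http://pagead2.googlesyndication.com/pagead/show_ads.js", // third-party ad
];

for (const d of evaluatePage(SAMPLE_PAGE, SAMPLE_SCRIPTS)) {
  console.log(`${d.host}: ${d.allowed ? "run" : "blocked"}`);
}
```

Adding `googlesyndication.com` to the trusted list is exactly the choice the paragraph above describes: the ads come back, and so does any script that host serves.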
Now the politics. According to the report referenced above, the folks who found this exploit claim to know about thirty others and do not plan on helping the Firefox folk fix them. To say this annoys some people would be an understatement; here's just one quote from the comments:
(Laker Netman)
I'm not "free" to yell "Fire!" in a theatre. I'm not "free" to ignore traffic signals if they inconvenience me. I'm not "free" to jeopardize the national security of my country.
These people shouldn't be "free" to expound on their intellectual prowess <cough> and then say "We know what's going on, but we're not telling".
They are immature little brats and should be made accountable to the system they are part of whether they realize or accept that fact or not.
I can understand the frustration and anger, but consider this: there's absolutely nothing anyone can do about it. Laws requiring disclosure of such hacks would simply be ignored, or trivialized with false information:
"Just type http://about:foobah to see the exploit.. what, you say that doesn't show it? Oops, my mistake - I was sure that it did."
Hacks and exploits are simply a fact of life. It's not at all a bad idea to do your browsing in a VM like VMware's Browser Appliance if you are a habitual visitor of suspicious sites.
Tue Oct 3 18:51:46 2006: Subject: bruceg2004
Just a joke?
I guess this was more of an attempt to get people to install the noscript plugin? I just came across this site on digg:
http://www.heise-security.co.uk/news/78970
- Bruce
Tue Oct 3 20:14:15 2006: Subject: TonyLawrence
Well, that sure was a knee slapper :-)
Wed Oct 4 10:15:12 2006: Subject: TonyLawrence
It's also possible that the "joke" is plausible denial - deny that it's real to dampen the interest?
Wed Oct 4 20:19:28 2006: Subject: bruceg2004
Dunno, but I did not slap my knees, more like my forehead when I first read it. I still don't know what to believe, do you? I guess anyone could say "Hey, your app has 30 security flaws, and I am not going to let you know what they are - good luck" and drive the dev team to insanity trying to comb through their code.
Although, they do point out that any kind of client-side scripting is a bad idea. Look where ActiveX got IE.
I guess time will tell, and if worse comes to worse, just have people disable javascript from any untrusted sites, and hope for the best.
- Bruce