APLawrence.com -  Resources for Unix and Linux Systems, Bloggers and the self-employed

Firefox Javascript Exploit

© October 2006 Anthony Lawrence


A possibly very dangerous Javascript exploit for Firefox has been reported.

Before we get into the politics, you should install the Firefox NoScript extension to counter this. Simply put, it doesn't shut off Javascript altogether; instead it lets you control, site by site, whether or not it can run. This lets you leave Javascript running on sites you trust and shut it off everywhere else. That's probably all you need to do to deal with this problem.

By the way, you'll probably find that the most common use of Javascript at most sites is for things like Google Ads. If you don't allow Google Syndication, the ads disappear from view. That may be good or bad, depending on your point of view.
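To make the two points above concrete (script is decided per site, and an ad script served from Google Syndication needs its own permission even on a page you trust), here is a small model of a per-origin script allowlist. This is an added illustration, not NoScript's own code or its exact matching rules; it assumes decisions are made on the host a script is loaded from, that an allowlist entry covers that host and its subdomains, and that anything not listed (including javascript: and about: URLs) is denied. The hostnames and script paths in the sample are constructed for the example.

```python
"""Simplified model of a per-site script allowlist (NoScript-style).

Added illustration, not NoScript's code. Assumptions: the decision is made
on the host a script is loaded from, an allowlist entry matches that host
and any subdomain of it, and everything else is denied by default.
"""
from urllib.parse import urlsplit


def script_host(script_url):
    """Return the host a script is loaded from, or None for schemes that
    have no host to trust (javascript:, data:, about:)."""
    parts = urlsplit(script_url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname.lower()


def host_matches(host, allowed):
    """True if host is `allowed` itself or a subdomain of it.
    The leading dot matters: evilaplawrence.com must not match aplawrence.com."""
    return host == allowed or host.endswith("." + allowed)


def script_allowed(script_url, allowlist):
    """Default deny: allow only if the script's host matches an allowlist entry."""
    host = script_host(script_url)
    if host is None:
        return False
    return any(host_matches(host, entry.lower()) for entry in allowlist)


def page_script_decisions(script_urls, allowlist):
    """Decide every script a page tries to load; returns {url: allowed}."""
    return {url: script_allowed(url, allowlist) for url in script_urls}


if __name__ == "__main__":
    # Constructed sample: a trusted site that also embeds a third-party ad script.
    allow = {"aplawrence.com"}
    page = [
        "https://aplawrence.com/js/menu.js",
        "https://www.aplawrence.com/js/search.js",
        "https://pagead2.googlesyndication.com/pagead/show_ads.js",
        "javascript:alert(document.cookie)",
        "https://evilaplawrence.com/x.js",  # look-alike host, must be denied
    ]
    for url, ok in page_script_decisions(page, allow).items():
        print("ALLOW" if ok else "BLOCK", url)
```

Trusting aplawrence.com allows its own scripts (and www.aplawrence.com), but the Google Syndication script is still blocked until googlesyndication.com is added to the allowlist, which is exactly why the ads vanish.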

Now the politics. According to the report referenced above, the folks who found this exploit claim to know about thirty others and do not plan on helping the Firefox folk fix them. To say this annoys some people would be an understatement; here's just one quote from the comments:

(Laker Netman)

I'm not "free" to yell "Fire!" in a theatre. I'm not "free" to ignore traffic signals if they inconvenience me. I'm not "free" to jeopardize the national security of my country.

These people shouldn't be "free" to expound on their intellectual prowess <cough> and then say "We know what's going on, but we're not telling". They are immature, little brats and should be made accountable to the system they are part of whether they realize or accept that fact or not.

I can understand the frustration and anger, but consider this: there's absolutely nothing anyone can do to compel disclosure. Laws requiring disclosure of such hacks would simply be ignored, or trivially satisfied with false information:

"Just type https://about:foobah to see the exploit.. what, you say that doesn't show it? Oops, my mistake - I was sure that it did."

Hacks and exploits are simply a fact of life. If you are a habitual visitor of suspicious sites, it's not at all a bad idea to do your browsing in a VM such as VMware's Browser Appliance (www.vmware.com/vmtn/appliances/directory/browserapp.html; link dead, sorry), so that a compromised browser only gets at a throwaway guest rather than your real system.

Got something to add? Send me email.




Tue Oct 3 18:51:46 2006: 2495   bruceg2004

Just a joke?

I guess this was more of an attempt to get people to install the noscript plugin? I just came across this site on digg:


- Bruce

Tue Oct 3 20:14:15 2006: 2496   TonyLawrence

Well, that sure was a knee slapper :-)

Wed Oct 4 10:15:12 2006: 2498   TonyLawrence

It's also possible that the "joke" is plausible denial - deny that it's real to dampen the interest?

Wed Oct 4 20:19:28 2006: 2502   bruceg2004

Dunno, but I did not slap my knees, more like my forehead when I first read it. I still don't know what to believe, do you? I guess anyone could say "Hey, your app has 30 security flaws, and I am not going to let you know what they are - good luck" and drive the dev team to insanity trying to comb through their code.

Although, they do point out that any kind of client side scripting is a bad idea. Look where ActiveX got IE.

I guess time will tell, and if worst comes to worst, just have people disable javascript on any untrusted sites, and hope for the best.

- Bruce

