Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie
Hi there,
There is an issue with role permissions that is being worked on at the moment.
If you are having trouble with access or permissions on regional forums please post here to get access: https://www.boards.ie/discussion/2058365403/you-do-not-have-permission-for-that#latest

Firefox Exploit

  • 09-05-2005 5:22am
    #1
    Registered Users, Registered Users 2 Posts: 21,264 ✭✭✭✭


    Just heads up for anyone who doesn't read Mozillazine. There currently exists an exploit in Firefox. Fix is in progress (as well as mozilla website changed to mitigate the exploit).

    Anyway quick and short of it is if you are worried, disable javascript until the next patch. Tools->Options menu, select web features and then switch off javascript.

    The exploit requires that you whitelist the site in question that wants to install the exploit.

    http://www.mozillazine.org/
    http://secunia.com/advisories/15292/

    Another (probably better) solution is to switch off the ability for websites to install software on your machine, and blank the whitelist (overkill).


Comments

  • Registered Users, Registered Users 2 Posts: 1,184 ✭✭✭causal


    Just to make this easy if you're not too familiar with Firefox (like me)

    Navigate to: Tools > Options > Web Features

    Personally, I have unchecked (i.e. disabled):
    - Allow websites to install software
    - Enable Java
    - Enable Javascript

    causal


  • Closed Accounts Posts: 17,208 ✭✭✭✭aidan_walsh


    Java is not the same as Javascript (the fact that people think it is, and still spread this disinformation makes me weep sometimes), you won't need to disable that.


  • Registered Users, Registered Users 2 Posts: 1,184 ✭✭✭causal


    Java is not the same as Javascript (the fact that people think it is, and still spread this disinformation makes me weep sometimes), you won't need to disable that.
    I never said nor implied that Java was Javascript :mad:
    I disabled Java because it can be used to get your internal IP address.

    causal


  • Registered Users, Registered Users 2 Posts: 4,573 ✭✭✭Infini


    Here as well.
    http://informationweek.com/story/showArticle.jhtml?articleID=163100338
    Also you can disable the allow websites to install plugins feature in the web Features section. Wouldn't that help?


  • Registered Users, Registered Users 2 Posts: 1,184 ✭✭✭causal


    To see why you should consider disabling Java in your browser:

    Go here http://www.auditmypc.com/whats-my-ip.asp
    - try it with Java enabled
    - then try it with Java disabled

    Note that certain browser functions won't work when you disable the items I described in my earlier post.

    causal


  • Advertisement
  • Registered Users, Registered Users 2 Posts: 1,865 ✭✭✭Syth


    Firefox doesn't let the user install stuff unless they explicitly allow a site to install software. I don't know if it's possible to allow any site to install software (maybe using wildcards in the 'allowed sites' field), but then again you'd have to go out of your way to do it. My worry level is low.


  • Closed Accounts Posts: 731 ✭✭✭jman0


    Syth wrote:
    Firefox doesn't let the user install stuff unless they explicitly allow a site to install software. I don't know if it's possible to allow any site to install software (maybe using wildcards in the 'allowed sites' field), but then again you'd have to go out of your way to do it. My worry level is low.

    You should read about the security hole

    "According to MozillaZine an independent Mozilla news, community and advocacy site. The second flaw is more serious and involves the software installation dialogue, which is used to ask the user if they wish to install software (such as an extension) from a website.

    “In Mozilla Firefox (but not the Mozilla Application Suite), this dialogue can include an icon, which is supplied by the site as a URL to an image file. Due to insufficient checking, this icon URL can actually be a piece of JavaScript code, which is run with no further prompting. As this code actually runs from the software installation dialogue, rather than a webpage, it is executed with 'full chrome privileges', meaning that it can do anything that the user running Firefox can, including installing software or deleting files. This is the more serious flaw, allowing arbitrary software execution, and only affects Mozilla Firefox. It can prevented by disabling software installation"
    http://www.pocket-lint.co.uk/news.php?newsId=1196


  • Registered Users, Registered Users 2 Posts: 1,865 ✭✭✭Syth


    Oh my bad. Wow, pretty impressive exploit.


Advertisement