LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 02-23-2010, 02:55 AM   #151
H_TeXMeX_H
Guru
 
Registered: Oct 2005
Location: $RANDOM
Distribution: slackware64
Posts: 12,928
Blog Entries: 2

Rep: Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269

Quote:
Originally Posted by Stroker View Post
From your link
Secunia Advisory

Follow the "Original Advisory" url in which it states:



Apparently, it's a MS problem and limited to XP an Vista only.
That's what I thought, the "execute arbitrary code" ones usually are.

Also, this may not even work on Window$, as per the blog and comments posted ... it is not reproducible.
 
Old 02-23-2010, 05:29 AM   #152
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Original Poster
Rep: Reputation: 371Reputation: 371Reputation: 371Reputation: 371
Quote:
Originally Posted by H_TeXMeX_H View Post
That's what I thought, the "execute arbitrary code" ones usually are.
Could you elaborate a bit, please? Is it your gut feeling or do you have statistics to back that up? I'm not attacking your claim, I'm just honestly curious as to how you've reached this conclusion.

Last edited by win32sux; 02-23-2010 at 05:34 AM.
 
Old 02-23-2010, 05:45 AM   #153
GazL
Senior Member
 
Registered: May 2008
Posts: 3,392

Rep: Reputation: 918Reputation: 918Reputation: 918Reputation: 918Reputation: 918Reputation: 918Reputation: 918Reputation: 918
From what I've seen so far, all we know is that the written 'exploit' is for Windows. There's nothing to suggest that the underlying 'vulnerability' isn't more widespread.
 
1 members found this post helpful.
Old 02-23-2010, 06:22 AM   #154
H_TeXMeX_H
Guru
 
Registered: Oct 2005
Location: $RANDOM
Distribution: slackware64
Posts: 12,928
Blog Entries: 2

Rep: Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269
Quote:
Originally Posted by win32sux View Post
Could you elaborate a bit, please? Is it your gut feeling or do you have statistics to back that up? I'm not attacking your claim, I'm just honestly curious as to how you've reached this conclusion.
Well, think about it, "execute arbitrary code", how could this harm your system and what kind of code could it be. By far, statistically, the majority of malicious code is written for Window$, I doubt anyone anywhere will debate that. Furthermore, say you were running this arbitrary code on Linux, what is the worst it could do ? Erase your home folder, read your user's files and send them off, and that's about it. Now, what about on Window$, especially since most people run in admin mode ... it can do a lot more damage, it can install viruses, a rootkit, delete everything on the HDD, maybe even damage hardware. There also exist many bugs in the Window$ kernel that M$ fails to patch, these can be easily exploited even in user mode. Furthermore, when I see "execute arbitrary code" in a web browser context this means ActiveX in most cases, and this truly is dangerous, and Window$ only.

Well, you could just say it's a gut feeling, but not completely unsubstantiated.
 
Old 02-23-2010, 06:42 AM   #155
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Original Poster
Rep: Reputation: 371Reputation: 371Reputation: 371Reputation: 371
Quote:
Originally Posted by H_TeXMeX_H View Post
Well, think about it, "execute arbitrary code", how could this harm your system and what kind of code could it be. By far, statistically, the majority of malicious code is written for Window$, I doubt anyone anywhere will debate that. Furthermore, say you were running this arbitrary code on Linux, what is the worst it could do ? Erase your home folder, read your user's files and send them off, and that's about it. Now, what about on Window$, especially since most people run in admin mode ... it can do a lot more damage, it can install viruses, a rootkit, delete everything on the HDD, maybe even damage hardware. There also exist many bugs in the Window$ kernel that M$ fails to patch, these can be easily exploited even in user mode. Furthermore, when I see "execute arbitrary code" in a web browser context this means ActiveX in most cases, and this truly is dangerous, and Window$ only.

Well, you could just say it's a gut feeling, but not completely unsubstantiated.
Okay, I was actually kind of hoping it was more than a gut feeling. It would be very interesting to know whether arbitrary code execution vulnerabilities in Firefox are more prevalent for certain platforms. The potential effects of exploiting those vulnerabilities (and the circumstances in which they are exploited) is a completely separate issue which isn't what I was asking about. I might look into this matter if I get some free time. Thanks for the reply.

Last edited by win32sux; 02-23-2010 at 06:44 AM.
 
Old 02-23-2010, 10:32 AM   #156
H_TeXMeX_H
Guru
 
Registered: Oct 2005
Location: $RANDOM
Distribution: slackware64
Posts: 12,928
Blog Entries: 2

Rep: Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269
Every article I've seen on this is very vague, and the comments always mention the distinct possibility that it is a hoax. Well, even if it wasn't I bet it has something to do with activex.
 
Old 02-23-2010, 12:24 PM   #157
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Original Poster
Rep: Reputation: 371Reputation: 371Reputation: 371Reputation: 371
Quote:
Originally Posted by H_TeXMeX_H View Post
Every article I've seen on this is very vague, and the comments always mention the distinct possibility that it is a hoax. Well, even if it wasn't I bet it has something to do with activex.
Since when does Firefox do ActiveX?
 
Old 02-23-2010, 01:34 PM   #158
H_TeXMeX_H
Guru
 
Registered: Oct 2005
Location: $RANDOM
Distribution: slackware64
Posts: 12,928
Blog Entries: 2

Rep: Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269
Yeah, it doesn't, oh well.
 
Old 03-02-2010, 01:08 PM   #159
catilley1092
Member
 
Registered: Aug 2009
Location: East Coast, USA
Distribution: Linux Mint "Mate" x64 (primary OS), Win 7/8 x64, XP Home/Pro x32.
Posts: 61

Rep: Reputation: 17
That's what I like about Firefox, none of that Active X crap.
 
Old 03-02-2010, 02:28 PM   #160
H_TeXMeX_H
Guru
 
Registered: Oct 2005
Location: $RANDOM
Distribution: slackware64
Posts: 12,928
Blog Entries: 2

Rep: Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269
Well, technically there is an activex plugin for FF ... who know who's crazy enough to use it ...
 
Old 03-02-2010, 10:53 PM   #161
catilley1092
Member
 
Registered: Aug 2009
Location: East Coast, USA
Distribution: Linux Mint "Mate" x64 (primary OS), Win 7/8 x64, XP Home/Pro x32.
Posts: 61

Rep: Reputation: 17
I certainly would never use it. Active X controls are part of what makes IE a piece of crap for a browser, and makes Windows vulnerable to viruses. That's what I like about Mint and Linux in general, you don't have to go through the daily routine of scanning your system and still get infected, regardless of how careful you are.
 
Old 03-19-2010, 11:56 AM   #162
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Original Poster
Rep: Reputation: 371Reputation: 371Reputation: 371Reputation: 371
Update on Secunia Advisory SA38608

Quote:
Mozilla was contacted by Evgeny Legerov, the security researcher who discovered the bug referenced in the Secunia report, with sufficient details to reproduce and analyze the issue. The vulnerability was determined to be critical and could result in remote code execution by an attacker. The vulnerability has been patched by developers and we are currently undergoing quality assurance testing for the fix.
Complete Post [mozilla.com]

Last edited by win32sux; 03-19-2010 at 12:00 PM.
 
Old 03-19-2010, 11:58 AM   #163
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Original Poster
Rep: Reputation: 371Reputation: 371Reputation: 371Reputation: 371
Mozilla To Fix Vulnerability Claimed To Be Fake...

Quote:
A month ago, Secunia issued an advisory, SA38608, for a vulnerability reported in Firefox 3.6 by Evgeny Legerov and with an exploit bundled in VulnDisco Pack.

Some people were very eager to claim that this vulnerability report was fake - both on the Mozilla blog and our own forum - but Mozilla has now fixed this vulnerability in their Beta build and it will also be included in the upcoming version 3.6.2.

It was not surprising to see some people claim that the vulnerability report was fake; the very weak arguments being made and assumptions these were based on did, however, surprise and can probably be listed as:

1) The vulnerability report is fake because the researcher has not provided details to Mozilla.

2) The vulnerability report is fake because no public details are available.

3) The vulnerability report is fake because the reporter did not adhere to what is commonly referred to as "responsible" disclosure, hence he is a "blackhat", and hence he is not to be trusted.
Complete Post [secunia.com]

Last edited by win32sux; 03-19-2010 at 12:00 PM.
 
Old 03-20-2010, 08:46 PM   #164
catilley1092
Member
 
Registered: Aug 2009
Location: East Coast, USA
Distribution: Linux Mint "Mate" x64 (primary OS), Win 7/8 x64, XP Home/Pro x32.
Posts: 61

Rep: Reputation: 17
Look, for the most part, this is only going to affect Windows users. Mozilla a taking a unfair beating here. It seems perfectly fine that a billionaire corporation (Micro$oft) doesn't release a browser on a regular basis, and IE8 is the same piece of crap that it was a year ago. Mozilla, a corporation largely funded by donations and staffed by volunteers, releases a new browser on a regular basis. They are constantly hard at work fighting a billionaire corporation for market share. I feel far more secure with Firefox than with IE, even on FF's worst day. When there's a problem with FF, they give us a way to report it, they do have to find a workaround for the problem. Remember here, there's not dozens of programmers at Mozilla making six-digit figures, sitting around drinking coffee, then after lunch, going to play golf, like at Micro$oft. The Mozilla staff is hard at work every day, making progress every day, on a shoestring budget. If you don't feel that you're secure with FF, install Wine and use IE6 for a while. I have it on Mint 8 (64 bit), and can't even get the damn thing to update, although there are two critical updates for it. After a couple of days of using that piece of crap, there will be a renewed appreciation for FF.
 
Old 03-20-2010, 09:04 PM   #165
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Original Poster
Rep: Reputation: 371Reputation: 371Reputation: 371Reputation: 371
Quote:
Originally Posted by catilley1092 View Post
Look, for the most part, this is only going to affect Windows users. Mozilla a taking a unfair beating here. It seems perfectly fine that a billionaire corporation (Micro$oft) doesn't release a browser on a regular basis, and IE8 is the same piece of crap that it was a year ago. Mozilla, a corporation largely funded by donations and staffed by volunteers, releases a new browser on a regular basis. They are constantly hard at work fighting a billionaire corporation for market share. I feel far more secure with Firefox than with IE, even on FF's worst day. When there's a problem with FF, they give us a way to report it, they do have to find a workaround for the problem. Remember here, there's not dozens of programmers at Mozilla making six-digit figures, sitting around drinking coffee, then after lunch, going to play golf, like at Micro$oft. The Mozilla staff is hard at work every day, making progress every day, on a shoestring budget. If you don't feel that you're secure with FF, install Wine and use IE6 for a while. I have it on Mint 8 (64 bit), and can't even get the damn thing to update, although there are two critical updates for it. After a couple of days of using that piece of crap, there will be a renewed appreciation for FF.
Uh, why are you getting all defensive about this? Besides, AFAIK it wasn't Mozilla that was taking a beating, it was Secunia. Mozilla had even gone ahead and let it be known on their security blog that they had no idea what the problem was.

Last edited by win32sux; 03-20-2010 at 09:16 PM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
LXer: Mozilla Thunderbird to Find New Home as Mozilla Foundation Focuses on Mozilla Firefox LXer Syndicated Linux News 0 07-27-2007 09:16 AM
LXer: Mozilla Firefox 1.5.0.8 and Mozilla Thunderbird 1.5.0.8 Released LXer Syndicated Linux News 0 11-09-2006 05:21 PM
LXer: Mozilla Corporation Signs Mozilla Firefox Distribution Deal with RealNetworks LXer Syndicated Linux News 0 08-03-2006 03:21 PM
LXer: Mozilla Firefox and Mozilla Thunderbird 1.5.0.5 Community Test Day LXer Syndicated Linux News 0 07-14-2006 08:54 AM
Mozilla flaws could allow attacks, data access into Firefox & Mozilla web browsers! t3gah Linux - Security 6 04-09-2006 04:00 AM


All times are GMT -5. The time now is 03:19 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration