AR15.COM
10/2/2006 8:07:53 AM EDT
nt
10/2/2006 8:09:27 AM EDT
[#1]
Yeah there was a discussion on Slashdot about this yesterday.  It appears these guys are asshats who don't want to tell anyone what the 'problems' are and will probably try to use them for profit if in fact they actually have anything.
10/2/2006 8:16:58 AM EDT
[#2]
Hackers should be hunted down and executed on sight.
10/2/2006 8:23:50 AM EDT
[#3]

Quoted:


Naturally, Firefox officials were none too happy, reports CNET. The hard-working people from the Mozilla Foundation, which manages Firefox, had hoped for a bit more discretion. Publicizing a Firefox insecurity hurts the browser's image as the safe, spam-free alternative to Microsoft's Internet Explorer. "I think it is unfortunate because it puts users at risk, but that seems to be their goal," groused Window Snyder, head of security for Mozilla.


Oh, those poor Mozilla people.  I guess it is OK that Microsoft gets slammed daily about their products, but if something is wrong with theirs, they want people to keep quiet?  Boo hoo.
10/2/2006 8:31:34 AM EDT
[#4]

Quoted:
Hackers should be hunted down and executed on sight.


Yea, and then we can all just rely on software vendors to find fault in their products and patch them in a timely manner, cuz they're all far more concerned with reliability and security than they are with market share and public opinion.

Sounds like there are a couple snotty kids who found a serious vulnerability and want recognition from it.  Also sounds like the software vendor would rather sweep things under the rug and continue to pretend that they're the rock solid alternative to their competitors which they are not.

If automotive companies handled recalls like software companies handle security flaws, they'd all be out of business inside five years from wrongful death suits.  MANY times the "hackers" find a flaw and notify the vendor only to have the vendor ignore them and the issue completely.  Often full public disclosure is the only thing that gets the vendor working on a fix.  Been going on that way for years.
10/2/2006 8:34:53 AM EDT
[#5]

Quoted:
Naturally, Firefox officials were none too happy, reports CNET. The hard-working people from the Mozilla Foundation, which manages Firefox, had hoped for a bit more discretion. Publicizing a Firefox insecurity hurts the browser's image as the safe, spam-free alternative to Microsoft's Internet Explorer. "I think it is unfortunate because it puts users at risk, but that seems to be their goal," groused Window Snyder, head of security for Mozilla.


translation: our shit don't stink.

And who names their kid Window?
10/2/2006 8:36:46 AM EDT
[#6]

Quoted:

Quoted:


Naturally, Firefox officials were none too happy, reports CNET. The hard-working people from the Mozilla Foundation, which manages Firefox, had hoped for a bit more discretion. Publicizing a Firefox insecurity hurts the browser's image as the safe, spam-free alternative to Microsoft's Internet Explorer. "I think it is unfortunate because it puts users at risk, but that seems to be their goal," groused Window Snyder, head of security for Mozilla.


Oh, those poor Mozilla people.  I guess it is OK that Microsoft gets slammed daily about their products, but if something is wrong with theirs, they want people to keep quiet?  Boo hoo.


You misunderstand.  Mozilla wants to know what the problem is so they can fix it immediately.  These clowns who discovered it are not releasing the details.
10/2/2006 8:37:36 AM EDT
[#7]

Quoted:
Hackers should be hunted down and executed on sight.



Thus lives on the misuse of the term 'hacker'.  


You're talking about CRACKERS, not hackers.  A cracker is someone who tries to break things, by finding exploits and flaws, and writes or propagates things like viruses and worms.  Crackers intend to cause havoc and destruction.

HACKERS on the other hand, are inventive people who try to get around common obstacles by coming up with new and inventive ways to solve problems.


Anyway, that's the way it was, but the term 'hacker' or 'hacking' has been used for the malicious people.  
10/2/2006 8:39:29 AM EDT
[#8]

Quoted:
Yeah there was a discussion on Slashdot about this yesterday.  It appears these guys are asshats who don't want to tell anyone what the 'problems' are and will probably try to use them for profit if in fact they actually have anything.


Oh please... Mozilla has been caught several times hiding critical flaws they knew about for months and months. Now they are squealing when the public is warned.

10/2/2006 8:39:58 AM EDT
[#9]
Opera is too awesome to go back to FireFox.

I'd highly, highly suggest Opera 8.53.  I don't like the newest one, it didn't work correctly, but they may have fixed it... either way, learn mouse gestures and you'll never go back to FireFox.
10/2/2006 8:41:17 AM EDT
[#10]

Quoted:

Quoted:
Hackers should be hunted down and executed on sight.



Thus lives on the misuse of the term 'hacker'.  


You're talking about CRACKERS, not hackers.  A cracker is someone who tries to break things, by finding exploits and flaws, and writes or propagates things like viruses and worms.  Crackers intend to cause havoc and destruction.

HACKERS on the other hand, are inventive people who try to get around common obstacles by coming up with new and inventive ways to solve problems.


Anyway, that's the way it was, but the term 'hacker' or 'hacking' has been used for the malicious people.  


I don't give a shit what they are called..they should be dealt with, harshly.
10/2/2006 8:44:02 AM EDT
[#11]

Quoted:

Quoted:

Quoted:
Hackers should be hunted down and executed on sight.



Thus lives on the misuse of the term 'hacker'.  


You're talking about CRACKERS, not hackers.  A cracker is someone who tries to break things, by finding exploits and flaws, and writes or propagates things like viruses and worms.  Crackers intend to cause havoc and destruction.

HACKERS on the other hand, are inventive people who try to get around common obstacles by coming up with new and inventive ways to solve problems.


Anyway, that's the way it was, but the term 'hacker' or 'hacking' has been used for the malicious people.  


I don't give a shit what they are called..they should be dealt with, harshly.


exposing a flaw in a major web browser is a BAD THING? then you should be hunting me down cause I've done much worse, I've, GASP, found flaws in MAJOR OPERATING SYSTEMS AND MADE BUG REPORTS.

ohs nos! the horror!
10/2/2006 8:45:22 AM EDT
[#12]

Quoted:

Quoted:

Quoted:


Naturally, Firefox officials were none too happy, reports CNET. The hard-working people from the Mozilla Foundation, which manages Firefox, had hoped for a bit more discretion. Publicizing a Firefox insecurity hurts the browser's image as the safe, spam-free alternative to Microsoft's Internet Explorer. "I think it is unfortunate because it puts users at risk, but that seems to be their goal," groused Window Snyder, head of security for Mozilla.


Oh, those poor Mozilla people.  I guess it is OK that Microsoft gets slammed daily about their products, but if something is wrong with theirs, they want people to keep quiet?  Boo hoo.


You misunderstand.  Mozilla wants to know what the problem is so they can fix it immediately.  These clowns who discovered it are not releasing the details.


LOL... : "fix it immediately",  Mozilla? "fix it immediately"

No, Mozilla wants to hide the problem which is their SOP.

In each of the last 4 quarters there have been more critical flaws discovered in Firefox than in IE… Mozilla does not want people to know this and they have been caught hiding flaws they knew about for months, these guys are doing a public service.
10/2/2006 8:46:59 AM EDT
[#13]

Quoted:

Quoted:

Quoted:

Quoted:


Naturally, Firefox officials were none too happy, reports CNET. The hard-working people from the Mozilla Foundation, which manages Firefox, had hoped for a bit more discretion. Publicizing a Firefox insecurity hurts the browser's image as the safe, spam-free alternative to Microsoft's Internet Explorer. "I think it is unfortunate because it puts users at risk, but that seems to be their goal," groused Window Snyder, head of security for Mozilla.


Oh, those poor Mozilla people.  I guess it is OK that Microsoft gets slammed daily about their products, but if something is wrong with theirs, they want people to keep quiet?  Boo hoo.


You misunderstand.  Mozilla wants to know what the problem is so they can fix it immediately.  These clowns who discovered it are not releasing the details.


LOL... : "fix it immediately",  Mozilla? "fix it immediately"

No, Mozilla wants to hide the problem which is their SOP.

In each of the last 4 quarters there have been more critical flaws discovered in Firefox than in IE… Mozilla does not want people to know this and they have been caught hiding flaws they knew about for months, these guys are doing a public service.


First of all, they have an open bug submission system.  Secondly, I'd like to know what exactly it is you're referring to so I can understand whether you are being genuine or just a troll.  Link?
10/2/2006 8:50:04 AM EDT
[#14]
The only reason why IE is hated by everyone is because all of the hackers target it and try to crack the source code.  They don't bother to target Firefox because 99% of the time companies do not use it, but use IE.

MS has plugged so many holes that hackers are having a hard time exploiting IE.  They are now turning to FF......
10/2/2006 8:50:24 AM EDT
[#15]

Quoted:

Quoted:

Quoted:

Quoted:
Hackers should be hunted down and executed on sight.



Thus lives on the misuse of the term 'hacker'.  


You're talking about CRACKERS, not hackers.  A cracker is someone who tries to break things, by finding exploits and flaws, and writes or propagates things like viruses and worms.  Crackers intend to cause havoc and destruction.

HACKERS on the other hand, are inventive people who try to get around common obstacles by coming up with new and inventive ways to solve problems.


Anyway, that's the way it was, but the term 'hacker' or 'hacking' has been used for the malicious people.  


I don't give a shit what they are called..they should be dealt with, harshly.


exposing a flaw in a major web browser is a BAD THING? then you should be hunting me down cause I've done much worse, I've, GASP, found flaws in MAJOR OPERATING SYSTEMS AND MADE BUG REPORTS.

ohs nos! the horror!


I'm not a techno weenie, I live most of my life in the real world, with the exception of time I spend here, to which I have scaled that back.

Whatever the shitbags that enter and destroy networks and steal data are called, they should be dealt with, and harshly.

If there are bonesacks that find flaws and help someone fix it that's fine. But they cross the line..off with their head.
10/2/2006 8:52:00 AM EDT
[#16]

Quoted:

Quoted:
Hackers should be hunted down and executed on sight.



Thus lives on the misuse of the term 'hacker'.  


You're talking about CRACKERS, not hackers.  A cracker is someone who tries to break things, by finding exploits and flaws, and writes or propagates things like viruses and worms.  Crackers intend to cause havoc and destruction.

HACKERS on the other hand, are inventive people who try to get around common obstacles by coming up with new and inventive ways to solve problems.


Anyway, that's the way it was, but the term 'hacker' or 'hacking' has been used for the malicious people.  


There is a thin line there but there is no doubt these 2 guys should be praised for doing a public service. The people bashing them now would have lauded them if they had publicly exposed an IE flaw… but they instead exposed a flaw in the sacred cow of browsers Firefox and so must be vilified and punished.
10/2/2006 8:52:08 AM EDT
[#17]

Quoted:

Quoted:
Yeah there was a discussion on Slashdot about this yesterday.  It appears these guys are asshats who don't want to tell anyone what the 'problems' are and will probably try to use them for profit if in fact they actually have anything.


Oh please... Mozilla has been caught several times hiding critical flaws they knew about for months and months. Now they are squealing when the public is warned.



Here’s my gripe with the “warning the public” argument.

1) Every (and I do mean every) piece of software has flaws that are exploitable.
2) 0 day exploits that are made public are impossible to avoid (for anyone)
3) Given number one and two. Any informed individual can assume the “the public” is pre-fucking-warned.
4) These folks are not about “warning” anyone. They are about using security flaws to make money. Mostly illegally.
10/2/2006 8:54:21 AM EDT
[#18]

Quoted:

There is a thin line there but there is no doubt these 2 guys should be praised for doing a public service. The people bashing them now would have lauded them if they had publicly exposed an IE flaw… but they instead exposed a flaw in the sacred cow of browsers Firefox and so must be vilified and punished.


Wow, I just almost posted something that would get me banned... over a browser troll. Hardly worth it.
10/2/2006 8:56:12 AM EDT
[#19]

Quoted:

Quoted:

Quoted:
Hackers should be hunted down and executed on sight.



Thus lives on the misuse of the term 'hacker'.  


You're talking about CRACKERS, not hackers.  A cracker is someone who tries to break things, by finding exploits and flaws, and writes or propagates things like viruses and worms.  Crackers intend to cause havoc and destruction.

HACKERS on the other hand, are inventive people who try to get around common obstacles by coming up with new and inventive ways to solve problems.


Anyway, that's the way it was, but the term 'hacker' or 'hacking' has been used for the malicious people.  


There is a thin line there but there is no doubt these 2 guys should be praised for doing a public service. The people bashing them now would have lauded them if they had publicly exposed an IE flaw… but they instead exposed a flaw in the sacred cow of browsers Firefox and so must be vilified and punished.


There are two general kinds of people in this arena:
1) Legitimate security researchers ("white hats") - These people find the flaw, notify the vendor, wait for a fix, and then release the details.
2) The fame-seeking "black hats" - These people release the exploit for fun and/or profit.  The vendor is left to address the issue that is now in the wild.

Historically speaking, Microsoft is much slower to address critical flaws.  That is where most of the criticism within the community comes from.  Even if the details are kept under wraps the flaw is still there so the longer it takes to get a patch the longer 'crackers' (number 2 above) have to find it.
10/2/2006 8:56:32 AM EDT
[#20]

Quoted:
Hackers should be hunted down and executed on sight.


Guess what - you may develop a piece of software that is 100 percent hacker proof.  Unfortunately, the man administering the software is late on his house payment due to alimony checks he pays to his two ex-wives, and for 10,000 dollars he will sell the password to the highest bidder.  An unimaginable amount of labor went into constructing the Great Wall of China, all for nought - the Mongols bribed the gatekeepers and walked right on through.  NO MATTER how hacker proof you make a system, the human element will be the weak link in the chain.
10/2/2006 8:58:31 AM EDT
[#21]

Quoted:

Quoted:
Hackers should be hunted down and executed on sight.



Thus lives on the misuse of the term 'hacker'.  


You're talking about CRACKERS, not hackers.  A cracker is someone who tries to break things, by finding exploits and flaws, and writes or propagates things like viruses and worms.  Crackers intend to cause havoc and destruction.

HACKERS on the other hand, are inventive people who try to get around common obstacles by coming up with new and inventive ways to solve problems.


Anyway, that's the way it was, but the term 'hacker' or 'hacking' has been used for the malicious people.  


FUCKING CRACKERS......hey wait that don't sound right...
10/2/2006 8:59:12 AM EDT
[#22]

Quoted:

Quoted:
Hackers should be hunted down and executed on sight.


Guess what - you may develop a piece of software that is 100 percent hacker proof.  Unfortunately, the man administering the software is late on his house payment due to alimony checks he pays to his two ex-wives, and for 10,000 dollars he will sell the password to the highest bidder.  An unimaginable amount of labor went into constructing the Great Wall of China, all for nought - the Mongols bribed the gatekeepers and walked right on through.  NO MATTER how hacker proof you make a system, the human element will be the weak link in the chain.


That doesn't change the fact that people of this type should still be shot on sight. Likewise, thieves of any type, virus and malware writers and the like should be too.
10/2/2006 9:01:23 AM EDT
[#23]

Quoted:

Quoted:

There is a thin line there but there is no doubt these 2 guys should be praised for doing a public service. The people bashing them now would have lauded them if they had publicly exposed an IE flaw… but they instead exposed a flaw in the sacred cow of browsers Firefox and so must be vilified and punished.


Wow, I just almost posted something that would get me banned... over a browser troll. Hardly worth it.




Pathetic…
10/2/2006 9:02:52 AM EDT
[#24]
Very often, folks who discover problems such as this work with the vendor to fix it quietly before announcing it.  I'm sure that's what Mozilla would have preferred.  Tough cookie I guess.
10/2/2006 9:03:55 AM EDT
[#25]
It's probably impossible to make anything crack-proof when your average "Hello world" program has 5 bugs in it. No exaggeration.  And all it does is print a single line.

-Foxxz
10/2/2006 9:10:10 AM EDT
[#26]

Quoted:
In each of the last 4 quarters there have been more critical flaws discovered in Firefox than in IE… Mozilla does not want people to know this and they have been caught hiding flaws they knew about for months, these guys are doing a public service.


MS has known about some critical flaws in IE and Windoze for years.

Another zero-day threat hits Windows

By Joris Evers
http://news.com.com/Another+zero-day+threat+hits+Windows/2100-1002_3-6121236.html

Story last modified Fri Sep 29 17:10:03 PDT 2006

Sample code is circulating on the Internet for an attack using a flaw that Microsoft knows about, but has not yet fixed.

On Thursday, Microsoft warned people about a vulnerability in the Windows Shell, the part of the operating system that presents the user interface. The flaw affects Windows 2000, Windows XP and Windows Server 2003 and could be exploited via the Internet Explorer Web browser through a component called WebViewFolderIcon, the company said in an advisory.

"An attacker could host a specially crafted Web site that is designed to exploit this vulnerability through Internet Explorer," Microsoft said. "An attacker who successfully exploited this vulnerability could gain the same user rights as the local user."

While sample exploit code has been published, Microsoft said it has not yet seen any related attacks. The vulnerability was actually discovered two months ago, but the code only surfaced this week, according to the French Security Incident Response Team.

Security monitoring company Secunia deems the issue "extremely critical," its most severe rating. Microsoft said it is working on a fix and plans to release it on Oct. 10 as part of its regular patch cycle. Meanwhile, it suggested several workarounds in its advisory to protect Windows systems.

On Friday, security company Determina provided a third-party fix for the flaw. It is the second time in as many weeks that an outsider has patched a flaw in a Microsoft product. Microsoft does not recommend using such third-party fixes, saying they could cause compatibility problems.

The Windows Shell bug is one of several flaws that are publicly known and for which exploit code is available, but which Microsoft has yet to patch. Cybercrooks are actively exploiting yet-to-be-fixed holes in PowerPoint, Word and IE, Microsoft has acknowledged.

Miscreants are taunting Microsoft with zero-day code, or attack code released immediately after a flaw or patch is made public, experts have said. Some security watchers have started to coin the term "zero-day Wednesday" to come after "Patch Tuesday," Microsoft's patch day on the second Tuesday of each month. Microsoft put its patches on a schedule to give IT managers time to plan and prepare.

Microsoft issued a "critical" security fix for Windows on Tuesday, two weeks before its October scheduled release date. The update repairs a flaw in a Windows component called "vgx.dll" that was being exploited widely in cyberattacks, experts said.
10/2/2006 9:20:07 AM EDT
[#27]
Hackers claim zero-day flaw in Firefox

By Joris Evers
http://news.com.com/Hackers+claim+zero-day+flaw+in+Firefox/2100-1002_3-6121608.html

Story last modified Mon Oct 02 09:44:01 PDT 2006

SAN DIEGO--The open-source Firefox Web browser is critically flawed in the way it handles JavaScript, two hackers said Saturday afternoon.

An attacker could commandeer a computer running the browser simply by crafting a Web page that contains some malicious JavaScript code, Mischa Spiegelmock and Andrew Wbeelsoi said in a presentation at the ToorCon hacker conference here. The flaw affects Firefox on Windows, Apple Computer's Mac OS X and Linux, they said.

"Internet Explorer, everybody knows, is not very secure. But Firefox is also fairly insecure," said Spiegelmock, who in everyday life works at blog company SixApart. He detailed the flaw, showing a slide that displayed key parts of the attack code needed to exploit it.

The flaw is specific to Firefox's implementation of JavaScript, a 10-year-old scripting language widely used on the Web. In particular, various programming tricks can cause a stack overflow error, Spiegelmock said. The implementation is a "complete mess," he said. "It is impossible to patch."

The JavaScript issue appears to be a real vulnerability, Window Snyder, Mozilla's security chief, said after watching a video of the presentation Saturday night. "What they are describing might be a variation on an old attack," she said. "We're going to do some investigating."

Snyder said she isn't happy with the disclosure and release of an apparent exploit during the presentation. "It looks like they had enough information in their slide for an attacker to reproduce it," she said. "I think it is unfortunate because it puts users at risk, but that seems to be their goal."

At the same time, the presentation probably gives Mozilla enough data to fix the apparent flaw, Snyder said. However, because the possible flaw appears to be in the part of the browser that deals with JavaScript, addressing it might be tougher than the average patch, she added. "If it is in the JavaScript Virtual Machine, it is not going to be a quick fix," Snyder said.

The hackers claim they know of about 30 unpatched Firefox flaws. They don't plan to disclose them, instead holding onto the bugs.

Jesse Ruderman, a Mozilla security staffer, attended the presentation and was called up on the stage with the two hackers. He attempted to persuade the presenters to responsibly disclose flaws via Mozilla's bug bounty program instead of using them for malicious purposes such as creating networks of hijacked PCs, called botnets.

"I do hope you guys change your minds and decide to report the holes to us and take away $500 per vulnerability instead of using them for botnets," Ruderman said.

The two hackers laughed off the comment. "It is a double-edged sword, but what we're doing is really for the greater good of the Internet. We're setting up communication networks for black hats," Wbeelsoi said.