__/ [ arachnid ] on Tuesday 03 October 2006 04:59 \__
> This was reported a few days ago:
>
> <http://news.com.com/Hackers+claim+zero-day+flaw+in+Firefox/2100-1002_3-6121608.html>
>
> Hackers claim zero-day flaw in Firefox
>
> SAN DIEGO--The open-source Firefox Web browser is critically flawed
> in the way it handles JavaScript, two hackers said Saturday
> afternoon. Hackers' presentation
>
> An attacker could commandeer a computer running the browser simply by
> crafting a Web page that contains some malicious JavaScript code,
> Mischa Spiegelmock and Andrew Wbeelsoi said in a presentation at the
> ToorCon hacker conference here. The flaw affects Firefox on Windows,
> Apple Computer's Mac OS X and Linux, they said.
>
> <snip>
>
> The hackers claim they know of about 30 unpatched Firefox flaws. They
> don't plan to disclose them, instead holding onto the bugs.
>
> Turns out the vulnerability was a bit overstated by the press:
>
> <http://developer.mozilla.org/devnews/index.php/2006/10/02/update-possible-vulnerability-reported-at-toorcon/>
>
> Update: Possible Vulnerability Reported at Toorcon
>
> We got a chance to talk to Mischa Spiegelmock, the Toorcon speaker
> that reported the potential javascript security issue referenced
> earlier. He gave us more code to work with and also made this
> statement and agreed to let me post it here:
>
> The main purpose of our talk was to be humorous.
What happened to "it's impossible to patch"? Or "one can commandeer any Mac,
Linux, or Windows machine"? Sounds to me as though they were posing. Humour
is only a lame excuse.
Firefox Still Tops IE for Browser Security
,----[ Quote ]
| "Mozilla is forthcoming about vulnerabilities," Levy said, whereas "it
| takes Microsoft far longer to acknowledge vulnerability."
|
| How much longer? "In the last reporting period, the second half of last
| year, Microsoft had acknowledged 13 vulnerabilities. We've now revised it
| to 31. The difference is that now Microsoft has acknowledged these
| vulnerabilities."
|
| [...]
|
| "Mozilla can turn around on a dime," Levy said. "Open-source programmers
| can recognize a problem and patch it in days or weeks."
|
| And as for Microsoft?
|
| "If a vulnerability is reported to Microsoft, Microsoft doesn't
| acknowledge it for at least a month or two. There's always a certain
| lag between knowing about a bug and acknowledging it," Levy said.
`----
http://www.eweek.com/article2/0,1759,1865087,00.asp?kc=EWEWKEMLP093006BOE1