Comments on: milw0rm 9158 “stack overflow” crash not exploitable (CVE-2009-2479) http://blog.mozilla.com/security/2009/07/19/milw0rm-9158-stack-overflow-crash-not-exploitable-cve-2009-2479/ Thu, 19 Nov 2009 15:36:11 -0800 http://wordpress.org/?v=2.8.6 hourly 1 By: Adam http://blog.mozilla.com/security/2009/07/19/milw0rm-9158-stack-overflow-crash-not-exploitable-cve-2009-2479/comment-page-1/#comment-106947 Adam Sat, 15 Aug 2009 14:43:23 +0000 http://blog.mozilla.com/security/?p=120#comment-106947 http://milw0rm.com/exploits/9247 The above link contains the full POC code for an exploit based on Firefox 3.5 I am not happy that Mozilla have brushed this one off as it is a *serious* vulnerability and I a not aware of any patches being released. http://milw0rm.com/exploits/9247

The above link contains the full POC code for an exploit based on Firefox 3.5

I am not happy that Mozilla have brushed this one off as it is a *serious* vulnerability and I a not aware of any patches being released.

]]> By: mercohaulic http://blog.mozilla.com/security/2009/07/19/milw0rm-9158-stack-overflow-crash-not-exploitable-cve-2009-2479/comment-page-1/#comment-106064 mercohaulic Thu, 23 Jul 2009 02:23:29 +0000 http://blog.mozilla.com/security/?p=120#comment-106064 Anyone know about this: http://www.securityfocus.com/advisories/17380 States that Mozilla Firefox has multiple vulnerabilities not found in versions 3.5 and 3.0.12. So Im guessing that the others are and we should patch them to either of these versions? Anyone know about this:
http://www.securityfocus.com/advisories/17380

States that Mozilla Firefox has multiple vulnerabilities not found in versions 3.5 and 3.0.12.
So Im guessing that the others are and we should patch them to either of these versions?

]]> By: cat http://blog.mozilla.com/security/2009/07/19/milw0rm-9158-stack-overflow-crash-not-exploitable-cve-2009-2479/comment-page-1/#comment-106057 cat Tue, 21 Jul 2009 06:11:21 +0000 http://blog.mozilla.com/security/?p=120#comment-106057 I've read this post and the update to Security First. I've also read this article: http://www.theregister.co.uk/2009/07/20/firefox_flaw/ This paragraph concerns me: "Reports by security researchers at the Internet Storm Centre (here) and elsewhere suggest the flaw might lend itself to code injection. Worse still, proof of concept code has been published; a development that normally reduces the odds on whether hacking attacks might follow." To me (a lay person) this reads that it is a vulnerability and it is only a matter of time before this could become a security risk. Correct me if my interpretation is wrong. I would hope that Mozilla issues a priority patch asap in view of this. It is the swift correcting of actual and potential security issues that makes FF my preferred browser. I’ve read this post and the update to Security First. I’ve also read this article: http://www.theregister.co.uk/2009/07/20/firefox_flaw/

This paragraph concerns me:

“Reports by security researchers at the Internet Storm Centre (here) and elsewhere suggest the flaw might lend itself to code injection. Worse still, proof of concept code has been published; a development that normally reduces the odds on whether hacking attacks might follow.”

To me (a lay person) this reads that it is a vulnerability and it is only a matter of time before this could become a security risk. Correct me if my interpretation is wrong. I would hope that Mozilla issues a priority patch asap in view of this. It is the swift correcting of actual and potential security issues that makes FF my preferred browser.

]]> By: Michael Lefevre http://blog.mozilla.com/security/2009/07/19/milw0rm-9158-stack-overflow-crash-not-exploitable-cve-2009-2479/comment-page-1/#comment-106049 Michael Lefevre Mon, 20 Jul 2009 15:29:13 +0000 http://blog.mozilla.com/security/?p=120#comment-106049 @Freezer: I'm sure they are not saying it isn't malicious instead of fixing it. They are saying it isn't malicious as well as fixing it (but I guess that will happen in one of the future regular updates, rather than having a special release just to fix this). It's an unfortunate fact that there are dozens of ways for web pages to crash or hang Firefox. The same applies to all other browsers. Which is why IE, Chrome, and in future Firefox, are putting different pages in different processes, so you only lose the one that has crashed. @Freezer: I’m sure they are not saying it isn’t malicious instead of fixing it. They are saying it isn’t malicious as well as fixing it (but I guess that will happen in one of the future regular updates, rather than having a special release just to fix this).

It’s an unfortunate fact that there are dozens of ways for web pages to crash or hang Firefox. The same applies to all other browsers. Which is why IE, Chrome, and in future Firefox, are putting different pages in different processes, so you only lose the one that has crashed.

]]> By: Transcontinental http://blog.mozilla.com/security/2009/07/19/milw0rm-9158-stack-overflow-crash-not-exploitable-cve-2009-2479/comment-page-1/#comment-106046 Transcontinental Mon, 20 Jul 2009 13:27:05 +0000 http://blog.mozilla.com/security/?p=120#comment-106046 I'm not saying this is, but I assume it could be now or it may be one day: as the browsers' war is becoming tougher, as Firefox is gaining more and more users as popularity, assertions of insecurity will rise based on the slightest cough. This is still our world: do it, should it be by all means. Firefox has always been and remains the leader in terms of security and privacy, patches are issued quickly, but let not the fact of transparency blind us to an insecurity which would not be the case of other browsers' because of opacity in publication of flaws. I remain puzzled to observe how some bloggers shoot - or try to shoot - a browser on the first opportunity they have. Future is that of fairness and fraternity, also because common problems concern all, browsers included. I remain A Firefox user, not only for the browser I experiment 16 hours a day as secure, fast, stable, but also as an admirer of the Mozilla philosophy. I’m not saying this is, but I assume it could be now or it may be one day: as the browsers’ war is becoming tougher, as Firefox is gaining more and more users as popularity, assertions of insecurity will rise based on the slightest cough. This is still our world: do it, should it be by all means.
Firefox has always been and remains the leader in terms of security and privacy, patches are issued quickly, but let not the fact of transparency blind us to an insecurity which would not be the case of other browsers’ because of opacity in publication of flaws.
I remain puzzled to observe how some bloggers shoot – or try to shoot – a browser on the first opportunity they have. Future is that of fairness and fraternity, also because common problems concern all, browsers included.
I remain A Firefox user, not only for the browser I experiment 16 hours a day as secure, fast, stable, but also as an admirer of the Mozilla philosophy.

]]> By: Larry Seltzer http://blog.mozilla.com/security/2009/07/19/milw0rm-9158-stack-overflow-crash-not-exploitable-cve-2009-2479/comment-page-1/#comment-106045 Larry Seltzer Mon, 20 Jul 2009 13:22:27 +0000 http://blog.mozilla.com/security/?p=120#comment-106045 I've followed up on this on Bugzilla (https://bugzilla.mozilla.org/show_bug.cgi?id=504342) I’ve followed up on this on Bugzilla (https://bugzilla.mozilla.org/show_bug.cgi?id=504342)

]]> By: Daniel Veditz http://blog.mozilla.com/security/2009/07/19/milw0rm-9158-stack-overflow-crash-not-exploitable-cve-2009-2479/comment-page-1/#comment-106040 Daniel Veditz Mon, 20 Jul 2009 06:52:51 +0000 http://blog.mozilla.com/security/?p=120#comment-106040 We're saying it isn't malicious because press reports are spreading incorrect information and scaring people. We’re saying it isn’t malicious because press reports are spreading incorrect information and scaring people.

]]> By: Freezer http://blog.mozilla.com/security/2009/07/19/milw0rm-9158-stack-overflow-crash-not-exploitable-cve-2009-2479/comment-page-1/#comment-106039 Freezer Mon, 20 Jul 2009 06:43:02 +0000 http://blog.mozilla.com/security/?p=120#comment-106039 Oh please! It doesn't convince me. I'm a layman and a diehard firefox user and i would expect you to fix it instead of saying it isn't malicious. Please fix it because i like FF so much. Oh please! It doesn’t convince me. I’m a layman and a diehard firefox user and i would expect you to fix it instead of saying it isn’t malicious. Please fix it because i like FF so much.

]]> By: buzza http://blog.mozilla.com/security/2009/07/19/milw0rm-9158-stack-overflow-crash-not-exploitable-cve-2009-2479/comment-page-1/#comment-106038 buzza Mon, 20 Jul 2009 04:36:19 +0000 http://blog.mozilla.com/security/?p=120#comment-106038 yes nice to know that mozilla is kind enough to test firefox ON linux (NOT). Yet another reason why i can't wait for chrome to become better. yes nice to know that mozilla is kind enough to test firefox ON linux (NOT). Yet another reason why i can’t wait for chrome to become better.

]]> By: cat http://blog.mozilla.com/security/2009/07/19/milw0rm-9158-stack-overflow-crash-not-exploitable-cve-2009-2479/comment-page-1/#comment-106037 cat Mon, 20 Jul 2009 03:48:10 +0000 http://blog.mozilla.com/security/?p=120#comment-106037 This post is about this > http://www.malwarebytes.org/forums/index.php?showtopic=19644 right? Could you please clarify if it is safe to enable JavaScript in FF 3.5.1? I read your post and decided it was, until I read the edit re FF crashing on PoC on Windows and now I'm confused. (The edit and the details of Larry Seltzer's comment go way above my head, so I just want to be sure). Thanks. :) This post is about this > http://www.malwarebytes.org/forums/index.php?showtopic=19644 right?

Could you please clarify if it is safe to enable JavaScript in FF 3.5.1? I read your post and decided it was, until I read the edit re FF crashing on PoC on Windows and now I’m confused. (The edit and the details of Larry Seltzer’s comment go way above my head, so I just want to be sure).

Thanks. :)

]]>