[Dailydave] Firefox bugs
security curmudgeon
jericho at attrition.org
Tue Oct 3 17:16:58 Local tim 2006
http://developer.mozilla.org/devnews/index.php/2006/10/02/update-possible-vulnerability-reported-at-toorcon
On Tue, 3 Oct 2006, Dave Aitel wrote:
:
: Didn't you post on your weblog some stuff about Chrome: being buggy?
: It's completely believable to have a chrome: context issue in Firefox.
: I recall you said something about iterators, but I don't have a
: Mozilla developer account so I can't look at the diff.
:
: Are the slides/full PoC available publicly?
: -dave
:
: Thor Larholm wrote:
: > Their PoC, both the one in their slides and the full PoC, is
: > nothing more than an out-of-memory crash, of which Firefox already
: > has plenty. They were still struggling to write a working exploit
: > days after the presentation, even though they claimed to have just
: > that during the presentation.
: >
: > Long story short, the bug is just a bug - not a vulnerability.
: >
: >
: > Regards Thor Larholm
: >
: >
: > Dave Aitel wrote:
: >
: > For those of you under a rock, there's a new Firefox bug:
: > http://developer.mozilla.org/devnews/
: >
: > I read somewhere that the PoC was posted to the web, but I can't
: > find it anywhere.
: >
: > For those of you who watched the HP testimony on cspan.org, you may
: > have noticed that ReadNotify was used in a prior DD posting. DD
: > goes out to maybe 2500 people last time I checked...and I got under
: > a hundred readnotify responses. This corresponds with my last use
: > of web bugs against someone trying to blackmail one of my clients.
: > It just didn't work. This was the one big tool in the FBI/NYPD's
: > toolbox, and it's been broken during the fight against spammers. We
: > had to do a statistical analysis of all the web page accesses to
: > get close.
: >
: > Anyways, our congresscritters think that SPYWARE==WEB BUG. And it's
: > not true. Someone needs to call them and explain it slowly.
: >
: > -dave
: _______________________________________________
: Dailydave mailing list
: Dailydave at lists.immunitysec.com
: http://lists.immunitysec.com/mailman/listinfo/dailydave