Firefox Exploit



#1 Ivanhoe
Posted 07 May 2016 - 1036 AM

For those of you Neanderthals still using Firefox, check your extensions/addons against this list;

[Image: top-10-firefox-addons.png]

Details here.

The vulnerability is the result of a lack of add-on isolation in the Firefox extension architecture. By design, Firefox allows all JavaScript extensions installed on a system to share the same JavaScript namespace, which is a digital container of specific identifiers, functions, methods, and other programming features used in a particular set of code. The shared namespace makes it possible for extensions to read from and write to global variables defined by other add-ons, to call or override other global functions, and to modify instantiated objects. The researchers said that a newer form of Firefox extension built on the alternative JetPack foundation theoretically provides the isolation needed to prevent cross-extension calls. In practice, however, JetPack extensions often contain enough non-isolated legacy code to make them vulnerable.

My conclusions:

1- This further supports my assertion that client-side scripting is the work of the Devil.

2- This further supports my assertion that JavaScript is the work of the Devil.

3- The academic CS community is still out to lunch concerning software architecture and development, particularly in translating the body of knowledge concerning secure programming practices into everyday processes and standards*.

I've been noodling around with the about:config settings in Firefox (well, Waterfox) and it's blindingly obvious that the browser-dev community is operating far above its collective competence level (preloading content from hyperlinks on a page? Really?).


* How many decades did it take for the CS community to acknowledge that it had a monstrous problem with memory mismanagement in C programs?

  • 0
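
The shared-namespace behaviour described in the paragraph quoted in the post above, as an added example that is not part of the original thread and is not Firefox code: a constructed JavaScript model in which two hypothetical add-ons (`addonA`, `addonB`) are loaded first into one shared namespace and then into separate ones, plus an audit helper that lists global names written by more than one add-on. All function and variable names are assumptions made for the illustration.

```javascript
// Constructed model, not Firefox code: each hypothetical "add-on" is a
// function that defines its globals on the namespace object it is given.
function addonA(ns) {
  ns.allowedHosts = ["example.org"];
  ns.isAllowed = (host) => ns.allowedHosts.includes(host);
  return { check: (host) => ns.isAllowed(host) };
}

// A second hypothetical add-on that happens to use the same global names.
function addonB(ns) {
  ns.allowedHosts = [];       // replaces A's variable when ns is shared
  ns.isAllowed = () => true;  // replaces A's function when ns is shared
  return {};
}

// Legacy-style loading: every add-on defines globals on the same object.
function loadShared(addons) {
  const shared = {};
  return addons.map((init) => init(shared));
}

// Isolated loading: every add-on gets a namespace object of its own.
function loadIsolated(addons) {
  return addons.map((init) => init({}));
}

// Audit: load through a Proxy that records which add-on writes each global,
// then report the names written by more than one add-on.
function findCollisions(addons) {
  const writers = new Map(); // global name -> Set of add-on names
  let current = null;
  const ns = new Proxy({}, {
    set(obj, key, value) {
      if (!writers.has(key)) writers.set(key, new Set());
      writers.get(key).add(current);
      obj[key] = value;
      return true;
    },
  });
  for (const init of addons) { current = init.name; init(ns); }
  return [...writers].filter(([, w]) => w.size > 1).map(([k]) => k).sort();
}

// A's check on a host it never listed: shared namespace first, then isolated.
function demo() {
  const [sharedA] = loadShared([addonA, addonB]);
  const [isolatedA] = loadIsolated([addonA, addonB]);
  return [sharedA.check("unlisted.invalid"), isolatedA.check("unlisted.invalid")];
}
```

In the shared case A's check passes for a host A never listed, because the function it calls is no longer its own; with separate namespaces the same check fails as A intended.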

#2 CT96
Posted 08 May 2016 - 2226 PM

If you have a computer, and you've ever connected it to the internet in any way, you are at risk. That's the reality of today. Even with best practices, you can still get pwned. 0-days are out in the wild, and you never know for sure if/when you've been nailed by one. 

That said, keep your shit updated, use best practices, and be careful what you actually put on anything that ever touches the internet. 

I have heard it said: "Those who can, do. Those who can't, program for the web." and I have seen very little to dissuade me from agreeing.  


  • 0

#3 rmgill
Posted 08 May 2016 - 2257 PM

Uhhh.
  • 0