Comments on: Firefox 3.6’s “0-Day” and You http://hackademix.net/2010/03/22/firefox-36s-0-day-and-you/ Giorgio Maone's answers to the Web, the Universe, and Everything Wed, 08 Feb 2012 11:49:35 +0000 http://wordpress.org/?v=2.2.3 By: hackademix.net » Why NoScript Blocks Web Fonts http://hackademix.net/2010/03/22/firefox-36s-0-day-and-you/#comment-22774 hackademix.net » Why NoScript Blocks Web Fonts Wed, 24 Mar 2010 11:05:22 +0000 http://hackademix.net/2010/03/22/firefox-36s-0-day-and-you/#comment-22774 [...] Firefox 3.6’s “0-Day” and You 24 03 2010 [...] […] Firefox 3.6’s “0-Day” and You 24 03 2010 […]

]]> By: Twitter Trackbacks for hackademix.net » Firefox 3.6's "0-Day" and You [hackademix.net] on Topsy.com http://hackademix.net/2010/03/22/firefox-36s-0-day-and-you/#comment-22773 Twitter Trackbacks for hackademix.net » Firefox 3.6's "0-Day" and You [hackademix.net] on Topsy.com Wed, 24 Mar 2010 10:59:28 +0000 http://hackademix.net/2010/03/22/firefox-36s-0-day-and-you/#comment-22773 [...] hackademix.net » Firefox 3.6's "0-Day" and You hackademix.net/2010/03/22/firefox-36s-0-day-and-you – view page – cached Bürger-CERT (”German’s official cyber-security response team”) is warning users against using Firefox until version 3.6.2 (scheduled on March the 30^th) is out, on the assumption that Secunia SA38608 needs to be considered a 0-day threat, but: 1. There’s no evidence of this vulnerability being exploited in the wild, even though paying customers of the VulnDisco security product have been... Read moreBürger-CERT (”German’s official cyber-security response team”) is warning users against using Firefox until version 3.6.2 (scheduled on March the 30^th) is out, on the assumption that Secunia SA38608 needs to be considered a 0-day threat, but: 1. There’s no evidence of this vulnerability being exploited in the wild, even though paying customers of the VulnDisco security product have been given access to a working exploit since February the 1^st. View page Filter tweets [...] […] hackademix.net » Firefox 3.6’s "0-Day" and You hackademix.net/2010/03/22/firefox-36s-0-day-and-you – view page – cached Bürger-CERT (”German’s official cyber-security response team”) is warning users against using Firefox until version 3.6.2 (scheduled on March the 30^th) is out, on the assumption that Secunia SA38608 needs to be considered a 0-day threat, but: 1. There’s no evidence of this vulnerability being exploited in the wild, even though paying customers of the VulnDisco security product have been… Read moreBürger-CERT (”German’s official cyber-security response team”) is warning users against using Firefox until version 3.6.2 (scheduled on March the 30^th) is out, on the assumption that Secunia SA38608 needs to be considered a 0-day threat, but: 1. There’s no evidence of this vulnerability being exploited in the wild, even though paying customers of the VulnDisco security product have been given access to a working exploit since February the 1^st. View page Filter tweets […]

]]> By: Giorgio http://hackademix.net/2010/03/22/firefox-36s-0-day-and-you/#comment-22771 Giorgio Tue, 23 Mar 2010 16:40:56 +0000 http://hackademix.net/2010/03/22/firefox-36s-0-day-and-you/#comment-22771 @<a href="http://hackademix.net/2010/03/22/firefox-36s-0-day-and-you/#comment-22770" rel="nofollow">BC</a>: Exactly this kind of scenario. Current font parsers are rather old, and have been implemented without the "fonts as a possible remote attack vector" mindset. Now that any web page can feed them, fonts are much more dangerous than simple images (which still, from time to time, suffer from codec bugs) and at least as dangerous as generic plugin content. @BC:
Exactly this kind of scenario.
Current font parsers are rather old, and have been implemented without the “fonts as a possible remote attack vector” mindset.
Now that any web page can feed them, fonts are much more dangerous than simple images (which still, from time to time, suffer from codec bugs) and at least as dangerous as generic plugin content.

]]> By: BC http://hackademix.net/2010/03/22/firefox-36s-0-day-and-you/#comment-22770 BC Tue, 23 Mar 2010 14:35:26 +0000 http://hackademix.net/2010/03/22/firefox-36s-0-day-and-you/#comment-22770 What was the original reasoning for blocking embedded fonts? What was the original reasoning for blocking embedded fonts?

]]> By: How do I manually rid my computer of malware and spyware that hijacks my internet browser? | Malware Bouncer | Malware Bites http://hackademix.net/2010/03/22/firefox-36s-0-day-and-you/#comment-22769 How do I manually rid my computer of malware and spyware that hijacks my internet browser? | Malware Bouncer | Malware Bites Tue, 23 Mar 2010 14:31:07 +0000 http://hackademix.net/2010/03/22/firefox-36s-0-day-and-you/#comment-22769 [...] hackademix.net » Firefox 3.6’s “0-Day” and You [...] […] hackademix.net » Firefox 3.6’s “0-Day” and You […]

]]> By: Giorgio http://hackademix.net/2010/03/22/firefox-36s-0-day-and-you/#comment-22764 Giorgio Tue, 23 Mar 2010 08:36:39 +0000 http://hackademix.net/2010/03/22/firefox-36s-0-day-and-you/#comment-22764 @<a href="http://hackademix.net/2010/03/22/firefox-36s-0-day-and-you/#comment-22763" rel="nofollow">Faust</a>: No, it is not Java-related, but don't forget that "embedding" blocked by NoScript are not limited to Java :) Anyway, having analyzed the bug in question <em>before</em> making it, I can confirm that my statement about NoScript protection is correct. <strong>Edit 2010-03-23</strong> Now that details are not embargoed anymore, I can tell you that exploitation required the browser to download a specially crafted web font. The relevant (default) NoScript setting against this is <em>NoScript Options|Embeddings|Forbid @font-face</em>. @Faust:
No, it is not Java-related, but don’t forget that “embedding” blocked by NoScript are not limited to Java :)

Anyway, having analyzed the bug in question before making it, I can confirm that my statement about NoScript protection is correct.

Edit 2010-03-23
Now that details are not embargoed anymore, I can tell you that exploitation required the browser to download a specially crafted web font. The relevant (default) NoScript setting against this is NoScript Options|Embeddings|Forbid @font-face.

]]> By: Faust http://hackademix.net/2010/03/22/firefox-36s-0-day-and-you/#comment-22763 Faust Tue, 23 Mar 2010 05:50:10 +0000 http://hackademix.net/2010/03/22/firefox-36s-0-day-and-you/#comment-22763 So I assume from #3 that this exploit involves java? Haven't yet seen that confirmed. So I assume from #3 that this exploit involves java? Haven’t yet seen that confirmed.

]]> By: Social networkers scared of scam as identity theft hits Russian sites | SocialDaily.info http://hackademix.net/2010/03/22/firefox-36s-0-day-and-you/#comment-22762 Social networkers scared of scam as identity theft hits Russian sites | SocialDaily.info Mon, 22 Mar 2010 21:08:17 +0000 http://hackademix.net/2010/03/22/firefox-36s-0-day-and-you/#comment-22762 [...] hackademix.net » Firefox 3.6's "0-Day" and You [...] […] hackademix.net » Firefox 3.6’s "0-Day" and You […]

]]>