Dailydave mailing list archives
Re: Firefox bugs
From: Dave Aitel <dave () immunityinc com>
Date: Tue, 03 Oct 2006 13:21:45 -0400
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Right, where one of the dude's claim it's all a joke and that his blackhat friend weev hasn't shown him the bug. Seemed like blatant lieing because his company pressured him. A weblog company can't be known to have remote 0day on browsers...no one would ever visit their web page again... - -dave security curmudgeon wrote:
http://developer.mozilla.org/devnews/index.php/2006/10/02/update-possible-vulnerability-reported-at-toorcon On Tue, 3 Oct 2006, Dave Aitel wrote: Didn't you post on your weblog some stuff about Chrome: being buggy? It's completely believable to have a chrome: context issue in Firefox. I recall you said something about iterators, but I don't have a Mozilla developer account so I can't look at the diff. Are the slides/full PoC available publicly? -dave Thor Larholm wrote:Their PoC, both the one in their slides and the full PoC, is nothing more than an out-of-memory crash, of which Firefox already has plenty. They were still struggling to write a working exploit days after the presentation, even though they claimed to have just that during the presentation.Long story short, the bug is just a bug - not a vulnerability.Regards Thor LarholmDave Aitel wrote:For those of you under a rock, there's a new firefox bug: http://developer.mozilla.org/devnews/I read somewhere that the PoC was posted to the web, but I can't find it anywhere.For those of you who watched the HP testemony on cspan.org, you may have noticed that ReadNotify was used in a prior DD posting. DD goes out to maybe 2500 people last time I checked...and I got under a hundred readnotify responses. This corresponds with my last use of web bugs against someone trying to blackmail one of my clients. It just didn't work. This was the one big tool in the FBI/NYPD's toolbox, and it's been broken during the fight against spammers. We had to do a statistical analysis of all the web page accesses to get close.Anyways, our congresscritters think that SPYWARE==WEB BUG. And it's not true. Someone needs to call them and explain it slowly.-dave_______________________________________________ Dailydave mailing list Dailydave () lists immunitysec com http://lists.immunitysec.com/mailman/listinfo/dailydave
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2.1 (Cygwin) iD8DBQFFIpwptehAhL0gheoRAjLqAJ9mwg5+hSSZ0io0ZYdKZecPiq8xYQCfVEHY fljbC2M6DLTlcGfLD+9DupA= =54CG -----END PGP SIGNATURE----- _______________________________________________ Dailydave mailing list Dailydave () lists immunitysec com http://lists.immunitysec.com/mailman/listinfo/dailydave
Current thread:
- Firefox bugs Dave Aitel (Oct 03)
- Re: Firefox bugs Thor Larholm (Oct 03)
- Re: Firefox bugs Dave Aitel (Oct 03)
- Re: Firefox bugs security curmudgeon (Oct 03)
- Re: Firefox bugs Dave Aitel (Oct 03)
- Re: Firefox bugs H D Moore (Oct 03)
- Re: Firefox bugs Dave Aitel (Oct 03)
- Re: Firefox bugs Thor Larholm (Oct 03)
- Re: Firefox bugs Thor Larholm (Oct 03)
- Re: Firefox bugs Matt (Oct 03)
- Re: Firefox bugs Dave Aitel (Oct 03)
- Re: Firefox bugs endrazine (Oct 03)
- Re: Firefox bugs [iRant] Bas Alberts (Oct 03)
- Re: Firefox bugs [iRant] Jared DeMott (Oct 04)
- Re: Firefox bugs Rob Lemos (Oct 04)
- Re: Firefox bugs James (njan) Eaton-Lee (Oct 04)