Full Disclosure mailing list archives
Re: FireFox: Lab Mouse Security: Remote Code Execution via Browser (LZO)
From: Nick Boyce <nick.boyce () gmail com>
Date: Thu, 10 Jul 2014 17:20:41 +0100
On 9 July 2014 18:50, Lee <curtlee2002 () gmail com> wrote:
I know nothing about this, but some friends kept posting a link to this video. I saw nothing about this in the mailing list, so I thought I would post it to see if others have more info. https://www.youtube.com/watch?v=BcCDETzk4zc
Well the video is allegedly uploaded by Don Bailey, who is the person who did the LZO/LZ4 bug research that was recently responsibly reported on the OSS list(s).

And I did notice at the time that one of the postings [1] in the ensuing discussion, from Yves-Alexis Perez, gave a list of potentially affected open-source software which had been identified by a source-code-scanning service. That list included Firefox ... and since then I've been holding my breath waiting for the other shoe to drop.

Maybe this is that other shoe.

I know nothing about the Firefox source-code, or where exactly the vulnerable use of LZO/LZ4 might be. But it's odd that there hasn't been a peep out of Mozilla (e.g. no emergency release announced for ESR or any other channel), despite the vulnerability having been disclosed responsibly on private vendor mailing lists, with a patch available, and plenty of time to coordinate binary releases.

Hey - maybe the bug is real, but the Youtube clip was uploaded by a Bad Guy pretending to be Don, and all those of us (367 at time of writing) who viewed the clip are now pwned :-)

Dammit - if only we'd all signed up for keybase.io's weirdo GPG-key-identifying service [2] then we could all have known whether Youtube Don is really LZO Don ...

Exciting times.

[1] http://seclists.org/oss-sec/2014/q2/676
[2] http://seclists.org/fulldisclosure/2014/Jun/102

Cheers
Nick
--
Blessed are the peacemakers...for they shall be shot at from both sides.
~~ A.M. Greeley

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/