Re: Firefox bugs

[Thor Larholm <thor () polypath com>]

Their PoC, both the one in their slides and the full PoC, is nothing 
more than an out-of-memory crash, of which Firefox already has plenty. 
They were still struggling to write a working exploit days after the 
presentation, even though they claimed to have just that during the 
presentation.

Long story short, the bug is just a bug - not a vulnerability.


Regards
Thor Larholm


Dave Aitel wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> For those of you under a rock, there's a new firefox bug:
> http://developer.mozilla.org/devnews/
>
> I read somewhere that the PoC was posted to the web, but I can't find
> it anywhere.
>
> For those of you who watched the HP testemony on cspan.org, you may
> have noticed that ReadNotify was used in a prior DD posting. DD goes
> out to maybe 2500 people last time I checked...and I got under a
> hundred readnotify responses. This corresponds with my last use of web
> bugs against someone trying to blackmail one of my clients. It just
> didn't work. This was the one big tool in the FBI/NYPD's toolbox, and
> it's been broken during the fight against spammers. We had to do a
> statistical analysis of all the web page accesses to get close.
>
> Anyways, our congresscritters think that SPYWARE==WEB BUG. And it's
> not true. Someone needs to call them and explain it slowly.
>
> - -dave
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.2.1 (Cygwin)
>
> iD8DBQFFIpLEtehAhL0gheoRAiDNAJsGEs7d3I4yNNuBWzmehQ2Eb3kLDwCeNIqO
> QEM6Hw9878MM59bzFVpJUQs=
> =iwXJ
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> Dailydave mailing list
> Dailydave () lists immunitysec com
> http://lists.immunitysec.com/mailman/listinfo/dailydave
>  

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave