Netscape/Mozilla flaw exposes hard drives

[Zombie9920]

An Israeli software firm has discovered a flaw in Netscape and Mozilla software that allows code hidden in a Web page to read files from the user's PC. The bug is a more serious variant of one patched in Microsoft's Internet Explorer in February.

GreyMagic Software reported that the problem affects XMLHttpRequest, which allows Web pages in the browser to send and receive XML data via HTTP, the standard Web transfer protocol. XML is an Internet language for describing just about any sort of data.


Full story here. http://zdnet.com.com/2100-1104-896099.html

Mozilla is just so great let me tell you. ;P

[ May 01, 2002: Message edited by: Zombie9920 ]

[psyjax]

Thank god I don't use an insecure OS like windoze!!! That gives permision to any program to access files so easely.

Windoze is SO great let me tell you ;P

[Zombie9920]

quote:Originally posted by psyjax:
Thank god I don't use an insecure OS like windoze!!! That gives permision to any program to access files so easely.

Windoze is SO great let me tell you ;P

It isn't so much that Windows is unsecure. It is more like the Mac users to Windows users is like 1 to 100 so people don't take thier time to exploit Mac flaws.

[psyjax]

quote:Originally posted by Zombie9920:


It isn't so much that Windows is unsecure. It is more like the Mac users to Windows users is like 1 to 100 so people don't take thier time to exploit Mac flaws.

Find the flaws in FreeBSD

[gnomez]

See, Zombie won't answer that because he knows FreeBSD is far, far more secure than his Windoze XP he keeps screaming about.

[Zombie9920]

quote:Originally posted by psyjax:


Find the flaws in FreeBSD

A few FreeBSD flaws.

http://www.linuxmax.net/news/00640.html

http://www.sans.org/topten.htm (there are suggested solutions to the flaws mentioned on this page..keep in mind that BSD is a Unix system)

http://online.securityfocus.com/archive/1/72698

http://docs.freebsd.org/cgi/getmsg.cgi?fetch=209141+0+archive/1998/freebsd-security/19981115.freebsd-security" target="_blank">http://docs.freebsd.org/cgi/getmsg.cgi?fetch=209141+0+archive/
1998/freebsd-security/19981115.freebsd-security (This one is about NetBSD...but is BSD nonetheless)

All OSes have flaws...learn it and live it buddy.

<edited purely to make it fit horizontally on the page - Calum>

[ May 02, 2002: Message edited by: Calum ]

[Calum]

as for your first link:  

quote:The squid port is not installed by default, nor is it "part of FreeBSD" as such: it is part of the FreeBSD ports collection, which contains thousands of third- party applications in a ready-to-install format.

so the flaw is in third party software. You seem to make a habit of arguing about an operating system based on the third party software available for it. why not stop doing that since it's pointless and useless?

re: your second link, the only mention of BSD i could find on the page was a link to this page which is a guide to how to configure your BSD so it's as secure as possible. Hardly a flaw. Keeping in mind that BSD is a UNIX system is irrelevant here, since the page you linked to seems to claim at least as many windows security risks as any other system.

regarding your 3rd link,  

quote:The CVS code was not even designed to be a
secure subsystem, let alone audited to ensure that it is one.

this is a post from a guy saying CVS is not secure, and someody else saying it was never meant to be, but incidentally it can be made fairly secure even though that is not its job. Again, hardly a BSD flaw, is it?

Your last link need only be clicked and read to find out just how unconnected with BSD flaws it really is.
It's a thread entitled "Would This Make BSD More Secure?". Hardly a flaw that people are always trying to make it more secure is it? unlike Windows NT. If they had a similar bulleting board, it would be full of threads with names like "How Can We Fleece The Punters Out Of Even More Dough Without Actually Putting In Any Real Effort?"

This was a pretty poor effort, even for you.
Lastly, here's a link which i think is relevant here:

www.zombie9920.com/myresume/

[ May 02, 2002: Message edited by: Calum ]

[psyjax]

Granted, this is an old story, but the magnitude of this security hole is not to be underestimated:

http://www.pcworld.com/news/article/0,aid,93803,00.asp

Though it has been patched. The fact that M$ let such a thing slip thrugh it's fingers is inexcusable IMHO. Casts doubt on their products as a whole.

Furthermore, this hole has nothing to do with 3rd party software or improper configurations on behalf of the user.

But M$'s own software that is constantly thrust upon it's users proves to be security risks within themselves. Take for instance the legacy of Lookout Express. Aparantly the years of viruses and system holes has done little to remedy it's vulnrability:

http://www.infoworld.com/articles/hn/xml/02/04/02/020402hnxpflaws.xml

Ultimately however, the question of flaws in security, despite which OS is more secure. Is made void by the fact that you have to relly on M$ for a security patch if something is found. Hell, they may even make you pay for that patch, and it may take weeks for it to be released.

With BSD, and even OSX considering that the kernel is open source, you could allways patch the hole yourself. Get the word out in to the comunity and have the hole patched in record time if you don't have the resources. Plus, it will be free and good, because everyone is benifiting from it.

EDIT: Incidently. The bug has been squashed in the latest NIGHTLY Mozilla Build.

[ May 02, 2002: Message edited by: psyjax ]

[voidmain]

As opposed to M$'s tiny list of security holes:
http://www.trustworthycomputing.com/

[Ctrl Alt Del 123]

The original topic was that Mozilla and Nutscrape having a huge hole. No software is perfect and flawless. IE may be flawed, but so is Nutscrape and Mozilla.

[voidmain]

You can't be serious if you think Netscape/Mozilla has problems anywhere near IE. Maybe you should go do a little more research.

[Kintaro]

Hmmm and the bug is fixed moron... read it next time:
 

quote:
The bug is found in versions of Mozilla from 0.9.7 to 0.9.9 on various operating system platforms

and
 

quote:
The flaw doesn't affect Mozilla 1.0 release candidate 1

ZOMBIE FOR THE LAST TIME WE DONT NEED YOUR GAY PRO MICROSOFT OPINION HERE, THEY AND THERE PRODUCTS SUCK

[Zombie9920]

quote:The flaw doesn't affect Mozilla 1.0 release candidate 1 because XMLHttpRequest appears to be broken in that release

The line you pointed out in your post doesn't mean it is fixed you fucking reject. The reason it doesn't affect Mozilla RC-1 is because XMLHttpRequest is broken meaning it doesn't work properly(You conveniantly left out the broken part in the line you pointed out..didn't you). Surely when Mozilla 1.0 final is released it wont have known broken features will it? If it has working XMLHttpRequest then the bug will live again in 1.0 Final.

Don't go around and try to call broken browser features a fix. LmFaO.

LmFaO, even the beta versions of IE6 didn't have broken features. Apparently Mozilla sucks for offering downloads of thier browsers which have stuff that don't work in them. I wonder what else is broken in Mozilla other than XMLHttpRequest? HaHaHa.

[ May 03, 2002: Message edited by: Zombie9920 ]

[psyjax]

X11 was wrong. But if you check the mozilla home page, and look under known bugs. It sites that that particular bug has ben fixed and to download the nightly build. The nightly build, I'm assuming, has the XML enabled.

And no, the final will not have XML broken.

So yes, the bug has been fixed, like I said above. In the latest nightly build.

EDIT:

In case you don't belive me Zombie7487654484, here is the link:

http://bugzilla.mozilla.org/show_bug.cgi?id=141061

This bug was found in late April, it has been fixed. Pretty quick compared to certain closed source web browsers  

[ May 03, 2002: Message edited by: psyjax ]

[Zombie9920]

quote:Originally posted by psyjax:
X11 was wrong. But if you check the mozilla home page, and look under known bugs. It sites that that particular bug has ben fixed and to download the nightly build. The nightly build, I'm assuming, has the XML enabled.

And no, the final will not have XML broken.

So yes, the bug has been fixed, like I said above. In the latest nightly build.

EDIT:

In case you don't belive me Zombie7487654484, here is the link:

http://bugzilla.mozilla.org/show_bug.cgi?id=141061

This bug was found in late April, it has been fixed. Pretty quick compared to certain closed source web browsers    

[ May 03, 2002: Message edited by: psyjax ]

And now I believe that the bug is fixed. Thank you psyjax for telling how it is with credible proof(something that most of the members of this site including X11 doesn't do). ;P