http://news.zdnet.com/2100-1009_22-6121608.html

Eenteresting.

I'm still sticking with FF, anyway.

that page crashed my firefox

do I have 24 hours?

foxhole lol

You mean those holes where 90% of the french army and a former dictator of Iraq use quite frequently?

Sucky.

I'm using IE 7. Firefox had to be put down and I hate opera.

Do you also mean 90% if the American, German, Canadian, British and Japanese used quite frequently...?

Anyway, it hasn't been shown that this exploit can do anything more than crash the browser yet. The guys who found it are being ******* and not releasing it to Mozilla (despite a $500 exploit reward program), preferring instead to sell it to blackhats for profit. They claim it's for the good of the internet.

I rarely say this...but those hackers need to get laid. Seriously.

As the site said quite ambiguously:


To clarify, it's a scripting language that has no necessary usage for you on most sites that you'll ever visit, and much like Flash, it is used by "10-year-old" web scrubs (opposed to "masters" or "designers") to plague your browser with annoyances such as pop-ups, advertisements, and apparently "foxholes".

This contradicts and outweighs the positive things (yes, I am not completely against javascript, it has its uses) such as image rollovers, and form-checking. The latter which has to be done by the server sided script for security reasons anyway in order to prevent yet more malicious BS such as SQL injection, but can immediately alert the user that he put something stupid in the text field and that he is wrong without unnecessary strain on the server through having to send another entire page just to say "The character '.' is not allowed".

Unfortunately, unlike Firefox'es options for 'cookies', one can not set up a white-list, (a list in which rather than specifically banning 99.9% of the Internet, instead only allows sites that you specify to have the privileges to write such potentially malicious files), for Javascript, Firefox either allows you to have it on, or off, and gives you minimum control of what's "in between".

Fortunately, however, there is software which can 'disappear' javascripts from sites which are not specifically in a user defined white-list. Agnitum Outpost's main purpose is the firewall, and an excellent firewall it is, but comes shipped with an "active content" plugin as default which allows you to turn off the BS at the main is one such piece of software, however it's not free. Some Googling might wield some freeware results, though, if not, it looks like the best bet is just to uncheck 'enable javascript' when you're not on any sites that you trust which explicitly requires it in order to function (such as some features on this forum).

"Blackhat" and "for the good of the Internet" used in conjunction make for an interesting oxymoron as "blackhat" is just another term for "malicious programmer", or since in this case, it involves a scripting language, "malicious script kiddie". I can't imagine too many babies being saved by "blackhats", but I'm sure some important (or not so much important as personal) files somewhere will be deleted/exploited, and/or some credit cards will be stolen. In most cases¹, that is not a good thing.

Anyway, not to start a browser war or anything, don't use IE7. It's the small bus of browsers, a few cookies short of a session, a few screws loose of a soon to be screwed system. I wrote a killer review with a screenshot of IE7 in action that is so devastating that you would think that Firefox'es "hole" is more of a superficial scrape, but I won't post the link because discussion about IE7 is a waste of bandwidth at most forums, unless it's a complete review written solely by me, or the forum is a complete waste of bandwidth in itself. IE is much like Konqueror on KDE for Linux (okay, so Konqueror is MUCH better), it comes with the OS, but it's just there as a novelty item with no practical use, kind of like Notepad vs Word, one is quick and dirty and gets around, but if you desire power, dependability, and professionalism, you'll have to get it in a separate package. Not to start a browser war, or anything (I've done dropped the a-bomb, anyway).

¹ Bwa ha ha HA HA HA HA HMUA HA HA AH! HA! HA! HA!

What do you have to say now, oh GBK?

You lost at this sentence. Why the hell would anyone use javascript for image rollovers? The purpose of javascript is to enhance website behaviour, it should never be required for the site to work, but there's nothing wrong with using it to make the experience better.

I don't get what the issue is, as far as I know, Javascript is the only way to get an image to change when the mouse is hovering over it, opposed to something "heavy" like Flash, which is certain to break if someone has it disabled/not installed. Then again, maybe it can be done in CSS, and I am not thinking clearly, which in that case, Javascript should not be used for image rollovers.

Still, something like a roll-over isn't terribly important, and you're absolutely right that any good javascript should break down properly in the even that the browser doesn't support it, eg. it's turned off.

Javascript has it's legitimate uses, but it's a peeve of mine when I see it used as a crutch for an otherwise poorly designed site.

hehe... FoxHole

Image rollovers are actually quite important for accessibility purposes, and they should be done using CSS.

GOOD CSS, that works in all browsers, as not to rely on things that make a navigation menu inaccessable in other browsers.

I've never got CSS rollovers to work correctly on most elements and in all browsers. JS has to stay i'm afraid.

you do it on the anchor element... you know the one that actually has hover support in IE<7

Detty speaks truth.

There's actually a few other ways, but they don't work in Mac IE, and are sort of broken in *unix browsers. Sadly, they're kind of popular methods.

nobody cares about Mac IE, it's officially dead.

http://developer.mozilla.org/devnews/index.php/2006/10/02/update-possible-vulnerability-reported-at-toorcon/

Possibly a bunch of crap. Just lettin ya'll know if you didn't see the link.

The work with CSS here: http://www.outlaw5.frih.net/index.php

I guess? Or am I missing something?

Also, thanks for the link Mr. Matty.

Those rollovers aren't done very well. All the states of all the links should be in the same image file, you just adjust the background-position rules. By using just one image the rollover state is loaded at the same time as the normal state so there's no delay whilst you wait for the hover state to load on the first rollover.

Here's an example of a navigation matrix that i'm no longer using. Each menu item has 4 different states, for: normal link, current section, normal + hover, current + hover.

Does anyone else find it mildly ironic that the head of Mozilla security is named Window?

Oh noes! Browsers have holes!

ALERT THE MEDIA! THIS CANNOT GO UNNOTICED!

Yeah, if you didn't notice, that was sarcasm.

I'm still going to use firefox, because I expect this exploit to be patched in short order.


IE is still much worse-- Microsoft only hurries to patch something if an exploit allows DRM to be broken.

There's reports that the latest "flaw" was a hoax to begin with.

1) Crashing the browser != system hyjack
2) If there is anything to the "threat", the Mozilla guys will fix it ASAP....unlike Microsoft.

Guess what, she originally worked for Microsoft!

I call gbk the winner of this thread!

The original claim was that it allowed execution of malicious code via stack overflow, which can possibly allow for a system hijack.

It's all irrelevant, because it was just a joke.

Semi related, I remember that I read a comment by this one guy who was all like "LOL FIREFOX HAS BUGS, IE IS BETTER". So I was like "LOL IE HAS BUGS, FIREFOX IS BETTER", and my statement was more true even when I just switched words around. Sadly he never replied back.