On Tue, 2005-02-15 at 22:41, jdow wrote:
> From: "jdow" <jdow@xxxxxxxxxxxxx>
> > From: "Jeff Vian" <jvian10@xxxxxxxxxxx>
> >
> > > On Tue, 2005-02-15 at 17:13 -0800, jdow wrote:
> > > > From: "David Curry" <dsccable@xxxxxxxxxxx>
> > > >
> > > > > jdow wrote:
> > > > >
> > > > > >Of course you do know of the recent exploits found for Mozilla, aren't
> > > > > >you, Brian? What's this "No antivirus needed" I hear about for Linux?
> > > > > >
> > > > > >{^_-} The quibbler.
> > > > > >
> > > > >
> > > > > "Recent exploits found for Mozilla" is news here. Care to elaborate or
> > > > > point me in the right direction?
> > > >
> > > > Ran across it in the Dartmouth IRIA news summaries yesterday. It's
> > > > scrolled off. It appears to affect the core of Mozilla so it affects
> > > > FireFox as well. It should appear in the CERT advisories.
> > > >
> > > > It appears Mozilla is getting more attention from crackers now that
> > > > it is starting to command a noticeable market share. It's a matter of
> > > > time before more serious items appear. Of course, without things like
> > > > ActiveX it's a little harder to mash a Linux machine than a Windows
> > > > machine.
> > > >
> > > > {^_^}
>
> They had another reference today - it was a spyware application. If a
> spyware can be tossed onto the machine then a rootkit can, also.
>
> http://news.com.com/Spyware+takes+aim+at+Mozilla+browsers/2100-7349_3-5569635.html
>
> {^_^}

The recent exploit I read about was used more in phishing scams. They
used the internationalization features to display certificates and
prompts that looked like they came from legit sources so the users would
click on them.

The article above did not go into much detail but sounds like it is a
combination of the exploit which gets the users to click on accepting a
download of a program.

Why don't they just disable the whole function of downloading plugins
via the browser? It would be more secure to make the user go an extra
step or two in order to get to the point that code executes on the
system if they had to exit out to a different application. At least
that way the user would know that something was going on instead of just
clicking away blindly at the browser.

-- 
Scot L. Harris
webid@xxxxxxxxxx

Yesterday upon the stair
I met a man who wasn't there.
He wasn't there again today --
I think he's from the CIA.