1.0.4 is the proof I needed to escalate this again. IE made this mistake earlier on and I didn't want to go to the burden to write a proof of concept and that's why I posted my original not only in the Java but also in the security newsgroup. I've kept quiet until the patch got distributed, but http://secunia.com/advisories/15292 was exactly what I was thinking of when writing my original post.

We definitely want to avoid articles like these: http://www.theregister.co.uk/2005/05/13/firefox_loses_shine/

So again: per-site Java plug-ins/applets control would make Firefox more secure... If no one (developer I mean) is working on this: where do I sign up?

Yours Sincerely,
Fabrizio Marana

"Jean-Marc Desperrier" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
> Daniel Veditz wrote:
> > Absolutely not true, there is a version of the ByteVerify Java attack
> > that affects Sun's JRE 1.4.2_05 and older -- and Firefox users can be
> > infected. If you have this older JRE then it's most definitely NOT
> > harmless.
>
> Dan, what do you refer to exactly?
> I've seen some discussions like what you say in the "2005-02-14 -
> Summary of mozilla.org staff", but nowhere else.
>
> Secunia refers to Trojan.ByteVerify only as the trojan that exploits the
> MS03-011 vulnerability of the Microsoft JVM, no reference.
>
> SUN too describes this as a Microsoft-only vulnerability:
> http://www.java.com/en/download/help/cache_virus.xml
> " 1. Trojan.ByteVerify [...]
> However, in this instance, storing these applets in the cache directory
> can not cause any harm to your computer because they are designed to
> exploit a vulnerability in the Microsoft VM, not the Sun JVM. "
>
> I've been checking the list of corrections in that release, but still
> don't see what you could refer to:
> http://java.sun.com/j2se/1.4.2/ReleaseNotes.html#142_06
>
> There might be variants of trojan incorporating the ByteVerify attack,
> that also incorporate something else to attack the SUN JVM, but I stand
> by my word that the ByteVerify attack does not affect the SUN JVM.
>
> Are you referring to the Sandbox Security Bypass Vulnerability ???:
> http://secunia.com/advisories/13271/
>
> > Firefox has many site-specific settings already (images, popups,
> > xpinstall whitelisting, cookie blocking), I wouldn't say this is against
> > anyone's philosophy. There are a lot of people wanting to control
> > plugins/applets per site, there are probably some extensions that can do
> > it already (there's the flash-specific "FlashBlock", for example).
>
> I referred not to per-site settings, but to per-site security level.
> There's a common comment that it's a good thing that FF only has one
> security zone, which removes the risk of privilege escalation attacks.
> When arguing with FF developers that *properly* used signing for
> extensions would be better as a better security measure than xpinstall
> whitelisting, I was told that xpinstall whitelisting is not intended
> to be a security measure strictly speaking.

_______________________________________________
Mozilla-security mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-security
