Daniel Veditz wrote:
Absolutely not true, there is a version of the ByteVerify Java attack that affects Sun's JRE 1.4.2_05 and older -- and Firefox users can be infected. If you have this older JRE then it's most definitely NOT harmless.

Dan, what do you refer to exactly?
I've seen some discussions like what you say in the "2005-02-14 - Summary of mozilla.org staff", but nowhere else.


Secunia refers to Trojan.ByteVerify only as the trojan that exploits the MS03-011 vulnerability of the Microsoft JVM, no reference .

Sun too describes this as a Microsoft-only vulnerability:
http://www.java.com/en/download/help/cache_virus.xml
" 1. Trojan.ByteVerify [...]
However, in this instance, storing these applets in the cache directory can not cause any harm to your computer because they are designed to exploit a vulnerability in the Microsoft VM, not the Sun JVM. "


I've been checking the list of corrections in that release, but still don't see what you could refer to:
http://java.sun.com/j2se/1.4.2/ReleaseNotes.html#142_06


There might be variants of the trojan incorporating the ByteVerify attack that also incorporate something else to attack the Sun JVM, but I stand by my word that the ByteVerify attack does not affect the Sun JVM.

Are you referring to the Sandbox Security Bypass Vulnerability?
http://secunia.com/advisories/13271/

Firefox has many site-specific settings already (images, popups, xpinstall whitelisting, cookie blocking), I wouldn't say this is against anyone's philosophy. There are a lot of people wanting to control plugins/applets per site, there are probably some extensions that can do it already (there's the flash-specific "FlashBlock", for example).

I referred not to per-site settings, but to a per-site security level.
There's a common comment that it's a good thing that FF only has one security zone, which removes the risk of privilege escalation attacks. When arguing with FF developers that *properly* used signing for extensions would be a better security measure than xpinstall whitelisting, I was told that xpinstall whitelisting is not intended to be a security measure, strictly speaking.
_______________________________________________
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security
