FireFox ChatZilla

 
Mary
SearchIRC Admin

Joined: 03 May 2003
Posts: 692

Posted: Mar 09, 2005 8:50am    Post subject: FireFox ChatZilla

Jason harassed me for months to toss out IE and try FireFox. When I did, I loved it. Quietly, Jason put a little blurb on the sidebar of our channel listings, telling people who use FireFox to download their new IRC plugin, ChatZilla. This morning I finally got around to taking it for a test drive...

I can't tell you how impressed I am.

Although experienced users won't be abandoning their favorite clients just yet, ChatZilla delivers what we had hoped we'd get with java clients. It interfaces with websites, incorporating javascript, html, and CSS. But here's the trick - it's FAST. It has commands and features we are accustomed to in our normal clients. The plugin is simple to install, no preconfiguration needed, VERY user friendly. After you install it, just click on the irc:// before the channel name in SearchIRC's listings, and the client pops up, connected to that channel. The people who are developing this know IRC and know what we want. Be still my heart!

This client is perfect for new and casual users, and any channel or network that needs an easy way for users to join their chats (isn't that everyone?)

The latest version is 0.9.67 at http://hacksrus.com/~ginda/chatzilla/
The ChatZilla FAQ can be found on: http://hacksrus.com/~ginda/chatzilla/faq/
ChatZilla help channel: irc://irc.mozilla.org/chatzilla

Try it, and let me know what you think!

v3|0c17y
Eleet

Joined: 28 Jan 2005
Posts: 650

Posted: Mar 09, 2005 9:59am

Firefox is a great browser, stable and fast. I have used it for quite a while and never really been disappointed with it, except for some sites that require IE, but Mozilla's software is growing and most people are seeing how Firefox is superior. IE has not updated for years except for its regular security patches here and there from Windows Update. Firefox, being mainly an open source software, has gained the love and trust of millions despite the fact of its recent bad review and update for fixing "17 vulnerabilities". Of course, with a bigger public using it there will be more risk of finding vulnerabilities, as hackers (let's call 'em crackers; real hackers have a bad name already, which isn't true, what most people think) try to stay in track and attack what has a bigger userbase.

Quote:
Paul has reported a vulnerability in Mozilla Firefox, which can be exploited by malicious people to conduct cross-site scripting attacks.

The vulnerability is caused due to missing URI handler validation when dragging an image with a "javascript:" URL to the address bar. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an arbitrary site by tricking a user into dragging an image to the address bar.

The vulnerability has been reported in version 1.0 and 1.0.1. Other versions may also be affected.

Solution:
Do not drag images to the address bar.

Provided and/or discovered by:
Paul (greyhats)

Quote:
Secunia Research has discovered a vulnerability in Mozilla and Mozilla Firefox, which can be exploited by malicious people to trick users into downloading malicious files.

The problem is that the browser uses the URL to determine the file type association in the "Save Link As" download dialog, but uses the filename from the "Content-Disposition" HTTP header when saving the downloaded file. This can be exploited by a malicious web site to spoof file types in the "Save Link As" download dialog.

Successful exploitation can lead to malware being saved to the download directory (default is the desktop on Mozilla Firefox).

NOTE: Exploitation requires that the option "Hide extension for known file types" is enabled in Windows (default setting).

The vulnerability has been confirmed in Mozilla 1.7.3 and Mozilla Firefox 1.0 for Windows. Other versions may also be affected.

Solution:
The vendor has issued updated versions.

Mozilla Firefox 1.0.1:
http://www.mozilla.org/products/firefox/

Mozilla 1.7.5:
http://www.mozilla.org/products/mozilla1.x/

Provided and/or discovered by:
Andreas Sandblad, Secunia Research.

Quote:
Several security vulnerabilities in Firefox and the Mozilla Suite of Internet software put users of the open-source products at risk of hacker attacks, the Mozilla Foundation is warning.

The organization released Firefox 1.0.1, which fixes 17 security flaws in the popular Web browser. The most serious flaws could allow an attacker to gain full control over a victim's PC, the Mozilla Foundation says in a statement. Firefox 1.0 was released in November and has since been downloaded more than 27 million times.

Firefox 1.0.1 also includes several fixes to guard against spoofing of Web addresses and the security indicator on Web sites. These vulnerabilities could be exploited for phishing scams, which typically use spam e-mail messages to drive people towards fraudulent Web pages that look like legitimate e-commerce sites.

One of the changes made in Firefox 1.0.1 is in the way the browser handles international domain names (IDNs). These names are now displayed differently to make it easier to spot spoofed Web sites. Because of the way Firefox displayed IDNs, it was possible to register domain names with international characters that resembled other common characters, thus tricking users into believing they were on a trusted Web site.

For protection against possible exploitation of the security flaws, users should download and install the latest version of Firefox, the Mozilla Foundation says. The organization does not offer patches to fix the problems without having to install a new browser.

Most of these flaws also affect the Mozilla Suite, which includes a Web browser, an e-mail client, Internet Relay Chat client, and Web page editor. However users of the suite are left vulnerable because no fixes are yet available. Mozilla 1.7.6, the update that fixes the issues, is due out in "a couple of weeks," according to a Mozilla Foundation spokesperson.

False Sense of Security?
The public warning of the security vulnerabilities is evidence that the Mozilla Foundation's products give a false sense of security, says Thor Larholm, a senior security researcher with PivX Solutions in Newport Beach, California.

"The only reason Mozilla and Firefox have a good track record in security with a low number of security vulnerabilities is simply because they don't tell anyone about them," Larholm says via e-mail.

"The Mozilla Foundation has fixed hundreds if not thousands of security vulnerabilities over the last few years without notifying the world and without providing security patches, instead they have simply just told their users to upgrade," he says. "We have to remember that all software has security vulnerabilities, the only difference is in how we anticipate them and inform the world about their existence."

Quote:
Details have been released about several vulnerabilities in Firefox, Mozilla and Thunderbird. These can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges and by malicious people to conduct spoofing attacks, disclose and manipulate sensitive information, and potentially compromise a user's system.

1) The vulnerability is caused due to the temporary plugin directory being created insecurely. This can be exploited via symlink attacks to delete arbitrary directories with the privileges of the user running Mozilla or Firefox.

2) The problem is that an inactive tab can launch an HTTP authentication prompt, which appears to be displayed by a website in another tab. This may be exploited to trick a user into entering some sensitive information (e.g. user credentials).

This is similar to:
SA12712

3) An error in the handling of shortcut files (.lnk) can be exploited to overwrite arbitrary files by tricking a user into downloading a shortcut file twice.

4) The problem is that an XML document can include XSLT stylesheets from arbitrary sites, which may be exploited to disclose some sensitive information.

5) An error in the form fill feature (autocomplete) allows reading suggested values before they are chosen. This can be exploited to disclose some potentially sensitive input by tricking a user into arrowing through some autocompleted values.

6) A memory handling error in Mozilla string classes may allow overwriting of memory if the browser runs out of memory during string growth. This can potentially be exploited to execute arbitrary code.

7) The problem is that the hostname can be obfuscated in the installation confirmation dialog by including an overly long username and password. This can be exploited to trick users into accepting installations from untrusted sources.

Successful exploitation requires that the malicious website is allowed to request installations.

8) It is possible to cause a heap overflow due to an error when converting malformed UTF8 character sequences to Unicode. This may be exploited to cause a heap overflow and execute arbitrary code, however, general web content is not converted using the vulnerable code.

9) Various errors make it possible to show the "secure site" lock icon with certificate information belonging to a different site.

Solution:
Firefox:
Update to version 1.0.1.
http://www.mozilla.org/products/firefox/

Mozilla:
The vulnerabilities have been fixed in the CVS repository and will be included in the upcoming 1.7.6 version.

Thunderbird:
The vulnerabilities have been fixed in the CVS repository and will be included in the upcoming 1.0.1 version.


Despite all this said about recent updates to Firefox, I have never encountered such problems.
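The second advisory quoted in the post above describes the "Save Link As" dialog taking the file type from the URL while the saved name comes from the "Content-Disposition" header. A check that a download-scanning proxy or a log review could apply to that mismatch follows, as an added example that is not part of the thread or of Mozilla's fix; the function names, the RISKY list and the sample responses are constructed for illustration.

```javascript
// Added example (not from the thread). Illustrative set of file types that
// execute when opened on Windows; extend to match local policy.
const RISKY = new Set(["exe", "scr", "com", "bat", "cmd", "pif", "hta", "vbs", "js", "lnk"]);

function safeDecode(s) {
  try { return decodeURIComponent(s); } catch { return s; }
}

// Lower-case extension of the last path component, "" if there is none.
function extensionOf(name) {
  const base = name.split(/[\\/]/).pop();
  const dot = base.lastIndexOf(".");
  return dot > 0 ? base.slice(dot + 1).toLowerCase() : "";
}

// Filename from a Content-Disposition value. The RFC 5987 form
// (filename*=UTF-8''...) wins over the plain form when both are present;
// the value is assumed to be UTF-8 percent-encoded.
function dispositionFilename(header) {
  if (!header) return null;
  const ext = /filename\*\s*=\s*[\w-]+'[^']*'([^;\s]+)/i.exec(header);
  if (ext) return safeDecode(ext[1]);
  const plain = /filename\s*=\s*(?:"((?:\\.|[^"\\])*)"|([^;\s]+))/i.exec(header);
  if (!plain) return null;
  return plain[1] !== undefined ? plain[1].replace(/\\(.)/g, "$1") : plain[2];
}

// Compare the type the URL suggests with the type of the name that would
// actually be written to disk.
function checkDownload(url, contentDisposition) {
  const urlExt = extensionOf(safeDecode(new URL(url).pathname));
  const saved = dispositionFilename(contentDisposition);
  const savedExt = saved === null ? urlExt : extensionOf(saved);
  return { urlExt, savedExt, mismatch: savedExt !== urlExt, risky: RISKY.has(savedExt) };
}

// Constructed sample responses (URL, Content-Disposition header).
const samples = [
  ["http://example.test/img/holiday.jpg", 'attachment; filename="holiday.hta"'],
  ["http://example.test/doc.pdf", "attachment; filename*=UTF-8''r%C3%A9sum%C3%A9.pdf"],
  ["http://example.test/readme.txt", "attachment; filename=setup.EXE"],
  ["http://example.test/notes.txt", null],
];
for (const [url, cd] of samples) {
  console.log(url, JSON.stringify(checkDownload(url, cd)));
}
```

A response is worth a closer look when `mismatch` and `risky` are both true: the URL presents one type while the header names an executable one.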

Ofloo
none

Joined: 16 Jan 2004
Posts: 24

Posted: Mar 10, 2005 4:54am

Don't mean to be a pain, but IE most of the SSL options I've checked, that Firefox doesn't. Firefox is a new outdated chat client, although I prefer to use Firefox 'cause I really like it very much. I must say that your assumptions on when a program updates are just crap; something that is being developed always updates more than something that is already developed.

Try to get an SSL session above 128kbit; I think you're not even able to with Firefox!!!

I forgot the exact numbers and tests I did; all I could conclude was that Firefox had still a long way to go!

But it's a client I would recommend to everyone, that is for sure.

braindigitalis
Idler

Joined: 22 Sep 2003
Posts: 443
Location: IRC

Posted: Mar 10, 2005 5:07am

Ofloo wrote:
Don't mean to be a pain, but IE most of the SSL options I've checked, that Firefox doesn't. Firefox is a new outdated chat client, although I prefer to use Firefox 'cause I really like it very much. I must say that your assumptions on when a program updates are just crap; something that is being developed always updates more than something that is already developed.

Try to get an SSL session above 128kbit; I think you're not even able to with Firefox!!!

I forgot the exact numbers and tests I did; all I could conclude was that Firefox had still a long way to go!

But it's a client I would recommend to everyone, that is for sure.


err?

they both use the same standard openssl libraries...

Jason
SearchIRC Developer

Joined: 03 May 2003
Posts: 1199
Location: Tampa, FL

Posted: Mar 10, 2005 6:36am

Ofloo wrote:
I must say that your assumptions on when a program updates are just crap; something that is being developed always updates more than something that is already developed.
Microsoft had no reason to update MSIE once they owned the web browser market.

v3|0c17y
Eleet

Joined: 28 Jan 2005
Posts: 650

Posted: Mar 10, 2005 5:04pm

This is just the same story as a few years ago, when Windows 95-98 were popular and there was a war between IE and Netscape. Truth is, whatever gets a bigger amount of users will get more and more vulnerabilities in time; as mentioned in my old post, "hackers" keep in track with what has a bigger audience.

ORenyRen
none

Joined: 28 Jun 2004
Posts: 38

Posted: Mar 18, 2005 3:08pm

I've been using FF and CZ for more than a year now and I haven't had any problems. It's a wonderful browser and a wonderful extension. The only time I don't use them is when I'm not home.
And as for the comment that says that the Mozilla Foundation doesn't tell anyone about the security flaws and therefore no one knows about them, MS does the opposite. They tell everyone about the flaw and then hackers know how to exploit it. Clearly that isn't a good model to follow :P

codemastr
Idler

Joined: 05 Feb 2004
Posts: 353

Posted: Mar 18, 2005 5:01pm

braindigitalis wrote:


err?

they both use the same standard openssl libraries...


No. Microsoft uses the MS CryptoAPI. And OpenSSL is far from a "standard" library!

braindigitalis
Idler

Joined: 22 Sep 2003
Posts: 443
Location: IRC

Posted: Mar 18, 2005 8:24pm

I believe openssl is much closer to Netscape's original standards documents than the cryptoAPI ever will be :)

codemastr
Idler

Joined: 05 Feb 2004
Posts: 353

Posted: Mar 18, 2005 11:14pm

braindigitalis wrote:
I believe openssl is much closer to Netscape's original standards documents than the cryptoAPI ever will be :)

Even if that were true, and even if that meant anything, it still would not make openssl a "standard" library. libc is a standard library. libstdc++ is a standard library. libopenssl is not.

braindigitalis
Idler

Joined: 22 Sep 2003
Posts: 443
Location: IRC

Posted: Mar 19, 2005 6:19am

codemastr wrote:
braindigitalis wrote:
I believe openssl is much closer to Netscape's original standards documents than the cryptoAPI ever will be :)

Even if that were true, and even if that meant anything, it still would not make openssl a "standard" library. libc is a standard library. libstdc++ is a standard library. libopenssl is not.


libopenssl is 'standard' in the fact that it adheres to Netscape's SSL standards as laid down by them when they defined the protocol.

This is what I meant by standard, sorry for any confusion, codemastr.

All times are GMT - 6 Hours