tag:blogger.com,1999:blog-13756280.post5382121673359589421..comments2024-02-08T03:44:23.780-08:00Comments on Jeremiah Grossman: Hooray! Firefox 3 fixes some JavaScript MalwareJeremiah Grossmanhttp://www.blogger.com/profile/05017778127841311186noreply@blogger.comBlogger7125tag:blogger.com,1999:blog-13756280.post-16586325714001924432008-03-03T05:57:00.000-08:002008-03-03T05:57:00.000-08:00Nice but we'll have to face what kind of new vulne...Nice but we'll have to face what kind of new vulnerabilities will be introduced in FF 3.x. Battle never finishes.Anonymousnoreply@blogger.comtag:blogger.com,1999:blog-13756280.post-1576775512465174052008-02-28T11:32:00.000-08:002008-02-28T11:32:00.000-08:00Phishing filter bypass trick also doesn't work in ...Phishing filter bypass trick also doesn't work in FF3:<BR/><BR/><A HREF="http://www.mozilla.com/firefox//its-a-trap.html" REL="nofollow">Busted in FF3</A>Anonymousnoreply@blogger.comtag:blogger.com,1999:blog-13756280.post-5304572096105694182008-02-27T07:44:00.000-08:002008-02-27T07:44:00.000-08:00@Anton Rager, thanks for the tip, I'll have to tak...@Anton Rager, thanks for the tip, I'll have to take a look into that. Didn't even notice if that type of protection was introduced. Sounds really good to me.Jeremiah Grossmanhttps://www.blogger.com/profile/05017778127841311186noreply@blogger.comtag:blogger.com,1999:blog-13756280.post-10176979310971490542008-02-26T08:32:00.000-08:002008-02-26T08:32:00.000-08:00Another enhancement (it's in bugzilla, but not sur...Another enhancement (it's in bugzilla, but not sure it's documented elsewhere) is FF3 now has document.domain restrictions on file:// URLs to prevent file:// from having access to entire system/shares (I think it limits effective document.domain to current directory). <BR/><BR/>This prevents the excessive file:// based trust that allowed Windows based file:// XSS hijacks to do full drive browsing, access other drives on system as well as SMB share invocation with UNC (file://///hostname/share, file://///ip.ip.ip.ip/share or admin shares).<BR/><BR/>I seem to recall they didn't do this with XSS hijack control in mind (ala my Sage + XSS-Proxy stuff), but it prevents that as well.<BR/><BR/>AntonAnonymousnoreply@blogger.comtag:blogger.com,1999:blog-13756280.post-3299675031635909232008-02-24T09:10:00.000-08:002008-02-24T09:10:00.000-08:00@Wladimir, ahh nice. Those are worthwhile fixes. A...@Wladimir, ahh nice. Those are worthwhile fixes. And here I thought they weren't paying any attention to this stuff. Kudos to them!<BR/><BR/>@Yousif, yep. I guess now many of th webapp hackers will have to step up their game. It'll be getting harder now that the problem is being noticed.Jeremiah Grossmanhttps://www.blogger.com/profile/05017778127841311186noreply@blogger.comtag:blogger.com,1999:blog-13756280.post-1567096252017740782008-02-23T22:20:00.000-08:002008-02-23T22:20:00.000-08:00Wow, nice find. Firefox has changed in terms of it...Wow, nice find. Firefox has changed in terms of it's superior "Security". Haha, I bet Ronald will get a kick out of this release! Nice post Jeremiah, but they have a long way to go until Firefox becomes more stable in relation to web security.Yousif Yaldahttps://www.blogger.com/profile/17130171565447829176noreply@blogger.comtag:blogger.com,1999:blog-13756280.post-23351397502170821992008-02-23T12:19:00.000-08:002008-02-23T12:19:00.000-08:00There is another small security improvement: the s...There is another small security improvement: the single quotation marks are now escaped in URLs in the same way it already happened for double quotation marks. This should stop quite a few XSS vectors.<BR/><BR/>And you can no longer set document.domain to a TLD like "com" or "co.uk" - quite a bunch of popular web sites were careless with document.domain and took a value for it from the URL.Anonymousnoreply@blogger.com