Security

  • Is Firefox JavaScript flawed ?

    18 answers - 257 bytes

    Can anyone give me the low down on the (questionable) FireFox JavaScript vulnerabilities ?
    Many thanks in advance,
    Aaron
    Full-Disclosure - We believe in it.
    Charter:
    Hosted and sponsored by Secunia - http://secunia.com/
  • No.1 | | 505 bytes | |

    Tue, 10 2006, Aaron Gray wrote:

    Can anyone give me the low down on the (questionable) FireFox JavaScript
    vulnerabilities ?

    they're very real, and in the interests of anti-disclosure, i'm not going
    to say more than that. if you would've been there, you would've known.

    STP DISCLSING.

    - 'cube [DTM/uH/wouldntyouliketoknow?]

  • No.2 | | 310 bytes | |

    Tue, 10 2006, Pink Hat wrote:

    FUD.

    isn't that the sound of boxes being compromised everywhere?

    i thought so.

    - 'cube [DTM/uH/wouldntyouliketoknow?]

  • No.3 | | 697 bytes | |

    FUD.

    10/10/06, darkcube <darkcube (AT) datavibe (DOT) net> wrote:

    Tue, 10 2006, Aaron Gray wrote:

    Can anyone give me the low down on the (questionable) FireFox JavaScript
    vulnerabilities ?

    they're very real, and in the interests of anti-disclosure, i'm not going
    to say more than that. if you would've been there, you would've known.

    STP DISCLSING.

    - 'cube [DTM/uH/wouldntyouliketoknow?]

  • No.4 | | 688 bytes | |

    Tue, 10 2006, Pink Hat wrote:

    Prove it or its FUD. You and your crackhead friend already ****ed it
    up at Toorcon so now you are trying here.

    i think you have me confused with someone else -- most likely my two
    crackhead friends that i got ****ed up with *at* toorcon. i wasn't on
    stage, but i definitely was in a few of the slides.

    i'm a bit unfamiliar with this 'FUD' term you keep throwing around. sounds
    like one of those awesome furry terms, or something.

    - 'cube [DTM/uH/wouldntyouliketoknow?]

  • No.5 | | 611 bytes | |

    Prove it or its FUD. You and your crackhead friend already ****ed it
    up at Toorcon so now you are trying here.

    10/10/06, darkcube <darkcube (AT) datavibe (DOT) net> wrote:

    Tue, 10 2006, Pink Hat wrote:

    FUD.

    isn't that the sound of boxes being compromised everywhere?

    i thought so.

    - 'cube [DTM/uH/wouldntyouliketoknow?]

  • No.6 | | 431 bytes | |

    Tue, 10 2006, Pink Hat wrote:

    Who let you off of IRC? Shouldn't you be chasing AEmpire around
    offering to suck his **** for meth?

    seeing that pink's a whitened shade of red, wouldn't a pinkhat be a
    whitehat using redhat?

    - 'cube [DTM/uH/wouldntyouliketoknow?]

  • No.7 | | 851 bytes | |

    Tue, 10 2006, Brad Causey wrote:

    At this point the accusations made at toorcon have no validity to them. They

    says you.

    i'm staring at an IDA window that says otherwise.

    Firefox. However, I think this a good shock to the community. Just because
    something is open source and holds the number two slot for the browser
    marketshare, doesn't make it bulletproff. People have a bad habbit of
    assuming that because it's not Microsoft that it is super secure.

    that's such an awesome opinion to be so profoundly formulated and cast
    about like any real infosec warrior would!

    (btw, fix your ****ing spellcheck.)

    - 'cube [DTM/uH/wouldntyouliketoknow?]

  • No.8 | | 747 bytes | |

    Tue, 10 2006, Brad Causey wrote:

    Good for you, follow the proper disclosure procedures. You can't expect for
    me (or anyone else) to just take your word for it. When I say validity, I
    mean that these vulnerabilities haven't been verified by a reliable
    authority.

    **** the proper disclosure procedures. that's how bugs get patched, and
    that's how halfwit infosec professionals retain unjustifiable jobs with
    unjustifiable pay.

    keep it 0day, as long as you can. secret blackhat handshakes, both IRL and
    on the wire.

    - 'cube [DTM/uH/wouldntyouliketoknow?]

  • No.9 | | 1415 bytes | |

    10/10/06, darkcube <darkcube (AT) datavibe (DOT) net> wrote:
    --
    Tue, 10 2006, Brad Causey wrote:

    At this point the accusations made at toorcon have no validity to them.
    They

    says you.

    i'm staring at an IDA window that says otherwise.

    Good for you, follow the proper disclosure procedures. You can't expect for
    me (or anyone else) to just take your word for it. When I say validity, I
    mean that these vulnerabilities haven't been verified by a reliable
    authority.

    Firefox. However, I think this a good shock to the community. Just because
    something is open source and holds the number two slot for the browser
    marketshare, doesn't make it bulletproff. People have a bad habbit of
    assuming that because it's not Microsoft that it is super secure.

    that's such an awesome opinion to be so profoundly formulated and cast
    about like any real infosec warrior would!

    Thanks?

    (btw, fix your ****ing spellcheck.)

    I didn't realize I had misspelled anything in the previous post. If I did,
    then I apologize.

    - 'cube [DTM/uH/wouldntyouliketoknow?]

  • No.10 | | 1588 bytes | |

    All,

    At this point the accusations made at toorcon have no validity to them. They
    were made as "joke" by two individuals that seemed to have a need for
    publicity. This is not to say that Firefox is better or worse than IE. I'm
    sure that both have their fair share of vulnerabilities. But factually, no
    excessive amount of Java vulnerabilities have been validated in Mozilla
    Firefox. However, I think this a good shock to the community. Just because
    something is open source and holds the number two slot for the browser
    marketshare, doesn't make it bulletproff. People have a bad habbit of
    assuming that because it's not Microsoft that it is super secure.
    -Brad

    10/10/06, darkcube <darkcube (AT) datavibe (DOT) net> wrote:
    --
    Tue, 10 2006, Pink Hat wrote:

    Prove it or its FUD. You and your crackhead friend already ****ed it
    up at Toorcon so now you are trying here.

    i think you have me confused with someone else -- most likely my two
    crackhead friends that i got ****ed up with *at* toorcon. i wasn't on
    stage, but i definitely was in a few of the slides.

    i'm a bit unfamiliar with this 'FUD' term you keep throwing around. sounds
    like one of those awesome furry terms, or something.

    - 'cube [DTM/uH/wouldntyouliketoknow?]

  • No.11 | | 1233 bytes | |

    Hi
    This is not a portal to show obscene stuff. Don't take
    it wrong but this is not the right way.
    Pink Hat wrote:
    Prove it or its FUD. You and your crackhead friend already ****ed it
    up at Toorcon so now you are trying here.

    10/10/06, darkcube <darkcube (AT) datavibe (DOT) net> wrote:

    Tue, 10 2006, Pink Hat wrote:

    FUD.

    isn't that the sound of boxes being compromised everywhere?

    i thought so.

    - 'cube [DTM/uH/wouldntyouliketoknow?]
  • No.12 | | 1062 bytes | |

    FUD= Fear, Uncertainty and Doubt.

    A marketing trick to scare people into buying your
    product/idea/service. Typically vague statements not based on any
    known form of reality.

    10/10/06, darkcube <darkcube (AT) datavibe (DOT) net> wrote:

    Tue, 10 2006, Pink Hat wrote:

    Prove it or its FUD. You and your crackhead friend already ****ed it
    up at Toorcon so now you are trying here.

    i think you have me confused with someone else -- most likely my two
    crackhead friends that i got ****ed up with *at* toorcon. i wasn't on
    stage, but i definitely was in a few of the slides.

    i'm a bit unfamiliar with this 'FUD' term you keep throwing around. sounds
    like one of those awesome furry terms, or something.

    - 'cube [DTM/uH/wouldntyouliketoknow?]

  • No.13 | | 471 bytes | |

    10/10/06, Philosophil <flosofl (AT) gmail (DOT) com> wrote:
    FUD= Fear, Uncertainty and Doubt.

    A marketing trick to scare people into buying your
    product/idea/service. Typically vague statements not based on any
    known form of reality.

    its not just a marketing trick to sell products but also a
    trick to sell false skill.

  • No.14 | | 731 bytes | |

    Tue, 10 2006, Pink Hat wrote:

    its not just a marketing trick to sell products but also a
    trick to sell false skill.

    it doesn't take much skill to be a security professional nowadays, or to
    find most vulnerabilities, or to disclose them, or even to patch them.

    the skill lies in avoiding detection while actively exploiting these
    vulnerabilities for fun and profit. if one can do so while
    actively maintaining the facade of a 'security professional' and holding
    down a serious paycheck, more power to him.

    - 'cube [DTM/uH/wouldntyouliketoknow?]

  • No.15 | | 941 bytes | |

    10/10/06, darkcube <darkcube (AT) datavibe (DOT) net> wrote:

    it doesn't take much skill to be a security professional nowadays, or to
    find most vulnerabilities, or to disclose them, or even to patch them.

    You are only partially right there. But I'll give it to you.

    the skill lies in avoiding detection while actively exploiting these
    vulnerabilities for fun and profit. if one can do so while
    actively maintaining the facade of a 'security professional' and holding
    down a serious paycheck, more power to him.

    Agreed, but use your so called zero day against the wrong target and
    you will get caught. Unfortunately, the majority of so called
    professionals, wouldn't detect a 10 inch black cock in their ass let
    alone detect an unknown attack.

  • No.16 | | 686 bytes | |

    Tue, 10 2006, Pink Hat wrote:

    Agreed, but use your so called zero day against the wrong target and
    you will get caught. Unfortunately, the majority of so called
    professionals, wouldn't detect a 10 inch black cock in their ass let
    alone detect an unknown attack.

    real blackhats rarely get caught, and you're on point about the majority
    of security professionals -- you hear of them gallivanting about with
    combined yards of angry southern purple radiator hose all the time

    - 'cube [DTM/uH/wouldntyouliketoknow?]

  • No.17 | | 312 bytes | |

    10/10/06, darkcube <darkcube (AT) datavibe (DOT) net> wrote:

    real blackhats rarely get caught,

    and smart ones get jobs as whitehats and make some dollars playing both sides.

  • No.18 | | 1176 bytes | |

    FUD = Fear Uncertainty Doubt.

    In other words you are no better than the FUD spreading security
    vendors that care more about their stockholders than they do actual
    security.

    Who let you off of IRC? Shouldn't you be chasing AEmpire around
    offering to suck his **** for meth?

    10/10/06, darkcube <darkcube (AT) datavibe (DOT) net> wrote:

    Tue, 10 2006, Pink Hat wrote:

    Prove it or its FUD. You and your crackhead friend already ****ed it
    up at Toorcon so now you are trying here.

    i think you have me confused with someone else -- most likely my two
    crackhead friends that i got ****ed up with *at* toorcon. i wasn't on
    stage, but i definitely was in a few of the slides.

    i'm a bit unfamiliar with this 'FUD' term you keep throwing around. sounds
    like one of those awesome furry terms, or something.

    - 'cube [DTM/uH/wouldntyouliketoknow?]

