http://developer.mozilla.org/devnews/index.php/2006/10/02/update-possible-vulnerability-reported-at-toorcon
On Tue, 3 Oct 2006, Dave Aitel wrote:
Didn't you post on your weblog some stuff about Chrome: being
buggy? It's completely believable to have a chrome: context issue
in Firefox. I recall you said something about iterators, but I
don't have a Mozilla developer account so I can't look at the diff.
Are the slides/full PoC available publicly? -dave
Thor Larholm wrote:
Their PoC, both the one in their slides and the full PoC, is
nothing more than an out-of-memory crash, of which Firefox
already has plenty. They were still struggling to write a working
exploit days after the presentation, even though they claimed to
have just that during the presentation.
Long story short, the bug is just a bug - not a vulnerability.
Regards Thor Larholm
Dave Aitel wrote:
For those of you under a rock, there's a new firefox bug:
http://developer.mozilla.org/devnews/
I read somewhere that the PoC was posted to the web, but I can't
find it anywhere.
For those of you who watched the HP testemony on cspan.org, you
may have noticed that ReadNotify was used in a prior DD posting.
DD goes out to maybe 2500 people last time I checked...and I got
under a hundred readnotify responses. This corresponds with my
last use of web bugs against someone trying to blackmail one of
my clients. It just didn't work. This was the one big tool in the
FBI/NYPD's toolbox, and it's been broken during the fight against
spammers. We had to do a statistical analysis of all the web page
accesses to get close.
Anyways, our congresscritters think that SPYWARE==WEB BUG. And
it's not true. Someone needs to call them and explain it slowly.
-dave
_______________________________________________ Dailydave mailing
list Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
Intro
