Announcement

Collapse
No announcement yet.

Firefox 120 Ready With Global Privacy Control, WebAssembly GC On By Default

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • qarium
    replied
    Originally posted by ssokolow View Post
    I guessed that. I was wondering how the exploit works.
    looks like i found something:
    CVE-2023-6212



    "
    CVE-2023-6212
    Memory safety bugs present in Firefox 119, Firefox 115.4,...

    Unreviewed Published Nov 21, 2023 to the GitHub Advisory Database • Updated Nov 23, 2023

    Package
    No package listed— Suggest a package

    Affected versions
    Unknown

    Patched versions
    Unknown

    Description
    Memory safety bugs present in Firefox 119, Firefox 115.4, and Thunderbird 115.4. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 120, Firefox < 115.5, and Thunderbird < 115.5.0.
    ReferencesPublished by the National Vulnerability Database Nov 21, 2023

    Published to the GitHub Advisory Database Nov 21, 2023

    Last updated Nov 23, 2023

    Severity
    Unknown

    Weaknesses
    No CWEs

    CVE ID
    CVE-2023-6212

    GHSA ID
    GHSA-4cv2-qh42-x2j4

    "

    Leave a comment:


  • qarium
    replied
    Originally posted by ssokolow View Post
    I guessed that. I was wondering how the exploit works.
    I guessed that. I was wondering what their goal was (i.e. how much OS access they needed to achieve their trojan-ing goals), which you just explained.
    uMatrix is like NoScript on steroids. It lets you do stuff like saying "Allow frames from foo.com on site X but not site Y. Allow JavaScript on Site X when I navigate to it in the address bar but not when it's used for third-party assets on other sites. etc. etc. etc."
    I already ordered a "C't Desinfec't" usb stick to then scan the harddrive.
    and in 3 days i will order a new SSD for my computer. after that i will try to find out what happened extracting log files checking the autostart function what was installed to start after next boot.
    if i find something i will send it to Citizen Lab.

    "how the exploit works."

    at this point i honestly don't know.

    i will try to find out.

    Leave a comment:


  • ssokolow
    replied
    Originally posted by qarium View Post
    the Vulnerability was in the language package of firefox.
    I guessed that. I was wondering how the exploit works.

    Originally posted by qarium View Post
    Flatpak Firefox in a sandbox would maybe stop harddrive access but if you have web telegram and web whatsapp open they get this anyway...
    I guessed that. I was wondering what their goal was (i.e. how much OS access they needed to achieve their trojan-ing goals), which you just explained.

    Originally posted by qarium View Post
    blocking or disable javascript makes the web unuseable but some people use noscript and whitelist trusted websites...
    uMatrix is like NoScript on steroids. It lets you do stuff like saying "Allow frames from foo.com on site X but not site Y. Allow JavaScript on Site X when I navigate to it in the address bar but not when it's used for third-party assets on other sites. etc. etc. etc."

    Leave a comment:


  • qarium
    replied
    Originally posted by ssokolow View Post
    Anywhere we can read up on the exploit in question? I know I haven't clicked any links like that, but I'm curious whether having uMatrix apply Javascript whitelisting and running Firefox inside Flatpak would have tripped it up.
    the Vulnerability was in the language package of firefox.

    i have the exploid on my harddrive but i need to perform desaster recovery.
    i did know after 10seconds something is wrong and like 1-2 minutes later i plucked off the power.

    i was informed the attackers plan to leak/release my search history and chatlog of telegram and whatsapp. and whatever they could get in this short time.

    Flatpak Firefox in a sandbox would maybe stop harddrive access but if you have web telegram and web whatsapp open they get this anyway...

    blocking or disable javascript makes the web unuseable but some people use noscript and whitelist trusted websites...

    i also think native firefox will disapear in fedora and they make flatpak firefox the default.





    Leave a comment:


  • yump
    replied
    Originally posted by pgeorgi View Post

    From the MDN link I posted in comment #1, it seems that the "Global Privacy Control" is about third party sharing (or selling) of data, while "Do Not Track" is about, well, tracking. Those are very similar but not quite the same (sharing with third parties might be for non-tracking purposes, tracking could be done by the first party).

    The other aspect is that Microsoft poisoned the well for DNT when they made it default-on in IE10 (https://en.wikipedia.org/wiki/Do_Not...ng_controversy). With that, website operators started claiming that "how are we supposed to know that it's a user intent? Let's track!!!1" Just using a new name might be enough to reset the clock on that, although recently there was finally a lawsuit where "we ignore DNT" had consequences (https://stackdiary.com/german-court-...track-signals/)
    Meh. Pointless, like every other evil bit. Evildoers won't set the evil bit because they'd rather you not know they were doing evil, and they won't obey your do-no-evil bit because they're evil.

    The only ways to solve adtech are prison and penury.

    Leave a comment:


  • yump
    replied
    Originally posted by ssokolow View Post

    Anywhere we can read up on the exploit in question? I know I haven't clicked any links like that, but I'm curious whether having uMatrix apply Javascript whitelisting and running Firefox inside Flatpak would have tripped it up.
    It's nonsense. He's lost his marbles again.

    Leave a comment:


  • yump
    replied
    Originally posted by Flaburgan View Post
    Pity it's nightly-only and doesn't show release versions.

    Leave a comment:


  • ssokolow
    replied
    Originally posted by qarium View Post
    Michael

    my email to [email protected]:

    Multible Phoronix.com forum users infected with Trojan because of zeroday Vulnerability in Firefox version 119 and firefox-language package.
    Attackers did spread links in the forum to infected webservers with fraudulent intel cpu benchmarks.
    You should warn your audience and delete the dangerous forum links. they did post the links in multible forum topics about amd threadripper 7000.​
    Anywhere we can read up on the exploit in question? I know I haven't clicked any links like that, but I'm curious whether having uMatrix apply Javascript whitelisting and running Firefox inside Flatpak would have tripped it up.

    Leave a comment:


  • qarium
    replied
    Michael

    my email to [email protected]:

    Multible Phoronix.com forum users infected with Trojan because of zeroday Vulnerability in Firefox version 119 and firefox-language package.
    Attackers did spread links in the forum to infected webservers with fraudulent intel cpu benchmarks.
    You should warn your audience and delete the dangerous forum links. they did post the links in multible forum topics about amd threadripper 7000.​

    Leave a comment:


  • cynic
    replied
    Originally posted by cj.wijtmans View Post
    If we could get rid of scripts on the web that would be great. Complex CSS already got rid of a lot of JS bloat. Now we just need html variables or something that can be updated through a link or button loading a html patcher, replacing AJAX. I feel like in the recent years we got so much APIs and APP stuff just to take control from the user, spy on you and force ads. Want anything more? Run a real program and not an inefficient web app.
    i 100% agree with you.
    unfortunately the trend is more and more moving things on the web and making more and more code running inside the browser (just thinking to WASM).

    beside being inefficient and ugly, it's a (undesiderable) going back to the mainframe-era paradigm.

    Leave a comment:

Working...
X