Boing Boing: Shmoo Group exploit: 0wn any domain, no defense exists:
A new exploit was demo’d by EricJ that left all our jaws on the floor. Want to own ANY domain? Want a trusted SSL cert for it? Check it out here. We 0wnz0rd PayPal, but left the rest for you. We have no idea how to fix this and neither do the browser developers. Official advisory here.
So there’s a workaround in play — requiring use of the Mozilla engine’s extensive list of tunables — but what about the IE cross-site scripting vulnerability that was reported six weeks ago? That was against XP with SP2, as new as it gets.
<UPDATED>
Mozilla and Firefox patch fixes exploit, 12 hours later:
Cory Doctorow:
Yesterday, I blogged about a new exploit that attacked internationalized browsers and made it easy to run “phishing” attacks against them. Frank sez, “Firefox and Mozilla builds for last night repair the disableIDN toggle functionality so that it works as designed. Now you can permanently protect your browser from IDN miscreants.” As Waxy points out, that took about 12 hours.
Now to wait for Safari . . . . I give Apple a week to get a patch out. Meanwhile, I’m using the G4/7450-optimized Firefox.