More Firefox vulnerabilities

It’s getting old already. Not Firefox, mind you. What upsets, bores, or downright outrages me, are those “impartial” vulnerability reports that newspapers, blogs and web sites publish, regarding both IE and Firefox bugs and exploits.

The last one, so far, I found at menéame. Their source of info is an article at Hispasec. In the name of “political correctness”, they reveal a bug in IE, and another one in Firefox. The reader gets the impression, not only that no browser is perfect (which is true), but that both have comparable vulnerabilities, which is a screaming lie.

The IE vulnerability they report is that a web page with specially crafted OBJECT tags can stop IE from working, and leave it in a state where arbitrary code could be injected into it and then executed. Pretty scary news, if the second part is true.

The Firefox vulnerability, on the other hand, consists on a JavaScript code piece than can crash Firefox. The code snippet can be found here, or directly tested visiting this page. Beware that the latter will cause your Firefox to crash.

Now, they are comparing apples to oranges again. The IE vulnerability can render it in a potentially dangerous state, whereas the Firefox bug merely crashes it. Yes, it is grave. Yes, it is annoying. But it is not risky for your computer. Secondly, I visited the link above, and… hey! nothing happens here! What is this bug they talk about? Well, as it happens, I have the NoScript extension installed, so the rogue page could not execute its malicious JavaScript code and make my browser crash. I had to manually accept the site in the list of sites that my Firefox accepts JavaScript to be executed from, in order to have it crash my browser.

Which bug would you prefear to bear with, even not taking into account that the Firefox bug will be fixed much faster?

Leave a Comment