SAN DIEGO--The open-source Firefox Web browser is critically flawed in the way it handles JavaScript, two hackers said Saturday afternoon.

An attacker could commandeer a computer running the browser simply by crafting a Web page that contains some malicious JavaScript code, Mischa Spiegelmock and Andrew Wbeelsoi said in a presentation at the ToorCon hacker conference here. The flaw affects Firefox on Windows, Apple Computer's Mac OS X and Linux, they said.

"Internet Explorer, everybody knows, is not very secure. But Firefox is also fairly insecure," said Spiegelmock, who in everyday life works at blog company SixApart. He detailed the flaw, showing a slide that displayed key parts of the attack code needed to exploit it.

Link: -> FireFlaw.... errr... Fox

__________________________

Cheers from your intrepid webreporter

Fortunately, Firefox makes it easy to disable java script: Tools > Options > Content, uncheck "Enable JavaScript". Good idea to do that for sites you don't definitely know are safe, especially since those boneheads publicly released exploit code for this vulnerability.

Or, you could use the NoScript extension, which disables JavaScript, Java, etc, except for sites you choose to allow.

Added to frontpage.

You might want to update that, turns out it was mostly a hoax. All it was, really, was a script that crashes Firefox - no exploit code. Mozilla Developer News » Blog Archive » Update: Possible Vulnerability Reported at Toorcon

<edit> I found the bug that's been filed about this. Careful, the testcase will cause a crash! https://bugzilla.mozilla.org/show_bug.cgi?id=355069