
For those of you Neanderthals still using Firefox, check your extensions/addons against this list;

Details here.


The vulnerability is the result of a lack of add-on isolation in the Firefox extension architecture. By design, Firefox allows all JavaScript extensions installed on a system to share the same JavaScript namespace, which is a digital container of specific identifiers, functions, methods, and other programming features used in a particular set of code. The shared namespace makes it possible for extensions to read from and write to global variables defined by other add-ons, to call or override other global functions, and to modify instantiated objects. The researchers said that a newer form of Firefox extension built on the alternative JetPack foundation theoretically provides the isolation needed to prevent cross-extension calls. In practice, however, JetPack extensions often contain enough non-isolated legacy code to make them vulnerable.


My conclusions:


1- This further supports my assertion that client-side scripting is the work of the Devil.


2- This further supports my assertion that JavaScript is the work of the Devil.


3- The academic CS community is still out to lunch concerning software architecture and development, particularly in translating the body of knowledge concerning secure programming practices into everyday processes and standards*.


I've been noodling around with the about:config settings in Firefox (well, Waterfox) and it's blindingly obvious that the browser-dev community is operating far above its collective competence level (preloading content from hyperlinks on a page? Really?).



* How many decades did it take for the CS community to acknowledge that it had a monstrous problem with memory mismanagement in C programs?



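The shared-namespace behaviour described in the quoted passage above, modelled as an added example that is not part of the original post and is not Firefox code. It assumes Node.js, with `vm` contexts standing in for extension scopes; the add-on sources, function names and hosts are all hypothetical.

```javascript
// Added illustration, not Firefox code: Node's vm contexts model extension scopes.
// Every add-on name, function and host below is hypothetical / constructed.
const vm = require('node:vm');

// Add-on A, legacy style: helper and its data live in the global namespace.
const ADDON_A_GLOBAL = `
  var trustedHosts = ['example.org'];
  function isTrusted(host) { return trustedHosts.indexOf(host) !== -1; }
`;
// Add-on A, scoped style: same logic inside a closure, nothing left global.
// The script's completion value (the frozen API object) goes to the host only.
const ADDON_A_SCOPED = `
  (function () {
    var trustedHosts = ['example.org'];
    return Object.freeze({
      isTrusted: function (host) { return trustedHosts.indexOf(host) !== -1; }
    });
  })();
`;
// Add-on B: a second add-on that writes to whatever globals it can see.
const ADDON_B = `
  if (typeof trustedHosts !== 'undefined') trustedHosts.push('other.example');
  if (typeof isTrusted === 'function') isTrusted = function () { return true; };
`;

// Load A then B, then ask A's check about a host A never listed.
function unknownHostTrusted(mode) {
  const ctxA = vm.createContext({});
  // 'separate' gives B its own global object; the other modes share A's.
  const ctxB = mode === 'separate' ? vm.createContext({}) : ctxA;
  if (mode === 'scoped') {
    const api = vm.runInContext(ADDON_A_SCOPED, ctxA);
    vm.runInContext(ADDON_B, ctxB);
    return api.isTrusted('unknown.example');
  }
  vm.runInContext(ADDON_A_GLOBAL, ctxA);
  vm.runInContext(ADDON_B, ctxB);
  return vm.runInContext("isTrusted('unknown.example')", ctxA);
}

for (const mode of ['shared', 'separate', 'scoped']) {
  console.log(mode, '-> unknown host trusted:', unknownHostTrusted(mode));
}
```

Only the `shared` mode with global-style code lets the second add-on change the first add-on's answer, which is the "non-isolated legacy code" case the passage describes.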

If you have a computer, and you've ever connected it to the internet in any way, you are at risk. That's the reality of today. Even with best practices, you can still get pwned. 0-days are out in the wild, and you never know for sure if/when you've been nailed by one.


That said, keep your shit updated, use best practices, and be careful what you actually put on anything that ever touches the internet.


I have heard it said: "Those who can, do. Those who can't, program for the web." and I have seen very little to dissuade me from agreeing.
