

Vulnerability in FireFox 3.5.1 confirmed; exploit PoC - arantius
http://isc.sans.org/diary.html?storyid=6829&rss
... a vulnerability is present in FireFox 3.5.1 that has had exploit PoC released. When exploited, the vulnerability can lead to system compromise or induce a DOS ...
======
tptacek
There are apparently a bunch more of these coming in a week and a half, when
Dowd and co. take the stage at Black Hat.

------
cookiecaper
Kind of scared to do this, because the last time I admitted to not knowing an
acronym I got -8, but what is PoC?

EDIT: Oh, just figured it out reading a new comment. PoC = proof of concept,
for anyone else who may not be running full-speed on a Saturday.

~~~
BrentRitterbeck
I'm really curious about the whole "karma" concept, so don't take my question
as an attack. Is a meaningless number so important to you that you would value
it over knowledge? It seems you were almost on the edge of not asking simply
because you thought you might be downvoted.

~~~
saikat
The whole point of karma is to have meaning and to discourage users from
posting a certain type of comment or question. Googling just "PoC" or
"software PoC" pretty immediately answers his question - my guess is this is
why the downvotes happened last time. I probably wouldn't downvote a question
like this, but I can see why others would discourage it.

~~~
BrentRitterbeck
I can understand that, but it's just a number. My opinion of someone is not
going to be any different if their karma is 1 versus 10000. Why would someone
worry about that when they have a legitimate question that they want answered?
The only thing I use karma for is to decide if something is worth reading.
Chances are that if it has been voted up highly it's probably worth reading.

~~~
philh
In theory, signal gets upvoted and noise gets downvoted. If I get downvoted,
my post was probably noise. I don't want to increase the noise level, and I
accept that I may not be the best judge of my own comments' quality.

It makes sense to care about karma as an indicator of whether the community
thinks my contributions are good or not.

~~~
BrentRitterbeck
Yeah, but my point was that it's the same as being afraid to ask a question in
class because the question may be viewed as stupid. There's no such thing as a
stupid question. I think it's kind of silly to worry what people think about
your question if it is a legitimate question.

~~~
derefr
There may not be such a thing as a stupid question, but there are definitely
people that not ony think there is, but that I emotionally value the judgement
of, _even when that judgement is bases on invalid logic_. To point at a pop-
psychological basis, pretend it was your father that said "that's a stupid
question." You might argue against it to hell and back, but there's no way you
would be unaffected by the statement.

~~~
BrentRitterbeck
Yeah, but my father is not one of the people on Hacker News.

EDIT: These are just normal people, albeit a group of successful
entrepreneurs. We've all had things we wish knew. If you have a question, why
not ask it?

------
devicenull
Had a number of people try this, and it doesn't work.. well it freezes up the
browser for a minute or two, but then FF catches it and lets you stop it.

------
drhowarddrfine
I'm confused. While the title is for v3.5.1, the details say v3.5.

It should be noted that this is a medium vulnerability and the chances of
running into is are impossible according to one commenter.

~~~
tptacek
The debate you're referring to is whether this is exploitable if you block
Javascript with NoScript. Most of us don't.

~~~
reduxredacted
Thanks. That's what I was looking for. The write-up didn't indicate what was
vulnerable...I had to look at the PoC code.

I'd bet most of this community uses NoScript. My wife and family do not. I
don't bother installing it on their systems because my experience has been
that they simply whitelist everything that "doesn't work".

There's no point to installing NoScript on Firefox used by someone who
whitelists a site he clicked on from a spam message because there was an
appropriately placed breast, or claims of such of the appropriate size.

