[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: Warnings on the download page (Re: QuickJava update req)

Thus spake Mike Perry (mikepery@xxxxxxxxxx):

> Thus spake light zoo (lightzook@xxxxxxxxx):
> > 
> > --- Mike Perry <mikepery@xxxxxxxxxx> wrote:
> > 
> > > Perhaps he would be amenable to fixing his
> > > extension against moore's on-the-fly HTML
> > > generation.  However his email address is not
> > > listed on the author page :(
> > 
> > Well it looks like Mr. Greene prefers to receive
> > feature requests on his blog, not email.  He seems
> > very open to feature requests and suggestions:
> > 
> > Quote Mr. Green:
> > --
> > Please leave comments for feature requests here to be
> > considered.
> > --
> > 
> > Mr. Green's blog entry page:
> > http://www.blogger.com/comment.g?blogID=17969172&postID=112982970672088922
> Yeah, I left a feature request for him. 
> http://quickjavaplugin.blogspot.com/2006/12/features-requested.html
> On further investigation his plugin seems to rely on the Firefox
> setting 'security.enable_java', so perhaps he would have direct
> ability in fixing this bug.. But on the plus side, maybe the fact that

Err. rather he probably has NO direct ability to fix it.

> this setting is under 'security' and can still be bypassed will
> warrant prompt response from the Firefox team.. I'm probably occupied
> for today.. If anyone wants to test this option for firefox 1.5 and
> 2.0 latest with moore's page please do so and post here. Note it's
> hard to tell if the applet is running. You probably have to use
> wireshark and filter on udp while hitting the page with tor disabled.
> The udp packet is to red.metasploit.com. It is easy to see with a
> filter of 'udp'.

http://metasploit.com/research/misc/decloak/ is his url (mentioned in
a previous post). Hit that with JS enabled but java disabled to test.
The more platforms + JVM combos we have the better our odds are of
someone at firefox listening to us and fixing it promptly and
correctly. It's possible the behavior of this 'security.enable_java'
flag is OS+JVM dependent. I will do what I can, but I'm probably
going to be pretty occupied for the next few days with other things.

Also, as much as we have given him shit, HD Moore does deserve some
thanks about providing an open example of all this for us to test.
That is much better than the others who have studied this have done.
(Though I do suspect he may in fact simply hate Tor, at least his
security and research ethics are intact).

Mike Perry
Mad Computer Scientist
fscked.org evil labs