Have you ever seen a live demo of one of those critical vulnerabilities that Firefox publishes? Is it possible to run a program (i.e. Notepad) or download/install a new one, without user intervention, just by visiting a URL? That's what Mozilla assures in the security advisories. https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/

I've asked for help on other sites, and even offered a bounty, but no such luck. Note that I'm not talking about a new unpublished exploit, I just want to see one of those bugs that are public. I don't even need to see the source code, just a live demo.

The last demo of that type I saw was in 2000, affecting IE 5. http://www.guninski.com/chmtemp-desc.html
joeqwerty, EEAA, Zoredache, Tero Kilkanen, Katherine Villyard: What part of my question didn't you understand? Moderator Shane Madden understood it perfectly. The only thing I understand clearly is that you are more willing to block this inconvenient question than to let others contribute. – John Doe Feb 23 '15 at 08:59
1 Answer
No, it's not a myth. Exploit DB is the best place to find proof-of-concept attacks for publicly disclosed vulnerabilities. Obviously not every vulnerability gets published there, but plenty do - the latest one I'm seeing against Firefox is from April of last year.
Another good source of... proof?... of vulnerabilities in the major browsers is the Pwn2Own competition, which last year had 4 different zero-day attacks used against Firefox.

Shane Madden
I've been searching exploit-db.com for hours, and I've downloaded the old FF versions, but I only find scripts that crash FF. Besides, some of them applied to Add-ons, or required Java. Anyway, I think I'm not going to find any true remote code execution in versions newer than FF 4.0 or 11.0 – John Doe Feb 22 '15 at 22:02