Mon 2 Oct 2006
Web and Application Security brought to light
Posted by Jake Carey-Rand under IV General Posts, Security, Software
The following was written by my web designer, Gareth Ballester, in response to an article I found discussing Mozilla’s security problems with its ever more popular browser, Firefox. The September 30th article from CNET discusses how a couple of hackers have found some serious JavaScript flaws in Firefox… remember that Firefox is the “secure” browser when compared to Internet Explorer…
“Stack overflow and buffer overflow are the method of 99% of vulnerabilities in software today, including web browsers. Basically, an application has multiple layers and function calls (it’s object-oriented). Each layer and function has to validate the data it receives, and in turn, the data it passes to the next layer/function has to be validated. Programmers don’t validate it at every point in the system to save development time, or they don’t always think of it.
So every operating system and every application, including browsers, undoubtedly has multiple “Achilles’ heels” or weak points that could be overflowed. If you pass X amount of data to a function and then tack on some malicious code on the end, but X is the expected amount of data, the receiving function will then put that value in memory. If you put it in the right spot in memory, it can execute. In the past 5 years this has become more and more evident. It wasn’t so much of an issue before the web gained popularity as a place for “applications” and not just static pages.
This is why Windows Vista has a million more layers of security and why processors now have an execute bit (or it’s called an NX… not my specialty), so even the CPU can defend from viruses. Every single communication between different processes on a system has to identify itself in a non-spoofable way (basically, be “trusted”), and validate the data being passed.
I can see why the hackers didn’t take the $500. If you release the info to the public it will just force Mozilla to take it more seriously and fix it faster.
I could see discovering vulnerabilities like this in JavaScript now that JavaScript is being utilized to a greater extent to develop AJAX/web 2.0 applications. If you’re programming an advanced AJAX application, and you get some kind of error, there’s a chance you overflowed something by accident and then you could take that knowledge and use it maliciously.”
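The point in the quoted explanation about every layer validating the data it receives, as an added C example that is not part of the original post or of Gareth's text. The struct, function names and inputs are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16                 /* hypothetical fixed-size field */

struct record {
    char name[NAME_LEN];
    int  is_admin;                  /* data stored right after the buffer */
};

/* "Before": trusts the caller's length. With len > NAME_LEN the copy runs
 * past name[] into whatever follows it. Shown for contrast, never called. */
void set_name_unchecked(struct record *r, const char *src, size_t len)
{
    memcpy(r->name, src, len);
}

/* Inner layer: validates what it receives, even if the caller already did. */
int set_name_checked(struct record *r, const char *src, size_t len)
{
    if (r == NULL || src == NULL || len >= sizeof r->name)
        return -1;                  /* reject; leave the record untouched */
    memcpy(r->name, src, len);
    r->name[len] = '\0';
    return 0;
}

/* Outer layer: validates the input before passing it on. */
int handle_request(struct record *r, const char *input)
{
    const char *end;
    if (r == NULL || input == NULL)
        return -1;
    end = memchr(input, '\0', NAME_LEN);   /* terminator within the limit? */
    if (end == NULL)
        return -1;                          /* too long for the field */
    return set_name_checked(r, input, (size_t)(end - input));
}

int main(void)
{
    struct record r = { "", 0 };
    int ok  = handle_request(&r, "alice");                      /* constructed input */
    int bad = handle_request(&r, "AAAAAAAAAAAAAAAAAAAAAAAA");  /* 24 bytes, constructed */
    printf("ok=%d bad=%d name=%s is_admin=%d\n", ok, bad, r.name, r.is_admin);
    return 0;
}
```

The inner check is redundant as long as every caller behaves like `handle_request`; it is there for the caller that does not.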
