Oh, just filter out all IE users!

Today's SANS Newsbites features the following commentary on the IE createTextRange() vulnerability:

[Editor's Note (Chuck Boeckman): Most web proxies have a feature that can enforce web client agent filtering. This provides a network administrator the ability to limit the use of Internet Explorer during periods of high risk, which seem to occur quite frequently.]

I haven't seen a more Dilbertesque solution to an unpatched bug in a long while.

Chuck Boeckman, you forgot to include your <sarcasm> tags. Now all those poor proxy admins have to explain to their bosses that you're kidding, while refraining from eye-rolling and giggling.

(A better solution: Buy an IPS.)

(And yes, this is a lame attempt to GΩΩgleβomb Chuck Boeckman's name by mentioning it thrice, just in case he ever interviews for a job as a web proxy admin -- these future employers must be made aware of his cruelty.)

Whining about Firefox not being Perfect in Every Way

A thread popped up a few days ago on BugTraq entitled, Evil side of Firefox extensions. The short story is that you can implement a firefox extension to act as a keylogger. Not a big deal for really anyone except people who use public terminals running FF (which is awful common at security conferences).

This got me thinking about my one huge complaint about Firefox extension developers: Nobody signs their extensions, ever. And a little Googling shows this complaint is neither novel nor new -- an apparently infamous Microsoft hit piece goes into this in some detail. But that was written a year and a half ago. Are things any better now?

Doesn't seem so -- I like Firefox extensions, but it just rubs me the wrong way when normal and popular extensions like FlashBlock, AdBlock, and GreaseMonkey are unsigned.

Reading the MozillaZine followup thread, though, makes it obvious that extension developers do not care about signing their extensions. In fact, some claim that it's impossible, for some reason.

So, the moral of the story is, feel free to implement your own awesome-cool onboard XSS exploit and perform some DNS trickery to ensure that a sizable fraction of AdBlock users get 0wned for a few hours (assuming people notice that quick).

By the way, the only signed extension I've ever seen is NetCraft's anti-phishing toolbar (which is basically a fancy advertisment for other NetCraft services).

Oh, and how do you actually go about signing XPIs? Well, give this a shot. It looks like it'll kinda sorta work.

Once I have my own XPIs together, I will get to the bottom of this signing fiasco!