All of these attacks rely on an XSS entry point, meaning that you need to
get data from a URL and print it out unsanitised somewhere in the document.
Firefox OS applications don't allow for the most abused way to create this,
which is cross-origin data access. Each app needs to comply with a content
security policy which disallows, for example, the eval() command necessary to
execute malicious code from a third-party source.
In any case, turning off JavaScript doesn't protect you fully on the web
either. There are many XSS attacks possible with CSS or malformed images
and videos.
Either of these attacks, however, relies on a browser that isn't sandboxed and
can read and write content across domains and tabs - something a content
security policy prevents. Many of the listed attacks by Sophos and others
also rely on plugins like Flash, Silverlight or Adobe Reader, none of
which are available in Firefox OS.
Saying Firefox OS is inherently insecure because it uses Firefox is like
saying cars are inherently lethal to humans because they can be driven too
fast. Good security is a mixture of filtering, sanitising and keeping a
system up to date. Demonizing one technology is good marketing if you are a
security company, but any can be exploited. If you really want a dangerous
technology, think of Java exploits. Those give you full OS access, and
Android is based on it.
> _______________________________________________
> Evangelism mailing list
> Evang...@lists.mozilla.org
> https://lists.mozilla.org/listinfo/evangelism
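
The message above leans on a content security policy forbidding eval() and third-party script. As an added example (not part of the original message, and not Mozilla's code), this sketch audits a policy string for those escape hatches; the function names and both sample policies are constructed for illustration.

```javascript
// Added example: audit a Content-Security-Policy string for the script
// escape hatches discussed above. Names and sample policies are constructed.

// Parse "name src src; name src" into a Map of directive -> source list.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored by browsers; the first one wins.
    // Sources are lowercased only so keyword matching is case-insensitive.
    if (!directives.has(name)) {
      directives.set(name, tokens.slice(1).map((t) => t.toLowerCase()));
    }
  }
  return directives;
}

// script-src governs script execution; default-src is its fallback.
function scriptSources(policy) {
  const d = parseCsp(policy);
  return d.get('script-src') || d.get('default-src') || null;
}

function auditCsp(policy) {
  const src = scriptSources(policy);
  if (src === null) {
    // No governing directive: the policy places no limit on scripts.
    return { evalAllowed: true, inlineAllowed: true, thirdPartyAllowed: true };
  }
  const hasNonceOrHash = src.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  return {
    // eval() and friends run only if 'unsafe-eval' is listed.
    evalAllowed: src.includes("'unsafe-eval'"),
    // CSP2+ browsers ignore 'unsafe-inline' when a nonce or hash is present.
    inlineAllowed: src.includes("'unsafe-inline'") && !hasNonceOrHash,
    // Unquoted tokens are host, scheme or wildcard sources beyond 'self'.
    thirdPartyAllowed: src.some((s) => !s.startsWith("'")),
  };
}

// Constructed sample policies: one strict, one that reopens every hole.
const strict = "default-src *; script-src 'self'; object-src 'none'";
const loose = "default-src 'self' https://cdn.example 'unsafe-inline' 'unsafe-eval'";
console.log(auditCsp(strict), auditCsp(loose));
```
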