Firefox 0.10.1 Released, Fixes Security Hole
_xeno_ writes "Firefox 0.10.1 was released today to fix a security flaw that could potentially allow a malicious site to erase files from the user's Download directory. If you already have Firefox 0.10 installed, you can go to Tools, Options, and choose Advanced, go to Software Updates and choose Check Now to grab the patch."
upgrade done in 3 seconds! :D
this is what i call being secured
For all the people who didn't bother reading the last article ...
Firefox 1.0 has *not* been released yet.
The current (Firefox 0.10.x) is a preview of what will become 1.0 when it is released (thus PR).
- Michael T. Babcock (Yes, I blog)
It is quite confusing. I believe that 1.0PR was called 0.10 in order to distinguish it better from 1.0RCs and above. The program actually calls itself "Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.7.3) Gecko/20040913 Firefox/0.10.1", as in 0.10.1, but the "layman's" name is 1.0PR... you could say ;)
1. Suppose your download directory isn't dedicated to just downloads. Any files in that directory are vulnerable.
2. You don't need to uninstall and reinstall. As the article says, just go to tools: options: advanced: software updates and hit the Check Now button
You must not be aware that the mozilla foundation has put out a bounty where they reward security researchers $500 for finding critical remotely-exploitable vulnerabilities and reporting them.
What you're seeing are the results of this program: people are finding bugs, submitting them, and the bugs are being fixed before blackhats can exploit them.
This is a very wise decision on the part of Mozilla considering how close they are to a v1.0 release.
DJ kRYPT's Free MP3s!
... under the main menu edit, then preferences ... then advanced... to Software updates
I ran this thing last night forgetting that Firefox was installed to a location that user accounts can't write to.
Seeing the error message and remembering this fact I lit Firefox as root and ran the update. This left Firefox mangled and incapable of downloading things from the user accounts.
The moral of the story: do be careful using the update thingy. Now, off to fill out a bug report.
Only in a Slashdot fantasy can a Slackware install turn into several hours of sex . . . . .
While your logic is good, your reasoning is wrong. This is just version 0.10.0 also known as 1.0PR with a security update which bumped it up to 0.10.1. Doesn't have anything to do with dates, just a coincidence.
Regards,
Steve
yes.
i guess that's because of the gnome integration..
because firefox on windows uses the Desktop as the default download location.
If this doesn't work, of course, you'll have to download and install, which is almost as painless as the upgrade frob. The red 'upgrade' icon may still be present, so you'll have to click that so that Firefox will find that all is well with the world.
As always, YMMV.
This sig no verb.
Thunderbird cannot execute .VBS (Microsoft VB Script) files.
And how many are there in IE that we haven't found yet? The dangerous exploits are the ones we don't know about.
And besides, do you expect Secunia to have all the security flaws from when IE was in beta? Or do you find it strange that a beta product has had more security flaws found in the last 6 months than the one that's been around and insecure for years?
Not to mention that none of the advisories were ranked "extremely critical", and only 2 were critical.
Not too bad for a beta product. Also (from Secunia):
Currently, 19 out of 60 Secunia advisories, is marked as "Unpatched" in the Secunia database.
Currently, 2 out of 13 Secunia advisories, is marked as "Unpatched" in the Secunia database.
Which would you trust?
If I had mod points this morning I'd mod both you dumb motherfuckers down. Grandpa I'd mod flamebait for asking such a stupid fucking question (Remote attackers can delete files. Why should I bother to upgrade?), and you I'd mod offtopic, which is how all "mod parent x" posts should be moderated.
In a few days, you'll be able to see the full bug report here:
http://bugzilla.mozilla.org/show_bug.cgi?id=259708
Currently, it's not scheduled to be marked as public before 4th October. It's still marked as private so that people have an opportunity to upgrade before the details are made public.
...or you could have norton which stupidly and automatically deletes the file the vbs is in and pops up a window saying repair successful. AKA your inbox.
Any sufficiently advanced influence is indistinguishable from control.
The numbering scheme is XX.YY.ZZ
XX is the major version.
YY is the minor version.
ZZ is for small patch updates.
0.10.1 is the tenth minor version and has had one patch.
Bugzilla links referring from Slashdot are blocked, so the above links will have to be manually opened unless your referrer header is obfuscated.
The browser relies on a trusted sites white list for execution of the type of files in question.
On the downside, that means that anyone who can pose as the update server gets to insert arbitrary code into your Mozilla install without your knowledge - now that's trojanning!
Um, no. That is absolutely not the case. The information bar and the trusted sites list is simply a user convenience/information mechanism like the pop-up blocking bar. After adding a site to the whitelist, a user still has to agree to the software installation. A site cannot "insert arbitrary code into your Mozilla install without your knowledge" because the install doesn't happen until you agree to the install. There are no prompt-less installs.
--Asa
No matter, just visit the press page linked by CowboyNeal and click the link to install the XPI patch directly.
Firefox will probably block it, but two more button-presses to whitelist www.mozilla.org for patch installations and you'll be able to apply it.
If this sort of thing continues they should definitely add www.mozilla.org to the default whitelist.
No, it sounds like your virus scanner did it.
A proper virus scanner should be scanning incoming e-mail _before_ it hits your hard disk (through the use of a Winsock LSP), not after. Both Norton and NOD32 implement this type of scanning.
If it only picked up the virus after it's allowed Thunderbird to write it to disk, and then "cleaned it", then it has effectively nuked your inbox for you since Thunderbird keeps all your e-mail for a given folder in 1 file.
The user has to actually initiate the update themselves. You simply see a little red arrow, click it, and then are asked to update. Why is this bad if mozilla.org knows how to secure itself?
"Who doesn't think that this kind of thing will have endless potential for hackers to exploit in the years ahead."
Don't you think they've thought of that? Update installs are coded for mozilla.org only and I expect other layered security to come as well. Give them a little credit already. When mozilla/firefox becomes the plague of the Internet like IE is currently then you can start throwing accusations around. Until then, based on their track record, I'm willing to give them the benefit of the doubt.
"The ability for a browser to download and execute things on the client automatically is just a huge security risk, regardless of the measures that the designers think they have put in place."
Just because Microsoft completely fucked up with IE doesn't mean all of IE's features are bad, just not properly secured. You're wrongly throwing away an entire workable concept for all the wrong reasons.
Also AFAIK there has never been a hack of either Windows Update or Red Hat Network where someone got trojaned for installing an update. Again, expect tighter controls on who can install what in the future.
" next to unusable on my old workstation (450 MHz, RH 7.3) "
Yes, and XP runs slow on 5 to 6 year old hardware as well. What's your point? The zilla's won't ever be blazing fast on ancient hardware so you might as well move on now. Photoshop CS won't run very well on a P450 either. That's a fairly lame complaint since most users don't have your problem. The Mozilla developers also never claimed it would be a browser for old computing platforms in the first place. I don't know why you assumed that. I have btw used Firefox on that era hardware as well. It's no speed demon loading but usable once it launched. On my PIII 700 laptop with 256MB, a machine only a little newer than yours, Firefox runs pretty well and it's all I use.
If you wanna get rich, you know that payback is a bitch
Depends if you're on linux or windows. On Windows it's tools->options. They really should standardize it.
Joseph?
The Mozilla press release even has a "click here" link to automatically install the patch! Who doesn't think that this kind of thing will have endless potential for hackers to exploit in the years ahead.
I don't think that. Because mozilla uses whitelisting to mark servers you're allowed to install from. If you try installing from another server, it throws up an error. A user would have to manually add a server to the allowed list before an exploit could be installed. Of course, there might be a bug in the whitelisting system, but overall I think the approach is reasonably secure.
Why not just design a browser that works on multiple platforms, using an established cross-platform GUI such as wxWidgets, rather than going away to create a browser and coming back with another new, slow, bloated, universal uber-platform swiss-army-knife UI language...
Because you can't. I am not aware of any native toolkit that allows you to implement a browser fully compliant with the W3C standards, and wxwindows is even less capable than native toolkits. Mozilla optimizes by using native controls where it can, but if it didn't have the xul toolkit, compliance and compatibility would be a lot worse.
David Hyatt, who was/is a developer on both the mozilla and safari teams has written about the trouble with native widgets before. It's just not as simple as you would think it is.
I know, "Do it yourself dude", and plenty of geeks out there just love the customizability of XUL, but truthfully all I want is a fast, small browser. It just seems like everything is getting larger, slower and more bloated these days.
With modern standards being what they are, firefox is about as good as it gets. We're no longer in the days of html 3.2 (well, ok, slashdot still is, but that's beside the point). A browser nowadays has to do a lot more than just render html.
But if you think you can do better, please try.
Saying it's a beta product is an excuse, nothing more. 20 years ago, alpha, beta and release had clear significations. Now, it doesn't mean anything.
I think that explains it nicely. Can you hear me now?
I think it's great that we are actually getting bugs *found*, *reported*, and *fixed*. Can you just imagine how dangerously insecure life would be without this kind of performance? Sadly, if you haven't yet switched you don't have to.
Dynamic theme switching was considered too buggy for 1.0.
(And now, the part that is not a dupe)
Set extensions.dss.enabled to true in about:config to use what they have so far. Some things might not work completely, but people seem to believe that it works mostly well enough anyway.
It's a traditional numbering scheme. I've used similar ones for about 15 years!
To eliminate some confusion, I tend to use numbers like this ...
... instead of ...
... since the leading zeros sort more easily!
The numbers break down like this:
Where
So, you see "Version 5" on the box or at the web site while the software might have an internal stamp of "5.02.003.0456"
This is a general guide, though. Some folks use only the first two...some use three (with or without build #), and some use five.
The value of this is that it allows you to sort defect reports, quickly identify if something was formally made public (and tested), or if it came before/after another release.
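The two numbering posts above (the XX.YY.ZZ scheme and the leading-zero trick for sorting) are easy to get wrong in practice: a plain string sort puts "0.10.1" before "0.9.3". This added example, not from the thread, compares versions numerically and shows why the zero-padded form sorts correctly as text; the release list is constructed for illustration.

```python
import re
from functools import cmp_to_key

# Constructed sample of dotted version strings (the XX.YY.ZZ scheme from the thread).
RELEASES = ["1.0", "0.9.3", "0.10.1", "0.8", "0.10"]

VERSION_RE = re.compile(r"^\d+(\.\d+)*$")


def parse_version(s):
    """Split 'XX.YY.ZZ[...]' into a tuple of ints; reject anything that is not dotted digits."""
    if not VERSION_RE.match(s):
        raise ValueError(f"not a dotted version: {s!r}")
    return tuple(int(part) for part in s.split("."))


def compare_versions(a, b):
    """Component-wise numeric compare; missing trailing parts count as 0, so '1.0' == '1.0.0'.
    Returns -1, 0 or 1."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))
    pb += (0,) * (width - len(pb))
    return (pa > pb) - (pa < pb)


def sort_versions(versions):
    """Order release strings numerically, e.g. 0.9.3 < 0.10 < 0.10.1 < 1.0."""
    return sorted(versions, key=cmp_to_key(compare_versions))


def zero_pad(s, width=2):
    """Render each component with leading zeros ('0.10.1' -> '00.10.01') so that
    an ordinary text sort agrees with the numeric order, as the comment above suggests."""
    return ".".join(f"{part:0{width}d}" for part in parse_version(s))


def text_sort_matches_numeric(versions):
    """True when a plain string sort of the zero-padded forms gives the numeric order."""
    numeric = [zero_pad(v) for v in sort_versions(versions)]
    return sorted(zero_pad(v) for v in versions) == numeric
```

Note that `sorted(RELEASES)` on the raw strings yields `['0.10', '0.10.1', '0.8', '0.9.3', '1.0']`, which is the ordering confusion the thread is about.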
A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
I am moox - the Firefox builder making the localized builds of Firefox. Sorry for the odd user name of Sevencarbon, but moox was already taken. I just want to point out that there are several 3rd party developers making optimized and customized versions of Firefox and Thunderbird. They include people such as mmoy, JTw, BangBang23, BlueFrye, daihard, pigfoot, scragz, amano, djeter, matlhDam, and MMx. If you want to see the fruits of their efforts or learn about what they are working on I strongly suggest you look at the mozillazine forums (http://forums.mozillazine.org/viewforum.php?f=42) or at pryan's forums (http://pryan.org/mozilla/forums/viewforum.php?f=3).
As a group, we all work tirelessly to make a good product better and I do not think it is fair for the focus to be on one of us since we have all made significant and valuable contributions to the development of Firefox and Thunderbird.