Slashdot Mirror

← Back to Stories (view on slashdot.org)

Firefox 0.10.1 Released, Fixes Security Hole

Posted by CowboyNeal on from the hole-in-the-dam dept.

_xeno_ writes "Firefox 0.10.1 was released today to fix a security flaw that could potentially allow a malicious site to erase files from the user's Download directory. If you already have Firefox 0.10 installed, you can go to Tools, Options, and choose Advanced, go to Software Updates and choose Check Now to grab the patch."

21 of 441 comments (clear)

  1. done already! by tuggy · · Score: 5, Informative

    upgrade done in 3 seconds!
    this is what i call being secured :D

    1. Re:done already! by scat-cat · · Score: 3, Informative

      It stopped a popup. The bar alerts you so that you can allow popups from the sites you want.

    2. Re:done already! by jd142 · · Score: 3, Informative

      Apparently software version numbers don't work like "real" numbers. ;) In other words, those aren't decimal places, their merely dividers. .1 is not equal to .10. The order goes .1, .2, .3, .4, .5, .6, .7, .8, .9, .10, .11. 0.10.0 came out about 2 weeks ago.

    3. Re:done already! by ZeroPost · · Score: 4, Informative

      To be fair, Windows Update scans for updates to a lot more software than Firefox.

      Firefox can scan a lot faster than Windows Update because it is only checking for updates to a single program.

      Of course, Microsoft could make an option within IE to scan for IE-only updates, which would make updating IE much faster, but they don't.

    4. Re:done already! by AstroDrabb · · Score: 4, Informative
      The update thingy also tells me that 1.0 PR is available and I should download it. The only problem is that I am already running 1.0 PR
      Not the latest version. If you look at your User Agent (click Help -> About Mozilla Firefox), you will see Firefox/0.10 at the end of your UA. If you go and download the latest version that includes this fix, the new UA will be Firefox/0.10.1.

      I ran into this same problem with the update under Linux. MS Windows users won't run into it since they are running as local Admin or have write permissions to the firefox directory. When I ran it as root, it worked fine so I take it the update needs to write to the root firefox directory it probably then updates your firefox profile. As a normal user you cannot run the update and it never writes to your profile. I think it was just a poor update design for this one update. Hopefully the firefox team will fix it or fix this issue for future updates.

      You could grab the latest firefox tarball from here and just untar it into your current firefox installation folder and restart.

      --
      If Tyranny and Oppression come to this land,
      it will be in the guise of fighting a foreign enemy. -James Madison
  2. Re:WTF?? by MikeBabcock · · Score: 4, Informative

    For all the people who didn't bother reading the last article ...

    Firefox 1.0 has *not* been released yet.

    The current (Firefox 0.10.x) is a preview of what will become 1.0 when it is released (thus PR).

    --
    - Michael T. Babcock (Yes, I blog)
  3. Re:Am I the only one . . . . by wongn · · Score: 5, Informative

    It is quite confusing. I believe that 1.0PR was called 0.10 in order to distinguish it better from 1.0RCs and above. THe program actually calls itself "Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.7.3) Gecko/20040913 Firefox/0.10.1", as in 0.10.1, but the "laymans" name is 1.0PR... you could say ;)

  4. Re:This may sound stupid... by dwhitman · · Score: 4, Informative
    But what exactly is the worry here? It deletes files in your download directory? Does that really matter? Could someone enlighten me on why its worth the bother to uninstall and reinstall for this?

    1. Suppose your download directory isn't dedicated to just downloads. Any files in that directory are vulnerable.

    2. You don't need to uninstall and reinstall. As the article says, just go to tools: options: advanced: software updates and hit the Check Now button

  5. Re:These hurt... by kryptkpr · · Score: 5, Informative

    You must not be aware that the mozilla foundation has put out a bounty where they reward security researchers $500 for finding critical remotely-exploitable vulnerabilities and reporting them.

    What you're seeing are the results of this program.. people are finding bugs, submitting them, and the bugs are being fixed before blackhats can exploit them.

    This is a very wise decision on the part of Mozilla considering how close they are to a v1.0 release.

    --
    DJ kRYPT's Free MP3s!
  6. On Linux the advanced items are ... by 3seas · · Score: 4, Informative

    ... under the main menu edit, then preferences ... then advanced... to Software updates

  7. Probable bug . . . . by theparanoidcynic · · Score: 5, Informative

    I ran this thing last night forgetting that Firefox was installed to a location that user accounts can't write to.

    Seeing the error mesage and remembering this fact I lit Firefox as root and ran the update. This left Firefox mangled and incapiable of downloading things from the user accounts.

    The moral of the story: do be careful using the update thingy. Now, off to fill out a bug report.

    --
    Only in a Slashdot fantasy can a Slackware install turn into several hours of sex . . . . .
    1. Re:Probable bug . . . . by aonifer · · Score: 4, Informative

      I just installed the fix as root, closed Firefox, reopened Firefox as root to verify that the fix was applied, then closed it and reran as a regular user. The regular user account doesn't know that the fix was applied (the red button is there and when I click on it, it says it needs to download the fix). Either there's some kind of permissions problem, or the update information goes into root's profile, and not system-wide.

  8. Re:Don't have that menu option by tuggy · · Score: 4, Informative

    yes.
    i guess thats because of the gnome integration..

  9. Re:This may sound stupid... by compwizrd · · Score: 4, Informative

    because firefox on windows uses the Desktop as the default download location.

  10. Linux users, take note by dacarr · · Score: 4, Informative
    Another user has pointed out that the Advanced option is under Edit|Preferences. Note, you must be root to do this - not merely 'su', but 'su -' at the bare minimum.

    If this doesn't work, of course, you'll have to download and install, which is almost as painless as the upgrade frob. The red 'upgrade' icon may still be present, so you'll have to click that so that Firefox will find that all is well with the world.

    As always, YMMV.

    --
    This sig no verb.
    1. Re:Linux users, take note by tuggy · · Score: 4, Informative

      sudo firefox and then automatic upgrade did the trick for me :)

  11. Re:Nope by kryptkpr · · Score: 3, Informative

    Thunderbird cannot execute .VBS (Microsoft VB Script) files.

    --
    DJ kRYPT's Free MP3s!
  12. Re:These hurt... by lachlan76 · · Score: 4, Informative
    13 security advisories in the last 6 or so months isn't a good look.

    And how many are there in IE that we haven't found yet? The dangerous exploits are the ones we don't know about.
    And besides, do you expect Secunia to have all the security flaws from when IE was in beta? Or do you find it strange that a beta product has had more security flaws found in the last 6 months than the one that's been around and insecure for years.

    Not to mention that none of the advisories were ranked "extremely critical", and only 2 were critical.

    Not to bad for a beta product. Also (from Secunia):
    1. Microsoft Internet Explorer 6 with all vendor patches installed and all vendor workarounds applied, is currently affected by one or more Secunia advisories rated Extremely critical
      Currently, 19 out of 60 Secunia advisories, is marked as "Unpatched" in the Secunia database.
    2. Mozilla Firefox 0.x with all vendor patches installed and all vendor workarounds applied, is currently affected by one or more Secunia advisories rated Less critical
      Currently, 2 out of 13 Secunia advisories, is marked as "Unpatched" in the Secunia database.

    Which would you trust?
  13. Re:When... by aliebrah · · Score: 4, Informative

    In a few days, you'll be able to see the full bug report here:

    http://bugzilla.mozilla.org/show_bug.cgi?id=2597 08

    Currently, it's not scheduled to be marked as public before 4th October. It's still marked as private so that people have an opportunity to upgrade before the details are made public.

  14. Re:When... by Stuwee · · Score: 3, Informative
    I'm just curious if anybody knows how long this patch took to be released.
    Looking through Mozilla's Bugzilla, it would seem as if the bug was first realised on the 23rd of September in a comment to bug 240068, and then had a seperate security-sensitive -- and hence restricted access -- bug report opened yesterday. I'll leave others to comment on the acceptability.

    Bugzilla links referring from Slashdot are blocked, so the above links will have to be manually opened unless your referrer header is obfuscated.
  15. Re:luckily for me... by asa · · Score: 3, Informative

    On the downside, that means that anyone who can pose as the update server gets to insert arbitrary code into your Mozilla install without your knowledge - now that's trojanning!

    Um, no. That is absolutely not the case. The information bar and the trusted sites list is simply a user convenience/inforamtion mechanism like the pop-up blocking bar. After adding a site to the whitelist, a user still has to agree to the software installation. A site cannot "insert arbitrary code into your Mozilla install without your knowledge" because the install doesn't happen until you agree to the install. There are no prompt-less installs.

    --Asa