Slashdot Mirror


Firefox 0.10.1 Released, Fixes Security Hole

_xeno_ writes "Firefox 0.10.1 was released today to fix a security flaw that could potentially allow a malicious site to erase files from the user's Download directory. If you already have Firefox 0.10 installed, you can go to Tools, Options, and choose Advanced, go to Software Updates and choose Check Now to grab the patch."

28 of 441 comments

  1. Re:This may sound stupid... by neodude88 · · Score: 5, Insightful

    Maybe because you don't need to reinstall to upgrade to this patch? Just update.

  2. Am I the only one . . . . by theparanoidcynic · · Score: 5, Insightful

    Who finds this version numbering scheme damn confusing? The actual program calls itself 1.0PR but the directory structure on the Mozilla server and CowboyNeal call it 0.10.1. Anyone care to explain what's going on here?

    --
    Only in a Slashdot fantasy can a Slackware install turn into several hours of sex . . . . .
  3. Depends on your download directory by anno1602 · · Score: 3, Insightful

    Some people have a dedicated download directory they only use for temp storage until moving the file into a permanent place (or deleting it).

    There are, however, a lot of users who pack all their stuff onto the desktop or into "My Documents" with no or little subfolders. For such use cases, the patch is indeed worth installing.

  4. Re:done already! by tuggy · · Score: 5, Insightful

    It sure means something!
    It's very different to have an exploit in the wild and be able to prevent it in 3 seconds, or waiting 1,2..10 weeks for a fix

  5. Ah nevermind by Mustang Matt · · Score: 2, Insightful

    I see the 0.10.1 at the bottom in the user agent string.

    --
    The man who trades freedom for security does not deserve nor will he ever receive either. - Benjamin Franklin
  6. Re:done already! by distributed · · Score: 2, Insightful

    wow.. no shit! it actually took just 3 seconds..

    I wonder what IE can do about this...
    The windows update site takes a hell of a time to load and then scan @ a snail's pace.

    And live feeds are simply amazing... that's how I check slashdot now, and caught this post.

    great work guys.

    --
    [all generalizations are untrue except this one]
  7. Cool. Upgrade Path by darkmeridian · · Score: 4, Insightful

    This is what open-source needs: a quick and convenient upgrade/patch system. I went to the system settings and ten seconds later, my Firefox was patched.

    Now if only Gaim does this.

    Will

    --
    A NYC lawyer blogs. http://www.chuangblog.com/
    1. Re:Cool. Upgrade Path by jrcamp · · Score: 4, Insightful

      No, this is the job of package management systems under Linux, be it apt-get, emerge, urpmi, yum, etc. Individual programs don't need to start implementing their own update schemes. For third party packages there will be autopackage.org one day I hope, and updates could be done through that.

  8. These hurt... by deminisma · · Score: 3, Insightful

    Considering Firefox is supposed to be the secure alternative, 13 security advisories in the last 6 or so months isn't a good look.

    Sure it isn't that bad, but nonetheless, it doesn't help Firefox's image at all and looking at Secunia, Firefox has had more advisories than any other browser (yes, that includes Internet Explorer and the Mozilla Suite) since May this year.

  9. Re:it's nice to see ms finally losing the browserw by aardvarkjoe · · Score: 3, Insightful
    it's nice to see ms finally losing the browserwars
    Yeah, now not only do we get a browser as good as IE, it's got similar security "features" too...
    --
    How can we continue to believe in a just universe and freedom to eat crackers if we have no ale?
  10. defending this post worth losing karma by scupper · · Score: 2, Insightful
    Right now, the parent post :
    This may sound stupid...by -kertrats
    has just been modded, within seconds of being posted, as "Flamebait".

    How on earth is that post flamebait?

    The article discusses a vulnerability.

    kertrats asks:
    But what exactly is the worry here? It deletes files in your download directory? Does that really matter?
    How is asking others on /. for their insight into this vulnerability "flamebait"? Isn't that what /. is all about, discussion? He/she didn't bash on Mozilla, or the whole open source effort, they just asked questions about the vulnerability after reading the summary from mozilla.

    As to the last question asked by kertrats:
    Could someone enlighten me on why it's worth the bother to uninstall and reinstall for this?
    Again, kertrats was ASKING A QUESTION, NOT INSULTING THE GECKO GOD OF MOZILLA AND OPEN SOURCE.

    It's mods like this one that make you wonder if the person modding is either waging a mod war against another /. member, can't comprehend English as their native language is not English, or simply uses the moderation points like a video game weapon on hapless victims, then messaging their karma cabals to attack the same /. member.

    People ask questions like this all the time. How is kertrats being confrontational and "flamebaiting" by asking questions that did not contain words like "junk" or "piece of shit", or whatever.

    Obviously, kertrats is a firefox user, and wants to continue to use firefox, otherwise he/she wouldn't give a rats ass about it either way.

    Man, get with it with the damn mods.
  11. Re:Helpful bug by Anonymous Coward · · Score: 1, Insightful

    You have a few files there called "Copy of Copy of Copy of Whatever". Man, you are messy!

  12. Best way to find out ... by fine09 · · Score: 3, Insightful

    The issue isn't that there is a new exploit. The good thing is that we found out about the exploit by having to apply the patch to fix it.

    No software is perfect, any software that has any contact with the internet can have an exploit. It all depends on how fast the developers are able to discover and fix the problems.

  13. Explaining 0.10.1 by XoloX · · Score: 5, Insightful

    The reason (for as far as I know) that Firefox uses this versioning scheme:

    If 1.0PR would have a version-tag with 1.0 in it, it would be more complicated for (for example) extensions to differentiate 1.0PR and the real 1.0. And home-users would probably not even get to see these version-numbers. They would just notice there is a new update.

    And about the bugs, I know I'm stating the obvious, and that it's been said before in this thread, but I'll try again:

    First of all, because Firefox performs so well people tend to forget this is still beta-software! Second, these bugs are discovered partially because of the bughunting program with rewards. So these bugs could well have existed for months before being discovered. It's good news they have already been squashed! And third, some of these bugs actually appeared because of the way Windows fucks up! (Remember the shell:// protocol?)

    Hope this helps,

    XoloX

  14. Automatic stuff == bad security by ngunton · · Score: 5, Insightful

    The thing that strikes me here is that the ability for browsers to have convenient, automatic features (and, in the case of Firefox, UI customization capability up the wazoo) is simply another form of the same mentality that made IE into such a security nightmare. The ability for a browser to download and execute things on the client automatically is just a huge security risk, regardless of the measures that the designers think they have put in place. The Mozilla press release even has a "click here" link to automatically install the patch! Who doesn't think that this kind of thing will have endless potential for hackers to exploit in the years ahead. The bloated XUL interface engine that makes Mozilla (and Firefox) next to unusable on my old workstation (450 MHz, RH 7.3) also means that the UI can be totally changed - this, to me, is very scary. Because if something can be totally changed, then I can guarantee that eventually someone will figure out a way to totally change it without my consent.

    Why not just design a browser that works on multiple platforms, using an established cross-platform GUI such as wxWidgets, rather than going away to create a browser and coming back with another new, slow, bloated, universal uber-platform swiss-army-knife UI language... yeah, I know, "Do it yourself dude", and plenty of geeks out there just love the customizability of XUL, but truthfully all I want is a fast, small browser. It just seems like everything is getting larger, slower and more bloated these days. Even Firefox, which is supposed to be sleek and fast, runs like a dog on my workstation. I don't see why I should have to upgrade my computer just for a fricking browser, when every other piece of software that I use runs just fine thanks very much.

    I don't hate Mozilla, these are just my honest reactions to the whole affair over the last couple of years.

  15. Re:Don't upgrade by whiteranger99x · · Score: 2, Insightful

    I would consider this a feature more than a bug. It's like someone breaking into your house and taking out the garbage for you...

    Or for most of us, it would mean someone breaking into your house, shredding your porno mags, demagnetizing the VHS porn, and scratching and shredding the DVD porn...bastards! :P

    --
    Join the TWIT army now!
  16. Re:done already! by Mr. Marabou Man · · Score: 1, Insightful

    Your parents probably shouldn't be running a preview release in the first place ...

  17. Too Complicated? by jeremyds · · Score: 5, Insightful

    Why does a user have to go to Tools -> Options -> Advanced to check for updates to Firefox? For the average non-technical user, this should be much more accessible.

  18. More information, please by Arkaic · · Score: 2, Insightful

    One thing I didn't like is that when I got the notification from Firefox for a "critical fix" there was no indication of exactly what it was supposed to fix. I like to know why I need to install an update before doing it. Or am I just blind?

  19. Re:This may sound stupid... by igrp · · Score: 4, Insightful
    Others have pointed out that some users may use ~ or their desktop as their download directory. That may not be a smart thing to do but that's really beside the point.

    Any vulnerability that allows remote users to alter content is by definition critical. It doesn't matter if you think it's a big deal. There should be no unauthorized access to files, period.

    Your non-critical files aren't 777, are they? Now why is that? Well, despite the fact that data is non-critical, recoverable or maybe even pure garbage you still wouldn't want people to mess with it, would you?

    Think about it: you probably have lots of old stuff, bank statements and what not somewhere. That data is useless to me (value == 0). By your logic, I could just throw it all out since it doesn't matter to me. It may still be valuable to you though. And even if it weren't, you still probably wouldn't appreciate me going through your stuff and tossing whatever I don't deem important.

    See, all attacks that allow any access control circumvention at all are critical. Just because it's not critical to you, doesn't mean everyone feels the same way.

    That's why disclosing the vulnerability and making an update available ASAP was a very good move on part of the fine folks at Mozilla. I just wish there was a mechanism to do manual network-wide mass roll-outs of critical updates (i.e. rolling out critical updates immediately without having to wait for Firefox's periodical checks).

  20. Another flawless Install, but... by fr8_liner · · Score: 5, Insightful

    I just installed and patched the PR edition on my system and added AdBlock and Firesomething. My friend who is a Microsoft developer was watching this process which took 2 minutes. He was taken aback and had to admit that things have improved for installing applications for Linux. He also said that most Windows users would be lost following the instructions to install from a terminal window or doing any installation requiring "./configure, make, make install." He has a point. We need more "Windows-like" app installation to get more Windoze users to migrate to Linux.

  21. Re:Nope by Anonymous Coward · · Score: 2, Insightful

    Argument by assertion. Provide some sort of logical argument. Otherwise, please stop wasting everyone's time.

  22. What if -- ask me where to save.. by castrox · · Score: 2, Insightful

    What if the "Ask me where to save every file"-option is checked and there is apparently no defined download directory?

    Uh. What then?

    --
    Fight for your digital freedom, join the EFF *now*: http://www.eff.org/support/
  23. Re:Helpful bug by value_added · · Score: 2, Insightful

    Gezus, man! I think People Like You provide an invaluable service to users everywhere by providing an example of What Not to Do. ;-) Consider yourself blessed.

    Seriously, I hear there's a thing called folders you can use to store stuff. Might be worth a try?

  24. Re:done already! by Anonymous Coward · · Score: 1, Insightful

    I use windows update every week. I have never had to reboot after installing an update for almost two months now.

    I only reboot my machine on weekends.

  25. Re:done already! by the_quark · · Score: 2, Insightful

    Well, and except with Firefox update, I got this update late last night when it notified me of it - and this was the first anyone had heard of the problem. When was the last time we found out about a flaw in IE because Windows released a patch to fix it (as opposed to finally releasing a patch after six months of badgering)? Kudos to the Mozilla team for working proactively to fix this instead of hoping no one would notice or care.

  26. You all got back stage passes... by robotoil · · Score: 2, Insightful

    It's amazing how quick everyone is to bash MS IE, some legitimate, but not a peep on Firefox. Not a peep. I understand there is a bias here, but the silence is deafening.

  27. Re:Helpful bug by cmodcmodcmod · · Score: 2, Insightful

    I think that deep breath should be between cntrl-a and enter.