Slashdot Mirror


Firefox 0.10.1 Released, Fixes Security Hole

_xeno_ writes "Firefox 0.10.1 was released today to fix a security flaw that could potentially allow a malicious site to erase files from the user's Download directory. If you already have Firefox 0.10 installed, you can go to Tools, Options, and choose Advanced, go to Software Updates and choose Check Now to grab the patch."

10 of 441 comments

  1. Re:This may sound stupid... by neodude88 · · Score: 5, Insightful

    Maybe because you don't need to reinstall to upgrade to this patch? Just update.

  2. Am I the only one . . . . by theparanoidcynic · · Score: 5, Insightful

    Who finds this version numbering scheme damn confusing? The actual program calls itself 1.0PR but the directory structure on the Mozilla server and CowboyNeal call it 0.10.1. Anyone care to explain what's going on here?

    --
    Only in a Slackware install turn into several hours of sex . . . . .

  3. Re:done already! by tuggy · · Score: 5, Insightful

    It sure means something!
    It's very different to have an exploit in the wild and be able to prevent it in 3 seconds, or waiting 1, 2..10 weeks for a fix.

  4. Cool. Upgrade Path by darkmeridian · · Score: 4, Insightful

    This is what open-source needs: a quick and convenient upgrade/patch system. I went to the system settings and ten seconds later, my Firefox was patched.

    Now if only Gaim does this.

    Will

    --
    A NYC lawyer blogs. http://www.chuangblog.com/

    1. Re:Cool. Upgrade Path by jrcamp · · Score: 4, Insightful

      No, this is the job of package management systems under Linux, be it apt-get, emerge, urpmi, yum, etc. Individual programs don't need to start implementing their own update schemes. For third party packages there will be autopackage.org one day I hope, and updates could be done through that.

  5. Explaining 0.10.1 by XoloX · · Score: 5, Insightful

    The reason (for as far as I know) that Firefox uses this versioning scheme:

    If 1.0PR would have a version-tag with 1.0 in it, it would be more complicated for (for example) extensions to differentiate 1.0PR and the real 1.0. And home-users would probably not even get to see these version-numbers. They would just notice there is a new update.

    And about the bugs, I know I'm stating the obvious, and that it's been said before in this thread, but I'll try again:

    First of all, because Firefox performs so well people tend to forget this is still beta-software! Second, these bugs are discovered partially because of the bughunting program with rewards. So these bugs could well have existed for months before being discovered. It's good news they have already been squashed! And third, some of these bugs actually appeared because of the way Windows fucks up! (Remember the shell:// protocol?)

    Hope this helps,

    XoloX

  6. Automatic stuff == bad security by ngunton · · Score: 5, Insightful

    The thing that strikes me here is that the ability for browsers to have convenient, automatic features (and, in the case of Firefox, UI customization capability up the wazoo) is simply another form of the same mentality that made IE into such a security nightmare. The ability for a browser to download and execute things on the client automatically is just a huge security risk, regardless of the measures that the designers think they have put in place. The Mozilla press release even has a "click here" link to automatically install the patch! Who doesn't think that this kind of thing will have endless potential for hackers to exploit in the years ahead. The bloated XUL interface engine that makes Mozilla (and Firefox) next to unusable on my old workstation (450 MHz, RH 7.3) also means that the UI can be totally changed - this, to me, is very scary. Because if something can be totally changed, then I can guarantee that eventually someone will figure out a way to totally change it without my consent.

    Why not just design a browser that works on multiple platforms, using an established cross-platform GUI such as wxWidgets, rather than going away to create a browser and coming back with another new, slow, bloated, universal uber-platform swiss-army-knife UI language... yeah, I know, "Do it yourself dude", and plenty of geeks out there just love the customizability of XUL, but truthfully all I want is a fast, small browser. It just seems like everything is getting larger, slower and more bloated these days. Even Firefox, which is supposed to be sleek and fast, runs like a dog on my workstation. I don't see why I should have to upgrade my computer just for a fricking browser, when every other piece of software that I use runs just fine thanks very much.

    I don't hate Mozilla, these are just my honest reactions to the whole affair over the last couple of years.

  7. Too Complicated? by jeremyds · · Score: 5, Insightful

    Why does a user have to go to Tools -> Options -> Advanced to check for updates to Firefox? For the average non-technical user, this should be much more accessible.

  8. Re:This may sound stupid... by igrp · · Score: 4, Insightful

    Others have pointed out that some users may use ~ or their desktop as their download directory. That may not be a smart thing to do but that's really beside the point.

    Any vulnerability that allows remote users to alter content is by definition critical. It doesn't matter if you think it's a big deal. There should be no unauthorized access to files, period.

    Your non-critical files aren't 777, are they? Now why is that? Well, despite the fact that data is non-critical, recoverable or maybe even pure garbage, you still wouldn't want people to mess with it, would you?

    Think about it: you probably have a lot of old stuff, bank statements and what not somewhere. That data is useless to me (value == 0). By your logic, I could just throw it all out since it doesn't matter to me. It may still be valuable to you though. And even if it weren't, you still probably wouldn't appreciate me going through your stuff and tossing whatever I don't deem important.

    See, all attacks that allow any access control circumvention at all are critical. Just because it's not critical to you doesn't mean everyone feels the same way.

    That's why disclosing the vulnerability and making an update available ASAP was a very good move on the part of the fine folks at Mozilla. I just wish there was a mechanism to do manual network-wide mass roll-outs of critical updates (i.e. rolling out critical updates immediately without having to wait for Firefox's periodic checks).

  9. Another flawless Install, but... by fr8_liner · · Score: 5, Insightful

    I just installed and patched the PR edition on my system and added AdBlock and Firesomething. My friend who is a Microsoft developer was watching this process which took 2 minutes. He was taken aback and had to admit that things have improved for installing applications for Linux. He also said that most Windows users would be lost following the instructions to install from a terminal window or doing any installation requiring "./configure, make, make install." He has a point. We need more "Windows-like" app installation to get more Windoze users to migrate to Linux.