Firefox 0.10.1 Released, Fixes Security Hole
_xeno_ writes "Firefox 0.10.1 was released today to fix a security flaw that could potentially allow a malicious site to erase files from the user's Download directory. If you already have Firefox 0.10 installed, you can go to Tools, Options, and choose Advanced, go to Software Updates and choose Check Now to grab the patch."
upgrade done in 3 seconds! :D
This is what I call being secured.
But what exactly is the worry here? It deletes files in your download directory? Does that really matter? Could someone enlighten me on why it's worth the bother to uninstall and reinstall for this?
The Braying and Neighing of Barnyard Animals Follows.
Who finds this version numbering scheme damn confusing? The actual program calls itself 1.0PR but the directory structure on the Mozilla server and CowboyNeal call it 0.10.1. Anyone care to explain what's going on here?
Only in a Slashdot fantasy can a Slackware install turn into several hours of sex . . . . .
For all the people who didn't bother reading the last article ...
Firefox 1.0 has *not* been released yet.
The current (Firefox 0.10.x) is a preview of what will become 1.0 when it is released (thus PR).
- Michael T. Babcock (Yes, I blog)
Some people have a dedicated download directory they only use for temp storage until moving the file into a permanent place (or deleting it).
There are, however, a lot of users who pack all their stuff onto the desktop or into "My Documents" with no or little subfolders. For such use cases, the patch is indeed worth installing.
So after doing the update through the advanced options should my browser report 0.10.1 under help about? Because I still have 1.0PR
The man who trades freedom for security does not deserve nor will he ever receive either. - Benjamin Franklin
...could potentially allow a malicious site to erase files from the user's Download directory
:-)
My download directory in Windows is my desktop. Have you seen my desktop? It's a fairly old screenshot, too - it's only got worse since then. My iBook's equally bad, except everything's just randomly strewn around the place...
A bit of remote tidying-up would be greatly appreciated.
Tedious Bloggy Stuff - hooray?
I'm just curious if anybody knows how long this patch took to be released. That is, what was the turnaround time from the discovery of the bug to the release of this patch? In the past it has been as fast as a few hours. The longest I think was only a day or two.
I see the 0.10.1 at the bottom in the user agent string.
"Firefox was not able to find any available updates" - this on a vanilla install of the 1.0 PR.
This is what open-source needs: a quick and convenient upgrade/patch system. I went to the system settings and ten seconds later, my Firefox was patched.
Now if only Gaim does this.
Will
A NYC lawyer blogs. http://www.chuangblog.com/
Considering Firefox is supposed to be the secure alternative, 13 security advisories in the last 6 or so months isn't a good look.
Sure, it isn't that bad, but nonetheless it doesn't help Firefox's image at all, and looking at Secunia, Firefox has had more advisories than any other browser (yes, that includes Internet Explorer and the Mozilla Suite) since May this year.
... under the main menu edit, then preferences ... then advanced... to Software updates
I ran this thing last night forgetting that Firefox was installed to a location that user accounts can't write to.
Seeing the error message and remembering this fact, I lit Firefox as root and ran the update. This left Firefox mangled and incapable of downloading things from the user accounts.
The moral of the story: do be careful using the update thingy. Now, off to fill out a bug report.
I'd hope that the update mechanism was a little more secure than "Hi! I'm the firefox update server, honest!" ...
yes.
I guess that's because of the GNOME integration..
What type of sites is it you operate? Here are some logs from a 100% non-technology related site which still shows Internet Explorer as by far the most-used browser.
Note that the Opera browser shown in Rank 3 should not be taken as accurate as this merely runs a "ticker" on auto-refresh setting every 10 minutes.
#   Hits   %       User Agent
1 31005 15.75% Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
2 20925 10.63% Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;
3 11074 5.63% Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) Opera 7.50
4 10596 5.38% Opera/7.50 (Windows NT 5.0; U) [en]
5 9893 5.03% Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko
6 8281 4.21% Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
7 7856 3.99% Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; FunWebProd
8 6113 3.11% Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
9 5286 2.69% Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)
10 4868 2.47% Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1;
11 4795 2.44% Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6) Gecko
12 2915 1.48% Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2) Opera 7.50
13 2885 1.47% Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.4) Gecko
14 2783 1.41% Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)
15 2645 1.34% Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) Opera 7.54
Backup not found: (A)bort (R)etry (P)anic
How can we continue to believe in a just universe and freedom to eat crackers if we have no ale?
If this doesn't work, of course, you'll have to download and install, which is almost as painless as the upgrade frob. The red 'upgrade' icon may still be present, so you'll have to click that so that Firefox will find that all is well with the world.
As always, YMMV.
This sig no verb.
Last night I noticed a nifty pulsing red bubble in the upper right-hand corner of my Firefox toolbar. Clicking it revealed a message from the software updater stating that an urgent fix was available. I clicked allow install, and it was done in ten seconds. Very nice that the browser alerted me to a fix and patched itself in no time at all.
has just been modded, within seconds of being posted, as "Flamebait".
How on earth is that post flamebait?
The article discusses a vulnerability.
kertrats asks: How is asking others on
As to the last question asked by kertrats:
Again, kertrats was ASKING A QUESTION, NOT INSULTING THE GECKO GOD OF MOZILLA AND OPEN SOURCE.
It's mods like this one that make you wonder if the person modding is either waging a mod war against another
People ask questions like this all the time. How is kertrats being confrontational and "flamebaiting" by asking questions that did not contain words like "junk" or "piece of shit", or whatever?
Obviously, kertrats is a Firefox user and wants to continue to use Firefox, otherwise he/she wouldn't give a rat's ass about it either way.
Man, get with it with the damn mods.
Thunderbird cannot execute .VBS (Microsoft VB Script) files.
DJ kRYPT's Free MP3s!
The issue isn't that there is a new exploit. The good thing is that we found out about the exploit by having to apply the patch to fix it.
No software is perfect; any software that has any contact with the internet can have an exploit. It all depends on how fast the developers are able to discover and fix the problems.
"...a security flaw that could potentially allow a malicious site to erase files from the user's Download directory."
I would consider this a feature more than a bug. It's like someone breaking into your house and taking out the garbage for you...
:n
The reason (as far as I know) that Firefox uses this versioning scheme:
If 1.0PR had a version tag with 1.0 in it, it would be more complicated for (for example) extensions to differentiate 1.0PR from the real 1.0. And home users would probably not even get to see these version numbers. They would just notice there is a new update.
And about the bugs, I know I'm stating the obvious, and that it's been said before in this thread, but I'll try again:
First of all, because Firefox performs so well people tend to forget this is still beta-software! Second, these bugs are discovered partially because of the bughunting program with rewards. So these bugs could well have existed for months before being discovered. It's good news they have already been squashed! And third, some of these bugs actually appeared because of the way Windows fucks up! (Remember the shell:// protocol?)
Hope this helps,
XoloX
I haven't done (ms-)windows since the beginning of time and since he doesn't know *anything* about computers it was hard trying to figure out what might've been the problem, but it sounded like the typical standard unprotected ms-windows setup that was probably also loaded with spam and ad-ware, bogging down even his simple efforts at browsing the web.
Knowing that quite a few people here have experience with cleaning up the standard MS-install mess, I would like to ask what needs to be done to plug the major holes and deficiencies in a new MS setup?
Firefox is an obvious rescue tool to replace MSIE so are there any issues when installing it or does it automatically and painlessly migrate all necessary MSIE data?
And what about utilities to remove the spyware his machine may already be infested with? Any suggestions?
I'm hoping to be able to burn all these goodies on a CD to give him so I also wonder whether they're easy enough to operate by a total non-techie?
Since his "computing needs" appear to be very simple I'm also giving him a Linux liveCD (perhaps Ubuntu-based Gnoppix would be a good starter with its simplified GUI and it also comes with Firefox) to try out and play with but before completing his conversion I'd need to evaluate how well e.g. OpenOffice.org fulfills his needs at this point.
Should invading one's peaceful neighbours be opposed, or rewarded with trade deals?
The thing that strikes me here is that the ability for browsers to have convenient, automatic features (and, in the case of Firefox, UI customization capability up the wazoo) is simply another form of the same mentality that made IE into such a security nightmare. The ability for a browser to download and execute things on the client automatically is just a huge security risk, regardless of the measures that the designers think they have put in place. The Mozilla press release even has a "click here" link to automatically install the patch! Who doesn't think that this kind of thing will have endless potential for hackers to exploit in the years ahead? The bloated XUL interface engine that makes Mozilla (and Firefox) next to unusable on my old workstation (450 MHz, RH 7.3) also means that the UI can be totally changed - this, to me, is very scary. Because if something can be totally changed, then I can guarantee that eventually someone will figure out a way to totally change it without my consent.
Why not just design a browser that works on multiple platforms, using an established cross-platform GUI such as wxWidgets, rather than going away to create a browser and coming back with another new, slow, bloated, universal uber-platform swiss-army-knife UI language... yeah, I know, "Do it yourself dude", and plenty of geeks out there just love the customizability of XUL, but truthfully all I want is a fast, small browser. It just seems like everything is getting larger, slower and more bloated these days. Even Firefox, which is supposed to be sleek and fast, runs like a dog on my workstation. I don't see why I should have to upgrade my computer just for a fricking browser, when every other piece of software that I use runs just fine thanks very much.
I don't hate Mozilla, these are just my honest reactions to the whole affair over the last couple of years.
Why does a user have to go to Tools -> Options -> Advanced to check for updates to Firefox? For the average non-technical user, this should be much more accessible.
One thing I didn't like is that when I got the notification from Firefox for a "critical fix" there was no indication of exactly what it was supposed to fix. I like to know why I need to install an update before doing it. Or am I just blind?
...or you could have norton which stupidly and automatically deletes the file the vbs is in and pops up a window saying repair successful. AKA your inbox.
Any sufficiently advanced influence is indistinguishable from control.
They still have yet to fix a much more serious bug.
Just because most of us don't live in South America doesn't mean it isn't huge problem.
Sorry, links to Bugzilla from Slashdot are disabled.
ooh, bugzilla you sassy wench
I'm running Firefox on Linux and I had the previous release candidate installed. The update facility failed with a meaningless error, and corrupted my current install.
So I downloaded and installed the new version, which overwrote my old version including my plugins directory, and on startup, failed with an obscure error until I deleted my user profile.
I'm a card carrying Firefox freak, but really, this was not smooth...
Isn't it great using the words "idiot" and "deciced" in the same subject?
It would be a useful addition to add an FF Profile Manager that included FF Update and Extension Install/Update permissions for multi-user workstations. I looked through MozillaZine, but didn't find much. I can prohibit other users from updating FF and installing/updating extensions using NTFS permissions, User group settings and GP settings, but it would be handy to have it included in a FF Profile Manager.
On the downside, that means that anyone who can pose as the update server gets to insert arbitrary code into your Mozilla install without your knowledge - now that's trojanning!
Um, no. That is absolutely not the case. The information bar and the trusted sites list is simply a user convenience/information mechanism like the pop-up blocking bar. After adding a site to the whitelist, a user still has to agree to the software installation. A site cannot "insert arbitrary code into your Mozilla install without your knowledge" because the install doesn't happen until you agree to the install. There are no prompt-less installs.
--Asa
I just installed and patched the PR edition on my system and added AdBlock and Firesomething. My friend who is a Microsoft developer was watching this process which took 2 minutes. He was taken aback and had to admit that things have improved for installing applications for Linux. He also said that most Windows users would be lost following the instructions to install from a terminal window or doing any installation requiring "./configure, make, make install." He has a point. We need more "Windows-like" app installation to get more Windoze users to migrate to Linux.
Argument by assertion. Provide some sort of logical argument. Otherwise, please stop wasting everyone's time.
What if the "Ask me where to save every file" option is checked and there is apparently no defined download directory?
Uh. What then?
Fight for your digital freedom, join the EFF *now*: http://www.eff.org/support/
No, it sounds like your virus scanner did it.
A proper virus scanner should be scanning incoming e-mail _before_ it hits your hard disk (through the use of a Winsock LSP), not after. Both Norton and NOD32 implement this type of scanning.
If it only picked up the virus after it allowed Thunderbird to write it to disk, and then "cleaned it", then it has effectively nuked your inbox for you, since Thunderbird keeps all your e-mail for a given folder in one file.
The user has to actually initiate the update themselves. You simply see a little red arrow, click it, and then are asked to update. Why is this bad if mozilla.org knows how to secure itself?
"Who doesn't think that this kind of thing will have endless potential for hackers to exploit in the years ahead."
Don't you think they've thought of that? Update installs are coded for mozilla.org only and I expect other layered security to come as well. Give them a little credit already. When Mozilla/Firefox becomes the plague of the Internet like IE is currently, then you can start throwing accusations around. Until then, based on their track record, I'm willing to give them the benefit of the doubt.
"The ability for a browser to download and execute things on the client automatically is just a huge security risk, regardless of the measures that the designers think they have put in place."
Just because Microsoft completely fucked up with IE doesn't mean all of IE's features are bad, just not properly secured. You're wrongly throwing away an entire workable concept for all the wrong reasons.
Also AFAIK there has never been a hack of either Windows Update or Red Hat Network where someone got trojaned for installing an update. Again, expect tighter controls on who can install what in the future.
" next to unusable on my old workstation (450 MHz, RH 7.3) "
Yes, and XP runs slow on 5 to 6 year old hardware as well. What's your point? The zillas won't ever be blazing fast on ancient hardware, so you might as well move on now. Photoshop CS won't run very well on a P450 either. That's a fairly lame complaint since most users don't have your problem. The Mozilla developers also never claimed it would be a browser for old computing platforms in the first place. I don't know why you assumed that. I have, btw, used Firefox on that era of hardware as well. It's no speed demon loading, but usable once it launched. On my PIII 700 laptop with 256MB, a machine only a little newer than yours, Firefox runs pretty well and it's all I use.
If you wanna get rich, you know that payback is a bitch
It's amazing how quick everyone is to bash MS IE, some legitimate, but not a peep on Firefox. Not a peep. I understand there is a bias here, but the silence is deafening.
Depends if you're on Linux or Windows. On Windows it's Tools->Options. They really should standardize it.
Joseph?
I went to Tools/Options/Advanced/Software Update and clicked "Check Now". It confirmed that there was a critical update available, which I let it install immediately. Firefox hung while downloading the update (1.0PR, Windows XP).
I had to terminate Firefox without completing the update, which seemed dangerous, but there was no alternative. When I restarted it, I discovered that I had previously blocked software installs in Tools/Options/Web Features, which might have caused the automatic upgrade to hang. (Of course there should have been a message instead of hanging.) So I checked Allow Web sites to install software. (My "allowed sites" list displayed as empty, incidentally. Is that correct?)
Then I downloaded the update manually (file 259708.xpi) to my hard drive and installed it by opening that file in Firefox. The update installed successfully (no message though). I verified this by checking the install.log in the Firefox directory.
Now Firefox should have been at version 0.10.1, but Help/About showed 0.10.0 until I closed Firefox and reopened it. This is surely a bug, and it might allow a user to install the same update twice. Under some imaginable circumstances, that might trash the installation.
I thought Bad Microsoft was the only one who let me unprotected from the bad people! Firefokz has security flaws too??? OHMYGOSH!!! I though Linuz was impenetrable and perfect!! I'm hit!!! ohhhh! I'm melting.... I'm melting!! What a world...
This source code is subject to the U.S. Export Administration Regulations and other U.S. law, and may not be exported or re-exported to certain countries (currently Afghanistan (Taliban controlled areas), Cuba, Iran, Iraq, Libya, North Korea, Sudan and Syria) or to persons or entities prohibited from receiving U.S. exports (including Denied Parties, entities on the Bureau of Export Administration Entity List, and Specially Designated Nationals).
How realistic is it to keep this code away from these countries, and, more importantly, how fair is it to do so? Could the Mozilla 1.0 code be significant for international security? Or is it just paranoid? Why is a web browser dangerous?
And, what about IE?
Dynamic theme switching was considered too buggy for 1.0.
(And now, the part that is not a dupe)
Set extensions.dss.enabled to true in about:config to use what they have so far. Some things might not work completely, but people seem to believe that it works mostly well enough anyway.
It looks like that standard disclaimer to make sure the Mozilla Foundation doesn't get sued by the government - I believe that IE also had the disclaimer (haven't checked in a while though). MoFo does have their servers in the States.
I assume a version without NSS (the HTTPS &c stuff) would be legal, and it's probably possible to obtain the code from intermediary countries anyway.
1. It can detect I need the update, but when I click next to download and install, it just sits there
2. I don't have the checkbox marked to look for Firefox updates, but it checked anyways.
I am moox - the Firefox builder making the localized builds of Firefox. Sorry for the odd user name of Sevencarbon, but moox was already taken. I just want to point out that there are several 3rd party developers making optimized and customized versions of Firefox and Thunderbird. They include people such as mmoy, JTw, BangBang23, BlueFrye, daihard, pigfoot, scragz, amano, djeter, matlhDam, and MMx. If you want to see the fruits of their efforts or learn about what they are working on, I strongly suggest you look at the mozillazine forums (http://forums.mozillazine.org/viewforum.php?f=42) or at pryan's forums (http://pryan.org/mozilla/forums/viewforum.php?f=3).
As a group, we all work tirelessly to make a good product better, and I do not think it is fair for the focus to be on one of us since we have all made significant and valuable contributions to the development of Firefox and Thunderbird.