Slashdot Mirror

← Back to Stories (view on slashdot.org)

Firefox 0.10.1 Released, Fixes Security Hole

Posted by CowboyNeal on from the hole-in-the-dam dept.

_xeno_ writes "Firefox 0.10.1 was released today to fix a security flaw that could potentially allow a malicious site to erase files from the user's Download directory. If you already have Firefox 0.10 installed, you can go to Tools, Options, and choose Advanced, go to Software Updates and choose Check Now to grab the patch."

56 of 441 comments (clear)

  1. done already! by tuggy · · Score: 5, Informative

    upgrade done in 3 seconds!
    this is what i call being secured :D

    1. Re:done already! by tuggy · · Score: 5, Insightful

      it sure means something!
      its very different to have an exploit in the wild and be able to prevent it in 3 seconds, or waiting 1,2..10 weeks for a fix

    2. Re:done already! by Epistax · · Score: 5, Funny

      I must admit I/it fumbled. I went to the mozilla website as posted in the subject and hit the "click here". What happened? A funny bar appeared near the top saying that Firefox protected me from the website. Luckily there was an options button which allowed me to add www.mozilla .org as a trusted site and it was all very obvious to me, but it won't be obvious for my parents (who I switched to Firefox).

    3. Re:done already! by scat-cat · · Score: 3, Informative

      It stopped a popup. The bar alerts you so that you can allow popups from the sites you want.

    4. Re:done already! by Epistax · · Score: 3, Interesting

      I don't believe it was that message. This appeared as a bar at the top which stated (loosely) that it prevented the website from running... something or other. I don't have it inform me in any way when it blocks a popup. Anyway it had an options button which had a list of trusted sites. update.mozilla .org was already on the list, however the link originated from www.mozilla .org so it wasn't picked up. I would say they should add that site to the list.

    5. Re:done already! by jd142 · · Score: 3, Informative

      Apparently software version numbers don't work like "real" numbers. ;) In other words, those aren't decimal places, their merely dividers. .1 is not equal to .10. The order goes .1, .2, .3, .4, .5, .6, .7, .8, .9, .10, .11. 0.10.0 came out about 2 weeks ago.

    6. Re:done already! by ZeroPost · · Score: 4, Informative

      To be fair, Windows Update scans for updates to a lot more software than Firefox.

      Firefox can scan a lot faster than Windows Update because it is only checking for updates to a single program.

      Of course, Microsoft could make an option within IE to scan for IE-only updates, which would make updating IE much faster, but they don't.

    7. Re:done already! by The+Snowman · · Score: 3, Funny

      Of course, Microsoft could make an option within IE to scan for IE-only updates, which would make updating IE much faster, but they don't.

      What is the point? Since IE is integrated into the operating system, updates require reboots even under Windows XP which is a lot better with regards to rebooting than previous versions. Anyway, even if the actual update is faster, you would still have to wait for the reboot.

      I just updated Firefox in less than ten seconds, and I did not have to restart the browser, certainly not the entire operating system (Windows XP in this case).

      --
      24 beers in a case, 24 hours in a day. Coincidence? I think not!
    8. Re:done already! by AstroDrabb · · Score: 4, Informative
      The update thingy also tells me that 1.0 PR is available and I should download it. The only problem is that I am already running 1.0 PR
      Not the latest version. If you look at your User Agent (click Help -> About Mozilla Firefox), you will see Firefox/0.10 at the end of your UA. If you go and download the latest version that includes this fix, the new UA will be Firefox/0.10.1.

      I ran into this same problem with the update under Linux. MS Windows users won't run into it since they are running as local Admin or have write permissions to the firefox directory. When I ran it as root, it worked fine so I take it the update needs to write to the root firefox directory it probably then updates your firefox profile. As a normal user you cannot run the update and it never writes to your profile. I think it was just a poor update design for this one update. Hopefully the firefox team will fix it or fix this issue for future updates.

      You could grab the latest firefox tarball from here and just untar it into your current firefox installation folder and restart.

      --
      If Tyranny and Oppression come to this land,
      it will be in the guise of fighting a foreign enemy. -James Madison
  2. This may sound stupid... by -kertrats- · · Score: 5, Interesting

    But what exactly is the worry here? It deletes files in your download directory? Does that really matter? Could someone enlighten me on why its worth the bother to uninstall and reinstall for this?

    --
    The Braying and Neighing of Barnyard Animals Follows.
    1. Re:This may sound stupid... by neodude88 · · Score: 5, Insightful

      Maybe because you don't need to reinstall to upgrade to this patch? Just update.

    2. Re:This may sound stupid... by rixdaffy · · Score: 3, Funny


      well, it would be quite frustrating if your download directory is your Desktop, homedirectory or any other place where you keep other files too.
      not to mention all the pron you have to download again :-) j/k

      Ricardo.

    3. Re:This may sound stupid... by dwhitman · · Score: 4, Informative
      But what exactly is the worry here? It deletes files in your download directory? Does that really matter? Could someone enlighten me on why its worth the bother to uninstall and reinstall for this?

      1. Suppose your download directory isn't dedicated to just downloads. Any files in that directory are vulnerable.

      2. You don't need to uninstall and reinstall. As the article says, just go to tools: options: advanced: software updates and hit the Check Now button

    4. Re:This may sound stupid... by LurkerXXX · · Score: 5, Funny

      Does it matter? My pr0n! All my precious pr0n!!!

    5. Re:This may sound stupid... by compwizrd · · Score: 4, Informative

      because firefox on windows uses the Desktop as the default download location.

    6. Re:This may sound stupid... by igrp · · Score: 4, Insightful
      Others have pointed out that some users may use ~ or their desktop as their download directory. That may not be a smart thing to do but that's really beside the point.

      Any vulnerability that allows remote users to alter content is by definition critical. It doesn't matter if you think it's a big deal. There should be no unauthorized access to files, period.

      Your non-critical files aren't 777, are they? Now why is that? Well, despite the fact that data is non-critical, recoverable or maybe even pure gargabe you still wouldn't want people to mess with it, would you?

      Think about it: you probably have a lots of old stuff, bank statements and what not somewhere. That data is useless to me (value == 0). By your logic, I could just throw it all out since it doesn't matter to me. It may still be valueable to you though. And even if it weren't, you still probably wouldn't appreciate me going through your stuff and tossing whatever I don't deem important.

      See, all attacks that allow any access control circumvention at all are critical. Just because it's not critical to you, doesn't mean every feels the same way.

      That's why disclosing the vulnerability and making an update available ASAP was a very good move on part of the fine folks at Mozilla. I just wish there was a mechanism to do manual network-wide mass roll-outs of critical updates (ie. rolling out critical updates immediately without having to wait for Firefox's periodical checks).

  3. Am I the only one . . . . by theparanoidcynic · · Score: 5, Insightful

    Who finds this version numbering scheme damn confusing? The actual program calls itself 1.0PR but the directory structure on the Mozilla server and CowboyNeal call it 0.10.1. Anyone care to explain what's going on here?

    --
    Only in a Slashdot fantasy can a Slackware install turn into several hours of sex . . . . .
    1. Re:Am I the only one . . . . by wongn · · Score: 5, Informative

      It is quite confusing. I believe that 1.0PR was called 0.10 in order to distinguish it better from 1.0RCs and above. THe program actually calls itself "Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.7.3) Gecko/20040913 Firefox/0.10.1", as in 0.10.1, but the "laymans" name is 1.0PR... you could say ;)

    2. Re:Am I the only one . . . . by jack_csk · · Score: 3, Funny

      Ya know, those dudes at Mozilla might be using hex instead of decimal, i.e. Firefox 1.0 == Firefox 0.16

  4. Re:WTF?? by MikeBabcock · · Score: 4, Informative

    For all the people who didn't bother reading the last article ...

    Firefox 1.0 has *not* been released yet.

    The current (Firefox 0.10.x) is a preview of what will become 1.0 when it is released (thus PR).

    --
    - Michael T. Babcock (Yes, I blog)
  5. Depends on your download directory by anno1602 · · Score: 3, Insightful

    Some people have a dedicated download directory they only use for temp storage until moving the file into a permanent place (or deleting it).

    There are, however, a lot of users who pack all their stuff onto the desktop or into "My Documents" with no or little subfolders. For such use cases, the patch is indeed worth installing.

  6. Helpful bug by Ford+Prefect · · Score: 5, Funny

    ...could potentially allow a malicious site to erase files from the user's Download directory

    My download directory in Windows is my desktop. Have you seen my desktop? It's a fairly old screenshot, too - it's only got worse since then. My iBook's equally bad, except everything's just randomly strewn around the place...

    A bit of remote tidying-up would be greatly appreciated. :-)

    --
    Tedious Bloggy Stuff - hooray?
    1. Re:Helpful bug by Uerige · · Score: 5, Funny

      You should try the following: 1. Click on your Desktop. 2. Take a deep breath. 3. Press Ctrl-A, followed by Enter Voila -- Your computer just exploded. No more cluttered desktop.

  7. When... by Moby+Cock · · Score: 5, Interesting

    I'm just curious if anybody knows how long this patch took to be released. That is, what was the turnaround time from the discovery of the bug to the release of this patch? In the past it has been a fast as a few hours. The longest I think was only a day or too.

    1. Re:When... by aliebrah · · Score: 4, Informative

      In a few days, you'll be able to see the full bug report here:

      http://bugzilla.mozilla.org/show_bug.cgi?id=2597 08

      Currently, it's not scheduled to be marked as public before 4th October. It's still marked as private so that people have an opportunity to upgrade before the details are made public.

    2. Re:When... by Stuwee · · Score: 3, Informative
      I'm just curious if anybody knows how long this patch took to be released.
      Looking through Mozilla's Bugzilla, it would seem as if the bug was first realised on the 23rd of September in a comment to bug 240068, and then had a seperate security-sensitive -- and hence restricted access -- bug report opened yesterday. I'll leave others to comment on the acceptability.

      Bugzilla links referring from Slashdot are blocked, so the above links will have to be manually opened unless your referrer header is obfuscated.
  8. No go by Anonymous Coward · · Score: 3, Interesting

    "Firefox was not able to find any available updates" - this on a vanilla install of the 1.0 PR.

  9. Cool. Upgrade Path by darkmeridian · · Score: 4, Insightful

    This is what open-source needs: a quick and convenient upgrade/patch system. I went to the system settings and ten seconds later, my Firefox was patched.

    Now if only Gaim does this.

    Will

    --
    A NYC lawyer blogs. http://www.chuangblog.com/
    1. Re:Cool. Upgrade Path by jrcamp · · Score: 4, Insightful

      No, this is the job of package management systems under Linux, be it apt-get, emerge, urpmi, yum, etc. Individual programs don't need to start implementing their own update schemes. For third party packages there will be autopackage.org one day I hope, and updates could be done through that.

  10. These hurt... by deminisma · · Score: 3, Insightful

    Considering Firefox is supposed to be the secure alternative, 13 security advisories in the last 6 or so months isn't a good look.

    Sure it isn't that bad, but nonetheless, it doesn't help the Firefox's image at all and looking at Secunia, Firefox has had more advisories than any other browser, (yes, that includes Internet Explorer and the Mozilla Suite) since May this year.

    1. Re:These hurt... by kryptkpr · · Score: 5, Informative

      You must not be aware that the mozilla foundation has put out a bounty where they reward security researchers $500 for finding critical remotely-exploitable vulnerabilities and reporting them.

      What you're seeing are the results of this program.. people are finding bugs, submitting them, and the bugs are being fixed before blackhats can exploit them.

      This is a very wise decision on the part of Mozilla considering how close they are to a v1.0 release.

      --
      DJ kRYPT's Free MP3s!
    2. Re:These hurt... by lachlan76 · · Score: 4, Informative
      13 security advisories in the last 6 or so months isn't a good look.

      And how many are there in IE that we haven't found yet? The dangerous exploits are the ones we don't know about.
      And besides, do you expect Secunia to have all the security flaws from when IE was in beta? Or do you find it strange that a beta product has had more security flaws found in the last 6 months than the one that's been around and insecure for years.

      Not to mention that none of the advisories were ranked "extremely critical", and only 2 were critical.

      Not to bad for a beta product. Also (from Secunia):
      1. Microsoft Internet Explorer 6 with all vendor patches installed and all vendor workarounds applied, is currently affected by one or more Secunia advisories rated Extremely critical
        Currently, 19 out of 60 Secunia advisories, is marked as "Unpatched" in the Secunia database.
      2. Mozilla Firefox 0.x with all vendor patches installed and all vendor workarounds applied, is currently affected by one or more Secunia advisories rated Less critical
        Currently, 2 out of 13 Secunia advisories, is marked as "Unpatched" in the Secunia database.

      Which would you trust?
  11. On Linux the advanced items are ... by 3seas · · Score: 4, Informative

    ... under the main menu edit, then preferences ... then advanced... to Software updates

  12. Probable bug . . . . by theparanoidcynic · · Score: 5, Informative

    I ran this thing last night forgetting that Firefox was installed to a location that user accounts can't write to.

    Seeing the error mesage and remembering this fact I lit Firefox as root and ran the update. This left Firefox mangled and incapiable of downloading things from the user accounts.

    The moral of the story: do be careful using the update thingy. Now, off to fill out a bug report.

    --
    Only in a Slashdot fantasy can a Slackware install turn into several hours of sex . . . . .
    1. Re:Probable bug . . . . by aonifer · · Score: 4, Informative

      I just installed the fix as root, closed Firefox, reopened Firefox as root to verify that the fix was applied, then closed it and reran as a regular user. The regular user account doesn't know that the fix was applied (the red button is there and when I click on it, it says it needs to download the fix). Either there's some kind of permissions problem, or the update information goes into root's profile, and not system-wide.

  13. Re:luckily for me... by hattig · · Score: 3, Funny

    I'd hope that the update mechanism was a little more secure than "Hi! I'm the firefox update server, honest!" ...

  14. Re:Don't have that menu option by tuggy · · Score: 4, Informative

    yes.
    i guess thats because of the gnome integration..

  15. Re:it's nice to see ms finally losing the browserw by timmyf2371 · · Score: 4, Interesting

    What type of sites is it you operate? Here are some logs from a 100% non-technology related site which still shows Internet Explorer as by far the most-used browser.

    Note that the Opera browser shown in Rank 3 should not be taken as accurate as this merely runs a "ticker" on auto-refresh setting every 10 minutes.

    # Hits User Agent
    1 31005 15.75% Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
    2 20925 10.63% Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1
    3 11074 5.63% Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) Opera 7.50
    4 10596 5.38% Opera/7.50 (Windows NT 5.0; U) [en]
    5 9893 5.03% Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko
    6 8281 4.21% Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
    7 7856 3.99% Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; FunWebProd
    8 6113 3.11% Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
    9 5286 2.69% Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)
    10 4868 2.47% Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET
    11 4795 2.44% Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6) Gecko
    12 2915 1.48% Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2) Opera 7.50
    13 2885 1.47% Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.4) Gecko
    14 2783 1.41% Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)
    15 2645 1.34% Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) Opera 7.54

    --

    Backup not found: (A)bort (R)etry (P)anic
  16. Re:it's nice to see ms finally losing the browserw by aardvarkjoe · · Score: 3, Insightful
    it's nice to see ms finally losing the browserwars
    Yeah, now not only do we get a browser as good as IE, it's got similar security "features" too...
    --

    How can we continue to believe in a just universe and freedom to eat crackers if we have no ale?
  17. Linux users, take note by dacarr · · Score: 4, Informative
    Another user has pointed out that the Advanced option is under Edit|Preferences. Note, you must be root to do this - not merely 'su', but 'su -' at the bare minimum.

    If this doesn't work, of course, you'll have to download and install, which is almost as painless as the upgrade frob. The red 'upgrade' icon may still be present, so you'll have to click that so that Firefox will find that all is well with the world.

    As always, YMMV.

    --
    This sig no verb.
    1. Re:Linux users, take note by tuggy · · Score: 4, Informative

      sudo firefox and then automatic upgrade did the trick for me :)

  18. Upgrade was even easier then described... by kikensei · · Score: 3, Interesting

    Last night I noticed a nifty pulsing red bubble in the upper right-hand corner of my Firefox toolbar. Clicking it revealed a message from the software-updater stating that an urgent fix was availeble. I clicked allow install, and it was done in ten seconds. Very nice that the browser alerted me to a fix and patched itself in no time at all.

  19. Re:Nope by kryptkpr · · Score: 3, Informative

    Thunderbird cannot execute .VBS (Microsoft VB Script) files.

    --
    DJ kRYPT's Free MP3s!
  20. Best way to find out ... by fine09 · · Score: 3, Insightful

    The issue isn't that there is a new expliot. The good thing is that we found out about the exploit by having to apply the patch to fix it.

    No software is perfect, any software that has any contact with the internet can have a exploit. It all depends on how fast the developers are able to discover and fix the problems.

  21. Don't upgrade by pestario · · Score: 5, Funny

    "...a security flaw that could potentially allow a malicious site to erase files from the user's Download directory."

    I would consider this a feature more than a bug. It's like someone breaking into your house and taking out the garbage for you...

    --
    :n
  22. Explaining 0.10.1 by XoloX · · Score: 5, Insightful

    The reason (for as far as I know) that Firefox uses this versioning scheme:

    If 1.0PR would have a version-tag with 1.0 in it, it would be more complicated for (for example) extensions to differentiate 1.0PR and the real 1.0. And home-users would probably not even get to see these version-numbers. They would just notice there is a new update.

    And about the bugs, I know I'm stating the obvious, and that it's been said before in this thread, but I'll try again:

    First of all, because Firefox performs so well people tend to forget this is still beta-software! Second, these bugs are discovered partially because of the bughunting program with rewards. So these bugs could well have existed for months before being discovered. It's good news they have already been squashed! And third, some of these bugs actually appeared because of the way Windows fucks up! (Remember the shell:// protocol?)

    Hope this helps,

    XoloX

  23. Automatic stuff == bad security by ngunton · · Score: 5, Insightful

    The thing that strikes me here is that the ability for browsers to have convenient, automatic features (and, in the case of Firefox, UI customization capability up the wazoo) is simply another form of the same mentality that made IE into such a security nightmare. The ability for a browser to download and execute things on the client automatically is just a huge security risk, regardless of the measures that the designers think they have put in place. The Mozilla press release even has a "click here" link to automatically install the patch! Who doesn't think that this kind of thing will have endless potential for hackers to exploit in the years ahead. The bloated XUL interface engine that makes Mozilla (and Firefox) next to unusable on my old workstation (450 MHz, RH 7.3) also means that the UI can be totally changed - this, to me, is very scary. Because if something can be totally changed, then I can guarantee that eventually someone will figure out a way to totally change it without my consent.

    Why not just design a browser that works on multiple platforms, using an established cross-platform GUI such as wxWidgets, rather than going away to create a browser and coming back with another new, slow, bloated, universal uber-platform swiss-army-knife UI language... yeah, I know, "Do it yourself dude", and plenty of geeks out there just love the customizability of XUL, but truthfully all I want is a fast, small browser. It just seems like everything is getting larger, slower and more bloated these days. Even Firefox, which is supposed to be sleek and fast, runs like a dog on my workstation. I don't see why I should have to upgrade my computer just for a fricking browser, when every other piece of software that I use runs just fine thanks very much.

    I don't hate Mozilla, these are just my honest reactions to the whole affair over the last couple of years.

    1. Re:Automatic stuff == bad security by groomed · · Score: 4, Interesting

      It's not that simple. To fully support CSS, for example, Gecko (the page rendering engine that's used by Mozilla, Firefox, and Thunderbird) has to be able to change the way buttons and other elements are drawn. And it has to be able to control z-ordering, i.e. it has to be in control of what happens when you draw two buttons on top of eachother. The same goes for things like charset support, printing, accessibility, etc.

      To provide full support for the W3C standards, you need widgets that provide very specific capabilities. Toolkits like wxWidgets have the opposite goal: they work by hiding specifics from the application programmer. There is a fundamental mismatch between the two.

      If you want to fully support all the standards that make up the web across different operating systems, you end up with something like Firefox. It's not primarily some geek pride thing (although that always plays a role); it is primarily a consequence of the complexity and scope of the standards involved.

  24. Too Complicated? by jeremyds · · Score: 5, Insightful

    Why does a user have to go to Tools -> Options -> Advanced to check for updates to Firefox? For the average non-technical user, this should be much more accessible.

    1. Re:Too Complicated? by Roguelazer · · Score: 4, Funny

      You mean something more accessible like a flashing red light that says "A critical security update is available", and appears in an easily visible place? Darnit, why didn't they think of that?

      --
      My Systems
  25. Though a much more serious bug remains unfixed... by tippergore · · Score: 5, Funny

    They still have yet to fix a much more serious bug.

    Just because most of us don't live in South America doesn't mean it isn't huge problem.

  26. Re:Though a much more serious bug remains unfixed. by tippergore · · Score: 3, Funny

    Sorry, links to Bugzilla from Slashdot are disabled.

    ooh, bugzilla you sassy wench

  27. Re:but which idiot deciced... by Splinton · · Score: 3, Funny

    Isn't it great using the words "idiot" and "deciced" in the same subject?

  28. Re:luckily for me... by asa · · Score: 3, Informative

    On the downside, that means that anyone who can pose as the update server gets to insert arbitrary code into your Mozilla install without your knowledge - now that's trojanning!

    Um, no. That is absolutely not the case. The information bar and the trusted sites list is simply a user convenience/inforamtion mechanism like the pop-up blocking bar. After adding a site to the whitelist, a user still has to agree to the software installation. A site cannot "insert arbitrary code into your Mozilla install without your knowledge" because the install doesn't happen until you agree to the install. There are no prompt-less installs.

    --Asa

  29. Another flawless Install, but... by fr8_liner · · Score: 5, Insightful

    I just installed and patched the PR edition on my system and added AdBlock and Firesomething. My friend who is a Microsoft developer was watching this process which took 2 minutes. He was taken aback and had to admit that things have improved for installing applications for Linux. He also said that most Windows users would be lost following the instructions to install from a terminal window or doing any installation requiring "./configure, make, make install." He has a point. We need more "Windows-like" app installation to get more Windoze users to migrate to Linux.

  30. Re:defending this post worth loosing karma by FearUncertaintyDoubt · · Score: 4, Funny
    Again, kertrats was ASKING A QUESTION, NOT INSULTING THE GECKO GOD OF MOZILLA AND OPEN SOURCE.

    The Gecko God of Mozilla and Open Source is a jerk. A complete kneebiter. Thanks for your time. Now I'm off to see Gentoo. Later.