Slashdot Mirror


New Vulnerabilities Discovered in Firefox 1.0

jflint writes "Today, the security firm Secunia has released 8 more security vulnerabilities it has discovered in Mozilla products, including Firefox and Thunderbird. The exploits "could be used by criminals to spoof, or fake, various aspects of a Web site, ranging from its SSL secure site icon to the contents of an inactive tab.""

406 comments

  1. First by Anonymous Coward · · Score: 4, Funny

    It's open source so it will get fixed quickly post.

    1. Re:First by Anti_zeitgeist · · Score: 4, Funny

      crap....now i have to use IE again!

      --
      If it wasn't for C, we would be stuck using BASI, PASAL and OBOL.
    2. Re:First by Anonymous Coward · · Score: 0

      I would be happy if I could use IE with good conscience

      Is this possible? I mean, either you're very trusting, or your conscience is pretty shallow.

      I'm voting on the latter.

    3. Re:First by ikkonoishi · · Score: 4, Informative

      From TFA

      If you have firefox 1.01 installed you have nothing to worry about.

      Fixed days ago. Now that's speedy service.

    4. Re:First by the_Bionic_lemming · · Score: 1, Insightful

      From TFA

      If you have firefox 1.01 installed you have nothing to worry about.

      Fixed days ago. Now that's speedy service.


      Yet when a slashdot story uses Microsoft XP service pack one to show how full of holes the OS is - It's newsworthy.

      --
      _ _ _ Go for the eyes Boo! GO FOR THE EYES!
    5. Re:First by Anonymous Coward · · Score: 0

      The question is: how long did they know about it when 1.0 was out without fixing it.

    6. Re:First by Anonymous Coward · · Score: 3, Insightful

      Journalists are scum when interpreting technical articles without experience or familiarity with the aspects compared-the report differed significantly from the site-article summary of it. Slashdot should be a collection of technical articles written by technical professionals for interested parties, but it has fallen to the scum of journalistic manipulations of information. On technical level, vulnerabilities in both are posted as significant user base has yet to update either or both the program (is it now fully released to update channel?) and the operating system (occupational programs found to work by everyone and the second patch applied?). On those grounds, it is both scholarly for the fields we are professionals in or students of and useful to form a more complete picture of the faults in the Microsoft development, QA, and testing processes.

    7. Re:First by Anonymous Coward · · Score: 0

      Yahoo has been rendering like shit since I upgraded to 1.01...anyone else experiencing problems????

    8. Re:First by felipin-sioux · · Score: 5, Informative

      If you have firefox 1.01 installed you have nothing to worry about.

      No, there are security advisories for firefox 1.01, like this one.

      And the story didn't even link the vulnerability report on Mozilla Firefox 1.x from Secunia. Anyway, just stay tuned and have your FF always updated.

      --
      Sorry, this sig is beneath your current threshold
    9. Re:First by shaitand · · Score: 2, Informative

      It is a stretch to even call that a vulnerability. It would be easier to trick a user into downloading and executing code themselves than to get them to drag a properly crafted image into the address bar and then use the url.

    10. Re:First by Anonymous Coward · · Score: 0

      Of course, here is their vulnerability report for IE 6 as a comparison. If you want airtight browser security, just use Dillo.

    11. Re:First by Anonymous Coward · · Score: 0

      Oh, really? Yahoo renders fine for me on FF 1.0.1 on both Windows and Linux.

    12. Re:First by DrXym · · Score: 5, Insightful

      Sorry, but that's a pretty unlikely exploit. To carry it out, someone has to be convinced to drag and drop an image onto an empty address bar. Have you seen many sites that do that? Have you seen many users who either understand or follow such instructions?

    13. Re:First by sl4shd0rk · · Score: 3, Insightful

      > It's open source so it will get fixed quickly post.

      Don't forget, you also have a choice to go back to IE and OE if you feel they are more secure. The existence of choice is another important factor of OSS.

      --
      Join the Slashcott! Feb 10 thru Feb 17!
    14. Re:First by sl4shd0rk · · Score: 1

      eh?

      From TFA:
      "If you have downloaded the Firefox 1.0.1 update, you have nothing to worry about. "

      Sounds like secunia has a buffer overflow in their bug tracking system.

      --
      Join the Slashcott! Feb 10 thru Feb 17!
    15. Re:First by Anonymous Coward · · Score: 0

      As Firefox & Linux become more popular, hackers, spammers, and virus writers will spend more time creating exploits for those platforms.

      Open source is not the panacea for the world's computer problems.

    16. Re:First by paulatz · · Score: 3, Funny

      I have tried, but IE crashed with wine.

      --
      this post contain no useful information, no need to mod it down
    17. Re:First by Anonymous Coward · · Score: 0

      Well, not quite.

      Some time ago I convinced my father to try out Thunderbird. He's somewhat particular about his computer, so I left Outlook installed in case he started whining.

      So Thunderbird imported everything fine, worked fine. There were a couple of things he didn't like and also one minor but real bug he found. He complained it wasn't polished enough etc, etc and wanted to go back to Outlook.

      I said fine, I'll just export the new email and you can start using outlook right away. But, get this, there is no mail export feature in thunderbird. And of course MS doesn't have an import in outlook. So I had to leave both programs installed in case he needed to refer to his older email.

      I know exporting is not a priority feature for Thunderbird, but its lack prevents me from suggesting people try thunderbird. That's a problem.

    18. Re:First by tonsofpcs · · Score: 1

      It's worse than that, IE has security vulnerabilities too. I have to use NCSA Mosaic again!

    19. Re:First by mrogers · · Score: 3, Funny

      So users of Debian Stable have nothing to worry about?

    20. Re:First by Tribbin · · Score: 1

      Some people do everything that 'the computer' instructs them to do.

      --
      If you mod this up, your slashdot background will turn into a beautiful sunset!
    21. Re:First by Phiu-x · · Score: 1

      You haven't worked much in technical support, right? A LOT of people WILL do what the computer instructs them to do because "Eh, it must be all right, it's the computer who's asking".

      --
      This is a stolen sig.
    22. Re:First by Registered+Coward+v2 · · Score: 1

      I don't know how many people will do it, but I just received an email from the Honorable Mr. Nacumbo with detailed directions how to do it so that I can help him get his late uncle's fortune before the government takes it.

      --
      I'm a consultant - I convert gibberish into cash-flow.
    23. Re:First by Matt_Joyce · · Score: 1


      pretty unlikely so don't worry ?
      pretty unlikely so don't update ?

      I think not.

    24. Re:First by Weltanschauung · · Score: 0

      It's worse than that, IE has security vulnerabilities too. I have to use NCSA Mosaic again!

      Ack, the bleeding edge. I have to use WorldWideWeb again!

    25. Re:First by Mika24 · · Score: 1

      yeah people just seem to skip over the description of what causes the exploit to happen

      --
      http://www.npcgaming.com Dedicated Gaming Servers
  2. New Discovery? by fembots · · Score: 5, Interesting

    Today, the security firm Secunia has released 8 more security bugs it has discovered in Mozilla products, including Firefox and Thunderbird. [......] If you have downloaded the Firefox 1.0.1 update, you have nothing to worry about

    Firefox 1.0.1 update was out before today, so did Secunia just look at what 1.0.1 update fixes and release its "bug" report, or did they discover something new to 1.0.1?

    1. Re:New Discovery? by chrisbtoo · · Score: 4, Insightful

      Chances are that they found the 8 bugs in 1.0, reported them to Mozilla, who kept it quiet and fixed them for 1.0.1.

      I guess this is trumpet-blowing from Secunia, together with an advisory as to how important it is to upgrade to 1.0.1.

      --
      Registering accounts later than some other chrisb since 1997
    2. Re:New Discovery? by Anonymous Coward · · Score: 0

      Did you perhaps think that they _told_ mozilla.org people before so it wouldn't cause havoc?? That's what a real security company should do.

    3. Re:New Discovery? by darkmeridian · · Score: 3, Insightful

      The thing that sucks is that there is no update button in Firefox 1.0. Well, there is, but it only updates the Extensions when I run it. That could lead the average user to believe that they have already updated their browser. Will this be fixed in Firefox 1.1? Or should I file it?

      --
      A NYC lawyer blogs. http://www.chuangblog.com/
    4. Re:New Discovery? by Anonymous Coward · · Score: 1, Informative

      Uh, they started rolling out the 1.0.1 updates. Run it again, you might get it.

    5. Re:New Discovery? by einhverfr · · Score: 5, Insightful

      I personally am grateful to Secunia for helping to look at Firefox's security the way that we should be.

      Like it or not, we need these sorts finding vulnerabilities before the bad guys. No software is 100% secure. But any software has a security record better than IE.

      --

      LedgerSMB: Open source Accounting/ERP
    6. Re:New Discovery? by Daniel+Boisvert · · Score: 5, Informative

      The update button showed up for me today. I clicked it and it ran me through the download and install of 1.0.1. The automatic update was intentionally delayed because of server capacity issues; apparently they've got them sorted out now.

    7. Re:New Discovery? by MattJakel · · Score: 2, Informative

      The thing that sucks is that there is no update button in Firefox 1.0. Well, there is, but it only updates the Extensions when I run it. That could lead the average user to believe that they have already updated their browser. Will this be fixed in Firefox 1.1? Or should I file it?

      It looks like they are aware of these problems and are working on them.

    8. Re:New Discovery? by Anonymous Coward · · Score: 0

      Yeah or maybe designing a web browser isn't as easy as it's made out to be, now is it?

    9. Re:New Discovery? by juhaz · · Score: 4, Informative

      There is.

      Asa mentioned something about server problems and activating the update for 1.0.1 later, and indeed it did show up today. Granted, it's a week since the release and that's a long time for a security update... And windows-only apparently, though Linux users probably update through their native package systems anyway.

      His blog has more.

    10. Re:New Discovery? by SuperficialRhyme · · Score: 5, Informative

      Secunia just put the list together. Copy/pasting the list and who found them from secunia since someone didn't link to it in the article.

      1) The vulnerability is caused due to the temporary plugin directory being created insecurely. This can be exploited via symlink attacks to delete arbitrary directories with the privileges of the user running Mozilla or Firefox.

      2) The problem is that an inactive tab can launch an HTTP authentication prompt, which appears to be displayed by a website in another tab. This may be exploited to trick a user into entering some sensitive information (e.g. user credentials).

      This is similar to:
      SA12712

      3) An error in the handling of shortcut files (.lnk) can be exploited to overwrite arbitrary files by tricking a user into downloading a shortcut file twice.

      4) The problem is that a XML document can include XSLT stylesheets from arbitrary sites, which may be exploited to disclose some sensitive information.

      5) An error in the form fill feature (autocomplete) allows reading suggested values before they are chosen. This can be exploited to disclose some potentially sensitive input by tricking a user into arrowing through some autocompleted values.

      6) A memory handling error in Mozilla string classes may allow overwriting of memory if the browser runs out of memory during string growth. This can potentially be exploited to execute arbitrary code.

      7) The problem is that the hostname can be obfuscated in the installation confirmation dialog by including an overly long username and password. This can be exploited to trick users into accepting installations from untrusted sources.

      Successful exploitation requires that the malicious website is allowed to request installations.

      8) It is possible to cause a heap overflow due to an error when converting malformed UTF8 character sequences to Unicode. This may be exploited to cause a heap overflow and execute arbitrary code, however, general web content is not converted using the vulnerable code.

      9) Various errors make it possible to show the "secure site" lock icon with certificate information belonging to a different site.

      Provided and/or discovered by:
      1) Tavis Ormandy
      2) Christian Schmidt
      3) Masayuki Nakano
      4) Georgi Guninski
      5) Matt Brubeck
      6) Independently discovered by:
      * Daniel de Wildt
      * Gaël Delalleau
      7) Phil Ringnalda
      8) wind li
      9) Mook, Doug Turner, Kohei Yoshino, M. Deaudelin
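
Item 7 in the list above (the hostname hidden in the installation confirmation dialog by an overly long username and password), shown as an added example that is not part of the original comment and is not Mozilla code. The function names, the 60-character dialog width and every URL are constructed for illustration; the hardened version parses the URL first, shows only scheme and host, and shortens from the left so the end of the hostname always stays visible.

```javascript
'use strict';
// Added illustration (not Mozilla code). MAX_DISPLAY is an assumed dialog
// width; all URLs below are constructed samples.
const MAX_DISPLAY = 60;

// Constructed samples: userinfo dressed up as a trusted host, a long chain of
// subdomains in front of the real domain, and an ordinary install URL.
const LONG_USERINFO = 'http://updates.trusted.example' + '.a'.repeat(40) +
  ':secret@downloads.attacker.test/ext.xpi';
const LONG_SUBDOMAIN = 'http://login.bank.example.' + 'a.'.repeat(40) +
  'attacker.test/ext.xpi';
const PLAIN = 'https://addons.example.org/ext.xpi';

// Weak: show the raw URL string cut to the dialog width. A long
// username/password pushes the real host past the cut, so the user only
// sees the text that comes before the "@".
function naiveDialogText(rawUrl) {
  return rawUrl.length > MAX_DISPLAY
    ? rawUrl.slice(0, MAX_DISPLAY) + '...'
    : rawUrl;
}

// Hardened: parse, drop userinfo and path, show scheme + host only.
function describeInstallSource(rawUrl) {
  let u;
  try {
    u = new URL(rawUrl);
  } catch (err) {
    return { display: null, warnings: ['unparseable URL'] };
  }

  const warnings = [];
  if (u.protocol !== 'http:' && u.protocol !== 'https:') {
    warnings.push('unexpected scheme ' + u.protocol);
  }
  if (u.username !== '' || u.password !== '') {
    warnings.push('embedded credentials ignored');
    // Userinfo that itself looks like a domain name is a spoofing signal.
    if (/[a-z0-9-]+\.[a-z]{2,}/i.test(u.username)) {
      warnings.push('username looks like a hostname');
    }
  }

  // The rightmost labels identify the site, so if the host does not fit,
  // cut characters from the left rather than from the right.
  let host = u.host;
  const room = MAX_DISPLAY - (u.protocol.length + 2);
  if (host.length > room) {
    host = '...' + host.slice(-(room - 3));
    warnings.push('host truncated on the left');
  }
  return { display: u.protocol + '//' + host, warnings };
}

for (const sample of [LONG_USERINFO, LONG_SUBDOMAIN, PLAIN]) {
  const r = describeInstallSource(sample);
  console.log('naive   :', naiveDialogText(sample));
  console.log('hardened:', r.display, r.warnings);
}
```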

    11. Re:New Discovery? by einhverfr · · Score: 4, Insightful

      Ok.... IE has two major security issues inherent in its design and that is zone permission elevation while the other is ActiveX related.

      Mozilla/Firefox has another-- XUL display. XUL is a great technology, but it is difficult to handle because the main UI rendering is too closely tied to the rendering of the web site. There is a security barrier which is designed to keep one from harming the system but it is not designed to prevent spoofing of apps. Hopefully a defence barrier can be built in.

      Don't believe me? Paste this into your address bar: chrome://navigator/content/navigator.xul (only works in Mozilla)

      For example, something simple like "Components in Chrome are locked by default and only unlocked components can be modified outside of Chrome" would be a nice start.

      --

      LedgerSMB: Open source Accounting/ERP
    12. Re:New Discovery? by Anonymous Coward · · Score: 0

      Odd. The update button just appeared for me too, but when I click on it it still only gives me that damn Qute 3 that I refuse to install because it fucks with the icon sizes and makes everything ugly. No Firefox update in sight.

    13. Re:New Discovery? by WarPresident · · Score: 1

      The update button showed up for me today. I clicked it and it ran me through the download and install of 1.0.1. The automatic update was intentionally delayed because of server capacity issues; apparently they've got them sorted out now.

      I wonder how much delaying the update helped their capacity issues. I simply downloaded the whole Firefox 1.0.1 archive after hearing about the vulnerability. So did everyone else I know that also runs Firefox. Just uninstall/reinstall and everything else (bookmarks, cookies, extensions) is still there.

      --
      Here come da fudge!
    14. Re:New Discovery? by aneroid · · Score: 5, Informative
      > 2) The problem is that an inactive tab can launch an HTTP authentication prompt, which appears to be displayed by a website in another tab. This may be exploited to trick a user into entering some sensitive information (e.g. user credentials).

      i always wanted that modal dialog to be made non- and only appear for that tab (when it's in focus).

      i doubt this would've prevented the bug. but the page it was appearing for would be obvious. a possible hack to that could be...have a javascript window which is already open make the connection. in that case, even if the js window is shown, with the browser most likely behind it, it wouldn't be obvious. could fix that too :P by outlining the window/tab that calls it. of course, even that could...
    15. Re:New Discovery? by Virtual+Karma · · Score: 1

      Whatever they looked at, they do have a point. Here is one article that speaks about "Firefox false sense of security"... NOT a troll, I didn't write this article. It's from PCWorld.com. This is pure information.

    16. Re:New Discovery? by Anonymous Coward · · Score: 0

      That's not true!

      <?php
      echo "Hello World!";
      ?>

      Just try it!

    17. Re:New Discovery? by boredMDer · · Score: 1, Insightful

      'But any software has a security record better than IE.'

      What about Windows proper? :)

    18. Re:New Discovery? by sd.fhasldff · · Score: 0, Redundant

      This isn't new stuff! It's all fixed in 1.0.1. What, exactly, are you thanking Secunia for?

    19. Re:New Discovery? by interiot · · Score: 4, Informative
      Riiiiiight.

      Sure, you can copy-and-paste anything you want into your URL bar, and hit enter. This takes time, and thought, and you have to look at the string in two different places, so it's reasonably secure based on that.

      The only security problems that could arise would be if there were links that you could click on, or bookmark them. Try it here (slashdot won't let you write chrome:// URLs unfortunately). It doesn't work.

      There are tons of security measures related to XPI/XUL, the Firefox team has IMHO taken an OVERLY aggressive approach to XUL/XPI issues. You know why there are several extra steps required in Firefox to install an XPI plugin? Because there were some theoretical exploits where someone might ask a user to click on a place on the screen over and over (eg. hit the monkey), and then display the XPI dialog there, and the user might end up clicking "yes, please install" before they realized that they were running potentially suspicious code. So now users have to wait a few seconds before being able to click.

      Users CAN actually configure their browser to let remote sites do just about anything, include read/write files, change the clipboard, etc., because this is sometimes something that's useful that users might want from a few special sites. But it's a pain in the butt to get the several security configuration settings set properly, and again, as a developer, I think they might have overdone it.

    20. Re:New Discovery? by metamatic · · Score: 1

      No update for me yet, so I'm gonna go download the whole thing...

      --
      GCHQ Quantum Insert installed. If only our tongues were made of glass, how much more careful we would be when we speak
    21. Re:New Discovery? by LnxAddct · · Score: 5, Interesting

      It is certainly good that people are looking out for bugs, but Secunia didn't find these. They just compiled a list of known bugs that were fixed in 1.0.1. Their site is supposed to be a consolidated source for finding vulnerabilities and researching the security of applications, which means whether or not they find the vulnerabilities, they report on them.
      Regards,
      Steve

    22. Re:New Discovery? by Anonymous Coward · · Score: 0

      Funny how no one waits for IE to patch. Sounds like a double standard. It doesn't matter. I had to run Firefox unsecure with many known bugs for the past 2 months while Mozilla fixed them. IE had a patch within days for major bugs that came out the same day.

    23. Re:New Discovery? by Dizzle · · Score: 1

      People using 1.0 that don't know about the bugs? Telling them that there's an update to protect them?

      --
      -Dizzle
      "I most likely AM so interested in myself."
    24. Re:New Discovery? by Supernoma · · Score: 1

      Copy and pasting, or clicking of the link does nothing for me. What's it supposed to do?

      --
      I'll Find You Peer, If It's The Last Thing I Do!!!!
    25. Re:New Discovery? by Anonymous Coward · · Score: 0

      Don't expect this crowd to react to reality. They would rather you sit around with an insecure browser for months while the "open source" community turns around a fix. This is a joke.

      "To sin by silence when one should protest makes cowards out of men."

    26. Re:New Discovery? by taylortbb · · Score: 5, Informative

      They started rolling it out for windows only but they had to cancel it. Linux and Mac users were getting the windows only code and that was causing problems so it was disabled. It is now back for windows users.

      http://weblogs.mozillazine.org/asa/

    27. Re:New Discovery? by Anonymous Coward · · Score: 0, Troll

      Javascript is a security hole. If you want to be safe, disable it!

    28. Re:New Discovery? by LnxAddct · · Score: 3, Interesting

      Or how about just stopping the javascript interpreter when the window isn't in focus. And if a child window is being viewed make sure that its parent window gains focus behind it, or something to that effect. That would more or less cover all the cases, would it not?
      Regards,
      Steve

    29. Re:New Discovery? by 6th+time+lucky · · Score: 1

      I'm not sure how it saved their servers either. You may as well download the whole thing, as this is what the automatic update does. And then it just autoruns the installer. The firefox setup 1.0.1.exe (4704kb-windows) is left on the desktop afterwards.
      I too was going to just download it, but the autoupdate finally came up yesterday afternoon.

    30. Re:New Discovery? by aneroid · · Score: 2, Insightful
      > Or how about just stopping the javascript interpreter when the window isn't in focus.
      would be too effective. all timing based scripts would break.
      > And if a child window is being viewed make sure that its parent window gains focus behind it, or something to that effect.
      i agree...
      > and only appear for that tab (when it's in focus).
      and
      > could fix that too :P by outlining the window/tab that calls it.
    31. Re:New Discovery? by raehl · · Score: 4, Funny

      A site that just compiles a list of information produced by others? Who would read something like that?

      Maybe if it had comments.....

    32. Re:New Discovery? by einhverfr · · Score: 2, Insightful

      The fact that you can't just click on a link doesn't mean that this is not a problem. Yes there are security measures and barriers in place, but this is the *problem* not the solution.

      You see, the security barriers exist because you want to provide some functionality which is more trusted than others. This is part of the reason why IE is so darned insecure: It has too many of these security barriers.

      Instead, the problem is that you have the problem that the security barriers are fundamentally permeable. Ideally therefore you want to design your software in such a way that the security barriers are enforced by design limitations of the software rather than enforcement checks.

      --

      LedgerSMB: Open source Accounting/ERP
    33. Re:New Discovery? by Anonymous Coward · · Score: 0
      > But any software has a security record better than IE.

      And this is based on what? You're not believing your own press are you?

    34. Re:New Discovery? by ThJ · · Score: 1

      Mod parent funny!

    35. Re:New Discovery? by ajs318 · · Score: 2, Insightful
      > Or how about just stopping the javascript interpreter when the window isn't in focus.
      As another poster has pointed out, this could break timing-based stuff ..... for instance, you could not simply background a tab until the enforced-view adverts disappeared :)

      Nonetheless, it'd be a good idea to allow as an option.
      > And if a child window is being viewed make sure that its parent window gains focus behind it, or something to that effect.
      I thought of this too ..... if a tab wants to bring up any kind of requester {for a JavaScript prompt, or for a login and password} then it should come to the foreground {or wait, if there is already a requester showing from another tab}.

      This however might conceivably create a new "deadly embrace" vulnerability, if two tabs are demanding to raise requesters and each depends on the other. But if the present system allows only one requester to be showing anyway, perhaps this isn't newly-introduced after all.
      --
      Je fume. Tu fumes. Nous fûmes!
    36. Re:New Discovery? by Anonymous Coward · · Score: 0

      Well, that was interesting. Unfortunately, after opening that link, my status bar no longer shows links when I hover over them (even after I closed the tab), so now I have to shut down Moz and restart it. Thanks a lot.

    37. Re:New Discovery? by alerante · · Score: 1

      Firefox seems to do pretty well with using panes above the tab's contents when, say, it blocks popups or needs a plug-in. Why not use one of those for authentication? Then there's no question as to what tab is requesting a username or password.

    38. Re:New Discovery? by aneroid · · Score: 1

      yes, the pane is used well...but would be un-required for all normal authentic connections.

      and if the tab/window gets focus (either auto or manual), the js box will show in the foreground to that. so there won't be much use of the pane since u know which site is calling it...assuming u aren't vulnerable to the idn spoofing bug of course ;-)

    39. Re:New Discovery? by Phisbut · · Score: 1
      I'd just be happy now if they could release just a patch, or something that can be applied without having to uninstall Firefox every time.

      That goes in the way of usability. My mom is used to clicking a couple of buttons and Windows Update fixes her IE without her having to uninstall or reinstall anything. With Firefox, you have to uninstall 1.0 to install 1.0.1, and I bet I'll have to uninstall Thunderbird 1.0 too when TB 1.0.1 comes out. It's hard convincing mom that Firefox is better and easier to use if she has to repeat those administrative steps over and over again.

      --
      After 3 days without programming, life becomes meaningless
      - The Tao of Programming
    40. Re:New Discovery? by interiot · · Score: 1

      So that whole user/root separation is a problem, and not a solution? And 'su' is something that's fatally flawed? And don't get me STARTED on 'sudo'!

    41. Re:New Discovery? by 6th+time+lucky · · Score: 1

      umm no, well unless you are actually having problems. Firefox *will* install over an older version since around 0.9 (?)

      Yes the autoupdate does get the whole install file, but it runs and updates Fx and then just asks for Fx to be restarted (not a reboot). So it's not that much different than WU (except without the constant *&%$# nagging to reboot every 5 minutes)

    42. Re:New Discovery? by Phisbut · · Score: 1
      > umm no, well unless you are actually having problems. Firefox *will* install over an older version since around 0.9 (?)

      Mozilla says it doesn't.

      Prior to installing Firefox 1.0.1, please ensure that the directory you've chosen to install into is clean and doesn't contain any previous Firefox installations.

      If you can't trust Mozilla's own instructions for upgrading, who can you trust?

      --
      After 3 days without programming, life becomes meaningless
      - The Tao of Programming
    43. Re:New Discovery? by spiff06 · · Score: 1

      > i always wanted that modal dialog to be made non- and only appear for that tab (when it's in focus).
      Great suggestion. I've been merely annoyed by it but never thought it might, possibly, introduce a security issue.

    44. Re:New Discovery? by 6th+time+lucky · · Score: 1
      damn, ok i take it back. Those instructions are now way too complicated for any lay person.

      It would appear that the profile directory *might* be able to stay. It does say that it shouldn't be installed over a 'zipped' package, so i took it to assume that if it wasn't zipped then it was ok. However if you read on and on and on it does say to put it into a new directory and to uninstall the old one, so which one do/can i do???

      The installer should just fix it all for me, i.e.
      "It appears you have an old install of Firefox, It is highly recommended that you allow this installer to uninstall your old version first and then install this new version. Don't worry, your old settings will be automatically transferred to the new install. But you have a backup don't you???

      Format c:?

      (OK) (Cancel)"
  3. What the hell? by Anonymous Coward · · Score: 5, Informative

    Why is Slashdot linking to some guy's blog that no one has heard of rather than the actual Secunia advisories page? The blog entry doesn't even link there! I don't even see how this is a story since Firefox 1.0.1 has already been covered on Slashdot, and these vulnerabilities were announced then.

    1. Re:What the hell? by AndroidCat · · Score: 5, Funny

      Firefox 1.0.1? What the..?! Windows Update never mentioned a thing about that, must be broken!

      --
      One line blog. I hear that they're called Twitters now.
    2. Re:What the hell? by Anonymous Coward · · Score: 0

      Is that a blog site or a FUD site? It looks to me more like a FUD site. It's handling the slashdot crowd without a peep. Far too much bandwidth for a random blogger no one has heard of.

    3. Re:What the hell? by Anonymous Coward · · Score: 1, Insightful

      One word: adwords

    4. Re:What the hell? by The-Perl-CD-Bookshel · · Score: 1

      Neither has Firefox Update...Yet

      --
      I don't keep a lid on my coffee so when I walk around I look busy -me
    5. Re:What the hell? by croddy · · Score: 1

      he's not just some random guy -- he submitted the story to slashdot. of course he's going to link to his own miserable web log.

    6. Re:What the hell? by Anonymous Coward · · Score: 0

      The submitter's name is linked to another blog... unless he has two blogs... Madness, I say.

    7. Re:What the hell? by AndroidCat · · Score: 1

      Oh. Does that red dot in the upper right corner beside the go-roundy flower thing mean anything?

      --
      One line blog. I hear that they're called Twitters now.
    8. Re:What the hell? by The-Perl-CD-Bookshel · · Score: 1

      At home I downloaded 1.01, but on my laptop I'm still using 1.0. My dot on my laptop was blue until I clicked on it. As of now, the process still has to be initiated by the user.

      --
      I don't keep a lid on my coffee so when I walk around I look busy -me
  4. ...only affects v1.0 by Tumbleweed · · Score: 2, Informative

    If you have downloaded the Firefox 1.0.1 update, you have nothing to worry about. The Mozilla 1.7.6 and Thunderbird 1.0.1 released should be out this week as well.

    No worries, just keep your browser updated.

    1. Re:...only affects v1.0 by LiquidCoooled · · Score: 1

      Has the automatic update kicked in yet?

      I ask because when they released 1.0.1 the updater was postponed for a week to prevent the servers from overloading.

      --
      liqbase :: faster than paper
    2. Re:...only affects v1.0 by Tumbleweed · · Score: 1

      I think it has - I was seeing some autoupdate popup things going on with it last night as I was using it, but never got around to investigating it to make sure that's what was going on.

    3. Re:...only affects v1.0 by owlstead · · Score: 1

      The answer seems to be no. In advanced there is a button [check] (which does not work correctly, click multiple times). Maybe they should add torrent functionality to download signed updates or something similar.

    4. Re:...only affects v1.0 by gordgekko · · Score: 1

      I'm rather unimpressed with Firefox today. The update button popped up this afternoon yet the update itself was dated Feb. 25. I realize they didn't want a mass stampede to their server but that means a heck of a lot of people were unprotected (and remain unprotected) if they don't habitually check /. or Mozilla.org to see if there are new versions available.

      They greeted this security update better than Microsoft usually does...but not much better.

      --
      You want to know who isn't running Firefox 2.x? They spell it "definately" and "rediculous".
    5. Re:...only affects v1.0 by Anonymous Coward · · Score: 0

      OK, but I need to redownload the whole app.
      There are really no patches for Firefox 1.0.

      As an aside, it would be best to come up with a patch mechanism for Firefox, instead of relying upon users going to check the mozilla page every once in a while (and maybe failing to notice that the "Download" link now discreetly says 1.0.1 instead of 1.0). That is, if a comfortable user experience is one of the goals for Firefox...

    6. Re:...only affects v1.0 by _xeno_ · · Score: 3, Informative

      Supposedly. By my reading of Asa's blog, if you use the en-US version (most of Slashdot), then you should be able to get an update. Specifically, check out the entries localized 1.0.1 updates and another try at update.

      However, I use the en-US version, and my Firefox refuses to auto-update. So it doesn't appear to be working for everyone. (I'm behind a firewall, if that matters.)

      --
      You are in a maze of twisty little relative jumps, all alike.
    7. Re:...only affects v1.0 by idamaybrown · · Score: 1

      "No worries, just keep your browser updated." That's what they say about IE!

    8. Re:...only affects v1.0 by Anonymous Coward · · Score: 0

      The delay wasn't because of that. It was because of another issue that they were having. The file has been available for a few days.

    9. Re:...only affects v1.0 by SQLz · · Score: 1
      They greeted this security update better than Microsoft usually does...but not much better.

      Yeah...they actually had it fixed before the problems were announced. I'd say that's 1000x better than someone else finding them, MS denying it, a viral outbreak occurs bringing down 1/2 the internet, then they get fixed 2 weeks later.

    10. Re:...only affects v1.0 by lakeland · · Score: 1

      If I have to keep tabs on secunia and worry about grabbing the latest hotfixes, I may as well be using IE.

      Go ahead. We don't mind. Really.

    11. Re:...only affects v1.0 by 28481k · · Score: 2, Interesting

      I use the en-US version of Firefox as well and I think I would wait until the auto-update kicks in so that there would be less hassle to update the browser. Yesterday morning I saw the update sign shown on the browser, so I clicked it to see if it could auto-update my browser. But it stopped three-quarters or four-fifths of the way through, and since then I could not download it further (not for another 10 hours...). So later, I decided to take the matter into my own hands and uninstall Fx 1.0 for Fx 1.0.1 manually.

      Grrr... After I reinstalled Firefox 1.0.1, the update still reminded me that there's an update available, I wonder what that is since I couldn't download it....

      --
      28481k
    12. Re:...only affects v1.0 by HD+Webdev · · Score: 1

      Maybe they should add torrent functionality to download signed updates or something similar.

      That's a great idea but I'm one of those tin-foil hat kinda guys. I'd rather only have my browser directly updated from the source or official mirrors.

      My reason being that one of the vulnerabilities might be linked to signed updates themselves or some other Evil Thing.

      --
      This is not a dream, not a dream...we are transmitting from the year 1-9-9-9.
    13. Re:...only affects v1.0 by owlstead · · Score: 1

      In that case you might want to use another web-client. The vulnerability could also affect the lookup of hostnames. Security is tricky business (and the PC is an untrusted platform).

  5. patch here by Coneasfast · · Score: 5, Funny

    you can find the patch here. ;)

    --
    Marge, get me your address book, 4 beers, and my conversation hat.
    1. Re:patch here by Anonymous Coward · · Score: 4, Informative

      don't mod parent as troll, it's a joke, a parody of the fact that someone posts a link to firefox when there is an IE vul. story.

      oh forget it, some of you mods are dumber than a deck of cards.

    2. Re:patch here by Anonymous Coward · · Score: 2, Funny

      oh forget it, some of you mods are dumber than a deck of cards.

      I am a deck of cards, you insensitive clod!

    3. Re:patch here by Anonymous Coward · · Score: 0
      You really have to wonder how much the influx of new users and the banning of a large number of older users from moderating have decreased moderation quality.

      Anecdotal evidence suggests that the answer is "a lot", but as long as those same fucking moderators are saying "fair" in M2 then I guess the system must be fair, no?

    4. Re:patch here by Anonymous Coward · · Score: 0

      I can't seem to find the version for Linux at the URL you gave.

    5. Re:patch here by Anonymous Coward · · Score: 0

      I am a deck of cards, you insensitive clod!

      No, you are just a joker.

    6. Re:patch here by Anonymous Coward · · Score: 0

      And I see that 32M ought to be enough for WinXP!!

    7. Re:patch here by ari_j · · Score: 0, Offtopic

      Meta-moderation is just a horrible idea as it is. Since you probably can't metamoderate yourself, and since metamoderation is easier to get access to than mod points, it follows that the people doing the metamoderating are the people with the shittiest quality of input the userbase has to offer.

    8. Re:patch here by shaitand · · Score: 0, Offtopic

      meta moderation is easier to get access to than mod points but meta-mods are still elite compared to the average slashdotter.

      The biggest problem is that unless your every post is modded into the ground then anyone who posts a lot will have excellent karma and eventually get to meta-mod AND moderate. Hell mods are chosen at random, at least meta-mods are chosen based on criteria that indicates they are above par slashdotters!

    9. Re:patch here by Anonymous Coward · · Score: 0

      Like a lot of posters I can metamoderate, but not moderate - I think I modded up a post of doom or something. I don't know that m2 eligibility means anything.

    10. Re:patch here by Anonymous Coward · · Score: 0
      oh forget it, some of you mods are dumber than a deck of cards.

      Or a screen door on a battleship.

  6. Ah well by Anonymous Coward · · Score: 1, Insightful

    At least with FireFox they'll be patched up within a few days. Unlike Microsoft which waits until half the world has been screwed over...

    1. Re:Ah well by Anonymous Coward · · Score: 0

      Can you cite an example?

      Most of the time vulnerabilities are reported on Slashdot, they're often already patched in SP2 or some other patch (and conveniently not mentioned in the article summary).

  7. Emergency! by Peter_Pork · · Score: 5, Funny

    Oh my God! I'm switching back to Internet Explorer right away!

    1. Re:Emergency! by someonewhois · · Score: 3, Funny

      Uhh, insightful? I think it was meant to be funny..

    2. Re:Emergency! by LiquidCoooled · · Score: 2, Informative

      Firefox is already fixed....

      The others won't be long.

      from the article:
      If you have downloaded the Firefox 1.0.1 update, you have nothing to worry about. The Mozilla 1.7.6 and Thunderbird 1.0.1 released should be out this week as well.

      --
      liqbase :: faster than paper
    3. Re:Emergency! by kagelump · · Score: 5, Funny

      uh... funny? i think this meant to be informative

    4. Re:Emergency! by bicho · · Score: 1, Funny

      Uh... I am not sure how this should be moded...

      --

      errera hunamum ets
    5. Re:Emergency! by Anonymous Coward · · Score: 0

      Uh redundant?... I think it was meant to be funny..

    6. Re:Emergency! by Anonymous Coward · · Score: 0

      Not if you're moderating from a work computer in Redmond!

    7. Re:Emergency! by spitefulcrow · · Score: 0, Redundant

      Uh... I think I just want some positive karma.

      --
      Sorry, my karma just ran over your dogma.
    8. Re:Emergency! by Anonymous Coward · · Score: 0

      Moron!

      Score is still 10's to 1000's!

    9. Re:Emergency! by shutdown+-p+now · · Score: 0, Offtopic

      Uh... not with that sig of yours

    10. Re:Emergency! by Anonymous Coward · · Score: 0

      -1 can't spell

  8. gentlemen, start your engines by Anonymous Coward · · Score: 0, Funny

    Anyone taking bets how long these will take to fix? 2 weeks?

    1. Re:gentlemen, start your engines by dicepackage · · Score: 1

      I think you saw this as "New Vulnerabilities Discovered in Internet Explorer." The vulnerabilities have been fixed in Firefox 1.0.1 but there hasn't been much press about them until now.

    2. Re:gentlemen, start your engines by Anonymous Coward · · Score: 0

      That's the magic of open source -- time reversal bug fixes. These exploits were fixed a week ago.

  9. And yet... by tannmann · · Score: 5, Funny

    I still feel safer than when I use IE.

    1. Re:And yet... by Anonymous Coward · · Score: 0

      Ignorance is bliss, eh?

  10. eek! by Anonymous Coward · · Score: 0

    Funded by the terroriists Securinitaara is!

  11. The downside of popularity by confusion · · Score: 5, Insightful

    Most all software has serious bugs, and the up-tick in firefox bug was as predictable as the sun rising. The real key is going to be in how the bugs are dealt with.

    Jerry
    http://www.syslog.org/

    1. Re:The downside of popularity by Anonymous Coward · · Score: 0

      oh really?

      And that's a whole OS with an enterprise level database used by the largest institutions on earth.

    2. Re:The downside of popularity by Anonymous Coward · · Score: 0

      What part of 'popular' don't you understand?

    3. Re:The downside of popularity by doku_hebi_ryu · · Score: 1, Funny

      Most all software has serious bugs, and the up-tick in firefox bug was as predictable as the sun rising. The real key is going to be in how the bugs are dealt with.

      What a great attitude. I've got to try that one on my boss sometime.

      "Hey man, chill out. I'm like Firefox with all these bugs, and you know, everybody likes Firefox. I actually wrote those intentionally so people would love my software! Vat a Kantry!"

      Doku

    4. Re:The downside of popularity by confusion · · Score: 1

      great examples of popular software!

    5. Re:The downside of popularity by confusion · · Score: 1

      If someone in my organization came to me with that, I would have to reprimand them. As the creators of applications, we have to be focused completely on quality, but the reality is that there WILL be bugs and you have to plan for them.

      Converse to your argument, now that we have everyone completely committed to writing secure & quality code, we can stop code audits, QA, and pen testing, because hey, we have a commitment to quality.
      Give me a break man, it's not nearly as clearly defined as you're making it out to be.

    6. Re:The downside of popularity by Anonymous Coward · · Score: 0
      The real key is going to be in how the bugs are dealt with.

      Perhaps this would be a good place for you to start. The proper tense in this case includes "was" and "were"

    7. Re:The downside of popularity by shaitand · · Score: 1

      The real key is going to be in how the bugs was dealt with.

      Somehow that just doesn't work for me. The parent was predicting more bugs in the future and saying we should watch how they will be dealt with. As a grammar troll your fired. As an arse advocating firefox, your still fired. Have a nice day!

    8. Re:The downside of popularity by Anonymous+Custard · · Score: 1

      And unlike ActiveX and Zone Security issues which are inherent design flaws in IE, bugs found in Firefox will be fixed overnight.

    9. Re:The downside of popularity by Zorikin · · Score: 1

      The real key WAS going to be in how the bugs WERE dealt with.

      Game over! Zero points, you lose at English.

    10. Re:The downside of popularity by auggie2001 · · Score: 1

      It's "you're fired".

    11. Re:The downside of popularity by shaitand · · Score: 1

      That would be the case if he were talking about bugs that had already been fixed. Since he is talking about bugs that will be found in the future a future tense is appropriate.

      What about this did you not understand the first time?

    12. Re:The downside of popularity by Zorikin · · Score: 1

      In fact, OP didn't specify which bugs his phrase "the bugs" refers to. Perhaps, instead of guessing at what he means, you could allow him to make his own clarifications. But that's irrelevant. You lose at english because you failed to perform an absolutely trivial tense-shift transformation on that sentence, whereas all english winners understood immediately what AC was suggesting.

  12. The most important part of TFA by Zocalo · · Score: 5, Insightful
    "If you have downloaded the Firefox 1.0.1 update, you have nothing to worry about."

    Why this wasn't in the write up is beyond^W entirely to be expected given the recent track record of Slashdot editors... :P

    --
    UNIX? They're not even circumcised! Savages!
    1. Re:The most important part of TFA by Anonymous Coward · · Score: 0

      the slashdot editors only do enough work to keep slashdot popular, and to get their pay checks

    2. Re:The most important part of TFA by monophaze · · Score: 2, Informative

      Secunia collectively rated the vulnerabilities as "Moderately Critical," and said that only Firefox has been fixed. Users should download the newest edition, Firefox 1.0.1, which was released last week.

      The vulnerabilities have been corrected in Mozilla, but the patched edition, 1.7.6, has not yet been officially released. The same goes for Thunderbird, the Mozilla Foundation's free e-mail client, which is also susceptible to the bugs. Both Mozilla 1.7.6 and Thunderbird 1.0.1 should roll out this week, Mozilla has said.


      8 More Bugs Found In Firefox And Mozilla

    3. Re:The most important part of TFA by sd.fhasldff · · Score: 5, Insightful

      That has to be the most pathetic slashdot blurb I've ever seen. It's grossly misleading and links to a completely asinine site (which, in return, doesn't even link to the Secunia report - the real source).

    4. Re:The most important part of TFA by ptudor · · Score: 1
      recent track record

      Recent? If by recent you meant 1997 to 2012.

    5. Re:The most important part of TFA by ari_j · · Score: 1

      "Most pathetic" ... I can't agree. Maybe "most pathetic since noon" or "most pathetic Firefox blurb since January," but not most pathetic overall. It's a matter of relativity in a field with a great number of samples in the lower regions, so you have to differentiate between degrees of "holy shit WTF were they thinking?"

  13. And there's already a fix? by b00m3rang · · Score: 0, Redundant

    I'll take it.

    1. Re:And there's already a fix? by Anonymous Coward · · Score: 0

      I love that, there's already a fix??? Some of these vulnerabilities were found in excess of 6 months ago.

    2. Re:And there's already a fix? by b00m3rang · · Score: 1

      I wasn't surprised... let me rephrase that: "Vulnerabilities hit the news and it turns out the application has already been patched for a while? I'll take that over the alternative, any day."

    3. Re:And there's already a fix? by Kehvarl · · Score: 1

      You need your fix, huh? How about trying something.. a little stronger. Sure it's been around a while, and yeah it can be dangerous... but have you ever thought about trying some of.. this. First taste is free.

    4. Re:And there's already a fix? by b00m3rang · · Score: 1

      I don't know, links2 seems to work better than lynx in my experience. But I do still make sure that the few web pages I code are text browser friendly.

    5. Re:And there's already a fix? by Kehvarl · · Score: 1

      Whoa! Slow down there, you should gradually ease your way up to the more powerful experiences. That's why the scale is IE, Opera, Firefox/Mozilla, lynx, telnet, links2. Skipping steps can lead to not having the tolerance to handle it and overdoses can be fatal.

  14. I frequently talk up by Clockwurk · · Score: 0, Troll

    the advantages of firefox to all my co-workers and to family members. I usually mention security (along with the great extensions), and tabbed browsing. With more and more vulnerabilities being found, I might need to start recommending other solutions like AvantBrowser or Opera.

    1. Re:I frequently talk up by jrcamp · · Score: 5, Insightful

      Yeah except Avant still uses Internet Explorer as its backend. All of these fixes for Firefox are for potential exploits, not something that's in the wild. It's a lot better track record than Microsoft has by far. Plus nobody's going to pay for Opera and they certainly won't put up with having ads in their browser.

    2. Re:I frequently talk up by Anonymous Coward · · Score: 0

      A potential exploit IS an exploit. To treat them otherwise is plain stupidity.

    3. Re:I frequently talk up by gl4ss · · Score: 1

      well.

      whatever you recommend them to use, anything that fondles with data that's downloaded from random sites should be updated frequently.

      i'm not entirely sure, but doesn't firefox's default start page mention if there's a new version available?

      --
      world was created 5 seconds before this post as it is.
    4. Re:I frequently talk up by Anonymous Coward · · Score: 0

      Exactly, by the time the advisory is given, a fix is not only already available but the hole is, so far, only theoretically exploitable. This is a far cry from what we're used to with Microsoft where the advisories are delayed and 'sploits are found in the wild.

    5. Re:I frequently talk up by merdaccia · · Score: 5, Insightful

      I disagree, though I wouldn't call your post a troll. But since I can't post and untroll you, I'll post and hope someone else might ...

      You shouldn't change your tune when security holes are discovered. Security holes exist in any application. Some are discovered, and some aren't. Your defense against security holes is twofold. The first part is that you want security holes to be discovered. The second part is that you want them fixed. The FOSS ideology helps with discovering them. And Mozilla's diligence helps with fixing them ... in fact, these holes have already been fixed.

      Compare this with not being able to discover security holes and not being able to fix them, and you start to see why FOSS is good and why Firefox is brilliant.

      --

      *blinking cursor*

    6. Re:I frequently talk up by badriram · · Score: 4, Informative

      firescrolling exploit example.... caution exploit code

      been out for at least 2 weeks..... just because the media does not cover something does not mean it doesn't exist.

    7. Re:I frequently talk up by Teja · · Score: 1

      I honestly don't mean to be a troll here but here is my word on Opera:

      Honestly, after using Opera for a year (7 months with ads) I can say that after a week's worth of use, I hardly ever notice the ads (And almost any user will agree to this). With a minimalistic theme and things minimized and all, it is almost like as if it doesn't matter that ad is there. After buying Opera, I can be certain and say that, the $39 I spent on Opera was the best money I ever spent on a computer software.

      --
      - Teja
    8. Re:I frequently talk up by Anonymous Coward · · Score: 0

      Security holes exist in any application

      Wrong, security holes exist in bloated, badly-written applications. If your statement is true, how come none of djb's software has security holes? (qmail, tinydns, dnscache, etc).

      Why people think Firefox has *less* bugs than IE is beyond me. It comes from the same software industry. Just changing the license doesn't magically fix bugs.

      As long as people think that "Security holes exist in any application." we will have this problem.

      I'm not picking on you specifically, but look at your own words:

      Your defense against security holes is two fold. The first part is that you want security holes to be discovered. The second part is that you want them fixed.

      You don't even think of the obvious: software should be designed WITHOUT SECURITY HOLES. I guess we've all given up on the possibility?

    9. Re:I frequently talk up by EMR · · Score: 1

      well, for one thing.. these "vulnerabilities" listed in this article have already been fixed in Firefox 1.0.1. Which is by FAR different from M$'s actions of fixing the vulnerabilities several months (or longer) after the vulnerabilities have become widely known about.

    10. Re:I frequently talk up by miu · · Score: 1
      If your statement is true, how come none of djb's software has security holes? (qmail, tinydns, dnscache, etc).

      Because they are so minimalist as to be useless in the face of the MS "feature machine" as well as actual progress in the state of the art. I agree that DJB's stuff is rock solid and is very useful for what it does, but you can't just freeze things in 1999 and pretend that you have created the solution for all time. "For what it does" when applied to DJB's software is becoming less relevant every second.

      Real software grows over time, and as it gets bigger there will be bugs. You don't accept the bugs, or just say "such is software", but you accept that somehow a mistake was made and fix it.

      --

      [Set Cain on fire and steal his lute.]
    11. Re:I frequently talk up by MrNemesis · · Score: 1

      I've paid for Opera. Twice. Opera software have been kind enough to grant me a license that will let me use it on every computer in the house.

      Why do I pay for a browser when FF is free? Because as great and capable as FF/Moz are, I prefer Opera.

      --
      Moderation Total: -1 Troll, +3 Goat
    12. Re:I frequently talk up by grenthal · · Score: 1

      This exploit doesn't work for me in Firefox 1.0.1 on Linux. Just because the site is still up doesn't mean it hasn't been fixed.

    13. Re:I frequently talk up by Anonymous Coward · · Score: 0

      Actually some of these vulnerabilities were posted on secunia around 6 months ago. They are FAR from being fixed fast. Go take a look at when they were actually reported.

    14. Re:I frequently talk up by DisKurzion · · Score: 1

      Doesn't work for Firefox 1.0 on XP SP2. I had AdBlock disabled.

      I'm not even running a firewall. The only security measures are my adblocking hosts file and AVG.

      So unless hitting the adservers was a mandatory part of that... I see no working exploit code.

    15. Re:I frequently talk up by badriram · · Score: 1

      duh.... The point was there was an exploit out for 1.0 and had been fixed in 1.0.1

    16. Re:I frequently talk up by Anonymous Coward · · Score: 0

      wow... i got a command shell, and does not work if i am logged in as a regular user.

    17. Re:I frequently talk up by Anonymous Coward · · Score: 0

      Agreed completely. I'd much rather use Opera, if only because the mouse gestures are built in rather than being a plugin with firefox.

    18. Re:I frequently talk up by shaitand · · Score: 1

      "Real software grows over time, and as it gets bigger there will be bugs."

      Yes but it shouldn't necessarily. Commercial software in particular grows because it has to grow to produce new versions to sell. All applications eventually stagnate. As was pointed out in an article I'm too lazy to look up and link to, this is where open source catches up when cloning a commercial product, the commercial product stops adding new useful features because it has matured (read office suites/desktops/webservers/etc) at this point open source software will catch up with the feature machine except with a rock solid and efficient implementation.

      Look at office, they haven't added much of anything worthwhile since office 97. The only thing they do now is bloat it. Just because the MS Feature machine is producing features doesn't mean those features are worth a damn.

    19. Re:I frequently talk up by pherthyl · · Score: 1

      Except I am immediately suspicious of the exploit site because the scrollbar does not behave like a normal scrollbar.

      The cursor turns to a hand (like over links) which immediately tells me something is wrong so I wouldn't even try to scroll using it.

    20. Re:I frequently talk up by Anonymous Coward · · Score: 0

      A potential homicide IS a homicide. Oh wait.

    21. Re:I frequently talk up by WIAKywbfatw · · Score: 1

      Plus nobody's going to pay for Opera and they certainly won't put up with having ads in their browser.

      Just because you won't pay for what many consider to be the best browser out there, or live with the unobtrusive text-based Google ads in the ad-supported version, that doesn't mean that "nobody" will.

      To be honest, for 99 percent of users, Opera is a far better browser than FireFox. But because FireFox is F/OSS and Opera isn't, and because this is a F/OSS-focused website, FireFox is put on an altar whilst Opera is constantly bashed.

      --

      "Accept that some days you are the pigeon, and some days you are the statue." - David Brent, Wernham Hogg
  15. THANK YOU SLASHDOT!!! by Anonymous Coward · · Score: 0

    For some reason the front page of Slashdot fails to render correctly on Mozilla and Firefox for me. I AM NOW FREE FROM COMPULSIVELY READING IT!!!

    1. Re:THANK YOU SLASHDOT!!! by Neil+Blender · · Score: 0, Offtopic

      For some reason the front page of Slashdot fails to render correctly on Mozilla and Firefox for me.

      Someone is surely going to come along and say it's a bug in Firefox, the fix will be in 1.1, blah blah blah. Funny how Slashdot is the only site I have ever seen that renders so poorly as to make it unreadable at times under Firefox and Netscape 7+.

    2. Re:THANK YOU SLASHDOT!!! by Anonymous Coward · · Score: 0

      Should read: ... Funny how Slashdot is the only site I have ever seen.

    3. Re:THANK YOU SLASHDOT!!! by Anonymous Coward · · Score: 0

      There's an extension to fix slashdot rendering in firefox ...

      I'll save you by not mentioning the URL or the fact that it is called SlashFix.

    4. Re:THANK YOU SLASHDOT!!! by Nemo+Black · · Score: 2, Funny

      I too have noticed that lately the /. front page has not been reloading correctly. I am in no way an expert with web page design, so correct me if I am wrong, but could it have something to do with style sheets?

      I only have this problem with the /. front page and no other page that I frequent.

    5. Re:THANK YOU SLASHDOT!!! by Anonymous Coward · · Score: 0

      That's not a fix, it's a work-around.

      Why on earth doesn't firefox/mozilla correctly render slashdot? I don't really care whose fault it is, it's been months and months!

    6. Re:THANK YOU SLASHDOT!!! by Anonymous Coward · · Score: 0

      i noticed today that sometimes i would load up slashdot and only the top header and lefthand table would load and the main selection of articles would be blank, one click of the refresh button would fix it and the page loads good then...

    7. Re:THANK YOU SLASHDOT!!! by helix_r · · Score: 1

      ...Funny how Slashdot is the only site I have ever seen that renders so poorly as to make it unreadable at times under Firefox ...

      What?
      I never had a problem with slashdot. What exactly makes it "unreadable"?

    8. Re:THANK YOU SLASHDOT!!! by Anonymous Coward · · Score: 2, Interesting

      What?
      I never had a problem with slashdot. What exactly makes it "unreadable"?


      Sometimes the stories or comments get shoved into the left nav. Sometimes the tables don't render at all leaving a largely blank page. This has been a problem since Netscape 7.0 came out (whatever version of mozilla that was.) In fact, when Slashdot put up the story about NS7 being released, I immediately downloaded it and just as quickly found the problem. I don't use windows much, but under linux, this has been a problem for quite a while. There are workarounds like ctrl +-, but the fact is that Slashdot does not render the same way every time. I have not seen this behavior to this extreme on any other website. If I were a slashcoder, I'd be extremely embarrassed. Then again, it seems that one quality required to be a Slashdot editor/coder is to be able to publicly make a complete fool out of yourself repeatedly for years and not give a shit.

      NB

    9. Re:THANK YOU SLASHDOT!!! by Aeiri · · Score: 4, Informative

      I too have noticed that lately the /. front page has not been reloading correctly. I am in no way an expert with web page design, so correct me if I am wrong, but could it have something to do with style sheets?

      No, it's a problem with the way the Gecko engine renders layers.

    10. Re:THANK YOU SLASHDOT!!! by Anonymous Coward · · Score: 0

      Top and left frames render, main frame doesn't render with exception of bg. After multiple refreshes, it jumps out of the bush and surprises you.

    11. Re:THANK YOU SLASHDOT!!! by Nemo+Black · · Score: 1

      Aeiri:

      Thanks for the insight. As I said, I am in no way an expert in web design and appreciate the info.

      -Nemo

    12. Re:THANK YOU SLASHDOT!!! by njcoder · · Score: 3, Informative

      I've seen it on other sites as well. Something about table widths being set to 100% or something. On some sites, the main text table cell doesn't show up until there's a reload. The same ctrl- ctrl+ fixes those too or a reload. It's really annoying.

    13. Re:THANK YOU SLASHDOT!!! by johndoe7776059 · · Score: 1

      This is fixed on the trunk, so the issue should finally go away when 1.1 comes out.

    14. Re:THANK YOU SLASHDOT!!! by FinestLittleSpace · · Score: 1

      I FOUND NEMO! Phew.

    15. Re:THANK YOU SLASHDOT!!! by Kehvarl · · Score: 1


      I never had a problem with slashdot. What exactly makes it "unreadable"?


      I'm sorry, I just can't respond to that in any meaningful, intelligent manner.

    16. Re:THANK YOU SLASHDOT!!! by Nemo+Black · · Score: 1

      Not that I am complaining, but I am curious as to why my previous comment was modded up +2 Funny.

      Would anyone care to explain to me why, so I can learn from the experience? Thanx!

      Nemo

  16. Internet Commerce On Its Way Out by jIyajbe · · Score: 0, Offtopic

    Even spoof the SSL icon? This is giving me the willies.

    Prediction: In 10 years, if there is no fundamental fix for these sorts of spoofs, or if the underlying model of the web is not changed, web-based commerce will be all but dead. Consumers won't trust any website with their credit card number, and with no money to be made on the web, the retailers will pull out too.

    'Course, this might be a good thing...

    --
    "Don't blame the log for the fire." --Andrew Ratshin
    1. Re:Internet Commerce On Its Way Out by GeorgeMcBay · · Score: 4, Insightful


      Prediction: In 10 years, if there is no fundamental fix for these sorts of spoofs, or if the underlying model of the web is not changed, web-based commerce will be all but dead.


      Are you on crack? People don't hesitate to hand their credit cards over to be carbon copied by pimply faced 17 year olds to make purchases at The Gap, why would they worry about SSL not being perfectly secure?

    2. Re:Internet Commerce On Its Way Out by GlassUser · · Score: 0, Offtopic

      Are you on crack? People don't hesitate to hand their credit cards over to be carbon copied by pimply faced 17 year olds to make purchases at The Gap, why would they worry about SSL not being perfectly secure?

      Because the news tells them daily how scary this big new internet is. They "know" they're much safer with what they've been doing for years.

    3. Re:Internet Commerce On Its Way Out by Anonymous Coward · · Score: 0

      "Prediction: In 10 years...web-based commerce will be all but dead."

      Yup! And won't that be a great day indeed. Why imagine a network just for the free flow and exchange of information. Deja vu all over again.

      But you're forgetting about retina scans, biometric ID, serial id's burned into chips and registered on the network and the end of anon web surfing.

      Money always wins out in the end. I wouldn't write it off [internet commerce] so fast. No matter how appealing the idea is.

    4. Re:Internet Commerce On Its Way Out by Chuck+Chunder · · Score: 3, Insightful

      SSL implementations have been barely usable for real people for years with their laughably tiny "padlock" indicator.

      Bugs aside things are just starting to look reasonable as far as SSL in browsers is concerned.

      Firefox puts the "padlock" where someone will actually stand a chance of seeing it (in the urlbar) and also color codes the URL.

      Opera does something similar in its recent beta but also displays the organisational name of the certificate owner aside the padlock.

      The spoofing problem isn't a fundamental flaw that is going to doom the future of browser based commerce. The reinvigoration of browser competition has started making things better for the end user.

      --
      Boffoonery - downloadable Comedy Benefit for Bletchley Park
    5. Re:Internet Commerce On Its Way Out by laci · · Score: 1

      Not at all. Even now you have to trust only one site: your credit card company's. Most CC companies now offer one time number you generate on the fly when you make an online purchase.

      --Laci

    6. Re:Internet Commerce On Its Way Out by stutterbug · · Score: 2, Insightful

      Because SSL protects no one against key loggers.

      Investigator1: We noticed that the 25 credit card fraud victims each shopped at The Gap five months ago. We talked to the store manager and interviewed the employees. One pimply faced teenager broke down in his interview and admitted he gave the credit card numbers to a member of a well-known, local crime syndicate. We arrested five people in our fair city. We recommend people carefully read their credit card statements each month and report any unauthorized purchases.

      Investigator2: We noticed that the 5000 credit card fraud victims had hard drives choking on pornography and had several key loggers. The key loggers were programmed to access an IRC channel that hasn't been active in five months. As the fraudulent purchases all took place in Eastern Europe, it is unlikely we will ever catch the perps. We recommend you do your shopping locally and avoid using the Internet for any financially sensitive activities.

      How's that?

    7. Re:Internet Commerce On Its Way Out by NardofDoom · · Score: 1

      Yes, but the pimply faced kid at the Gap can't do this with hundreds or thousands of cards at a time from halfway around the world.

      --
      You have two hands and one brain, so always code twice as much as you think!
    8. Re:Internet Commerce On Its Way Out by shaitand · · Score: 1

      Sounds like Visa's problem. Fraudulent charges are their problem not mine. If an actual human being can scam a "paper person" I say more power to him. And if you consider the number of shoppers on the web compared to the potential audience of the local gap, you'd likely find that proportionately the gap crime was bigger.

      This is my creditcard not my workplace. It doesn't matter if shit slides downhill and there is someone to punish when something goes wrong.

    9. Re:Internet Commerce On Its Way Out by Anonymous Coward · · Score: 0

      I agree completely. And what's more, I know how to fix it. You want a fundamental fix? I got it. Will I tell you? Hell no. I'm working on approaching a few major international banks with this as we speak. Just gotta figure out how to tell them without them taking the idea and telling me to hit the road.

  17. Security by Scoria · · Score: 1, Informative

    I was actually expecting this. Firefox is an immature fork. One vulnerability eliminated is one less to be discovered later. It is inconvenient now, but should expedite relative maturity in the base. I am, however, still awaiting an automatic update for my installation of Firefox 1.0... ;-)

    --
    Do you like German cars?
    1. Re:Security by Anonymous Coward · · Score: 0

      err . . . . Why are you still waiting? The update occurred like 2 months ago or something, this is old news.

    2. Re:Security by sho222 · · Score: 1

      read the parent - he's waiting for the automatic update (the little green up arrow in the upper right of the browser). He could have gone out and found the 1.0.1 update instead of waiting, but that would have required that he knew about the update in the first place. The whole point of the Firefox auto update is so casual users don't have to check for updates all of the time.

    3. Re:Security by Anonymous Coward · · Score: 0

      Except when one fix implemented is ten vulnerabilities to be discovered later.

  18. The bugs have already been fixed by Anonymous Coward · · Score: 4, Informative

    The bugs have already been dealt with. From TFA: "If you have downloaded the Firefox 1.0.1 update, you have nothing to worry about". In other words, Firefox has already fixed these security bugs and all Firefox users have to do is upgrade to 1.0.1.

    1. Re:The bugs have already been fixed by wjsteele · · Score: 1

      Man... I just "upgraded" to FireFox 1.0... now I have to upgrade to 1.0.1 already???

      Geesh.

      Bill

      --
      It's my Sig and you can't have it. Mine! All Mine!
  19. Let the timer begin by YoDave · · Score: 1, Funny

    I'd say let's start the clock and see how long this takes to get fixed but...

    1. Re:Let the timer begin by Compholio · · Score: 1

      I'd say let's start the clock and see how long this takes to get fixed but...

      If you start the clock now then it's about -7 days.

  20. Re:Here we go... by hawks5999 · · Score: 5, Funny

    I actually got an email from a friend of mine on the redmond campus warning me to be careful since I use that dangerous firefox browser about 3 hours ago. I told him I wouldn't believe it until I saw it on slashdot! :D

  21. it's already fixed. by Run4yourlives · · Score: 1, Informative

    RTFA

  22. remember people by Anonymous Coward · · Score: 5, Funny

    Your bank can and will ask you to confirm your password at random intervals via email.

    If in doubt about who sent the email, click on the link they provide in the email to get to your bank's website to make sure it's them.

    And remember, even banks sometimes forget to get their ssl certificates in order. No worries though, MS has been focusing on security for the last couple of years and IE is almost as solid as Firefox is....

    1. Re:remember people by jerquiaga · · Score: 1

      The sad thing is that some people will actually believe comments like yours.

    2. Re:remember people by Anonymous Coward · · Score: 0

      Bah! Passwords are just another form of security through obscurity, they don't work... Give it up, open source your accounts, your ssn, CC#, everything. Your personal information wants to be free!

    3. Re:remember people by vally_the_poo · · Score: 1
      No worries though, MS has been focusing on security for the last couple of years and IE is almost as solid as Firefox is....
      You probably mean IE is almost as solid as Firefox was... ?
  23. Hah! by Anonymous Coward · · Score: 4, Funny

    That's why I use Firef... uhhh what???

    1. Re:Hah! by Anonymous Coward · · Score: 0

      TEE HEE!

  24. MOD PARENT DOWN. PARENT IS A TROLL! by Joey+Patterson · · Score: 0
  25. Firefox bugs by benspikey · · Score: 4, Insightful

    Open source or Closed Source... makes no difference bugs and exploits will always exist. Claiming that firefox is the answer to all security problems is silly. Software by its very nature can be exploited for evil and no code is completely secure. Until people realize that the convenience of software is bundled with the risk of exploits and that no matter how many patches or code rewrites exist problems will always exist. Makes me glad I'm in the software business as I know my future is secure..

    1. Re:Firefox bugs by Anonymous Coward · · Score: 1, Informative

      It's already fixed, "ma'man".

    2. Re:Firefox bugs by Anonymous Coward · · Score: 0

      Actually if you go back like 2-3 years EVERYONE was claiming that Linux is more secure than Windows because of its design. Nothing to do with how many users use it. There are still some old skoolers that carry that on, but for the most part all Linux[1] users seem to slowly accept the fact that popularity == security.

      There will always be something to exploit, no matter how well it is written. Why? Because we are humans, and humans make mistakes. But it's not a mistake until another human shows us.

      Let's assume I am a hacker (cracker, call it what you want) with sufficient knowledge about virus writing etc... Why would I want for example write a virus for MacOS X if (a) the vast majority uses Windows XP and (b) I use Windows.

      There are also viruses for MacOS X and Linux so chill out you Linux fanatics. But they're merely just something quickly put together just to show it can be done. Nothing serious really.

      On a side note: I haven't seen any new Windows 95/98/ME viruses. I mean those that only run on 95/98/ME. I wonder why is that? :)

      [1] ok, I'm generalizing here, obviously they're not just Linux users, but you get the idea.

    3. Re:Firefox bugs by ConceptJunkie · · Score: 1

      On a side note: I haven't seen any new Windows 95/98/ME viruses. I mean those that only run on 95/98/ME. I wonder why is that? :)

      No challenge?

      --
      You are in a maze of twisty little passages, all alike.
    4. Re:Firefox bugs by swimmar132 · · Score: 0

      Who claims that Firefox is the answer to all security problems? It's a web browser, for god's sakes.

    5. Re:Firefox bugs by hennie · · Score: 2, Interesting

      Maybe off topic for TFA, but not so much for the post.

      I agree with you that the more popular a product is, the more it gets attacked. For example, virii need a certain population density of infectable hosts to proliferate. Linux machines, for example, are not there. I don't think it is truly worth anyone's time to write linux, or for that matter anything other than win32, virii.

      However, having agreed with you, I also want to argue the security case for linux. Let us for example take writing a virus for linux:

      To do some real damage in linux, a virus needs root access. People don't normally run as root so yes, linux and for that matter *nix is designed more secure than win32.

      Maybe I should clarify. In order for the virus to execute, it needs to load itself into memory and/or infect an executable.

      A memory only virus can be easily detected by a process list or something similar and killed by logging off or rebooting.

      Infecting an executable is problematic since it needs write access to said executable, a privilege users don't generally have. There are two ways around this.

      The first would be to create an executable with the appropriate privileges in the user's home directory or /tmp/. This would be the easiest way, but the destructive potential would be limited to the specific user. Also, the virus needs to add a line to one of the user's start up scripts to execute on login. Again, this would be trivial to detect and disinfect. If it becomes a problem, a system where MD5s are kept and checked periodically for startup scripts would be a good start.

      The second is to gain root privileges by exploiting kernel vulns or software vulns running as root. This is definitely not easy as it seems. Any cracker should be able to testify to that. Also, with so many flavours of linux, some exploits present in some software and some in others, the probability of your virus working is relatively low. This option is definitely not your VB script-kiddie job as some of the high profile w32 virii were - you need to be good to do this, but you could trash the whole system if you can get this right.

      OK, there is a third way. It involves tricking the user into actually giving root to the virus. I see that as the greatest threat if more computer semi-literates start using linux. This, IMO, is not an inherent problem of the OS, but the ignorance of the user and can only be fixed by education.

      Also, the path of infection in *nix is more difficult. With explorer integrated in the OS, adware and virii are much easier to get in through malicious websites or emails.

      To be honest though, the last Microsoft OS I used extensively was W2K which I only used to compile and test win32 versions of my code - usually after a lot of blood, sweat, tears, #defines and swearing;). I don't know much about their security model now. Could be quite good, but I doubt it since we still hear a lot about virii and adware infecting the systems.

      So, this is my (I think justified) opinion:
      The Linux security model, while not perfect is definitely better than the win32 model.

      To get a bit on topic:
      Yes, I use firefox exclusively to browse. Once again I don't think it is perfect. I love the features - can't live without tabbed browsing + extensions, but sometimes I get annoyed at some of the quirks - slashdot bug has me pressing ctrl+;ctrl- on every page load for example. BTW yes, it IS firefox's fault.

      Is firefox better/more secure/tighter coded than IE? Nobody that truly knows will ever tell - We probably won't trust them in any case ;) -. I actually have my doubts. According to some posts I read on slashdot, valgrind spits out quite a few memory leaks. Can't be bothered to find those posts, but try for yourself:
      $ firefox --debugger valgrind

      Also, late last year there was another slashdot story
      http://it.slashdot.org/article.pl?sid=04/10/19/0236213
      where firefox didn't do too good on broken html. IIRC there were a few buffer overruns involved which COULD POSSIBLY indicate security vulns. and certainly some slightly less than tight code.

      Just my opinion.
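The startup-script check suggested in the comment above (keep hashes of the login scripts and re-check them periodically), as an added example that is not part of the thread. It uses SHA-256 in place of MD5; the watch list, the baseline file location and the sample script contents are assumptions made for the illustration.

```python
"""Baseline-and-compare integrity check for per-user shell startup scripts."""
import hashlib
import json
import tempfile
from pathlib import Path

# Assumed watch list: files that common shells read at login or shell start.
# Files that do not exist yet are tracked too, because bash reads the first
# of .bash_profile, .bash_login, .profile that exists, so a newly created
# .bash_profile changes what runs at login without touching .profile.
STARTUP_FILES = (".profile", ".bash_profile", ".bash_login", ".bashrc", ".bash_logout")
ABSENT = "absent"


def file_digest(path: Path) -> str:
    """Return the SHA-256 hex digest of a file, or ABSENT if it is not a file."""
    if not path.is_file():
        return ABSENT
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(home: Path, names=STARTUP_FILES) -> dict:
    """Map each watched file name to its current digest (or ABSENT)."""
    return {name: file_digest(home / name) for name in names}


def save_baseline(home: Path, baseline_path: Path) -> None:
    """Record the known-good state. Store it where the account being
    checked cannot write (for example a root-owned directory), otherwise
    code running as that user can rewrite the baseline as well."""
    baseline_path.write_text(json.dumps(snapshot(home), indent=2, sort_keys=True))


def check(home: Path, baseline_path: Path) -> list:
    """Return (name, status) for every watched file that differs from the
    baseline; status is 'created', 'removed' or 'modified'."""
    baseline = json.loads(baseline_path.read_text())
    current = snapshot(home, names=tuple(baseline))
    findings = []
    for name in sorted(baseline):
        old, new = baseline[name], current[name]
        if old == new:
            continue
        if old == ABSENT:
            status = "created"
        elif new == ABSENT:
            status = "removed"
        else:
            status = "modified"
        findings.append((name, status))
    return findings


def demo() -> list:
    """Run the check against a constructed home directory."""
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp) / "home"
        home.mkdir()
        store = Path(tmp) / "baseline.json"
        # Constructed sample scripts standing in for a clean account.
        (home / ".profile").write_text("export PATH=$HOME/bin:$PATH\n")
        (home / ".bashrc").write_text("alias ll='ls -l'\n")
        save_baseline(home, store)
        # Constructed changes of the kind the comment describes: a line
        # appended to an existing script and a new login script appearing.
        with (home / ".bashrc").open("a") as fh:
            fh.write("/tmp/example-binary &\n")
        (home / ".bash_profile").write_text(". ~/.bashrc\n")
        return check(home, store)


if __name__ == "__main__":
    for name, status in demo():
        print(f"{status:9s} {name}")
```

A legitimate edit to a startup script shows up as "modified" too, so the baseline has to be re-recorded after each reviewed change.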

    6. Re:Firefox bugs by shaitand · · Score: 1

      Linux IS more secure than windows because of design. The reason you don't see many Win95/98/ME viruses is because most of the obvious security holes have been closed by this point and NT introduced a host of obvious RPC vulnerabilities.

      While there are vulnerabilities and bugs in all software, the design of windows is intentionally poor and advocates security through obscurity. This leads to inadequate code review and lots of trivial exploits. The holes in popular open source applications are much more difficult to exploit.

      For instance the only currently unpatched firefox exploit I am aware of requires not just specially crafting an image and convincing a user to view it, but to then drag that image to the address bar in a DIFFERENT firefox window.

      "Because we are humans, and humans make mistakes. But it's not a mistake until another human shows us."

      Yes but both the code and design of popular open source programs are reviewed by a larger number of coders than their closed source counterparts. All told thousands of people review the linux sourcecode and tens of thousands the design compared to a handful who review the core windows source.

      "There are also viruses for MacOS X and Linux so chill out you Linux fanatics."

      There are 0 linux viruses that will affect a fully patched system that I am aware of. There may be proof of concept exploits but even those are "this could theoretically happen in the wild" and usually in some service that may or may not be running on a system you have. If there is a bug in IE then that can potentially be exploited every time you open a folder with image preview.

      I would agree that more bugs will come out when a system is more popular. But with open source the more popular it is the more good guys are looking for problems. Unlike closed source applications this means those good guys can more readily find the problems and take the additional step of fixing them. The more popular an open source project the more difficult it is to successfully exploit it in the wild.

      "Let's assume I am a hacker (cracker, call it what you want) with sufficient knowledge about virus writing... (b) I use Windows."

      Although external forces may apply pressure, nobody with "sufficient knowledge" of technical matters uses windows. Wonder why.

    7. Re:Firefox bugs by Ogerman · · Score: 1

      Open source or Closed Source... makes no difference bugs and exploits will always exist. ... no code is completely secure.

      This is simply nonsense. It is quite possible to produce code which is completely secure, but most developers today either don't know how or don't take the extra time to do so. Because secure coding is ultimately about tight input checking, it can also have a negative effect on performance. But at some point you have to make tradeoffs. For popular (high-risk) software like OS'es and web browsers, the tradeoff always needs to fall in favor of security rather than development time or squeezing out every last ounce of performance.

  26. Re:MOD PARENT DOWN. PARENT IS A TROLL! by Anonymous Coward · · Score: 0

    Do we have a "-1:Stating the bleeding obvious" mod?

  27. It's obvious by SlashThat · · Score: 2, Insightful

    They want it to look more like "news".

    --
    1's and 0's should be free.
  28. Why Not Just Tell People to Update by r3v0ltn · · Score: 0, Redundant

    Considering how many people don't RTFA, the post would be more useful if it mentioned the Firefox update.

  29. So, how about Mozilla? by RealAlaskan · · Score: 0, Redundant
    Do these also affect Mozilla 1.7.5? How about 1.8.x?

    God forbid that I should RTFA; after all, this is slashdot.

    1. Re:So, how about Mozilla? by Anonymous Coward · · Score: 0

      It affects Mozilla 1.7.5 also. There is a fixed build already, but it's not yet released to public.

      I submitted this story (which was well written compared to this crap) this morning and was rejected after like 10 mins. I had links to all Secunia sites... I can't look at my story obviously but if I remember correctly there was also mentioning of 2 new exploits in Thunderbird, but a fixed version is under way this week (says Mozilla Foundation).

      I think we're about to see what most Linux zealots bash Windows for. Firefox is slowly becoming mainstream and web developers are just realizing it. Once Firefox is the dominant browser for porn sites you can expect there will be other exploits. More useful. We already saw the popup-under (or how they call it) and I assume more things are to come. I predict (remember this sentence well :)) that next is something to do with extensions. You will browse some porn site one day and an extension will secretly be installed to track your activities. While IE has ActiveX as something worth exploiting, Firefox has (IMO) an even bigger problem. The extensions are (or can be, for the most part) cross platform, so if someone figures out a way how to silently install an extension that will track your activities, this will (probably) affect all Firefox users, on all platforms. If you ever did an extension for FF you know it's perfectly fit for something like this. Just figure out a way how to install it without user's interaction.

      Of course the Mozilla dev team is hard at work patching Firefox as quickly as possible, but we'll see how this turns out. If there is a flaw in Firefox's extension system to allow installing of spyware, will devs rewrite or remove the extension system?

      How useful is actually Firefox without extensions.

      I wish them best, because it sure is my preferred browser, but I might just switch to Opera if I get too annoyed of those damn popups (popunders)... REWRITE THE POPUP BLOCKER!

  30. Re:MOD PARENT DOWN. PARENT IS A TROLL! by Anonymous Coward · · Score: 0

    Please tell me you're trying to get bad karma.

  31. Its out? by ad0gg · · Score: 0

    Really? I just went to check for updates button in the extensions manager and it says there are no updates for firefox. How am I supposed to know it got released? Better question, how are my parents supposed to know it got released? They don't read slashdot or any other technology news source.

    --

    Have you ever been to a turkish prison?

    1. Re:Its out? by mattcoz · · Score: 0

      Read what you posted, you pressed the check for updates button in the EXTENSION MANAGER. That button just checks extensions, which I would've thought was pretty obvious. In the options window you can check for Firefox updates, although it is set by default to check automatically on startup.

  32. MOD PARENT UP, GRANDPARENT DOWN, REPLIES DOWN by SirJaxalot · · Score: 0, Funny

    MOD GREAT GRANDPARENT UP

  33. Firefox ad hack! by bryan8m · · Score: 1

    Every time I load a page on Slashdot in Firefox it shows two prompts for passwords to these ad sites. Pretty annoying...

    1. Re:Firefox ad hack! by arootbeer · · Score: 3, Informative

      Hmmm...do you have a webserver on your box, and a no-ad hosts file?

      I ran into that when I had IIS installed and a hosts file with many ad servers sent to 127.0.0.1.

      I fixed it by turning off the Web Publishing Service.

    2. Re:Firefox ad hack! by Christianfreak · · Score: 1

      The better solution is to use 0.0.0.0 (null route) in your no-ad hosts file. That way your browser never even looks at the localhost and you can run a webserver without any problems.

  34. Re:ooh your good by Anonymous Coward · · Score: 0

    What kind of cheese?

    Do not doubt the importance of this fact!

  35. Every day is insecure by rueger · · Score: 4, Insightful

    Really, do we need a story every time some security problem appears in some software package? Surely anyone with half a brain understands that security relies on multiple protections.

    Firewall, virus scanner, frequent updates to all software. Maybe a change in OS.

    I really ignore all of these endless warnings any more and just trust that frequent updates and scans, and a reasonable amount of common sense and skepticism will protect me pretty much fully.

    1. Re:Every day is insecure by Chuck+Chunder · · Score: 2, Insightful
      Really, do we need a story every time some security problem appears in some software package?
      No. But then we aren't getting that either.
      Firewall, virus scanner, frequent updates to all software. Maybe a change in OS
      All great tools against browser spoofing I'm sure...
      --
      Boffoonery - downloadable Comedy Benefit for Bletchley Park
    2. Re:Every day is insecure by bonch · · Score: 1

      Slashdot loves to post articles on Microsoft software vulnerabilities. It's only fair that OSS vulnerabilities be covered as well.

    3. Re:Every day is insecure by Anonymous Coward · · Score: 0

      Really, do we need a story every time some security problem appears in some software package?

      and, besides, this will give more articles to MS than anyone else! Do we really want to do this?

  36. So is Billy counting bugs to go to sleep by gelfling · · Score: 1

    You know the MS PR warmachine will make the most of this, don't you?

    1. Re:So is Billy counting bugs to go to sleep by Anonymous Coward · · Score: 0

      And why shouldn't they. The Linux PR warmachine does the same thing with MS vulnerabilities?

    2. Re:So is Billy counting bugs to go to sleep by The+Bungi · · Score: 2, Interesting
      Kinda like the open source PR war machine (valiantly spearheaded by Slashdot) made the most of every single IE advisory and vulnerability in the past four years?

      Welcome to the real world. You can't have your cake and eat it.

    3. Re:So is Billy counting bugs to go to sleep by gelfling · · Score: 1

      No one said it was bad. On the other hand MS's view of facts is sometimes, uh I dunno....suspect? Remember these are the guys who said Windows is safer because there are more bugs that people find.

    4. Re:So is Billy counting bugs to go to sleep by poopdeville · · Score: 2, Insightful

      You can't have your cake and eat it.

      Sure you can. That's what having your cake means.

      --
      After all, I am strangely colored.
    5. Re:So is Billy counting bugs to go to sleep by dedazo · · Score: 1
      No one said it was bad. On the other hand MS's view of facts is sometimes, uh I dunno....suspect?

      Like.. uh I dunno.. reporting user-executed email attachments are vulnerabilities?

      Remember these are the guys who said Windows is safer because there are more bugs that people find.

      And of course this article proves that's a bogus claim.

      --
      Web2.0: I love when people Flickr my cuil and digg my boingboing until my google is reddit and I start to yahoo
    6. Re:So is Billy counting bugs to go to sleep by gelfling · · Score: 1

      Look dude, keep your ideological jihad to yourself. If you want to accept a priori that all or most of what MS tells you is the unvarnished truth, then do that.

    7. Re:So is Billy counting bugs to go to sleep by darien · · Score: 1

      Yeah, this saying seems to have got a bit twisted over time, and the meaning of "have" has moved on a bit... a modern rendering of this saying should be "you can't eat your cake and still have it."

    8. Re:So is Billy counting bugs to go to sleep by poopdeville · · Score: 1

      Whoever modded me insightful is an idiot.

      --
      After all, I am strangely colored.
    9. Re:So is Billy counting bugs to go to sleep by The+Bungi · · Score: 1

      I concur =)

    10. Re:So is Billy counting bugs to go to sleep by dedazo · · Score: 1
      "Ideological jihad"?? What, you think I'm somehow defending Microsoft? Microsoft?? Gawd.

      I can't help it if you feel insulted when I point out a fallacy with one of the "commandments" that help constitute the argument against proprietary software. Especially one that people around here like to repeat as if it were some kind of absolute, proven truth.

      Half-truths, delusion and FUD will get you nowhere, fast. We could be learning from Microsoft, but instead we keep making the same mistakes.

      --
      Web2.0: I love when people Flickr my cuil and digg my boingboing until my google is reddit and I start to yahoo
  37. Microsoft Firefox... by killtheOSSnazis · · Score: 1

    Microsoft Firefox is vulnerable.. what else is new?? wait a second... /confused

  38. Why doesn't Firefox 1.0 update to 1.0.1? by Mustang+Matt · · Score: 2, Interesting

    Does anyone have an explanation as to why firefox's online update feature doesn't upgrade to 1.0.1?

    --
    The man who trades freedom for security does not deserve nor will he ever receive either. - Benjamin Franklin
    1. Re:Why doesn't Firefox 1.0 update to 1.0.1? by RM6f9 · · Score: 1

      Fortunately, installing 1.0.1 does retain/transfer links/bookmarks,/etc...,
      (jes' did it ma own self)

      --
      Take the 90-Day Challenge! http://rwmurker.bodybyvi.com/
    2. Re:Why doesn't Firefox 1.0 update to 1.0.1? by dicepackage · · Score: 3, Insightful

      It does, Mozilla delayed the update because the servers were getting overloaded when it first came out. By now it should report there being an update and allow you to install that.

    3. Re:Why doesn't Firefox 1.0 update to 1.0.1? by Anonymous Coward · · Score: 0

      No it doesn't work. I installed today using the auto update feature and first it downloaded the setup[1] then tried to install it. All OK up to here. But then it finished and nothing happened. I couldn't open Firefox because some dialog came telling me some process needs to close before. I check Task Manager, see xpicleanup.exe and firefox.exe running. I leave it at that just to find out it still does nothing (CPU 0%) after 2 mins. Finally I try everything possible and then backup my entire Firefox folder, delete what's in and manually install it.

      TALK ABOUT AUTO UPDATE !

      [1] Which I could have done manually like a week ago if I'd known that this "auto update" feature is basically "don't have to go to mozilla.org and click the link update".

    4. Re:Why doesn't Firefox 1.0 update to 1.0.1? by SatanMat · · Score: 1

      There are still (bugs or issues) there. Yes, I got the update button, and it downloaded and tried to install, but it does not upgrade 1.0 it just installs 1.0.1 -- You need to UNINSTALL 1.0 THEN install 1.0.1 but there is yet no AutoUpdate -- or am I missing something?

    5. Re:Why doesn't Firefox 1.0 update to 1.0.1? by HD+Webdev · · Score: 1

      Yes, I got the update button, and it downloaded and tried to install, but it does not upgrade 1.0 it just installs 1.0.1

      HELP -->> ABOUT MOZILLA FIREFOX: "version 1.0.1"

      That means that it's upgraded.

      --
      This is not a dream, not a dream...we are transmitting from the year 1-9-9-9.
    6. Re:Why doesn't Firefox 1.0 update to 1.0.1? by caomania · · Score: 1

      I just tried it before posting - because I was under the impression that it was supposed to "check periodically." Even after manually clicking update I was not notified of the need to update.

      FF1.0 on os X. I casual downloaders will get the message otherwise the gains we've seen in usage recently good likely go away.

    7. Re:Why doesn't Firefox 1.0 update to 1.0.1? by SatanMat · · Score: 1
      HELP -->> ABOUT MOZILLA FIREFOX: "version 1.0.1"
      --yes... but in XP it leaves 1.0 in the add/remove progs, and it caused general unruliness on my machine YMMV I love Firefox and All things Mozilla...-- I'd just like to see a cleaner upgrade is all...
    8. Re:Why doesn't Firefox 1.0 update to 1.0.1? by HD+Webdev · · Score: 1

      I didn't notice that extra add/remove programs entry until you mentioned it, but OTOH, I'm used to programs doing that.

      Sun Java is the worst add/remove offender. I've seen lots of boxes with 4-5 entries for it. Uninstalling any one of them hoses java in my experience so I have to use a utility to clean up the add/remove programs listings.

      --
      This is not a dream, not a dream...we are transmitting from the year 1-9-9-9.
  39. Now, for all us non Firefox 1.0.1 users is by Ice+Station+Zebra · · Score: 1

    this really /. or a clever spoof that will steal my credit-card numbers, drain my bank accounts and kill my grandma?

    Arrrrrrrrrrrrrrrrgh......

    1. Re:Now, for all us non Firefox 1.0.1 users is by Aeiri · · Score: 1

      I don't know, but if you give me your credit card information I'll charge you 10 easy payments of only $9.95 so you can be 100% sure.

      All you have to do is click here.

    2. Re:Now, for all us non Firefox 1.0.1 users is by Ice+Station+Zebra · · Score: 1

      Does that include a /. subscription?

    3. Re:Now, for all us non Firefox 1.0.1 users is by Aeiri · · Score: 1

      No, you'll have to pay me 4 more payments for that. The subscription will be good until 03/04/2005.

    4. Re:Now, for all us non Firefox 1.0.1 users is by Ice+Station+Zebra · · Score: 1

      Sold!

      CC# 4111 1111 1111 1111
      Exp: 01/2037

  40. Where's the update? by teslatug · · Score: 1, Redundant

    What's the use of having an update feature if you never enable it or get it in a working state? I have never been able to update firefox through the built-in feature.

    1. Re:Where's the update? by The-Bus · · Score: 1

      Well, updates were a bit dicey. Today I noticed a green glowing thing in the top right-hand corner of Firefox. Being an idiot, I simply clicked on it. It says "Updates are available!" -- it downloaded them, upgraded my plug-in (Homeland Security Threat Level), and everything works A-O-K.

      My question is, why didn't they make this a little bit more obvious? Not a splash screen but maybe something that appears the first X times. How else would I have known Firefox was ready to update? Especially when "I" am Joe User?

      --

      Small potatoes make the steak look bigger.

  41. Great! by Anonymous Coward · · Score: 0
    All publicity is good publicity. Now that we have exploitation parity we need to get those ActiveX controls running and screaming for better interoperability.

    On the other hand, the jury's still out on the effectiveness of the raptor head. I mean even my lil's sister is seeing the writing on the wall and declaring the moz is dying. Maybe we need a new emblem like a leprechaun or something.

  42. Open Source.... by jrushton · · Score: 1

    is so good the bugs are fixed before they're found! :D

  43. Update download not seeing 1.01 ? by tcc · · Score: 0, Redundant

    Something I didn't like yesterday with my 1.0 I did "check for updates" within firefox, everything was up to date even though 1.01 was out for a while... I went on manually downloading the 1.01 update and install it.

    Am I the only one who got this?

    --
    --- Metamoderating abusive downgraders since my 300th post.
    1. Re:Update download not seeing 1.01 ? by billmustdie · · Score: 0

      I did the same thing for linux... I pressed the update button... (longer than usual progress bar filling) Then nothing. So I decided to grab the torrent (thanks slashdot)... then installed. Everything OK.

      But I, like you (I think), don't expect mom and pop to know this.

      Is the "update" button working under M$ yet?

      Anyone who uses firefox under M$ let me know please!

    2. Re:Update download not seeing 1.01 ? by xconfig · · Score: 1

      I have updated firefox under MS in the past.

      Funny thing happened today, though. The update icon showed up, I clicked on it, and it said there were no updates. I'm still not on 1.0.1

  44. Firefox 1.0 doesn't tell you about 1.01 by rimclean · · Score: 1

    The problem I have (and no doubt you will all tell me if I am wrong) is that I am running Firefox 1.0 and in my preferences I have the box checked to 'download updates to Firefox'. However, Firefox has never told me about 1.01 so I feel that disregarding the original posting because 1.01 is available is not really so smart, particularly as it is not obvious to the average user that the update is available. Having the option to automatically download updates gives users a false sense of security if the updates are never downloaded.

    1. Re:Firefox 1.0 doesn't tell you about 1.01 by Soldrinero · · Score: 5, Interesting

      I also waited for Firefox to alert me that an update was available, both to be kind to the servers and to see how the update process worked. Yesterday it alerted me to the update via a new icon next to the activity icon in the upper right of the window.

      Interestingly, when I went through the update process, it downloaded and installed the full 1.01 package. Does anyone know if this is how updates will be done in the future, or if Mozilla will migrate to a patch system?

      --
      I would rather be killed by a terrorist than enslaved by my government.
    2. Re:Firefox 1.0 doesn't tell you about 1.01 by Anonymous Coward · · Score: 0

      in my preferences I have the box checked to 'download updates to Firefox'. However, Firefox has never told me about 1.01

      This is a known bug for like 6 months already. You need to disable (yes UNCHECK) the 'download updates' box for this to work. Your extensions won't auto update either if you have it checked.

      Nasty and long ongoing bug since 0.8 I believe.

    3. Re:Firefox 1.0 doesn't tell you about 1.01 by Anonymous Coward · · Score: 1, Insightful

      http://forums.mozillazine.org/viewtopic.php?t=225601/

      The new Firefox autoupdate should be available around March 7th. Firefox 1.0 users who aren't experienced in handling profiles during the uninstall/reinstall process may want to wait. Autoupdate will install the 1.0.1 patch automatically and preserve all current settings, without the need to uninstall/reinstall. The Autoupdate feature should already be set on, as it is the default setting for Firefox 1.0. You can check for proper settings through: TOOLS ... OPTIONS ... ADVANCED ... SOFTWARE UPDATES ... check the boxes for "Periodically Check for Updates" for Firefox and My Extensions/Themes. Another setting to check is TOOLS ... OPTIONS ... WEB FEATURES ... CHECK "allow site to install software"

    4. Re:Firefox 1.0 doesn't tell you about 1.01 by Anonymous Coward · · Score: 0

      I did do this:
      TOOLS ... OPTIONS ... ADVANCED ... SOFTWARE UPDATES. and I saw a "Check Now" button.
      I pressed it and it showed that the 1.01 update is ready.
      I clicked NO to install and within a few seconds (guessing) I got a little up arrow in a red circle beside the FF throbber. I clicked that and the DL came down.

  45. Re:Here we go... by NEOtaku17 · · Score: 5, Insightful
    "How long before Microsoft jumps all over this, and uses it as yet another FUD related reason not to use Open Source software..."

    Try this one: How long does it take for Linux people to jump all over Windows vulnerabilities that have already been patched as a reason not to use Microsoft products?

  46. What about the bug bounty? by Anonymous Coward · · Score: 1, Interesting

    I wonder if these major flaws that are discovered are reported to Mozilla for their Bug Bounty program...

  47. Re:..the worst infestation ever... by cortana · · Score: 1

    By default, Firefox will only allow extensions (XPIs) to be installed from a whitelist of sites that starts out as (update.mozilla.org).

    For you to become infested with spyware by viewing a web site, you either added that site to the whitelist, or you were a victim of an unreported security problem. Did you report the site that infected you to bugzilla.mozilla.org?

  48. Same could be said of Windows by DigiShaman · · Score: 1

    You know, had I just said "No worries, just keep your browser updated." in regards to IE and Windows, I would have been modded down for promoting Windows in the first place.

    --
    Life is not for the lazy.
    1. Re:Same could be said of Windows by rasactive · · Score: 0

      Continuing your unfinished last sentence which you mistakenly cut off with a period: ", because it would be wrong, since IE has a really bad track record of not fixing bugs even though they've been discovered, and not even publicly acknowledging them."

  49. Re:..the worst infestation ever... by Anonymous Coward · · Score: 0

    And admit I visit sites like that? Never!

    I've been planning on setting up a VirtualPC and installing Firefox on that and visiting again, to see if it was a fluke or something... It's just not a priority at the moment.

  50. Hello?? Re:Internet Commerce On Its Way Out by sammyo · · Score: 1

    There is fraud all the time outside the internet. They have not shutdown the banking system yet. It will be a balance of usefulness vs. problems. Internet commerce is not going away.

  51. That's how the FUD engine works by EmbeddedJanitor · · Score: 5, Insightful
    Nobody ever got fired for buying Microsoft.

    If you encounter bugs while using IE, it is not your fault, it is Microsoft's fault.

    If you encounter bugs while using Firefox, it is your fault - you should have been using IE. You screwed up.

    That's unfortunately the mentality that will keep MS in business for a long time yet.

    --
    Engineering is the art of compromise.
    1. Re:That's how the FUD engine works by nacturation · · Score: 4, Funny

      Nobody ever got fired for buying Microsoft.

      Given that it's a free download, if you bought Internet Explorer, you *should* be fired.

      --
      Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
    2. Re:That's how the FUD engine works by Anonymous Coward · · Score: 0

      MSIE is part of windows. If you are getting it for free, then you should be fired.

    3. Re:That's how the FUD engine works by cerberusss · · Score: 4, Insightful
      If you encounter bugs while using IE, it is not your fault, it is Microsoft's fault

      This is funny, but very true. The same goes for MS Office documents. If you open a Word document in a different version of MS Word and it gets fragged, it's not your fault, it is Microsoft's fault.

      If, however, you open that same document in OpenOffice and it renders it wrong because of some crazy layout (think table cells that span multiple pages...), then YOU are to blame. You should have "just used normal programs"...

      This stuff drives me mad...

      --
      8 of 13 people found this answer helpful. Did you?
    4. Re:That's how the FUD engine works by shaitand · · Score: 1

      Why? That just means you're not using windows, MSIE is a free download for everyone whether they have windows or not.

    5. Re:That's how the FUD engine works by Anonymous Coward · · Score: 0

      "Nobody ever got fired for buying Microsoft."

      Actually the real quote is...

      "Nobody ever got fired for buying IBM."

      If you bought IE though you should be fired for wasting company money.

    6. Re:That's how the FUD engine works by Anonymous Coward · · Score: 0

      > Nobody ever got fired for buying Microsoft.

      "Nobody looks stupid for suggesting Linux."

    7. Re:That's how the FUD engine works by gosand · · Score: 1
      Nobody ever got fired for buying Microsoft.


      Oh no?

      --

      My beliefs do not require that you agree with them.

    8. Re:That's how the FUD engine works by EmbeddedJanitor · · Score: 1
      Nobody looks stupid for suggesting Linux.

      You normally get those rolling eyes "there goes that crazy hippy again" looks.

      --
      Engineering is the art of compromise.
    9. Re:That's how the FUD engine works by runderwo · · Score: 1
      If, however, you open that same document in OpenOffice and it renders it wrong because of some crazy layout (think table cells that span multiple pages...), then YOU are to blame.
      Um, no, Microsoft's still to blame for not providing information necessary to interoperate with their products.
    10. Re:That's how the FUD engine works by cerberusss · · Score: 1

      That's what you and I think, but for some reason my colleagues, managers and customers think otherwise.

      --
      8 of 13 people found this answer helpful. Did you?
  52. MSIE? by rice_burners_suck · · Score: 1, Interesting
    Vulnerabilities in Firefox?!???!!!?!?! I'm switching back to Internet Explorer. At least with that program, I was safe from all security issues.

    Just kidding... I use Opera. BTW, try the new Beta of Opera 8. It's quite nice.

  53. Solution: by Anonymous Coward · · Score: 1, Informative

    Firefox:
    Update to version 1.0.1.
    http://www.mozilla.org/products/firefox/

    =

    Firefox 1.0.1 Released
    http://it.slashdot.org/article.pl?sid=05/02/25/0327235&tid=154&tid=164&tid=162&tid=1


    The dup firefox /. article was brought to you by the firefox marketing campaign:

    http://www.spreadfirefox.com/

  54. Mozilla still has a ways to go by klui · · Score: 0, Redundant

    Well, Asa said that automatic updates would be rolled out in phases this week, but although en-US is enabled, my Windows 1.0 doesn't see any updates. I guess the updater needs a bit more work...

    1. Re:Mozilla still has a ways to go by nick8325 · · Score: 0

      Whoa, you still use Windows 1.0?! No wonder you don't see any updates - I didn't even know it had a TCP/IP stack! ;-)

      Actually, no automatic updates have appeared for me either. Hopefully they'll come in the next few days.

  55. SOP for Secunia... by Anonymous Coward · · Score: 5, Interesting

    They released their list of major vulnerabilities in IE two days before MS released the update and months after they reported the problems originally.

    They're just glory whores.

    1. Re:SOP for Secunia... by jBabel · · Score: 2, Insightful

      That's quite easy to say. But what if they were the original reporters for those vulnerabilities, and they kept quiet while MS & Mozilla fixed them? Couldn't they be allowed to publicize them now that they are fixed, and get the appropriate recognition without putting the users to risk?

      I haven't checked the history for those advisories; maybe they truly are 'glory whores', I'm just saying we shouldn't rush to judgement.

    2. Re:SOP for Secunia... by Myen · · Score: 5, Insightful
      In the case of Mozilla, Secunia regularly regurgitates the official Mozilla.org advisories (as is this case). Pretty much the time flow goes like:
      • vulnerabilities discovered; reported to mozilla.org
      • they sit for a while
      • eventually fixed and go into the next release
      • after a few days, mozilla.org opens up the security bugs fixed in that release and posts advisories
      • Secunia sees them and posts info on same advisories
      • people see Secunia with Mozilla vulnerabilities

      And I know Secunia didn't come up with the list because
      1. they link to mozilla.org (except in one case, where they linked to iDefense) as original advisories
      2. "Please note: The information, which this Secunia Advisory is based upon, comes from third party unless stated otherwise. Secunia collects, validates, and verifies all vulnerability reports issued by security research groups, vendors, and others."
      3. I recognize names from the list - Phil Ringnalda is the Chatzilla guy, and Doug Turner is Minimo. So they already work on Mozilla a lot. That, and I'm in the list (probably undeserved).
  56. Re:ooh you're good by Anonymous Coward · · Score: 0
    • You may have noticed that, out of my love of the English language, I've corrected my subject-line mistake in grammer.
    It's grammar...
  57. stupid slashdot... by Anonymous Coward · · Score: 0

    I can't-you morons have slashdotted it.

    Now how am I supposed to update?

  58. Food for thought... by Ericzombie · · Score: 3, Interesting

    Anyone else notice how now that Firefox has gotten pretty big, you're mostly hearing about firefox issues, rather than the slew of IE issues that we used to be swarming over. In essence it makes sense as most /.ers have upgraded to Firefox, however it just seems to be working that way. I don't think that M$ could have gotten all of the kinks out of IE, so what's the deal?

    1. Re:Food for thought... by WillAffleck · · Score: 1

      you're right ... I agree they attack Firefox while ignoring IE issues that were never addressed. So, in case anyone hasn't heard this: I just wanted to say IE sucks really bad, especially if you're on a Mac and they won't do anything useful.

      --
      Will in Seattle
    2. Re:Food for thought... by Anonymous Coward · · Score: 0

      Firefox does have security issues and IE's are not ignored. It's just that Firefox is much used now, and so security firms and hackers are targeting it, just like they did with IE for so many years. It's the same kind of shit.

    3. Re:Food for thought... by FyberOptic · · Score: 2, Insightful

      Microsoft's security has always been such a huge public issue in the past primarily because a.) nobody online has anything else to report on, and b.) people love to hate on Microsoft, despite most of them still using their products.

      All complicated pieces of software, like browsers and operating systems, are going to have flaws. They've been found in every OS, and every browser. They'll continue to be found, as long as they make up a large part of the market, because not only are these what "hackers" search for, but also security professionals.

      So the Firefox team will fix their flaws, just as the Microsoft team has continued to do so for theirs. However, Firefox's will now get brought into the public's attention much more as it becomes more popular, even though flaws have existed for it all along, as anyone who views the release log on their site can see. But only IE got the attention for being riddled with problems up till now.

      So this just further proves that it's not just Microsoft's problem. Firefox is going to get its share of the limelight now, for better or worse.

    4. Re:Food for thought... by Embedded2004 · · Score: 1

      The obvious reason for this is, IE 6 was released many years ago, and based off code released many years before that. I wouldn't be surprised if there was a couple hundred cumulative "issues" with IE. It is no surprise that there hasn't been as many issues recently with IE, if that is even the case. Without any new releases or feature updates, even IE could partially stabilize. However, once they realize new updates, with the new wizbang features their counts will rise once again. The lesson to take away from this, is even though no software can be perfectly secure, those designed with a sense of security in mind, will always outperform those without (for example activex & IE).

  59. Re:Here we go... by Statecraftsman · · Score: 2, Interesting
    I see this as the beginning of what could be called a vulnerability war. We all know there are tons of bugs in any software that's actually released to the wild. With that said, the number of vulnerabilities that are found is really just a function of how hard people look.

    Once found, if people want to be malicious about it, they'll release the vulnerability information to black hats, then the public, then the company(if at all). If bugs cause people to switch browsers, all that needs to be done is make sure you find more bugs in your competitors software.

    I read an article not long ago questioning whether posting vulnerability information in any public forum was really a good idea and the question still remains.

  60. And in other news... by lortho · · Score: 1

    ...new vulnerabilities were also discovered in Internet Explorer 5.5, Netscape 3, Mosaic 1.0... (er, wait a sec...)

  61. Phishing "vulnerabilities" need a special category by argent · · Score: 5, Insightful

    I don't think these kinds of "phishing exploits" should be classified with security vulnerabilities. They make it easier to fool a naive user... but they're not at all necessary... the existing phishing attacks will continue to succeed as long as companies keep asking people to do stupid things.

    I really have received real, legitimate mail from Microsoft asking me to download and apply a patch... and nobody at Microsoft I spoke to saw anything strange about it... and the IT people where I work have done the same kind of thing even after I asked them not to and they agreed they wouldn't.

    The term "Security vulnerabilities" needs to be restricted to things like remote execution attacks, watering it down doesn't help anyone.

  62. This just in... by Transcendent · · Score: 4, Funny

    ...slashdot doesn't display correctly in Firefox 1.0+

    More at 11.

    1. Re:This just in... by omahajim · · Score: 1
      Care to be more specific?

      Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050223 Firefox/1.0.1 here, no problems reading, posting, modding, etc.

    2. Re:This just in... by Anonymous Coward · · Score: 0

      Every so often I've noticed with 1.0.1 the title bars stretch wide on the screen and the content appears just off the left side. I never had this problem with 1.0, so I guess it's new or slashdot broke something.

    3. Re:This just in... by WhatAmIDoingHere · · Score: 1

      It's a known bug, /. won't fix it. There's a "fix" for /. (google for it) and I hear in 1.2 or later of FF they will address the issue.

      --
      Not a Twitter sockpuppet... but I wish I was.
    4. Re:This just in... by NiteMair · · Score: 1

      Yes, I see it too with FF 1.0.1, until I log into /., and then it renders fine...

    5. Re:This just in... by HD+Webdev · · Score: 1

      ...$£4$hÐ07 Ð03$n'7 Ð1$p£4¥ (0rr3(7£¥ 1n 1r30x 1.0+

      M0r3 47 11.


      Wow, Slashdot does look weird with the 1.0.1 update.

      --
      This is not a dream, not a dream...we are transmitting from the year 1-9-9-9.
    6. Re:This just in... by Platinum+Dragon · · Score: 1

      So I'm not the only one that has noticed many more botched Slashdot renderings over the past couple of days? Galeon 1.3.18/Mozilla 1.7.5 here, and the infamous rendering problem only occurred rarely until a couple of days ago. Now, half the pages I load come up with the stupid overlap issue.

      I think someone "updated" Slashcode and exacerbated whatever issue is causing the random botches in the first place. I also think this is an indication it's not entirely a Gecko problem, but a problem with Slashcode that only manifests in Gecko; I don't recall similar complaints from IE or KHTML-based users.

      --

      Someday, you're going to die. Get over it.
    7. Re:This just in... by TechnologyX · · Score: 1

      Ugh... again, a FF post, and again, the same stupid shit:

      "
      "OMG I dont see it"
      "OMG its because /. isn't XHTCSSXUL 3.9985566 Compliant!!!oneone!"

      It's a race condition in Firefox that is fixed in the 1.1 branch

      Would people STOP modding this shit up.

      --
      Slashdot sucks
    8. Re:This just in... by dpete4552 · · Score: 1

      So let me get this straight: It takes some time for a particular bug to get noticed, once it is noticed some observations are made as to what could possibly be causing the issue, and with the next version of the app the issue is corrected. That is what is bothering you so much??

      Would you rather it be:

      "
      "OMG IE isn't rendering this markup correctly."
      "It's a condition in IE that is fixed in the Foghorn branch of Windows that will be released in Q1 of 2010. Just find a different way of coding your site in the meantime."

      --
      http://www.archive.org/details/ThePowerOfNightmares
    9. Re:This just in... by Transcendent · · Score: 1

      Root cause? It's not valid HTML, so the "HTML de-obfuscator" in all modern browsers has to take over. It's just that Firefox's isn't as good, apparently.

      Funny thing is though, if you go to a link in slashdot, then hit the back button, the page will be displayed just fine. A similar problem is with the ATI website, where you have to go to the main page, then hit refresh for the menu effects to line up properly.

    10. Re:This just in... by Anonymous Coward · · Score: 0

      You know, I used to be sceptic about this too..

      But last week FF 1.0 did indeed screw up slashdot's layout, and is doing this frequently now..

      it's no myth, there is a bug !

    11. Re:This just in... by TheGratefulNet · · Score: 1

      another 'fix': in firefox, click up and then down one size in fonts. effectively doing a no-op, YET it does cause the overlap problem to go away. for the currently loaded page, that is.

      control 'plus' and control 'minus'. try it.

      (gecko guys: can't you get broken sites like slash to NOT have this overlap? been in gecko for ages now) ;(

      --

      --
      "It is now safe to switch off your computer."
    12. Re:This just in... by rsadelle · · Score: 1

      It's not just you. I'm using Mozilla 1.7.3, and before today, I'd never seen the infamous rendering problem. Today, it's happening once for every two or three times I return to the front page.

    13. Re:This just in... by Transcendent · · Score: 1

      Wanna know a bug with that? Hold down the minus (with Ctrl), and the text will go as small as possible, then certain sections get large again. It's not like it's looping around, but it's just weird like that.

      Doesn't happen for +... i.e. the text doesn't get small after holding it down for a while.

      ...at least on my system.

  63. i'll take it! by nuckin+futs · · Score: 2, Insightful

    i'm willing to deal with a couple firefox vulnerabilities over that browser that runs activeX controls.

  64. Re:Proving once again... by Anonymous Coward · · Score: 0

    This is VERY well said. Please mod the parent up. The guy is truly objective!

  65. oh great by timmarhy · · Score: 1, Insightful

    so we are going to get an article every time a vun. is found in an app now

    --
    If you mod me down, I will become more powerful than you can imagine....
  66. And in 10 Years... by Belial6 · · Score: 0, Offtopic

    The big old Internet is what they'll have been doing for years.

  67. Installing 1.01 by PromANJ · · Score: 2, Informative

    If anyone wonders about installing, here's what I did:

    The DL link can be found here:
    http://www.mozilla.org/

    After downloading that I closed all windows and uninstalled 1.0 (winXP) by using add/remove programs and clicked yes on delete folder. My settings/profile/chrome stuff is not in that folder, but here in my case:
    C:\Documents and Settings\My puter name\Application Data\Mozilla\

    Then I installed 1.01 by clicking the exe
    Done. My extensions, chrome, bookmarks seem to be intact, which of course was my biggest worry. My start menu just turned black though :/


    The update thing in 1.0 just checked/updated my extensions, and my flash blocker stopped working. I took a look in about:config and the build and version number was still old, so that thing definitely didn't update to 1.01

    1. Re:Installing 1.01 by tech_nine · · Score: 1

      update worked like a charm to me, no issues at all

    2. Re:Installing 1.01 by Mant · · Score: 1

      I had some strange problems. SpellBound stopped working and needed an uninstall and reinstall. Even more strange, the browser crashed whenever I typed www.amazon.co.uk into the address bar. The error reporting has never worked properly through the company firewall or I would have sent the reports off.

      Uninstalling and reinstalling the browser didn't help, but after running it in safe mode once everything was OK.

      I really like FireFox, but upgrading needs to be made less painful. Just a patch please, and no uninstall/reinstall.

  68. Oh come on! More FUD by Anonymous Coward · · Score: 0

    The idea of Firefox having more vulns exposed as it becomes more popular is FUD! uh...

  69. Updated by Anonymous Coward · · Score: 0

    Just as I was reading this thread a little box popped up that read 'Updates available' - it was for Firefox 1.0.1 :D

  70. Bonus! by cliffiecee · · Score: 0, Offtopic

    I just upgraded, and suddenly I have mod points!

  71. Links rules!!!!! by Anonymous Coward · · Score: 0

    I didn't notice links or lynx in the list.... yes!

  72. 1.0.1 update by Anonymous Coward · · Score: 0

    I just did my 1.0.1 update. What I like was that it was painless, quick, and didn't destroy the Windows kernel.

  73. Phew, I'm safe!! by Anonymous Coward · · Score: 3, Funny

    I use Internet Explorer.

  74. patch by minus_273 · · Score: 0, Offtopic

    is available here

    --
    The war with islam is a war on the beast
    The war on terror is a war for peace
  75. All of this stuff isn't new by darthcamaro · · Score: 1

    It was all in the Mozilla advisory and if you looked at it you would it there. Secunia is just taking advantage of the situation claiming they've "discovered" 8 new items. F'ing profiteers.

  76. Re:Proving once again... by Anonymous Coward · · Score: 0

    It's funny how a bug for IE is treated with ridicule and jest but the same thing for Firefox is "no big deal"... hypocrites all.

    These bugs have already been fixed, Mr. AC, and the article is just hype. How long did you have to wait for them to fix IE again before you pounce on Open Source? Actually perhaps you should just keep talking, you are your own worst enemy...

  77. Auto Update by assassinator42 · · Score: 0

    I see they finally added it to auto update. Did they just do that today? I wonder if this and adding the update to auto update had anything to do with each other.

    1. Re:Auto Update by Tuntematon · · Score: 2, Informative

      I don't think so, automatic update has been on the works since/before the full FF 1.01 release.

      --
      By Tuntematon
  78. Hey! Don't dis the deck of cards... by NotQuiteReal · · Score: 1

    ...dumber than a deck of cards. Hey, some of us make a good living from that deck... oh never mind.

    --
    This issue is a bit more complicated than you think.
    1. Re:Hey! Don't dis the deck of cards... by pommiekiwifruit · · Score: 1

      And in Cryptonomicon a deck of cards is described being used as a secure encryption technique!

  79. Re:Here we go... by dcam · · Score: 3, Funny

    I think you mean, you won't believe until you have seen the dupe on slashdot.

    --
    meh
  80. Microsoft Reaction by Anonymous Coward · · Score: 2, Funny

    MS Spokesperson:

    Firefox is really not enterprise ready. Just look at the rate of patches. Why in the product's entire lifecycle, they've only had one patch to a production release. Only one!!! Compare that to Internet Explorer, which not a day used to go by that we'd patch something, or make a fix of some form. We've produced more IE patches and fixes than Firefox can ever dream of.

    Thusly, we must be much more focused on security. If Firefox/Mozilla were, don't you think they'd have to patch their software as much?

  81. Re:Proving once again... by Anonymous Coward · · Score: 0

    Actually, most IE security flaws were fixed before they were revealed.

    Despite the "romantic" notion that crackers are brilliant programmers, most exploits are triggered by the announcement of flaws, not by the skills of the criminals.

  82. the real difference by IdentifiedDareDevil · · Score: 4, Interesting

    (for me) isn't really the technology or the security. IE and firefox are really not that far apart in terms of bugs/features (yet).. the main difference to me is that on one hand, you have a greedy, monopolistic company working outside proper market forces - allowing it to decide when and how it improves its software (IE 6.0 released in Aug 2002 - what major sw app can get away with a 3 year major release cycle?) vs. Firefox/Mozilla - a grass-roots collaboration of people who are trying to make something significant and have fun at the same time.

    The choice for me is not a lot different than choosing to live in the Soviet Union or the United States. I'd rather not eat the gruel (or browser) someone else thinks is all I deserve.

  83. bizzt! by Leers · · Score: 3, Insightful

    -1 Insulting Mods

  84. What's the problem with credit cards? by TheLink · · Score: 2, Insightful

    With my credit card, in event of fraud - it's NOT my money that's gone.

    I just have to inform the card company that the transaction was not good. And I don't have to pay for it. And since it's not MY money, it's someone else's problem.

    At worst, I can't use the affected card and the card company issues me a new card.

    That's OK - I have more than one credit card.

    I'm far more puzzled by the popularity of debit cards. If stuff happens it's YOUR money that's gone, so YOU have to be the one working your butt off trying to get your money back.

    Even cash isn't as safe. You buy something with your credit card and the merchant cheats you, it's a lot easier to fix.

    The online merchants AND banks are the ones who should be worried. Too many customers tricked/exploited and their business would be affected.

    1. Re:What's the problem with credit cards? by Christianfreak · · Score: 1

      I'm far more puzzled by the popularity of debit cards. If stuff happens it's YOUR money that's gone, so YOU have to be the one working your butt off trying to get your money back.

      Errr ... no. Debit cards have real credit card numbers too (and have the credit card type on them as well), so that it all works on the same system. Your "credit limit" is just whatever you have sitting in the bank. If someone cheats me, I call my bank and they stop payment just like they would a check. Same if I lose my card, etc. etc.

    2. Re:What's the problem with credit cards? by jfulcer · · Score: 1

      Visa debit cards are covered under their 'zero liability fraud' policy. They've been advertising it pretty heavy lately with that lady in the parking lot that has all the superheroes come to her rescue. lame. http://usa.visa.com/personal/security/zero_liability.html/

    3. Re:What's the problem with credit cards? by TheLink · · Score: 1

      Errr, yes. "Stop payment" only works if you manage to do it _before_ the money is gone.

      Once the money is gone, it's your money that's gone.

      Even IF the bank is working to get your money back, you sure can't use YOUR missing money.

      Whereas that's not a big problem with credit card stuff. The Bank et al have to prove that it's actually YOUR money that's gone, rather than THEIRS...

  85. OMG, a 1.0 product is not perfect....? by ispland · · Score: 2, Funny

    Firefox, a version 1.0 product, has minor defects?
    OMG, I demand a full refund now!

    (But I sure am glad that people smarter than I am are able to inspect the code, find and expose the bugs before disaster strikes.)

    --
    What would Groucho do?
  86. Re:ooh you're good by Anonymous Coward · · Score: 0

    No, it's spelling.

  87. Re:ooh you're good by Anonymous Coward · · Score: 0

    No, it's faggotry.

  88. MOD PARENT UP! by Anonymous Coward · · Score: 0, Interesting

    +1 Informative.

    There is no reason to use JavaScript for displaying web pages. It's just stupid. Everyone should turn all scripting off (JavaScript, VBScript, ActiveX, Flash, etc.), and avoid web sites that require it.

    Almost anything productive that is done with JavaScript can be done using forms. I know some people will say "But without JavaScript, verification will have to be done on the server instead of the client, and I won't be able to pop up new windows programmatically." Well, boo hoo. First of all, any web site that is the least bit secure will revalidate the form fields anyway (to prevent cracking), so the only thing being saved by client-side validation is a little bit of bandwidth to refresh the page if a field is wrong. (If it takes a lot of bandwidth to refresh a forms page, then there's something wrong with the page.) As to the pop-up complaint, well, I don't want the fucking page to pop up any fucking windows programmatically. Give me a link and let me make up my own mind.

    Web page scripting sucks, and should be stopped.

    1. Re:MOD PARENT UP! by Tony-A · · Score: 1

      "But without JavaScript, verification will have to be done on the server instead of the client..."

      Verification is done by something over which you do have control.
      Other than fresh malware, you do not necessarily have control over the browser. The browser might be faking it, scripts and all.

  89. I find it interesting by harryoyster · · Score: 3, Interesting

    I would love to see how they actually find some of these vulnerabilities. Direct from Secunia: "The vulnerability is caused due to missing URI handler validation when dragging an image with a "javascript:" URL to the address bar. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an arbitrary site by tricking a user into dragging an image to the address bar." Don't think I've ever dragged anything from a web page in my life.. I may be a newbie though (only been on the net since 1992)..

    --
    Got a question about UNIX ask it here : Unix/xBSD Forum
    1. Re:I find it interesting by Anonymous Coward · · Score: 0

      No, that's exactly why you haven't dragged anything off of a webpage. The 'new' paradigm is drag-and-drop after all. All the 'leet' doods are using it, don't you know..

      Forget us old fogies with our keyboards and CLIs...
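
Added example, not part of any comment in this thread and not Mozilla's or Secunia's code: the advisory quoted in comment 89 describes missing validation of the URI scheme on dropped data. This JavaScript sketch puts an allowlist check on the parsed scheme next to a naive prefix blocklist; the function names, the allowed-scheme set and the sample strings are assumptions constructed for illustration.

```javascript
// Schemes a drop target is willing to navigate to (assumed policy, not Mozilla's).
const ALLOWED_SCHEMES = new Set(["http:", "https:", "ftp:"]);

// Weak form: blocklist on the raw string. Case changes, leading spaces and
// embedded tabs all slip past it, although a URL parser still reads the
// result as a "javascript:" URL.
function naiveBlocklistAllows(raw) {
  return !raw.startsWith("javascript:");
}

// Hardened form: parse first, then allow only known-good schemes.
function classifyDroppedUri(raw) {
  if (typeof raw !== "string" || raw.length === 0) {
    return { allowed: false, reason: "empty or non-string drop data" };
  }
  let parsed;
  try {
    // The WHATWG URL parser trims surrounding whitespace, removes embedded
    // tabs/newlines and lowercases the scheme before we inspect it.
    parsed = new URL(raw);
  } catch (err) {
    return { allowed: false, reason: "not an absolute URL" };
  }
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) {
    return { allowed: false, reason: `scheme ${parsed.protocol} not allowed` };
  }
  return { allowed: true, url: parsed.href };
}

// Constructed sample drop payloads (not taken from the advisory).
const SAMPLES = [
  "https://example.org/logo.png",
  "javascript:void(0)",
  "  JaVaScRiPt:void(0)",
  "java\tscript:void(0)",
  "data:text/html,<b>x</b>",
  "logo.png",
];

// Returns one row per sample: [input, naive verdict, allowlist verdict].
function compareChecks() {
  return SAMPLES.map((s) => [
    s,
    naiveBlocklistAllows(s),
    classifyDroppedUri(s).allowed,
  ]);
}

for (const [input, naive, strict] of compareChecks()) {
  console.log(JSON.stringify(input), "naive:", naive, "allowlist:", strict);
}
```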

  90. Re:ooh you're good by ShagratTheTitleless · · Score: 0

    No, it's Dead Horse Beatery.

    --
    Sometimes at night I imagine the darkness is filled with horrible things with too many teeth, like Julia Roberts.
  91. Re:..the worst infestation ever... by Anonymous Coward · · Score: 0

    And admit I visit sites like that? Never!

    Fine - in that case, post a link here as an AC, and let someone else do the risky testing and embarrassing reporting for you.

    If you refuse to do that, I'm afraid the only possible conclusion is that you're making stuff up...

  92. Why worry? by Anonymous Coward · · Score: 0

    Why are you guys even worrying about this? You could go back to IE and deal with its security holes instead. Let's see, let me do this math ::calculates:: Nope! IE still sucks...

  93. Let's time them by thehunger · · Score: 1

    See how fast this is getting fixed..

  94. VISA's Zero Liability plan is useless. by hedora · · Score: 2, Informative

    No, in practice, debit cards are not covered by the zero liability plan. From VISA's site:

    *Covers U.S.-issued cards only. Visa's Zero Liability policy does not apply to commercial card or ATM transactions, or to PIN transactions not processed by Visa. See your Cardholder Agreement for more details.

    **Cardholders should always regularly check their monthly statements for transaction accuracy. Financial institutions may impose greater liability on the cardholder if the financial institution reasonably determines that the unauthorized transaction was caused by the gross negligence or fraudulent action of the cardholder--which may include your delay for an unreasonable time in reporting unauthorized transactions.


    Before you think 'I can keep my PIN secret, so what's the problem?', try to figure out how a transaction was processed by looking at your bank statement. Was it credit or debit? What network processed the transaction?

    I recently had my VISA card used fraudulently, and was stuck footing the bill.

    The 'call this number if your card is lost or stolen' number on the back of the card didn't work. Apparently, the organization that I contacted does not handle debit cards.

    The charge was for $40; the zero liability plan applies to the first $50 of fraudulent transactions.

    Of course, my bank "didn't know" how the charges were made, and ATM/pin transactions are not covered, so I couldn't take advantage of the Zero Liability policy without paying the bank to figure it out for me.

    I found that the vendor (McAfee) was totally unresponsive (I never managed to contact a human being after trying for a few hours), so I could not obtain any information about the transaction (I thought I would get an IP address or a shipping address. Yeah, right!)

    The bank wanted to charge well over $100 to 'launch an investigation', which would be billed as an initial cost plus an hourly fee, and could drag on indefinitely.

    VISA charges vendors a few percentage points of every purchase you make. If the per-transaction fees aren't being used to combat fraud on the network, or even to maintain contact information for a handful of major vendors, what are they for?

    If the average amount of a transaction is $5, and Visa takes 1% (two very low estimates), that's costing the vendor $0.05. For what? Sending a few kilobytes of data over an encrypted line? Running a (really expensive!?!) database transaction?

    I've been dumping around a bit over 1% of my income into this network for years. If federal tax is 20%, that's roughly as much as I've put into the department of education and department of transportation, combined!

    At this point, I think I'll just carry cash, since it's less of a hassle. If I get mugged, I'm out $100, and that's it. With a VISA card, I get to negotiate with my bank over who is liable for what, and there is a huge risk of electronic fraud. Besides, using cash keeps prices lower, and most businesses are happy to accept it.

    1. Re:VISA's Zero Liability plan is useless. by TheLink · · Score: 1

      As I said. Credit cards are fine. Cash is OK.

      Say NO to debit cards.

      If the same thing happened and it was a Credit Card transaction, the Merchant loses or the Bank loses. There's no need to negotiate with the Bank - just say "I didn't agree to that, I'm not paying".

      Heck, someone I know screwed up once and did a chargeback of a _valid_ transaction. It's probably because he didn't recognize the actual payment handling company (which can be very different from the merchant) - this is quite common.

      When that someone figured out he'd screwed up he was a bit too embarrassed to use the same card, so he used another credit card to redo the payment ;).

      The Merchant apparently was very very grateful.

  95. open source just as insecure as closed source by h4x0r-3l337 · · Score: 0, Flamebait

    This appears to confirm once again that open source software isn't inherently more secure than closed source software. It's just that open source is less popular, and therefore not as big a target. With the increasing popularity of Firefox and other open source software, expect more and more vulnerabilities to surface.

    1. Re:open source just as insecure as closed source by sexylicious · · Score: 1

      Maybe... but at least the vulnerability no longer exists if you got the latest update, which has been out for a couple of weeks now...

      from TFA:

      If you have downloaded the Firefox 1.0.1 update, you have nothing to worry about.

  96. Re:ooh your good by Anonymous Coward · · Score: 0

    I like blue cheese. Did it have blue veins - the cheese I mean.

  97. Re:Here we go... by runderwo · · Score: 1
    How long does it take for Linux people to jump all over Windows vulnerabilities that have already been patched as a reason not to use Microsoft products?
    Try this one: What proportion of Windows vulnerabilities allow the attacker to obtain sensitive information or result in complete system compromises?

    Risk minimisation is the most important part of engineering software for security. It involves assuming that your software will eventually be compromised somehow and ensuring through design that the damage will be controlled. Microsoft has largely ignored this, and they rightly take flak for it, because their most crucial security problems could have been minimized or even eliminated through risk minimisation.

  98. Slashdot has nothing to do with journalism... by WIAKywbfatw · · Score: 1

    Please don't confuse the Slashdot "editors" with journalists. The two are mutually exclusive: journalists (on the whole) actually care about the accuracy of what they write.

    Oh, and journalists (or at least their editors) actually care about things like spelling, punctuation, and grammar, not to mention whether or not they're duplicating the already-published work of a colleague.

    --

    "Accept that some days you are the pigeon, and some days you are the statue." - David Brent, Wernham Hogg
  99. Re:..the worst infestation ever... by Anonymous Coward · · Score: 0

    Despite my "troll" rating, my 4 hours of cleanup was no illusion. As I stated earlier in the thread- I will install Virtual PC and try to duplicate the problem with the 1.0.1 version of Firefox.

    If the 1.0 version is still out there, I'd love to try it with that first- and then see if any of the patches fixed the problem.

    I am installing VPC right now and will update when I have information either way.

  100. Re:..the worst infestation ever... by Anonymous Coward · · Score: 0

    I am unable to reproduce using Firefox 1.0.1 and Windows XP SP1a

    If anyone has 1.0 available I will try and see if it was fixed or I am somehow on dope... cause I know it happened...

    BTW- it was a site listed from astalavista.box.sk... I think it was cracks.am however it might be one of the other sites they link to.

  101. Problem with security fences. by einhverfr · · Score: 1

    That had actually occurred to me. But here is how I would respond---

    I would define a security fence as an enforcement mechanism where the rules on either side are relatively similar, but the ability to change things from one side to the other is controlled using enforcement mechanisms.

    Ideally, data and programming instructions (from the application's point of view) should be separate. Tying these two together with a security enforcement mechanism between them is a tradeoff which does significantly reduce security. This is the issue with Mozilla. Don't get me wrong, I do appreciate XUL, but I have to say that it is the security weak point of the application (not XPCOM) (as XPCOM "exists" only on one side of the fence).

    Regarding root and user--- This is an issue--- look at how many privilege elevation attacks you see in all operating systems, but again you have to look at it in the absence of any ability to fundamentally separate these privileges. To a large extent, this is a problem that projects like SE-Linux are designed to reduce.

    So I think you are right regarding root and user provided that you are looking at a system without MAC. With a MAC framework like SE-Linux, you still have a security fence, but it is far more robust than that which came before.

    We have these security enforcement boundaries (fences) because we want to use the same functionality from several points. In doing so, we trade maintainability and speed of development for security. The ideal solution from a security perspective IMO would be one where the user had a virtual environment and was stuck there while the admin could access the whole system including reaching into the user accounts information. This could be done with a clever use of chroot and would provide more than a fence.

    Note that I am not saying that it would be cost-effective to make every user maintain a shadow directory architecture and live in a chrooted jail.

    --

    LedgerSMB: Open source Accounting/ERP
  102. Re:..the worst infestation ever... by Anonymous Coward · · Score: 0

    I should mention it wasn't an XPI-

    These crack sites pop up dialog boxes.. well, they try to get you to "OK" an install of software you didn't request by calling it a download manager and warning you that you "MUST" download the software. Anyone I know just clicks through the dialogs.

    In the case I am mentioning, I went to the site for the first time ever with Firefox... and I'll say it again: I *LIKE* Firefox... and I didn't get prompted about anything- But I saw strange activity and realised stuff was being installed.. I killed the process and spent hours getting rid of the infestation.. Spybot, Manual cleaning, Ad Aware... and I still didn't find it all.. Then I used, believe it or not, AOL's spyware software and it found 2 or 3 others... cleaned them off also.

    Interestingly, I continue to get new files here and there- and the AOL cleaner continues to catch them... and I only use Firefox (unless the page only works in IE).

  103. How were they found?? by dmforcier · · Score: 1

    I'd be interested to know if some or all of these vulnerabilities were discovered through code inspection? It would be a big feather in OSS' cap if so. (Although it could be spun the other way, were one sufficiently unscrupulous...)

    --
    You can't take the sky from me!