Slashdot Mirror


New Vulnerabilities Discovered in Firefox 1.0

jflint writes "Today, the security firm Secunia has released 8 more security vulnerabilities it has discovered in Mozilla products, including Firefox and Thunderbird. The exploits "could be used by criminals to spoof, or fake, various aspects of a Web site, ranging from its SSL secure site icon to the contents of an inactive tab.""

29 of 406 comments

  1. What the hell? by Anonymous Coward · · Score: 5, Informative

    Why is Slashdot linking to some guy's blog that no one has heard of rather than the actual Secunia advisories page? The blog entry doesn't even link there! I don't even see how this is a story since Firefox 1.0.1 has already been covered on Slashdot, and these vulnerabilities were announced then.

  2. ...only affects v1.0 by Tumbleweed · · Score: 2, Informative

    If you have downloaded the Firefox 1.0.1 update, you have nothing to worry about. The Mozilla 1.7.6 and Thunderbird 1.0.1 releases should be out this week as well.

    No worries, just keep your browser updated.

    1. Re:...only affects v1.0 by _xeno_ · · Score: 3, Informative

      Supposedly. By my reading of Asa's blog, if you use the en-US version (most of Slashdot), then you should be able to get an update. Specifically, check out the entries localized 1.0.1 updates and another try at update.

      However, I use the en-US version, and my Firefox refuses to auto-update. So it doesn't appear to be working for everyone. (I'm behind a firewall, if that matters.)

      --
      You are in a maze of twisty little relative jumps, all alike.
  3. Security by Scoria · · Score: 1, Informative

    I was actually expecting this. Firefox is an immature fork. One vulnerability eliminated is one less to be discovered later. It is inconvenient now, but should expedite relative maturity in the base. I am, however, still awaiting an automatic update for my installation of Firefox 1.0... ;-)

    --
    Do you like German cars?
  4. The bugs have already been fixed by Anonymous Coward · · Score: 4, Informative

    The bugs have already been dealt with. From TFA: "If you have downloaded the Firefox 1.0.1 update, you have nothing to worry about". In other words, Firefox has already fixed these security bugs and all Firefox users have to do is upgrade to 1.0.1.

  5. it's already fixed. by Run4yourlives · · Score: 1, Informative

    RTFA

  6. Re:Emergency! by LiquidCoooled · · Score: 2, Informative

    Firefox is already fixed....

    The others won't be long.

    from the article:
    If you have downloaded the Firefox 1.0.1 update, you have nothing to worry about. The Mozilla 1.7.6 and Thunderbird 1.0.1 releases should be out this week as well.

    --
    liqbase :: faster than paper
  7. Re:patch here by Anonymous Coward · · Score: 4, Informative

    don't mod parent as troll, it's a joke, a parody of the fact that someone posts a link to firefox when there is an IE vul. story.

    oh forget it, some of you mods are dumber than a deck of cards.

  8. Re:New Discovery? by Anonymous Coward · · Score: 1, Informative

    Uh, they started rolling out the 1.0.1 updates. Run it again, you might get it.

  9. Re:New Discovery? by Daniel+Boisvert · · Score: 5, Informative

    The update button showed up for me today. I clicked it and it ran me through the download and install of 1.0.1. The automatic update was intentionally delayed because of server capacity issues; apparently they've got them sorted out now.

  10. Re:Firefox bugs by Anonymous Coward · · Score: 1, Informative

    It's already fixed, "ma'man".

  11. Re:New Discovery? by MattJakel · · Score: 2, Informative

    The thing that sucks is that there is no update button in Firefox 1.0. Well, there is, but it only updates the Extensions when I run it. That could lead the average user to believe that they have already updated their browser. Will this be fixed in Firefox 1.1? Or should I file it?

    It looks like they are aware of these problems and are working on them.

  12. Re:New Discovery? by juhaz · · Score: 4, Informative

    There is.

    Asa mentioned something about server problems and activating the update for 1.0.1 later, and indeed it did show up today. Granted, it's a week since the release and that's a long time for a security update... And windows-only apparently, though Linux users probably update through their native package systems anyway.

    His blog has more.

  13. Re:The most important part of TFA by monophaze · · Score: 2, Informative

    Secunia collectively rated the vulnerabilities as "Moderately Critical," and said that only Firefox has been fixed. Users should download the newest edition, Firefox 1.0.1, which was released last week.

    The vulnerabilities have been corrected in Mozilla, but the patched edition, 1.7.6, has not yet been officially released. The same goes for Thunderbird, the Mozilla Foundation's free e-mail client, which is also susceptible to the bugs. Both Mozilla 1.7.6 and Thunderbird 1.0.1 should roll out this week, Mozilla has said.


    8 More Bugs Found In Firefox And Mozilla

  14. Re:Firefox ad hack! by arootbeer · · Score: 3, Informative

    Hmmm...do you have a webserver on your box, and a no-ad hosts file?

    I ran into that when I had IIS installed and a hosts file with many ad servers sent to 127.0.0.1.

    I fixed it by turning off the Web Publishing Service.

  15. Re:New Discovery? by SuperficialRhyme · · Score: 5, Informative

    Secunia just put the list together. Copy/pasting the list and who found them from secunia since someone didn't link to it in the article.

    1) The vulnerability is caused due to the temporary plugin directory being created insecurely. This can be exploited via symlink attacks to delete arbitrary directories with the privileges of the user running Mozilla or Firefox.

    2) The problem is that an inactive tab can launch an HTTP authentication prompt, which appears to be displayed by a website in another tab. This may be exploited to trick a user into entering some sensitive information (e.g. user credentials).

    This is similar to:
    SA12712

    3) An error in the handling of shortcut files (.lnk) can be exploited to overwrite arbitrary files by tricking a user into downloading a shortcut file twice.

    4) The problem is that a XML document can include XSLT stylesheets from arbitrary sites, which may be exploited to disclose some sensitive information.

    5) An error in the form fill feature (autocomplete) allows reading suggested values before they are chosen. This can be exploited to disclose some potentially sensitive input by tricking a user into arrowing through some autocompleted values.

    6) A memory handling error in Mozilla string classes may allow overwriting of memory if the browser runs out of memory during string growth. This can potentially be exploited to execute arbitrary code.

    7) The problem is that the hostname can be obfuscated in the installation confirmation dialog by including an overly long username and password. This can be exploited to trick users into accepting installations from untrusted sources.

    Successful exploitation requires that the malicious website is allowed to request installations.

    8) It is possible to cause a heap overflow due to an error when converting malformed UTF8 character sequences to Unicode. This may be exploited to cause a heap overflow and execute arbitrary code, however, general web content is not converted using the vulnerable code.

    9) Various errors make it possible to show the "secure site" lock icon with certificate information belonging to a different site.

    Provided and/or discovered by:
    1) Tavis Ormandy
    2) Christian Schmidt
    3) Masayuki Nakano
    4) Georgi Guninski
    5) Matt Brubeck
    6) Independently discovered by:
    * Daniel de Wildt
    * Gaël Delalleau
    7) Phil Ringnalda
    8) wind li
    9) Mook, Doug Turner, Kohei Yoshino, M. Deaudelin
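
Item 7 in the list above (a hostname hidden in the installation confirmation dialog behind an overly long username and password) comes down to what the dialog chooses to display. The following is an added example, not part of the original comment and not Mozilla's code; `describeInstallSource`, `elideLeft`, `MAX_HOST_CHARS` and the `*.example` URLs are hypothetical names and constructed inputs.

```javascript
// Added example (not Mozilla's code). describeInstallSource(), elideLeft(),
// MAX_HOST_CHARS and all *.example URLs are hypothetical / constructed.
const MAX_HOST_CHARS = 40;

// Truncate from the left: the rightmost labels identify who owns the host,
// so they must stay visible when the string is too long for the dialog.
function elideLeft(text, max) {
  return text.length <= max ? text : "…" + text.slice(text.length - (max - 1));
}

// Return what a confirmation dialog should display for an install source.
function describeInstallSource(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch (err) {
    return { ok: false, reason: "unparseable URL" };
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return { ok: false, reason: "unsupported scheme" };
  }
  // Anything before '@' is userinfo, not the host; never echo it to the user.
  const hadUserinfo = url.username !== "" || url.password !== "";
  const display = url.protocol + "//" + elideLeft(url.host, MAX_HOST_CHARS);
  return { ok: true, display, hadUserinfo };
}

// Constructed input: a long username that starts with a familiar-looking name
// and pushes the real host far to the right of the raw string.
const PADDED_URL =
  "https://known-site.example" + "%20".repeat(80) + ":x@other-site.example/ext.xpi";
// Constructed input: a long host whose leftmost labels mimic another site.
const LONG_HOST_URL =
  "https://known-site.example." + "a.".repeat(30) + "other-site.example/ext.xpi";

console.log(describeInstallSource(PADDED_URL));
console.log(describeInstallSource(LONG_HOST_URL));
```

The `hadUserinfo` flag lets the caller warn about or refuse install requests that carry credentials in the URL at all.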

  16. Re:I frequently talk up by badriram · · Score: 4, Informative

    firescrolling exploit example.... caution exploit code

    been out for at least 2 weeks..... just because the media does not cover something does not mean it doesn't exist.

  17. Re:THANK YOU SLASHDOT!!! by Aeiri · · Score: 4, Informative

    I too have noticed that lately the /. front page has not been reloading correctly. I am in no way an expert with web page design, so correct me if I am wrong, but could it have something to do with style sheets?

    No, it's a problem with the way the Gecko engine renders layers.

  18. Solution: by Anonymous Coward · · Score: 1, Informative

    Firefox:
    Update to version 1.0.1.
    http://www.mozilla.org/products/firefox/

    =

    Firefox 1.0.1 Released
    http://it.slashdot.org/article.pl?sid=05/02/25/0327235&tid=154&tid=164&tid=162&tid=1


    The dup firefox /. article was brought to you by the firefox marketing campaign:

    http://www.spreadfirefox.com/

  19. Re:New Discovery? by aneroid · · Score: 5, Informative

    2) The problem is that an inactive tab can launch an HTTP authentication prompt, which appears to be displayed by a website in another tab. This may be exploited to trick a user into entering some sensitive information (e.g. user credentials).

    i always wanted that modal dialog to be made non- and only appear for that tab (when it's in focus).

    i doubt this would've prevented the bug. but the page it was appearing for would be obvious. a possible hack to that could be...have a javascript window which is already open make the connection. in that case, even if the js window is shown, with the browser most likely behind it, it wouldn't be obvious. could fix that too :P by outlining the window/tab that calls it. of course, even that could...
  20. Re:THANK YOU SLASHDOT!!! by njcoder · · Score: 3, Informative

    I've seen it on other sites as well. Something about table widths being set to 100% or something. On some sites, the main text table cell doesn't show up until there's a reload. The same ctrl- ctrl+ fixes those too or a reload. It's really annoying.

  21. Re:New Discovery? by interiot · · Score: 4, Informative

    Riiiiiight.

    Sure, you can copy-and-paste anything you want into your URL bar, and hit enter. This takes time, and thought, and you have to look at the string in two different places, so it's reasonably secure based on that.

    The only security problems that could arise would be if there were links that you could click on, or bookmark them. Try it here (slashdot won't let you write chrome:// URLs unfortunately). It doesn't work.

    There are tons of security measures related to XPI/XUL, the Firefox team has IMHO taken an OVERLY aggressive approach to XUL/XPI issues. You know why there are several extra steps required in Firefox to install an XPI plugin? Because there were some theoretical exploits where someone might ask a user to click on a place on the screen over and over (eg. hit the monkey), and then display the XPI dialog there, and the user might end up clicking "yes, please install" before they realized that they were running potentially suspicious code. So now users have to wait a few seconds before being able to click.

    Users CAN actually configure their browser to let remote sites do just about anything, including read/write files, change the clipboard, etc., because this is sometimes something that's useful that users might want from a few special sites. But it's a pain in the butt to get the several security configuration settings set properly, and again, as a developer, I think they might have overdone it.

  22. Installing 1.01 by PromANJ · · Score: 2, Informative

    If anyone wonders about installing, here's what I did:

    The DL link can be found here:
    http://www.mozilla.org/

    After downloading that I closed all windows and uninstalled 1.0 (winXP) by using add/remove programs and clicked yes on delete folder. My settings/profile/chrome stuff is not in that folder, but here in my case:
    C:\Documents and Settings\My puter name\Application Data\Mozilla\

    Then I installed 1.01 by clicking the exe
    Done. My extensions, chrome, bookmarks seem to be intact, which of course was my biggest worry. My start menu just turned black though :/


    The update thing in 1.0 just checked/updated my extensions, and my flash blocker stopped working. I took a look in about:config and the build and version number was still old, so that thing definitely didn't update to 1.01

  23. Re:First by ikkonoishi · · Score: 4, Informative

    From TFA

    If you have firefox 1.01 installed you have nothing to worry about.

    Fixed days ago. Now that's speedy service.

  24. Re:New Discovery? by taylortbb · · Score: 5, Informative

    They started rolling it out for windows only but they had to cancel it. Linux and Mac users were getting the windows only code and that was causing problems so it was disabled. It is now back for windows users.

    http://weblogs.mozillazine.org/asa/

  25. Re:First by felipin-sioux · · Score: 5, Informative

    If you have firefox 1.01 installed you have nothing to worry about.

    No, there are security advisories for firefox 1.01, like this one.

    And the story didn't even link the vulnerability report on Mozilla Firefox 1.x from Secunia. Anyway, just stay tuned and have your FF always updated.

    --
    Sorry, this sig is beneath your current threshold
  26. Re:First by shaitand · · Score: 2, Informative

    It is a stretch to even call that a vulnerability. It would be easier to trick a user into downloading and executing code themselves than to get them to drag a properly crafted image into the address bar and then use the url.

  27. Re:Auto Update by Tuntematon · · Score: 2, Informative

    I don't think so, automatic update has been in the works since/before the full FF 1.01 release.

    --
    By Tuntematon
  28. VISA's Zero Liability plan is useless. by hedora · · Score: 2, Informative

    No, in practice, debit cards are not covered by the zero liability plan. From VISA's site:

    *Covers U.S.-issued cards only. Visa's Zero Liability policy does not apply to commercial card or ATM transactions, or to PIN transactions not processed by Visa. See your Cardholder Agreement for more details.

    **Cardholders should always regularly check their monthly statements for transaction accuracy. Financial institutions may impose greater liability on the cardholder if the financial institution reasonably determines that the unauthorized transaction was caused by the gross negligence or fraudulent action of the cardholder--which may include your delay for an unreasonable time in reporting unauthorized transactions.


    Before you think 'I can keep my PIN secret, so what's the problem?', try to figure out how a transaction was processed by looking at your bank statement. Was it credit or debit? What network processed the transaction?

    I recently had my VISA card used fraudulently, and was stuck footing the bill.

    The 'call this number if your card is lost or stolen' number on the back of the card didn't work. Apparently, the organization that I contacted does not handle debit cards.

    The charge was for $40; the zero liability plan applies to the first $50 of fraudulent transactions.

    Of course, my bank "didn't know" how the charges were made, and ATM/pin transactions are not covered, so I couldn't take advantage of the Zero Liability policy without paying the bank to figure it out for me.

    I found that the vendor (McAfee) was totally unresponsive (I never managed to contact a human being after trying for a few hours), so I could not obtain any information about the transaction (I thought I would get an IP address or a shipping address. Yeah, right!)

    The bank wanted to charge well over $100 to 'launch an investigation', which would be billed as an initial cost plus an hourly fee, and could drag on indefinitely.

    VISA charges vendors a few percentage points of every purchase you make. If the per-transaction fees aren't being used to combat fraud on the network, or even to maintain contact information for a handful of major vendors, what are they for?

    If the average amount of a transaction is $5, and Visa takes 1% (two very low estimates), that's costing the vendor $0.05. For what? Sending a few kilobytes of data over an encrypted line? Running a (really expensive!?!) database transaction?

    I've been dumping around a bit over 1% of my income into this network for years. If federal tax is 20%, that's roughly as much as I've put into the department of education and department of transportation, combined!

    At this point, I think I'll just carry cash, since it's less of a hassle. If I get mugged, I'm out $100, and that's it. With a VISA card, I get to negotiate with my bank over who is liable for what, and there is a huge risk of electronic fraud. Besides, using cash keeps prices lower, and most businesses are happy to accept it.