Slashdot Mirror


New Vulnerabilities Discovered in Firefox 1.0

jflint writes "Today, the security firm Secunia has released 8 more security vulnerabilities it has discovered in Mozilla products, including Firefox and Thunderbird. The exploits "could be used by criminals to spoof, or fake, various aspects of a Web site, ranging from its SSL secure site icon to the contents of an inactive tab.""

13 of 406 comments

  1. What the hell? by Anonymous Coward · · Score: 5, Informative

    Why is Slashdot linking to some guy's blog that no one has heard of rather than the actual Secunia advisories page? The blog entry doesn't even link there! I don't even see how this is a story since Firefox 1.0.1 has already been covered on Slashdot, and these vulnerabilities were announced then.

  2. The bugs have already been fixed by Anonymous Coward · · Score: 4, Informative

    The bugs have already been dealt with. From TFA: "If you have downloaded the Firefox 1.0.1 update, you have nothing to worry about". In other words, Firefox has already fixed these security bugs and all Firefox users have to do is upgrade to 1.0.1.

  3. Re:patch here by Anonymous Coward · · Score: 4, Informative

    don't mod parent as troll, it's a joke, a parody of the fact that someone posts a link to firefox when there is an IE vul. story.

    oh forget it, some of you mods are dumber than a deck of cards.

  4. Re:New Discovery? by Daniel+Boisvert · · Score: 5, Informative

    The update button showed up for me today. I clicked it and it ran me through the download and install of 1.0.1. The automatic update was intentionally delayed because of server capacity issues; apparently they've got them sorted out now.

  5. Re:New Discovery? by juhaz · · Score: 4, Informative

    There is.

    Asa mentioned something about server problems and activating the update for 1.0.1 later, and indeed it did show up today. Granted, it's a week since the release and that's a long time for a security update... And Windows-only apparently, though Linux users probably update through their native package systems anyway.

    His blog has more.

  6. Re:New Discovery? by SuperficialRhyme · · Score: 5, Informative

    Secunia just put the list together. Copy/pasting the list and who found them from secunia since someone didn't link to it in the article.

    1) The vulnerability is caused due to the temporary plugin directory being created insecurely. This can be exploited via symlink attacks to delete arbitrary directories with the privileges of the user running Mozilla or Firefox.

    2) The problem is that an inactive tab can launch an HTTP authentication prompt, which appears to be displayed by a website in another tab. This may be exploited to trick a user into entering some sensitive information (e.g. user credentials).

    This is similar to:
    SA12712

    3) An error in the handling of shortcut files (.lnk) can be exploited to overwrite arbitrary files by tricking a user into downloading a shortcut file twice.

    4) The problem is that a XML document can include XSLT stylesheets from arbitrary sites, which may be exploited to disclose some sensitive information.

    5) An error in the form fill feature (autocomplete) allows reading suggested values before they are chosen. This can be exploited to disclose some potentially sensitive input by tricking a user into arrowing through some autocompleted values.

    6) A memory handling error in Mozilla string classes may allow overwriting of memory if the browser runs out of memory during string growth. This can potentially be exploited to execute arbitrary code.

    7) The problem is that the hostname can be obfuscated in the installation confirmation dialog by including an overly long username and password. This can be exploited to trick users into accepting installations from untrusted sources.

    Successful exploitation requires that the malicious website is allowed to request installations.

    8) It is possible to cause a heap overflow due to an error when converting malformed UTF8 character sequences to Unicode. This may be exploited to cause a heap overflow and execute arbitrary code, however, general web content is not converted using the vulnerable code.

    9) Various errors make it possible to show the "secure site" lock icon with certificate information belonging to a different site.

    Provided and/or discovered by:
    1) Tavis Ormandy
    2) Christian Schmidt
    3) Masayuki Nakano
    4) Georgi Guninski
    5) Matt Brubeck
    6) Independently discovered by:
    * Daniel de Wildt
    * Gaël Delalleau
    7) Phil Ringnalda
    8) wind li
    9) Mook, Doug Turner, Kohei Yoshino, M. Deaudelin
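    Added example for item 7 in the list above (this is not Secunia's or Mozilla's code): an installation confirmation dialog should extract the real host from the URL rather than echo the raw string, and flag userinfo long enough to push the host out of view. The URLs and the length threshold are constructed assumptions.

```python
"""Recover the real host from a URL whose userinfo is padded to hide it."""
from urllib.parse import urlsplit

# Constructed sample, not a real advisory URL: the userinfo mimics a
# trusted-looking name and is padded so a narrow dialog shows only it.
SPOOFED_URL = "http://www.mozilla.org:" + "x" * 300 + "@untrusted.example/addon.xpi"
PLAIN_URL = "http://addons.example/addon.xpi"

USERINFO_LIMIT = 64  # assumed policy value, not a browser preference


def real_host(url: str) -> str:
    """Host the browser would actually connect to, ignoring any userinfo."""
    host = urlsplit(url).hostname
    if not host:
        raise ValueError("URL has no host: %r" % url)
    return host


def userinfo_length(url: str) -> int:
    """Total length of the user:password part before the '@', 0 if absent."""
    parts = urlsplit(url)
    return len(parts.username or "") + len(parts.password or "")


def install_prompt_text(url: str, limit: int = USERINFO_LIMIT) -> str:
    """Text a confirmation dialog should show: the real host comes first,
    and overly long embedded credentials are called out explicitly."""
    host = real_host(url)
    n = userinfo_length(url)
    if n == 0:
        return "Install software from %s?" % host
    if n > limit:
        return ("WARNING: URL contains %d characters of embedded credentials "
                "before the real host %s. Install?" % (n, host))
    return "Install software from %s (credentials in URL)?" % host


if __name__ == "__main__":
    for u in (SPOOFED_URL, PLAIN_URL):
        print(install_prompt_text(u))
```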

  7. Re:I frequently talk up by badriram · · Score: 4, Informative

    firescrolling exploit example.... caution exploit code

    been out for at least 2 weeks..... just because the media does not cover something does not mean it doesn't exist.

  8. Re:THANK YOU SLASHDOT!!! by Aeiri · · Score: 4, Informative

    I too have noticed that lately the /. front page has not been reloading correctly. I am in no way an expert with web page design, so correct me if I am wrong, but could it have something to do with style sheets?

    No, it's a problem with the way the Gecko engine renders layers.

  9. Re:New Discovery? by aneroid · · Score: 5, Informative

    2) The problem is that an inactive tab can launch an HTTP authentication prompt, which appears to be displayed by a website in another tab. This may be exploited to trick a user into entering some sensitive information (e.g. user credentials).

    i always wanted that modal dialog to be made non- and only appear for that tab (when it's in focus).

    i doubt this would've prevented the bug. but the page it was appearing for would be obvious. a possible hack to that could be...have a javascript window which is already open make the connection. in that case, even if the js window is shown, with the browser most likely behind it, it wouldn't be obvious. could fix that too :P by outlining the window/tab that calls it. of course, even that could...
  10. Re:New Discovery? by interiot · · Score: 4, Informative

    Riiiiiight.

    Sure, you can copy-and-paste anything you want into your URL bar, and hit enter. This takes time, and thought, and you have to look at the string in two different places, so it's reasonably secure based on that.

    The only security problems that could arise would be if there were links that you could click on, or bookmark them. Try it here (slashdot won't let you write chrome:// URLs unfortunately). It doesn't work.

    There are tons of security measures related to XPI/XUL, the Firefox team has IMHO taken an OVERLY aggressive approach to XUL/XPI issues. You know why there are several extra steps required in Firefox to install an XPI plugin? Because there were some theoretical exploits where someone might ask a user to click on a place on the screen over and over (eg. hit the monkey), and then display the XPI dialog there, and the user might end up clicking "yes, please install" before they realized that they were running potentially suspicious code. So now users have to wait a few seconds before being able to click.

    Users CAN actually configure their browser to let remote sites do just about anything, including read/write files, change the clipboard, etc., because this is sometimes something that's useful that users might want from a few special sites. But it's a pain in the butt to get the several security configuration settings set properly, and again, as a developer, I think they might have overdone it.

  11. Re:First by ikkonoishi · · Score: 4, Informative

    From TFA

    If you have firefox 1.01 installed you have nothing to worry about.

    Fixed days ago. Now that's speedy service.

  12. Re:New Discovery? by taylortbb · · Score: 5, Informative

    They started rolling it out for Windows only but they had to cancel it. Linux and Mac users were getting the Windows-only code and that was causing problems so it was disabled. It is now back for Windows users.

    http://weblogs.mozillazine.org/asa/

  13. Re:First by felipin-sioux · · Score: 5, Informative

    If you have firefox 1.01 installed you have nothing to worry about.

    No, there are security advisories for firefox 1.01, like this one.

    And the story didn't even link the vulnerability report on Mozilla Firefox 1.x from Secunia. Anyway, just stay tuned and have your FF always updated.
