Slashdot Mirror
New Vulnerabilities Discovered in Firefox 1.0
jflint writes "Today, the security firm Secunia has released 8 more security vulnerabilities it has discovered in Mozilla products, including Firefox and Thunderbird. The exploits "could be used by criminals to spoof, or fake, various aspects of a Web site, ranging from its SSL secure site icon to the contents of an inactive tab.""
At least with FireFox they'll be patched up within a few days. Unlike Microsoft which waits until half the world has been screwed over...
Most all software has serious bugs, and the up-tick in firefox bug was as predictable as the sun rising. The real key is going to be in how the bugs are dealt with.
Jerry
http://www.syslog.org/
Why this wasn't in the write up is beyond^W entirely to be expected given the recent track record of Slashdot editors... :P
UNIX? They're not even circumcised! Savages!
Chances are that they found the 8 bugs in 1.0, reported them to Mozilla, who kept it quiet and fixed them for 1.0.1.
I guess this is trumpet-blowing from Secunia, together with an advisory as to how important it is to upgrade to 1.0.1.
Registering accounts later than some other chrisb since 1997
The thing that sucks is that there is no update button in Firefox 1.0. Well, there is, but it only updates the Extensions when I run it. That could lead the average user to believe that they have already updated their browser. Will this be fixed in Firefox 1.1? Or should I file it?
A NYC lawyer blogs. http://www.chuangblog.com/
Open source or Closed Source... makes no difference bugs and exploits will always exists. Claiming that firefox is the answer to all security problems is silly. Software by it very nature can be exploited for evil and no code is completely secure. Until people realize that the convience of software is bundled with the risk of exploits and that no matter how many patches or code rewrites exists problems will always exist. Makes me glad i'm in the software bussiness as I know my future is secure..
They want it to look more like "news".
1's and 0's should be free.
Yeah except Avant still uses Internet Explorer as its backend. All of these fixes for Firefox are for potential exploits, not something that's in the wild. It's a lot better track record than Microsoft has by far. Plus nobody's going to pay for Opera and they certainly won't put up with having ads in their browser.
I personally am grateful to Secunia for helping to look at Firefox's security the way that we should be.
Like it or not, we need these sorts finding vulnerabilities before the bad guys. No software is 100% secure. But any software has a security record better than IE.
LedgerSMB: Open source Accounting/ERP
Prediction: In 10 years, if there is no fundamental fix for these sorts of spoofs, or if the underlying model of the web is not changed, web-based commerce will be all but dead.
Are you on crack? People don't hesitate to hand their credit cards over to be carbon copied by pimply faced 17 year olds to make purchases at The Gap, why would they worry about SSL not being perfectly secure?
Really, do we need a story every time some security problem appears in some software package? Surely anyone with half a brain understands that security relies on multiple protections.
Firewall, virus scanner, frequent updates to all software. Maybe a change in OS.
I really ignore all of these endless warnings any more and just trust that frequent updates and scans, and a reasonable amount of common sense and skepticism will protect me pretty much fully.
Three Squirrels
One word: adwords
I disagree, though I wouldn't call your post a troll. But since I can't post and untroll you, I'll post and hope someone else might ...
You shouldn't change your tune when security holes are discovered. Security holes exist in any application. Some are discovered, and some aren't. Your defense against security holes is two fold. The first part is that you want security holes to be discovered. The second part is that you want them fixed. The FOSS ideology helps with discovering them. And Mozilla's diligence helps with fixing them ... in fact, these holes have already been fixed.
Compare this with not being able to discover security holes and not being able to fix them, and you start to see why FOSS is good and why Firefox is brilliant.
*blinking cursor*
Ok.... IE has two major security issues inherent in its design and that is zone permission elevation while the other is ActiveX related.
Mozilla/Firefox has another-- XUL display. XUL is a great technology, but it is difficult to handle because the main UI rendering is too closely tied to the rendering of the web site. There is a security barrier which is designed to keep one from harming the system but it is not designed to prevent spoofing of apps. Hopefully a defence barrier can be built in.
Don't believe me? pasting this into your address bar: chrome://navigator/content/navigator.xul (only works in Mozilla)
For example, something simple like "Components in Chrome are locked by default and only unlocked components can be modified outside of Chrome" would be a nice start.
LedgerSMB: Open source Accounting/ERP
Try this one: How long does it take for Linux people to jump all over Windows vulnerabilities that have already been patched as a reason not to use Microsoft products?
Creative Demolition
If you encounter bugs while using IE, it is not your fault, it is Microsoft's fault.
If you encounter bugs while using Firefox,, it is your fault - you should have been using IE. You screwed up.
That's unfortunately the mentality that will keep MS in business for a long time yet.
Engineering is the art of compromise.
SSL implementations have been barely usable for real people years with their laughably tiny "padlock" indicator.
Bugs aside things are just starting to look reasonable as far as SSL in browsers is concerned.
Firefox puts the "padlock" where someone will actually stand a chance of seeing it (in the urlbar) and also color codes the URL.
Opera does something similar in it's recent beta but also displays the organisational name of the certificate owner aside the padlock.
The spoofing problem isn't a fundamental flaw that is going to doom the future of browser based commerce. The reinvigoration of browser competition has started making things better for the end user.
Boffoonery - downloadable Comedy Benefit for Bletchley Park
It does, Mozilla delayed the update because the servers were getting overloaded when it first came out. By now it should report there being an update and allow you to install that.
I don't think these kinds of "phishing exploits" should be classified with security vulnerabilities. They make it easier to fool a naive user... but they're not at all necessary... the existing phishing attacks will continue to succeed as long as companies keep asking people to do stupid things.
I really have recieved real, legitimate mail from Microsoft asking me to download and apply a patch... and nobody at Microsoft I spoke to saw anything strange about it... and the IT people where I work have done the same kind of thing even after I asked them not to and they agreed they wouldn't.
The term "Security vulnerabilities" needs to be restricted to things like remote execution attacks, watering it down doesn't help anyone.
'But any software has a security record better than IE.'
:)
What about Windows proper?
i'm willing to deal with a couple firefox vulnerabilities over that browser that runs activeX controls.
so we are going to get an artical everytime a vun. is found in an app now
If you mod me down, I will become more powerful than you can imagine....
Microsoft's security has always been such a huge public issue in the past primarily because a.) nobody online has anything else to report on, and b.) people love to hate on Microsoft, despite most of them still using their products.
All complicated pieces of software, like browsers and operating systems, are going to have flaws. They've been found in every OS, and every browser. They'll continue to be found, as long as they make up a large part of the market, because not only are these what "hackers" search for, but also security professionals.
So the Firefox team will fix their flaws, just as the Microsoft team has continued to do so for theirs. However, Firefox's will now get brought into the public's attention much more as it becomes more popular, even though flaws have existed for it all along, as anyone who views the release log on their site can see. But only IE got the attention for being riddled with problems up till now.
So this just further proves that it's not just Microsoft's problem. Firefox is going to get its share of the limelight now, for better or worse.
Because SSL protects no one against key loggers.
Investigator1: We noticed that the 25 credit card fraud victims each shopped at The Gap five months ago. We talked to the store manager and interviewed the employees. One pimply faced teenager broke down in his interview and admitted he gave the credit card numbers to a member of a well-known, local crime syndicate. We arrested five people in our fair city. We recommend people carefully read their credit card statements each month and report any unauthorized purchases.
Investigator2: We noticed that the 5000 credit card fraud victims had hard drives choking on pornography and had several key loggers. The key loggers were programmed to access an IRC channel that hasn't been active in five months. As the fraudulent purchases all took place in Eastern Europe, it is unlikely we will ever catch the perps. We recommend you do your shopping locally and avoid using the Internet for any financially sensitive activities.
How's that?
From TFA
If you have firefox 1.01 installed you have nothing to worry about.
Fixed days ago. Now thats speedy service.
Yet when a slashdot story uses Microsoft XP service pack one to show how full of holes the OS is - It's newsworthy.
_ _ _ Go for the eyes Boo! GO FOR THE EYES!
That's quite easy to say. But what if they were the original reporters for those vulnerabilities, and they kept quiet while MS & Mozilla fixed them? Couldn't they be allowed to publicize them now that they are fixed, and get the appropriate recognition without putting the users to risk?
I haven't check the history for those advisories; maybe they truely are 'glory whores', I'm just saying we shouldn't rush to judgement.
Journalists are scum when interpreting technical articles without experience or familiarity with the aspects compared-the report differed significantly from the site-article summary of it. Slashdot should be a collection of technical articles written by technical professionals for interested parties, but it has fallen to the scum of journalistic manipulations of information. On technical level, vulnerabilities in both are posted as significant user base has yet to update either or both the program (is it now fully released to update channel?) and the operating system (occupational programs found to work by everyone and the second patch applied?). On those grounds, it is both scholarly for the fields we are professionals in or students of and useful to form a more complete picture of the faults in the Microsoft development, QA, and testing processes.
http://forums.mozillazine.org/viewtopic.php?t=2256 01/
... OPTIONS ... ADVANCED ... SOFTWARE UPDATES ... check the boxes for "Periodically Check for Updates" for Firefox and My Extensions/Themes. Another setting to check is TOOLS ... OPTIONS ... WEB FEATURES ... CHECK "allow site to install software"
The new Firefox autoupdate should be available around March 7th. Firefox 1.0 users who aren't experienced in handling profiles during the uninstall/reinstall process may want to wait. Autoupdate will install the 1.0.1 patch automatically and preserve all current settings, without the need to uninstall/reinstall The Autoupdate feature should already be set on, as it is the default setting for Firefox 1.0. You can check for proper settings through: TOOLS
i agree... and
You can't have your cake and eat it.
Sure you can. That's what having your cake means.
After all, I am strangely colored.
And I know Secunia didn't come up with the list because
The fact that you can't just click on a link doesn;t mean that this is not a problem. Yes there are security measures and barriers in place, but this is the *problem* not the solution.
Your see, the security barriers exist because you want to provide some functionality which is more trusted than others. This is part of the reason why IE is so darned insecure: It has too many of these security barriers.
Instead, the problem is that you have the problem that the security barriers are fundamentally permeable. Ideally therefore you want to design your software in such a way that the security barriers are enforced by design limitations of the software rather than enforcement checks.
LedgerSMB: Open source Accounting/ERP
-1 Insulting Mods
With my credit card, in event of fraud - it's NOT my money that's gone.
I just have to inform the card company that the transaction was not good. And I don't have to pay for it. And since it's not MY money, it's someone else's problem.
At worst, I can't use the affected card and the card company issues me a new card.
That's OK - I have more than one credit card.
I'm far more puzzled by the popularity of debit cards. If stuff happens it's YOUR money that's gone, so YOU have to be the one working your butt off trying to get your money back.
Even cash isn't as safe. You buy something with your credit card and the merchant cheats you, it's a lot easier to fix.
The online merchants AND banks are the ones who should be worried. Too many customers tricked/exploited and their business would be affected.
Sorry, but that's a pretty unlikely exploit. To carry it out, someone has to be convinced to drag and drop an image onto an empty address bar. Have you seen many sites that do that? Have you seen many users who either understand or follow such instructions?
Nonetheless, it'd be a good idea to allow as an option. I thought of this too
This however might conceivably create a new "deadly embrace" vulnerability, if two tabs are demanding to raise requesters and each depends on the other. But if the present system allows only one requester to be showing anyway, perhaps this isn't newly-introduced after all.
Je fume. Tu fumes. Nous fûmes!
> It's open source so it will get fixed quickly post.
Don't forget, you also have a choice to go back to IE and OE if you feel they are more secure. The existence of choice is another important factor of OSS.
Join the Slashcott! Feb 10 thru Feb 17!