Slashdot Mirror

← Back to Stories (view on slashdot.org)

New Vulnerabilities Discovered in Firefox 1.0

Posted by samzenpus on from the protect-yourself-at-all-times dept.

jflint writes "Today, the security firm Secunia has released 8 more security vulnerabilities it has discovered in Mozilla products, including Firefox and Thunderbird. The exploits "could be used by criminals to spoof, or fake, various aspects of a Web site, ranging from its SSL secure site icon to the contents of an inactive tab.""

17 of 406 comments (clear)

  1. The downside of popularity by confusion · · Score: 5, Insightful

    Most all software has serious bugs, and the up-tick in firefox bug was as predictable as the sun rising. The real key is going to be in how the bugs are dealt with.

    Jerry
    http://www.syslog.org/

  2. The most important part of TFA by Zocalo · · Score: 5, Insightful
    "If you have downloaded the Firefox 1.0.1 update, you have nothing to worry about."

    Why this wasn't in the write up is beyond^W entirely to be expected given the recent track record of Slashdot editors... :P

    --
    UNIX? They're not even circumcised! Savages!
    1. Re:The most important part of TFA by sd.fhasldff · · Score: 5, Insightful

      That has to be the most pathetic slashdot blurb I've ever seen. It's grossly misleading and links to a completely assinine site (which, in return, doesn't even link to the Secunia report - the real source).

  3. Re:New Discovery? by chrisbtoo · · Score: 4, Insightful

    Chances are that they found the 8 bugs in 1.0, reported them to Mozilla, who kept it quiet and fixed them for 1.0.1.

    I guess this is trumpet-blowing from Secunia, together with an advisory as to how important it is to upgrade to 1.0.1.

    --
    Registering accounts later than some other chrisb since 1997
  4. Firefox bugs by benspikey · · Score: 4, Insightful

    Open source or Closed Source... makes no difference bugs and exploits will always exists. Claiming that firefox is the answer to all security problems is silly. Software by it very nature can be exploited for evil and no code is completely secure. Until people realize that the convience of software is bundled with the risk of exploits and that no matter how many patches or code rewrites exists problems will always exist. Makes me glad i'm in the software bussiness as I know my future is secure..

  5. Re:I frequently talk up by jrcamp · · Score: 5, Insightful

    Yeah except Avant still uses Internet Explorer as its backend. All of these fixes for Firefox are for potential exploits, not something that's in the wild. It's a lot better track record than Microsoft has by far. Plus nobody's going to pay for Opera and they certainly won't put up with having ads in their browser.

  6. Re:New Discovery? by einhverfr · · Score: 5, Insightful

    I personally am grateful to Secunia for helping to look at Firefox's security the way that we should be.

    Like it or not, we need these sorts finding vulnerabilities before the bad guys. No software is 100% secure. But any software has a security record better than IE.

    --

    LedgerSMB: Open source Accounting/ERP
  7. Re:Internet Commerce On Its Way Out by GeorgeMcBay · · Score: 4, Insightful


    Prediction: In 10 years, if there is no fundamental fix for these sorts of spoofs, or if the underlying model of the web is not changed, web-based commerce will be all but dead.

    Are you on crack? People don't hesitate to hand their credit cards over to be carbon copied by pimply faced 17 year olds to make purchases at The Gap, why would they worry about SSL not being perfectly secure?

  8. Every day is insecure by rueger · · Score: 4, Insightful

    Really, do we need a story every time some security problem appears in some software package? Surely anyone with half a brain understands that security relies on multiple protections.

    Firewall, virus scanner, frequent updates to all software. Maybe a change in OS.

    I really ignore all of these endless warnings any more and just trust that frequent updates and scans, and a reasonable amount of common sense and skepticism will protect me pretty much fully.

    --
    Three Squirrels
  9. Re:I frequently talk up by merdaccia · · Score: 5, Insightful

    I disagree, though I wouldn't call your post a troll. But since I can't post and untroll you, I'll post and hope someone else might ...

    You shouldn't change your tune when security holes are discovered. Security holes exist in any application. Some are discovered, and some aren't. Your defense against security holes is two fold. The first part is that you want security holes to be discovered. The second part is that you want them fixed. The FOSS ideology helps with discovering them. And Mozilla's diligence helps with fixing them ... in fact, these holes have already been fixed.

    Compare this with not being able to discover security holes and not being able to fix them, and you start to see why FOSS is good and why Firefox is brilliant.

    --

    *blinking cursor*

  10. Re:New Discovery? by einhverfr · · Score: 4, Insightful

    Ok.... IE has two major security issues inherent in its design and that is zone permission elevation while the other is ActiveX related.

    Mozilla/Firefox has another-- XUL display. XUL is a great technology, but it is difficult to handle because the main UI rendering is too closely tied to the rendering of the web site. There is a security barrier which is designed to keep one from harming the system but it is not designed to prevent spoofing of apps. Hopefully a defence barrier can be built in.

    Don't believe me? pasting this into your address bar: chrome://navigator/content/navigator.xul (only works in Mozilla)

    For example, something simple like "Components in Chrome are locked by default and only unlocked components can be modified outside of Chrome" would be a nice start.

    --

    LedgerSMB: Open source Accounting/ERP
  11. Re:Here we go... by NEOtaku17 · · Score: 5, Insightful
    "How long before Microsoft jumps all over this, and uses it as yet another FUD related reason not to use Open Source software..."

    Try this one: How long does it take for Linux people to jump all over Windows vulnerabilities that have already been patched as a reason not to use Microsoft products?

    --
    Creative Demolition
  12. That's how the FUD engine works by EmbeddedJanitor · · Score: 5, Insightful
    Nobody ever got fired for buying Microsoft.

    If you encounter bugs while using IE, it is not your fault, it is Microsoft's fault.

    If you encounter bugs while using Firefox,, it is your fault - you should have been using IE. You screwed up.

    That's unfortunately the mentality that will keep MS in business for a long time yet.

    --
    Engineering is the art of compromise.
    1. Re:That's how the FUD engine works by cerberusss · · Score: 4, Insightful
      If you encounter bugs while using IE, it is not your fault, it is Microsoft's fault

      This is funny, but very true. The same goes for MS Office documents. If you open a Word document in a different version of MS Word and it gets fragged, it's not your fault, it is Microsoft's fault.

      If, however, you open that same document in OpenOffice and it renders it wrong because of some crazy layout (think table cells that span multiple pages...), then YOU are to blame. You should have "just used normal programs"...

      This stuff drives me mad...

      --
      8 of 13 people found this answer helpful. Did you?
  13. Phishing "vulnerabilities" need a special category by argent · · Score: 5, Insightful

    I don't think these kinds of "phishing exploits" should be classified with security vulnerabilities. They make it easier to fool a naive user... but they're not at all necessary... the existing phishing attacks will continue to succeed as long as companies keep asking people to do stupid things.

    I really have recieved real, legitimate mail from Microsoft asking me to download and apply a patch... and nobody at Microsoft I spoke to saw anything strange about it... and the IT people where I work have done the same kind of thing even after I asked them not to and they agreed they wouldn't.

    The term "Security vulnerabilities" needs to be restricted to things like remote execution attacks, watering it down doesn't help anyone.

  14. Re:SOP for Secunia... by Myen · · Score: 5, Insightful
    In the case of Mozilla, Secunia regularly regurgitates the offical Mozilla.org advisories (as is this case). Pretty much the time flow goes like:
    • vulnerabilities discovered; reported to mozilla.org
    • they sit for a while
    • eventually fixed and go into the next release
    • after a few days, mozilla.org opens up the security bugs fixed in that release and posts advisories
    • Secunia sees them and posts info on same advisories
    • people see Secunia with Mozilla vulnerabilities

    And I know Secunia didn't come up with the list because
    1. they link to mozilla.org (except in one case, where they linked to iDefense) as original advisories
    2. "Please note: The information, which this Secunia Advisory is based upon, comes from third party unless stated otherwise. Secunia collects, validates, and verifies all vulnerability reports issued by security research groups, vendors, and others."
    3. I recognize names from the list - Phil Ringnalda is the Chatzilla guy, and Doug Turner is Minimo. So they already work on Mozilla a lot. That, and I'm in the list (probably undeserved).
  15. Re:First by DrXym · · Score: 5, Insightful

    Sorry, but that's a pretty unlikely exploit. To carry it out, someone has to be convinced to drag and drop an image onto an empty address bar. Have you seen many sites that do that? Have you seen many users who either understand or follow such instructions?