Slashdot Mirror

← Back to Stories (view on slashdot.org)

New Vulnerabilities Discovered in Firefox 1.0

Posted by samzenpus on from the protect-yourself-at-all-times dept.

jflint writes "Today, the security firm Secunia has released 8 more security vulnerabilities it has discovered in Mozilla products, including Firefox and Thunderbird. The exploits "could be used by criminals to spoof, or fake, various aspects of a Web site, ranging from its SSL secure site icon to the contents of an inactive tab.""

11 of 406 comments (clear)

  1. The downside of popularity by confusion · · Score: 5, Insightful

    Most all software has serious bugs, and the up-tick in firefox bug was as predictable as the sun rising. The real key is going to be in how the bugs are dealt with.

    Jerry
    http://www.syslog.org/

  2. The most important part of TFA by Zocalo · · Score: 5, Insightful
    "If you have downloaded the Firefox 1.0.1 update, you have nothing to worry about."

    Why this wasn't in the write up is beyond^W entirely to be expected given the recent track record of Slashdot editors... :P

    --
    UNIX? They're not even circumcised! Savages!
    1. Re:The most important part of TFA by sd.fhasldff · · Score: 5, Insightful

      That has to be the most pathetic slashdot blurb I've ever seen. It's grossly misleading and links to a completely assinine site (which, in return, doesn't even link to the Secunia report - the real source).

  3. Re:I frequently talk up by jrcamp · · Score: 5, Insightful

    Yeah except Avant still uses Internet Explorer as its backend. All of these fixes for Firefox are for potential exploits, not something that's in the wild. It's a lot better track record than Microsoft has by far. Plus nobody's going to pay for Opera and they certainly won't put up with having ads in their browser.

  4. Re:New Discovery? by einhverfr · · Score: 5, Insightful

    I personally am grateful to Secunia for helping to look at Firefox's security the way that we should be.

    Like it or not, we need these sorts finding vulnerabilities before the bad guys. No software is 100% secure. But any software has a security record better than IE.

    --

    LedgerSMB: Open source Accounting/ERP
  5. Re:I frequently talk up by merdaccia · · Score: 5, Insightful

    I disagree, though I wouldn't call your post a troll. But since I can't post and untroll you, I'll post and hope someone else might ...

    You shouldn't change your tune when security holes are discovered. Security holes exist in any application. Some are discovered, and some aren't. Your defense against security holes is two fold. The first part is that you want security holes to be discovered. The second part is that you want them fixed. The FOSS ideology helps with discovering them. And Mozilla's diligence helps with fixing them ... in fact, these holes have already been fixed.

    Compare this with not being able to discover security holes and not being able to fix them, and you start to see why FOSS is good and why Firefox is brilliant.

    --

    *blinking cursor*

  6. Re:Here we go... by NEOtaku17 · · Score: 5, Insightful
    "How long before Microsoft jumps all over this, and uses it as yet another FUD related reason not to use Open Source software..."

    Try this one: How long does it take for Linux people to jump all over Windows vulnerabilities that have already been patched as a reason not to use Microsoft products?

    --
    Creative Demolition
  7. That's how the FUD engine works by EmbeddedJanitor · · Score: 5, Insightful
    Nobody ever got fired for buying Microsoft.

    If you encounter bugs while using IE, it is not your fault, it is Microsoft's fault.

    If you encounter bugs while using Firefox,, it is your fault - you should have been using IE. You screwed up.

    That's unfortunately the mentality that will keep MS in business for a long time yet.

    --
    Engineering is the art of compromise.
  8. Phishing "vulnerabilities" need a special category by argent · · Score: 5, Insightful

    I don't think these kinds of "phishing exploits" should be classified with security vulnerabilities. They make it easier to fool a naive user... but they're not at all necessary... the existing phishing attacks will continue to succeed as long as companies keep asking people to do stupid things.

    I really have recieved real, legitimate mail from Microsoft asking me to download and apply a patch... and nobody at Microsoft I spoke to saw anything strange about it... and the IT people where I work have done the same kind of thing even after I asked them not to and they agreed they wouldn't.

    The term "Security vulnerabilities" needs to be restricted to things like remote execution attacks, watering it down doesn't help anyone.

  9. Re:SOP for Secunia... by Myen · · Score: 5, Insightful
    In the case of Mozilla, Secunia regularly regurgitates the offical Mozilla.org advisories (as is this case). Pretty much the time flow goes like:
    • vulnerabilities discovered; reported to mozilla.org
    • they sit for a while
    • eventually fixed and go into the next release
    • after a few days, mozilla.org opens up the security bugs fixed in that release and posts advisories
    • Secunia sees them and posts info on same advisories
    • people see Secunia with Mozilla vulnerabilities

    And I know Secunia didn't come up with the list because
    1. they link to mozilla.org (except in one case, where they linked to iDefense) as original advisories
    2. "Please note: The information, which this Secunia Advisory is based upon, comes from third party unless stated otherwise. Secunia collects, validates, and verifies all vulnerability reports issued by security research groups, vendors, and others."
    3. I recognize names from the list - Phil Ringnalda is the Chatzilla guy, and Doug Turner is Minimo. So they already work on Mozilla a lot. That, and I'm in the list (probably undeserved).
  10. Re:First by DrXym · · Score: 5, Insightful

    Sorry, but that's a pretty unlikely exploit. To carry it out, someone has to be convinced to drag and drop an image onto an empty address bar. Have you seen many sites that do that? Have you seen many users who either understand or follow such instructions?