Slashdot Mirror
New Vulnerabilities Discovered in Firefox 1.0
jflint writes "Today, the security firm Secunia has released 8 more security vulnerabilities it has discovered in Mozilla products, including Firefox and Thunderbird. The exploits "could be used by criminals to spoof, or fake, various aspects of a Web site, ranging from its SSL secure site icon to the contents of an inactive tab.""
It's open source so it will get fixed quickly post.
Today, the security firm Secunia has released 8 more security bugs it has discovered in Mozilla products, including Firefox and Thunderbird. [......] If you have downloaded the Firefox 1.0.1 update, you have nothing to worry about
Firefox 1.0.1 update was out before today, so did Secunia just look at what 1.0.1 update fixes and release its "bug" report, or did they discover something new to 1.0.1?
Rock that crushes, Paper & Scissors that don't matter.
Why is Slashdot linking to some guy's blog that no one has heard of rather than the actual Securnia advisories page? The blog entry doesn't even link there! I don't even see how this is a story since Firefox 1.0.1 has already been covered on Slashdot, and these vulnerabilites were announced then.
If you have downloaded the Firefox 1.0.1 update, you have nothing to worry about. The Mozilla 1.7.6 and Thunderbird 1.0.1 released should be out this week as well.
No worries, just keep your browser updated.
you can find the patch here. ;)
Marge, get me your address book, 4 beers, and my conversation hat.
Oh my God! I'm switching back to Internet Explorer right away!
I still feel safer than when I use IE.
Most all software has serious bugs, and the up-tick in firefox bug was as predictable as the sun rising. The real key is going to be in how the bugs are dealt with.
Jerry
http://www.syslog.org/
Why this wasn't in the write up is beyond^W entirely to be expected given the recent track record of Slashdot editors... :P
UNIX? They're not even circumcised! Savages!
The bugs have already been dealt with. From TFA: "If you have downloaded the Firefox 1.0.1 update, you have nothing to worry about". In other words, Firefox has already fixed these security bugs and all Firefox user have to do is upgrade to 1.0.1
I actually got an email from a friend of mine on the redmond campus warning me to be careful since I use that dangerous firefox browser about 3 hours ago. I told him I wouldn't believe it until I saw it on slashdot! :D
Your bank can and will ask you to confirm your password at random intervals via email.
If in doubt about who sent the email, click on the link they provide in the email to get to your bank's website to make sure it's them.
And remember, even banks sometimes forget to get their ssl certificates in order. No worries though, MS has been focusing on security for the last couple of years and IE is almost as solid as Firefox is....
That's why I use Firef... uhhh what???
Open source or Closed Source... makes no difference bugs and exploits will always exists. Claiming that firefox is the answer to all security problems is silly. Software by it very nature can be exploited for evil and no code is completely secure. Until people realize that the convience of software is bundled with the risk of exploits and that no matter how many patches or code rewrites exists problems will always exist. Makes me glad i'm in the software bussiness as I know my future is secure..
They want it to look more like "news".
1's and 0's should be free.
Yeah except Avant still uses Internet Explorer as its backend. All of these fixes for Firefox are for potential exploits, not something that's in the wild. It's a lot better track record than Microsoft has by far. Plus nobody's going to pay for Opera and they certainly won't put up with having ads in their browser.
Prediction: In 10 years, if there is no fundamental fix for these sorts of spoofs, or if the underlying model of the web is not changed, web-based commerce will be all but dead.
Are you on crack? People don't hesitate to hand their credit cards over to be carbon copied by pimply faced 17 year olds to make purchases at The Gap, why would they worry about SSL not being perfectly secure?
Really, do we need a story every time some security problem appears in some software package? Surely anyone with half a brain understands that security relies on multiple protections.
Firewall, virus scanner, frequent updates to all software. Maybe a change in OS.
I really ignore all of these endless warnings any more and just trust that frequent updates and scans, and a reasonable amount of common sense and skepticism will protect me pretty much fully.
Three Squirrels
I disagree, though I wouldn't call your post a troll. But since I can't post and untroll you, I'll post and hope someone else might ...
You shouldn't change your tune when security holes are discovered. Security holes exist in any application. Some are discovered, and some aren't. Your defense against security holes is two fold. The first part is that you want security holes to be discovered. The second part is that you want them fixed. The FOSS ideology helps with discovering them. And Mozilla's diligence helps with fixing them ... in fact, these holes have already been fixed.
Compare this with not being able to discover security holes and not being able to fix them, and you start to see why FOSS is good and why Firefox is brilliant.
*blinking cursor*
I too have noticed that lately the /. front page has not been reloading correctly. I am in no way an expert with web page design, so correct me if I am wrong, but could it have something to do with style sheets?
/. front page and no other page that I frequent.
I only have this problem is only with the
Does anyone have an explanation as to why firefox's online update feature doesn't upgrade to 1.0.1?
The man who trades freedom for security does not deserve nor will he ever receive either. - Benjamin Franklin
Hmmm...do you have a webserver on your box, and a no-ad hosts file?
I ran into that when I had IIS installed and a hosts file with many ad servers sent to 127.0.0.1.
I fixed it by turning off the Web Publishing Service.
Welcome to the real world. You can't have your cake and eat it.
Try this one: How long does it take for Linux people to jump all over Windows vulnerabilities that have already been patched as a reason not to use Microsoft products?
Creative Demolition
firescrolling exploit example.... caution exploit code
been out for atleast 2 weeks..... just because the media does not cover something does not mean it doesn't exist.
What?
I never had a problem with slashdot. What exactly makes it "unreadable"?
Sometimes the stories or comments get shoved into the left nav. Sometimes the tables don't render at all leaving a largely blank page. This has been a problem since Netscape 7.0 came out (whatever version of mozilla that was.) In fact, when Slashdot put up the story about NS7 being release, I immediately downloaded it and just as quickly found the problem. I don't use windows much, but under linux, this has been a problem for quite a while. There are work arounds like ctrl +-, but the fact is that Slashdot does not render the same way every time. I have not seen this behavior to this extreme on any other website. If I were a slashcoder, I'd be extremely embarrassed. Then again, it seems that one quality required to be a Slashdot editor/coder is to be able to publicly make a complete fool out of yourself repeatedly for years and not give a shit.
NB
I too have noticed that lately the /. front page has not been reloading correctly. I am in no way an expert with web page design, so correct me if I am wrong, but could it have something to do with style sheets?
No, it's a problem with the way the Gecko engine renders layers.
If you encounter bugs while using IE, it is not your fault, it is Microsoft's fault.
If you encounter bugs while using Firefox,, it is your fault - you should have been using IE. You screwed up.
That's unfortunately the mentality that will keep MS in business for a long time yet.
Engineering is the art of compromise.
I also waited for Firefox to alert me that an update was available, both to be kind to the servers and to see how the update process worked. Yeasterday it alerted me to the update via a new icon next to the activity icon in the upper right of the window.
Interestingly, when I went through the update process, it downloaded and installed the full 1.01 package. Does anyone know if this is how updates will be done in the future, or if Mozilla will migrate to a patch system?
I would rather be killed by a terrorist than enslaved by my government.
They released their list of major vulnurabilities in IE two days before MS released the update and months after they reported the problems originally.
They're just glory whores.
SSL implementations have been barely usable for real people years with their laughably tiny "padlock" indicator.
Bugs aside things are just starting to look reasonable as far as SSL in browsers is concerned.
Firefox puts the "padlock" where someone will actually stand a chance of seeing it (in the urlbar) and also color codes the URL.
Opera does something similar in it's recent beta but also displays the organisational name of the certificate owner aside the padlock.
The spoofing problem isn't a fundamental flaw that is going to doom the future of browser based commerce. The reinvigoration of browser competition has started making things better for the end user.
Boffoonery - downloadable Comedy Benefit for Bletchley Park
Anyone else notice how now that Firefox has gotten pretty big, you're mostly hearing about firefox issues, rather thant he slew of IE issues that we used to be swarming over. In essence it makes sense as most /.ers have upgraded to Firefox, however it just seems to be working that way. I don't think that M$ could have gotten all of the kinks out of IE, so whats the deal?
Once found, if people want to be malicious about it, they'll release the vulnerability information to black hats, then the public, then the company(if at all). If bugs cause people to switch browsers, all that needs to be done is make sure you find more bugs in your competitors software.
I read an article not long ago questioning whether posting vulnerability information in any public forum was really a good idea and the question still remains.
I don't think these kinds of "phishing exploits" should be classified with security vulnerabilities. They make it easier to fool a naive user... but they're not at all necessary... the existing phishing attacks will continue to succeed as long as companies keep asking people to do stupid things.
I really have recieved real, legitimate mail from Microsoft asking me to download and apply a patch... and nobody at Microsoft I spoke to saw anything strange about it... and the IT people where I work have done the same kind of thing even after I asked them not to and they agreed they wouldn't.
The term "Security vulnerabilities" needs to be restricted to things like remote execution attacks, watering it down doesn't help anyone.
...slashdot doesn't display correctly in Firefox 1.0+
More at 11.
i'm willing to deal with a couple firefox vulnerabilities over that browser that runs activeX controls.
I've seen it on other sites as well. Something about table widths being set to 100% or something. On some sites, the main text table cell doesn't show up until there's a reload. The same ctrl- ctrl+ fixes those too or a reload. It's really annoying.
Open Source Java DAO Generator
If anyone wonders about installing, here's what I did:
:/
The DL link can be found here:
http://www.mozilla.org/
After downloading that I closed all windows and uninstalled 1.0 (winXP) by using add/remove programs and clicked yes on delete folder. My settings/profile/chrome stuff is not in that folder, but here in my case:
C:\Documents and Settings\My puter name\Application Data\Mozilla\
Then I installed 1.01 by clicking the exe
Done. My extensions, chrome, bookmarks seem to be intact, which of course was my biggest worry. My start menu just turned black though
The update thing in 1.0 just checked/updated my extensions, and my flash blocker stopped working. I took a look in about:config and the build and version number was still old, so that thing definately didn't update to 1.01
The Chair Corp. comic(*00-12)
Because SSL protects no one against key loggers.
Investigator1: We noticed that the 25 credit card fraud victims each shopped at The Gap five months ago. We talked to the store manager and interviewed the employees. One pimply faced teenager broke down in his interview and admitted he gave the credit card numbers to a member of a well-known, local crime syndicate. We arrested five people in our fair city. We recommend people carefully read their credit card statements each month and report any unauthorized purchases.
Investigator2: We noticed that the 5000 credit card fraud victims had hard drives choking on pornography and had several key loggers. The key loggers were programmed to access an IRC channel that hasn't been active in five months. As the fraudulent purchases all took place in Eastern Europe, it is unlikely we will ever catch the perps. We recommend you do your shopping locally and avoid using the Internet for any financially sensitive activities.
How's that?
I use Internet Explorer.
I think you mean, you won't believe until you have seen the dupe on slashdot.
meh
MS Spokeperson:
Firefox is really not enterprise ready. Just look at the rate of patches. Why in the product's entire lifecycle, they've only had one patch to a production release. Only one!!! Compare that to Internet Explorer, which not a day used to go by that we'd patch something, or make a fix of some form. We've produced more IE patches and fixes than Firefox can ever dream of.
Thusly, we must be much more focused on security. If Firefox/Mozilla were, don't you think they'd have to patch their software as much?
You can't have your cake and eat it.
Sure you can. That's what having your cake means.
After all, I am strangely colored.
(for me) isn't really the technology or the security. IE and firefox are really not that far apart in terms of bugs/features (yet).. the main difference to me is that one on hand, you have a greedy, monopolistic company working outside proper market forces - allowing it to decide when and how it improves its software (IE 6.0 released in Aug 2002 - what major sw app can get away with a 3 year major release cycle?) vs. Firefox/Mozilla - a grass-roots colaboration of people who are trying to make something significant and have fun at the same time.
The choice for me is not a lot different than choosing to live in the Soviet Union or the United States. I'd rather not eat the gruel (or browser) someone else thinks is all I deserve.
-1 Insulting Mods
With my credit card, in event of fraud - it's NOT my money that's gone.
I just have to inform the card company that the transaction was not good. And I don't have to pay for it. And since it's not MY money, it's someone else's problem.
At worst, I can't use the affected card and the card company issues me a new card.
That's OK - I have more than one credit card.
I'm far more puzzled by the popularity of debit cards. If stuff happens it's YOUR money that's gone, so YOU have to be the one working your butt off trying to get your money back.
Even cash isn't as safe. You buy something with your credit card and the merchant cheats you, it's a lot easier to fix.
The online merchants AND banks are the ones who should be worried. Too many customers tricked/exploited and their business would be affected.
Firefox, a version 1.0 product, has minor defects?
OMG, I demand a full refund now!
(But I sure am glad that people smarter than I am are able to inspect the code, find and expose the bugs before disaster strikes.)
What would Groucho do?
I don't think so, automatic update has been on the works since/before the full FF 1.01 release.
By Tuntematon
I would love to see how they actually find some of these vulnerabilities. Direct from secunia : "The vulnerability is caused due to missing URI handler validation when dragging an image with a "javascript:" URL to the address bar. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an arbitrary site by tricking a user into dragging an image to the address bar." Dont think ive ever dragged anything from a web page in my life.. I maybe a newbie though (only been on the net since 1992..
Got a question about UNIX ask it here : Unix/xBSD Forum
No, in practice, debit cards are not covered by the zero liability plan. From VISA's site:
*Covers U.S.-issued cards only. Visa's Zero Liability policy does not apply to commercial card or ATM transactions, or to PIN transactions not processed by Visa. See your Cardholder Agreement for more details.
**Cardholders should always regularly check their monthly statements for transaction accuracy. Financial institutions may impose greater liability on the cardholder if the financial institution reasonably determines that the unauthorized transaction was caused by the gross negligence or fraudulent action of the cardholder--which may include your delay for an unreasonable time in reporting unauthorized transactions.
Before you think 'I can keep my PIN secret, so what's the problem?', try to figure out how a transaction was processed by looking at your bank statement. Was it credit or debit? What network processed the transaction?
I recently had my VISA card used fradulantly, and was stuck footing the bill.
The 'call this number if your card is lost or stolen' number on the back of the card didn't work. Apparently, the organization that I contacted does not handle debit cards.
The charge was for $40; the zero liability plan applies to the first $50 of fradulant transactions.
Of course, my bank "didn't know" how the charges were made, and ATM/pin transactions are not covered, so I couldn't take advantage of the Zero Liability policy without paying the bank to figure it out for me.
I found that the vendor (McAfee) was totally unresponsive (I never managed to contact a human being after trying for a few hours), so I could not obtain any information about the transaction (I thought I would get an IP address or a shipping address. Yeah, right!)
The bank wanted to charge well over $100 to 'launch an investigation', which would be billed as an initial cost plus an hourly fee, and could drag on indefinitely.
VISA charges vendors a few percentage points of every purchase you make. If the per-transaction fees aren't being used to combat fraud on the network, or even to maintain contact information for a handful of major vendors, what are they for?
If the average amount of a transaction is $5, and Visa takes 1% (two very low estimates), that's costing the vendor $0.05. For what? Sending a few kilobytes of data over an encrypted line? Running a (really expensive!?!) database transaction?
I've been dumping around a bit over 1% of my income into this network for years. If federal tax is 20%, that's roughly as much as I've put into the department of education and department of transportation, combined!
At this point, I think I'll just carry cash, since its less of a hassle. If I get mugged, I'm out $100, and that's it. With a VISA card, I get to negotiate with my bank over who is liable for what, and there is a huge risk of electronic fraud. Besides, using cash keeps prices lower, and most businesses are happy to accept it.