Slashdot Mirror
New Vulnerabilities Discovered in Firefox 1.0
jflint writes "Today, the security firm Secunia has released 8 more security vulnerabilities it has discovered in Mozilla products, including Firefox and Thunderbird. The exploits "could be used by criminals to spoof, or fake, various aspects of a Web site, ranging from its SSL secure site icon to the contents of an inactive tab.""
It's open source so it will get fixed quickly post.
Today, the security firm Secunia has released 8 more security bugs it has discovered in Mozilla products, including Firefox and Thunderbird. [......] If you have downloaded the Firefox 1.0.1 update, you have nothing to worry about
Firefox 1.0.1 update was out before today, so did Secunia just look at what 1.0.1 update fixes and release its "bug" report, or did they discover something new to 1.0.1?
Rock that crushes, Paper & Scissors that don't matter.
Why is Slashdot linking to some guy's blog that no one has heard of rather than the actual Securnia advisories page? The blog entry doesn't even link there! I don't even see how this is a story since Firefox 1.0.1 has already been covered on Slashdot, and these vulnerabilites were announced then.
you can find the patch here. ;)
Marge, get me your address book, 4 beers, and my conversation hat.
Oh my God! I'm switching back to Internet Explorer right away!
I still feel safer than when I use IE.
Most all software has serious bugs, and the up-tick in firefox bug was as predictable as the sun rising. The real key is going to be in how the bugs are dealt with.
Jerry
http://www.syslog.org/
Why this wasn't in the write up is beyond^W entirely to be expected given the recent track record of Slashdot editors... :P
UNIX? They're not even circumcised! Savages!
The bugs have already been dealt with. From TFA: "If you have downloaded the Firefox 1.0.1 update, you have nothing to worry about". In other words, Firefox has already fixed these security bugs and all Firefox user have to do is upgrade to 1.0.1
I actually got an email from a friend of mine on the redmond campus warning me to be careful since I use that dangerous firefox browser about 3 hours ago. I told him I wouldn't believe it until I saw it on slashdot! :D
Your bank can and will ask you to confirm your password at random intervals via email.
If in doubt about who sent the email, click on the link they provide in the email to get to your bank's website to make sure it's them.
And remember, even banks sometimes forget to get their ssl certificates in order. No worries though, MS has been focusing on security for the last couple of years and IE is almost as solid as Firefox is....
That's why I use Firef... uhhh what???
Open source or Closed Source... makes no difference bugs and exploits will always exists. Claiming that firefox is the answer to all security problems is silly. Software by it very nature can be exploited for evil and no code is completely secure. Until people realize that the convience of software is bundled with the risk of exploits and that no matter how many patches or code rewrites exists problems will always exist. Makes me glad i'm in the software bussiness as I know my future is secure..
Yeah except Avant still uses Internet Explorer as its backend. All of these fixes for Firefox are for potential exploits, not something that's in the wild. It's a lot better track record than Microsoft has by far. Plus nobody's going to pay for Opera and they certainly won't put up with having ads in their browser.
Prediction: In 10 years, if there is no fundamental fix for these sorts of spoofs, or if the underlying model of the web is not changed, web-based commerce will be all but dead.
Are you on crack? People don't hesitate to hand their credit cards over to be carbon copied by pimply faced 17 year olds to make purchases at The Gap, why would they worry about SSL not being perfectly secure?
Really, do we need a story every time some security problem appears in some software package? Surely anyone with half a brain understands that security relies on multiple protections.
Firewall, virus scanner, frequent updates to all software. Maybe a change in OS.
I really ignore all of these endless warnings any more and just trust that frequent updates and scans, and a reasonable amount of common sense and skepticism will protect me pretty much fully.
Three Squirrels
Supposedly. By my reading of Asa's blog, if you use the en-US version (most of Slashdot), then you should be able to get an update. Specifically, check out the entries localized 1.0.1 updates and another try at update.
However, I use the en-US version, and my Firefox refuses to auto-update. So it doesn't appear to be working for everyone. (I'm behind a firewall, if that matters.)
You are in a maze of twisty little relative jumps, all alike.
I disagree, though I wouldn't call your post a troll. But since I can't post and untroll you, I'll post and hope someone else might ...
You shouldn't change your tune when security holes are discovered. Security holes exist in any application. Some are discovered, and some aren't. Your defense against security holes is two fold. The first part is that you want security holes to be discovered. The second part is that you want them fixed. The FOSS ideology helps with discovering them. And Mozilla's diligence helps with fixing them ... in fact, these holes have already been fixed.
Compare this with not being able to discover security holes and not being able to fix them, and you start to see why FOSS is good and why Firefox is brilliant.
*blinking cursor*
Hmmm...do you have a webserver on your box, and a no-ad hosts file?
I ran into that when I had IIS installed and a hosts file with many ad servers sent to 127.0.0.1.
I fixed it by turning off the Web Publishing Service.
Try this one: How long does it take for Linux people to jump all over Windows vulnerabilities that have already been patched as a reason not to use Microsoft products?
Creative Demolition
firescrolling exploit example.... caution exploit code
been out for atleast 2 weeks..... just because the media does not cover something does not mean it doesn't exist.
I too have noticed that lately the /. front page has not been reloading correctly. I am in no way an expert with web page design, so correct me if I am wrong, but could it have something to do with style sheets?
No, it's a problem with the way the Gecko engine renders layers.
If you encounter bugs while using IE, it is not your fault, it is Microsoft's fault.
If you encounter bugs while using Firefox,, it is your fault - you should have been using IE. You screwed up.
That's unfortunately the mentality that will keep MS in business for a long time yet.
Engineering is the art of compromise.
I also waited for Firefox to alert me that an update was available, both to be kind to the servers and to see how the update process worked. Yeasterday it alerted me to the update via a new icon next to the activity icon in the upper right of the window.
Interestingly, when I went through the update process, it downloaded and installed the full 1.01 package. Does anyone know if this is how updates will be done in the future, or if Mozilla will migrate to a patch system?
I would rather be killed by a terrorist than enslaved by my government.
They released their list of major vulnurabilities in IE two days before MS released the update and months after they reported the problems originally.
They're just glory whores.
SSL implementations have been barely usable for real people years with their laughably tiny "padlock" indicator.
Bugs aside things are just starting to look reasonable as far as SSL in browsers is concerned.
Firefox puts the "padlock" where someone will actually stand a chance of seeing it (in the urlbar) and also color codes the URL.
Opera does something similar in it's recent beta but also displays the organisational name of the certificate owner aside the padlock.
The spoofing problem isn't a fundamental flaw that is going to doom the future of browser based commerce. The reinvigoration of browser competition has started making things better for the end user.
Boffoonery - downloadable Comedy Benefit for Bletchley Park
Anyone else notice how now that Firefox has gotten pretty big, you're mostly hearing about firefox issues, rather thant he slew of IE issues that we used to be swarming over. In essence it makes sense as most /.ers have upgraded to Firefox, however it just seems to be working that way. I don't think that M$ could have gotten all of the kinks out of IE, so whats the deal?
It does, Mozilla delayed the update because the servers were getting overloaded when it first came out. By now it should report there being an update and allow you to install that.
I don't think these kinds of "phishing exploits" should be classified with security vulnerabilities. They make it easier to fool a naive user... but they're not at all necessary... the existing phishing attacks will continue to succeed as long as companies keep asking people to do stupid things.
I really have recieved real, legitimate mail from Microsoft asking me to download and apply a patch... and nobody at Microsoft I spoke to saw anything strange about it... and the IT people where I work have done the same kind of thing even after I asked them not to and they agreed they wouldn't.
The term "Security vulnerabilities" needs to be restricted to things like remote execution attacks, watering it down doesn't help anyone.
...slashdot doesn't display correctly in Firefox 1.0+
More at 11.
I've seen it on other sites as well. Something about table widths being set to 100% or something. On some sites, the main text table cell doesn't show up until there's a reload. The same ctrl- ctrl+ fixes those too or a reload. It's really annoying.
Open Source Java DAO Generator
I use Internet Explorer.
I think you mean, you won't believe until you have seen the dupe on slashdot.
meh
(for me) isn't really the technology or the security. IE and firefox are really not that far apart in terms of bugs/features (yet).. the main difference to me is that one on hand, you have a greedy, monopolistic company working outside proper market forces - allowing it to decide when and how it improves its software (IE 6.0 released in Aug 2002 - what major sw app can get away with a 3 year major release cycle?) vs. Firefox/Mozilla - a grass-roots colaboration of people who are trying to make something significant and have fun at the same time.
The choice for me is not a lot different than choosing to live in the Soviet Union or the United States. I'd rather not eat the gruel (or browser) someone else thinks is all I deserve.
-1 Insulting Mods
I would love to see how they actually find some of these vulnerabilities. Direct from secunia : "The vulnerability is caused due to missing URI handler validation when dragging an image with a "javascript:" URL to the address bar. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an arbitrary site by tricking a user into dragging an image to the address bar." Dont think ive ever dragged anything from a web page in my life.. I maybe a newbie though (only been on the net since 1992..
Got a question about UNIX ask it here : Unix/xBSD Forum