Slashdot Mirror

← Back to Stories (view on slashdot.org)

New Vulnerabilities Discovered in Firefox 1.0

Posted by samzenpus on from the protect-yourself-at-all-times dept.

jflint writes "Today, the security firm Secunia has released 8 more security vulnerabilities it has discovered in Mozilla products, including Firefox and Thunderbird. The exploits "could be used by criminals to spoof, or fake, various aspects of a Web site, ranging from its SSL secure site icon to the contents of an inactive tab.""

48 of 406 comments (clear)

  1. First by Anonymous Coward · · Score: 4, Funny

    It's open source so it will get fixed quickly post.

    1. Re:First by Anti_zeitgeist · · Score: 4, Funny

      crap....now i have to use IE again!

      --
      If it wasn't for C, we would be stuck using BASI, PASAL and OBOL.
    2. Re:First by ikkonoishi · · Score: 4, Informative

      From TFA

      If you have firefox 1.01 installed you have nothing to worry about.

      Fixed days ago. Now thats speedy service.

    3. Re:First by felipin-sioux · · Score: 5, Informative

      If you have firefox 1.01 installed you have nothing to worry about.

      No, there are security advisories for firefox 1.01, like this one.

      And the story didn't even link the vulnerability report on Mozilla Firefox 1.x from Secunia. Anyway, just stay tuned and have your FF always updated.

      --
      Sorry, this sig is beneath your current threshold
    4. Re:First by DrXym · · Score: 5, Insightful

      Sorry, but that's a pretty unlikely exploit. To carry it out, someone has to be convinced to drag and drop an image onto an empty address bar. Have you seen many sites that do that? Have you seen many users who either understand or follow such instructions?

  2. New Discovery? by fembots · · Score: 5, Interesting

    Today, the security firm Secunia has released 8 more security bugs it has discovered in Mozilla products, including Firefox and Thunderbird. [......] If you have downloaded the Firefox 1.0.1 update, you have nothing to worry about

    Firefox 1.0.1 update was out before today, so did Secunia just look at what 1.0.1 update fixes and release its "bug" report, or did they discover something new to 1.0.1?

    --
    Rock that crushes, Paper & Scissors that don't matter.
    1. Re:New Discovery? by chrisbtoo · · Score: 4, Insightful

      Chances are that they found the 8 bugs in 1.0, reported them to Mozilla, who kept it quiet and fixed them for 1.0.1.

      I guess this is trumpet-blowing from Secunia, together with an advisory as to how important it is to upgrade to 1.0.1.

      --
      Registering accounts later than some other chrisb since 1997
    2. Re:New Discovery? by einhverfr · · Score: 5, Insightful

      I personally am grateful to Secunia for helping to look at Firefox's security the way that we should be.

      Like it or not, we need these sorts finding vulnerabilities before the bad guys. No software is 100% secure. But any software has a security record better than IE.

      --

      LedgerSMB: Open source Accounting/ERP
    3. Re:New Discovery? by Daniel+Boisvert · · Score: 5, Informative

      The update button showed up for me today. I clicked it and it ran me through the download and install of 1.0.1. The automatic update was intentionally delayed because of server capacity issues; apparently they've got them sorted out now.

    4. Re:New Discovery? by juhaz · · Score: 4, Informative

      There is.

      Asa mentioned something about server problems and activating the update for 1.0.1 later, and indeed it did show up today. Granted, it's a week since the release and that's a long time for security update... And windows-only apparently, though Linux users probably update trough their native package systems anyway.

      His blog has more.

    5. Re:New Discovery? by SuperficialRhyme · · Score: 5, Informative

      Secunia just put the list together. Copy/pasting the list and who found them from secunia since someone didn't link to it in the article.

      1) The vulnerability is caused due to the temporary plugin directory being created insecurely. This can be exploited via symlink attacks to delete arbitrary directories with the privileges of the user running Mozilla or Firefox.

      2) The problem is that an inactive tab can launch an HTTP authentication prompt, which appears to be displayed by a website in another tab. This may be exploited to trick a user into entering some sensitive information (e.g. user credentials).

      This is similar to:
      SA12712

      3) An error in the handling of shortcut files (.lnk) can be exploited to overwrite arbitrary files by tricking a user into downloading a shortcut file twice.

      4) The problem is that a XML document can include XSLT stylesheets from arbitrary sites, which may be exploited to disclose some sensitive information.

      5) An error in the form fill feature (autocomplete) allows reading suggested values before they are chosen. This can be exploited to disclose some potentially sensitive input by tricking a user into arrowing through some autocompleted values.

      6) A memory handling error in Mozilla string classes may allow overwriting of memory if the browser runs out of memory during string growth. This can potentially be exploited to execute arbitrary code.

      7) The problem is that the hostname can be obfuscated in the installation confirmation dialog by including an overly long username and password. This can be exploited to trick users into accepting installations from untrusted sources.

      Successful exploitation requires that the malicious website is allowed to request installations.

      8) It is possible to cause a heap overflow due to an error when converting malformed UTF8 character sequences to Unicode. This may be exploited to cause a heap overflow and execute arbitrary code, however, general web content is not converted using the vulnerable code.

      9) Various errors make it possible to show the "secure site" lock icon with certificate information belonging to a different site.

      Provided and/or discovered by:
      1) Tavis Ormandy
      2) Christian Schmidt
      3) Masayuki Nakano
      4) Georgi Guninski
      5) Matt Brubeck
      6) Independently discovered by:
      * Daniel de Wildt
      * Gaël Delalleau
      7) Phil Ringnalda
      8) wind li
      9) Mook, Doug Turner, Kohei Yoshino, M. Deaudelin

    6. Re:New Discovery? by einhverfr · · Score: 4, Insightful

      Ok.... IE has two major security issues inherent in its design and that is zone permission elevation while the other is ActiveX related.

      Mozilla/Firefox has another-- XUL display. XUL is a great technology, but it is difficult to handle because the main UI rendering is too closely tied to the rendering of the web site. There is a security barrier which is designed to keep one from harming the system but it is not designed to prevent spoofing of apps. Hopefully a defence barrier can be built in.

      Don't believe me? pasting this into your address bar: chrome://navigator/content/navigator.xul (only works in Mozilla)

      For example, something simple like "Components in Chrome are locked by default and only unlocked components can be modified outside of Chrome" would be a nice start.

      --

      LedgerSMB: Open source Accounting/ERP
    7. Re:New Discovery? by aneroid · · Score: 5, Informative
      2) The problem is that an inactive tab can launch an HTTP authentication prompt, which appears to be displayed by a website in another tab. This may be exploited to trick a user into entering some sensitive information (e.g. user credentials).

      i always wanted that modal dialog to be made non- and only appear for that tab (when it's in focus).

      i doubt this would've prevented the bug. but the page it was appearing for would be obvious. a possible hack to that could be...have a javascript window which is already open make the connection. in that case, even if the js window is shown, with the browser most likely behind it, it wouldn't be obvious. could fix that too :P by outlining the window/tab that calls it. of course, even that could...
    8. Re:New Discovery? by interiot · · Score: 4, Informative
      Riiiiiight.

      Sure, you can copy-and-paste anything you want into your URL bar, and hit enter. This takes time, and thought, and you have to look at the string in two different places, so it's reasonably secure based on that.

      The only security problems that could arise would be if there were links that you could click on, or bookmark them. Try it here (slashdot won't let you write chrome:// URLs unfortunately). It doesn't work.

      There are tons of security measures related to XPI/XUL, the Firefox team has IMHO taken an OVERLY aggressive approach to XUL/XPI issues. You know why there are several extra steps required in Firefox to install an XPI plugin? Because there were some theoretical exploits where someone might ask a user to click on a place on the screen over and over (eg. hit the monkey), and then display the XPI dialog there, and the user might end up clicking "yes, please install" before they realized that they were running potentially suspicious code. So now users have to wait a few seconds before being able to click.

      Users CAN actually configure their browser to let remote sites do just about anything, include read/write files, change the clipboard, etc., because this is sometimes something that's useful that users might want from a few special sites. But it's a pain in the butt to get the several security configuration settings set properly, and again, as a developer, I think they might have overdone it.

    9. Re:New Discovery? by LnxAddct · · Score: 5, Interesting

      It is certainly good that people are looking out for bugs, but Secunia didn't find these. They just compiled a list of known bugs that were fixed in 1.0.1. Their site is supposed to be a consolidated source for finding vulnerabilites and researching the security of applications, which means whether or not they find the vulnerabilites, they report on them.
      Regards,
      Steve

    10. Re:New Discovery? by taylortbb · · Score: 5, Informative

      They started rolling it out for windows only but they had the cancel it. Linux and Mac users were getting the windows only code and that was causing problems so it was disabled. It is now back for windows users.

      http://weblogs.mozillazine.org/asa/

    11. Re:New Discovery? by raehl · · Score: 4, Funny

      A site that just compiles a list of information produced by others? Who would read something like that?

      Maybe if it had comments.....

      --
      paintball
  3. What the hell? by Anonymous Coward · · Score: 5, Informative

    Why is Slashdot linking to some guy's blog that no one has heard of rather than the actual Securnia advisories page? The blog entry doesn't even link there! I don't even see how this is a story since Firefox 1.0.1 has already been covered on Slashdot, and these vulnerabilites were announced then.

    1. Re:What the hell? by AndroidCat · · Score: 5, Funny

      Firefox 1.0.1? What the..?! Windows Update never mentioned a thing about that, must be broken!

      --
      One line blog. I hear that they're called Twitters now.
  4. patch here by Coneasfast · · Score: 5, Funny

    you can find the patch here. ;)

    --
    Marge, get me your address book, 4 beers, and my conversation hat.
    1. Re:patch here by Anonymous Coward · · Score: 4, Informative

      don't mod parent as troll, it's a joke, a parody of the fact that someone posts a link to firefox when there is a IE vul. story.

      oh forget it, some of you mods are dumber than a deck of cards.

  5. Emergency! by Peter_Pork · · Score: 5, Funny

    Oh my God! I'm switching back to Internet Explorer right away!

    1. Re:Emergency! by kagelump · · Score: 5, Funny

      uh... funny? i think this meant to be informative

  6. And yet... by tannmann · · Score: 5, Funny

    I still feel safer than when I use IE.

  7. The downside of popularity by confusion · · Score: 5, Insightful

    Most all software has serious bugs, and the up-tick in firefox bug was as predictable as the sun rising. The real key is going to be in how the bugs are dealt with.

    Jerry
    http://www.syslog.org/

  8. The most important part of TFA by Zocalo · · Score: 5, Insightful
    "If you have downloaded the Firefox 1.0.1 update, you have nothing to worry about."

    Why this wasn't in the write up is beyond^W entirely to be expected given the recent track record of Slashdot editors... :P

    --
    UNIX? They're not even circumcised! Savages!
    1. Re:The most important part of TFA by sd.fhasldff · · Score: 5, Insightful

      That has to be the most pathetic slashdot blurb I've ever seen. It's grossly misleading and links to a completely assinine site (which, in return, doesn't even link to the Secunia report - the real source).

  9. The bugs have already been fixed by Anonymous Coward · · Score: 4, Informative

    The bugs have already been dealt with. From TFA: "If you have downloaded the Firefox 1.0.1 update, you have nothing to worry about". In other words, Firefox has already fixed these security bugs and all Firefox user have to do is upgrade to 1.0.1

  10. Re:Here we go... by hawks5999 · · Score: 5, Funny

    I actually got an email from a friend of mine on the redmond campus warning me to be careful since I use that dangerous firefox browser about 3 hours ago. I told him I wouldn't believe it until I saw it on slashdot! :D

  11. remember people by Anonymous Coward · · Score: 5, Funny

    Your bank can and will ask you to confirm your password at random intervals via email.

    If in doubt about who sent the email, click on the link they provide in the email to get to your bank's website to make sure it's them.

    And remember, even banks sometimes forget to get their ssl certificates in order. No worries though, MS has been focusing on security for the last couple of years and IE is almost as solid as Firefox is....

  12. Hah! by Anonymous Coward · · Score: 4, Funny

    That's why I use Firef... uhhh what???

  13. Firefox bugs by benspikey · · Score: 4, Insightful

    Open source or Closed Source... makes no difference bugs and exploits will always exists. Claiming that firefox is the answer to all security problems is silly. Software by it very nature can be exploited for evil and no code is completely secure. Until people realize that the convience of software is bundled with the risk of exploits and that no matter how many patches or code rewrites exists problems will always exist. Makes me glad i'm in the software bussiness as I know my future is secure..

  14. Re:I frequently talk up by jrcamp · · Score: 5, Insightful

    Yeah except Avant still uses Internet Explorer as its backend. All of these fixes for Firefox are for potential exploits, not something that's in the wild. It's a lot better track record than Microsoft has by far. Plus nobody's going to pay for Opera and they certainly won't put up with having ads in their browser.

  15. Re:Internet Commerce On Its Way Out by GeorgeMcBay · · Score: 4, Insightful


    Prediction: In 10 years, if there is no fundamental fix for these sorts of spoofs, or if the underlying model of the web is not changed, web-based commerce will be all but dead.

    Are you on crack? People don't hesitate to hand their credit cards over to be carbon copied by pimply faced 17 year olds to make purchases at The Gap, why would they worry about SSL not being perfectly secure?

  16. Every day is insecure by rueger · · Score: 4, Insightful

    Really, do we need a story every time some security problem appears in some software package? Surely anyone with half a brain understands that security relies on multiple protections.

    Firewall, virus scanner, frequent updates to all software. Maybe a change in OS.

    I really ignore all of these endless warnings any more and just trust that frequent updates and scans, and a reasonable amount of common sense and skepticism will protect me pretty much fully.

    --
    Three Squirrels
  17. Re:I frequently talk up by merdaccia · · Score: 5, Insightful

    I disagree, though I wouldn't call your post a troll. But since I can't post and untroll you, I'll post and hope someone else might ...

    You shouldn't change your tune when security holes are discovered. Security holes exist in any application. Some are discovered, and some aren't. Your defense against security holes is two fold. The first part is that you want security holes to be discovered. The second part is that you want them fixed. The FOSS ideology helps with discovering them. And Mozilla's diligence helps with fixing them ... in fact, these holes have already been fixed.

    Compare this with not being able to discover security holes and not being able to fix them, and you start to see why FOSS is good and why Firefox is brilliant.

    --

    *blinking cursor*

  18. Re:Here we go... by NEOtaku17 · · Score: 5, Insightful
    "How long before Microsoft jumps all over this, and uses it as yet another FUD related reason not to use Open Source software..."

    Try this one: How long does it take for Linux people to jump all over Windows vulnerabilities that have already been patched as a reason not to use Microsoft products?

    --
    Creative Demolition
  19. Re:I frequently talk up by badriram · · Score: 4, Informative

    firescrolling exploit example.... caution exploit code

    been out for atleast 2 weeks..... just because the media does not cover something does not mean it doesn't exist.

  20. Re:THANK YOU SLASHDOT!!! by Aeiri · · Score: 4, Informative

    I too have noticed that lately the /. front page has not been reloading correctly. I am in no way an expert with web page design, so correct me if I am wrong, but could it have something to do with style sheets?

    No, it's a problem with the way the Gecko engine renders layers.

  21. That's how the FUD engine works by EmbeddedJanitor · · Score: 5, Insightful
    Nobody ever got fired for buying Microsoft.

    If you encounter bugs while using IE, it is not your fault, it is Microsoft's fault.

    If you encounter bugs while using Firefox,, it is your fault - you should have been using IE. You screwed up.

    That's unfortunately the mentality that will keep MS in business for a long time yet.

    --
    Engineering is the art of compromise.
    1. Re:That's how the FUD engine works by nacturation · · Score: 4, Funny

      Nobody ever got fired for buying Microsoft.

      Given that it's a free download, if you bought Internet Explorer, you *should* be fired.

      --
      Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
    2. Re:That's how the FUD engine works by cerberusss · · Score: 4, Insightful
      If you encounter bugs while using IE, it is not your fault, it is Microsoft's fault

      This is funny, but very true. The same goes for MS Office documents. If you open a Word document in a different version of MS Word and it gets fragged, it's not your fault, it is Microsoft's fault.

      If, however, you open that same document in OpenOffice and it renders it wrong because of some crazy layout (think table cells that span multiple pages...), then YOU are to blame. You should have "just used normal programs"...

      This stuff drives me mad...

      --
      8 of 13 people found this answer helpful. Did you?
  22. Re:Firefox 1.0 doesn't tell you about 1.01 by Soldrinero · · Score: 5, Interesting

    I also waited for Firefox to alert me that an update was available, both to be kind to the servers and to see how the update process worked. Yeasterday it alerted me to the update via a new icon next to the activity icon in the upper right of the window.

    Interestingly, when I went through the update process, it downloaded and installed the full 1.01 package. Does anyone know if this is how updates will be done in the future, or if Mozilla will migrate to a patch system?

    --
    I would rather be killed by a terrorist than enslaved by my government.
  23. SOP for Secunia... by Anonymous Coward · · Score: 5, Interesting

    They released their list of major vulnurabilities in IE two days before MS released the update and months after they reported the problems originally.

    They're just glory whores.

    1. Re:SOP for Secunia... by Myen · · Score: 5, Insightful
      In the case of Mozilla, Secunia regularly regurgitates the offical Mozilla.org advisories (as is this case). Pretty much the time flow goes like:
      • vulnerabilities discovered; reported to mozilla.org
      • they sit for a while
      • eventually fixed and go into the next release
      • after a few days, mozilla.org opens up the security bugs fixed in that release and posts advisories
      • Secunia sees them and posts info on same advisories
      • people see Secunia with Mozilla vulnerabilities

      And I know Secunia didn't come up with the list because
      1. they link to mozilla.org (except in one case, where they linked to iDefense) as original advisories
      2. "Please note: The information, which this Secunia Advisory is based upon, comes from third party unless stated otherwise. Secunia collects, validates, and verifies all vulnerability reports issued by security research groups, vendors, and others."
      3. I recognize names from the list - Phil Ringnalda is the Chatzilla guy, and Doug Turner is Minimo. So they already work on Mozilla a lot. That, and I'm in the list (probably undeserved).
  24. Phishing "vulnerabilities" need a special category by argent · · Score: 5, Insightful

    I don't think these kinds of "phishing exploits" should be classified with security vulnerabilities. They make it easier to fool a naive user... but they're not at all necessary... the existing phishing attacks will continue to succeed as long as companies keep asking people to do stupid things.

    I really have recieved real, legitimate mail from Microsoft asking me to download and apply a patch... and nobody at Microsoft I spoke to saw anything strange about it... and the IT people where I work have done the same kind of thing even after I asked them not to and they agreed they wouldn't.

    The term "Security vulnerabilities" needs to be restricted to things like remote execution attacks, watering it down doesn't help anyone.

  25. This just in... by Transcendent · · Score: 4, Funny

    ...slashdot doesn't display correctly in Firefox 1.0+

    More at 11.

  26. the real difference by IdentifiedDareDevil · · Score: 4, Interesting

    (for me) isn't really the technology or the security. IE and firefox are really not that far apart in terms of bugs/features (yet).. the main difference to me is that one on hand, you have a greedy, monopolistic company working outside proper market forces - allowing it to decide when and how it improves its software (IE 6.0 released in Aug 2002 - what major sw app can get away with a 3 year major release cycle?) vs. Firefox/Mozilla - a grass-roots colaboration of people who are trying to make something significant and have fun at the same time.

    The choice for me is not a lot different than choosing to live in the Soviet Union or the United States. I'd rather not eat the gruel (or browser) someone else thinks is all I deserve.