Slashdot Mirror


New Vulnerabilities Discovered in Firefox 1.0

jflint writes "Today, the security firm Secunia has released 8 more security vulnerabilities it has discovered in Mozilla products, including Firefox and Thunderbird. The exploits "could be used by criminals to spoof, or fake, various aspects of a Web site, ranging from its SSL secure site icon to the contents of an inactive tab.""

28 of 406 comments

  1. New Discovery? by fembots · · Score: 5, Interesting

    Today, the security firm Secunia has released 8 more security bugs it has discovered in Mozilla products, including Firefox and Thunderbird. [......] If you have downloaded the Firefox 1.0.1 update, you have nothing to worry about

    Firefox 1.0.1 update was out before today, so did Secunia just look at what 1.0.1 update fixes and release its "bug" report, or did they discover something new to 1.0.1?

    1. Re:New Discovery? by einhverfr · · Score: 5, Insightful

      I personally am grateful to Secunia for helping to look at Firefox's security the way that we should be.

      Like it or not, we need these sorts finding vulnerabilities before the bad guys. No software is 100% secure. But any software has a security record better than IE.

      --

      LedgerSMB: Open source Accounting/ERP
    2. Re:New Discovery? by Daniel+Boisvert · · Score: 5, Informative

      The update button showed up for me today. I clicked it and it ran me through the download and install of 1.0.1. The automatic update was intentionally delayed because of server capacity issues; apparently they've got them sorted out now.

    3. Re:New Discovery? by SuperficialRhyme · · Score: 5, Informative

      Secunia just put the list together. Copy/pasting the list and who found them from secunia since someone didn't link to it in the article.

      1) The vulnerability is caused due to the temporary plugin directory being created insecurely. This can be exploited via symlink attacks to delete arbitrary directories with the privileges of the user running Mozilla or Firefox.

      2) The problem is that an inactive tab can launch an HTTP authentication prompt, which appears to be displayed by a website in another tab. This may be exploited to trick a user into entering some sensitive information (e.g. user credentials).

      This is similar to:
      SA12712

      3) An error in the handling of shortcut files (.lnk) can be exploited to overwrite arbitrary files by tricking a user into downloading a shortcut file twice.

      4) The problem is that a XML document can include XSLT stylesheets from arbitrary sites, which may be exploited to disclose some sensitive information.

      5) An error in the form fill feature (autocomplete) allows reading suggested values before they are chosen. This can be exploited to disclose some potentially sensitive input by tricking a user into arrowing through some autocompleted values.

      6) A memory handling error in Mozilla string classes may allow overwriting of memory if the browser runs out of memory during string growth. This can potentially be exploited to execute arbitrary code.

      7) The problem is that the hostname can be obfuscated in the installation confirmation dialog by including an overly long username and password. This can be exploited to trick users into accepting installations from untrusted sources.

      Successful exploitation requires that the malicious website is allowed to request installations.

      8) It is possible to cause a heap overflow due to an error when converting malformed UTF8 character sequences to Unicode. This may be exploited to cause a heap overflow and execute arbitrary code, however, general web content is not converted using the vulnerable code.

      9) Various errors make it possible to show the "secure site" lock icon with certificate information belonging to a different site.

      Provided and/or discovered by:
      1) Tavis Ormandy
      2) Christian Schmidt
      3) Masayuki Nakano
      4) Georgi Guninski
      5) Matt Brubeck
      6) Independently discovered by:
      * Daniel de Wildt
      * Gaël Delalleau
      7) Phil Ringnalda
      8) wind li
      9) Mook, Doug Turner, Kohei Yoshino, M. Deaudelin
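
Item 7 in the list above (the hostname hidden in the installation confirmation dialog by an overly long username and password) is illustrated here with an added example; it is not part of the original comment and is not Mozilla's code. The function names, `DIALOG_WIDTH` and every URL are constructed for the illustration: the weak form truncates the raw URL, the hardened form parses it and shows only the real host.

```javascript
// Added illustration; function names, DIALOG_WIDTH and all URLs are constructed.
const DIALOG_WIDTH = 60; // assumed number of characters the prompt can display

// Constructed sample: a long "username" that looks like a trusted host,
// followed by the host the install would really come from.
const SAMPLE = "https://addons.trusted.example" + "-".repeat(80) +
  ":x@installs.untrusted.example/ext.xpi";

// Weak form: show the raw URL cut to the dialog width. The userinfo fills
// the visible part and the real host is pushed out of view.
function naiveLabel(rawUrl) {
  return rawUrl.length > DIALOG_WIDTH
    ? rawUrl.slice(0, DIALOG_WIDTH) + "..."
    : rawUrl;
}

// Hardened form: parse first, never display userinfo, show scheme and host
// only, and report embedded credentials so the caller can warn or refuse.
function installPromptLabel(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch (err) {
    return { ok: false, label: "(unparseable URL)", hadUserinfo: false };
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") {
    return { ok: false, label: "(unsupported scheme)", hadUserinfo: false };
  }
  const hadUserinfo = url.username !== "" || url.password !== "";
  // If the host itself is too long, elide on the left so the rightmost
  // labels (the registered domain) always stay visible.
  const host = url.host.length > DIALOG_WIDTH
    ? "..." + url.host.slice(-(DIALOG_WIDTH - 3))
    : url.host;
  return { ok: true, label: url.protocol + "//" + host, hadUserinfo };
}

console.log(naiveLabel(SAMPLE));
console.log(installPromptLabel(SAMPLE));
```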

    4. Re:New Discovery? by aneroid · · Score: 5, Informative
      2) The problem is that an inactive tab can launch an HTTP authentication prompt, which appears to be displayed by a website in another tab. This may be exploited to trick a user into entering some sensitive information (e.g. user credentials).

      i always wanted that modal dialog to be made non- and only appear for that tab (when it's in focus).

      i doubt this would've prevented the bug. but the page it was appearing for would be obvious. a possible hack to that could be...have a javascript window which is already open make the connection. in that case, even if the js window is shown, with the browser most likely behind it, it wouldn't be obvious. could fix that too :P by outlining the window/tab that calls it. of course, even that could...
    5. Re:New Discovery? by LnxAddct · · Score: 5, Interesting

      It is certainly good that people are looking out for bugs, but Secunia didn't find these. They just compiled a list of known bugs that were fixed in 1.0.1. Their site is supposed to be a consolidated source for finding vulnerabilities and researching the security of applications, which means whether or not they find the vulnerabilities, they report on them.
      Regards,
      Steve

    6. Re:New Discovery? by taylortbb · · Score: 5, Informative

      They started rolling it out for windows only but they had to cancel it. Linux and Mac users were getting the windows only code and that was causing problems so it was disabled. It is now back for windows users.

      http://weblogs.mozillazine.org/asa/

  2. What the hell? by Anonymous Coward · · Score: 5, Informative

    Why is Slashdot linking to some guy's blog that no one has heard of rather than the actual Secunia advisories page? The blog entry doesn't even link there! I don't even see how this is a story since Firefox 1.0.1 has already been covered on Slashdot, and these vulnerabilities were announced then.

    1. Re:What the hell? by AndroidCat · · Score: 5, Funny

      Firefox 1.0.1? What the..?! Windows Update never mentioned a thing about that, must be broken!

      --
      One line blog. I hear that they're called Twitters now.
  3. patch here by Coneasfast · · Score: 5, Funny

    you can find the patch here. ;)

    --
    Marge, get me your address book, 4 beers, and my conversation hat.
  4. Emergency! by Peter_Pork · · Score: 5, Funny

    Oh my God! I'm switching back to Internet Explorer right away!

    1. Re:Emergency! by kagelump · · Score: 5, Funny

      uh... funny? i think this meant to be informative

  5. And yet... by tannmann · · Score: 5, Funny

    I still feel safer than when I use IE.

  6. The downside of popularity by confusion · · Score: 5, Insightful

    Most all software has serious bugs, and the up-tick in firefox bug was as predictable as the sun rising. The real key is going to be in how the bugs are dealt with.

    Jerry
    http://www.syslog.org/

  7. The most important part of TFA by Zocalo · · Score: 5, Insightful
    "If you have downloaded the Firefox 1.0.1 update, you have nothing to worry about."

    Why this wasn't in the write up is beyond^W entirely to be expected given the recent track record of Slashdot editors... :P

    --
    UNIX? They're not even circumcised! Savages!
    1. Re:The most important part of TFA by sd.fhasldff · · Score: 5, Insightful

      That has to be the most pathetic slashdot blurb I've ever seen. It's grossly misleading and links to a completely asinine site (which, in return, doesn't even link to the Secunia report - the real source).

  8. Re:Here we go... by hawks5999 · · Score: 5, Funny

    I actually got an email from a friend of mine on the redmond campus warning me to be careful since I use that dangerous firefox browser about 3 hours ago. I told him I wouldn't believe it until I saw it on slashdot! :D

  9. remember people by Anonymous Coward · · Score: 5, Funny

    Your bank can and will ask you to confirm your password at random intervals via email.

    If in doubt about who sent the email, click on the link they provide in the email to get to your bank's website to make sure it's them.

    And remember, even banks sometimes forget to get their ssl certificates in order. No worries though, MS has been focusing on security for the last couple of years and IE is almost as solid as Firefox is....

  10. Re:I frequently talk up by jrcamp · · Score: 5, Insightful

    Yeah except Avant still uses Internet Explorer as its backend. All of these fixes for Firefox are for potential exploits, not something that's in the wild. It's a lot better track record than Microsoft has by far. Plus nobody's going to pay for Opera and they certainly won't put up with having ads in their browser.

  11. Re:I frequently talk up by merdaccia · · Score: 5, Insightful

    I disagree, though I wouldn't call your post a troll. But since I can't post and untroll you, I'll post and hope someone else might ...

    You shouldn't change your tune when security holes are discovered. Security holes exist in any application. Some are discovered, and some aren't. Your defense against security holes is two fold. The first part is that you want security holes to be discovered. The second part is that you want them fixed. The FOSS ideology helps with discovering them. And Mozilla's diligence helps with fixing them ... in fact, these holes have already been fixed.

    Compare this with not being able to discover security holes and not being able to fix them, and you start to see why FOSS is good and why Firefox is brilliant.

    --

    *blinking cursor*

  12. Re:Here we go... by NEOtaku17 · · Score: 5, Insightful
    "How long before Microsoft jumps all over this, and uses it as yet another FUD related reason not to use Open Source software..."

    Try this one: How long does it take for Linux people to jump all over Windows vulnerabilities that have already been patched as a reason not to use Microsoft products?

  13. That's how the FUD engine works by EmbeddedJanitor · · Score: 5, Insightful
    Nobody ever got fired for buying Microsoft.

    If you encounter bugs while using IE, it is not your fault, it is Microsoft's fault.

    If you encounter bugs while using Firefox, it is your fault - you should have been using IE. You screwed up.

    That's unfortunately the mentality that will keep MS in business for a long time yet.

    --
    Engineering is the art of compromise.
  14. Re:Firefox 1.0 doesn't tell you about 1.01 by Soldrinero · · Score: 5, Interesting

    I also waited for Firefox to alert me that an update was available, both to be kind to the servers and to see how the update process worked. Yesterday it alerted me to the update via a new icon next to the activity icon in the upper right of the window.

    Interestingly, when I went through the update process, it downloaded and installed the full 1.01 package. Does anyone know if this is how updates will be done in the future, or if Mozilla will migrate to a patch system?

    --
    I would rather be killed by a terrorist than enslaved by my government.
  15. SOP for Secunia... by Anonymous Coward · · Score: 5, Interesting

    They released their list of major vulnerabilities in IE two days before MS released the update and months after they reported the problems originally.

    They're just glory whores.

    1. Re:SOP for Secunia... by Myen · · Score: 5, Insightful
      In the case of Mozilla, Secunia regularly regurgitates the official Mozilla.org advisories (as is this case). Pretty much the time flow goes like:
      • vulnerabilities discovered; reported to mozilla.org
      • they sit for a while
      • eventually fixed and go into the next release
      • after a few days, mozilla.org opens up the security bugs fixed in that release and posts advisories
      • Secunia sees them and posts info on same advisories
      • people see Secunia with Mozilla vulnerabilities

      And I know Secunia didn't come up with the list because
      1. they link to mozilla.org (except in one case, where they linked to iDefense) as original advisories
      2. "Please note: The information, which this Secunia Advisory is based upon, comes from third party unless stated otherwise. Secunia collects, validates, and verifies all vulnerability reports issued by security research groups, vendors, and others."
      3. I recognize names from the list - Phil Ringnalda is the Chatzilla guy, and Doug Turner is Minimo. So they already work on Mozilla a lot. That, and I'm in the list (probably undeserved).
  16. Phishing "vulnerabilities" need a special category by argent · · Score: 5, Insightful

    I don't think these kinds of "phishing exploits" should be classified with security vulnerabilities. They make it easier to fool a naive user... but they're not at all necessary... the existing phishing attacks will continue to succeed as long as companies keep asking people to do stupid things.

    I really have received real, legitimate mail from Microsoft asking me to download and apply a patch... and nobody at Microsoft I spoke to saw anything strange about it... and the IT people where I work have done the same kind of thing even after I asked them not to and they agreed they wouldn't.

    The term "Security vulnerabilities" needs to be restricted to things like remote execution attacks, watering it down doesn't help anyone.

  17. Re:First by felipin-sioux · · Score: 5, Informative

    If you have firefox 1.01 installed you have nothing to worry about.

    No, there are security advisories for firefox 1.01, like this one.

    And the story didn't even link the vulnerability report on Mozilla Firefox 1.x from Secunia. Anyway, just stay tuned and have your FF always updated.

    --
    Sorry, this sig is beneath your current threshold
  18. Re:First by DrXym · · Score: 5, Insightful

    Sorry, but that's a pretty unlikely exploit. To carry it out, someone has to be convinced to drag and drop an image onto an empty address bar. Have you seen many sites that do that? Have you seen many users who either understand or follow such instructions?