New Mozilla Firefox 1.0.3 Exploit
An anonymous reader writes "News sources are reporting that a 'killer' new Firefox exploit has been revealed today by FrSIRT who warn that this 0day exploit/vulnerability (as yet unpatched) should be rated as critical. Summary of the exploit: If a user clicks anywhere on a specially crafted page, this code will automatically create and execute a malicious batch/exe file. Proof of concept code supplied by FrSIRT."
Oh, wait.
What is wrong with a campaign to fix bugs? Their lives consist of programming: writing software AND fixing all bugs.
Because THAT, with some documentation, would be helpful. Still, as long as it doesn't create *nix r00tkits on the fly on my box, I'm on the safe side :)
Fantastic. Now we'll see Microsoft going "OMG DON'T USE FIREFOX YOU CAN'T EVEN CLICK ON SOMETHING SAFELY!". I guess this is at least 1 step up from "just come to the page, we'll own your PC and you don't even need a mouse".
I like muppets.
And everyone will say "oh no firefox is a security risk" whaaaa. Well, this isn't really the case and is overstating things just a bit. When it comes down to it, firefox still has many quicker fixes and the bug is probably already fixed by now.
So if this is the case, where is the problem? A non-issue if you ask me.
Why can't these people just get a life?
Which people?
Newsfollow.com
Maybe it's time to accept Firefox has its fair share of exploits?
And the best part, is the patch management system in Firefox is so damn poor (ie. non-existent), getting these patches distributed to end-users is a real damn chore (assuming they are distributed at all).
That's nasty! I'm glad that in Linux files aren't automagically executable when you give them a certain name :)
...hilarious fan-boi apologism (wherein mind-crushingly tortured logic spins this awful security flaw into something that is actually a feature yet another reason why Firefox is better than IE!) in 5...4...3...2...1...
This was reported to the mozilla bugzilla a while ago. https://bugzilla.mozilla.org/show_bug.cgi?id=29269 1
This post isn't interesting at all! I mean, read it - where's the substance?
I'm using Linux too, but from what I hear, a significant amount of Windows users are completely and totally failing to trigger the exploit. Have any Windows users managed to get it to actually work, yet?
Firefox had the advantage of being able to fix bugs revealed by IE exploits. This gave the illusion of it being a bulletproof browser. Now that it has caught up with IE, it has exploits of its own which just show that it's not much better than IE (coding standard-wise).
As long as programs are written by humans, there'll be flaws. It's a fact of software-development.
Will I have to download another 4.5MB so that I can fix this flaw?
... the page is /.'ed... 0day kiddies won't be able to get their hands on the exploit till tomorrow and by then Mozilla dev team has patched it.
Exploit summery? Well, the weather is improving but I doubt that the exploit caused it.
Bugzilla bug 293302 has been filed. A temporary fix has been implemented on UMO.
...at work for you.
"Summery?" Really? --Support your planet or get the hell out--
"Is this Winkhorst a nova criminal?" "No just a technical sergeant wanted for interrogation."
didn't work
Firefox has rightly earnt a strong following, but in the proud tradition of the FANBOY, some firefox nuts will probably have an adverse reaction to the news that firefox has a vulnerability, and subsequently die.
It looks like a hacker alias, but it really stands for French Security Incident Response Team. Exploit description cached here.
---- Just another spud server.
Subj says it all. That html page after loading into firefox gives javascript error on some line according to JS console...
Does it work really?
They were already working on patching this, but it was stolen before they could finish and leaked to bugtraq with LIVE material in the exploit (it's not a proof of concept, folks!) and no explanation or advisory.
Reminder: Bugzilla blocks /. referers. Copy URL and paste in new to view. (Beware Slashcode's extra spaces.)
https://bugzilla.mozilla.org/show_bug.cgi?id=29269 1 < Original security bug (probably still blocked to outsiders to prevent someone stealing it before mitigation)
https://bugzilla.mozilla.org/show_bug.cgi?id=2933 0 2 < Duplicate (reported after leak)
They are going to release a 1.0.4 shortly, I gather.
Still more timely than most of Microsoft's advisories... despite their earlier announcement. http://www.eeye.com/html/research/upcoming/index.h tml
A^C^E, a Firefox security researcher, is claiming on Addict3D.org that this is a 0day duplicate of a leaked, known bug. He says, "I suspect that my server was compromised, and I am currently using my contacts to find the culprit and bring him to justice."
Also, bugzilla.mozilla.org is claiming they've been slashdotted. Go easy on em.
...but Firefox keeps suggesting I run it with Wine. I don't get it, I'm not thirsty. I'd rather run it with a nice plate of steak and eggs.
My God! It's full of Voids!
...with Firefox 1.0.3 on Windows 2000, and it didn't execute anything. Anyone else try it on Windows?
Well, it is harmless on Linux.
What remains is that most people who I have shown Firefox to don't click the little red bell when it appears, and so won't update to get the fix to this problem. Firefox needs to be more forceful with its updates.
Uncheck Tools > Options > Web Features > Allow web sites to install software
There's... a bug... in firefox?? *gasp* *hack* *cough* I think... I may be having a heart attack... They told me it was so much better! *wheeze*
Just curious, I downloaded the page and loaded it up on several systems:
Win XP, Firefox 1.0.3
Win 2k, Firefox 1.0.3
FreeBSD, Firefox 1.0.3
and none of them did anything. The javascript looks like it should save a file (c:\booom.bat) and run it which should echo "malicious commands here" and wait for a keypress.
Is this truly an issue with Firefox and not some other software? If so, any ideas why it doesn't work?
I cant run exe files anyhooo! hehehe
Disable JavaScript, or disable the "Allow web sites to install software" option [Tools - Options - Web Features].
Why would anyone run routinely with "Allow web sites to install software" enabled ?
it is 'mostly harmless'.
It takes a man to suffer ignorance and smile
Be yourself no matter what they say
If you can't get to the link, source for the exploit is available here:
http://www.securityfocus.com.nyud.net:8090/archiv e /1/397747/2005-05-05/2005-05-11/2
Has this already been fixed in the latest-trunk builds (aka 1.03 specific) or is this a firefox-wide bug? Also, does this affect (effect? I can never remember) other iterations, like Mozilla, Netscape, K-Meleon, etc?
FrSIRT Vulnerability Alert!!
FrSIRT will go down 2 minutes after the start of a brutal Slashdotting.
Firefox has rightly earnt a strong following, but in the proud tradition of the FANBOY, some firefox nuts will probably have an adverse reaction to the news that firefox has a vulnerability, and subsequently die ;)
Just be glad he didn't make any reference to sharks with fricking firefox exploits strapped to their heads. In that case our moderator overlords (whom I welcome by the way) would have granted him a +5 funny in double quick time!
While I was reading the comments I highlighted some text, and firefox crashed immediately.
the patch management system in Firefox is so damn poor (ie. non-existent)
Pretty much any modern OS distribution comes with a package manager that handles upgrading for you. Time for you to upgrade your OS perhaps.
I'll probably be modded down for this...
Where I work, the computer network installs Firefox on all of the Windows boxes, and makes it hard to find IE. This is in the name of "security."
Unfortunately, IE is updated with the Automatic Windows Updates, while Firefox is only updated by us when a new Windows template is rolled out on all the computers every 6 months or so.
From a security standpoint, fully updated IE is much better than unupdated Firefox. Unfortunately, anti-Microsoft zealotry keeps people from making rational decisions on the subject.
At least it could offer me a beer or something.
Or some apple juice, natch. ;p
"Empathise with stupidity, and you're halfway to thinking like an idiot." - Iain M. Banks
It's news when one Firefox exploit is found.
When is Microsoft going to fix ActiveX?
They don't know why, or how. It just does.
First to the "reporter", if your server leaked information, perhaps you should work on that. Did you place it in a location that was reachable through the Internet, even to be denied later on? It's easy to do, but still.
Second, Mozilla should only install software from whitelisted locations. This should mean that the "exploit" should popup a whitelist window, with the URL and ask for your consent to "install software" which significantly reduces the 'clinical' effects of this exploit. My mother would call me.
Have there been any Firefox exploits that aren't just wrappers for windows bugs yet? The only one that comes to mind is the i18 phishing/hostname display issue.
Since I'm using a multi-user operating system, I created an extra user called "untrusted", who runs my web browser. This way, the worst that anything can do is destroy my browser settings. "untrusted" doesn't own any valuable files.
There was a server side change that prevents the exploit from working on UMO. You only need to be concerned with sites on your install software whitelist.
These people look deep within my soul and assign me a number based upon the order I joined. -Homer Simpson
There's not many comments yet, but most of them have a similar theme: " Oh no, now Microsoft and Internet Explorer users can get payback for all the trash talk we've thrown at them." Then they rationalize it with, "But, MS and IE are way worse because of quantity, severity, and duration until patch."
Now think about it for a minute. Who are you really at war against? Security exploits and the people who would exploit them, or browsers other than the one you use and the people that use them?
This reminds me of the days when Mac zealots would get all freaked out every time PC's got faster. "OMG, this is bad news! Now there are 3GHz PCs for under 500 dollars!"
This really boils down to people rating the quality of Product A compared to the suckiness of Product B. Personally, I've been using Products A, B, and C for a long time. When there is a problem found with Product B, that really doesn't make Product A perform the task I use it for any better.
If you want to call yourself a truly knowledgeable computer user, then you have to acknowledge that Products A, B, and C all have their strengths and weaknesses and therefore have tasks they're better suited for as well as tasks in which they're not the best solution.
If you look at it from the proper perspective, every time an exploit is found by good people before bad people have a chance to do harm with it then it is good for everyone.
This particular exploit also demonstrates how foolish it is to posture and sling insults. The whole time FF users slung insults at IE when exploits were found, this exploit was there lurking below the surface waiting to be found.
Let applications that are without exploit cast the first stone. Since that's never going to happen, argue your cause based on its merits.
I truly don't understand why these security firms publish these problems (and even example code!) before giving the vendor time to fix the problem. And they justify it by acting like the Vendor is ignoring them. "We contacted Microsoft yesterday about this exploit, but have yet to respond, so we figured that we should tell the entire world how to take advantage of the problem".
... specifically windows, right? haven't gotten too many .exe running on my mac, and installing malicious code on my c drive ...
the only relevant cross platform exploits still depend on ms office, afaik ;-)
Yet another zero-day exploit released as a publicity stunt by a so-called security consulting firm ... the scourge of legitimate information-security professionals.
FrSIRT calls itself "a leading security research organisation employing an international team of Internet security experts to provide an outsourced, Web-based approach to securing a company's cyberspace." Pure marketspeak.
anyone who allows a 0day site to install software automagically quite frankly deserves to have their computer disabled.
this= new Teacup.Storm();
"Allow web sites to install software"
which in itself opens the clueless to all sorts of mischief
where does 'personal responsibility' end and 'crappy product support' begin?
stuff your mouse with burning inscense(insense?) and while swinging in the fashion of a pendulum, repeat 444 times:
"My computer is a tool, My computer is not an appliance"
Today is the day that you should brave the yellow face, go upstairs and thank your mom for letting you turn the basement into a Nethack dungeon. Not posting in the typical smarmy, "I told you so" Slashdot fashion. You never told me so. You just say it now to look 'visionary'.
Firefox is going to have bugs, it's going to break, it's going to suck sometimes. The difference between it and IE is that the Firefox devs actually *care*.
So put on a less dirty shirt, douse yourself with some of that Stetson cologne you got for Christmas about ten years ago, pick some dandelions and go tell your mom 'Happy Mother's Day'.
the AOL-employees should just concentrate on producing spyware instead of trying to make a browser.
They do. That's why the Mozilla Foundation is a separate entity.
Not here (WinXP, FF 1.0.3).
The javascript console informs me that the javascript contains an "unterminated string literal" which is probably causing it to fail.
... bug-compatible with IE, are we?
Microsoft takes a lifetime to fix major bugs. This is why we've had ALL IFrames blocked at our firewall for a period over 6 months - just in case some IE user would be affected, hereby crippling most websites, rendering them useless.
Exploits like this come out like every week for IE. And what makes it that much more of a risk than any firefox exploit is the browser is used by a LOT of people, so it is VERY likely to be used by malicious pages, unlike in this case. Plus, the firefox bugs are fixed quickly, and since most people will be running updated versions really quick, it'll be pretty pointless to have bothered with it. Just how many of the few firefox users can you nail down in a couple days, versus all the joe users using IE at home over a 6 month period?
IE will also load up every system with spyware and other crap without needing the user to do anything. From a security standpoint, nothing is worse than IE.
I'm sorry, but you REALLY don't have a point at all- and no, I'm not an anti-microsoft zealot. IE is being proven highly unsafe day after day after day, welcome to reality.
I'm amazed at the number of people verifying that this works by trying to recreate it. Why bother writing a self-replicating virus, just post it on Slashdot!
I keep testing the batch file.exe exploit it says and just can't seem to get it to work??
-Hack
-Fedora Core Test 4
Got Geometrodynamics? Awe, too hard to figure out? Too bad.
Secunia have already released an advisory explaining how the exploit works:
http://secunia.com/advisories/15292/
This is the first Firefox exploit that has received the rating 'Extremely Critical'.
--- Extract from Secunia's site ---
Description:
Two vulnerabilities have been discovered in Firefox, which can be exploited by malicious people to conduct cross-site scripting attacks and compromise a user's system.
1) The problem is that "IFRAME" JavaScript URLs are not properly protected from being executed in context of another URL in the history list. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an arbitrary site.
2) Input passed to the "IconURL" parameter in "InstallTrigger.install()" is not properly verified before being used. This can be exploited to execute arbitrary JavaScript code with escalated privileges via a specially crafted JavaScript URL.
Successful exploitation requires that the site is allowed to install software (default sites are "update.mozilla.org" and "addons.mozilla.org").
A combination of vulnerability 1 and 2 can be exploited to execute arbitrary code.
NOTE: Exploit code is publicly available.
The vulnerabilities have been confirmed in version 1.0.3. Other versions may also be affected.
Solution:
Disable JavaScript.
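Issue 2 in the advisory extract above is a caller-supplied URL (`IconURL`) reaching privileged code without its scheme being checked. A sketch of that missing check, as an added example that is not Mozilla's fix and not code from the thread; the function names, the allowed-scheme policy, the `addons.example` host and the sample inputs are all assumptions constructed for illustration:

```javascript
// Added illustration: validate a caller-supplied icon URL before privileged
// UI code is allowed to load it. Names and policy here are assumptions.

// Schemes an install-dialog icon may be fetched from (assumed policy).
const ALLOWED_ICON_SCHEMES = new Set(['http:', 'https:']);

// Resolve iconUrl against the page requesting the install and decide whether
// it may be handed on. Returns { ok: true, url } or { ok: false, reason }.
function checkIconUrl(iconUrl, pageUrl) {
  if (typeof iconUrl !== 'string' || iconUrl.length === 0) {
    return { ok: false, reason: 'empty or non-string icon URL' };
  }
  let resolved;
  try {
    // Parse with the same URL parser a loader would use. A naive
    // iconUrl.startsWith('javascript:') test misses mixed case, leading
    // whitespace and embedded tabs, all of which the parser normalises.
    resolved = new URL(iconUrl, new URL(pageUrl));
  } catch (e) {
    return { ok: false, reason: 'unparseable URL' };
  }
  // Allowlist rather than blocklist: anything that is not plain http(s),
  // including javascript: and data:, is refused.
  if (!ALLOWED_ICON_SCHEMES.has(resolved.protocol)) {
    return { ok: false, reason: 'scheme not allowed: ' + resolved.protocol };
  }
  return { ok: true, url: resolved.href };
}

// Run a batch of install requests through the check and return the refusals.
function rejectedIcons(iconUrls, pageUrl) {
  return iconUrls
    .map((u) => ({ input: u, result: checkIconUrl(u, pageUrl) }))
    .filter((r) => !r.result.ok);
}

// Constructed sample inputs (not taken from the published exploit).
const SAMPLE_PAGE = 'https://addons.example/list/';
const SAMPLE_ICON_URLS = [
  'https://addons.example/icons/ext.png', // absolute, allowed
  'icons/ext.png',                        // relative, resolves to https
  'javascript:void(0)',                   // script URL
  '  JaVaScRiPt:void(0)',                 // case and whitespace variant
  'java\tscript:void(0)',                 // embedded tab variant
  'data:text/html,<b>x</b>',              // inline document
  '',                                     // empty
];

for (const r of rejectedIcons(SAMPLE_ICON_URLS, SAMPLE_PAGE)) {
  console.log(JSON.stringify(r.input), '->', r.result.reason);
}
```

The check belongs on the privileged side of the boundary, at the point where the value is consumed, so that it holds regardless of which page supplied the argument.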
I'll probably be modded down for this...
Posting from Konqueror on Linux
pretty fucking impressive! thanks for the heads-up
Bring on the "OMG i WiLL SWiTCH TO iE L0L0L" jokes.
This means the exploit is Windows only. If Microsoft did a better job of locking people out of the Administrator account, this would not be an issue. MS should make using the Administrator account as difficult as possible and there really should be an exam that users need to pass before they are authorized to have access to it. I'd like to see this exploit even try to do this on a properly configured *nix system where the user is smart enough to know not to run as root. In fact, I would go as far as saying that the browser itself should not allow users to run it if they are logged in as Administrator or root without having the knowledge as to how to do it. Hehe. We need to take exams to get a driver's license, the same should be done with computers. Of course, look at the number of people who don't follow the rule of the road (obeying speed limits, using turn indicators, NOT tailgating, etc...) and I suppose an exam like this wouldn't totally stop the idiots from turning the on switch on.
-"...bad old ideas look confusingly fresh when they are packaged as technology" - Jaron Lanier (Digital Maoism on Edge.o
go to http://extensionroom.mozdev.org/more-info/prefbutt ons
and install the prefbuttons extension.
Then "customize toolbar" and drag the send-referrer-checkbox to your toolbar.
You have to have the FlashGot extension *and* a download manager for this to work.
I don't and I tried this several times and the c:\boom.bat was never created.
Looks to me "security" "specialists" in France are quite clueless.
Hey, I'm happy to get anything working on Windows,
seems like this code is not one of those things?
this.showSig(false)
That all software has bugs, and there's no real point in pointing fingers at any one software company, large or small, open source or not.
... here they come.
Does the code work on SP2?
I tried the proof-of-concept exploit provided, but it didn't seem to work. I loaded the page, and clicked it like a mad-man.. nothing.
My system is GNU/Linux running Firefox 1.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050414 Firefox/1.0.3
Clicked on the page several times - nothing happens except a couple of javascript errors.
Are these "security researchers" trying to get free publicity?
Rediculous is ridiculous!
Well, I'd better protect my Linux and OS X boxes, then...
If a malicious site has been added to the whitelist, then you've probably already installed malicious software from it. The default install does not appear exploitable.
This just goes to show that the more popular an application, the more people will try and find exploits for it.
As FF's marketshare grows, so will the number of exploits found.
I tried loading the exploit web page, but nothing happens.
There must be more factors needed to enable this that they didn't elaborate on.
If you are running your web browser as root, and you get rooted, then it is your fault.
Don't run as root unless you have to.
I'll probably be modded down for this...
The lesson I've learned is that building secure applications on windows is like a house with a foundation of sand.
create and execute a malicious batch/exe file.
How does this affect systems where user is restricted privilege-wise? If you're on a Unix-style system (includes OS X?), wouldn't the worst that could happen is that it could hose your $HOME? (You would be able to restore from your backups. (Backups, right?))
Or the attacker could scan for personal information through the script and do some identity theft (probably worse than the deletion of $HOME).
One thing people forget with IE is that the program is just a front-end to Windows' HTML rendering libraries. If there's an issue with that library then all the programs that use it are affected (like Outlook?). The libraries of FF are less likely to be used by other programs.
In the same vein if OS X's WebKit ever had an issue it would be a big deal since just about all programs that deal with HTML on the Mac use it since it works pretty well and the APIs are so convenient to use.
Not defending either set up or software, just some ideas on how things are organized by the two programs.
Either way, this exploit requires a Windows based system... hmmm... I guess I'm safe either of my primary systems - FreeBSD and Slackware...
At work I currently run FireFox 1.03 on Windows and at home I run Firefox 1.00 on Mandrake Linux.
I've not had to upgrade the Linux version yet due to any security scares, so what is with the Windows version?
Are the coders doing a bad job or is it actually Windows that is the problem?
THE HONOUR OF THE KNIGHTS - CC Licensed Sci-Fi Novel
That's why you need Cisco Security Agent. It stops Day 0 attacks, virii spyware, worms, etc.. Does use signatures and has never been compromised yet.
www.cisco.com/go/csa
--- RFC 1149 Compliant.
And turn off all those executable bits.
Unless Firefox resets it for you. In which case, LD_PRELOAD a library that intercepts the umask() library call.
Any information if this affects regular mozilla?
That it is a good thing that the Firefox download is only 5 mb...
And how often do people actually download the IE updates? As a phone support guy, I can tell you that 9 out of ten people who call in have never run Windows update. At least Firefox lets you know when there is an update available for it. Windows Update just sits in the corner and tells you that updates are available in general...no hints as to what updates.
Don't take life so seriously. No one makes it out alive.
All these exploits being found is proof M$ is just trying to damage the credibility of FOSS by finding bugs in our popular software. Storm the gates of Redmond so we can go back to our stuffy elitist thinking as soon as possible!
For people running Firefox in a business or school with centrally locked down settings I think a quick fix might be to add
lockpref("xpinstall.enabled", false);
xpinstall.enabled seems to be the preference changed by "Allow websites to install software"
The basic problem is that the Mozilla developers, in their futile attempt to create a "platform", put in a mechanism comparable to Active-X - a way to dynamically download executable programs. Of course, they tried to make sure this "feature" could not be used for purposes of evil. Like Microsoft, they failed.
Understand, this isn't subtle. The code uses built-in Mozilla JavaScript extensions to create a local file in a very straightforward way. It then calls "nsILocalFile::launch()" (which does exactly what you think it does) to launch it. Those are capabilities that shouldn't be in a browser's JavaScript engine at all.
Having designed in a potential security hole big enough to drive a semitrailer through, they tried to make it "secure" with the usual crap approaches - signatures, lists of trusted sites, and disabling for certain types of URLs. They failed. They forgot to make those checks for "favicon.ico" files (Mozilla's implementation of a Microsoft icon-in-the-toolbar gimmick.)
Plugging that hole is not the answer. The problem is more fundamental. "nsILocalFile::launch()" needs to be removed. Browsers have no business launching arbitrary executable programs. Period.
Last week I tried posting under Ask Slashdot about the possibility of Firefox somehow being exploited, after realizing that having only four programs installed and hadn't used IE except for the initial windows update.
I guess I was right. Ah well, I tried warning everyone.
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
unlike in Windows, it also wouldn't have superuser privileges.
Linspire (or at least older versions thereof) runs as superuser.
http://secunia.com/advisories/15292/
it says in the article
"Successful exploitation requires that the site is allowed to install software (default sites are "update.mozilla.org" and "addons.mozilla.org")."
I tried it, it doesn't work.
"Nothing to see here... go back to your homes and resume using firefox"
From a security standpoint, fully updated IE is much better than unupdated Firefox.
Unfortunately, a legit copy of the full update to IE costs at least $100 for users of Microsoft Windows 2000 operating systems.
In a nutshell, Firefox has the idea that some sites are privileged (namely the sites on the whitelist for installing software), it lets privileged sites have a dangerous degree of control over the user's computer, and it has at least one way for unprivileged sites to execute code in the context of a privileged site.
What are the important differences between this and Microsoft Internet Explorer? In MSIE some sites are in the Trusted Sites or Local Machine zones and therefore privileged. Such sites have a dangerous degree of control over the user's computer, and there have been many ways for unprivileged sites to execute code in the context of a privileged site.
Is Firefox doing something better than IE in its design, or are we going to see a whole class of bugs like this one in the future?
I've advocated running web browsers as a guest user for a while, but there are two problems:
This exploit just like a ton of others uses javascript. The language that has no purpose anymore.
Why can't we modify it or find something to replace it ?
specifically windows, right? haven't gotten too many .exe running on my mac,
If you have to deal with the web site of a government, the only bank with branches in town, or some other monopoly, and that web site works only with IE for Windows, then you have to run IE in Virtual PC in order to access that web site.
Sounds like a windows only vulnerability. Are the Mac and Linux versions open to the hole as well?
Well that's the essential question. If it doesn't I'd rather flee to mozilla suite than IE.
Quit whining and start WINEing.
The security advisory doesn't explain it too well, but it seems to imply that this only happens with sites that you've added to your list of sites trusted to install software (in which case it isn't really much of a problem).
Joe Llywelyn Griffith Blakesley
[This post is in the public domain (copyright-free) unless otherwise stated]
With proprietary software it's easier to implement a binary update feature, since you're the only one that gets to compile the source code. However, since Firefox is free software (you know, free as in free speech), everybody can compile it, using perhaps different optimizations (portage comes to mind), so implementing a binary update for Firefox (or any other free software for that matter) is quite difficult.
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
Only works if the site is allowed to install software. Not too likely that is allowed to do that. Still critical, but waaaaay difficult to utilise.
Justin.
You're only jealous cos the little penguins are talking to me.
"Allow web sites to install software"
Now there's something only microsoft would think was OK.
So microsoft programmers must have started working on the Firefox code!
Why did you people let them?
And who the F*ck thought up that brilliant "option"?
You people need to get a clue.
This one is beyond STUPID!
Letting people you don't know program your computer from remote is STUPID enough (javascript and java) but this one takes the cake.
Turn that crap off!
And you idiots that think they know how to make web sites, STOP PUTTING JAVASCRIPT ON YOUR SITES!
Stupid!
So far, Firefox had been free of remote execution vulnerabilities - let alone EXPLOITS using javascript.
A black spot in Firefox's history.
"I'll take firefox over IE's Broken/Incomplete..."
If you prefer Firefox then by all means use it. That is your choice. If you want to persuade others to choose to use it as well, then everyone involved would be better served by a knowledgeable summary of its strengths and weaknesses so that they can make an informed decision of their own.
You are doing a disservice to everyone if you just say it sucks less than IE. I can't speak for the Firefox/Mozilla developers, but personally my goal for an application I develop wouldn't be that it suck less than something else. Nor as an end user would I find the "sucks less" argument all that compelling.
Furthermore, I find comments like, "Interweb-monopoly-lock-in-Explorer", to be quite telling as to the motivation of a persuader. Clearly you have a lot of baggage when it comes to Microsoft and your opinion of MS products is therefore highly suspect.
Not to say that I wouldn't take it on the chin a few times to support a product from an entity that strives to serve a higher cause. However, in the personal computer industry there's really only the big 3: Microsoft, Apple, and Open Source.
Microsoft has indeed clearly demonstrated that their ultimate goal is to amass huge sums of money. Their greatest tool to that end being locking down data with proprietary formats. However, the personal computer end user rarely feels the brunt of their greed as it is generally directed at other huge corporations. I only give Microsoft money when I buy a new Windows OS or a computer with it pre-installed.
Apple is every bit as money hungry as Microsoft. However, their greed is focused squarely on the personal computer end user. They are locked in tighter than Microsoft could ever dream of becoming. Every "innovative technology" they come up with comes at a monetary price to the end user. They do everything they can to lock in proprietary formats and technologies while still being able to compete.
Finally there is Open Source. Most think that being OSS automatically implies a selfless desire to serve humanity. In my experience this has almost never been the actual case. While OSS is monetarily free, almost all OSS begs and nags for donations. Furthermore, and really despite this appeal for donations, they wrap themselves in a cloak of "Hey, I'm doing this in my free time, for free. You have no right to complain about anything. This includes functionality, features, bugs, and development schedule." Often OSS products remain in beta for years while they amass a large user base and then discontinue the OSS product to transition to a proprietary product. Which as a result reduces OSS to a marketing tool. Of course, not all OSS is abandoned for pursuit of a proprietary product, sometimes it's abandoned just because the developers got tired of developing it. Or often times people can't agree and development splinters off into competing products with mixed features and functionality. The end result is that each OSS product has to be evaluated independently and it's extremely difficult to ascertain motivation of the developers and by extension the longevity of the product.
Years ago I wanted to add a forum to my website. After looking at hundreds of competing OSS products I found a very nice one. On the main page the developers said something to the effect that apache is free, php is free, mysql is free, why should a BBS built on all these technologies be hundreds of dollars? I was impressed by this, until years later I went looking for a forum for my website and came across this product which was now proprietary costing hundreds of dollars.
The point being, there are few products that exist solely for the betterment of mankind. Therefore in almost all cases you are supporting not only a product, but the entity that created it and its agenda. With Apple and Microsoft that agenda is shareholder profit, but they are very open about this fact. With OSS the agenda is largely unknown. While for the most part end user satisfaction is neither their primary concern nor in opposition to their agenda.
All you can do as an end user is make an informed decision that best meets your needs.
If this were Microsoft Firefox, I'd give it four to ten years before Microsoft even addressed the problem. Then, the problem would be "fixed", meaning that Microsoft wouldn't repair the code that causes it, but would instead slap another 10,000 lines of buggy code on top of the problem to detect whether each web page accessed is going to do this, and then display a window that asks the user some obscure technical question with a "do you wish to continue? yes/no", to which, of course the user will answer "yes" (without even reading the question) and then it's not Microsoft's fault anymore. And then Norton, Symantec, McAfee, and ten other companies will release software that runs in the background, slows your computer to a crawl, detects the same problem, and puts up a similar warning.
But this is not Microsoft Firefox. And the vulnerability wasn't posted on firefox-security or some obscure mailing list or blog. The vulnerability is posted all over the front page of Slashdot, where a million programmers are going to see it within the next fifteen minutes.
I give it a couple of hours and Firefox 1.0.4 is out.
And that, my friends, is why Firefox is more secure than MSIE. Microsoft. Where do you want to go today?
I recall many times that people here like to say how much more secure open source is. And then others on the other side bring up the theory that Windows has more exploits due to its marketshare. (In other words, why would someone spend time creating or finding an exploit that affects a small number of users?) It seems that this theory is proving to be true as Firefox continues to gain marketshare, it also continues to have security bugs. Note that is probably also because Firefox is getting more complex and with more complex software, you increase the likelihood of bugs.
Yeah, well that's what they said about Earth.
I'm not here now... I'm out KILLING pepperoni
would be a script which downloads and installs a rootkit and/or IRC-controlled spam relay.
There are 42 OSS projects where no one but the other ever bothers to look at the code.
When the patch for Mozilla Firefox 0.10.1 came out, it was about 10 kilobytes in size. It was installable through the XPI install process. Fundamentally, the bug was in the Mozilla user-interface, so the fix was fairly small and easy.
> Why on earth the browser thinks it's necessary to allow
> scripts to create executable files is beyond me.
Why on earth would the browser allow scripts to create any files at all? Is there some legitimate usage for this capability? I would not expect any new files on my computer unless I explicitly download them.
Tip of the day: When submitting a story to /., remember to RUN A SPELLCHECKER FIRST.
"summery" != "summary".
No gods, no demons, and no masters. Secular Humanism!
This is not an integral total "Firefox" exploit. There's a BIG difference. Editors and submitters, this is another Windows exploit. Please just add that one word to any article summaries if it is appropriate. Firefox is not an operating system. If it affects all operating systems that run Firefox, swell, ignore it, but we have way too many "exploits" headlines that only affect "Windows" yet it's not deemed worthy enough to mention. Please, we all aren't running this "Windows" thing, and the headlines get crawled by search engines. It is more fair and more accurate to include the operating system first, then the application, then say "new exploit". It's not that hard to do. "A new 0 day Windows Firefox exploit has been announced"--something like that. The blame/fame/flames need to go to all the appropriate places, in the appropriate order.
Thanks, not a complaint or troll, just a request.
It is spelled summAry not summEry
Summery of the exploit:
In a nutshell, Firefox has the idea that some sites are privileged (namely the sites on the whitelist for installing software), it lets privileged sites have a dangerous degree of control over the user's computer, and it has at least one way for unprivileged sites to execute code in the context of a privileged site.
I hadn't been concerned about this whitelist, because I thought all it allowed you to do was to proceed to the next dialog where you allow an install to take place... and at that point the xpi itself can be loaded and installed. But looking at this exploit it looks like the whitelist is actually at a lower level, and there are other operations that are enabled by the whitelist.
That's a big problem because it's not designed to 'fail closed', which every security mechanism should. Fortunately, if I'm reading the code correctly, the Mozilla people should be able to fix it permanently by deferring the granting of additional rights until after the user has approved the install.
What are the important differences between this and Microsoft Internet Explorer?
There's a bunch of technical differences, but the big one is social.
Because of the particular way that Microsoft Internet Explorer is implemented, they can't back out of the underlying problem without making significant changes to the API of the MS HTML control, which would require modifying every program that used the HTML control and also required ActiveX and Active Scripting. And, perhaps more important in a way, without backing down on the whole issue of desktop/internet integration that they fought the Justice Department to a standstill over.
Firefox doesn't have that problem. It looks like they can defer granting rights based on the whitelist until after the user has positively approved the install, then the situation gets back to the old question of users getting used to security dialogs. This one at least would never be a case of the computer "crying wolf".
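The ordering problem described in the comment above, as an added example that is not part of the original post and not Firefox code: a toy model comparing rights granted on whitelist membership alone with rights deferred until the user approves, where every other outcome denies. The function names and scenarios are assumptions constructed for illustration; only the two whitelisted hosts come from the thread.

```javascript
// Toy model, constructed for illustration; none of these names are Firefox APIs.
// The two hosts are the default install whitelist entries named in the thread.
const INSTALL_WHITELIST = new Set(["update.mozilla.org", "addons.mozilla.org"]);

// Ordering the comment objects to: whitelist membership alone confers rights,
// so script injected into a whitelisted context is privileged before any dialog.
function grantOnWhitelist(ctx) {
  return INSTALL_WHITELIST.has(ctx.origin);
}

// Deferred, fail-closed ordering: the whitelist only decides whether the user
// may be asked at all. Rights exist only after an explicit "yes".
function grantAfterApproval(ctx, promptUser) {
  if (!ctx || typeof ctx.origin !== "string") return false; // malformed request
  if (!INSTALL_WHITELIST.has(ctx.origin)) return false;     // never prompt for unknown hosts
  if (typeof promptUser !== "function") return false;       // no dialog available
  let answer;
  try {
    answer = promptUser(ctx.origin);
  } catch (err) {
    return false;                                           // dialog error means deny
  }
  return answer === true;                                   // only a literal true grants
}

// Constructed scenarios: each pairs a request context with a stand-in dialog.
const SCENARIOS = [
  { name: "injected script, dialog never answered",
    ctx: { origin: "addons.mozilla.org" }, prompt: () => undefined },
  { name: "user approves install",
    ctx: { origin: "addons.mozilla.org" }, prompt: () => true },
  { name: "user cancels install",
    ctx: { origin: "update.mozilla.org" }, prompt: () => false },
  { name: "dialog code throws",
    ctx: { origin: "update.mozilla.org" }, prompt: () => { throw new Error("ui failure"); } },
  { name: "site not on whitelist",
    ctx: { origin: "example.invalid" }, prompt: () => true },
];

// Evaluate both orderings over every scenario so the difference is visible.
function compareOrderings() {
  return SCENARIOS.map((s) => ({
    name: s.name,
    early: grantOnWhitelist(s.ctx),
    deferred: grantAfterApproval(s.ctx, s.prompt),
  }));
}

for (const row of compareOrderings()) {
  console.log(`${row.name}: early=${row.early} deferred=${row.deferred}`);
}
```

The early ordering grants in every whitelisted scenario, including the one where no approval was ever given; the deferred ordering grants only when the user explicitly approves.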
WTF Secunia
All you have to do is ensure trusted sites can be, you know, *trusted*, before you add them.
That said, Google's DNS spoof episode doesn't help in that regard.
Whatever.
Before more people bitch and moan, Binary Patching is going to be available for Firefox 1.1
So issues like these will only be a few kb away as opposed to 4megs (still a lot less than most of IE's updates).
looking at the bottom of that page, "recent exploits", I see:
:-P
"Privilege escalation in BulletProof FTP Server v2.4.0.31"
So I guess even the server that *claims* to be BulletProof isn't. Then again, shoot BulletProof glass a couple of times in the same place, it's actually not so bulletproof either, mindless a good anti-tank missile and I don't care how much bulletproof glass your vehicle has..
The speed of patching. Expect a patch to Firefox very, very quickly.
Expect a patch to MSIE problems in hmm, two months, if ever.
The two sites "update.mozilla.org" and "addons.mozilla.org" are trusted by default, and the exploit only requires these default trusted sites.
The web page first tricks Firefox into installing a trusted extension (vulnerability 1). Then it takes advantage of a vulnerability during the install process (vulnerability 2).
Separately these vulnerabilities are not that worrying, but combine them, and you have a problem.
I'll probably be modded down for this...
What am I supposed to do? I click click click click click and nothing happens. Though I do have a lot more free disk space, yay!
Not a full patch, but the exploit no longer works. Look at the dates in TFA:
Exploit posted 07/05/2005
They noticed the Mozilla fix on 08.05.2005
IE still has multiple unpatched vulnerabilities, like it always does. Firefox gets a vulnerability and patches it the next day. I hate to call "astroturf", but the grandparent post reeks of green plastic.
So, I dare you: try it. Try posting a trojan in an open source project. See if it ever gets accepted. See how fast it gets patched, especially once it becomes known.
In reality, the difference is like night and day -- Firefox patched in 1 day, IE patched never.
Don't thank God, thank a doctor!
Perhaps you should manually download and install a release past beta. If you've been running the same version for "all these months" then you probably don't have a version current enough to include the update code. I've been getting the update notification icon since the 1.0 release, and perhaps even one of the release candidates. I've had the update icon working on Win2000, WinXP, SuSE Linux, and for a short time on a FreeBSD box.
I AM, therefore I THINK!
// Update (08.05.2005) - The Mozilla Foundation patched (partially) this
// issue on the server side by adding random letters and numbers to the
// install function, which will prevent this exploit from working.
It's true no man is an island, but if you take a bunch of dead guys and tie 'em together, they make a good raft.
My whitelist is totally blank. There are NO sites allowed or trusted in my FF. So while that may be ONE possibility of exploitation, it would seem logical that in my case, this whitelist exploit is not the one I'm encountering, at all.
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
Oh well, at least when the next patch (1.04) comes out Mozilla is now on target to claim 100 million copies of FireFox have been downloaded since every patch is actually a re-install of the whole thing :-)
Will this ever be fixed? Why do programmers sometimes look that fucking stupid??
What would a modern Obelix say today? Of course, "Those crazy Americans!".
Obviously "aichpvee" didn't RTFA:
Mozilla is secure by design -- IE isn't
That's supposed to be "UNIX is secure by design -- Windows isn't." Nobody claimed Mozilla had a more secure design than IE.
is that for windows?
Look, this is software. Bugs are par for the course. Let's just patch the fscking thing and get on with our lives.
This sig no verb.
In summary, then, is it fair to say that Firefox is free from drive-by installation to begin with, in general has a more restricted idea of what whitelisted sites can do, and has more design flexibility to eliminate whole classes of problem?
"Aside from the fundamentally critical nature of the exploit, it is however important to note that successful exploitation requires that the site is allowed to install software (the only sites which are allowed these privileges by default are "update.mozilla.org" and "addons.mozilla.org"). ie. you need to have whitelisted the exploit site in order for the exploit to work."
So in other words there is no exploit at all. None whatsoever. It's no more of an exploit than granting a java script installer elevated privileges or accepting a security certification. Both of those require you to acknowledge what you are doing is granting a site elevated privileges to access your local file system.
whoop-te-doo. The only thing newsworthy here is that this pathway to doing this was unintentional. But fortunately the attacker has to be someone you granted install privs to, not just any site you visit.
this is not the security exploit you're looking for. move along.
Some drink at the fountain of knowledge. Others just gargle.
Sure, but these are the countless OSS projects which no one cares to install and run. Look up sourceforge, do you think the nearly 100000 projects there by over a million developers are all being actively used? There's a statistics lesson to be learned here: if an OSS project is good enough to be used by a significant amount of users, it will be thoroughly vetted by a significant amount of super experts.
parent post makes all other posts look stupid.
I remember you, you're an MS astroturfer, recently caught re-using your own material across multiple posts. No, this exploit is not very serious, as only sites that users have allowed to install software can exploit this - so by default only the Mozilla updates site can exploit this.
Welp, I'm safe.
Using Opera, checking Secunia right now. Hmmm, that's interesting. Firefox, extremely critical, 5 out of 16 advisories unpatched. Maybe I should check Opera. Oh, ha, 0 out of 35. Maybe I should stop paying for a browser, obviously Open is the way to go. Thanks for showing me the light. Although, quite honestly, I do like Firefox, just don't use it all that often.
thankfully i'm still using stock 1.0 firefox :)
Science : Proprietary , Knowledge : Open Source
It doesn't check all the time, but periodically. If you have a version different than the English one it won't display the update until your language's version is updated - which may take a while, for Spanish it has taken more than a week sometimes.
MS has always taken a "security through obscurity" approach. They are firm advocates of keeping things closed. They believe it is best to keep things restricted to their in house and other trusted testers. They take public commentary, but only on the end result, the process and the code is shrouded in mystery.
So for them, it's quite consistent to want to sit on a bug until they have a patch. After all, the code isn't open so no one else can fix it, and if it's kept quiet it's much more likely no one can exploit it until a patch is released.
Open source is the exact opposite theory, the many eyes theory. You open the entire code base to the entire world, without restriction. So anyone now, malicious or benevolent, can examine just how your stuff works. You actively encourage others to modify your work and to distribute those modifications to the world. It's all about transparency and access.
So in this case it's rather inconsistent to keep everything hidden from the public. They are saying "there's a problem in the code we gave you, but we aren't going to tell you what it is or where it is." That sounds a lot like the Microsoft/closed source idea to me.
Also it's a particularly valid commentary on /. since they like to periodically run MS bug patch stories. When these run, there are always a ton of people who slam on MS for their security record, and specifically for keeping people in the dark about the bugs until patch day.
However when an OSS patch story breaks, some of these very same people will crow on about how wonderful open source is and how fast the bug got patched because it's open. Often, however, a little investigation reveals that the bug has been known for some time, but the devs put a lid on it while they made a fix, same as MS does.
Now perhaps that's the proper strategy, you keep quiet about a bug until you have a fix, or until there's a demonstrated vulnerability in the wild. Maybe that's the best way to minimize damage. However, if that is the case, you can't hate on MS for doing it while praising Mozilla for the same thing.
Good thing the permission system on GNU/Linux won't allow executables to execute without setting them executable manually. It's not the first time Firefox exploits are reported where only Windows is vulnerable.
:)
It's not the browser, it's the OS stupid
Okay.. I've asked this before (and no doubt will again):
Please explain again why the browser does not run in an isolated chroot environment? (at least for Linux users).
I've done a bit of work to make that happen but didn't quite get there. It needs to be a supported part of the browser install.
It helps to run the browser as a User ID with limited permissions but that is still not as good as chroot as part of the installation design.
1) Don't allow software installs. Period.
Steps:
1) Download xpi whatever.
2) Take the nic down or unplug
3) Re-enable software install
4) Install
5) Disable software install
6) Shut browser down
7) Bring nic back up
8) Launch browser again.
I don't have a whitelist. I only use 2 or 3 extensions.
Not quite. There's two problems:
The vulnerability requires exploiting both flaws. Fixing the second one (the core problem) is probably just a simple check. The first one should also be fixed as well, of course.
then how is it going to take advantage of the default? Or have they found a way of spoofing FF to think it is? Because that is not clear from TFA.
...and I posted on the official forum asking if the requirement was a result of the developers being incompetent, or malicious.
Naturally, the result was quite a bit of flaming for my rather inflammatory opening question, so I rephrased my question asking why EA would do such a thing and oddly, every person who responded suggested that it could only be malice or incompetence.
The Sims 2 has since been given an update that allows non-Admins to run the game.
No game software should require admin rights. If a CD check scam requires it, then get a noCD crack. If the developers have written totally unnecessary checks to require Admin rights before running the game (Thief 3 deletes system files when non-admins run it, yet making the system files read-only to non-admins makes the game run flawlessly), then find some way to circumvent. If you can't circumvent, tell the developers that you cannot in good faith trust their software to run on your computer because their asinine requirement is an indication that they are either malicious, and so you can't trust any code that they write on your computer, or they are incompetent, and so you can't trust any code that they write on your computer.
STOP MISUSING APOSTROPHES, YOU MORONS!!!
I'm not aware that the Mozilla Foundation has held back any code. Isn't it all there? Bugs and all? And doesn't that fall in line with the Open Source model?
Don't get me wrong - I'm not supporting the Mozilla Foundation's behavior here. I personally don't agree with hiding bug reports. And if one wants to make it a point of whether they are doing the right thing or not - fine. But that wasn't the point.
The point was a comparison of Microsoft to the Mozilla Foundation as models of proprietary and Open Source models. The fact is that IE's code is available under a very different set of rules than Mozilla's code. This is where Closed Source vs. Open Source comes in. No matter how secretive the Mozilla Foundation wants to be with their bug database, mailing list, or party invitations... the code is still there; available to all.
Whether the Mozilla Foundation should be more open with their bug database is an issue of disclosure. After all, Microsoft could become supporters of Full Disclosure while still maintaining proprietary code.
I'm just saying there's an inconsistency of ideals here. MS withholds code and monitors its access strictly. Thus finding that they do that with bugs is not surprising. Mozilla gives out its code freely, but seems to be doing the same thing as MS with bugs. That's odd, given the code disclosure.
The real point I was trying to make is don't hate on MS when they conceal code and then love Mozilla for the same thing.
Fair enough. But make sure the hypocrisy really exists before you call it out.
First, don't confuse the issues. You did so as soon as you mentioned "Open Source". This is, if anything, about the policies of Microsoft and the Mozilla Foundation (though I'm all for the question of whether Mozilla Foundation is following the spirit of Open Source or not).
Secondly, compare apples to apples. Do a bit of legwork and see if it's actually the same individuals championing Full Disclosure or some other disclosure policy depending on the developer. If this is the case (and it might be - I haven't looked myself), then you've got a point. Otherwise, you're simply observing that Slashdot is made up of differing opinions.
Ug! I hate IE. Worst Browser on earth. Mozilla is waaay better.
All Your Base Are Belong To Us!!! chown -r us
The exploit was only possible because of an xpi extension hosted on the Mozilla web site (the only default site allowed to install extensions). It has already been patched on the server side, no 5MB setup needed!
More annoyingly, in Windows XP, Windows Update will always try to have you run the "Express Install" where it doesn't disclose which updates it plans to install. And if that weren't enough, despite me having repeatedly clicked the "Do not send this update again," it's still trying to get me to install SP2. Bleh...
This sig has absolutely no significance and serves only to take up screen space and waste the time of the reader.