2 Firefox Security Flaws Lead to Exploit Potential
Marthisdil points out a News.com story which reports that "Two vulnerabilities in the popular Firefox browser have been rated "extremely critical" because exploit code is now available to take advantage of them." Security firm Secunia reported the vulnerabilities (and the "extremely critical" rating is theirs), but the News.com story points out that thus far, "no known cases have yet emerged where an attacker took advantage of the public exploit code." Update: 05/09 20:20 GMT by T : Rebron of the Mozilla Foundation sends a correction; this is really the same flaw reported yesterday. He suggests that you glance at the Mozilla security alert on this hole (as well as other alerts at the Mozilla Security Center), and says "The Mozilla Foundation has made changes to our update servers that will protect users from this arbitrary code execution exploit."
I smell scandal, it was Bill Gates who wrote the code and you know it. It's like the SetErrors flag in Windows (Fp maybe?)
i dont mean to be trolling/flamebait, but please
:/
mod me accordingly if i am.
do we really need to see it posted here, every time
a firefox sploit is found?
gettin me all excited for nothing
http://it.slashdot.org/article.pl?sid=05/05/08/135217&tid=154&tid=172
Exploits rise with popularity. Watch out desktop linux.
Seriously this Is getting repetitive. There are always flaws. Just update your browser and hope it doesn't become the next iexplore.
I JUST got through explaining to my parents why Firefox is a safer alternative.
Sigs are for Terrorists.
Come on, timothy. This is hardly the time to be downplaying the severity, even though we all like Firefox. There are undoubtedly people using the posted code, and they wouldn't be likely to tell News.com about it. Everyone should upgrade immediately.
Before everyone freaks out, take a look at the bug notes to get the details.
Exploitation requires the javascript bug AND a whitelisted site. The only default whitelisted site is the update.mozilla.org, and they have made changes to mitigate the problem on their end.
So unless you've whitelisted a lot of extra sites to install themes or extensions, this is not a huge risk. To be sure, disable install "Allow websites to install software" under options | web features, and if really worried, disable javascript.
Dupe
will be claimed in the topic of the zealotry propaganda news media 'friendly' to Microsoft, in the next few days, beware!
Won't someone end this duplicity?!?
I'll turn into a supernova and burn up everything. Well I'll turn into a black little hole and you'll turn into string.
dupe?
The news here is that news.com is running a sensationalist story, that doesn't provide anything new, but is always good for page hits.
Again:
This is not a Dupe!!!11!!!11
Dupe or Yet Another FireFox Flaw ? Nah, easy to guess on Slashdot...
I have discovered a truly marvelous proof of killer sig, which this margin is too narrow to contain.
Mozilla and Firefox have been recommended as alternatives to IE for security reasons. Yet, lately, it seems that there's quite a lot of security problems being uncovered in Firefox. So I'm trying to figure out how to read this.
I suspect that Firefox is somewhat more secure on the simple basis that it is not as tightly integrated with the rest of the operating system as IE is. What makes IE exploits so nasty is that they tend to become email and other exploits too.
My concern is that if Firefox gains some more ground and does become a more active target for exploits, that it may become a poster child Microsoft can use to point out that open source software's "many eyes" theory is hogwash. Maybe it is hogwash.
This sig has been temporarily disconnected or is no longer in service
Perhaps there has been no rush to exploit it due to the fact that with 10% market share, it would not affect a wide enough user base?
-dave
http://millionnumbers.com/ - own the number of your dreams
When was this vulnerability first introduced? How long did/has it gone unpatched? Inquiring minds want to know.
"Ask not what your country can do for you." --John F. Kennedy
What Firefox (and the rest of the suite) needs is a good way to upgrade the software, without installing everything as a new user would... This is something they really should fix...
Not yet. Been looking for an opening. Thanks for the tip!
{code code code}
Vroomm..Vrooom...
"But...IE...Disable Javascript....NOT FAIR!!"
It's up to MoFo to fix their software as soon as vulnerabilities are reported now. The play time is over, from now on it's going to be Browser Wars II: The Security Menace.
Bored? Browse Slashdot with a +6 modifier for Troll comme
-dee-fucking-dupe!@#!!$%!@#$±!@±!±±!!!
"no known cases have yet emerged where an attacker took advantage of the public exploit code."
I appreciate this clarification. And I'm sure such a clarification will be included in the next IE bug report posted on Slashdot... Right?
PDHoss
======================================
Writers get in shape by pumping irony.
Well I'm glad I'm using my parents' PowerBook with Safari atm. But when I get back home, maybe I should try and figure out a way to get Notepad to browse the net, it seems the only safe Windows alternative.
Black Sky
2D Elite Inspired Game
You just missed it the first 3 times.
If this is the riskiest bug coming out of FireFox right now, I think I'm going to consider myself lucky. Microsoft's browser had at least one far greater bug to its IFRAME setup, on top of the countless other horrifying bugs running around.
Like others have said before, however, this is only the beginning for FireFox. As it gets more and more popular, more and more of these nasty bugs are going to appear and (hopefully not) be exploited. Won't stop me from enjoying FireFox, though, and it shouldn't stop anyone else either.
Whoa. So you mean the number of "extremely critical" holes discovered in a program varies in accordance with the number of users of the program? I never would have guessed... Gosh, you don't think that maybe IE's code really isn't worse than other browsers' after all, do you?
You have tried to support your argument with faulty reasoning! Go directly to jail; do not pass Go, do not collect $200!
MS always claimed that Moz was less vulnerable to hacks and exploits due to the fact that less people were using it -- it had not yet reached critical mass. Seems that's changing....
It's bad, but maybe it signifies something good?
So combine this with a poisoned DNS attack. update.mozilla.org resolves as your malware server, then you use this exploit.
Sure, it makes it a little harder to execute than, say, something like Nimda that could run free across the internet, but it's still a valid security issue.
Tried the proof-of-concept and it did not work, any idea why? User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.7.7) Gecko/20050414 Firefox/1.0.3.
If anything, news.com are, ehm, playing it up.
And just for your information, there is right now nothing to upgrade to, as a new firefox version which fixes the bug is expected shortly, but is not here yet.
However, if you really want to be on the safe side, just open preferences and disable "Allow web sites to install software" under web features.
Please allow the current battle of the IE/Firefox flamewars to commence.
Well, lets be fair.
Sadly, the Linux version of Firefox cannot be updated automatically despite the apparent need for daily updates. It seems interesting that with all the extensions that have been developed for Firefox, no one came up with a way to automate the Firefox updates on Linux.
But, don't fret. I understand that an MP3 playing extension will be released later today!
Anyone know of a Firefox distribution that can be executed (and consequently updated just once) from a network drive or thumb drive?
:(
I ask because I have a lot of extensions on each of my Firefox installations. I have Firefox on my desktop at work, my laptop, my home computer, my wife's computer, etc etc
updating one computer (and then going into safe mode to find the extension that freaked out) is not that bad. But updating 5 or 10 computers can be a pain in the butt. Can I run ONE Firefox from *someplace* on the internet that has all my extensions/addons/updates?
only thing I can think of is using Remote Desktop, but then that's not what I really want to do
I'm a Mozilla user. I don't use Firefox. I'm guessing that Mozilla is affected by this as well, but every time a security flaw is found, only Firefox is mentioned.
n/t
I believe there should be a minimum intelligence needed to use the internet, mainly being able to update things every now and then, often by simply clicking a 'next' button a couple of times (and I have yet to meet someone who, when properly instructed, fails this), so people should keep up to date without needing headlines reminding them that they should try to keep up to date. Bug reports should be limited to bug reports, and not invading our news sites.
It was bound to happen..., . However (pause), if I get even a whiff of a malicious attack!!! //Regresses; Where the hell are
my crit die!? Gimmie my +3 vorpal!// Ah, but those
were the days when pencil, grid paper and an imagination made all of this meaningless.
No bug here...
Jesus H. Christ on a Hot Cross Bun, man, what does it take for you to consider something a problem? Does it have to burn your house down before you accept that yes, this is indeed a serious issue?
there's more than one way to do me.
Mind you, they don't get laid, either.
Look at all the eyes looking at the source
THE EYES-s-s-ss!!
Every downloader is a potential developer!
Every downloader is a potential developer!
Every downloader is a potential developer!
My god you people aren't living up to the F/OSS contract!
Moderators, delete this article, the author is an enemy of open source software, and probably works for M$cro$oft$$$ (M$FT) spreading FUD (Fear Uncertainty and Doubt)
we the open source community must fight against these people
because if we don't THEY will win!
This is old, old old news. I knew about this 2 nights ago, even had the exploit code, thanks to BugTraq mailing list.
Could we get a new icon for Firefox and dump the Mozilla icon?
.. two unpatched security holes (code named timothy and CmdrTaco) in Slashdot allowing posting of dupes were disclosed.
From a news report:
Because the foundation controls all sites in the default software installation white list, it has been able to take preventative action by placing more checks in the server-side Mozilla Update code and moving the update site to another domain.
The foundation said users who have not added any additional sites to their software installation white list are no longer at risk.
So one down, the other to be fixed shortly.
Meanwhile I got a notice this morning that tomorrow's Microsoft security patch will fix one major flaw, but leave others unpatched UNTIL NEXT MONTH.
So much for "days of unpatched vulnerability" supposedly favoring Microsoft.
Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
Welcome to Slashdot, you must be new here.
I'm really glad I copied Firefox off a friend now. I'm sitting here laughing at all you fools who paid for your copies. You should know the right people, like I do.
..cause no one uses it
"no known cases have yet emerged where an attacker took advantage of the public exploit code."
Interesting. I have to wonder if because so many people want to see Firefox take off, they have a tendency to leave the exploits alone. After all, the people who take advantage of the exploits are more-than-likely techie people and know that if Firefox had bad press about exploits, and people taking advantage of them, Firefox would take a nose dive. Eh.. just a thought.
Am I the only one waiting for a report from Laura Didio on how Internet Explorer is far more secure than Firefox and citing these vulnerabilities as proof? What about the rest of the Microsoft apologist doomsayers?
Yes people, they are serious vulnerabilities. Yes, they should be patched and dealt with. And yes, they will be dealt with far sooner than "Patch Tuesday". The sky isn't falling.
It seems interesting that with all the extensions that have been developed for Firefox, no one came up with a way to automate the Firefox updates on Linux.
emerge firefox
apt-get firefox
rpm -U firefox-i586.rpm
etc.
These always seem to work fine for me.
Seriously this Is getting repetitive. There are always flaws. Just update your browser and hope it doesn't become the next iexplore.
Seriously, this is getting repetitive. There are always flaws. Just run Windows Update and hope there's a patch for Internet Explorer.
Ye not worthy (squee-dum squee-dum squee-dum)
"no known cases have yet emerged where an attacker took advantage of the public exploit code."
it's so lame that this line gets trotted out whenever theres a new exploit, to set people's minds at ease. it's meaningless. it's just as true to say "no known cases have yet emerged where an attacker failed when using the exploit code."
"Is this just useless, or is it expensive as well?"
On behalf of the IE programming team, let me be the first to say "Neener neener neener!"
Online Starcraft RPG? At
Dietary fiber is like asynchronous IO-- Non-blocking!
I am not going to visit some site every so often, nor is my grandmother, just to check whether there might be any new vulnerabilities in Firefox or Thunderbird. There is not even a critical alerts mailing list! However, both my grandmother and I can set up automatic updates so Internet Explorer remains secure, so I know which one I am going for...
we see more security flaws in Firefox. No surprise.. this is exactly what I've been arguing for years with Microsoft's security (not to say that MS has a great record.. but just to say that just because something hasn't been exploited as much doesn't make it "more secure").
I am the maverick of Slashdot
On Saturday, the Mozilla Update team, plus some Mozilla devs, took steps which prevented all published exploits we'd found from working. On Sunday, Mozilla Update was moved to an untrusted URL; as a result, users who have not added other sites to their whitelist should now be safe from the remote code execution attack.
My server
Gentoo, Red Hat, SuSE, Mandrake and Debian do NOT usually provide packages on the same day that upstream developers release updates. Mozilla themselves only provide a tar.gz for Linux which is incompatible with the package managers.
Firefox for Windows has an update button and can be configured for automatic updates, directly from mozilla.org. It is inexcusable that the Linux version doesn't have the same functionality and pathetic that you attempt to make apologies.
When there are not 'many eyes'. Just because a project is OSS does not mean that 'many eyes' are actively looking at it. Most OSS projects are one person, some are a handful, a very few are a dozen, and the exceptional ones are several dozen.
We know about the issue of FireFox lacking reviewers already: http://steelgryphon.com/blog/index.php?p=37
We geeks really need to stop being swayed by ideology or anti-establishment 'cool' and try thinking for ourselves for a change.
There is no 'silver bullet' and that includes OSS.
Tools/Options/Web Features/"Allow web sites to install software" - uncheck it. I don't know why this isn't unchecked by default.
It takes just a moment and an action to destroy. It takes some time and thought to create.
Sure, MoFo can get out patches quicker and take other actions quicker because they don't have to pass through tons of quality control....but the point is that the everyday user doesn't update it.
If Firefox is going to win in the Browser Security Wars, they need to make the "critical update" thingy from the toolbar pop up, raise hell, close the browser, have someone check a disclaimer to skip it, etc. It needs to be ABSOLUTELY clear to the user that ignoring a critical update is a Bad Thing(tm).
They also need to release PATCHES against the official builds, not full installs. Full installs take a while to download and take a while to install. A patch is small, is quickly applied, and the browser just restarts. Leave the full installs for newbies, milestones or for when a patch fails.
The javascript privilege escalation exploit is quite a biggy so in the interest of creating awareness it isn't a bad thing. The real shameful thing about this is it is pretty much a dupe, giving little or no more information than the first submission..
News of malicious use of the exploit in the wild may have been worthy, but if anything it says the risk is now lower.
*shakes head and wanders off*
patch
sorry, it was just so easy
Help me take back Slashdot. When did 'News for Nerds' become 'FUD and Conspiracy Theories for Extremist Nutjobs'?
Another post mentions that someone is claiming an 0-day exploit in the wild for these issues.
:)
From BT:
Firefox Remote Compromise Technical Details
Before I start, I need to say that this thing has been patched on Mozilla's server. If you take a look at any of the extension install pages on their site, you will see that the install function has a bunch of random letters and numbers after it. Even though this would probably be an easy thing to bypass, I am not going to attempt it because of the uselessness of such a bypass. A patch is already in development and so any more work going into fine-tuning this exploit would be a waste of time.
There are three core vulnerabilities being used in my example. A friend of mine (Michael Krax, http://www.mikx.de/) helped me with the research.
To understand why the example works, one must understand the basics of how Firefox works. Everything you see in firefox is essentially a webpage being rendered by a compiler. This is what the gui is made of, and this is why firefox is so easy to customize. However, it also allows for some security bugs. If one could get one of the chrome pages to request a javascript:[script] url, that individual would be given complete access to the system because chrome urls are given full rights in firefox. My example works by tricking the addon install function into displaying an icon with a javascript url.
However, this would not be enough to compromise the system. By default, the install feature only works when called from a page within update.mozilla.org or addon.mozilla.org. Therefore, another (cross site scripting) vulnerability had to be found to call the install feature from mozilla.org. This vulnerability navigates to a javascript page and displays a link (pointing to a mozilla.org page) within a frame that follows the user's cursor. After the user clicks, the link is navigated to, which fires the onload event. This is a buggy event in Firefox because with it we can now access certain parts of the window object that we shouldn't, such as the history object. After the page loads, we use the history object to navigate backwards to the javascript page. The javascript is executed again, now from update.mozilla.org because when we navigated backwards, we essentially navigated to a javascript:[script] page. Now we call the install addon feature, which displays a dialog with details of the requested addon, including an image with a specified image. This image points to a javascript:[script] url, which gets executed in the context of chrome. Now we have compromised the system
Whew, that was quite a mouthful.
I am still trying to gather all the details as to how my research was leaked, but recent conversations are leading me to believe that it was a misplacement of trust, not a server compromise. However, I do not want to jump to conclusions too quickly, as this will only lead to more problems. That's all I will say about that subject, as I don't want to offend anybody.
Also, I would like to let everyone know that this is not the only vulnerability that Mikx and I have found. We still have a couple of tricks up our sleeves, and you can be sure that we will not make the same mistake twice.
If you want to see the original PoC, here is the url:
http://greyhatsecurity.org/vulntests/ffrc.htm
Paul
Greyhats Security
http://greyhatsecurity.org/
You are safe (for now) from GNAA last measure with this: http://flashblock.mozdev.org/
What a load of BS! In this house we have Mozilla, IE, Firefox, Safari + other small system browsers!
Gak! What a terrible comment.
As long as the web is based on standards anyone can build a browser. It's just like cars running on the highway. The interstate is a standard, the back roads are built to different standards governed by state and local laws. There are some single tracks on private land that don't conform to anything. Drive there at your own risk... Drive a browser that will take you where you want to go. FireFox is my preferred choice! It's fast, it renders the pages I want to see, and it's got a nice interface (tabs I love).
Lastly open source is like any software development, it's a "process". It is done by humans and if you're lucky it's peer reviewed. Having it in the open means more people can see the flaws. Is this good or bad? Since the bugs get found and fixed faster I would have to say it's better. I know of a lot of closed source programs that have bugs and I know that they will never get fixed. Why? Cause the people who know where the bugs are do not work for the company any more, or the company no longer exists, or the company won't allocate the resources cause there is no money in it!
Ask Bill Gates if he would use a computer he didn't have the source code for!
This exploit is severe enough to really worry about. I can't believe so many people are saying 'oh, no big deal, no worms are bothering to try to use this, so there's no problem'.
The problem is akin to the exploits with:
https://phish.site/https://your.bank.access/ being displayed as simply 'your.bank.access', except worse, as an automated whitelist failed its job before even having to fool a person, leaving the default install wide open for a time.
It is good to see the rapid response on the server, and I look forward to more robust, thorough update handling code, but the architecture is badly broken when you can hook malicious local-run code onto a widely accepted legit install package url. To be clear to folks: The whitelist *does not* protect against this, as so many have claimed, no one would be bitching if that were the case, the problem is that an attacker need only know a legit xpi url for the browser, and can use that to piggyback malicious code.
The only default-whitelisted sites now employ some random url generation to make it a moving target, so it is now much more difficult to exploit, but still needs patching badly...
XML is like violence. If it doesn't solve the problem, use more.
Now, here's a question. From my knowledge, Opera doesn't have any similar "features", so in the long run, it's better off. However, I might very well be missing something there. Does anyone knows of an article which would compare browsers based on their security record, and potential design flaws (such as ActiveX or XUL) allowing for more attack vectors? Or at least some data to begin with?
Ford! Chevy! Ford! Chevy! Ford! Chevy! FORD! CHEVY! DODGE!
s/Ford/Firefox/
s/Chevy/IE/
s/Dodge/whatever_dumb_browser_u_want/
Come on.
System.out.println("Hello World! I've just been haxxored!!");
I don't mind when exploit articles get posted. I just mind they seem to get posted with the intent to start a flamewar.....
From what I have been able to find, this exploit affects Firefox ONLY, not the Mozilla Suite (Seamonkey?).
Anything is possible given time and money.
Why not try this? http://news.google.com/?ned=us&topic=t
It actually covers many of the headlines seen recently on Slashdot, but without the dupes, and generally without the bias.
I mean people say MSIE/Windows are more exploited because they are more "popular". I think that the rapid adoption, and soaring popularity, of Firefox is grabbing the attention of people who used to target IE exclusively.
I could be completely wrong of course.
C17H21NO4
How come it's OK to yank the CherryOS story off the front page because some editor went "oops a dupe" ...
but it's not OK to take down or bury this flat out wrong stuff?
I wouldn't worry about promptly reported and fixed Firefox exploits.
-- Tigger warning: This post may contain tiggers! --
A serious exploit flaw has been found. So severe is the flaw that it spans all hardware and all software. It matters not if your computer is patched or unpatched. This exploit flaw is so serious that any computer that emits power from its power supply is vulnerable. The only security fix to this devastating exploit flaw involves pulling the power plug from the computer.
......Seriously though, there has always been a direct correlation between usability and security. Any time features are added to a piece of software to make it more usable, it becomes more vulnerable and open to flaws that can be exploited. Firefox may have started out as a stripped down, no nonsense browser, but with its popularity rising, feature creep sets in and inherent flaws will be discovered and exploited.
The only way to make it 100% secure is to make sure nothing can be done to the system, and that's powered off with no automated way of powering on (i.e. it's unplugged). Once we accept that it MUST be plugged in to be usable, we need to accept the possibility of exploits. Given that, however, we can't accept defeatism, and must strive to fix it.
The typical rhetoric of "There see? product y is just as insecure as product x", and "Well at least the exploit count is 2, not 50!", only serves to distract us from the real goal of getting better and MORE secure software. Like the saying goes, "SHIT HAPPENS". Let's just learn from it and move on.
Security through obscurity is theoretically plausible, but not very practical. What may be firefox's saving grace is that it's open source and is not held as proprietary IP, controlled by a corporation out for profit, thus the evolution of the product is driven by its need to simply be better.
Perhaps microsoft will see these flaws as proof that open source doesn't work and will lower their own standards, making IE7 less secure or shipping earlier with less stability, or maybe they will take this opportunity to make IE7 that much better in the hopes of regaining popularity and claiming vindication. As long as firefox advances and closes those holes, we still have one extra viable choice. This would only result in a fundamentally more secure web surfing experience.
I don't run Firefox because I find it inferior to IE in rendering pages as they were intended (yes, we live in an IE world, deal with it).
Actually that is incorrect "technically" speaking. Generally, Firefox is significantly better at rendering pages as they are intended as it complies much better with the CSS standard than IE. The results might not look like what the designer intended, but it is much closer to what the code says it should do.
Anyways, why do we have to live with being in an IE world...just because IE is dominant? That's kind of foolish given that IE development has been stagnant for years, has fundamental design flaws and inconsistently implements CSS. As a result, website code is far less maintainable and secure than it could be. If all web browsers followed web standards and good design practices we would have just a small fraction of the problems we have today.
Looking at it another way: Linux is inferior at games compared to Windows, and "we live in a Windows world" so should we just give up on Linux, sit back and deal with a virus infested, poorly architected system like Windows?
If open source and freedom are so valued, why are the bugzilla entries private and hidden?
I'm surprised (or maybe I missed something). Why is noone asking the real questions here?
Sure, Firefox had two security flaws. Okay. HOW were those vulnerabilities found? Were they found because Firefox is an open-source program, and has the 'many eyes' advantage? Were the people who found them going through the code, evaluating and auditing it function-by-function in search of flaws?
Or were they testing against it in the traditional way, the way IE vulnerabilities were found? Or maybe a combination of the two?
The article doesn't say, but I believe this is more important to know than the current count on a Firefox/IE vulnerability pissing match. It's the best example (or counter-example) of open-source security in action that we have. If anyone can supply this information, I (and others, perhaps) will be most grateful.
Because I don't really like the new versions and was hoping I'd be safe due to obsolescence.
You can also delete all the trusted sites from the sites list as well.
You offer up snide remarks while not checking the facts. Typical apologist bullshit.
At the time of this posting, Fedora Core 3's latest release of Firefox is dated April 19, 2005 and the latest update for SuSE 9.3 is dated April 14, 2005. That's a few updates short of a safe browser! Linux automatic updates is of no help here.
For that matter, Wise Ass, Windows also has automatic updates yet, the Mozilla crew still felt it appropriate to include both an update button and an automatic update feature for the Firefox application.
I can't be bothered to check all the other distros out there, suffice it to say that, two of the arguably most used distros are now way out of date and the only way to update them to a safe version of Firefox is to do a manual install and break the distributions packaging system.
The fact is that Firefox' support for Linux SUCKS compared to its support for Windows!
If you are still using the preview release 1.0, then it tells you there are no updates to be installed... guess you're safe there...hmmmm
--"They say time is the fire in which we burn"
Likewise, fellow Gentoo user.
Get a room!!! You're just being disgusting!
Why does this rubbish still keep getting modded up?
Did you nitwits notice that this crap automatic update "feature" is the cause of the exploit we're talking about here? I sure as hell don't want any more attack vectors. And I don't want my users to have the ability to update system software. Period.
What people need to do is learn how to download and install a little 5MB software package. No.. wait, people already know how to do that when the software package is Bonzai Buddy or some other crap spyware. But if it's an essential, free program with a better security track record than commercially available ones, all the modem users know how to do is bitch and moan.
What people need to do is suck it up and stop bitching.
"I assumed blithely that there were no elves out there in the darkness"
Can you imagine what would happen if bugs in proprietary software (I'm thinking of Windows or IE) were considered "extremely critical" as soon as an exploit was solidified in code? I mean, if "extremely critical" corresponds to "it is *possible* to exploit this bug" then what is the term to describe a bug which in fact is wreaking havoc on worldwide information infrastructure (as many Windows bugs)?
oh noes!!!!!111111oneone
I do not think this means what you think it means.
According to the Mozilla website you can disable JavaScript for the time being. Just for you lazy folks out there that didn't search around enough :P
There's too much media hype out there, even in tech news.
Good; it's a useful statement.
See, the difference is that any would-be programmer can pick up the Mozilla source code and pore over it. It's perfectly reasonable to imagine someone spotting a logic error, realizing it's important, and publishing a vulnerability report.
On the other hand, the only way to find an IE error is to directly attack it (unless you live in a particular Ivory Tower). Ergo, IE vulnerabilities are very likely to have exploits if they were initially discovered by anyone but Microsoft themselves.
Dewey, what part of this looks like authorities should be involved?
I know "preacting" is better than reacting, but has anyone in the public been with these exploits? How about in comparison to IE?
For our favorite firefox these are merely teething aches; the sooner the better.
"the popular Firefox browser"
It's about time the news is reporting it as popular. That IS newsworthy.
I have never experienced a problem with IE. Did not get adware installed. I switched because I wanted some of the features. Namely Tabs, and Web Developer. If it were not for those, well I do not think I would care enough.
Stupid, stupid, stupid! It's pure logic. Microsoft suffers open source. Microsoft has had years to add the level of security that GNU/Linux and others actually enjoy. Why do you think they haven't yet implemented the default security measures found with modern Open Software? The fact is, almost everyone I know using Windows is "ate up" with viruses, trojans, worms and malware and their time is severely monopolized because of it. Else, they're REALLY screwed and perhaps don't know it. Sadly, most are running to the store to buy more Microsoft. Microsoft says they are really working on new ways to fight this. :P
If you simply put in a freely downloadable mepis CD (www.mepis.com), set your monitor and do the easiest of all installers, you will not have a need to spend the time REQUIRED otherwise to constantly maintain Windows.
Now comes a leak for a potential "hole" that is already now halted and patch almost done and all I hear is Microsoft propaganda. The darn problem is simply an example of imperfect code. Did you think any code was perfect? Do you think that means Firefox is the same? Where's your logic?
What's worse is the misinformed, ignorant or downright evil implication that this proves Firefox as vulnerable as IE. More illogical is the GUESS that Firefox will be as bad soon. Please! Wake the hell up! You people really need to get your head on straight, or do you have a fiduciary motive?
If you don't yet understand Open Software and how you don't have to pay a dime, then you don't have to. It works. It's now newer, better and faster.
Then there's the logic, Open (whatever) is "only" a small (but growing fast) user base BUT also it's popular. Pick one please! At their best, the logic states it is both! More users run Windows AND now Open Software is WIDELY used by many, many people.
Thus, I submit the Open source CURRENT REALITY is excellence with security (and much more) even in light of its underdog position, critics, enemies and propaganda (FUD) on numerous systems. Far more than enough to see the "percent" secure makes Windows suspect.
It's not, "Look how the mighty Firefox has fallen". Anyone experienced can see Firefox is far better; news reporting tone accepted. It's, why the hell does Microsoft continue with their insecure vulnerabilities. It's been years of real world ACTUAL exploits! Not just bug hunting. Which at its worst, is the Firefox reality.
Sooner or later you will realize that Microsoft's goals are now fundamentally opposed to yours, the user's, and they will not change.
Open Software is ready when you are, it's compatible and the only difference in your chosen user interface are the improvements you pick.
Think better, think open.
WTF this comment is insightful?? If anything, it should be troll/flamebait.
Which one of you marked it as insightful?
Bloody assholes.
...Firefox will be hacked more and more now. Mozilla is getting some serious momentum and that will make them a big target. Maybe bigger than IE with time. I hope that they respond quickly to bugs and flaws to keep it secure.
After all, that is why the majority of people are using Firefox.
Just curious, because apparently Google does evil and prevents MSIE from remembering them...
If Google really cared they would fix Android Chrome to reflow text, instead of discriminating
If I should worry about Firefox on Linux let me know but until then would the editors please label these kind of things as non-critical because it affects Windoze users who have learned to accept this kind of thing and do nothing :)
http://it.slashdot.org/article.pl?sid=05/05/08/1429219&tid=220&tid=218
Smells like bullshit (possibly just bad wording from the anti-virus company). Mozilla wouldn't run a java applet that requires special privileges (and doing anything to your disk requires privileges) without asking first -- actually, the Java runtime wouldn't. If you really found a threat you'd be asked to trust the applet first, with several warnings in a dialog box.
Just like this past notice.
This one.
So what you're saying is that Apple users can't use Firefox now, because it's potentially unsafe. We can't use Safari either, because of the recent bugs announced. Um, Explorer 5.5? No, that's got bugs that are years old. So what do we do? Konqueror?
Work like no one is watching. Dance like you've never been hurt. Make love like you don't need the money.
All real-world software has bugs. That a project as massive as Firefox has security bugs, even "extremely critical" ones, is not exactly a shocker. However, if you compare the frequency of security bugs in Firefox 1.0 with the frequency of security bugs in, say, Internet Explorer 4.0 or Netscape Navigator 4.0 (products with a similar code maturity as measured by invested developer-hours), Firefox still comes out smelling like roses.
For IE users just a few short years ago, there was new remote code execution bug in IE on about a monthly basis. Now that IE's had a lot of time to mature and there's no new development for it, the security bugs have mostly settled down since all the low-hanging fruit has been picked.
Firefox, OTOH, has recently gotten popular enough that it's solidly entered the blackhat limelight. Naturally, this means that the blackhats are searching for low-hanging fruit. I actually find it rather assuring that, despite having fully public source code, it took a good 4 months before the first serious bug, and another month for the first pair of bugs that relate to the browser's actual security architecture.
Personally, I think that (a) writing the browser in XUL/Javascript was a security mistake on the level of IE's Zones, and that (b) whoever invented javascript: URLs should be drawn and quartered. However, what's done is done, and overall I still think that Firefox is on a more solid security footing than IE, especially thanks to the absence of an ActiveX-like auto-installing plugin architecture. I strongly doubt that the current pace of 1 major bug per month will hold true 6 months down the road, much less into the future beyond that. Because Firefox shares so much code with the Mozilla Suite, a lot of that buggy immaturity was stomped out during the Mozilla M18 through 0.9.x beta testing, about 4-5 years ago. I can't see any major shakeups happening with all that testing under Firefox's belt.
Range Voting: preference intensity matters