2 Firefox Security Flaws Lead to Exploit Potential
Marthisdil points out a News.com story which reports that "Two vulnerabilities in the popular Firefox browser have been rated "extremely critical" because exploit code is now available to take advantage of them." Security firm Secunia reported the vulnerabilities (and the "extremely critical" rating is theirs), but the News.com story points out that thus far, "no known cases have yet emerged where an attacker took advantage of the public exploit code." Update: 05/09 20:20 GMT by T : Rebron of the Mozilla Foundation sends a correction; this is really the same flaw reported yesterday. He suggests that you glance at the Mozilla security alert on this hole (as well as other alerts at the Mozilla Security Center), and says "The Mozilla Foundation has made changes to our update servers that will protect users from this arbitrary code execution exploit."
We hear about it every time IE has an exploit - and most people flame MS like it hasn't already gone out of style. Why should Mozilla be immune to such treatment?
-dave
http://millionnumbers.com/ - own the number of your dreams
Anyone know of a Firefox distribution that can be executed (and consequently updated just once) from a network drive or thumb drive?
:(
I ask because I have a lot of extensions on each of my Firefox installations. I have Firefox on my desktop at work, my laptop, my home computer, my wife's computer, etc etc
Updating one computer (and then going into safe mode to find the extension that freaked out) is not that bad. But updating 5 or 10 computers can be a pain in the butt. Can I run ONE Firefox from *someplace* on the internet that has all my extensions/addons/updates?
only thing I can think of is using Remote Desktop, but then that's not what I really want to do
I'm a Mozilla user. I don't use Firefox. I'm guessing that Mozilla is affected by this as well, but every time a security flaw is found, only Firefox is mentioned.
it may become a poster child Microsoft can use to point out that open source software's "many eyes" theory is hogwash. Maybe it is hogwash.
I don't run Firefox because I find it inferior to IE in rendering pages as they were intended (yes, we live in an IE world, deal with it).
As far as "many eyes" being hogwash, I can't agree. Even though these exploits were found recently, work has been done to make sure that the exploits are closed quickly. Some of MSFT's holes were left open for MONTHS before anything was done (and that included half-assed workarounds to stop the problems).
While Firefox may not be the best browser for me and it might not be as "safe/secure" as the zealots would like you to believe, the bugs *are* fixed in a much shorter timeframe because the coders DO care about their product.
Am I the only one waiting for a report from Laura Didio on how Internet Explorer is far more secure than Firefox and citing these vulnerabilities as proof? What about the rest of the Microsoft apologist doomsayers?
Yes people, they are serious vulnerabilities. Yes, they should be patched and dealt with. And yes, they will be dealt with far sooner than "Patch Tuesday". The sky isn't falling.
It's the security response that is really beneficial. Microsoft has sat on bugs for months and months before releasing fixes. Mozilla has a transparent bug tracking system that you can access to get patches and so forth, before they even release an update. And they tend to release updates within days, not months.
-molo
Using your sig line to advertise for friends is lame.
When there are not 'many eyes'. Just because a project is OSS does not mean that 'many eyes' are actively looking at it. Most OSS projects are one person, some are a handful, a very few are a dozen, and the exceptional ones are several dozen.
We know about the issue of Firefox lacking reviewers already: http://steelgryphon.com/blog/index.php?p=37
We geeks really need to stop being swayed by ideology or anti-establishment 'cool' and try thinking for ourselves for a change.
There is no 'silver bullet' and that includes OSS.
And San Jose's not safer than Detroit, just less crime.
-Ted
-=-=- Quantum physics - the dreams stuff are made of.
Exploits rise with popularity. Watch out desktop linux.
Those two statements are unrelated. Yes, exploits rise with popularity. That doesn't mean that unpopular software magically becomes more vulnerable as it gets more popular. It means the vulnerabilities that already exist are found quicker. This is a good thing, especially for open-source software, because vulnerabilities are easier to find, both for white hats and black hats.
The canonical example is Apache. That's by far the most popular web server, and yet it outperforms IIS wrt. security without question. Popularity * vulnerabilities == exploits. If the vulnerabilities aren't there, or are relatively low, then the amount of exploits won't be a problem as the popularity rises.