Unpatched Firefox Flaw May Expose Users
Corrado writes "CNET is reporting on a new Firefox flaw." From the article: "The problem lies in the way Firefox handles Web links that are overly long and contain dashes, security researcher Tom Ferris said in an interview via instant messaging late Thursday. He posted an advisory and a proof of concept to the Full Disclosure security mailing list and to his Security Protocols Web site...The public bug disclosure comes just as Mozilla released the first beta of Firefox 1.5. The final release of the next Firefox update, which includes security enhancements, is due by year's end, according to the Firefox road map."
Firefox is open source... how can it have a bug in it? Lol, they must have meant Internet Explorer!
Everybody knows that security flaws are only available in Microsoft products. I read it on Slashdot!!! It has to be true!!!
Did anyone else have a sudden concern that using Firefox would cause you to be "pants'ed"?
The Spoon
If you have gotten your non-techie friends to switch to Firefox, be sure to tell them about this problem and the possible fixes. Indeed, it is very important that Firefox be kept up to date on as many computers as possible, even if it means a short trip to install it for somebody. Nothing will hurt Firefox's reputation more than unpatched installations being exploited.
Cyric Zndovzny at your service.
For trolling sake, it is still better then IE.
That the posted exploit only causes Firefox to crash or stop responding (that is what it did to 1.5b1 on my Linux box). The person that found the exploit claims he has tweaked the code to actually run arbitrary code on the system, but I would like to see proof of this, since as of right now we only have a hanging browser.
I know the Adblock Extension doesn't let you banish [a href="
Anyone know of any stable extension(s) that would?
o0t!
I thought MS had a patent on unpatched browser flaws?!?!?
Jerry
http://www.cyvin.org/
Why would you be browsing warez sites? You are a Linux user, right? If so, you'd have all the software you ever need. That's the beauty of open source: no need for piracy.
Cyric Zndovzny at your service.
It all comes down to how quickly a patch can be made and distributed. IIRC, the next version of FireFox will have support for incremental updates, which will make this kind of thing easier to deal with on updates. I'm curious if it affects the Mozilla suite in any way; I had thought they shared a lot of code.
Derek
Don't Panic...
Doesn't work on Firefox for Mac OS X, 1.0.6
Anyone got an experiences on other platforms?
Anyone know if this can do anything other than crash the browser?
WhiteWolf666 an exBush supporter. All you new-school,compassionate,save the children Republicans can rot in hell
more information on the bug at: www.youissostupid.ru/scriptyuiopuioqwhjklfashuiopyuiopuiopuiopuouihjklasd-2789789-hfsjadkhuiof
The world is made by those who show up for the job.
It's for str33t cr3d. He wants to be 1337.
The bug depended on the host name being all ---
It will be hard to craft some exploit code using only the - character.
It may DOS and cause instability; as for those "but, open source should be proof against this" nay-sayers, I'm pretty certain from the advisory that this could only be properly discovered because the source was available.
hmmmm, maybe if you can trick users to click on bad links a few times it might cause heap corruption and crashing; maybe if you get them to download the right page a few times to pre-load the heap, and then a few ----- might cause the browser to execute from the heap.
A look at the source will show the consequences of this and show what sort of pathway there is to arbitrary code execution. I guess it could be exploitable...
Sam
blog.sam.liddicott.com
The security vulnerability is a buffer overflow flaw that "allows for an attacker to remotely execute arbitrary code" on a vulnerable PC,
Just out of curiosity, can Firefox be compiled with the compiler parameter which adds code to detect a wide variety of such bugs? It's what Microsoft did with IE in XP SP2; does it make "sense" to do the same for Firefox?
"The final release of the next Firefox update, which includes security enhancements, is due by year's end, according to the Firefox road map."
We rightly criticize Microsoft for not responding to security concerns in a timely manner. I hope the Mozilla Foundation will be held to the same standard.
"Ask not what your country can do for you." --John F. Kennedy
I hear they make FireFox for Windows, too
Don't click me, I will crash your browser session!
Help poke pirates in the eyepatch, arr.
would you rather find out about a bug and fix it:
A. before you release a version (Firefox);
or
B. years after you release a version (IE).
Well? Which is better? If you choose option B, you can deny there's a problem for 1-2 years, start working on a fix in 2-3 years, nay-say press rumors about the bug in 3-4 years, and fix it and release the bug fix in 4-5 years.
I choose option A.
-- Tigger warning: This post may contain tiggers! --
Well, unlike Microsoft (and IE) which doesn't really care about the bad press its browser gets; I know for a fact that Mozilla and the people that work on Firefox, do.
Does CNET really think that Mozilla group is going to ignore it? I don't really see the point of the article. It seems like they were more interested in saying, "Oh, hey. Look, we're cool too because we found a flaw in Firefox."
I'm sure it'll be fixed in a couple of days in the nightly builds. The new auto-update mechanism in 1.5 wasn't implemented for nothing. And it's things like these that make Mozilla (Firefox) a good browser. No matter what kind of press (or lack of) it gets, bugs still get fixed.
Personally, I think CNET is trying to jump on the Firefox-bug-reporting bandwagon like everyone else.
Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6
I suspect I may have an extension that is preventing the hang, but I have 17 extensions and no time to isolate. :-)
-Rob
Biblical fiscal responsibility
I mean, I just downloaded the new Firefox 1.5 (wtf, last version was 1.06, THAT won't confuse people, skipping 44 versions). I just want to know if 1.5 is secure against this. It would be pretty ironic if the version announced for download today did not address a security flaw also posted to Slashdot on the same day.
do i expect too much?
I'll just use my special getting high powers one more time...
I use elinks. :)
maybe it's secure, maybe not.
Due to the lack of graphics support and javascript there is a good chance it is more secure than most other browsers.
Also nobody is going to target it.
...and that is all I have to say about that.
http://jessta.id.au
This is a good time for slashdot's OSS cheerleaders
to start celebrations about how fast this bug is going to be fixed & how great Open Source is.
I get a redirect to google "keyword:--------------------" for both http:${dashes} and http://${dashes} including SSL versions on 1.0.5 on windows. I can try 1.0.6 linux and deerpark alpha but why?
How on earth can the first post be redundant?
I can see why some folks will publicize exploits if they feel the software maker isn't responding in a timely manner. But c'mon - he just reported this to the Mozilla folks on Sunday!
Tell everybody to type in the URL instead of clicking on it.
Nobody is going to type those long URLs, so they won't even visit those pages.
From TFA:
"The security vulnerability is a buffer overflow"
Buffer overflows aren't very easy to catch, but I thank the guy who discovered it. This way we can make Firefox a more secure browser every time.
But frankly, I don't know how to feel. Embarrassed because buffer overflows are the result of sloppy buffer programming, or proud because Firefox has much fewer buffer overflows than windows products?
Oh that is such bull.
Using Linux doesn't automatically make you born again, all ethically and morally cleansed.
This is why open source is better! M$ expects me to wait until year's end for a patch?! What am I supposed to do until then, hide in a cave?
What's that you say? This isn't an article about Microsoft?
Oh, nevermind then.
Tech, life, family, faith: Give me a visit
Oh please, how is a heap overflow of 0x78787878787878... going to be exploitable. This looks like just a regular crash, if these turn you on just watch bugzilla for a few days, they turn up all the time.
A browser is a complex piece of software, of course there are going to be subtle bugs that turn up now and then. Nobody is perfect, and visualizing every possible execution path through a billion SLOC application is impossible. Please stop making a fuss about "OMG BROWSER DoS!!".
about:config -> network.enableIDN -> false
be happy!
I made a page with the supposed bad link full of dashes and all that happens, is that FF tries to do a Google lookup on "keyword:---lots of dashes here---"
This seems to be a dud exploit...
Oh well, what the hell...
The article is misleading, since Firefox 1.01, 1.02, 1.03 and so on up to 1.06 are all security updates that were quickly released each time such a bug was found. I do expect 1.07 this Monday.
I like hearing about Firefox exploits this way rather than having it mess up my computer by learning about these exploits the hard way.
I've had problems with another browser (guess) in the past where I found out about an exploit the hard way and then found out that the exploit had been a known problem for a very long time. At least we know that the people behind Firefox will have a fix probably within the next few days, but no longer than a couple weeks.
Sorry, that also doesn't trigger anything in Firefox. This seems to be a bogus exploit.
Oh well, what the hell...
under winxp I can't get this to crash. Crap! I thought windows should help with things like this! (Clippy: -So, it looks like you are trying to crash your browser. Need help?)
You can't handle the truth.
A billion lines of code? That includes the operating system, then? And maybe your mom's operating system as well?
I followed several links from other posters, as well as TFA, and all anybody said was "it's unpatched."
/. and its 100 redundant "you can get a fix <h t t p://www.slashdot.org/-----------------">here</a>" posts?
Hell, most IE exploits can be gotten around by disabling Active-X.
So as a Firefox user (at home, I'm on a Windows IE boxen here), what should I do to protect myself? Use IE?
That doesn't seem like a particularly safe thing to do to me. Anybody have any workarounds, short of not browsing
I guess this Bogus FUD Bug will be another "Won't Fix" item in the Firefox Todo list, since you can't really fix a bug that isn't there...
Oh well, what the hell - Yosarian, Catch 22.
Oh well, what the hell...
I think most Won't Fix items in the Firefox To do list are probably more like the bug I submitted for music.yahoo.com where it won't run something that another person wrote who won't fix it.
That would be my guess.
It's kind of mystifying why, even if they are closed source, people like the folks at music.yahoo.com won't fix such an obvious problem - it's not like Firefox created the problem per se, and it is kind of awkward to go and fix it - but I guess the Yahoo folks are sitting on their piles of cash and feeling sorry they're not Google coders or something like that, instead of fixing flaws in major browser implementations caused by their code.
That would be my guess
-- Tigger warning: This post may contain tiggers! --
Actually...I wonder: Could someone develop a extension which stops a (this) exploit?
OMG!
;)
A bug in Firefox, let's all go back to IE because it's so much better and has none... no wait, it does!
In short, I'm sure a lot of people will cry over this bug (yes, I know it's not the only one) and stupidly switch back just on that basis. Wonder how long until this one gets sorted compared to Microsoft's patch turnaround.
I get a dialog box indicating that the URL could not be found. No error, no hang, no interruption or problem whatsoever.
There are 11 types of people in the world: those who can count in binary, and those who can't.
So, whats the third type of people? Those that pretend to be able to count in binary to make a joke in their signature?
As IE and Firefox are still subject to new releases we get A and B
Each bug is before the next release and after the previous releases.
I think you were trying to say "at least mozilla folk fix it in the next release"
Sam
blog.sam.liddicott.com
This guy was driving and navigated to a bunch of yellow dashes in succession.
This method of action caused his car to crash.
I've only been able to replicate this bug on roads with > 2 cars.
Anyone experience this?
/waiting for roads v1.5
This flaw is only present in Firefox 1.5beta1, 1.0.6 is not affected.
So if you are worried just keep using the stable version until at least the next beta release and be happy.
There's a hidden treasure in Python 3.x: __prepare__()
It's not so much Firefox, as it is the Mozilla codebase upon which Firefox is built. Having recently done some work with Mozilla, I can say that it is a very complex beast. Perhaps even too complex, some might say. The potential for the introduction of bugs is astounding, since it is often very difficult to know for sure exactly what effects a code change will have.
It doesn't help that a lot of the documentation is out of date, often by several years. Nothing is worse than incorrect or outdated documentation, which can often lead to incorrect code being unintentionally added.
While a rewrite of Mozilla is of course out of the question, there should perhaps be some procedures in place to clean up the code base, and ensure that documentation is correct. Performing such basic engineering practices is what results in quality products, be it software or bridges.
Cyric Zndovzny at your service.
Indeed. The main update/fix for Internet Explorer-related problems is Firefox. So that should always be the first solution proposed. That in turn directly leads to my proposal: always keep your non-technical friends' Firefox installations up to date.
Cyric Zndovzny at your service.
You can download a fix here
Does it even crash you? So far I haven't found anyone this actually crashes.
People need to take a step back here and realize that no program is perfectly secure. It doesn't matter how hard the Mozilla foundation tries, there will always be another "security hole".
Best security practices still apply, even if you use Firefox. Visit trusted, reputable sites. Check links BEFORE you click them. If something doesn't seem right, don't go there. If a download pops up that you didn't expect, don't download it. ETC ETC ETC. Most security issues become non-issues if a few simple steps are followed when you're on the net.
Don't take life so seriously. No one makes it out alive.
Especially because it is a pointer (which is what gets overwritten in a heap overflow) that points to a particular place in the address space.
On Windows, this points right into the middle of NTDLL.DLL, which is read-only memory. No exploit here.
Between 2005-09-03 and 2005-09-06, there were several bugs reported to Mozilla that are now marked hidden. Expect one of them to become visible now that this is announced. (note: bugzilla blocks slashdot referer, so cut&paste is needed, watch out for the extra space)
3 94 03 14 08 48 7
https://bugzilla.mozilla.org/show_bug.cgi?id=3069
https://bugzilla.mozilla.org/show_bug.cgi?id=3069
https://bugzilla.mozilla.org/show_bug.cgi?id=3070
https://bugzilla.mozilla.org/show_bug.cgi?id=3070
https://bugzilla.mozilla.org/show_bug.cgi?id=3070
https://bugzilla.mozilla.org/show_bug.cgi?id=3070
BTW, why is it necessary that so many bug reports be hidden? They can't all be valid security bugs, can they? Besides, full disclosure and an open development model go hand-in-hand.
-molo
Using your sig line to advertise for friends is lame.
"Oh please, how is a heap overflow of 0x78787878787878... going to be exploitable. This looks like just a regular crash, if these turn you on just watch bugzilla for a few days, they turn up all the time."
;).
You are a moron. How is the heap overflow going to be exploited? Are you serious? Go look up exploiting buffer overflows. You obviously don't know what the hell you are talking about, and you obviously know nothing of how programs run in memory. Sure, the heap overflow is just crashing your browser now, only because it is accessing memory it isn't supposed to. I am sure some nop's and jmp statements could point it in the right direction
"This looks like a regular crash"
You keep thinking that!
"Nobody is perfect, and visualizing every possible execution path through a billion SLOC application is impossible."
Hahahahahaha, no comment here because your stupidity speaks for itself.
"Please stop making a fuss about 'OMG BROWSER DoS!!'"
Stop pretending this flaw isn't harmful and "only a crash". Buffer overflows are serious.
It opened up a google search with ----------- whatever in it. Using firefox 1.0.6 on linux.
Honestly, who cares? Why does this have to be compared to a Microsoft response? Why can't this just be viewed as an event in its own right and not constantly looked at as some insult which might be handing Microsoft an edge?
Objectively, if I use Firefox I have no interest in how Microsoft might have responded to a similar situation. I am purely interested in the Mozilla response (which I'm explicitly not passing judgement on in this post). Can people give it a rest with the constant defensiveness against Microsoft?
Cheers,
Ian
I mean, I looked at the official disclosure from him (http://www.security-protocols.com/advisory/sp-x17-advisory.txt)
and basically he acts like 4 days is all he needs to wait.. and apparently Mozilla isn't doing enough for this?
Mozilla isn't Microsoft or Cisco in two categories.
A. They aren't ultra-large corporations that can fix stuff in an instant.
B. They don't ignore problems, especially like this. They're likely working as fast as they can and they are willing to admit fuckups, but they want to have a fix for the fuckup first.
We don't need everyone running around thinking that EVERY company conducts business the same way that Cisco does... how all of them are part of a conspiracy. Firefox is getting known in the industry to be basically good at avoiding problems other browsers have and fixing major bugs.
By having a guy run around like this after only 4 days (notice the dates in that link), it can only cause a higher likelihood that someone will use that find maliciously, and Firefox will get blamed for it when it's really the disclosure that's the problem.
The fact is, those of us who find these bugs need to give the company time to react; we don't need to act like they don't care. 4 days is hardly enough unless he got back a letter that said screw you, which it doesn't sound like he did. Giving Full Disclosure the first time you hear about a problem just creates a bigger problem, because now more people will learn of the problem.
And there's a definite difference between waiting a couple of months like the Cisco incident, where the company was being forced into an uncomfortable position, and waiting less than a full week with apparently no provocation.
Take 2 seconds to check out his proof of concept:
http://www.security-protocols.com/firefox-death.html
WARNING: Clicking the above link will crash Firefox. It will do nothing else. The hyphens are not normal minus hyphens (the - symbol on your American keyboard will translate to 0x2d) but soft hyphens (0xad).
The exploit no longer works with that workaround enabled.
Does Not Work For Me.
Firefox 1.5b1/WinXP Pro
This works for me. What does IDN do anyway? Is it important?
Like Slashdot department names?
Not "may", "does". It's a remotely exploitable vul in Netscape and Firefox.. Plain and simple.
Telling them it's insecure only encourages them to stick with IE. All the studies are showing this with clueless users, since Microsoft does not like to boast about holes in IE.
http://saveie6.com/
Totally. Opensource isn't just fewer bugs. It's easier to find and fix bugs. The theory is just that eventually this process leads to fewer bugs because the bugs get found and fixed sooner rather than later.
At what price learning? At what cost wisdom? The price is a man's peace of mind, and the cost is his life.
http://www.frsirt.com/english/advisories/2005/1690
Affected Products:
Mozilla Firefox version 1.0.6 and prior
Mozilla Firefox version 1.5 Beta 1 and prior
Mozilla Suite version 1.7.11 and prior
Well, I just went to their firefox test page and tried it myself. Firefox 1.06 did NOT hang or crash. I have adblock, and the firefox google bar (not the Google's own release one). No error messages, no slow down, nothing.
I suspect if you have IDN switched off (like I do) then nothing happens. I turned it off, and I believe new installs are off by default now because of an IDN bug before which allowed you to fake URLs. The temp workaround was to disable IDN, but since I don't need it, I didn't enable it.
There seems to be some confusion about the POC and this exploit. The problem doesn't lie in actually clicking the link, the problem lies in the fact that the link actually exists on the page. Does opening this page not crash your browser? _Then_ you can say the exploit doesn't work.
Ferris found this "hidden feature" by inspecting the source code, not by trying to probe the browser from "the outside".
He just analysed possible outcomes of usage of this function:
nsStandardURL::BuildNormalizedSpec
That is another proof (of a known fact) that it is much easier to hack the open-sourced than the proprietary application.
Wow, I thought only MS products and Internet Explorer were capable of having bugs or exploits.
Were the people championing these other browsers lying to me, or just ignorant of the fact that all software, when given mass distribution, will exhibit growing pains, and exploits will be found no matter how good the programmers think they are?
Hm... (Ok, mark this as Flamebait - even though what I say is factually correct.)
Go look up exploiting buffer overflows. You obviously don't know what the hell you are talking about, and you obviously know nothing of how programs run in memory. Sure, the heap overflow is just crashing your browser now, only because it is accessing memory it isn't supposed to. I am sure some nop's and jmp statements could point it in the right direction ;).
No, you go and look up buffer overflows.
Just randomly overwriting memory != executing code. You have to overwrite some object that controls the flow of execution; on stack buffers you're looking for return addresses, on the heap an ideal situation would be function pointers. If you think just writing "nop's and jmp statements" onto the heap means you get them executed, you're a moron.
Secondly, let's assume that a thorough analysis of the heap reveals some object that you can overwrite and could potentially redirect the flow of execution to some code that you can control... how exactly are you going to get there if all you can do is change it to 0x78787878? Go ahead, try and change the "proof of concept" to include other characters or byte values. Does it work? No.
All this is is a heap corruption bug.
I'm pretty sure it only applies to the 1.5 beta, and possibly earlier alphas of it.
I thought the beauty of open source was that the source code was available. Free speech, not free beer. I didn't know it was "Open Source is great because it means I don't have to fire up eMule anymore!"
"Sufferin' succotash."
So it'll take off my pants?
Bugs and flaws are commonplace ... its a model which promotes a fast fix to these shortcomings that really makes a difference.
There is a separate advisory from FrSIRT with their severity level at http://www.frsirt.com/english/advisories/2005/1690 where they list Mozilla Firefox version 1.0.6 and prior, Mozilla Firefox version 1.5 Beta 1 and prior and Mozilla Suite version 1.7.1.1 and prior.
Netscape 8, based on the Firefox codebase, is not immune: http://www.frsirt.com/english/advisories/2005/1691
Flaw is present in Firefox 1.0.6, except the way to trigger it isn't a '-' but a string of 0xad; see the hex view of www.security-protocols.com/firefox-death.html:
0000000: 3c41 2048 5245 463d 6874 7470 733a adad <A HREF=https:..
0000010: adad adad adad adad adad adad adad adad ................
0000020: adad adad adad adad adad adad adad adad ................
0000030: adad adad adad adad adad 203e 0a .......... >.
mod parent ignorant instead of insightful please
bob
http:\\www.apple.com:0182093487209480923@phishersinc.org/32976423923649326493269
Many people would see www.apple.com, and not the phishersinc.org address. By highlighting the host name, people would see the issue more quickly:
http:\\www.apple.com:0182093487209480923@phishersinc.org/32976423923649326493269
*note: forward slashes converted to back slashes to avoid being converted to link
Jumpstart the tartan drive.
it should be much easier for white hats to find holes and report them responsibly. This guy didn't do that. 4 days is not enough time.
For those testing on their own, *please realize* that it is not simply a dash (0x2D), but the character 0xAD.
International Domain Names can be written with exotic letters like é ù ø and much more...
I entered the html in hex editor as from:
http://it.slashdot.org/comments.pl?sid=161697&cid=13519728
and clicked on the link. The link pointed to:
https://xn--m1aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/
and firefox downloaded this:
http://www.srh.noaa.gov/abrfc/archive/1996/aug/rvmfiles/96083106_1_rvmshv
Well, after five security updates that patch numerous security holes (22 since 2004), I'm not sure that Firefox is the solution. It's certainly more secure than IE, but is it secure *enough*? No, it isn't.
I deployed Firefox on the corporate network to improve security. Five updates later, I'm explaining to my manager that Firefox, just like IE, is full of security holes that need to be patched.
Unlike IE, Firefox can't be updated through Windows Update and it doesn't have a patch release cycle. That makes it harder to plan for and harder to deploy Firefox patches.
Having "fewer" vulnerabilities than IE isn't good enough - particularly when your patching system sucks. Open source can do better.
... there were a post like this every time a flaw was found in IE?
IT: Unpatched IE Flaw May Expose Users Bug Posted by Zonk on Friday September 09, @11:16AM
IT: Unpatched IE Flaw May Expose Users Bug Posted by Zonk on Friday September 09, @11:18AM
IT: Unpatched IE Flaw May Expose Users Bug Posted by Zonk on Friday September 09, @11:20AM
IT: Unpatched IE Flaw May Expose Users Bug Posted by Zonk on Friday September 09, @11:22AM
If I ever see another "secure by design" bs comment from /. idiots, I'll be sure to point out this story.
Vote for Pedro
Release Date:
September 8, 2005
Date Reported:
September 4, 2005
Vendor Status:
Mozilla was notified, and I'm guessing they are working on a patch. Who knows, though?
Do I understand correctly that the guy reported the bug to Mozilla on September 4, 2005 and then released it to public on September 8, 2005?
If so, that would show a complete lack of responsibility on his part and total disregard for proper security reporting procedures.
I have tried the above page with Fx 1.0.6 under Linux and it doesn't crash at all. Maybe it's windows-only?
There's a hidden treasure in Python 3.x: __prepare__()
Further, if patches for vulnerabilities aren't released, then what good is Windows Update? (Note that you can't update *anything* except MS products via Windows Update. You think this is a coincidence?) Do you explain to your boss that yes, you aren't as secure, but if you had a patch to fix things you could deploy it quickly? If Microsoft is controlling what patches you get, when they're applied, and what the priority for fixes is, then exactly how much control over your security do you actually have? Wouldn't it be more cost effective for your boss to just fire you and outsource to Microsoft?
What about userid's as all dashes?
Am I suddenly the anti-Firefox?
If you are looking for a 100% secure, bug-free browser, you won't find it. Get over it. Microsoft releases fewer patches mainly because they sit on their asses longer. There are still many unpatched vulnerabilities in MSIE. The main difference between MSIE and Firefox is that you don't have to spend days cleaning out spyware if your users use Firefox.
Why is it that no one seems to understand the points that I'm making? I ask for discussion and all I get is "no". I point out a flaw in someone's post and they call me ignorant.
DAMN IT, I'm trying to discuss things, to point out injustices, to help people understand and all I get is crap. I *know* that I'm not a bad person. I *know* that I'm trying to be helpful.
I thought that the advantage of Open Source was that thousands of programmers all over the world were waiting to pounce on every bug and fix it instantly?
My Journal
Sheesh, just announced yesterday.
Calling it unpatched makes it sound so -- neglected.
If not fixed by Monday, then it would be accurately called an Unpatched flaw instead of a New flaw.
Sorry .. Can't Reproduce Still ...
FreeBSD/amd64 7.0-CURRENT firefox-1.0.6
Sig?
Having "fewer" vulnerabilities than IE isn't good enough - particularly when your patching system sucks. Open source can do better.
That's why they improved the patching system for version 1.5.
The bug is in the IDN handling. Go to about:config and set network.enableIDN to false. Bingo! Problem solved... as long as you don't use international URLs.
I've been mucking around with a GreaseMonkey script to recognize unicode 00AD, but it looks like the JavaScript regular expression handler doesn't know how to deal with it. Could just be an ID10T error though.
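As an added example (not code from the thread, the advisory, or Mozilla): a small Node.js link auditor that decodes the hex view quoted earlier in the thread back into page text, then flags hrefs whose host is built from soft hyphens (U+00AD) and hrefs that put a look-alike name in the userinfo part before the real host, the apple.com/phishersinc.org trick shown above. In JavaScript the escape `\u00ad` in a regular expression matches the soft hyphen directly; in a user script the same functions could be run over each link's raw `href` attribute. The hex dump is transcribed here as a constructed string, and all function and variable names are mine.

```javascript
// Added example, not from the thread or from Mozilla. Assumes Node.js (uses Buffer).

// xxd-style hex view of firefox-death.html as quoted in the thread, copied here as a
// constructed string so the example runs offline: offset, eight hex groups, ASCII column.
const HEX_VIEW = `
0000000: 3c41 2048 5245 463d 6874 7470 733a adad <A HREF=https:..
0000010: adad adad adad adad adad adad adad adad ................
0000020: adad adad adad adad adad adad adad adad ................
0000030: adad adad adad adad adad 203e 0a .......... >.
`;

// Turn the dump back into the original text. Bytes are decoded as Latin-1, which is how
// a browser treats a page with no declared charset, so byte 0xAD becomes U+00AD
// (SOFT HYPHEN), not the ASCII hyphen-minus 0x2D that it resembles on screen.
function decodeHexView(dump) {
  let hex = '';
  for (const line of dump.split('\n')) {
    const tokens = line.trim().split(/\s+/);
    // Skip blank lines and anything that does not start with an "offset:" column.
    if (tokens.length < 2 || !/^[0-9a-f]+:$/i.test(tokens[0])) continue;
    // At most eight hex groups follow the offset; stop at the first non-hex token so
    // the ASCII column is never swallowed.
    for (const tok of tokens.slice(1, 9)) {
      if (!/^(?:[0-9a-f]{2}){1,2}$/i.test(tok)) break;
      hex += tok;
    }
  }
  return Buffer.from(hex, 'hex').toString('latin1');
}

// Split a link into scheme, optional userinfo and host with a plain regex rather than
// the WHATWG URL class: that parser applies IDNA mapping, which drops soft hyphens and
// would hide exactly what we want to see. Links of the form "https:---" (no "//") are
// accepted because that is the shape of the proof of concept.
function analyzeLink(href) {
  const m = /^([a-z][a-z0-9+.-]*):(?:\/\/)?(?:([^\/@]*)@)?([^\/?#]*)/i.exec(href);
  if (!m) return null;
  const [, scheme, userinfo, hostPort] = m;
  const host = hostPort.replace(/:\d+$/, '');          // drop a trailing port
  const softHyphens = (host.match(/\u00ad/g) || []).length; // \u00ad matches the soft hyphen
  const flags = [];
  if (softHyphens > 0) flags.push('soft-hyphen host');
  if (userinfo !== undefined) flags.push('userinfo before host'); // user@host look-alike trick
  if (/[^\x00-\x7f]/.test(host)) flags.push('non-ASCII (IDN) host');
  return { href, scheme, userinfo, host, softHyphens, flags };
}

// Collect every href in a page (quoted or bare attribute values) and keep the
// suspicious ones. Scanning the page is the right unit here: the thread notes that
// merely rendering the link, not clicking it, is what matters.
function auditHtml(html) {
  const hrefs = [];
  const re = /<a\b[^>]*?\bhref\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  let m;
  while ((m = re.exec(html)) !== null) hrefs.push(m[1] ?? m[2] ?? m[3]);
  return hrefs.map(analyzeLink).filter((r) => r && r.flags.length > 0);
}

// Demonstration on the two cases discussed in the thread.
const page = decodeHexView(HEX_VIEW);
for (const r of auditHtml(page)) {
  console.log(`${r.scheme}: host=${JSON.stringify(r.host)} soft hyphens=${r.softHyphens} flags=${r.flags.join(', ')}`);
}
const phish = analyzeLink('http://www.apple.com:0182093487209480923@phishersinc.org/32976423923649326493269');
console.log(`userinfo=${phish.userinfo} real host=${phish.host} flags=${phish.flags.join(', ')}`);
```

Running it reports the decoded proof-of-concept link as a 44-soft-hyphen host and the second link as having its real host, phishersinc.org, hidden behind the userinfo part.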
I'd think whoever found this bug has the know-how to fix it. Why wouldn't/shouldn't he issue a security alert AND the fix at the same time?
Now they seem to have a working fix, after four days. You can't say they sat on this one.
"It's certainly more secure than IE, but is it secure *enough*? No, it isn't."
What I think you mean is that while Firefox is more secure than IE, that added security doesn't make up for IE's convenience factors: WindowsUpdate, comes with Windows.
What about this: it's a better browser.
Or this: no popups, no spyware.
"Five updates later, I'm explaining to my manager that Firefox, just like IE, is full of security holes that need to be patched."
How about saying, "Firefox needs to be updated." Why is it necessary to say that Firefox (or IE) is "full of security holes"? It makes you sound whiny and unprofessional to make negative generalizations about the software you support.
The very phrase "security holes" makes my teeth grind. Say, "IE is the primary way spyware gets installed, because of its policy of allowing execution of untrusted programs."
As for whether regularly scheduled updates are better than updates when needed, I think you'll find it hard to justify that when your users get hit by some piece of malware that will be fixed in a patch that's due out, on average, in two weeks.
I suggest you keep a log of when you apply patches (to FF or IE), and how much time it costs you. Since IE is part of the OS, you have to keep it patched even when FF is the default browser. Try to integrate the log into your daily timekeeping system, if you have one. Note how much user interruption there is, such as whether you have to reboot after a particular patch.
When you have a few months of data, I am certain you'll be able to justify Firefox as a more robust and secure browser than IE.
Raise your children as if you were teaching them to raise your grandchildren, because you are.
Bug 307259 is now open to the public - you can see clearly that the reporter had little clue, and that the only reason his disclosure contains correct information is because one of the Mozilla developers (David Baron) stated that correct information on the bug.
Sigh.
this might be an application level 'sploit, which _may_ allow access to unsafe (777?) directories on non Win boxes, but really, this is an OS level bug which an app-level insecurity may be able to exploit
Anyone running HPUX can probably breathe easy (hi steve!)
http://milkshake.dexy.org
Yes, this is another IDN bug. The temporary workaround is to disable IDN (there are hardly any sites out there that use it yet, since Microsoft doesn't support it).
Here's how:
1. Type "about:config" in the location bar.
2. Type "network.enableIDN" in the filter bar.
3. Double click the setting to set it to "false".
4. All done!
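The same setting can be applied without touching the UI, which matters when the workaround has to reach many machines or profiles: Firefox reads a `user.js` file from the profile directory at startup and applies every `user_pref()` line in it over the stored preferences, so one line there does what steps 1-4 do in about:config. The script below is an added example, not code from this thread or from Mozilla. The `user_pref("network.enableIDN", false);` syntax and the `profiles.ini` layout (`[ProfileN]` sections with `Path=` and `IsRelative=`) are Firefox's own; the function names, the default profile location and the sample file contents are constructed here.

```python
import configparser
import os
import re
from pathlib import Path

# Pref name exactly as it appears in about:config; pref names are case-sensitive.
PREF_NAME = "network.enableIDN"


def format_pref(name, value):
    """Render one user.js line: user_pref("name", value);"""
    if isinstance(value, bool):          # bool before int: bool is a subclass of int
        rendered = "true" if value else "false"
    elif isinstance(value, int):
        rendered = str(value)
    else:
        escaped = str(value).replace("\\", "\\\\").replace('"', '\\"')
        rendered = '"%s"' % escaped
    return 'user_pref("%s", %s);' % (name, rendered)


def set_user_pref(text, name, value):
    """Return (new_text, changed).

    Replaces every existing user_pref line for `name`, or appends one.
    Re-running on already-fixed content reports changed=False, so the
    function is safe to call from a login script or scheduled job.
    """
    line = format_pref(name, value)
    pattern = re.compile(
        r'^[ \t]*user_pref\("%s",[^\n]*\);[ \t]*$' % re.escape(name), re.M
    )
    if pattern.search(text):
        new_text = pattern.sub(lambda _m: line, text)
        return new_text, new_text != text
    if text and not text.endswith("\n"):
        text += "\n"
    return text + line + "\n", True


def profile_dirs(ini_text, ini_dir):
    """List the profile directories described by a profiles.ini file.

    Each [ProfileN] section carries Path= and IsRelative= (1 means the
    path is relative to the directory that holds profiles.ini).
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    dirs = []
    for section in cp.sections():
        if not section.startswith("Profile"):
            continue
        path = cp.get(section, "Path", fallback=None)
        if path is None:
            continue
        if cp.get(section, "IsRelative", fallback="1") == "1":
            path = os.path.join(ini_dir, path)
        dirs.append(path)
    return dirs


def disable_idn(profile_dir):
    """Write network.enableIDN=false into <profile>/user.js; True if the file changed."""
    user_js = Path(profile_dir) / "user.js"
    old = user_js.read_text(encoding="utf-8") if user_js.exists() else ""
    new, changed = set_user_pref(old, PREF_NAME, False)
    if changed:
        user_js.write_text(new, encoding="utf-8")
    return changed


if __name__ == "__main__":
    # Assumed default location on Linux; adjust for other platforms.
    ini = Path.home() / ".mozilla" / "firefox" / "profiles.ini"
    if ini.exists():
        for d in profile_dirs(ini.read_text(encoding="utf-8"), str(ini.parent)):
            print(d, "updated" if disable_idn(d) else "already set")
```

Because `user.js` is re-applied on every startup, a user who flips the pref back in about:config gets the safe value again next time Firefox starts, which is the property you want from a workaround pushed out ahead of the real patch; remove the line once the patched build is deployed.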
Why is every Firefox vulnerability a news story? Why isn't every Internet Explorer flaw a news story? IE flaws only seem to be reported after a serious malicious use of the flaw. Firefox vulnerabilities are immediate news stories even though no such disaster occurs. Browser market share aside, why is this news? (not news on Slashdot, but news in the press)
;)
Is it some sort of negative PR campaign being launched by Microsoft or Opera Software to counter Firefox's popularity?
It probably helps Firefox from a security stand point since it gets out in the open before a major malicious use and the Mozilla team has a patch shortly afterward. I wish Microsoft would get bad press just because of a vulnerability, not just after a major disaster.
There is definitely a PR campaign going on here. But perhaps that is obvious.
chance of being pwned = SUM over vulnerabilities of (chance of vulnerability being exploited)*(chance of user encountering exploit).
You can't measure security on number of vulnerabilities alone, because many of them will either affect a small number of users or be encountered in rare conditions.
That said, Firefox still beats IE hands-down because ... IE is used by about 10 x the user base, has a larger number of vulnerabilities, and has vulnerabilities that affect common situations (like those related to clicking on links).
Human being (n.): A genetically human, genetically distinct, functioning organism.
So, let's say your physician was going to view your medical record using, say, Citrix, from a home PC (a common scenario when a /.er has actually eaten that stuff in the back of the fridge and ended up in the ER, and the ER doc needs to know background info). Would you want them using Firefox or IE?
If your manager hasn't realised that all software has bugs, and that software that fetches remote data over the network and then parses it is doing something very complicated in an extremely hostile environment, then perhaps you should have managed his/her expectations better? You might also explain that the Fx holes are, in general, much less severe than IE holes (remote root from Mozilla? not likely); that they are usually patched within a matter of days, rather than the months Microsoft takes (and you might point him to eEye's long list of critical vulnerabilities that they won't tell us about until MS release a patch - and how overdue those fixes are; google for it); and you could also cheat a bit and mention that in-the-wild exploits of Firefox are far far less common than IE exploits, because it's still comparatively rare.
Neither can any other software apart from Windows itself. So you can just patch it using the same patch management process you use for your other software that isn't Windows. (You know about OfficeUpdate, right?) Anyway, you can use the official Microsoft answer to this problem (SUS) with non-Microsoft MSI files, so you can push updates out to all your users whenever you want to. If you can't be bothered to use SUS, just patch Fx the same way you patch your other high-risk software such as RealPlayer, Quicktime, and so on... you do patch that stuff, right? And those non-networking apps - your workflow stuff, databases and so on - you patch those so the anti-social smartarse on the Helpdesk can't haxx0r the salary database of course; do you do walkrounds for those?

New versions are released according to the roadmap published on the website "from time to time"; patches are released when they're ready. It's not Mozilla.org's fault if Microsoft release patches when it suits them, holding up vital security fixes for up to four weeks to hit that artificial schedule, is it! That phrase stinks of Redmond koolaid I'm afraid.

What's to plan? A patch is released; you do whatever testing your vuln management policy says is appropriate for that class of vulnerability; when you're ready to deploy, you hit the big button. How can you plan for that beyond making sure you have resources available to meet your worst-case threat scenario? You know roughly how many patches to expect in a year (because you collect those stats from your workflow system, right?) You know roughly how long it takes to deploy a patch (whether it's a single NMS / SUS button push, or a sneakernet, or a server-side upgrade that must be done out of hours). You can't control when those patches will be released because you never know what's going to be patched from one day to the next (apart from Microsoft's artificial schedule, of course.)

(Incidentally, does anyone know of any other sw vendor who saves patches up for the vendor's convenience? Didn't IBM do that in the 60s?) You realise they batch them up because they were getting embarrassed by the sheer number of advisories they release? (I realise people were getting a bad impression for the wrong reasons, but that doesn't change the fact that MS moved to the monthly schedule for PR and marketing reasons.)

"None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe
It did here. I just checked my hard drive and I am going to heaven now. Are you sure you're doing it right?
I made a comment in Security-protocols article . But some time later, they removed all comments. This is really strange.
The bug report is now open and you can see that he reported it to Mozilla on the afternoon of the 6th. There was quite a bit of activity from top Mozilla developers and then the reporter posted the exploit publicly on the 8th.
We've determined that disabling IDN is a safe workaround and are working on supplying a small download that will take care of that configuration for the user.
- A
Wait! You forgot that IE also has more severe vulnerabilities, and they go unpatched for a longer time. The bottom line is that just about any mainstream alternative browser is way more secure than IE.
What a fool believes, he sees, no wise man has the power to reason away.
Currently that would be Opera, 0 unpatched vulnerabilities
http://secunia.com/product/4932/
(I still like Firefox better)
How about telling him that IE has 18 unpatched vulnerabilities (http://secunia.com/product/11/) compared to 4 (http://secunia.com/product/4227/) in Firefox.
There is also the rate at which patches are rolled out. MS has multiple programs of various types they must keep up to date. Mozilla has a handful (T-bird, FF, Mozilla, and Sunbird). The Mozilla team usually gets their patches out faster than the MS team. (Going by the average time between release date and last update date on the patched vulnerabilities listed on Secunia)
If you are looking for 0 vulnerabilities try Opera
(http://secunia.com/product/4932/)
Of course, IE is free (well, bundled with windoze) and Firefox IS free, while Opera costs money.
Pick your poison.
Yay FF
http://en.wikipedia.org/wiki/Shellcode
"Shellcodes are typically injected into computer memory by exploiting stack and heap-based buffer overflows, or format string attacks. Shellcode execution can be triggered by overwriting a stack return address with the address of the injected shellcode. Thus when the subroutine tries to return to the caller, it instead returns to the shellcode that opens a command line for the cracker to use."
Definition of a Heap Overflow:
http://en.wikipedia.org/wiki/Heap_overflow
A real example of a heap overflow:
http://www.microsoft.com/technet/security/bulletin/MS04-028.mspx
Yes, that says "Remote Code execution"
"All this is is a heap corruption bug." That's why it was released as a Buffer Overflow?
Maybe you should read the article:
http://news.com.com/Unpatched+Firefox+flaw+may+expose+users/2100-1002_3-5856201.html
"The security vulnerability is a buffer overflow flaw that 'allows for an attacker to remotely execute arbitrary code' on a vulnerable PC, Ferris said. An attacker could host a Web site containing the malicious code to exploit the flaw, he said. Though his proof of concept only crashes Firefox, Ferris claims he has been able to tweak it to run code."
You must be smarter than the researcher that discovered this, congrats! Maybe you should send your findings in to them as well.
Mozilla Foundation has published a security advisory entitled "What Mozilla users should know about the IDN buffer overflow security issue" located at http://www.mozilla.org/security/idn.html . They say there is a small download (i.e. .xpi package) coming in the near future which will make this IDN configuration change automatically.
Heheheeeeee, i don't use Firefox. All the hype before, during and after its launch gave me goose bumps.
I have used Mozilla for close to 4+ years and it's all good. Same mom you may say.
Long live the free (from money) world of tech.
P(Vi) = Probability of being pwned by single vulnerability Vi = (chance of vulnerability being exploited)*(chance of user replicating vulnerability conditions).
Probability of being pwned by multiple vulnerabilities = 1 - PROD over all vulnerabilities(1 - P(Vi)).
Human being (n.): A genetically human, genetically distinct, functioning organism.
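The two formulas in this thread (the SUM over vulnerabilities in the earlier comment, and the 1 - PROD(1 - P(Vi)) correction just above) differ in a way that is easy to see with numbers. The block below is an added example, not from either commenter: it implements both, assuming the vulnerabilities are independent events (which the product form already assumes), and adds a population-scaling helper for the "IE has about 10x the user base" point. All function names and the sample probabilities are constructed here.

```python
from math import prod


def p_single(p_exploited, p_encountered):
    """P(V_i) as defined in the comment: the two factors are multiplied,
    which assumes that whether the bug gets exploited in the wild is
    independent of whether this user meets the conditions that trigger it."""
    return p_exploited * p_encountered


def p_compromised(ps):
    """Probability that at least one of several vulnerabilities lands.

    Under independence, P(none lands) is the product of the (1 - P(V_i)),
    so P(at least one) = 1 - PROD(1 - P(V_i)). Never exceeds 1.
    """
    for p in ps:
        if not 0.0 <= p <= 1.0:
            raise ValueError("not a probability: %r" % (p,))
    return 1.0 - prod(1.0 - p for p in ps)


def p_union_bound(ps):
    """The plain SUM from the earlier comment. It is the union bound: always
    >= p_compromised(ps), close to it only while every P(V_i) is small, and
    it can exceed 1, which is why the later comment replaced it."""
    return sum(ps)


def overcount(ps):
    """How far the sum overstates the exact figure, in absolute terms."""
    return p_union_bound(ps) - p_compromised(ps)


def expected_victims(ps, users):
    """Expected number of compromised users in a population of `users`,
    so that a browser with fewer holes but ten times the install base can
    still produce more victims in absolute terms."""
    return users * p_compromised(ps)


if __name__ == "__main__":
    # Constructed numbers, not measurements of any real browser.
    fx = [0.01, 0.02]
    ie = [0.01, 0.02, 0.05, 0.05]
    print("sum vs exact, two holes:", p_union_bound(fx), p_compromised(fx))
    print("ten coin-flip holes: sum =", p_union_bound([0.5] * 10),
          "exact =", p_compromised([0.5] * 10))
    print("victims per 1000 / 10000 users:",
          expected_victims(fx, 1000), expected_victims(ie, 10000))
```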
Sure, with the proviso that after every time WUA tweaks your computer by as much as a single bit (or so it seems), it automatically reboots your computer.
Windows update never automatically reboots my computer. It periodically prompts me to remind me, and I can choose to ignore it (I usually have a dozen things actively being worked on, so I'm not always ready to reboot).
There's already enough valid FUD for Windows, you don't have to create more.
The bug has been disclosed by Mozilla staff and a patch fixing the reported buffer overflow has already been applied to the CVS tree, so expect a public security update very soon. In the meanwhile, as a temporary work-around, you can fully protect your browser opening "about:config" and setting the network.enableIDN preference to false, see the full story here.
There's a browser safer than Firefox, it is Firefox, with NoScript
No sir.
The bottom line is this:
Whether your browser has 10 vulnerabilities or 1, the end result is this: YOUR MACHINE GETS OWNED.
What a fool believes, he sees, no wise man has the power to reason away.
The patch has been issued on the Mozilla site, download it at the following address: http://www.mozilla.org/security/idn.html By the way, did anyone notice "Microsoft pulls 'critical' Windows update"? Check it out: http://news.zdnet.com/2100-1009_22-5857338.html. It seems the big browser wasn't able to address its security vulnerabilities over the last month and won't be delivering its "critical" updates on its regularly scheduled Patch Tuesday. Hmm, interesting: Mozilla responds in 72 hours to its critical vulnerabilities, whereas Microsoft takes more than 30 days?
I set up a URL like the one shown in the advisory and, regardless of whether I paste it into the URL bar or click it in a web page, Firefox changes the link to "keyword:---[...]" and takes me to a page that explains the operation of the Google "I Feel Lucky" function. I was expecting the browser to crash....
This is Firefox 1.0.6 under SuSE 9.2 (patched).
"The Internet is made of cats."
Index: mozilla/netwerk/base/src/nsStandardURL.cpp
RCS file: /cvsroot/mozilla/netwerk/base/src/nsStandardURL.cpp,v
retrieving revision 1.82
retrieving revision 1.83
diff -u -r1.82 -r1.83
--- mozilla/netwerk/base/src/nsStandardURL.cpp 20 Jun 2005 05:23:20 -0000 1.82
+++ mozilla/netwerk/base/src/nsStandardURL.cpp 9 Sep 2005 19:06:58 -0000 1.83
@@ -467,6 +467,7 @@
nsCAutoString encUsername;
nsCAutoString encPassword;
nsCAutoString encHost;
+ PRBool useEncHost;
nsCAutoString encDirectory;
nsCAutoString encBasename;
nsCAutoString encExtension;
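Review bot: `PRBool useEncHost;` is declared without an initializer; it is assigned only inside the `if (mHost.mLen > 0)` block of the next hunk and read only under the same condition in the hunk after that, so it is correct exactly as long as those two conditions stay identical. Initializing it at the declaration (`PRBool useEncHost = PR_FALSE;`) would make the append path fall back to the unencoded host instead of reading an indeterminate value if a later edit breaks that pairing, and it avoids a may-be-used-uninitialized warning.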
@@ -506,7 +507,7 @@
if (mHost.mLen > 0) {
const nsCSubstring& tempHost =
Substring(spec + mHost.mPos, spec + mHost.mPos + mHost.mLen);
- if (NormalizeIDN(tempHost, encHost))
+ if ((useEncHost = NormalizeIDN(tempHost, encHost)))
approxLen += encHost.Length();
else
approxLen += mHost.mLen;
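Review bot: the size estimate for the host now keys off the return value of NormalizeIDN through `useEncHost`, and the copy in the following hunk is switched on the same flag; that is the substance of the fix, since the bytes counted into approxLen and the bytes later written for the host must be chosen by one and the same condition. A one-line comment above `if ((useEncHost = NormalizeIDN(tempHost, encHost)))` stating that approxLen must account for exactly what the host append will write would make that invariant visible to whoever next touches either hunk. The doubled parentheses are fine; they are the usual way to mark the assignment-in-condition as intentional.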
@@ -539,7 +540,13 @@
buf[i++] = '@';
}
if (mHost.mLen > 0) {
- i = AppendSegmentToBuf(buf, i, spec, mHost, &encHost);
+ if (useEncHost) {
+ mHost.mPos = i;
+ mHost.mLen = encHost.Length();
+ i = AppendToBuf(buf, i, encHost.get(), mHost.mLen);
+ }
+ else
+ i = AppendSegmentToBuf(buf, i, spec, mHost);
net_ToLowerCase(buf + mHost.mPos, mHost.mLen);
if (mPort != -1 && mPort != mDefaultPort) {
nsCAutoString portbuf;
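Review bot: the two branches update mHost differently: the new branch sets `mHost.mPos = i;` and `mHost.mLen = encHost.Length();` explicitly before calling AppendToBuf, while the else branch leaves that to AppendSegmentToBuf. The `net_ToLowerCase(buf + mHost.mPos, mHost.mLen);` immediately below relies on both fields being correct on both paths, so confirm that AppendSegmentToBuf updates mHost.mPos (and mLen) for the unencoded case and say so in a comment next to the else. Style: a braced `if` paired with an unbraced `else` is inconsistent; brace both.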
Sitting on patch to critical exploit for months after fixing it because of "release cycle" is better?
That's just... incomprehensible.
I am sure some nop's and jmp statements could point it in the right direction ;).
The point that the person was trying to make (for which you rather unjustifiably called them a moron) is that you can't encode a nop or a jmp with just 0x78 bytes. That means that you can't push exploit code over into the browser to execute using this hole. That doesn't mean that it's impossible to cause a problem with this -- there is a very slim possibility that something crucial could be overwritten while keeping the program operational (for instance, suppose there is a bit somewhere nearby in memory that, if enabled, allows a remote website full script execution privileges, and a series of 0x78 bytes could overwrite that memory).
The chance of there being a way to finagle this into any kind of security exploit other than a DoS while visiting a specific website is very minimal, though. Maybe Thunderbird users could be hit by email that crashes their mail client, which would be somewhat more serious, as it would be a push DoS instead of a pull DoS.
I don't really worry about every browser flaw that comes out. I run "yum update" every couple of days, and maybe I'm vulnerable for a few days...but, hell, such is life, and I don't really want to waste lots of time worrying about some security bug -- hell, someone could just mug me for my wallet.
Any program relying on (nontrivial) preemptive multithreading will be buggy.
Are there patches yet for 1.0x, and are there patches yet for 1.5x.x betas?
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
Well, Firefox has 0 unpatched vulnerabilities right now (this one was patched recently). Not to mention, Opera is closed-source, so who knows how many bugs it has.