Slashdot Mirror
Unpatched Firefox Flaw May Expose Users
Corrado writes "CNET is reporting on a new Firefox flaw." From the article: "The problem lies in the way Firefox handles Web links that are overly long and contain dashes, security researcher Tom Ferris said in an interview via instant messaging late Thursday. He posted an advisory and a proof of concept to the Full Disclosure security mailing list and to his Security Protocols Web site...The public bug disclosure comes just as Mozilla released the first beta of Firefox 1.5. The final release of the next Firefox update, which includes security enhancements, is due by year's end, according to the Firefox road map."
If you have gotten your non-techie friends to switch to Firefox, be sure to tell them about this problem and the possible fixes. Indeed, it is very important that Firefox be kept up to date on as many computers as possible, even if it means a short trip to install it for somebody. Nothing will hurt Firefox's reputation more than unpatched installations being exploited.
Cyric Zndovzny at your service.
For trolling sake, it is still better then IE.
Custom electronics and digital signage for your business: www.evcircuits.com
"The final release of the next Firefox update, which includes security enhancements, is due by year's end, according to the Firefox road map."
We rightly criticize Microsoft for not responding to security concerns in a timely manner. I hope the Mozilla Foundation will be held to the same standard.
"Ask not what your country can do for you." --John F. Kennedy
I can see why some folks will publicize exploits if they feel the software maker isn't responding in a timely manner. But c'mon - he just reported this to the Mozilla folks on Sunday!
#DeleteChrome
Oh please, how is a heap overflow of 0x78787878787878... going to be exploitable. This looks like just a regular crash, if these turn you on just watch bugzilla for a few days, they turn up all the time.
A browser is a complex piece of software, of course there are going to be subtle bugs that turn up now and then. Nobody is perfect, and visualizing every possible execution path through a billion SLOC application is impossible. Please stop making a fuss about "OMG BROWSER DoS!!".
I was not aware that wanting to classify the severity of a problem made one a zealot...
Finkployd
The new patching system is awesome. Binary diffs, so no downloading huge files, it downloads in the background so it doesn't disturb you, and installs when you restart firefox. It's amazingly convienient.
Yes, but would you have said the same thing if you had replaced the word firefox with the word windows in that sentence? I say that only because that's what WAU does these days, though I forget for how long it has been doing the binary diffs. I think that came along with the latest BITS update sometime in early summer this year, but can't be sure. Just FYI.
Geek used to be a four letter word. Now it's a six-figure one.
This flaw is only present in Firefox 1.5beta1, 1.0.6 is not affected.
So if you are worried just keep using the stable version until at least the next beta release and be happy.
There's a hidden treasure in Python 3.x: __prepare__()
It's not so much Firefox, as it is the Mozilla codebase upon which Firefox is built. Having recently done some work with Mozilla, I can say that it is a very complex beast. Perhaps even too complex, some might say. The potential for the introduction of bugs is astounding, since it is often very difficult to know for sure exactly what effects a code change will have.
It doesn't help that a lot of the documentation is out of date, often by several years. Nothing is worse than incorrect or outdated documentation, which can often lead to incorrect code being unintentionally added.
While a rewrite of Mozilla is of course out of the question, there should perhaps be some procedures in place to clean up the code base, and ensure that documentation is correct. Performing such basic engineering practices is what results in quality products, be it software or bridges.
Cyric Zndovzny at your service.
Between 2005-09-03 and 2005-09-06, there were several bugs reported to Mozilla that are now marked hidden. Expect one of them to become visible now that this is announced. (note: bugzilla blocks slashdot referer, so cut&paste is needed, watch out for the extra space)
3 94 03 14 08 48 7
https://bugzilla.mozilla.org/show_bug.cgi?id=3069
https://bugzilla.mozilla.org/show_bug.cgi?id=3069
https://bugzilla.mozilla.org/show_bug.cgi?id=3070
https://bugzilla.mozilla.org/show_bug.cgi?id=3070
https://bugzilla.mozilla.org/show_bug.cgi?id=3070
https://bugzilla.mozilla.org/show_bug.cgi?id=3070
BTW, why is it necessary that so many bug reports be hidden? They can't all be valid security bugs, can they? Besides, full disclosure and an open development model go hand-in-hand.
-molo
Using your sig line to advertise for friends is lame.
"Oh please, how is a heap overflow of 0x78787878787878... going to be exploitable. This looks like just a regular crash, if these turn you on just watch bugzilla for a few days, they turn up all the time."
;).
You are a moron. How is the heap overflow going to be exploited? Are you serious? Go look up exploiting buffer overlows. You obviously don't know what the hell you are talking about, and you obviously know nothing of how programs run in memory. Sure the heap overflow is just crashing your browser now, only because it is accessing memory it isn't suppose to. I am sure some nop's and jmp statements could point it in the right direction
"This looks like a regular crash"
You keep thinking that!
"Nobody is perfect, and visualizing every possible execution path through a billion SLOC application is impossible."
Hahahahahaha, no comment here because your stupidity speaks for itself.
"Please stop making a fuss about 'OMG BROWSER DoS!!'"
Stop pretending this flaw isn't harmful, and "only a crash". Buffer overlows are serious.
Honestly, who cares? Why does this have to be compared to a Microsoft response? Why can't this just be viewed as an event in its own right and not constantly looked at as some insult which might be handing Microsoft an edge?
Objectively, if I use Firefox I have no interest in how Microsoft might have responded to a similar situation. I am purely interested in the Mozilla response (which I'm explicitly not passing judgement on in this post). Can people give it a rest with the constant defensiveness against Microsoft?
Cheers,
Ian
I mean I looked at the official disclosure from him (http://www.security-protocols.com/advisory/sp-x17 -advisory.txt)
and basically he acts like 4 days is all he needs to wait.. and apparently Mozilla isn't doing enough for this?
Mozilla isn't Microsoft or Cisco in two catagories.
A. They arn't ultra large coporatitions that can fix stuff in an instant.
B. They don't ignore problems, especially like this. They're likely working as fast as they can and they are willing to admit fuckups, but they want to have a fix for the fuck up first.
We don't need everyone running around thinking that EVERY company conducts business the same way that Cisco does... How all of them are part of a conspiracy. Firefox is getting known in the industry to be basically good at avoiding problems other browsers have and fixing major bugs.
By having a guy run around like this only 4 days (notice the dates in that link) it can only cause a higher likelyhood that someone will use that find maliciously and Firefox will get blamed for it when it's really the disclosure that's the problem.
The fact is those of us who find these bugs need to give the company time to react, we don't need to act like they don't care. 4 days is hardly enough unless he got back a letter that said screw you, which it doesn't sound like he did. Giving Full Disclosure the first time you hear about a problem, just creates a bigger problem because now more people will learn of the problem.
And there's a definate difference between waiting a couple monthes like the Cisco incident where the company was being forced into an uncomfortable positions and waiting less then a full week with apparently no provacation.
Telling them its insecure only encourages them to stick with IE. All the studies are showing this with clueless uers since Microsoft does not like to boast about holes in IE.
http://saveie6.com/
Wow, I thought only MS products and Internet Explorer were capable of having bugs or exploits.
Were the people championing these other browser lying to me, or just ignorant in the fact that all software when given mass distribution will exhibit growing pains and exploits will be found no matter how good the programmers think they are.
Hm... (Ok, mark this as Flamebait - even though what I say is factually correct.)
Bugs and flaws are commonplace ... its a model which promotes a fast fix to these shortcomings that really makes a difference.
That is another proof (of known fact) that it is much easier to hack the open sourced then the proprietary application.
But the opposite is also true...it's a proof that it's much easier to debug open sourced applications.
it should be much easier for white hats to find holes and report them responsibly. This guy didn't do that. 4 days is not enough time.
Well, after five security updates that patch numerous security holes (22 since 2004), I'm not sure that Firefox is the solution. It's certainly more secure than IE, but is it secure *enough*? No, it isn't.
I deployed Firefox on the corporate network to improve security. Five updates later, I'm explaining to my manager that Firefox, just like IE, is full of security holes that need to be patched.
Unlike IE, Firefox can't be updated through Windows Update and it doesn't have a patch release cycle. That makes it harder to plan for and harder to deploy Firefox patches.
Having "fewer" vulnerabilities than IE isn't good enough - particularly when your patching system sucks. Open source can do better.
Say it with me now.
"Security is a process."
Being open source programmers doesn't make them perfect programmers. Not working at Microsoft doesn't make them perfect programmers.
The phrase never never said, "given enough eyes, there are no bugs." It said "given enough eyes, all bugs are shallow." That phrase even admits there will be bugs. Security is a process, not an accumulated number of crash bugs.
I would hope Firefox has fewer overflows than IE, only because that would mean less headaches for me, and less bad press.
Get Firefox!
You can actually write secure code of arbitrary size by dividing up the pieces of code into interfaces and testing these interfaces with test code.
It is very time consuming and difficult and you have to track down all the corner cases and have a good selection of normal use stuff, but it can be done.
I wrote something in a day, and then spent a week writing a test harness and testing everything out inside gcov to ensure that the test cases covered every line of code.
I found that I could test and fix all sorts of bizare bugs before we ran into the problems in normal use and this testing allowed me to put the code into use in dozens of places with no new side effects discovered.
You will find that proper testing is 10 times more time consuming than writing the code module that implements the functionality in the first place.
And additionally when you find a bug in your implementation you should add the bug to your testing system to ensure you can detect the issue, and then fix it and run the tests again to ensure you didn't break anything else in that code module. At this point your testing harness will slowly grow and develop on it's own as long as you take the time to maintain and expand it.