Slashdot Mirror

← Back to Stories (view on slashdot.org)

Unpatched Firefox Flaw May Expose Users

Posted by Zonk on from the again dept.

Corrado writes "CNET is reporting on a new Firefox flaw." From the article: "The problem lies in the way Firefox handles Web links that are overly long and contain dashes, security researcher Tom Ferris said in an interview via instant messaging late Thursday. He posted an advisory and a proof of concept to the Full Disclosure security mailing list and to his Security Protocols Web site...The public bug disclosure comes just as Mozilla released the first beta of Firefox 1.5. The final release of the next Firefox update, which includes security enhancements, is due by year's end, according to the Firefox road map."

14 of 390 comments (clear)

  1. Tell all your friends! by CyricZ · · Score: 5, Insightful

    If you have gotten your non-techie friends to switch to Firefox, be sure to tell them about this problem and the possible fixes. Indeed, it is very important that Firefox be kept up to date on as many computers as possible, even if it means a short trip to install it for somebody. Nothing will hurt Firefox's reputation more than unpatched installations being exploited.

    --
    Cyric Zndovzny at your service.
    1. Re:Tell all your friends! by killproc · · Score: 5, Insightful


      "If you have gotten your non-techie friends to switch to Firefox, be sure to tell them about this problem and the possible fixes. Indeed, it is very important that Firefox be kept up to date on as many computers as possible"

      Not trying to troll here, but...

      Couldn't the same be said for IE or any other browser? If you have non-techie friends that could be vulnerable on any platform, wouldn't letting them know how to check for security updates be the right thing to do?

      Should you let them flounder and possibly become zombies for some nefarious spam network because they don't use your "preferred" browser?

      Personally, I use Mozilla at home because I like it much better, and encourage all my friends to do the same, but I'm not above recommending security updates to those who choose not to use Mozilla/Firefox.

      --
      When you die, on your deathbed, you will receive total consciousness. So I got that goin' for me, which is nice.
    2. Re:Tell all your friends! by AKAImBatman · · Score: 4, Insightful

      I was thinking the same thing. All browsers are vulnerable and all will need to be updated.

      The ridiculous part, though, is that software doesn't *have* to be vulnerable to buffer overflows! We've had languages for more than 20 years that are completely invulnerable to such a simplistic attack. Even C/C++ have large numbers of libraries available to make such overflows a thing of the past. Yet here we are in 2005 and the number one exploit across systems is still...

      (wait for it)

      Buffer overflows.

      Am I the only one who's getting just a smidge annoyed by this? No wonder we don't have any flying cars! We can't debug the darn things worth a damn! ;-)

      --
      Javascript + Nintendo DSi = DSiCade
  2. Unacceptable by goldspider · · Score: 3, Insightful

    "The final release of the next Firefox update, which includes security enhancements, is due by year's end, according to the Firefox road map."

    We rightly criticize Microsoft for not responding to security concerns in a timely manner. I hope the Mozilla Foundation will be held to the same standard.

    --
    "Ask not what your country can do for you." --John F. Kennedy
  3. He sounds like a self-promoting twit by 93+Escort+Wagon · · Score: 4, Insightful

    I can see why some folks will publicize exploits if they feel the software maker isn't responding in a timely manner. But c'mon - he just reported this to the Mozilla folks on Sunday!

    --
    #DeleteChrome
    1. Re:He sounds like a self-promoting twit by tdvaughan · · Score: 4, Insightful

      Responsible vulnerability reporting doesn't necessarily mean telling everyone possible (including proof-of-concept exploit code) as soon as you discover a vulnerability. Some people allow the vendor/maintainer 30 days to make an appropriate response (e.g. investigating the vulnerability and making a commitment to fixing it) and a further 30 days on top of that to provide a fix before going public. Regardless of how long you think a vendor should be given, though, going public immediately makes me wonder if his priorities are personal gain rather than trying to improve the software's security.

  4. Re:Flaws by Anonymous Coward · · Score: 4, Insightful

    Oh please, how is a heap overflow of 0x78787878787878... going to be exploitable. This looks like just a regular crash, if these turn you on just watch bugzilla for a few days, they turn up all the time.

    A browser is a complex piece of software, of course there are going to be subtle bugs that turn up now and then. Nobody is perfect, and visualizing every possible execution path through a billion SLOC application is impossible. Please stop making a fuss about "OMG BROWSER DoS!!".

  5. Re:Patent infringement by SonicBurst · · Score: 4, Insightful

    The new patching system is awesome. Binary diffs, so no downloading huge files, it downloads in the background so it doesn't disturb you, and installs when you restart firefox. It's amazingly convienient.

    Yes, but would you have said the same thing if you had replaced the word firefox with the word windows in that sentence? I say that only because that's what WAU does these days, though I forget for how long it has been doing the binary diffs. I think that came along with the latest BITS update sometime in early summer this year, but can't be sure. Just FYI.

    --

    Geek used to be a four letter word. Now it's a six-figure one.
  6. possible bugzilla bugs by molo · · Score: 4, Insightful

    Between 2005-09-03 and 2005-09-06, there were several bugs reported to Mozilla that are now marked hidden. Expect one of them to become visible now that this is announced. (note: bugzilla blocks slashdot referer, so cut&paste is needed, watch out for the extra space)

    https://bugzilla.mozilla.org/show_bug.cgi?id=30693 9
    https://bugzilla.mozilla.org/show_bug.cgi?id=30694 0
    https://bugzilla.mozilla.org/show_bug.cgi?id=30703 1
    https://bugzilla.mozilla.org/show_bug.cgi?id=30704 0
    https://bugzilla.mozilla.org/show_bug.cgi?id=30708 4
    https://bugzilla.mozilla.org/show_bug.cgi?id=30708 7

    BTW, why is it necessary that so many bug reports be hidden? They can't all be valid security bugs, can they? Besides, full disclosure and an open development model go hand-in-hand.

    -molo

    --
    Using your sig line to advertise for friends is lame.
  7. Re:Well, just another bug by footissimo · · Score: 4, Insightful

    What about how 'critical' the bugs are rated or how long it takes for each to be fixed? Are the problems with ActiveX included?

  8. MS vs Firefox is irrelevant by mccalli · · Score: 4, Insightful
    I'm reading a depressingly large number of predicatble off-pat responses - "So? IE is far worse. Microsoft sucks!".

    Honestly, who cares? Why does this have to be compared to a Microsoft response? Why can't this just be viewed as an event in its own right and not constantly looked at as some insult which might be handing Microsoft an edge?

    Objectively, if I use Firefox I have no interest in how Microsoft might have responded to a similar situation. I am purely interested in the Mozilla response (which I'm explicitly not passing judgement on in this post). Can people give it a rest with the constant defensiveness against Microsoft?

    Cheers,
    Ian

  9. what a whiny runt. by kinglink · · Score: 3, Insightful

    I mean I looked at the official disclosure from him (http://www.security-protocols.com/advisory/sp-x17 -advisory.txt)
    and basically he acts like 4 days is all he needs to wait.. and apparently Mozilla isn't doing enough for this?

    Mozilla isn't Microsoft or Cisco in two catagories.
    A. They arn't ultra large coporatitions that can fix stuff in an instant.
    B. They don't ignore problems, especially like this. They're likely working as fast as they can and they are willing to admit fuckups, but they want to have a fix for the fuck up first.

    We don't need everyone running around thinking that EVERY company conducts business the same way that Cisco does... How all of them are part of a conspiracy. Firefox is getting known in the industry to be basically good at avoiding problems other browsers have and fixing major bugs.

    By having a guy run around like this only 4 days (notice the dates in that link) it can only cause a higher likelyhood that someone will use that find maliciously and Firefox will get blamed for it when it's really the disclosure that's the problem.

    The fact is those of us who find these bugs need to give the company time to react, we don't need to act like they don't care. 4 days is hardly enough unless he got back a letter that said screw you, which it doesn't sound like he did. Giving Full Disclosure the first time you hear about a problem, just creates a bigger problem because now more people will learn of the problem.

    And there's a definate difference between waiting a couple monthes like the Cisco incident where the company was being forced into an uncomfortable positions and waiting less then a full week with apparently no provacation.

  10. Aren't firefox users heading back to IE over this? by Billly+Gates · · Score: 4, Insightful

    Telling them its insecure only encourages them to stick with IE. All the studies are showing this with clueless uers since Microsoft does not like to boast about holes in IE.

    --
    http://saveie6.com/
  11. Re:Firefox is the fix for Internet Explorer proble by RzUpAnmsCwrds · · Score: 4, Insightful

    Well, after five security updates that patch numerous security holes (22 since 2004), I'm not sure that Firefox is the solution. It's certainly more secure than IE, but is it secure *enough*? No, it isn't.

    I deployed Firefox on the corporate network to improve security. Five updates later, I'm explaining to my manager that Firefox, just like IE, is full of security holes that need to be patched.

    Unlike IE, Firefox can't be updated through Windows Update and it doesn't have a patch release cycle. That makes it harder to plan for and harder to deploy Firefox patches.

    Having "fewer" vulnerabilities than IE isn't good enough - particularly when your patching system sucks. Open source can do better.