Unpatched Firefox Flaw May Expose Users
Corrado writes "CNET is reporting on a new Firefox flaw." From the article: "The problem lies in the way Firefox handles Web links that are overly long and contain dashes, security researcher Tom Ferris said in an interview via instant messaging late Thursday. He posted an advisory and a proof of concept to the Full Disclosure security mailing list and to his Security Protocols Web site... The public bug disclosure comes just as Mozilla released the first beta of Firefox 1.5. The final release of the next Firefox update, which includes security enhancements, is due by year's end, according to the Firefox road map."
If you have gotten your non-techie friends to switch to Firefox, be sure to tell them about this problem and the possible fixes. Indeed, it is very important that Firefox be kept up to date on as many computers as possible, even if it means a short trip to install it for somebody. Nothing will hurt Firefox's reputation more than unpatched installations being exploited.
Cyric Zndovzny at your service.
I'm counting on it; I'm passing out copies of Firefox to all the women I know....
-Space for rent
There is an actual testcase on the bug in bugzilla, and the bug is private because of that (it would be highly irresponsible to provide a working exploit to the world).
<mao|zZz> mscmurf, dveditz: bug 307259 has been slashdotted - maybe it would be politically good to disclose the bug, at least to counteract this statement at the end of the advisory: "Mozilla was notified, and im guessing they are working on a patch. Who knows though?"
<mcsmurf_> well, if there is a comment in it which should not be public
<mcsmurf_> then the bug remains private
<dveditz> mao|zZz: the potential issue is that his advisory is incorrect, and I'd rather not release the real crashing testcase (though people might discover it soon enough)
<CTho> mao|zZz: it was nice of them to wait til we shipped to make sure the world hears
<biesi> it was public before we shipped
<mcsmurf_> one day?
<dveditz> CTho: that was probably our fault, I should have pushed the fix in
<mao|zZz> biesi: but the slashdot sequence is pretty suspect...
<CTho> dveditz: i heard the patch on the bug doesn't work
<dveditz> It was nominated, but after the point where triage was being done -- needed to be more actively pushed
<mao|zZz> looks like an easy move to eclipse the beta release wow effect, or worse make it a boomerang
***Toba wonders if the bug is patched yet
<Toba> anyone got the bug link?
<biesi> it's not publicly visible
<dveditz> Toba: it's still a private bug
<biesi> (https://bugzilla.mozilla.org/show_bug.cgi?id=307
<dveditz> see scrollback a few lines
<Toba> dveditz: eh, I guess it would be nice to know
<Toba> but oh well
<biesi> dveditz, it was your comment that said the patch didn't work?
<dveditz> we have *a* patch, we're not convinced it's the right patch
<mao|zZz> dveditz: would you cc me?
<Toba> I guess it's better if the world doesn't know how to exploit yet
<mcsmurf_> dveditz: do you know why or if SeaMonkey is not vulnerable? it doesn't crash when using the exploit
<dveditz> mcsmurf_: that's part of why I'm not opening the bug... the released testcase is not the testcase from the bug
<mcsmurf_> ah-hah
<dveditz> seamonkey is vulnerable, this is core networking stuff
<mcsmurf_> well i assumed so
<mcsmurf_> but i only have the public testcase
Since you're a /. member, I would have thought you'd installed Firefox for your mom and little sister already.
Take 2 seconds to check out his proof of concept:
http://www.security-protocols.com/firefox-death.html
WARNING: Clicking the above link will crash Firefox. It will do nothing else. The hyphens are not the normal minus hyphen (the - symbol on your American keyboard will translate to 0x2d) but a soft hyphen (0xad).
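A defensive check built on the distinction drawn in the comment above, as an added example that is not part of the original thread and not Mozilla's fix: it flags links in HTML that carry soft hyphens (0xad) in any spelling, or that are overly long. The `MAX_LINK_LEN` threshold, the function names and the sample markup are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import unquote_to_bytes

SOFT_HYPHEN = "\u00ad"  # the 0xad soft hyphen, as opposed to "-" (0x2d)
MAX_LINK_LEN = 2048     # assumed policy threshold, not a value from the thread

class LinkCollector(HTMLParser):
    # HTMLParser decodes &shy; and &#173; in attribute values before we see them.
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.links = []
    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                self.links.append(value)

def soft_hyphen_count(link):
    """Count soft hyphens written literally, as %C2%AD (UTF-8) or as %AD (Latin-1)."""
    raw = unquote_to_bytes(link)  # literal non-ASCII characters become UTF-8 bytes
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        text = raw.decode("latin-1")  # a bare %AD is not valid UTF-8
    return text.count(SOFT_HYPHEN)

def scan_html(html_text):
    """Return (link, reasons) for every link with soft hyphens or excessive length."""
    parser = LinkCollector()
    parser.feed(html_text)
    findings = []
    for link in parser.links:
        reasons = []
        count = soft_hyphen_count(link)
        if count:
            reasons.append(f"soft-hyphen x{count}")
        if len(link) > MAX_LINK_LEN:
            reasons.append("overlong")
        if reasons:
            findings.append((link, reasons))
    return findings

# Constructed sample markup; example.test is a placeholder host.
SAMPLE = (
    '<a href="http://example.test/a-b-c">ordinary hyphens</a>'
    '<a href="http://exa\u00admple.test/">literal soft hyphen</a>'
    '<a href="http://example.test/x%ADy%C2%ADz">percent-encoded</a>'
    '<a href="http://exa&shy;mple.test/&#173;">entities</a>'
    '<a href="http://example.test/' + "a" * 3000 + '">long</a>'
)
```

Calling `scan_html(SAMPLE)` leaves the link with ordinary 0x2d hyphens unflagged and reports the other four, which is the behaviour a mail or proxy filter would want while browsers remain unpatched.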
You don't really want to get into the business of pointing out wackos on slashdot. It's easily a full time job and it doesn't pay.
Feel free to mod me "-1 - Angry Jerk".
No worries, the patch is here: http://www.mozilla.org/patch-to-fix-the-problem-with-firefox-where-long-URLs-with-lots-of-hypohens-can-cause-bad-things-to-happen-like-the-browser-will-crash-and-stuff.html
Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.