Slashdot Mirror


Patch & Workaround for Firefox Flaw Available

mcc writes "Yesterday Slashdot reported on a Firefox vulnerability which could allow remote code execution. Today Firefox has a patch and a configuration workaround, both of which immunize against the bug. If you are using Firefox you should immediately go to the URL 'about:config', type 'network.enableIDN' into the box, and verify that 'network.enableIDN' is set to 'false'." Update: 09/10 18:59 GMT by Z : Removed wayward colon.

12 of 235 comments

  1. Re:IDN? by Anonymous Coward · · Score: 1, Informative
  2. actually. by asa · · Score: 5, Informative

    We actually had the patch and workaround up yesterday.

    It's unfortunate that the bug reporter gave us so little time to respond to the issue before going public. He filed the confidential security bug on the afternoon of the 6th, and then went highly public (to c|net) in less than 72 hours.

    As anyone can see now that the bug is no longer confidential, we were hard at work diagnosing the problem when he went public. Not only that, but the public release he made was based on our developer's analysis of the problem, not his -- which happened to be wrong.

    This workaround that we posted (on the same day as the problem was made public) is only temporary and causes some of our users a loss of functionality (IDN). We will be issuing a full browser update for our stable Firefox 1.0.x and Mozilla 1.7.x releases which contains the real fix (also available as a patch to both 1.0.6 and 1.5 Beta yesterday) that avoids the security issue without disabling IDN.

    Expect that new release shortly.

    - A

    1. Re:actually. by bogie · · Score: 3, Informative

      That's coming in 1.5. See the release notes here.

      http://www.mozilla.org/products/firefox/releases/1.5beta1.html

      Note that future updates to Firefox "may now be half a megabyte or smaller."

      --
      If you wanna get rich, you know that payback is a bitch
  3. Re:It's not. by Anonymous Coward · · Score: 1, Informative

    Seems the default is "True." Am I supposed to do something after verifying the setting?

    Yes. You will need to right-click on the setting and select "Toggle" from the popup menu that appears. This will set the network.EnableIDN setting to false and correct this bug.

  4. Doesn't quite work, use about:config instead by slobber · · Score: 4, Informative

    Going to

    about:config:

    does nothing in firefox (at least version 1.0.4)

    use

    about:config

    instead.

    --
    "You mortals are so obtuse." -Q
  5. Re:Here's a question... by Anonymous Coward · · Score: 4, Informative

    IDN -> International Domain Names

    It allows you to create a domain name with international characters (like böghåla.se), create the A/PTR records with a coded name that bind can handle (xn--bghla-ira0j.se) and a method to convert between the two (look up PUNY).

    That way, when you type in your browser "http://www.böghåla.se", you are directed to "http://www.xn--bghla-ira0j.se".

    Turning IDN off in Firefox is a mighty stupid solution. Stupid on a planetary scale. A problem should be fixed, not circumvented by removing the functionality.

    I wonder if the guy who coined the advice "turn it off" would cut off his arm if he got a zit on the elbow? Same thing.

  6. Re:Secure Web Browser by Transcendent · · Score: 2, Informative

    Lynx has had its problems. You can crash some previous (recent) versions with very large tables. They can be empty tables too, like this one.

  7. Re:Umm... by MHobbit · · Score: 2, Informative

    I'll elaborate. Remember this?

    --
    Debugging? Klingons do not debug. Bugs are good for building character in the user.
  8. Re:IDN by ssj_195 · · Score: 5, Informative

    You are correct; the previous one was an IDN spoofing vulnerability, which I thought was largely a flaw in the IDN specification itself, rather than in any particular implementation thereof (is this correct...?). This time around, however, the flaw lies in the Firefox code itself.

  9. Mozilla Suite, Too by alacqua · · Score: 3, Informative

    For all of you dinosaurs who, like me, still use and prefer mozilla suite, this applies to us also. And for all of you lazy slashdot readers who, like me, hate to track down a link in another comment, here's that link:

    What Firefox and Mozilla users should know about the IDN buffer overflow security issue

    --

    Move on. There's nothing to see here.
  10. Re:Here's a question... by DJCater · · Score: 2, Informative

    Pay attention. This is a temporary workaround. Just like the previous vulnerability, the workaround was "disable JavaScript". That was until the real fix was landed.

    --
    Sig Appended to the end of comments you post. 120 chars.
  11. IDN spoofing with Cyrillic and Greek by ThreeDayMonk · · Score: 3, Informative

    example: hötmail.çom

    Actually, I don't think you can change the ".com" - the TLDs need to match still - but you can do even better: the Cyrillic and Greek alphabets contain numerous letters that look exactly like Roman letters.

    Including archaic and variant forms present in Unicode, the following lower-case characters can be spoofed:

    Cyrillic has a, e, o, p, c, y, x, and s.
    Greek has v, o, c, j.

    And that's before you start on the close matches (gamma, rho, upsilon, omega) which might easily be mistaken at small point sizes.

    --
    If your comment title says 'Re: Foo', I'm not likely to read it.
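
Added example, not part of the Slashdot thread or of Mozilla's code: the two-way conversion between a Unicode label and its "xn--" form described in comment 5, plus a defender-side check for the lookalike letters listed in comment 11. It uses Python's raw punycode codec rather than full IDNA processing; the lookalike table is a small constructed subset and the hostnames are constructed samples.

```python
import unicodedata

# Constructed, partial lookalike table covering the letters comment 11 lists.
LOOKALIKES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0455": "s",  # Cyrillic
    "\u03bd": "v", "\u03bf": "o", "\u03f2": "c", "\u03f3": "j",  # Greek
})

def encode_label(label):
    """Unicode label -> the ASCII 'xn--' form that DNS carries."""
    if label.isascii():
        return label
    return "xn--" + label.encode("punycode").decode("ascii")

def decode_label(label):
    """'xn--' label -> Unicode; plain ASCII labels pass through."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label

def scripts(label):
    """Scripts of the letters in a label, read from Unicode character names."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in label if ch.isalpha()}

def review_host(host):
    """Return (unicode_host, findings) for a hostname in either form."""
    labels = [decode_label(part) for part in host.split(".")]
    findings = []
    for label in labels:
        used = scripts(label)
        if len(used) > 1:
            findings.append(f"{label}: mixes scripts {sorted(used)}")
        ascii_twin = label.translate(LOOKALIKES)
        if ascii_twin != label and ascii_twin.isascii():
            findings.append(f"{label}: renders like ASCII '{ascii_twin}'")
    return ".".join(labels), findings

# Constructed sample hostnames: accented Latin, one Cyrillic letter, all Cyrillic.
SAMPLES = ["xn--bcher-kva.example",
           encode_label("ex\u0430mple") + ".example",
           encode_label("\u0441\u043e\u0440\u0435") + ".example"]

if __name__ == "__main__":
    for host in SAMPLES:
        print(host, "->", review_host(host))
```

An accented Latin label produces no finding, while a label that is entirely Cyrillic is caught only by the lookalike table, not by the mixed-script check.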