Slashdot Mirror

← Back to Stories (view on slashdot.org)

Patch & Workaround for Firefox Flaw Available

Posted by Zonk on from the plugging-the-holes dept.

mcc writes "Yesterday Slashdot reported on a Firefox vulnerability which could allow remote code execution. Today Firefox has a patch and a configuration workaround, both of which immunize against the bug. If you are using Firefox you should immediately go to the URL 'about:config', type 'network.enableIDN' into the box, and verify that 'network.enableIDN' is set to 'false'." Update: 09/10 18:59 GMT by Z : Removed wayward colon.

4 of 235 comments (clear)

  1. actually. by asa · · Score: 5, Informative

    We actually had the patch and workaround up yesterday.

    It's unfortunate that the bug reporter gave us so little time to respond to the issue before going public. He filed the confidential security bug on the afternoon of the 6th, and then went highly public (to c|net) in less than 72 hours.

    As anyone can see now that the bug is no longer confidential, we were hard at work diagnosing the problem when he went public. Not only that, but the public release he made was based on our developer's analysis of the problem, not his -- which happened to be wrong.

    This workaround that we posted (on the same day as the problem was made public) is only temporary and causes some of our users a loss of functionality (IDN). We will be issuing a full browser update for our stable Firefox 1.0.x and Mozilla 1.7.x releases which contains the real fix (also available as a patch to both 1.0.6 and 1.5 Beta yesterday) that avoids the security issue without disabling IDN.

    Expect that new release shortly.

    - A

  2. Doesn't quite work, use about:config instead by slobber · · Score: 4, Informative

    Going to

    about:config:

    does nothing in firefox (at least version 1.0.4)

    use

    about:config

    instead.

    --
    "You mortals are so obtuse." -Q
  3. Re:Here's a question... by Anonymous Coward · · Score: 4, Informative

    IDN -> International Domain Names

    It allows you to create a domain name with international characters ( like böghåla.se ), create the A/PTR records with a coded name that bind can handle ( xn--bghla-ira0j.se ) and a method to convert between the two ( look up PUNY ).

    That way, when you type in your browser "http://www.böghåla.se", you are directed to "http://www.xn--bghla-ira0j.se".

    Turning IDN off in Firefox is mighty a stupid solution. Stupid on a planetary scale. A problem should be fixed, not circumvented by removing the functionality.

    I wonder if the guy who coined the advice "turn it off" would cut off his arm if he got a zit on the elbow ? Same thing..

  4. Re:IDN by ssj_195 · · Score: 5, Informative

    You are correct; the previous one was a IDN spoofing vulnerability, which I thought was largely a flaw in the IDN specification itself, rather than in any particular implementation thereof (is this correct...?). This time around, however, the flaw lies in the Firefox code itself.