Patch & Workaround for Firefox Flaw Available
mcc writes "Yesterday Slashdot reported on a Firefox vulnerability which could allow remote code execution. Today Firefox has a patch and a configuration workaround, both of which immunize against the bug. If you are using Firefox you should immediately go to the URL 'about:config', type 'network.enableIDN' into the box, and verify that 'network.enableIDN' is set to 'false'." Update: 09/10 18:59 GMT by Z: Removed wayward colon.
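Checking the summary's workaround across more than one profile, as an added example that is not from the story or from Mozilla: a small Python parser for the `user_pref("name", value);` lines Firefox writes to a profile's prefs.js (and reads from user.js) when a setting is changed in about:config, plus a check that reports whether network.enableIDN is explicitly false. The sample preference lines are constructed, and treating a missing key as "IDN still enabled" is my assumption about the built-in default.

```python
import re

# Matches one preference line as written in prefs.js / user.js, e.g.
#   user_pref("network.enableIDN", false);
PREF_LINE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')


def parse_prefs(text: str) -> dict:
    """Parse prefs.js/user.js text into {name: value}, decoding the JS literals."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if not m:
            continue  # comments, blank lines, anything unrecognised
        name, raw = m.group(1), m.group(2)
        if raw == "true":
            value = True
        elif raw == "false":
            value = False
        elif raw.startswith('"') and raw.endswith('"'):
            value = raw[1:-1]
        else:
            try:
                value = int(raw)
            except ValueError:
                value = raw  # keep unknown literals verbatim rather than guess
        prefs[name] = value
    return prefs


def idn_disabled(text: str) -> bool:
    """True only if the profile explicitly sets network.enableIDN to false.

    A missing entry means the browser's built-in default applies; the
    assumption here is that the default leaves IDN enabled, so a missing
    key is reported as not disabled."""
    return parse_prefs(text).get("network.enableIDN", True) is False


# Constructed sample prefs.js content (not taken from a real profile)
SAMPLE_PREFS = """\
# Mozilla User Preferences
user_pref("browser.startup.homepage", "about:blank");
user_pref("network.enableIDN", false);
user_pref("network.http.max-connections", 24);
"""

if __name__ == "__main__":
    print(parse_prefs(SAMPLE_PREFS))
    print("IDN disabled:", idn_disabled(SAMPLE_PREFS))
```

Point the script at each profile's prefs.js (and user.js, which overrides it) to confirm the workaround actually took; a profile that was never touched in about:config has no entry at all and is reported as still exposed.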
I wouldn't be implying laziness on the part of developers until a couple days have passed after the bug report.
I'm amazed at how surprised some people are at the fact that Firefox has a serious exploit. They think, "oh well, it's an alternative to Microsoft, it's therefore immune to everything!". Then something bad happens and these same people act like they no longer have anywhere to turn to. They act like their faith was completely misguided and now they have no one to put said faith into.
The same thing applied to other people as well, as we saw in a previous Slashdot article about Macs. While not impossible, it's extremely difficult to make software that is in a constant state of development completely exploit-proof. Firefox is ultimately a better browser than IE for numerous reasons, but it is not 100% perfect, nor is OSX, nor is Linux or FreeBSD or Windows, or anything else on this planet, and it's silly to expect otherwise.
Nature doesn't operate on 100% uptime, only 99.9%.
I'm god, but it's a bit of a drag really...
But they don't design securely at all, and they certainly don't test securely.
You were probably deleted from the blog for FUD statements like that. I don't believe in censoring myself, but you're asking really idiotic questions and making opinions while lacking the knowledge to be making them to begin with.
a very simple question in Ask Asa #17: Basically, who was responsible for the testing/QA failure that led to a security regression in Firefox 1.0.4
I think your first problem is the way you ask questions. Your question is apparently an attempt to start a blame game. Also, I can tell you who is responsible for testing and QA failures: you are. Yep, you apparently missed that Mozilla puts out betas with the intent that people test and find the bugs. Did you not notice that it's an open source project? Because it's open source there is no "team" of testers working round the clock to find problems. Oddly, Microsoft, which has these types of teams, never seems to find the large number of security holes in IE. Mozilla's strategy, with its far fewer security vulnerabilities, may be proving that it's a better testing/QA model for security. Only time will tell, I guess. So far I think Mozilla is easily winning in this game.
Asa isn't the fun-loving guy his blog projects; he can be a complete idiot too. Spread the word.
I have better things to do than spread FUD. I will instead spread copies of Firefox on people's computers with the knowledge that it's still more stable and secure than IE. This seems to be more constructive than blasting people as "idiots" because I have some personal problem with them.
You make a good point. But I've got faith that the Firefox guys will put up a more solid patch soon, to get IDN working as it should. For many people this will be a "good enough" fix. Many other people won't be satisfied with it, as you said. The important thing is the flaw's identified and a tentative fix is in place. Now they can just elaborate on it. That's how I would do it, anyway.
TLoM: Nerds + DDR + Rednecks for the win!
"Unpatched" means there is not a patch available to fix the vulnerability. Yesterday it was unpatched.
Since when does "unpatched" mean lazy?
Bogtha Bogtha Bogtha
You were probably deleted from the blog for FUD statements like that.
It's not FUD if it's true. Remember that XUL spoofing vulnerability that was marked non-public in Bugzilla so it could linger for over two years without being fixed?
Mozilla and Firefox are pretty bad when it comes to security. Not as bad as Internet Explorer but still pretty damn bad. It's a process problem more than anything else, and the OP's questions are certainly in need of answering.
Also, I can tell you who is responsible for testing and QA failures: you are.
That attitude is reminiscent of the infamous Bill Gates interview where he said that bugs were the end users' fault.
Mozilla's strategy, with its far fewer security vulnerabilities
Since the release of Firefox 1.0, I believe there have been about the same number of vulnerabilities found in both browsers. Sure, that's pretty bad considering Internet Explorer is supposed to be a mature application that stopped development four years ago, but don't try and pretend there are "far fewer security vulnerabilities". It's not true.
I have better things to do than spread FUD.
No, you spend your time being a fanboy instead. That's just as bad; the bias is merely in the opposite direction.
Memorize this and make it your mantra:
"Security is a process, not a product."
Organic free-range music... yum!
Turning IDN off in Firefox is a mighty stupid solution. Stupid on a planetary scale. A problem should be fixed, not circumvented by removing the functionality.
If you were driving down the highway and you discovered that running your air conditioner caused your brakes to stop working, would you keep running your A/C until you got to a repair station, or would you turn it off?
Besides, most people probably rarely, if ever, use IDN. So it's more like disabling the child safety locks in your car. Who's ever used those?
If you can read this sig, you're too close.
>Unplug. I have yet to see a hacker get around that, and it's been around for ages!
Oh, I can imagine a bad guy getting around that:
phone rings
User: "Hello?"
BG: "This is the help desk. Have you been having any network slowdowns?"
User: "Well, now that you mention it..."
BG: "Could you please help us test the collectimizer flexput on your MAUnode? Just plug your workstation into the network and point your browser to http://www.helpdesk.ro/"
Elegant and simple solutions don't work if the problem is malicious and intelligent.
Another thing that annoys me about this is the coverage of this flaw seems to indicate that this was unpatched for a while. This one is an example http://www.securityfocus.com/news/11308. Yet the original discovery was 9/4/2005 according to Tom Ferris' website http://www.security-protocols.com/advisory/sp-x17-advisory.txt
I think that full disclosure is good, but giving a reasonable amount of time to patch a flaw is better. If we find out that Tom Ferris provided a patch to Mozilla that they ignored or rejected, then it changes things little, but releasing the vulnerability after 5 days due to a "run-in with Mozilla staff" http://news.com.com/Unpatched+Firefox+flaw+may+expose+users/2100-1002_3-5856201.html does not portray Tom Ferris in a good light.
This bug was found and a workaround was provided 6 days later. Is this unreasonable? If a patch were provided a week from now, would that be unreasonable?
Ummm, Jon, aren't you supposed to be dead...? - Otter(3800)
Sorry to say this, but it sounds like you were removed for being a habitual trolling attention-whore. Just the way that you ask your questions is offensive: as if some naughty QA monkey needs to be publicly whipped. How many times did people try to explain to you how ignorant you are of the open source development process before they took action? Be honest.
The "cue the foo posts in 3, 2, 1..." posts will commence with no subsequent foo posts in 3, 2, 1...
Sort of, but IDN isn't something that's that critical for many people, unlike ActiveX, which is at the centre of Microsoft's incompatibility war.
IDN is (necessarily) a bit of a kludge for the most part anyway. The International Domain Name stuff opens up its own can of worms in that you can come up with domain names that look a lot like a well-known one by grabbing a domain name with one letter changed to an IDN character that looks enough like the original one to fool people. Example: hötmail.çom replaces both the o in hotmail and the c in com. Both relatively obvious, but good enough to fool some into thinking that it's a rendering error. (( Slashdot filters out almost all international characters, which makes it hard to give a really good IDN example. ))
Sometimes boldness is in fashion. Sometimes only the brave will be bold.
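The lookalike problem described in the comment above, as an added example that is not from the thread or from Mozilla: a Python check of the kind a browser, mail filter or phishing-triage script can apply to a hostname before trusting how it renders. It flags labels containing non-ASCII characters, labels that mix scripts (a Cyrillic letter standing in for a Latin one, which goes beyond the diacritic example in the comment), and labels whose diacritic-stripped form collides with a short allowlist of well-known names; it also shows the ASCII (punycode) form in which the name actually travels in DNS. The allowlist and the sample hostnames are constructed for the example.

```python
import unicodedata

# Constructed allowlist of labels worth protecting (brands and TLDs); a real
# deployment would use a much larger list.
KNOWN_LABELS = {"hotmail", "paypal", "google", "com", "net", "org"}


def skeleton(label: str) -> str:
    """Reduce a label to its base letters: NFKD-decompose, drop the combining
    marks (the diacritics), lowercase.  'hötmail' -> 'hotmail'."""
    decomposed = unicodedata.normalize("NFKD", label)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch)).lower()


def scripts(label: str) -> set:
    """Scripts used by the letters of a label, taken from the first word of
    each character's Unicode name (LATIN, CYRILLIC, GREEK, ...)."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def to_ascii(hostname: str) -> str:
    """ASCII-compatible (punycode) form of the hostname, as sent to DNS."""
    return hostname.encode("idna").decode("ascii")


def analyze(hostname: str) -> list:
    """Return [(label, [reasons...])] for every suspicious label; [] if clean."""
    findings = []
    for label in hostname.split("."):
        reasons = []
        if any(ord(ch) > 127 for ch in label):
            reasons.append("non-ascii")
        if len(scripts(label)) > 1:
            reasons.append("mixed-script")
        base = skeleton(label)
        # Diacritic stripping catches 'hötmail' but not a Cyrillic 'а', which
        # has no decomposition; that case is what the mixed-script check is for.
        if base in KNOWN_LABELS and base != label.lower():
            reasons.append("lookalike-of:" + base)
        if reasons:
            findings.append((label, reasons))
    return findings


# Constructed sample hostnames: the comment's diacritic example, a clean name,
# and a Cyrillic 'а' (U+0430) standing in for the Latin 'a' in a brand name.
SAMPLES = ["hötmail.çom", "hotmail.com", "p\u0430ypal.com"]

if __name__ == "__main__":
    for host in SAMPLES:
        print(host, "->", to_ascii(host), analyze(host) or "clean")
```

Displaying `to_ascii()` output instead of the decoded form whenever `analyze()` returns anything is the mitigation that keeps IDN usable for genuinely international names while denying the lookalike its disguise, which is the middle ground between the thread's two camps (leave IDN on, or switch it off entirely).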
I'm amazed at how surprised some people are at the fact that Firefox has a serious exploit.
I'm amazed that a slashdot reader doesn't understand the difference between an exploit and a vulnerability.
How did forking help the project?
IMHO it didn't.
The option to install only the browser has always been there.
Now we are stuck with forks, always confusing about what problem is caused by what part and appears in what versions, and even more wasted work on releases, internationalisation, etc.
How are we going to explain to the employees that this "non-standard" browser/mailer Mozilla (most businesses use IE and Outlook, so that is what most people think of as the standard) that we use is going to be replaced by Firefox and Thunderbird? Or is going to be called Seamonkey next week?
No, I think it was a bad idea. Open Source does not have the resources and credibility to spill them this way.