Patch & Workaround for Firefox Flaw Available
mcc writes "Yesterday Slashdot reported on a Firefox vulnerability which could allow remote code execution. Today Firefox has a patch and a configuration workaround, both of which immunize against the bug. If you are using Firefox you should immediately go to the URL 'about:config', type 'network.enableIDN' into the box, and verify that 'network.enableIDN' is set to 'false'." Update: 09/10 18:59 GMT by Z: Removed wayward colon.
I wouldn't be implying laziness on the part of developers until a couple days have passed after the bug report.
I'm amazed at how surprised some people are at the fact that Firefox has a serious exploit. They think, "oh well, it's an alternative to Microsoft, it's therefore immune to everything!" Then something bad happens and these same people act like they no longer have anywhere to turn to. They act like their faith was completely misguided and now they have no one to put said faith into.
The same thing applied to other people as well, as we saw in a previous Slashdot article about Macs. While not impossible, it's extremely difficult to make software that is in a constant state of development completely exploit-proof. Firefox is ultimately a better browser than IE for numerous reasons, but it is not 100% perfect, nor is OSX, nor is Linux or FreeBSD or Windows, or anything else on this planet, and it's silly to expect otherwise.
Nature doesn't operate on 100% uptime, only 99.9%.
I'm god, but it's a bit of a drag really...
You make a good point. But I've got faith that the Firefox guys will put up a more solid patch soon, to get IDN working as it should. For many people this will be a "good enough" fix. Many other people won't be satisfied with it, as you said. The important thing is the flaw's identified and a tentative fix is in place. Now they can just elaborate on it. That's how I would do it, anyway.
TLoM: Nerds + DDR + Rednecks for the win!
"Unpatched" means there is not a patch available to fix the vulnerability. Yesterday it was unpatched.
Since when does "unpatched" mean lazy?
Bogtha Bogtha Bogtha
Memorize this and make it your mantra:
"Security is a process, not a product."
Organic free-range music... yum!
>Unplug. I have yet to see a hacker get around that, and it's been around for ages!
Oh, I can imagine a bad guy getting around that:
phone rings
User: "Hello?"
BG: "This is the help desk. Have you been having any network slowdowns?"
User: "Well, now that you mention it..."
BG: "Could you please help us test the collectimizer flexput on your MAUnode? Just plug your workstation into the network and point your browser to http://www.helpdesk.ro/"
Elegant and simple solutions don't work if the problem is malicious and intelligent.
Sort of, but IDN isn't something that's that critical for many people, unlike ActiveX, which is at the centre of Microsoft's incompatibility war.
IDN is (necessarily) a bit of a kludge for the most part anyways. The International Domain Name stuff opens up its own can of worms in that you can come up with domain names that look a lot like a well-known one by grabbing a domain name with one letter changed to an IDN character that looks enough like the original one to fool people. Example: hötmail.çom replaces both the O in hotmail and the c in com. Both relatively obvious, but good enough to fool some into thinking that it's a rendering error. (( Slashdot filters out almost all international characters, which makes it hard to give a really good IDN example. ))
Sometimes boldness is in fashion. Sometimes only the brave will be bold.
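An added example, not from the thread above, of the kind of lookalike check a browser or mail filter can apply to the hötmail.çom trick described in the previous comment: it decodes punycode labels, strips diacritics and a few cross-script confusables to a "skeleton", and compares that against names the user trusts. The trusted-name allowlist and the small confusables table are assumptions; the sample hostnames are constructed.

```python
import unicodedata

# Assumed allowlist of names the user actually trusts (constructed for this example).
TRUSTED = {"hotmail.com", "slashdot.org", "mozilla.org"}

# Small sample of Cyrillic letters that render like Latin ones (subset, for illustration).
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0455": "s", "\u0456": "i",
}


def to_ascii(host: str) -> str:
    """Encode a Unicode hostname to its punycode (xn--) wire form."""
    return host.encode("idna").decode("ascii")


def to_unicode(host: str) -> str:
    """Decode any xn-- labels back to Unicode so they can be inspected."""
    labels = []
    for label in host.lower().split("."):
        if label.startswith("xn--"):
            label = label.encode("ascii").decode("idna")
        labels.append(label)
    return ".".join(labels)


def skeleton(host: str) -> str:
    """Reduce a name to what it visually resembles: drop diacritics, map confusables."""
    decomposed = unicodedata.normalize("NFKD", to_unicode(host))
    stripped = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return "".join(CONFUSABLES.get(ch, ch) for ch in stripped)


def classify(host: str) -> str:
    """Return 'trusted', 'lookalike of <name>', 'idn' or 'ascii' for a hostname."""
    uni = to_unicode(host)
    if uni in TRUSTED:
        return "trusted"
    skel = skeleton(host)
    if skel in TRUSTED:  # looks like a trusted name but is not one
        return "lookalike of " + skel
    if any(ord(ch) > 127 for ch in uni):
        return "idn"
    return "ascii"


if __name__ == "__main__":
    for name in ["hotmail.com", "hötmail.çom", to_ascii("hötmail.çom"), "bücher.example"]:
        print(f"{name:32} {classify(name)}")
```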