Slashdot Mirror


Patch & Workaround for Firefox Flaw Available

mcc writes "Yesterday Slashdot reported on a Firefox vulnerability which could allow remote code execution. Today Firefox has a patch and a configuration workaround, both of which immunize against the bug. If you are using Firefox you should immediately go to the URL 'about:config', type 'network.enableIDN' into the box, and verify that 'network.enableIDN' is set to 'false'." Update: 09/10 18:59 GMT by Z : Removed wayward colon.

7 of 235 comments

  1. Secure Web Browser by joelparker · · Score: 4, Interesting

    With two significant security flaws discovered so far in Firefox (and many in IE) what should a high-security company do for a secure web browser?

    1. Re:Secure Web Browser by justsomebody · · Score: 4, Interesting

      Well, the first thing a high-security company should do is localize machines with internet access and separate them from the rest that need to be secure. It worked out for me when I received a job that demanded this task.

      We just separated vital and non-vital computers into two groups, with one computer serving as a bridge when data needed to be transferred from one network to another. This was the one and only node in the network visible to all, with minimized and highly tracked in-house services for transferring the data.

      Second thing on the secure part is absolute disabling of any kind of install and taking out every removable device.

      But,... there is no better security than being unplugged. So, best answer to your question "which browser?" is NO BROWSER

      --
      Signature Pro version 1.13.2-3 release 83.5 beta3try7 after-breakfast edition
  2. That was FAST. by bluesoul88 · · Score: 3, Interesting

    From what I read in yesterday's article it was more than a little serious. Going from broken to patched in a day is a damn good turnaround. Or it could just be, you know, breathlessly delivered news. This is possible. :) Either way, thank you Firefox team. The local high school is going to be transitioning over to Firefox within a few weeks, to coincide with moving in to a newly built school. I can't say I'm not more surprised about Firefox than the new school.

    1. Re:That was FAST. by cnettel · · Score: 4, Interesting
      It will just be sad for those users relying on IDN. That may not be U.S. users, but it WILL disturb some Swedish sites, and I assume it's far worse for Japanese and Chinese users, for example. There may be other, older, domain name schemes for those users still used that I'm not aware of, though, but IDN has been seen as the way forward for quite some time.

      It's not a patch any more than turning off Javascript is a patch for several IE vulnerabilities. It might be argued that this workaround does less in the area of destroying the "experience" for normal surfers, but as I noted, I think that depends much on your nationality/language.

  3. Re:actually. by mroch · · Score: 3, Interesting

    The description of the vulnerability is copied verbatim out of the bug report, yet Tom Ferris claims copyright at the bottom of the announcement. This is plagiarism, and public disclosure of confidential information, isn't it? Can Mozilla go after him? (IANAL)

  4. So, reason #2 not to enable IDN by That's+Unpossible! · · Score: 2, Interesting

    I believe this is the second problem to arise from the support for IDN. I checked my setting, and I already had it disabled from the last one (where you could essentially spoof a domain name by using unicode characters that look exactly the same as ascii characters, but are, in fact, different).

    Someone give me one good reason why I should EVER enable IDN?

    --
    Ironically, the word ironically is often used incorrectly.
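
The domain-name spoofing the comment above refers to, as an added example that is not part of the original thread or of Firefox's own code: a Python check that decodes punycode (`xn--`) labels back to Unicode, flags any label that mixes Latin with Cyrillic or Greek letters, and folds known lookalike characters to their Latin twins to see whether the result collides with a protected name. The confusables table and the protected-name list are constructed subsets for illustration (not the full Unicode TR39 data), and the sample hostnames are constructed here; the spoofed name is built from Unicode and encoded with Python's built-in `idna` codec so no punycode string has to be hand-typed.

```python
import unicodedata

# Constructed subset of lookalike characters -> Latin twin (assumption: a real
# deployment would load the full Unicode TR39 confusables table instead).
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u0458": "j",  # CYRILLIC SMALL LETTER JE
    "\u04bb": "h",  # CYRILLIC SMALL LETTER SHHA
    "\u03b1": "a",  # GREEK SMALL LETTER ALPHA
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
}

# Constructed list of names worth protecting against lookalikes (assumption).
PROTECTED = ("paypal", "google", "slashdot")


def to_unicode_host(host):
    """Decode every punycode (xn--) label of a hostname; pass other labels through."""
    labels = []
    for label in host.lower().split("."):
        if label.startswith("xn--"):
            # Python's idna codec implements IDNA2003 ToUnicode for a label.
            label = label.encode("ascii").decode("idna")
        labels.append(label)
    return ".".join(labels)


def scripts_in(label):
    """Return the set of script names (first word of the Unicode name) used in a label.

    Digits and the hyphen are common to every script and are ignored.
    """
    scripts = set()
    for ch in label:
        if ch.isdigit() or ch == "-":
            continue
        scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return scripts


def skeleton(label):
    """Fold each confusable character to its Latin lookalike."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in label)


def analyze(host, protected=PROTECTED):
    """Report labels that mix Latin with Cyrillic/Greek or that fold to a protected name.

    Only Latin mixed with Cyrillic or Greek is flagged: Japanese names, for example,
    legitimately mix Hiragana, Katakana and CJK ideographs and must not be penalized.
    """
    uni = to_unicode_host(host)
    report = {"unicode": uni, "mixed_script_labels": [], "lookalike_of": []}
    for label in uni.split("."):
        scripts = scripts_in(label)
        if "LATIN" in scripts and scripts & {"CYRILLIC", "GREEK"}:
            report["mixed_script_labels"].append(label)
        folded = skeleton(label)
        if folded != label and folded in protected:
            report["lookalike_of"].append((label, folded))
    report["suspicious"] = bool(report["mixed_script_labels"] or report["lookalike_of"])
    return report


# Constructed samples: "paypal" with both a's replaced by CYRILLIC SMALL LETTER A,
# encoded to punycode by the idna codec, plus a legitimate German IDN and a plain name.
SPOOF_UNICODE = "p\u0430yp\u0430l.com"
SPOOF_PUNYCODE = SPOOF_UNICODE.encode("idna").decode("ascii")
LEGIT_IDN = "m\u00fcnchen.de"

if __name__ == "__main__":
    for host in (SPOOF_PUNYCODE, LEGIT_IDN, "paypal.com"):
        print(host, "->", analyze(host))
```

Run stand-alone, the spoofed name is reported both as a mixed-script label and as a lookalike of "paypal", while the German IDN and the plain ASCII name pass. Firefox's `network.enableIDN=false` avoids the problem by refusing to render any IDN at all; a check like this one is what a browser or mail gateway does when it wants to keep legitimate IDNs while still catching the lookalikes.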
  5. It should default to 'false' in any event by HBI · · Score: 2, Interesting

    Most people using the browser have no use for those URLs. Being vulnerable to an exploit twice due to a feature most people don't need is positively Microsoft-ish.

    --
    HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.