Patch & Workaround for Firefox Flaw Available
mcc writes "Yesterday Slashdot reported on a Firefox vulnerability which could allow remote code execution. Today Firefox has a patch and a configuration workaround, both of which immunize against the bug. If you are using Firefox you should immediately go to the URL 'about:config', type 'network.enableIDN' into the box, and verify that 'network.enableIDN' is set to 'false'." Update: 09/10 18:59 GMT by Z : Removed wayward colon.
yeah!
Done. Work around complete.
Ummm, Jon, aren't you supposed to be dead...? - Otter(3800)
Seems the default is "True." Am I supposed to do something after verifying the setting?
wtf is IDN?
I wouldn't be implying laziness on the part of developers until a couple days have passed after the bug report.
With two significant security flaws discovered so far in Firefox (and many in IE) what should a high-security company do for a secure web browser?
Since Asa Dotzler of Mozilla keeps deleting me from his blog, this is just to publicize just how crap Mozilla's security practices really are. Yes, they issue patches quickly, and they have an excellent policy of paying for disclosure for remote exploit holes. But they don't design securely at all, and they certainly don't test securely.
I asked a very simple question in Ask Asa #17: Basically, who was responsible for the testing/QA failure that led to a security regression in Firefox 1.0.4, how will they be censured, and what is being done to prevent a similar recurrence.
He didn't answer and has deleted every comment I post, in which I've said the same thing. I think it's a fair question. Not answering is pretty crappy, but censoring just because he spends too much time being 'visible' and not enough time actually doing QA is truly pathetic.
Asa isn't the fun-loving guy his blog projects, he can be a complete idiot too. Spread the word.
Firefox is totally secure, just like Linux is. Only MSFT is not secure, don't you read this website???
Fine. Now here's the confirmation of Mozilla's fast response again. Do we need more, more and more fast bugfixes to stop trolling around?
From what I read in yesterday's article it was more than a little serious. Going from broken to patched in a day is a damn good turnaround. Or it could just be, you know, breathlessly delivered news. This is possible. :) Either way, thank you Firefox team. The local high school is going to be transitioning over to Firefox within a few weeks, to coincide with moving in to a newly built school. I can't say I'm not more surprised about Firefox than the new school.
TLoM: Nerds + DDR + Rednecks for the win!
Am I imagining it or is this the second time a bug has been found in IDN?
How do we know that URL doesn't trigger the bug? Appropriately enough, my /. confirmation image word is "beguile"!
What is IDN and what about it causes vulnerability?
Since when has this country used intellectual elite as a pejorative term?
here ;)
You can't handle the truth.
We actually had the patch and workaround up yesterday.
It's unfortunate that the bug reporter gave us so little time to respond to the issue before going public. He filed the confidential security bug on the afternoon of the 6th, and then went highly public (to c|net) in less than 72 hours.
As anyone can see now that the bug is no longer confidential, we were hard at work diagnosing the problem when he went public. Not only that, but the public release he made was based on our developer's analysis of the problem, not his -- which happened to be wrong.
This workaround that we posted (on the same day as the problem was made public) is only temporary and causes some of our users a loss of functionality (IDN). We will be issuing a full browser update for our stable Firefox 1.0.x and Mozilla 1.7.x releases which contains the real fix (also available as a patch to both 1.0.6 and 1.5 Beta yesterday) that avoids the security issue without disabling IDN.
Expect that new release shortly.
- A
I seem to recall having to do this before -- anyone else?
Going to about:config: does nothing in firefox (at least version 1.0.4); use about:config instead.
"You mortals are so obtuse." -Q
I'm amazed at how surprised some people are at the fact that Firefox has a serious exploit. They think, "oh well, it's an alternative to microsoft, it's therefore immune to everything!". Then something bad happens and these same people act like they no longer have anywhere to turn to. They act like their faith was completely misguided and now they have no one to put said faith into.
The same thing applied to other people as well, as we saw in a previous Slashdot article about macs. While not impossible, it's extremely difficult to make software that is in a constant state of development completely exploit proof. Firefox is ultimately a better browser than IE for numerous reasons, but it is not 100% perfect, nor is OSX, nor is Linux or FreeBSD or Windows, or anything else on this planet and it's silly to expect otherwise.
Nature doesn't operate on 100% uptime, only 99.9%.
I'm god, but it's a bit of a drag really...
It's quite similar to registering a domain name with typos and still hoping that people enter their login data, but it's MUCH harder to realize that this is going on when you can't realize it by just reading the domain name with your eyes, no matter how closely you look at the letters.
"Unpatched" means there is not a patch available to fix the vulnerability. Yesterday it was unpatched.
Since when does "unpatched" mean lazy?
Bogtha Bogtha Bogtha
Deja vu anyone? I've always thought that this "bug" and its corresponding "patch" has been out for a while... I know for sure that when I heard about this a while ago, I disabled IDN...
Debugging? Klingons do not debug. Bugs are good for building character in the user.
Try using about:config instead... do these people check these articles before they put them live? Every article has at least one typo.
While I always type in potentially system modifying commands into my computer based on what a news site tells me to type, this time I'll give it a day or so in order to let the tech guinea pigs report back just what the changes have done for them.
If the Sulfnbk.exe "virus" taught me anything [and I didn't since I had that hoax figured out when I saw it], it's don't assume someone's helping your computer if you don't know them from a hole in the ground, and you never asked for their help.
Saskboy's blog is good. 9 out of 10 dentists agree.
Release Date:
September 8, 2005
Date Reported:
September 4, 2005
Vendor Status:
Mozilla was notified, and I'm guessing they are working on a patch. Who knows though?
Is this the one that was reported by a "security professional" on September 4, 2005 and released on September 8, 2005? Boy, that would give Mozilla a whole four (4) days to fix the bug!
We are doomed to be re-exploited.
I turned off IDN the last round of IDN exploits and left it off.
You will be baked, and there will be cake.
How hard is it to change the default IDN toggle to false, from true?
I don't know, try changing the company to Microsoft and see.
*Imagines millions of barking zealot nerds screaming 'Omg M$ is teh lazy!!111'*
Since when are instructions for removing a feature in your product a "patch"? The details simply tell you to disable IDN support in your browser. If Microsoft released a patch like this people would call foul immediately. The patch is just a stop-gap reaction to make the Firefox team appear responsive to security bugs. Fixing and - more importantly - testing severe flaws in all your customers' configurations takes a long time and the idea of the 24-hour bug fix is ideological at best.
I believe this is the second problem to arise from the support for IDN. I checked my setting, and I already had it disabled from the last one (where you could essentially spoof a domain name by using unicode characters that look exactly the same as ascii characters, but are in fact, different).
Someone give me one good reason why I should EVER enable IDN?
Ironically, the word ironically is often used incorrectly.
1. It says: "You should only install software from sources that you trust"
2. It comes from ftp.mozilla.org
3. But the patch is "unsigned".
Would a signature elevate the level of trust, or are we talking some other type of signature, here ?
News: discovered vulnerability. Mozilla: patch next day after article. Microsoft: patch next black tuesday. The only reason you see patches before announcements with microsoft is because the security groups don't want to deal with the litigation-hell microsoft might try to inflict on them. Mozilla on the other hand doesn't have that advantage with all groups. So please keep your stupid comments to yourself.
[!] No, I can't see my comments. They are not worthy of +3 moderation.
Removed wayward colon.
Ewwwwwww.
Slashdot - where whining about luck is the new way to make the world you want.
This Ferris guy seems to have it in for Firefox. He gave them only 48 hours notice before publishing the exploit to the buffer overrun. However, he also discovered some exploits in IE (http://news.com.com/Microsoft+investigates+another+IE+flaw+report/2100-1002_3-5844431.html?tag=nl), however in this case no exploit details were given at all.
Not really a patch, is it? Turning something off? That sounds like Microsoft saying to turn off ActiveX controls, until a real patch can be made...
When Firefox releases a real "patch" that lets you use the "True" setting, and it works correctly, then it's "patched". Right now it's just "Band-Aided".
Yuma, AZ...You will never find a more wretched hive of scum and villainy. We must be cautious.
How about we just kill off IDN entirely instead?
Finally! A year of moderation! Ready for 2019?
Most people using the browser have no use for those URLs. Being vulnerable to an exploit twice due to a feature most people don't need is positively Microsoft-ish.
HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
SIGFEH
"Unpatched" a month or 2 after the developers were notified of the issue could be lazy......could. It could also be that hard to fix, but most buffer overruns aren't going to be that hard to find and fix once you know they exist.
"Unpatched" 4 days after notification isn't lazy at all. I think that was the point.
You know, why don't they fix it with the "check for updates" thing?
For all of you dinosaurs who, like me, still use and prefer mozilla suite, this applies to us also. And for all of you lazy slashdot readers who, like me, hate to track down a link in another comment, here's that link:
What Firefox and Mozilla users should know about the IDN buffer overflow security issue
Move on. There's nothing to see here.
It's not fixed, they're just disabling that part of the browser. What they're doing is like saying that there's a vulnerability in the way Windows shares files, so the patch is to stop sharing files.
Here is a list of every currently exploitable problem in Microsoft products that a SINGLE company has found.
http://www.eeye.com/html/research/upcoming/index.html
They have currently been waiting 165 days for a patch for remote code execution.
Anyone that moderated this Insightful needs to be hit with a really big fucking clue stick. IDN is International Domain Names -- it allows for non-ASCII characters in the domain name for non-English languages.
Sort of, but IDN isn't something that's that critical for many people like Active-X, which is at the centre of Microsoft's incompatibility war.
IDN is (necessarily) a bit of a kludge for the most part anyways. The International Domain Name stuff opens up its own can of worms in that you can come up with Domain names that look a lot like a well known one by grabbing a domain name with one letter changed to an IDN character that looks enough like the original one to fool people. example: hötmail.çom replaces both the O in hotmail and the c in com. both relatively obvious but good enough to fool some into thinking that it's a rendering error. (( Slashdot filters out almost all international characters, which makes it hard to give a really good IDN example )).
Sometimes boldness is in fashion. Sometimes only the brave will be bold.
I'm amazed at how surprised some people are at the fact that Firefox has a serious exploit.
I'm amazed that a slashdot reader doesn't understand the difference between an exploit and a vulnerability.
I do agree Asa has a dark side, it's quite obvious when you check not only his blog entries but the comments, and his comments in bugzilla. I also agree that many Mozilla policies are poor, and cause security issues. For example there's a feature request in bugzilla asking for extension blacklisting. This is a very good feature because anyone could write a nasty xpi with a nice name and it would cause much PR trouble. But the bug request was put "on hold" because their priorities are "elsewhere". On the other hand, Firefox is and always has been much more secure than IE. Not only in the number of vulnerabilities, but the fact that they were all proofs of concept, and not actual vulnerabilities found on malicious web sites. The security process is also a lot more transparent, meaning patches are provided more quickly. So it's a bit of both really.
Ouch! That's got to hurt! ;P (Note to humour impaired mods: This is a use of good humour. Mod appropriately)
-"...bad old ideas look confusingly fresh when they are packaged as technology" - Jaron Lanier (Digital Maoism on Edge.o
After a few months
Just another crappy blog
And if this is fresh news, do people care about their internet security at all? Or just bad memory?
Here's the link to Ferris's site's article on this: Ferris vuln report
Also, that page apparently has some (quite simple) test code "linked" to here: vuln test code
I must say, I don't appreciate having to scramble because he wanted some notoriety. 2 days from notify to disclose? Greetz indeed.
Ferris -1, Jerk
example: hötmail.çom
Actually, I don't think you can change the ".com" - the TLDs need to match still - but you can do even better: the Cyrillic and Greek alphabets contain numerous letters that look exactly like Roman letters.
Including archaic and variant forms present in Unicode, the following lower-case characters can be spoofed:
Cyrillic has a, e, o, p, c, y, x, and s.
Greek has v, o, c, j.
And that's before you start on the close matches (gamma, rho, upsilon, omega.) which might easily be mistaken at small point sizes.
If your comment title says 'Re: Foo', I'm not likely to read it.
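The lookalike problem described above (Cyrillic and Greek letters that render like Latin ones), as an added example that is not part of the thread: a small Python checker that flags a hostname when every non-ASCII letter is a confusable for a Latin one, or when a single label mixes scripts, and shows the punycode form a cautious address bar would display instead. The confusables table is a constructed subset covering only the letters named in the thread (plus U+0455 DZE from the follow-up), not the full Unicode confusables list.

```python
import unicodedata

# Constructed confusables table (assumption: a minimal subset, not the full
# Unicode confusables list) of Cyrillic/Greek lower-case letters that look
# identical to Latin ones in most fonts.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0455": "s",  # CYRILLIC SMALL LETTER DZE (Macedonian)
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
    "\u03bd": "v",  # GREEK SMALL LETTER NU
    "\u03f2": "c",  # GREEK LUNATE SIGMA SYMBOL
    "\u03f3": "j",  # GREEK LETTER YOT
}

def script_of(ch):
    """Coarse script bucket derived from the character's Unicode name."""
    name = unicodedata.name(ch, "")
    for script in ("LATIN", "CYRILLIC", "GREEK"):
        if name.startswith(script):
            return script
    return "OTHER"

def scripts_in(label):
    """Set of scripts used by the letters of one hostname label."""
    return {script_of(c) for c in label if c.isalpha()}

def lookalike_of(label):
    """ASCII label this label renders like, or None if not a full lookalike."""
    if label.isascii():
        return None
    skeleton = "".join(CONFUSABLES.get(c, c) for c in label)
    return skeleton if skeleton.isascii() else None

def to_punycode(hostname):
    """ACE (xn--) form of a hostname: what goes on the wire and what a wary UI shows."""
    return hostname.encode("idna").decode("ascii")

def classify(hostname):
    """Return (verdict, detail): 'ascii' (nothing to flag), 'lookalike' (every
    non-ASCII letter is a confusable; detail is the ASCII name it mimics),
    'mixed-script' (a label mixes scripts) or 'idn' (single-script IDN)."""
    labels = unicodedata.normalize("NFKC", hostname).lower().split(".")
    if all(l.isascii() for l in labels):
        return "ascii", hostname
    if any(lookalike_of(l) is not None for l in labels):
        return "lookalike", ".".join(lookalike_of(l) or l for l in labels)
    if any(len(scripts_in(l)) > 1 for l in labels):
        return "mixed-script", hostname
    return "idn", hostname

if __name__ == "__main__":
    # Constructed samples: Cyrillic 'a' in paypal, Greek 'nu' in vet, a
    # Cyrillic/Latin mix, a Latin-only IDN and a genuine all-Cyrillic name.
    for host in ("paypal.com", "p\u0430ypal.com", "\u03bdet.com", "\u0434om.com",
                 "h\u00f6tmail.com", "\u043f\u043e\u0447\u0442\u0430.\u0440\u0444"):
        verdict, detail = classify(host)
        print(f"{host!r:26} {verdict:13} {detail!r:16} {to_punycode(host)}")
```

A genuine single-script IDN such as the all-Cyrillic sample is left alone, which is the distinction a "colour the URL bar for IDN" heuristic alone cannot make.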
If you don't want to disable IDN, or if you want to help test the change so Mozilla can release updated versions faster, try these nightly builds:
Today's Gecko 1.8 branch nightly - Firefox 1.5 Beta 1 plus the fix for this security hole.
Today's Aviary 1.0.1 branch nightly - Firefox 1.0.6 plus the fix for this security hole. There isn't a Linux build here; I don't know why.
The shareholder is always right.
When using Firefox, you can just drag the link onto the tab bar. It'll open it up as if you had typed the address, so it won't appear to come from slashdot.
This is a workaround. It disables the feature that has the flaw. I wouldn't call this patching the bug. When the real patch comes around, this will be even more evident
It works on so many levels!
"A thousand eyes, all bugs are shallow". Oops!
"So wager what you will, but I bet you in return that your bet is based on ignorance rather than facts."
Most likely based on the same myopia you see in the US (even the Canadians know better). The world revolves around all things English (and American). The "turn it off" solution is one we see commonly used to solve Windows problems. Not Linux problems...until now.
as a reply to a reply stated doing this doesn't gain you much, if you run as a low privilege user you just end up with all your valuable data owned by that low privilege user and therefore vulnerable.
you could run the web browser as its own user which would limit damage if it was compromised but this would still leave your cookies (which may contain valuable authentication information) browsing history etc vulnerable and would make downloading stuff a pain.
note: i'm known as plugwash most places but i screwed up registering that here somehow in the past and now can't register
so firefox isn't exactly turning off something lots of sites are going to be relying on
Asa, it's good to see (putatively) competent posters on this topic. Please know that this is not intended as a troll. You see, one thing is a config change, but if it doesn't *actually* solve the problem then it'll just be noise in the config file.
7 7 that said this IDN config change isn't gonna work, and this worries me. If the publicized workaround is not effective then I think I'd be better off taking my chances on watching URLs myself, rather than having IDN 'faux disabled' (this may become effective at a later time when I'm not aware of it).
I mean, I came across https://bugzilla.mozilla.org/show_bug.cgi?id=2813
Can you say anything about these issues?
(PS. I'm still on v1.0.6 because 1.5b1 breaks my extensions.)
"Good news, everyone!"
I know a few fonts where "0" and "o" look the same. :-)
Karma: It's all a bunch of tree-huggin' hippy crap!
That's a GREAT link there...
Anyone using a slightly older version of Firefox gets redirected to a "you need to upgrade" page. How nice, I can't find out about a security vulnerability that exists in both new and old versions of Firefox, because I'm not using a more recent version of Firefox...
I can read that page using any non-Mozilla-based browser though! So the title of that page: "What Firefox and Mozilla users should know" is quite ironic, since it's inordinately hard for Firefox/Mozilla users to SEE that page.
Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
True, except the 's'. There is no such thing in Cyrillic [...]
Actually, there is: it's used in the Macedonian version of the Cyrillic alphabet.
It's in Unicode, too: U+0455 CYRILLIC SMALL LETTER DZE
If your comment title says 'Re: Foo', I'm not likely to read it.
Right now Firefox has the ability to change the URL box colour to show that it is a secure site.
Well, why not as part of the anti-phishing concept, make it so all IDN sites cause that same URL window to show a different colour, so once again the user gets a visible prompt to be extra vigilant that the site is legit.
Those that use IDN due to their nationality can thereby continue to use IDN where necessary (and as with all Firefox stuff, customise userchrome.css to NOT change the colour if they want).
Personally I already customise my security colours with custom graphics to make it really obvious when security gets broken. It's a trivial step to do the same with IDN. For more info on my customisation you can visit Mozillazine (direct link from /. won't work so copy and paste URL and remove spaces): http://forums.mozillazine.org/viewtopic.php?t=128849
Visceral Psyche Films
some perspective please. Not all bugs/flaws/vulnerabilities are the same.
If Microsoft says on monday there is a flaw, or it is reported, and the 'fix' is to disable said component, then they usually point that out.
Of course, I have no idea how many LOC this took to fix, if it was trivial or not, or how it was exploitable, so maybe I should shut up, then again, since when has knowing the facts been a prerequisite for slashdotting.... um tee...
#hostfile 0.0.0.0 primidi.com 0.0.0.0 www.primidi.com 0.0.0.0 radio.weblogs.com
Since when does "unpatched" mean lazy?
It implies lazy. Read the GP again.
This about:config method works in the newest Netscape 8.0.3.3 http://www.frsirt.com/english/advisories/2005/1691 too.
True, but calling it "unpatched" when it's also "brand-spanking-new" implies something not being done.
Since when does "unpatched" mean lazy?
It's a negative connotation and implies (at least, I inferred) that a bug has been found (true) that is not patched (true), and implication/inference of: for a period of time longer than reasonable to come up with a patch.
BTW, I agree with poster who said it's more like "band-aided" than patched when the patch is turning off a feature.