Patch & Workaround for Firefox Flaw Available

mcc writes "Yesterday Slashdot reported on a Firefox vulnerability which could allow remote code execution. Today Firefox has a patch and a configuration workaround, both of which immunize against the bug. If you are using Firefox you should immediately go to the URL 'about:config', type 'network.enableIDN' into the box, and verify that 'network.enableIDN' is set to 'false'." Update: 09/10 18:59 GMT by Z : Removed wayward colon.

yesterday it was "unpatched!?!?!", today is fixed.

[Maow]

I thought yesterday's story about the unpatched flaw was a bit hasty.

I wouldn't be implying laziness on the part of developers until a couple days have passed after the bug report.

Secure Web Browser

[joelparker]

With two significant security flaws discovered so far in Firefox (and many in IE) what should a high-security company do for a secure web browser?

Re:Secure Web Browser

[ari_j]

lynx

Re:Secure Web Browser

[Transcendent]

Lynx has had it's problems. You can crash some previous (recent) versions with very large tables. They can be empty tables too like this one.

Re:Secure Web Browser

[Mr.+Underbridge]

Mac and Safari and or Firefox on Mac.

Firefox on the Mac is about as stable as a schizophrenic off their lithium.

Re:Secure Web Browser

[An+Onerous+Coward]

Nyuh-uh. Lynx still does "rendering", which means it's actually interpreting the information being sent to it. That means there is still a risk of it being sent a piece of data that exploits a vulnerability.

I was going to argue that the only safe thing to do would be to use wget and interpret the web pages in your head. But the last guy who took that advice got 'sploited anyways. He's in the hospital with his brain stuck in an infinite loop.

Re:Secure Web Browser

[justsomebody]

Well, first thing a high-security company should do is localize machines with internet access and separate them from the rest that need to be secure. It worked out for me when I recieved a job that demanded this task.

We just separated vital and non-vital computers in two groups with one computer serving as bridge when data needed to be transfered from one network to another. This was one and only node in network visible to all with minimized and highly tracked in-house services for transfering the data.

Second thing on the secure part is absolute disabling of any kind of install and taking out every removable device.

But,... there is no better security than being unplugged. So, best answer to your question "which browser?" is NO BROWSER

Re:Secure Web Browser

[mu-sly]

Memorize this and make it your mantra:

"Security is a process, not a product."

Re:Secure Web Browser

[Beryllium+Sphere(tm)]

>Unplug. I have yet to see a hacker get around that, and it's been around for ages!

Oh, I can imagine a bad guy getting around that:

phone rings
User: "Hello?"
BG: "This is the help desk. Have you been having any network slowdowns?"
User: "Well, now that you mention it..."
BG: "Could you please help us test the collectimizer flexput on your MAUnode? Just plug your workstation into the network and point your browser to http://www.helpdesk.ro/"

Elegant and simple solutions don't work if the problem is malicious and intelligent.

Re:Secure Web Browser

[bcmm]

Telnet

That was FAST.

[bluesoul88]

From what I read in yesterday's article it was more than a little serious. Going from broken to patched in a day is a damn good turnaround. Or it could just be, you know, breathlessly delivered news. This is possible. :) Either way, thank you Firefox team. The local high school is going to be transitioning over to Firefox within a few weeks, to coincide with moving in to a newly built school. I can't say I'm not more surprised about Firefox than the new school.

Re:That was FAST.

[cnettel]

It will just be sad for those users relying on IDN. That may not be U.S. users, but it WILL disturb some Swedish sites, and I assume it's far worse for Japanese and Chinese users, for example. There may be other, older, domain name schemes for those users still used that I'm not aware of, though, but IDN has been seen as the way forward for quite some time.

It's not a patch anymore than turning of Javascript is a patch for several IE vulnerabilities. It might be argued that this workaround does less in the area of destroying the "experience" for normal surfers, but as I noted, I think that depends much on your nationality/language.

Re:That was FAST.

[bluesoul88]

You make a good point. But I've got faith that the Firefox guys will put up a more solid patch soon, to get IDN working as it should. For many people this will be a "good enough" fix. Many other people won't be satisfied with it, as you said. The important thing is the flaw's identified and a tentative fix is in place. Now they can just elaborate on it. That's how I would do it, anyway.

IDN

[dfunct]

I'm I imagining it or is this the second time a bug has been found in IDN?

Re:IDN

[ssj_195]

You are correct; the previous one was a IDN spoofing vulnerability, which I thought was largely a flaw in the IDN specification itself, rather than in any particular implementation thereof (is this correct...?). This time around, however, the flaw lies in the Firefox code itself.

Re:IDN?

[ScrewMaster]

Integrated Digital Network without the Services. I think it's referring to MSN.

actually.

[asa]

We actually had the patch and workaround up yesterday.

It's unfortunate that the bug reporter gave us so little time to respond to the issue before going public. He filed the confidential security bug on the afternoon of the 6th, and then went highly public (to c|net) in less than 72 hours.

As anyone can see now that the bug is no longer confidential, we were hard at work diagnosing the problem when he went public. Not only that, but the public release he made was based on our developer's analysis of the problem, not his -- which happened to be wrong.

This workaround that we posted (on the same day as the problem was made public) is only temporary and causes some of our users a loss of functionality (IDN). We will be issuing a full browser update for our stable Firefox 1.0.x and Mozilla 1.7.x releases which contains the real fix (also available as a patch to both 1.0.6 and 1.5 Beta yesterday) that avoids the security issue without disabling IDN.

Expect that new release shortly.

- A

Re:actually.

[bogie]

That's coming in 1.5. See the release notes here.

http://www.mozilla.org/products/firefox/releases/1 .5beta1.html

Note that future updates to Firefox "may now be half a megabyte or smaller."

Re:actually.

[mroch]

The description of the vulnerability is copied verbatim out of the bug report, yet Tom Ferris claims copyright at the bottom of the announcement. This is plagiarism, and public disclosure of confidential information, isn't it? Can Mozilla go after him? (IANAL)

Re:actually.

[pe1chl]

How did forking help the project?
IMHO it didn't.
The option to install only the browser has always been there.

Now we are stuck with forks, always confusing about what problem is caused by what part and appears in what versions, and even more wasted work on releases, internationalisation, etc.

How are we going to explain to the employees that this "non-standard" browser/mailer Mozilla (most businesses use IE and Outlook, so that is what most people think of as the standard) that we use is going to be replaced by Firefox and Thunderbird? Or is going to be called Seamonkey next week?

No, I think it was a bad idea. Open Source does not have the resources and credibility to spill them this way.

Doesn't quite work, use about:config instead

[slobber]

Going to

about:config:

does nothing in firefox (at least version 1.0.4)

use

about:config

instead.

Re:Here's a question...

IDN -> International Domain Names

It allows you to create a domain name with international characters ( like böghåla.se ), create the A/PTR records with a coded name that bind can handle ( xn--bghla-ira0j.se ) and a method to convert between the two ( look up PUNY ).

That way, when you type in your browser "http://www.böghåla.se", you are directed to "http://www.xn--bghla-ira0j.se".

Turning IDN off in Firefox is mighty a stupid solution. Stupid on a planetary scale. A problem should be fixed, not circumvented by removing the functionality.

I wonder if the guy who coined the advice "turn it off" would cut off his arm if he got a zit on the elbow ? Same thing..

Power of Propaganda

[i_ate_god]

I'm amazed at how surprised some people are at the fact that Firefox has serious exploit. They think, "oh well, it's an alternative to microsoft, it's therefore immune to everything!". Then something bad happens and these same people act like they no longer have anywhere to turn to. They act like their faith was completely misguided and now they have no one to put said faith into.

The same thing applied to other people as well, as we saw in a previous slash dot article about macs. While not impossible, it's extremely difficult to make software that is in a constant state of development completely exploit proof. Firefox is ultimately a better browser than IE for numerous reasons, but it is not 100% perfect, nor is OSX, nor is Linux or FreeBSD or Windows, or anything else on this planet and it's silly to expect otherwise.

Nature doesn't operate on 100% uptime, only 99.9%.

Re:Power of Propaganda

[DCstewieG]

Nature doesn't operate on 100% uptime, only 99.9%.

Really? I must have missed the time nature went down. What was that like?

Re:Power of Propaganda

[i_ate_god]

I dunno, I went down with it.

Re:Power of Propaganda

[darkonc]

This is one of the reason why some people promote interoperability, compatability and standards. If you aren't forced to use only one browser (IE, firefox, whatever) for browsing the net, then you can choose whichever one is

1. safe
2. preferred
3. convenient
   (pretty much in that order)

When Microsoft creates 'tools' that don't even allow you to try a different browser, word processor, etc., then you're totally screwed when that 'one and only' browser has a flaw.

Given that I'm running Linux(FC4), I have the choice of 3 or more browsers to view this announcement and workaround here on slashdot, or even on the mozilla website.

Just like genetic diversity makes it harder for one virus to wipe out an entire year's crop, application (and/or OS) diversity makes it harder for one hacker to wipe out the entire internet. Part of the reason why I avoid IE is that any vulnerability is such a juicy target given that so many people don't think that they have a choice other than to use IE.

Re:Example of Mozilla Security Sucking

[sbrown123]

But they don't design securely at all, and they certainly don't test securely.

You were probably deleted from the blog for FUD statements like that. I don't believe in censoring myself, but your asking really idiotic questions and making opinions while lacking the knowledge to be making them to begin with.

a very simple question in Ask Asa #17: Basically, who was responsible for the testing/QA failure that led to a security regression in Firefox 1.0.4

I think your first problem is is the way you ask questions. Your question is apparently an attempt to start a blame game. Also, I can tell you who is responsible for testing and QA failures: you are. Yep, you apparently missed that Mozilla puts out betas with the intent that people test and find the bugs. Did you not notice that it's an open source project? Because its open source there is no "team" of testers working round the clock to find problems. Oddly, Microsoft which has these types of teams never seems to find the large number of security holes in IE. Mozilla's strategy, with its far fewer security vulnerabilities, may be proving that its a better testing/QA model for security. Only time will tell I guess. So far I think Mozilla is easily winning in this game.

Asa isn't the funloving guy his blog projects, he can be a complete idiot too. Spread the word.

I have better things to do than spread FUD. I will instead spread copies of Firefox on peoples computers with the knowledge that it's still more stable and secure than IE. This seems to be more constructive than blasting people as "idiots" because I have some person problem with them.

Re:yesterday it was "unpatched!?!?!", today is fix

[Bogtha]

"Unpatched" means there is not a patch available to fix the vulnerability. Yesterday it was unpatched.

Since when does "unpatched" mean lazy?

Re:Umm...

[MHobbit]

I'll elaborate. Remember this?

Re:Here's a question...

[Professor_UNIX]

Turning IDN off in Firefox is mighty a stupid solution. Stupid on a planetary scale. A problem should be fixed, not circumvented by removing the functionality.

I disagree. I would wager at least 98% of Firefox users do not need IDN functionality at all. The only thing it's really used for in reality are phishing sites. Unless you regularly interact with foreigners who refuse to conform to the proper ASCII character set in their domain names you shouldn't notice any difference in your browsing at all. When Jesus established the original RFC for domain names he used sensible restrictions, but now with this new IDN garbage we have people using characters that don't even make sense or appear on our keyboards! What villainy is this?

So, reason #2 not to enable IDN

[That's+Unpossible!]

I believe this is the second problem to arise from the support for IDN. I checked my setting, and I already had it disabled from the last one (where you could essentially spoof a domain name by using unicode characters that look exactly the same as ascii characters, but are in fact, different).

Someone give me one good reason why I should EVER enable IDN?

Re:Here's a question...

[Professor_UNIX]

Woops, I meant Jon.. Jon Postel. Common mistake.

But, but, but

[heinousjay]

Removed wayward colon.

Ewwwwwww.

Re:Here's a question...

[JourneyExpertApe]

Turning IDN off in Firefox is mighty a stupid solution. Stupid on a planetary scale. A problem should be fixed, not circumvented by removing the functionality.

If you were driving down the highway and you discovered that running your air conditioner caused your brakes to stop working, would you keep running your A/C until you got to a repair station, or would you turn it off?

Besides, most people probably rarely, if ever, use IDN. So it's more like disabling the child safety locks in your car. Who's ever used those?

It should default to 'false' in any event

[HBI]

Most people using the browser have no use for those URLs. Being vulnerable to an exploit twice due to a feature most people don't need is positively Microsoft-ish.

Ouch.

[x136]

Update: 09/10 18:59 GMT by Z : Removed wayward colon.

That sounds exceedingly painful.

Mozilla Suite, Too

[alacqua]

For all of you dinosuars who, like me, still use and prefer mozilla suite, this applies to us also. And for all of you lazy slashdot readers who, like me, hate to track down a link in another comment, here's that link:

What Firefox and Mozilla users should know about the IDN buffer overflow security issue

Re:Done and...

[jpostel]

Another thing that annoys me about this is the coverage of this flaw seems to indicate that this was unpatched for a while. This one is an example http://www.securityfocus.com/news/11308. Yet the original discovery was 9/4/2005 according to Tom Ferris' website http://www.security-protocols.com/advisory/sp-x17- advisory.txt

This bug was found and a work around was provided 6 days later. Is this unreasonable? If a patch were provided a week from now, would that be unreasonable?

I think that full disclosure is good, but giving a reasonable amount of time to patch a flaw is better. If we find out that Tom Ferris provided a patch to Mozilla that they ignored or rejected, then it changes things little, but releasing the vulnerability after 5 days due to a "run-in with Mozilla staff" http://news.com.com/Unpatched+Firefox+flaw+may+exp ose+users/2100-1002_3-5856201.html does not portray Tom Ferris in a good light.

Re:Example of Mozilla Security Sucking

[pohl]

Sorry to say this, but it sounds like you were removed for being a habitual trolling attention-whore. Just the way that you ask your questions is offensive: as if some naughty QA monkey needs to be publically whipped. How many times did people try to explain to you how ignorant you are of the open source development process before they took action? Be honest.

Re:yesterday it was "unpatched!?!?!", today is fix

[darkonc]

That sounds like Microsoft saying to turn off ActiveX controls, until a real patch can be made...

Sort of, but IDN isn't something that's that critical for many people like Active-X, which is at the centre of Microsoft's incompatibility war.

IDN is (necessarily) a bit of a kludge for the most part anyways. The International Domain Name stuff opens up it's own can of worms in that you can come up with Domain names that look a lot like a well known one by grabbing a domain name with one letter changed to an IDN character that looks enough like the original one to fool people. example: hötmail.çom replaces both the O in hotmail and the c in com. botth relatively obvious but good enough to fool some into thinking that it's a rendering error. (( Slashdot filters out almost all international characters, which makes it hard to give a really good IDN example )).

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Here's a question...

[DJCater]

Pay attention. This is a temporary workaround. Just like the previous vulnerability, the workaround was "disable JavaScript". That was until the real fix was landed.

IDN spoofing with Cyrillic and Greek

[ThreeDayMonk]

example: hötmail.çom

Actually, I don't think you can change the ".com" - the TLDs need to match still - but you can do even better: the Cyrillic and Greek alphabets contain numerous letters that look exactly like Roman letters.

Including archaic and variant forms present in Unicode, the following lower-case characters can be spoofed:

Cyrillic has a, e, o, p, c, y, x, and s.
Greek has v, o, c, j.

And that's before you start on the close matches (gamma, rho, upsilon, omega.) which might easily be mistaken at small point sizes.