Slashdot Mirror


Patch & Workaround for Firefox Flaw Available

mcc writes "Yesterday Slashdot reported on a Firefox vulnerability which could allow remote code execution. Today Firefox has a patch and a configuration workaround, both of which immunize against the bug. If you are using Firefox you should immediately go to the URL 'about:config', type 'network.enableIDN' into the box, and verify that 'network.enableIDN' is set to 'false'." Update: 09/10 18:59 GMT by Z : Removed wayward colon.

24 of 235 comments

  1. yesterday it was "unpatched!?!?!", today is fixed. by Maow · · Score: 5, Insightful
    I thought yesterday's story about the unpatched flaw was a bit hasty.

    I wouldn't be implying laziness on the part of developers until a couple days have passed after the bug report.

  2. Secure Web Browser by joelparker · · Score: 4, Interesting

    With two significant security flaws discovered so far in Firefox (and many in IE) what should a high-security company do for a secure web browser?

    1. Re:Secure Web Browser by justsomebody · · Score: 4, Interesting

      Well, first thing a high-security company should do is localize machines with internet access and separate them from the rest that need to be secure. It worked out for me when I received a job that demanded this task.

      We just separated vital and non-vital computers in two groups with one computer serving as bridge when data needed to be transferred from one network to another. This was one and only node in network visible to all with minimized and highly tracked in-house services for transferring the data.

      Second thing on the secure part is absolute disabling of any kind of install and taking out every removable device.

      But,... there is no better security than being unplugged. So, best answer to your question "which browser?" is NO BROWSER

      --
      Signature Pro version 1.13.2-3 release 83.5 beta3try7 after-breakfast edition
    2. Re:Secure Web Browser by mu-sly · · Score: 4, Insightful

      Memorize this and make it your mantra:

      "Security is a process, not a product."

    3. Re:Secure Web Browser by Beryllium+Sphere(tm) · · Score: 3, Insightful

      >Unplug. I have yet to see a hacker get around that, and it's been around for ages!

      Oh, I can imagine a bad guy getting around that:

      phone rings
      User: "Hello?"
      BG: "This is the help desk. Have you been having any network slowdowns?"
      User: "Well, now that you mention it..."
      BG: "Could you please help us test the collectimizer flexput on your MAUnode? Just plug your workstation into the network and point your browser to http://www.helpdesk.ro/"

      Elegant and simple solutions don't work if the problem is malicious and intelligent.

  3. That was FAST. by bluesoul88 · · Score: 3, Interesting

    From what I read in yesterday's article it was more than a little serious. Going from broken to patched in a day is a damn good turnaround. Or it could just be, you know, breathlessly delivered news. This is possible. :) Either way, thank you Firefox team. The local high school is going to be transitioning over to Firefox within a few weeks, to coincide with moving in to a newly built school. I can't say I'm not more surprised about Firefox than the new school.

    1. Re:That was FAST. by cnettel · · Score: 4, Interesting
      It will just be sad for those users relying on IDN. That may not be U.S. users, but it WILL disturb some Swedish sites, and I assume it's far worse for Japanese and Chinese users, for example. There may be other, older, domain name schemes for those users still used that I'm not aware of, though, but IDN has been seen as the way forward for quite some time.

      It's not a patch any more than turning off Javascript is a patch for several IE vulnerabilities. It might be argued that this workaround does less in the area of destroying the "experience" for normal surfers, but as I noted, I think that depends much on your nationality/language.

    2. Re:That was FAST. by bluesoul88 · · Score: 5, Insightful

      You make a good point. But I've got faith that the Firefox guys will put up a more solid patch soon, to get IDN working as it should. For many people this will be a "good enough" fix. Many other people won't be satisfied with it, as you said. The important thing is the flaw's identified and a tentative fix is in place. Now they can just elaborate on it. That's how I would do it, anyway.

  4. Re:IDN? by ScrewMaster · · Score: 3, Funny

    Integrated Digital Network without the Services. I think it's referring to MSN.

    --
    The higher the technology, the sharper that two-edged sword.
  5. actually. by asa · · Score: 5, Informative

    We actually had the patch and workaround up yesterday.

    It's unfortunate that the bug reporter gave us so little time to respond to the issue before going public. He filed the confidential security bug on the afternoon of the 6th, and then went highly public (to c|net) in less than 72 hours.

    As anyone can see now that the bug is no longer confidential, we were hard at work diagnosing the problem when he went public. Not only that, but the public release he made was based on our developer's analysis of the problem, not his -- which happened to be wrong.

    This workaround that we posted (on the same day as the problem was made public) is only temporary and causes some of our users a loss of functionality (IDN). We will be issuing a full browser update for our stable Firefox 1.0.x and Mozilla 1.7.x releases which contains the real fix (also available as a patch to both 1.0.6 and 1.5 Beta yesterday) that avoids the security issue without disabling IDN.

    Expect that new release shortly.

    - A

    1. Re:actually. by bogie · · Score: 3, Informative

      That's coming in 1.5. See the release notes here.

      http://www.mozilla.org/products/firefox/releases/1.5beta1.html

      Note that future updates to Firefox "may now be half a megabyte or smaller."

      --
      If you wanna get rich, you know that payback is a bitch
    2. Re:actually. by mroch · · Score: 3, Interesting

      The description of the vulnerability is copied verbatim out of the bug report, yet Tom Ferris claims copyright at the bottom of the announcement. This is plagiarism, and public disclosure of confidential information, isn't it? Can Mozilla go after him? (IANAL)

  6. Doesn't quite work, use about:config instead by slobber · · Score: 4, Informative

    Going to

    about:config:

    does nothing in firefox (at least version 1.0.4)

    use

    about:config

    instead.

    --
    "You mortals are so obtuse." -Q
  7. Re:Here's a question... by Anonymous Coward · · Score: 4, Informative

    IDN -> International Domain Names

    It allows you to create a domain name with international characters ( like böghåla.se ), create the A/PTR records with a coded name that bind can handle ( xn--bghla-ira0j.se ) and a method to convert between the two ( look up PUNY ).

    That way, when you type in your browser "http://www.böghåla.se", you are directed to "http://www.xn--bghla-ira0j.se".

    Turning IDN off in Firefox is mighty a stupid solution. Stupid on a planetary scale. A problem should be fixed, not circumvented by removing the functionality.

    I wonder if the guy who coined the advice "turn it off" would cut off his arm if he got a zit on the elbow ? Same thing..

  8. Power of Propaganda by i_ate_god · · Score: 5, Insightful

    I'm amazed at how surprised some people are at the fact that Firefox has a serious exploit. They think, "oh well, it's an alternative to microsoft, it's therefore immune to everything!". Then something bad happens and these same people act like they no longer have anywhere to turn to. They act like their faith was completely misguided and now they have no one to put said faith into.

    The same thing applied to other people as well, as we saw in a previous Slashdot article about macs. While not impossible, it's extremely difficult to make software that is in a constant state of development completely exploit proof. Firefox is ultimately a better browser than IE for numerous reasons, but it is not 100% perfect, nor is OSX, nor is Linux or FreeBSD or Windows, or anything else on this planet and it's silly to expect otherwise.

    Nature doesn't operate on 100% uptime, only 99.9%.

    --
    I'm god, but it's a bit of a drag really...
  9. Re:yesterday it was "unpatched!?!?!", today is fix by Bogtha · · Score: 4, Insightful

    "Unpatched" means there is not a patch available to fix the vulnerability. Yesterday it was unpatched.

    Since when does "unpatched" mean lazy?

    --
    Bogtha Bogtha Bogtha
  10. Re:Here's a question... by Professor_UNIX · · Score: 4, Funny
    >Turning IDN off in Firefox is mighty a stupid solution. Stupid on a planetary scale. A problem should be fixed, not circumvented by removing the functionality.

    I disagree. I would wager at least 98% of Firefox users do not need IDN functionality at all. The only thing it's really used for in reality are phishing sites. Unless you regularly interact with foreigners who refuse to conform to the proper ASCII character set in their domain names you shouldn't notice any difference in your browsing at all. When Jesus established the original RFC for domain names he used sensible restrictions, but now with this new IDN garbage we have people using characters that don't even make sense or appear on our keyboards! What villainy is this?

  11. Re:Here's a question... by Professor_UNIX · · Score: 4, Funny

    Woops, I meant Jon.. Jon Postel. Common mistake.

  12. But, but, but by heinousjay · · Score: 5, Funny

    >Removed wayward colon.

    Ewwwwwww.

    --
    Slashdot - where whining about luck is the new way to make the world you want.
  13. Ouch. by x136 · · Score: 5, Funny
    >Update: 09/10 18:59 GMT by Z : Removed wayward colon.
    That sounds exceedingly painful.
    --
    SIGFEH
  14. Re:IDN by ssj_195 · · Score: 5, Informative

    You are correct; the previous one was an IDN spoofing vulnerability, which I thought was largely a flaw in the IDN specification itself, rather than in any particular implementation thereof (is this correct...?). This time around, however, the flaw lies in the Firefox code itself.

  15. Mozilla Suite, Too by alacqua · · Score: 3, Informative

    For all of you dinosaurs who, like me, still use and prefer mozilla suite, this applies to us also. And for all of you lazy slashdot readers who, like me, hate to track down a link in another comment, here's that link:

    What Firefox and Mozilla users should know about the IDN buffer overflow security issue

    --

    Move on. There's nothing to see here.
  16. Re:yesterday it was "unpatched!?!?!", today is fix by darkonc · · Score: 5, Insightful
    >That sounds like Microsoft saying to turn off ActiveX controls, until a real patch can be made...

    Sort of, but IDN isn't something that's that critical for many people like Active-X, which is at the centre of Microsoft's incompatibility war.

    IDN is (necessarily) a bit of a kludge for the most part anyways. The International Domain Name stuff opens up its own can of worms in that you can come up with Domain names that look a lot like a well known one by grabbing a domain name with one letter changed to an IDN character that looks enough like the original one to fool people. example: hötmail.çom replaces both the O in hotmail and the c in com. both relatively obvious but good enough to fool some into thinking that it's a rendering error. (( Slashdot filters out almost all international characters, which makes it hard to give a really good IDN example )).

    --
    Sometimes boldness is in fashion. Sometimes only the brave will be bold.
  17. IDN spoofing with Cyrillic and Greek by ThreeDayMonk · · Score: 3, Informative

    >example: hötmail.çom

    Actually, I don't think you can change the ".com" - the TLDs need to match still - but you can do even better: the Cyrillic and Greek alphabets contain numerous letters that look exactly like Roman letters.

    Including archaic and variant forms present in Unicode, the following lower-case characters can be spoofed:

    Cyrillic has a, e, o, p, c, y, x, and s.
    Greek has v, o, c, j.

    And that's before you start on the close matches (gamma, rho, upsilon, omega.) which might easily be mistaken at small point sizes.

    --
    If your comment title says 'Re: Foo', I'm not likely to read it.
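
Added example, not part of the thread or any commenter's post: a Python sketch of the check the IDN comments above point toward, combining the Punycode conversion described in comment 7 with the Cyrillic and Greek lookalikes listed in comment 17. The code points chosen for `CONFUSABLES`, the function names and the sample hostnames are assumptions made for illustration.

```python
import unicodedata

# Lookalikes named in the thread: Cyrillic a, e, o, p, c, y, x, s and
# Greek v, o, c, j, mapped to the Latin letter each one imitates.
# (Assumed code points; the thread names the letters, not the code points.)
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0455": "s",
    "\u03bd": "v", "\u03bf": "o", "\u03f2": "c", "\u03f3": "j",
}

def to_unicode(host):
    """Decode any xn-- (Punycode) labels so the check sees real characters."""
    return host.encode("ascii").decode("idna") if host.isascii() else host

def to_ascii(host):
    """The form actually sent to DNS: xn--... for labels with non-ASCII letters."""
    return host.encode("idna").decode("ascii")

def scripts(label):
    """Scripts used by the letters of one label, taken from Unicode names."""
    return {unicodedata.name(ch).split()[0] for ch in label if ch.isalpha()}

def skeleton(host):
    """Replace each known lookalike with the Latin letter it resembles."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in host)

def check_host(host, protected):
    """Return a list of findings for one hostname against protected names."""
    host = to_unicode(host.lower())
    findings = []
    for label in host.split("."):
        used = scripts(label)
        if len(used) > 1:
            findings.append(f"mixed scripts in {label!r}: {sorted(used)}")
    skel = skeleton(host)
    if skel != host and skel in protected:
        findings.append(f"lookalike of {skel} (DNS form {to_ascii(host)})")
    return findings

# Constructed sample input: hotmail.com is the thread's example, the rest is made up.
PROTECTED = {"hotmail.com"}
SAMPLES = ["hotmail.com", "h\u043etmail.com", "\u0440\u0430\u0443.example"]

if __name__ == "__main__":
    for name in SAMPLES:
        print(to_ascii(name), check_host(name, PROTECTED) or "ok")
```

The third sample is written entirely in Cyrillic, so the mixed-script test passes it; only the skeleton comparison against a list of protected names can flag that case.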