Slashdot Mirror

← Back to Stories (view on slashdot.org)

Patch & Workaround for Firefox Flaw Available

Posted by Zonk on from the plugging-the-holes dept.

mcc writes "Yesterday Slashdot reported on a Firefox vulnerability which could allow remote code execution. Today Firefox has a patch and a configuration workaround, both of which immunize against the bug. If you are using Firefox you should immediately go to the URL 'about:config', type 'network.enableIDN' into the box, and verify that 'network.enableIDN' is set to 'false'." Update: 09/10 18:59 GMT by Z : Removed wayward colon.

17 of 235 comments (clear)

  1. yesterday it was "unpatched!?!?!", today is fixed. by Maow · · Score: 5, Insightful
    I thought yesterday's story about the unpatched flaw was a bit hasty.

    I wouldn't be implying laziness on the part of developers until a couple days have passed after the bug report.

  2. Secure Web Browser by joelparker · · Score: 4, Interesting

    With two significant security flaws discovered so far in Firefox (and many in IE) what should a high-security company do for a secure web browser?

    1. Re:Secure Web Browser by justsomebody · · Score: 4, Interesting

      Well, first thing a high-security company should do is localize machines with internet access and separate them from the rest that need to be secure. It worked out for me when I recieved a job that demanded this task.

      We just separated vital and non-vital computers in two groups with one computer serving as bridge when data needed to be transfered from one network to another. This was one and only node in network visible to all with minimized and highly tracked in-house services for transfering the data.

      Second thing on the secure part is absolute disabling of any kind of install and taking out every removable device.

      But,... there is no better security than being unplugged. So, best answer to your question "which browser?" is NO BROWSER

      --
      Signature Pro version 1.13.2-3 release 83.5 beta3try7 after-breakfast edition
    2. Re:Secure Web Browser by mu-sly · · Score: 4, Insightful

      Memorize this and make it your mantra:

      "Security is a process, not a product."

      --
      Organic free-range music... yum!
  3. actually. by asa · · Score: 5, Informative

    We actually had the patch and workaround up yesterday.

    It's unfortunate that the bug reporter gave us so little time to respond to the issue before going public. He filed the confidential security bug on the afternoon of the 6th, and then went highly public (to c|net) in less than 72 hours.

    As anyone can see now that the bug is no longer confidential, we were hard at work diagnosing the problem when he went public. Not only that, but the public release he made was based on our developer's analysis of the problem, not his -- which happened to be wrong.

    This workaround that we posted (on the same day as the problem was made public) is only temporary and causes some of our users a loss of functionality (IDN). We will be issuing a full browser update for our stable Firefox 1.0.x and Mozilla 1.7.x releases which contains the real fix (also available as a patch to both 1.0.6 and 1.5 Beta yesterday) that avoids the security issue without disabling IDN.

    Expect that new release shortly.

    - A

  4. Doesn't quite work, use about:config instead by slobber · · Score: 4, Informative

    Going to

    about:config:

    does nothing in firefox (at least version 1.0.4)

    use

    about:config

    instead.

    --
    "You mortals are so obtuse." -Q
  5. Re:That was FAST. by cnettel · · Score: 4, Interesting
    It will just be sad for those users relying on IDN. That may not be U.S. users, but it WILL disturb some Swedish sites, and I assume it's far worse for Japanese and Chinese users, for example. There may be other, older, domain name schemes for those users still used that I'm not aware of, though, but IDN has been seen as the way forward for quite some time.

    It's not a patch anymore than turning of Javascript is a patch for several IE vulnerabilities. It might be argued that this workaround does less in the area of destroying the "experience" for normal surfers, but as I noted, I think that depends much on your nationality/language.

  6. Re:Here's a question... by Anonymous Coward · · Score: 4, Informative

    IDN -> International Domain Names

    It allows you to create a domain name with international characters ( like böghåla.se ), create the A/PTR records with a coded name that bind can handle ( xn--bghla-ira0j.se ) and a method to convert between the two ( look up PUNY ).

    That way, when you type in your browser "http://www.böghåla.se", you are directed to "http://www.xn--bghla-ira0j.se".

    Turning IDN off in Firefox is mighty a stupid solution. Stupid on a planetary scale. A problem should be fixed, not circumvented by removing the functionality.

    I wonder if the guy who coined the advice "turn it off" would cut off his arm if he got a zit on the elbow ? Same thing..

  7. Power of Propaganda by i_ate_god · · Score: 5, Insightful

    I'm amazed at how surprised some people are at the fact that Firefox has serious exploit. They think, "oh well, it's an alternative to microsoft, it's therefore immune to everything!". Then something bad happens and these same people act like they no longer have anywhere to turn to. They act like their faith was completely misguided and now they have no one to put said faith into.

    The same thing applied to other people as well, as we saw in a previous slash dot article about macs. While not impossible, it's extremely difficult to make software that is in a constant state of development completely exploit proof. Firefox is ultimately a better browser than IE for numerous reasons, but it is not 100% perfect, nor is OSX, nor is Linux or FreeBSD or Windows, or anything else on this planet and it's silly to expect otherwise.

    Nature doesn't operate on 100% uptime, only 99.9%.

    --
    I'm god, but it's a bit of a drag really...
  8. Re:That was FAST. by bluesoul88 · · Score: 5, Insightful

    You make a good point. But I've got faith that the Firefox guys will put up a more solid patch soon, to get IDN working as it should. For many people this will be a "good enough" fix. Many other people won't be satisfied with it, as you said. The important thing is the flaw's identified and a tentative fix is in place. Now they can just elaborate on it. That's how I would do it, anyway.

    --
    TLoM: Nerds + DDR + Rednecks for the win!
  9. Re:yesterday it was "unpatched!?!?!", today is fix by Bogtha · · Score: 4, Insightful

    "Unpatched" means there is not a patch available to fix the vulnerability. Yesterday it was unpatched.

    Since when does "unpatched" mean lazy?

    --
    Bogtha Bogtha Bogtha
  10. Re:Here's a question... by Professor_UNIX · · Score: 4, Funny
    Turning IDN off in Firefox is mighty a stupid solution. Stupid on a planetary scale. A problem should be fixed, not circumvented by removing the functionality.

    I disagree. I would wager at least 98% of Firefox users do not need IDN functionality at all. The only thing it's really used for in reality are phishing sites. Unless you regularly interact with foreigners who refuse to conform to the proper ASCII character set in their domain names you shouldn't notice any difference in your browsing at all. When Jesus established the original RFC for domain names he used sensible restrictions, but now with this new IDN garbage we have people using characters that don't even make sense or appear on our keyboards! What villainy is this?

  11. Re:Here's a question... by Professor_UNIX · · Score: 4, Funny

    Woops, I meant Jon.. Jon Postel. Common mistake.

  12. But, but, but by heinousjay · · Score: 5, Funny

    Removed wayward colon.

    Ewwwwwww.

    --
    Slashdot - where whining about luck is the new way to make the world you want.
  13. Ouch. by x136 · · Score: 5, Funny
    Update: 09/10 18:59 GMT by Z : Removed wayward colon.
    That sounds exceedingly painful.
    --
    SIGFEH
  14. Re:IDN by ssj_195 · · Score: 5, Informative

    You are correct; the previous one was a IDN spoofing vulnerability, which I thought was largely a flaw in the IDN specification itself, rather than in any particular implementation thereof (is this correct...?). This time around, however, the flaw lies in the Firefox code itself.

  15. Re:yesterday it was "unpatched!?!?!", today is fix by darkonc · · Score: 5, Insightful
    That sounds like Microsoft saying to turn off ActiveX controls, until a real patch can be made...

    Sort of, but IDN isn't something that's that critical for many people like Active-X, which is at the centre of Microsoft's incompatibility war.

    IDN is (necessarily) a bit of a kludge for the most part anyways. The International Domain Name stuff opens up it's own can of worms in that you can come up with Domain names that look a lot like a well known one by grabbing a domain name with one letter changed to an IDN character that looks enough like the original one to fool people. example: hötmail.çom replaces both the O in hotmail and the c in com. botth relatively obvious but good enough to fool some into thinking that it's a rendering error. (( Slashdot filters out almost all international characters, which makes it hard to give a really good IDN example )).

    --
    Sometimes boldness is in fashion. Sometimes only the brave will be bold.