Slashdot Mirror


Patch & Workaround for Firefox Flaw Available

mcc writes "Yesterday Slashdot reported on a Firefox vulnerability which could allow remote code execution. Today Firefox has a patch and a configuration workaround, both of which immunize against the bug. If you are using Firefox you should immediately go to the URL 'about:config', type 'network.enableIDN' into the box, and verify that 'network.enableIDN' is set to 'false'." Update: 09/10 18:59 GMT by Z : Removed wayward colon.

8 of 235 comments

  1. yesterday it was "unpatched!?!?!", today is fixed. by Maow · · Score: 5, Insightful
    I thought yesterday's story about the unpatched flaw was a bit hasty.

    I wouldn't be implying laziness on the part of developers until a couple days have passed after the bug report.

  2. actually. by asa · · Score: 5, Informative

    We actually had the patch and workaround up yesterday.

    It's unfortunate that the bug reporter gave us so little time to respond to the issue before going public. He filed the confidential security bug on the afternoon of the 6th, and then went highly public (to c|net) in less than 72 hours.

    As anyone can see now that the bug is no longer confidential, we were hard at work diagnosing the problem when he went public. Not only that, but the public release he made was based on our developer's analysis of the problem, not his -- which happened to be wrong.

    This workaround that we posted (on the same day as the problem was made public) is only temporary and causes some of our users a loss of functionality (IDN). We will be issuing a full browser update for our stable Firefox 1.0.x and Mozilla 1.7.x releases which contains the real fix (also available as a patch to both 1.0.6 and 1.5 Beta yesterday) that avoids the security issue without disabling IDN.

    Expect that new release shortly.

    - A

  3. Power of Propaganda by i_ate_god · · Score: 5, Insightful

    I'm amazed at how surprised some people are at the fact that Firefox has a serious exploit. They think, "oh well, it's an alternative to Microsoft, it's therefore immune to everything!". Then something bad happens and these same people act like they no longer have anywhere to turn to. They act like their faith was completely misguided and now they have no one to put said faith into.

    The same thing applied to other people as well, as we saw in a previous Slashdot article about Macs. While not impossible, it's extremely difficult to make software that is in a constant state of development completely exploit proof. Firefox is ultimately a better browser than IE for numerous reasons, but it is not 100% perfect, nor is OSX, nor is Linux or FreeBSD or Windows, or anything else on this planet and it's silly to expect otherwise.

    Nature doesn't operate on 100% uptime, only 99.9%.

    --
    I'm god, but it's a bit of a drag really...
  4. Re:That was FAST. by bluesoul88 · · Score: 5, Insightful

    You make a good point. But I've got faith that the Firefox guys will put up a more solid patch soon, to get IDN working as it should. For many people this will be a "good enough" fix. Many other people won't be satisfied with it, as you said. The important thing is the flaw's identified and a tentative fix is in place. Now they can just elaborate on it. That's how I would do it, anyway.

  5. But, but, but by heinousjay · · Score: 5, Funny

    Removed wayward colon.

    Ewwwwwww.

    --
    Slashdot - where whining about luck is the new way to make the world you want.
  6. Ouch. by x136 · · Score: 5, Funny
    Update: 09/10 18:59 GMT by Z : Removed wayward colon.
    That sounds exceedingly painful.
    --
    SIGFEH
  7. Re:IDN by ssj_195 · · Score: 5, Informative

    You are correct; the previous one was an IDN spoofing vulnerability, which I thought was largely a flaw in the IDN specification itself, rather than in any particular implementation thereof (is this correct...?). This time around, however, the flaw lies in the Firefox code itself.

  8. Re:yesterday it was "unpatched!?!?!", today is fix by darkonc · · Score: 5, Insightful
    That sounds like Microsoft saying to turn off ActiveX controls, until a real patch can be made...

    Sort of, but IDN isn't something that's that critical for many people like Active-X, which is at the centre of Microsoft's incompatibility war.

    IDN is (necessarily) a bit of a kludge for the most part anyways. The International Domain Name stuff opens up its own can of worms in that you can come up with domain names that look a lot like a well known one by grabbing a domain name with one letter changed to an IDN character that looks enough like the original one to fool people. Example: hötmail.çom replaces both the O in hotmail and the c in com. Both relatively obvious but good enough to fool some into thinking that it's a rendering error. (( Slashdot filters out almost all international characters, which makes it hard to give a really good IDN example )).

    --
    Sometimes boldness is in fashion. Sometimes only the brave will be bold.
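
The lookalike-name problem from the last comment, as an added example that is not part of the original thread: a Python check that shows the ASCII (Punycode) form a name resolves as and flags names that fold to a protected domain. It goes one step beyond the comment's accented-letter case by also flagging labels that mix scripts, which diacritic folding alone cannot catch. The watchlist and function names are assumptions made for this illustration.

```python
import unicodedata

# Constructed watchlist of names worth protecting (assumption, not from the thread).
WATCHLIST = {"hotmail.com", "slashdot.org"}


def to_ace(hostname):
    """Return the ASCII-compatible ('xn--') form that is actually sent to DNS."""
    return hostname.encode("idna").decode("ascii")


def fold(hostname):
    """Lower-case, decompose (NFKD) and drop combining marks: 'ö' -> 'o', 'ç' -> 'c'."""
    decomposed = unicodedata.normalize("NFKD", hostname.lower())
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))


def scripts(label):
    """Scripts used by the letters of one label, read from Unicode character names."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def check(hostname):
    """Classify a hostname as 'ascii', 'lookalike', 'mixed-script' or 'idn'."""
    if hostname.isascii():
        return "ascii"
    if fold(hostname) in WATCHLIST:
        return "lookalike"        # accented copy of a protected name
    if any(len(scripts(label)) > 1 for label in hostname.split(".")):
        return "mixed-script"     # e.g. Latin and Cyrillic letters in one label
    return "idn"                  # non-ASCII, but nothing suspicious found


if __name__ == "__main__":
    # Constructed samples; the first is the example given in the comment above.
    for name in ["h\u00f6tmail.\u00e7om", "ex\u0430mple.com", "b\u00fccher.de", "hotmail.com"]:
        print(f"{name!r:22} {to_ace(name):30} {check(name)}")
```

Showing the `xn--` form next to the rendered name is the useful part for a reader or a log reviewer: the two names in the comment's example are visually close, but their ASCII forms are not.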