Vulnerability In Firefox Popup Blocker

← Back to Stories (view on slashdot.org)

Vulnerability In Firefox Popup Blocker

Posted by kdawson on Tuesday February 6, 2007 @10:01AM from the all-your-files dept.

cj writes in with news of a vulnerability in Firefox's stock popup blocker discovered by Michal Zalewski. The vulnerability can allow a malicious user to read files from an affected system. The attacker would "need to plant a predictably named file with exploit code on the target system. This sounds hard, but isn't," according to the article.

100 comments

Anyone knows if the 2.x tree is vulnerable too? by A+beautiful+mind · 2007-02-06 10:03 · Score: 5, Informative

From TFA:
Vulnerable Systems:
* Firefox version 1.5.0.9
Can anyone test?

--
It takes a man to suffer ignorance and smile
Be yourself no matter what they say
1. Re:Anyone knows if the 2.x tree is vulnerable too? by Tony+Hoyle · 2007-02-06 10:07 · Score: 2, Interesting
  
  Is anyone still running 1.5.0? I thought the auto upgrade had handled that months ago.
2. Re:Anyone knows if the 2.x tree is vulnerable too? by Richard_at_work · 2007-02-06 10:11 · Score: 2, Informative
  
  Im using 1.5.0.9 at the moment, no 2.0 upgrade was ever pushed out to me, and checking now manually shows no updates waiting.
3. Re:Anyone knows if the 2.x tree is vulnerable too? by Tony+Hoyle · 2007-02-06 10:13 · Score: 5, Insightful
  
  Can anyone test?
  
  Nope, because no example exploit is given and the means of exploitation looks rather unlikely:
  
  "To create a popup warning, a script embedded on the page calls: window.open('file:///c:/windows/temp/xxxxxxx.htm', 'new2',''),
  
  with a name calculated by repeating a procedure implemented in SetUpTempFile() with a seed calculated by the server based on reported system time (p2.html?time)."
  
  1. It assumes that the temp file is c:/windows/temp. It isn't, unless you're running Windows 95, and only then if you've not changed it from default. That's the *system* default temp file. The *user* temp directory is inside local settings in the user specific area (much harder to find out remotely. Maybe not impossible, but you'd have to get lucky (it's not just the username as the directory name.. it has things like .000 after it).
  2. Calculating the seed to that accuracy is damned hard.
4. Re:Anyone knows if the 2.x tree is vulnerable too? by Baron+Eekman · 2007-02-06 10:15 · Score: 1
  
  I use Ubuntu Dapper, and it hasn't updated to 2.0 yet, I type this running 1.5.0.9. I do not really understand the exploit, but it seems quite elaborate. There is no concept of proof that I can test over there, sorry. It doesn't say whether only Windows versions are susceptible either.
5. Re:Anyone knows if the 2.x tree is vulnerable too? by Baron+Eekman · 2007-02-06 10:18 · Score: 2, Funny
  
  "proof of concept" that is; I should go to bed
6. Re:Anyone knows if the 2.x tree is vulnerable too? by CRCulver · 2007-02-06 10:24 · Score: 2, Informative
  
  Did you download Firefox directly from its website? It may be that your distro turned off auto-update in packaging Firefox.
7. Re:Anyone knows if the 2.x tree is vulnerable too? by linuxci · 2007-02-06 10:29 · Score: 2, Informative
  
  Firefox 2 is still an optional upgrade so is not pushed through auto-update, the 1.5 series is still supported. Once 1.5 gets closer to end of life then 2.0 will be offered.
8. Re:Anyone knows if the 2.x tree is vulnerable too? by N7DR · 2007-02-06 10:31 · Score: 2, Interesting
  
  FYI, the auto-update to 2.0.x has been delayed a few times. It will happen sometime soon.
  http://wiki.mozilla.org/Major_Update_1.5.0.x_to_2. 0.0.x
9. Re:Anyone knows if the 2.x tree is vulnerable too? by rainman_bc · 2007-02-06 10:35 · Score: 3, Informative
  
  Is anyone still running 1.5.0? I thought the auto upgrade had handled that months ago.
  
  Fedora has no plans to officially release a 2.0 for FC6:
  
  http://fedoraproject.org/wiki/Firefox2
  
  "Fedora users will be to stay with Firefox 1.5 and wait for the Firefox 3.0 update"
  
  That's left me a bit annoyed personally... I like the changes to FF2...
  
  --
  09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
10. Re:Anyone knows if the 2.x tree is vulnerable too? by hal9000(jr) · 2007-02-06 10:40 · Score: 3, Informative
  
  Yep, on windows. I moved to FF2.0 when it came out, got hosed by java handling and other stuff, and jumped back to 1.5. I will wait a bit longer before I make the leap again.
11. Re:Anyone knows if the 2.x tree is vulnerable too? by iago-vL · 2007-02-06 10:53 · Score: 2, Interesting
  
  For what it's worth, from Zalewski's original post,
  Firefox sometimes creates outright deterministic temporary filenames in system-wide temporary directory when opening files with external applications
  And according to him, calculating the seed isn't terribly difficult. srand() is called directly before the random file creation and is seeded with the current time, in milliseconds. That time is possible to obtain within a narrow margin using JavaScript.
  
  --
  http://www.skullsecurity.org/blog/
12. Re:Anyone knows if the 2.x tree is vulnerable too? by kosmosik · 2007-02-06 11:04 · Score: 1
  
  You kind of right. It is hard but not impossible or in fact very easy for skilled cracker.
  
  I've always liked MZ way of thinking. I've read his book. Usually his discoverings do not cover the mass side of a thing. He usually focuses on targeted attacks which are hard but possible - I mean attacks when you target some individual or organisation to get data, not when you want to have biggest coverage of zombies on casual-home-user-machines.
  
  Same as in here. If you are a security professional (I can guess - I am not) you do not worry to much about automated bot stuff targeted against people who do not patch their machines or have little-to-none knowledge about security and face it use vanilla Windows installation. I guess that when you are paranoid about security (and I wish people who are responsible for that to be paranoid) than such kind of just possibility makes you just wonder.
13. Re:Anyone knows if the 2.x tree is vulnerable too? by Tony+Hoyle · 2007-02-06 11:06 · Score: 2, Interesting
  
  I strongly doubt it does, because you'd fall foul of vista UAC protection - no user app should go near the systemwide temp directory (that's even if you can find it... %TEMP%, GetTempFileName, etc. will always give you the user one. AFAIK you have to dig into the registry to find the system one, or be running as a system service).
  
  Although a bug exists (file:// bypasses some of the security checks.. fixed already apparently) the theoretical exploit as written isn't usable - probably why there's no working example
14. Re:Anyone knows if the 2.x tree is vulnerable too? by Tony+Hoyle · 2007-02-06 11:19 · Score: 1
  
  Paranoia is good - I don't disagree that there's an issue that needs fixing, but the way it's presented is as if there's a general exploit, but it just isn't that easy.
  
  Clearly targeting a specific user where you knew information like the username and system setup beforehand would make this possible (independent of OS).
15. Re:Anyone knows if the 2.x tree is vulnerable too? by JackHoffman · 2007-02-06 11:31 · Score: 1
  
  Yes, one can test the primary vulnerability quite easily and yes, it works in Firefox 2.0. The popup blocker allows users to retroactively open file: URLs which are called from webpages (http://...) even though Firefox normally blocks all such accesses. If you can place a file with a known pathname on the user's system, you can read every file. The PRN bug is only one way by which an attacker could place his helper file, the article mentions one more.
16. Re:Anyone knows if the 2.x tree is vulnerable too? by totally+bogus+dude · 2007-02-06 11:36 · Score: 1
  
  I strongly doubt it does, because you'd fall foul of vista UAC protection
  How does that matter? It's not as if anybody is using Vista yet... :)
  
  On a serious note, is the system temp directory really not world-writeable in Vista?
  
  <rant>Also, what's with Windows never deleting anything in the user temp directories? What part of temporary does it not understand? Every now and then I'll see an app crap itself because it can't create a temporary file... because the directory is full!. What the **** is up with that?! I've still got files in my user temp folder from when the machine was built in September last year! (This may go some way to explaining why Windows PCs seem to get slower and slower with nothing more than age.)</rant>
17. Re:Anyone knows if the 2.x tree is vulnerable too? by Carnildo · 2007-02-06 11:54 · Score: 3, Interesting
  
  Thanks for the tip. I just checked my temp directory, and I've got stuff dating back to early 2001 in there.
  
  --
  "They redundantly repeated themselves over and over again incessantly without end ad infinitum" -- ibid.
18. Re:Anyone knows if the 2.x tree is vulnerable too? by porl · 2007-02-06 12:01 · Score: 1
  
  i don't think dapper will ever roll over to 2.x. from memory the firefox 1.5 code was buried too deeply in their customised gnome packages or something, so it was a major undertaking to pull it out. when i ran dapper though i found it easy to download and install firefox 2 off the official site and either run it from my home dir or install system wide, just install to /usr/local/bin etc and do something like ln -sf /usr/local/bin/firefox /usr/bin/firefox if you want to make it completely override the system version like i did.
19. Re:Anyone knows if the 2.x tree is vulnerable too? by Anonymous Coward · 2007-02-06 12:02 · Score: 0
  
  Users have many interesting pieces of information on their computers: game and OS license keys, for example. If they're not in deterministic locations, an attacker can write a script to look for them: file-URLs can be used to list directory contents.
20. Re:Anyone knows if the 2.x tree is vulnerable too? by HeroreV · 2007-02-06 12:05 · Score: 1
  
  I don't believe Firefox can be upgraded from 1.5 to 2.0. So far only security patches have been released as updates.
21. Re:Anyone knows if the 2.x tree is vulnerable too? by starnix · 2007-02-06 12:13 · Score: 1
  
  Bullshit.... I have Dapper running FF 2.0.0.1 and it was very EASY to install it.
22. Re:Anyone knows if the 2.x tree is vulnerable too? by kosmosik · 2007-02-06 12:18 · Score: 1
  
  > Paranoia is good - I don't disagree that there's an issue that
  > needs fixing, but the way it's presented is as if there's a
  > general exploit, but it just isn't that easy.
  
  You mean how it is presented here (on Slashdot). Well you must be new here. ;))) They always present it like that - this is like lowest grade journalism. But I like the fact that users that read this kind of information are geek enough to understand that this is overhyped. It is some kind of local (global in fact) folklor that is unique to /. :)
  
  > Clearly targeting a specific user where you knew information
  > like the username and system setup beforehand would make this
  > possible (independent of OS).
  
  And this is scary. As we had agreed on (I assume) anything we stated I can only add that in current situation a browser (or MUA - or anything that processes data from the untrusted sources/Internet) that runs different privilege domain/context (hell we have it from ages in Linux via SELinux) would render this kind of attack useless. Too bad such kind of privileges are quite new yet - as for now typical user is in Windows 95 era and he/she does not understand basic NT or unix file permissions. And this is the biggest problem I think. :\
23. Re:Anyone knows if the 2.x tree is vulnerable too? by ESqVIP · 2007-02-06 12:57 · Score: 1
  
  Windows does clean it... well, sort of.
  When you're running low of disk space a warning appears, offering to run the Disk Cleanup tool, which tries to remove unused temporary files (among other things).
  But I wonder why it doesn't erase those pesky thumbs.db files (by checking their last access date).
24. Re:Anyone knows if the 2.x tree is vulnerable too? by HUADPE · 2007-02-06 13:03 · Score: 1
  
  Bullshit.... I have Dapper running FF 2.0.0.1 and it was very EASY to install it.
  
  From grandparent when i ran dapper though i found it easy to download and install firefox 2 off the official site
  Bullshit apparently now means "I agree with you."
  
  --
  This sig has not been evaluated by the FDA. It is not designed to diagnose, treat, prevent, or cure any disease.
25. Re:Anyone knows if the 2.x tree is vulnerable too? by Anonymous Coward · 2007-02-06 13:03 · Score: 0
  
  Disk Cleanup in Windows Vista does have an option to delete thumbnail files, but Disk Cleanup in Windows XP does not.
26. Re:Anyone knows if the 2.x tree is vulnerable too? by evilviper · 2007-02-06 13:05 · Score: 3, Insightful
  
  Also, what's with Windows never deleting anything in the user temp directories? What part of temporary does it not understand?
  As opposed to Linux, which also doesn't clear /tmp?
  
  Windows is slightly worse, but not by a lot.
  
  --
  Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
27. Re:Anyone knows if the 2.x tree is vulnerable too? by Zonnald · 2007-02-06 13:08 · Score: 1
  
  I think the idea is that the application that writes to the temp directory is supposed to remove it when it doesn't need it any more. This has mostly been my experience with software written by Microsoft. Especially annoying when such software crashes before the file is release/deleted and then can't recreate the file next time you run it. (VB6).
28. Re:Anyone knows if the 2.x tree is vulnerable too? by spikedvodka · 2007-02-06 13:13 · Score: 1
  
  man tmpwatch
  
  --
  I will not give in to the terrorists. I will not become fearful.
29. Re:Anyone knows if the 2.x tree is vulnerable too? by mashade · 2007-02-06 13:16 · Score: 1
  
  Many linux distros keep /tmp as a ramdisk which means they're cleared the moment the machine is shut off. I believe Slackware clears /tmp at least partially on every boot, so... Go do some research ;)
  
  --
  Technology tips and tricks.
30. Re:Anyone knows if the 2.x tree is vulnerable too? by TubeSteak · 2007-02-06 13:17 · Score: 1
  
  I didn't change over to FF 2.0, mostly out of sheer laziness.
  
  Then I went and grabbed FF Portable & just unzipped it into a folder.
  http://portableapps.com/apps/internet/firefox_port able
  
  There's an installer, but you can just unzip the .exe
  Note: The actual FF executable is a folder or two deep
  
  --
  [Fuck Beta]
  o0t!
31. Re:Anyone knows if the 2.x tree is vulnerable too? by Anonymous Coward · 2007-02-06 13:39 · Score: 3, Funny
  
  Bullshit.
32. Re:Anyone knows if the 2.x tree is vulnerable too? by Tharkban · 2007-02-06 13:42 · Score: 1
  
  The exploit code does not work on my own computer (Ubuntu edgy, firefox 2.0.0.1)
  
  I just checked whether I could get the provided code to run at all, file:/// or http:/// popup or not, nothing worked XMLHttpRequest.open() is not allowed in any scenario (including directed at external sites). That being said, I did manage to get the popup to display a file:/// url, so maybe there is some vulnerability there. But for my setup the exploit code doesn't do anything.
  
  --
  Tharkban (It is a signature after all)
33. Re:Anyone knows if the 2.x tree is vulnerable too? by Anonymous Coward · 2007-02-06 14:52 · Score: 0
  
  Well a blind mole will still find it's hole eventually.
  The problem this is only a example and if you have nothing better to all day you make as many cases you can on a p*rn page, which I assume is the best place, flood your browser with pop-ups and one will get through.
34. Re:Anyone knows if the 2.x tree is vulnerable too? by anagama · 2007-02-06 15:06 · Score: 1
  
  What the heck? Are you trying to ruin my uptime???
  
  --
  What changed under Obama? Nothing Good
35. Re:Anyone knows if the 2.x tree is vulnerable too? by evilviper · 2007-02-06 18:09 · Score: 1
  
  Many linux distros keep /tmp as a ramdisk
  By "many" do you perhaps mean "none"?
  
  There's always the odd floppy or CD-based mini distro, but that's really not relevant.
  I believe Slackware clears /tmp at least partially on every boot, so...
  I just checked my Slackware machine's init scripts. It clears /tmp/.X11 lock files, but that's it.
  Go do some research ;)
  *Ahem*
  
  --
  Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
36. Re:Anyone knows if the 2.x tree is vulnerable too? by evilviper · 2007-02-06 18:11 · Score: 1
  
  No manual entry for tmpwatch
  $
  
  --
  Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
37. Re:Anyone knows if the 2.x tree is vulnerable too? by OmnipotentEntity · 2007-02-06 21:11 · Score: 1
  
  Well, at least I know my Debian box does it on bootup, check /etc/rcS.d/S36mountall-bootclean.sh for more details.
  
  --
  "Build a man a fire warm him for a day, set a man on fire and warm him for the rest of his life."
38. Re:Anyone knows if the 2.x tree is vulnerable too? by donaldm · 2007-02-06 22:35 · Score: 2, Informative
  
  When I put FC6 on my 64 bit dual core AMD laptop it came standard with Firefox 1.5 while OpenSUSE (put this on my son's PC) came with Firefox 2. To upgrade to version 2 was fairly easy since all I had to do was download the rpm then remove version 1.5 then install the rpm. Firefox 2 seems to work well and I can even install global or personal plug-ins. I have a 64 bit processor and most of my apps are 64 bits (including Firefox) have to use nspluginwrapper to add 32 bit plug-ins because some vendors (cough Flash) have not got a 64 bit addition, however once "wrapped" it works.
  
  I am not sure if Firefox 2 is vulnerable since I have not seen any alerts.
  
  --
  There ain't no such thing as proprietary standards only proprietary formats. Standards are by definition open.
39. Re:Anyone knows if the 2.x tree is vulnerable too? by smoker2 · 2007-02-06 23:29 · Score: 1
  
  Fedora has no plans to officially release a 2.0 for FC6
  
  Back when FC4 was current, I got fed up with waiting for updates for FF from fedora, and even more fed up with broken updates for FF. So I uninstalled the FC release of Firefox, and downloaded a copy direct from the FF homepage. It has worked well, and been auto-updating without incident ever since.
  Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.1) Gecko/20061208 Firefox/2.0.0.1
  
  On a tangent, why does the headline not say "Vulnerability in Win32 Firefox Popup Blocker" ? Should it be taken for granted that any exploit will be windows based from now on ?
40. Re:Anyone knows if the 2.x tree is vulnerable too? by DrSkwid · 2007-02-07 05:33 · Score: 1
  
  not all operating systems are the same
  
  the upgrade pusher will not work for some, and neither should it
  
  --
  There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
41. Re:Anyone knows if the 2.x tree is vulnerable too? by Anonymous Coward · 2007-02-07 06:40 · Score: 0
  
  $ sudo apt-get install tmpreaper
42. Re:Anyone knows if the 2.x tree is vulnerable too? by aymanh · 2007-02-07 07:01 · Score: 1
  
  I used this script to install Firefox 2 on Dapper. It automatically downloads the latest version, installs it, integrates it with plugins installed through apt-get, and updates symbolic links. Works like a charm.
  
  --
  python>>> q="'";s='q="%c";s=%c%s%c;print s%%(q,q,s,q)';print s%(q,q,s,q)
43. Re:Anyone knows if the 2.x tree is vulnerable too? by Dretep · 2007-02-07 11:12 · Score: 0
  
  No manual entry for tmpwatch Give google a try. In any case, most installs of Linux (or at least the ones I've used - CentOS, RedHat, Fedora) have a cron job for tmpwatch enabled. Ubuntu unfortunately only cleans /tmp after a reboot.
44. Re:Anyone knows if the 2.x tree is vulnerable too? by evilviper · 2007-02-07 12:01 · Score: 1
  
  The fact that it can be installed is not the point. The point is that it isn't installed by default on most distros... Much like Windows.
  
  --
  Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
45. Re:Anyone knows if the 2.x tree is vulnerable too? by MilesAttacca · 2007-02-07 15:12 · Score: 1
  
  I'm still using 1.5.0.9, giving 2.0 a little bit of time for all or most of my favorite extensions to catch up, and some bugs to be resolved. (I'm also telling myself "I have to organize my bookmarks so I can switch," as if that's ever happening anyway.)
  
  --
  98% of America's teens drink alcohol, smoke, and have sex. Put this in your sig if you like bagels.
Is this the best they can do? by adpsimpson · 2007-02-06 10:04 · Score: -1, Flamebait

I thought open source software was meant to be playing catchup to proprietory programs, and then we see yet another lame-ass exploit.
This just shows why open source just isn't ready for the desktop.

--
Is crushing a suspect's child's testicles illegal?
John Yoo: "No, [if] the President thinks he needs to do that."
1. Re:Is this the best they can do? by ewl1217 · 2007-02-06 10:07 · Score: 2, Informative
  
  This only affects the 1.5.x branch, not the current 2.x stuff...
2. Re:Is this the best they can do? by bky1701 · 2007-02-06 10:12 · Score: 0, Flamebait
  
  So you think IE is secure?
  
  Enjoy your virii.
  
  --
  Great Intellect...
3. Re:Is this the best they can do? by Anonymous Coward · 2007-02-06 10:23 · Score: 0, Offtopic
  
  Enjoy your virii.
  
  You mean viruses. http://en.wikipedia.org/wiki/Virii
4. Re:Is this the best they can do? by bcmm · 2007-02-06 10:40 · Score: 1
  
  You have said about three things, and totally failed to link any of them together.
  
  --
  # cat /dev/mem | strings | grep -i llama
  Damn, my RAM is full of llamas.
5. Re:Is this the best they can do? by Anonymous Coward · 2007-02-06 10:51 · Score: 0
  
  This just shows why open source just isn't ready for the desktop.
  
  Oh fer chrissake! Did you even read the article? It's a very unlikely set of circumstances, on one specific flavor of Windows, difficult to even demonstrate and it will be patched before any exploits "in the wild". Hardly yet another lame-ass exploit.
  
  On the other hand, Windows has been demonstrating why closed source isn't ready for the desktop for the last 10 years! with every week bringing yet another lame-ass exploit, discovered "in the wild" and unpatched for months.
  
  Get back to work, Microsoftie, and fix them damned Vista bugs!
6. Re:Is this the best they can do? by adpsimpson · 2007-02-06 11:06 · Score: 1
  
  oops...
  
  Seems I've just entered the unintentionally-trollish-joke-taken-for-a-troll camp. The original (ok, cryptic) meaning of my post was that this exploit is lame-ass - open source should be, apparently, so we're told by some, catching up with proprietory - and yet this is the best style of exploit it can come up with? It's crap!
  
  Oh well. Suddenly I see the thrill of trolling. The pull of the dark side is strong. [mumble mumble hot grits mumble Natelie Portman mumble mumble overlords mumble mod me down but mumble mumble]
  
  Anyway, Windows is dead. Netcraft confirms it.
  
  --
  Is crushing a suspect's child's testicles illegal?
  John Yoo: "No, [if] the President thinks he needs to do that."
7. Re:Is this the best they can do? by mrgavins · 2007-02-06 11:28 · Score: 1
  
  That's wrong. This bug affects both 2.0 and 2.0.0.1. This confusion seems to stem from the version field in the bug, which is set to the earliest version that's affected.
  
  --
  Gavin Sharp
8. Re:Is this the best they can do? by Secrity · 2007-02-06 12:42 · Score: 1
  
  Parent post looks like it is written in English, but it does not parse.
9. Re:Is this the best they can do? by rapidweather · 2007-02-06 14:33 · Score: 1
  
  Glad to hear that the current 2.x stuff is not affected. I'm using FF 2.0.0.1 now, in my knoppix remaster (see screenshots below), and have other things I need to be doing with the remaster than upgrading FF. I do, however, jump on it and upgrade the browsers whenever they have new versions out. With Firefox, I put 9 RSS feeds on the toolbar by default, and for it's home page, I use a local version of this one, but with a slide-out ~/ menu setup, for browsing the /ramdisk.
  I notice that Netscape 9 for linux may be released in a couple of months. I'll try it out. Since I usually run my knoppix remaster with a 1 or 2 GB "persistent home" partition, I can easily download it and have it up and running in a few minutes, and can keep it around for a while to see how it does compared to Flock, Firefox and Opera. If it has anything to offer, and is not loaded up with AOL stuff, I might put it in the CD. I still use Netscape 4 on a Macintosh Quadra 660AV, and it seems to do a better job with the web pages than icab 2.99.
  That version is free, with no time limit, since it is for older Mac systems. Downloads quickly and installs automatically, however. Just a little disappointed in how many of the web pages look, so I tend to stick with Netscape.
  
  Rapidweather
  
  --
  Rapidweather's Linux Screenshots.
10. Re:Is this the best they can do? by Anonymous Coward · 2007-02-07 02:56 · Score: 0
  
  Here's a solution, since it is open-source go into the code and fix it yourself, or are you too stupid to even exist let alone use a computer? If you are that stupid then go slit your fucking wrists right now fucktard to take yourself out of the gene pool.
More proof by Reikk · 2007-02-06 10:04 · Score: -1, Troll

That open source software cannot be secure
1. Re:More proof by Anonymous Coward · 2007-02-06 10:43 · Score: -1, Redundant
  
  There be trolls in this here topic.
Right... by CasperIV · 2007-02-06 10:08 · Score: 4, Informative

That was quite possibly the most ignorant statement I have read on slashdot recently. I'm not particularly partial to either Firefox or IE, but exploit for exploit, your statement has no merit. What will be the deciding factor will be how fast it is patched.
1. Re:Right... by pairo · 2007-02-06 10:14 · Score: 5, Funny
  
  That was quite possibly the most ignorant statement I have read on slashdot recently.
  You don't really read much of Slashdot, do you?
2. Re:Right... by iggymanz · 2007-02-06 10:36 · Score: 2, Funny
  
  he meant by a non-author/non-editor
Windows only? by jimbobborg · 2007-02-06 10:10 · Score: 5, Informative

From the fine article:

"When the user chooses to manually allow a blocked popup however, normal URL permission checks are bypassed. "

So you have to MANUALLY disable the popup blocker on a site you don't know in order to make this work. Also, the article keeps talking about c:\whatever. It does not indicate if this is a vulnerability in a non-Windows system.
1. Re:Windows only? by Tony+Hoyle · 2007-02-06 10:16 · Score: 5, Informative
  
  From the text it's hardcoded to a specific installation of Windows (not even the default config). It wouldn't work on most systems.
2. Re:Windows only? by codepunk · 2007-02-06 10:21 · Score: 4, Funny
  
  You have to chmod 777 every file in the root and home file systems, log in as root, open a port for ssh, disable ip tables and or ipchains and post the user name (root of course), password and ip to a irc channel, turn off pop up blocking...yep see it effects linux also.
  
  That is the lamest vulnerability post I have seen in a long time...really stretching here are we not?
  
  --
  
  Got Code?
3. Re:Windows only? by kalleguld · 2007-02-06 10:51 · Score: 1
  
  Well, all it takes is a bit of social engineering to convince most users to disable the pop-up blocker for their site (after all, it's only like two clicks with the mouse). And really, do hackers care if they can infect Linux?
  
  --
  Sigs are bad for your health
4. Re:Windows only? by mrgavins · 2007-02-06 11:31 · Score: 1
  
  Your explanation is slightly misleading. You don't need to "manually disable the popup blocker" to reproduce the popup opening part of the theoretical exploit. All you need to do is click "show popup [once]" option in the popup blocker UI for a blocked file:// popup.
  
  --
  Gavin Sharp
5. Re:Windows only? by JackHoffman · 2007-02-06 11:43 · Score: 1
  
  The file:-opening bug is universal, only the URLs that are used would have to be adapted to different operating systems (easy, just look at the user-agent string). Even if you can't guess or calculate the temporary filename, there may be other vulnerabilities which allow an attacker to place a custom file with a known pathname on the victim's computer, which can then be called from a webpage and relay every file that is readable by the webbrowser.
6. Re:Windows only? by bl8n8r · 2007-02-06 12:17 · Score: 2, Funny
  
  Crap... where's the undo button for Xchat?
  
  --
  boycott slashdot February 10th - 17th check out: altSlashdot.org
7. Re:Windows only? by Anonymous Coward · 2007-02-06 15:06 · Score: 0
  
  From the fine article:
  
  "When the user chooses to manually allow a blocked popup however, normal URL permission checks are bypassed. "
  
  So you have to MANUALLY disable the popup blocker on a site you don't know in order to make this work.
  And your point is what, exactly, other than you're a raving fanboy, that is?
  Also, the article keeps talking about c:\whatever. It does not indicate if this is a vulnerability in a non-Windows system.
  Based on the problem description that you just quoted, it should be obvious to you that the problem will affect non-Windows systems, too.
I was refering to ewl1217's post... by CasperIV · 2007-02-06 10:10 · Score: 1

I didn't make it clear that the start of my post was directed at ewl1217's post above my own.
best hacker by Anonymous Coward · 2007-02-06 10:18 · Score: -1, Offtopic

Gorion, what do you think? :D
mod doWn by Anonymous Coward · 2007-02-06 10:24 · Score: -1, Troll

they are Come on interest in having ofone single puny The NetBSD project, YOU SHOULD BRING contributed code 4ouse... pathetic. posts on Usenet are
I tried with /etc/passwd by McNihil · 2007-02-06 10:28 · Score: 1

No result back with either FF1.5.0.9 and FF 2.0.0.1 using remote page. Local works obviously.
Is Microsoft hiring? by Anonymous Coward · 2007-02-06 10:28 · Score: -1, Flamebait

Just asking. It doesn't have to be in the shill department either. I could use a job and the exercise dodging chairs.
Fixed by Anonymous Coward · 2007-02-06 10:31 · Score: 5, Informative

Already fixed: https://bugzilla.mozilla.org/show_bug.cgi?id=36942 7
1. Re:Fixed by Anonymous Coward · 2007-02-06 12:11 · Score: 0
  
  It's fixed when the browser on my computer no longer has that bug. A checkin to some repository on the internet doesn't protect users, only downloadable updates do (if you can get the users to actually download them).
2. Re:Fixed by MMC+Monster · 2007-02-06 13:27 · Score: 1
  
  Well, according to earlier replies to this article, this is also fixed if you are running windows 2K or later. (well, not exactly fixed, but the exploit is nearly impossible given the number of assumptions made on stock win 2K/XP/Vista systems) So yes, this is probably fixed on your system as well. :-)
  
  --
  Help! I'm a slashdot refugee.
bullshit by tomstdenis · 2007-02-06 11:14 · Score: 1, Troll

Firefox/mozilla/etc run as your user. At most this would be able to infect my user, not the system. Even in windows, if you don't run as root it should be the same deal.

This exploit requires you to download the exploit code then, click on a link with file:/// with CTRL down (to turn off popup blocking). Sounds less like an exploit of firefox and more of the stupid user who runs things.

Tom

--
Someday, I'll have a real sig.
1. Re:bullshit by Goaway · 2007-02-06 12:05 · Score: 1
  
  What exactly do you think a malicious app wants to do that it can't do when running under your user account?
2. Re:bullshit by Anonymous Coward · 2007-02-06 12:09 · Score: 0
  
  But 99.9% of Windows users do run as "root" (i.e. have administrators rights) - it's the default.
3. Re:bullshit by drinkypoo · 2007-02-06 12:51 · Score: 1
  
  Firefox/mozilla/etc run as your user. At most this would be able to infect my user, not the system.
  
  Oh good! So the most it can do is wipe out all your data!
  
  I sure do hope you're not a security consultant...
  
  --
  "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
4. Re:bullshit by jesser · 2007-02-06 13:17 · Score: 2, Insightful
  
  Firefox doesn't have a "Hold Ctrl to disable pop-up blocking" feature. Maybe you're thinking of another browser or a Firefox extension?
  
  This vulnerability involves the "Show blocked popup" feature, which you can activate from the status bar icon indicating that a popup was blocked. If the popup is allowed in the first place, the security check works correctly.
  
  --
  The shareholder is always right.
5. Re:bullshit by tomstdenis · 2007-02-06 15:09 · Score: 1
  
  How does my comment show a lack of security concern? You want user apps to only run as the user. That's the point of privilege separation. If I had 30 users on a box, and one of them decides to run a virus, it should at most destroy their data.
  
  Also, this is why we backup data.
  
  Tom
  
  --
  Someday, I'll have a real sig.
Always one vulnerability by Anonymous Coward · 2007-02-06 11:43 · Score: 0

there's always going to be one security vulnerability with Firefox (and most all other software)... stupid users.
unfortunately there will never be a patch for it (what's that saying about building a better idiot?)
#irc.trol7talk.com by Anonymous Coward · 2007-02-06 12:22 · Score: -1, Offtopic

the mUndane chores
Wow... by thanksforthecrabs · 2007-02-06 12:25 · Score: 1

you mean the *other* browser has holes too?
1. Re:Wow... by Anonymous Coward · 2007-02-06 13:45 · Score: 0
  
  Of course not. It's perfect. Take a double dose of Linux tonight, one teaspoon of Stallman, and you'll get your head screwed on straight again.
Oblig. by element-o.p. · 2007-02-06 14:01 · Score: 1

"Humor. It is a difficult concept. It is not logical." --Lt. Saavik

--
MCSE? No, sir...I don't do Windows. Yes, I am an idealist. What's your point?
Lamest. Vulnerability-post. Ever. by JacksBrokenCode · 2007-02-06 14:21 · Score: 2, Insightful

That is the lamest vulnerability post I have seen in a long time...
You sure about that?
mod dowDN by Anonymous Coward · 2007-02-06 15:23 · Score: -1, Troll

BSD style.' In the live 4nd a job to any doubt: FreeBSD hobby. It was all
Linux can still be secure by r00t · 2007-02-06 16:40 · Score: 1

If you have SE Linux running with a strict policy, it just doesn't matter if they do log in as root. They'd have to get into the correct role and level as well, which would be blocked.

Even before levels were added, there used to be SE Linux systems on the net with public root passwords. (one Gentoo, and one either Debian or Red Hat) You could log in as root, look around a tad, append a message to a file, run a few processes... and that was about it. You couldn't load drivers, reboot, read log files, install software, etc. SE Linux locked the system down good and hard.
1. Re:Linux can still be secure by someone1234 · 2007-02-06 20:11 · Score: 1
  
  In other words, they had a regular user account with the name 'root' :)
  
  --
  Patents Drive Free Software as Hurricanes Drive Construction Industry
2. Re:Linux can still be secure by petermgreen · 2007-02-07 01:03 · Score: 1
  
  Even before levels were added, there used to be SE Linux systems on the net with public root passwords. (one Gentoo, and one either Debian or Red Hat) You could log in as root, look around a tad, append a message to a file, run a few processes... and that was about it. You couldn't load drivers, reboot, read log files, install software, etc. SE Linux locked the system down good and hard.
  so how exactly were theese boxes administered?
  
  unless there is an admin there with physical access who doesn't mind doing a hard reboot and can get to the box early in the boot process before the selinux stuff kicks in you are going to have to have some kind of administrative login, it may not be called root and it may not have a uid of 0 but it needs to be there.
  
  --
  note: i'm known as plugwash most places but i screwd up registering that here somehow in the past and now can't register
3. Re:Linux can still be secure by r00t · 2007-02-07 16:58 · Score: 1
  
  To admin the system, you need to change roles. No single role can do everything, and many role-to-role transitions are prohibited.
  
  So there is NOT an administrative login that lets you do everything. There are numerous limited-capability administrative logins, sort of. They are not related to UID.
  
  First you'd log in as root, since the old UID-based system is still being enforced. You'd need to do this from the console to get put into a role which is able to transition to something interesting. Then you run the an su-like command, called "newrole" I think, to gain one specific ability. For example, there may be a "backup" role that lets you read any file and a "net" role that lets you change network settings. Neither role can execute files written by the other.
  
  On a Fedora box, do "ls -Z" or "ps Zax" to see the security info. (by default, Fedora enables a fairly lax version of this -- but I did once get permission denied as root with a default Fedora install)
4. Re:Linux can still be secure by petermgreen · 2007-02-14 02:34 · Score: 1
  
  First you'd log in as root, since the old UID-based system is still being enforced. You'd need to do this from the console to get put into a role which is able to transition to something interesting.
  so what you are saying is that while the people have the root password the box has been configured in such a way that a root login from remote isn't really root.
  
  which is ok if the admin has local acess to the machine but renders the system pretty useless otherwise.
  
  --
  note: i'm known as plugwash most places but i screwd up registering that here somehow in the past and now can't register
Only 6% of my visitors are using 1.5x. by JAB+Creations · 2007-02-06 17:54 · Score: 2, Informative

Only 6% of my users so far this year are using Firefox 1.5x compared to 68% using Firefox 2.0. There are still about 4% of users who are using IE 6 without service pack 2 on XP (or are using IE6 on older versions of Windows). Point: it's a vulnerability that hackers won't bother to exploit and Mozilla will probably patch quickly anyway.

--
- John
http://www.jabcreations.com/
Whew! by cciRRus · 2007-02-07 02:14 · Score: 1

Good thing I'm using the Internet Explorer.

--
w00t
Your link is wrong by Anonymous Coward · 2007-02-07 03:37 · Score: -1, Flamebait

Here's the fix
nope, UID was 0 by r00t · 2007-02-07 16:50 · Score: 1

The UID really was zero, which is NOT a regular user account. It's a normal root account.

I couldn't even write to files that were world-writable, owned by root or not.

Do an "ls -Z" on a default Fedora install to see what is going on. Fedora can be nearly like the system described if you install the "strict" policy.

To admin the system, you need to change roles. No single role can do everything, and many role-to-role transitions are prohibited.