Serious Vulnerability In Firefox 2.0.0.12

Oh, Not Now writes "Mozilla Firefox 2.0.0.12, mere hours old, is vulnerable by default to a directory traversal trick, via the view-source mechanism. Although mitigated by the NoScript plug-in, this is quite a serious bug — the default installation is vulnerable from the get-go."

Re:* Stops download of newest Firefox *

[webmaster404]

Also, one thing that I have noticed about OSS bugs is that those severe enough to cause execution of code, there are very very few utilities to easily attack systems unlike their MS counterparts. Most OSS flaws are rarely exploited in the wild. The only thing that annoys me about them is that someone will surely come up to me on Monday stating how bad Firefox is because of this while blissfully ignoring all the flaws that Windows/IE has had for years.

NoScript

[bazald]

Why isn't NoScript just a mandatory extension at this point? It seems like it would be pretty unobtrusive with default settings at a slightly reduced paranoia level.

Re:NoScript

[milsoRgen]

Why isn't NoScript just a mandatory extension at this point? I wouldn't be surprised if it becomes a part of the browser (or something like it), just as pop-up blockers of yore have been incorporated.

Re:NoScript

[punissuer]

Have you noticed how often NoScript gets updated? I wouldn't quite call it unobtrusive, especially since NoScript likes to make your browser open a tab to the NoScript site after an update. Really, how hard is it to prevent execution of javascript that didn't come from a site that's been whitelisted? I now use AdBlock Plus instead.

Re:NoScript

[SJS]

... (somehow including a database of checksums of widely-deployed, known-safe scripts like Google Analytics' urchin, jquery, Amazon affiliate stuff, and... that's all that comes to mind)

Why is everyone in love with checksums?

Disk is cheap. The amount of scripting I should trust is small.

So cache the *actual* scripts... and then use those as keys into what scripts are actually run.

That is, when you first hit a website that tries to run a script, capture all of the script functions and fragments, and indicate to the user how many un-approved scripts are on this page. The user than has the option to say "Trust this set of scripts" (like noscript now), or "Let me look at these scripts."

And this is where the fun can begin.

The browser can present to me a list of script functions and fragments, each with a "allow", "deny", or "remap" option. Allow is just that -- allow that script function or fragment to be run as-is, temporarily or for that page, machine, or domain. Deny is just that -- deny that script function or fragment, again, for that page, machine, or domain.

For remap, however, I should get a little two-window/textarea display (top/bottom, left/right, don't care, should probably be the user's choice), one read-only (the key) and the other editable. I can then edit the second chunk of code as I please -- stupid client-side verification, gone, replaced with "return true;". Code that disables a feature, deletes information from the display, and so on and so forth... gone. The test for browser/os versions... gone. Bugs become fixable. (Sure, I might introduce bugs, but that's my own fault, and it's my browser anyway.)

Most folks wouldn't ever use "remap" in this way, but that's okay. The ability is there, just like most folks don't compile open-source programs from scratch. That's not the point... if they wanted to, they could.

The next step is to share remapping libraries, like people are sharing greasemonkey scripts now. I could get a call from my mother about how some website is broken to how she'd want to use it, and I can go look at the web-page, fix it, export my changes to some convenient archive, drop it on to my webpage, and then send the url to my mother, who can click on the archive, and have the browser ask "Do you want to install this?", click "Yes", and all is well in the world.

Sure, some websites will take steps to make every bit of client-side scripting unique for every connection. They'll obfuscate their code, randomize the variable names on a per-session basis, mess with the structure... and now you KNOW those websites are hostile and malicious and should be treated as such.

Don't bother with checksums, that doesn't put any power into the hands of the users. Track code, and allow for client-side replacement of code. Allow end-users to share their code-replacement libraries. We can kinda-sorta do that now with plugins and greasemonkey, but that's tricky and error-prone and tedious. Let the computer solve the problems that are tricky, or error-prone, and especially the problems that are tedious!

Re:NoScript

[the_womble]

Exactly, the average users reaction would be: Internet Explorer (or "the normal internet" as I recently heard it called) works on this site, Firefox does not, so Firefox is broken.

The minority who can cope with those sort of settings can manage to install an extension.

Re:NoScript

[CNeb96]

You forgot the 4th, it wouldn't be upgraded nearly as often as the current maintainers upgrade it. Noscript is updated all the time. Firefox needs a hybrid approach include extensions by default AND allow them to be independently updated separately from the main release, they don't do that currently for any extension.

yahoo or mozilla

[erat123]

Maybe microsoft should have looked into mozilla instead of yahoo...

I sure hope it's only this version...

[WiglyWorm]

Hopefully the Firefox 3 beta is not affected by this, that's what I've been running since Beta 2 came out. Anyone know?

Re:* Stops download of newest Firefox *

[croddy]

Oh, you make a good point. I always wondered what people were talking about when they went on and on about Firefox consuming tons of memory because I would look at mine and it would never look even remotely like what people were describing. Of course, it all makes sense now -- less crappy unnecessary javascript running, fewer memory leaks. I can't imagine web browsing without manually whitelisting scripts either.

list of files that can be read (win32)

lol, serious stuff 300: file:///C:/Program%20Files/Mozilla%20Firefox/ 200: filename content-length last-modified file-type 201: .autoreg 0 Mon,%2005%20Nov%202007%2016:16:28%20GMT FILE 201: AccessibleMarshal.dll 13952 Fri,%2008%20Feb%202008%2019:42:30%20GMT FILE 201: LICENSE 30869 Thu,%2026%20Jul%202007%2002:39:20%20GMT FILE 201: README.txt 177 Thu,%2026%20Jul%202007%2002:39:20%20GMT FILE 201: browserconfig.properties 232 Thu,%2026%20Jul%202007%2002:39:26%20GMT FILE 201: chrome 0 Fri,%2008%20Feb%202008%2019:42:39%20GMT DIRECTORY 201: components 0 Fri,%2008%20Feb%202008%2019:42:39%20GMT DIRECTORY 201: defaults 0 Fri,%2028%20Sep%202007%2022:59:30%20GMT DIRECTORY 201: dictionaries 0 Fri,%2028%20Sep%202007%2022:59:30%20GMT DIRECTORY 201: extensions 0 Fri,%2021%20Dec%202007%2011:21:24%20GMT DIRECTORY 201: firefox.exe 7655024 Fri,%2008%20Feb%202008%2019:42:35%20GMT FILE 201: freebl3.chk 476 Fri,%2008%20Feb%202008%2019:42:35%20GMT FILE 201: freebl3.dll 200829 Fri,%2008%20Feb%202008%2019:42:35%20GMT FILE 201: greprefs 0 Fri,%2008%20Feb%202008%2019:42:40%20GMT DIRECTORY 201: install.log 28197 Fri,%2021%20Dec%202007%2011:20:32%20GMT FILE 201: js3250.dll 456808 Fri,%2008%20Feb%202008%2019:42:35%20GMT FILE 201: nspr4.dll 161392 Fri,%2008%20Feb%202008%2019:42:35%20GMT FILE 201: nss3.dll 378472 Fri,%2008%20Feb%202008%2019:42:36%20GMT FILE 201: nssckbi.dll 271984 Fri,%2008%20Feb%202008%2019:42:37%20GMT FILE 201: old-homepage-default.properties 112 Thu,%2026%20Jul%202007%2002:39:26%20GMT FILE 201: plc4.dll 34424 Fri,%2008%20Feb%202008%2019:42:37%20GMT FILE 201: plds4.dll 30320 Fri,%2008%20Feb%202008%2019:42:37%20GMT FILE 201: plugins 0 Fri,%2008%20Feb%202008%2019:42:42%20GMT DIRECTORY 201: res 0 Fri,%2028%20Sep%202007%2022:59:27%20GMT DIRECTORY 201: searchplugins 0 Fri,%2028%20Sep%202007%2022:59:30%20GMT DIRECTORY 201: smime3.dll 112232 Fri,%2008%20Feb%202008%2019:42:37%20GMT FILE 201: softokn3.chk 476 Fri,%2008%20Feb%202008%2019:42:37%20GMT FILE 201: softokn3.dll 254060 Fri,%2008%20Feb%202008%2019:42:37%20GMT FILE 201: ssl3.dll 132712 Fri,%2008%20Feb%202008%2019:42:37%20GMT FILE 201: uninstall 0 Fri,%2008%20Feb%202008%2019:42:48%20GMT DIRECTORY 201: updater.exe 132232 Fri,%2008%20Feb%202008%2019:42:38%20GMT FILE 201: updater.ini 709 Fri,%2019%20Oct%202007%2013:36:24%20GMT FILE 201: xpcom.dll 13416 Fri,%2008%20Feb%202008%2019:42:39%20GMT FILE 201: xpcom_compat.dll 73848 Fri,%2008%20Feb%202008%2019:42:38%20GMT FILE 201: xpcom_core.dll 422000 Fri,%2008%20Feb%202008%2019:42:39%20GMT FILE 201: xpicleanup.exe 73336 Fri,%2008%20Feb%202008%2019:42:39%20GMT FILE 201: xpistub.dll 12400 Fri,%2008%20Feb%202008%2019:42:39%20GMT FILE

or not

Re:or just visit sites you trust

[11223]

Or you can take the first step like you always should, and not visit sites you don't trust.

Ever use an open 802.11 access point? Ever been redirected to a legalese page before being allowed onto the internet? Now what if that page had the exploit in it? For added fun, imagine the hotspot isn't malicious but there's an attacker on the network using a rogue DHCP server to feed you a bogus set of DNS servers.

People assume that their web browser is a trusted execution environment. Vulnerabilities which affect the browser are worth caring about for that reason.

Firefox is too large to be secure

[Morgaine]

This isn't a problem just with Firefox, but with all full browsers today (the various midget text-mode ones excluded).

Any non-trivial program contains bugs and vulnerabilities proportional to its size, and the relationship between size and inherent problem-count is probably a lot worse than linear. This is true for all programs and all systems, but it is especially true for monolithic ones, and to a very large extent the main body of modern browsers is quite monolithic. Even the plugins load into the same address space in most cases, although there are exceptions to this in the browser world.

The present situation is not good, and everyone is familiar with the consequences of it: the web browser is by far the most crash-prone of all applications present in our operating systems today.

Is there a solution to this on the horizon? Not at present, because developers in all the most popular programming languages almost always implement monolithic systems (because the languages encourage it and the courses teach it), and are highly adverse to extreme modularization. Again, there are exceptions, but they are rare.

We are living in a bit of a Dark Age in this area currently, and I don't forsee any change within the next five years at least.

Re:* Stops download of newest Firefox *

[Achromatic1978]

So, it's their fault, right? Funny, just reading their page alone mentioned how they'd already made mention of how this affects more than just extensions, but Mozilla ("What leaks? Show us a single leak!") developers shrugged, blamed extensions, and released, without fixing the core problem.

Re:* Stops download of newest Firefox *

[Compholio]

who really cares, I am gonna use firefox, not to many hackers are that good at getting into Linux Machines, and if I wasn't gonna use FireFox then I would use Opera. Cheers!

Yeah, plus (according to TFA) all they can do is traverse the install folder. Said hacker can have fun looking at all the plugins and blank password database in my ~/.mozilla/firefox/ folder all they want.

Re:Memory Usage / No Script

[Mr+Z]

How many windows / tabs do you tend to have open, and how often do you restart the browser? Also, what OS?

Here's the output of ps on my 64-bit Ubuntu 7.04 box, running Ubuntu's Firefox package:

im14u2c 2527 6.1 11.2 987640 454116 ? Sl Feb07 176:30 /usr/lib/firefox/firefox-bin

The first number suggests Firefox is taking nearly 1GB, but 512MB of that is just the X mapping my video card, I think. The second number shows it clearly taking around 450M.

--Joe