Slashdot Mirror


Firefox 3.0.1 Fixes 'Carpet Bombing' Issue

An anonymous reader writes "Firefox 3.0.1 was released today. It fixes 3 security vulnerabilities, including a critical issue reported by Billy Rios, Ben Turner, and Dan Veditz. The issue could be combined with an issue in Apple's Safari browser to read data from the user's disk or to execute arbitrary code. This issue was previously discussed on Slashdot. The release also fixes a remote code execution bug involving the CSS reference counter, reported by the Zero-Day Initiative (previously discussed on Slashdot here), as well as a Mac-only potential code execution bug involving GIF image rendering, reported by Drew Yao of Apple Product Security."


  1. Re:Who Cares... by bconway · · Score: 5, Informative

    Actually, it's a .0.1 release. Firefox 3.1 (alpha due this summer) has a lot of new features that didn't make it in time for 3.0.

    --
    Interested in open source engine management for your Subaru?
  2. *spit* by Anonymous Coward · · Score: 1, Informative

    This update disabled my Firebug and "Copy all Urls" extensions.

    I'll never take an update on the first day again. Ever. *spit*

  3. Workaround by brunes69 · · Score: 3, Informative

    This attack only works if the user is using another internet-connected application with Firefox not running. Using Firefox, or making sure it is at least running, prevents this attack.

    So as long as you use Firefox all day long, you will not be affected.

  4. Re:"awesome bar" by -Tango21- · · Score: 5, Informative

    Hmm, a Google search reveals that while the "awesome bar" is still the default, you can disable it by following the directions below (but, maybe you already knew this):

    1. Type about:config into the location bar and change the value browser.urlbar.matchOnlyTyped to true. After this, you need to restart Firefox. All this does is make it so that Firefox only searches the URLs you have typed and not the titles of pages.

    2. Install the Old Location Bar extension. This changes the location bar so that it looks like how it looked in Firefox 2. As of me writing this post, it is an experimental addon so you will need to register to the Firefox addon service to install it.

  5. Re:When will Microsoft fix IE? by dnwq · · Score: 2, Informative

    You're misunderstanding him, he means working directory

  6. Re: head in the sand? by Anonymous Coward · · Score: 1, Informative

    (released the day before yesterday)
    http://www.mozilla.org/security/known-vulnerabilities/firefox20.html
    Fixed in Firefox 2.0.0.16
    MFSA 2008-35 Command-line URLs launch multiple tabs when Firefox not running
    MFSA 2008-34 Remote code execution by overflowing CSS reference counter

    (released yesterday)
    http://www.mozilla.org/security/known-vulnerabilities/firefox30.html
    Fixed in Firefox 3.0.1
    MFSA 2008-36 Crash with malformed GIF file on Mac OS X
    MFSA 2008-35 Command-line URLs launch multiple tabs when Firefox not running
    MFSA 2008-34 Remote code execution by overflowing CSS reference counter

    Whew! Good thing you didn't upgrade! You might have been vulnerable for a whole extra day! (Wait, you did take the 2.0.0.16 update already, right?)

  7. Re:When will Microsoft fix IE? by argent · · Score: 3, Informative

    When you run an application from Windows Explorer, it is normally run with its current directory set to the directory that the executable is located in. The vulnerability exposed by the "carpet bombing" attack involved attacking Internet Explorer, because Internet Explorer runs with its current directory set to the desktop... not the directory containing the IE executable. There is no obvious reason why IE does this, nor any reason I can come up with for Microsoft not to change it.

  8. crash crashing or? by Fallen+Andy · · Score: 4, Informative
    OK, if you saw the following I may have an answer for you. If you installed FF3 and around a day or two later mysteriously it seemed to put up the hourglass cursor with the disk thrashing a lot, then you got bitten by the urlclassifier db (anti-phishing sqlite database) being downloaded. After a day or so things go back to normal. (It would look more like a temporary freeze of the program rather than a crash to the desktop).

    For anyone on a slow connection or with an old machine (like me) that was almost a showstopper. Thankfully, *seems* to be fixed now. Haven't seen any real crashes to the desktop even with the betas...

    A workaround is to go Tools->Options->Security and turn off the attack site and forgery options.

    Andy

    1. Re:crash crashing or? by Anonymous Coward · · Score: 1, Informative

      You need to remove antiphishing filter, delete its database file, finger it, and chmod it uneditable on Linux.

      On windows, create an empty file, replace the antiphishing database with it, set it as read only and preferably change permissions so you cannot edit it.

      Or, if you're using XP Home, you're fucked.

  9. I didn't even know there was a problem. by DamienNightbane · · Score: 2, Informative

    Now if only they could get around to fixing the much bigger memory issues that seem to get worse and worse with every release. I'm getting tempted to go back to IE for the first time in years.

    1. Re:I didn't even know there was a problem. by thePowerOfGrayskull · · Score: 3, Informative

      Nice to repeat the same ol' FUD, but you do realize that FF3 memory usage is significantly lower than FF2 and IE, don't you? You /did/ know that, right?

  10. Re:And this is why... by Spy+der+Mann · · Score: 5, Informative

    ... I didn't download Firefox 3 when it came out. In fact, I'm still on Firefox 2, and I'm sure a good percentage of fellow /.ers are as well.

    Um... the carpet bombing vulnerability also affects Firefox 2. It looks like someone is in trouble :)

  11. You may find this useful by p3d0 · · Score: 3, Informative
    --
    Patrick Doyle
    I mod down every jackass who puts his moderation policy in his sig. Oh, wait a sec....
  12. Re:Addons? by slimjim8094 · · Score: 3, Informative

    when the authors update them?

    of course, you could google for a couple of seconds and fix it yourself (hint: you can force it to ignore the version)

    --
    I have developed a truly marvelous proof of this comment, which this signature is too narrow to contain.
  13. Re:Who Cares... by badpazzword · · Score: 3, Informative

    And Safari and Opera are both non-free so they are more reluctant to give detailed fix reports.

    http://my.opera.com/desktopteam/blog/

    --
    When ideas fail, words become very handy.
  14. Re:"awesome bar" by andy9701 · · Score: 3, Informative

    Lifehacker has instructions on how to restore the yellow for SSL sites, among other nice UI changes (such as removing the Go and Search buttons from the Address and Search bars, respectively). It does require an extension (either Stylish or Greasemonkey), but it definitely works, I've been using this at home for a few weeks now.

  15. Re:Who Cares... by Darkness404 · · Score: 2, Informative

    Non-free, as in closed-source, as in proprietary. Sure Safari is mostly open-source, but Opera is as much proprietary as IE.

    --
    Taxation is legalized theft, no more, no less.
  16. Re:Who Cares... by drewness · · Score: 2, Informative

    Non free? I believe you mean they have a proprietary source code, as opposed to open source like firefox.

    Safari is Open Source. Head over to WebKit.org and you can get the source via Subversion or browse it via Trac. It's licensed under a mix of LGPL and BSD licenses.

  17. Re:"awesome bar" by woot+account · · Score: 2, Informative

    Which still doesn't fix it. Like the person below me said, type "co" in and watch it match every site you've typed that ends in ".com".

    Unfortunately, it seems that the Mozilla developers don't care if people dislike it.

  18. FF2 *got the same fix*. Tuesday. by rickst29 · · Score: 2, Informative

    The update for FF2 was pushed out a day before the FF3 update (on Tuesday morning, versus Wednesday afternoon). If you aren't using 2.0.0.16, you're prone to the same attack.

  19. Re:Nothing to say by Anonymous Coward · · Score: 1, Informative

    http://slashdot.org/moderation.shtml go learn something. damn fool kids...

  20. Re:Who Cares... by HeroreV · · Score: 4, Informative

    Safari is closed source. WebKit (the layout engine Safari uses) is open source, but the builds used by Safari rely on a binary closed source blob from Apple. If you value software freedom, you shouldn't use Safari.

  21. Re:Who Cares... by Lennie · · Score: 4, Informative

    no, Safari isn't open source, WebKit is open source, because it is based on khtml.

    --
    New things are always on the horizon
  22. Re:"awesome bar" by Anonymous Coward · · Score: 1, Informative

    If you are the type who remembers the URL of sites you visit, it just means a bunch of false positives.

    Eh, it was kind of disappointing the first time I typed "s" and slashdot didn't come up. But then after hitting the down arrow a couple times and then enter (tough I know), the next time I typed "s", slashdot came right up. Magic.

    Let's see: s=slashdot y=youtube g=gmail r=rapidshare t=TPB

    I couldn't be happier.