Slashdot Mirror

← Back to Stories (view on slashdot.org)

Firefox 3.0.1 Fixes 'Carpet Bombing' Issue

Posted by CmdrTaco on from the break-out-the-bug-spray dept.

An anonymous reader writes "Firefox 3.0.1 was released today. It fixes 3 security vulnerabilities, including a critical issue reported by Billy Rios, Ben Turner, and Dan Veditz. The issue could be combined with an issue in Apple's Safari browser to read data from the user's disk or to execute arbitrary code. This issue was previously discussed on Slashdot. The release also fixes a remote code execution bug involving the CSS reference counter, reported by the Zero-Day Initiative (previously discussed on Slashdot here), as well as a Mac-only potential code execution bug involving GIF image rendering, reported by Drew Yao of Apple Product Security."

39 of 168 comments (clear)

  1. Re:Who Cares... by bconway · · Score: 5, Informative

    Actually, it's a .0.1 release. Firefox 3.1 (alpha due this summer) has a lot of new features that didn't make it in time for 3.0.

    --
    Interested in open source engine management for your Subaru?
  2. no crashes yet by mjs_ud · · Score: 3, Interesting

    Firefox 3 was crashing 3-10 times a day for me even after completely removing everything FF related. At the risk of jinxing myself I will say that I'm crash free on 3.0.1 for 4 hours now.

    --
    return EXIT_SUCCESS;
  3. "awesome bar" by Cantras · · Score: 2, Interesting

    So have they given us the option to disable their "awesome bar" yet?

    1. Re:"awesome bar" by -Tango21- · · Score: 5, Informative

      Hmm, a Google search reveals that while the "awesome bar" is still the default, you can disable it by following the directions below (but, maybe you already knew this):

      1. Type about:config into the location bar and change the value browser.urlbar.matchOnlyTyped to true. After this, you need to restart Firefox. All this does is make it so that Firefox only searches the URLs you have typed and not the titles of pages.

      2. Install the Old Location Bar extension. This changes the location bar so that it looks like how it looked in Firefox 2. As of me writing this post, it is an experimental addon so you will need to register to the Firefox addon service to install it.

    2. Re:"awesome bar" by Qzukk · · Score: 2, Insightful

      Yeah, well, the FF2 bar wasn't all that hot either. The only thing more annoying than waiting for the list of sites to never come up because you started typing while another tab was still loading, is having the list of sites popup while you're typing and since you had the mouse in the wrong location when you hit enter you went to some completely different place than you had expected.

      I don't care whether it's awesome or not, give me an option to make it not appear unless I press down or alt-down or tab or something that indicates that I want it to appear.

      --
      If I have been able to see further than others, it is because I bought a pair of binoculars.
    3. Re:"awesome bar" by tehBoris · · Score: 2, Funny

      I kinda like the so called awesome bar. What's wrong with it?

      The oldies want their URL bars to match URLs and those pesky kids to GET OFF THEIR LAWNS!

    4. Re:"awesome bar" by ShadowRangerRIT · · Score: 3, Insightful
      1. Type 'co' in the Awesome bar. Marvel at how it "awesomely" returns every site in the .com TLD.
      2. If you are the type who remembers the URL of sites you visit, it just means a bunch of false positives.

      I've used it once to date, when going back to a walkthrough page on gamefaqs. 99% of the time, I know the address I'm going to, or I have it bookmarked, so the "awesomeness" is wasted on me.

      --
      $_ = "wftedskaebjgdpjgidbsmnjgcdwatb"; tr/a-z/oh, turtleneck Phrase Jar!/; print
    5. Re:"awesome bar" by andy9701 · · Score: 3, Informative

      Lifehacker has instructions on how to restore the yellow for SSL sites, among other nice UI changes (such as removing the Go and Search buttons from the Address and Search bars, respectively). It does require an extension (either Stylish or Greasemonkey), but it definitely works, I've been using this at home for a few weeks now.

    6. Re:"awesome bar" by woot+account · · Score: 2, Informative

      Which still doesn't fix it. Like the person below me said, type "co" in and watch it match every site you've typed that ends in ".com".

      Unfortunately, it seems that the Mozilla developers don't care if people dislike it.

      --
      By what name do you wish to be mourned?
    7. Re:"awesome bar" by bunratty · · Score: 2, Insightful

      I finally did what you suggested and typed "co" into the address bar. It gives fifteen suggestions, although I'm sure I go to many more than fifteen .com sites. The top suggestions were for COmputer documentation for where I work, COnsumer Reports magazine, COmputer Cable Store, two sites I frequent that are .com domains, and Weather Forecast and COnditions for my city. I fail to see the problem. Care to explain?

      --
      What a fool believes, he sees, no wise man has the power to reason away.
  4. To to prevent the issue I need to use Firefox? by techess · · Score: 5, Funny
    From http://www.mozilla.org/security/announce/2008/mfsa2008-35.html

    Workaround
    This attack only works if the user is using another internet-connected application with Firefox not running. Using Firefox, or making sure it is at least running, prevents this attack.

    I had to giggle at the workaround. To prevent a firefox flaw from biting you, you need to have firefox open. Phew, I'm so glad I'm safe.

    --
    Don't anthropomorphize computers. They *hate* that.
  5. When will Microsoft fix IE? by argent · · Score: 2, Interesting

    So far as I know, the only application that normally runs with its current directory on the desktop (and is thus a potential target for any successful exploit of this issue) is Internet Explorer.

    1. Re:When will Microsoft fix IE? by dnwq · · Score: 2, Informative

      You're misunderstanding him, he means working directory

    2. Re:When will Microsoft fix IE? by argent · · Score: 3, Informative

      When you run an application from Windows Explorer, it is normally run with its current directory set to the directory that the executable is located in. The vulnerability exposed by the "carpet bombing" attack involved attacking Internet Explorer, because Internet Explorer runs with its current directory set to the desktop... not the directory containing the IE executable. There is no obvious reason why IE does this, nor any reason I can come up with for Microsoft not to change it.

  6. Workaround by brunes69 · · Score: 3, Informative

    This attack only works if the user is using another internet-connected application with Firefox not running. Using Firefox, or making sure it is at least running, prevents this attack.

    So as long as you use Firefox all day long, you will not be affected.

    1. Re:Workaround by igaborf · · Score: 2, Funny

      So as long as you use Firefox all day long, you will not be affected.

      "But boss, I have to browse the Web all day."

  7. Re:And this is why... by gamanimatron · · Score: 2, Insightful

    I finally upgraded last night. So far, so good - it's certainly faster, and the most important mods to me (CSL and NoScript) seem to be working just fine.

    Of course, if it isn't all good then I'm screwed now, but c'est la vie.

    --
    cogito ergo dubito
  8. Another software release post? by dnwq · · Score: 2, Interesting

    Slashdot needs a "important software updates" section.

  9. Re:And this is why... by E+IS+mC(Square) · · Score: 3, Insightful

    Chances are that the reason is not that it's bug-free, but that it's still buggy.

    Chances are that you are not a developer.
    "He who is without a sin throw the first stone."

  10. crash crashing or? by Fallen+Andy · · Score: 4, Informative
    OK, if you saw the following I may have an answer for you. If you installed FF3 and around a day or two later mysteriously it seemed to put up the hourglass cursor with the disk thrashing a lot, then you got bitten by the urlclassifier db (anti-phishing sqlite database) being downloaded. After a day or so things go back to normal. (It would look more like a temporary freeze of the program rather than a crash to the desktop).

    For anyone on a slow connection or with an old machine (like me) that was almost a showstopper. Thankfully, *seems* to be fixed now.Haven't seen any real crashes to the desktop even with the betas...

    A workaround is to go Tools->Options-> Security and turn off the attack site and forgery options.

    Andy

  11. I didn't even know there was a problem. by DamienNightbane · · Score: 2, Informative

    Now if only they could get around to fixing the much bigger memory issues that seem to get worse and worse with every release. I'm getting tempted to go back to IE for the first time in years.

    1. Re:I didn't even know there was a problem. by thePowerOfGrayskull · · Score: 3, Informative

      Nice to repeat the same ol' FUD, but you do realize that FF3 memory usage is significantly lower than FF2 and IE, don't you? You /did/ know that, right?

  12. Re:And this is why... by Spy+der+Mann · · Score: 5, Informative

    ... I didn't download Firefox 3 when it came out. In fact, I'm still on Firefox 2, and I'm sure a good percentage of fellow /.ers are as well.

    Um... the carpet bombing vulnerability also affects Firefox 2. It looks like someone is in trouble :)

  13. You may find this useful by p3d0 · · Score: 3, Informative

    http://dictionary.reference.com/search?q=irony

    --
    Patrick Doyle
    I mod down every jackass who puts his moderation policy in his sig. Oh, wait a sec....
  14. Ubuntu Repos by martinw89 · · Score: 2, Interesting

    I could swear that I was notified of a security update regarding Firefox a few days ago. After the update, I checked Firefox and it's own About dialog reported it was 3.0.1. Can anyone else confirm this or am I going bonkers? I'm certainly on 3.0.1 now and I only received some mundane updates this morning.

    1. Re:Ubuntu Repos by pablomme · · Score: 2, Interesting

      I would guess you have the 'proposed' repository enabled.

      --
      The state you are in while your HEAD is detached... - wait, what?
  15. Re:Addons? by slimjim8094 · · Score: 3, Informative

    when the authors update them?

    of course, you could google for a couple of seconds and fix it yourself (hint: you can force it to ignore the version)

    --
    I have developed a truly marvelous proof of this comment, which this signature is too narrow to contain.
  16. Re:Who Cares... by Vectronic · · Score: 4, Interesting

    I for one, welcome our browser caring overlords.

    My issue is that "No one cares when Opera or Safari have a similar release. [or Internet Explorer, or Konqueror...]" but they do when its Firefox.

    Opera 9.51 went through a few RC's and a final and is on 9.52RC/Snapshot, Safari has gone through a couple *.*# and a whole #.0 in the last few months for Mac, Win and Mobile...

    But no, Firefox 3.1 Sub-Alpha-Hypothetical-Possibility-Beta-RC Build 3219 hits front page and we're supposed to eat a cracker drink some wine and pray to it, but oh wait, we're all for competition and innovation, as long as its Firefox Vs. Firefox.

    (stomps off)

  17. Re:Who Cares... by badpazzword · · Score: 3, Informative

    And Safari and Opera are both non-free so they are more reluctant to give detailed fix reports.

    http://my.opera.com/desktopteam/blog/

    --
    When ideas fail, words become very handy.
  18. Re:Who Cares... by ya+really · · Score: 2

    And Safari and Opera are both non-free so they are more reluctant to give detailed fix reports. http://my.opera.com/desktopteam/blog/ [opera.com]

    Non free? I believe you mean they have a proprietary source code, as opposed to open source like firefox. I don't recall paying to download either Opera or Safari for my desktop and laptop. Yes, I do know opera charges now for the Wii browser, but I don't have a Wii.

  19. Re:Who Cares... by Darkness404 · · Score: 2, Informative

    Non-free, as in closed-source, as in proprietary. Sure Safari is mostly open-source, but Opera is as much proprietary as IE.

    --
    Taxation is legalized theft, no more, no less.
  20. Re:Who Cares... by ya+really · · Score: 2, Interesting

    My issue is that "No one cares when Opera or Safari have a similar release. [or Internet Explorer, or Konqueror...]" but they do when its Firefox.

    Opera 9.51 went through a few RC's and a final and is on 9.52RC/Snapshot, Safari has gone through a couple *.*# and a whole #.0 in the last few months for Mac, Win and Mobile...

    Your post is sorta worded as flamebait to some, but it does have truth. It doesn't take a statistician or a complex algo to add up how many postings have been about FireFox in the past 6 months compared to all other browsers combined. I applaude the openness that Mozilla chose for it's flagship browser. However, their product seems to have drawn some rather fervent users as well. Don't mind them, they're to Firefox as Fundies are to religion. That is, ignore/condemn anything that doesnt parallel their own viewpoint.

  21. Re:Who Cares... by drewness · · Score: 2, Informative

    Non free? I believe you mean they have a proprietary source code, as opposed to open source like firefox.

    Safari is Open Source. Head over to WebKit.org and you can get the source via Subversion or browse it via Trac. It's licensed under a mix of LGPL and BSD licenses.

  22. Re:Who Cares... by Godji · · Score: 3, Funny

    Safari has gone through a couple *.*# and a whole #.0 in the last few months for Mac, Win and Mobile...

    And Internet Explorer is still going through lots of *&^%$#@!

  23. FF2 *got the same fix*. Tuesday. by rickst29 · · Score: 2, Informative

    The update for FF2 was pushed out a day before the FF3 update (on Tuesday morning, versus Wednesday afternoon). If you aren't using 2.0.0.16, you're prone to the same attack.

  24. Re:Who Cares... by HeroreV · · Score: 4, Informative

    Safari is closed source. WebKit (the layout engine Safari uses) is open source, but the builds used by Safari rely on a binary closed source blob from Apple. If you value software freedom, you shouldn't use Safari.

  25. Re:Who Cares... by Lennie · · Score: 4, Informative

    no, Safari isn't open source, WebKit is open source, because it is based on khtml.

    --
    New things are always on the horizon
  26. Re:Who Cares... by hesiod · · Score: 4, Funny

    It seems you haven't run Windows Update for a long time then...

  27. A brief future history of the awesome bar by violet16 · · Score: 2, Insightful

    Let me save you some time and map out your journey to acceptance of the awesome bar.

    First you hate it, because it's new and different to what you expect. You are trained to use it as an address bar and nothing else, so it acting like a search bar is confusing and suboptimal to you.

    At this point many people decide to trial the new bar, but you are the kind of person who tends to think he (forgive me, but he) knows what's good and what's not, and even quite enjoy the idea of customizing your Firefox. So you look for a way to preserve your old behavior. There are enough people like you to make worthwhile a mass solution: a config option and an extension.

    You and your anti-awesome fellows make use of these. You occasionally grumble that the awesome bar shouldn't be default at all, but you are basically satisfied so the rest of the world hears from you less and less.

    As time passes, you occasionally find yourself using other people's computers that have Firefox in a default state. This annoys you at first and if you are spending any serious time on them, you disable the awesome bar. But sometimes you're only using them briefly, so it's not worth modifying. Then, all of a sudden, you find the awesome bar useful. It's a surprise, like a door opening: you suddenly see that if you alter your behavior a little, the awesome bar could be quite useful.

    From this point you never disable the awesome bar again, although you leave it disabled on your main desktop, as a matter of principle.

    A new version of Firefox is released. The "Disable Firefox Awesome Bar" extension hasn't yet been updated to work on it. But by now you don't really mind. You now prefer the awesome bar. When you have to use Internet Explorer, or Firefox 2, the lack of an awesome bar bugs you. It seems so inflexible, so archaic.

    A while later, the author of the awesome-disabling extension stops updating it. People forget that anybody ever didn't like the awesome bar. But this new Firefox feature, the predictive URL form mapping--oh man, that's just so horrible, why is it on by default?

    --
    I should buy some cement.