Slashdot Mirror
Firefox 3.0.1 Fixes 'Carpet Bombing' Issue
An anonymous reader writes "Firefox 3.0.1 was released today. It fixes 3 security vulnerabilities, including a critical issue reported by Billy Rios, Ben Turner, and Dan Veditz. The issue could be combined with an issue in Apple's Safari browser to read data from the user's disk or to execute arbitrary code. This issue was previously discussed on Slashdot.
The release also fixes a remote code execution bug involving the CSS reference counter, reported by the Zero-Day Initiative (previously discussed on Slashdot here), as well as a Mac-only potential code execution bug involving GIF image rendering, reported by Drew Yao of Apple Product Security."
Actually, it's a .0.1 release. Firefox 3.1 (alpha due this summer) has a lot of new features that didn't make it in time for 3.0.
Interested in open source engine management for your Subaru?
Firefox 3 was crashing 3-10 times a day for me even after completely removing everything FF related. At the risk of jinxing myself I will say that I'm crash free on 3.0.1 for 4 hours now.
return EXIT_SUCCESS;
I had to giggle at the workaround. To prevent a firefox flaw from biting you, you need to have firefox open. Phew, I'm so glad I'm safe.
Don't anthropomorphize computers. They *hate* that.
This attack only works if the user is using another internet-connected application with Firefox not running. Using Firefox, or making sure it is at least running, prevents this attack.
So as long as you use Firefox all day long, you will not be affected.
Hmm, a Google search reveals that while the "awesome bar" is still the default, you can disable it by following the directions below (but, maybe you already knew this):
1. Type about:config into the location bar and change the value browser.urlbar.matchOnlyTyped to true. After this, you need to restart Firefox. All this does is make it so that Firefox only searches the URLs you have typed and not the titles of pages.
2. Install the Old Location Bar extension. This changes the location bar so that it looks like how it looked in Firefox 2. As of me writing this post, it is an experimental addon so you will need to register to the Firefox addon service to install it.
When you run an application from Windows Explorer, it is normally run with its current directory set to the directory that the executable is located in. The vulnerability exposed by the "carpet bombing" attack involved attacking Internet Explorer, because Internet Explorer runs with its current directory set to the desktop... not the directory containing the IE executable. There is no obvious reason why IE does this, nor any reason I can come up with for Microsoft not to change it.
Chances are that the reason is not that it's bug-free, but that it's still buggy.
Chances are that you are not a developer.
"He who is without a sin throw the first stone."
For anyone on a slow connection or with an old machine (like me) that was almost a showstopper. Thankfully, *seems* to be fixed now.Haven't seen any real crashes to the desktop even with the betas...
A workaround is to go Tools->Options-> Security and turn off the attack site and forgery options.
Andy
... I didn't download Firefox 3 when it came out. In fact, I'm still on Firefox 2, and I'm sure a good percentage of fellow /.ers are as well.
Um... the carpet bombing vulnerability also affects Firefox 2. It looks like someone is in trouble :)
http://dictionary.reference.com/search?q=irony
Patrick Doyle
I mod down every jackass who puts his moderation policy in his sig. Oh, wait a sec....
when the authors update them?
of course, you could google for a couple of seconds and fix it yourself (hint: you can force it to ignore the version)
I have developed a truly marvelous proof of this comment, which this signature is too narrow to contain.
I for one, welcome our browser caring overlords.
My issue is that "No one cares when Opera or Safari have a similar release. [or Internet Explorer, or Konqueror...]" but they do when its Firefox.
Opera 9.51 went through a few RC's and a final and is on 9.52RC/Snapshot, Safari has gone through a couple *.*# and a whole #.0 in the last few months for Mac, Win and Mobile...
But no, Firefox 3.1 Sub-Alpha-Hypothetical-Possibility-Beta-RC Build 3219 hits front page and we're supposed to eat a cracker drink some wine and pray to it, but oh wait, we're all for competition and innovation, as long as its Firefox Vs. Firefox.
(stomps off)
And Safari and Opera are both non-free so they are more reluctant to give detailed fix reports.
http://my.opera.com/desktopteam/blog/
When ideas fail, words become very handy.
Nice to repeat the same ol' FUD, but you do realize that FF3 memory usage is significantly lower than FF2 and IE, don't you? You /did/ know that, right?
I've used it once to date, when going back to a walkthrough page on gamefaqs. 99% of the time, I know the address I'm going to, or I have it bookmarked, so the "awesomeness" is wasted on me.
$_ = "wftedskaebjgdpjgidbsmnjgcdwatb"; tr/a-z/oh, turtleneck Phrase Jar!/; print
Lifehacker has instructions on how to restore the yellow for SSL sites, among other nice UI changes (such as removing the Go and Search buttons from the Address and Search bars, respectively). It does require an extension (either Stylish or Greasemonkey), but it definitely works, I've been using this at home for a few weeks now.
Safari has gone through a couple *.*# and a whole #.0 in the last few months for Mac, Win and Mobile...
And Internet Explorer is still going through lots of *&^%$#@!
Safari is closed source. WebKit (the layout engine Safari uses) is open source, but the builds used by Safari rely on a binary closed source blob from Apple. If you value software freedom, you shouldn't use Safari.
no, Safari isn't open source, WebKit is open source, because it is based on khtml.
New things are always on the horizon
It seems you haven't run Windows Update for a long time then...