Mozilla First To Patch Pwn2Own Browser Vulnerability

Constantine the Less writes "Mozilla has released Firefox 3.0.8 to fix a pair of code execution holes that put users of the browser at risk of drive-by download attacks. It includes a fix for one of the flaws exploited during this year's CanSecWest Pwn2Own hacker contest. The update also fixes a separate zero-day flaw disclosed earlier this week on a public exploit site. Both issues are rated 'critical,' Mozilla's highest severity rating."

Re:First post.

[MightyYar]

Yeah, but internet browsing just doesn't feel as exciting without the risk. Back to unpatched XP with IE6 for me...

Re:And this is a surprise?

[drinkypoo]

I also thought that open source had a built in Plan B that if a hole was found, anyone could submit a patch and it would get folded in as soon as it was reviewed and approved.

That's funny, this is a story about the Open Source browser being patched before every other browser, and you're not seeing a benefit?

Seen how insecure web browsers are...

Seen how insecure web browsers are, what would be a good way to surf under Linux?

I have an account that I use only for GMail and my bank's website (the latter using a physical device answering cryptographic challenge so nobody is abusing that [when wiring money to a new account number, the account number of the recipient itself is part of the cryptographic challenge, there's no MITM, no nothing that can work against that]).

Then I have an account only for browsing. The user owning this account on my machine has user ID 1007.

This user is not even allowed to connect to localhost. I don't want to know. All he can do is surf the web, using iptables like this:

iptables -I OUTPUT -m owner --uid-owner 1007 -j REJECT
iptables -I OUTPUT -m owner --uid-owner 1007 -p tcp --dport 80 -j ACCEPT
iptables -I OUTPUT -m owner --uid-owner 1007 -p tcp --dport 443 -j ACCEPT
iptables -I OUTPUT -m owner --uid-owner 1007 -p udp --dport 53 -j ACCEPT

Are there others simple things I could do to deal with security hazard that these browsers are?

Things I could do about this user's home directory permissions? Disable his SSH? etc.

Basically I think I'd like to have an account that can "do nothing but run Firefox".

Or is there an easy, lightweight (lightweight as in "I don't necessarily want to virtualize a full OS just to run a browser", way to sandbox a browser?

In other words, I consider the "security" of all the browsers to be a bad joke and I regard running a browser basically the same as executing "omgWindozeServer2012Crack.exe" on my machine and I'd like any hint from people who are surfing in a "safer" way.

Re:Seen how insecure web browsers are...

[siride]

You could try not freaking the fuck out about browser security, unless you plan on visiting Russian spam sites and whatnot. I use Firefox on Linux and I've never had an issue. I use Flashblock, Adblock and occasionally Noscript. Just exercise reasonable caution and you should be fine. Heck, even under Windows I never got viruses or spyware, and I used IE!

MS already patched in IE8 final build

MS patched this on IE8 on Vista already before it published Mar 19. http://blogs.iss.net/archive/chicksdigIE8.html

XP hasn't been patched yet. Doesn't support DEP, so will be a bit more work.

Re:MS already patched in IE8 final build

Doesn't support DEP, so will be a bit more work.

DEP is supported on Windows XP since SP2.

BAH!

[iminplaya]

The contestants already have next year's winning exploit waiting in the wings. Maybe we should have these contests every month instead of once a year.

Re:And this is a surprise?

And did closed source helped ms to make more secure browser?

umm, yes.
the person who cracked safari on osx said that ie8 on vista was the toughest to exploit.

Re:And this is a surprise?

[makomk]

Well, it wouldn't work on Vista on the final release of IE8, except on Intranet pages. Apparently, it still works on IE8 running under XP, still works on Intranet pages. The underlying vulnerability is still present on IE8 on all platforms, it's just that there's not currently any way to exploit it thanks to DEP and ASLR.

Re:First post.

[purpledinoz]

You finish installing Windows XP. You connect to the internet and fire up your browser. 4 minutes later, additional processes start appearing in your task manager. You've been pwnd! You frantically try to close the security holes by going to the Windows Update website, but all you get are ads for penis enlargement and free porn. As your PC slows to a crawl, the excitement fades...

Re:And this is a surprise?

[icebraining]

On the other hand, Firefox on Linux wasn't exploited at all.

Re:First post.

[RiotingPacifist]

untrusted extentions are the way of the future. they let YOU choose how much you get pwned.
Only want a mild risk? install a few 3rd party extentions,
Fancy taking your chances? look for ones with spelling mistakes in the discriptions,
Unprotected sex with the internet? well start installing them from 3rd party sites
Fuck it, pwn me already? install greasemonkeys and look for scripts that have the discription written in 1337 sp3/\k

Mac OS X != OSS

[tepples]

I can't download the upgrade. I'm running OSX 10.3.9, and Firefox 2.0.0.1. Firefox 3.x requires 10.4.

OSS developers should think about those of us that are still happy with their older software! (or can't upgrade)

Mac OS X is not open-source software. If you can't install Leopard or even Tiger on your PowerPC Mac, try installing a Linux distribution that supports your Mac model. I'm sure they still exist.