Firefox 3.5's First Vulnerability "Self-Inflicted"

CWmike writes "Mozilla has confirmed the first security vulnerability in Firefox 3.5, saying that the bug could be used to hijack a machine running the company's newest browser. A noted Firefox contributor called the situation 'self-inflicted' and said it was likely that the hacker who posted public exploit code Monday became aware of the flaw by rooting through Bugzilla, Mozilla's bug- and change-tracking database. The vulnerability is in the TraceMonkey JavaScript engine that debuted with Firefox 3.5, said Mozilla. '[It] can be exploited by an attacker who tricks a victim into viewing a malicious Web page containing the exploit code,' Mozilla's security blog reported Tuesday."

Re:Foundation, Not a Company

[Richard_at_work]

When you wish to download Firefox or Thunderbird, you are redirected from Mozilla.org to Mozilla.com, so in this case calling it a company is most certainly correct - the Mozilla corporation is distributing the software to you, not the Mozilla foundation.

Full disclosure

[fedxone-v86]

Go on and mod me troll but, IMNSHO, this is just a display of the expertise of the full disclosure movement: Just post a test-case from an open bugtracker as your own exploit and enjoy your 15 minutes of fame amongst all the other skript-kiddies.

Well done, hacker!

Re:WTF

[bunratty]

You mean that you actually want example exploit code to be available to everyone? Why?

Re:WTF

[maxume]

So when they know about and are actively working on fixing a bug that is an exploit vulnerability, you think they should do it in public?

I get the argument that telling your users about it means that they can protect themselves (say, by running noscript), but for a consumer facing organization like Mozilla, the majority of users aren't going to notice or do anything.

MOD PARENT UP

[argent]

Mod Parent Up "this should have been in the summary, Taco".

Re:MOD PARENT UP

[argent]

Except then the bug is patched, and all of a sudden you aren't running the default settings for FF and things get weird.

I've got at least a dozen non-default settings I've set in about:config. What's one more?

Re:Nice test for the open source community

[fedxone-v86]

They haven't released an update yet though, which is probably the more interesting event.

That's true of course. And I don't want to split hairs but point out the open source nature of the Firefox browser:

The patch is already available.

Re:Foundation, Not a Company

Geezus....I should probably stop reading this site, it seems that everyone is so sure of themselves and are ALWAYS in the right that you actually have time to quabble over insignificant details. yeah he may have been incorrect (doubtful!) but do really think that the point was lost to anyone that read it? or caused ANY confusion? Why bother then?

get over yourselves, we aren't all born perfect, and may make mistakes. There is absolutely no reason to jump all over somebody for such a piddly mistake, EXCEPT TO BOOST YOUR OWN EGO!

rant off....

Re:Nice test for the open source community

[jank1887]

But, the majority of users only update firefox when it pops up a "hey, there's an update. Click here!" prompt.

The issue is unfixed for 90% of users until that occurs.

Re:Foundation, Not a Company

[plague3106]

Well, we can't let people actually discuss the issue here, which is a zero day exploit in a FOSS project. Nope, we'll gloss over that and nitpick the word used to describe Mozilla.

Re:NoScript: http://noscript.net

[Requiem18th]

Right, now where do we find something to protect us against NoScript and its attempts to take control over our browsers?

Re:This is why NoScript should be a core feature

[sjames]

Of course, NoScript can also be configured as opt out. It might make a lot of sense to incorporate it defaulted to opt-out and let the user make it opt-in if they like.

The browser's job is to do what the user wants it to do as it relates to browsing.

Why do we trust Javascript all of a sudden

[onlyjoking]

Is it just me who remembers the days when the only way to browse safely was to turn off Javascript? Now we're all drinking the web 2.0 kool aid it seems we've forgotten how many browser vulns are Javascript-related. Websites should never depend on Javascript to function properly but now we have point 'n click JQuery, Dojo etc. it seems websites are built on Javascript foundations with all the security issues that implies.

Re:Why do we trust Javascript all of a sudden

[twistah]

But there have been many browser exploits recently, and they've been in virtually every component of the browser. This flaw has nothing to do with JavaScript itself, just the implementation. Flaws have been found in XML and HTML rendering engines, third-party components, URL handlers and many other pieces of the browser. If we're going to disable every feature that's potentially vulnerable, we might as well stay off the Web.

Re:Some Questions & Comments About Firefox 3.5

[BZ]

323 // 0: no restrictions - divert everything
324 // 1: don't divert window.open at all
325 // 2: don't divert window.open with features
326 pref("browser.link.open_newwindow.restriction", 2);

See http://hg.mozilla.org/mozilla-central/annotate/94909af358c4/browser/app/profile/firefox.js

Re:time to close Bugzilla to the public

[jesset77]

such as assuming that nobody will ever guess that putting in a password of "&aR4q=Xj9_n½" will give them administrator access.

I would have edited in a password like "12345", but I had to enclose it in "strong" tags so that felt kind of cheap.

"Security through obscurity" means that lack of information is the only thing keeping something secure

yeah, kind of like lacking my username and password is one of the few practical things keeping you from using my online identity, and lacking my credit card number keeps you from running me into debt. Things like that. ;3