Firefox 3.5's First Vulnerability "Self-Inflicted"
CWmike writes "Mozilla has confirmed the first security vulnerability in Firefox 3.5, saying that the bug could be used to hijack a machine running the company's newest browser. A noted Firefox contributor called the situation 'self-inflicted' and said it was likely that the hacker who posted public exploit code Monday became aware of the flaw by rooting through Bugzilla, Mozilla's bug- and change-tracking database. The vulnerability is in the TraceMonkey JavaScript engine that debuted with Firefox 3.5, said Mozilla. '[It] can be exploited by an attacker who tricks a victim into viewing a malicious Web page containing the exploit code,' Mozilla's security blog reported Tuesday."
Mozilla has confirmed the first security vulnerability in Firefox 3.5, saying that the bug could be used to hijack a machine running the company's newest browser.
Just a note, I think Mozilla tries to shirk any idea of "company" or "corporation" from the open source development side of things. Instead, they are a non-profit foundation and recently created a separate taxable corporation with the intent of distribution and productizing Firefox & Thunderbird.
I think the word 'company' implies commercial interests and the developing part of Mozilla--the Foundation--does not have any commercial interests. While this may seem unimportant to you, I believe it to be a pretty important concept to clarify when you're talking about open source from a non-profit and open source from a company.
My work here is dung.
Everyone download NoScript Pronto!
It pays to be obvious, especially if you have a reputation for being subtle.
I have to say that Firefox is getting a lot worse lately. The user experience is in serious need of improvement and development is the pits. I installed the latest "big deal" Firefox update on June 30th. (For some reason they skipped a full four secondary updates, but whatever.) Upon restarting, which took several minutes, I began using Firefox 3.5.
At first, Firefox seemed strangely familiar. I thought they had changed very little unnecessarily until I visited the Acid3 test. Lo and behold, I was still using Firefox 3.0.0.11. What the fuck? I manually invoked Check for Updates and repeated my first attempt only to find, upon restarting, the same thing.
Finally in desperation I downloaded the installer manually from Mozilla. The install ran surprisingly quickly and, after a few minutes, I was launched with the new version. I had to check, though, because again I thought it looked like very little had changed.
In fact, did Mozilla bother changing anything beside the JavaScript? The new TraceMonkey is great and all, but they could have at least made it look like they were working on something else. When the most noticeable improvement is the "Know Your Rights" button (which everyone ignores) one really starts to wonder what the fuss was all about.
Well, after the three tries it took to upgrade, I found my profile wouldn't migrate. This was a mess, but I was able to eventually retrieve my bookmarks from a long, arcane file path in a hidden directory. But then upon visiting my bookmarked sites I found that almost none of my add-ons are compatible with it. Therefore my browser is almost entirely functionless.
The bookmark tool itself could use a polishing. It's a mess and has been since version 1.0. If a browser is meant to render and organize content, Firefox surely falls down in this area. Why does it take me several minutes to slosh through the GUI just to make a new folder and alphabetize some bookmarks in it? Not to mention the damned Bookmarks toolbar, which takes up too much damn space and can't be turned off.
And speaking of the GUI, it's slow as Hell. Get rid of the proprietary XUL and just hardcode the damned interface already!
I also have to mention memory use. On my system, Firefox was swallowing an incredible 400 MB with only a simple HTML 4 table open. 400 MB?! I blame this on the Firefox team's use of C++, where memory management is about as easy as herding cats. Likewise Firefox is a slow, bloated nightmare. (For a contrast, there's Safari, which is written in Objective C and is very small and efficient.)
Most of the time I have heavy JavaScript sites open. I shudder to think how much Firefox eats then, and I'll be sure to check in the future. No wonder my system tends to slow down when I've left Firefox open for days on end with dynamically updating pages and RSS feeds. Clearly, Firefox leaks memory like a cracked sieve in a waterfall.
With Firefox smelling more and more like crapware, I started to dig a little, first on Wikipedia and then on the Mozilla Development Forums. It turns out that my observations are part of a larger pattern of Firefox quality issues and development customs. The Mozilla developers are a bunch of arrogant, abusive shitheads.
For starters, they're still running all tabs in the same process. This is something IE7 and Safari 3 have had right for years. So if a plugin crashes or a page takes forever to finish rendering, everything's stuck. You can't even switch tabs to another page! And Firefox 3.5 is a "milestone" release? Firefox 3.6 and 4 are milestones too, and process-per-tab isn't scheduled for either.
Developer interaction with Firefox users is stilted too. Sometimes
We tried to be cool, but you guys violated our trust and abused the database, and made us look like fools in the process.
Congratulations, hacker, you've ruined it for everybody.
The Bugzilla database will no longer be made available to the public, only the elite cadre of Firefox developers.
Let's see how long it takes them to patch this
Probably won't be too long
Build a Man a Fire, and He'll Be Warm for a Day. Set a Man on Fire, and He'll Be Warm for the Rest of His Life.
I've wondered: will having an up-to-date NoScript add-on for Firefox prevent these attacks? Or will this bypass NoScript?
"Going to war without the French is like going deer hunting without your accordion." ~General Norman Schwarzkopf
Has anyone noticed performance degradation in 3.5? Opening a slew of bookmarked pages into tabs tends to make it feel like my internet connection has slowed down. Yet when all the tabs load, they all respond snappily.
And sometimes certain sites act sluggish when opening the same exact site works fine in Safari.
It wasn't like this in 3.01
"I am the king of the Romans, and am superior to rules of grammar!"
-Sigismund, Holy Roman Emperor (1368-1437)
As the man sung:
You do it to yourself, you do
and that's what really hurts
Is that you do it to yourself
Just you, you and no-one else
You do it to yourself
But, then, isn't that how it always is?
How else could you vote for George W Bush, Sarah Palin, and the rest of the goof troop with a straight face?
Poor republicans are even so dumb as to vote for policies that directly harm them.
Religion helps keep these people stupefied, but you have to wonder if you still have to be born retarded to vote Republican.
What do you mean there is a security exploit in a brand new version of a web browser? This is crazy, new versions of software should always be more secure than the previous versions.
Personally I'll be sticking with IE6, I never bought into this whole "Firefox" thing.
'[It] can be exploited by an attacker who tricks a victim into viewing a malicious Web page containing the exploit code,' Mozilla's security blog reported Tuesday."
Oh sure, I'm definitely going to follow that link now.
I only use IE 5.5!
I had heard about this earlier in the week and decided to give the demo exploit (which executes calc.exe) a run. As soon as I tried to save the HTML to a file Microsoft's Forefront A/V popped up with an alert detecting the shellcode within the sample code. Not bad, MS.
But if you really want to be safe you should be running noscript. It'll save you from running malicious code on sites you don't trust.
but isn't every application vulnerability self-inflicted? unless perhaps somebody hacked in and wrote the code for you!
"Looking at the exploit code and our test cases, I think this is self-inflicted and we should have hidden the bug earlier"
Nice attitude, guys...
Go on and mod me troll but, IMNSHO, this is just a display of the expertise of the full disclosure movement: Just post a test-case from an open bugtracker as your own exploit and enjoy your 15 minutes of fame amongst all the other skript-kiddies.
Well done, hacker!
(USER WAS PUT ON PROBATION FOR THIS POST)
Good thing I'm using Internet Explorer!
Oh wait...
w00t
still stuck on their momma's nipple ... they feel they cannot do anything without the help of others ... please momma, let me live in your house cause i'm scared of going out on my own ... please big government pay me money and give me free food cause you know i can't hold a job ... lmao
political parties are retarded in general ... vote independent
According to TFA, the temporary fix is to disable TraceMonkey (JavaScript will still work). Set 'javascript.options.jit.content' in about:config to false until the patch is released.
Dislike the Electoral College? Lobby your state to join the National Popular Vote Interstate Compact.
security fix here
is Google Chrome...
Mod Parent Up "this should have been in the summary, Taco".
Still it was fixed by the time I heard about it, yesterday. I've become a recent Microsoft convert, but they tend to pretend this isn't happening, till they release a fix on their own good time. And Apple just breaks everything for everyone else all the time so let's not go there. I'll be the first ever person to ever say I bought Apple hardware just to find out that Apple broke it for me cause I wasn't just cool.
Hey, they allow links from Slashdot again. That was blocked in the past.
Why not post in the summary the simple fix?
In lieu of a patch, users can protect themselves by disabling the "just-in-time" component of the TraceMonkey engine.
To do that, users should enter "about:config" in Firefox's address bar, type "jit" in the filter box, then double-click the "javascript.options.jit.content" entry to set the value to "false." The popular NoScript add-on will also ward off attacks.
Of course, Mozilla won't add a NoScript-like UI to Firefox, as it would make it convenient to block scripting, and hence annoy advertisers.
GCHQ Quantum Insert installed. If only our tongues were made of glass, how much more careful we would be when we speak
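The about:config workaround quoted in the comments above can be checked from outside the browser by reading a profile's preference files. The following is an added example, not part of the thread or Mozilla's code; it assumes the usual `user_pref(...)` line format of `prefs.js` and `user.js`, that `user.js` is applied over `prefs.js`, and that the JIT pref is on unless changed. The sample file contents are constructed.

```python
import re

PREF = "javascript.options.jit.content"  # pref name quoted in the thread

# One user_pref("name", value); statement per line, as found in prefs.js.
_LINE = re.compile(r'^[ \t]*user_pref\(\s*"([^"]+)"\s*,\s*(.*?)\s*\)\s*;\s*$', re.M)
_BLOCK_COMMENT = re.compile(r"/\*.*?\*/", re.S)

def _convert(raw):
    """Map a raw pref literal to bool, str or int."""
    if raw in ("true", "false"):
        return raw == "true"
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1]
    try:
        return int(raw)
    except ValueError:
        return raw  # leave anything unexpected as text

def parse_prefs(text):
    """Return {name: value}; commented-out lines do not count as set."""
    text = _BLOCK_COMMENT.sub("", text)
    return {m.group(1): _convert(m.group(2)) for m in _LINE.finditer(text)}

def effective_pref(name, prefs_js, user_js="", default=True):
    """Resolve a pref: user.js first, then prefs.js, then the default.
    default=True is an assumption (JIT on unless the user turned it off)."""
    user = parse_prefs(user_js)
    if name in user:
        return user[name], "user.js"
    stored = parse_prefs(prefs_js)
    if name in stored:
        return stored[name], "prefs.js"
    return default, "default"

def workaround_applied(prefs_js, user_js=""):
    """True only if the JIT pref resolves to an explicit false."""
    value, _ = effective_pref(PREF, prefs_js, user_js)
    return value is False

# Constructed sample profile contents (not taken from a real machine).
SAMPLE_PREFS_JS = '''# Mozilla User Preferences
/* Do not edit this file. */
user_pref("browser.startup.homepage", "about:blank");
// user_pref("javascript.options.jit.content", false);
'''
SAMPLE_USER_JS = 'user_pref("javascript.options.jit.content", false);\n'

if __name__ == "__main__":
    for label, user_js in (("prefs.js only", ""), ("with user.js", SAMPLE_USER_JS)):
        value, source = effective_pref(PREF, SAMPLE_PREFS_JS, user_js)
        state = "applied" if value is False else "NOT applied"
        print(f"{label}: {PREF}={value} (from {source}) -> workaround {state}")
```

To check a real profile, pass the text of its `prefs.js` (and `user.js`, if present) to `workaround_applied`.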
Careful.
The official NoScript site is http://noscript.net/.
To anyone who doesn't already know: NoScript prevents Javascript scripts from running unless they are chosen from a menu. That even protects against vulnerabilities that haven't been discovered yet.
I'd say, when complaining about FF performance, GTFO. The whining is just brutal ever since 3.0 came out, and I just don't get it. There is no shortage of alternatives. If FF doesn't improve their performance enough, they will surely fall by the wayside. If you don't have the energy to put a repeatable scenario in Bugzilla, cya, and godspeed.
Sometimes it's better to just hold back and wait until my distro decides it is time to update my versions.
“Common sense is not so common.” — Voltaire
fixed, but not pushed out yet. For the 'days to a fix' count, you need to count all days from the time the hole was discovered to the day a fixed version / patch is pushed out to users. (if I have to go looking for it, it's not 'fixed' yet) Most people are trained to only respond to Firefox's Update popups.
milw0rm, who can easily be put under the definition of "script kiddie lamer", spied on the Bugzilla bug reporting system, which should not be open regarding security issues, and posted quick exploit code for a bug which was already in the process of being fixed.
So, an open source system was abused in some form. It was an error on Mozilla's part though; security issues of open source apps shouldn't be discussed in public along with crashers etc.
Not a surprise. These people subscribe to all update/security mailing lists and grab a couple of issues and claim they hacked OS X.
On the other hand, Mozilla should be glad that he picked it. If it was a real black hat professional, he wouldn't be stupid enough to publicly disclose it and milk it as long as possible.
I thought the whole point of open source was not hiding bugs, so that they got fixed faster.
To me it's an essential difference with closed source.
That being said, until there's a fix, it's no porn, no online gambling, no pirate bay, no nothing!
"If anyone else has complaints about Firefox, post them here. [My emphasis] For a browser that's taken nearly a third of the market, it's doing so with an incredibly broken development model and backend...
"Until then, Firefox is just another out-of-control Open Source project that needs a good stiff slap in the face."
Agreed. Firefox has had broken, weak management because a socially inept lawyer, Winifred Mitchell Baker who has no technical knowledge or interest, was the head of the Mozilla foundation. Now she is Chairman of the Board.
"On my system, Firefox was swallowing an incredible 400 MB with only a simple HTML 4 table open. 400 MB?!"
I just started a computer that has Firefox 3.5 installed. I started Firefox and opened a web page. It used 200 MB.
"The bookmark tool itself could use a polishing. It's a mess and has been since version 1.0. If a browser is meant to render and organize content, Firefox surely falls down in this area."
Agreed. But apparently Firefox developers work on only what interests them, and they don't use browsers very heavily.
"No wonder my system tends to slow down when I've left Firefox open for days on end with dynamically updating pages and RSS feeds. Clearly, Firefox leaks memory like a cracked sieve in a waterfall."
Yes, but the CPU hogging bug is what makes Firefox slow after several days, not the memory hogging.
"I manually invoked Check for Updates and repeated my first attempt only to find, upon restarting, the same thing."
Yes, that's happened to me, also. The update procedure is buggy.
"Not to mention the damned Bookmarks toolbar, which takes up too much damn space and can't be turned off."
Not correct. The Bookmarks toolbar can be turned off.
"One time, a user with some programming experience suggested a bugfix to the wishlist. One programmer, whom I will not publicly name, suggested the user submit patches "once his balls dropped," if he were even male. If this were a real company and not a bunch of arrogant hacker hippies, user antagonism and sexism would never be acceptable."
Agreed, but it's worse than you say.
"For starters, they're still running all tabs in the same process. This is something IE7 and Safari 3 have had right for years. So if a plugin crashes or a page takes forever to finish rendering, everything's stuck. You can't even switch tabs to another page! And Firefox 3.5 is a "milestone" release? Firefox 3.6 and 4 are milestones too, and process-per-tab isn't scheduled for either."
Translation: Layoffs at Mozilla Foundation. As soon as Google's Chrome browser has sufficient Plug-ins, why would anyone use the quirky Firefox? But it may be years until Chrome has the necessary plug-ins. On the other hand, Google pays the Mozilla Foundation more than $55,000,000 per year to make Google the default search engine, so maybe someone at Google will hurry the development of Chrome to save huge amounts of money in future years.
PEOPLE IN GLASS HOUSES SHOULDN'T THROW STONES - "Those who are vulnerable should not attack others. The proverb has been traced back to Geoffrey Chaucer's 'Troilus and Criseyde' (1385). George Herbert wrote in 1651: 'Whose house is of glass, must not throw stones at another.' This saying is first cited in the United States in 'William & Mary College Quarterly' (1710). Twenty-six years later Benjamin Franklin wrote, 'Don't throw stones at your neighbors, if your own windows are glass.' 'To live in a glass house' is used as a figure of speech referring to vulnerability." From "Random House Dictionary of Popular Proverbs and Sayings" (1996) by Gregory Y. Titelman (Random House, New York, 1996).
A reminder to all open source developers tempted to continue talking endless flak about Microsoft and Sun products.
Futurist Traditionalism
Well, you could check for known problems first.
http://mozillalinks.org/wp/2009/07/workaround-for-firefox-3-5-slow-startups-on-windows/
If that doesn't fix it for you, post a bug report with the firefox devs (instead of on slashdot).
I thought security bugs were supposed to be confidential.
"The whining is just brutal ever since 3.0 came out, and I just don't get it."
Yes, that's right. You just don't get it.
That's correct. I was mistaken. I gave a correct answer, but the only perfect way to know which URL is to go through the Mozilla web site.
Is it just me who remembers the days when the only way to browse safely was to turn off Javascript? Now we're all drinking the web 2.0 kool aid it seems we've forgotten how many browser vulns are Javascript-related. Websites should never depend on Javascript to function properly but now we have point 'n click JQuery, Dojo etc. it seems websites are built on Javascript foundations with all the security issues that implies.
It's been fixed I think. Here is the link.
You must eat it.
Pshaw. I use telnet, and read the native code. I don't even see the code anymore... Blonde, Brunette, Red-Head...
Reading sites that use SSL is a bit tricky, though.
Telnet? Phooey! I surf the web and the net by hand-modulating light I inject into a fiber optic link, and by interpreting the bits sent to me as the infrared wavelengths are absorbed by my skin creating minuscule temperature variations on the surface. It took a bit of time to train myself to modulate and demodulate, but now it comes easily.
You're right about encrypting, however. That does take a bit more learning and skill to do.
This post is lifted directly from trollaxor.
http://www.trollaxor.com/2009/07/some-questions-comments-about-firefox.html
Please, when a post is as obviously a troll as this, mod it fucking troll.