Firefox 3.5's First Vulnerability "Self-Inflicted"

CWmike writes "Mozilla has confirmed the first security vulnerability in Firefox 3.5, saying that the bug could be used to hijack a machine running the company's newest browser. A noted Firefox contributor called the situation 'self-inflicted' and said it was likely that the hacker who posted public exploit code Monday became aware of the flaw by rooting through Bugzilla, Mozilla's bug- and change-tracking database. The vulnerability is in the TraceMonkey JavaScript engine that debuted with Firefox 3.5, said Mozilla. '[It] can be exploited by an attacker who tricks a victim into viewing a malicious Web page containing the exploit code,' Mozilla's security blog reported Tuesday."

Foundation, Not a Company

[eldavojohn]

Mozilla has confirmed the first security vulnerability in Firefox 3.5, saying that the bug could be used to hijack a machine running the company's newest browser.

Just a note, I think Mozilla tries to shirk any idea of "company" or "corporation" from the open source development side of things. Instead, they are a non-profit foundation and recently created a separate taxable corporation with the intent of distribution and productizing Firefox & Thunderbird.

I think the word 'company' implies commercial interests and the developing part of Mozilla--the Foundation--does not have any commercial interests. While this may seem unimportant to you, I believe it to be a pretty important concept to clarify when you're talking about open source from a non-profit and open source from a company.

Re:Foundation, Not a Company

[TinBromide]

The legal definition (as was explained to me by a drunk law school student) is that a company is a group of people working together towards a shared goal. I.E. a bunch of boy scouts who want to go camping could technically call themselves a company, a bunch of guys looking to go out drinking could technically be called a company. Scale that up and the foundation could be technically called a company.

Your issue isn't with the technical use of the word, but diction, its implied meaning and associations. That being said, the use is technically incorrect but not artistically apt.

Where the Hitchhiker's Guide is in error, it is definitively so. This means that Reality is the one who got things wrong. So when the publishers of the Hitchhiker's Guide got sued by the families of tourists who took literally the sentence 'Vicious Bugblatter beasts often make a good meal for visiting tourists' which should have been rendered 'Vicious Bugblatter beasts often make a good meal of visiting tourists', the publishers brought in a poet to testify under oath that the second sentence is the more aesthetically pleasing of the two, and that Beauty is Truth and Truth, Beauty. They argued then that Life itself was the culprit for being neither beautiful nor true. In a startling decision, the judges agreed, holding Life in contempt of court and confiscated it from everyone present before going out for a round of Ultra-golf.

Re:Foundation, Not a Company

[Richard_at_work]

When you wish to download Firefox or Thunderbird, you are redirected from Mozilla.org to Mozilla.com, so in this case calling it a company is most certainly correct - the Mozilla corporation is distributing the software to you, not the Mozilla foundation.

Re:Foundation, Not a Company

[FudRucker]

or the Boogie Woogie Bugle boys from Company "B"

Right_Here

Re:Foundation, Not a Company

[TheLink]

I am not a drunk law school student but here you go:

http://en.wikipedia.org/wiki/Legal_person#Examples

Note that in legal terms a Company is different from a Cooperative, even though a Cooperative could also be considered a group of people working towards a shared goal.

Re:Foundation, Not a Company

Geezus....I should probably stop reading this site, it seems that everyone is so sure of themselves and are ALWAYS in the right that you actually have time to quabble over insignificant details. yeah he may have been incorrect (doubtful!) but do really think that the point was lost to anyone that read it? or caused ANY confusion? Why bother then?

get over yourselves, we aren't all born perfect, and may make mistakes. There is absolutely no reason to jump all over somebody for such a piddly mistake, EXCEPT TO BOOST YOUR OWN EGO!

rant off....

Re:Foundation, Not a Company

[Dragonslicer]

Company is also a military term for a medium-sized group of soldiers (Wikipedia says on the order of 100-200).

Re:Foundation, Not a Company

[plague3106]

Well, we can't let people actually discuss the issue here, which is a zero day exploit in a FOSS project. Nope, we'll gloss over that and nitpick the word used to describe Mozilla.

Re:Foundation, Not a Company

[nigelo]

... a Company is different from a Cooperative...

You mean, the People's Front of Mozilla, as opposed to the Mozillan People's Front, or any other form of anarcho-syndicalist commune?

Re:Foundation, Not a Company

[the_womble]

The Mozilla Foundation's about page says:

The Mozilla Foundation is a California non-profit corporation exempt from Federal income taxation under IRC 501(c)(3). It is governed by its Board of Directors.

I am not sure about US usage, but in the UK and many other countries a corporation created by registration (with the registrar of companies - Companies House in the UK) is correctly referred to as a company, regardless of whether it is a profit making or non-profit company.

Re:Foundation, Not a Company

[TheLink]

Add "Democratic" to the name for that Extra Touch of Class.

Re:Foundation, Not a Company

[brusk]

You mean that Extra Touch of Class Struggle.

Re:Foundation, Not a Company

[Chrisq]

Add "Democratic" to the name for that Extra Touch of Class.

The Democratic people's front of Mozilla! Pha! Splitters.

Re:Foundation, Not a Company

[thePowerOfGrayskull]

In addition, thinking that the company has no influence over the development done by the foundation is a bit naive...

Right! Quick!

[Canazza]

Everyone download NoScript Pronto!

Re:Right! Quick!

[zorg50]

No-Script has never been spyware. Adware, on the other hand...

Re:Right! Quick!

[RiotingPacifist]

Ended up going back to noscript recently but it really is an ugly solution, yesscript is only helps against tracking. What is really needed is a good guide for using controldescripts (or a similar extention) allowing all sites to access a list of known safe fucntions (to let you browse the web without it getting in the way), some to be blacklisted (to protect you from tracking), an easy GUI way to allow a greater subset of functions to be accessed (for trusted site) and an security workarounds to stop any vulnerabilities working in the wild.

Re:Right! Quick!

[IRWolfie-]

and don't forget malware

Re:Right! Quick!

[nog_lorp]

Sounds like you want a "Javascript Firewall". Cool idea really.

Nice test for the open source community

[Big+Hairy+Ian]

Let's see how long it takes them to patch this

Probably won't be too long

Re:Nice test for the open source community

[fedxone-v86]

If you had read the bugzilla thread (I know, I know) you'd know it's already fixed ;)

Re:Nice test for the open source community

[maxume]

They haven't released an update yet though, which is probably the more interesting event.

Re:Nice test for the open source community

[ioErr]

Just remember to start counting from the day the bug was reported and not from today.

Re:Nice test for the open source community

[bunratty]

It's already patched, and there are test builds of Firefox 3.5.1 available.

Re:Nice test for the open source community

[Yvanhoe]

The first post is somehow a patch. /. community passes !

Re:Nice test for the open source community

[fedxone-v86]

They haven't released an update yet though, which is probably the more interesting event.

That's true of course. And I don't want to split hairs but point out the open source nature of the Firefox browser:

The patch is already available.

Re:Nice test for the open source community

[jank1887]

But, the majority of users only update firefox when it pops up a "hey, there's an update. Click here!" prompt.

The issue is unfixed for 90% of users until that occurs.

Re:Nice test for the open source community

[AmberBlackCat]

It's possible Microsoft has an update somewhere to patch all known vulnerabilities of every version of Windows.

Re:Nice test for the open source community

[TheCycoONE]

According to the mozilla wiki report of the weekly status meetings the patch will be out by the end of the week: https://wiki.mozilla.org/Firefox3.5/StatusMeetings/2009-07-15

Re:Nice test for the open source community

[barzok]

It's called fdisk

Re:Nice test for the open source community

[Cato]

I didn't find this patch on Linux or Windows through Check For Updates - currently the about:config change is the way to go.

Re:Nice test for the open source community

[Lennie]

I have some doubts about that.

Re:Nice test for the open source community

[AmberBlackCat]

The point was, Mozilla having a patch available is no better than Microsoft possibly having a patch available, if it isn't released.

Re:Nice test for the open source community

[Lennie]

I wasn't all that serious.

Re:Nice test for the open source community

[TheCycoONE]

The patch appears to have been released now

Re:Nice test for the open source community

[fedxone-v86]

No, the point is, since Firefox is an open-source project, a security minded person is already able to fetch the patch from Mozilla's open code repository. There is no such thing for Microsoft products.

In my opinion this makes a big difference. But nowadays, I seem to be in the minority.

By Vulnerability, you mean...

[Haffner]

I've wondered: will having an up to date NoScript addon for firefox prevent these attacks? or will this bypass NoScript?

Re:By Vulnerability, you mean...

[emocomputerjock]

The answer I've seen elsewhere is yes, NoScript blocks this (unless you allow it).

Re:By Vulnerability, you mean...

[kamatsu]

If that is seriously firefox code, i'm glad I use chromium.

Maybe off topic but...

[vertinox]

Has anyone notice performance degradation in 3.5? Opening a slew of bookmarked pages into tabs tends to make it feel like my internet connection has slowed down. Yet when all the tabs load, they all respond snappily.

And sometimes certain sites act sluggish when opening the same exact site works fine in Safari.

It wasn't like this in 3.01

Re:Maybe off topic but...

[FlyingBishop]

Yes, but a single Slashdot article with comments loads at least 30% faster, and I do that a lot more often than opening a ton of bookmarks in tabs. I think on the whole it saves me a lot more time than it costs.

Re:Maybe off topic but...

[troylanes]

It certainly "feels" less responsive. Particularly when scrolling through a page then subsequently stopping and clicking a link, etc. A 3-5 second 'spinning ball of death' is not uncommon when traversing any given page.

Re:Maybe off topic but...

[Lord+Ender]

When complaining about Firefox performance issues, always disable all addons to verify that the problem is, in fact, with Firefox itself.

I can say that Firefox is quite fast on my i7 with 12GB RAM and an Intel X25 Extrem SSD ;-)

Re:Maybe off topic but...

[rtyhurst]

FF3.5 eats a lot of system resources, especially when it's been open for a while.

I think this accounts for these observations.

Re:Maybe off topic but...

[misexistentialist]

Noscript 1.9.5 causes a slowdown when opening multiple tabs. You can test this by trying the development build http://noscript.net/getit#devel

Re:Maybe off topic but...

[Propaganda13]

I haven't noticed a problem except when I went into the history section and told it open all of yesterday's sites. It did warn me that opening 500+ tabs could cause performance issues.

Re:Maybe off topic but...

[indraneil]

I think the problem that you may be facing is due to firefox doing weird things to generate random numbers at start
See https://bugzilla.mozilla.org/show_bug.cgi?id=501605
I see that the bug has since been fixed - but I guess it has not been distributed to the general public via upgrades.

Re:Maybe off topic but...

[Landshark17]

I have... Kinda. I got the newest update and things seemed fine, then I tried to access Pandora. I'd never used it before and thought I'd check it out. Big mistake. It crashed Firefox three attempts in a row, and I had no better luck with Opera. Ever since, anything I do in Firefox is painfully slow. Case and point, while typing this response, more than once I typed so fast that I had to wait for the letters on the screen to catch up with my typing to make sure I hadn't made an error. Also it takes me a few seconds to switch between tabs, and a second more to mouse-over something and have Firefox realize it was a link. I just assumed Pandora had somehow screwed up my computer, but now I'm considering using Opera and seeing if it's not just Firefox that's acting funny.

Re:Maybe off topic but...

[gbarules2999]

No.

Re:Maybe off topic but...

[orngjce223]

Pandora is very heavy on the CPU. I have to run it in a Google Chrome tab (point being, it's faster) just to keep FF responsive enough to post to Slashdot in.

Re:Maybe off topic but...

[Zancarius]

Has anyone notice performance degradation in 3.5? Opening a slew of bookmarked pages into tabs tends to make it feel like my internet connection has slowed down. Yet when all the tabs load, they all respond snappily.

I have, especially with > 200 tabs open at a time. But, that's more an artifact of my insanity and less a representation of a common use case among users. I know of others who tend to have in excess of 400 open, but I don't imagine they're more than 1% of the user base.

I love my tabs.

Re:Maybe off topic but...

[Steven_Lunn]

Running 500 at the moment myself. Yes, I'm insane too, but it works great for me.

Re:Maybe off topic but...

[Zancarius]

Thank goodness someone else understands. I'm curious if you suffer from the same affliction as I: Do you tend to open nearly anything that looks remotely interesting on the off-chance you might go back to it later? I've done that more often than I care to admit, though most of my tabs tend to be related to documentation and the likes. Oh, and probably about 20-30 forgotten Google searches.

It's probably none of my business, but I'm really rather curious what habits other "tab mongers" have! (My meager all-time-high of 330 tabs is pale in contrast to yours!)

Re:Maybe off topic but...

[Steven_Lunn]

Absolutely. Most links I open I come back to later (sometimes much later - months even), unless I really do need to look at them now. I tend to have a window per "subject area", with many tabs per window. So my news window has tabs from all the news sites I visit, tech window has all tech related tabs etc. Admittedly many of the tabs get closed quickly when I do eventually go back to them, as they can often be duplicates (easy to forget whether I have opened a tab before or not) or not very useful. The thing that generates the most tabs for me is visiting a forum. If I haven't been there for a while then it can get very busy........ FF makes it easy to recover due to tab and window restore. I find NoScipt is a must to stop FF from hogging the CPU if one of the sites has Flash or unnecessary JavaScript.

Re:time to close Bugzilla to the public

[maxume]

They already had a standing policy of hiding security related bugs (I.e. those that they figured were exploitable; It is even discussed in the log linked in the summary!).

Unacceptable

What do you mean there is a security exploit in a brand new version of a web browser? This is crazy, new versions of software should always be more secure then the previous versions.

Personally I'll be sticking with IE6, I never bought into this whole "Firefox" thing.

Yeah, right

[DoofusOfDeath]

'[It] can be exploited by an attacker who tricks a victim into viewing a malicious Web page containing the exploit code,' Mozilla's security blog reported Tuesday."

Oh sure, I'm definitely going to follow that link now.

Re:Yeah, right

[phantomcircuit]

http://www.cutekittens.com/ how about that one? :D

Re:Yeah, right

[DoofusOfDeath]

http://www.cutekittens.com/ how about that one? :D

Oh man, that site is AWESOME!!! I can't believe what those women were doing. I can't believe it's a free site. Thanks!

Re:Yeah, right

[RichardJenkins]

How about this one? Looks like it goes to Google, right?

Wimp!

[argent]

I only use IE 5.5!

Re:Wimp!

[GaratNW]

My first reaction to seeing the headline for this post was basically "Shit! I forgot I need to update Firefox to 3.5!"... Humans are kinda dumb sometimes. Or maybe it's just me.

Re:Wimp!

[RiotingPacifist]

3.5 is good for speed ups and being able to disable the awsomebar (if you want), but generally most mozilla browsers need a couple of security patches before they are truely ready for the masses. 3.5.1 or 3.5.2 would be a good one to upgrade to.

Re:Wimp!

[mcrbids]

Pshaw. I use telnet, and read the native code. I don't even see the code anymore... Blonde, Brunette, Red-Head...

Reading sites that use SSL is a bit tricky, though.

Re:Wimp!

[notseamus]

If you wait long enough, the spyware that exploited old versions of IE will disappear making browsin safe again!

Re:Wimp!

[jesset77]

So what? All that proves is that you've moved the point of execution, and the vulnerability on into your head.

And don't expect Motoko to dive in just to save your ghost. :P

Microsoft Caught This 0-day

[_bug_]

I had heard about this earlier in the week and decided to give the demo exploit (which executes calc.exe) a run. As soon as I tried to save the HTML to a file Microsoft's Forefront A/V popped up with an alert detecting the shellcode within the sample code. Not bad, MS.

But if you really want to be safe you should be running noscript. It'll save you from running malicious code on sites you don't trust.

Re:Microsoft Caught This 0-day

[Hatta]

But if you really want to be safe you should be running noscript. It'll save you from running malicious code on sites you don't trust.

If only there was something that would save me from running malicious code on sites I do trust.

forgive me

[neonprimetime]

but isn't every application vulnerability self-inflicted? unless perhaps somebody hacked in and wrote the code for you!

Re:forgive me

[bunratty]

They mean that they publicly released the example exploit code. Of course they coded the vulnerability!

WTF

[wumpus188]

"Looking at the exploit code and our test cases, I think this is self-inflicted and we should have hidden the bug earlier"

Nice attitude, guys...

Re:WTF

[bunratty]

You mean that you actually want example exploit code to be available to everyone? Why?

Re:WTF

[maxume]

So when they know about and are actively working on fixing a bug that is an exploit vulnerability, you think they should do it in public?

I get the argument that telling your users about it means that they can protect themselves (say, by running noscript), but for a consumer facing organization like Mozilla, the majority of users aren't going to notice or do anything.

Re:WTF

[Hurricane78]

No. The point is that security trough obscurity never works. If you hide it, only the bad guys will have it. If you show it, at least more people can do something against it.

Full disclosure

[fedxone-v86]

Go on and mod me troll but, IMNSHO, this is just a display of the expertise of the full disclosure movement: Just post a test-case from an open bugtracker as your own exploit and enjoy your 15 minutes of fame amongst all the other skript-kiddies.

Well done, hacker!

Re:Full disclosure

[broken_chaos]

Mozilla doesn't even practice full disclosure. They normally hide security bugs from the public, but they missed this one, as well as not fixing it before 3.5's release.

Unless you're seriously suggesting that all bugs should be hidden from the public on the off chance they'll be exploitable, meaning a lot more duplicate bug reports, no independent confirmation of a bug's existence, and an inability for anyone else to fix the problem, except those granted permissions to read bugs.

Re:Full disclosure

[fedxone-v86]

After reading this comment I felt the need to point out the practices of the Secunia sponsored "Full Disclosure" mailing list whose supporters I called the Full Disclosure movement.

This is the message that credits a guy called SBerry for "discovering" the vulnerability. All that guy did was take the testcase from the Mozilla bug tracker attach a payload to it and publish it as his exploit, ready to be consumed by every skript kiddie with a subscription to that list or the milw0rm exploit RSS feed.

And Secunia even have the nerve calling the exploit the original advisory.

I'm not suggesting we hide all bugs and actually I don't like Mozilla's practice of doing so, for the same reasons that you suggest.

What I'm suggesting is that people like SBerry, milw0rm and Secunia get punished for what they do. An exploit is no security advisory! As the name suggests its only purpose is to exploit a known vulnerability which in almost all cases happens with criminal intend. Secunia is promoting this practice by giving credit to the exploit writers (and who knows what else). milw0rm is one of their henchmen hosting all the exploits. SBerry is one of the many misguided hackers, yearning for approval, who partake in this "security practice" called Full Disclosure.

But you know, I'm just a developer who was raised a hacker. I would never call me a security expert but I really have an uneasy feeling knowing that the Security industry is promoting ready-made exploits, which I think is actually quite insecure.

Re:time to close Bugzilla to the public

[Lulfas]

So.... Time till someone makes a post saying how much better Firefox is because it doesn't practice "Security through obscurity?"

Temporary fix

[AdmiralXyz]

According to TFA, the temporary fix is to disable TraceMonkey (JavaScript will still work). Set 'javascript.options.jit.content' in about:config to false until the patch is released.

MOD PARENT UP

[argent]

Mod Parent Up "this should have been in the summary, Taco".

Re:MOD PARENT UP

[kestasjk]

Except then the bug is patched, and all of a sudden you aren't running the default settings for FF and things get weird.

Better not to visit suspicious sites, and if you have to install NoScript, it'll hugely decrease the potentially vulnerable "surface area" of your web browser.

Re:MOD PARENT UP

[argent]

Except then the bug is patched, and all of a sudden you aren't running the default settings for FF and things get weird.

I've got at least a dozen non-default settings I've set in about:config. What's one more?

Re:MOD PARENT UP

[the+way,+what're+you]

I've got at least a dozen non-default settings I've set in about:config. What's one more?

at least a baker's dozen?

Re:MOD PARENT UP

[BJ_Covert_Action]

Also from the article:

"The popular NoScript add-on will also ward off attacks. "

Though I would think that is only true depending on how strict one's NoScript settings are, it might be useful to those with NoScript installed to realize that they can tweak with it to give them a temporary fix until an official update/patch comes out. Also, it might warn some users to pay attention when NoScript pops up a warning about malicious script possibilities, as opposed to just clicking the 'allow anyway' option.

Cheers.

Re:MOD PARENT UP

[snl2587]

Who reads the summary? The title's all you need!

Granted bugs happen and is obviously nice exploit

[qurk]

Still it was fixed by the time I heard about it, yesterday. I've become a recent Microsoft convert, but they tend to pretend this isn't happening, till they release a fix on their own good time. And Apple just breaks everything for everyone else all the time so let's not go there. I'll be the first ever person to ever say I bought Apple hardware just to find out that Apple broke it for me cause I wasn't just cool.

bugzilla.

[leuk_he]

Hey they allow links from slashdot again. that was blocked in the past.

Re:time to close Bugzilla to the public

[maxume]

Who cares if they do? Security through obscurity is a perfectly valid strategy, as long as it is used in conjunction with other strategies, so when someone criticizes the mere use of secrecy, they can be disregarded.

(Think about it for a minute; passwords, keys, access codes, hidden safes, etc.)

Re:the only browser with 0 vulnerabilities

[Colonel+Korn]

is Google Chrome...

Nope:

http://chromekb.com/vulnerabilities/

The attitude that some platforms are simply immune to attacks is foolish and counterproductive.

Why didn't you post the (simple) fix???

[brunes69]

Why not post in the summary the simple fix?

    In lieu of a patch, users can protect themselves by disabling the "just-in-time" component of the TraceMonkey engine.
    To do that, users should enter "about:config" in Firefox's address bar, type "jit" in the filter box, then double-click
    the "javascript.options.jit.content" entry to set the value to "false." The popular NoScript add-on will also ward off attacks.

Re:Why didn't you post the (simple) fix???

[g-san]

That is not a simple fix, that is a temporary workaround. Turning off the JIT compiler has performance implications.

Re:Why didn't you post the (simple) fix???

[brunes69]

It basically just puts you back to 3.0 mode.

Re:Whew!

[Gadget_Guy]

If you are worried about IE, why did you link to a bug in Office?

This is why NoScript should be a core feature

[metamatic]

Of course, Mozilla won't add a NoScript-like UI to Firefox, as it would make it convenient to block scripting, and hence annoy advertisers.

Re:This is why NoScript should be a core feature

[e9th]

I was going to point out that NoScript was near the top of the recommended add-ons page, but now I see that is no longer there at all! You have to search for it. Adblock Plus still tops the list, however.

Re:This is why NoScript should be a core feature

[Ilgaz]

A browser's job is to execute scripts securely, safely and in fast manner. If a browser comes with "opt in" scripting which is really impossible in real web these days, it wouldn't really have a good image and experience.

What they should do is, think about the biggest lamer they have ever met and multiply it with 10 and act accordingly dealing with security issues. Spying bugzilla in progress and release an exploit(!) based on it is lowest one can get.

Re:This is why NoScript should be a core feature

[metamatic]

If a browser comes with "opt in" scripting which is really impossible in real web these days, it wouldn't really have a good image and experience.

If it's impossible, why is NoScript so popular?

And not downloading images makes for a bad web experience, but Firefox still has an option for that.

Re:This is why NoScript should be a core feature

[VGPowerlord]

I was going to point out that NoScript was near the top of the recommended add-ons page, but now I see that is no longer there at all! You have to search for it. Adblock Plus still tops the list, however.

NoScript got buried after the incident with it fucking around with AdBlock's settings, then once that was discovered and pointed out, them adding an AdBlock filter set to bypass blocking on NoScript's author's site.

As far as I know, it does neither any more, but it pissed off a lot of users, myself included, and its author's reputation went through the floor.

Re:This is why NoScript should be a core feature

[g-san]

> Adblock Plus still tops the list, however.

Which doesn't annoy advertisers. In fact, it helps them by conserving their bandwidth!

Re:This is why NoScript should be a core feature

[sjames]

Of course, NoScript can also be configured as opt out. It might make a lot of sense to incorporate it defaulted to opt-out and let the user make it opt-in if they like.

The browser's job is to do what the user wants it to do as it relates to browsing.

Re:Some Questions & Comments About Firefox 3.5

[Dishevel]

Why does it take me several minutes to slosh through the GUI just to make a new folder and alphabetize some bookmarks in it?

I don't know. Why dose it take you that long? I takes me seconds. Maybe the issue is you?

Re:Some Questions & Comments About Firefox 3.5

[cayenne8]

My only complaint on FF 3.5 at this time is the way it works with Gmail now.

I have it set in FF, to open a new link in a new tab. This has worked beautifully till now. When I click a link in Gmail now, rather than open a new tab, it opens the link in a new windown without any scroll bars!?!?!

Now, if I want to open a link from Gmail, I have to rt. click and tell it to open in a new tab.

This kinda sucks IMHO.

NoScript: http://noscript.net

[Futurepower(R)]

Careful.

The official NoScript site is http://noscript.net/.

To anyone who doesn't already know: NoScript prevents Javascript scripts from running unless they are chosen from a menu. That even protects against vulnerabilities that haven't been discovered yet.

Re:NoScript: http://noscript.net

[Requiem18th]

Right, now where do we find something to protect us against NoScript and its attempts to take control over our browsers?

Re:NoScript: http://noscript.net

[kalirion]

And how are readers to know that your link is any more valid than mine?

Actually, the safest way to link to extensions would be through Mozilla's Own Site. That page should have the actual category.

Glad I didn't rush to upgrade

[OrangeTide]

Sometimes it's better to just hold back and wait until my distro decides it is time to update my versions.

Re:Glad I didn't rush to upgrade

[OrangeTide]

My CPUs don't support 64-bit.
Atom N270 and Xeon LV

Re:Granted bugs happen and is obviously nice explo

[jank1887]

fixed, but not pushed out yet. For the 'days to a fix' count, you need to count all days from the time the hole was discovered to the day a fixed version / patch is pushed out to users. (if I have to go looking for it, it's not 'fixed' yet) Most people are trained to only respond to Firefox's Update popups.

Actually, patch in progress was abused by a lamer

[Ilgaz]

milw0rm who can be easily put to definition of "script kiddie lamer" spied bugzilla bug reporting system which should not be open regarding security issues and posted a quick exploit code to a bug which its was already in progress of fixing.

So, open source system was abused in some form. It was error on mozilla's part though, security issues of open source apps shouldn't be discussed in public along with crashers etc.

Not a surprise. These people subscribe to all update/security mailing lists and grab couple of issues and claim they hacked OS X.

On the other hand, Mozilla should be glad that he picked it. If it was a real black hat professional, he wouldn't be stupid enough to publicly disclose it and milk it as long as possible.

Re:time to close Bugzilla to the public

[Dragonslicer]

So.... Time till someone makes a post saying how much better Firefox is because it doesn't practice "Security through obscurity?"

Uh, "Security through obscurity" doesn't refer to whether or not existing security vulnerabilities are made public before a fix is available. "Security through obscurity" means that lack of information is the only thing keeping something secure, such as assuming that nobody will ever guess that putting "&admin=true" at the end of a URL will give them administrator access.

Re:Some Questions & Comments About Firefox 3.5

[cayenne8]

" put about:config into the addressbar, enter, click through any warning, then into the filter box paste:

browser.link.open_newwindow.restriction

double-click that pref to edit the value to 0

I've had it this way for years without any problems. "

Thank you, that worked!!

I've not had to do that before I don't think...wonder why they changed that in the 3.5 version?

What exactly does this setting do? My value was a "2".

/. is not the bugzilla you are looking for.

[Medievalist]

Well, you could check for known problems first.

http://mozillalinks.org/wp/2009/07/workaround-for-firefox-3-5-slow-startups-on-windows/

If that doesn't fix it for you, post a bug report with the firefox devs (instead of on slashdot).

that's funny...

[shentino]

I thought security bugs were supposed to be confidential.

That's correct. MOD PARENT UP.

[Futurepower(R)]

That's correct. I was mistaken. I gave a correct answer, but the only perfect way to know which URL is to go through the Mozilla web site.

Why do we trust Javascript all of a sudden

[onlyjoking]

Is it just me who remembers the days when the only way to browse safely was to turn off Javascript? Now we're all drinking the web 2.0 kool aid it seems we've forgotten how many browser vulns are Javascript-related. Websites should never depend on Javascript to function properly but now we have point 'n click JQuery, Dojo etc. it seems websites are built on Javascript foundations with all the security issues that implies.

Re:Why do we trust Javascript all of a sudden

[twistah]

But there have been many browser exploits recently, and they've been in virtually every component of the browser. This flaw has nothing to do with JavaScript itself, just the implementation. Flaws have been found in XML and HTML rendering engines, third-party components, URL handlers and many other pieces of the browser. If we're going to disable every feature that's potentially vulnerable, we might as well stay off the Web.

Re:Some Questions & Comments About Firefox 3.5

[BZ]

323 // 0: no restrictions - divert everything
324 // 1: don't divert window.open at all
325 // 2: don't divert window.open with features
326 pref("browser.link.open_newwindow.restriction", 2);

See http://hg.mozilla.org/mozilla-central/annotate/94909af358c4/browser/app/profile/firefox.js

Re:time to close Bugzilla to the public

[jesset77]

such as assuming that nobody will ever guess that putting in a password of "&aR4q=Xj9_n½" will give them administrator access.

I would have edited in a password like "12345", but I had to enclose it in "strong" tags so that felt kind of cheap.

"Security through obscurity" means that lack of information is the only thing keeping something secure

yeah, kind of like lacking my username and password is one of the few practical things keeping you from using my online identity, and lacking my credit card number keeps you from running me into debt. Things like that. ;3

Crappy moderators...

[nog_lorp]

This post is lifted directly from trollaxor.

http://www.trollaxor.com/2009/07/some-questions-comments-about-firefox.html

Please, when a post is as obviously a troll as this, mod it fucking troll.