Slashdot Mirror

← Back to Stories (view on slashdot.org)

Firefox 3.5's First Vulnerability "Self-Inflicted"

Posted by CmdrTaco on from the that-sounds-all-emo dept.

CWmike writes "Mozilla has confirmed the first security vulnerability in Firefox 3.5, saying that the bug could be used to hijack a machine running the company's newest browser. A noted Firefox contributor called the situation 'self-inflicted' and said it was likely that the hacker who posted public exploit code Monday became aware of the flaw by rooting through Bugzilla, Mozilla's bug- and change-tracking database. The vulnerability is in the TraceMonkey JavaScript engine that debuted with Firefox 3.5, said Mozilla. '[It] can be exploited by an attacker who tricks a victim into viewing a malicious Web page containing the exploit code,' Mozilla's security blog reported Tuesday."

49 of 156 comments (clear)

  1. Foundation, Not a Company by eldavojohn · · Score: 3, Informative

    Mozilla has confirmed the first security vulnerability in Firefox 3.5, saying that the bug could be used to hijack a machine running the company's newest browser.

    Just a note, I think Mozilla tries to shirk any idea of "company" or "corporation" from the open source development side of things. Instead, they are a non-profit foundation and recently created a separate taxable corporation with the intent of distribution and productizing Firefox & Thunderbird.

    I think the word 'company' implies commercial interests and the developing part of Mozilla--the Foundation--does not have any commercial interests. While this may seem unimportant to you, I believe it to be a pretty important concept to clarify when you're talking about open source from a non-profit and open source from a company.

    --
    My work here is dung.
    1. Re:Foundation, Not a Company by TinBromide · · Score: 4, Interesting
      The legal definition (as was explained to me by a drunk law school student) is that a company is a group of people working together towards a shared goal. I.E. a bunch of boy scouts who want to go camping could technically call themselves a company, a bunch of guys looking to go out drinking could technically be called a company. Scale that up and the foundation could be technically called a company.

      Your issue isn't with the technical use of the word, but diction, its implied meaning and associations. That being said, the use is technically incorrect but not artistically apt.

      Where the Hitchhiker's Guide is in error, it is definitively so. This means that Reality is the one who got things wrong. So when the publishers of the Hitchhiker's Guide got sued by the families of tourists who took literally the sentence 'Vicious Bugblatter beasts often make a good meal for visiting tourists' which should have been rendered 'Vicious Bugblatter beasts often make a good meal of visiting tourists', the publishers brought in a poet to testify under oath that the second sentence is the more aesthetically pleasing of the two, and that Beauty is Truth and Truth, Beauty. They argued then that Life itself was the culprit for being neither beautiful nor true. In a startling decision, the judges agreed, holding Life in contempt of court and confiscated it from everyone present before going out for a round of Ultra-golf.

      --
      Is it sad that I am more likely to recognize you and your posts by your sig than your name or UID?
    2. Re:Foundation, Not a Company by Richard_at_work · · Score: 2, Insightful

      When you wish to download Firefox or Thunderbird, you are redirected from Mozilla.org to Mozilla.com, so in this case calling it a company is most certainly correct - the Mozilla corporation is distributing the software to you, not the Mozilla foundation.

    3. Re:Foundation, Not a Company by FudRucker · · Score: 3, Funny

      or the Boogie Woogie Bugle boys from Company "B"

      Right_Here

      --
      Politics is Treachery, Religion is Brainwashing
    4. Re:Foundation, Not a Company by Anonymous Coward · · Score: 4, Insightful

      Geezus....I should probably stop reading this site, it seems that everyone is so sure of themselves and are ALWAYS in the right that you actually have time to quabble over insignificant details. yeah he may have been incorrect (doubtful!) but do really think that the point was lost to anyone that read it? or caused ANY confusion? Why bother then?

      get over yourselves, we aren't all born perfect, and may make mistakes. There is absolutely no reason to jump all over somebody for such a piddly mistake, EXCEPT TO BOOST YOUR OWN EGO!

      rant off....

    5. Re:Foundation, Not a Company by plague3106 · · Score: 2, Insightful

      Well, we can't let people actually discuss the issue here, which is a zero day exploit in a FOSS project. Nope, we'll gloss over that and nitpick the word used to describe Mozilla.

    6. Re:Foundation, Not a Company by the_womble · · Score: 2, Interesting

      The Mozilla Foundation's about page says:

      The Mozilla Foundation is a California non-profit corporation exempt from Federal income taxation under IRC 501(c)(3). It is governed by its Board of Directors.

      I am not sure about US usage, but in the UK and many other countries a corporation created by registration (with the registrar of companies - Companies House in the UK) is correctly referred to as a company, regardless of whether it is a profit making or non-profit company.

    7. Re:Foundation, Not a Company by brusk · · Score: 2, Funny

      You mean that Extra Touch of Class Struggle.

      --
      .sig withheld by request
  2. Maybe off topic but... by vertinox · · Score: 2, Informative

    Has anyone notice performance degradation in 3.5? Opening a slew of bookmarked pages into tabs tends to make it feel like my internet connection has slowed down. Yet when all the tabs load, they all respond snappily.

    And sometimes certain sites act sluggish when opening the same exact site works fine in Safari.

    It wasn't like this in 3.01

    --
    "I am the king of the Romans, and am superior to rules of grammar!"
    -Sigismund, Holy Roman Emperor (1368-1437)
    1. Re:Maybe off topic but... by FlyingBishop · · Score: 2, Interesting

      Yes, but a single Slashdot article with comments loads at least 30% faster, and I do that a lot more often than opening a ton of bookmarks in tabs. I think on the whole it saves me a lot more time than it costs.

  3. Re:time to close Bugzilla to the public by maxume · · Score: 3, Informative

    They already had a standing policy of hiding security related bugs (I.e. those that they figured were exploitable; It is even discussed in the log linked in the summary!).

    --
    Nerd rage is the funniest rage.
  4. Unacceptable by Anonymous Coward · · Score: 4, Funny

    What do you mean there is a security exploit in a brand new version of a web browser? This is crazy, new versions of software should always be more secure then the previous versions.

    Personally I'll be sticking with IE6, I never bought into this whole "Firefox" thing.

  5. Yeah, right by DoofusOfDeath · · Score: 5, Funny

    '[It] can be exploited by an attacker who tricks a victim into viewing a malicious Web page containing the exploit code,' Mozilla's security blog reported Tuesday."

    Oh sure, I'm definitely going to follow that link now.

    1. Re:Yeah, right by DoofusOfDeath · · Score: 4, Informative

      http://www.cutekittens.com/ how about that one? :D

      Oh man, that site is AWESOME!!! I can't believe what those women were doing. I can't believe it's a free site. Thanks!

  6. Wimp! by argent · · Score: 2, Funny

    I only use IE 5.5!

    1. Re:Wimp! by mcrbids · · Score: 3, Funny

      Pshaw. I use telnet, and read the native code. I don't even see the code anymore... Blonde, Brunette, Red-Head...

      Reading sites that use SSL is a bit tricky, though.

      --
      I have no problem with your religion until you decide it's reason to deprive others of the truth.
  7. WTF by wumpus188 · · Score: 2, Interesting

    "Looking at the exploit code and our test cases, I think this is self-inflicted and we should have hidden the bug earlier"

    Nice attitude, guys...

    1. Re:WTF by bunratty · · Score: 4, Insightful

      You mean that you actually want example exploit code to be available to everyone? Why?

      --
      What a fool believes, he sees, no wise man has the power to reason away.
    2. Re:WTF by maxume · · Score: 5, Insightful

      So when they know about and are actively working on fixing a bug that is an exploit vulnerability, you think they should do it in public?

      I get the argument that telling your users about it means that they can protect themselves (say, by running noscript), but for a consumer facing organization like Mozilla, the majority of users aren't going to notice or do anything.

      --
      Nerd rage is the funniest rage.
  8. Full disclosure by fedxone-v86 · · Score: 2, Insightful

    Go on and mod me troll but, IMNSHO, this is just a display of the expertise of the full disclosure movement: Just post a test-case from an open bugtracker as your own exploit and enjoy your 15 minutes of fame amongst all the other skript-kiddies.

    Well done, hacker!

    --
    (USER WAS PUT ON PROBATION FOR THIS POST)
    1. Re:Full disclosure by broken_chaos · · Score: 2, Interesting

      Mozilla doesn't even practice full disclosure. They normally hide security bugs from the public, but they missed this one, as well as not fixing it before 3.5's release.

      Unless you're seriously suggesting that all bugs should be hidden from the public on the off chance they'll be exploitable, meaning a lot more duplicate bug reports, no independent confirmation of a bug's existence, and an inability for anyone else to fix the problem, except those granted permissions to read bugs.

  9. Re:Nice test for the open source community by fedxone-v86 · · Score: 5, Informative

    If you had read the bugzilla thread (I know, I know) you'd know it's already fixed ;)

    --
    (USER WAS PUT ON PROBATION FOR THIS POST)
  10. Re:Nice test for the open source community by maxume · · Score: 3, Interesting

    They haven't released an update yet though, which is probably the more interesting event.

    --
    Nerd rage is the funniest rage.
  11. Temporary fix by AdmiralXyz · · Score: 5, Informative

    According to TFA, the temporary fix is to disable TraceMonkey (JavaScript will still work). Set 'javascript.options.jit.content' in about:config to false until the patch is released.

    --
    Dislike the Electoral College? Lobby your state to join the National Popular Vote Interstate Compact.
  12. MOD PARENT UP by argent · · Score: 4, Insightful

    Mod Parent Up "this should have been in the summary, Taco".

    1. Re:MOD PARENT UP by argent · · Score: 2, Insightful

      Except then the bug is patched, and all of a sudden you aren't running the default settings for FF and things get weird.

      I've got at least a dozen non-default settings I've set in about:config. What's one more?

    2. Re:MOD PARENT UP by the+way,+what're+you · · Score: 5, Funny

      I've got at least a dozen non-default settings I've set in about:config. What's one more?

      at least a baker's dozen?

      --
      example.org - powered by Linux!
    3. Re:MOD PARENT UP by BJ_Covert_Action · · Score: 2, Interesting

      Also from the article:

      "The popular NoScript add-on will also ward off attacks. "

      Though I would think that is only true depending on how strict one's NoScript settings are, it might be useful to those with NoScript installed to realize that they can tweak with it to give them a temporary fix until an official update/patch comes out. Also, it might warn some users to pay attention when NoScript pops up a warning about malicious script possibilities, as opposed to just clicking the 'allow anyway' option.

      Cheers.

      --
      Motorcycles, Robots, Space Gossip and More!
  13. Re:time to close Bugzilla to the public by maxume · · Score: 2, Interesting

    Who cares if they do? Security through obscurity is a perfectly valid strategy, as long as it is used in conjunction with other strategies, so when someone criticizes the mere use of secrecy, they can be disregarded.

    (Think about it for a minute; passwords, keys, access codes, hidden safes, etc.)

    --
    Nerd rage is the funniest rage.
  14. Re:the only browser with 0 vulnerabilities by Colonel+Korn · · Score: 3, Informative

    is Google Chrome...

    Nope:

    http://chromekb.com/vulnerabilities/

    The attitude that some platforms are simply immune to attacks is foolish and counterproductive.

    --
    "I zero-index my hamsters" - Willtor (147206)
  15. Why didn't you post the (simple) fix??? by brunes69 · · Score: 2, Informative

    Why not post in the summary the simple fix?

        In lieu of a patch, users can protect themselves by disabling the "just-in-time" component of the TraceMonkey engine.
        To do that, users should enter "about:config" in Firefox's address bar, type "jit" in the filter box, then double-click
        the "javascript.options.jit.content" entry to set the value to "false." The popular NoScript add-on will also ward off attacks.

    1. Re:Why didn't you post the (simple) fix??? by brunes69 · · Score: 2, Interesting

      It basically just puts you back to 3.0 mode.

  16. Re:Right! Quick! by zorg50 · · Score: 3, Informative

    No-Script has never been spyware. Adware, on the other hand...

  17. Re:Some Questions & Comments About Firefox 3.5 by Dishevel · · Score: 2

    Why does it take me several minutes to slosh through the GUI just to make a new folder and alphabetize some bookmarks in it?

    I don't know. Why dose it take you that long? I takes me seconds. Maybe the issue is you?

    --
    Why is it so hard to only have politicians for a few years, then have them go away?
  18. Re:Nice test for the open source community by fedxone-v86 · · Score: 3, Insightful

    They haven't released an update yet though, which is probably the more interesting event.

    That's true of course. And I don't want to split hairs but point out the open source nature of the Firefox browser:

    The patch is already available.

    --
    (USER WAS PUT ON PROBATION FOR THIS POST)
  19. NoScript: http://noscript.net by Futurepower(R) · · Score: 4, Informative

    Careful.

    The official NoScript site is http://noscript.net/.

    To anyone who doesn't already know: NoScript prevents Javascript scripts from running unless they are chosen from a menu. That even protects against vulnerabilities that haven't been discovered yet.

    1. Re:NoScript: http://noscript.net by Requiem18th · · Score: 2, Insightful

      Right, now where do we find something to protect us against NoScript and its attempts to take control over our browsers?

      --
      But... the future refused to change.
    2. Re:NoScript: http://noscript.net by kalirion · · Score: 2, Informative

      And how are readers to know that your link is any more valid than mine?

      Actually, the safest way to link to extensions would be through Mozilla's Own Site. That page should have the actual category.

  20. Re:Nice test for the open source community by jank1887 · · Score: 4, Insightful

    But, the majority of users only update firefox when it pops up a "hey, there's an update. Click here!" prompt.

    The issue is unfixed for 90% of users until that occurs.

  21. Glad I didn't rush to upgrade by OrangeTide · · Score: 2, Interesting

    Sometimes it's better to just hold back and wait until my distro decides it is time to update my versions.

    --
    “Common sense is not so common.” — Voltaire
  22. Re:Granted bugs happen and is obviously nice explo by jank1887 · · Score: 2, Informative

    fixed, but not pushed out yet. For the 'days to a fix' count, you need to count all days from the time the hole was discovered to the day a fixed version / patch is pushed out to users. (if I have to go looking for it, it's not 'fixed' yet) Most people are trained to only respond to Firefox's Update popups.

  23. Re:Right! Quick! by RiotingPacifist · · Score: 4, Interesting

    Ended up going back to noscript recently but it really is an ugly solution, yesscript is only helps against tracking. What is really needed is a good guide for using controldescripts (or a similar extention) allowing all sites to access a list of known safe fucntions (to let you browse the web without it getting in the way), some to be blacklisted (to protect you from tracking), an easy GUI way to allow a greater subset of functions to be accessed (for trusted site) and an security workarounds to stop any vulnerabilities working in the wild.

    --
    IranAir Flight 655 never forget!
  24. Re:This is why NoScript should be a core feature by VGPowerlord · · Score: 4, Informative

    I was going to point out that NoScript was near the top of the recommended add-ons page, but now I see that is no longer there at all! You have to search for it. Adblock Plus still tops the list, however.

    NoScript got buried after the incident with it fucking around with AdBlock's settings, then once that was discovered and pointed out, them adding an AdBlock filter set to bypass blocking on NoScript's author's site.

    As far as I know, it does neither any more, but it pissed off a lot of users, myself included, and its author's reputation went through the floor.

    --
    GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
  25. Re:Nice test for the open source community by barzok · · Score: 2, Funny

    It's called fdisk

  26. Re:This is why NoScript should be a core feature by sjames · · Score: 2, Insightful

    Of course, NoScript can also be configured as opt out. It might make a lot of sense to incorporate it defaulted to opt-out and let the user make it opt-in if they like.

    The browser's job is to do what the user wants it to do as it relates to browsing.

  27. Why do we trust Javascript all of a sudden by onlyjoking · · Score: 3, Insightful

    Is it just me who remembers the days when the only way to browse safely was to turn off Javascript? Now we're all drinking the web 2.0 kool aid it seems we've forgotten how many browser vulns are Javascript-related. Websites should never depend on Javascript to function properly but now we have point 'n click JQuery, Dojo etc. it seems websites are built on Javascript foundations with all the security issues that implies.

    1. Re:Why do we trust Javascript all of a sudden by twistah · · Score: 2, Insightful

      But there have been many browser exploits recently, and they've been in virtually every component of the browser. This flaw has nothing to do with JavaScript itself, just the implementation. Flaws have been found in XML and HTML rendering engines, third-party components, URL handlers and many other pieces of the browser. If we're going to disable every feature that's potentially vulnerable, we might as well stay off the Web.

  28. Re:Some Questions & Comments About Firefox 3.5 by BZ · · Score: 2, Insightful

    323 // 0: no restrictions - divert everything
    324 // 1: don't divert window.open at all
    325 // 2: don't divert window.open with features
    326 pref("browser.link.open_newwindow.restriction", 2);

    See http://hg.mozilla.org/mozilla-central/annotate/94909af358c4/browser/app/profile/firefox.js

  29. Re:time to close Bugzilla to the public by jesset77 · · Score: 2, Insightful

    such as assuming that nobody will ever guess that putting in a password of "&aR4q=Xj9_n½" will give them administrator access.

    I would have edited in a password like "12345", but I had to enclose it in "strong" tags so that felt kind of cheap.

    "Security through obscurity" means that lack of information is the only thing keeping something secure

    yeah, kind of like lacking my username and password is one of the few practical things keeping you from using my online identity, and lacking my credit card number keeps you from running me into debt. Things like that. ;3

    --
    People willing to trade their freedom of expression for temporary entertainment deserve neither and will lose both.