Firefox 3.5's First Vulnerability "Self-Inflicted"
CWmike writes "Mozilla has confirmed the first security vulnerability in Firefox 3.5, saying that the bug could be used to hijack a machine running the company's newest browser. A noted Firefox contributor called the situation 'self-inflicted' and said it was likely that the hacker who posted public exploit code Monday became aware of the flaw by rooting through Bugzilla, Mozilla's bug- and change-tracking database. The vulnerability is in the TraceMonkey JavaScript engine that debuted with Firefox 3.5, said Mozilla. '[It] can be exploited by an attacker who tricks a victim into viewing a malicious Web page containing the exploit code,' Mozilla's security blog reported Tuesday."
Your issue isn't with the technical use of the word, but diction, its implied meaning and associations. That being said, the use is technically incorrect but not artistically apt.
Where the Hitchhiker's Guide is in error, it is definitively so. This means that Reality is the one who got things wrong. So when the publishers of the Hitchhiker's Guide got sued by the families of tourists who took literally the sentence 'Vicious Bugblatter beasts often make a good meal for visiting tourists' which should have been rendered 'Vicious Bugblatter beasts often make a good meal of visiting tourists', the publishers brought in a poet to testify under oath that the second sentence is the more aesthetically pleasing of the two, and that Beauty is Truth and Truth, Beauty. They argued then that Life itself was the culprit for being neither beautiful nor true. In a startling decision, the judges agreed, holding Life in contempt of court and confiscated it from everyone present before going out for a round of Ultra-golf.
Is it sad that I am more likely to recognize you and your posts by your sig than your name or UID?
What do you mean there is a security exploit in a brand new version of a web browser? This is crazy, new versions of software should always be more secure than the previous versions.
Personally I'll be sticking with IE6, I never bought into this whole "Firefox" thing.
'[It] can be exploited by an attacker who tricks a victim into viewing a malicious Web page containing the exploit code,' Mozilla's security blog reported Tuesday."
Oh sure, I'm definitely going to follow that link now.
If you had read the Bugzilla thread (I know, I know) you'd know it's already fixed ;)
(USER WAS PUT ON PROBATION FOR THIS POST)
You mean that you actually want example exploit code to be available to everyone? Why?
What a fool believes, he sees, no wise man has the power to reason away.
So when they know about and are actively working on fixing a bug that is an exploit vulnerability, you think they should do it in public?
I get the argument that telling your users about it means that they can protect themselves (say, by running noscript), but for a consumer facing organization like Mozilla, the majority of users aren't going to notice or do anything.
Nerd rage is the funniest rage.
According to TFA, the temporary fix is to disable TraceMonkey (JavaScript will still work). Set 'javascript.options.jit.content' in about:config to false until the patch is released.
Dislike the Electoral College? Lobby your state to join the National Popular Vote Interstate Compact.
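An added example (not part of the comment above, and not Mozilla's code): a Python check that reads the text of a profile's prefs.js and user.js and reports whether the `javascript.options.jit.content` workaround is actually in effect. The sample profile contents are constructed, and treating an unset pref as "JIT enabled" is an assumption.

```python
import re

PREF = "javascript.options.jit.content"  # pref named in the comment above
# One prefs.js / user.js entry: user_pref("name", value);
ENTRY = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$')

def parse_prefs(text):
    """Return {name: value} for each user_pref() line; later lines win."""
    prefs = {}
    for line in text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # comment, blank line, or not a user_pref() call
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)
        else:
            prefs[name] = raw.strip('"')
    return prefs

def jit_mitigated(prefs_js, user_js="", default=True):
    """True only when the effective pref value is boolean false.
    Assumption: an unset pref means the JIT is on (default=True).
    user.js is applied on top of prefs.js at startup, so it wins."""
    effective = {PREF: default}
    effective.update(parse_prefs(prefs_js))
    effective.update(parse_prefs(user_js))
    return effective[PREF] is False

# Constructed sample profiles: name -> (prefs.js text, user.js text)
SAMPLES = {
    "mitigated": ('user_pref("javascript.options.jit.content", false);\n', ""),
    "untouched": ('user_pref("browser.startup.homepage", "about:blank");\n', ""),
    "commented": ('// user_pref("javascript.options.jit.content", false);\n', ""),
    "overridden": ('user_pref("javascript.options.jit.content", false);\n',
                   'user_pref("javascript.options.jit.content", true);\n'),
}

def unmitigated(profiles):
    """Names of profiles where the TraceMonkey content JIT is still enabled."""
    return [n for n, (p, u) in profiles.items() if not jit_mitigated(p, u)]

if __name__ == "__main__":
    print(unmitigated(SAMPLES))
```

The "overridden" case is the one that is easy to miss: a user.js that sets the pref back to true undoes the about:config change at every startup.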
Mod Parent Up "this should have been in the summary, Taco".
Geezus... I should probably stop reading this site, it seems that everyone is so sure of themselves and are ALWAYS in the right that you actually have time to quibble over insignificant details. Yeah, he may have been incorrect (doubtful!) but do you really think that the point was lost to anyone that read it? Or caused ANY confusion? Why bother then?
Get over yourselves, we aren't all born perfect, and may make mistakes. There is absolutely no reason to jump all over somebody for such a piddly mistake, EXCEPT TO BOOST YOUR OWN EGO!
rant off....
Careful.
The official NoScript site is http://noscript.net/.
To anyone who doesn't already know: NoScript prevents JavaScript scripts from running unless they are chosen from a menu. That even protects against vulnerabilities that haven't been discovered yet.
But, the majority of users only update Firefox when it pops up a "hey, there's an update. Click here!" prompt.
The issue is unfixed for 90% of users until that occurs.
Ended up going back to NoScript recently but it really is an ugly solution; YesScript only helps against tracking. What is really needed is a good guide for using controldescripts (or a similar extension) allowing all sites to access a list of known safe functions (to let you browse the web without it getting in the way), some to be blacklisted (to protect you from tracking), an easy GUI way to allow a greater subset of functions to be accessed (for trusted sites) and security workarounds to stop any vulnerabilities working in the wild.
IranAir Flight 655 never forget!
NoScript got buried after the incident with it fucking around with AdBlock's settings, then once that was discovered and pointed out, them adding an AdBlock filter set to bypass blocking on NoScript's author's site.
As far as I know, it does neither any more, but it pissed off a lot of users, myself included, and its author's reputation went through the floor.
GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011