Slashdot Mirror


Mozilla Plans Fix For Critical Firefox Vulnerability In Next Release

Trailrunner7 writes "A month after an advisory was published detailing a new vulnerability in Firefox, Mozilla said it has received exploit code for the flaw and is planning to patch the weakness on March 30 in the next release of Firefox. Mozilla officials said Thursday that the vulnerability, which was disclosed February 18 by Secunia, is a critical flaw that could result in remote code execution on a vulnerable machine. The vulnerability is in version 3.6 of Firefox."

22 of 140 comments

  1. Re:1.5 months for a response and release?! by bunratty · · Score: 2, Informative

    The flaw was disclosed to Mozilla only recently (perhaps just a few days ago), and there is already a patched build available.

    --
    What a fool believes, he sees, no wise man has the power to reason away.
  2. Re:1.5 months for a response and release?! by wizardforce · · Score: 2, Informative

    Mozilla already has released a beta build of Firefox 3.6.2, which contains the fix for the unpatched vulnerability.

    A fix already exists, it's just not in the official release.

    --
    Sigs are too short to say anything truly profound so read the above post instead.
  3. Re:What kept them? by bunratty · · Score: 3, Informative

    Because the vulnerability was not disclosed to Mozilla at first.

    --
    What a fool believes, he sees, no wise man has the power to reason away.
  4. Re:What kept them? by NotQuiteReal · · Score: 4, Funny

    Lynx is pretty secure

    --
    This issue is a bit more complicated than you think.
  5. So this just shows, that you can't relax. by Securityemo · · Score: 2, Insightful

    Just because you run Firefox, you can't relax about malware attacks. Not on Windows anyway. Imagine how quickly an exploit of this type could be integrated into a malware kit, already running on countless compromised sites? No one can relax about buffer/stack smashing, dangling pointers, etc., until there's a bulletproof safeguard against them built into the OS/processor architecture.

    --
    Emotions! In your brain!
    1. Re:So this just shows, that you can't relax. by TheRaven64 · · Score: 2, Informative

      (And even if your old CPU doesn't support the NX bit, DEP will work for you as they have a software emulation for it in the OS.)

      Not true. The DEP code on machines without NX bit support in the page tables will only protect you from a certain category of attack involving Microsoft's Structured Exception Handling system.

      Contrast this with the OpenBSD implementation, which uses the x86 segment protection mechanism to enforce W^X when the NX bit is not present.

      --
      I am TheRaven on Soylent News
    2. Re:So this just shows, that you can't relax. by Rick17JJ · · Score: 2, Interesting

      I run Firefox sandboxed from within SandboxIE on my Windows XP computer. SandboxIE builds a virtual sandbox around the default browser on a computer. In addition, my computer is set up so that I am normally logged in with a user name. I only log in as administrator when needed. I also use the NoScript and Adblock Plus extensions for Firefox. I only enable the running of scripts for certain websites that I trust. Perhaps those measures might help, but I am not a computer expert and do not know for sure.

      I use Kubuntu Linux on my other computer, which is my main home computer. That is the computer which I am using at the moment. I also use Firefox on it, but there is not a Linux version of SandboxIE. Perhaps I should use the Konqueror browser instead, until the final release of the patched version of Firefox becomes available. The Konqueror browser is already installed on this computer.

      In the Linux version of Firefox, I also use the NoScript and Adblock Plus extensions. Of course, when using the Linux computer, I am normally logged in under my user name, with the limited privileges which go with it. Like most Linux users, I do not run as root all the time. When I temporarily need more privileges I use sudo.

      I am not a computer expert. I am just someone who uses both Linux and also Windows XP on my two computers at home.

      http://esecurityplanet.com/features/article.php/3842331/Sandboxie-Blocking-Web-Based-Malware-From-Your-PC.htm
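
Added example, not from the thread or from Mozilla: TheRaven64's point above is that DEP without a hardware NX bit does not stop writable pages from executing, and the Sandboxie and limited-account measures in the following comment are about containing what an exploit can do once it runs. A thing a defender can check directly is whether a process actually holds any mapping that is both writable and executable, which is exactly what hardware NX and OpenBSD's segment-based W^X are meant to rule out. The script below parses the Linux /proc/<pid>/maps format and flags W+X regions. The sample maps lines are constructed (the addresses and region names are invented), and the audit_process helper is an assumption that only works on a host with /proc.

```python
import re
from typing import Dict, Iterable, List, Optional

# One line of the Linux /proc/<pid>/maps format:
#   start-end perms offset dev inode [pathname]
_MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+"
    r"(?P<perms>[rwxsp-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+"
    r"(?P<dev>[0-9a-f]+:[0-9a-f]+)\s+"
    r"(?P<inode>\d+)\s*"
    r"(?P<path>.*)$"
)


def parse_maps_line(line: str) -> Optional[Dict]:
    """Parse one maps line into a dict; return None for lines that don't match."""
    m = _MAPS_LINE.match(line.strip())
    if not m:
        return None
    perms = m.group("perms")
    return {
        "start": int(m.group("start"), 16),
        "end": int(m.group("end"), 16),
        "readable": perms[0] == "r",
        "writable": perms[1] == "w",
        "executable": perms[2] == "x",
        "private": perms[3] == "p",
        "path": m.group("path").strip() or "[anonymous]",
    }


def find_wx_mappings(lines: Iterable[str]) -> List[Dict]:
    """Return every mapping that is both writable and executable (a W^X violation)."""
    hits = []
    for line in lines:
        entry = parse_maps_line(line)
        if entry and entry["writable"] and entry["executable"]:
            entry["size"] = entry["end"] - entry["start"]
            hits.append(entry)
    return hits


def audit_process(pid: str = "self") -> Optional[List[Dict]]:
    """Audit a live process via /proc (Linux only); returns None where /proc is absent."""
    try:
        with open(f"/proc/{pid}/maps") as f:
            return find_wx_mappings(f)
    except OSError:
        return None


# Constructed sample: one invented RWX region among ordinary mappings.
SAMPLE_MAPS = """\
00400000-00452000 r-xp 00000000 08:02 173521                   /usr/bin/firefox
00652000-00653000 rw-p 00052000 08:02 173521                   /usr/bin/firefox
7f2c3a000000-7f2c3a021000 rwxp 00000000 00:00 0                [anon:jit-code]
7f2c3b000000-7f2c3b100000 rw-p 00000000 00:00 0                [heap]
7ffd2c000000-7ffd2c021000 rw-p 00000000 00:00 0                [stack]
7ffd2c0f0000-7ffd2c0f2000 r-xp 00000000 00:00 0                [vdso]
""".splitlines()


if __name__ == "__main__":
    for hit in find_wx_mappings(SAMPLE_MAPS):
        print(f"W+X mapping: {hit['path']} ({hit['size']:#x} bytes)")
    live = audit_process()
    if live is not None:
        print(f"live process: {len(live)} writable+executable mapping(s)")
```

A hit marks a region where an execute-from-data protection gives no coverage, not proof of compromise: a JavaScript JIT may hold such a region legitimately depending on the engine and version, which is why modern engines toggle permissions or dual-map their code pages instead. Run it against a browser's pid on a Linux host to see which regions would be exposed if the NX bit were missing or the OS emulated DEP only partially, as TheRaven64 describes for Windows.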

  6. Someone enlighten me by mrsteveman1 · · Score: 3, Insightful

    Why are companies so unwilling to micro-patch their software? If Mozilla has a fix NOW, why are they waiting another ~2 weeks to push it out with the next minor upgrade? Just to avoid making users upgrade too often?

    1. Re:Someone enlighten me by marcansoft · · Score: 2, Informative

      QA. New releases need to go through QA anyway to make sure they haven't botched anything up.

      Usually the release process for a large piece of software requires a certain degree of human interaction (anywhere from light to extreme), and there's always the possibility that something will mess up, even if the bugfix itself is perfectly trivial or safe.

    2. Re:Someone enlighten me by The MAZZTer · · Score: 2, Insightful

      Because the fix could break other things, or even not actually fix anything or fix the security vulnerability completely, or even cause a different security vulnerability (possibly worse).

      Testing is important, especially when you want to attract users, not drive them away. Unstable software will do that.

    3. Re:Someone enlighten me by bunratty · · Score: 2, Informative

      If the vulnerability were publicly (fully) disclosed, perhaps Mozilla would rush a fix out the door. As far as I know, there has been limited disclosure of the vulnerability to only a few parties, and I haven't heard that the vulnerability is being exploited.

      --
      What a fool believes, he sees, no wise man has the power to reason away.
  7. Re:Planning? It's not enough! by maxume · · Score: 5, Informative

    Are you being intentionally ridiculous?

    The fix is in the latest beta release already, that binary is slated to be the release candidate, and if testing goes well, it will be the release.

    --
    Nerd rage is the funniest rage.
  8. Re:Planning? It's not enough! by Athanasius · · Score: 4, Informative

    As someone else already quoted:

    Mozilla already has released a beta build of Firefox 3.6.2, which contains the fix for the unpatched vulnerability

    You can already go and download that 3.6.2 beta if you want, I did.

    The 'planning' is about the date of 3.6.2's release, not whether or not it will have this fix included.

  9. Re:1.5 months for a response and release?! by masmullin · · Score: 2, Informative

    RTFS

    March 30th.

  10. Re:1.5 months for a response and release?! by Anonymous Coward · · Score: 2, Informative

    1) about:config
    2) app.update.channel = beta

    And join the beta testers :)

  11. Re:OMFG by wizardforce · · Score: 4, Insightful

    Mozilla is aware of the claim of a zero-day in Firefox as posted here: http://secunia.com/advisories/38608/. We cannot confirm the report as we have received no details regarding the reported vulnerability, such as a proof-of-concept or steps to reproduce. We’ve attempted to contact the researcher who discovered the issue but have not received a response.

    Secunia: omfg Firefox has a vulnerability!!!
    Mozilla: ok so what are the specifics?
    Secunia: ...
    Mozilla: Hello?
    Secunia: ...
    Mozilla: Anyone?
    Secunia a few days ago: Right then... here are the details...
    Mozilla: *patched beta*

    --
    Sigs are too short to say anything truly profound so read the above post instead.
  12. Re:1.5 months for a response and release?! by daveime · · Score: 3, Funny

    Welcome to the FOSS bug patching system

  13. Re:1.5 months for a response and release?! by BrokenHalo · · Score: 2, Informative

    There is someone, somewhere that would likely fix it and recompile.

    If you had taken the trouble to read the fine (and brief) article, you would be aware that the fix is already available in the release candidates.

  14. Re:What kept them? by thetoadwarrior · · Score: 2, Insightful

    If it's patched on March 30 then that's just over a month since it was revealed. That's not too bad and better than Microsoft's record as a whole.

    No one claims Firefox is perfect (or any browser for that matter) but IE gets more grief because it most certainly has more problems than the rest. If it weren't for competition as well we'd probably still be stuck on IE6 too since MS was quite happy to stop updating IE when they thought they had the market cornered.

    So no need to get defensive about an awful browser like IE.

  15. Re:OMFG by recoiledsnake · · Score: 2, Insightful

    Maybe it was more like this:

    Secunia: omfg Firefox has a vulnerability!!!
    Mozilla: ok so what are the specifics?
    Secunia: ... (puts it on black hat exploit auctions)
    Mozilla: Hello?
    Secunia: ... (sells it to the highest bidders)
    Mozilla: Anyone?
    Secunia a few days ago: Right then... here are the details... (Milked it enough)
    Mozilla: *patched beta*

    --
    This space for rent.
  16. Re:fixed... by camperslo · · Score: 2, Informative

    The 3.6.2 beta has worked fine for me, but those uncomfortable with that and not willing to wait can avoid the bug by using a 3.5x version. The vulnerability is only in 3.6 series releases.

  17. Re:Updating... how to? by Bambi Dee · · Score: 3, Informative

    When I go to mozilla.com, a big green button offers me a .tar.bz2 with a distro-agnostic Firefox binary. Isn't that what you mean?