Slashdot Mirror


Mozilla Issues Fix For Firefox Zero-Day Bug

An anonymous reader writes: Thursday night Mozilla released a Firefox security patch after finding a serious vulnerability that allows malicious attackers to upload files from a user's computer. The update was released about 24 hours after Mozilla learned of the flaw. In a blog post, Mozilla said, "a Firefox user informed us that an advertisement on a news site in Russia was serving a Firefox exploit that searched for sensitive files and uploaded them to a server that appears to be in Ukraine. This morning Mozilla released security updates that fix the vulnerability. All Firefox users are urged to update to Firefox 39.0.3. The fix has also been shipped in Firefox ESR 38.1.1."

5 of 115 comments

  1. Re:People still use Firefox? by U2xhc2hkb3QgU3Vja3M · · Score: 4, Informative

    On Windows, your choices are:

    • Firefox, the bloated browser with memory leaks who forgot the whole point of its creation
    • Chrome, the fast browser with built-in spyware from the Do-no-evil-but-let's-datamine-the-shit-out-of-our-users-anyway company
    • Edge, the browser made by the company with possibly the worst security history on the planet
    • Opera, the company that dropped its own engine and is now just basically a Chrome clone

    edit: Slashdot lets us use HTML in our posts but makes bullets invisible... way to go, guys.

  2. Re:External PDF viewer? by mlts · · Score: 1, Informative

    It is a tough choice. Build in your own PDF viewer, or use an existing one that pops up security holes now and then. In general, the built-in ones have far fewer features, so there are fewer security holes.

    Chrome is better at this because it does more compartmentalization than Firefox. Firefox runs plugins in a separate process, but that is about the extent of the isolation they get, while Chrome runs everything in separate tasks, and you can even kill them in the browser.

    The only real long-term solution is to have the OS cooperate with the browser, and completely isolate each individual browser tab (not just a lower security context, but filesystem and other space), so a rogue process is well isolated. That, and focus on not requiring third-party programs for Web content.

  3. Re:People still use Firefox? by Luthair · · Score: 3, Informative

    Firefox actually uses less memory than the others

  4. Re:External PDF viewer? by tepples · · Score: 3, Informative

    Why does a Web browser have a built-in PDF viewer in the first place?

    Because just as text/html is a commonly used media type on the web, so is application/pdf. Having a PDF viewer written in JavaScript contributes to the Downloads folder not being quite as littered. And because not only is JavaScript inherently less subject to accidental "undefined behavior" than the C++ in which I assume Adobe implemented its Reader, but also has Mozilla shown itself to be more responsive than Adobe to security issues. That's also why Mozilla has been working on Shumway, its SWF player.

    Or is Firefox also planning to add a Microsoft Word viewer, an Apple Keynote viewer, etc?

    Anyone who wants to write a JavaScript viewer for those formats is free to do so.

  5. Re:External PDF viewer? by ShaunC · · Score: 5, Informative

    You can go to about:config and set the value for pdfjs.disabled to true, or create that setting (boolean type) if it doesn't exist. That'll cause Firefox to pop up a download dialog when you click a PDF link, and you can use something like Sumatra to open the file.

    --
    Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
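
The `pdfjs.disabled` setting from the comment above can also be pinned in a `user.js` file in the Firefox profile directory, which Firefox reads at startup. The script below is an added example, not part of the original thread: the helper names `set_bool_pref` and `get_pref`, the temporary directory standing in for a profile, and the sample `user.js` contents are all constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Matches one whole-line entry such as: user_pref("pdfjs.disabled", true);
# Lines with trailing comments are deliberately not matched and are left alone.
PREF_LINE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$')


def set_bool_pref(user_js: Path, name: str, value: bool) -> bool:
    """Leave exactly one user_pref line for `name` in user.js.

    Returns True if the file was rewritten, False if it was already correct.
    """
    wanted = f'user_pref("{name}", {"true" if value else "false"});'
    old = user_js.read_text(encoding="utf-8").splitlines() if user_js.exists() else []
    # Drop every earlier setting of this pref so a stale "false" cannot win.
    kept = [ln for ln in old
            if not ((m := PREF_LINE.match(ln)) and m.group(1) == name)]
    new = kept + [wanted]
    if new == old:
        return False
    user_js.write_text("\n".join(new) + "\n", encoding="utf-8")
    return True


def get_pref(user_js: Path, name: str):
    """Return the raw value text of the last user_pref line for `name`, or None."""
    found = None
    for ln in user_js.read_text(encoding="utf-8").splitlines():
        m = PREF_LINE.match(ln)
        if m and m.group(1) == name:
            found = m.group(2)
    return found


if __name__ == "__main__":
    # Constructed stand-in for a profile directory; a real one is listed on
    # the about:profiles page.
    profile = Path(tempfile.mkdtemp(prefix="constructed-profile-"))
    user_js = profile / "user.js"
    user_js.write_text('user_pref("pdfjs.disabled", false);\n', encoding="utf-8")

    print("changed:", set_bool_pref(user_js, "pdfjs.disabled", True))
    print("changed again:", set_bool_pref(user_js, "pdfjs.disabled", True))
    print("value:", get_pref(user_js, "pdfjs.disabled"))
```

Firefox has to be restarted before a `user.js` change takes effect, and the value is re-applied on every start, so a later change in about:config lasts only until the next launch.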