Mozilla Issues Fix For Firefox Zero-Day Bug
An anonymous reader writes: Thursday night Mozilla released a Firefox security patch after finding a serious vulnerability that allows malicious attackers to upload files from a user's computer. The update was released about 24 hours after Mozilla learned of the flaw. In a blog post, Mozilla said, "a Firefox user informed us that an advertisement on a news site in Russia was serving a Firefox exploit that searched for sensitive files and uploaded them to a server that appears to be in Ukraine. This morning Mozilla released security updates that fix the vulnerability. All Firefox users are urged to update to Firefox 39.0.3. The fix has also been shipped in Firefox ESR 38.1.1."
Use Firefox? lolwut? Why would anyone still use that bloated, insecure crap?
Nothing is perfect. Open or closed source. What you should focus on is the manner and speed of a company's efforts to rectify any issues.
Why does a Web browser have a built-in PDF viewer in the first place?
A PDF file is an external document not meant to be viewed inside a browser. Or is Firefox also planning to add a Microsoft Word viewer, an Apple Keynote viewer, etc?
They don't. They only confirm that you need vigilance and a willingness to fix things as quickly as possible. Open source just lowers the bar for others to both contribute to this, and to potentially take advantage of bugs. But these things only matter when a product is widespread enough to be worth exploiting.
Well, open source code is no more secure than closed source. That isn't a function of the source being open or closed. You can have poorly written open source software and excellent closed source stuff.
The value of open source is the assumption that more eyes on an issue allows inevitable bugs to be found, and for potential users to inspect what they are running. Closed source would have to rely on the number of people authorized to view the code, and the customer will not be able to view the code, just the resulting functionality to evaluate its security.
In reality, however, there is no guarantee that just because there is open source, anyone will actually *look* at that code, and even less assurance that someone who is qualified to read the code will have done so. So, a distinction needs to be made between open source software with a large and active community, and open sourced software that does not have an active community. You still get a *potential* advantage from having the source to look at, but it is only a potential advantage without the community. A closed source application could overcome those potential advantages by ensuring that they have excellent customer support, and are able to insure or indemnify customers against bad results.
In any event, that is why you should never say open sourced software is simply "more secure". It isn't. And some of it is complete shit. What it does provide is the ability for a user/customer to be able to discover any issues for themselves, but *someone* has to go that extra step.