Stories
Slash Boxes
Comments
Search

News for nerds, stuff that matters

Slashdot Log In

Log In

Create Account  |  Retrieve Password

Firefox 0.10.1 Released, Fixes Security Hole

Posted by CowboyNeal on Sat Oct 02, 2004 08:41 AM
from the hole-in-the-dam dept.
Mozilla The Internet Security
_xeno_ writes "Firefox 0.10.1 was released today to fix a security flaw that could potentially allow a malicious site to erase files from the user's Download directory. If you already have Firefox 0.10 installed, you can go to Tools, Options, and choose Advanced, go to Software Updates and choose Check Now to grab the patch."
+ -
story
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

Firefox 0.10.1 Released, Fixes Security Hole 50 Comments More /

 Full
 Abbreviated
 Hidden
More
Loading... please wait.

  • done already! (Score:5, Informative)

    by tuggy (694581) on Saturday October 02 2004, @08:42AM (#10412722) Homepage Journal
    upgrade done in 3 seconds!
    this is what i call being secured :D

    • Re:done already! (Score:5, Funny)

      by Epistax (544591) <epistax@nOSpAM.gmail.com> on Saturday October 02 2004, @09:06AM (#10412852) Journal
      I must admit I/it fumbled. I went to the mozilla website as posted in the subject and hit the "click here". What happened? A funny bar appeared near the top saying that Firefox protected me from the website. Luckily there was an options button which allowed me to add www.mozilla .org as a trusted site and it was all very obvious to me, but it won't be obvious for my parents (who I switched to Firefox).

        • Re:done already! (Score:4, Interesting)

          by Epistax (544591) <epistax@nOSpAM.gmail.com> on Saturday October 02 2004, @09:24AM (#10412938) Journal
          I don't believe it was that message. This appeared as a bar at the top which stated (loosely) that it prevented the website from running... something or other. I don't have it inform me in any way when it blocks a popup. Anyway it had an options button which had a list of trusted sites. update.mozilla .org was already on the list, however the link originated from www.mozilla .org so it wasn't picked up. I would say they should add that site to the list.

      • Re:done already! (Score:4, Informative)

        by jd142 (129673) on Saturday October 02 2004, @10:00AM (#10413135) Homepage
        Apparently software version numbers don't work like "real" numbers. ;) In other words, those aren't decimal places, their merely dividers. .1 is not equal to .10. The order goes .1, .2, .3, .4, .5, .6, .7, .8, .9, .10, .11. 0.10.0 came out about 2 weeks ago.

      • Re:done already! (Score:4, Informative)

        by ZeroPost (792045) on Saturday October 02 2004, @11:22AM (#10413578) Homepage
        To be fair, Windows Update scans for updates to a lot more software than Firefox.

        Firefox can scan a lot faster than Windows Update because it is only checking for updates to a single program.

        Of course, Microsoft could make an option within IE to scan for IE-only updates, which would make updating IE much faster, but they don't.

        • Re:done already! (Score:4, Funny)

          by The Snowman (116231) * <john@johngaughan.net> on Saturday October 02 2004, @01:34PM (#10414422) Homepage

          Of course, Microsoft could make an option within IE to scan for IE-only updates, which would make updating IE much faster, but they don't.

          What is the point? Since IE is integrated into the operating system, updates require reboots even under Windows XP which is a lot better with regards to rebooting than previous versions. Anyway, even if the actual update is faster, you would still have to wait for the reboot.

          I just updated Firefox in less than ten seconds, and I did not have to restart the browser, certainly not the entire operating system (Windows XP in this case).

        • Re:done already! (Score:5, Informative)

          by AstroDrabb (534369) on Saturday October 02 2004, @09:00PM (#10417264)
          The update thingy also tells me that 1.0 PR is available and I should download it. The only problem is that I am already running 1.0 PR
          Not the latest version. If you look at your User Agent (click Help -> About Mozilla Firefox), you will see Firefox/0.10 at the end of your UA. If you go and download the latest version that includes this fix, the new UA will be Firefox/0.10.1.

          I ran into this same problem with the update under Linux. MS Windows users won't run into it since they are running as local Admin or have write permissions to the firefox directory. When I ran it as root, it worked fine so I take it the update needs to write to the root firefox directory it probably then updates your firefox profile. As a normal user you cannot run the update and it never writes to your profile. I think it was just a poor update design for this one update. Hopefully the firefox team will fix it or fix this issue for future updates.

          You could grab the latest firefox tarball from here [mozilla.org] and just untar it into your current firefox installation folder and restart.

  • This may sound stupid... (Score:5, Interesting)

    by -kertrats- (718219) on Saturday October 02 2004, @08:43AM (#10412726) Journal
    But what exactly is the worry here? It deletes files in your download directory? Does that really matter? Could someone enlighten me on why its worth the bother to uninstall and reinstall for this?

    • Re:This may sound stupid... (Score:5, Insightful)

      by neodude88 (799799) on Saturday October 02 2004, @08:45AM (#10412734) Homepage
      Maybe because you don't need to reinstall to upgrade to this patch? Just update.

    • well, it would be quite frustrating if your download directory is your Desktop, homedirectory or any other place where you keep other files too.
      not to mention all the pron you have to download again :-) j/k

      Ricardo.
    • Some people have a dedicated download directory they only use for temp storage until moving the file into a permanent place (or deleting it).

      There are, however, a lot of users who pack all their stuff onto the desktop or into "My Documents" with no or little subfolders. For such use cases, the patch is indeed worth installing.

    • Re:This may sound stupid... (Score:5, Informative)

      by dwhitman (105201) on Saturday October 02 2004, @08:51AM (#10412773)
      But what exactly is the worry here? It deletes files in your download directory? Does that really matter? Could someone enlighten me on why its worth the bother to uninstall and reinstall for this?

      1. Suppose your download directory isn't dedicated to just downloads. Any files in that directory are vulnerable.

      2. You don't need to uninstall and reinstall. As the article says, just go to tools: options: advanced: software updates and hit the Check Now button

    • Re:This may sound stupid... (Score:5, Funny)

      by LurkerXXX (667952) on Saturday October 02 2004, @08:57AM (#10412811)
      Does it matter? My pr0n! All my precious pr0n!!!

    • Re:This may sound stupid... (Score:5, Informative)

      by compwizrd (166184) on Saturday October 02 2004, @08:59AM (#10412823) Homepage
      because firefox on windows uses the Desktop as the default download location.

    • Re:This may sound stupid... (Score:5, Insightful)

      by igrp (732252) on Saturday October 02 2004, @10:01AM (#10413141)
      Others have pointed out that some users may use ~ or their desktop as their download directory. That may not be a smart thing to do but that's really beside the point.

      Any vulnerability that allows remote users to alter content is by definition critical. It doesn't matter if you think it's a big deal. There should be no unauthorized access to files, period.

      Your non-critical files aren't 777, are they? Now why is that? Well, despite the fact that data is non-critical, recoverable or maybe even pure gargabe you still wouldn't want people to mess with it, would you?

      Think about it: you probably have a lots of old stuff, bank statements and what not somewhere. That data is useless to me (value == 0). By your logic, I could just throw it all out since it doesn't matter to me. It may still be valueable to you though. And even if it weren't, you still probably wouldn't appreciate me going through your stuff and tossing whatever I don't deem important.

      See, all attacks that allow any access control circumvention at all are critical. Just because it's not critical to you, doesn't mean every feels the same way.

      That's why disclosing the vulnerability and making an update available ASAP was a very good move on part of the fine folks at Mozilla. I just wish there was a mechanism to do manual network-wide mass roll-outs of critical updates (ie. rolling out critical updates immediately without having to wait for Firefox's periodical checks).

  • Am I the only one . . . . (Score:5, Insightful)

    by theparanoidcynic (705438) on Saturday October 02 2004, @08:45AM (#10412737)
    Who finds this version numbering scheme damn confusing? The actual program calls itself 1.0PR but the directory structure on the Mozilla server and CowboyNeal call it 0.10.1. Anyone care to explain what's going on here?

  • Version numbers seem odd? (Score:3, Interesting)

    by Mustang Matt (133426) on Saturday October 02 2004, @08:47AM (#10412750)
    So after doing the update through the advanced options should my browser report 0.10.1 under help about? Because I still have 1.0PR

  • Helpful bug (Score:5, Funny)

    by Ford Prefect (8777) on Saturday October 02 2004, @08:48AM (#10412753) Homepage
    ...could potentially allow a malicious site to erase files from the user's Download directory

    My download directory in Windows is my desktop. Have you seen my desktop? [man.ac.uk] It's a fairly old screenshot, too - it's only got worse since then. My iBook's equally bad, except everything's just randomly strewn around the place...

    A bit of remote tidying-up would be greatly appreciated. :-)

  • When... (Score:5, Interesting)

    by Moby Cock (771358) on Saturday October 02 2004, @08:48AM (#10412755) Homepage
    I'm just curious if anybody knows how long this patch took to be released. That is, what was the turnaround time from the discovery of the bug to the release of this patch? In the past it has been a fast as a few hours. The longest I think was only a day or too.

    • Re:When... (Score:5, Informative)

      by aliebrah (135162) * <ali@ebrahi m . o rg> on Saturday October 02 2004, @09:32AM (#10412972) Homepage
      In a few days, you'll be able to see the full bug report here:

      http://bugzilla.mozilla.org/show_bug.cgi?id=2597 08

      Currently, it's not scheduled to be marked as public before 4th October. It's still marked as private so that people have an opportunity to upgrade before the details are made public.

  • Cool. Upgrade Path (Score:5, Insightful)

    by darkmeridian (119044) <william.chuang@g ... minus herbivore> on Saturday October 02 2004, @08:52AM (#10412784) Homepage
    This is what open-source needs: a quick and convenient upgrade/patch system. I went to the system settings and ten seconds later, my Firefox was patched.

    Now if only Gaim does this.

    Will

    • Re:Cool. Upgrade Path (Score:5, Insightful)

      by jrcamp (150032) on Saturday October 02 2004, @09:17AM (#10412899)
      No, this is the job of package management systems under Linux, be it apt-get, emerge, urpmi, yum, etc. Individual programs don't need to start implementing their own update schemes. For third party packages there will be autopackage.org one day I hope, and updates could be done through that.

  • These hurt... (Score:4, Insightful)

    by deminisma (703135) on Saturday October 02 2004, @08:52AM (#10412786)
    Considering Firefox is supposed to be the secure alternative, 13 security advisories [secunia.com] in the last 6 or so months isn't a good look.

    Sure it isn't that bad, but nonetheless, it doesn't help the Firefox's image at all and looking at Secunia, Firefox has had more advisories than any other browser, (yes, that includes Internet Explorer and the Mozilla Suite) since May this year.

    • Re:These hurt... (Score:5, Informative)

      by kryptkpr (180196) on Saturday October 02 2004, @08:55AM (#10412797) Homepage
      You must not be aware that the mozilla foundation has put out a bounty [mozilla.org] where they reward security researchers $500 for finding critical remotely-exploitable vulnerabilities and reporting them.

      What you're seeing are the results of this program.. people are finding bugs, submitting them, and the bugs are being fixed before blackhats can exploit them.

      This is a very wise decision on the part of Mozilla considering how close they are to a v1.0 release.

    • Re:These hurt... (Score:5, Informative)

      by lachlan76 (770870) <lachlan.gunn@in t e r n o d e .on.net> on Saturday October 02 2004, @09:30AM (#10412957)
      13 security advisories in the last 6 or so months isn't a good look.

      And how many are there in IE that we haven't found yet? The dangerous exploits are the ones we don't know about.
      And besides, do you expect Secunia to have all the security flaws from when IE was in beta? Or do you find it strange that a beta product has had more security flaws found in the last 6 months than the one that's been around and insecure for years.

      Not to mention that none of the advisories were ranked "extremely critical", and only 2 were critical.

      Not to bad for a beta product. Also (from Secunia):
      1. Microsoft Internet Explorer 6 with all vendor patches installed and all vendor workarounds applied, is currently affected by one or more Secunia advisories rated Extremely critical
        Currently, 19 out of 60 Secunia advisories, is marked as "Unpatched" in the Secunia database.
      2. Mozilla Firefox 0.x with all vendor patches installed and all vendor workarounds applied, is currently affected by one or more Secunia advisories rated Less critical
        Currently, 2 out of 13 Secunia advisories, is marked as "Unpatched" in the Secunia database.

      Which would you trust?

  • On Linux the advanced items are ... (Score:5, Informative)

    by 3seas (184403) on Saturday October 02 2004, @08:55AM (#10412801) Homepage Journal
    ... under the main menu edit, then preferences ... then advanced... to Software updates

  • Probable bug . . . . (Score:5, Informative)

    by theparanoidcynic (705438) on Saturday October 02 2004, @08:55AM (#10412802)
    I ran this thing last night forgetting that Firefox was installed to a location that user accounts can't write to.

    Seeing the error mesage and remembering this fact I lit Firefox as root and ran the update. This left Firefox mangled and incapiable of downloading things from the user accounts.

    The moral of the story: do be careful using the update thingy. Now, off to fill out a bug report.

    • Re:Probable bug . . . . (Score:5, Informative)

      by aonifer (64619) on Saturday October 02 2004, @09:32AM (#10412971)
      I just installed the fix as root, closed Firefox, reopened Firefox as root to verify that the fix was applied, then closed it and reran as a regular user. The regular user account doesn't know that the fix was applied (the red button is there and when I click on it, it says it needs to download the fix). Either there's some kind of permissions problem, or the update information goes into root's profile, and not system-wide.

  • Linux users, take note (Score:5, Informative)

    by dacarr (562277) on Saturday October 02 2004, @09:06AM (#10412853) Homepage Journal
    Another user has pointed out that the Advanced option is under Edit|Preferences. Note, you must be root to do this - not merely 'su', but 'su -' at the bare minimum.

    If this doesn't work, of course, you'll have to download and install, which is almost as painless as the upgrade frob. The red 'upgrade' icon may still be present, so you'll have to click that so that Firefox will find that all is well with the world.

    As always, YMMV.

  • Last night I noticed a nifty pulsing red bubble in the upper right-hand corner of my Firefox toolbar. Clicking it revealed a message from the software-updater stating that an urgent fix was availeble. I clicked allow install, and it was done in ten seconds. Very nice that the browser alerted me to a fix and patched itself in no time at all.

  • Don't upgrade (Score:5, Funny)

    by pestario (781793) on Saturday October 02 2004, @09:19AM (#10412908) Journal
    "...a security flaw that could potentially allow a malicious site to erase files from the user's Download directory."

    I would consider this a feature more than a bug. It's like someone breaking into your house and taking out the garbage for you...

  • Explaining 0.10.1 (Score:5, Insightful)

    by XoloX (816533) on Saturday October 02 2004, @09:20AM (#10412913) Homepage

    The reason (for as far as I know) that Firefox uses this versioning scheme:

    If 1.0PR would have a version-tag with 1.0 in it, it would be more complicated for (for example) extensions to differentiate 1.0PR and the real 1.0. And home-users would probably not even get to see these version-numbers. They would just notice there is a new update.

    And about the bugs, I know I'm stating the obvious, and that it's been said before in this thread, but I'll try again:

    First of all, because Firefox performs so well people tend to forget this is still beta-software! Second, these bugs are discovered partially because of the bughunting program with rewards. So these bugs could well have existed for months before being discovered. It's good news they have already been squashed! And third, some of these bugs actually appeared because of the way Windows fucks up! (Remember the shell:// protocol?)

    Hope this helps,

    XoloX

  • Automatic stuff == bad security (Score:5, Insightful)

    by ngunton (460215) on Saturday October 02 2004, @09:27AM (#10412948) Homepage
    The thing that strikes me here is that the ability for browsers to have convenient, automatic features (and, in the case of Firefox, UI customization capability up the wazoo) is simply another form of the same mentality that made IE into such a security nightmare. The ability for a browser to download and execute things on the client automatically is just a huge security risk, regardless of the measures that the designers think they have put in place. The Mozilla press release even has a "click here" link to automatically install the patch! Who doesn't think that this kind of thing will have endless potential for hackers to exploit in the years ahead. The bloated XUL interface engine that makes Mozilla (and Firefox) next to unusable on my old workstation (450 MHz, RH 7.3) also means that the UI can be totally changed - this, to me, is very scary. Because if something can be totally changed, then I can guarantee that eventually someone will figure out a way to totally change it without my consent.

    Why not just design a browser that works on multiple platforms, using an established cross-platform GUI such as wxWidgets, rather than going away to create a browser and coming back with another new, slow, bloated, universal uber-platform swiss-army-knife UI language... yeah, I know, "Do it yourself dude", and plenty of geeks out there just love the customizability of XUL, but truthfully all I want is a fast, small browser. It just seems like everything is getting larger, slower and more bloated these days. Even Firefox, which is supposed to be sleek and fast, runs like a dog on my workstation. I don't see why I should have to upgrade my computer just for a fricking browser, when every other piece of software that I use runs just fine thanks very much.

    I don't hate Mozilla, these are just my honest reactions to the whole affair over the last couple of years.

    • Re:Automatic stuff == bad security (Score:5, Interesting)

      by groomed (202061) on Saturday October 02 2004, @10:18AM (#10413246)
      It's not that simple. To fully support CSS, for example, Gecko (the page rendering engine that's used by Mozilla, Firefox, and Thunderbird) has to be able to change the way buttons and other elements are drawn. And it has to be able to control z-ordering, i.e. it has to be in control of what happens when you draw two buttons on top of eachother. The same goes for things like charset support, printing, accessibility, etc.

      To provide full support for the W3C standards, you need widgets that provide very specific capabilities. Toolkits like wxWidgets have the opposite goal: they work by hiding specifics from the application programmer. There is a fundamental mismatch between the two.

      If you want to fully support all the standards that make up the web across different operating systems, you end up with something like Firefox. It's not primarily some geek pride thing (although that always plays a role); it is primarily a consequence of the complexity and scope of the standards involved.

  • Too Complicated? (Score:5, Insightful)

    by jeremyds (456206) on Saturday October 02 2004, @09:31AM (#10412964)
    Why does a user have to go to Tools -> Options -> Advanced to check for updates to Firefox? For the average non-technical user, this should be much more accessible.
  • They still have yet to fix a much [livejournal.com] more serious [mozilla.org] bug.

    Just because most of us don't live in South America doesn't mean it isn't huge problem.

  • Another flawless Install, but... (Score:5, Insightful)

    by fr8_liner (780267) on Saturday October 02 2004, @10:01AM (#10413148)
    I just installed and patched the PR edition on my system and added AdBlock and Firesomething. My friend who is a Microsoft developer was watching this process which took 2 minutes. He was taken aback and had to admit that things have improved for installing applications for Linux. He also said that most Windows users would be lost following the instructions to install from a terminal window or doing any installation requiring "./configure, make, make install." He has a point. We need more "Windows-like" app installation to get more Windoze users to migrate to Linux.
    • What type of sites is it you operate? Here are some logs from a 100% non-technology related site which still shows Internet Explorer as by far the most-used browser.

      Note that the Opera browser shown in Rank 3 should not be taken as accurate as this merely runs a "ticker" on auto-refresh setting every 10 minutes.

      # Hits User Agent
      1 31005 15.75% Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
      2 20925 10.63% Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1
      3 11074 5.63% Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) Opera 7.50
      4 10596 5.38% Opera/7.50 (Windows NT 5.0; U) [en]
      5 9893 5.03% Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko
      6 8281 4.21% Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
      7 7856 3.99% Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; FunWebProd
      8 6113 3.11% Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
      9 5286 2.69% Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)
      10 4868 2.47% Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET
      11 4795 2.44% Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6) Gecko
      12 2915 1.48% Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2) Opera 7.50
      13 2885 1.47% Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.4) Gecko
      14 2783 1.41% Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)
      15 2645 1.34% Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) Opera 7.54

    • Re:it's nice to see ms finally losing the browserw (Score:4, Insightful)

      by aardvarkjoe (156801) on Saturday October 02 2004, @09:01AM (#10412830)
      it's nice to see ms finally losing the browserwars
      Yeah, now not only do we get a browser as good as IE, it's got similar security "features" too...

      • Re:luckily for me... (Score:4, Informative)

        by asa (33102) <asa@mozilla.com> on Saturday October 02 2004, @09:57AM (#10413121) Homepage
        On the downside, that means that anyone who can pose as the update server gets to insert arbitrary code into your Mozilla install without your knowledge - now that's trojanning!

        Um, no. That is absolutely not the case. The information bar and the trusted sites list is simply a user convenience/inforamtion mechanism like the pop-up blocking bar. After adding a site to the whitelist, a user still has to agree to the software installation. A site cannot "insert arbitrary code into your Mozilla install without your knowledge" because the install doesn't happen until you agree to the install. There are no prompt-less installs.

        --Asa

All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2009 Geeknet, Inc.