Firefox 3.0.1 Fixes 'Carpet Bombing' Issue

Posted by CmdrTaco on Thu Jul 17, 2008 11:29 AM
from the break-out-the-bug-spray dept.
An anonymous reader writes "Firefox 3.0.1 was released today. It fixes 3 security vulnerabilities, including a critical issue reported by Billy Rios, Ben Turner, and Dan Veditz. The issue could be combined with an issue in Apple's Safari browser to read data from the user's disk or to execute arbitrary code. This issue was previously discussed on Slashdot. The release also fixes a remote code execution bug involving the CSS reference counter, reported by the Zero-Day Initiative (previously discussed on Slashdot here), as well as a Mac-only potential code execution bug involving GIF image rendering, reported by Drew Yao of Apple Product Security."

Related Stories

A Few Firefox 3 Followups (407 comments)
An anonymous reader writes "Using data generated by the Mozilla Firefox download pledge page, the map on this blog post ranks countries, not by absolute number of pledges made, but rather on a per capita basis. This analysis yields some interesting conclusions about where open source is strongest and weakest." Anonymous Warthog writes "That didn't take long. In a blog posting from the TippingPoint DVLabs security team (of Kraken and CanSecWest hacking contest fame), they confirmed that they reported a vulnerability in Firefox 3.0 to Mozilla a mere five hours after it was released. Additionally, there was a posting on the Full Disclosure security mailing list from someone that purports to have another vulnerability in the works as well. In the grand scheme of things, this probably means nothing to the general security of Firefox, but you can be sure the browser zealots on all sides will be watching carefully." Finally, from reader Toreo asesino: "Microsoft have congratulated the Mozilla team by sending them their second cake (minus recipe) to Mozilla's Mountain View headquarters to congratulate them on shipping FireFox 3, which went live right on time last night." Congratulations are indeed due on both the browser and the release process — looks like the Firefox fever (despite some seriously taxed servers) resulted in more than 8 million downloads in 24 hours.
IT: Safari "Carpet Bomb" Attack Still a Risk (117 comments)
SecureThroughObscure writes "Just a short time after Apple's recent acknowledgment of and patch for the Safari Carpet Bomb 'blended' IE flaw, Microsoft researcher Billy Rios shows that Safari is still useful in a blended attack, this time with Firefox 2/3. (ZDNet's Nate McFeters also spread the word.) Rios claimed that he is able to use Carpet Bomb, despite the recent patch, to steal arbitrary files from victims who also have Firefox 2/3 installed. Both Rios and McFeters pointed out that Apple, which took some heat for not originally patching, actually did a good job of addressing the issue, as the code execution angle was not originally understood (the details came out later). Rios is withholding details of the new attack vector until Apple has had time to patch or respond to this issue."
  • no crashes yet (Score:3, Interesting)

    by mjs_ud (849782) on Thursday July 17 2008, @11:38AM (#24229695)
    Firefox 3 was crashing 3-10 times a day for me even after completely removing everything FF related. At the risk of jinxing myself I will say that I'm crash free on 3.0.1 for 4 hours now.
    • crash crashing or? (Score:5, Informative)

      by Fallen Andy (795676) on Thursday July 17 2008, @11:58AM (#24230001)
      OK, if you saw the following I may have an answer for you. If you installed FF3 and around a day or two later mysteriously it seemed to put up the hourglass cursor with the disk thrashing a lot, then you got bitten by the urlclassifier db (anti-phishing sqlite database) being downloaded. After a day or so things go back to normal. (It would look more like a temporary freeze of the program rather than a crash to the desktop).

      For anyone on a slow connection or with an old machine (like me) that was almost a showstopper. Thankfully, *seems* to be fixed now. Haven't seen any real crashes to the desktop even with the betas...

      A workaround is to go Tools -> Options -> Security and turn off the attack site and forgery options.

      Andy

    • Mine crashes every time I run it, but that's due to either no libpangocairo or no GTK+ 2.10 or someone deciding I shouldn't have permissions to be able to run X applications on that machine. But then that's probably not considered crashing as it never got running properly in the first place. So I'm running 2.0.0.16.

      At least I solved one of the crashes I used to get with it: a very long Javascript bookmark in the toolbar to open a Javascript console would crash the browser if it tried to display as a tooltip

  • ... I didn't download Firefox 3 when it came out. In fact, I'm still on Firefox 2, and I'm sure a good percentage of fellow /.ers are as well.

    Remember: if there aren't any patches for it, chances are that the reason is not that it's bug-free, but that it's still buggy.

    • I finally upgraded last night. So far, so good - it's certainly faster, and the most important mods to me (CSL and NoScript) seem to be working just fine.

      Of course, if it isn't all good then I'm screwed now, but c'est la vie.

    • I upgraded to Firefox 3, but had so many problems with it crashing and not rendering some sites correctly that I reverted to Firefox 2. Strangely, I only had problems with FF3 on my work machine running the Windows XP version (this is the one I rolled back to FF2). I haven't had any problems with it on my Linux machine (Kubuntu 8.04).
    • Chances are that the reason is not that it's bug-free, but that it's still buggy.

      Chances are that you are not a developer.
      "He who is without a sin throw the first stone."

    • ... I didn't download Firefox 3 when it came out. In fact, I'm still on Firefox 2, and I'm sure a good percentage of fellow /.ers are as well.

      Um... the carpet bombing vulnerability also affects Firefox 2. It looks like someone is in trouble :)

  • So have they given us the option to disable their "awesome bar" yet?
    • Re:"awesome bar" (Score:5, Informative)

      by -Tango21- (703195) on Thursday July 17 2008, @11:46AM (#24229813)
      Hmm, a Google search reveals that while the "awesome bar" is still the default, you can disable it by following the directions below (but, maybe you already knew this):

      1. Type about:config into the location bar and change the value browser.urlbar.matchOnlyTyped to true. After this, you need to restart Firefox. All this does is make it so that Firefox only searches the URLs you have typed and not the titles of pages.

      2. Install the Old Location Bar extension. This changes the location bar so that it looks like how it looked in Firefox 2. As of me writing this post, it is an experimental addon so you will need to register to the Firefox addon service to install it.
      • I kinda like the so called awesome bar. What's wrong with it?
        • I kinda like the so called awesome bar. What's wrong with it?

          The oldies want their URL bars to match URLs and those pesky kids to GET OFF THEIR LAWNS!

          1. Type 'co' in the Awesome bar. Marvel at how it "awesomely" returns every site in the .com TLD.
          2. If you are the type who remembers the URL of sites you visit, it just means a bunch of false positives.

          I've used it once to date, when going back to a walkthrough page on gamefaqs. 99% of the time, I know the address I'm going to, or I have it bookmarked, so the "awesomeness" is wasted on me.

          • Matching co to .com is obviously a bug. As for those that remember URLs, it is admittedly not too useful.

            That being said, if you are someone with a lot of bookmarks, it can really speed up looking for something in your bookmarks. It also brings this search ability to every page in your history, which is great for the unwashed masses that either don't understand bookmarks (really!) or just don't use them for whatever reason.

        • Re: (Score:3, Informative)

          Lifehacker [lifehacker.com] has instructions on how to restore the yellow for SSL sites, among other nice UI changes (such as removing the Go and Search buttons from the Address and Search bars, respectively). It does require an extension (either Stylish or Greasemonkey), but it definitely works, I've been using this at home for a few weeks now.

        • Re: (Score:3, Insightful)

          I finally did what you suggested and typed "co" into the address bar. It gives fifteen suggestions, although I'm sure I go to many more than fifteen .com sites. The top suggestions were for COmputer documentation for where I work, COnsumer Reports magazine, COmputer Cable Store, two sites I frequent that are .com domains, and Weather Forecast and COnditions for my city. I fail to see the problem. Care to explain?
    • Yes, and there are tons of posts about it. Just Google, remove awesome bar. And you will get tons of ways to make it like the FF 2 toolbar.
      • Re: (Score:3, Insightful)

        Yeah, well, the FF2 bar wasn't all that hot either. The only thing more annoying than waiting for the list of sites to never come up because you started typing while another tab was still loading, is having the list of sites popup while you're typing and since you had the mouse in the wrong location when you hit enter you went to some completely different place than you had expected.

        I don't care whether it's awesome or not, give me an option to make it not appear unless I press down or alt-down or tab or s

    • Let me save you some time and map out your journey to acceptance of the awesome bar.

      First you hate it, because it's new and different to what you expect. You are trained to use it as an address bar and nothing else, so it acting like a search bar is confusing and suboptimal to you.

      At this point many people decide to trial the new bar, but you are the kind of person who tends to think he (forgive me, but he) knows what's good and what's not, and even quite enjoy the idea of customizing your Firefox. So you l

  • by techess (1322623) on Thursday July 17 2008, @11:41AM (#24229749)
    From http://www.mozilla.org/security/announce/2008/mfsa2008-35.html [mozilla.org]

    Workaround
    This attack only works if the user is using another internet-connected application with Firefox not running. Using Firefox, or making sure it is at least running, prevents this attack.

    I had to giggle at the workaround. To prevent a firefox flaw from biting you, you need to have firefox open. Phew, I'm so glad I'm safe.

  • So far as I know, the only application that normally runs with its current directory on the desktop (and is thus a potential target for any successful exploit of this issue) is Internet Explorer.

    • Re: (Score:2, Interesting)

      Maybe I'm misunderstanding you, but I know a lot of people that change their download directory default in Firefox to the desktop.

  • Workaround (Score:4, Informative)

    by brunes69 (86786) <`slashdot' `at' `keirstead.org'> on Thursday July 17 2008, @11:42AM (#24229771) Homepage

    This attack only works if the user is using another internet-connected application with Firefox not running. Using Firefox, or making sure it is at least running, prevents this attack.

    So as long as you use Firefox all day long, you will not be affected.

  • by dnwq (910646) on Thursday July 17 2008, @11:54AM (#24229935)
    Slashdot needs an "important software updates" section.
    • Slashdot needs an "important software updates" section.

      In addition, or as a replacement for, the "stuff that matters" section?

  • Now if only they could get around to fixing the much bigger memory issues that seem to get worse and worse with every release. I'm getting tempted to go back to IE for the first time in years.
    • Ok, seriously: what are these memory issues everyone keeps bitching about? I keep open a considerable selection of tabs myself with low memory usage...and I haven't even made the optimizations for lower memory usage. I'm yet to see any evidence of these "memory issues".

    • Nice to repeat the same ol' FUD, but you do realize that FF3 memory usage is significantly lower than FF2 and IE [pavlov.net], don't you? You /did/ know that, right?
  • Ubuntu Repos (Score:3, Interesting)

    by martinw89 (1229324) on Thursday July 17 2008, @12:04PM (#24230099)
    I could swear that I was notified of a security update regarding Firefox a few days ago. After the update, I checked Firefox and its own About dialog reported it was 3.0.1. Can anyone else confirm this or am I going bonkers? I'm certainly on 3.0.1 now and I only received some mundane updates this morning.
    • Re:Who Cares... (Score:5, Informative)

      by bconway (63464) on Thursday July 17 2008, @11:35AM (#24229661) Homepage

      Actually, it's a .0.1 release. Firefox 3.1 (alpha due this summer) has a lot of new features that didn't make it in time for 3.0.

    • Re:Who Cares... (Score:4, Interesting)

      by Vectronic (1221470) on Thursday July 17 2008, @12:33PM (#24230485)

      I for one, welcome our browser caring overlords.

      My issue is that "No one cares when Opera or Safari have a similar release. [or Internet Explorer, or Konqueror...]" but they do when it's Firefox.

      Opera 9.51 went through a few RC's and a final and is on 9.52RC/Snapshot, Safari has gone through a couple *.*# and a whole #.0 in the last few months for Mac, Win and Mobile...

      But no, Firefox 3.1 Sub-Alpha-Hypothetical-Possibility-Beta-RC Build 3219 hits front page and we're supposed to eat a cracker drink some wine and pray to it, but oh wait, we're all for competition and innovation, as long as it's Firefox Vs. Firefox.

      (stomps off)

      • Re: (Score:3, Interesting)

        My issue is that "No one cares when Opera or Safari have a similar release. [or Internet Explorer, or Konqueror...]" but they do when it's Firefox.

        Opera 9.51 went through a few RC's and a final and is on 9.52RC/Snapshot, Safari has gone through a couple *.*# and a whole #.0 in the last few months for Mac, Win and Mobile...

        Your post is sorta worded as flamebait to some, but it does have truth. It doesn't take a statistician or a complex algo to add up how many postings have been about FireFox in the past 6

      • by Godji (957148) on Thursday July 17 2008, @01:13PM (#24231049) Homepage
        Safari has gone through a couple *.*# and a whole #.0 in the last few months for Mac, Win and Mobile...

        And Internet Explorer is still going through lots of *&^%$#@!
      • Re: (Score:3, Informative)

        And Safari and Opera are both non-free so they are more reluctant to give detailed fix reports.

        http://my.opera.com/desktopteam/blog/ [opera.com]

        • And Safari and Opera are both non-free so they are more reluctant to give detailed fix reports. http://my.opera.com/desktopteam/blog/ [opera.com]

          Non free? I believe you mean they have a proprietary source code, as opposed to open source like firefox. I don't recall paying to download either Opera or Safari for my desktop and laptop. Yes, I do know opera charges now for the Wii browser, but I don't have a Wii.

          • Re: (Score:3, Informative)

            Non free? I believe you mean they have a proprietary source code, as opposed to open source like firefox.

            Safari is Open Source. Head over to WebKit.org [webkit.org] and you can get the source via Subversion or browse it via Trac. It's licensed under a mix of LGPL and BSD licenses.

        • Re: (Score:3, Informative)

          Non-free, as in closed-source, as in proprietary. Sure Safari is mostly open-source, but Opera is as much proprietary as IE.