
New Vulnerabilities Discovered in Firefox 1.0

Posted by samzenpus
from the protect-yourself-at-all-times dept.
jflint writes "Today, the security firm Secunia has released 8 more security vulnerabilities it has discovered in Mozilla products, including Firefox and Thunderbird. The exploits "could be used by criminals to spoof, or fake, various aspects of a Web site, ranging from its SSL secure site icon to the contents of an inactive tab.""

  • First (Score:4, Funny)

    by Anonymous Coward on Wednesday March 02, 2005 @08:47PM (#11829720)
    It's open source so it will get fixed quickly post.
  • New Discovery? (Score:5, Interesting)

    by fembots (753724) on Wednesday March 02, 2005 @08:47PM (#11829721) Homepage
    Today, the security firm Secunia has released 8 more security bugs it has discovered in Mozilla products, including Firefox and Thunderbird. [......] If you have downloaded the Firefox 1.0.1 update, you have nothing to worry about

    Firefox 1.0.1 update was out before today, so did Secunia just look at what 1.0.1 update fixes and release its "bug" report, or did they discover something new to 1.0.1?
    • Re:New Discovery? (Score:5, Insightful)

      by chrisbtoo (41029) on Wednesday March 02, 2005 @08:50PM (#11829764) Homepage Journal
      Chances are that they found the 8 bugs in 1.0, reported them to Mozilla, who kept it quiet and fixed them for 1.0.1.

      I guess this is trumpet-blowing from Secunia, together with an advisory as to how important it is to upgrade to 1.0.1.
      • Re:New Discovery? (Score:5, Informative)

        by SuperficialRhyme (731757) on Wednesday March 02, 2005 @09:15PM (#11829986) Homepage
        Secunia just put the list together. Copy/pasting the list and who found them from Secunia since someone didn't link to it in the article.

        1) The vulnerability is caused due to the temporary plugin directory being created insecurely. This can be exploited via symlink attacks to delete arbitrary directories with the privileges of the user running Mozilla or Firefox.

        2) The problem is that an inactive tab can launch an HTTP authentication prompt, which appears to be displayed by a website in another tab. This may be exploited to trick a user into entering some sensitive information (e.g. user credentials).

        This is similar to:
        SA12712

        3) An error in the handling of shortcut files (.lnk) can be exploited to overwrite arbitrary files by tricking a user into downloading a shortcut file twice.

        4) The problem is that a XML document can include XSLT stylesheets from arbitrary sites, which may be exploited to disclose some sensitive information.

        5) An error in the form fill feature (autocomplete) allows reading suggested values before they are chosen. This can be exploited to disclose some potentially sensitive input by tricking a user into arrowing through some autocompleted values.

        6) A memory handling error in Mozilla string classes may allow overwriting of memory if the browser runs out of memory during string growth. This can potentially be exploited to execute arbitrary code.

        7) The problem is that the hostname can be obfuscated in the installation confirmation dialog by including an overly long username and password. This can be exploited to trick users into accepting installations from untrusted sources.

        Successful exploitation requires that the malicious website is allowed to request installations.

        8) It is possible to cause a heap overflow due to an error when converting malformed UTF8 character sequences to Unicode. This may be exploited to cause a heap overflow and execute arbitrary code, however, general web content is not converted using the vulnerable code.

        9) Various errors make it possible to show the "secure site" lock icon with certificate information belonging to a different site.

        Provided and/or discovered by:
        1) Tavis Ormandy
        2) Christian Schmidt
        3) Masayuki Nakano
        4) Georgi Guninski
        5) Matt Brubeck
        6) Independently discovered by:
        * Daniel de Wildt
        * Gaël Delalleau
        7) Phil Ringnalda
        8) wind li
        9) Mook, Doug Turner, Kohei Yoshino, M. Deaudelin
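
Item 7 in the list above (hostname obfuscated by an overly long username and password in the installation confirmation dialog), illustrated from the defender's side as an added example; it is not part of the original comment and not Mozilla's code. It builds the dialog's source line from the parsed host only, so nothing left of the `@` is ever displayed. The function name, the 40-character budget and the sample URLs are assumptions made for the example.

```javascript
// Added example (not Firefox code): derive the "install from ..." line of a
// confirmation dialog from the parsed host, never from the raw URL string.
const MAX_HOST_CHARS = 40; // assumed width budget for the dialog line

function describeInstallSource(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return { ok: false, reason: 'unparseable URL' };
  }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') {
    return { ok: false, reason: 'unsupported scheme' };
  }
  // Userinfo is parsed into separate fields; it is reported but not shown.
  const hasUserinfo = url.username !== '' || url.password !== '';
  // url.host is hostname[:port] and cannot contain anything left of '@'.
  let host = url.host;
  if (host.length > MAX_HOST_CHARS) {
    // Elide from the left so the rightmost labels (the part that identifies
    // the site) stay visible when the line has to be shortened.
    host = '…' + host.slice(-(MAX_HOST_CHARS - 1));
  }
  return { ok: true, display: `${url.protocol}//${host}`, hasUserinfo };
}

// Constructed sample inputs (example.org / .example are reserved names).
const padded = 'https://addons.example.org' + '%20'.repeat(80) +
  ':x@untrusted.example/ext.xpi';
const plain = 'https://addons.example.org/ext.xpi';
const longHost = 'https://' + 'a'.repeat(50) + '.untrusted.example/ext.xpi';

for (const u of [padded, plain, longHost]) {
  console.log(describeInstallSource(u));
}
```

A caller can additionally refuse the install outright when `hasUserinfo` is true, since an install link has no legitimate need for embedded credentials.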
        • Re:New Discovery? (Score:5, Informative)

          by aneroid (856995) <aneroid@gmai l . com> on Wednesday March 02, 2005 @09:39PM (#11830150) Homepage Journal
          2) The problem is that an inactive tab can launch an HTTP authentication prompt, which appears to be displayed by a website in another tab. This may be exploited to trick a user into entering some sensitive information (e.g. user credentials).

          i always wanted that modal dialog to be made non- and only appear for that tab (when it's in focus).

          i doubt this would've prevented the bug. but the page it was appearing for would be obvious. a possible hack to that could be...have a javascript window which is already open make the connection. in that case, even if the js window is shown, with the browser most likely behind it, it wouldn't be obvious. could fix that too :P by outlining the window/tab that calls it. of course, even that could...
          • Re:New Discovery? (Score:3, Interesting)

            by LnxAddct (679316)
            Or how about just stopping the javascript interpreter when the window isn't in focus. And if a child window is being viewed make sure that its parent windows gain focus behind it or something to that effect. That would more or less cover all the cases, would it not?
            Regards,
            Steve
            • Re:New Discovery? (Score:3, Insightful)

              by ajs318 (655362)

              Or how about just stopping the javascript interpreter when the window isn't in focus.

              As another poster has pointed out, this could break timing-based stuff ..... for instance, you could not simply background a tab until the enforced-view adverts disappeared :)

              Nonetheless, it'd be a good idea to allow as an option.

              And if a child window is being viewed make sure that its parent windows gain focus behind it or something to that effect.

              I thought of this too ..... if a tab wants to bring up any kind

      • SOP for Secunia... (Score:5, Interesting)

        by Anonymous Coward on Wednesday March 02, 2005 @09:37PM (#11830132)
        They released their list of major vulnerabilities in IE two days before MS released the update and months after they reported the problems originally.

        They're just glory whores.
    • Re:New Discovery? (Score:3, Insightful)

      by darkmeridian (119044)
      The thing that sucks is that there is no update button in Firefox 1.0. Well, there is, but it only updates the Extensions when I run it. That could lead the average user to believe that they have already updated their browser. Will this be fixed in Firefox 1.1? Or should I file it?

    • Re:New Discovery? (Score:5, Insightful)

      by einhverfr (238914) <chris.travers@gmail. c o m> on Wednesday March 02, 2005 @08:59PM (#11829840) Homepage Journal
      I personally am grateful to Secunia for helping to look at Firefox's security the way that we should be.

      Like it or not, we need these sorts finding vulnerabilities before the bad guys. No software is 100% secure. But any software has a security record better than IE.
      • Re:New Discovery? (Score:2, Insightful)

        by boredMDer (640516)
        'But any software has a security record better than IE.'

        What about Windows proper? :)
      • Re:New Discovery? (Score:5, Interesting)

        by LnxAddct (679316) <sgk25@drexel.edu> on Wednesday March 02, 2005 @10:42PM (#11830523)
        It is certainly good that people are looking out for bugs, but Secunia didn't find these. They just compiled a list of known bugs that were fixed in 1.0.1. Their site is supposed to be a consolidated source for finding vulnerabilities and researching the security of applications, which means whether or not they find the vulnerabilities, they report on them.
        Regards,
        Steve
  • What the hell? (Score:5, Informative)

    by Anonymous Coward on Wednesday March 02, 2005 @08:47PM (#11829722)
    Why is Slashdot linking to some guy's blog that no one has heard of rather than the actual Secunia advisories [secunia.com] page? The blog entry doesn't even link there! I don't even see how this is a story since Firefox 1.0.1 [slashdot.org] has already been covered on Slashdot, and these vulnerabilities were announced then [mozilla.org].
  • ...only affects v1.0 (Score:2, Informative)

    by Tumbleweed (3706) *
    If you have downloaded the Firefox 1.0.1 update, you have nothing to worry about. The Mozilla 1.7.6 and Thunderbird 1.0.1 releases should be out this week as well.

    No worries, just keep your browser updated.
    • I'm rather unimpressed with Firefox today. The update button popped up this afternoon yet the update itself was dated Feb. 25. I realize they didn't want a mass stampede to their server but that means a heck of a lot of people were unprotected (and remain unprotected) if they don't habitually check /. or Mozilla.org to see if there are new versions available.

      They greeted this security update better than Microsoft usually does...but not much better.
  • patch here (Score:5, Funny)

    by Coneasfast (690509) on Wednesday March 02, 2005 @08:48PM (#11829736)
    you can find the patch here [microsoft.com]. ;)
    • Re:patch here (Score:4, Informative)

      by Anonymous Coward on Wednesday March 02, 2005 @08:54PM (#11829794)
      don't mod parent as troll, it's a joke, a parody of the fact that someone posts a link to firefox when there is an IE vul. story.

      oh forget it, some of you mods are dumber than a deck of cards.
      • by Anonymous Coward
        oh forget it, some of you mods are dumber than a deck of cards.

        I am a deck of cards, you insensitive clod!
      • bizzt! (Score:3, Insightful)

        by Leers (159585)
        -1 Insulting Mods
  • Emergency! (Score:5, Funny)

    by Peter_Pork (627313) on Wednesday March 02, 2005 @08:49PM (#11829743)
    Oh my God! I'm switching back to Internet Explorer right away!
  • And yet... (Score:5, Funny)

    by tannmann (819117) on Wednesday March 02, 2005 @08:49PM (#11829746)
    I still feel safer than when I use IE.
  • by confusion (14388) on Wednesday March 02, 2005 @08:49PM (#11829750) Homepage
    Most all software has serious bugs, and the up-tick in Firefox bugs was as predictable as the sun rising. The real key is going to be in how the bugs are dealt with.

    Jerry
    http://www.syslog.org/ [syslog.org]
  • by Zocalo (252965) on Wednesday March 02, 2005 @08:49PM (#11829753) Homepage
    "If you have downloaded the Firefox 1.0.1 update, you have nothing to worry about."

    Why this wasn't in the write up is beyond^W entirely to be expected given the recent track record of Slashdot editors... :P

  • Security (Score:2, Informative)

    by Scoria (264473)
    I was actually expecting this. Firefox is an immature fork. One vulnerability eliminated is one less to be discovered later. It is inconvenient now, but should expedite relative maturity in the base. I am, however, still awaiting an automatic update for my installation of Firefox 1.0... ;-)
  • by Anonymous Coward on Wednesday March 02, 2005 @08:52PM (#11829778)
    The bugs have already been dealt with. From TFA: "If you have downloaded the Firefox 1.0.1 update, you have nothing to worry about". In other words, Firefox has already fixed these security bugs and all Firefox users have to do is upgrade to 1.0.1 [mozilla.org]
  • by Anonymous Coward on Wednesday March 02, 2005 @08:53PM (#11829789)
    Your bank can and will ask you to confirm your password at random intervals via email.

    If in doubt about who sent the email, click on the link they provide in the email to get to your bank's website to make sure it's them.

    And remember, even banks sometimes forget to get their ssl certificates in order. No worries though, MS has been focusing on security for the last couple of years and IE is almost as solid as Firefox is....
  • Hah! (Score:4, Funny)

    by Anonymous Coward on Wednesday March 02, 2005 @08:54PM (#11829796)
    That's why I use Firef... uhhh what???
  • Firefox bugs (Score:4, Insightful)

    by benspikey (658022) on Wednesday March 02, 2005 @08:55PM (#11829808)
    Open source or Closed Source... makes no difference, bugs and exploits will always exist. Claiming that Firefox is the answer to all security problems is silly. Software by its very nature can be exploited for evil and no code is completely secure. Until people realize that the convenience of software is bundled with the risk of exploits and that no matter how many patches or code rewrites exist problems will always exist. Makes me glad I'm in the software business as I know my future is secure..
  • by rueger (210566) * on Wednesday March 02, 2005 @09:06PM (#11829906) Homepage
    Really, do we need a story every time some security problem appears in some software package? Surely anyone with half a brain understands that security relies on multiple protections.

    Firewall, virus scanner, frequent updates to all software. Maybe a change in OS.

    I really ignore all of these endless warnings any more and just trust that frequent updates and scans, and a reasonable amount of common sense and skepticism will protect me pretty much fully.
    • Really, do we need a story every time some security problem appears in some software package?
      No. But then we aren't getting that either.
      Firewall, virus scanner, frequent updates to all software. Maybe a change in OS
      All great tools against browser spoofing I'm sure...
    • Slashdot loves to post articles on Microsoft software vulnerabilities. It's only fair that OSS vulnerabilities be covered as well.
  • You know the MS PR warmachine will make the most of this, don't you?
  • by Mustang Matt (133426) on Wednesday March 02, 2005 @09:10PM (#11829940)
    Does anyone have an explanation as to why firefox's online update feature doesn't upgrade to 1.0.1?
  • by teslatug (543527)
    What's the use of having an update feature if you never enable it or get it in a working state? I have never been able to update firefox through the built-in feature.
  • Food for thought... (Score:3, Interesting)

    by Ericzombie (812295) on Wednesday March 02, 2005 @09:43PM (#11830175)
    Anyone else notice how now that Firefox has gotten pretty big, you're mostly hearing about Firefox issues, rather than the slew of IE issues that we used to be swarming over. In essence it makes sense as most /.ers have upgraded to Firefox, however it just seems to be working that way. I don't think that M$ could have gotten all of the kinks out of IE, so what's the deal?
    • you're right ... I agree they attack Firefox while ignoring IE issues that were never addressed. So, in case anyone hasn't heard this: I just wanted to say IE sucks really bad, especially if you're on a Mac and they won't do anything useful.
  • I don't think these kinds of "phishing exploits" should be classified with security vulnerabilities. They make it easier to fool a naive user... but they're not at all necessary... the existing phishing attacks will continue to succeed as long as companies keep asking people to do stupid things.

    I really have received real, legitimate mail from Microsoft asking me to download and apply a patch... and nobody at Microsoft I spoke to saw anything strange about it... and the IT people where I work have done the same kind of thing even after I asked them not to and they agreed they wouldn't.

    The term "Security vulnerabilities" needs to be restricted to things like remote execution attacks, watering it down doesn't help anyone.
  • by Transcendent (204992) on Wednesday March 02, 2005 @09:56PM (#11830279)
    ...slashdot doesn't display correctly in Firefox 1.0+

    More at 11.
  • i'll take it! (Score:2, Insightful)

    by nuckin futs (574289)
    i'm willing to deal with a couple firefox vulnerabilities over that browser that runs activeX controls.
  • by Anonymous Coward on Wednesday March 02, 2005 @11:25PM (#11830785)
    I use Internet Explorer.
  • the real difference (Score:4, Interesting)

    by IdentifiedDareDevil (842240) on Thursday March 03, 2005 @02:37AM (#11831737)
    (for me) isn't really the technology or the security. IE and Firefox are really not that far apart in terms of bugs/features (yet).. the main difference to me is that on one hand, you have a greedy, monopolistic company working outside proper market forces - allowing it to decide when and how it improves its software (IE 6.0 released in Aug 2002 - what major sw app can get away with a 3 year major release cycle?) vs. Firefox/Mozilla - a grass-roots collaboration of people who are trying to make something significant and have fun at the same time.

    The choice for me is not a lot different than choosing to live in the Soviet Union or the United States. I'd rather not eat the gruel (or browser) someone else thinks is all I deserve.
  • by harryoyster (814652) on Thursday March 03, 2005 @07:13AM (#11832355) Homepage
    I would love to see how they actually find some of these vulnerabilities. Direct from Secunia: "The vulnerability is caused due to missing URI handler validation when dragging an image with a "javascript:" URL to the address bar. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an arbitrary site by tricking a user into dragging an image to the address bar." Don't think I've ever dragged anything from a web page in my life.. I may be a newbie though (only been on the net since 1992)..
