New Vulnerabilities Discovered in Firefox 1.0
jflint writes "Today, the security firm Secunia has released 8 more security vulnerabilities it has discovered in Mozilla products, including Firefox and Thunderbird. The exploits "could be used by criminals to spoof, or fake, various aspects of a Web site, ranging from its SSL secure site icon to the contents of an inactive tab.""
What the hell? (Score:5, Informative)
...only affects v1.0 (Score:2, Informative)
No worries, just keep your browser updated.
Security (Score:2, Informative)
The bugs have already been fixed (Score:4, Informative)
it's already fixed. (Score:1, Informative)
Re:Emergency! (Score:2, Informative)
The others won't be long.
from the article:
If you have downloaded the Firefox 1.0.1 update, you have nothing to worry about. The Mozilla 1.7.6 and Thunderbird 1.0.1 releases should be out this week as well.
Re:patch here (Score:4, Informative)
oh forget it, some of you mods are dumber than a deck of cards.
Re:New Discovery? (Score:1, Informative)
Re:New Discovery? (Score:5, Informative)
Re:Firefox bugs (Score:1, Informative)
Re:New Discovery? (Score:2, Informative)
It looks like [mozillazine.org] they are aware of these problems and are working on them.
Re:New Discovery? (Score:5, Informative)
Asa mentioned something about server problems and activating the update for 1.0.1 later, and indeed it did show up today. Granted, it's a week since the release and that's a long time for a security update... And Windows-only apparently, though Linux users probably update through their native package systems anyway.
His blog [mozillazine.org] has more.
Re:The most important part of TFA (Score:2, Informative)
The vulnerabilities have been corrected in Mozilla, but the patched edition, 1.7.6, has not yet been officially released. The same goes for Thunderbird, the Mozilla Foundation's free e-mail client, which is also susceptible to the bugs. Both Mozilla 1.7.6 and Thunderbird 1.0.1 should roll out this week, Mozilla has said.
8 More Bugs Found In Firefox And Mozilla [techweb.com]
Re:...only affects v1.0 (Score:4, Informative)
Supposedly. By my reading of Asa's blog [mozillazine.org], if you use the en-US version (most of Slashdot), then you should be able to get an update. Specifically, check out the entries localized 1.0.1 updates [mozillazine.org] and another try at update [mozillazine.org].
However, I use the en-US version, and my Firefox refuses to auto-update. So it doesn't appear to be working for everyone. (I'm behind a firewall, if that matters.)
Re:Firefox ad hack! (Score:3, Informative)
I ran into that when I had IIS installed and a hosts file with many ad servers sent to 127.0.0.1.
I fixed it by turning off the Web Publishing Service.
Re:New Discovery? (Score:5, Informative)
1) The vulnerability is caused due to the temporary plugin directory being created insecurely. This can be exploited via symlink attacks to delete arbitrary directories with the privileges of the user running Mozilla or Firefox.
2) The problem is that an inactive tab can launch an HTTP authentication prompt, which appears to be displayed by a website in another tab. This may be exploited to trick a user into entering some sensitive information (e.g. user credentials).
This is similar to:
SA12712
3) An error in the handling of shortcut files (.lnk) can be exploited to overwrite arbitrary files by tricking a user into downloading a shortcut file twice.
4) The problem is that an XML document can include XSLT stylesheets from arbitrary sites, which may be exploited to disclose some sensitive information.
5) An error in the form fill feature (autocomplete) allows reading suggested values before they are chosen. This can be exploited to disclose some potentially sensitive input by tricking a user into arrowing through some autocompleted values.
6) A memory handling error in Mozilla string classes may allow overwriting of memory if the browser runs out of memory during string growth. This can potentially be exploited to execute arbitrary code.
7) The problem is that the hostname can be obfuscated in the installation confirmation dialog by including an overly long username and password. This can be exploited to trick users into accepting installations from untrusted sources.
Successful exploitation requires that the malicious website is allowed to request installations.
8) It is possible to cause a heap overflow due to an error when converting malformed UTF8 character sequences to Unicode. This may be exploited to cause a heap overflow and execute arbitrary code, however, general web content is not converted using the vulnerable code.
9) Various errors make it possible to show the "secure site" lock icon with certificate information belonging to a different site.
Provided and/or discovered by:
1) Tavis Ormandy
2) Christian Schmidt
3) Masayuki Nakano
4) Georgi Guninski
5) Matt Brubeck
6) Independently discovered by:
* Daniel de Wildt
* Gaël Delalleau
7) Phil Ringnalda
8) wind li
9) Mook, Doug Turner, Kohei Yoshino, M. Deaudelin
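Item 7 in the list above comes down to a confirmation dialog showing the user the whole URL authority instead of only the host. The following is an added example, not part of the comment, Secunia's advisory or Mozilla's code, of deriving a prompt label that cannot be padded with userinfo; `safeInstallPrompt`, `MAX_LABEL` and the sample URL are hypothetical and constructed for illustration.

```javascript
// Added example: compute the label an install-confirmation prompt should show.
// safeInstallPrompt and MAX_LABEL are hypothetical names, not Mozilla APIs.
const MAX_LABEL = 64;

function safeInstallPrompt(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl); // WHATWG parser separates userinfo from host
  } catch (e) {
    return { ok: false, reason: "unparseable URL" };
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") {
    return { ok: false, reason: "unsupported scheme" };
  }
  // Record userinfo so the caller can warn or refuse, but never display it.
  const hadUserinfo = url.username !== "" || url.password !== "";

  // url.host is hostname[:port] only; username and password are excluded.
  let label = url.host;
  if (label.length > MAX_LABEL) {
    // Truncate on the left so the right-hand end of the host name,
    // which identifies the actual site, always stays visible.
    label = "..." + label.slice(-(MAX_LABEL - 3));
  }
  return { ok: true, label, hadUserinfo };
}

// Constructed sample: a long username dressed up to look like a host name.
const paddedUrl =
  "https://addons.example.org" + "-".repeat(80) + ":x@untrusted.example/ext.xpi";

console.log(safeInstallPrompt(paddedUrl));
```
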
Re:I frequently talk up (Score:5, Informative)
been out for at least 2 weeks..... just because the media does not cover something does not mean it doesn't exist.
Comment removed (Score:4, Informative)
Solution: (Score:1, Informative)
Update to version 1.0.1.
http://www.mozilla.org/products/firefox/ [mozilla.org]
Firefox 1.0.1 Released
http://it.slashdot.org/article.pl?sid=05/02/25/03
The dup firefox
http://www.spreadfirefox.com/ [spreadfirefox.com]
Re:New Discovery? (Score:5, Informative)
i always wanted that modal dialog to be made non- and only appear for that tab (when it's in focus).
i doubt this would've prevented the bug. but the page it was appearing for would be obvious. a possible hack to that could be...have a javascript window which is already open make the connection. in that case, even if the js window is shown, with the browser most likely behind it, it wouldn't be obvious. could fix that too
Re:THANK YOU SLASHDOT!!! (Score:4, Informative)
Re:New Discovery? (Score:5, Informative)
Sure, you can copy-and-paste anything you want into your URL bar, and hit enter. This takes time, and thought, and you have to look at the string in two different places, so it's reasonably secure based on that.
The only security problems that could arise would be if there were links that you could click on, or bookmark them. Try it here [68k.org] (slashdot won't let you write chrome:// URLs unfortunately). It doesn't work.
There are tons of security measures related to XPI/XUL, the Firefox team has IMHO taken an OVERLY aggressive approach to XUL/XPI issues. You know why there are several extra steps required in Firefox to install an XPI plugin [mozdev.org]? Because there were some theoretical exploits where someone might ask a user to click on a place on the screen over and over (eg. hit the monkey), and then display the XPI dialog there, and the user might end up clicking "yes, please install" before they realized that they were running potentially suspicious code. So now users have to wait a few seconds before being able to click.
Users CAN actually configure their browser to let remote sites do just about anything [mozilla.org], including read/write files, change the clipboard, etc., because this is sometimes something that's useful that users might want from a few special sites. But it's a pain in the butt to get the several security configuration settings set properly, and again, as a developer, I think they might have overdone it.
Installing 1.01 (Score:2, Informative)
The DL link can be found here:
http://www.mozilla.org/
After downloading that I closed all windows and uninstalled 1.0 (winXP) by using add/remove programs and clicked yes on delete folder. My settings/profile/chrome stuff is not in that folder, but here in my case:
C:\Documents and Settings\My puter name\Application Data\Mozilla\
Then I installed 1.01 by clicking the exe
Done. My extensions, chrome, bookmarks seem to be intact, which of course was my biggest worry. My start menu just turned black though
The update thing in 1.0 just checked/updated my extensions, and my flash blocker stopped working. I took a look in about:config and the build and version number was still old, so that thing definitely didn't update to 1.01
Re:First (Score:5, Informative)
If you have firefox 1.01 installed you have nothing to worry about.
Fixed days ago. Now that's speedy service.
Re:New Discovery? (Score:5, Informative)
http://weblogs.mozillazine.org/asa/ [mozillazine.org]
Re:First (Score:5, Informative)
No, there are security advisories for firefox 1.01, like this one [secunia.com].
And the story didn't even link the vulnerability report on Mozilla Firefox 1.x [secunia.com] from Secunia. Anyway, just stay tuned and have your FF always updated.
Re:First (Score:3, Informative)
Re:Auto Update (Score:2, Informative)
VISA's Zero Liability plan is useless. (Score:2, Informative)
*Covers U.S.-issued cards only. Visa's Zero Liability policy does not apply to commercial card or ATM transactions, or to PIN transactions not processed by Visa. See your Cardholder Agreement for more details.
**Cardholders should always regularly check their monthly statements for transaction accuracy. Financial institutions may impose greater liability on the cardholder if the financial institution reasonably determines that the unauthorized transaction was caused by the gross negligence or fraudulent action of the cardholder--which may include your delay for an unreasonable time in reporting unauthorized transactions.
Before you think 'I can keep my PIN secret, so what's the problem?', try to figure out how a transaction was processed by looking at your bank statement. Was it credit or debit? What network processed the transaction?
I recently had my VISA card used fraudulently, and was stuck footing the bill.
The 'call this number if your card is lost or stolen' number on the back of the card didn't work. Apparently, the organization that I contacted does not handle debit cards.
The charge was for $40; the zero liability plan applies to the first $50 of fraudulent transactions.
Of course, my bank "didn't know" how the charges were made, and ATM/pin transactions are not covered, so I couldn't take advantage of the Zero Liability policy without paying the bank to figure it out for me.
I found that the vendor (McAfee) was totally unresponsive (I never managed to contact a human being after trying for a few hours), so I could not obtain any information about the transaction (I thought I would get an IP address or a shipping address. Yeah, right!)
The bank wanted to charge well over $100 to 'launch an investigation', which would be billed as an initial cost plus an hourly fee, and could drag on indefinitely.
VISA charges vendors a few percentage points of every purchase you make. If the per-transaction fees aren't being used to combat fraud on the network, or even to maintain contact information for a handful of major vendors, what are they for?
If the average amount of a transaction is $5, and Visa takes 1% (two very low estimates), that's costing the vendor $0.05. For what? Sending a few kilobytes of data over an encrypted line? Running a (really expensive!?!) database transaction?
I've been dumping around a bit over 1% of my income into this network for years. If federal tax is 20%, that's roughly as much [washingtonpost.com] as I've put into the department of education and department of transportation, combined!
At this point, I think I'll just carry cash, since it's less of a hassle. If I get mugged, I'm out $100, and that's it. With a VISA card, I get to negotiate with my bank over who is liable for what, and there is a huge risk of electronic fraud. Besides, using cash keeps prices lower, and most businesses are happy to accept it.