Mozilla The Internet Security

New Vulnerabilities Discovered in Firefox 1.0

jflint writes "Today, the security firm Secunia has released 8 more security vulnerabilities it has discovered in Mozilla products, including Firefox and Thunderbird. The exploits "could be used by criminals to spoof, or fake, various aspects of a Web site, ranging from its SSL secure site icon to the contents of an inactive tab.""

  • Ah well (Score:1, Insightful)

    by Anonymous Coward on Wednesday March 02, 2005 @08:48PM (#11829739)
    At least with Firefox they'll be patched up within a few days. Unlike Microsoft which waits until half the world has been screwed over...
  • by confusion ( 14388 ) on Wednesday March 02, 2005 @08:49PM (#11829750) Homepage
    Most all software has serious bugs, and the up-tick in Firefox bugs was as predictable as the sun rising. The real key is going to be in how the bugs are dealt with.

    Jerry
    http://www.syslog.org/
  • by Zocalo ( 252965 ) on Wednesday March 02, 2005 @08:49PM (#11829753) Homepage
    "If you have downloaded the Firefox 1.0.1 update, you have nothing to worry about."

    Why this wasn't in the write up is beyond^W entirely to be expected given the recent track record of Slashdot editors... :P

  • Re:New Discovery? (Score:5, Insightful)

    by chrisbtoo ( 41029 ) on Wednesday March 02, 2005 @08:50PM (#11829764) Journal
    Chances are that they found the 8 bugs in 1.0, reported them to Mozilla, who kept it quiet and fixed them for 1.0.1.

    I guess this is trumpet-blowing from Secunia, together with an advisory as to how important it is to upgrade to 1.0.1.
  • Re:New Discovery? (Score:3, Insightful)

    by darkmeridian ( 119044 ) <william.chuang@ g m a i l . com> on Wednesday March 02, 2005 @08:54PM (#11829800) Homepage
    The thing that sucks is that there is no update button in Firefox 1.0. Well, there is, but it only updates the Extensions when I run it. That could lead the average user to believe that they have already updated their browser. Will this be fixed in Firefox 1.1? Or should I file it?

  • Firefox bugs (Score:4, Insightful)

    by benspikey ( 658022 ) on Wednesday March 02, 2005 @08:55PM (#11829808)
    Open source or Closed Source... makes no difference, bugs and exploits will always exist. Claiming that Firefox is the answer to all security problems is silly. Software by its very nature can be exploited for evil and no code is completely secure. Until people realize that the convenience of software is bundled with the risk of exploits and that no matter how many patches or code rewrites exist problems will always exist. Makes me glad I'm in the software business as I know my future is secure..
  • It's obvious (Score:2, Insightful)

    by SlashThat ( 859697 ) on Wednesday March 02, 2005 @08:56PM (#11829818)
    They want it to look more like "news".
  • by jrcamp ( 150032 ) on Wednesday March 02, 2005 @08:56PM (#11829819)
    Yeah except Avant still uses Internet Explorer as its backend. All of these fixes for Firefox are for potential exploits, not something that's in the wild. It's a lot better track record than Microsoft has by far. Plus nobody's going to pay for Opera and they certainly won't put up with having ads in their browser.
  • Re:New Discovery? (Score:5, Insightful)

    by einhverfr ( 238914 ) <chris@travers.gmail@com> on Wednesday March 02, 2005 @08:59PM (#11829840) Homepage Journal
    I personally am grateful to Secunia for helping to look at Firefox's security the way that we should be.

    Like it or not, we need these sorts finding vulnerabilities before the bad guys. No software is 100% secure. But any software has a security record better than IE.
  • by GeorgeMcBay ( 106610 ) on Wednesday March 02, 2005 @09:02PM (#11829873)

    Prediction: In 10 years, if there is no fundamental fix for these sorts of spoofs, or if the underlying model of the web is not changed, web-based commerce will be all but dead.


    Are you on crack? People don't hesitate to hand their credit cards over to be carbon copied by pimply faced 17 year olds to make purchases at The Gap, why would they worry about SSL not being perfectly secure?
  • by rueger ( 210566 ) * on Wednesday March 02, 2005 @09:06PM (#11829906) Homepage
    Really, do we need a story every time some security problem appears in some software package? Surely anyone with half a brain understands that security relies on multiple protections.

    Firewall, virus scanner, frequent updates to all software. Maybe a change in OS.

    I really ignore all of these endless warnings any more and just trust that frequent updates and scans, and a reasonable amount of common sense and skepticism will protect me pretty much fully.
  • Re:What the hell? (Score:1, Insightful)

    by Anonymous Coward on Wednesday March 02, 2005 @09:06PM (#11829913)
    One word: adwords
  • by merdaccia ( 695940 ) on Wednesday March 02, 2005 @09:09PM (#11829937)

    I disagree, though I wouldn't call your post a troll. But since I can't post and untroll you, I'll post and hope someone else might ...

    You shouldn't change your tune when security holes are discovered. Security holes exist in any application. Some are discovered, and some aren't. Your defense against security holes is twofold. The first part is that you want security holes to be discovered. The second part is that you want them fixed. The FOSS ideology helps with discovering them. And Mozilla's diligence helps with fixing them ... in fact, these holes have already been fixed.

    Compare this with not being able to discover security holes and not being able to fix them, and you start to see why FOSS is good and why Firefox is brilliant.

  • Re:New Discovery? (Score:5, Insightful)

    by einhverfr ( 238914 ) <chris@travers.gmail@com> on Wednesday March 02, 2005 @09:16PM (#11829996) Homepage Journal
    Ok.... IE has two major security issues inherent in its design: one is zone permission elevation while the other is ActiveX related.

    Mozilla/Firefox has another-- XUL display. XUL is a great technology, but it is difficult to handle because the main UI rendering is too closely tied to the rendering of the web site. There is a security barrier which is designed to keep one from harming the system but it is not designed to prevent spoofing of apps. Hopefully a defence barrier can be built in.

    Don't believe me? Try pasting this into your address bar: chrome://navigator/content/navigator.xul (only works in Mozilla)

    For example, something simple like "Components in Chrome are locked by default and only unlocked components can be modified outside of Chrome" would be a nice start.
  • by sd.fhasldff ( 833645 ) on Wednesday March 02, 2005 @09:17PM (#11829998)
    That has to be the most pathetic Slashdot blurb I've ever seen. It's grossly misleading and links to a completely asinine site (which, in return, doesn't even link to the Secunia report - the real source).
  • Re:Here we go... (Score:5, Insightful)

    by NEOtaku17 ( 679902 ) on Wednesday March 02, 2005 @09:18PM (#11830007) Homepage
    "How long before Microsoft jumps all over this, and uses it as yet another FUD related reason not to use Open Source software..."

    Try this one: How long does it take for Linux people to jump all over Windows vulnerabilities that have already been patched as a reason not to use Microsoft products?

  • by EmbeddedJanitor ( 597831 ) on Wednesday March 02, 2005 @09:33PM (#11830094)
    Nobody ever got fired for buying Microsoft.

    If you encounter bugs while using IE, it is not your fault, it is Microsoft's fault.

    If you encounter bugs while using Firefox, it is your fault - you should have been using IE. You screwed up.

    That's unfortunately the mentality that will keep MS in business for a long time yet.

  • by Chuck Chunder ( 21021 ) on Wednesday March 02, 2005 @09:38PM (#11830137) Journal
    SSL implementations have been barely usable for real people for years with their laughably tiny "padlock" indicator.

    Bugs aside things are just starting to look reasonable as far as SSL in browsers is concerned.

    Firefox puts the "padlock" where someone will actually stand a chance of seeing it (in the urlbar) and also color codes the URL.

    Opera does something similar in its recent beta but also displays the organisational name of the certificate owner aside the padlock.

    The spoofing problem isn't a fundamental flaw that is going to doom the future of browser based commerce. The reinvigoration of browser competition has started making things better for the end user.
  • It does, Mozilla delayed the update because the servers were getting overloaded when it first came out. By now it should report there being an update and allow you to install that.
  • by Chuck Chunder ( 21021 ) on Wednesday March 02, 2005 @09:47PM (#11830218) Journal
    Really, do we need a story every time some security problem appears in some software package?
    No. But then we aren't getting that either.
    Firewall, virus scanner, frequent updates to all software. Maybe a change in OS
    All great tools against browser spoofing I'm sure...
  • I don't think these kinds of "phishing exploits" should be classified with security vulnerabilities. They make it easier to fool a naive user... but they're not at all necessary... the existing phishing attacks will continue to succeed as long as companies keep asking people to do stupid things.

    I really have received real, legitimate mail from Microsoft asking me to download and apply a patch... and nobody at Microsoft I spoke to saw anything strange about it... and the IT people where I work have done the same kind of thing even after I asked them not to and they agreed they wouldn't.

    The term "Security vulnerabilities" needs to be restricted to things like remote execution attacks, watering it down doesn't help anyone.
  • Re:New Discovery? (Score:2, Insightful)

    by boredMDer ( 640516 ) <pmohr+slashdot@boredmder.com> on Wednesday March 02, 2005 @10:00PM (#11830307)
    'But any software has a security record better than IE.'

    What about Windows proper? :)
  • i'll take it! (Score:2, Insightful)

    by nuckin futs ( 574289 ) on Wednesday March 02, 2005 @10:03PM (#11830321)
    i'm willing to deal with a couple firefox vulnerabilities over that browser that runs activeX controls.
  • oh great (Score:2, Insightful)

    by timmarhy ( 659436 ) on Wednesday March 02, 2005 @10:05PM (#11830338)
    so we are going to get an article every time a vuln. is found in an app now
  • by FyberOptic ( 813904 ) on Wednesday March 02, 2005 @10:13PM (#11830373)
    Microsoft's security has always been such a huge public issue in the past primarily because a.) nobody online has anything else to report on, and b.) people love to hate on Microsoft, despite most of them still using their products.

    All complicated pieces of software, like browsers and operating systems, are going to have flaws. They've been found in every OS, and every browser. They'll continue to be found, as long as they make up a large part of the market, because not only are these what "hackers" search for, but also security professionals.

    So the Firefox team will fix their flaws, just as the Microsoft team has continued to do so for theirs. However, Firefox's will now get brought into the public's attention much more as it becomes more popular, even though flaws have existed for it all along, as anyone who views the release log on their site can see. But only IE got the attention for being riddled with problems up till now.

    So this just further proves that it's not just Microsoft's problem. Firefox is going to get its share of the limelight now, for better or worse.
  • by stutterbug ( 715367 ) on Wednesday March 02, 2005 @10:30PM (#11830458)

    Because SSL protects no one against key loggers.

    Investigator1: We noticed that the 25 credit card fraud victims each shopped at The Gap five months ago. We talked to the store manager and interviewed the employees. One pimply faced teenager broke down in his interview and admitted he gave the credit card numbers to a member of a well-known, local crime syndicate. We arrested five people in our fair city. We recommend people carefully read their credit card statements each month and report any unauthorized purchases.

    Investigator2: We noticed that the 5000 credit card fraud victims had hard drives choking on pornography and had several key loggers. The key loggers were programmed to access an IRC channel that hasn't been active in five months. As the fraudulent purchases all took place in Eastern Europe, it is unlikely we will ever catch the perps. We recommend you do your shopping locally and avoid using the Internet for any financially sensitive activities.

    How's that?

  • Re:First (Score:1, Insightful)

    by the_Bionic_lemming ( 446569 ) on Wednesday March 02, 2005 @11:27PM (#11830794)
    From TFA

    If you have Firefox 1.01 installed you have nothing to worry about.

    Fixed days ago. Now that's speedy service.


    Yet when a Slashdot story uses Microsoft XP service pack one to show how full of holes the OS is - it's newsworthy.

  • by jBabel ( 691308 ) on Thursday March 03, 2005 @12:04AM (#11831008)
    That's quite easy to say. But what if they were the original reporters for those vulnerabilities, and they kept quiet while MS & Mozilla fixed them? Couldn't they be allowed to publicize them now that they are fixed, and get the appropriate recognition without putting the users to risk?

    I haven't checked the history for those advisories; maybe they truly are 'glory whores', I'm just saying we shouldn't rush to judgement.
  • Re:First (Score:3, Insightful)

    by Anonymous Coward on Thursday March 03, 2005 @12:21AM (#11831105)
    Journalists are scum when interpreting technical articles without experience or familiarity with the aspects compared - the report differed significantly from the site-article summary of it. Slashdot should be a collection of technical articles written by technical professionals for interested parties, but it has fallen to the scum of journalistic manipulations of information. On a technical level, vulnerabilities in both are posted as a significant user base has yet to update either or both the program (is it now fully released to update channel?) and the operating system (occupational programs found to work by everyone and the second patch applied?). On those grounds, it is both scholarly for the fields we are professionals in or students of and useful to form a more complete picture of the faults in the Microsoft development, QA, and testing processes.
  • by Anonymous Coward on Thursday March 03, 2005 @12:57AM (#11831296)
    http://forums.mozillazine.org/viewtopic.php?t=2256 01/

    The new Firefox autoupdate should be available around March 7th. Firefox 1.0 users who aren't experienced in handling profiles during the uninstall/reinstall process may want to wait. Autoupdate will install the 1.0.1 patch automatically and preserve all current settings, without the need to uninstall/reinstall. The Autoupdate feature should already be set on, as it is the default setting for Firefox 1.0. You can check for proper settings through: TOOLS ... OPTIONS ... ADVANCED ... SOFTWARE UPDATES ... check the boxes for "Periodically Check for Updates" for Firefox and My Extensions/Themes. Another setting to check is TOOLS ... OPTIONS ... WEB FEATURES ... CHECK "allow site to install software"
  • Re:New Discovery? (Score:2, Insightful)

    by aneroid ( 856995 ) < g mai l> on Thursday March 03, 2005 @01:41AM (#11831500) Homepage Journal
    Or how about just stopping the javascript interpreter when the window isn't in focus.
    would be too effective. all timing based scripts would break.
    And if a child window is being viewed make sure that its parent windows gain focus behind it or something to that effect.
    i agree [slashdot.org]...
    and only appear for that tab (when it's in focus).
    and
    could fix that too :P by outlining the window/tab that calls it.
  • by poopdeville ( 841677 ) on Thursday March 03, 2005 @01:44AM (#11831516)
    You can't have your cake and eat it.

    Sure you can. That's what having your cake means.
  • by Myen ( 734499 ) on Thursday March 03, 2005 @01:50AM (#11831537)
    In the case of Mozilla, Secunia regularly regurgitates the official Mozilla.org advisories (as is this case [secunia.com]). Pretty much the time flow goes like:
    • vulnerabilities discovered; reported to mozilla.org
    • they sit for a while
    • eventually fixed and go into the next release
    • after a few days, mozilla.org opens up the security bugs fixed in that release and posts advisories
    • Secunia sees them and posts info on same advisories
    • people see Secunia with Mozilla vulnerabilities

    And I know Secunia didn't come up with the list because
    1. they link to mozilla.org (except in one case, where they linked to iDefense) as original advisories
    2. "Please note: The information, which this Secunia Advisory is based upon, comes from third party unless stated otherwise. Secunia collects, validates, and verifies all vulnerability reports issued by security research groups, vendors, and others."
    3. I recognize names from the list - Phil Ringnalda is the Chatzilla guy, and Doug Turner is Minimo. So they already work on Mozilla a lot. That, and I'm in the list (probably undeserved).
  • Re:New Discovery? (Score:3, Insightful)

    by einhverfr ( 238914 ) <chris@travers.gmail@com> on Thursday March 03, 2005 @02:42AM (#11831761) Homepage Journal
    The fact that you can't just click on a link doesn't mean that this is not a problem. Yes there are security measures and barriers in place, but this is the *problem* not the solution.

    You see, the security barriers exist because you want to provide some functionality which is more trusted than others. This is part of the reason why IE is so darned insecure: It has too many of these security barriers.

    Instead, the problem is that you have the problem that the security barriers are fundamentally permeable. Ideally therefore you want to design your software in such a way that the security barriers are enforced by design limitations of the software rather than enforcement checks.
  • bizzt! (Score:3, Insightful)

    by Leers ( 159585 ) on Thursday March 03, 2005 @02:59AM (#11831817)
    -1 Insulting Mods
  • by cerberusss ( 660701 ) on Thursday March 03, 2005 @03:38AM (#11831928) Journal
    If you encounter bugs while using IE, it is not your fault, it is Microsoft's fault

    This is funny, but very true. The same goes for MS Office documents. If you open a Word document in a different version of MS Word and it gets fragged, it's not your fault, it is Microsoft's fault.

    If, however, you open that same document in OpenOffice and it renders it wrong because of some crazy layout (think table cells that span multiple pages...), then YOU are to blame. You should have "just used normal programs"...

    This stuff drives me mad...

  • by TheLink ( 130905 ) on Thursday March 03, 2005 @03:48AM (#11831954) Journal
    With my credit card, in event of fraud - it's NOT my money that's gone.

    I just have to inform the card company that the transaction was not good. And I don't have to pay for it. And since it's not MY money, it's someone else's problem.

    At worst, I can't use the affected card and the card company issues me a new card.

    That's OK - I have more than one credit card.

    I'm far more puzzled by the popularity of debit cards. If stuff happens it's YOUR money that's gone, so YOU have to be the one working your butt off trying to get your money back.

    Even cash isn't as safe. You buy something with your credit card and the merchant cheats you, it's a lot easier to fix.

    The online merchants AND banks are the ones who should be worried. Too many customers tricked/exploited and their business would be affected.

  • Re:First (Score:5, Insightful)

    by DrXym ( 126579 ) on Thursday March 03, 2005 @06:28AM (#11832255)
    Sorry, but that's a pretty unlikely exploit. To carry it out, someone has to be convinced to drag and drop an image onto an empty address bar. Have you seen many sites that do that? Have you seen many users who either understand or follow such instructions?
  • Re:New Discovery? (Score:3, Insightful)

    by ajs318 ( 655362 ) <(ku.oc.dohshtrae) (ta) (2pser_ds)> on Thursday March 03, 2005 @06:44AM (#11832278)
    Or how about just stopping the javascript interpreter when the window isn't in focus.
    As another poster has pointed out, this could break timing-based stuff ..... for instance, you could not simply background a tab until the enforced-view adverts disappeared :)

    Nonetheless, it'd be a good idea to allow as an option.
    And if a child window is being viewed make sure that its parent windows gain focus behind it or something to that effect.
    I thought of this too ..... if a tab wants to bring up any kind of requester {for a JavaScript prompt, or for a login and password} then it should come to the foreground {or wait, if there is already a requester showing from another tab}.

    This however might conceivably create a new "deadly embrace" vulnerability, if two tabs are demanding to raise requesters and each depends on the other. But if the present system allows only one requester to be showing anyway, perhaps this isn't newly-introduced after all.
  • Re:First (Score:3, Insightful)

    by sl4shd0rk ( 755837 ) on Thursday March 03, 2005 @08:32AM (#11832631)
    > It's open source so it will get fixed quickly post.

    Don't forget, you also have a choice to go back to IE and OE if you feel they are more secure. The existence of choice is another important factor of OSS.
