New Vulnerabilities Discovered in Firefox 1.0 406
jflint writes "Today, the security firm Secunia has released 8 more security vulnerabilities it has discovered in Mozilla products, including Firefox and Thunderbird. The exploits "could be used by criminals to spoof, or fake, various aspects of a Web site, ranging from its SSL secure site icon to the contents of an inactive tab.""
Ah well (Score:1, Insightful)
The downside of popularity (Score:5, Insightful)
Jerry
http://www.syslog.org/ [syslog.org]
The most important part of TFA (Score:5, Insightful)
Why this wasn't in the write up is beyond^W entirely to be expected given the recent track record of Slashdot editors... :P
Re:New Discovery? (Score:5, Insightful)
I guess this is trumpet-blowing from Secunia, together with an advisory as to how important it is to upgrade to 1.0.1.
Re:New Discovery? (Score:3, Insightful)
Firefox bugs (Score:4, Insightful)
It's obvious (Score:2, Insightful)
Re:I frequently talk up (Score:5, Insightful)
Re:New Discovery? (Score:5, Insightful)
Like it or not, we need these sorts finding vulnerabilities before the bad guys. No software is 100% secure. But any software has a security record better than IE.
Re:Internet Commerce On Its Way Out (Score:5, Insightful)
Prediction: In 10 years, if there is no fundamental fix for these sorts of spoofs, or if the underlying model of the web is not changed, web-based commerce will be all but dead.
Are you on crack? People don't hesitate to hand their credit cards over to be carbon copied by pimply faced 17 year olds to make purchases at The Gap, why would they worry about SSL not being perfectly secure?
Every day is insecure (Score:5, Insightful)
Firewall, virus scanner, frequent updates to all software. Maybe a change in OS.
I really ignore all of these endless warnings any more and just trust that frequent updates and scans, and a reasonable amount of common sense and skepticism will protect me pretty much fully.
Re:What the hell? (Score:1, Insightful)
Re:I frequently talk up (Score:5, Insightful)
I disagree, though I wouldn't call your post a troll. But since I can't post and untroll you, I'll post and hope someone else might ...
You shouldn't change your tune when security holes are discovered. Security holes exist in any application. Some are discovered, and some aren't. Your defense against security holes is two fold. The first part is that you want security holes to be discovered. The second part is that you want them fixed. The FOSS ideology helps with discovering them. And Mozilla's diligence helps with fixing them ... in fact, these holes have already been fixed.
Compare this with not being able to discover security holes and not being able to fix them, and you start to see why FOSS is good and why Firefox is brilliant.
Re:New Discovery? (Score:5, Insightful)
Mozilla/Firefox has another-- XUL display. XUL is a great technology, but it is difficult to handle because the main UI rendering is too closely tied to the rendering of the web site. There is a security barrier which is designed to keep one from harming the system but it is not designed to prevent spoofing of apps. Hopefully a defence barrier can be built in.
Don't believe me? pasting this into your address bar: chrome://navigator/content/navigator.xul (only works in Mozilla)
For example, something simple like "Components in Chrome are locked by default and only unlocked components can be modified outside of Chrome" would be a nice start.
Re:The most important part of TFA (Score:5, Insightful)
Re:Here we go... (Score:5, Insightful)
Try this one: How long does it take for Linux people to jump all over Windows vulnerabilities that have already been patched as a reason not to use Microsoft products?
That's how the FUD engine works (Score:5, Insightful)
If you encounter bugs while using IE, it is not your fault, it is Microsoft's fault.
If you encounter bugs while using Firefox,, it is your fault - you should have been using IE. You screwed up.
That's unfortunately the mentality that will keep MS in business for a long time yet.
Re:Internet Commerce On Its Way Out (Score:4, Insightful)
Bugs aside things are just starting to look reasonable as far as SSL in browsers is concerned.
Firefox puts the "padlock" where someone will actually stand a chance of seeing it (in the urlbar) and also color codes the URL.
Opera does something similar in it's recent beta but also displays the organisational name of the certificate owner aside the padlock.
The spoofing problem isn't a fundamental flaw that is going to doom the future of browser based commerce. The reinvigoration of browser competition has started making things better for the end user.
Re:Why doesn't Firefox 1.0 update to 1.0.1? (Score:4, Insightful)
Re:Every day is insecure (Score:3, Insightful)
Phishing "vulnerabilities" need a special category (Score:5, Insightful)
I really have recieved real, legitimate mail from Microsoft asking me to download and apply a patch... and nobody at Microsoft I spoke to saw anything strange about it... and the IT people where I work have done the same kind of thing even after I asked them not to and they agreed they wouldn't.
The term "Security vulnerabilities" needs to be restricted to things like remote execution attacks, watering it down doesn't help anyone.
Re:New Discovery? (Score:2, Insightful)
What about Windows proper?
i'll take it! (Score:2, Insightful)
oh great (Score:2, Insightful)
Re:Food for thought... (Score:2, Insightful)
All complicated pieces of software, like browsers and operating systems, are going to have flaws. They've been found in every OS, and every browser. They'll continue to be found, as long as they make up a large part of the market, because not only are these what "hackers" search for, but also security professionals.
So the Firefox team will fix their flaws, just as the Microsoft team has continued to do so for theirs. However, Firefox's will now get brought into the public's attention much more as it becomes more popular, even though flaws have existed for it all along, as anyone who views the release log on their site can see. But only IE got the attention for being riddled with problems up till now.
So this just further proves that it's not just Microsoft's problem. Firefox is going to get its share of the limelight now, for better or worse.
Re:Internet Commerce On Its Way Out (Score:2, Insightful)
Because SSL protects no one against key loggers.
Investigator1: We noticed that the 25 credit card fraud victims each shopped at The Gap five months ago. We talked to the store manager and interviewed the employees. One pimply faced teenager broke down in his interview and admitted he gave the credit card numbers to a member of a well-known, local crime syndicate. We arrested five people in our fair city. We recommend people carefully read their credit card statements each month and report any unauthorized purchases.
Investigator2: We noticed that the 5000 credit card fraud victims had hard drives choking on pornography and had several key loggers. The key loggers were programmed to access an IRC channel that hasn't been active in five months. As the fraudulent purchases all took place in Eastern Europe, it is unlikely we will ever catch the perps. We recommend you do your shopping locally and avoid using the Internet for any financially sensitive activities.
How's that?
Re:First (Score:1, Insightful)
If you have firefox 1.01 installed you have nothing to worry about.
Fixed days ago. Now thats speedy service.
Yet when a slashdot story uses Microsoft XP service pack one to show how full of holes the OS is - It's newsworthy.
Re:SOP for Secunia... (Score:2, Insightful)
I haven't check the history for those advisories; maybe they truely are 'glory whores', I'm just saying we shouldn't rush to judgement.
Re:First (Score:3, Insightful)
Re:Firefox 1.0 doesn't tell you about 1.01 (Score:1, Insightful)
The new Firefox autoupdate should be available around March 7th. Firefox 1.0 users who aren't experienced in handling profiles during the uninstall/reinstall process may want to wait. Autoupdate will install the 1.0.1 patch automatically and preserve all current settings, without the need to uninstall/reinstall The Autoupdate feature should already be set on, as it is the default setting for Firefox 1.0. You can check for proper settings through: TOOLS
Re:New Discovery? (Score:2, Insightful)
i agree [slashdot.org]... and
Re:So is Billy counting bugs to go to sleep (Score:2, Insightful)
Sure you can. That's what having your cake means.
Re:SOP for Secunia... (Score:5, Insightful)
And I know Secunia didn't come up with the list because
Re:New Discovery? (Score:3, Insightful)
Your see, the security barriers exist because you want to provide some functionality which is more trusted than others. This is part of the reason why IE is so darned insecure: It has too many of these security barriers.
Instead, the problem is that you have the problem that the security barriers are fundamentally permeable. Ideally therefore you want to design your software in such a way that the security barriers are enforced by design limitations of the software rather than enforcement checks.
bizzt! (Score:3, Insightful)
Re:That's how the FUD engine works (Score:5, Insightful)
This is funny, but very true. The same goes for MS Office documents. If you open a Word document in a different version of MS Word and it gets fragged, it's not your fault, it is Microsoft's fault.
If, however, you open that same document in OpenOffice and it renders it wrong because of some crazy layout (think table cells that span multiple pages...), then YOU are to blame. You should have "just used normal programs"...
This stuff drives me mad...
What's the problem with credit cards? (Score:3, Insightful)
I just have to inform the card company that the transaction was not good. And I don't have to pay for it. And since it's not MY money, it's someone else's problem.
At worst, I can't use the affected card and the card company issues me a new card.
That's OK - I have more than one credit card.
I'm far more puzzled by the popularity of debit cards. If stuff happens it's YOUR money that's gone, so YOU have to be the one working your butt off trying to get your money back.
Even cash isn't as safe. You buy something with your credit card and the merchant cheats you, it's a lot easier to fix.
The online merchants AND banks are the ones who should be worried. Too many customers tricked/exploited and their business would be affected.
Re:First (Score:5, Insightful)
Re:New Discovery? (Score:3, Insightful)
Nonetheless, it'd be a good idea to allow as an option. I thought of this too
This however might conceivably create a new "deadly embrace" vulnerability, if two tabs are demanding to raise requesters and each depends on the other. But if the present system allows only one requester to be showing anyway, perhaps this isn't newly-introduced after all.
Re:First (Score:3, Insightful)
Don't forget, you also have a choice to go back to IE and OE if you feel they are more secure. The existence of choice is another important factor of OSS.