New Vulnerabilities Discovered in Firefox 1.0
jflint writes "Today, the security firm Secunia has released 8 more security vulnerabilities it has discovered in Mozilla products, including Firefox and Thunderbird. The exploits "could be used by criminals to spoof, or fake, various aspects of a Web site, ranging from its SSL secure site icon to the contents of an inactive tab.""
New Discovery? (Score:5, Interesting)
Firefox 1.0.1 update was out before today, so did Secunia just look at what 1.0.1 update fixes and release its "bug" report, or did they discover something new to 1.0.1?
Why doesn't Firefox 1.0 update to 1.0.1? (Score:3, Interesting)
Re:So is Billy counting bugs to go to sleep (Score:2, Interesting)
Welcome to the real world. You can't have your cake and eat it.
Re:THANK YOU SLASHDOT!!! (Score:2, Interesting)
I never had a problem with slashdot. What exactly makes it "unreadable"?
Sometimes the stories or comments get shoved into the left nav. Sometimes the tables don't render at all, leaving a largely blank page. This has been a problem since Netscape 7.0 came out (whatever version of mozilla that was.) In fact, when Slashdot put up the story about NS7 being released, I immediately downloaded it and just as quickly found the problem. I don't use windows much, but under linux, this has been a problem for quite a while. There are workarounds like ctrl +-, but the fact is that Slashdot does not render the same way every time. I have not seen this behavior to this extreme on any other website. If I were a slashcoder, I'd be extremely embarrassed. Then again, it seems that one quality required to be a Slashdot editor/coder is to be able to publicly make a complete fool out of yourself repeatedly for years and not give a shit.
NB
What about the bug bounty? (Score:1, Interesting)
MSIE? (Score:1, Interesting)
Just kidding... I use Opera. BTW, try the new Beta of Opera 8. It's quite nice.
Re:Firefox 1.0 doesn't tell you about 1.01 (Score:5, Interesting)
Interestingly, when I went through the update process, it downloaded and installed the full 1.01 package. Does anyone know if this is how updates will be done in the future, or if Mozilla will migrate to a patch system?
SOP for Secunia... (Score:5, Interesting)
They're just glory whores.
Food for thought... (Score:3, Interesting)
Re:Here we go... (Score:2, Interesting)
Once found, if people want to be malicious about it, they'll release the vulnerability information to black hats, then the public, then the company (if at all). If bugs cause people to switch browsers, all that needs to be done is make sure you find more bugs in your competitor's software.
I read an article not long ago questioning whether posting vulnerability information in any public forum was really a good idea and the question still remains.
Re:New Discovery? (Score:5, Interesting)
Regards,
Steve
Re:...only affects v1.0 (Score:2, Interesting)
Grrr... After I reinstall Firefox 1.0.1, the update still reminded me that there's an update available, I wonder what's that since I couldn't download it....
Re:Firefox bugs (Score:2, Interesting)
I agree with you that the more popular a product is, the more it gets attacked. For example, virii need a certain population density of infectable hosts to proliferate. Linux machines, for example, are not there. I don't think it is truly worth anyone's time to write linux, or for that matter anything other than win32, virii.
However, having agreed with you, I also want to argue the security case for linux. Let us for example take writing a virus for linux:
To do some real damage in linux, a virus needs root access. People don't normally run as root so yes, linux and for that matter *nix is designed more secure than win32.
Maybe I should clarify. In order for the virus to execute, it needs to load itself into memory and/or infect an executable.
A memory only virus can be easily detected by a process list or something similar and killed by logging off or rebooting.
Infecting an executable is problematic since it needs write access to said executable, a privilege users don't generally have. There are two ways around this.
The first would be to create an executable with the appropriate privileges in the user's home directory or
The second is to gain root privileges by exploiting kernel vulns or software vulns running as root. This is definitely not easy as it seems. Any cracker should be able to testify to that. Also, with so many flavours of linux, some exploits present in some software and some in others, the probability of your virus working is relatively low. This option is definitely not your VB script-kiddie job as some of the high profile w32 virii were - you need to be good to do this, but you could trash the whole system if you can get this right.
OK, there is a third way. It involves tricking the user into actually giving root to the virus. I see that as the greatest threat if more computer semi-literates start using linux. This, IMO, is not an inherent problem of the OS, but the ignorance of the user and can only be fixed by education.
Also, the path of infection in *nix is more difficult. With explorer integrated in the OS, adware and virii are much easier to get in through malicious websites or emails.
To be honest though, the last Microsoft OS I used extensively was W2K which I only used to compile and test win32 versions of my code - usually after a lot of blood, sweat, tears, #defines and swearing ;). I don't know much about their security model now. Could be quite good, but I doubt it since we still hear a lot about virii and adware infecting the systems.
So, this is my (I think justified) opinion:
The Linux security model, while not perfect, is definitely better than the win32 model.
To get a bit on topic:
Yes, I use firefox exclusively to browse. Once again I don't think it is perfect. I love the features - can't live without tabbed browsing + extensions, but sometimes I get annoyed at some of the quirks - slashdot bug has me pressing ctrl+; ctrl- on every page load for example. BTW yes, it IS firefox's fault.
Is firefox better/more secure/tighter coded than IE? Nobody that truly knows will ever tell - We probably won't trust them in any case.
$ firefox --debugger valgrind
Also, late last year there was another slashdot story
http://it.slashdot.org/article.pl?sid=04/1
where firefox didn't do too good on broken html. IIRC there were a few buffer overruns involved which COULD POSSIBLY indicate security vulns. and certainly some slightly less than tight code.
Just my opinion.
Re:New Discovery? (Score:3, Interesting)
Regards,
Steve
the real difference (Score:4, Interesting)
The choice for me is not a lot different than choosing to live in the Soviet Union or the United States. I'd rather not eat the gruel (or browser) someone else thinks is all I deserve.
MOD PARENT UP! (Score:0, Interesting)
There is no reason to use JavaScript for displaying web pages. It's just stupid. Everyone should turn all scripting off (JavaScript, VBScript, ActiveX, Flash, etc.), and avoid web sites that require it.
Almost anything productive that is done with JavaScript can be done using forms. I know some people will say "But without JavaScript, verification will have to be done on the server instead of the client, and I won't be able to pop up new windows programmatically." Well, boo hoo. First of all, any web site that is the least bit secure will revalidate the form fields anyway (to prevent cracking), so the only thing being saved by client-side validation is a little bit of bandwidth to refresh the page if a field is wrong. (If it takes a lot of bandwidth to refresh a forms page, then there's something wrong with the page.) As to the pop-up complaint, well, I don't want the fucking page to pop up any fucking windows programmatically. Give me a link and let me make up my own mind.
Web page scripting sucks, and should be stopped.
I find it interesting (Score:3, Interesting)