Firefox 3.5's First Vulnerability "Self-Inflicted"

Posted by CmdrTaco
from the that-sounds-all-emo dept.
CWmike writes "Mozilla has confirmed the first security vulnerability in Firefox 3.5, saying that the bug could be used to hijack a machine running the company's newest browser. A noted Firefox contributor called the situation 'self-inflicted' and said it was likely that the hacker who posted public exploit code Monday became aware of the flaw by rooting through Bugzilla, Mozilla's bug- and change-tracking database. The vulnerability is in the TraceMonkey JavaScript engine that debuted with Firefox 3.5, said Mozilla. '[It] can be exploited by an attacker who tricks a victim into viewing a malicious Web page containing the exploit code,' Mozilla's security blog reported Tuesday."
  • by Big Hairy Ian (1155547) on Thursday July 16 2009, @10:32AM (#28716511)
    Let's see how long it takes them to patch this

    Probably won't be too long
  • by TinBromide (921574) on Thursday July 16 2009, @10:35AM (#28716559)
    The legal definition (as was explained to me by a drunk law school student) is that a company is a group of people working together towards a shared goal, i.e. a bunch of Boy Scouts who want to go camping could technically call themselves a company, and a bunch of guys looking to go out drinking could technically be called a company. Scale that up and the foundation could technically be called a company.

    Your issue isn't with the technical use of the word, but diction, its implied meaning and associations. That being said, the use is technically incorrect but not artistically apt.

    Where the Hitchhiker's Guide is in error, it is definitively so. This means that Reality is the one who got things wrong. So when the publishers of the Hitchhiker's Guide got sued by the families of tourists who took literally the sentence 'Vicious Bugblatter beasts often make a good meal for visiting tourists' which should have been rendered 'Vicious Bugblatter beasts often make a good meal of visiting tourists', the publishers brought in a poet to testify under oath that the second sentence is the more aesthetically pleasing of the two, and that Beauty is Truth and Truth, Beauty. They argued then that Life itself was the culprit for being neither beautiful nor true. In a startling decision, the judges agreed, holding Life in contempt of court and confiscated it from everyone present before going out for a round of Ultra-golf.

  • WTF (Score:3, Interesting)

    by wumpus188 (657540) on Thursday July 16 2009, @10:43AM (#28716709)
    "Looking at the exploit code and our test cases, I think this is self-inflicted and we should have hidden the bug earlier"

    Nice attitude, guys...
  • by FlyingBishop (1293238) on Thursday July 16 2009, @10:51AM (#28716831)

    Yes, but a single Slashdot article with comments loads at least 30% faster, and I do that a lot more often than opening a ton of bookmarks in tabs. I think on the whole it saves me a lot more time than it costs.

  • by maxume (22995) on Thursday July 16 2009, @10:51AM (#28716843)

    They haven't released an update yet though, which is probably the more interesting event.

  • by maxume (22995) on Thursday July 16 2009, @11:07AM (#28717115)

    Who cares if they do? Security through obscurity is a perfectly valid strategy, as long as it is used in conjunction with other strategies, so when someone criticizes the mere use of secrecy, they can be disregarded.

    (Think about it for a minute; passwords, keys, access codes, hidden safes, etc.)

  • by OrangeTide (124937) on Thursday July 16 2009, @12:06PM (#28718025) Homepage Journal

    Sometimes it's better to just hold back and wait until my distro decides it is time to update my versions.

  • Re:Right! Quick! (Score:5, Interesting)

    by RiotingPacifist (1228016) on Thursday July 16 2009, @12:32PM (#28718499)

    Ended up going back to NoScript recently, but it really is an ugly solution; YesScript only helps against tracking. What is really needed is a good guide for using controldescripts (or a similar extension) allowing all sites to access a list of known safe functions (to let you browse the web without it getting in the way), some to be blacklisted (to protect you from tracking), an easy GUI way to allow a greater subset of functions to be accessed (for trusted sites), and security workarounds to stop any vulnerabilities working in the wild.

  • Re:Full disclosure (Score:3, Interesting)

    by broken_chaos (1188549) on Thursday July 16 2009, @12:48PM (#28718769)

    Mozilla doesn't even practice full disclosure. They normally hide security bugs from the public, but they missed this one, as well as not fixing it before 3.5's release.

    Unless you're seriously suggesting that all bugs should be hidden from the public on the off chance they'll be exploitable, meaning a lot more duplicate bug reports, no independent confirmation of a bug's existence, and an inability for anyone else to fix the problem, except those granted permissions to read bugs.

  • Re:MOD PARENT UP (Score:2, Interesting)

    by BJ_Covert_Action (1499847) on Thursday July 16 2009, @01:23PM (#28719309) Homepage Journal
    Also from the article:

    "The popular NoScript add-on will also ward off attacks. "

    Though I would think that is only true depending on how strict one's NoScript settings are, it might be useful to those with NoScript installed to realize that they can tweak it to give them a temporary fix until an official update/patch comes out. Also, it might warn some users to pay attention when NoScript pops up a warning about malicious script possibilities, as opposed to just clicking the 'allow anyway' option.

    Cheers.
  • by the_womble (580291) on Thursday July 16 2009, @01:26PM (#28719381) Homepage Journal

    The Mozilla Foundation's about page says:

    The Mozilla Foundation is a California non-profit corporation exempt from Federal income taxation under IRC 501(c)(3). It is governed by its Board of Directors.

    I am not sure about US usage, but in the UK and many other countries a corporation created by registration (with the registrar of companies - Companies House in the UK) is correctly referred to as a company, regardless of whether it is a profit making or non-profit company.

  • It basically just puts you back to 3.0 mode.
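The story places the bug in the TraceMonkey JIT, and the comment above refers to the other stop-gap besides NoScript: turning the content JIT off, which drops the browser back to the non-JIT behaviour of Firefox 3.0. The pref Mozilla pointed users at for that was javascript.options.jit.content set to false in about:config. The script below is an added example, not code from the thread, Mozilla, or the article; it applies that pref to a profile directory by editing user.js (which Firefox reads at startup and which overrides prefs.js), and reports the effective value so an admin can confirm the workaround took. The profile path is whatever you pass in; none of the paths here are assumed to exist.

```shell
#!/bin/sh
# Added example (not from the Slashdot thread or Mozilla): apply the
# Firefox 3.5 stop-gap of disabling the TraceMonkey content JIT by
# writing javascript.options.jit.content=false into a profile's user.js.
# Firefox must not be running while the profile is edited, because
# prefs.js is rewritten on exit and user.js is only read at startup.

PREF_NAME="javascript.options.jit.content"

# Print the effective value of the pref for a profile directory.
# prefs.js is read first, then user.js, because user.js wins at startup.
# Prints "true", "false", or "unset" if neither file sets it.
jit_content_state() {
    profile="$1"
    val="unset"
    for f in "$profile/prefs.js" "$profile/user.js"; do
        [ -f "$f" ] || continue
        # Fixed-string match on the pref line; take the last one in the file.
        line=$(grep -F "user_pref(\"$PREF_NAME\"," "$f" | tail -n 1)
        case "$line" in
            *false*) val="false" ;;
            *true*)  val="true" ;;
        esac
    done
    printf '%s\n' "$val"
}

# Write the disabling line into user.js, replacing any earlier line for
# the same pref so repeated runs do not stack duplicates.
disable_jit_content() {
    profile="$1"
    [ -d "$profile" ] || { echo "no such profile dir: $profile" >&2; return 1; }
    uj="$profile/user.js"
    if [ -f "$uj" ]; then
        # grep -v exits 1 when nothing is left; that is fine, the file is just empty.
        grep -v -F "user_pref(\"$PREF_NAME\"," "$uj" > "$uj.tmp" || true
        mv "$uj.tmp" "$uj"
    fi
    printf 'user_pref("%s", false);\n' "$PREF_NAME" >> "$uj"
}

# Usage: sh jit_workaround.sh /path/to/firefox/profile
if [ "$#" -eq 1 ]; then
    disable_jit_content "$1" && echo "$PREF_NAME is now: $(jit_content_state "$1")"
fi
```

Once 3.5.1 is installed the line can be deleted from user.js again; leaving it in place keeps the JIT off permanently, which is the "3.0 mode" performance cost the comment alludes to. The same pattern (set the pref in user.js, verify by reading it back) is how NoScript-style per-site policies would be pushed out across managed profiles, but that is outside what this thread discusses.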