Forgot your password?
typodupeerror
Mozilla The Internet Security

Firefox 3.5's First Vulnerability "Self-Inflicted" 156

Posted by CmdrTaco
from the that-sounds-all-emo dept.
CWmike writes "Mozilla has confirmed the first security vulnerability in Firefox 3.5, saying that the bug could be used to hijack a machine running the company's newest browser. A noted Firefox contributor called the situation 'self-inflicted' and said it was likely that the hacker who posted public exploit code Monday became aware of the flaw by rooting through Bugzilla, Mozilla's bug- and change-tracking database. The vulnerability is in the TraceMonkey JavaScript engine that debuted with Firefox 3.5, said Mozilla. '[It] can be exploited by an attacker who tricks a victim into viewing a malicious Web page containing the exploit code,' Mozilla's security blog reported Tuesday."
This discussion has been archived. No new comments can be posted.

Firefox 3.5's First Vulnerability "Self-Inflicted"

Comments Filter:
  • by eldavojohn (898314) * <.moc.liamg. .ta. .nhojovadle.> on Thursday July 16, 2009 @10:27AM (#28716445) Journal

    Mozilla has confirmed the first security vulnerability in Firefox 3.5, saying that the bug could be used to hijack a machine running the company's newest browser.

    Just a note, I think Mozilla tries to shirk any idea of "company" or "corporation" from the open source development side of things. Instead, they are a non-profit foundation [mozilla.org] and recently created a separate taxable corporation [mozilla.org] with the intent of distribution and productizing Firefox & Thunderbird.

    I think the word 'company' implies commercial interests and the developing part of Mozilla--the Foundation--does not have any commercial interests. While this may seem unimportant to you, I believe it to be a pretty important concept to clarify when you're talking about open source from a non-profit and open source from a company.

    • by TinBromide (921574) on Thursday July 16, 2009 @10:35AM (#28716559)
      The legal definition (as was explained to me by a drunk law school student) is that a company is a group of people working together towards a shared goal. I.E. a bunch of boy scouts who want to go camping could technically call themselves a company, a bunch of guys looking to go out drinking could technically be called a company. Scale that up and the foundation could be technically called a company.

      Your issue isn't with the technical use of the word, but diction, its implied meaning and associations. That being said, the use is technically incorrect but not artistically apt.

      Where the Hitchhiker's Guide is in error, it is definitively so. This means that Reality is the one who got things wrong. So when the publishers of the Hitchhiker's Guide got sued by the families of tourists who took literally the sentence 'Vicious Bugblatter beasts often make a good meal for visiting tourists' which should have been rendered 'Vicious Bugblatter beasts often make a good meal of visiting tourists', the publishers brought in a poet to testify under oath that the second sentence is the more aesthetically pleasing of the two, and that Beauty is Truth and Truth, Beauty. They argued then that Life itself was the culprit for being neither beautiful nor true. In a startling decision, the judges agreed, holding Life in contempt of court and confiscated it from everyone present before going out for a round of Ultra-golf.

      • by FudRucker (866063) on Thursday July 16, 2009 @10:44AM (#28716721)
        or the Boogie Woogie Bugle boys from Company "B"

        Right_Here [youtube.com]
      • by TheLink (130905)

        I am not a drunk law school student but here you go:

        http://en.wikipedia.org/wiki/Legal_person#Examples [wikipedia.org]

        Note that in legal terms a Company is different from a Cooperative, even though a Cooperative could also be considered a group of people working towards a shared goal.

        • by nigelo (30096)

          ... a Company is different from a Cooperative...

          You mean, the People's Front of Mozilla, as opposed to the Mozillan People's Front, or any other form of anarcho-syndicalist commune?

        • Re: (Score:3, Interesting)

          by the_womble (580291)

          The Mozilla Foundation's about page says:

          The Mozilla Foundation is a California non-profit corporation exempt from Federal income taxation under IRC 501(c)(3). It is governed by its Board of Directors.

          I am not sure about US usage, but in the UK and many other countries a corporation created by registration (with the registrar of companies - Companies House in the UK) is correctly referred to as a company, regardless of whether it is a profit making or non-profit company.

      • Company is also a military term for a medium-sized group of soldiers (Wikipedia says on the order of 100-200).
    • Re: (Score:3, Insightful)

      When you wish to download Firefox or Thunderbird, you are redirected from Mozilla.org to Mozilla.com, so in this case calling it a company is most certainly correct - the Mozilla corporation is distributing the software to you, not the Mozilla foundation.
    • by Anonymous Coward on Thursday July 16, 2009 @11:43AM (#28717661)

      Geezus....I should probably stop reading this site, it seems that everyone is so sure of themselves and are ALWAYS in the right that you actually have time to quabble over insignificant details. yeah he may have been incorrect (doubtful!) but do really think that the point was lost to anyone that read it? or caused ANY confusion? Why bother then?

      get over yourselves, we aren't all born perfect, and may make mistakes. There is absolutely no reason to jump all over somebody for such a piddly mistake, EXCEPT TO BOOST YOUR OWN EGO!

      rant off....

      • Re: (Score:2, Insightful)

        by plague3106 (71849)

        Well, we can't let people actually discuss the issue here, which is a zero day exploit in a FOSS project. Nope, we'll gloss over that and nitpick the word used to describe Mozilla.

  • Everyone download NoScript Pronto!

  • Let's see how long it takes them to patch this

    Probably won't be too long
  • by vertinox (846076) on Thursday July 16, 2009 @10:33AM (#28716525)

    Has anyone notice performance degradation in 3.5? Opening a slew of bookmarked pages into tabs tends to make it feel like my internet connection has slowed down. Yet when all the tabs load, they all respond snappily.

    And sometimes certain sites act sluggish when opening the same exact site works fine in Safari.

    It wasn't like this in 3.01

    • Re: (Score:2, Interesting)

      by FlyingBishop (1293238)

      Yes, but a single Slashdot article with comments loads at least 30% faster, and I do that a lot more often than opening a ton of bookmarks in tabs. I think on the whole it saves me a lot more time than it costs.

    • When complaining about Firefox performance issues, always disable all addons to verify that the problem is, in fact, with Firefox itself.

      I can say that Firefox is quite fast on my i7 with 12GB RAM and an Intel X25 Extrem SSD ;-)

    • I haven't noticed a problem except when I went into the history section and told it open all of yesterday's sites. It did warn me that opening 500+ tabs could cause performance issues.

    • I think the problem that you may be facing is due to firefox doing weird things to generate random numbers at start
      See https://bugzilla.mozilla.org/show_bug.cgi?id=501605 [mozilla.org]
      I see that the bug has since been fixed - but I guess it has not been distributed to the general public via upgrades.

    • I have... Kinda. I got the newest update and things seemed fine, then I tried to access Pandora. I'd never used it before and thought I'd check it out. Big mistake. It crashed Firefox three attempts in a row, and I had no better luck with Opera. Ever since, anything I do in Firefox is painfully slow. Case and point, while typing this response, more than once I typed so fast that I had to wait for the letters on the screen to catch up with my typing to make sure I hadn't made an error. Also it takes me a few
    • No.
    • by Zancarius (414244)

      Has anyone notice performance degradation in 3.5? Opening a slew of bookmarked pages into tabs tends to make it feel like my internet connection has slowed down. Yet when all the tabs load, they all respond snappily.

      I have, especially with > 200 tabs open at a time. But, that's more an artifact of my insanity and less a representation of a common use case among users. I know of others who tend to have in excess of 400 open, but I don't imagine they're more than 1% of the user base.

      I love my tabs.

  • by Anonymous Coward on Thursday July 16, 2009 @10:37AM (#28716585)

    What do you mean there is a security exploit in a brand new version of a web browser? This is crazy, new versions of software should always be more secure then the previous versions.

    Personally I'll be sticking with IE6, I never bought into this whole "Firefox" thing.

    • Wimp! (Score:3, Funny)

      by argent (18001)

      I only use IE 5.5!

      • by GaratNW (978516)
        My first reaction to seeing the headline for this post was basically "Shit! I forgot I need to update Firefox to 3.5!"... Humans are kinda dumb sometimes. Or maybe it's just me.
        • 3.5 is good for speed ups and being able to disable the awsomebar (if you want), but generally most mozilla browsers need a couple of security patches before they are truely ready for the masses. 3.5.1 or 3.5.2 would be a good one to upgrade to.

      • Re:Wimp! (Score:4, Funny)

        by mcrbids (148650) on Thursday July 16, 2009 @12:44PM (#28718713) Journal

        Pshaw. I use telnet, and read the native code. I don't even see the code anymore... Blonde, Brunette, Red-Head...

        Reading sites that use SSL is a bit tricky, though.

      • If you wait long enough, the spyware that exploited old versions of IE will disappear making browsin safe again!

  • Yeah, right (Score:5, Funny)

    by DoofusOfDeath (636671) on Thursday July 16, 2009 @10:38AM (#28716607)

    '[It] can be exploited by an attacker who tricks a victim into viewing a malicious Web page containing the exploit code,' Mozilla's security blog reported [mozilla.com] Tuesday."

    Oh sure, I'm definitely going to follow that link now.

  • WTF (Score:3, Interesting)

    by wumpus188 (657540) on Thursday July 16, 2009 @10:43AM (#28716709)
    "Looking at the exploit code and our test cases, I think this is self-inflicted and we should have hidden the bug earlier"

    Nice attitude, guys...
    • Re:WTF (Score:5, Insightful)

      by bunratty (545641) on Thursday July 16, 2009 @10:55AM (#28716915)
      You mean that you actually want example exploit code to be available to everyone? Why?
      • No. The point is that security trough obscurity never works. If you hide it, only the bad guys will have it. If you show it, at least more people can do something against it.

    • Re:WTF (Score:5, Insightful)

      by maxume (22995) on Thursday July 16, 2009 @10:56AM (#28716935)

      So when they know about and are actively working on fixing a bug that is an exploit vulnerability, you think they should do it in public?

      I get the argument that telling your users about it means that they can protect themselves (say, by running noscript), but for a consumer facing organization like Mozilla, the majority of users aren't going to notice or do anything.

  • Full disclosure (Score:2, Insightful)

    by fedxone-v86 (1080801)

    Go on and mod me troll but, IMNSHO, this is just a display of the expertise of the full disclosure movement: Just post a test-case from an open bugtracker as your own exploit and enjoy your 15 minutes of fame amongst all the other skript-kiddies.

    Well done, hacker!

    • Re: (Score:3, Interesting)

      by broken_chaos (1188549)

      Mozilla doesn't even practice full disclosure. They normally hide security bugs from the public, but they missed this one, as well as not fixing it before 3.5's release.

      Unless you're seriously suggesting that all bugs should be hidden from the public on the off chance they'll be exploitable, meaning a lot more duplicate bug reports, no independent confirmation of a bug's existence, and an inability for anyone else to fix the problem, except those granted permissions to read bugs.

  • Temporary fix (Score:5, Informative)

    by AdmiralXyz (1378985) on Thursday July 16, 2009 @10:58AM (#28716977)

    According to TFA, the temporary fix is to disable TraceMonkey (JavaScript will still work). Set 'javascript.options.jit.content' in about:config to false until the patch is released.

    • MOD PARENT UP (Score:5, Insightful)

      by argent (18001) <peter.slashdot@2006@taronga@com> on Thursday July 16, 2009 @11:03AM (#28717059) Homepage Journal

      Mod Parent Up "this should have been in the summary, Taco".

      • by kestasjk (933987) *
        Except then the bug is patched, and all of a sudden you aren't running the default settings for FF and things get weird.

        Better not to visit suspicious sites, and if you have to install NoScript, it'll hugely decrease the potentially vulnerable "surface area" of your web browser.
      • Re: (Score:2, Interesting)

        Also from the article:

        "The popular NoScript add-on will also ward off attacks. "

        Though I would think that is only true depending on how strict one's NoScript settings are, it might be useful to those with NoScript installed to realize that they can tweak with it to give them a temporary fix until an official update/patch comes out. Also, it might warn some users to pay attention when NoScript pops up a warning about malicious script possibilities, as opposed to just clicking the 'allow anyway' option.
      • by snl2587 (1177409)
        Who reads the summary? The title's all you need!
  • by brunes69 (86786) <slashdot@keirstea d . o rg> on Thursday July 16, 2009 @11:11AM (#28717175) Homepage

    Why not post in the summary the simple fix?

        In lieu of a patch, users can protect themselves by disabling the "just-in-time" component of the TraceMonkey engine.
        To do that, users should enter "about:config" in Firefox's address bar, type "jit" in the filter box, then double-click
        the "javascript.options.jit.content" entry to set the value to "false." The popular NoScript add-on will also ward off attacks.

    • by g-san (93038)

      That is not a simple fix, that is a temporary workaround. Turning off the JIT compiler has performance implications.

  • Of course, Mozilla won't add a NoScript-like UI to Firefox, as it would make it convenient to block scripting, and hence annoy advertisers.

    • by Ilgaz (86384)

      A browser's job is to execute scripts securely, safely and in fast manner. If a browser comes with "opt in" scripting which is really impossible in real web these days, it wouldn't really have a good image and experience.

      What they should do is, think about the biggest lamer they have ever met and multiply it with 10 and act accordingly dealing with security issues. Spying bugzilla in progress and release an exploit(!) based on it is lowest one can get.

      • by metamatic (202216)

        If a browser comes with "opt in" scripting which is really impossible in real web these days, it wouldn't really have a good image and experience.

        If it's impossible, why is NoScript so popular?

        And not downloading images makes for a bad web experience, but Firefox still has an option for that.

      • Re: (Score:3, Insightful)

        by sjames (1099)

        Of course, NoScript can also be configured as opt out. It might make a lot of sense to incorporate it defaulted to opt-out and let the user make it opt-in if they like.

        The browser's job is to do what the user wants it to do as it relates to browsing.

  • by OrangeTide (124937) on Thursday July 16, 2009 @12:06PM (#28718025) Homepage Journal

    Sometimes it's better to just hold back and wait until my distro decides it is time to update my versions.

  • I thought security bugs were supposed to be confidential.
  • by onlyjoking (536550) on Thursday July 16, 2009 @06:22PM (#28723751)

    Is it just me who remembers the days when the only way to browse safely was to turn off Javascript? Now we're all drinking the web 2.0 kool aid it seems we've forgotten how many browser vulns are Javascript-related. Websites should never depend on Javascript to function properly but now we have point 'n click JQuery, Dojo etc. it seems websites are built on Javascript foundations with all the security issues that implies.

    • Re: (Score:3, Insightful)

      by twistah (194990)

      But there have been many browser exploits recently, and they've been in virtually every component of the browser. This flaw has nothing to do with JavaScript itself, just the implementation. Flaws have been found in XML and HTML rendering engines, third-party components, URL handlers and many other pieces of the browser. If we're going to disable every feature that's potentially vulnerable, we might as well stay off the Web.

NOWPRINT. NOWPRINT. Clemclone, back to the shadows again. - The Firesign Theater

Working...