Slashdot Log In
Firefox 3.0.1 Fixes 'Carpet Bombing' Issue
Posted by
CmdrTaco
on Thursday July 17, @12:29PM
from the break-out-the-bug-spray dept.
from the break-out-the-bug-spray dept.
An anonymous reader writes "Firefox 3.0.1 was released today. It fixes 3 security vulnerabilities, including a critical issue reported by Billy Rios, Ben Turner, and Dan Veditz. The issue could be combined with an issue in Apple's Safari browser to read data from the user's disk or to execute arbitrary code. This issue was previously discussed on Slashdot.
The release also fixes a remote code execution bug involving the CSS reference counter, reported by the Zero-Day Initiative (previously discussed on Slashdot here), as well as a Mac-only potential code execution bug involving GIF image rendering, reported by Drew Yao of Apple Product Security."
Related Stories
[+]
A Few Firefox 3 Followups 407 comments
An anonymous reader writes "Using data generated by the Mozilla Firefox download pledge page, the map on this blog post ranks countries, not by absolute number of pledges made, but rather on a per capita basis. This analysis yields some interesting conclusions about where open source is strongest and weakest."
Anonymous Warthog writes "That didn't take long. In a blog posting from the TippingPoint DVLabs security team (of Kraken and CanSecWest hacking contest fame), they confirmed that they reported a vulnerability in Firefox 3.0 to Mozilla a mere five hours after it was released. Additionally, there was a posting on the Full Disclosure security mailing list from someone that purports to have another vulnerability in the works as well. In the grand scheme of things, this probably means nothing to the general security of Firefox, but you can be sure the browser zealots on all sides will be watching carefully."
Finally, from reader Toreo asesino: "Microsoft have congratulated the Mozilla team by sending them their second cake (minus recipe) to Mozilla's Mountain View headquarters to congratulate them on shipping FireFox 3, which went live right on time last night." Congratulations are indeed due on both the browser and the release process — looks like the Firefox fever (despite some seriously taxed servers) resulted in more than 8 million downloads in 24 hours.
[+]
IT: Safari "Carpet Bomb" Attack Still a Risk 117 comments
SecureThroughObscure writes "Just a short time after Apple's recent acknowledgment of and patch for the Safari Carpet Bomb 'blended' IE flaw, Microsoft researcher Billy Rios shows that Safari is still useful in a blended attack, this time with Firefox 2/3. (ZDNet's Nate McFeters also spread the word.) Rios claimed that he is able to use Carpet Bomb, despite the recent patch, to steal arbitrary files from victims who also have Firefox 2/3 installed. Both Rios and McFeters pointed out that Apple, which took some heat for not originally patching, actually did a good job of addressing the issue, as the code execution angle was not originally understood (the details came out later). Rios is withholding details of the new attack vector until Apple has had time to patch or respond to this issue."
Firehose:Firefox 3.0.1 fixes 'carpet bombing' issue by Anonymous Coward
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
Full
Abbreviated
Hidden
Loading... please wait.
no crashes yet (Score:3, Interesting)
Reply to This
crash crashing or? (Score:5, Informative)
For anyone on a slow connection or with an old machine (like me) that was almost a showstopper. Thankfully, *seems* to be fixed now.Haven't seen any real crashes to the desktop even with the betas...
A workaround is to go Tools->Options-> Security and turn off the attack site and forgery options.
Andy
Reply to This
Parent
To to prevent the issue I need to use Firefox? (Score:5, Funny)
I had to giggle at the workaround. To prevent a firefox flaw from biting you, you need to have firefox open. Phew, I'm so glad I'm safe.
Reply to This
When will Microsoft fix IE? (Score:3, Interesting)
So far as I know, the only application that normally runs with its current directory on the desktop (and is thus a potential target for any successful exploit of this issue) is Internet Explorer.
Reply to This
Re: (Score:3, Informative)
Re:When will Microsoft fix IE? (Score:4, Informative)
When you run an application from Windows Explorer, it is normally run with its current directory set to the directory that the executable is located in. The vulnerability exposed by the "carpet bombing" attack involved attacking Internet Explorer, because Internet Explorer runs with its current directory set to the desktop... not the directory containing the IE executable. There is no obvious reason why IE does this, nor any reason I can come up with for Microsoft not to change it.
Reply to This
Parent
Workaround (Score:4, Informative)
This attack only works if the user is using another internet-connected application with Firefox not running. Using Firefox, or making sure it is at least running, prevents this attack.
So as long as you use Firefox all day long, you will not be affected.
Reply to This
Another software release post? (Score:3, Interesting)
Reply to This
Ubuntu Repos (Score:3, Interesting)
Reply to This
Re: (Score:3, Interesting)
I would guess you have the 'proposed' repository enabled.
Re:Who Cares... (Score:5, Informative)
Actually, it's a .0.1 release. Firefox 3.1 (alpha due this summer) has a lot of new features that didn't make it in time for 3.0.
Reply to This
Parent
Re:Who Cares... (Score:4, Interesting)
I for one, welcome our browser caring overlords.
My issue is that "No one cares when Opera or Safari have a similar release. [or Internet Explorer, or Konqueror...]" but they do when its Firefox.
Opera 9.51 went through a few RC's and a final and is on 9.52RC/Snapshot, Safari has gone through a couple *.*# and a whole #.0 in the last few months for Mac, Win and Mobile...
But no, Firefox 3.1 Sub-Alpha-Hypothetical-Possibility-Beta-RC Build 3219 hits front page and we're supposed to eat a cracker drink some wine and pray to it, but oh wait, we're all for competition and innovation, as long as its Firefox Vs. Firefox.
(stomps off)
Reply to This
Parent
Re:Who Cares... (Score:4, Funny)
And Internet Explorer is still going through lots of *&^%$#@!
Reply to This
Parent
Re: (Score:3, Informative)
And Safari and Opera are both non-free so they are more reluctant to give detailed fix reports.
http://my.opera.com/desktopteam/blog/ [opera.com]
Re:Who Cares... (Score:5, Informative)
Safari is closed source. WebKit (the layout engine Safari uses) is open source, but the builds used by Safari rely on a binary closed source blob from Apple. If you value software freedom, you shouldn't use Safari.
Reply to This
Parent
Re:Who Cares... (Score:5, Informative)
no, Safari isn't open source, WebKit is open source, because it is based on khtml.
Reply to This
Parent
Re:Who Cares... (Score:5, Funny)
It seems you haven't run Windows Update for a long time then...
Reply to This
Parent
Re:"awesome bar" (Score:5, Informative)
1. Type about:config into the location bar and change the value browser.urlbar.matchOnlyTyped to true. After this, you need to restart Firefox. All this does is make it so that Firefox only searches the URLs you have typed and not the titles of pages.
2. Install the Old Location Bar extension. This changes the location bar so that it looks like how it looked in Firefox 2. As of me writing this post, it is an experimental addon so you will need to register to the Firefox addon service to install it.
Reply to This
Parent
Re: (Score:3, Insightful)
I've used it once to date, when going back to a walkthrough page on gamefaqs. 99% of the time, I know the address I'm going to, or I have it bookmarked, so the "awesomeness" is wasted on me.
Re: (Score:3, Insightful)
Yeah, well, the FF2 bar wasn't all that hot either. The only thing more annoying than waiting for the list of sites to never come up because you started typing while another tab was still loading, is having the list of sites popup while you're typing and since you had the mouse in the wrong location when you hit enter you went to some completely different place than you had expected.
I don't care whether it's awesome or not, give me an option to make it not appear unless I press down or alt-down or tab or s
Re: (Score:3, Insightful)
Chances are that the reason is not that it's bug-free, but that it's still buggy.
Chances are that you are not a developer.
"He who is without a sin throw the first stone."
Re:And this is why... (Score:5, Informative)
... I didn't download Firefox 3 when it came out. In fact, I'm still on Firefox 2, and I'm sure a good percentage of fellow /.ers are as well.
Um... the carpet bombing vulnerability also affects Firefox 2. It looks like someone is in trouble :)
Reply to This
Parent
You may find this useful (Score:3, Informative)
http://dictionary.reference.com/search?q=irony [reference.com]
Re:Addons? (Score:4, Informative)
when the authors update them?
of course, you could google for a couple of seconds and fix it yourself (hint: you can force it to ignore the version)
Reply to This
Parent
Re: (Score:3, Informative)