Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Mozilla The Internet Security

Firefox 3.0.1 Fixes 'Carpet Bombing' Issue 168

An anonymous reader writes "Firefox 3.0.1 was released today. It fixes 3 security vulnerabilities, including a critical issue reported by Billy Rios, Ben Turner, and Dan Veditz. The issue could be combined with an issue in Apple's Safari browser to read data from the user's disk or to execute arbitrary code. This issue was previously discussed on Slashdot. The release also fixes a remote code execution bug involving the CSS reference counter, reported by the Zero-Day Initiative (previously discussed on Slashdot here), as well as a Mac-only potential code execution bug involving GIF image rendering, reported by Drew Yao of Apple Product Security."
This discussion has been archived. No new comments can be posted.

Firefox 3.0.1 Fixes 'Carpet Bombing' Issue

Comments Filter:
  • no crashes yet (Score:3, Interesting)

    by mjs_ud ( 849782 ) on Thursday July 17, 2008 @11:38AM (#24229695)
    Firefox 3 was crashing 3-10 times a day for me even after completely removing everything FF related. At the risk of jinxing myself I will say that I'm crash free on 3.0.1 for 4 hours now.
    • crash crashing or? (Score:5, Informative)

      by Fallen Andy ( 795676 ) on Thursday July 17, 2008 @11:58AM (#24230001)
      OK, if you saw the following I may have an answer for you. If you installed FF3 and around a day or two later mysteriously it seemed to put up the hourglass cursor with the disk thrashing a lot, then you got bitten by the urlclassifier db (anti-phishing sqlite database) being downloaded. After a day or so things go back to normal. (It would look more like a temporary freeze of the program rather than a crash to the desktop).

      For anyone on a slow connection or with an old machine (like me) that was almost a showstopper. Thankfully, *seems* to be fixed now.Haven't seen any real crashes to the desktop even with the betas...

      A workaround is to go Tools->Options-> Security and turn off the attack site and forgery options.

      Andy

      • Re: (Score:1, Interesting)

        by Anonymous Coward

        Fx 3 completely freezes my laptop, puts up the hourglass, and the HDD activity light goes solid every time I open it. It does that for about 30 seconds and then it works. As soon as I click the URL bar it does it again and then stops. Once I try to load the page, it locks up yet again. My Fx 3 install on my laptop (XP SP2) is completely broken. I unchecked the boxes under the options that people recommended, I also tried the Linux fix of changing the size of something (can't remember) sqllite related in abo

        • Re: (Score:1, Informative)

          by Anonymous Coward

          You need to remove antiphishing filter, delete it's database file, finger it, and chmod it uneditable on Linux.

          On windows, create an empty file, replace the antiphishing database with it, set it as read only and preferably change permissions so you cannot edit it.

          Or, if you're using XP Home, you're fucked.

    • by BPPG ( 1181851 )
      I haven't reinstalled it the since ff3 release candidate 2 binary tarball for linux. It's crashed on me once, and I use flash sites like youtube and newgrounds regularly. I guess your mileage may vary.
    • by HTH NE1 ( 675604 )

      Mine crashes every time I run it, but that's due to either no libpangocairo or no GTK+ 2.10 or someone deciding I shouldn't have permissions to be able to run X applications on that machine. But then that's probably not considered crashing as it never got running properly in the first place. So I'm running 2.0.0.16.

      At least I solved one of the crashes I used to get with it: a very long Javascript bookmark in the toolbar to open a Javascript console would crash the browser if it tried to display as a tooltip

    • Comment removed based on user account deletion
      • It will also apparently kill TabsPlus (yes, the one you can get at Download.com [download.com] that DOES work with FF 3.0). And as, 1) I haven't had any problems with crashing and 2) there's no mention that they fixed the bug which caused tabs not to be saved (and I like TP better anyway), I'll stick with 3.0.

    • by prandal ( 87280 )

      I could pretty reliably crash Firefox 3.0 by using the GMail Notifier statusbar icon to open GMail in a new tab, then closing that tab and doing something else in the other tab.

      Not so with Firefox 3.0.1.

      Looking good.

  • *spit* (Score:1, Informative)

    by Anonymous Coward

    This update disabled my Firebug and "Copy all Urls" extensions.

    I'll never take an update on the first day again. Ever. *spit*

  • And this is why... (Score:2, Insightful)

    by arotenbe ( 1203922 )

    ... I didn't download Firefox 3 when it came out. In fact, I'm still on Firefox 2, and I'm sure a good percentage of fellow /.ers are as well.

    Remember: if there aren't any patches for it, chances are that the reason is not that it's bug-free, but that it's still buggy.

    • Re: (Score:2, Insightful)

      I finally upgraded last night. So far, so good - it's certainly faster, and the most important mods to me (CSL and NoScript) seem to be working just fine.

      Of course, if it isn't all good then I'm screwed now, but c'est la vie.

      • by kesuki ( 321456 )

        i've been using firefox 3 since ubuntu went 8.04 LTS, i waited a wile to upgrade windows to FF3 ubuntu simply didn't leave me any choice.

    • by sricetx ( 806767 )
      I upgraded to Firefox 3, but had so many problems with it crashing and not rendering some sites correctly that I reverted to Firefox 2. Strangely, I only had problems with FF3 on my work machine running the Windows XP version (this is the one I rolled back to FF2). I haven't had any problems with it on my Linux machine (Kubuntu 8.04).
      • My problems are exactly identical (and I mean identical, with FF3 on my Windows XP work machine crashing constantly, but the one on my Kubuntu Hardy desktop is fine). I'd love to know what causes this. New profile, fresh install - none of it helps.
    • by Anonymous Coward

      (released the day before yesterday)
      http://www.mozilla.org/security/known-vulnerabilities/firefox20.html [mozilla.org]
      Fixed in Firefox 2.0.0.16
      MFSA 2008-35 Command-line URLs launch multiple tabs when Firefox not running
      MFSA 2008-34 Remote code execution by overflowing CSS reference counter

      (released yesterday)
      http://www.mozilla.org/security/known-vulnerabilities/firefox30.html [mozilla.org]
      Fixed in Firefox 3.0.1
      MFSA 2008-36 Crash with malformed GIF file on Mac OS X
      MFSA 2008-35 Command-line URLs launch multiple tabs when Firefox not runn

    • Re: (Score:3, Insightful)

      Chances are that the reason is not that it's bug-free, but that it's still buggy.

      Chances are that you are not a developer.
      "He who is without a sin throw the first stone."

    • ... I didn't download Firefox 3 when it came out. In fact, I'm still on Firefox 2, and I'm sure a good percentage of fellow /.ers are as well.

      Um... the carpet bombing vulnerability also affects Firefox 2. It looks like someone is in trouble :)

    • I'm still on Firefox 2, and looking for a new browser. Unless they fix the URL bar, I'm not upgrading, and eventually they'll drop support for FFx 2, so...
    • http://www.mozilla.org/security/known-vulnerabilities/firefox20.html [mozilla.org] 2 of the 3 mentioned bugs were fixed in the 2.0.0.16 release as well, so you weren't protecting yourself from much.
    • The update for FF2 was pushed out a day before the FF3 update (on Tuesday morning, versus Wednesday afternoon). If you aren't using 2.0.0.16, you're prone to the same attack.
    • Firefox 3 is basically a whole lot of bug fixes with a few behind the scenes additions. I never had nearly as many problems with FF2 as I have had with any of the IE browsers, but even then, FF3 contains a lot of fixes for bugs that seemingly bothered a lot of other people (like the memory leaks that I never seemed to have for some reason, even though I do pretty much the same stuff that a lot of /.ers do).
  • "awesome bar" (Score:2, Interesting)

    by Cantras ( 1134231 )
    So have they given us the option to disable their "awesome bar" yet?
    • Re:"awesome bar" (Score:5, Informative)

      by -Tango21- ( 703195 ) on Thursday July 17, 2008 @11:46AM (#24229813)
      Hmm, a Google search reveals that while the "awesome bar" is still the default, you can disable it by following the directions below (but, maybe you already knew this):

      1. Type about:config into the location bar and change the value browser.urlbar.matchOnlyTyped to true. After this, you need to restart Firefox. All this does is make it so that Firefox only searches the URLs you have typed and not the titles of pages.

      2. Install the Old Location Bar extension. This changes the location bar so that it looks like how it looked in Firefox 2. As of me writing this post, it is an experimental addon so you will need to register to the Firefox addon service to install it.
      • by pembo13 ( 770295 )
        I kinda like the so called awesome bar. What's wrong with it?
        • Re: (Score:2, Funny)

          by tehBoris ( 1120961 )

          I kinda like the so called awesome bar. What's wrong with it?

          The oldies want their URL bars to match URLs and those pesky kids to GET OFF THEIR LAWNS!

        • Re: (Score:3, Insightful)

          1. Type 'co' in the Awesome bar. Marvel at how it "awesomely" returns every site in the .com TLD.
          2. If you are the type who remembers the URL of sites you visit, it just means a bunch of false positives.

          I've used it once to date, when going back to a walkthrough page on gamefaqs. 99% of the time, I know the address I'm going to, or I have it bookmarked, so the "awesomeness" is wasted on me.

          • Matching co to .com is obviously a bug. As for those that remembers URLs, it is admittedly not too useful.

            That being said, if you are someone with a lot of bookmarks, it can really speed up looking for something in your bookmarks. It also brings this search ability to every page in your history, which is great for the unwashed masses that either don't understand bookmarks (really!) or just don't use them for whatever reason.

          • by kesuki ( 321456 )

            but if you type 'co.' it shows all the co.uk co.jp or whatever you've been going to... is typing '.' after co such a pain?

      • Re: (Score:2, Informative)

        Which still doesn't fix it. Like the person below me said, type "co" in and watch it match every site you've typed that ends in ".com".

        Unfortunately, it seems that the Mozilla developers don't care if people dislike it [mozilla.org].
        • Unfortunately, you're doing what so many have taken to, misrepresenting what Mozilla developers say. As far as I can tell, two Mozilla developers responded in that bug report. One asked for specific details about exactly what about the Awesome Bar the user didn't like so preferences could be added to remove those aspects. When a user responded that certain about:config settings had the desired effect, another Mozilla developer agreed that the preferences already existed and concluded that there are no prefe
        • Re: (Score:3, Insightful)

          by bunratty ( 545641 )
          I finally did what you suggested and typed "co" into the address bar. It gives fifteen suggestions, although I'm sure I go to many more than fifteen .com sites. The top suggestions were for COmputer documentation for where I work, COnsumer Reports magazine, COmputer Cable Store, two sites I frequent that are .com domains, and Weather Forecast and COnditions for my city. I fail to see the problem. Care to explain?
      • 1. Type about:config into the location bar and change the value browser.urlbar.matchOnlyTyped to true. After this, you need to restart Firefox. All this does is make it so that Firefox only searches the URLs you have typed and not the titles of pages.

        This doesn't seem to work on any FF3 install I have tried it - I have that value set to true (and I have restarted Firefox), and my URL bar still matches page titles as well as urls (example: I type 'the' intending to go to thedailywtf.com, and I get 'EADS NV - The latest press releases', 'The Boeing Company', 'isoHunt - the bittorrent and p2p search engine', 'Wikipedia, the free encyclopedia' among others, none of which have 'the' in the url, and all of which have 'the' in the page title highlighted in the

    • Yes, and there are tons of posts about it. Just Google, remove awesome bar. And you will get tons of ways to make it like the FF 2 toolbar.
      • Re: (Score:3, Insightful)

        by Qzukk ( 229616 )

        Yeah, well, the FF2 bar wasn't all that hot either. The only thing more annoying than waiting for the list of sites to never come up because you started typing while another tab was still loading, is having the list of sites popup while you're typing and since you had the mouse in the wrong location when you hit enter you went to some completely different place than you had expected.

        I don't care whether it's awesome or not, give me an option to make it not appear unless I press down or alt-down or tab or s

    • Let me save you some time and map out your journey to acceptance of the awesome bar.

      First you hate it, because it's new and different to what you expect. You are trained to use it as an address bar and nothing else, so it acting like a search bar is confusing and suboptimal to you.

      At this point many people decide to trial the new bar, but you are the kind of person who tends to think he (forgive me, but he) knows what's good and what's not, and even quite enjoy the idea of customizing your Firefox. So you l

  • by techess ( 1322623 ) on Thursday July 17, 2008 @11:41AM (#24229749)
    From http://www.mozilla.org/security/announce/2008/mfsa2008-35.html [mozilla.org]

    Workaround
    This attack only works if the user is using another internet-connected application with Firefox not running. Using Firefox, or making sure it is at least running, prevents this attack.

    I had to giggle at the workaround. To prevent a firefox flaw from biting you, you need to have firefox open. Phew, I'm so glad I'm safe.

  • So far as I know, the only application that normally runs with its current directory on the desktop (and is thus a potential target for any successful exploit of this issue) is Internet Explorer.

  • Workaround (Score:4, Informative)

    by brunes69 ( 86786 ) <slashdot@keirsGI ... minus herbivore> on Thursday July 17, 2008 @11:42AM (#24229771)

    This attack only works if the user is using another internet-connected application with Firefox not running. Using Firefox, or making sure it is at least running, prevents this attack.

    So as long as you use Firefox all day long, you will not be affected.

    • As more and more applications are becoming Web Based. Developers having 1 browser open is stupid, as they need to test different environments.

      • Or use the IE tab extension...switches rendering in a heartbeat. That takes care of two of the browser.

      • Well, there's VirtualBox, for example.
        • Or you just click on the Firefox icon, Opera icon, and Internet Explorer icon. Then you just use them. Why do you want to make things more complex

      • by Nos. ( 179609 )
        Developers are a relatively small subset of users. Arguably, they should be somewhat more aware of the risks/vulnerabilities in the browsers they are using.
    • Re: (Score:3, Funny)

      by igaborf ( 69869 )

      So as long as you use Firefox all day long, you will not be affected.

      "But boss, I have to browse the Web all day."

  • by Anonymous Coward

    As I was reading this post, the update was auto-downloading.

  • by dnwq ( 910646 ) on Thursday July 17, 2008 @11:54AM (#24229935)
    Slashdot needs a "important software updates" section.
  • Now if only they could get around to fixing the much bigger memory issues that seem to get worse and worse with every release. I'm getting tempted to go back to IE for the first time in years.
    • Ok, seriously: what are these memory issues everyone keeps bitching about? I keep open a considerable selection of tabs myself with low memory usage...and I haven't even made the optimizations for lower memory usage. I'm yet to see any evidence of these "memory issues".

      • by Lorkki ( 863577 )
        Flash eats memory and CPU in gleeful amounts and is the only way I've gotten similar results, so my wild guess is that people aren't bothering to filter ads and just leave them running in old tabs while they continue browsing. Can't confirm it, though, since I've never been able to get much details out of someone who claims to experience this.
    • Re: (Score:3, Informative)

      Nice to repeat the same ol' FUD, but you do realize that FF3 memory usage is significantly lower than FF2 and IE [pavlov.net], don't you? You /did/ know that, right?
    • by maxume ( 22995 )

      You are using a broken plug in or extension. Memory usage in 3.0 is better than it was in 2.0, and the later 2.0.0.x releases saw reductions in leaks.

  • Ubuntu Repos (Score:3, Interesting)

    by martinw89 ( 1229324 ) on Thursday July 17, 2008 @12:04PM (#24230099)
    I could swear that I was notified of a security update regarding Firefox a few days ago. After the update, I checked Firefox and it's own About dialog reported it was 3.0.1. Can anyone else confirm this or am I going bonkers? I'm certainly on 3.0.1 now and I only received some mundane updates this morning.
    • Re: (Score:3, Interesting)

      by pablomme ( 1270790 )

      I would guess you have the 'proposed' repository enabled.

      • Yup, that would be it. I didn't realize proposed applies to getting security updates early as well. Thanks
    • by traabil ( 861418 )
      I'm guessing you downloaded the Beta of FF3 before it was released. This tags you as a "tester" of some sorts, and you are eligible to receive pre-releases. Atleast this is what happened to me. YMMV
      • This happened to me as well. From what I recall, there was some text on the dialog indicating that since I installed some Betas/RCs of 3.0, that they pushed the beta of 3.0.1 out to me as well.

        I'm not sure if there is anyway to toggle this "feature" on or off (other than manually installing a non-final build), but it seems like a good idea - get some more random testing done on even the security releases can't hurt.

  • Okay, just downloaded the version 3.0.1. What do I see now? My Google toolbar is gone, adblock not working, all other add-ons seem to be dead. Any idea when will the add-ons be updated?
    • Re:Addons? (Score:4, Informative)

      by slimjim8094 ( 941042 ) on Thursday July 17, 2008 @12:29PM (#24230437)

      when the authors update them?

      of course, you could google for a couple of seconds and fix it yourself (hint: you can force it to ignore the version)

    • I echo your sentiments, but for the time being, I think that we're just going to have to wait it out. I mean, many of the developers of these addons have other jobs anyway. Eventually the updates will come. For the time being though, I really like the product
  • Whenever Firefox is mentioned on slashdot, make sure to bring up the memory leak issue .. :)
  • Now fix the Awesome Bar so that I can revert back to the way address bars should work!

  • Well it's too late for the Afghanis and the Iraqis, but I'm sure the Iranians are relieved that there is a patch to stop them getting carpet bombed.

It's currently a problem of access to gigabits through punybaud. -- J. C. R. Licklider

Working...