Firefox 3.0.1 Fixes 'Carpet Bombing' Issue

An anonymous reader writes "Firefox 3.0.1 was released today. It fixes 3 security vulnerabilities, including a critical issue reported by Billy Rios, Ben Turner, and Dan Veditz. The issue could be combined with an issue in Apple's Safari browser to read data from the user's disk or to execute arbitrary code. This issue was previously discussed on Slashdot. The release also fixes a remote code execution bug involving the CSS reference counter, reported by the Zero-Day Initiative (previously discussed on Slashdot here), as well as a Mac-only potential code execution bug involving GIF image rendering, reported by Drew Yao of Apple Product Security."

no crashes yet

[mjs_ud]

Firefox 3 was crashing 3-10 times a day for me even after completely removing everything FF related. At the risk of jinxing myself I will say that I'm crash free on 3.0.1 for 4 hours now.

crash crashing or?

[Fallen Andy]

OK, if you saw the following I may have an answer for you. If you installed FF3 and around a day or two later mysteriously it seemed to put up the hourglass cursor with the disk thrashing a lot, then you got bitten by the urlclassifier db (anti-phishing sqlite database) being downloaded. After a day or so things go back to normal. (It would look more like a temporary freeze of the program rather than a crash to the desktop).

For anyone on a slow connection or with an old machine (like me) that was almost a showstopper. Thankfully, *seems* to be fixed now.Haven't seen any real crashes to the desktop even with the betas...

A workaround is to go Tools->Options-> Security and turn off the attack site and forgery options.

Andy

Re:

[Anonymous Coward]

Fx 3 completely freezes my laptop, puts up the hourglass, and the HDD activity light goes solid every time I open it. It does that for about 30 seconds and then it works. As soon as I click the URL bar it does it again and then stops. Once I try to load the page, it locks up yet again. My Fx 3 install on my laptop (XP SP2) is completely broken. I unchecked the boxes under the options that people recommended, I also tried the Linux fix of changing the size of something (can't remember) sqllite related in abo

Re:

[Anonymous Coward]

You need to remove antiphishing filter, delete it's database file, finger it, and chmod it uneditable on Linux.

On windows, create an empty file, replace the antiphishing database with it, set it as read only and preferably change permissions so you cannot edit it.

Or, if you're using XP Home, you're fucked.

Re:

[BPPG]

I haven't reinstalled it the since ff3 release candidate 2 binary tarball for linux. It's crashed on me once, and I use flash sites like youtube and newgrounds regularly. I guess your mileage may vary.

Re:

[HTH NE1]

Mine crashes every time I run it, but that's due to either no libpangocairo or no GTK+ 2.10 or someone deciding I shouldn't have permissions to be able to run X applications on that machine. But then that's probably not considered crashing as it never got running properly in the first place. So I'm running 2.0.0.16.

At least I solved one of the crashes I used to get with it: a very long Javascript bookmark in the toolbar to open a Javascript console would crash the browser if it tried to display as a tooltip

Re:

[thePowerOfGrayskull]

So... reported that yet [mozilla.org]?

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[penguin_dance]

It will also apparently kill TabsPlus (yes, the one you can get at Download.com [download.com] that DOES work with FF 3.0). And as, 1) I haven't had any problems with crashing and 2) there's no mention that they fixed the bug which caused tabs not to be saved (and I like TP better anyway), I'll stick with 3.0.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[prandal]

I could pretty reliably crash Firefox 3.0 by using the GMail Notifier statusbar icon to open GMail in a new tab, then closing that tab and doing something else in the other tab.

Not so with Firefox 3.0.1.

Looking good.

*spit*

[Anonymous Coward]

This update disabled my Firebug and "Copy all Urls" extensions.

I'll never take an update on the first day again. Ever. *spit*

Re:

[VGPowerlord]

The Firebug version [mozilla.org] from July 14 seems to work fine on Firefox 3.0.1 for me.

And this is why...

[arotenbe]

... I didn't download Firefox 3 when it came out. In fact, I'm still on Firefox 2, and I'm sure a good percentage of fellow /.ers are as well.

Remember: if there aren't any patches for it, chances are that the reason is not that it's bug-free, but that it's still buggy.

Re:

[gamanimatron]

I finally upgraded last night. So far, so good - it's certainly faster, and the most important mods to me (CSL and NoScript) seem to be working just fine.

Of course, if it isn't all good then I'm screwed now, but c'est la vie.

Re:

[kesuki]

i've been using firefox 3 since ubuntu went 8.04 LTS, i waited a wile to upgrade windows to FF3 ubuntu simply didn't leave me any choice.

Re:

[kesuki]

in a word: Yes.

do not underestimate my laziness.

Re:

[sricetx]

I upgraded to Firefox 3, but had so many problems with it crashing and not rendering some sites correctly that I reverted to Firefox 2. Strangely, I only had problems with FF3 on my work machine running the Windows XP version (this is the one I rolled back to FF2). I haven't had any problems with it on my Linux machine (Kubuntu 8.04).

Re:

[Random BedHead Ed]

My problems are exactly identical (and I mean identical, with FF3 on my Windows XP work machine crashing constantly, but the one on my Kubuntu Hardy desktop is fine). I'd love to know what causes this. New profile, fresh install - none of it helps.

Re: head in the sand?

[Anonymous Coward]

(released the day before yesterday)
http://www.mozilla.org/security/known-vulnerabilities/firefox20.html [mozilla.org]
Fixed in Firefox 2.0.0.16
MFSA 2008-35 Command-line URLs launch multiple tabs when Firefox not running
MFSA 2008-34 Remote code execution by overflowing CSS reference counter

(released yesterday)
http://www.mozilla.org/security/known-vulnerabilities/firefox30.html [mozilla.org]
Fixed in Firefox 3.0.1
MFSA 2008-36 Crash with malformed GIF file on Mac OS X
MFSA 2008-35 Command-line URLs launch multiple tabs when Firefox not runn

Re:

[E IS mC(Square)]

Chances are that the reason is not that it's bug-free, but that it's still buggy.

Chances are that you are not a developer.
"He who is without a sin throw the first stone."

Re:And this is why...

[Spy der Mann]

... I didn't download Firefox 3 when it came out. In fact, I'm still on Firefox 2, and I'm sure a good percentage of fellow /.ers are as well.

Um... the carpet bombing vulnerability also affects Firefox 2. It looks like someone is in trouble :)

Re:

[woot account]

I'm still on Firefox 2, and looking for a new browser. Unless they fix the URL bar, I'm not upgrading, and eventually they'll drop support for FFx 2, so...

Re:

[Random BedHead Ed]

Unless they fix the URL bar, I'm not upgrading

The Awesome Bar is awesome ... but if you disagree, I think you can turn it off, IIRC.

Re:

[Random BedHead Ed]

Do'h! Someone clarified this below [slashdot.org]

Re:

[woot account]

Except that's misinformation that refuses to die. The about:config workaround doesn't fix it, and the OldBar extension just changes the way it looks.

Re:

[quesogrande]

http://www.mozilla.org/security/known-vulnerabilities/firefox20.html [mozilla.org] 2 of the 3 mentioned bugs were fixed in the 2.0.0.16 release as well, so you weren't protecting yourself from much.

FF2 *got the same fix*. Tuesday.

[rickst29]

The update for FF2 was pushed out a day before the FF3 update (on Tuesday morning, versus Wednesday afternoon). If you aren't using 2.0.0.16, you're prone to the same attack.

Re:

[zullnero]

Firefox 3 is basically a whole lot of bug fixes with a few behind the scenes additions. I never had nearly as many problems with FF2 as I have had with any of the IE browsers, but even then, FF3 contains a lot of fixes for bugs that seemingly bothered a lot of other people (like the memory leaks that I never seemed to have for some reason, even though I do pretty much the same stuff that a lot of /.ers do).

"awesome bar"

[Cantras]

So have they given us the option to disable their "awesome bar" yet?

Re:"awesome bar"

[-Tango21-]

Hmm, a Google search reveals that while the "awesome bar" is still the default, you can disable it by following the directions below (but, maybe you already knew this):

1. Type about:config into the location bar and change the value browser.urlbar.matchOnlyTyped to true. After this, you need to restart Firefox. All this does is make it so that Firefox only searches the URLs you have typed and not the titles of pages.

2. Install the Old Location Bar extension. This changes the location bar so that it looks like how it looked in Firefox 2. As of me writing this post, it is an experimental addon so you will need to register to the Firefox addon service to install it.

Re:

[pembo13]

I kinda like the so called awesome bar. What's wrong with it?

Re:

[tehBoris]

I kinda like the so called awesome bar. What's wrong with it?

The oldies want their URL bars to match URLs and those pesky kids to GET OFF THEIR LAWNS!

Re:

[ShadowRangerRIT]

1. Type 'co' in the Awesome bar. Marvel at how it "awesomely" returns every site in the .com TLD.
2. If you are the type who remembers the URL of sites you visit, it just means a bunch of false positives.

I've used it once to date, when going back to a walkthrough page on gamefaqs. 99% of the time, I know the address I'm going to, or I have it bookmarked, so the "awesomeness" is wasted on me.

Re:

[MMC Monster]

Matching co to .com is obviously a bug. As for those that remembers URLs, it is admittedly not too useful.

That being said, if you are someone with a lot of bookmarks, it can really speed up looking for something in your bookmarks. It also brings this search ability to every page in your history, which is great for the unwashed masses that either don't understand bookmarks (really!) or just don't use them for whatever reason.

Just a tip.

[Hillgiant]

Truecrypt + portable Firefox = pr0n hidden

Re:

[kesuki]

but if you type 'co.' it shows all the co.uk co.jp or whatever you've been going to... is typing '.' after co such a pain?

Re:

[woot account]

Which still doesn't fix it. Like the person below me said, type "co" in and watch it match every site you've typed that ends in ".com".

Unfortunately, it seems that the Mozilla developers don't care if people dislike it [mozilla.org].

Re:

[bunratty]

Unfortunately, you're doing what so many have taken to, misrepresenting what Mozilla developers say. As far as I can tell, two Mozilla developers responded in that bug report. One asked for specific details about exactly what about the Awesome Bar the user didn't like so preferences could be added to remove those aspects. When a user responded that certain about:config settings had the desired effect, another Mozilla developer agreed that the preferences already existed and concluded that there are no prefe

Re:

[bunratty]

I finally did what you suggested and typed "co" into the address bar. It gives fifteen suggestions, although I'm sure I go to many more than fifteen .com sites. The top suggestions were for COmputer documentation for where I work, COnsumer Reports magazine, COmputer Cable Store, two sites I frequent that are .com domains, and Weather Forecast and COnditions for my city. I fail to see the problem. Care to explain?

Re:

[Richard_at_work]

1. Type about:config into the location bar and change the value browser.urlbar.matchOnlyTyped to true. After this, you need to restart Firefox. All this does is make it so that Firefox only searches the URLs you have typed and not the titles of pages.

This doesn't seem to work on any FF3 install I have tried it - I have that value set to true (and I have restarted Firefox), and my URL bar still matches page titles as well as urls (example: I type 'the' intending to go to thedailywtf.com, and I get 'EADS NV - The latest press releases', 'The Boeing Company', 'isoHunt - the bittorrent and p2p search engine', 'Wikipedia, the free encyclopedia' among others, none of which have 'the' in the url, and all of which have 'the' in the page title highlighted in the

Re:

[andy9701]

Lifehacker [lifehacker.com] has instructions on how to restore the yellow for SSL sites, among other nice UI changes (such as removing the Go and Search buttons from the Address and Search bars, respectively). It does require an extension (either Stylish or Greasemonkey), but it definitely works, I've been using this at home for a few weeks now.

Re:

[Darkness404]

Yes, and there are tons of posts about it. Just Google, remove awesome bar. And you will get tons of ways to make it like the FF 2 toolbar.

Re:

[Qzukk]

Yeah, well, the FF2 bar wasn't all that hot either. The only thing more annoying than waiting for the list of sites to never come up because you started typing while another tab was still loading, is having the list of sites popup while you're typing and since you had the mouse in the wrong location when you hit enter you went to some completely different place than you had expected.

I don't care whether it's awesome or not, give me an option to make it not appear unless I press down or alt-down or tab or s

A brief future history of the awesome bar

[violet16]

Let me save you some time and map out your journey to acceptance of the awesome bar.

First you hate it, because it's new and different to what you expect. You are trained to use it as an address bar and nothing else, so it acting like a search bar is confusing and suboptimal to you.

At this point many people decide to trial the new bar, but you are the kind of person who tends to think he (forgive me, but he) knows what's good and what's not, and even quite enjoy the idea of customizing your Firefox. So you l

To to prevent the issue I need to use Firefox?

[techess]

From http://www.mozilla.org/security/announce/2008/mfsa2008-35.html [mozilla.org]

Workaround
This attack only works if the user is using another internet-connected application with Firefox not running. Using Firefox, or making sure it is at least running, prevents this attack.

I had to giggle at the workaround. To prevent a firefox flaw from biting you, you need to have firefox open. Phew, I'm so glad I'm safe.

When will Microsoft fix IE?

[argent]

So far as I know, the only application that normally runs with its current directory on the desktop (and is thus a potential target for any successful exploit of this issue) is Internet Explorer.

Re:

[initdeep]

maybe I'm misunderstanding you, but I know a lot of people that change their download directory default in Firefox to the desktop.

Re:

[dnwq]

You're misunderstanding him, he means working directory [wikipedia.org]

Re:When will Microsoft fix IE?

[argent]

When you run an application from Windows Explorer, it is normally run with its current directory set to the directory that the executable is located in. The vulnerability exposed by the "carpet bombing" attack involved attacking Internet Explorer, because Internet Explorer runs with its current directory set to the desktop... not the directory containing the IE executable. There is no obvious reason why IE does this, nor any reason I can come up with for Microsoft not to change it.

Workaround

[brunes69]

This attack only works if the user is using another internet-connected application with Firefox not running. Using Firefox, or making sure it is at least running, prevents this attack.

So as long as you use Firefox all day long, you will not be affected.

Re:

[jellomizer]

As more and more applications are becoming Web Based. Developers having 1 browser open is stupid, as they need to test different environments.

Re:

[snl2587]

Or use the IE tab extension...switches rendering in a heartbeat. That takes care of two of the browser.

Re:

[thrillseeker]

Well, there's VirtualBox, for example.

Re:

[jellomizer]

Or you just click on the Firefox icon, Opera icon, and Internet Explorer icon. Then you just use them. Why do you want to make things more complex

Re:

[jellomizer]

Yes there is it is called a script. Once Click 3 browsers load up. and display it. Beside normal usage for development has him trying a fix for the broken browser (ie, IE) then just go back to see if the fix didn't break the others. So normally just having them loaded you just hit the refresh until it renders the way that you wanted. Also there are other issues to test out too. the default browsers have different heights of tool bars and sometime widths as well. If you want the page to defaultly fit on a s

Re:

[Nos.]

Developers are a relatively small subset of users. Arguably, they should be somewhat more aware of the risks/vulnerabilities in the browsers they are using.

Re:

[igaborf]

So as long as you use Firefox all day long, you will not be affected.

"But boss, I have to browse the Web all day."

Ironic timing

[Anonymous Coward]

As I was reading this post, the update was auto-downloading.

You may find this useful

[p3d0]

http://dictionary.reference.com/search?q=irony [reference.com]

Yup, opposite of what I expected

[davidwr]

I expect Slashdot to either have news of events before they go live or after a 7-day delay, depending on the phase of the moon and CowboyNeal's health.

I never expect it to be "right on time."

Another software release post?

[dnwq]

Slashdot needs a "important software updates" section.

Slashmeat

[tepples]

Slashdot needs a "important software updates" section.

I thought it was called "Freshmeat".

Re:

[dotancohen]

Slashdot needs a "important software updates" section.

In addition, or as a replacement for, the "stuff that matters" section?

I didn't even know there was a problem.

[DamienNightbane]

Now if only they could get around to fixing the much bigger memory issues that seem to get worse and worse with every release. I'm getting tempted to go back to IE for the first time in years.

Re:

[snl2587]

Ok, seriously: what are these memory issues everyone keeps bitching about? I keep open a considerable selection of tabs myself with low memory usage...and I haven't even made the optimizations for lower memory usage. I'm yet to see any evidence of these "memory issues".

Re:

[Lorkki]

Flash eats memory and CPU in gleeful amounts and is the only way I've gotten similar results, so my wild guess is that people aren't bothering to filter ads and just leave them running in old tabs while they continue browsing. Can't confirm it, though, since I've never been able to get much details out of someone who claims to experience this.

Re:

[thePowerOfGrayskull]

Nice to repeat the same ol' FUD, but you do realize that FF3 memory usage is significantly lower than FF2 and IE [pavlov.net], don't you? You /did/ know that, right?

Re:

[maxume]

You are using a broken plug in or extension. Memory usage in 3.0 is better than it was in 2.0, and the later 2.0.0.x releases saw reductions in leaks.

Ubuntu Repos

[martinw89]

I could swear that I was notified of a security update regarding Firefox a few days ago. After the update, I checked Firefox and it's own About dialog reported it was 3.0.1. Can anyone else confirm this or am I going bonkers? I'm certainly on 3.0.1 now and I only received some mundane updates this morning.

Re:

[pablomme]

I would guess you have the 'proposed' repository enabled.

Re:

[martinw89]

Yup, that would be it. I didn't realize proposed applies to getting security updates early as well. Thanks

Re:

[traabil]

I'm guessing you downloaded the Beta of FF3 before it was released. This tags you as a "tester" of some sorts, and you are eligible to receive pre-releases. Atleast this is what happened to me. YMMV

Re:

[andy9701]

This happened to me as well. From what I recall, there was some text on the dialog indicating that since I installed some Betas/RCs of 3.0, that they pushed the beta of 3.0.1 out to me as well.

I'm not sure if there is anyway to toggle this "feature" on or off (other than manually installing a non-final build), but it seems like a good idea - get some more random testing done on even the security releases can't hurt.

Addons?

[anuj2202]

Okay, just downloaded the version 3.0.1. What do I see now? My Google toolbar is gone, adblock not working, all other add-ons seem to be dead. Any idea when will the add-ons be updated?

Re:Addons?

[slimjim8094]

when the authors update them?

of course, you could google for a couple of seconds and fix it yourself (hint: you can force it to ignore the version)

Re:

[thedistrict]

I echo your sentiments, but for the time being, I think that we're just going to have to wait it out. I mean, many of the developers of these addons have other jobs anyway. Eventually the updates will come. For the time being though, I really like the product

whenever Firefox is mentioned on slashdot ..

[rs232]

Whenever Firefox is mentioned on slashdot, make sure to bring up the memory leak issue .. :)

Good...

[morari]

Now fix the Awesome Bar so that I can revert back to the way address bars should work!

No more carpet bombing?

[Oktober Sunset]

Well it's too late for the Afghanis and the Iraqis, but I'm sure the Iranians are relieved that there is a patch to stop them getting carpet bombed.

Re:Who Cares...

[bconway]

Actually, it's a .0.1 release. Firefox 3.1 (alpha due this summer) has a lot of new features that didn't make it in time for 3.0.

Re:

[pacroon]

You're right, we need WAY more Internet Explorer updates here: This just in: Animated 'e' is blue.

Re:Who Cares...

[hesiod]

It seems you haven't run Windows Update for a long time then...

Re:Who Cares...

[Vectronic]

I for one, welcome our browser caring overlords.

My issue is that "No one cares when Opera or Safari have a similar release. [or Internet Explorer, or Konqueror...]" but they do when its Firefox.

Opera 9.51 went through a few RC's and a final and is on 9.52RC/Snapshot, Safari has gone through a couple *.*# and a whole #.0 in the last few months for Mac, Win and Mobile...

But no, Firefox 3.1 Sub-Alpha-Hypothetical-Possibility-Beta-RC Build 3219 hits front page and we're supposed to eat a cracker drink some wine and pray to it, but oh wait, we're all for competition and innovation, as long as its Firefox Vs. Firefox.

(stomps off)

Re:

[ya really]

My issue is that "No one cares when Opera or Safari have a similar release. [or Internet Explorer, or Konqueror...]" but they do when its Firefox.

Opera 9.51 went through a few RC's and a final and is on 9.52RC/Snapshot, Safari has gone through a couple *.*# and a whole #.0 in the last few months for Mac, Win and Mobile...

Your post is sorta worded as flamebait to some, but it does have truth. It doesn't take a statistician or a complex algo to add up how many postings have been about FireFox in the past 6

Re:Who Cares...

[Godji]

Safari has gone through a couple *.*# and a whole #.0 in the last few months for Mac, Win and Mobile...

And Internet Explorer is still going through lots of *&^%$#@!

Re:

[Vectronic]

lol... I "switched"... my first "Web browser" was Netscape Navigator (around 1994, Mac) then when I got my own PC, it was Windows, so IE, followed shortly by Linux (uh, wasnt IE), but basically IE, bit of NetNav (2000), then Opera, then Pheonix came out, switched to that strictly, till it became Firefox, then went back to (and remain with) Opera.

However, I have IE7, and FireFox 3.01 (along with Maxthon, and K-Meleon) installed along side Opera 9.52, there's the odd time I may need one of them for something,

Re:

[badpazzword]

And Safari and Opera are both non-free so they are more reluctant to give detailed fix reports.

http://my.opera.com/desktopteam/blog/ [opera.com]

Re:

[ya really]

And Safari and Opera are both non-free so they are more reluctant to give detailed fix reports. http://my.opera.com/desktopteam/blog/ [opera.com] [opera.com]

Non free? I believe you mean they have a proprietary source code, as opposed to open source like firefox. I don't recall paying to download either Opera or Safari for my desktop and laptop. Yes, I do know opera charges now for the Wii browser, but I don't have a Wii.

Re:

[drewness]

Non free? I believe you mean they have a proprietary source code, as opposed to open source like firefox.

Safari is Open Source. Head over to WebKit.org [webkit.org] and you can get the source via Subversion or browse it via Trac. It's licensed under a mix of LGPL and BSD licenses.

Re:

[Godji]

WebKit is open source, but is Safari? One is the engine, the other is the browser using that engine. Is Safari itself open source too?

Re:Who Cares...

[Lennie]

no, Safari isn't open source, WebKit is open source, because it is based on khtml.

Re:Who Cares...

[HeroreV]

Safari is closed source. WebKit (the layout engine Safari uses) is open source, but the builds used by Safari rely on a binary closed source blob from Apple. If you value software freedom, you shouldn't use Safari.

Re:

[E IS mC(Square)]

Apple Kool Aid much?

Re:

[KGIII]

Free as in? 'Cause, well, I'm pretty sure you should know that both Safari and Opera don't actually cost the end user anything to install. I think it is pretty safe to say that the pay-for-a-browser market on the PC platform is pretty much over.

Re:

[Darkness404]

Non-free, as in closed-source, as in proprietary. Sure Safari is mostly open-source, but Opera is as much proprietary as IE.

Re:

[KGIII]

That's what I figured/hoped you'd meant. I actually like Opera a great deal though the current version is too cartoonish looking for my taste. I should, probably, theme it. I dare say I like it more than I like Firefox. Ah well, thanks for making it more clear. (I am not one of the people who really cares if the source is open or closed, I just want it to work in the ways that I expect it to.)

Re:

[Darkness404]

Yes, I've used Opera a few times and think it is ok, but really I don't like the closed source aspect of it. Sure it is secure, but if it was the dominant browser, I think it would have as many exploitable holes as IE does now, Firefox and Safari both have open source going for them.

Re:

[leenks]

http://developer.yahoo.net/blog/archives/2007/07/yahoo-hadoop.html [yahoo.net]

Besides, Google's search engine doesn't run on MapReduce - they use MapReduce to build the indexes. The key with Google is the GFS...

Re:

[Anonymous Coward]

Stop being such a dick twitter.