Mozilla Issues Fix For Firefox Zero-Day Bug
An anonymous reader writes: Thursday night Mozilla released a Firefox security patch after finding a serious vulnerability that allows malicious attackers to upload files from a user's computer. The update was released about 24 hours after Mozilla learned of the flaw. In a blog post, Mozilla said, "a Firefox user informed us that an advertisement on a news site in Russia was serving a Firefox exploit that searched for sensitive files and uploaded them to a server that appears to be in Ukraine. This morning Mozilla released security updates that fix the vulnerability. All Firefox users are urged to update to Firefox 39.0.3. The fix has also been shipped in Firefox ESR 38.1.1."
Re: (Score:1, Insightful)
Nothing is perfect. Open or closed source. What you should focus on is the manner and speed of a company's efforts to rectify any issues.
Re: (Score:3, Interesting)
Agreed. And this goes especially for browsers, since they're hitting a moving target.
That said, this exploit highlights the fact that Mozilla still hasn't gotten their act together on layered security. Firefox remains the only browser not to run in low integrity mode (i.e. protected mode) on Windows, so while certain plugins like Flash are sandboxed, the greater browser is not. This goes hand in hand with the fact that Firefox currently does not have the ability to run each tab/window in
Open source vs. exploits (Score:1)
Open source just lowers the bar for others to both contribute to this, and to potentially take advantage of bugs.
You don't need source code to take advantage of bugs. Or even discover them. Almost always you do need source code to fix bugs, though.
So that would be a good argument (one of many!) for why someone would prefer to use open source software. But how much that helps with bug-fixing, depends very much on each project's regular maintainers ("upstream").
Re: (Score:2)
Fundamentally it is more secure, but it depends on how secure the user makes it.
You can buy the best locks for your house and bullet proof windows, but if you don't lock the door, leave the windows open and leave the spare key in plain view on the patio it really doesn't matter how secure the components are. If they are not installed or configured properly then security will be lax or non-existent.
Re: (Score:3, Insightful)
Well, open source code is no more secure than closed source. That isn't a function of the source being open or closed. You can have poorly written open source software and excellent closed source stuff.
The value of open source is the assumption that more eyes on an issue allows inevitable bugs to be found, and for potential users to inspect what they are running. Closed source would have to rely on the number of people authorized to view the code, and the customer will not be able to view the code, just
Re: (Score:2)
Because everything, across the board, is being slammed hard, be it BIOS/EFI firmware, holes like F0 0F in the CPU, open source items, closed source items, IoT devices, you name it... the number of attacks has risen in number and sophistication by an extreme.
Re: (Score:1)
Those people have moved on to soylentnews.org
Re: (Score:1)
I thought the consensus here was that open source software was secure? Why do the events of the past year make it appear as if they're as bad or worse?
Bullshit, that's not what the consensus is. The consensus is that because open source software's code is viewable by anyone, it's more likely that flaws/bugs will be found.
Only an imbecile (like you) would make the false claim that open source software is inherently "secure". Stop spreading your FUD, you buttwipe.
Re: (Score:1)
Free Software does tend to be based on more secure designs.
On the other hand, pretty much everything is better than the market leader monopoly-ware product. This is pretty much the way it's always been.
So it's easy to see a skew in favor of open source. That's just because the leading proprietary product has always been such crap. If something like VMS or QNX were in the mix being good examples of proprietary software, the differences would not be so obvious.
Re: (Score:2)
Free Software does tend to be based on more secure designs.
Yes, I'd say that's generally the case. I was responding more to his flat, blanket claim that "open source software was secure", which implies that open source software has no vulnerabilities, period. His comment was just a bit too trollish in my opinion.
On the other hand, pretty much everything is better than the market leader monopoly-ware product. This is pretty much the way it's always been.
Some is, some isn't. Some OS applications are so much better than the commercial offerings that I often wonder how
External PDF viewer? (Score:4, Interesting)
Re:External PDF viewer? (Score:5, Insightful)
Why does a Web browser have a built-in PDF viewer in the first place?
A PDF file is an external document not meant to be viewed inside a browser. Or is Firefox also planning to add a Microsoft Word viewer, an Apple Keynote viewer, etc?
Re: (Score:1)
Because Chrome has one.
Re: (Score:1)
Why does Chrome have one? It's a web browser. The same questions apply.
Re:External PDF viewer? (Score:5, Funny)
Why does Chrome have one? It's a web browser. The same questions apply.
Hipsters.
Re: (Score:2)
Hipsters with keys to the family car.
Re: (Score:1)
Because people want to view PDFs in their browser and Google's reader is far more secure than anything from Adobe.
Re: (Score:3)
Why can't Adobe write a PDF viewer that just does the job simply and without the feature overload that leads to the most bug-ridden software since the Microsoft Butterfly 98 Home Edition?
Re: (Score:2)
Why does Chrome have one? It's a web browser. The same questions apply.
Then go back and ask Firefox?
Re: (Score:2)
And Chrome's version works a million times better/faster.
Re: (Score:2, Informative)
It is a tough choice. Build in your own PDF viewer, or use an existing one that pops up security holes now and then. In general, the built-in ones have far fewer features, so there are fewer security holes.
Chrome is better at this because it does more compartmentalization than Firefox. Firefox runs plugins in a separate process, but that is about the extent of the isolation they get, while Chrome runs everything in separate tasks, and you can even kill them in the browser.
The only real long term solution
Re: (Score:3)
Or set your browser to download (or at least prompt) the PDF instead of automatically executing the PDF with any software. That way, a PDF you choose to look at can still work fine, but a drive-by exploit attempt will have another speedbump to get past.
Re: (Score:2)
That, and focus on not requiring third-party programs for Web content.
But will web content ever remain static long enough for browser standards to keep pace? Mozilla tied itself up in knots over H.264 long after it had eclipsed all other contenders for HD video support.
Re: (Score:2)
Who do you trust more to create software with fewer security holes: Google or Adobe?
Re: (Score:2)
Sorry, was responding to the wrong person, but you can just switch Google with Mozilla. Mozilla has their share of software issues, for sure, but nothing even remotely as bad as Adobe's track record.
Re: (Score:2)
Which PDF reader publisher do you trust more than Mozilla and Adobe?
Re:External PDF viewer? (Score:4, Interesting)
is Firefox also planning to add a Microsoft Word viewer, an Apple Keynote viewer, etc?
If enough web links go directly to that type of file, then they might. For the same reasons.
Re:External PDF viewer? (Score:4, Interesting)
Because users were not updating their external PDF viewers, so they included a viewer which does get frequent updates because the browser gets frequent updates. Thus making it a more secure solution.
If you are using Adobe Acrobat, it includes JavaScript and Flash support and lots of other stuff you can't even imagine. Supposedly the code base of Adobe Acrobat is bigger than browsers like Firefox.
Re:External PDF viewer? (Score:4, Informative)
Why does a Web browser have a built-in PDF viewer in the first place?
Because just as text/html is a commonly used media type on the web, so is application/pdf. Having a PDF viewer written in JavaScript contributes to the Downloads folder not being quite as littered. And because not only is JavaScript inherently less subject to accidental "undefined behavior" than the C++ in which I assume Adobe implemented its Reader, but also has Mozilla shown itself to be more responsive than Adobe to security issues. That's also why Mozilla has been working on Shumway, its SWF player.
Or is Firefox also planning to add a Microsoft Word viewer, an Apple Keynote viewer, etc?
Anyone who wants to write a JavaScript viewer for those formats is free to do so.
Re: (Score:2)
So now instead of just having to worry about bugs in Firefox's HTML rendering engine and, say, Evince (or whatever other PDF viewer you use to open saved PDFs) you now also have to worry about bugs in Firefox's PDF rendering code.
Because Firefox's PDF rendering code is in JavaScript, a memory-safe language, entire classes of bugs that might affect a standalone PDF reader like Evince or Adobe or Foxit or Sumatra are not possible. For example, JavaScript arrays are always bounds checked, meaning there's no such thing as a buffer overflow.
Re: (Score:2)
The first browser that allowed PDFs to be displayed inline without a plugin was Safari since its beta stages. That's because OS X has had the ability to display PDFs built in to it since its Nextstep days. So, it all stems from a desire to duplicate a feature in Safari that was actually a native feature of OS X . . .
Re: (Score:2)
From Hacker News, it seems this exploit is in PDF.js. If you're not running PDF.js, there's no security hole.
Re:External PDF viewer? (Score:5, Informative)
You can go to about:config and set the value for pdfjs.disabled to true, or create that setting (boolean type) if it doesn't exist. That'll cause Firefox to pop up a download dialog when you click a PDF link, and you can use something like Sumatra to open the file.
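A defender-side check of the two mitigations discussed in this thread (a patched build and pdfjs.disabled set to true), written as an added example here and not code from the thread or from Mozilla. It assumes Firefox's real on-disk layout, user_pref() lines in the profile's prefs.js/user.js and the [App] Version key in application.ini, and runs on constructed sample inputs.

```python
import configparser
import re

# Fixed builds named in Mozilla's post: the release line and the ESR line.
FIXED_RELEASE, FIXED_ESR = (39, 0, 3), (38, 1, 1)
# Firefox stores preferences as JavaScript calls: user_pref("name", value);
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(true|false|-?\d+|"[^"]*")\);')

def parse_prefs(text):
    """Parse user_pref(...) lines from prefs.js or user.js into a dict."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            key, raw = m.groups()
            if raw in ("true", "false"):
                prefs[key] = raw == "true"
            elif raw.startswith('"'):
                prefs[key] = raw[1:-1]
            else:
                prefs[key] = int(raw)
    return prefs

def parse_version(ver):
    """'39.0' -> (39, 0, 0): the About box omits a trailing .0 component."""
    parts = [int(p) for p in re.findall(r"\d+", ver)][:3]
    return tuple(parts + [0] * (3 - len(parts)))

def is_patched(ver):
    """True when the build is at or past the fix for its line (38.x is ESR)."""
    v = parse_version(ver)
    return v >= FIXED_ESR if v[0] == FIXED_ESR[0] else v >= FIXED_RELEASE

def audit(prefs_text, appini_text):
    """Report both mitigations: a patched build and pdfjs.disabled == true."""
    ini = configparser.ConfigParser()
    ini.read_string(appini_text)          # application.ini has an [App] section
    version = ini["App"]["Version"]
    prefs = parse_prefs(prefs_text)
    return {
        "version": version,
        "patched": is_patched(version),
        # Absent pref means the default (false); a string "true" is the wrong type.
        "pdfjs_disabled": prefs.get("pdfjs.disabled", False) is True,
    }

# Constructed sample inputs (not from a real machine): the 39.0 About-box case
# from the thread, with the viewer already switched off.
PREFS_SAMPLE = 'user_pref("browser.startup.homepage", "about:blank");\n' \
               'user_pref("pdfjs.disabled", true);\n'
APPINI_SAMPLE = "[App]\nName=Firefox\nVersion=39.0\n"
```

Running audit() on a real profile means reading prefs.js and application.ini from disk and passing their text in; a result with patched False and pdfjs_disabled False is the exposed configuration the thread is about.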
Re: (Score:2)
My guess: pdf.js runs on a different permission set since it's not downloaded over the web.
Re:People still use Firefox? (Score:4, Informative)
On Windows, your choices are:
edit: Slashdot lets us use HTML in our posts but makes bullets invisible... way to go, guys.
Re:People still use Firefox? (Score:4, Insightful)
It's disabled by default.
Integrated PDF reader. The code for this is still included for emergencies (i.e. when you need to read a PDF but don't have access to a reader) but disabled by default - you are always recommended to use a separate, up-to-date document reader for PDF files (as an external program, not as a browser plugin) for your own security, and to have documents displayed in their fully intended format instead of a stripped-down display in an in-browser reader.
https://www.palemoon.org/techn... [palemoon.org]
Re: (Score:2)
As long as the PDF reader is disabled, no.
Re: (Score:2)
This list [webdevelopersnotes.com] isn't even exhaustive and it's far more than the 4 choices you claim are all that exist.
Re: (Score:1)
cool, .php3
I'm really going to trust that list
Re: (Score:2)
Cool story, brah.
Re: (Score:2)
Links, lynx, w3m still work on cygwin.
Re: (Score:3)
Unless you're one of the users running into those mysterious "memory leaks" that nobody can replicate once they file an actual bug
I stopped using Firefox a couple of years ago because of this. They're not mysterious, they were real. Try opening a reasonable number of tabs (50-100), and leave the browser open for a day or two, and you'll probably be able to reproduce it.
Re: (Score:1)
Are you sure that 50 to 100 is actually a reasonable number of tabs to open? I have some blisteringly fast computers with absolutely retarded amounts of RAM and I still would find that many tabs unreasonable.
Re: (Score:1)
Personally, I can not fathom having that many tabs open. I can think of no case where that would help me. Also, I am an Opera user almost exclusively. I have been since it was pay-ware. I did use and donated (I seem to recall they put my name in a newspaper but I forget which one) Firefox but they have gone downhill. Now, when I install Linux, I use Firefox like I would use IE. I use it just long enough to download another browser. I could just grab one out of the repo but I really prefer my Opera and I hav
Re: (Score:2)
Firefox, the bloated browser with memory leaks
Note: the memory leaks are mostly fixed by now.
Re: (Score:2)
You left out Safari, built by the same team that brought you iTunes for Windows so you know it's quality!
Generic FUD (Score:1)
I told you PDF in browser is a bad idea (Score:1)
I told you I told you I told you. Seriously, go back to when it was announced on Slashdot and I very specifically said this will be nothing but an additional attack vector.
As soon as I updated to the version which had it, I immediately set it to never activate, knowing this would happen eventually, and have never used it since.
Yeah Jeffrey Ir Rational (Score:1)
Thank You Mozilla!! (Score:1, Offtopic)
Re: (Score:1)
Is this the real person that divulged it? I ask because I can't quite figure out why we have this blog post https://blog.mozilla.org/secur... [mozilla.org] .
It backs up the version you report.
However, if you go to this page https://www.mozilla.org/en-US/... [mozilla.org] you will find that they are giving credit to an entirely different person. A security researcher named Cody Crews.
It's interesting because everyone is giving Mozilla a big slap on the back for acting so fast, yet the fact of the matter is if MSFA 2015-78 is to be beli
Really ? (Score:1)
Having s
Patch and don't forget this... (Score:3, Interesting)
"The exploit leaves no trace it has been run on the local machine. If you use Firefox on Windows or Linux it would be prudent to change any passwords and keys found in the above-mentioned files if you use the associated programs. "
It's taken from the blog about the exploit and doesn't seem to be drawing much attention.
V39.0, no updates available (Score:2)
Just checked, my Firefox says it is version 39.0 - no third number (39.0.3), and the application itself says it is "up to date". :/
Would think that they'd include the full version-number in the About box (the place they say to go to check for updates), just so users can be 100% certain they are using the right one
Re: (Score:2)
Just did the same, with the same result.
You're not up-to-date; the "application" lied (Score:2)
Re: (Score:2)
Further to my post, a message balloon popped up about an hour ago saying that the update was available. I tried the same thing with the same result as before. Then, I thought that maybe it was something to do with me running as a Limited User, so I right-clicked the Firefox icon and chose the "Run as administrator" option. I logged in, Firefox promptly started up and I successfully updated from there.