
Firefox 3.5's First Vulnerability "Self-Inflicted"

CmdrTaco posted more than 4 years ago | from the that-sounds-all-emo dept.

Mozilla 156

CWmike writes "Mozilla has confirmed the first security vulnerability in Firefox 3.5, saying that the bug could be used to hijack a machine running the company's newest browser. A noted Firefox contributor called the situation 'self-inflicted' and said it was likely that the hacker who posted public exploit code Monday became aware of the flaw by rooting through Bugzilla, Mozilla's bug- and change-tracking database. The vulnerability is in the TraceMonkey JavaScript engine that debuted with Firefox 3.5, said Mozilla. '[It] can be exploited by an attacker who tricks a victim into viewing a malicious Web page containing the exploit code,' Mozilla's security blog reported Tuesday."


156 comments

Foundation, Not a Company (3, Informative)

eldavojohn (898314) | more than 4 years ago | (#28716445)

Mozilla has confirmed the first security vulnerability in Firefox 3.5, saying that the bug could be used to hijack a machine running the company's newest browser.

Just a note, I think Mozilla tries to shirk any idea of "company" or "corporation" from the open source development side of things. Instead, they are a non-profit foundation [mozilla.org] and recently created a separate taxable corporation [mozilla.org] with the intent of distribution and productizing Firefox & Thunderbird.

I think the word 'company' implies commercial interests and the developing part of Mozilla--the Foundation--does not have any commercial interests. While this may seem unimportant to you, I believe it to be a pretty important concept to clarify when you're talking about open source from a non-profit and open source from a company.

Re:Foundation, Not a Company (4, Interesting)

TinBromide (921574) | more than 4 years ago | (#28716559)

The legal definition (as was explained to me by a drunk law school student) is that a company is a group of people working together towards a shared goal. I.E. a bunch of boy scouts who want to go camping could technically call themselves a company, a bunch of guys looking to go out drinking could technically be called a company. Scale that up and the foundation could be technically called a company.

Your issue isn't with the technical use of the word, but diction, its implied meaning and associations. That being said, the use is technically incorrect but not artistically apt.

Where the Hitchhiker's Guide is in error, it is definitively so. This means that Reality is the one who got things wrong. So when the publishers of the Hitchhiker's Guide got sued by the families of tourists who took literally the sentence 'Vicious Bugblatter beasts often make a good meal for visiting tourists' which should have been rendered 'Vicious Bugblatter beasts often make a good meal of visiting tourists', the publishers brought in a poet to testify under oath that the second sentence is the more aesthetically pleasing of the two, and that Beauty is Truth and Truth, Beauty. They argued then that Life itself was the culprit for being neither beautiful nor true. In a startling decision, the judges agreed, holding Life in contempt of court and confiscated it from everyone present before going out for a round of Ultra-golf.

Re:Foundation, Not a Company (-1)

Anonymous Coward | more than 4 years ago | (#28716955)

Parent had him explain it during drinking time? What a nerd!

Oh wait...

Re:Foundation, Not a Company (1)

Dragonslicer (991472) | more than 4 years ago | (#28718421)

Company is also a military term for a medium-sized group of soldiers (Wikipedia says on the order of 100-200).

Re:Foundation, Not a Company (2, Insightful)

Richard_at_work (517087) | more than 4 years ago | (#28716627)

When you wish to download Firefox or Thunderbird, you are redirected from Mozilla.org to Mozilla.com, so in this case calling it a company is most certainly correct - the Mozilla corporation is distributing the software to you, not the Mozilla foundation.

Re:Foundation, Not a Company (4, Insightful)

Anonymous Coward | more than 4 years ago | (#28717661)

Geezus....I should probably stop reading this site, it seems that everyone is so sure of themselves and are ALWAYS in the right that you actually have time to quibble over insignificant details. Yeah, he may have been incorrect (doubtful!) but do you really think that the point was lost to anyone that read it? Or caused ANY confusion? Why bother then?

get over yourselves, we aren't all born perfect, and may make mistakes. There is absolutely no reason to jump all over somebody for such a piddly mistake, EXCEPT TO BOOST YOUR OWN EGO!

rant off....

Re:Foundation, Not a Company (2, Insightful)

plague3106 (71849) | more than 4 years ago | (#28718601)

Well, we can't let people actually discuss the issue here, which is a zero day exploit in a FOSS project. Nope, we'll gloss over that and nitpick the word used to describe Mozilla.

Right! Quick! (1)

Canazza (1428553) | more than 4 years ago | (#28716497)

Everyone download NoScript Pronto!

Re:Right! Quick! (-1, Troll)

kalirion (728907) | more than 4 years ago | (#28716791)

That's right, get it from The Official No-Script Site [thenoscriptsite.lt].

NoScript: http://noscript.net (4, Informative)

Futurepower(R) (558542) | more than 4 years ago | (#28717797)

Careful.

The official NoScript site is http://noscript.net/ [noscript.net].

To anyone who doesn't already know: NoScript prevents Javascript scripts from running unless they are chosen from a menu. That even protects against vulnerabilities that haven't been discovered yet.

Re:NoScript: http://noscript.net (2, Insightful)

Requiem18th (742389) | more than 4 years ago | (#28718979)

Right, now where do we find something to protect us against NoScript and its attempts to take control over our browsers?

Re:Right! Quick! (0)

Anonymous Coward | more than 4 years ago | (#28717107)

Why download confirmed spyware?

Re:Right! Quick! (4, Interesting)

RiotingPacifist (1228016) | more than 4 years ago | (#28718499)

Ended up going back to noscript recently but it really is an ugly solution, yesscript only helps against tracking. What is really needed is a good guide for using controldescripts (or a similar extension) allowing all sites to access a list of known safe functions (to let you browse the web without it getting in the way), some to be blacklisted (to protect you from tracking), an easy GUI way to allow a greater subset of functions to be accessed (for trusted sites) and security workarounds to stop any vulnerabilities working in the wild.

Some Questions & Comments About Firefox 3.5 (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#28716505)

I have to say that Firefox is getting a lot worse lately. The user experience is in serious need of improvement and development is the pits. I installed the latest "big deal" Firefox update on June 30th. (For some reason they skipped a full four secondary updates, but whatever.) Upon restarting, which took several minutes, I began using Firefox 3.5 [mozilla.com].

At first, Firefox seemed strangely familiar. I thought they had changed very little unnecessarily until I visited the Acid3 [acidtests.org] test. Lo and behold, I was still using Firefox 3.0.0.11. What the fuck? I manually invoked Check for Updates and repeated my first attempt only to find, upon restarting, the same thing.

Finally in desperation I downloaded the installer manually from Mozilla [mozilla.com]. The install ran surprisingly quickly and, after a few minutes, I was launched with the new version. I had to check, though, because again I thought it looked like very little had changed.

In fact, did Mozilla bother changing anything beside the JavaScript? The new TraceMonkey is great and all, but they could have at least made it look like they were working on something else. When the most noticeable improvement is the "Know Your Rights" button (which everyone ignores) one really starts to wonder what the fuss was all about.

Well, after the three tries it took to upgrade, I found my profile wouldn't migrate. This was a mess, but I was able to eventually retrieve my bookmarks from a long, arcane file path in a hidden directory. But then upon visiting my bookmarked sites I found that almost none of my add-ons are compatible with it. Therefore my browser is almost entirely functionless.

The bookmark tool itself could use a polishing. It's a mess and has been since version 1.0. If a browser is meant to render and organize content, Firefox surely falls down in this area. Why does it take me several minutes to slosh through the GUI just to make a new folder and alphabetize some bookmarks in it? Not to mention the damned Bookmarks toolbar, which takes up too much damn space and can't be turned off.

And speaking of the GUI, it's slow as Hell slow -- get rid of the proprietary XUL and just hardcode the damned interface already!

I also have to mention memory use. On my system, Firefox was swallowing an incredible 400 MB with only a simple HTML 4 table open. 400 MB?! I blame this on the Firefox team's use of C++, where memory management is about as easy as herding cats. Likewise Firefox is a slow, bloated nightmare. (For a contrast, there's Safari [apple.com], which is written in Objective C and is very small and efficient.)

Most of the time I have heavy JavaScript sites open. I shudder to think how much Firefox eats then, and I'll be sure to check in the future. No wonder my system tends to slow down when I've left Firefox open for days on end with dynamically updating pages and RSS feeds. Clearly, Firefox leaks memory like a cracked sieve in a waterfall.

With Firefox smelling more and more like crapware, I started to dig a little, first on Wikipedia [wikipedia.org] and then on the Mozilla Development Forums [mozilla.org]. It turns out that my observations are part of a larger pattern of Firefox quality issues and development customs. The Mozilla developers are a bunch of arrogant, abusive shitheads.

For starters, they're still running all tabs in the same process. This is something IE7 and Safari 3 have had right for years. So if a plugin crashes or a page takes forever to finish rendering, everything's stuck. You can't even switch tabs to another page! And Firefox 3.5 is a "milestone" release? Firefox 3.6 and 4 are milestones too, and process-per-tab isn't scheduled for either.

Developer interaction with Firefox users is stilted too. Sometimes Bugzilla [mozilla.org] reports are dismissed out of hand, only to be reopened when something goes terribly wrong later. I also saw instances of reported security flaws sitting years before being patched. In one case, someone released an exploit to point out the deep holes in Firefox before anyone did anything.

One time, a user with some programming experience suggested a bugfix to the wishlist. One programmer, whom I will not publicly name, suggested the user submit patches "once his balls dropped," if he were even male. If this were a real company and not a bunch of arrogant hacker hippies, user antagonism and sexism would never be acceptable. When I read this particular incident I uninstalled Firefox for good.

If anyone else has complaints about Firefox, post them here. For a browser that's taken nearly a third of the market, it's doing so with an incredibly broken development model and backend. Just imagine if the Firefox team actually treated its users right or prioritized projects properly. Maybe then the web would move beyond the mess of incompatible standards and site hacks it is today.

Until then, Firefox is just another out-of-control Open Source project that needs a good stiff slap in the face.

Re:Some Questions & Comments About Firefox 3.5 (2)

Dishevel (1105119) | more than 4 years ago | (#28717301)

Why does it take me several minutes to slosh through the GUI just to make a new folder and alphabetize some bookmarks in it?

I don't know. Why does it take you that long? It takes me seconds. Maybe the issue is you?

Re:Some Questions & Comments About Firefox 3.5 (1)

cayenne8 (626475) | more than 4 years ago | (#28717415)

My only complaint on FF 3.5 at this time is the way it works with Gmail now.

I have it set in FF, to open a new link in a new tab. This has worked beautifully till now. When I click a link in Gmail now, rather than open a new tab, it opens the link in a new window without any scroll bars!?!?!

Now, if I want to open a link from Gmail, I have to rt. click and tell it to open in a new tab.

This kinda sucks IMHO.

Re:Some Questions & Comments About Firefox 3.5 (0)

Anonymous Coward | more than 4 years ago | (#28718201)

put about:config into the addressbar, enter, click through any warning, then into the filter box paste:

browser.link.open_newwindow.restriction

double-click that pref to edit the value to 0

I've had it this way for years without any problems.

Re:Some Questions & Comments About Firefox 3.5 (1)

cayenne8 (626475) | more than 4 years ago | (#28719039)

" put about:config into the addressbar, enter, click through any warning, then into the filter box paste:

browser.link.open_newwindow.restriction

double-click that pref to edit the value to 0

I've had it this way for years without any problems. "

Thank you, that worked!!

I've not had to do that before I don't think...wonder why they changed that in the 3.5 version?

What exactly does this setting do? My value was a "2".

Re:Some Questions & Comments About Firefox 3.5 (0)

Anonymous Coward | more than 4 years ago | (#28718291)

I don't know why Firefox makes it so hard to hackily work-around the multiple window thing. How hard is it to have a global option to NOT do something? Why can't they at least do the sane opera-like thing and have "windows" open in tabs? Oh right, because of inane philosophical bullshit about magic window managers which don't actually exist.

Review of your complaints (0)

Anonymous Coward | more than 4 years ago | (#28718737)

"If anyone else has complaints about Firefox, post them here. [My emphasis] For a browser that's taken nearly a third of the market, it's doing so with an incredibly broken development model and backend...

"Until then, Firefox is just another out-of-control Open Source project that needs a good stiff slap in the face."


Agreed. Firefox has had broken, weak management because a socially inept lawyer, Winifred Mitchell Baker [wikipedia.org] who has no technical knowledge or interest, was the head of the Mozilla foundation. Now she is Chairman of the Board.

"On my system, Firefox was swallowing an incredible 400 MB with only a simple HTML 4 table open. 400 MB?!"

I just started a computer that has Firefox 3.5 installed. I started Firefox and opened a web page. It used 200 MB.

"The bookmark tool itself could use a polishing. It's a mess and has been since version 1.0. If a browser is meant to render and organize content, Firefox surely falls down in this area."

Agreed. But apparently Firefox developers work on only what interests them, and they don't use browsers very heavily.

"No wonder my system tends to slow down when I've left Firefox open for days on end with dynamically updating pages and RSS feeds. Clearly, Firefox leaks memory like a cracked sieve in a waterfall."

Yes, but the CPU hogging bug is what makes Firefox slow after several days, not the memory hogging.

"I manually invoked Check for Updates and repeated my first attempt only to find, upon restarting, the same thing."

Yes, that's happened to me, also. The update procedure is buggy.

"Not to mention the damned Bookmarks toolbar, which takes up too much damn space and can't be turned off."

Not correct. The Bookmarks toolbar can be turned off.

"One time, a user with some programming experience suggested a bugfix to the wishlist. One programmer, whom I will not publicly name, suggested the user submit patches "once his balls dropped," if he were even male. If this were a real company and not a bunch of arrogant hacker hippies, user antagonism and sexism would never be acceptable."

Agreed, but it's worse than you say.

"For starters, they're still running all tabs in the same process. This is something IE7 and Safari 3 have had right for years. So if a plugin crashes or a page takes forever to finish rendering, everything's stuck. You can't even switch tabs to another page! And Firefox 3.5 is a "milestone" release? Firefox 3.6 and 4 are milestones too, and process-per-tab isn't scheduled for either."

Translation: Layoffs at Mozilla Foundation. As soon as Google's Chrome browser [google.com] has sufficient Plug-ins, why would anyone use the quirky Firefox? But it may be years until Chrome has the necessary plug-ins. On the other hand, Google pays the Mozilla Foundation more than $55,000,000 per year [techcrunch.com] to make Google the default search engine, so maybe someone at Google will hurry the development of Chrome to save huge amounts of money in future years.

time to close Bugzilla to the public (-1, Flamebait)

Anonymous Coward | more than 4 years ago | (#28716507)

We tried to be cool, but you guys violated our trust and abused the database, and made us look like fools in the process.

Congratulations, hacker, you've ruined it for everybody.

The Bugzilla database will no longer be made available to the public, only the elite cadre of Firefox developers.

Re:time to close Bugzilla to the public (3, Informative)

maxume (22995) | more than 4 years ago | (#28716571)

They already had a standing policy of hiding security related bugs (i.e. those that they figured were exploitable; it is even discussed in the log linked in the summary!).

Re:time to close Bugzilla to the public (1)

Lulfas (1140109) | more than 4 years ago | (#28716837)

So.... Time till someone makes a post saying how much better Firefox is because it doesn't practice "Security through obscurity?"

Re:time to close Bugzilla to the public (2, Interesting)

maxume (22995) | more than 4 years ago | (#28717115)

Who cares if they do? Security through obscurity is a perfectly valid strategy, as long as it is used in conjunction with other strategies, so when someone criticizes the mere use of secrecy, they can be disregarded.

(Think about it for a minute; passwords, keys, access codes, hidden safes, etc.)

Re:time to close Bugzilla to the public (1)

Dragonslicer (991472) | more than 4 years ago | (#28718519)

So.... Time till someone makes a post saying how much better Firefox is because it doesn't practice "Security through obscurity?"

Uh, "Security through obscurity" doesn't refer to whether or not existing security vulnerabilities are made public before a fix is available. "Security through obscurity" means that lack of information is the only thing keeping something secure, such as assuming that nobody will ever guess that putting "&admin=true" at the end of a URL will give them administrator access.

Nice test for the open source community (1, Interesting)

Big Hairy Ian (1155547) | more than 4 years ago | (#28716511)

Let's see how long it takes them to patch this

Probably won't be too long

Re:Nice test for the open source community (5, Informative)

fedxone-v86 (1080801) | more than 4 years ago | (#28716805)

If you had read the bugzilla thread (I know, I know) you'd know it's already fixed ;)

Re:Nice test for the open source community (3, Interesting)

maxume (22995) | more than 4 years ago | (#28716843)

They haven't released an update yet though, which is probably the more interesting event.

Re:Nice test for the open source community (3, Insightful)

fedxone-v86 (1080801) | more than 4 years ago | (#28717335)

They haven't released an update yet though, which is probably the more interesting event.

That's true of course. And I don't want to split hairs but point out the open source nature of the Firefox browser:

The patch is already available.

Re:Nice test for the open source community (4, Insightful)

jank1887 (815982) | more than 4 years ago | (#28717991)

But, the majority of users only update firefox when it pops up a "hey, there's an update. Click here!" prompt.

The issue is unfixed for 90% of users until that occurs.

Re:Nice test for the open source community (-1)

Anonymous Coward | more than 4 years ago | (#28718021)

So they are releasing a patch this time? That would make it the first time, as always before it has been "here is a whole new install" (which is about the same as "here is all the source, compile it yourself and you have a new binary" - still a whole install.).

If they start making patches, that will make it much better - but somehow I doubt that they started making patches and what you probably meant was "the fixed source code is available" which is not an installable patch.

Re:Nice test for the open source community (1)

AmberBlackCat (829689) | more than 4 years ago | (#28718243)

It's possible Microsoft has an update somewhere to patch all known vulnerabilities of every version of Windows.

Re:Nice test for the open source community (1)

ioErr (691174) | more than 4 years ago | (#28716881)

Just remember to start counting from the day the bug was reported and not from today.

Actually, patch in progress was abused by a lamer (1)

Ilgaz (86384) | more than 4 years ago | (#28718131)

milw0rm, who can easily be put under the definition of "script kiddie lamer", spied on the Bugzilla bug reporting system, which should not be open regarding security issues, and posted quick exploit code for a bug which was already in the process of being fixed.

So, the open source system was abused in some form. It was an error on Mozilla's part though, security issues of open source apps shouldn't be discussed in public along with crashers etc.

Not a surprise. These people subscribe to all update/security mailing lists and grab a couple of issues and claim they hacked OS X.

On the other hand, Mozilla should be glad that he picked it. If it was a real black hat professional, he wouldn't be stupid enough to publicly disclose it and milk it as long as possible.

By Vulnerability, you mean... (1)

Haffner (1349071) | more than 4 years ago | (#28716523)

I've wondered: will having an up to date NoScript addon for firefox prevent these attacks? or will this bypass NoScript?

Re:By Vulnerability, you mean... (0)

Anonymous Coward | more than 4 years ago | (#28716661)

No, it won't.

It's a combination of a stack overflow and a return-to-enclosure-on-trap exception sitting between the parser and the image renderer.
All points to the line 465, in prasscall.cc

for(i=norb(j);pst();bnarf(), onWrote(a,j+2,refStr)->frtz(inp,hCall,grt), j-=exp(trh(sref,n)+sin(tptr+srand(5)))) if norb()== barf(sprt,j+15,nObj->ptrWin()) ytr(a,conObj->recall()) ;

Nothing is safe for now.

Maybe off topic but... (2, Informative)

vertinox (846076) | more than 4 years ago | (#28716525)

Has anyone noticed performance degradation in 3.5? Opening a slew of bookmarked pages into tabs tends to make it feel like my internet connection has slowed down. Yet when all the tabs load, they all respond snappily.

And sometimes certain sites act sluggish when opening the same exact site works fine in Safari.

It wasn't like this in 3.01

Re:Maybe off topic but... (2, Interesting)

FlyingBishop (1293238) | more than 4 years ago | (#28716831)

Yes, but a single Slashdot article with comments loads at least 30% faster, and I do that a lot more often than opening a ton of bookmarks in tabs. I think on the whole it saves me a lot more time than it costs.

Re:Maybe off topic but... (1)

troylanes (883822) | more than 4 years ago | (#28717147)

It certainly "feels" less responsive. Particularly when scrolling through a page then subsequently stopping and clicking a link, etc. A 3-5 second 'spinning ball of death' is not uncommon when traversing any given page.

Re:Maybe off topic but... (1)

rtyhurst (460717) | more than 4 years ago | (#28717595)

FF3.5 eats a lot of system resources, especially when it's been open for a while.

I think this accounts for these observations.

Re:Maybe off topic but... (0)

Anonymous Coward | more than 4 years ago | (#28717695)

Yeah while clicking a link on the awesomebar, it was still thrashing through its buffer making my mouse click on the awesome bar turn into a click on the bookmark behind it.

And I still wonder why I prefer seamonkey despite this 'superior' browser that can pass the Acid tests but can't pass the interface tolerance tests...

Re:Maybe off topic but... (1)

Lord Ender (156273) | more than 4 years ago | (#28717581)

When complaining about Firefox performance issues, always disable all addons to verify that the problem is, in fact, with Firefox itself.

I can say that Firefox is quite fast on my i7 with 12GB RAM and an Intel X25 Extreme SSD ;-)

Chrome/Opera/Safari all ----- that way (0)

slyborg (524607) | more than 4 years ago | (#28717841)

I'd say, when complaining about FF performance, GTFO. The whining is just brutal ever since 3.0 came out, and I just don't get it. There is no shortage of alternatives. If FF doesn't improve their performance enough, they will surely fall by the wayside. If you don't have the energy to put a repeatable scenario in Bugzilla, cya, and godspeed.

Re:Maybe off topic but... (1)

Propaganda13 (312548) | more than 4 years ago | (#28718853)

I haven't noticed a problem except when I went into the history section and told it to open all of yesterday's sites. It did warn me that opening 500+ tabs could cause performance issues.

You Do It To Yourself (0)

Anonymous Coward | more than 4 years ago | (#28716533)

As the man sung:

You do it to yourself, you do
and that's what really hurts
Is that you do it to yourself
Just you, you and no-one else
You do it to yourself

But, then, isn't that how it always is?

Republicans are Retarded (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#28716565)

How else could you vote for George W Bush, Sarah Palin, and the rest of the goof troop with a straight face.

Poor republicans are even so dumb as to vote for policies that directly harm them.

Religion helps keep these people stupefied, but you have to wonder if you still have to be born retarded to vote Republican.

Democrats are Retarded too (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#28716909)

still stuck on their momma's nipple ... they feel they cannot do anything without the help of others ... please momma, let me live in your house cause i'm scared of going out on my own ... please big government pay me money and give me free food cause you know i can't hold a job ... lmao political parties are retarded in general ... vote independent

Unacceptable (4, Funny)

Anonymous Coward | more than 4 years ago | (#28716585)

What do you mean there is a security exploit in a brand new version of a web browser? This is crazy, new versions of software should always be more secure than the previous versions.

Personally I'll be sticking with IE6, I never bought into this whole "Firefox" thing.

Wimp! (2, Funny)

argent (18001) | more than 4 years ago | (#28716615)

I only use IE 5.5!

Re:Wimp! (1)

GaratNW (978516) | more than 4 years ago | (#28717585)

My first reaction to seeing the headline for this post was basically "Shit! I forgot I need to update Firefox to 3.5!"... Humans are kinda dumb sometimes. Or maybe it's just me.

Re:Wimp! (1)

RiotingPacifist (1228016) | more than 4 years ago | (#28718329)

3.5 is good for speed ups and being able to disable the awesomebar (if you want), but generally most mozilla browsers need a couple of security patches before they are truly ready for the masses. 3.5.1 or 3.5.2 would be a good one to upgrade to.

Re:Wimp! (3, Funny)

mcrbids (148650) | more than 4 years ago | (#28718713)

Pshaw. I use telnet, and read the native code. I don't even see the code anymore... Blonde, Brunette, Red-Head...

Reading sites that use SSL is a bit tricky, though.

Yeah, right (5, Funny)

DoofusOfDeath (636671) | more than 4 years ago | (#28716607)

'[It] can be exploited by an attacker who tricks a victim into viewing a malicious Web page containing the exploit code,' Mozilla's security blog reported [mozilla.com] Tuesday."

Oh sure, I'm definitely going to follow that link now.

Microsoft Caught This 0-day (1)

_bug_ (112702) | more than 4 years ago | (#28716689)

I had heard about this earlier in the week and decided to give the demo exploit (which executes calc.exe) a run. As soon as I tried to save the HTML to a file Microsoft's Forefront A/V popped up with an alert detecting the shellcode within the sample code. Not bad, MS.

But if you really want to be safe you should be running noscript [noscript.net]. It'll save you from running malicious code on sites you don't trust.

Re:Microsoft Caught This 0-day (0)

Anonymous Coward | more than 4 years ago | (#28717135)

Except for the fact that NoScript itself is malicious [adblockplus.org]. If I install NoScript there is a 100% chance that dodgy software is installed on my computer, if I browse without it there is less than that. Honestly I'm going to take my chances with the script kiddies, at least they don't pretend to be nice.

forgive me (1)

neonprimetime (528653) | more than 4 years ago | (#28716705)

but isn't every application vulnerability self-inflicted? unless perhaps somebody hacked in and wrote the code for you!

Re:forgive me (1)

bunratty (545641) | more than 4 years ago | (#28716933)

They mean that they publicly released the example exploit code. Of course they coded the vulnerability!

WTF (2, Interesting)

wumpus188 (657540) | more than 4 years ago | (#28716709)

"Looking at the exploit code and our test cases, I think this is self-inflicted and we should have hidden the bug earlier"

Nice attitude, guys...

Re:WTF (4, Insightful)

bunratty (545641) | more than 4 years ago | (#28716915)

You mean that you actually want example exploit code to be available to everyone? Why?

Re:WTF (0)

Anonymous Coward | more than 4 years ago | (#28717447)

Exploits such as this one should be stapled in the forehead of every programmer and CS student that doesn't get why knowledge must be shared.
You start with "random" crashes in your ASCII game, then your browser sells someone into a bot farm, and finally somebody is charged 2 trillion dollars for a cigarette.

Re:WTF (0)

Anonymous Coward | more than 4 years ago | (#28719013)

I thought open source meant precisely what it does but hey, I guess security by obscurity works sometimes. If you're not Microsoft.

Re:WTF (5, Insightful)

maxume (22995) | more than 4 years ago | (#28716935)

So when they know about and are actively working on fixing a bug that is an exploit vulnerability, you think they should do it in public?

I get the argument that telling your users about it means that they can protect themselves (say, by running noscript), but for a consumer facing organization like Mozilla, the majority of users aren't going to notice or do anything.

Full disclosure (2, Insightful)

fedxone-v86 (1080801) | more than 4 years ago | (#28716711)

Go on and mod me troll but, IMNSHO, this is just a display of the expertise of the full disclosure movement: Just post a test-case from an open bugtracker as your own exploit and enjoy your 15 minutes of fame amongst all the other skript-kiddies.

Well done, hacker!

Re:Full disclosure (2, Interesting)

broken_chaos (1188549) | more than 4 years ago | (#28718769)

Mozilla doesn't even practice full disclosure. They normally hide security bugs from the public, but they missed this one, as well as not fixing it before 3.5's release.

Unless you're seriously suggesting that all bugs should be hidden from the public on the off chance they'll be exploitable, meaning a lot more duplicate bug reports, no independent confirmation of a bug's existence, and an inability for anyone else to fix the problem, except those granted permissions to read bugs.

Temporary fix (5, Informative)

AdmiralXyz (1378985) | more than 4 years ago | (#28716977)

According to TFA, the temporary fix is to disable TraceMonkey (JavaScript will still work). Set 'javascript.options.jit.content' in about:config to false until the patch is released.

MOD PARENT UP (4, Insightful)

argent (18001) | more than 4 years ago | (#28717059)

Mod Parent Up "this should have been in the summary, Taco".

Re:MOD PARENT UP (1)

kestasjk (933987) | more than 4 years ago | (#28717299)

Except then the bug is patched, and all of a sudden you aren't running the default settings for FF and things get weird.

Better not to visit suspicious sites, and if you have to install NoScript, it'll hugely decrease the potentially vulnerable "surface area" of your web browser.

Re:MOD PARENT UP (2, Insightful)

argent (18001) | more than 4 years ago | (#28717677)

> Except then the bug is patched, and all of a sudden you aren't running the default settings for FF and things get weird.

I've got at least a dozen non-default settings I've set in about:config. What's one more?

Granted bugs happen and is obviously nice exploit (1)

qurk (87195) | more than 4 years ago | (#28717073)

Still it was fixed by the time I heard about it, yesterday. I've become a recent Microsoft convert, but they tend to pretend this isn't happening, till they release a fix on their own good time. And Apple just breaks everything for everyone else all the time so let's not go there. I'll be the first ever person to ever say I bought Apple hardware just to find out that Apple broke it for me cause I wasn't just cool.

Re:Granted bugs happen and is obviously nice explo (2, Informative)

jank1887 (815982) | more than 4 years ago | (#28718047)

Fixed, but not pushed out yet. For the 'days to a fix' count, you need to count all days from the time the hole was discovered to the day a fixed version / patch is pushed out to users. (If I have to go looking for it, it's not 'fixed' yet.) Most people are trained to only respond to Firefox's Update popups.

Why didn't you post the (simple) fix??? (2, Informative)

brunes69 (86786) | more than 4 years ago | (#28717175)

Why not post in the summary the simple fix?

    In lieu of a patch, users can protect themselves by disabling the "just-in-time" component of the TraceMonkey engine.
    To do that, users should enter "about:config" in Firefox's address bar, type "jit" in the filter box, then double-click
    the "javascript.options.jit.content" entry to set the value to "false." The popular NoScript add-on will also ward off attacks.
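A way to check which profiles actually carry the workaround quoted above, and later which ones still carry the leftover override once a patch ships. This is an added example, not part of the original comment or Mozilla's code. It assumes the `user_pref("name", value);` line format of a profile's prefs.js and user.js, that user.js is applied over prefs.js, and that an absent entry means the JIT is on; the profile contents are constructed.

```python
import re

PREF = "javascript.options.jit.content"

# One user_pref("name", value); line as written in prefs.js / user.js.
# Lines starting with // or # do not match and are skipped.
_PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$')


def parse_prefs(text):
    """Return {name: raw_value} for every user_pref line; later lines win."""
    prefs = {}
    for line in text.splitlines():
        m = _PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = m.group(2)
    return prefs


def jit_workaround_status(prefs_js, user_js=""):
    """Classify one profile: 'disabled', 'enabled-explicit' or 'enabled-default'."""
    merged = parse_prefs(prefs_js)
    merged.update(parse_prefs(user_js))  # assumption: user.js overrides prefs.js
    raw = merged.get(PREF)
    if raw is None:
        return "enabled-default"  # assumption: no entry means the JIT is on
    return "disabled" if raw == "false" else "enabled-explicit"


# Constructed sample profiles: (prefs.js text, user.js text).
SAMPLE_PROFILES = {
    "alice": ('user_pref("browser.startup.homepage", "about:blank");\n'
              'user_pref("javascript.options.jit.content", false);\n', ""),
    "bob": ('user_pref("browser.startup.homepage", "about:blank");\n', ""),
    "carol": ('user_pref("javascript.options.jit.content", false);\n',
              '// re-enabled by hand\n'
              'user_pref("javascript.options.jit.content", true);\n'),
}


def audit(profiles):
    """Map each profile name to its workaround status."""
    return {name: jit_workaround_status(p, u) for name, (p, u) in profiles.items()}


if __name__ == "__main__":
    for name, status in sorted(audit(SAMPLE_PROFILES).items()):
        print(f"{name}: {status}")
```
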

Re:Why didn't you post the (simple) fix??? (1)

g-san (93038) | more than 4 years ago | (#28718881)

That is not a simple fix, that is a temporary workaround. Turning off the JIT compiler has performance implications.

This is why NoScript should be a core feature (1)

metamatic (202216) | more than 4 years ago | (#28717219)

Of course, Mozilla won't add a NoScript-like UI to Firefox, as it would make it convenient to block scripting, and hence annoy advertisers.

Re:This is why NoScript should be a core feature (1)

e9th (652576) | more than 4 years ago | (#28717767)

I was going to point out that NoScript was near the top of the recommended add-ons [mozilla.org] page, but now I see that is no longer there at all! You have to search for it. Adblock Plus still tops the list, however.

Re:This is why NoScript should be a core feature (4, Informative)

VGPowerlord (621254) | more than 4 years ago | (#28718787)

> I was going to point out that NoScript was near the top of the recommended add-ons page, but now I see that is no longer there at all! You have to search for it. Adblock Plus still tops the list, however.

NoScript got buried after the incident with it fucking around with AdBlock's settings, then once that was discovered and pointed out, them adding an AdBlock filter set to bypass blocking on NoScript's author's site.

As far as I know, it does neither any more, but it pissed off a lot of users, myself included, and its author's reputation went through the floor.

Re:This is why NoScript should be a core feature (1)

g-san (93038) | more than 4 years ago | (#28718937)

> Adblock Plus still tops the list, however.

Which doesn't annoy advertisers. In fact, it helps them by conserving their bandwidth!

Re:This is why NoScript should be a core feature (1)

Ilgaz (86384) | more than 4 years ago | (#28718223)

A browser's job is to execute scripts securely, safely and in a fast manner. If a browser comes with "opt in" scripting which is really impossible in real web these days, it wouldn't really have a good image and experience.

What they should do is think about the biggest lamer they have ever met, multiply it by 10, and act accordingly when dealing with security issues. Spying on Bugzilla in progress and releasing an exploit(!) based on it is the lowest one can get.

Re:This is why NoScript should be a core feature (1)

metamatic (202216) | more than 4 years ago | (#28718293)

> If a browser comes with "opt in" scripting which is really impossible in real web these days, it wouldn't really have a good image and experience.

If it's impossible, why is NoScript so popular?

And not downloading images makes for a bad web experience, but Firefox still has an option for that.

Glad I didn't rush to upgrade (2, Interesting)

OrangeTide (124937) | more than 4 years ago | (#28718025)

Sometimes it's better to just hold back and wait until my distro decides it is time to update my versions.

the whole point of open source (0)

Anonymous Coward | more than 4 years ago | (#28718479)

I thought the whole point of open source was not hiding bugs, so that they got fixed faster.

To me it's an essential difference with closed source.

That being said, until there's a fix, it's no porn, no online gambling, no pirate bay, no nothing!
