Unpatched Firefox Flaw May Expose Users

Zonk posted more than 8 years ago | from the again dept.

Bug 390

Corrado writes "CNET is reporting on a new Firefox flaw." From the article: "The problem lies in the way Firefox handles Web links that are overly long and contain dashes, security researcher Tom Ferris said in an interview via instant messaging late Thursday. He posted an advisory and a proof of concept to the Full Disclosure security mailing list and to his Security Protocols Web site...The public bug disclosure comes just as Mozilla released the first beta of Firefox 1.5. The final release of the next Firefox update, which includes security enhancements, is due by year's end, according to the Firefox road map."


Flaws (-1, Redundant)

Anonymous Coward | more than 8 years ago | (#13518993)

are not good

Re:Flaws (1, Funny)

Anonymous Coward | more than 8 years ago | (#13519175)

How on earth can the first post be redundant?

Re:Flaws (-1, Redundant)

Anonymous Coward | more than 8 years ago | (#13519223)

Because it's been said before ad infinitum?

(as has this, so please mod this down too).

Re:Flaws (4, Insightful)

Anonymous Coward | more than 8 years ago | (#13519221)

Oh please, how is a heap overflow of 0x78787878787878... going to be exploitable. This looks like just a regular crash, if these turn you on just watch bugzilla for a few days, they turn up all the time.

A browser is a complex piece of software, of course there are going to be subtle bugs that turn up now and then. Nobody is perfect, and visualizing every possible execution path through a billion SLOC application is impossible. Please stop making a fuss about "OMG BROWSER DoS!!".

Re:Flaws (1)

HvitRavn (813950) | more than 8 years ago | (#13519317)

A billion lines of code? That includes the operating system, then? And maybe your mom's operating system as well?

here you go.... (0)

Guru Goo (875426) | more than 8 years ago | (#13518995)

www.mozilla.org/products/firefox/

This is impossible! (4, Funny)

pdpTrojan (454023) | more than 8 years ago | (#13519003)

Firefox is open source... how can it have a bug in it? Lol, they must have meant Internet Explorer!

Everybody knows that security flaws are only available in Microsoft products. I read it on Slashdot!!! It has to be true!!!

Expose users? (4, Funny)

jdray (645332) | more than 8 years ago | (#13519004)

Did anyone else have a sudden concern that using Firefox would cause you to be "pants'ed"?

Re:Expose users? (5, Funny)

.sig (180877) | more than 8 years ago | (#13519332)

I'm counting on it, I'm passing out copies of firefox to all the women I know....

Tell all your friends! (5, Insightful)

CyricZ (887944) | more than 8 years ago | (#13519012)

If you have gotten your non-techie friends to switch to Firefox, be sure to tell them about this problem and the possible fixes. Indeed, it is very important that Firefox be kept up to date on as many computers as possible, even if it means a short trip to install it for somebody. Nothing will hurt Firefox's reputation more than unpatched installations being exploited.

Re:Tell all your friends! (4, Interesting)

TargetBoy (322020) | more than 8 years ago | (#13519127)

How about having the update checker stop working?

I've seen several computers now where the red arrow icon is always displayed and the update wizard never successfully downloads anything.

Reinstalling doesn't seem to help fix it.

Re:Tell all your friends! (5, Insightful)

killproc (518431) | more than 8 years ago | (#13519389)


"If you have gotten your non-techie friends to switch to Firefox, be sure to tell them about this problem and the possible fixes. Indeed, it is very important that Firefox be kept up to date on as many computers as possible"

Not trying to troll here, but...

Couldn't the same be said for IE or any other browser? If you have non-techie friends that could be vulnerable on any platform, wouldn't letting them know how to check for security updates be the right thing to do?

Should you let them flounder and possibly become zombies for some nefarious spam network because they don't use your "preferred" browser?

Personally, I use Mozilla at home because I like it much better, and encourage all my friends to do the same, but I'm not above recommending security updates to those who choose not to use Mozilla/Firefox.

Well, just another bug (2, Insightful)

guruevi (827432) | more than 8 years ago | (#13519016)

For trolling's sake, it is still better than IE.

Re:Well, just another bug (2, Interesting)

Doches (761288) | more than 8 years ago | (#13519057)

Sure. Yea. But it makes us open-source religinuts look a bit silly, touting our "secure browser" when CNET (which has a very questionably technical readerbase) and others run stories like this. Argh. I'm just going to hit the first IE-phile who uses this little bug in an argument.

Re:Well, just another bug (4, Interesting)

ikkonoishi (674762) | more than 8 years ago | (#13519396)

Yeah because in IE you can't write a greasemonkey script that fixes it.
// Neutralize every link whose URL ends in a run of five or more dashes
var links = document.getElementsByTagName("a");
for (var i = 0; i < links.length; i++) {
  if (/-{5,}$/.test(links[i].href)) {
      links[i].href = "";
      links[i].onclick = function () {
        alert("This link was trying to cause a buffer overflow. It has been appropriately punished. That bad ol' puddy link.");
        return false; // cancel navigation to the now-empty href
      };
  }
}
The above was proof of concept and may not work, but I see no reason why it shouldn't

Oh Crap! (-1, Offtopic)

TripMaster Monkey (862126) | more than 8 years ago | (#13519020)


And here I was, browsing Warez sites not five minutes ago*, using Firefox because I thought it was safer!

( * Hand to God...I actually was.)

Re:Oh Crap! (1, Informative)

CyricZ (887944) | more than 8 years ago | (#13519052)

Why would you be browsing warez sites? You are a Linux user, right? If so, you'd have all the software you ever need. That's the beauty of open source: no need for piracy.

Re:Oh Crap! (0)

Anonymous Coward | more than 8 years ago | (#13519097)

It's for str33t cr3d. He wants to be 1337.

Re:Oh Crap! (1)

beanyk (230597) | more than 8 years ago | (#13519112)


Why would you be browsing warez sites? You are a Linux user, right? If so, you'd have all the software you ever need. That's the beauty of open source: no need for piracy.


I hear they make FireFox for Windows, too ...

Re:Oh Crap! (-1, Troll)

Anonymous Coward | more than 8 years ago | (#13519139)

Why are you stealing? That is the Microsoftie way? If you are a Linux user, then you should have better ethics than that. Next you will be telling us that you voted for bush, all but assuring us that you are a true Microsoftie.

Re:Oh Crap! (1)

therealking (223121) | more than 8 years ago | (#13519212)

Oh that is such bull.

Using Linux doesn't automatically make you born again. All ethically and morally cleansed.

It should be noted (4, Interesting)

GweeDo (127172) | more than 8 years ago | (#13519032)

That the posted exploit only causes Firefox to crash or stop responding (that is what it did to 1.5b1 on my Linux box). The person that found the exploit claims he has tweaked the code to actually run arbitrary code on the system, but I would like to see proof of this since as of right now we only have a hanging browser.

Re:It should be noted (-1, Troll)

B3ryllium (571199) | more than 8 years ago | (#13519125)

So you admit that there's a crack in the levee, but you want to see a gushing torrent of water before you'll admit that there's a problem?

Zealot much?

Re:It should be noted (2, Insightful)

finkployd (12902) | more than 8 years ago | (#13519224)

I was not aware that wanting to classify the severity of a problem made one a zealot...

Finkployd

Re:It should be noted (1)

B3ryllium (571199) | more than 8 years ago | (#13519329)

I meant it in the context of willingly turning a blind eye to the potential severity simply because of an intrinsic belief that it (in this case Firefox) can do no wrong.

I realize it came out as a troll, and I didn't intend that, I just wanted to use an analogy to make a counterpoint about blind faith in engineering ... :)

Re:It should be noted (1)

Gaima (174551) | more than 8 years ago | (#13519201)

Doesn't do a damn thing to me, 1.0.6 on Linux.
With a proxy I get squid's error page, without I get a google search.

Re:It should be noted (1)

photon317 (208409) | more than 8 years ago | (#13519262)


In many cases, a bug which causes a crash when triggered with inappropriately long data turns out to be a bug which can be exploited to execute arbitrary code if the data is carefully crafted to do so. Your test merely reconfirms the basics of this bug. In all likelihood, the guy can run arbitrary code via this bug if he's claiming he's done it.

Re:It should be noted (1)

m50d (797211) | more than 8 years ago | (#13519339)

The only way he could prove it would be to release an exploit that gave a shell or similar, and we don't want that happening.

Re:It should be noted (1)

Itchy Rich (818896) | more than 8 years ago | (#13519360)

The person that found the exploit claims he has tweaked the code to actually run arbitrary code on the system, but I would like to see proof of this since as of right now we only have a hanging browser.

How do we know he didn't already run arbitrary code on your browser? For all we know he 0wn3d your machine and posted that comment himself.

Any Way To Stop This? (1)

TubeSteak (669689) | more than 8 years ago | (#13519035)

I know the Adblock Extension doesn't let you banish [a href="
Anyone know of any stable extension(s) that would?

Bogus (0)

Anonymous Coward | more than 8 years ago | (#13519167)

I get a redirect to google "keyword:--------------------" for both http:${dashes} and http://${dashes} including SSL versions on 1.0.5 on windows. I can try 1.0.6 linux and deerpark alpha but why?

Re:Bogus (1)

_bug_ (112702) | more than 8 years ago | (#13519265)

Same here, 1.0.6/Win.

I've tried every possible combination I can think of and nothing but the same.

Patent infringement (4, Funny)

confusion (14388) | more than 8 years ago | (#13519050)

I thought MS had a patent on unpatched browser flaws?!?!?

Jerry
http://www.cyvin.org/ [cyvin.org]

Re:Patent infringement (1)

dolphinling (720774) | more than 8 years ago | (#13519135)

They do. Everyone else's flaws are automagically patched the instant they're found. Since 12 hours have gone by, you can be sure that not only has this been patched already, but your version of firefox updated itself and you're now safe.

</sarcasm>Actually, if you're using a nightly, that probably will happen in a few hours. The new patching system is awesome. Binary diffs, so no downloading huge files, it downloads in the background so it doesn't disturb you, and installs when you restart firefox. It's amazingly convenient.

Re:Patent infringement (4, Insightful)

SonicBurst (546373) | more than 8 years ago | (#13519375)

The new patching system is awesome. Binary diffs, so no downloading huge files, it downloads in the background so it doesn't disturb you, and installs when you restart firefox. It's amazingly convenient.

Yes, but would you have said the same thing if you had replaced the word firefox with the word windows in that sentence? I say that only because that's what WAU does these days, though I forget for how long it has been doing the binary diffs. I think that came along with the latest BITS update sometime in early summer this year, but can't be sure. Just FYI.

The response is the key (1)

d-rock (113041) | more than 8 years ago | (#13519061)

It all comes down to how quickly a patch can be made and distributed. IIRC, the next version of FireFox will have support for incremental updates which will make this kind of thing easier to deal with on updates. I'm curious if it affects the Mozilla suite in any way; I had thought they shared a lot of code.

Derek

Hmm... (1)

WhiteWolf666 (145211) | more than 8 years ago | (#13519065)

Doesn't work on Firefox for Mac OS X, 1.0.6

Anyone got any experiences on other platforms?
Anyone know if this can do anything other than crash the browser?

Re:Hmm... (1)

Anonymous Custard (587661) | more than 8 years ago | (#13519206)

I made an HTML file (with editplus 2), and pasted <A HREF=https:---------- > into the body.

I opened the local html file in firefox, and... nothing happened.

?

Also, I wonder what happened between him and the firefox developers that made him go public so soon after reporting it to them.

Re:Hmm... (1)

kryten_nl (863119) | more than 8 years ago | (#13519296)

(GNU/)Linux RH9 (sort of :] ) and am having no problems.
<html><body>
<A HREF=https:-------{repeat} >test</a>
</body></html>
This should do it if I understand correctly. But try for yourself.

more info at (2, Funny)

jbeaupre (752124) | more than 8 years ago | (#13519076)

more information on the bug at: www.youissostupid.ru/scriptyuiopuioqwhjklfashuiopy uiopuiopuiopuouihjklasd-2789789-hfsjadkhuiof

Re:more info at (0)

Anonymous Coward | more than 8 years ago | (#13519107)

It should be here [slashdot.org] .

Re:more info at - Bogus FUD bug (1)

HermanAB (661181) | more than 8 years ago | (#13519280)

Sorry, that also doesn't trigger anything in Firefox. This seems to be a bogus exploit.

Re:more info at (1)

advocate_one (662832) | more than 8 years ago | (#13519324)

that gave
404 File Not Found


The requested URL (--------------(rest deleted cos of lameness filter)) was not found.

If you feel like it, mail the url, and where ya came from to xxxxx@slashdot.org.

and this was with Firefox 1.0.6...

Re:more info at (0)

Anonymous Coward | more than 8 years ago | (#13519362)

didn't work on 1.5b either

exploits? (4, Interesting)

samjam (256347) | more than 8 years ago | (#13519101)

The bug depended on the host name being all ---

It will be hard to craft some exploit code using only the - character.

It may DOS and cause instability; as for those "but, open source should be proof against this" nay-sayers, I'm pretty certain from the advisory [security-protocols.com] that this could only be properly discovered because the source was available.

hmmmm, maybe if you can trick users to click on bad links a few times it might cause heap corruption and crashing; maybe if you get them to download the right page a few times to pre-load the heap, and then a few ----- might cause the browser to execute from the heap,

A look at the source will show the consequences of this and show what sort of pathway there is to arbitrary code execution. I guess it could be exploitable...

Sam

Re:exploits? (1)

Lehk228 (705449) | more than 8 years ago | (#13519174)

if you can convince users to click a link why not just send them to goatse?

Re:exploits? (1)

samjam (256347) | more than 8 years ago | (#13519371)

Cos you don't want them to know that they've been exploited?

Sam

buffer overflows (3, Interesting)

diegocgteleline.es (653730) | more than 8 years ago | (#13519106)

The security vulnerability is a buffer overflow flaw that "allows for an attacker to remotely execute arbitrary code" on a vulnerable PC,

Just for curiosity, can Firefox be compiled with the compiler parameter which adds code to detect a wide variety of such bugs? It's what Microsoft did at IE in the XP SP2; does it have "sense" to do the same for firefox?

Re:buffer overflows (2, Interesting)

CTho9305 (264265) | more than 8 years ago | (#13519385)

Releases are built with Microsoft Visual C++ 6, because there are concerns that the license of newer versions would not allow the builds to be distributed.

Unacceptable (3, Insightful)

goldspider (445116) | more than 8 years ago | (#13519109)

"The final release of the next Firefox update, which includes security enhancements, is due by year's end, according to the Firefox road map."

We rightly criticize Microsoft for not responding to security concerns in a timely manner. I hope the Mozilla Foundation will be held to the same standard.

article is misleading, 1.07 will come soon (1)

free2 (851653) | more than 8 years ago | (#13519250)

The article is misleading, since firefox 1.01, 1.02, 1.03 and so on up to 1.06 are all security updates that were quickly released each time such bug was found. I do expect 1.07 this monday.

Inconsequential (-1, Flamebait)

Anonymous Coward | more than 8 years ago | (#13519110)

Not enough people use Firefox to give a fuck.

AGAIN?!?!?!? (-1, Troll)

Anonymous Coward | more than 8 years ago | (#13519113)

Buffer overflow - AGAIN??

Vulnerability disclosure immediately after new version release - AGAIN???

WTF is up with Firefox? It's getting to be as bad as Internet Explorer!

Proof of concept (1, Redundant)

patio11 (857072) | more than 8 years ago | (#13519114)

Re:Proof of concept (1)

patio11 (857072) | more than 8 years ago | (#13519169)

Unfortunately (?), Slashdot autorepairs the URL in a way which defeats the attack. But you can still see an example of it at his website [security-protocols.com] .

Re:Proof of concept (1)

patio11 (857072) | more than 8 years ago | (#13519229)

I lied. I can't get this to crash my install, either. Mozilla/5.0 (Windows; U; Windows NT 5.1; ja-JP; rv:1.7.8) Gecko/20050511 Firefox/1.0.4

That's what I get for repeating a security bulletin without testing it, I suppose.

Re:Proof of concept (1)

LizardKing (5245) | more than 8 years ago | (#13519298)

No crash here: Firefox 1.0.6 on NetBSD 2.0.2.

Re:Proof of concept (1)

lpangelrob (714473) | more than 8 years ago | (#13519170)

This redirects me to a Google search, specifically with URL "keyword:(insert 40 -'s here)"

I am on a Win2kPro box. Hasn't crashed the browser session, though.

Re:Proof of concept (1)

molo (94384) | more than 8 years ago | (#13519186)

No crash for me.

Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.7) Gecko/20050414

-molo

Re:Proof of concept (2, Informative)

Gori (526248) | more than 8 years ago | (#13519284)

Actually, I have searching from the location bar setup as default, and only thing I get is firefox opening a google search with a bunch of dashes in it. (this is on linux)

So kind of pointless exploit in this case ?

So, to protect yourself
go to about:config and change keyword.URL to http://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8 &q= [google.com]

and keyword.enabled to true

Re:Proof of concept (1)

tgd (2822) | more than 8 years ago | (#13519367)

Something here, probably the google toolbar, just sent me to a google search for that.

Re:Proof of concept (1)

advocate_one (662832) | more than 8 years ago | (#13519387)

nah nah... I got this...
No such domain Your request for
https://--------------deleted/ [--------------deleted] cos of lameness filter):443/ could not be fulfilled,
because the domain name ------------(deleted cos of lameness filter) could not be resolved.

This is often a temporary failure, so you might just try again.

with firefox version: Mozilla/5.0 (X11; U; Linux i686; en-GB; rv:1.7.10) Gecko/20050721 Firefox/1.0.6 (Ubuntu package 1.0.6)

privoxy in use... not caring enough to specially disable privoxy... someone could probably try

So, the question is ... (3, Interesting)

WillAffleckUW (858324) | more than 8 years ago | (#13519119)

would you rather find out about a bug and fix it:

A. before you release a version (Firefox);

or

B. years after you release a version (IE).

Well? Which is better? If you choose option B, you can deny there's a problem for 1-2 years, start working on a fix in 2-3 years, nay-say press rumors about the bug in 3-4 years, and fix it and release the bug fix in 4-5 years.

I choose option A.

Re:So, the question is ... (1)

hagrin (896731) | more than 8 years ago | (#13519230)

I choose option A and have to develop for IE here at work:

From TFA:

Ferris has found bugs in Microsoft software before, including a yet-unpatched flaw in Internet Explorer that Microsoft still has under investigation.

I work at a Windows based company and I can't even begin to describe my frustration over issues just like the one above. I spend a lot of unnecessary time as a networking guy as opposed to a programmer because the only way to protect my users from their insecure browser is to configure Websense to block everything on the web and create ACLs on all of routers to prevent any traffic from problem domains.

IE at this point takes away from my development time, forces me to code with rudimentary(sp?) CSS and only has the benefit of having me keep up to date with ACL policies and networking/security issues.

Re:So, the question is ... (1)

WillAffleckUW (858324) | more than 8 years ago | (#13519304)

From TFA:

Ferris has found bugs in Microsoft software before, including a yet-unpatched flaw in Internet Explorer that Microsoft still has under investigation.

I work at a Windows based company and I can't even begin to describe my frustration over issues just like the one above. I spend a lot of unnecessary time as a networking guy as opposed to a programmer because the only way to protect my users from their insecure browser is to configure Websense to block everything on the web and create ACLs on all of routers to prevent any traffic from problem domains.


Back when I was a MSDN Developer, it took me over three months to get them to admit there was an Access bug that they had a patch for (as it was in another suite, I could see the version number and date), and let me download a copy so I could use it to fix a serious flaw that it addressed. It was another year before they admitted in the press it existed, and was only released after the press hounded them for six months.

Sigh.

If it was open source, of course, one could fix it oneself if it was important.

Re:So, the question is ... (1)

LnxAddct (679316) | more than 8 years ago | (#13519363)

Well I went to the guy's exploit site that he had in his advisory and nothing happened despite my browser being supposed to crash. He also said that you can execute arbitrary code, but the exploit depends on everything being dashes. I'd be suspicious about the severity of the bug, but yes it does need fixing.
Regards,
Steve

Re:So, the question is ... (1)

HermanAB (661181) | more than 8 years ago | (#13519380)

How about: Fix it before the bug is found?

This seems to be a Bogus FUD Bug - it doesn't affect FF at all.

I call Bullshit.

Uhm, your point? (2, Interesting)

Alien Venom (634222) | more than 8 years ago | (#13519123)

Well, unlike Microsoft (and IE) which doesn't really care about the bad press its browser gets; I know for a fact that Mozilla and the people that work on Firefox, do.

Does CNET really think that Mozilla group is going to ignore it? I don't really see the point of the article. It seems like they were more interested in saying, "Oh, hey. Look, we're cool too because we found a flaw in Firefox."

I'm sure it'll be fixed in a couple of days in the nightly builds. The new auto-update mechanism in 1.5 wasn't implemented for nothing. And it's the things like these that make Mozilla (Firefox) a good browser. No matter what kind of press (or lack of) that it gets, bugs still get fixed.

Personally, I think CNET is trying to jump on the Firefox-bug-reporting bandwagon like everyone else.

Re:Uhm, your point? (1)

Frankie70 (803801) | more than 8 years ago | (#13519196)


Does CNET really think that Mozilla group is going to ignore it?

Maybe the Mozilla group already knows about it for many many months but because the bug is tagged as "Security-Sensitive", nobody else knows about it. Didn't that happen with a few security bugs in Mozilla?

This doesn't work for me... (1)

lpangelrob (714473) | more than 8 years ago | (#13519126)

Other users are reporting hangs... this doesn't work for me.

Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6

I suspect I may have an extension that is preventing the hang, but I have 17 extensions and no time to isolate. :-)

  • Web Developer 0.9.3
  • TargetAlert 0.8.7.3
  • Adblock 0.5.2.039
  • Gmail Notifier 0.4.3
  • Linkification 0.9.20
  • Firesomething 1.7.0
  • ColorZilla 0.8.2
  • Sage 1.3.5
  • SlashFix 0.21
  • Greasemonkey 0.3.3
  • InfoLister 0.8.2
  • Minimize to Tray 0.0.1.20050212
  • Flashblock 1.3.1
  • Tab Mix 0.2.1
  • netcrafttoolbar 1.0.3.1
  • SessionSaver .2 0.2.1.027
  • Bookmarks Synchronizer 1.0.1

Re:This doesn't work for me... (1)

LiquidCoooled (634315) | more than 8 years ago | (#13519247)

I think you have too many addins running to allow a new window/tab to open ;)

That's like the startup list of a middle manager.

Do you find all the extra menus and options a bit of a headache, or is everything used often?

Re:This doesn't work for me... (1)

Ark42 (522144) | more than 8 years ago | (#13519315)

Tested under VMWare, under both Windows 2000 and Windows XP clean install images. Installed both FF 1.0.6 and then later 1.5 Beta 1 (after restoring the OS image to remove traces of 1.0.6). I tried tag soup and with a strict doctype. I tried putting quotes around all the ---. I tried putting hundreds of extra ---s. Nothing resulted in anything except being redirected to Google with keyword:----- appearing in the location bar.

Re:This doesn't work for me... (1)

Jane_Dozey (759010) | more than 8 years ago | (#13519349)

The "exploit" doesn't work for me either, I get sent over to google.

The only extensions that I have in your list are adblock and flashblock, neither of which I can imagine being the random fix.

I'm guessing the guy who found the problem didn't bother checking this out very well before he published.

using extensions against exploits (1)

diegocgteleline.es (653730) | more than 8 years ago | (#13519374)

Actually...I wonder: Could someone develop an extension which stops a (this) exploit?
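A sketch of the kind of check this question asks for, added here as an example; it is not part of any comment in the thread and not code from Mozilla or the advisory. It works on raw HTML text, so it could sit in a filter in front of the browser, and it assumes the reading given elsewhere in the thread that the trigger is a link whose host part is nothing but dashes; the function names and the `MIN_DASHES` threshold are assumptions.

```javascript
// Added example (not from the thread): find and defuse links whose host part
// consists only of dashes, the link shape commenters describe for this bug.

// Assumed threshold; the thread gives no exact length at which Firefox misbehaves.
const MIN_DASHES = 5;

// <a ... href=VALUE> with VALUE double-quoted, single-quoted or bare
// (the samples posted in the thread use the bare form).
const HREF_RE = /(<a\b[^>]*?\shref\s*=\s*)(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;

// Number of dashes in the host if the host is nothing but dashes, else 0.
function dashHostLength(href) {
  // Scheme, optional "//", then the authority up to the first /, ? or #.
  // The "//" is optional because the thread's samples look like "https:-----".
  const m = /^\s*(?:https?|ftp):(?:\/\/)?([^\/?#]*)/i.exec(href);
  if (!m) return 0; // relative links and other schemes are ignored
  // Drop userinfo and port so that only the host itself is judged.
  const host = m[1].replace(/^.*@/, "").replace(/:\d*$/, "");
  return /^-+$/.test(host) ? host.length : 0;
}

// List every suspicious link in an HTML string.
function findDashLinks(html) {
  const hits = [];
  for (const m of html.matchAll(HREF_RE)) {
    const href = m[2] ?? m[3] ?? m[4];
    const dashes = dashHostLength(href);
    if (dashes >= MIN_DASHES) hits.push({ href, dashes });
  }
  return hits;
}

// Return the HTML with each suspicious href replaced by "#".
function neutralizeDashLinks(html) {
  return html.replace(HREF_RE, (whole, prefix, dq, sq, bare) => {
    const href = dq ?? sq ?? bare;
    return dashHostLength(href) >= MIN_DASHES ? prefix + '"#"' : whole;
  });
}

// Constructed sample input, modelled on the snippets quoted in the thread.
const SAMPLE = [
  "<A HREF=https:" + "-".repeat(10) + " >test</a>",
  '<a class="x" href="http://' + "-".repeat(20) + '/">more info</a>',
  // Ends in dashes but has an ordinary host, so it is left alone.
  "<a href='https://example.org/release-notes-----'>notes</a>",
  '<a href="http://a-b.example/">ok</a>',
].join("\n");

console.log(findDashLinks(SAMPLE));
console.log(neutralizeDashLinks(SAMPLE));
```

Judging the host rather than the end of the URL keeps ordinary links that merely end in dashes intact.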

1.5 safe? (1)

crabpeople (720852) | more than 8 years ago | (#13519140)

I don't understand. Is 1.5 safe? or is the version coming "sometime in the distant future" the safe one?

I mean if I just downloaded the new firefox 1.5 (wtf last version was 1.06 THAT won't confuse people, skipping 44 versions). I just want to know if 1.5 is secure against this. It would be pretty ironic if the version announced for download today did not address a security flaw also posted to slashdot on the same day :P

do I expect too much?

Re:1.5 safe? (1)

dolphinling (720774) | more than 8 years ago | (#13519279)

You didn't download 1.5, you downloaded the 1.5 beta 1 release candidate. That's triply qualified as not 1.5.

It's not fixed yet, but when it is, you'll get it automatically when firefox updates itself (the new update system is awesome).

Re:1.5 safe? (2, Informative)

beerman2k (521609) | more than 8 years ago | (#13519340)


I don't understand. Is 1.5 safe?
I'd say RTFA, but this is Slashdot after all...

If you had read the article you would have found a link to the advisory [security-protocols.com] which clearly states the following:

Vendor:
Mozilla

Versions Affected:
Firefox Win32 1.0.6 and prior
Firefox Linux 1.0.6 and prior
Firefox 1.5 Beta 1 (Deer Park Alpha 2)

Overview:
A buffer overflow vulnerability exists within Firefox version 1.0.6 and all other prior
versions which allows for an attacker to remotely execute arbitrary code on a affected
host.

Re:1.5 safe? (0)

Anonymous Coward | more than 8 years ago | (#13519388)

1.5 has not been released yet. What was released today was the first beta of 1.5. 1.5 is apparently expected at year's end.

Elinks (1, Interesting)

Jessta (666101) | more than 8 years ago | (#13519150)

I use elinks.
maybe it's secure, maybe not.
Due to the lack of graphics support and javascript there is a good chance it is more secure than most other browsers.
Also nobody is going to target it. :)

Let the Celebrations begin (0, Flamebait)

Frankie70 (803801) | more than 8 years ago | (#13519152)

This is a good time for slashdot's OSS cheerleaders
to start celebrations about how fast this bug is going to be fixed & how great Open Source is.

He sounds like a self-promoting twit (4, Insightful)

93 Escort Wagon (326346) | more than 8 years ago | (#13519176)

I can see why some folks will publicize exploits if they feel the software maker isn't responding in a timely manner. But c'mon - he just reported this to the Mozilla folks on Sunday!

Re:He sounds like a self-promoting twit (1)

Jane_Dozey (759010) | more than 8 years ago | (#13519384)

And to make matters worse he's not been keeping in contact with them to check on the status of the problem.

I think he needs to take a more responsible approach to disclosing security holes instead of rushing off to publish and get his little bit of fame.

Here's my fix (1)

El_Muerte_TDS (592157) | more than 8 years ago | (#13519180)

Tell everybody to type in the URL instead of clicking on it.

Nobody is going to type those long URLs, so they won't even visit those pages.

Buffer overflow (2, Interesting)

Spy der Mann (805235) | more than 8 years ago | (#13519191)

From TFA:

"The security vulnerability is a buffer overflow"

Buffer overflows aren't very easy to catch, but I thank the guy who discovered it. This way we can make Firefox a more secure browser every time.

But frankly, I don't know how to feel. Embarrassed because buffer overflows are the result of sloppy buffer programming, or proud because Firefox has much fewer buffer overflows than windows products?

Re:Buffer overflow (1)

LnxAddct (679316) | more than 8 years ago | (#13519386)

The exploit depends on everything being dashes, it causes the browser to crash, but I don't believe code can be executed as the guy claims. You just get a really corrupted heap.
Regards,
Steve

Year's end? (2, Funny)

Swamii (594522) | more than 8 years ago | (#13519214)

This is why open source is better! M$ expects me to wait until year's end for a patch?! What am I supposed to do until then, hide in a cave?

What's that you say? This isn't an article about Microsoft?

Oh, nevermind then.

workaround (3, Informative)

Anonymous Coward | more than 8 years ago | (#13519228)

about:config -> network.enableIDN -> false

be happy!

Nope - not on my v1.06 Firefox (2, Informative)

HermanAB (661181) | more than 8 years ago | (#13519234)

I made a page with the supposed bad link full of dashes and all that happens, is that FF tries to do a Google lookup on "keyword:---lots of dashes here---"

This seems to be a dud exploit...

Re:Nope - not on my v1.06 Firefox (1)

greenskyx (609089) | more than 8 years ago | (#13519364)

Same exact thing happened to me. You figure someone would try this before reporting it. What crap. Although I can't say CNET has ever been a good source for news.

How is this even news? (-1, Flamebait)

omglol (913666) | more than 8 years ago | (#13519242)

It's not like anyone other than basement dwelling anime/manga geeks use Firefox.

Best way to find out (1)

RUFFyamahaRYDER (887557) | more than 8 years ago | (#13519267)

I like hearing about Firefox exploits this way rather than having it mess up my computer by learning about these exploits the hard way.

I've had problems with another browser (guess) in the past where I found out about an exploit the hard way and then found out that the exploit had been a known problem for a very long time. At least we know that the people behind Firefox will have a fix probably within the next few days, but no longer than a couple weeks.

not crashing (2)

roman_mir (125474) | more than 8 years ago | (#13519283)

under winxp I can't get this to crash. Crap! I thought windows should help with things like this! (Clippy: -So, it looks like you are trying to crash your browser. Need help?)

Re:not crashing (2, Funny)

kryten_nl (863119) | more than 8 years ago | (#13519393)

Clippy: 'If you would like to see the BSOD: create a new Word document, make it 50 pages long and try to save.'

Simple solution (-1, Troll)

Anonymous Coward | more than 8 years ago | (#13519310)

Just blame it on MS and keep quiet (or say "Firefox is great" and keep quiet)...

So what should I do? (0)

Anonymous Coward | more than 8 years ago | (#13519318)

I followed several links from other posters, as well as TFA, and all anybody said was "it's unpatched."

Hell, most IE exploits can be gotten around by disabling Active-X.

So as a Firefox user (at home, I'm on a Windows IE boxen here), what should I do to protect myself? Use IE?

That doesn't seem like a particularly safe thing to do to me. Anybody have any workarounds, short of not browsing /. and its 100 redundant "you can get a fix <h t t p://www.slashdot.org/-----------------">here</a>" posts?

Won't fix - Bogus FUD Bug (1)

HermanAB (661181) | more than 8 years ago | (#13519323)

I guess this Bogus FUD Bug will be another "Won't Fix" item in the Firefox Todo list, since you can't really fix a bug that isn't there...

Oh well, what the hell - Yosarian, Catch 22.

Is Won't fix a Bogus FUD Bug, or real like Yahoo? (1)

WillAffleckUW (858324) | more than 8 years ago | (#13519366)

I think most Won't Fix items in the Firefox To do list are probably more like the bug I submitted for music.yahoo.com where it won't run something that another person wrote who won't fix it.

That would be my guess.

It's kind of mystifying why, even if they are closed source, people like the folks at music.yahoo.com won't fix such an obvious problem - it's not like Firefox created the problem per se, and it is kind of awkward to go and fix it - but I guess the Yahoo folks are sitting on their piles of cash and feeling sorry they're not Google coders or something like that, instead of fixing flaws in major browser implementations caused by their code.

That would be my guess

Time to switch back!?! (0)

Anonymous Coward | more than 8 years ago | (#13519376)

OMG!

A bug in firefox, let's all go back to IE because it's so much better and has none... no wait, it does!

In short I'm sure a lot of people will cry over this bug (yes I know it's not the only one) and stupidly switch back just on that basis. Wonder how long until this one will get sorted compared to Microsoft's patch turn around ;)

Not A Problem: Win98 and Mozilla 1.7.8 (0)

Anonymous Coward | more than 8 years ago | (#13519397)

I get a dialog box indicating that the URL could not be found. No error, no hang, no interruption or problem whatsoever.