
Another Denial of Service Bug Found in Firefox 2

samzenpus posted more than 7 years ago | from the be-more-secure dept.

206

An anonymous reader writes "A second security flaw that could cause the new Firefox 2 browser to crash has been publicly disclosed. The vulnerability lies in the way the open-source browser handles JavaScript code. Viewing a rigged Web page will cause the browser to exit, a representative for Mozilla, the publisher of the software, said Wednesday. Contrary to claims on security mailing lists, the bug cannot be exploited to run arbitrary code on a PC running Firefox 2, the representative said. This flaw in the JavaScript Range object is different than the denial-of-service vulnerability in Firefox 2 that was confirmed by Mozilla last week. That bug is related to a more serious security hole, which was fixed in earlier versions of Firefox, the organization has said. The two 'crashers' are the only publicly released vulnerabilities that have been confirmed by Mozilla in the week since Firefox 2 was launched. The issues are only minor, the organization has said."


206 comments


JAVASCRIPT HAS BEEN BUKAKKING YOU SINCE '95 (1)

CmdrTaco (troll) (578383) | more than 7 years ago | (#16685423)

N/T

LOL IE Users! (0)

Anonymous Coward | more than 7 years ago | (#16685437)

Switch to Firefox, idiots! None of the security problems!

See? [mozilla.com]

Re:LOL IE Users! (3, Insightful)

Mikachu (972457) | more than 7 years ago | (#16685571)

Except let's see how long it takes for the Firefox team to patch up these flaws as opposed to IE.

Re:LOL IE Users! (1)

biocute (936687) | more than 7 years ago | (#16685605)

It doesn't matter how long.

I'm sure Microsoft will still get hammered even if it issues 0-day patches.

Re:LOL IE Users! (1)

Tim C (15259) | more than 7 years ago | (#16686929)

Of course they will - there shouldn't have been a problem in the first place, rolling out patches is a pain, "what about the ones they've not told us about?", etc.

Make no mistake, a lot of people on here aren't so much pro-OSS as they are anti-MS.

(Disclaimer: I have not and never will use IE as my primary browser)

Re:LOL IE Users! (2, Interesting)

paul248 (536459) | more than 7 years ago | (#16685717)

I filed a bug for another DoS over a year ago and they still haven't fixed it:

Crash Firefox [purdue.edu]

The insta-crash only seems to work on Linux though.

Re:LOL IE Users! (0)

Anonymous Coward | more than 7 years ago | (#16686415)

https://bugzilla.mozilla.org/show_bug.cgi?id=59314 [mozilla.org]

Opened: 2000-11-06

(Interestingly enough, firefox crashed when I was going to post this message...)

Re:LOL IE Users! (1)

Daath (225404) | more than 7 years ago | (#16686649)

Was that link supposed to crash my firefox? Nothing happened using Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1) Gecko/20061025 BonEcho/2.0 (mmoy CE K8C-X01)...

Re:LOL IE Users! (1)

Richard W.M. Jones (591125) | more than 7 years ago | (#16686963)

Firefox 2.0 on Linux - yup, it crashes. Even worse the session save feature causes it to crash when it starts up next time. I had to hand-edit sessionsaver.js to stop it reopening the URL.

Rich.

Re:LOL IE Users! (1)

charlieman (972526) | more than 7 years ago | (#16687081)

It crashed my Firefox 1.5 on Linux...
Weird... opening the image directly doesn't crash...

Re:LOL IE Users! (0, Flamebait)

DeviousDevil (1021597) | more than 7 years ago | (#16685787)

What a surprise, slashdot/firefox fan boys don't mind the bugs in FF. If this was a bug being reported in IE you guys would be slagging both it and MS off even if you could simply turn script off, or wait for the patch. But because it's not IE (or an MS product for that matter) you don't bat an eyelid, furthermore you have a go at MS even though it's a FF problem, for crying-out-loud. You guys are such hypocrites. Oh and by the way MS release patches quite regularly (although they get slagged off for that as well, they can't win).

Re:LOL IE Users! (1)

Propaganda13 (312548) | more than 7 years ago | (#16685863)

Actually, I have no problem bashing FF either. I'm fair about it.

1. Is it a security hole or just a bug?
2. Likelihood of encountering bug
3. Overall effect of the bug
4. Time it takes to actually patch bug (ie no turn-off workarounds)

If it's just a bug that takes a specially coded web site to just crash my browser, I'm not too worried.

Security flaws or common crashes will get me annoyed.

Re:LOL IE Users! (1)

Skreems (598317) | more than 7 years ago | (#16685889)

In the end it doesn't really matter. /. posters are a small but vocal fringe group who more likely than not will have no measurable effect on the browser market. The true test is what the public at large thinks, and they seem to think that Microsoft is relatively good at what they do, but the more tech-savvy among the general population have found that Firefox has a better feature set. A couple bugs on either side aren't going to sway a bunch of people one way or another, because bugs "Just Happen". It's an accepted part of computing, and nobody really cares. IE users will feel smug, Firefox users will download a patch, and next time the roles will be reversed. It just doesn't matter.

Re:LOL IE Users! (1)

makomk (752139) | more than 7 years ago | (#16687183)

Are you kidding? Internet Explorer has so many DoS/crash bugs, I don't think a new one would ever make Slashdot - it's just not news anymore (take a look at the Browser Fun blog for some examples, though it's out of date by now). Konqueror has a few too (take MangleMe to it and you'll see what I mean), and I bet Safari and Opera do as well. [blogspot.com]

Re:LOL IE Users! (0)

Anonymous Coward | more than 7 years ago | (#16686229)

Though, I don't doubt the ability for the Firefox team to patch these issues, what irks me are the developers' egos that have taken over Firefox, these issues were discussed and theorized ages ago before even Firefox 1.5 came out (maybe even before Firefox name change itself, not sure) and of course people came up with solutions, that have since never made it into any Firefox update because of complications (mainly DEV ego). Javascript in Firefox is absolutely horrible, a complete mess and just waiting to be exploited, don't be surprised to see more of these crop up. Those hackers who said they had a method to load up spyware via firefox through a JS exploit, I just might believe they have something up their sleeve. The longer these issues remain, the more problematic they'll get version after version.

I am hoping Seamonkey will go on a different path.

Re:LOL IE Users, if you're stupid (1)

Kludge (13653) | more than 7 years ago | (#16686611)

Since when has a crashing browser been a security problem?
Back when mozilla was young, certain sites would make it regularly crash. I just didn't go back to those sites. The browser was still far superior to IE, which drives me nuts if I have to use it.

Re:LOL IE Users, if you're stupid (1)

moogs (1003361) | more than 7 years ago | (#16687087)

today i switched back to IE after getting sick of firefox.

yes, i am ashamed to admit it. but help me solve the problem anyway.

i read about this somewhere (slashdot i think), where sites with flash ads make firefox hang, where i have to end process using the task manager in windows. the site in question is friendster. turning off flash isn't really an option, as i use flash for other sites, and my adblock plus doesn't work on flash ads.

so what do you think?

Old times (4, Insightful)

managementboy (223451) | more than 7 years ago | (#16685441)

It used to be that if an application crashed, it was called just that: it crashed. Today it's a DOS attack! Imagine how many DOS my old Windows 3.11 had... come to think of it, it only had one DOS.

We present "DOS reloaded"!

Re:Old times (1)

utlemming (654269) | more than 7 years ago | (#16685451)

If you read the article, Microsoft is calling one of theirs a design decision. I love those undocumented features...

Re:Old times (1)

eklitzke (873155) | more than 7 years ago | (#16685461)

Like it or not, the fact remains: if you can cause someone's application to crash, it is a denial of service. Treating it as a security flaw is completely justified.

Re:Old times (0)

Anonymous Coward | more than 7 years ago | (#16685473)

like it or not, if you're using your website to crash the browsers of your visitors, you're running a denial of service against yourself. but what happens with the browser is still a crash ;)

Re:Old times (1)

kfg (145172) | more than 7 years ago | (#16685621)

Treating it as a security flaw is completely justified.

While it is a flaw in the code, I would call shutting down on the detection of a maliciously rigged web site a security enhancement.

KFG

Re:Old times (0)

Anonymous Coward | more than 7 years ago | (#16685667)

Heh. But seriously, what's the impact of a browser DoS: Oh no! A malicious web page can... close your browser window!!! :-\ I think a javascript alert loop would be more annoying.

Re:Old times (1)

Merusdraconis (730732) | more than 7 years ago | (#16685741)

Unless it's IE, in which case it's yet another example of Microsoft's shoddy coding?

Re:Old times (1)

kfg (145172) | more than 7 years ago | (#16685631)

It used to be that if an application crashed, it was called just that: it crashed. Today it's a DOS attack!

Wait until next year when it becomes a suspected cyber warfare attack.

KFG

Re:Old times (4, Insightful)

cperciva (102828) | more than 7 years ago | (#16685651)

It used to be that if an application crashed, it was called just that: it crashed. Today it's a DOS attack!

Not necessarily. Application-crashing bugs are Denial of Service bugs if they can be triggered remotely.

There's a fundamental difference between "I can make my copy of FireFox crash" and "I can make your copy of FireFox crash".

Re:Old times (1)

phorm (591458) | more than 7 years ago | (#16685827)

It is, but it seems that the term is used broadly. In many cases, the term DOS was often used as a term to describe an attack which would render an entire system inoperable. That is to say, when I heard it used in this context, I expected that it would crash the browser, and lock or disable the OS. As it is, it's still an annoying bug, but having to simply restart the browser hardly seems as serious as a full-out machine crash.

Re:Old times (1)

WilliamSChips (793741) | more than 7 years ago | (#16686655)

I remember DOS making entire systems unusable... :P

Re:Old times (0)

Anonymous Coward | more than 7 years ago | (#16685935)

There's a fundamental difference between "I can make my copy of FireFox crash" and "I can make your copy of FireFox crash".

Indeed. So how exactly do you use this bug to crash my copy of FireFox without asking me to do something? You can't, can you. So then it's not a "DOS" attack.

Re:Old times (3, Insightful)

jesser (77961) | more than 7 years ago | (#16686109)

More to the point, there's a fundamental difference between "I can make your copy of Firefox crash when you visit my site" and "I can make your copy of Apache crash".

Crash bugs in client software such as web browsers are "crashes", not "DoS vulnerabilities".

firefox 2 (1)

tedmg09130913 (635019) | more than 7 years ago | (#16685445)

Is anyone else thinking that running firefox 2 with noscript installed means this vulnerability is no big deal?

Yes, idiots are thinking that. (0)

Anonymous Coward | more than 7 years ago | (#16685479)

A non-mofo extension that avoids the problem by disabling javascript isn't really a solution. 99% of Firefox users don't even know what noscript is.

Re:Yes, idiots are thinking that. (0)

Anonymous Coward | more than 7 years ago | (#16685589)

For the enlightened 1% it solves the problem, though. You could become one of them. Or could have become one before this was known because you had some shitty experiences with JS on certain websites.

Re:firefox 2 (1)

bassgoonist (876907) | more than 7 years ago | (#16685807)

noscript ftw! https://addons.mozilla.org/firefox/722/ [mozilla.org]

should be part of FF...

Re:firefox 2 (1)

baadger (764884) | more than 7 years ago | (#16686169)

Interesting you say that, the Gentoo Linux Firefox ebuild (package) maintainers recently added a "restrict-javascript" USE flag (install option) which installs the NoScript extension system wide (for all users).

Re:firefox 2 (1)

Caesar Tjalbo (1010523) | more than 7 years ago | (#16686451)

Javascript is apparently a big deal. Even on completely static pages ffs not to mention entire sites coded in js. It can be very useful but the average sitebuilder seems to include js by default, useful or not. [/rant]

Want to know a secret? (-1, Offtopic)

Anonymous Coward | more than 7 years ago | (#16685529)

Check out my site sosecret.com [sosecret.com] and tell me what you think.

It also has newbie's privacy bug (1)

cucucu (953756) | more than 7 years ago | (#16685533)

It also has a beginner's privacy bug: (full disclosure: my blog) http://tech-dissect.blogspot.com/2006/10/firefox-privacy-bug.html [blogspot.com] .
In short: Ctrl-Shift-Del doesn't delete everything you expect it to delete, your browse history can still be recovered.

Re:It also has newbie's privacy bug (1)

smeagols_ghost (644286) | more than 7 years ago | (#16685635)

1.5.0.7 on xp clears the javascript console on browser close.

But it should wipe it on ctrl-shift-del

Re:It also has newbie's privacy bug (1)

AlHunt (982887) | more than 7 years ago | (#16687019)

>It also has a beginner's privacy bug: (full disclosure: my blog) http://tech-dissect.blogspot.com/2006/10/firefox-privacy-bug.html [blogspot.com]

Interestingly, your blog crashes Konqueror on my machine. Repeatedly.

Re:It also has newbie's privacy bug (1)

cucucu (953756) | more than 7 years ago | (#16687043)

That's curious as it's a standard blogger blog (with google analytics).
Do other blogger blogs crash Konqueror too?
Which exact URL causes the crash?

Not for Mac users (-1, Troll)

Anonymous Coward | more than 7 years ago | (#16685535)

They never deny anyone the service of their assholes. The filthy little fags.

Ah, browsers... (0)

Anonymous Coward | more than 7 years ago | (#16685545)

FF: "It's a bug!"
IE: "It's a feature!"

Semi-off topic but (0)

Anonymous Coward | more than 7 years ago | (#16685553)

Just FYI, Microsoft has officially put IE 7 on Microsoft/Windows Update as an option to automatically upgrade.

For reals this time.

I want a refund! (1)

www.sorehands.com (142825) | more than 7 years ago | (#16685587)

Another bug?? I want a refund! It's free? I want double my money back!

Re:I want a refund! (1)

jt2377 (933506) | more than 7 years ago | (#16686009)

it's free thus you don't cry murder but if MS's IE has a bug...you want blood. typical.

Re:I want a refund! (1)

geminidomino (614729) | more than 7 years ago | (#16686873)

IE is "free" in the same way the shell is "free" when you buy the cannoli.

Install (2, Informative)

ms1234 (211056) | more than 7 years ago | (#16685601)

You could install NoScript addon... Great utility :)

Re:Install (1)

CCFreak2K (930973) | more than 7 years ago | (#16685623)

Parent has a point. These kinds of attacks are mitigated by user-created plug-ins. Once again, the problem is semi-contained before it's even released. There's still people that will be affected by it, but the simple and elegant plug-in system as well as plug-in writers (yes, they're simple and elegant, too) bring great tools to extend the usability of Firefox.

End marketing rant.

Re:Install (0)

Anonymous Coward | more than 7 years ago | (#16685773)

Unless you are thinking of removing mozilla.org from the permanent blocklist...

NoScript is great though especially with AdBlock.

And... (2, Funny)

Pacifist Brawler (987348) | more than 7 years ago | (#16685671)

I remember reading about the memory leak. While others see this as a "failure" of the browser, I see it as increasing the odds that the browser exits and frees up your memory. I mean, how hard is it to re-open a browser?

Re:And... (1)

RAMMS+EIN (578166) | more than 7 years ago | (#16686223)

``I remember reading about the memory leak. While others see this as a "failure" of the browser, I see it as increasing the odds that the browser exits and frees up your memory.''

You mean like garbage collection? I seem to recall that one McCarthy, in the late 1950s, came up with an algorithm that does that _without_ requiring the program to be restarted. Perhaps the FF2 team could look into that.

the difference (0)

Anonymous Coward | more than 7 years ago | (#16685693)

The difference is that the so-called "crashing" (closing the FF screen) is due to miscoding (couldn't handle JavaScript the way it was supposed to be done) whereas for IE 7, the real irony is that the anti-spoofing is one of the features (read: strong points) the new browser is supposed to deal with. If you consider a bugged feature as a major feature, then

Secunia: If you open up an IE 7 pop-up, the phishing address is masked
Shady M$: Not if you follow our safety browsing guidelines and verify HTTPS contents
End-user: You mean we have to browse to your page to read the safety guidelines before I can browse the Web safely? That is after reading your EULA on Windows, and then the IE 7 installation?

So when is Opera releasing their new browser to compete against these 2 and get their fair share of nit-picking?

Yahoo! mail (1)

Calinous (985536) | more than 7 years ago | (#16685709)

Yahoo! mail seems to use a less dangerous of these vulnerabilities - while stable versions earlier than 2.0 would crash, 2.0 only crashes when exiting Yahoo! Mail or when closing all the tabs of Yahoo Mail. Firebird 0.7 is not affected

Oo (0, Offtopic)

Konster (252488) | more than 7 years ago | (#16685715)

Editors need to RTFA.

Easy solution: NoScript (0)

Anonymous Coward | more than 7 years ago | (#16685879)

Install NoScript [mozilla.org] plug-in and allow Javascript only for the sites that you absolutely have to use. This solution also protects you against any future Javascript related security issues.

So funny (2, Informative)

ZeroExistenZ (721849) | more than 7 years ago | (#16686063)

How slashdotters start pointing and laughing when there's a IE exploit, doesn't matter how big or small, and always the "workaround" is looked at as unacceptable.

When it's about Firefox, they immediately relativate it and minimalize it. "Oh, just install noscript", "tis just a small exploit", "well, why not restart your browser? If it crashes, so what? Why don't you click the icon again? You lazy bastard!"...

I even read some comments, in reply that there's said IE 7 feels better than FF 2.0, that the faults in FF are acceptable. It's a complete double standard.

For me, Firefox 2.0 is worthless; bloated, crashes constantly, and is just not workable anymore. I've been using Firefox from the very start, but Firefox 2.0 made me switch to Opera.

Re:So funny (1)

itsdapead (734413) | more than 7 years ago | (#16686197)

It's a complete double standard.

I completely agree - hyping up a bug that causes the application to exit (oh the humanity! how can that happen?) in Browser A as a "security vulnerability" as if it's somehow comparable with a "redirect my secure connection to a phishing site" flaw in Browser B is blatant double standards...

Oh, wait, you mean the other way around? No, don't get that, sorry.

Re:So funny (0)

Anonymous Coward | more than 7 years ago | (#16686227)

It is not normal that Firefox 2.0 crashes all the time, so it should be possible to fix that (if you are still interested in). Try these steps:
http://kb.mozillazine.org/Firefox_crashes [mozillazine.org]

Re:So funny (1)

RAMMS+EIN (578166) | more than 7 years ago | (#16686239)

``For me, Firefox 2.0 is worthless; bloated, crashes constantly, and is just not workable anymore. I've been using Firefox from the very start, but Firefox 2.0 made me switch to Opera.''

And for those of you wishing to stick with open source software, there's Konqueror. Compared to Firefox, it runs faster, uses way less memory, and several of the new features in Firefox 2 (like an integrated spell checker) have been available for ages. I can't comment on the stability, as neither Firefox (1; I haven't run 2 yet) nor Konqueror crashes particularly often for me.

Re:So funny (1)

ZeroExistenZ (721849) | more than 7 years ago | (#16686323)

Thanks for the tip, I'm downloading it now.

Re:So funny (0)

Anonymous Coward | more than 7 years ago | (#16686935)

Waiting for the Windows version of Konqueror since 2003 or so... it's in sight since there is a GPLed port of QT4 for Windows. Though I haven't followed such development. And no, an old Cygwin version doesn't cut it (e.g. requires X11, bad integration w/OS), and is slow.

How do you know Konqueror in non-KDE uses less memory than Firefox in non-GNOME (or GTK DE)?

Re:So funny (1)

RAMMS+EIN (578166) | more than 7 years ago | (#16687089)

``How do you know Konqueror in non-KDE uses less memory than Firefox in non-GNOME (or GTK DE)?''

You use a tool that displays memory usage?

Re:So funny (1)

mackyrae (999347) | more than 7 years ago | (#16686253)

You think 2.0 is slower/crashier than 1.5.0.7? The old one locked up on me at least 3 or 4 times a day. 2.0 never does.

Re:So funny (1)

tsa (15680) | more than 7 years ago | (#16686789)

I find it strange that there are so many people who all have different experiences with FF. For me it just works, regardless of which version it is, and regardless of the OS I run it on (Windows, Linux, or OS X).

Nice sig, BTW

Re:So funny (1)

maxume (22995) | more than 7 years ago | (#16686321)

There are over one million user names registered. Pick a fence and slashdot has jackasses sitting on either side of it.

Welcome to Netscape 4.xx (1)

Shivetya (243324) | more than 7 years ago | (#16686439)

I already ditched FF2 and went back to the previous version.

What is up with the developer team? Were they just so horny to get a "2.0" out before the end of the year that it was "ok" to release this thing?

You are right, there is a double standard. MS is an easy target as negative comments are expected and encouraged by the moderation system here.

Firefox is no longer the Firefox most of us want. Sorry, it's nearing the point where we will need to clamour for that slim browser that we had when Firefox first came out (well before the naming hassles).

As for the Netscape 4.xx title, remember the days when IE was better than Netscape? Netscape was great until the 4.xx series, you could never tell which version would work.

Re:So funny (2, Insightful)

snero3 (610114) | more than 7 years ago | (#16686711)

Personally I think the comments you are referring to come from a number of different factors

  1. Microsoft is often not the one to admit the security flaw, whereas the Mozilla/firefox community is.
  2. Often Microsoft will deny the flaw pointed out in point number 1
  3. There have been numerous occurrences where an IE bug has allowed a whole PC to be taken over from a bug that either MS denies exists or is very slow to patch. Holes like that in firefox generally get patched well before it is public knowledge.
  4. for the longest time IE was the ONLY browser that would work properly on a windows environment and MS thought that was a "fair and just" way to do business.
  5. Firefox is OSS, so you can go in there and fix/find the bug yourself whereas with IE you have to rely on MS fixing it for you.

As for your issues with it crashing I think that is a bit personal/related to your system? Come on! you swapped to a completely different browser after little over a week of use? I personally run firefox 2 on OS X, windows XP/2000 and Linux (FC4,RHEL4u3) and have had no problems on any platform, but maybe that is just me.

Re:So funny (0)

Anonymous Coward | more than 7 years ago | (#16686777)

comma much?

Re:So funny (1)

DrSkwid (118965) | more than 7 years ago | (#16686799)

What are these "slashdotters" that think and act as one?

Perhaps you should use :

Whenever I read a discussion, there is usually some group of posters that play down an issue, some who play it up and those that use it as a platform for discussion of wider issues. Often those who shout the loudest have the least to say.

Re:So funny (0)

Anonymous Coward | more than 7 years ago | (#16686823)

I've been using Firefox from the very start, but Firefox 2.0 made me switch to Opera.

You know, there are certain zealots that I can't stomach... even on this site:

Gentoo -- OMG... "emerge openoffice" r00lez... it only took two days before i could type my letter)

KDE -- didn't you know that *everything* KDE is new, and r00lez. It's much better than GNOME in every possible way. What's that, GNOME has internationalization, accessibility, a stable ABI. Well... yeah, but KDE has 44 ways to set color of your window close button and Qt just roxxors because it uses C++.

Slackware -- slackware taught me all about Linux. It's great for newbies too. They really learn about computers that way.

Opera -- opera did everything that could ever be done in a browser first, and back in 1989 when they also invented the intarweb and Firefox just copied it all. Oh, and the webs stats showing Opera usage at about 0.0000001% are all wrong. I'm an Electrans BTW... an elite group of beta testers who get all the latest stuff and let me tell you, the next Opera is going to be bitchin. It reads your mind and downloads the next page before your fingers click. Seriously... Firefox is already getting ready to copy that.

and increasingly:

Ubuntu -- Ubuntu is going to kill red hat. The latest release "Da Jungle" is just awesome. I installed it on my mom's PC and she never calls me about it ... duh. I tried Fedora and it just crashed.

and finally, the radical fringe of the Ubuntu zealots: KUBUNTU. Ubuntu with KDE. (the horror, the horror).

Re:So funny (0)

Anonymous Coward | more than 7 years ago | (#16687391)

For me, Firefox 2.0 is worthless; bloated, crashes constantly, and is just not workable anymore. I've been using Firefox from the very start, but Firefox 2.0 made me switch to Opera.


Firefox 2 has been rock solid for me. I suspect you are using themes? I suspect also that you did not do a clean install? Using any undocumented tweaks?

Procedure for stable Firefox 2: Export bookmarks as a file, Uninstall, Delete profile, cache and installation directories/files. Install, import bookmarks from file but import no other settings, make settings (none undocumented), do not install themes, use only current extensions and a minimum of them. Works perfectly.

See? (0)

Anonymous Coward | more than 7 years ago | (#16686077)

Firefox 2 is not ready for the desktop! The world speaks AJAX today and Firefox just gibberish. This is not the performance someone would expect... especially when he tries Firefox 2 on advanced operating systems like Windows.

I suggest you rethink the ways of your project and have a look at IE to see what quality looks like. Because 80+% of a net-citizens can't be wrong.

Re:See? (1)

Short Circuit (52384) | more than 7 years ago | (#16686469)

I suggest you rethink the ways of your project and have a look at IE to see what quality looks like. Because 80+% of a net-citizens can't be wrong.

79%...78%...77%...76%...

Denial of Service, my ASS! (1)

slashbart (316113) | more than 7 years ago | (#16686081)

What a load of utter crap, calling a bug that crashes an application a "Denial of Service". Morons!

Bart

Re:Denial of Service, my ASS! (1)

tsa (15680) | more than 7 years ago | (#16686815)

Bart,

Your website acts a bit strange on FF 2.0. Pictures on the text. Take a look at it, it doesn't come over very professionally this way.

Moderators, please mod me down OT.

Re:Denial of Service, my ASS! (1)

geminidomino (614729) | more than 7 years ago | (#16686901)

Looks like a bad stylesheet, making too many assumptions about the browser's font-size...

+1 Wrong (1)

remembertomorrow (959064) | more than 7 years ago | (#16687309)

If I can interrupt your usage of a particular program remotely, it IS a denial of service attack. I am denying you the ability to use a service.

DoS does not always involve botnets, although they are one way to bring a service down.

There's a browser safer than Firefox... (4, Interesting)

Giorgio Maone (913745) | more than 7 years ago | (#16686135)

... it is Firefox with NoScript [noscript.net] :)

I wrote this Firefox add-on just after one of these disclosures, because the majority of the browser vulnerabilities was JavaScript related, and the suggested work-around was always "turn off JavaScript".

Disabling JavaScript as a whole seemed quite an impractical advice to me in this AJAXified Web 2.0: I thought that maintaining a white-list of trusted sites allowed to run JavaScript and keeping all the unknown web content "static" until I decided otherwise was a still safe but more convenient approach.

Since then I've been browsing the web with my shields up (NoScript can block also Java, Flash and other plugins [noscript.net] ), but I allow on the fly with one click, either temporarily or permanently, those sites which I trust and which do need dynamic client side technologies to work properly. To my surprise in 1 year and half I found few sites belonging to this category, because most places I usually browse are well designed enough to work with plain XHTML/CSS and nothing else (like Slashdot itself).

Notice: Firefox is a very safe browser because its vulnerabilities get patched very quickly, once they're found by developers. I'm a Firefox contributor myself, and I'm very proud of the quality of the Mozilla developers community. NoScript [noscript.net] , though, provides some extra protection even against those JavaScript/Java related vulnerabilities which have not been found yet...

Domain-Specific Options in Konqueror (1)

RAMMS+EIN (578166) | more than 7 years ago | (#16686285)

I'll just add my 0.02 Euros by saying that domain-specific JavaScript settings are available in Konqueror, too (I don't know since which version, but 3.5.2 has them). It also has domain-specific settings for Java, images, and cookies.

Re:There's a browser safer than Firefox... (1)

Daath (225404) | more than 7 years ago | (#16686771)

Thanks man! I just started using it recently. You have to get used to it, but I really like it! Especially that if you allow a site to run javascript, no external javascript from, say, advertizers get run :) Very cool add-on!

Who needs a DOS bug... (1)

TheBogBrushZone (975846) | more than 7 years ago | (#16686427)

when Firefox 2.0 seems to quite happily lock up on its own with no need for help from the script-kiddies?

2.0 Good reasons to switch to Opera (1)

giriz (966704) | more than 7 years ago | (#16686489)

I'm an Opera user and i keep wondering why do ppl adamantly use a software which keeps crashing and yet they find a reason to either bash it (IE) or support it (FF fanboys) saying there is such and such workarounds. Why don't ppl switch to the browser with fewest bugs/security holes. Don't give me the crap by saying IE has lot of users so the attackers target IE. While it may be true, a common security analyser like Secunia.com has identified fewest bugs in Opera compared to FF and IE. .... and yet the slashdot crowd is so much in love with FF. and look at the comments above from FF fanboys, they just keep writing suggestions and saying how it is not a flaw. If the posting had IE instead of FF, we would've seen hundreds of posts scolding IE and Bill.

Talk about hypocrisy.

Re:2.0 Good reasons to switch to Opera (0)

Anonymous Coward | more than 7 years ago | (#16686797)

Compared to 1.5.x, 2.0 has very good cookie management (like IE, Opera and Konqueror had for ages, but now better). Biggest reason to switch from 1.5.x, for me. Crashes I don't care about: sessionsaver (built-in or extension) and I always use NoScript due to malicious sites abusing the power of JS/Java/Flash. I expected the 2.0 release not to be flawless, and expected several bugfixes in 2.0.x for no reason but a weird feeling about it. Seems I was right.

Re:2.0 Good reasons to switch to Opera (2, Insightful)

Ash-Fox (726320) | more than 7 years ago | (#16687375)

> I'm an Opera user

Good for you

> and I keep wondering why do ppl adamantly use a software which keeps crashing

Firefox v2 has only crashed once on me, when I tried to get it to crash on that bug. It's never crashed otherwise.

> yet they find a reason to either bash it (IE) or support it (FF fanboys) saying there is such and such workarounds.

Well, the fact they suggest workarounds is a good thing in my opinion. It's good that there are workarounds.

> Why don't ppl switch to the browser with fewest bugs/security holes.

Links [sourceforge.net] doesn't provide what I need.

> Don't give me the crap by saying IE has lot of users so the attackers target IE.

Alright, Netcraft showed that Apache was the dominant webserver, yet the webserver that gets exploited the most is IIS -- This could be the case with other Microsoft software if they were put into that situation.

> While it may be true, a common security analyser like Secunia.com has identified fewest bugs in Opera compared to FF and IE.

They've identified even fewer in Links.

> and yet the slashdot crowd is so much in love with FF.

I can't speak for Slashdot, however I use Firefox (not always official Mozilla builds) primarily because it runs on all the architectures I use. That includes PPC and ARM. It runs on most of the operating systems I use (unfortunately not on AmigaOS though). Also other browsers lack really important functions [google.com] I need.

> and look at the comments above from FF fanboys, they just keep writing suggestions and saying how it is not a flaw.

I see people saying it isn't an exploit. But rather something that causes a crash. An exploit meaning, "A hardware or software vulnerability that can be 'exploited' by a hacker to gain access to a system or service."

> If the posting had IE instead of FF, we would've seen hundreds of posts scolding IE and Bill.

Could you show me a Slashdot article about a bug that causes IE to crash, no exploits. Just for comparison please.

> Talk about hypocrisy.

Using your own logic, why aren't you using Links anyway? It's "the browser with fewest bugs/security holes".

I'm confused... (1)

Milton Waddams (739213) | more than 7 years ago | (#16686499)

The title reads "Another Denial of Service Bug Found in Firefox 2" but the summary says "... the bug cannot be exploited to run arbitrary code on a PC running Firefox 2, the representative said. This flaw in the JavaScript Range object is different from the denial-of-service vulnerability in Firefox 2 that was confirmed by Mozilla last week."

So which do I trust? There's no way in hell I'm gonna actually read the article!

Re:I'm confused... (1)

jesser (77961) | more than 7 years ago | (#16686727)

There's no contradiction between the sentences you pasted. It's entirely possible that there are two (or more) "denial of service" bugs (bugs that can't be exploited to run arbitrary code, but do make your browser crash/exit) in Firefox 2.

Re:I'm confused... (1)

Milton Waddams (739213) | more than 7 years ago | (#16686751)

Yeah but the summary refers to two bugs, a bug announced last week which is a DOS bug and a bug announced this week which isn't. The title says that there is more than one DOS bug in Firefox. I presumed that the bug announced this week was also a DOS bug but it isn't. Tis a bit confusing. It looks like Slashdot's reporting on the week-old bug.

Third d.o.s. attack affects ALL BROWSERS! (3, Funny)

suv4x4 (956391) | more than 7 years ago | (#16686543)

Immediately stop using Internet if you're using one of those browsers:

IE
Firefox
Safari
Konqueror .. ..

A new denial of service attack was discovered floating in the cyberspace, that can render any browser inoperable, and it has to be forcefully crashed and reopened. The signature of the exploit was reported to be:

while(true) alert('Hahaha, suckers!');

People are advised to immediately move to Lynx: the only browser known to be immune to this attack.

Re:Third d.o.s. attack affects ALL BROWSERS! (0)

Anonymous Coward | more than 7 years ago | (#16686705)

Actually, I think you could write a DCOP script to fix Konqueror in this case, and browse it away to a site of your choice. See:

http://www-128.ibm.com/developerworks/linux/library/l-dcop/index.html?ca=dgr-lnxw12ConnectKDE [ibm.com]

(though I'm not currently at my KDE box to see if this works when a modal dialogue is open)

Re:Third d.o.s. attack affects ALL BROWSERS! (1)

bheer (633842) | more than 7 years ago | (#16687011)

> A new denial of service attack was discovered floating in the cyberspace, that can render any browser inoperable

Opera 9 is immune to this; every alert dialog has a [ ] Do not run scripts on this page checkbox.

Issue shrinking (TM) technology (2, Funny)

suv4x4 (956391) | more than 7 years ago | (#16686571)

The two "crashers" are the only publicly released vulnerabilities that have been confirmed by Mozilla in the week since Firefox 2 was launched. The issues are only minor, the organization has said...

They also added, that the reason the issues are minor, is because Firefox 1.5x and later releases of the popular Mozilla browser feature a special "issue shrinking" technology, patent pending, where no matter what happens, the issue becomes small.

This is in opposition to Microsoft, which appears to ship all their products with "issue expanding" FUD generator technology, now considered by many specialists as obsolete, where never mind what's the trouble, it's blown out of proportion, and brings chaos and despair among geeky web users.

React to this... (0)

Anonymous Coward | more than 7 years ago | (#16686713)

I'd like to see how this would be received by slashdotters had the story instead been:

"A second security flaw that could cause the new IE7 browser to crash has been publicly disclosed. The vulnerability lies in the way the closed-source browser handles JavaScript code. Viewing a rigged Web page will cause the browser to exit, a representative for Microsoft, the publisher of the software, said Wednesday. Contrary to claims on security mailing lists, the bug cannot be exploited to run arbitrary code on a PC running IE7, the representative said. This flaw in the JavaScript Range object is different from the denial-of-service vulnerability in IE7 that was confirmed by Microsoft last week. That bug is related to a more serious security hole, which was fixed in earlier versions of IE7, the organization has said. The two "crashers" are the only publicly released vulnerabilities that have been confirmed by Microsoft in the week since IE7 was launched. The issues are only minor, the organization has said."

Why is this news? (1)

jesser (77961) | more than 7 years ago | (#16686761)

If you go search Firefox's bug database for bugs with the "crash" and "testcase" keywords at any time, you'll find dozens of known crash bugs. I imagine it's the same for any other major browser. Meanwhile, very few sites intentionally crash web browsers. It makes more sense for developers to focus on lowering the average time between crashes (by fixing the most common crashes), or on fixing actual security holes, than to focus on squashing the largest number of crash bugs.

Why are CNet and Slashdot so interested in these particular two crash bugs? They aren't crashes that can be exploited to run arbitrary code.

Re:Why is this news? (0)

Anonymous Coward | more than 7 years ago | (#16686897)

It is news when your browser is touted by millions as super secure and coded to a supposed higher standard...

A program that crashes on its own is not news and certainly not a DOS attack. Someone intentionally causing your browser to crash remotely does qualify as a DOS and is news because of the browser's reputation as being very secure and stable.

This's it! I'm going back to IE! (1)

Petkov (1011081) | more than 7 years ago | (#16686967)

Firefox is too insecure as a browser!

It's no surprise... (1)

s31523 (926314) | more than 7 years ago | (#16687055)

With a tremendous amount of code there are bound to be bugs. The difference between Firefox and IE will be what the Firefox team does about the bugs, and how serious they are. If the Firefox team doesn't handle the bugs well and the bugs are "serious", Firefox might be, *gasp*, put in the same bucket as IE! I'll still use it though..

Javascript, eh? (1)

cloudmaster (10662) | more than 7 years ago | (#16687291)

So, what, is it a link like <a href="javascript:window.close()">Click Here for Money!!!</a> that causes this "DOS"?

This is not new (1)

Chris whatever (980992) | more than 7 years ago | (#16687449)

This is not new because there isn't a browser out there with no flaw, no bug. Firefox is as vulnerable as any other software, you just need to keep prying at something until you find the desired problem. Problems are starting to appear in Firefox because it has become largely distributed and soon enough there will be viruses specially designed for it. The truth about internet browsers is, if you don't want people to find flaws, don't be big. I have never seen a hacker trying to hack a technology or software that is not taking a large market share. Have you seen MAC viruses.....I think not