Serious Vulnerability In Firefox 2.0.0.12

kdawson posted more than 6 years ago | from the that-was-quick dept.

Security 355

Oh, Not Now writes "Mozilla Firefox 2.0.0.12, mere hours old, is vulnerable by default to a directory traversal trick, via the view-source mechanism. Although mitigated by the NoScript plug-in, this is quite a serious bug — the default installation is vulnerable from the get-go."

355 comments

* Stops download of newest Firefox * (1)

Doug52392 (1094585) | more than 6 years ago | (#22364710)

Good thing I just read this, I was in the middle of downloading that version :0

What we can count on is that this bug will be fixed in a few days... maybe even hours, unlike all those Microsoft vulnerabilities that have taken months to fix :)

First post :

Damned it all (4, Insightful)

Overzeetop (214511) | more than 6 years ago | (#22364744)

Just before I opened this session, I had upgraded.

Oh, well, just one more unlocked door in the grass hut I call a computer.

Re:* Stops download of newest Firefox * (5, Interesting)

webmaster404 (1148909) | more than 6 years ago | (#22364746)

Also, one thing that I have noticed about OSS bugs is that those severe enough to cause execution of code, there are very very few utilities to easily attack systems unlike their MS counterparts. Most OSS flaws are rarely exploited in the wild. The only thing that annoys me about them is that someone will surely come up to me on Monday stating how bad Firefox is because of this while blissfully ignoring all the flaws that Windows/IE has had for years.

Re:* Stops download of newest Firefox * (4, Informative)

De Lemming (227104) | more than 6 years ago | (#22364796)

As far as I understand, versions before 2.0.0.12 are also vulnerable...

Re:* Stops download of newest Firefox * (3, Insightful)

sundarvenkata (1214396) | more than 6 years ago | (#22364910)

But but.....don't many eyeballs watch the mozilla codebase?

Re:* Stops download of newest Firefox * (4, Insightful)

bunratty (545641) | more than 6 years ago | (#22364984)

Sure, and some of those eyeballs wait until just after the release of a new version to announce they know of a security vulnerability just to draw attention to themselves. Open source does help security bugs to be found, but it doesn't magically keep the finders from blabbing to all hackers worldwide exactly what the problem is and how to exploit it.

Re:* Stops download of newest Firefox * (1)

HartDev (1155203) | more than 6 years ago | (#22365340)

who really cares, I am gonna use firefox, not too many hackers are that good at getting into Linux Machines, and if I wasn't gonna use FireFox then I would use Opera. Cheers!

Re:* Stops download of newest Firefox * (5, Insightful)

LiquidCoooled (634315) | more than 6 years ago | (#22364804)

Why stop downloading it?
I cannot work out from the article whether older versions of Firefox are vulnerable or not.
If it's an unfixed bug from previous versions you should continue to download.
Which would you rather:
have 20 known vulns in the wild (stay as you are),
have 1 known vuln wild (latest update).

Until we can be certain though, just click pause ;)

Re:* Stops download of newest Firefox * (-1, Troll)

Vectronic (1221470) | more than 6 years ago | (#22365248)

At the risk of being modded as FlameBait...

(http://www.mozilla.org/projects/security/known-vulnerabilities.html)
"Critical" ones marked with *

MFSA 2008-11 Web forgery overwrite with div overlay
MFSA 2008-10 URL token stealing via stylesheet redirect
MFSA 2008-09 Mishandling of locally-saved plain text files
MFSA 2008-08 File action dialog tampering
*MFSA 2008-06 Web browsing history and forward navigation stealing
MFSA 2008-05 Directory traversal via chrome: URI
MFSA 2008-04 Stored password corruption
*MFSA 2008-03 Privilege escalation, XSS, Remote Code Execution
MFSA 2008-02 Multiple file input focus stealing vulnerabilities
*MFSA 2008-01 Crashes with evidence of memory corruption (rv:1.8.1.12)

There's quite a few problems with 2.0.0.12, in fact more bugs in *.12 than *.11

Re:* Stops download of newest Firefox * (5, Informative)

Rakishi (759894) | more than 6 years ago | (#22365398)

Parent is an idiot or a troll, not informative.

To quote the link itself, where it is written in large bold print right above what was quoted (emphasis mine):
FIXED in Firefox 2.0.0.12

Re:* Stops download of newest Firefox * (2, Informative)

More_Cowbell (957742) | more than 6 years ago | (#22364808)

You don't run NoScript? Personally I'm using 3.0 beta2 (the few bugs are totally worth the better memory management, IMO), but I would never dream of running any version without NoScript.

Re:* Stops download of newest Firefox * (2, Interesting)

croddy (659025) | more than 6 years ago | (#22364844)

Oh, you make a good point. I always wondered what people were talking about when they went on and on about Firefox consuming tons of memory because I would look at mine and it would never look even remotely like what people were describing. Of course, it all makes sense now -- less crappy unnecessary javascript running, fewer memory leaks. I can't imagine web browsing without manually whitelisting scripts either.

Re:* Stops download of newest Firefox * (1)

More_Cowbell (957742) | more than 6 years ago | (#22365066)

For memory leaks I was only referring to the difference between version 3.0 and any 2.0.x.x. Not sure at all, but I suspect that the huge memory consumption others reported and you did not experience was more to do with the total memory available on the system. Surely something must prevent Firefox from using more than x% of available RAM?

Re:* Stops download of newest Firefox * (1)

bunratty (545641) | more than 6 years ago | (#22365142)

No, limiting the memory Firefox uses could cause sites to fail to work properly, especially on computers with very little RAM. The thing about the huge memory consumption is that very few users see it, and those that do cannot explain how others can see it so no one can investigate what the problem is or how to fix it.

Memory Usage / No Script (1)

milsoRgen (1016505) | more than 6 years ago | (#22365412)

It uses a lot of memory at times for me personally, but well within reason. 200mb max (4-6+ hour session) with 2gigs RAM. Not wholly unreasonable. I seem to recall, tho certainly can't say definitively, never seeing it top 80mb on another box I have with 512mb.

I've been using Noscript for a while now, and personally it hasn't really affected my peak memory usage for better or worse. I also have constant access to CPU/Memory usage percentages through my G-15 keyboard's display, so I tend to keep an eye on that more than most people.

Re:* Stops download of newest Firefox * (1)

Nullav (1053766) | more than 6 years ago | (#22365218)

> the few bugs are totally worth the better memory management, IMO

Statements like this were exactly why I decided to switch to FF3 a month ago. Personally, I saw no improvement in regards to memory leaks; I'd end up with it clinging on to 200-300MB or so after an hour or two of normal activity (a dozen Wikipedia articles, a YouTube link or two, and perhaps messing around with one of those addictive sand games). Making it trim on minimize (something it should do by default) helped somewhat, but then it would slowly make its way back up to 70-100MB without me doing anything, with only one page, even about:blank, open. That and little annoyances like the new URL bar showing page history, rather than *gasp* URLs convinced me to drop FF entirely two weeks ago and switch to K-meleon.

Somehow, I just don't see FF getting any better in the near future.

Re:* Stops download of newest Firefox * (4, Informative)

omeomi (675045) | more than 6 years ago | (#22365378)

> Making it trim on minimize (something it should do by default) helped somewhat

What you're describing has nothing to do with Firefox. Even if Firefox frees its memory, that freed memory doesn't get reflected in the Task Manager until the program is minimized or you wait long enough...

More info: http://www.garagegames.com/blogs/4517/11311 [garagegames.com]

"The Windows OS employs something like a memory cache for each actively running program. This cache may grow as the needs of a particular program require using magical algorithms Microsoft developers have produced for determining the optimal size for that program. For instance a program over the course of its life time may require 20 megs of memory but occasionally needs to load data requiring allocations of up to 10 additional megs which is released seconds after it is loaded and processed. The Windows OS may determine then, that the memory cache for this program must increase from the base 20 megs to 25 megs instead. Looking at the Windows Task Manager then, you may see that this program is now using 25 megs of memory, even though currently, it may only be using 20 megs.

That is, the Windows Task Manager is reporting the memory cache allotment and not the memory allocated and used by the program. This is not the same as a memory leak. The program has little to no control over the memory cache allotment the OS has given it."

Re:* Stops download of newest Firefox * (1)

smitty_one_each (243267) | more than 6 years ago | (#22364812)

Furthermore, there is a freely-available fix, which I pulled down and installed easily, has a look-ma-no-manual-needed interface, and a convenient means to tip the developers for a job well done.
Mad Propz.

It must be Microsoft's fault (-1, Troll)

Anonymous Coward | more than 6 years ago | (#22364714)

LOLZ. Somebody, quick explain how the evil M$ is responsible for this!!

Re:It must be Microsoft's fault (1)

Nazlfrag (1035012) | more than 6 years ago | (#22365346)

Well it appears they are attacking an MS box, by the Program Files part of the filename string. I doubt this would do much on a *nix box with proper access permissions set up. So yes, this is indirectly MS's fault if theirs is the only platform vulnerable, which is likely.

I for one welcome our (-1, Redundant)

Anonymous Coward | more than 6 years ago | (#22364730)

...buggy Firefox overlords. Or is that joke getting really, really, really old now?

Re:I for one welcome our (-1, Offtopic)

techno-vampire (666512) | more than 6 years ago | (#22364956)

In Korea, only old people make overlord jokes.

Re:I for one welcome our (0, Offtopic)

networkzombie (921324) | more than 6 years ago | (#22365358)

Your sig is an advertisement. Do you know that it reflects poorly upon you and ruins the integrity of your posts?

Payload (3, Informative)

milsoRgen (1016505) | more than 6 years ago | (#22364748)

So my understanding is that this vulnerability can be used to read the host computer, and...

Other issues can emerge also, this is only a short-hand proof of concept.
I'm just curious if this could be eventually exploited to actually alter data on the affected host?

Re:Payload (1)

Schraegstrichpunkt (931443) | more than 6 years ago | (#22364772)

Why bother? If a script can read stuff (e.g. your Firefox password list, your cookies file) from the host computer and send it back to a remote machine, you're screwed.

Re:Payload (0)

Anonymous Coward | more than 6 years ago | (#22364860)

My understanding is that you can only read the Firefox directory, which is NOT where your cookies, etc are stored, well at least on my pc...

Re:Payload (1)

HappySmileMan (1088123) | more than 6 years ago | (#22364952)

> My understanding is that you can only read the Firefox directory, which is NOT where your cookies, etc are stored, well at least on my pc...

It says Directory traversal, which means if "view-source:resource:///example.txt" reads "file:///C:/Program Files/Mozilla Firefox/example.txt"... Then by my understanding, "view-source:resource:///../../Windows/system32/example.txt" reads "file:///C:/Program Files/Mozilla Firefox/../../Windows/system32/example.txt" (or more directly "file:///C:/Windows/system32/example.txt")

If you aren't able to do this and move up directories then it isn't, AFAIK, "directory traversal".
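
The containment check that the comment above reasons about, as an added example that is not part of the original thread and is not Firefox code: a resolver that maps a `resource:///` path under an install directory and refuses any path whose `..` segments would climb above it. `BASE_DIR`, `resolveResource`, `SAMPLES` and `auditSamples` are hypothetical names, and the sample URIs are constructed from the ones quoted in the comment.

```javascript
// Install directory taken from the comment above; used only as a string here.
const BASE_DIR = "C:/Program Files/Mozilla Firefox";

// Resolve a resource:/// URI to a path under baseDir, or reject it.
// The path is percent-decoded exactly once, then normalised segment by
// segment. The caller must open the returned path, never the original
// string, so that nothing downstream decodes or normalises it again.
function resolveResource(uri, baseDir = BASE_DIR) {
  const prefix = "resource:///";
  if (typeof uri !== "string" || !uri.startsWith(prefix)) {
    return { ok: false, reason: "not a resource:/// URI" };
  }

  let decoded;
  try {
    decoded = decodeURIComponent(uri.slice(prefix.length));
  } catch (e) {
    // decodeURIComponent throws URIError on sequences such as "%zz".
    return { ok: false, reason: "malformed percent-encoding" };
  }
  if (decoded.includes("\0")) {
    return { ok: false, reason: "NUL byte in path" };
  }

  // Treat both "/" and "\" as separators, since the target in the comment
  // is a Windows path. Track the segments kept so far; a ".." with nothing
  // left to pop means the path would leave baseDir.
  const kept = [];
  for (const seg of decoded.split(/[\/\\]/)) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") {
      if (kept.length === 0) {
        return { ok: false, reason: "path escapes base directory" };
      }
      kept.pop();
      continue;
    }
    kept.push(seg);
  }
  return { ok: true, path: [baseDir, ...kept].join("/") };
}

// Constructed sample inputs: the two URIs from the comment plus encoded,
// backslash and in-bounds ".." variants of the same idea.
const SAMPLES = [
  "resource:///example.txt",
  "resource:///../../Windows/system32/example.txt",
  "resource:///%2e%2e/%2e%2e/Windows/system32/example.txt",
  "resource:///..\\..\\Windows\\system32\\example.txt",
  "resource:///defaults/../example.txt",
  "file:///C:/Windows/system32/example.txt",
];

// Run every sample through the resolver and collect the verdicts.
function auditSamples(samples = SAMPLES) {
  return samples.map((uri) => ({ uri, ...resolveResource(uri) }));
}

for (const r of auditSamples()) {
  console.log(r.ok ? "ALLOW " : "REJECT", r.uri, "->", r.ok ? r.path : r.reason);
}
```
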

Re:Payload (1)

Flaming_cows (798162) | more than 6 years ago | (#22365132)

Firefox doesn't parse identifiers like . and .. in URIs that refer to local data. And view-source properly blocks file:// access.

Re:Payload (1)

jrumney (197329) | more than 6 years ago | (#22365168)

> And view-source properly blocks file:// access.

Not if you type it in the URL bar. I can't seem to get the resource:/// hack to work from an http:/// page though, so I'm not sure about whether file:/// gets through under the same circumstances.

NoScript (5, Interesting)

bazald (886779) | more than 6 years ago | (#22364756)

Why isn't NoScript just a mandatory extension at this point? It seems like it would be pretty unobtrusive with default settings at a slightly reduced paranoia level.

Re:NoScript (3, Interesting)

milsoRgen (1016505) | more than 6 years ago | (#22364826)

> Why isn't NoScript just a mandatory extension at this point?

I wouldn't be surprised if it becomes a part of the browser (or something like it), just as pop-up blockers of yore have been incorporated.

Re:NoScript (5, Insightful)

mrsteveman1 (1010381) | more than 6 years ago | (#22365008)

If it became part of the browser, 3 things would happen: Idiots would scream and cry about being forced to use it, it would integrate better making it more effective, and vulnerabilities like the one referenced here would be a non-issue for a much larger percentage of the user base.

Seriously, running every script a page stuffs into a browser should not be the default, and it should not take an extension to fix it.

Re:NoScript (1)

punissuer (1036512) | more than 6 years ago | (#22365400)

> Seriously, running every script a page stuffs into a browser should not be the default, and it should not take an extension to fix it.

Agreed. Also, one would hope that a script whitelister from Mozilla wouldn't need to be updated every three days or so.

Re:NoScript (5, Insightful)

ilikepi314 (1217898) | more than 6 years ago | (#22364958)

Because most are not educated how to use it properly yet. It's terrific, but I know firsthand from trying to introduce it to people that they ignore it, realize many of their websites are broken, then I say "Well, you can allow certain websites you visit with this little button" -- they then promptly pick "Enable Globally" (or simply whitelist every single site they ever visit), and it has no effect.

So instead of teaching people security, it just teaches them "Security is annoying and breaks everything, what's teh point?" and they want to use it less.

Re:NoScript (5, Insightful)

Firehed (942385) | more than 6 years ago | (#22364990)

How would it work at a slightly reduced paranoia level? There are, I suppose, four options: block everything, block nothing, block off-site scripts, and only allow trusted scripts (somehow including a database of checksums of widely-deployed, known-safe scripts like Google Analytics' urchin, jquery, Amazon affiliate stuff, and... that's all that comes to mind). Foreign scripts aren't going to cause any damage unless the site itself is vulnerable to XSS attacks - malicious websites aren't likely to off-site the scripts. A database of the known acceptable scripts would be so minimal that it would defeat the point, especially as so few of them are of any benefit to the site visitor. Unless a built-in NoScript were to block specific functions in Javascript that could be used for malicious purposes (anything other than strict DOM manipulation, I suppose), it wouldn't do much good - and breaking half the JS on a site is probably going to be much worse than breaking everything.

Re:NoScript (1)

calebt3 (1098475) | more than 6 years ago | (#22365266)

NoScript would be a bit too much for n00bs to grasp. Maybe integrate it but turn it off by default? On a similar note, I would not mind integration of Adblock Plus.

Re:NoScript (5, Insightful)

93 Escort Wagon (326346) | more than 6 years ago | (#22365320)

> Why isn't NoScript just a mandatory extension at this point? It seems like it would be pretty unobtrusive with default settings at a slightly reduced paranoia level.

Well, to tech-savvy users this would be true; but unfortunately most users aren't even marginally tech savvy. It doesn't matter if NoScript puts up a clear, unambiguous giant flashing red sign that says "This site will have reduced functionality because we're blocking some scripts from running. Click here if you really want to run all these scripts" - based on past experience, most people will just be positively flummoxed and won't have the foggiest idea why some sites are now "broken".

The thing is, looking at it from the designer/developer end, most users seem to want the functionality Javascript provides. My job largely consists of designing "intranet" apps for a university department. With forms, the end users want the ability to click a button or link to add extra fields when necessary. They want web-based calculators that figure out totals and percentages automatically. They like little explanatory pop-up boxes that define terms for them if they don't already understand what it means. They prefer drop-down menus that change, based on choices made further up the form.

I realize that NoScript actually allows white-listing for situations like this (just like IE does for ActiveX, God bless 'em) - but I don't have much confidence that non-technical end users will understand, even with training. Making NoScript or a similar tool the default will end up meaning significantly more of my time being wasted dealing with support calls - after all, if the web's broken you don't call the desktop support people, you call the webmaster, right?

(BTW is Firefox 3.0b2 or b3 vulnerable?)

Re:NoScript (2, Interesting)

punissuer (1036512) | more than 6 years ago | (#22365382)

Have you noticed how often NoScript gets updated? I wouldn't quite call it unobtrusive, especially since NoScript likes to make your browser open a tab to the NoScript site after an update. Really, how hard is it to prevent execution of javascript that didn't come from a site that's been whitelisted? I now use AdBlock Plus instead.

Re:NoScript (1)

SleepyHappyDoc (813919) | more than 6 years ago | (#22365436)

It's mandatory for you and I, sure, but I've had so many people act all shocked when they use my computer, and discover they need to 'turn on' scripting to use whatever stupid site they want to look at. That's one of the many things that makes my computer 'suck' compared to theirs.

yahoo or mozilla (2, Interesting)

erat123 (1114479) | more than 6 years ago | (#22364764)

Maybe microsoft should have looked into mozilla instead of yahoo...

reason to switch to IE (0)

Anonymous Coward | more than 6 years ago | (#22364774)

well that tears it.... the apocalypse is nigh!

Fixed is hours! (-1, Troll)

skelator2821 (958729) | more than 6 years ago | (#22364778)

Yes this is not good BUT! It will only take them hours or a day at most to patch it.. You IE-6 users waited for months if not Years and then the only reason M$ released patches and tried to act like they were really supporting their users was because they were starting to get Serious competition again.. Don't believe me? just Google it.

Re:Fixed is hours! (3, Insightful)

BasharTeg (71923) | more than 6 years ago | (#22364916)

You gotta love Firefox apologists. They can turn a complete failure on behalf of Firefox development and release engineering into a discussion about how Microsoft is horrible and IE fails.

You're living in the past. Everyone knows IE6 was horrible. I'm running IE7 under protected mode. If you're going to talk shit, at least talk shit about current software. People who spend their time talking about how Windows 98 crashed a lot, IE5 and 6 were really insecure, and IIS 5 was the fastest way for a computer to get hacked on the net, are really starting to sound tired and sad. When we're running Windows 7, Internet Explorer 8.0 in Protected Mode, and IIS 7.0 on Windows Server 2008, fools like you are still going to be apologizing for every bug in by bringing up bugs from Microsoft products 5+ years ago.

And even if IE6 was the most horrible browser ever and they waited for "months if not years" for patches, how does that make this Firefox vulnerability any better? If IE6 is so bad, why is it your example for trying to minimize this Firefox vulnerability?

Microsoft products are getting better. Deal with it. Quit living in the past.

Re:Fixed is hours! (2, Funny)

Anonymous Coward | more than 6 years ago | (#22365030)

>Microsoft products are getting better. Deal with it. Quit living in the past.

So are realplayer's products, but you don't see anyone telling anyone to install them.

Re:Fixed is hours! (0, Flamebait)

Anonymous Coward | more than 6 years ago | (#22365112)

Microsoft "products" (software is not really a product anyway, that's a marketing lie) still don't work on my Linux system. Why should I give a fuck about them?

Re:Fixed is hours! (1)

tubapro12 (896596) | more than 6 years ago | (#22365128)

It's hideous Fred, they all sit by him to look good...
-Forgotten someone

Re:Fixed is hours! (-1, Troll)

Anonymous Coward | more than 6 years ago | (#22365144)

Dude, are you on crack?

Re:Fixed is hours! (0)

Anonymous Coward | more than 6 years ago | (#22365290)

Hmmm...not a product. If you're trying to say what I think you're trying to say, you're using the same old tired lame-ass argument that software is 'Intellectual Property' and should not be subject to patents, copyright, etc. etc. etc.
Really? What about books? Should we use the same argument? I can almost bet that you think music should be free also.
I'd bet that a long list of 'intellectual' items could be put into that 'non-patentable/non-copyrighted' category.
What would you pay for? What do you think should be patentable?
Do I think some things should be free? Yes. Especially research (or any product for that matter) that's paid-for with public money.

Now, if software is developed with public funds then it better be available to all!

Re:Fixed is hours! (0)

Anonymous Coward | more than 6 years ago | (#22365172)

I prefer to stick with bugs I know how to fix, I can't say I have the money or balls to go out and blow money on bigger bugs than my dinky little roach motel is capable of handling. :P

(Especially considering I literally cannot even afford to put gas in my car to go apply for a job.)

Re:Fixed is hours! (1)

LordLucless (582312) | more than 6 years ago | (#22365236)

While I have to develop for it, I'm going to bitch about it. IE6 is still alive and well, and making up a significant proportion of site hits. It's still a piece of crap, and I still have to take it into consideration when I'm developing. Granted, the flaws I care about are rendering rather than security, but complaining about IE6 is most definitely not "living in the past".

Re:Fixed is hours! (2, Informative)

DMoylan (65079) | more than 6 years ago | (#22365306)

> Everyone knows IE6 was horrible. I'm running IE7 under protected mode. If you're going to talk shit, at least talk shit about current software.

well in their defence more people still use ie6. so they are talking about current software.

http://www.w3schools.com/browsers/browsers_stats.asp [w3schools.com]

at my job it is split about 90% ie6 v 10% ie7 for internet explorer users. thankfully the number of ie users is dropping as more switch to firefox. ie7 has speeded up that switch as many hate the interface.

but to be on topic firefox has a serious bug. i expect it will be patched in a day or so. firefox is good at that.

> Microsoft products are getting better.

only because they have serious competition from firefox, apache etc.

> Deal with it. Quit living in the past.

i don't live in the past i use linux and mac osx.

Re:Fixed is hours! (3, Insightful)

zsau (266209) | more than 6 years ago | (#22365328)

As someone who uses Linux because I was able to customise it to be exactly compatible with the way I think, and so I'm unable to run Internet Explorer or IIS, I have to say you make an excellent point.

To everyone else: Do you remember before the browser wars, when Netscape was the big, bloated dominant player and Internet Explorer was the fast and light competitor which needed to prove itself (even if it did so by cheating)? Do you remember the time between the wars, when Internet Explorer was buggy and insecure? Now we are in the second browser wars and Internet Explorer is trying to compete. And it's a good thing. The Mozilla foundation cannot afford to sit on their laurels or Firefox will be the also-ran that the Mozilla suite is. Never hold yourself to someone else's standards: Be the very best you can be, and it'll always be better.

And be grateful for it — we on Linux pretty much have no choice but Firefox (or Firefox-based browsers) if we want a vaguely native, somewhat integrated system (well, there's Konqueror if you use KDE but it's not up to the same level as Firefox and Internet Explorer). There's no competition, no choice, and no reason for Mozilla to focus their development effort over on this side of the fence. And we suffer for it, with form widgets that don't look right and menus that don't work properly.

Time to see if Konqueror fixed the damn flash bug (1)

gambolt (1146363) | more than 6 years ago | (#22364806)

I've been using Iceweasel because the flash problems in Konqueror were driving me nuts. You don't realize how much flash is on the web until it stops working.

Re:Time to see if Konqueror fixed the damn flash b (1)

solafide (845228) | more than 6 years ago | (#22365036)

Where do you have to go that needs flash? I specifically use 64-bit Epiphany without flash so I don't have that load for the minor benefits. It's chiefly used for advertising, as far as I have observed, and video. For video, it's not that hard to fire up 32-bit firefox with flash when I do want to watch them. Why do you need flash so?

Corporate sites (3, Insightful)

Overzeetop (214511) | more than 6 years ago | (#22365136)

There are quite a few corporate sites which incorporate flash to "enhance" their site, and there are some sites which won't even let you in unless you pass the flash-only home page. If you don't have flash, they don't want your business. (At least, that seems to be the opinion of the web IT staff, I haven't contacted corporate to see if they agree with that assessment). As for examples, Bath & Body Works used to be that way (I emailed them, they are no longer flash-limited...I don't believe those two things are linked, though). Rainforest Cafe is another. BBW didn't get my business back then, and Rainforest missed out on a dinner guest recently - I couldn't find their location, and couldn't use my mobile browser to get to their page. Will they care that they probably lost less than $100, of course not. But it certainly would have been nice if they wouldn't have had a "no flash, no service" sign out front.

Re:Corporate sites (1)

EtoilePB (1087031) | more than 6 years ago | (#22365228)

> But it certainly would have been nice if they wouldn't have had a "no flash, no service" sign out front.

Yup. We all have Flash disabled and can't install it at work, because the overlord office in Europe doesn't understand that it's not just for YouTube. We're starting to have serious trouble using travel booking sites, hotel booking sites, and restaurant booking sites (all of which are legitimate and frequent uses of our PCs for our business) because of this. A HUGE percentage of them don't have a single no-flash page left. Many of them don't even generate a "you need Flash to view this site" message; they just come up blank. Or the page frame (borders, margin -- whatever) will come up but you can't get to any content.

It's driving me nuts. Part of the reason I spend so much time on Slashdot is because around here, there's still Actual Text that I can just plain damn read.

Re:Time to see if Konqueror fixed the damn flash b (1)

gambolt (1146363) | more than 6 years ago | (#22365348)

Unfortunately, too many sites use it for navigation and crap like that. The wire image viewers for most major newspapers use it. Embedded media in various blogs, etc.

Re:Time to see if Konqueror fixed the damn flash b (1)

Kjella (173770) | more than 6 years ago | (#22365044)

Well, bug and bug. Short story for those that don't know: Macromedia released a new version (r115) that relied on some functionality currently only in Firefox, but not in typical versions of Konqueror or release versions of Opera. This broke all the distros, including all old supported distros because Macromedia doesn't let repositories host old versions. Last I checked the possible solution was a big backport. Development versions of Konqueror (for hardy heron in my case) and Opera 9.5 support it, but this is quite simply forced obsolescence on Macromedia's part.

Re:Time to see if Konqueror fixed the damn flash b (1)

KTheorem (999253) | more than 6 years ago | (#22365234)

You can install KMplayer to get around it. It takes a few more steps than normal, but it works (and from my subjective experience is much faster running than the normal nspluginviewer way). Here are instructions for doing it: http://mikearthur.co.uk/?p=171 [mikearthur.co.uk]

Your 'Ron Paul Facts' (-1)

Anonymous Coward | more than 6 years ago | (#22365260)

Each and every one of those makes me think even more highly of them. While the page you link to tries to cast them in an evil light, most are States Rights issues. He just wants the Feds to stay out of it.

Re:Your 'Ron Paul Facts' (1, Funny)

Anonymous Coward | more than 6 years ago | (#22365354)

dude, you just blew my mind.
Maybe Ron Paul is the one to help wipe out browser vulnerabilities!

I sure hope it's only this version... (2, Interesting)

WiglyWorm (1139035) | more than 6 years ago | (#22364824)

Hopefully the Firefox 3 beta is not affected by this, that's what I've been running since Beta 2 came out. Anyone know?

Re:I sure hope it's only this version... (3, Informative)

tetromino (807969) | more than 6 years ago | (#22365408)

It looks like Firefox 3 Beta 2 is vulnerable. The proof of concept from the article works on FF3b2 on my machine (Linux i686).

Re:I sure hope it's only this version... (1)

Ingenium13 (162116) | more than 6 years ago | (#22365458)

The latest nightly is significantly better than beta2. I recommend just installing Minefield and let it update every day. Or you can just disable automatic updates and only update it when you're going to restart the browser anyway.

or just visit sites you trust (4, Insightful)

hcmtnbiker (925661) | more than 6 years ago | (#22364834)

> That's right, back to the drawing board with this one. In the mean time you can either use another browser, or install the NoScript plugin to mitigate these issues.

Or you can take the first step like you always should, and not visit sites you don't trust. Vulnerabilities always exist, betting that the developers will find them before someone else can exploit them is not a smart thing to do. Visiting only sites you trust will keep you away from people who want to compromise your computer 99.99999999% of the time, it really is the best thing you can do in terms of browser security.

Re:or just visit sites you trust (4, Informative)

Beryllium Sphere(tm) (193358) | more than 6 years ago | (#22364856)

>Visiting only sites you trust will keep you away from people who want to compromise your computer 99.99999999% of the time

Assuming that the sites you trust haven't been compromised, this still leaves out the serious problem of attack code inserted into advertising.

Re:or just visit sites you trust (1)

dedazo (737510) | more than 6 years ago | (#22365180)

Funny, I used to say the same about most IE vulnerabilities, but it wasn't a very popular argument back then.

Re:or just visit sites you trust (4, Interesting)

11223 (201561) | more than 6 years ago | (#22365324)

Or you can take the first step like you always should, and not visit sites you don't trust.


Ever use an open 802.11 access point? Ever been redirected to a legalese page before being allowed onto the internet? Now what if that page had the exploit in it? For added fun, imagine the hotspot isn't malicious but there's an attacker on the network using a rogue DHCP server to feed you a bogus set of DNS servers.

People assume that their web browser is a trusted execution environment. Vulnerabilities which affect the browser are worth caring about for that reason.

Re:or just visit sites you trust (0)

Anonymous Coward | more than 6 years ago | (#22365350)

Yes, that's brilliant. There's a whole universe of information out there, billions of web sites with everything from useful documentation for work to tips for work around the house, but I should restrict my browsing to the thirteen web sites I know and trust just to keep my computer safe.

No thanks. I'd rather trust my browser, or take the risk. There's too much good stuff out there to wall it all off because of concerns about security.

Re:or just visit sites you trust (0)

Anonymous Coward | more than 6 years ago | (#22365366)

Mind explaining to everybody what magical mental ability you have that allows you to determine what pages can't be trusted simply by visually inspecting them?

Seriously, how did this get modded insightful? "If you don't want your browser to be hacked or exploited, only go to pages made by nice guys!" What the fuck kind of a dreamland are you living in? That's like going to a third-world country with abandoned mine fields and yelling out "if you don't want to lose your legs, don't walk anywhere with them!"

Who cares? Use Opera (-1, Troll)

Finallyjoined!!! (1158431) | more than 6 years ago | (#22364842)

's much better :-) Less bugs, more enjoyment. Heh :-)

Re:Who cares? Use Opera (3, Informative)

FudRucker (866063) | more than 6 years ago | (#22365082)

Opera is closed source so you have no idea what vulnerabilities are in it...

Who is to blame? (-1, Troll)

Colourspace (563895) | more than 6 years ago | (#22364850)

Must be Microsoft's/Google's/Apple's/SCO's fault. Delete as applicable.

nifty trick (5, Informative)

Deanalator (806515) | more than 6 years ago | (#22364874)

It makes me happy that this type of vulnerability is what we call serious these days. If you remember, just a couple of years ago Microsoft was downplaying the WMF vulnerability. It was not considered "critical" because the target needed to manually visit a malicious website for the attacker to take over the target machine.

While this is a really neat find, and I am glad that it will be patched pretty soon, I don't think it is quite at the level of "sky falling" etc. From what I understand, an attacker that can execute JavaScript in your browser has the ability to read any file in the target's Mozilla directory. The worst that I think an attacker could do would be to grab your stored password file. While this is definitely something to be concerned about, the headline had me pretty worried :-)

Trojan? (0, Troll)

4D6963 (933028) | more than 6 years ago | (#22364892)

Would that be why I caught a trojan right after installing that version and browsing sites of questionable trustworthiness?

Re:Trojan? (0)

Anonymous Coward | more than 6 years ago | (#22365152)

No.

As an aside, the article is linked to at the top of this page. It explains.

saved passwords (4, Insightful)

robo_mojo (997193) | more than 6 years ago | (#22364924)

Does anyone still think that it's a good idea to permanently store your passwords in your browser?

Re:saved passwords (1)

DigitAl56K (805623) | more than 6 years ago | (#22365054)

Yes, although only in conjunction with something like Firefox's master password to encrypt them.

This brings up my greatest gripe with Firefox: If you visit any site that you have stored a password for and you have a master password set, the damn thing pops open a request for any page that contains a password field. Take Slashdot or Digg, for example. If I'm browsing either of these sites almost every page I open requests a master password. You can turn off form auto-fill in about:config (not very end-user friendly), but then Firefox seems to have no method at all for causing the stored passwords to be filled in the page, unless I'm missing something. All in all, Firefox has some issues when it comes to password storage.

Do you have a better way to store all your passwords?

Re:saved passwords (1)

j.sanchez1 (1030764) | more than 6 years ago | (#22365184)

Do you have a better way to store all your passwords?

Try Secure Login [mozilla.org] .

Re:saved passwords (3, Funny)

Nazlfrag (1035012) | more than 6 years ago | (#22365380)

There's this thing called carbon-based memory I use from time to time. Efficient, portable, unfortunately it is easily broken by Johnny Walker and co.

Exactly! That's why I use Internet Exploder (1, Funny)

Anonymous Coward | more than 6 years ago | (#22364940)

I use "Internet Explorer version 7.0" from a company called "Microsoft Corporation". I would recommend trying it out.
It seems to render most web pages accurately and is moderately fast. Yes, I know, it IS slower and uses WAY more memory than the two other dominant browsers (Firefox and Opera), but the company does seem to have a lot of programmers working for it, has been in business for a while, and seems to have some staying power. The company's CEO, a man by the name of "Bill Gates" seems to have his wits about him and seems to have invented a good thing here. I urge people to try it out. The only thing is, that the browser only seems to be available for a small number of available Operating Systems.... namely "Microsoft Windows" and also a small number of "Macintosh OS Ten"... and doesn't seem to be available for the mainline Linux OS, but perhaps they are working on it.

TDz.

Firefox 3b2 (0)

Anonymous Coward | more than 6 years ago | (#22365110)

Is Firefox 3 Beta 2 also vulnerable to this exploit?

What all.js contains (2, Informative)

nonpareility (822891) | more than 6 years ago | (#22365124)

The file they're reading from in TFA (all.js) contains a portion of the default Firefox preferences, not your current settings. There may be other ways to exploit this problem, and web pages definitely shouldn't be allowed to read any file from your computer, but the proof of concept isn't as bad as they say it is. The majority of your personal information is in your profile directory (under Application Data on Windows), not the program directory.

huh? (5, Informative)

jelle (14827) | more than 6 years ago | (#22365188)

Doesn't look like a vulnerability to me. So it can read files in /usr/lib/firefox, but those are just the standard files from the firefox package. User configuration and stored passwords etc are not stored there... It still can't get to $HOME/.mozilla...

How is this a serious security problem? (3, Informative)

Anonymous Coward | more than 6 years ago | (#22365198)

I'm confused, how is this a serious security problem? All it allows is reading files from the Firefox application directory, which isn't exactly sensitive data, since you can get the exact same files from just downloading Firefox from Mozilla's website. Your prefs, passwords, etc. are stored in your Firefox profile, which lives outside the Firefox application directory, so they *are not* accessible via this trick.

Pretty bad timing ... (1)

Sepiraph (1162995) | more than 6 years ago | (#22365206)

I literally just switched to Firefox yesterday from Opera, but even with this bad news, I'm going to stick with Firefox. Extensions are just too good a feature in a browser.

is this yet ANOTHER (0)

Anonymous Coward | more than 6 years ago | (#22365224)

WINDOWS program vulnerability? Sure looks like it. Why isn't this made clear in the headline or summary then? How about the microsoft/mozilla stealth alliance make TWO names for the two different programs, or would that be giving away the crown jewel secret that's been hiding in plain sight even larger and more blatantly than the old SCO Microsoft stalking horse? How many times do we have to see a windows vulnerability ascribed to the entire mozilla package called "firefox" on an alarmist headline? Is it really so hard to rename the linux version to something else? Oh it is? "Too confusing" even though they really are two different programs? OK, then maybe could the article submitter or editor append the word windows or Microsoft to the headline to differentiate it? Call it by its real name, which is the Microsoft Windows Mozilla Firefox Browser version whatever, then go on to outline the new vulnerability.

Scare mongering (5, Informative)

Anonymous Coward | more than 6 years ago | (#22365246)

gre is constant data. This report is FUD.

Firefox is open source; anyone who wants to view view-source:resource:///greprefs/all.js can just as easily load http://mxr.mozilla.org/mozilla1.8/source/modules/libpref/src/init/all.js?raw=1 [mozilla.org]; it has the same content.

all.js is *not* user data, it's *public* app data. Your preferences are stored in prefs.js which are not exposed by greprefs.
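Several comments above turn on whether a `resource:///` request can reach anything outside the application directory, such as the profile. As an added example (not part of any comment and not Firefox's own code), this sketch shows the containment check that keeps such a resolver confined; the directory paths, function names and sample URLs are assumptions constructed for illustration.

```python
import posixpath
from urllib.parse import unquote, urlsplit

# Assumed locations, for illustration only (not read from any real system).
APP_DIR = "/usr/lib/firefox"
PROFILE_DIR = "/home/user/.mozilla/firefox/example.default"


def resolve_resource(url, root=APP_DIR):
    """Map a resource:/// URL to a path under root; None if it would escape."""
    parts = urlsplit(url)
    if parts.scheme != "resource":
        return None
    rel = parts.path
    # Decode until stable so double-encoded dots or slashes cannot survive
    # to a later decoding step; refuse input that never settles.
    for _ in range(4):
        decoded = unquote(rel)
        if decoded == rel:
            break
        rel = decoded
    else:
        return None
    if "\x00" in rel:
        return None
    rel = rel.replace("\\", "/").lstrip("/")
    candidate = posixpath.normpath(posixpath.join(root, rel))
    # Check containment on the normalized result, never on the raw string.
    # The trailing "/" stops a sibling such as /usr/lib/firefox-other matching.
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


# Constructed sample requests: two that stay inside the application
# directory and three that try to leave it.
SAMPLES = [
    "resource:///greprefs/all.js",
    "resource:///greprefs/../defaults/pref/firefox.js",
    "resource:///..%2f..%2f..%2f" + PROFILE_DIR.lstrip("/") + "/prefs.js",
    "resource:///%252e%252e/%252e%252e/%252e%252e/"
    + PROFILE_DIR.lstrip("/") + "/prefs.js",
    "resource:///../firefox-other/all.js",
]


def audit(urls=SAMPLES):
    """Return {url: resolved path or None} for each request."""
    return {u: resolve_resource(u) for u in urls}


if __name__ == "__main__":
    for url, path in audit().items():
        print("ALLOW" if path else "DENY ", url, "->", path)
```
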

Update the title... NOW. (5, Insightful)

Anonymous Coward | more than 6 years ago | (#22365272)

Seriously, this title should be changed now (get rid of "Serious"), and a "!serious" tag added. The author of the article is an asshole who just waited for this release to fear monger and gain some attention. This bug exists in previous versions, this is not a new issue. The fact is, 2.0.0.12 fixes issues from previous issues, and does NOT introduce this "new" bug.

You should still upgrade. You are already vulnerable to this "attack" without it, but you can at least gain some new fixes for other issues.

You know, we're trying to promote open source software. To scream that firefox has a "serious vulnerability" when it in fact doesn't is IT treason.

Doesn't matter what browser you run (1)

LingNoi (1066278) | more than 6 years ago | (#22365274)

Doesn't matter what browser you run, if you let anyone execute whatever code they want on your own machine via your browser it's the equivalent of running that trojan.exe you just downloaded from Messenger.

Is there a NoScript for IE 7 and Opera?

Re:Doesn't matter what browser you run (1)

Petrushka (815171) | more than 6 years ago | (#22365464)

Is there a NoScript for IE 7 and Opera?

For IE7, I have no idea. I doubt it. In Opera, it's built in.

(... BUT in Opera, enabling scripts for a specific site requires navigating through various sub-menus and five to eight mouse-clicks. And if the site uses cross-site scripting, as do most video sites for example, it could take anywhere up to a couple of minutes to investigate which sites you need to enable scripting for.)

How come? (2, Insightful)

dreamchaser (49529) | more than 6 years ago | (#22365292)

How come when there's a security hole in an MS product it gets the 'haha' tag, but if it's an OSS project it doesn't?

Re:How come? (0)

Anonymous Coward | more than 6 years ago | (#22365406)

Since it's so much less often, I guess it took the taggers by surprise.

But mostly, it's just to piss you off.

You new here? (0, Redundant)

ZxCv (6138) | more than 6 years ago | (#22365442)

Are you seriously asking this question?

Are you at all surprised that, here on /., security vulnerabilities in MS products are always much more severe and worthy of ridicule than those in open source products?

list of files that can be read (win32) (2, Interesting)

Anonymous Coward | more than 6 years ago | (#22365308)

lol, serious stuff

or not

Thanks (1)

FrozenGeek (1219968) | more than 6 years ago | (#22365426)

Thanks to the OP. Just (less than 5 minutes) before I read the article, I'd upgraded to the latest version of Firefox. NoScript is now installed.

Possibly another bug? (1)

cbiltcliffe (186293) | more than 6 years ago | (#22365432)

Something else weird that happened to me when I upgraded:

I've got Firefox as my default browser on XP, and after the upgrade to 2.0.0.12, all of a sudden IE showed up as my browser at the top of my Start menu. When I went into the control panel to "set program access and defaults", Firefox doesn't even show up as an option. WTF?
It's still installed, as it's in the programs folder, and it runs fine....also doesn't ask me if I need to set it as default, so it still is, but Windows has completely lost the fact that it's a browser.

Anybody else have this happen?

Phew (1)

insanechemist (323218) | more than 6 years ago | (#22365446)

As a web developer I thought this meant MY web server directory - maybe it does? Sounds more like the directories on the client. I guess in any case it's Windows based - but perhaps autoupdate should be turned off on all OSes.

Hogwash (0)

Anonymous Coward | more than 6 years ago | (#22365460)

No vulnerabilities have been shown.

The "PoC" lists only the user's DEFAULTs. Every Firefox installation has the same fucking defaults, and they are no secret.

There is no directory traversal vulnerability either; you can only load the DEFAULT INSTALLED FILES, which are the same for all fucking users, and are obviously no secret.