Two very critical security vulnerabilities in Firefox were discovered by security researchers. The security breaches affect all versions, including the latest release, and allow an attacker to take control of the system.
what does that “system” mean? what os do they mean, or do they mean all?
Mozilla: “We believe most users aren’t at risk.”
Typical Journalist: “Woe is me, they’ve failed us by only protecting those who haven’t been tweaking things! Make a big deal of this! Click my sponsors!”
The Register has a little more detail, without the subjective pleading:
http://www.theregister.co.uk/2005/05/09/firefox_0day_exploit/
It sounds like you can fool firefox into thinking it’s installing software automatically from the default sites.
I believe this affects users on Windows, Mac OSX, and *nix. Me personally, I’m thinking about a jump to Opera. The security holes aren’t bad, but updating Firefox can be a PITA when all your extensions break and such – they really need to fix that.
If people have to play this cat & mouse game with upgrades and don’t use any of Firefox’s advanced features, they might as well go back to IE.
a vulnerability on “*nix javascript”… interesting… tell me more of this “*nix javascript”, please… come on tell me … that should be good for a laugh hahahaha
Stop the FUD. Read from the source: http://www.mozillazine.org/talkback.html?article=6582
just disable the “software installation” option, which fixes the issue…and version 1.0.4 will probably have a permanent fix.
move along….nothing to see here.
If people have to play this cat & mouse game with upgrades and don’t use any of Firefox’s advanced features, they might as well go back to IE.
You don’t help much giving the serious issues that plagued IE with trojans, viruses and spywares.
At least those critical bugs in Firefox were found earlier, allowing Mozilla to quickly get a workaround. The source code is available to the public anyway, so why would crackers waste their time on open source when closed source like IE is more fun for them? Remember that Mozilla rewards about US$500 for anyone who can find a critical bug, thus allowing crackers to work on that issue to enhance the browser. AFAIK, neither IE nor Opera provided that idea.
Bwahaha, just imagine if I posted such a lame comment about IE. “Oh, just disable Active Scripting and everything will be okay…”
Just because firefox is not made by Microsoft, it should not get a pass…
a vulnerability on “*nix javascript”… interesting… tell me more of this “*nix javascript”, please… come on tell me … that should be good for a laugh hahahaha
You are welcome, most users don’t allow software installation from sites other than updates.mozilla.org. That was fixed serverside in less than a day.
I imagine users of modern Linuxes could improve security further by not allowing files downloaded or otherwise touched by Firefox to be executable.
that was not FUD that is a good warning to firefox users.
“A”
Doesn’t work. You just write a short shell and run `sh shell.sh` and boom you got executive access.
At least they don’t try to deny that the issues exist and are fixed almost as fast as they are found. M$ tries to either deny they have any or keep them hush, hush for months or longer while they try to fix them.
It’s not really fixed, it’s just been controlled.
Some of these security holes are probably fixed in the nightly build before the official fix is ready for download. You can find the nightly builds here http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/latest-trunk…
I’m using the Nightly Build and they mostly work fine, it would help Mozilla if more people used them for bug tracking purposes at least.
http://bitsofnews.com & http://tech.bitsofnews.com
>>Doesn’t work. You just write a short shell and run `sh shell.sh` and boom you got executive access.<<
I’m wondering why sh (as well as perl, and others) doesn’t check for the executable bit before it starts interpreting the file. I don’t do much programming anymore, but it seems trivial to implement.
At least they don’t try to deny that the issues exist and are fixed almost as fast as they are found. M$ tries to either deny they have any or keep them hush, hush for months or longer while they try to fix them.
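An added illustration of the point raised here and in the “sh shell.sh” comment above (this is example code written for this page, not something posted in the thread): the execute bit, like a noexec mount, only gates direct execution of a file. An interpreter invoked explicitly reads the file as ordinary input, so “keep downloaded files non-executable” does not stop `sh file`. The last function is the check the comment wishes interpreters made, under a hypothetical name; the script contents and paths are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread. Shows that the execute bit gates
# direct execution only, and what an execute-bit check in front of an
# interpreter would look like. File names and contents are constructed.

# Write a throwaway script without the execute bit, the way a browser
# download would typically land on disk (mode 0644).
make_unexecutable_script() {
  dir=$(mktemp -d)
  script="$dir/downloaded.sh"
  printf '%s\n' '#!/bin/sh' 'echo ran' > "$script"
  chmod 0644 "$script"
  printf '%s' "$script"
}

# Run the file directly. The kernel checks the execute bit here, so the
# shell reports status 126 ("Permission denied") and the script never runs.
# Only the exit status is printed so callers can compare it.
run_directly() {
  if "$1" >/dev/null 2>&1; then echo 0; else echo $?; fi
}

# Hand the same file to the interpreter. No execute-bit check happens:
# sh reads the file as input and runs its contents regardless of mode.
run_via_interpreter() {
  sh "$1" 2>/dev/null
}

# The check the comment above wishes sh made (hypothetical wrapper name):
# refuse to interpret a file whose owner never marked it executable.
exec_bit_checked_sh() {
  if [ ! -x "$1" ]; then
    echo "refusing to interpret $1: execute bit not set" >&2
    return 126
  fi
  sh "$1"
}
```

Run it with a scratch file and compare `run_directly` (status 126) against `run_via_interpreter` (prints `ran`); the wrapper refuses the same file until `chmod +x` is applied. Mount options such as noexec have the same blind spot, which is why sandboxing or mandatory access control around the browser, as other commenters suggest, is a stronger control than file mode bits alone.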
——————————————-
Well, if you keep things hush, hush until the fix, in theory fewer hackers would be aware of the issue, and if they don’t know about it, how can they exploit the problem? Imagine if Chry$ler had a problem where you could hit the car a certain way and just drive off with it. Keep it a secret until the fix, and fewer potential thieves would know about it.
I have never seen Microsoft actually deny the problem. Sure, they may try and downplay it, but really, that’s just typical company BS, not just a Microsoft double standard.
how can users fix this? Is there an update that can be installed to fix this or does one have to reinstall the whole Firefox again with the patch.
-D
Not to start a flamewar or anything, i have a machine at home that has both Firefox and IE and though I like IE cause its simple and fast, I just fail to see the point of having FF. Sure IE had and has its share of problems, but man FF seems not so immune to its fair share of problems. Remember when IE 6 came out. It was a time when security and so on was not an issue. But now there are exploits for the browser everywhere. Enter FF, seems like it should theoretically be a more solid browser and though it is its security is not that great! And this is without the dreaded ActiveX! I am being disillusioned here…I thought the whole point of jumping on the FF bandwagon was cause of security and a distant second was the plugin 🙂 But seems like either way we go these retards who have nothing better to do but cause trouble by writing malware will always be around.
extensions should not break on x.x.y releases as they are more or less bugfixes. and if they break then it will be a matter of days before the fix is out there. that is unless you’re using a very obscure extension, care to fill us in on past experiences?
i have yet to have an extension break on me after the 1.0 release.
Remember there will be no software that will be totally secure due to human errors. AFAIK, most of these flaws have yet to be exploited. http://www.mozillazine.org/talkback.html?article=6582
thought the whole point of jumping on the FF bandwagon was cause of security and a distant second was the plugin
Passive security is not enough. Active security, like the discovery of holes before incidents, prevents malicious crackers from taking advantage, since the source code is available to the public.
Like someone on the last page said, quit spinning. This is a very serious security problem which should _never have happened_, and is making me question the value of some of Firefox’s more whizz-bang flashy features. I think I’m going to go back to Epiphany or Galeon at this rate, simpler, fewer whizzy features, less to break…I’ll miss live bookmarks, though. Ah well.
Doesn’t work. You just write a short shell and run `sh shell.sh` and boom you got executive access.
I can’t see how. If you let Firefox run in a SELinux security domain of its own and don’t allow transitions that allow it to be run, it doesn’t matter if you start it from a shell.
There will be many more holes in FF in the future.
This is how software is and the reason permissions were created in operating systems.
On a properly configured system this exploit should be a problem.
Yes, the simpler the software the less possibility for exploits, but also the less people use it so the less exploits are found and patched.
When IE6 came out one of my first memories was getting my machine rebooted by a website a friend showed me…
I think people tend to not remember the bad experiences. Anyway, this seems to be under control. Simply put your extensions whitelists to the only two sites that should ever stay on it.
Geez, half of IE security right now is this sort of just limiting sources of apps instead of truly sandboxing the apps. You don’t hear people complaining about that! No, because they were saying they should have started that way for years.
Yes, there is a bug. It currently only affects windows users and can potentially be used on other platforms.
1) Fools your whitelist. I don’t use a whitelist
2) Don’t enable auto-install
As for item 2, why would anyone want to enable auto install of software? At one point, a long time ago, I hit a hostile web site that tried to install an XPI module. It made 50 requests or so. At that point I disabled the software install policy.
Theory is that I might have been typing and accidentally clicked yes. I use find as you type extensively. The message could have pop’d up while I was typing (surfing).
Common sense people.
“Well I didn’t start using XP until 2 years ago and the worst experience I had was….I didn’t have one!!”
consider yourself lucky. you don’t represent the majority
Maybe off-topic to this specific topic, maybe not…., but would it not be good to create a user called browser (/home/browser) and then open Firefox under that user?
If one day there will be a security hole the attacker could see the firefox data but not my personal data / documents.
Same for e-mail.
just a thought, not too tech detailed…
Hey guyz, check out this page:
https://bugzilla.mozilla.org/show_bug.cgi?id=293302
“Well, if you keep things hush, hush until the fix, in theory less hackers would be aware of the issue and it if they dont know about it..”
Not a chance, you presume they wait till some new exploit is falling from the sky. Certainly not all 0days are discovered by “white hats”.
You have to wonder when people are willing to openly show their ignorance in such blatant attacks as this:
“FireFox definitely can be proud in 50 millions downloads, but who really takes care about the popularity when it comes to security breaches that risk our computers…? ”
Have you seen the number of holes in IE? Have you seen how many viruses and spyware propagate through IE? I could rant for hours on IE’s complete lack of any form of security. But many have done so already.
Firefox may not be perfect, but it and opera represent far better and FAR MORE SECURE products than IE has ever been.
I openly prefer Opera to Firefox, but such stupid statements make me wonder if you got a little Microsoft bribe going.
Not to start a flamewar or anything, i have a machine at home that has both Firefox and IE and though I like IE cause its simple and fast, I just fail to see the point of having FF
1) You get a better, more standards compliant browser.
2) You cut out a large number of security exploits by not using ActiveX.
3) In the IE world the only way to make a difference for a hacker is to be a black hat or work at Microsoft, in the mozilla world he can make a difference by fixing things. Where do you think the probability is greatest of running into a black hat.
But if you really want a more secure system, you can’t trust only one layer of security. To get better security you need help from the OS. E.g. in Linux you have standard Unix permissions/ACLs, role based mandatory access control, and chrooting to choose from or combine to make it safer (not safe). In Windows you probably can use TCPA to improve security above what you get from standard ACLs.
In reality the only way to make it really safe regardless if you use FF or IE or something else is to pull the plug to the Internet, there is no such thing as safe software, and there never will be.
>>> 1) You get a better, more standards compliant browser.
You kidding right? What planet do you live on? A quick visit to google will enlighten you. Research before you speak drivel and waste everyone’s time.
>>> IE cause its simple and fast ??
Right. Yes. Good one.
Sorry I don’t follow.
How would a visit to google, prove that IE follows w3c specifications better than Firefox? For one thing the CSS support in IE is awful.
If you claim IE is faster than FF, perhaps you are right, I really don’t know, I haven’t done much research into the subject. Firefox is fast enough for me. The increased feature set and better standards compliance is enough reason for me to choose Firefox.
The poster was stating that FF is better and more standards compliant than IE.
Really hard to argue, uh?
Or are you implying that IE has better support for XHTML, CSS1 and CSS2, PNG and so on?
Are all those sites devoted to “workaround to IE rendering bugs” for designers/developers full of fantasies?
At least they don’t try to deny that the issues exist and are fixed almost as fast as they are found. M$ tries to either deny they have any or keep them hush, hush for months or longer while they try to fix them.
Not really. Several of this year’s fixed security vulnerabilities in Mozilla (including Firefox) dated back several years. There are numerous other security vulnerabilities that the Mozilla developers (and the world at large) have known about for months but refuse to fix. Heck, even Secunia has open vulnerabilities for Mozilla Firefox dating back to August of last year.
As soon as a browser has some security holes everyone is like I’m switching to Firefox, then Firefox has some holes. So I’m switching to Opera. That gets popular. I’m switching to Galeon, etc.. Where does it stop, at lynx lol. I’m using Firefox right now because I like the extensions and the feature set. If you like IE wait for Microsoft to fix the really bad security holes and use that. Or take a risk and learn about making your system secure. Usually a hole lets me learn some things (which I still have a lot to learn).
So, where is this greater security because it’s not ‘integrated’ into the system? People need to stop copy and pasting words like ‘integrated’ without understanding what the hell it actually means. Fortunately, I didn’t pick Firefox because it was ‘more secure’, so I couldn’t care less, but if the Moz Foundation and FF advocates want to stop making themselves look stupid, they should focus on something else besides FF’s so-called security.
What are we going to see next? Vulnerabilities that were fixed in IE and Opera years ago? If you use FF because it’s more ‘secure’, you better wake up to the reality instead of dreaming on.
more features
more exploits
looks like it is time to start yet another fork and slim down firefox this time
So some security problems have been found on Firefox and all of a sudden it is not a secure browser anymore?
What do you expect?
Software will never be 100% secure. If you want a system that is 100% secure against hackers, don’t connect it to the internet. Simple as that.
The difference is how the problem is dealt with, and at that Mozilla Foundation has done a respectable job. Have security flaws been found in Firefox? Yes. Will more security flaws be found in Firefox? Of course. But the thing is, MoFo has an active attitude when it comes to dealing with these problems. Something that has not been mentioned in this thread is the fact that by the time some of these flaws are published in online articles with the “oh noes Firefox is sooo insecure” theme, they already are fixed in the trunk, or there is at least some workaround dealing with the problem. Yes, right now to get the patches you need to reinstall Firefox, but that problem will no longer exist in 1.1
So if you want to go back to IE, sure, go ahead. But don’t be surprised if all of a sudden you get random ads and spyware. As insecure as you might want to make Firefox look like, it is definitively not the main door for malicious software on the web.
Speed? I don’t know. Maybe Internet Explorer launches faster and renders pages faster, but at the end, the biggest bottleneck is the interface. Any second that IE saves by rendering pages faster is insignificant if I already have the pages I am going to read in background tabs.
If you ask me, I’d say that for a 1.0.x release, Firefox is doing pretty damn good.
>>> 1) You get a better, more standards compliant browser.
<You kidding right? What planet do you live on? A quick visit to google will enlighten you. Research before you speak drivel and waste everyone’s time.>
I’ve been making web pages and looking for workarounds for IE CSS bugs is veeeeeeeeeeeeery annoying. Especially when it’s the only browser that shows the page wrong.
…so, mr researchers, why don’t you work on IE a bit, maybe your sechole/day ratio will grow a bit faster
To clear this up for people that don’t understand the problem, there are currently two overlapping vulnerabilities.
One affects extension installation and escalated privileges. update.mozilla.org temporarily fixed that problem, as long as you don’t have anything else in your Allowed Sites list. It’s recommended that you remove all sites from that list, and disable “Allow sites to install software”
The second issue involves javascript and stealing cookies, personal information, etc. This affects both Firefox and Mozilla Suite. Read the security advisory for the official word:
http://www.mozilla.org/security/announce/mfsa2005-42.html
It’s disappointing to see so many exploits in such a short period of time. Any browser will have them, but it’s been a nice couple of years without paranoia till now. I just hope this is fixed within a matter of a couple of days, and the binary patch update system works in 1.1.
Yes or no
<quote>
I believe this affects users on Windows, Mac OSX, and *nix. Me personally, I’m thinking about a jump to Opera. The security holes aren’t bad, but updating Firefox can be a PITA when all your extensions break and such – they really need to fix that.
</quote>
It is not true that your extensions break when upgrading. It was true before version 1.0 but it isn’t nowadays…