High priority...
and we have to wait 5 days?
Now I know that's faster than M$ or Apple will respond, but it's still a long time to be wandering naked on the interwibble!
Mozilla's security team is rushing out a fix for its flagship Mozilla browser following the public release of attack code that targets a previously unknown vulnerability. The exploit was released Wednesday online. It attacks a vulnerability present on Windows, Mac and Linux versions of the browser and could be used to …
https://bugzilla.mozilla.org/show_bug.cgi?id=485217
Status: RESOLVED FIXED
Well, if you want a fix you do not have to wait at all, you can compile a fixed version and even release the fixed version for others to use.
If you want a fix that has some assurance that it won't cause more problems than it prevents then you may want to wait.
Forgive my ignorance, but wouldn't disabling JavaScript and Java in the Content tab of Firefox's options do exactly the same thing as running NoScript - with the exception that you don't have the option of allowing scripts you think might be safe?
Most users have no idea whether these scripts are safe anyway, so it's not really like you're losing much. Just because an advert comes from a website like CNN doesn't necessarily mean it's a good idea to let it run.
Surely it's easier just to turn it off, as it seems java is the #1 cause of Firefox vulnerabilities. This is nothing new, it's been this way since the days of the Mozilla browser/email suite. Pretty much every other month another javascript related vulnerability (usually several years old) becomes publicly known and needs fixing. And not every fix has worked as intended.
There have been entire versions of Mozilla that we were advised never to turn on Javascript because of known problems - and the advice usually came from Mozilla themselves. You have to at least congratulate them on their honesty, I'm pretty sure Microsoft would just greet the problems with a wall of silence.
And whether these problems stem from Sun's sloppy coding or from the Mozilla foundation I have no idea. But what I can guarantee is in a few months yet another javascript related issue will be 'discovered'.
Doesn't mean I'm switching back to the mother of all security fails though. I'd rather take my chances with Firefox over any incarnation of IE.
Well it actually does a fair amount more than that.
You can browse which domains are trying to run script and enable only the ones that you trust and permanently disable those that you are suspicious of.
Unless I have a very good reason, I disable all by default and only enable script for the domain directly hosting the page I am using and only then if I find the page is not functioning, which isn't all the time, just sometimes.
@Andy Bright:
You seem to think that JavaScript and Java are the same thing. They are not. Most problems in Firefox stem from *JavaScript*, and Sun has (and had) nothing to do with it.
The only thing they have in common is that when Sun released Java in '95, Netscape thought they could use the hype by rebranding their LiveScript product to JavaScript.
That's fine if you're happy with browsing just one page on a site with JS navigation, not being able to use any streaming video (YouTube, Veoh, god forbid Break), any rich content apps (Google Docs, Bookface) etc... Essentially, it's fine if you want to browse the web as it was a decade ago.
....usual..
Firefox is indestructible.....
Linux / Mac are perfect and unexploitable.......
interesting the trolls were so quick to slag off a BETA version of IE8 on Windows.....
Normal people know that all platforms are exploitable....
as for Opera being perfect....
When was the last hack you saw for Netscape v1 or IE1?
Doesn't that make them even more secure?
Market share dear ladies......
" Chrome and Opera round out the top five with 1.15 percent and 0.71 percent, respectively."
Source:
http://www.pcmag.com/article2/0,2817,2343767,00.asp
So why bother targeting something with less than 1% share?
They've found a problem so they are fixing it.
As opposed to:
Shit, there's another problem, let's wait until Tuesday, no the Tuesday after that, wtf? which Tuesday? oh fuck it, let's just hope no one notices and we'll do it in a couple of weeks' time.
Although doesn't Sandboxie & NoScript help stop this sort of stuff? I've always assumed that no web browser will ever be 100% secure & used add-ins to make it a bit harder to break.
Inclusion of a fix into nightly builds is _not_ a resolution. The resolution comes when the rollout is commencing and the fix is installed on joe user's browser. I'm currently running FF on Windows and Fedora10, I haven't been told to install a fix on either and they've been running all morning. It is therefore not fixed.
@ Andy Bright
Maybe I'm just as ignorant here, but from what I know Java and Javascript are totally different beasts. I don't see anything in the article saying that this is a Java problem, and suddenly Sun get a slating for 'sloppy coding'.
Also, call me petty, but there is a greengrocer's apostrophe in the article...
"a master's candidate" implies that someone is a candidate belonging to a master, rather than a candidate for a masters degree.
So you headline a security hole which was published openly in the past couple of days and has already been fixed.
Can you update your sensationalist story stating that it's fixed?
Of course if this was IE Microsoft would still be sitting on their arses with a "possible" fix a few weeks down the line.
Because people might like to *know* about it?
It may astonish you to learn that the principal function of journalism is to inform rather than simply to carp. Top billing doesn't mean "These guys are the biggest wankers at the moment." It means "This story is most likely to interest you at the moment." You may disagree with that verdict, but I think a significant vulnerability in the browser used by probably *most* of the readership is a reasonable candidate for that billing.
Of course, if El Reg are going to indulge in responsible and impartial *journalism* then I think it is time to stop reading and get on with some work.
"Surely it's easier just to turn it off, as it seems java is the #1 cause of Firefox vulnerabilities."
If you think that IE8 without compatibility mode would "break the web", can you imagine running any browser without JavaScript?
NoScript makes poorly written sites look like crap. It breaks huge amounts of stuff. For that reason, no-one in my family uses it - it's too much hassle to whitelist (or temporarily allow some sites) as they go along.
Their loss. I'd rather have a sub-par but safe initial site experience than get shafted because I'm lazy.
The advantage of NoScript over arbitrarily disabling JS is that it's easy to turn it back on again for sites you do trust. Remember, some sites have sniffers and just fail to display anything if you're not running javascript (or they display "helpful" instructions on how to turn it on). I tend to ignore these as pretentious, but every now and again, you do need to look at them...
This shows the risk of using the fringe browsers. We must all take heed from this story and not spread using the insecure ones.
If you see on the Internet Explorer they have the padlock which tells you all is well. On the Jav ones they cannot do this with the full knowledge of our safety. Who is to know if a terrorist has my password once you have been on the web pages with a Javs browser like this Firefox one?
'RESOLVED FIXED'? You guys should know better. The vuln will only be fixed once it's rolled out to all users using FF's automatic update system. Oh, wait, let me show my grandma how to compile FF...
The fact is that NoScript is the only thing keeping FF reasonably secure these days, and that heavily relies on users showing a decent amount of discretion, as it's easy to rig a website to lure people into enabling scripts.
Opera, Chrome, even IE8 on Win7 are probably better options if you go browsing dodgy sites.
Paris, because she's weeping over the state of FF security.
Since many sites require JavaScript to be switched on, simply disabling this leaves you unable to use many internet banking and commerce sites -- OK, that is _much_ safer, but it also pretty much defeats the object of using Firefox in the first place -- if you have no personal information to lose, or no sites that can be spoofed, you may as well just run IE.
@imacoder.net:
When they do simple things like cookie, image and JavaScript whitelisting I might give Opera a go again, until then I'll use a browser that doesn't piss me off with popups every time I change the page.
It would be nice if you provided a brief 2 sentence explanation of the preferred config. I need to know what to do to my 2.0.0.20 installs that they aren't going to update. It's probably already set that way but it would be nice to know. And no, I can't just upgrade to 3.x, 2.0 is in use on several of my NT machines where Firefox 3 isn't supported. I guess they can't render that stupid remote control forward/back button without DirectX or something.
Oh, we were just waiting for you to get close enough for us to see the whites of your eyes before opening fire.
What's really interesting to my mind is that because of bad parsing by IE, the flaw is actually more dangerous when IE passes the flaw to FF.
As other posters have noted, FF didn't try to sweep this under the rug or obfuscate the danger of the exploit like MS did with the IE critical flaw revealed at the same show. There was no "DEP prevents this on the public release" statement that needed to be retracted 24 hours later. The fix will be autodeployed shortly and for those who are adventurous enough to compile their own code, a fix has already been released. Not possible with MS. No, I think Mozilla handled this pretty well. I also have some level of confidence that unlike MS, Mozilla will have a real 'lessons learned' meeting of the programmers after the fix has been fully deployed to make sure similar errors don't happen in the future. With MS I just expect a recap of events by the marketing team, with an eye toward how to spin it better next time.
"meh meh meh meh meh, firefox is secure and IE is rubbish". Well you're not preaching now are you!
wake up and smell the coffee fox-lovers. your beloved firefox is subject to the same facts of life as any other bit of software.
if this was an IE story you'd all be gathering like hounds to have a pop-shot at the incumbent.
hypocrites the lot of you. except the 'normal' minority who just use whatever tool they need to get the desired task done, regardless of the sticker on the box.
FF, Safari, IE, Chrome etc. Really - and i want you to take a good long moment to consider this very carefully:-
who gives a shit?
get your FF patched and the web will be a marginally safer place again until the next browser hole is found - and the sharks circle again to throw their 2 cents worth in.
Paris - cos she's had every square inch of her body browsed, and renders fairly well in them all.
"Remember, some sites have sniffers and just fail to display anything if you're not running javascript (or they display "helpful" instructions on how to turn it on). I tend to ignore these as pretentious, but every now and again, you do need to look at them..."
I really appreciate the sites that say, "You can view stuff here without JavaScript, but if you want to use our secure payment system to buy, you'll need to enable it." So if I'm willing to trust them with my money in the first place, I'm OK with them doing JavaScripting for form validation and all that. I wish I didn't have to open it up in all-or-nothing, but that's the slippery slope of allowing someone else's code to run on your computer.
The sites that present nothing - or, worse, silently fail during a payment transaction when JavaScript is off - really irk me.
How strange, I don't use NoScript, but I've yet to experience any problems caused by JavaScript hacks in Firefox.
It's probably because I have some common sense and don't visit the kind of sites (warez/pronz) where these exploits are hanging around, nor blindly follow links like some kind of digital sheep.
These exploits are for the stupid and unwary, who frankly deserve everything they get.
Eddie Johnson Posted Friday 27th March 2009 13:09 GMT
I need to know what to do to my 2.0.0.20 installs that they aren't going to update. It's probably already set that way but it would be nice to know. And no, I can't just upgrade to 3.x, 2.0 is in use on several of my NT machines where Firefox 3 isn't supported.
The answer is to wait until April 1 when 2.0.0.21 with the fix will get released per this posting (which was the 2nd in this thread):
Rick Stockton Posted Friday 27th March 2009 00:34 GMT
Long before you ever posted this article... It's already in this morning's "nightly" builds on all platforms, and they've fixed Firefox 2 as well as FF 3.0 and all the Development versions.