Firefox 0.10.1 Released, Fixes Security Hole 441
_xeno_ writes "Firefox 0.10.1 was released today to fix a security flaw that could potentially allow a malicious site to erase files from the user's Download directory. If you already have Firefox 0.10 installed, you can go to Tools, Options, and choose Advanced, go to Software Updates and choose Check Now to grab the patch."
done already! (Score:5, Informative)
This is what I call being secured.
Re:done already! (Score:2, Insightful)
I wonder what IE can do about this...
The Windows Update site takes a hell of a time to load and then scans at a snail's pace.
And live feeds are simply amazing... that's how I check Slashdot now, and got this post.
Great work guys.
Re:done already! (Score:4, Informative)
Firefox can scan a lot faster than Windows Update because it is only checking for updates to a single program.
Of course, Microsoft could make an option within IE to scan for IE-only updates, which would make updating IE much faster, but they don't.
Re:done already! (Score:4, Funny)
Of course, Microsoft could make an option within IE to scan for IE-only updates, which would make updating IE much faster, but they don't.
What is the point? Since IE is integrated into the operating system, updates require reboots even under Windows XP which is a lot better with regards to rebooting than previous versions. Anyway, even if the actual update is faster, you would still have to wait for the reboot.
I just updated Firefox in less than ten seconds, and I did not have to restart the browser, certainly not the entire operating system (Windows XP in this case).
Re:done already! (Score:5, Informative)
I ran into this same problem with the update under Linux. MS Windows users won't run into it since they are running as local Admin or have write permissions to the Firefox directory. When I ran it as root, it worked fine, so I take it the update needs to write to the root Firefox directory; it probably then updates your Firefox profile. As a normal user you cannot run the update, and it never writes to your profile. I think it was just a poor update design for this one update. Hopefully the Firefox team will fix it or fix this issue for future updates.
You could grab the latest firefox tarball from here [mozilla.org] and just untar it into your current firefox installation folder and restart.
Re:done already! (Score:2, Funny)
BTW, I tried to follow the upgrade instructions, but apparently the exploit doesn't affect the Linux version, so you folks might want to consider an OS upgrade while you're at it.
Re:done already! (Score:4, Informative)
Re:done already! (Score:3, Informative)
But, the name "1.0PR" is purely a marketing thing. The actual version number is 0.10, as you can see in the "Help -> About Firefox" screen where it says this:
"Firefox version 1.0 preview release"
followed by:
"Mozilla/5.0 (X11; U; Linux i686; rv:1.7.3) Gecko/20040914 Firefox/0.10.1"
That about sealed the deal there. The HTTP_USERAGENT string says 0.10.1, but the fancy-schmancy tit
Re:done already! (Score:5, Funny)
Re:done already! (Score:3, Informative)
Re:done already! (Score:4, Interesting)
Re:done already! (Score:3, Informative)
Re:done already! (Score:3, Interesting)
I was just over at a friend's place and made the pitch for FF... The response I got? "But I LIKE Internet Explorer". Tough pitch. She liked clicking on the blue "e" to surf the web instead of that strange FF logo.
I've switched a tonne of people already though. Many more converts on the way. The campaign for FF is on!
Re:done already! (Score:3, Funny)
As for the icons, well, it says "Mozilla" in the titlebar and she hasn't noticed that, either. I could probably give her firefox with a mozilla theme and she wouldn't notice. If she asks I'll just say there was an important system update or something.
Re:done already! (Score:3, Funny)
Seriously though, I didn't have the problem you stated... I wonder what caused it and why it affected you and not me? Did it happen as soon as you clicked the link, or when you tried to update? If it was when you tried to update, did you ever alter the list of sites that Firefox can install software from?
Re:done already! (Score:3, Informative)
Re:done already! (Score:5, Insightful)
It's very different to have an exploit in the wild and be able to prevent it in 3 seconds, versus waiting 1, 2... 10 weeks for a fix.
Re:done already! (Score:3, Insightful)
This may sound stupid... (Score:5, Interesting)
Re:This may sound stupid... (Score:5, Insightful)
Re:This may sound stupid... (Score:3, Funny)
Well, it would be quite frustrating if your download directory is your Desktop, home directory or any other place where you keep other files too.
Not to mention all the pron you have to download again.
Ricardo.
Depends on your download directory (Score:3, Insightful)
There are, however, a lot of users who pack all their stuff onto the desktop or into "My Documents" with no or little subfolders. For such use cases, the patch is indeed worth installing.
Re:This may sound stupid... (Score:5, Informative)
1. Suppose your download directory isn't dedicated to just downloads. Any files in that directory are vulnerable.
2. You don't need to uninstall and reinstall. As the article says, just go to Tools: Options: Advanced: Software Updates and hit the Check Now button.
Re:This may sound stupid... (Score:2)
Re:This may sound stupid... (Score:5, Funny)
Re:This may sound stupid... (Score:5, Informative)
defending this post worth losing karma (Score:2, Insightful)
has just been modded, within seconds of being posted, as "Flamebait".
How on earth is that post flamebait?
The article discusses a vulnerability.
kertrats asks:
How is asking others on /. for their insight into this vulnerability "flamebait"? Isn't that what /. is all about, discussion? He/she didn't bash on Mozilla, or t
Re:defending this post worth losing karma (Score:2)
Re:defending this post worth losing karma (Score:5, Funny)
The Gecko God of Mozilla and Open Source is a jerk. A complete kneebiter. Thanks for your time. Now I'm off to see Gentoo. Later.
Re:This may sound stupid... (Score:3, Funny)
Re:This may sound stupid... (Score:5, Insightful)
Any vulnerability that allows remote users to alter content is by definition critical. It doesn't matter if you think it's a big deal. There should be no unauthorized access to files, period.
Your non-critical files aren't 777, are they? Now why is that? Well, despite the fact that data is non-critical, recoverable or maybe even pure garbage, you still wouldn't want people to mess with it, would you?
Think about it: you probably have a lot of old stuff, bank statements and what not somewhere. That data is useless to me (value == 0). By your logic, I could just throw it all out since it doesn't matter to me. It may still be valuable to you though. And even if it weren't, you still probably wouldn't appreciate me going through your stuff and tossing whatever I don't deem important.
See, all attacks that allow any access control circumvention at all are critical. Just because it's not critical to you doesn't mean everyone feels the same way.
That's why disclosing the vulnerability and making an update available ASAP was a very good move on the part of the fine folks at Mozilla. I just wish there was a mechanism to do manual network-wide mass roll-outs of critical updates (i.e. rolling out critical updates immediately without having to wait for Firefox's periodic checks).
Am I the only one . . . . (Score:5, Insightful)
Re:Am I the only one . . . . (Score:5, Informative)
Re:Am I the only one . . . . (Score:3, Funny)
Re:Am I the only one . . . . (Score:3, Informative)
It's a traditional numbering scheme. I've used similar ones for about 15 years!
To eliminate some confusion, I tend to use numbers like this ...
... instead of ...
... since the leading zeros sort more easily!
The numbers break down like this:
Where
Version numbers seem odd? (Score:3, Interesting)
Ah nevermind (Score:3, Insightful)
Re:Version numbers seem odd? (Score:2, Interesting)
0.10.1 = Version 0, 10=October, 1=day of release.
Re:Version numbers seem odd? (Score:2, Informative)
Regards,
Steve
Re:Version numbers seem odd? (Score:2, Funny)
At each release point, this algorithm will be run and the version will be numbered accordingly.
Helpful bug (Score:5, Funny)
My download directory in Windows is my desktop. Have you seen my desktop? [man.ac.uk] It's a fairly old screenshot, too - it's only got worse since then. My iBook's equally bad, except everything's just randomly strewn around the place...
A bit of remote tidying-up would be greatly appreciated.
Re:Helpful bug (Score:2, Funny)
Re:Helpful bug (Score:2)
Re:Helpful bug (Score:5, Funny)
Re:Helpful bug (Score:3, Insightful)
Seriously, I hear there's a thing called folders you can use to store stuff. Might be worth a try?
When... (Score:5, Interesting)
Re:When... (Score:5, Informative)
http://bugzilla.mozilla.org/show_bug.cgi?id=259
Currently, it's not scheduled to be marked as public before 4th October. It's still marked as private so that people have an opportunity to upgrade before the details are made public.
Re:When... (Score:3, Informative)
Looking through Mozilla's Bugzilla [mozilla.org], it would seem as if the bug was first realised on the 23rd of September in a comment to bug 240068 [mozilla.org], and then had a separate security-sensitive -- and hence restricted access -- bug report opened yesterday. I'll leave others to comment on the acceptability.
Bugzilla links referring from Slashdot are blocked, so the above links will have to be manually opened unless your referrer header is obfus
No go (Score:3, Interesting)
Re:No go (Score:3, Informative)
Firefox will probably block it, but two more button-presses to whitelist www.mozilla.org for patch installations and you'll be able to apply it.
If this sort of thing continues they should definitely add www.mozilla.org to the default whitelist.
Cool. Upgrade Path (Score:5, Insightful)
Now if only Gaim does this.
Will
Re:Cool. Upgrade Path (Score:5, Insightful)
These hurt... (Score:4, Insightful)
Sure it isn't that bad, but nonetheless, it doesn't help Firefox's image at all, and looking at Secunia, Firefox has had more advisories than any other browser (yes, that includes Internet Explorer and the Mozilla Suite) since May this year.
Re:These hurt... (Score:5, Informative)
What you're seeing are the results of this program. People are finding bugs, submitting them, and the bugs are being fixed before blackhats can exploit them.
This is a very wise decision on the part of Mozilla considering how close they are to a v1.0 release.
Re:Nope (Score:4, Informative)
Re:Nope (Score:2)
Well then it was a hell of a coincidence that 1 second after my virus scanner picked up on the email, that my inbox was empty. Complete and total coincidence. Of course, I've only been using email since about 1994. I could be wrong.
Re:Nope (Score:3, Informative)
A proper virus scanner should be scanning incoming e-mail _before_ it hits your hard disk (through the use of a Winsock LSP), not after. Both Norton and NOD32 implement this type of scanning.
If it only picked up the virus after it's allowed Thunderbird to write it to disk, and then "cleaned it", then it has effectively nuked your inbox for you, since Thunderbird keeps all your e-mail for a given folder in 1 file.
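The failure mode described in this comment, as an added example that is not the commenter's own code: Thunderbird's folder files are mbox-format, so a scanner that "cleans" at file granularity drops every message in the folder, while a scanner that works at message granularity quarantines only the flagged message. The mbox content and the malware marker below are constructed; the marker simply stands in for whatever signature a real scanner matched.

```python
"""Message-level vs. file-level cleaning of an mbox folder (constructed example)."""

# Constructed sample mbox with three messages; the middle one carries a
# marker that stands in for a scanner signature hit.
SAMPLE_MBOX = (
    "From alice@example.com Mon Sep 27 10:00:00 2004\n"
    "Subject: lunch\n\nSee you at noon.\n\n"
    "From mallory@example.com Mon Sep 27 10:05:00 2004\n"
    "Subject: invoice\n\nX-CONSTRUCTED-MALWARE-MARKER\n\n"
    "From bob@example.com Mon Sep 27 10:10:00 2004\n"
    "Subject: re: lunch\n\nNoon works.\n\n"
)

MARKER = "X-CONSTRUCTED-MALWARE-MARKER"  # placeholder for a real signature


def split_mbox(text):
    """Split mbox text into messages. Each message starts at a line that
    begins with 'From ' (the mbox separator); MUAs escape body lines that
    start with 'From ' as '>From ', so the separator is unambiguous."""
    messages, current = [], []
    for line in text.splitlines(keepends=True):
        if line.startswith("From ") and current:
            messages.append("".join(current))
            current = []
        current.append(line)
    if current:
        messages.append("".join(current))
    return messages


def file_level_clean(text, is_infected):
    """The behaviour the comment describes: the scanner sees one infected
    file and removes it, taking every message in the folder with it."""
    return "" if any(is_infected(m) for m in split_mbox(text)) else text


def message_level_clean(text, is_infected):
    """Quarantine only flagged messages; return (kept_mbox, quarantined)."""
    kept, quarantined = [], []
    for msg in split_mbox(text):
        (quarantined if is_infected(msg) else kept).append(msg)
    return "".join(kept), quarantined


def marker_hit(msg):
    return MARKER in msg


def demo():
    """Return (messages before, left after file-level clean,
    left after message-level clean, number quarantined)."""
    before = len(split_mbox(SAMPLE_MBOX))
    after_file = len(split_mbox(file_level_clean(SAMPLE_MBOX, marker_hit)))
    kept, quarantined = message_level_clean(SAMPLE_MBOX, marker_hit)
    return before, after_file, len(split_mbox(kept)), len(quarantined)


if __name__ == "__main__":
    print(demo())  # (3, 0, 2, 1)
```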
Re:These hurt... (Score:2)
In other words, it's beta. This kind of stuff is going to happen.
Aside from that rather mediocre detail, rather than counting the number of holes in something, try and take a look at the period of time that exists between initial discovery and when the hole gets closed.
Re:These hurt... (Score:5, Informative)
And how many are there in IE that we haven't found yet? The dangerous exploits are the ones we don't know about.
And besides, do you expect Secunia to have all the security flaws from when IE was in beta? Or do you find it strange that a beta product has had more security flaws found in the last 6 months than the one that's been around and insecure for years.
Not to mention that none of the advisories were ranked "extremely critical", and only 2 were critical.
Not too bad for a beta product. Also (from Secunia):
Currently, 19 out of 60 Secunia advisories, is marked as "Unpatched" in the Secunia database.
Currently, 2 out of 13 Secunia advisories, is marked as "Unpatched" in the Secunia database.
Which would you trust?
it's nice to see ms finally losing the browserwars (Score:2)
Re:it's nice to see ms finally losing the browserw (Score:5, Interesting)
Note that the Opera browser shown in Rank 3 should not be taken as accurate as this merely runs a "ticker" on auto-refresh setting every 10 minutes.
 #   Hits      %    User Agent
 1  31005  15.75%  Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
 2  20925  10.63%  Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;
 3  11074   5.63%  Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) Opera 7.50
 4  10596   5.38%  Opera/7.50 (Windows NT 5.0; U) [en]
 5   9893   5.03%  Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko
 6   8281   4.21%  Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
 7   7856   3.99%  Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; FunWebProd
 8   6113   3.11%  Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
 9   5286   2.69%  Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)
10   4868   2.47%  Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1;
11   4795   2.44%  Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6) Gecko
12   2915   1.48%  Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2) Opera 7.50
13   2885   1.47%  Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.4) Gecko
14   2783   1.41%  Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)
15   2645   1.34%  Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) Opera 7.54
Re:it's nice to see ms finally losing the browserw (Score:4, Insightful)
Re:it's nice to see ms finally losing the browserw (Score:2)
Evidence like this is worthless without a clearer picture of your target audience, number of hits, etc., etc.
Remember too that the giant OEMs like Dell continue to ship seven to nine million XP-SP2 systems each month with IE 6 installed as the default browser.
On Linux the advanced items are ... (Score:5, Informative)
Probable bug . . . . (Score:5, Informative)
Seeing the error message and remembering this fact, I lit Firefox as root and ran the update. This left Firefox mangled and incapable of downloading things from the user accounts.
The moral of the story: do be careful using the update thingy. Now, off to fill out a bug report.
Re:Probable bug . . . . (Score:5, Informative)
Re:Probable bug . . . . (Score:3, Informative)
Don't have that menu option (Score:2)
Is the terminology different on different versions?
Re:Don't have that menu option (Score:4, Informative)
I guess that's because of the GNOME integration...
Re:Don't have that menu option (Score:2)
Reminds me of the old Netscape days.
Re:Don't have that menu option (Score:2)
Preferences --> Advanced --> Software Update
Hope this helps -- and slashdot -- please check that *all* OSs have the same update instructions.
david614
Re:Don't have that menu option (Score:2)
Linux users, take note (Score:5, Informative)
If this doesn't work, of course, you'll have to download and install, which is almost as painless as the upgrade frob. The red 'upgrade' icon may still be present, so you'll have to click that so that Firefox will find that all is well with the world.
As always, YMMV.
Re:Linux users, take note (Score:4, Informative)
Upgrade was even easier then described... (Score:4, Interesting)
Best way to find out ... (Score:3, Insightful)
No software is perfect; any software that has any contact with the internet can have an exploit. It all depends on how fast the developers are able to discover and fix the problems.
Don't upgrade (Score:5, Funny)
I would consider this a feature more than a bug. It's like someone breaking into your house and taking out the garbage for you...
Re:Don't upgrade (Score:3, Insightful)
Or for most of us, it would mean someone breaking into your house, shredding your porno mags, demagnetizing the VHS porn, and scratching and shredding the DVD porn... bastards!
Explaining 0.10.1 (Score:5, Insightful)
The reason (as far as I know) that Firefox uses this versioning scheme:
If 1.0PR would have a version-tag with 1.0 in it, it would be more complicated for (for example) extensions to differentiate 1.0PR and the real 1.0. And home-users would probably not even get to see these version-numbers. They would just notice there is a new update.
And about the bugs, I know I'm stating the obvious, and that it's been said before in this thread, but I'll try again:
First of all, because Firefox performs so well people tend to forget this is still beta-software! Second, these bugs are discovered partially because of the bughunting program with rewards. So these bugs could well have existed for months before being discovered. It's good news they have already been squashed! And third, some of these bugs actually appeared because of the way Windows fucks up! (Remember the shell:// protocol?)
Hope this helps,
XoloX
Helping people emigrate from MSIE etc. (Score:3, Interesting)
I haven't done (ms-)windows since the beginning of time and since he doesn't know *anything* about computers it was hard trying to figure out what might've been the problem, but it sounded like the typical standard unprotected ms-windows setup that was probably also loaded with spam and ad-ware, bogging down even his simple efforts at browsing the web.
Knowing that quite a few people here have experience with cleaning up the standard MS-install mess, I would like to ask what needs to be done to plug the major holes and deficiencies in a new MS setup?
Firefox is an obvious rescue tool to replace MSIE so are there any issues when installing it or does it automatically and painlessly migrate all necessary MSIE data?
And what about utilities to remove the spyware his machine may already be infested with? Any suggestions?
I'm hoping to be able to burn all these goodies on a CD to give him so I also wonder whether they're easy enough to operate by a total non-techie?
Since his "computing needs" appear to be very simple I'm also giving him a Linux liveCD (perhaps Ubuntu-based Gnoppix would be a good starter with its simplified GUI and it also comes with Firefox) to try out and play with but before completing his conversion I'd need to evaluate how well e.g. OpenOffice.org fulfills his needs at this point.
Re:Helping people emigrate from MSIE etc. (Score:3, Interesting)
I also usually try to get them to install a router wit
Automatic stuff == bad security (Score:5, Insightful)
Why not just design a browser that works on multiple platforms, using an established cross-platform GUI such as wxWidgets, rather than going away to create a browser and coming back with another new, slow, bloated, universal uber-platform swiss-army-knife UI language... yeah, I know, "Do it yourself dude", and plenty of geeks out there just love the customizability of XUL, but truthfully all I want is a fast, small browser. It just seems like everything is getting larger, slower and more bloated these days. Even Firefox, which is supposed to be sleek and fast, runs like a dog on my workstation. I don't see why I should have to upgrade my computer just for a fricking browser, when every other piece of software that I use runs just fine thanks very much.
I don't hate Mozilla, these are just my honest reactions to the whole affair over the last couple of years.
Re:Automatic stuff == bad security (Score:3, Informative)
Re:Automatic stuff == bad security (Score:5, Interesting)
To provide full support for the W3C standards, you need widgets that provide very specific capabilities. Toolkits like wxWidgets have the opposite goal: they work by hiding specifics from the application programmer. There is a fundamental mismatch between the two.
If you want to fully support all the standards that make up the web across different operating systems, you end up with something like Firefox. It's not primarily some geek pride thing (although that always plays a role); it is primarily a consequence of the complexity and scope of the standards involved.
It isn't completely automatic (Score:3, Informative)
"Who doesn't think that this kind of thing will have endless potential for hackers to exploit in the years ahead."
Don't you think they've thought of that? Update installs are coded for mozilla.org only and I expect other layered security to come as well. Give them a little credit already. When mozilla/firefox becomes t
Re:Automatic stuff == bad security (Score:3, Informative)
I don't think that. Because Mozilla uses whitelisting to mark servers you're allowed to install from. If you try installing from another server, it throws up an error. A user would have to manually add a server to the allowed list before an exploit could be installed. Of course, there might be a bug in the
0.9.3 is *VERY* lame security-wise. (Score:2)
Ok with the release of 1.0 it's been fixed, I grant that, but still, I'm really annoyed after seeing this. And while at it, why do we have to go so deep to get updates? there should be an upgrade butto
Too Complicated? (Score:5, Insightful)
Re:Too Complicated? (Score:5, Funny)
More information, please (Score:2, Insightful)
Though a much more serious bug remains unfixed... (Score:5, Funny)
Just because most of us don't live in South America doesn't mean it isn't huge problem.
Re:Though a much more serious bug remains unfixed. (Score:3, Funny)
ooh, bugzilla you sassy wench
Update/Extension Install permissions control (Score:3, Interesting)
Another flawless Install, but... (Score:5, Insightful)
Re:WTF?? (Score:5, Informative)
Firefox 1.0 has *not* been released yet.
The current (Firefox 0.10.x) is a preview of what will become 1.0 when it is released (thus PR).
Re:luckily for me... (Score:2)
Re:luckily for me... (Score:3, Funny)
Re:luckily for me... (Score:4, Informative)
Um, no. That is absolutely not the case. The information bar and the trusted sites list are simply a user convenience/information mechanism like the pop-up blocking bar. After adding a site to the whitelist, a user still has to agree to the software installation. A site cannot "insert arbitrary code into your Mozilla install without your knowledge" because the install doesn't happen until you agree to the install. There are no prompt-less installs.
--Asa
Re:but which idiot decided... (Score:3, Funny)
OS difference (Score:3, Informative)