Unpatched Firefox Flaw May Expose Users
Corrado writes "CNET is reporting on a new Firefox flaw." From the article: "The problem lies in the way Firefox handles Web links that are overly long and contain dashes, security researcher Tom Ferris said in an interview via instant messaging late Thursday. He posted an advisory and a proof of concept to the Full Disclosure security mailing list and to his Security Protocols Web site...The public bug disclosure comes just as Mozilla released the first beta of Firefox 1.5. The final release of the next Firefox update, which includes security enhancements, is due by year's end, according to the Firefox road map."
Tell all your friends! (Score:5, Insightful)
Well, just another bug (Score:2, Insightful)
Unacceptable (Score:3, Insightful)
We rightly criticize Microsoft for not responding to security concerns in a timely manner. I hope the Mozilla Foundation will be held to the same standard.
He sounds like a self-promoting twit (Score:4, Insightful)
Re:Flaws (Score:4, Insightful)
A browser is a complex piece of software, of course there are going to be subtle bugs that turn up now and then. Nobody is perfect, and visualizing every possible execution path through a billion SLOC application is impossible. Please stop making a fuss about "OMG BROWSER DoS!!".
Re:Patent infringement (Score:5, Insightful)
Yes, but would you have said the same thing if you had replaced the word firefox with the word windows in that sentence? I say that only because that's what WAU does these days, though I forget for how long it has been doing the binary diffs. I think that came along with the latest BITS update sometime in early summer this year, but can't be sure. Just FYI.
Re:Tell all your friends! (Score:5, Insightful)
"If you have gotten your non-techie friends to switch to Firefox, be sure to tell them about this problem and the possible fixes. Indeed, it is very important that Firefox be kept up to date on as many computers as possible"
Not trying to troll here, but...
Couldn't the same be said for IE or any other browser? If you have non-techie friends that could be vulnerable on any platform, wouldn't letting them know how to check for security updates be the right thing to do?
Should you let them flounder and possibly become zombies for some nefarious spam network because they don't use your "preferred" browser?
Personally, I use Mozilla at home because I like it much better, and encourage all my friends to do the same, but I'm not above recommending security updates to those who choose not to use Mozilla/Firefox.
Works only in Fx 1.5beta1, 1.0.6 is not affected! (Score:2, Insightful)
This flaw is only present in Firefox 1.5beta1, 1.0.6 is not affected.
So if you are worried just keep using the stable version until at least the next beta release and be happy.
The Mozilla codebase quality is questionable. (Score:3, Insightful)
It doesn't help that a lot of the documentation is out of date, often by several years. Nothing is worse than incorrect or outdated documentation, which can often lead to incorrect code being unintentionally added.
While a rewrite of Mozilla is of course out of the question, there should perhaps be some procedures in place to clean up the code base, and ensure that documentation is correct. Performing such basic engineering practices is what results in quality products, be it software or bridges.
possible bugzilla bugs (Score:5, Insightful)
https://bugzilla.mozilla.org/show_bug.cgi?id=3069
https://bugzilla.mozilla.org/show_bug.cgi?id=3070
BTW, why is it necessary that so many bug reports be hidden? They can't all be valid security bugs, can they? Besides, full disclosure and an open development model go hand-in-hand.
-molo
Re:Flaws (Score:1, Insightful)
You are a moron. How is the heap overflow going to be exploited? Are you serious? Go look up exploiting buffer overflows. You obviously don't know what the hell you are talking about, and you obviously know nothing of how programs run in memory. Sure the heap overflow is just crashing your browser now, only because it is accessing memory it isn't supposed to. I am sure some nop's and jmp statements could point it in the right direction.
"This looks like a regular crash"
You keep thinking that!
"Nobody is perfect, and visualizing every possible execution path through a billion SLOC application is impossible."
Hahahahahaha, no comment here because your stupidity speaks for itself.
"Please stop making a fuss about 'OMG BROWSER DoS!!'"
Stop pretending this flaw isn't harmful, and "only a crash". Buffer overflows are serious.
Re:Well, just another bug (Score:4, Insightful)
MS vs Firefox is irrelevant (Score:5, Insightful)
Honestly, who cares? Why does this have to be compared to a Microsoft response? Why can't this just be viewed as an event in its own right and not constantly looked at as some insult which might be handing Microsoft an edge?
Objectively, if I use Firefox I have no interest in how Microsoft might have responded to a similar situation. I am purely interested in the Mozilla response (which I'm explicitly not passing judgement on in this post). Can people give it a rest with the constant defensiveness against Microsoft?
Cheers,
Ian
what a whiny runt. (Score:3, Insightful)
and basically he acts like 4 days is all he needs to wait.. and apparently Mozilla isn't doing enough for this?
Mozilla isn't Microsoft or Cisco in two categories.
A. They aren't ultra large corporations that can fix stuff in an instant.
B. They don't ignore problems, especially like this. They're likely working as fast as they can and they are willing to admit fuckups, but they want to have a fix for the fuck up first.
We don't need everyone running around thinking that EVERY company conducts business the same way that Cisco does... How all of them are part of a conspiracy. Firefox is getting known in the industry to be basically good at avoiding problems other browsers have and fixing major bugs.
By having a guy run around like this only 4 days (notice the dates in that link) it can only cause a higher likelihood that someone will use that find maliciously and Firefox will get blamed for it when it's really the disclosure that's the problem.
The fact is those of us who find these bugs need to give the company time to react, we don't need to act like they don't care. 4 days is hardly enough unless he got back a letter that said screw you, which it doesn't sound like he did. Giving Full Disclosure the first time you hear about a problem, just creates a bigger problem because now more people will learn of the problem.
And there's a definite difference between waiting a couple months like the Cisco incident where the company was being forced into an uncomfortable position and waiting less than a full week with apparently no provocation.
Re:He sounds like a self-promoting twit (Score:5, Insightful)
Aren't firefox users heading back to IE over this? (Score:5, Insightful)
Re:Tell all your friends! (Score:5, Insightful)
The ridiculous part, though, is that software doesn't *have* to be vulnerable to buffer overflows! We've had languages for more than 20 years that are completely invulnerable to such a simplistic attack. Even C/C++ have large numbers of libraries available to make such overflows a thing of the past. Yet here we are in 2005 and the number one exploit across systems is still...
(wait for it)
Buffer overflows.
Am I the only one who's getting just a smidge annoyed by this? No wonder we don't have any flying cars! We can't debug the darn things worth a damn!
Wow, I thought only.... (Score:3, Insightful)
Were the people championing these other browsers lying to me, or just ignorant of the fact that all software when given mass distribution will exhibit growing pains and exploits will be found no matter how good the programmers think they are?
Hm... (Ok, mark this as Flamebait - even though what I say is factually correct.)
Browser Bugs/Flaws? no way! (Score:2, Insightful)
Re:Interesting... (Score:3, Insightful)
But the opposite is also true...it's a proof that it's much easier to debug open sourced applications.
By the same token (Score:1, Insightful)
Re:Well, just another bug (Score:3, Insightful)
Every few weeks there's evidence that I was correct
Anyway, I use both IE and Mozilla (which appears to crash more often than IE and worst of all you can't easily launch multiple independent Mozilla processes).
For security, my normal IE has active scripting off - which seems to prevent most security bugs from working. For sites which require javascript and IE, I use IE in a virtual machine.
At work, I use mozilla and set it up to run using a different user account from my normal user account, so it will be harder for exploits to affect my normal user files. I used to do that for IE in my prev office - I had XP there and it's easier to do that with XP. But the vmware thingy is good enough I guess
Once you do stuff like this, it's harder for browser exploits to do significant harm to your system. It can still do harm to other people's systems unless you have other firewall stuff or other countermeasures.
p.s. Same goes for Linux vs Windows security. The same Joe Average users are as likely to update Linux systems as they are to update windows systems (typically never).
Re:Firefox is the fix for Internet Explorer proble (Score:5, Insightful)
I deployed Firefox on the corporate network to improve security. Five updates later, I'm explaining to my manager that Firefox, just like IE, is full of security holes that need to be patched.
Unlike IE, Firefox can't be updated through Windows Update and it doesn't have a patch release cycle. That makes it harder to plan for and harder to deploy Firefox patches.
Having "fewer" vulnerabilities than IE isn't good enough - particularly when your patching system sucks. Open source can do better.
Re:The Mozilla codebase quality is questionable. (Score:3, Insightful)
Just so people don't think that means the upcoming SeaMonkey [mozilla.org] release will be using shoddy code, I'd like to point out that code review for firefox-only code is significantly less thorough than review for suite-only code. In many cases, large Firefox patches have been checked in with no code review at all! On multiple occasions when porting features from Firefox to SeaMonkey, the patches were initially rejected due to code quality, and had to be fixed up.
Re:Buffer overflow (Score:3, Insightful)
"Security is a process."
Being open source programmers doesn't make them perfect programmers. Not working at Microsoft doesn't make them perfect programmers.
The phrase never said, "given enough eyes, there are no bugs." It said "given enough eyes, all bugs are shallow." That phrase even admits there will be bugs. Security is a process, not an accumulated number of crash bugs.
I would hope Firefox has fewer overflows than IE, only because that would mean less headaches for me, and less bad press.
Re:It should be noted (Score:1, Insightful)
It is very time consuming and difficult and you have to track down all the corner cases and have a good selection of normal use stuff, but it can be done.
I wrote something in a day, and then spent a week writing a test harness and testing everything out inside gcov to ensure that the test cases covered every line of code.
I found that I could test and fix all sorts of bizarre bugs before we ran into the problems in normal use and this testing allowed me to put the code into use in dozens of places with no new side effects discovered.
You will find that proper testing is 10 times more time consuming than writing the code module that implements the functionality in the first place.
And additionally when you find a bug in your implementation you should add the bug to your testing system to ensure you can detect the issue, and then fix it and run the tests again to ensure you didn't break anything else in that code module. At this point your testing harness will slowly grow and develop on its own as long as you take the time to maintain and expand it.
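
An added illustration of the practice described in the comment above (not the commenter's code and not Firefox's): every boundary or past bug becomes a row in a table-driven harness, and canary bytes placed after the buffer catch an out-of-bounds write even when nothing crashes. `copy_host`, `HOST_MAX` and the inputs, including the overly long run of dashes, are constructed for this sketch.

```c
#include <stdio.h>
#include <string.h>

#define HOST_MAX 64   /* assumed limit for this sketch */

/* Bounded copy that rejects instead of truncating: 0 on success,
 * -1 if src is NULL, empty, or does not fit with its terminator. */
int copy_host(char *dst, size_t dstsz, const char *src)
{
    size_t n = 0;
    if (!dst || dstsz == 0) return -1;
    dst[0] = '\0';
    if (!src) return -1;
    while (n < dstsz && src[n] != '\0') n++;   /* never scans past dstsz */
    if (n == 0 || n >= dstsz) return -1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 0;
}

/* Constructed regression cases: fill byte, input length, expected result. */
static const struct { char fill; size_t len; int want; } CASES[] = {
    { 'a', 11,            0 },  /* ordinary host */
    { 'a', HOST_MAX - 1,  0 },  /* longest host that fits */
    { 'a', HOST_MAX,     -1 },  /* off by one: no room for the NUL */
    { '-', 4096,         -1 },  /* overly long run of dashes */
    { 'a', 0,            -1 },  /* empty */
};

/* Runs each case against a buffer followed by canary bytes, so a write past
 * the end is caught even when nothing crashes. Returns the failure count. */
int run_regressions(void)
{
    static char src[8192];
    int failures = 0;
    for (size_t i = 0; i < sizeof CASES / sizeof CASES[0]; i++) {
        struct { char buf[HOST_MAX]; unsigned char canary[16]; } g;
        memset(g.canary, 0xA5, sizeof g.canary);
        memset(src, CASES[i].fill, CASES[i].len);
        src[CASES[i].len] = '\0';
        int got = copy_host(g.buf, sizeof g.buf, src);
        int intact = 1;
        for (size_t k = 0; k < sizeof g.canary; k++)
            if (g.canary[k] != 0xA5) intact = 0;
        if (got != CASES[i].want || !intact) failures++;
    }
    return failures;
}

int main(void) { printf("failures: %d\n", run_regressions()); return 0; }
```

Building the harness with coverage instrumentation and inspecting it with gcov, as the comment describes, shows whether the table reaches every branch of `copy_host`.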