Serious Vulnerability In Firefox 2.0.0.12
Oh, Not Now writes "Mozilla Firefox 2.0.0.12, mere hours old, is vulnerable by default to a directory traversal trick, via the view-source mechanism. Although mitigated by the NoScript plug-in, this is quite a serious bug — the default installation is vulnerable from the get-go."
Damn it all (Score:5, Insightful)
Oh, well, just one more unlocked door in the grass hut I call a computer.
Re:* Stops download of newest Firefox * (Score:5, Insightful)
I cannot work out from the article whether older versions of Firefox are vulnerable or not.
If it's an unfixed bug from previous versions you should continue to download.
Which would you rather:
have 20 known vulns in the wild (stay as you are),
have 1 known vuln wild (latest update).
Until we can be certain though, just click pause
or just visit sites you trust (Score:4, Insightful)
Re:* Stops download of newest Firefox * (Score:3, Insightful)
Re:Fixed is hours! (Score:3, Insightful)
You're living in the past. Everyone knows IE6 was horrible. I'm running IE7 under protected mode. If you're going to talk shit, at least talk shit about current software. People who spend their time talking about how Windows 98 crashed a lot, IE5 and 6 were really insecure, and IIS 5 was the fastest way for a computer to get hacked on the net, are really starting to sound tired and sad. When we're running Windows 7, Internet Explorer 8.0 in Protected Mode, and IIS 7.0 on Windows Server 2008, fools like you are still going to be apologizing for every bug in Firefox by bringing up bugs from Microsoft products 5+ years ago.
And even if IE6 was the most horrible browser ever and they waited for "months if not years" for patches, how does that make this Firefox vulnerability any better? If IE6 is so bad, why is it your example for trying to minimize this Firefox vulnerability?
Microsoft products are getting better. Deal with it. Quit living in the past.
saved passwords (Score:4, Insightful)
Re:NoScript (Score:5, Insightful)
So instead of teaching people security, it just teaches them "Security is annoying and breaks everything, what's the point?" and they want to use it less.
Re:* Stops download of newest Firefox * (Score:5, Insightful)
Re:NoScript (Score:5, Insightful)
Re:NoScript (Score:5, Insightful)
Seriously, running every script a page stuffs into a browser should not be the default, and it should not take an extension to fix it.
Corporate sites (Score:4, Insightful)
Update the title... NOW. (Score:5, Insightful)
You should still upgrade. You are already vulnerable to this "attack" without it, but you can at least gain some new fixes for other issues.
You know, we're trying to promote open source software. To scream that firefox has a "serious vulnerability" when it in fact doesn't is IT treason.
How come? (Score:2, Insightful)
Re:NoScript (Score:5, Insightful)
The thing is, looking at it from the designer/developer end, most users seem to want the functionality Javascript provides. My job largely consists of designing "intranet" apps for a university department. With forms, the end users want the ability to click a button or link to add extra fields when necessary. They want web-based calculators that figure out totals and percentages automatically. They like little explanatory pop-up boxes that define terms for them if they don't already understand what it means. They prefer drop-down menus that change, based on choices made further up the form.
I realize that NoScript actually allows white-listing for situations like this (just like IE does for ActiveX, God bless 'em) - but I don't have much confidence that non-technical end users will understand, even with training. Making NoScript or a similar tool the default will end up meaning significantly more of my time being wasted dealing with support calls - after all, if the web's broken you don't call the desktop support people, you call the webmaster, right?
(BTW is Firefox 3.0b2 or b3 vulnerable?)
Re:Fixed is hours! (Score:4, Insightful)
To everyone else: Do you remember before the browser wars, when Netscape was the big, bloated dominant player and Internet Explorer was the fast and light competitor which needed to prove itself (even if it did so by cheating)? Do you remember the time between the wars, when Internet Explorer was buggy and insecure? Now we are in the second browser wars and Internet Explorer is trying to compete. And it's a good thing. The Mozilla foundation cannot afford to sit on their laurels or Firefox will be the also-ran that the Mozilla suite is. Never hold yourself to someone else's standards: Be the very best you can be, and it'll always be better.
And be grateful for it — we on Linux pretty much have no choice but Firefox (or Firefox-based browsers) if we want a vaguely native, somewhat integrated system (well, there's Konqueror if you use KDE but it's not up to the same level as Firefox and Internet Explorer). There's no competition, no choice, and no reason for Mozilla to focus their development effort over on this side of the fence. And we suffer for it, with form widgets that don't look right and menus that don't work properly.
Re:huh? (Score:3, Insightful)
Re:NoScript (Score:2, Insightful)
So because you decide to use the browser as some sort of generic code execution engine and GUI for your own hacks instead of writing your programs to run as a real application like everyone else, people browsing the web should remain a target for javascript abuse, bloat and exploits.
I can't say I agree.
Re:NoScript (Score:5, Insightful)
So because you decide to use the browser as some sort of generic code execution engine and GUI for your own hacks instead of writing your programs to run as a real application like everyone else, people browsing the web should remain a target for javascript abuse, bloat and exploits.
The "real" applications (gotta love that required platform lock-in, btw) you talk about would still need access to that centralized data. So you pick your poison - do you provide direct access to that central data repository for a wide number of computers, or do you limit access just to connections from a web server (which is then open to that wide number of computers)? Personally I'd rather keep as much insulation as possible between that back-end data and the rest of the world.
Re:or just visit sites you trust (Score:4, Insightful)
Re:NoScript (Score:2, Insightful)
In about:config, you put noscript.firstRunRedirection into the filter box. Modify the boolean from true to false. Restart FireFox.
No more NoScript Update page. Enjoy.
Re:* Stops download of newest Firefox * (Score:5, Insightful)
There is enough malware targeted specifically at Firefox - I've seen it in action. The good thing with Firefox is that it gets patched pretty quickly; by the time an exploit has been written, hopefully we'll all have 2.0.13 installed.
Still, that's no excuse. It saddens me to say that the quality of Firefox (2.x.x branch) is steadily declining. It's slow, eating too many resources, and it crashes - on some sites it just constantly crashes. If it weren't for all the extensions, I'd dump it in a heartbeat and move to Opera.
Re:NoScript (Score:3, Insightful)
While you're at it, why not put AdBlock Plus in there and FlashBlock and Greasemonkey and Fasterfox and GMail Notifier and
Some people don't want everything included in the distribution, some developers don't want to have to make all those things work with every release and compile they do of test builds.
AutoUpdate of things you choose to install works just fine, and the people who build the add-ons make sure they work without having to work for MozFoundation.
Re:* Stops download of newest Firefox * (Score:3, Insightful)
To facilitate the discussions we should be having here on
But I agree that a post in response would better serve the discussion.
Re:text mode browsers that Just Work (Score:3, Insightful)
I'm not sure what you're trying to say here -- I suspect you're yet another "designer" who resents the fact that your fabuloso designs are irritating the hell out of a large chunk of the populace -- but your logic is totally whacked. Why blame the author of some text for the decisions made by other people in the organization?
Consider the way the world looks when I use Firefox. I go to read a column by Robert Fisk in the Independent, and a bar appears at the edge of the screen telling me that the execution of some script has been blocked. I habitually use custom colors with light text on black -- my opinion is this minimizes eye-strain, by the way: computer screens are not paper and should not try to mimic paper -- and the various little graphics they've squeezed in on the page are glaringly bright in comparison, because they presume I'm using a white background. Then I come to the dread flashing GIF advertisement, and it's once again time to right click and use Adblock to make it go away.
Do you see what I'm getting at? Lynx (or w3m) is not without its annoyances, but using Firefox is not without its annoyances either: I need to constantly fuss with it to fight the faddish nonsense that the web is always infested with.
What's so crazy about using a text-mode browser if what you want to do is read some text?