Security Bug Mozilla The Internet

Serious Vulnerability In Firefox 2.0.0.12 355

Oh, Not Now writes "Mozilla Firefox 2.0.0.12, mere hours old, is vulnerable by default to a directory traversal trick, via the view-source mechanism. Although mitigated by the NoScript plug-in, this is quite a serious bug — the default installation is vulnerable from the get-go."
This discussion has been archived. No new comments can be posted.

  • Damned it all (Score:5, Insightful)

    by Overzeetop ( 214511 ) on Saturday February 09, 2008 @08:25PM (#22364744) Journal
    Just before I opened this session, I had upgraded.

    Oh, well, just one more unlocked door in the grass hut I call a computer.

  • by LiquidCoooled ( 634315 ) on Saturday February 09, 2008 @08:29PM (#22364804) Homepage Journal
    Why stop downloading it?
    I cannot work out from the article whether older versions of Firefox are vulnerable or not.
    If it's an unfixed bug from previous versions you should continue to download.
    Which would you rather:
    have 20 known vulns in the wild (stay as you are),
    have 1 known vuln wild (latest update).

    Until we can be certain though, just click pause ;)
  • by hcmtnbiker ( 925661 ) on Saturday February 09, 2008 @08:32PM (#22364834)

    That's right, back to the drawing board with this one. In the meantime you can either use another browser, or install the NoScript plugin to mitigate these issues.
    Or you can take the first step like you always should, and not visit sites you don't trust. Vulnerabilities always exist, betting that the developers will find them before someone else can exploit them is not a smart thing to do. Visiting only sites you trust will keep you away from people who want to compromise your computer 99.99999999% of the time, it really is the best thing you can do in terms of browser security.
  • by sundarvenkata ( 1214396 ) on Saturday February 09, 2008 @08:40PM (#22364910) Homepage
    But but.....don't many eyeballs watch the mozilla codebase?
  • Re:Fixed is hours! (Score:3, Insightful)

    by BasharTeg ( 71923 ) on Saturday February 09, 2008 @08:40PM (#22364916) Homepage
    You gotta love Firefox apologists. They can turn a complete failure on behalf of Firefox development and release engineering into a discussion about how Microsoft is horrible and IE fails.

    You're living in the past. Everyone knows IE6 was horrible. I'm running IE7 under protected mode. If you're going to talk shit, at least talk shit about current software. People who spend their time talking about how Windows 98 crashed a lot, IE5 and 6 were really insecure, and IIS 5 was the fastest way for a computer to get hacked on the net, are really starting to sound tired and sad. When we're running Windows 7, Internet Explorer 8.0 in Protected Mode, and IIS 7.0 on Windows Server 2008, fools like you are still going to be apologizing for every bug in by bringing up bugs from Microsoft products 5+ years ago.

    And even if IE6 was the most horrible browser ever and they waited for "moths if not years" for patches, how does that make this Firefox vulnerability any better? If IE6 is so bad, why is it your example for trying to minimize this Firefox vulnerability?

    Microsoft products are getting better. Deal with it. Quit living in the past.
  • saved passwords (Score:4, Insightful)

    by robo_mojo ( 997193 ) on Saturday February 09, 2008 @08:41PM (#22364924)
    Does anyone still think that it's a good idea to permanently store your passwords in your browser?
  • Re:NoScript (Score:5, Insightful)

    by ilikepi314 ( 1217898 ) on Saturday February 09, 2008 @08:44PM (#22364958)
    Because most are not educated how to use it properly yet. It's terrific, but I know firsthand from trying to introduce it to people that they ignore it, realize many of their websites are broken, then I say "Well, you can allow certain websites you visit with this little button" -- they then promptly pick "Enable Globally" (or simply whitelist every single site they ever visit), and it has no effect.

    So instead of teaching people security, it just teaches them "Security is annoying and breaks everything, what's teh point?" and they want to use it less.
  • by bunratty ( 545641 ) on Saturday February 09, 2008 @08:47PM (#22364984)
    Sure, and some of those eyeballs wait until just after the release of a new version to announce they know of a security vulnerability just to draw attention to themselves. Open source does help security bugs to be found, but it doesn't magically keep the finders from blabbing to all hackers worldwide exactly what the problem is and how to exploit it.
  • Re:NoScript (Score:5, Insightful)

    by Firehed ( 942385 ) on Saturday February 09, 2008 @08:48PM (#22364990) Homepage
    How would it work at a slightly reduced paranoia level? There are, I suppose, four options: block everything, block nothing, block off-site scripts, and only allow trusted scripts (somehow including a database of checksums of widely-deployed, known-safe scripts like Google Analytics' urchin, jquery, Amazon affiliate stuff, and... that's all that comes to mind). Foreign scripts aren't going to cause any damage unless the site itself is vulnerable to XSS attacks - malicious websites aren't likely to off-site the scripts. A database of the known acceptable scripts would be so minimal that it would defeat the point, especially as so few of them are of any benefit to the site visitor. Unless a built-in NoScript were to block specific functions in Javascript that could be used for malicious purposes (anything other than strict DOM manipulation, I suppose), it wouldn't do much good - and breaking half the JS on a site is probably going to be much worse than breaking everything.
  • Re:NoScript (Score:5, Insightful)

    by mrsteveman1 ( 1010381 ) on Saturday February 09, 2008 @08:49PM (#22365008)
    If it became part of the browser, 3 things would happen: Idiots would scream and cry about being forced to use it, it would integrate better making it more effective, and vulnerabilities like the one referenced here would be a non-issue for a much larger percentage of the user base.

    Seriously, running every script a page stuffs into a browser should not be the default, and it should not take an extension to fix it.

  • Corporate sites (Score:4, Insightful)

    by Overzeetop ( 214511 ) on Saturday February 09, 2008 @09:05PM (#22365136) Journal
    There are quite a few corporate sites which incorporate flash to "enhance" their site, and there are some sites which won't even let you in unless you pass the flash-only home page. If you don't have flash, they don't want your business. (At least, that seems to be the opinion of the web IT staff, I haven't contacted corporate to see if they agree with that assessment). As for examples, Bath & Body Works used to be that way (I emailed them, they are no longer flash-limited...I don't believe those two things are linked, though). Rainforest Cafe is another. BBW didn't get my business back then, and Rainforest missed out on a dinner guest recently - I couldn't find their location, and couldn't use my mobile browser to get to their page. Will they care that they probably lost less than $100, of course not. But it certainly would have been nice if they wouldn't have had a "no flash, no service" sign out front.

  • by Anonymous Coward on Saturday February 09, 2008 @09:23PM (#22365272)
    Seriously, this title should be changed now (get rid of "Serious"), and a "!serious" tag added. The author of the article is an asshole who just waited for this release to fear monger and gain some attention. This bug exists in previous versions, this is not a new issue. The fact is, 2.0.0.12 fixes issues from previous issues, and does NOT introduce this "new" bug.

    You should still upgrade. You are already vulnerable to this "attack" without it, but you can at least gain some new fixes for other issues.

    You know, we're trying to promote open source software. To scream that firefox has a "serious vulnerability" when it in fact doesn't is IT treason.
  • How come? (Score:2, Insightful)

    by dreamchaser ( 49529 ) on Saturday February 09, 2008 @09:26PM (#22365292) Homepage Journal
    How come when there's a security hole in an MS product it gets the 'haha' tag, but if it's an OSS project it doesn't?
  • Re:NoScript (Score:5, Insightful)

    by 93 Escort Wagon ( 326346 ) on Saturday February 09, 2008 @09:29PM (#22365320)

    Why isn't NoScript just a mandatory extension at this point? It seems like it would be pretty unobtrusive with default settings at a slightly reduced paranoia level.
    Well, to tech-savvy users this would be true; but unfortunately most users aren't even marginally tech savvy. It doesn't matter if NoScript puts up a clear, unambiguous giant flashing red sign that says "This site will have reduced functionality because we're blocking some scripts from running. Click here if you really want to run all these scripts" - based on past experience, most people will just be positively flummoxed and won't have the foggiest idea why some sites are now "broken".

    The thing is, looking at it from the designer/developer end, most users seem to want the functionality Javascript provides. My job largely consists of designing "intranet" apps for a university department. With forms, the end users want the ability to click a button or link to add extra fields when necessary. They want web-based calculators that figure out totals and percentages automatically. They like little explanatory pop-up boxes that define terms for them if they don't already understand what it means. They prefer drop-down menus that change, based on choices made further up the form.

    I realize that NoScript actually allows white-listing for situations like this (just like IE does for ActiveX, God bless 'em) - but I don't have much confidence that non-technical end users will understand, even with training. Making NoScript or a similar tool the default will end up meaning significantly more of my time being wasted dealing with support calls - after all, if the web's broken you don't call the desktop support people, you call the webmaster, right?

    (BTW is Firefox 3.0b2 or b3 vulnerable?)
  • Re:Fixed is hours! (Score:4, Insightful)

    by zsau ( 266209 ) <slashdot@thecart o g r a p h e rs.net> on Saturday February 09, 2008 @09:30PM (#22365328) Homepage Journal
    As someone who uses Linux because I was able to customise it to be exactly compatible with the way I think, and so I'm unable to run Internet Explorer or IIS, I have to say you make an excellent point.

    To everyone else: Do you remember before the browser wars, when Netscape was the big, bloated dominant player and Internet Explorer was the fast and light competitor which needed to prove itself (even if it did so by cheating)? Do you remember the time between the wars, when Internet Explorer was buggy and insecure? Now we are in the second browser wars and Internet Explorer is trying to compete. And it's a good thing. The Mozilla foundation cannot afford to sit on their laurels or Firefox will be the also-ran that the Mozilla suite is. Never hold yourself to someone else's standards: Be the very best you can be, and it'll always be better.

    And be grateful for it — we on Linux pretty much have no choice but Firefox (or Firefox-based browsers) if we want a vaguely native, somewhat integrated system (well, there's Konqueror if you use KDE but it's not up to the same level as Firefox and Internet Explorer). There's no competition, no choice, and no reason for Mozilla to focus their development effort over on this side of the fence. And we suffer for it, with form widgets that don't look right and menus that don't work properly.
  • Re:huh? (Score:3, Insightful)

    by Shippy ( 123643 ) on Saturday February 09, 2008 @10:08PM (#22365618)
    It's still a vulnerability. It's allowing something that shouldn't be allowed. Does that mean people will take advantage of it and exploit it a lot? Not necessarily, but it's still a vulnerability.
  • Re:NoScript (Score:2, Insightful)

    by pipatron ( 966506 ) <pipatron@gmail.com> on Saturday February 09, 2008 @10:12PM (#22365654) Homepage

    So because you decide to use the browser as some sort of generic code execution engine and GUI for your own hacks instead of writing your programs to run as a real application like everyone else, people browsing the web should remain a target for javascript abuse, bloat and exploits.

    I can't say I agree.

  • Re:NoScript (Score:5, Insightful)

    by 93 Escort Wagon ( 326346 ) on Saturday February 09, 2008 @10:47PM (#22365912)

    So because you decide to use the browser as some sort of generic code execution engine and GUI for your own hacks instead of writing your programs to run as a real application like everyone else, people browsing the web should remain a target for javascript abuse, bloat and exploits.

    It's not 1994 anymore. People don't just work on their own discrete data sets living on their own desktop computer now. People use webapps because the information is often centralized in places such as MySQL databases, and numerous different people need read and/or write access to it for differing reasons depending on their job function.

    The "real" applications (gotta love that required platform lock-in, btw) you talk about would still need access to that centralized data. So you pick your poison - do you provide direct access to that central data repository for a wide number of computers, or do you limit access just to connections from a web server (which is then open to that wide number of computers)? Personally I'd rather keep as much insulation as possible between that back-end data and the rest of the world.
  • by saleenS281 ( 859657 ) on Saturday February 09, 2008 @11:00PM (#22366016) Homepage
    If the sites you trust have been compromised, no script isn't really going to help now is it? People tend to whitelist sites they trust...
  • Re:NoScript (Score:2, Insightful)

    by thejynxed ( 831517 ) on Sunday February 10, 2008 @12:41AM (#22366674)
    Easy fix for the issue you mentioned...

    In about:config, you put noscript.firstRunRedirection into the filter box. Modify the boolean from true to false. Restart FireFox.

    No more NoScript Update page. Enjoy.
  • by gaspyy ( 514539 ) on Sunday February 10, 2008 @03:18AM (#22367556)
    Let me get this straight: do you honestly think that something being Open Source will magically protect you? I was going to mod you but there's no "-1 Naive".

    There is enough malware targeted specifically at Firefox - I've seen them in action. The good thing with Firefox is that it gets patched pretty quickly, by the time an exploit has been written, hopefully we'll all have 2.0.13 installed.

    Still, that's no excuse. It saddens me to say that the quality of Firefox (2.x.x branch) is steadily declining. It's slow, eating too many resources, and it crashes - on some sites it just constantly crashes. If it weren't for all the extensions, I'd dump it in a heartbeat and move to Opera.
  • Re:NoScript (Score:3, Insightful)

    by PReDiToR ( 687141 ) on Sunday February 10, 2008 @09:09AM (#22368988) Homepage Journal
    God save us all from creature feep.

    While you're at it, why not put AdBlock Plus in there and FlashBlock and Greasemonkey and Fasterfox and GMail Notifier and ...

    Some people don't want everything included in the distribution, some developers don't want to have to make all those things work with every release and compile they do of test builds.

    AutoUpdate of things you choose to install works just fine, and the people who build the add-ons make sure they work without having to work for MozFoundation.
  • by scooter.higher ( 874622 ) on Sunday February 10, 2008 @11:32AM (#22369864) Homepage Journal
    Yes, but I feel that "-1: Disagree" is wrong.

    To facilitate the discussions we should be having here on /. it should be "+1: Disagree" so that we can respectfully disagree with each other and elevate the discussion so that more people can weigh in on the topic.

    But I agree that a post in response would better serve the discussion.
  • by doom ( 14564 ) <doom@kzsu.stanford.edu> on Monday February 11, 2008 @04:12AM (#22377000) Homepage Journal

    So, you demolish the good design of the good sites, so you can avoid the bad design on the bad sites? Why don't you just skip the poorly designed sites entirely and stick to the good ones?

    I'm not sure what you're trying to say here -- I suspect you're yet another "designer" who resents the fact that your fabuloso designs are irritating the hell out of a large chunk of the populace -- but your logic is totally whacked. Why blame the author of some text for the decisions made by other people in the organization?

    Consider the way the world looks when I use Firefox. I go to read a column by Robert Fisk in the Independent, and a bar appears at the edge of the screen telling me that the execution of some script has been blocked. I habitually use custom colors with light text on black -- my opinion is this minimizes eye-strain, by the way: computer screens are not paper and should not try to mimic paper -- and the various little graphics they've squeezed in on the page are glaringly bright in comparison, because they presume I'm using a white background. Then I come to the dread Flashing GIF advertisement, and it's once again time to right click and use Adblock to make it go away.

    Do you see what I'm getting at? Lynx (or w3m) is not without its annoyances, but using Firefox is not without its annoyances either: I need to constantly fuss with it to fight the faddish nonsense that the web is always infested with.

    What's so crazy about using a text-mode browser if what you want to do is read some text?
