Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Mozilla The Internet IT

Patch & Workaround for Firefox Flaw Available 235

mcc writes "Yesterday Slashdot reported on a Firefox vulnerability which could allow remote code execution. Today Firefox has a patch and a configuration workaround, both of which immunize against the bug. If you are using Firefox you should immediately go to the URL 'about:config', type 'network.enableIDN' into the box, and verify that 'network.enableIDN' is set to 'false'." Update: 09/10 18:59 GMT by Z : Removed wayward colon.
This discussion has been archived. No new comments can be posted.

Patch & Workaround for Firefox Flaw Available

Comments Filter:
  • Done. Work around complete.
  • by Maow ( 620678 ) on Saturday September 10, 2005 @01:19PM (#13526882) Journal
    I thought yesterday's story about the unpatched flaw was a bit hasty.

    I wouldn't be implying laziness on the part of developers until a couple days have passed after the bug report.

    • by Bogtha ( 906264 ) on Saturday September 10, 2005 @01:39PM (#13527014)

      "Unpatched" means there is not a patch available to fix the vulnerability. Yesterday it was unpatched.

      Since when does "unpatched" mean lazy?

    • This is a workaround. It disables the feature that has the flaw. I wouldn't call this patching the bug. When the real patch comes around, this will be even more evident
  • Secure Web Browser (Score:5, Interesting)

    by joelparker ( 586428 ) <joel@school.net> on Saturday September 10, 2005 @01:19PM (#13526890) Homepage
    With two significant security flaws discovered so far in Firefox (and many in IE) what should a high-security company do for a secure web browser?
    • lynx
      • Lynx has had it's problems. You can crash some previous (recent) versions with very large tables. They can be empty tables too like this one [coredump.cx].
      • Nyuh-uh. Lynx still does "rendering", which means it's actually interpreting the information being sent to it. That means there is still a risk of it being sent a piece of data that exploits a vulnerability.

        I was going to argue that the only safe thing to do would be to use wget and interpret the web pages in your head. But the last guy who took that advice got 'sploited anyways. He's in the hospital with his brain stuck in an infinite loop.
        • I was going to argue that the only safe thing to do would be to use wget and interpret the web pages in your head. But the last guy who took that advice got 'sploited anyways. He's in the hospital with his brain stuck in an infinite loop.

          It could be worse. You could receive a link to goatse.cx. Which would:
          • Make you feel insecure.
          • Make you toss your cookies.
          • Cause denial of service to your vision.
      • Telnet
    • by justsomebody ( 525308 ) on Saturday September 10, 2005 @02:11PM (#13527171) Journal
      Well, first thing a high-security company should do is localize machines with internet access and separate them from the rest that need to be secure. It worked out for me when I recieved a job that demanded this task.

      We just separated vital and non-vital computers in two groups with one computer serving as bridge when data needed to be transfered from one network to another. This was one and only node in network visible to all with minimized and highly tracked in-house services for transfering the data.

      Second thing on the secure part is absolute disabling of any kind of install and taking out every removable device.

      But,... there is no better security than being unplugged. So, best answer to your question "which browser?" is NO BROWSER
      • Best. Response. Yet.

        Did you restrict traffic in both directions? You don't want leaks from the "vital" to the "non-vital" network because they would endanger confidentiality, but you also don't want leaks the other way because they could contain malware, or perhaps layer-8 attacks such as virux hoaxes.
        • Did you restrict traffic in both directions?

          Completely, bridge computer had two network cards, with no routing between networks. And one only active port open and 40 non-active (where client registers and gets a real port where his communication will proceed).

          You don't want leaks from the "vital" to the "non-vital" network because they would endanger confidentiality, but you also don't want leaks the other way because they could contain malware, or perhaps layer-8 attacks such as virux hoaxes.

          As I said "vit
    • by mu-sly ( 632550 ) on Saturday September 10, 2005 @02:14PM (#13527193) Homepage Journal

      Memorize this and make it your mantra:

      "Security is a process, not a product."

    • Lynx, of course.

      Or Firefox with everything but basic HTML 4.0 strict disabled. Every plugin disabled, downloading downloading, etc.
    • All software contains bugs. Firefox isn't mature enough to be adequately assessed for its long-term security. Internet Explorer is obviously not secure enough. Perhaps Mozilla is suitable.

      Like others have pointed out, general security policies should already be in place to mitigate risk; web browsing is only one of several ways in which malicious code can get into an organisation.

      However there are some things you can do specifically to reduce the risk of web browsing. CERT have published an adviso [cert.org]

  • That was FAST. (Score:3, Interesting)

    by bluesoul88 ( 609555 ) <`moc.xamfodnegeleht' `ta' `luoseulb'> on Saturday September 10, 2005 @01:23PM (#13526912) Homepage
    From what I read in yesterday's article it was more than a little serious. Going from broken to patched in a day is a damn good turnaround. Or it could just be, you know, breathlessly delivered news. This is possible. :) Either way, thank you Firefox team. The local high school is going to be transitioning over to Firefox within a few weeks, to coincide with moving in to a newly built school. I can't say I'm not more surprised about Firefox than the new school.
    • Re:That was FAST. (Score:5, Interesting)

      by cnettel ( 836611 ) on Saturday September 10, 2005 @01:31PM (#13526975)
      It will just be sad for those users relying on IDN. That may not be U.S. users, but it WILL disturb some Swedish sites, and I assume it's far worse for Japanese and Chinese users, for example. There may be other, older, domain name schemes for those users still used that I'm not aware of, though, but IDN has been seen as the way forward for quite some time.

      It's not a patch anymore than turning of Javascript is a patch for several IE vulnerabilities. It might be argued that this workaround does less in the area of destroying the "experience" for normal surfers, but as I noted, I think that depends much on your nationality/language.

    • How hard is it to change the default IDN toggle to false, from true?
  • by dfunct ( 908889 )
    I'm I imagining it or is this the second time a bug has been found in IDN?
  • What is IDN and what about it causes vulnerability?
    • by Anonymous Coward on Saturday September 10, 2005 @01:34PM (#13526992)
      IDN -> International Domain Names

      It allows you to create a domain name with international characters ( like böghåla.se ), create the A/PTR records with a coded name that bind can handle ( xn--bghla-ira0j.se ) and a method to convert between the two ( look up PUNY ).

      That way, when you type in your browser "http://www.böghåla.se", you are directed to "http://www.xn--bghla-ira0j.se".

      Turning IDN off in Firefox is mighty a stupid solution. Stupid on a planetary scale. A problem should be fixed, not circumvented by removing the functionality.

      I wonder if the guy who coined the advice "turn it off" would cut off his arm if he got a zit on the elbow ? Same thing..
      • by Professor_UNIX ( 867045 ) on Saturday September 10, 2005 @01:51PM (#13527081)
        Turning IDN off in Firefox is mighty a stupid solution. Stupid on a planetary scale. A problem should be fixed, not circumvented by removing the functionality.

        I disagree. I would wager at least 98% of Firefox users do not need IDN functionality at all. The only thing it's really used for in reality are phishing sites. Unless you regularly interact with foreigners who refuse to conform to the proper ASCII character set in their domain names you shouldn't notice any difference in your browsing at all. When Jesus established the original RFC for domain names he used sensible restrictions, but now with this new IDN garbage we have people using characters that don't even make sense or appear on our keyboards! What villainy is this?

      • Turning IDN off in Firefox is mighty a stupid solution. Stupid on a planetary scale. A problem should be fixed, not circumvented by removing the functionality.

        If you were driving down the highway and you discovered that running your air conditioner caused your brakes to stop working, would you keep running your A/C until you got to a repair station, or would you turn it off?

        Besides, most people probably rarely, if ever, use IDN. So it's more like disabling the child safety locks in your car. Who's
      • IDN is inherently insecure. [shmoo.com] I already had it disabled for this reason.
      • Pay attention. This is a temporary workaround. Just like the previous vulnerability, the workaround was "disable JavaScript". That was until the real fix was landed.
      • Turning IDN off in Firefox is mighty a stupid solution.

        Not really. IDN is a botch and an abortion and deserves to die a hasty and violent death. DNS is 8-bit clean. Just send UTF-8.
        -russ
  • actually. (Score:5, Informative)

    by asa ( 33102 ) <asa@mozilla.com> on Saturday September 10, 2005 @01:25PM (#13526929) Homepage
    We actually had the patch and workaround up yesterday.

    It's unfortunate that the bug reporter gave us so little time to respond to the issue before going public. He filed the confidential security bug on the afternoon of the 6th, and then went highly public (to c|net) in less than 72 hours.

    As anyone can see now that the bug is no longer confidential, we were hard at work diagnosing the problem when he went public. Not only that, but the public release he made was based on our developer's analysis of the problem, not his -- which happened to be wrong.

    This workaround that we posted (on the same day as the problem was made public) is only temporary and causes some of our users a loss of functionality (IDN). We will be issuing a full browser update for our stable Firefox 1.0.x and Mozilla 1.7.x releases which contains the real fix (also available as a patch to both 1.0.6 and 1.5 Beta yesterday) that avoids the security issue without disabling IDN.

    Expect that new release shortly.

    - A
    • will the 1.5 Beta Patch be offered through the new Update System? (or will 1.5 Beta1 users have to wait for 1.5 Beta2)

      bzw: if anyone wants the Bug# its https://bugzilla.mozilla.org/show_bug.cgi?id=30725 9 [mozilla.org] (copy/paste link, Bugzilla doesnt like /. links)
    • The Mozilla team should start thinking about a security patch feature. We have had a lot of security releases in Mozilla where the change probably affected only one or two small files, yet the user is forced to re-install the whole package.

      At least in Mozilla (don't know about Firefox) there is the issue that default browser, default mailer, and desired file associations in Windows are lost even when the new version is installed directly over the existing one.
      We use Mozilla in a corporate environment, and
      • Re:actually. (Score:4, Informative)

        by bogie ( 31020 ) on Saturday September 10, 2005 @01:42PM (#13527029) Journal
        That's coming in 1.5. See the release notes here.

        http://www.mozilla.org/products/firefox/releases/1 .5beta1.html [mozilla.org]

        Note that future updates to Firefox "may now be half a megabyte or smaller."
        • I hope something like that goes in Mozilla 1.8, if it ever appears.

          I still find it regrettable that Mozilla development was forked into separate browser and mailer (leaving the composer in the dust). We like the Mozilla suite, yet we are more or less forced to migrate to a separate browser and mailer, split the user configuration files, and decide whether to install an html editor, and which one.

          What a nice product would we have had when all the effort spent on Firefox/Thunderbird was actually spent on the
          • The suites still alive, just renamed to Seamonkey. Uses the same Gecko engine as Firefox and works the same as always.
            Mozilla/5.0 (OS/2; U; Warp 4.5; en-US; rv:1.9a1) Gecko/20050909 SeaMonkey/1.1a
            • Re:actually. (Score:3, Insightful)

              by pe1chl ( 90186 )
              How did forking help the project?
              IMHO it didn't.
              The option to install only the browser has always been there.

              Now we are stuck with forks, always confusing about what problem is caused by what part and appears in what versions, and even more wasted work on releases, internationalisation, etc.

              How are we going to explain to the employees that this "non-standard" browser/mailer Mozilla (most businesses use IE and Outlook, so that is what most people think of as the standard) that we use is going to be replaced
    • Re:actually. (Score:4, Interesting)

      by mroch ( 715318 ) * on Saturday September 10, 2005 @01:53PM (#13527087)
      The description of the vulnerability is copied verbatim out of the bug report, yet Tom Ferris claims copyright at the bottom of the announcement. This is plagiarism, and public disclosure of confidential information, isn't it? Can Mozilla go after him? (IANAL)
      • Tom Ferris is the reporter of this bug
        see https://bugzilla.mozilla.org/show_bug.cgi?id=30725 9 [mozilla.org]
        • Yes, but he didn't write the comment that he copied. And just because he had permission to see a security bug (which was confidential at the time) doesn't mean he's allowed to publicly share that information.
          • These days, you don't need to explicitly attach a copyright notice to a text to make it copyright. Given that the report was confidential, I think it's fair to say that 'fair use' rights probably don't apply to his public promulgation of it ... You could probably also prosecute him under the trade-secrets act if you wanted to (IANAL, but I can play one on the stage)
    • Here is a list of every currently exploitable problem in Microsoft products that a SINGLE company has found.

      http://www.eeye.com/html/research/upcoming/index.h tml [eeye.com]

      They have currently been waiting 165 days for a patch for remote code execution.
  • by slobber ( 685169 ) on Saturday September 10, 2005 @01:28PM (#13526952)
    Going to

    about:config:

    does nothing in firefox (at least version 1.0.4)

    use

    about:config

    instead.
  • by i_ate_god ( 899684 ) on Saturday September 10, 2005 @01:35PM (#13527000)
    I'm amazed at how surprised some people are at the fact that Firefox has serious exploit. They think, "oh well, it's an alternative to microsoft, it's therefore immune to everything!". Then something bad happens and these same people act like they no longer have anywhere to turn to. They act like their faith was completely misguided and now they have no one to put said faith into.

    The same thing applied to other people as well, as we saw in a previous slash dot article [slashdot.org] about macs. While not impossible, it's extremely difficult to make software that is in a constant state of development completely exploit proof. Firefox is ultimately a better browser than IE for numerous reasons, but it is not 100% perfect, nor is OSX, nor is Linux or FreeBSD or Windows, or anything else on this planet and it's silly to expect otherwise.

    Nature doesn't operate on 100% uptime, only 99.9%.
    • Nature doesn't operate on 100% uptime, only 99.9%.

      Really? I must have missed the time nature went down. What was that like?
    • by darkonc ( 47285 )
      This is one of the reason why some people promote interoperability, compatability and standards. If you aren't forced to use only one browser (IE, firefox, whatever) for browsing the net, then you can choose whichever one is
      1. safe
      2. preferred
      3. convenient
        (pretty much in that order)

      When Microsoft creates 'tools' that don't even allow you to try a different browser, word processor, etc., then you're totally screwed when that 'one and only' browser has a flaw.

      Given that I'm running Linux(FC4), I have the cho

  • Deja vu anyone? I've always thought that this "bug" and its corresponding "patch" has been out for a while... I know for sure that when I heard about this a while ago, I disabled IDN...
  • While I always type in potentially system modifying commands into my computer based on what a news site tells me to type, this time I'll give it a day or so in order to let the tech guinea pigs report back just what the changes have done for them.

    If the Sulfnbk.exe "virus" taught me anything [and I didn't since I had that hoax figured out when I saw it], it's don't assume someone's helping your computer if you don't know them from a hole in the ground, and you never asked for their help.
  • by That's Unpossible! ( 722232 ) on Saturday September 10, 2005 @01:54PM (#13527093)
    I believe this is the second problem to arise from the support for IDN. I checked my setting, and I already had it disabled from the last one (where you could essentially spoof a domain name by using unicode characters that look exactly the same as ascii characters, but are in fact, different).

    Someone give me one good reason why I should EVER enable IDN?
  • by heinousjay ( 683506 ) on Saturday September 10, 2005 @02:04PM (#13527139) Journal
    Removed wayward colon.

    Ewwwwwww.
  • How about we just kill off IDN entirely instead?
  • Ouch. (Score:5, Funny)

    by x136 ( 513282 ) on Saturday September 10, 2005 @02:24PM (#13527259) Homepage
    Update: 09/10 18:59 GMT by Z : Removed wayward colon.
    That sounds exceedingly painful.
  • Mozilla Suite, Too (Score:4, Informative)

    by alacqua ( 535697 ) on Saturday September 10, 2005 @02:43PM (#13527355) Homepage
    For all of you dinosuars who, like me, still use and prefer mozilla suite, this applies to us also. And for all of you lazy slashdot readers who, like me, hate to track down a link in another comment, here's that link:

    What Firefox and Mozilla users should know about the IDN buffer overflow security issue [mozilla.org]
  • If you don't want to disable IDN, or if you want to help test the change so Mozilla can release updated versions faster, try these nightly builds:

    Today's Gecko 1.8 branch nightly [squarefree.com] - Firefox 1.5 Beta 1 plus the fix for this security hole.

    Today's Aviary 1.0.1 branch nightly [mozilla.org] - Firefox 1.0.6 plus the fix for this security hole. There isn't a Linux build here; I don't know why.

You will have many recoverable tape errors.

Working...