The Register® — Biting the hand that feeds IT

Feeds

Firefox exploit sends Mozilla into 'high-priority fire drill' mode

Mozilla's security team is rushing out a fix for its flagship Mozilla browser following the public release of attack code that targets a previously unknown vulnerability. The exploit was released Wednesday online. It attacks a vulnerability present on Windows, Mac and Linux versions of the browser and could be used to …

This topic is closed for new posts.
Steve Evans
Unhappy

High priority...

and we have to wait 5 days?

Now I know that's faster than M$ or Apple will respond, but it's still a long time to be wandering naked on the interwibble!

Rick Stockton
Happy

Um, they finished the fixes YESTERDAY AFTERNOON.

Long before you ever posted this article... It's already in this morning's "nightly" builds on all platforms, and they've fixed Firefox 2 as well as FF 3.0 and all the Development versions.

Fire drill is long over.

Ian Rowe
Happy

Re: High Priority...

https://bugzilla.mozilla.org/show_bug.cgi?id=485217

Status: RESOLVED FIXED

Well, if you want a fix you do not have to wait at all, you can compile a fixed version and even release the fixed version for others to use.

If you want a fix that has some assurance that it won't cause more problems than it prevents then you may want to wait.

Scott
Happy

NoScript

While it does take some finagling on certain sites, I can't imagine surfing without NoScript these days. Glad to see it getting a mention in this story, the updates for that addon are almost annoyingly frequent.

Andy Bright

Javascript

Forgive my ignorance, but wouldn't disabling javascript and java in the Content tab of Firefox's options do exactly the same thing as running Noscript - with the exception that you don't have the option of allowing scripts you think might be safe.

Most users have no idea whether these scripts are safe anyway, so it's not really like you're losing much. Just because an advert comes from a website like CNN doesn't necessarily mean it's a good idea to let it run.

Surely it's easier just to turn it off, as it seems java is the #1 cause of Firefox vulnerabilities. This is nothing new, it's been this way since the days of the Mozilla browser/email suite. Pretty much every other month another javascript related vulnerability (usually several years old) becomes publicly known and needs fixing. And not every fix has worked as intended.

There have been entire versions of Mozilla that we were advised never to turn on Javascript because of known problems - and the advice usually came from Mozilla themselves. You have to at least congratulate them on their honesty, I'm pretty sure Microsoft would just greet the problems with a wall of silence.

And whether these problems stem from Sun's sloppy coding or from the Mozilla foundation I have no idea. But what I can guarantee is in a few months yet another javascript related issue will be 'discovered'.

Doesn't mean I'm switching back to the mother of all security fails though. I'd rather take my chances with Firefox over any incarnation of IE.

Tony The B

Umm

The answer is in the article - it's NoScript. You wouldn't connect without a firewall, so why use FireFox without NoScript? It's probably an essential add-on!

Rich
Coat

Don't panic Mr Mainwaring

Don't Panic! Fix Bayonets! They don't like it up em Mr Mainwairing, they don't like it...

Action Bastard
Paris Hilton

Why are you flogging this as a top story?

Mozilla is acting in a completely responsible manner to some wanker that has posted an exploit to the world-plus-dog. So why does this headliner status?

imacoder.net

@Steve Evans

Well in the mean time use a better browser that doesnt have memory leaks like Opera!

skelband
Thumb Up

@Javascript

Well it actually does a fair amount more than that.

You can browse which domains are trying to run script and enable only the ones that you trust and permanently disable those that you are suspicious of.

Unless I have a very good reason, I disable all by default and only enable script for the domain directly hosting the page I am using and only then if I find the page is not functioning, which isn't all the time, just sometimes.

Avalanche
Boffin

@Andy Bright: Java != JavaScript

@Andy Bright:

You seem to think that JavaScript and Java are the same thing. It is not. Most problems in Firefox stem from *JavaScript*, and Sun has (and had) nothing to do with.

The only thing they have in common is that when Sun released Java in '95, Netscape thought they could use the hype by rebranding their LiveScript product to JavaScript.

TeeCee

@imacoder.net

Did you intend to state that Opera has memory leaks or is that just poor punctuation?

dan russell
Paris Hilton

@ Umm

Yep, why isn't No Script part of the good 'fox?

Paris knows, but she's not telling

foo_bar_baz
Paris Hilton

@Andy Bright

JavaScript is not Java. Nothing to do with Sun. Nada. Nix. Bupkiss. Even Paris knows.

Ash
Thumb Up

@Andy Bright

That's fine if you're happy with browsing just one page on a site with JS navigation, not being able to use any streaming video (YouTube, Veoh, god forbid Break), any rich content apps (Google Docs, Bookface) etc... Essentially, it's fine if you want to browse the web as it was a decade ago.

Anonymous Coward
Flame

Where are the....

....usual..

Firefox is indestructable.....

Linux / Mac are perfect and unexploitable.......

interesting the trolls were so quick to slag of a BETA version of ie8 on Windows.....

Normal people know that all platforms are exploitable....

as for Opera being perfect....

When was the last hack you saw for Netscape v1 or i.e1

Doesn't that make them even more secure?

Market share dear ladies......

" Chrome and Opera round out the top five with 1.15 percent and 0.71 percent, respectively."

Source:

http://www.pcmag.com/article2/0,2817,2343767,00.asp

So why bother targeting something with less than 1% share?

N

Seems a reasonable thing to do...

Theres found a problem so they are fixing it.

As opposed to:

Shit theres another problem, lets wait until Tuesday, no the Tuesday after that, wtf? which Tuesday? oh fuck it, lets just hope no one notices and we'll do it in a couple of weeks time.

Although dosnt sandboxie & no-script help stop this sort of stuff, Ive always assumed that no web browser will ever be 100% secure & used add ins to make it a bit harder to break.

Mark
Flame

Does this affect Opera?

nah, I thought not....

Honestly, I don't understand why people are stil using Firefox, I mean it's not like it's secure, or good at memory management, it's not like it's fast either. Still they are good at innovating new ideas... (ohh hang on....)

Hud Dunlap
Alert

No script interferes with my bank website

I tried running no script and I got tired of trying to get it to work with my bank. My solution has been to use my older computer for financial use only since speed doesn't really matter and my new computer for everything else.

breakfast

@imacoder.net

I have never noticed Opera having memory leaks...

Fraser

@Rick

Inclusion of a fix into nightly builds is _not_ a resolution. The resolution comes when the rollout is commencing and the fix is installed on joe user's browser. I'm currently running FF on Windows and Fedora10, I haven't been told to install a fix on either and they've been running all morning. It is therefore not fixed.

Anonymous Coward
Joke

I wonder if M$ is dropping exploit into...

the wild now. I don't think it would surprise anyone to find out that they are doing so.

LET FLAME WARS BEGIN............

Anonymous Coward
Stop

Java/Javascript and what master??

@ Andy Bright

Maybe I'm just as ignorant here, but from what I know Java and Javascript are totally different beasts. I don't see anything in the article saying that this is a Java problem, and suddenly Sun get a slating for 'sloppy coding'.

Also, call me petty, but there is a greengrocer's apostrophe in the article...

"a master's candidate" implies that someone is a candidate belonging to a master, rather than a candidate for a masters degree.

Anonymous Coward
Anonymous Coward

Not Microsoft...

So you headline a security hole which was published openly in the past couple of days and has already been fixed.

Can you update your sensationalist story stating that its fixed?

Of course if this was IE Microsoft would still be sitting on their arses with a "possible" fix a few weeks down the line.

Ken Hagan
Dead Vulture

Re: Why are you flogging this as a top story?

Because people might like to *know* about it?

It masy astonish you to learn that the principle function of journalism is to inform rather than simply to carp. Top billing doesn't mean "These guys are the biggest wankers at the moment.". It means "This story is most likely to interest you at the moment.". You may disagree with that verdict, but I think a significant vulnerability in the browser used by probably *most* of the readership is a reasonable candidate for that billing.

Of course, if El Reg are going to indulge in responsible and impartial *journalism* then I think it is time to stop reading and get on with some work.

David Dawson
Go

java != javascript

The similarity in name was a marketing ploy. The two languages have nothing in common beyond a bit of syntax they both got from C.

Pabs
Thumb Up

good old NoScript!

Glad I started using it!

And glad to see the Devs have already fixed the issue, good work!

Anonymous Coward
Anonymous Coward

@ Andy Bright

"Surely it's easier just to turn it off, as it seems java is the #1 cause of Firefox vulnerabilities."

If you think that that IE8 without compatibility mode would "break the web", can you imagine running any browser without javascript?

NoScript makes poorly written sites look like crap. It breaks huge amounts of stuff. For that reason, no-one in my family use it - it's too much hassle to whitelist (or temporarily allow some sites) as they go along.

Their loss. I'd rather have a sub-par but safe initial site experience than get shafted because I'm lazy.

The advantage of NoScript over arbitrarily disabling JS is that it's easy to turn it back on again for sites you do trust. Remember, some sites have sniffers and just fail to display anything if you're not running javascript (or they display "helpful" instructions on how to turn it on). I tend to ignore these as pretentious, but every now and again, you do need to look at them...

Mark
Stop

re: Umm

So let me get this right. Firefix is not secure out the box, you need to download additional stuff to make it secure..

Nice...

Bob Gateaux
Stop

Now we must all beware

This show the risk of using the fringe browsers. We must all take away the heed from this story and not spread using the insecure ones.

If you see on the Internet Explorer they have the padlock which tells you all is well. On the Jav ones they cannot do this with the full knowledge of our safety. Who is to know if a terrorist has my password once you have been on the web pages with a Javs browser like this Firefox one?

Charles King
Paris Hilton

FF lost the security crown long ago

'RESOLVED FIXED'? You guys should know better. The vuln will only be fixed once it's rolled out to all users using FF's automatic update system. Oh, wait, let me show my grandma how to compile FF...

The fact is that NoScript is the only thing keeping FF reasonably secure these days, and that heavily relies on users showing a decent amount of discretion, as it's easy to rig a website to lure people into enable scripts.

Opera, chrome, even IE8 on Win7 are probably better options if you go browsing dodgy sites.

Paris, because she's weeping over the state of FF security.

Anonymous Coward
Anonymous Coward

Noscript - Noproblemo

Updates for Giorgio Maone's Noscript come faster than a flying bullet. Why walk naked in the jungle when for a little extra effort you can have the protection of a Superman outfit.

Save the planet - get Noscripted.

Cameron Colley

@Andy Bright

Since many sites require JavaScript to be switched on simply disabling this leaves you unable to use many internet banking and commerce sites -- OK that is _much_ safer, but it also pretty much defeats the object of using Firefox in the first place -- if you have no personal information to loose, or no sites that can be spoofed, you may as well just run IE.

@imacoder.net:

When they do simple things like cookie, image and JavaScript whitelisting I might give Opera a go again, until then I'll use a browser that doesn't piss me off with popups every time I change the page.

Steve

Amiga Voyager

Time to fire up Amiga Voyager 2.95 me thinks

Eddie Johnson
Flame

If NoScript can mitigate this..

It would be nice if you provided a brief 2 sentence explanation of the preferred config. I need to know what to do to my 2.0.0.20 installs that they aren't going to update. It's probably already set that way but it would be nice to know. And no, I can't just upgrade to 3.x, 2.0 is in use on several of my NT machines where Firefox 3 isn't supported. I guess they can't render that stupid remote control forward/back button without DirectX or something.

Tom
Flame

@AC 27th March 2009 08:47 GMT

Oh, we were just waiting for you to get close enough for us to see the whites of your eyes before opening fire.

What's really interesting to my mind is that because of bad parsing by IE, the flaw is actually more dangerous when IE passes the flaw to FF.

As other posters have noted, FF didn't try to sweep this under the rug or obfuscate the danger of the exploit like MS did with the IE critical flaw revealed at the same show. There was no "DEP prevents this on the public release" statement that needed to be retracted 24 hours later. The fix will be autodeployed shortly and for those who are adventurous enough to compile their own code, a fix has already been released. Not possible with MS. No, I think Mozilla handled this pretty well. I also have some level of confidence that unlike MS, Mozilla will have a real 'lessons learned' meeting of the programmers after the fix has been fully deployed to make sure similar errors don't happen in the future. With MS I just expect a recap of events by the marketing team, with an eye toward how to spin it better next time.

Anonymous Coward
Stop

Meh

"meh meh meh meh meh, firefox is secure and IE is rubbish". Well you're not preaching now are you!

wake up and smell the coffee fox-lovers. your beloved firefox is subject to the same facts of life as any other bit of software.

if this was an IE story you'd all be gathering like hounds to have a pop-shot at the incumbent.

hypocrites the lot of you. except the 'normal' minority who just use whatever tool they need to get the desired task done, regardless of the sticker on the box.

FF, Safari, IE, Chrome etc. Really - and i want you to take a good long moment to consider this very carefully:-

who gives a shit?

get your FF patched and the web will be a marginally safer place again until the next browser hole is found - and the sharks circle again to throw their 2 cents worth in.

Paris - cos she's had every square inch of her body browsed, and renders fairly well in them all.

Del Merritt

@AC -> @Andy Bright

"Remember, some sites have sniffers and just fail to display anything if you're not running javascript (or they display "helpful" instructions on how to turn it on). I tend to ignore these as pretentious, but every now and again, you do need to look at them..."

I really appreciate the sites that say, "You can view stuff here without JavaScript, but if you want to use our secure payment system to buy, you'll need to enable it." So if I'm willing to trust them with my money in the first place, I'm OK with them doing JavaScripting for form validation and all that. I wish I didn't have to open it up in all-or-nothing, but that's the slippery slope of allowing someone else's code to run on your computer.

The sites that present nothing - or, worse, silently fail during a payment transaction when JavaScript is off - really irk me.

Anonymous Coward
Flame

re: NoScript

How strange, I don't use NoScript, but I've yet to experience any problems caused by Javasscript hacks in Firefox.

It's probably because I have some common sense and don't visit the kind of sites (warez/pronz) where these exploits are hanging around, nor blindly follow links like some kind of digital sheep.

These exploits are for the stupid and unwary, who frankly deserve everything they get.

Do Not Fold Spindle Mutilate
Stop

April Fools

The fix is scheduled for April 1! April Fools day is a terrible day to release software because I always assume anything received on that day may be a joke or just plain hazardous.

Robert A. Rosenberg
Happy

FF2 is being updated

Eddie Johnson Posted Friday 27th March 2009 13:09 GMT

I need to know what to do to my 2.0.0.20 installs that they aren't going to update. It's probably already set that way but it would be nice to know. And no, I can't just upgrade to 3.x, 2.0 is in use on several of my NT machines where Firefox 3 isn't supported.

The answer is to wait until April 1 when 2.0.0.21 with the fix will get released per this posting (which was the 2nd in this thread):

Rick Stockton Posted Friday 27th March 2009 00:34 GMT

Long before you ever posted this article... It's already in this morning's "nightly" builds on all platforms, and they've fixed Firefox 2 as well as FF 3.0 and all the Development versions.

Anonymous Coward
Anonymous Coward

FF just updated itself to 3.0.8

Easy and fast. No waiting until April 1st after all.

Anonymous Coward
Thumb Up

3.08 @ 0150GMT

Just got it.

Nice work Mozilla

Anonymous Coward
Thumb Up

3.08 update

Arrived on my Ubuntu laptop this morning.

This topic is closed for new posts.