Unpatched Firefox flaw lets fox into henhouse

An unpatched memory corruption flaw in the latest version of Firefox creates a means for hackers to drop malware onto vulnerable systems. Security notification firm Secunia reports that the security bug (which it describes as extremely critical) stems from errors in handling JavaScript code. The flaw has been confirmed in the …

COMMENTS


Too many now

This gets to be beyond the funny joke.

Microsoft must launch program to help user stop Firefox before it starts as part of security suite, or uninformed user will accidentally use it and have their bank stolen.

Why Firefox developers not prosecuted for all this?


Chrome, Opera and Safari

Security through obscurity is surely worse than an obscure non-exploited bug.


@Bob Gateaux

You do realise IE has a security issue with activeX currently don't you?


Who will patch it first

It's all about days without patching when it comes to security stats.


And now for something completely different...

a security hole in Firefox...


That's one of the reasons I use NoScript.

That's why I use NoScript - belt and braces all the way: it may not stop the attacks, but it makes it a tad more difficult for those script kiddies and whatnot to execute an attack.


I demand

That Firefox's vulnerabilities are not fixed for a year - not doing this would give them an unfair advantage over IE.


Opera, Safari and Chrome more secure?

Safari is full of almost as many holes as Internet Exploiter, crapple just don't admit it.

Opera is bloatware, closed source and has a complete lack of good addons as well as being nowhere near perfect in security. Chrome also lacks essential addons as well as basic functionality such as RSS reader, or even menus.

As it is, no browser is secure until you install Adblock Plus and NoScript.

Anonymous Coward

Time to fix is the key

Bugs happen. Let's see which one gets a fix available first...


A fine theory, but...

"Selecting Firefox over IE when both have unresolved security problems fails to make much sense, leaving Windows users looking for more secure surfing software alternatives with a choice limited to Opera, Safari and Google Chrome."

Other than the fact that with Firefox, anybody with half a brain is using Adblock and Noscript?


Slow hand clap for 3.5...

I know it must be dull as hell poring over already written code looking at ways to remove leaks and the like but, for fuck's sake, can't they at least try and fix the memory leaks in one major version before releasing the next?

Let me guess, it's because they still have to support XP that this happened?

Makes me wish Opera wasn't so fucking annoying.


Not rocket science...

The simplest workaround is to install the "NoScript" add-on, and only allow scripts on sites known to be trusted.


Re: Too many now

I'm sure other people will chime in before me, but what the F#@I are you talking about??? If you compare the amount of security vulnerabilities and the length of time until they're patched FF still beats IE hands down.


A Natural Viral Progression/Regression

Would protection be needed against milfw0rm, or would it be a Active Novel Purge Strain of Alien to Man Code...... Sweet Nectar for Sticky Honey Traps.


NoScript FTW?

Is NoScript any good at halting this attack vector, oh lords of El Reg?


More choices

http://lynx.isc.org/

lynx is safe against all attacks that require javascript, java, flash or activex. It works very well with limited bandwidth.

If you are too lazy to compile your own browser, a web search for "lynx browser compiled windows" will give you several choices. Similar searches for links and w3m did not show anything convincing near the top, but I did find this:

http://en.allexperts.com/q/Unix-Linux-OS-1064/install-Konqueror-Windows-XP.htm


@Cameron Colley

It's a mem corruption not a leak, assuming you know the difference. Perhaps you could be a beta tester/code reviewer instead of moaning. Probably too dull for you though.

Or: use noscript.

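The distinction drawn in the comment above (memory corruption versus a memory leak) is worth seeing in code. The following is an added example written for this page, not code from Mozilla, Firefox or any poster in the thread. It uses a hypothetical toy heap (`pool`, `toy_malloc`, `toy_free`) so that the "bug" writes stay inside one array and the program remains well defined; on a real heap the same overlong copy would be undefined behaviour and is exactly the kind of defect that an exploit turns into code execution. A leak, by contrast, only loses memory and damages nothing.

```c
#include <stdio.h>
#include <string.h>

/*
 * Toy heap for illustration only (assumption: not Firefox's allocator).
 * Layout: [4-byte header][payload] chunks placed back to back in `pool`.
 * Header byte 0 = payload size, header byte 1 = in-use flag.
 */
#define POOL_SIZE 64
#define HDR_SIZE  4

static unsigned char pool[POOL_SIZE];
static size_t pool_top;      /* bump pointer: next free byte in pool */
static int live_chunks;      /* chunks allocated and not yet freed */

/* Reset the toy heap so each demo starts from a clean state. */
static void heap_reset(void) {
    memset(pool, 0, sizeof pool);
    pool_top = 0;
    live_chunks = 0;
}

/* Bump-allocate `size` bytes; returns the payload offset or -1 if exhausted. */
static int toy_malloc(unsigned char size) {
    if (pool_top + HDR_SIZE + size > POOL_SIZE) return -1;
    int off = (int)pool_top;
    pool[off] = size;        /* header: payload size */
    pool[off + 1] = 1;       /* header: in-use flag */
    pool_top += HDR_SIZE + size;
    live_chunks++;
    return off + HDR_SIZE;
}

static void toy_free(int payload_off) {
    pool[payload_off - HDR_SIZE + 1] = 0;   /* clear in-use flag */
    live_chunks--;
}

/* LEAK: allocate, then drop the only reference without calling toy_free.
 * No byte outside the chunk is touched; the allocator just never gets the
 * memory back. Returns the number of live chunks afterwards (1). */
static int leak_demo(void) {
    heap_reset();
    int off = toy_malloc(8);
    (void)off;               /* reference discarded: chunk can no longer be freed */
    return live_chunks;
}

/* Unbounded copy into a fixed-size chunk: the shape of a corruption bug.
 * The source length is never compared with the chunk's capacity. */
static void vulnerable_copy(int payload_off, const char *src) {
    memcpy(&pool[payload_off], src, strlen(src));   /* may run past the chunk */
}

/* Bounded copy: never writes more than the chunk's recorded size. */
static void safe_copy(int payload_off, const char *src) {
    unsigned char cap = pool[payload_off - HDR_SIZE];
    size_t n = strlen(src);
    if (n > cap) n = cap;
    memcpy(&pool[payload_off], src, n);
}

/* CORRUPTION: two adjacent 8-byte chunks A and B. A 16-byte input copied
 * into A runs over B's header. Returns B's in-use flag afterwards: 1 if the
 * heap metadata is intact, otherwise the attacker-supplied byte ('A') that
 * now sits where the allocator expects its own bookkeeping. */
static int corruption_demo(int use_safe) {
    heap_reset();
    int a = toy_malloc(8);
    int b = toy_malloc(8);
    const char *input = "AAAAAAAAAAAAAAAA";   /* constructed input: 16 bytes */
    if (use_safe) safe_copy(a, input); else vulnerable_copy(a, input);
    toy_free(a);
    return pool[b - HDR_SIZE + 1];
}

int main(void) {
    printf("leak: live chunks after losing the pointer = %d\n", leak_demo());
    printf("corruption (unbounded copy): B in-use flag = %d\n", corruption_demo(0));
    printf("corruption (bounded copy):   B in-use flag = %d\n", corruption_demo(1));
    return 0;
}
```

The leak leaves the heap's contents consistent and is at worst a denial of service over time; the overflow rewrites metadata that the allocator (or, in a browser, an object's vtable pointer) will later trust, which is why the Secunia advisory rates the Firefox bug as code execution rather than a resource problem.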
H 5

FF anyday

I'd use FF over any of the others on my PC any day - AdBlockPlus and NoScript are essential addons. FF isn't invulnerable but it's a damn sight better and more customisable than IE or Chrome.


it's only a javascript bug

so no-script will sort it.


Wot?

"Secunia advises Firefox users to avoid browsing untrusted websites or following untrusted links pending the availability of a fix from Mozilla"

Or maybe just untick the "allow javascript" box?


Shock! Horror!

A serious security bug in JavaScript, "Well who dun thunk it was possible?"!

Seriously, turn off JS in ANY browser you run, it's the worst thing since MS, Oracle and Sun all started boasting about improved security in their products!


NoScript

Sorry, NoScript isn't the answer. Or rather NoScript is no more the answer to web security than pulling the Ethernet cable out the back of your PC. NoScript is like Vista UAC but ten times more intrusive and annoying, and therefore ten times more likely to get the "yeah, whatever <click OK> <mutter>stupid *%^@ing browser</mutter>" treatment.


And?

"leaving Windows users looking for more secure surfing software alternatives with a choice limited to Opera, Safari and Google Chrome"

Whose fault would that be? No I get it, because OS Xers and linuxites get sooo many more options.


@FF lovers

The thing you are forgetting is that by using IE on Vista or Win7 you aren't exposed to the issues relating to the IE zero day bug or the Firefox bug.

The security pro's should probably be saying "avoid using Firefox until a fix is released, such as using IE7/IE8 on Vista or Windows 7".

Also to the guys gloating about NoScript and AdBlock.... the problem is that the majority of the users out there have less than "half a brain". FF has the market share where it's logical to assume that it's way, way past a geek thing. Mums and Dads, Grandma, kids etc. are all using FF on IT Pros' recommendations.

Do you really think they've installed NoScript? If you've installed it do you really think they haven't disabled it or will the very second they find out it's stopping them from getting their "FREE SCREENSAVER!!!"...? Course not.

Security by picking a product cause it's open source is bollocks. It's no better or worse than closed sourced.

And you can skip the bullshit about taking a year to fix. The IE exploit has been in the public domain for a few weeks, yet the devs have known about it for a year. The FF one could easily have been in the same boat - where a sole dev has known about it but hasn't fixed it as it's not in the public domain as yet and a fix could break a lot.

P.S. I love the way OSS fans have gone from "it's open source so anyone can read the code. 100,000 devs looking at the codebase must make it more secure than just a few hundred." to moving along to a different angle of "it's all about the speed of a fix which anyone can do as it's open source." FUCK OFF! IT MAKES NO DIFFERENCE. Most people don't give a flying fuck if it's open, closed or ajar source - they won't bother looking at the code.


Difference with IE...

The difference with IE on Vista and Win7 is that it runs in a sandbox so even if there were an exploit, the OS is safe, unlike if you were using Firefox.


title

Back to lynx! Yay!


FFS

Or instead of bitching about which is the bestest way of reading the news/facebook you could do what many IT aware folks do - random surfing in FF with adblock/noscript & "trusted" sites like your bank/intranet in IE (ALT tab - not hard is it to switch between browsers?), run a (free) OpenDNS account with phishing/malware sites blocked at DNS level. A decent antivirus (Avast (free) is my personal choice for home & Trend Worry Free (Small/Medium biz/SOHO) for the office) & if you MUST look for warez/torrents/cracks/keygens/pr0n/stuff™ either use a limited account, a sandbox or a virtual machine (don't M$ offer theirs free now??)

IT'S NOT ROCKET SCIENCE to spend an hour or so setting yourself a secure system up; you have no-one to blame but yourself if you can't be ar$ed to keep your system reasonably secure.

FFS you're reading an IT site with loads of free info handed out not only in the articles - but also in the comments; half a dozen clicks on Google will sort you out.

Back to the article - Ohh another browser with issues - bet you're glad you weren't singing the praises of FF in the "IE's knackered" story earlier .... Oh.... Oops, isn't there a saying about pride goes before sticking your foot in your gob or something??

Browser wars are the same as OS wars: use the tools you're given and don't click on the "lolz - I saw you doing something stupid in a place you've never been - while you were tucked up in bed with a glass of milk" or the "you have won something" or "famous chick with her airbags out" & you know a random stranger is not going to email you a fortune/love letter - you know it's a scam & if you click on it you're just a retarded moron

</rant>

Deep breath & Calm

*disclaimer

I have been dealing with multiple idiots all day who "know about computers"

Grenade as morons should be made to eat one once in their life


Firefox vs Exploder

The thing with alternative browsers used to be that when someone took advantage of Internet Explorer vulnerabilities it was the equivalent of handing them regular Explorer. They were the exact same piece of software which is why Microsoft always complained that unbundling IE was impossible. Anyone who remembers Windows 1.0 will know that it was nothing more than File Manager, the predecessor to Explorer. Internet Explorer was Explorer with a different skin.

However all that got murky with the release of IE 7 and now Microsoft have started doing things like forcing .Net as an irremovable addon into Firefox. That all they needed to do to make Firefox as vulnerable as IE was to make it an all user addon rather than install it under the current profile is a massive Firefox flaw in of itself. Don't tell me all you need to do is disable the addon, the fact you can't remove it is a joke.

Add to this the fact that Firefox (and Mozilla) has always been Javascript-challenged and now you have something that needs addons to make it safe to use as well as some basic re-configuration that most key-mashing users with no technical background will never do.

So now our choices seem to be handing someone Explorer through IE, handing them Windows through Firefox or hoping that the coders of the next alternative browser have learned something from the mistakes of Microsoft and the Mozilla Foundation. I'm not exactly overwhelmed with optimism when it comes to Chrome and Opera has turned into some sort of adware delivery system.

Yes it is partly Microsoft's fault for making taking out Firefox, and while I never automatically install every update Microsoft claims is vital, I'm stuck with the quandary of wondering what flaws I've left unresolved and whether the updates I do install have introduced new flaws as well as maybe some old flaws that have been cut and paste back into the code.


We will all be safer

when we stop using web browsers like IE and Firefox. Me? I use Lynx.


where is proof-of-concept

So I can see if Firefox with AdBlock Plus+NoScript+RequestPolicy+JavaScript Options can prevent exploit.

Let's see... for IE I can use the extension... um... or... never mind.

J 3

@Too many now

Furthermore, what do you have against articles, be they definite or indefinite? There was one lonely "the" there, and it was used incorrectly anyway, poor thing...

Wait a sec... Russian has no articles. Are you a Russian with a French handle?


@Bob Gateaux

You forgot "Ha ha, I troll you!"

Silly billy.


That's it!

I've had enough and I'm bricking up my intertubes right... no... <carrier lost>


All platforms?

Is this advisory for Firefox users on all platforms, or just Windows?


Wonderful

After playing with the code from milw0rm I just need to create my own shell code and upload this beauty to all my porn/warez web sites and XSS a few others I have rooted, nice one. Thanks Simon.

I do wonder however, how many people smart enough to choose FF over IE are so dumb that they don't use NoScript.

Sly

noscript FTW

javascripts got your idents... block them with noscript...

DUH.

I haven't surfed without noscript for over a year now. No issues since either.

I don't see IE having a script blocker on it or add-in for such to work around the active-x bugs. at least firefox users can put on a condom (noscript) unlike IE users that are just open for abuse.


Chrome, Safari, Opera

Chrome: Completely insecure in normal config (only time I ever got drive-by download nastyware was when using Chrome).

Safari on Windows: As bad as FF/IE, security through (relative) obscurity.

Opera: Same

Firefox may not be very good security wise, but NoScript and a small army of other security/visibility-enhancing plugins go a long way towards fixing that, and also makes Firefox much, much easier to keep an eye on. Using any other browser I'm constantly worried about what's going on behind my back.


Early adopters...

BEWARE!

I'm still waiting for some of my add-ons to be updated for 3.5, so I'm still on 3.0.11... Maybe I'm safe... Maybe I'm not... Anyone know?


But ...

But what about Konqueror?


Advice

"Secunia advises Firefox users to avoid browsing untrusted websites or following untrusted links pending the availability of a fix from Mozilla"

So now we're advised to avoid untrusted sites while we happen to know of a specific bug our browser has. What do we do the rest of the time? What we really have to do is accept that browsers are crappy applications that we feed every piece of crap we can find into.


NoScript?

You know, even IE is pretty secure if you disable scripting and ActiveX. (I wonder if would-be internet advertisers know that only dumb folks can see their ads.)


Better Pipeline

A better place to see what is happening security wise is http://blog.mozilla.com/security/ plus a temporary workaround is given.


Bah!

Predictably the FF support choir starts bleating that its leaky boat is better than the other leaky boat because when it comes to leaky boats, it's all about the add-ins (C/W duelin' dirty trix by otherwise doctrinally sound open source evangelists), days since the last hole was patched yaddayaddayadda.

Face it foxers, your "better" product is as motheaten as The Other Guy, and for much the same reasons. Now you have to find a new browser to fall in love with & cease thy evangelising of a broken product, or be labelled hypocrites. Instead of directing your ire at the people who don't now, and never will use this ugly bit of tat, direct it at the people who left the bleeding holes in the thing in the first place.

If I understand the open source process, at least as it has been touted in these here comment pages over the years WRT Firefox, that would be yourselves in some cases.

And how ironic is it that Ms Clinton was just being harangued by "knowledgeable" government IT people begging for Firefox?

The whole internet "world in a browser" model is fundamentally flawed anyway. I blame dynamic linking, cascading style sheets and the senseless demand for more shiny in the webpages.

Gah!

Anonymous Coward

We are running out.......

Of safe browsers. They suggest using an "alternative browser" but please tell me which one isn't full of holes? It's like telling someone to run in one direction away from a bomb, only to find that they are blown up by a bomb whilst running the opposite way.


RE: Opera, Safari and Chrome more secure?

Opera may be closed source and it might be lacking in add-ons (A lacking which I personally am not bothered by), it is quite secure and most certainly not bloatware. Opera's the only browser I've seen so far that I can leave open for weeks at a time without it gobbling up huge amounts of memory.

Internet Explorer 7 just falls over after a few hours, once I get past a dozen or so tabs. IE8 I haven't tested yet. Firefox leaks memory all over the place, having a lot of tabs open just makes matters worse. Chrome does fine with small amounts of tabs and doesn't seem to leak memory, but after a dozen or so tabs starts to use excessive amounts of CPU time.

I haven't tested Safari (No Apple software on my Windows machines, tyvm) myself, so no comments on that.


Bloated ?

If Opera is so bloated, why is it only 30% of FF's size? The addons some might miss are already built in. Closed source it may be, but look at the bright side: it keeps the GPLtards away.


@OkKTY8KK5U

I don't use NoScript. I've tried to put up with it but it breaks too many sites. Even when you completely disable it I've had dozens of sites that still won't load properly. It's great in theory but it just has too many compatibility problems to make it worth the hassle. I do run AdBlock though as that has never caused me any problems.


Good.

Two security flaws for MS and Mozilla to address. Let's see who wins, it's a straight race.
