11 replies [Last post]
HellsBells
HellsBells's picture
Offline
Leader
Bedford, UK
Last seen: 11 years 12 weeks ago
Bedford, UK
Joined: 2004-04-07
Posts: 851
Points: 0

Quote:
Security Advisory (September 9, 2005) The Mozilla Foundation is aware of a potentially critical security vulnerability in Mozilla and Firefox browsers' support for IDN, as reported publicly on September 8. There are currently no known active exploits of this vulnerability although a "proof of concept" has been reported. To protect yourself against this exploit, follow these instructions: https://addons.mozilla.org/messages/307259.html

My strategy is so simple an idiot could have devised it!

"Also, your CSS (no offence) makes me want to gouge my eyes out with a rusty spoon" - TPH

n8gz4ez
n8gz4ez's picture
Offline
Leader
Last seen: 10 years 25 weeks ago
Timezone: GMT-6
Joined: 2005-06-13
Posts: 802
Points: 0

Firefox Security Advisory

HB,

Thanks for the update, I probably wouldn't have looked for it otherwise.

So is the future of FF going to be similar to IE, having boat loads of security updates?

Nate

This is my big chance . . . yep, I blew it . . .

gary.turner
gary.turner's picture
Offline
Moderator
Dallas
Last seen: 1 day 19 hours ago
Dallas
Timezone: GMT-5
Joined: 2004-06-25
Posts: 9738
Points: 3817

Firefox Security Advisory

That's the way open source, community development works, Nate; release early, release often. That applies especially to security updates. All nontrivial software has bugs. Compare IE's numerous bugs and many known vulnerabilities and MS's penchant for fixing a few of them every three years[1] or so to the open source tactic of fixing things as soon as they're brought to light and releasing the fix immediately. By example, my update log shows 13 upgrades for Apache 1.3 modules, libraries, and the core itself since April of this year. Apache-common has had minor revisions or security fixes taking it from v1.3.33-4 to 1.3.33-7.

Compare, too, the relative ease of upgrading oss apps to fixes in most Windows apps. If nothing else, you only need restart the fixed app, not reboot the system!

So, yes. You'll be seeing a lot of releases, if for no other reason than a large community working to improve the application in a transparent environment.

cheers,

gary

[1] Until recently MS preferred to wait until ready to release a major revision as a 'service pack'. The new release policy is an improvement, if poorly implemented (IMO).

If your web page is as clever as you can make it, it's probably too clever for you to debug or maintain.

Hugo
Hugo's picture
Offline
Moderator
London
Last seen: 4 years 28 weeks ago
London
Joined: 2004-06-06
Posts: 15668
Points: 2806

Firefox Security Advisory

Thanks for posting this HellsBells;

The vulnerability mentioned is to the IDN (International domain names )service and is fairly serious; in this latest guise it refers to a Buffer overflow exploit and a previous problem with the same service allowed a vile person to mask the real domain you were visiting with something familiar in the address bar

The fix might as well be posted as it's simple and quick to implement

type about:config in the address bar of FF scroll down to the network entries and locate:

network.enableIDN

Right click on it and select 'toggle' to set the value to false.

Nate ALL applications open to the internet are likely exploitable in some fashion, FF is no exception but what Gary says is true that Open source does tend to fix things very rapidly due to the nature of the code development.

However Gary in this instance I wonder what is happening with this IDN problem as it was discussed in it's spoofing guise as long ago as Feb the 9th of this year and the workaround (as there was no fix for it ) was to set to false the network.enableIDN line in config.

The issue mentioned this time is a buffer overflow exploit (and I thought that only MS allowed buffer exploits through bad programming ) So I suppose that it is a new variation of an exploit directed towards the same service, but I do wonder that Mozilla have not actually produced a fix for this yet.

Hugo.

Before you make your first post it is vital that you READ THE POSTING GUIDELINES!
----------------------------------------------------------------
Please post ALL your code - both CSS & HTML - in [code] tags
Please validate and ensure you have included a full Doctype before posting.
Why validate? Read Me

roytheboy
roytheboy's picture
Offline
Guru
North Wales, UK
Last seen: 5 years 52 weeks ago
North Wales, UK
Timezone: GMT+1
Joined: 2004-09-18
Posts: 2233
Points: 41

Firefox Security Advisory

Cheers HellsBells Wink

Hugo wrote:
Right click on it and select 'toggle' to set the value to false.

Mac users should simply double-click the entry.

Life's a b*tch and then you die!

n8gz4ez
n8gz4ez's picture
Offline
Leader
Last seen: 10 years 25 weeks ago
Timezone: GMT-6
Joined: 2005-06-13
Posts: 802
Points: 0

Firefox Security Advisory

Hugo wrote:
Nate ALL applications open to the internet are likely exploitable in some fashion, FF is no exception but what Gary says is true that Open source does tend to fix things very rapidly due to the nature of the code development.

The more I use open source programs, the more I question MS.
:roll:

Thanks for the insight.

Nate

This is my big chance . . . yep, I blew it . . .

Hugo
Hugo's picture
Offline
Moderator
London
Last seen: 4 years 28 weeks ago
London
Joined: 2004-06-06
Posts: 15668
Points: 2806

Firefox Security Advisory

Oh sorry I was forgetting about you special people with your lovely Macs :mad:

Actually highlighting the line and double clicking on it toggles the value in Windows as well. (so there ! does right clicking work for Macs ? )

Hugo.

Before you make your first post it is vital that you READ THE POSTING GUIDELINES!
----------------------------------------------------------------
Please post ALL your code - both CSS & HTML - in [code] tags
Please validate and ensure you have included a full Doctype before posting.
Why validate? Read Me

roytheboy
roytheboy's picture
Offline
Guru
North Wales, UK
Last seen: 5 years 52 weeks ago
North Wales, UK
Timezone: GMT+1
Joined: 2004-09-18
Posts: 2233
Points: 41

Firefox Security Advisory

Hugo wrote:
(so there ! does right clicking work for Macs ? )

Right-click, left-click; it's all the same to us Wink

Life's a b*tch and then you die!

Hugo
Hugo's picture
Offline
Moderator
London
Last seen: 4 years 28 weeks ago
London
Joined: 2004-06-06
Posts: 15668
Points: 2806

Firefox Security Advisory

Following on with a little more detail:
from Slashdot : http://slashdot.org/article.pl?sid=05/02/15/1922215&from=rss

slashdot 15th Feb wrote:

The attack can be disabled in Firefox and Mozilla by setting 'network.enableIDN' to false in the browser's configuration (enter about:config in the address bar to access the configuration functions). The Mozilla development team today made this the default setting. Users who want IDN support will be able to turn it on, but will be warned about the risks involved."

Hm, that's not the default setting in my config file FF version 1.06

It's worth checking the setting after closing and re-opening FF and when installing add-ons.

Hugo.

Before you make your first post it is vital that you READ THE POSTING GUIDELINES!
----------------------------------------------------------------
Please post ALL your code - both CSS & HTML - in [code] tags
Please validate and ensure you have included a full Doctype before posting.
Why validate? Read Me

gary.turner
gary.turner's picture
Offline
Moderator
Dallas
Last seen: 1 day 19 hours ago
Dallas
Timezone: GMT-5
Joined: 2004-06-25
Posts: 9738
Points: 3817

Firefox Security Advisory

roytheboy wrote:
Hugo wrote:
(so there ! does right clicking work for Macs ? )

Right-click, left-click; it's all the same to us Wink
Unless you have a Mighty Mouse?

Of course, I'm kinda partial to my three-button mouse on Gnu/Linux; left button and drag = copy, middle button = paste, right button = context sensitive. That sure speeds things in a gui environment. Works in pty too.

cheers,

gary

If your web page is as clever as you can make it, it's probably too clever for you to debug or maintain.

gary.turner
gary.turner's picture
Offline
Moderator
Dallas
Last seen: 1 day 19 hours ago
Dallas
Timezone: GMT-5
Joined: 2004-06-25
Posts: 9738
Points: 3817

Firefox Security Advisory

hugo wrote:
Hm, that's not the default setting in my config file FF version 1.06

It's worth checking the setting after closing and re-opening FF and when installing add-ons.
My default in 1.06/Win was true, 1.04-2 in Debian was true, and in Mozilla 1.7.?/Win was false. Debian Mozilla 1.7.8-1sarge1 defaulted to true.

What Hugo said!

cheers,

gary

If your web page is as clever as you can make it, it's probably too clever for you to debug or maintain.

Hugo
Hugo's picture
Offline
Moderator
London
Last seen: 4 years 28 weeks ago
London
Joined: 2004-06-06
Posts: 15668
Points: 2806

Firefox Security Advisory

The man with the fastest mouse buttons in the west wrote:
Mozilla 1.7.?/Win was false


Strange my Mozi 1.7.5/Win was set true, there's something going on here, If they were going to set it false by default why does it seem they haven't; is there something switching values ?

I treated myself to one of those fancy optical wireless mice once, 5 programable buttons plus wheel, took a day to decide what functions to programme only to find myself continually starting functions by accident, the slightest twitch and I had closed every running programme. Needless to say it lasted about two days before I accidentally dropped it, enough to drive anyone to the command line that was Laughing out loud

Before you make your first post it is vital that you READ THE POSTING GUIDELINES!
----------------------------------------------------------------
Please post ALL your code - both CSS & HTML - in [code] tags
Please validate and ensure you have included a full Doctype before posting.
Why validate? Read Me