Nine new Mozilla and Firefox security flaws
minstrel
Apr 18th 2005, 6:41 pm
Mozilla flaws could allow attacks, data access (http://news.zdnet.com/2100-1009_22-5674883.html?tag=nl.e589)
April 18, 2005
By Munir Kotadia, CNET News.com
Multiple vulnerabilities that could allow an attacker to install malicious code or steal personal data have been discovered in the Mozilla Suite and the Firefox open-source browser. Details of the nine flaws were published on Mozilla's security Web site over the weekend.
"There are some permission issues related to running JavaScript at an escalated privilege level. They remove some of the security measures used to keep JavaScript sandboxed and allow it to potentially do malicious things to your computer," Latter said. Another issue could allow malicious scripts to gain access to random pieces of memory, he said.
On Monday, security advisory firm Secunia issued a "highly critical" rating on the flaws found in Mozilla Firefox 0.x and 1.x versions. Secunia posted its advisory on eight of the flaws.
According to the French Security Incident Response Team, attackers could run malicious code on a user's system because of a flaw in the Mozilla browser's pop-up blocker.
An advisory from the French group said, "When a pop-up is blocked, the user is given the ability to open that one pop-up...If the pop-up URL were JavaScript: selecting 'Show JavaScript:...' from the infobar or pop-up blocking status bar icon menus would run the JavaScript with elevated privileges, which could be used to install malicious software."
Another of the Firefox flaws can be exploited when a user visits a Web page that requires a plug-in that has not already been installed. The French advisory claims that if the browser's Plug-in Finder Service is used to automatically locate an appropriate plug-in, the "manual install" function can be used to "launch arbitrary code capable of stealing local data or installing malicious code."
All versions of Mozilla Suite prior to version 1.7.7 and all versions of Firefox prior to 1.0.3 are vulnerable.
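As an added example (not from the article or from Mozilla): a defender-side scan of web server access logs that flags clients whose User-Agent reports a Firefox below 1.0.3 or a Mozilla Suite below 1.7.7, the fixed versions stated above, so an administrator can see which machines still need the update. The log lines, client IPs and Gecko build dates are constructed sample data.

```python
import re

# Minimum fixed versions named in the advisory: Firefox 1.0.3, Mozilla Suite 1.7.7.
FIXED = {"Firefox": (1, 0, 3), "Mozilla Suite": (1, 7, 7)}

def parse_version(s):
    """Turn '1.0.3' into (1, 0, 3); a non-numeric tail such as '1.0.3b' is cut off."""
    parts = []
    for p in s.split("."):
        m = re.match(r"\d+", p)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)

def classify_user_agent(ua):
    """Return (product, version_tuple, is_vulnerable) for Gecko browsers, else None."""
    m = re.search(r"Firefox/(\d+(?:\.\d+)*)", ua)
    if m:
        v = parse_version(m.group(1))
        return ("Firefox", v, v < FIXED["Firefox"])
    # The Mozilla Suite sends no product token: the UA ends right after Gecko/<build>.
    m = re.search(r"rv:(\d+(?:\.\d+)*)\) Gecko/\d+$", ua)
    if m:
        v = parse_version(m.group(1))
        return ("Mozilla Suite", v, v < FIXED["Mozilla Suite"])
    return None

# Constructed Apache combined-format log lines (IPs and build dates are made up).
SAMPLE_LOG = """\
10.0.0.5 - - [19/Apr/2005:08:01:12 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050223 Firefox/1.0.1"
10.0.0.6 - - [19/Apr/2005:08:02:30 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.7) Gecko/20050414 Firefox/1.0.3"
10.0.0.7 - - [19/Apr/2005:08:03:45 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.7.5) Gecko/20041217"
10.0.0.8 - - [19/Apr/2005:08:04:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
"""

def find_unpatched(log_text):
    """Return [(client_ip, product, version_string)] for every vulnerable client hit."""
    hits = []
    for line in log_text.splitlines():
        # Client IP is the first field; the user agent is the last quoted field.
        m = re.match(r'(\S+) .*"([^"]*)"$', line)
        if not m:
            continue
        ip, ua = m.groups()
        result = classify_user_agent(ua)
        if result and result[2]:
            hits.append((ip, result[0], ".".join(map(str, result[1]))))
    return hits
```

Run `find_unpatched(SAMPLE_LOG)` on the sample to get the two out-of-date clients; point it at a real access log to inventory your own users.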
minstrel
Apr 18th 2005, 8:36 pm
New Exploits released for Mozilla and Firefox (http://www.f-secure.com/weblog/)
Sunday, April 17, 2005
Posted by Mikko @ 19:15 GMT
Proof-of-concept exploits for the popular Mozilla and Firefox web browsers have been posted on public mailing lists. They target the following vulnerabilities:
Code execution through favicons link
Arbitrary code execution from Firefox sidebar panel
These exploits allow the attacker to run arbitrary commands on Firefox before version 1.0.3 and Mozilla before version 1.7.7.
We advise all Mozilla and Firefox users to immediately patch their browsers. Otherwise you might get nasty stuff happen on your computer just by surfing to the wrong site.
anthonycea
Apr 18th 2005, 8:49 pm
I still haven't downloaded it since my last box went down. Do they have a new patched version up yet? :confused:
minstrel
Apr 18th 2005, 8:57 pm
Yes they do, Anthony.
http://www.mozilla.org/download.html
anthonycea
Apr 18th 2005, 8:59 pm
I just had a similar problem with www.openoffice.org and had to remove the old version and get the new beta 2.0; it is quite a nice program.
Thanks for the notice and the link :o
mushroom
Apr 19th 2005, 1:11 pm
Here's a wake-up call for those who ditched Internet Explorer for Firefox, believing it's more secure than Microsoft's much-attacked browser:
Proof-of-concept code targeting security holes in Firefox and the Mozilla Suite have started appearing on public mailing lists. An attacker could exploit the flaws to launch malicious code. But users can protect themselves by updating to Firefox 1.0.3 and Mozilla Suite 1.7.7.
"These exploits allow the attacker to run arbitrary commands on Firefox before version 1.0.3 and Mozilla before version 1.7.7," Mikko Hypponen, director of AV research for Finnish security firm F-Secure Corp., said in the lab's daily blog. "We advise all Mozilla and Firefox users to immediately patch their browsers. Otherwise you might get nasty stuff happen[ing] on your computer just by surfing to the wrong site."
Full story: http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1080895,00.html
noppid
Apr 19th 2005, 1:17 pm
The difference is that the Firefox team fired off a fix immediately.
MS has to spin its wheels while they decide how badly the patch will affect the OS, as IE is so closely integrated. Just plain old bad planning on MS's part.
Bugs will always exist. The quality of the software and the software provider should be gauged by reaction time IMO.
Firefox wins hands down there.
J.D.
Apr 19th 2005, 1:27 pm
The difference is that the Firefox team fired off a fix immediately.
It is true - I checked when some of the serious bugs were entered to bugzilla:
http://www.mozilla.org/projects/security/known-vulnerabilities.html
In some cases Mozilla folks fix the problem within a day!
J.D.
mopacfan
Apr 19th 2005, 1:41 pm
The difference is that the Firefox team fired off a fix immediately.
MS has to spin its wheels while they decide how badly the patch will affect the OS, as IE is so closely integrated. Just plain old bad planning on MS's part.
Bugs will always exist. The quality of the software and the software provider should be gauged by reaction time IMO.
Firefox wins hands down there.
I agree 100%. And considering that I don't have any of those aforementioned features turned on or utilized, it would not affect me anyway.
TwisterMc
Apr 19th 2005, 2:38 pm
The difference is that the Firefox team fired off a fix immediately.
MS has to spin its wheels while they decide how badly the patch will affect the OS, as IE is so closely integrated. Just plain old bad planning on MS's part.
Bugs will always exist. The quality of the software and the software provider should be gauged by reaction time IMO.
Firefox wins hands down there.
Nicely Said.
jebby
Apr 19th 2005, 4:20 pm
Firefox remains the way to go IMHO. The bug fixes seem to be very quick.
minstrel
Apr 19th 2005, 6:16 pm
Suit yourself. It's nice to have choice. But I do find it funny that we first get the open source crowd trying to tell us that the software is invulnerable and then when bugs are announced we get the "yes but look how fast they were fixed" stuff. In this case, no matter how many people proclaim the "one day fix" myth, some of these bugs were common knowledge before the weekend (Thursday I believe) and the new versions were not available for downloads until Monday. That's a bit longer than 24 hours, wouldn't you say?
Have you noticed that many of the bug fixes announced by Microsoft are for bugs you didn't even know existed until the fixes were released?
All that said, this thread was about warning people to upgrade Firefox. One of the things that concerns me is that many people have been fed the myth that Firefox avoids the security issues seen in IE. Based on that belief, my son and a nephew recently converted. I don't think the open source community does themselves or their users any favors by making false claims -- if you are using Firefox, it is just as important for you as it is for IE users to keep up with updates. And I wish Mozilla/Firefox would get its act together and develop some way of automatically notifying people of vulnerabilities and then issuing PATCHES instead of forcing a download of the entire new version.
noppid
Apr 19th 2005, 6:32 pm
Suit yourself. It's nice to have choice.
1) But I do find it funny that we first get the open source crowd trying to tell us that the software is invulnerable and then when bugs are announced we get the "yes but look how fast they were fixed" stuff. In this case, no matter how many people proclaim the "one day fix" myth, some of these bugs were common knowledge before the weekend (Thursday I believe) and the new versions were not available for downloads until Monday. That's a bit longer than 24 hours, wouldn't you say?
2) Have you noticed that many of the bug fixes announced by Microsoft are for bugs you didn't even know existed until the fixes were released?
All that said, this thread was about warning people to upgrade Firefox. One of the things that concerns me is that many people have been fed the
3) myth that Firefox avoids the security issues seen in IE. Based on that belief, my son and a nephew recently converted.
4) I don't think the open source community does themselves or their users any favors by making false claims -- if you are using Firefox, it is just as important for you as it is for IE users to keep up with updates. And I wish Mozilla/Firefox would get its act together and develop some way of automatically notifying people of vulnerabilities and then issuing PATCHES instead of forcing a download of the entire new version.
1) Where did the "open source" community make such a statement please?
2) Um er, percentages please, not speculation based on how informed you think you may be, please.
3) Again, if you look up the quotes, no one said it won't happen. And I stand by the fact that open source responds faster. They can because they are not working in the fragile inner rings of the Windows core like IE.
4) They probably do that because of the seeming inability of Windows to do an upgrade of anything without it tripping over remnants of the previous install it left behind. In other words, it's a damn smart move: you know you have new code.
Both have their place, but I hate IE because while MS postures this big facade that they hate spam, down the hall they develop IE so vendors in their graces can do exactly that, spam you. But worse, on your desktop.
The IE argument is lost there and cannot recover; that is Bill's intention and they will keep providing hooks for vendors to get around email and spam your desktop.
Don't let one known failed attempt at this make you think it won't happen, it will. Then you will be able to hate IE for what it is, not because you don't understand open source methods that actually work.
minstrel
Apr 19th 2005, 7:08 pm
I think you know full well that the myth of invulnerability has been widely propagated. You can't have missed the gleeful headlines, initiated by the open source community and picked up and circulated even further by the popular press. This thread wasn't started to bash Firefox -- it was started to warn people of vulnerabilities because too many people are now convinced that if they use Firefox they don't need to worry any more.
noppid
Apr 19th 2005, 7:15 pm
I think you know full well that the myth of invulnerability has been widely propagated. You can't have missed the gleeful headlines, initiated by the open source community and picked up and circulated even further by the popular press. This thread wasn't started to bash Firefox -- it was started to warn people of vulnerabilities because too many people are now convinced that if they use Firefox they don't need to worry any more.
Now that sounds more like you. Yes, the propaganda wagon got out of control by wannabe zealots. However, the purists are probably not speaking, but know as well of the inevitable.
minstrel
Apr 19th 2005, 7:32 pm
What sparked the thread was a comment from my son, who recently returned from a trip to the UK where his cousin apparently told him he should use Firefox so he wouldn't get all those viruses and stuff.
We have a large extended family and I just know I'm going to be re-formatting a lot of hard drives in the next little while :(
jebby
Apr 19th 2005, 10:00 pm
My reason for switching to Firefox was for features -- in particular, I really like tabbed browsing. The fact that it isn't a Microsoft product was a bonus.
I do agree that it is annoying that updates aren't simply patches, but Firefox does notify you when new updates are available (little red arrow on the top right of the browser window).
minstrel
Apr 19th 2005, 10:16 pm
Well, I'll be! I thought that little red arrow meant, "You're shafted now, bud"... :D
minstrel
Apr 20th 2005, 7:23 pm
Fred Langa: FireFox Pros And Cons (http://langa.com)
In the current article on Firefox (http://www.informationweek.com/story/showArticle.jhtml?articleID=160900911), my opening argument was "FireFox is a good browser, but not at all the panacea its most ardent fans think it is." My closing argument was "It's great that there are open-source alternatives to try, and it's smart to proactively explore all your options. But go in with your eyes open: All software has flaws. There are no panaceas!"
To me, it's hard to imagine less inflammatory statements. I mean: "All software has flaws." How can anyone disagree with that?
But the froth-on-the-lips crowd is out in force, claiming I'm shilling for Microsoft, or have my head far up a nether orifice. If members of the rabid pro-Firefox crowd admit to any flaws in that software at all, they say that the numbers of flaws are tiny, and the security holes insignificant.
This view, however appealing, is totally false. There is no objective evidence--- zero, zip, nada, nil--- to support that view. Instead, there is a large and growing body of evidence that indeed and of course, there are problems in Mozilla/Firefox, and some of them are quite severe, opening the door to data theft, backdoor infections of your PC, and so on--- exactly the same kinds of problems that Internet Explorer is reviled for!
...
Does all this mean that Firefox is a bad browser? Not at all. It means it's a normal browser, and will require vigilance to use safely.
Does this mean that Internet Explorer is wonderful? Not at all. It's a normal browser, and requires vigilance to use safely.
If you keep either browser patched, and use the other security tools we discuss here issue after issue, you'll be fine using either IE or Firefox. In point of fact, most of the actual real-life exploits in IE have affected out-of-date, unpatched, and/or unprotected systems. If you keep your software up to date and protected, you'll be fine.
Bottom line: Firefox is a fine tool. If you like it, by all means use it. But don't think that using it will automatically make you safe from serious browser security issues--- in fact, cold, hard facts prove exactly the opposite. So, once again: "It's great that there are open-source alternatives to try, and it's smart to proactively explore all your options. But go in with your eyes open: All software has flaws. There are no panaceas!"
mikmik
Apr 21st 2005, 1:40 am
More bourgeois bashing of the good working-class browser, FireFox. The flaws are propaganda launched by comrade Bill. A revolt will happen one of these days. The proletariat will rise up and squash the flaws that rule over us.
:)
minstrel
Apr 21st 2005, 7:42 am
LOL :D
Before you start flaming him, mikmik is being sarcastic here... :)
mikmik
Apr 21st 2005, 8:09 am
Back to that familiar routine, minstrel saving mikmik from himself ;)
LOL, minstrel got the brains, and I got the looks :p