Firefox Browser Security Flaw

[smearbrick1]

http://news.yahoo.com/s/pcworld/120756

Firefox has unpatched "extremely critical" security holes and exploit code is already circulating on the Net, security researchers have warned.

The two unpatched flaws in the Mozilla browser could allow an attacker to take control of your system.

A patch is expected shortly, but in the meantime users can protect themselves by switching off JavaScript. In addition, the Mozilla Foundation has now made the flaws effectively impossible to exploit by changes to the server-side download mechanism on the update.mozilla.org and addons.mozilla.org sites, according to security experts.

The flaws were confidentially reported to the Foundation on May 2, but by Saturday details had been leaked and were reported by several security organizations, including the French Security Incident Response Team (FrSIRT). Danish security firm Secunia marked the exploit as "extremely critical", its most serious rating, the first time it has given a Firefox flaw this rating.

In recent months Firefox has gained significant market share from Microsoft's Internet Explorer, partly because it is considered less vulnerable to attacks. However, industry observers have long warned that the browser is more secure partly because of its relatively small user base. As Firefox's profile grows, attackers will increasingly target the browser.

Two Vulnerabilities Found
The exploit, discovered by Paul of Greyhats Security Group and Michael "mikx" Krax, makes use of two separate vulnerabilities. An attacker could create a malicious page using frames and a JavaScript history flaw to make software installations appear to be coming from a "trusted" site. By default, Firefox allows software installations from update.mozilla.org and addons.mozilla.org, but users can add their own sites to this whitelist.

The second part of the exploit triggers software installation using an input verification bug in the "IconURL" parameter in the install mechanism. The effect is that a user could click on an icon and trigger the execution of malicious JavaScript code. Because the code is executed from the browser's user interface, it has the same privileges as the user running Firefox, according to researchers.

Mozilla Foundation said it has protected most users from the exploit by altering the software installation mechanism on its two whitelisted sites. However, users may be vulnerable if they have added other sites to the whitelist, it warned.

"We believe this means that users who have not added any additional sites to their software installation whitelist are no longer at risk," Mozilla Foundation said in a statement published on Mozillazine.org.

[jimmalenko]

It was only a matter of time - Firefox's growing popularity was always going to be a carrot to those who find it within themselves to be PITA's.

[State Of Mind]

What the hell are you going on about jimmy? Firefox is a damn good browser and so is Opera. No browser is perfect. They all have vulnerabilities. But there are differences. IE has more vulnerabilities than FF and Opera. Once a vulnerability in IE is found, it takes a month for a patch to come out and then its released on Windows Update. When a vulnerability in FF or Opera is found, it's fixed immediately and a new executable is ready for download, which is how IE should be. Anyone who thinks Firefox and Opera suck need to get their facts straight, simple as that.

[jimmalenko]

What the hell are you going on about jimmy? Firefox is a damn good browser and so is Opera. No browser is perfect. They all have vulnerabilities.
...
Anyone who thinks Firefox and Opera suck need to get their facts straight, simple as that.

I think the question is .... what the hell are YOU overreacting at ???

All I said was that as things become popular, this almost encourages those of bad ilk to try to stuff it up, because then they get a wider audience. Because IE is used by so many people, that's why people try to find flaws in it. Because of this, Firefox and Opera are being used by more and more people, and as such, the target audience is getting wider and wider. Hence people take it upon themselves to find vulnerabilities and exploits. What would be the point of trying to find a flaw in something that could only affect 1% of users ?

I actually quite like it. I don't use it, but I like it nonetheless.

[AlecWest]

All I said was that as things become popular, this almost encourages those of bad ilk to try to stuff it up, because then they get a wider audience. Because IE is used by so many people, that's why people try to find flaws in it.

Exactly. I have Mac-user friends who crow all the time about how Macs are "invulnerable" to virii (ahem). Truth be known, they're just as vulnerable as PCs ... but hackers and script-kiddies target the popular systems and software, not the niches.

It's kinda like when people crow about getting a new Honda Accord when I drive an ugly Plymouth. I crow back, reminding them that thieves tend to avoid my car and target theirs because it's a popular car. And 4 months ago, a coworker had his Accord stolen right out of the supposedly secure parking structure where we work.

As always, the best defenses are (1) good firewall software, (2) good antivirus software that is used often, and (3) avoidance of shady websites, certain P2P situations, and certain chatroom/IRC situations.

[Tidy]

What the hell are you going on about jimmy? Firefox is a damn good browser and so is Opera. No browser is perfect. They all have vulnerabilities. But there are differences. IE has more vulnerabilities than FF and Opera. Once a vulnerability in IE is found, it takes a month for a patch to come out and then its released on Windows Update. When a vulnerability in FF or Opera is found, it's fixed immediately and a new executable is ready for download, which is how IE should be. Anyone who thinks Firefox and Opera suck need to get their facts straight, simple as that.

First off you need to calm down man. It is a web browser not your final destination. Secondly, I think FF sux. It will not do half the things I need it to and has decreased functionality in comparison to IE. Don't get me wrong I do not think MS is the best software company in the world but as soon as anybody else's product gains 98% market share I am SURE you will find as many if not more flaws.

The fact remains that people are entitled to their opinion. A lot of people love FF it just so happens it won't do half the things I need it to and I do not experience the speed increases people claim and I have not experienced any greater security with it than anything else if you use good judgement.

[Sam Ontario]

When my IE was attacked, I use FF. Just don't want to reinstall everything. Both IE and FF are not perfect but they are quite OK for my general internet surfing.

[VegasBud]

...I think FF sux. It will not do half the things I need it to and has decreased functionality in comparison to IE.

I'm curious. What is it that IE does that FF won't? My experience is pretty much the exact opposite, i.e., FF does things that IE doesn't.

[BJ_M]

well FF does not support activeX , other than that -- it's fine and i use it ..

[VegasBud]

well FF does not support activeX , other than that -- it's fine and i use it ..

Actually, not supporting ActiveX is one of the reasons I switched from IE, so that would be a plus to me. After I wrote my first ActiveX control, I realized the incredible security risks they could present in the internet environment.

[winifreid]

To me the advantages to FF are many, but it isn't easy to update. I like the ad and popup blockings and the extensive configurability. Tab browsing is great. But I still using 1.0 because it is such a pain to upgrade. Often extensions will not work with updates and it is a pain to backup the profile. Also, so far updates have been complete downloads. IE usually just has partial updates. I am sure that once 1.1 comes out I will update since that is supposed to have a better update engine.

[Gildas]

I never had to back up my profile before updating Firefox. Just install the new version over the previous one. It is smart enough to know not to delete your personal settings.

[Tidy]

...I think FF sux. It will not do half the things I need it to and has decreased functionality in comparison to IE.

I'm curious. What is it that IE does that FF won't? My experience is pretty much the exact opposite, i.e., FF does things that IE doesn't.

Well lets start with ASP for whatever reason FF has problems displaying pages built with the server side technology called Active Server Pages

[Sabro]

BTW, as of this posting (time) 1.0.4 is available from mozilla.org but its not reflected on their website.

Just change the download link from 1.0.3 to 1.0.4 (for windows, not sure about other OSes) and enjoy

Sabro

[Colindale]

I'm using Firefox in Linux, twice the protection!, in fact I now only use Suse Linux when
venturing on the Internet.

I only use Windoz for things that are a little harder in Linux, but that will change.!

[vitualis]

I don't seem to have any problem with ASP with FF. As per the others... the only thing that doesn't work on FF compared to IE for me is ActiveX -- and I consider that a BONUS.

The breaking of plugins and extensions is a weakness of FF (IMHO) but since v1.0+ of FF, this hasn't been an issue with the plugins/extensions that I use (which are not many).

I also like the fact that I can use FF on both my Windows and Linux machines.

Backing up a profile in FF is annoying on Windows but easy on Linux. At the same time, there isn't really a way of backing up a profile on IE AFAIK.

Regards.

[VegasBud]

...for whatever reason FF has problems displaying pages built with the server side technology called Active Server Pages

I can't say I've had any problems with asp, so I checked at "The Official Microsoft Asp.Net Site", and found that most of the problems are related to the "Adaptive Rendering" used by asp.net delivering W3C compliant HTML4.0 only to IE, and sending 3.2 compliant html to anything else ("down-level" browsers).
There are two good articles here and here about how to configure an asp application or server to have the Web controls render HTML 4.0-compliant markup for modern, non-Microsoft browsers.

[guns1inger]

In the very few cases where FF hasn't dislpayed a page correctly, the View in IE plugin has solved the problem. As a general rule though, any correctly coded page not using M$ extensions to the standard (dah, it's meant to be a standard, Bill) works. I have also never had a problem upgrading, although the complete install method isn't subtle. I did avoid the beta's because I wasn't that impressed, but since version 1 I have been a convert.

[Sabro]

I believe alot of the install/upgrade issues were during the early beta stages, as I heard of some people ending up with non-functional FFs after upgrading.

I have yet to expirence any install/UG problems from the late betas to the current release 1.0.4.

Although, I've used IE a few times, I've been an avid Lynx, Netscape, FireFox user and have avoided alot of the nightmares IE users seem to expirence.

Sabro

[BJ_M]

http://news.com.com/IBM+backs+Firefox+in-house/2100-7344_3-5704750.html?tag=st_lh


IBM backs Firefox in-house


IBM is encouraging its employees to use Firefox, aiding the open-source Web browser's quest to chip away at Microsoft's Internet Explorer.

Firefox is already used by about 10 percent of IBM's staff, or about 30,000 people. Starting Friday, IBM workers can download the browser from internal servers and get support from the company's help desk staff.

IBM's commitment to Firefox is among its most prominent votes of confidence from a large corporation. Based on development work by the nonprofit Mozilla Foundation, Firefox has been downloaded by more than 50 million people since it debuted in November. Internet Explorer still dominates the overall market by far, though, with Firefox's share in the single digits.

For IBM, the move is a significant step in lessening dependence on a product from rival Microsoft.

By supporting Firefox internally, IBM is also furthering its commitment to open-source products based on industry standards, said Brian Truskowski, chief information officer at IBM.

"This is a real good example of walking the talk when it comes it comes to open standards and open source," Truskowski said.

Because Firefox is based on industry standards--as opposed to proprietary technology--IBM has some "comfort" that it will interoperate well with third-party products, Truskowski said. By contrast, Microsoft's Internet Explorer uses some proprietary technology, such as ActiveX for running programs within a browser.

"What I will avoid is anything that is proprietary in nature," Truskowski said.

The company is training its help-desk staff on Firefox and certifying that internal applications will work with the browser, he said.

[wulf109]

Version 1.0.4 is available from the Mozilla home page and says it fixes these security issues.

[Tidy]

...for whatever reason FF has problems displaying pages built with the server side technology called Active Server Pages

I can't say I've had any problems with asp, so I checked at "The Official Microsoft Asp.Net Site", and found that most of the problems are related to the "Adaptive Rendering" used by asp.net delivering W3C compliant HTML4.0 only to IE, and sending 3.2 compliant html to anything else ("down-level" browsers).
There are two good articles here and here about how to configure an asp application or server to have the Web controls render HTML 4.0-compliant markup for modern, non-Microsoft browsers.

I never even thought about that. iw illc heck those articles out. maybe I will use FF a little more. I still se a lot of ActiveX though so I can't completely dump IE.

[Tidy]

If you ask me the "nighmares" that most IE users experience are their own fault. I have no problems with it whatsoever. I use adequite (spelling?) protection and everything is fine. I use MS anti-spyware (giant) and Norton Antivirus 2k5 as well as a decent hardware firewall and a decent software firewall and I have no problems at all and haven't had a problem in years. I think people just don't have the experience or knowledge needed to use IE in a manner that is safe and non compromising. It seems to me that PC's are getting back to the time when you had to "know something" about them to use them. Strange how history seems to repeat itself in cycles.

[shelbyGT]

A lot of webpages simply don't work in FF because they were built for IE. Unfortunately, that's what happens when something gains 90% of the market. People stop writing in the common language and use the specific, IE friendly one.

My business' website doesn't run in FF at all. Something I have no control over, but think our IT dept is stupid for doing. All to save a penny, though.

[edDV]

Version 1.0.4 is available from the Mozilla home page and says it fixes these security issues.

Good because switching off JavaScript caused many problems with many sites including this one.

[spiderman2k1]

I do not hate Firefox but I like Mozilla better. To me Mozilla and with book mark tabs as a group is a must have I have no clue why it's not in firefox. If Firefox had book mark tabs in one group I might change over.

Opera book marks are more stable then Mozilla or IE. I one time had a crash and when i reboot my IE and Mozilla book marks went BY BY--Opera book marks still there. I think they use a different file system or some thing.

This is also a good browser

http://kmeleon.sourceforge.net/

It uses the Netscape code just like Mozilla and FireFox.

[Nilfennasion]

If you ask me the "nighmares" that most IE users experience are there own fault.

Yeah, Billy (I almost wrote Bully... just as appropriate) Gates tried to convince users of the world that all the security holes and exploits in his products were the users' fault, too. This would be fine, since all products encounter untested conditions or have users do things that nobody thought of, but for one thing. Mickeysoft has by far the worst track record in just about every market when it comes to security. Why do you think their efforts to take over the TIVO and video games markets haven't flown? It's because even the ageing granny who is impressed when she clicks on an icon and things happen knows that MS-level reliability is utterly unacceptable with other devices.

[jimmalenko]

I'm just another IE user that never has any problems - I must just be lucky that I don't visit websites of ill ilk, blindly open attachments in my emails from people unknown to me, or that I update my software / anti-virus / firewall regularly ...


Who woulda thought, eh ?

[Nilfennasion]

that I update my software / anti-virus / firewall regularly ...

I also regularly scan my hard drives and keep up a firewall, but I have one other reason to not use IE:

Put simply, I am stuck with an ISP that expects me to. They even refuse to help in terms of tech support when you're having a major problem (often which has nothing to do with the browser) unless you use it. Pardon me, I once told one tech support desk warmer, but wasn't MicroShaft hauled into court, and lost, for this kind of behaviour? And correct me if I am wrong, but don't all other browsers follow a standard set of protocols? Why are you working when I keep getting told I can't?

Einstein was right when he said the difference between stupidity and genius was that genius had limits.

[cincyreds]

Yeah, Billy Gates tried to convince users of the world that all the security holes and exploits in his products were the users' fault, too.

When did he do this? Can you provide specifics because I certainly don't remember him saying anything like that.

Mickeysoft has by far the worst track record in just about every market when it comes to security.

What exactly do you mean by "every market?" Please expound and show statistics to support your statement and what criteria was used to establish "track records."

Why do you think their efforts to take over the TIVO and video games markets haven't flown?

They haven't? MCE is continuing to grow with new MS innovation and Xbox 360 is just around the corner beating Sony's next gen console to market. Sounds like things are going quite well.

It's because even the ageing granny who is impressed when she clicks on an icon and things happen knows that MS-level reliability is utterly unacceptable with other devices.

How is it that an aging granny can be so "dumb" as to be impressed by a mouse click, but still be smart enough to be aware of the acceptance level of MS reliability? This is nonsense.

Ya know, I'm not specifically a MS supporter. I don't use IE (I prefer Opera). But I just get a little tired of people bashing MS with the same old rhetoric, but with absolutely no facts whatsoever to back up anything said.

MS is always a target because they are the biggest and richest and therefore are "bad."

Frankly, I'm tired of MS bashers. If MS is so bad and you're so smart, then design your own operating system, build a 90% market share and successfully market and expand your product line across the globe to become one of the most successful corporations to ever exist. At which point I would applaud you and say you deserve every penny you earn - as does Bill Gates.