From reading about this on other places, I have to wonder why they released 1.5b1... They knew about the hole days before the release, and still didn't add it in.
And in general I have to wonder about the Bugzilla practices they run... as it is now, if you make sure to get your hands on all newly submitted bug entries, you can potentially get your hands on exploitable holes before anyone gets around to marking these entries as hidden (or whatever it is called).
It's great that Firefox fixes flaws faster than Microsoft, and it's great to know that Firefox is still maintaining some level of security, but I kinda wonder: how many buffer overflows are still in there? How many times are they going to have to re-correct how Firefox handles URLs? I would have thought it would be set to reject bad URLs.
1.5b1 was intended as a real beta release, explicitly stated as being released for testers and developers. That said, this IDN issue was here for a while, probably overlooked by some busy developer. Still, about 2 seconds after the release of the IDN security hole the workaround could be performed by anyone knowing enough about Firefox, by setting network.enableIDN to false in about:config. As you all know by now, this "workaround" slowly but surely gets its way to all people through various news sites. All in all, IMHO this is not a major showstopper bug, and this "workaround" is quite enough for the short period of time till a fix will be released, which - be not afraid - will probably be released soon enough. I think the smoke is so much bigger than the fire in this case.
You're honestly ready to back that load of trash?
http://www.eweek.com/article2/0,1895,1841359,00.asp
Oh, but that of course can't be correct; as you've stated, Opera is perfection made real. Sure sure...
"You're honestly ready to back that load of trash?
http://www.eweek.com/article2/0,1895,1841359,00.asp"
"Load of trash"? ROTF! I guess you know Opera only by its name. Give it a try, and then tell me if it's a "load of trash"!
This security breach you're quoting is historical. Security breaches are very rare with Opera. With Firefox it happens every week. That's it.
May I suggest you do some research?
http://dictionary.reference.com/search?q=choice
Does it affect v1.06?
Yes it does.
A temporary fix would be entering "about:config" where you would normally enter the http://www.... addresses and editing "network.enableIDN", which then goes from enabled to disabled.
The IDN itself is a security mechanism that should protect you against spoofing, so this temporary fix isn't really a solution. Konqueror also has this mechanism.
I am running CentOS 4, and Red Hat released a patch yesterday for the bug (hit the CentOS repos today). I'm not sure whether they just applied the workaround, or else if they actually patched the code. Hopefully they patched the code, as this would allow the Mozilla Foundation to release an update using Red Hat's code.
For more info, see:
https://addons.mozilla.org/messages/307259.html
http://mozillanews.org/bugzilla_warning.php3?id=307259
So it only works for long strings of soft hyphens. The number of hyphens is very arbitrary :p (The actual code that might get executed isn't)
According to the bug report, it was opened (reported to Mozilla.org) on Sept 6. Surely the bug had existed for a long time, but nobody knew about it.
Oh, and the actual analysis was done by the Mozilla.org folks too.
How long have they known about this? I've had two websites in the past two or uh... no, two months that were able to completely lock up Firefox, to the point that I actually have to terminate the Firefox process in order to get out of it. I wouldn't have any way of knowing if there is any "arbitrary code" being run though. Maybe I'm not even typing this, maybe it's the terroras.
I guess it's because Americans don't see the value of IDNs, but can you please stop praising the Mozilla folks because they fixed this bug so quickly?
Firefox is the only modern browser that does not properly support IDNs. (IE 6 does not count as a modern browser.) Enter www.müller.de in Firefox - it will display the punycode, even though nobody would mistake the ü for a u. There is no danger of "spoofing". Opera and Safari understand that and display www.müller.de correctly.
And with this "fix", Firefox will no longer work at all with www.müller.de.
That's no fix, that's ridiculous.
Well duh. Of course this isn't a fix!
It's a temporary solution.
You do know what the word "temporary" means, don't you?
People are praising Mozilla because they're active on security. No, they aren't maintained by companies like Apple or Opera Software with regular incomes. It's by a bunch of volunteers, people who like to program.
The point of open source is that if you have the necessary skills and would like to add a feature or support something, you can add it in and contribute to the project.
Rather than whine like a no-clue spoilt rich girl, how about you help out? If you see a problem, either point out the problem so the developers can put it on their to-do list OR provide the solution yourself.
As for stereotypically blaming Americans in general, how about you look at their Governments, greedy Corporations, and completely stupid patent laws?
If you really think about it, some Americans disagree with those who are in charge. They also disagree on greedy SOB companies like the RIAA and MPAA... Heck, everyone around the world disagrees on that!
With IE you get almost 100% compatibility with previous versions and that is what matters for, for example, corporate users.
Last time I checked, almost every new Firefox version (aka patch release) broke compatibility - i.e., problems with extensions.
Having said that, competition is good: Firefox 1.5 will bring a better patching system, while Microsoft is working on IE 7.



