Next week’s ‘Patch Tuesday’ was already going to be quiet, with an update only for Windows. On Friday, Microsoft pulled that update, saying more testing is needed. In related news, officials at the Mozilla Foundation on Friday acknowledged that a potentially dangerous code execution hole exists in fully patched versions of its flagship Firefox web browser. Update: Seems like there already is a (temporary) fix available.
Quiet Patch Tuesday; Firefox Hole Found (and Fixed, Sort of)
About The Author
Follow me on Twitter @thomholwerda
2005-09-10 6:20 pm Anonymous
You’re funnier than my doberman when he’s trying to dig for roots…
but I kinda wonder- how many buffer overflows are still in there?
Plenty, but then again name an app that doesn’t have any exploitable flaws, vulnerabilities :-)?
2005-09-11 11:10 pm Anonymous
“And in general I have to wonder about the bugzilla practices they run…”
“but I kinda wonder- how many buffer overflows are still in there?”
why wonder? the answer is simple you get what you pay for.
2005-09-10 6:30 pm Anonymous
And what are you paying for when you dish out thousands to Microsoft?
2005-09-10 6:42 pm Thom Holwerda
This just goes to show that the people working on free software aren’t somehow magically better at coding than the people working at Microsoft or Apple.
They’re the same coders. Just different logos on their nametags.
2005-09-11 11:12 pm Anonymous
Ok, so free Microsoft Internet Explorer with bad CSS support, bad PNG support with no alpha transparency (7 year old standard, guys!) and strange formatting bugs, versus Firefox.
I guess I get more than nothing with Firefox
why wonder? the answer is simple you get what you pay for.
Hmm, I don’t think the Cisco customers would agree with you.
So spyware is all-in on windows?
1.5b1 was intended as a real beta release, explicitly stated as being released for testers and developers. That said, this IDN issue was here for a while, probably overlooked by some busy developer. Still, about 2 seconds after the release of the IDN security hole the workaround could be performed by anyone knowing enough about Firefox, by setting network.enableIDN to false in about:config. As you all know by now, this “workaround” slowly but surely gets its way to all people through various news sites. All in all, IMHO this is not a major showstopper bug, and this “workaround” is quite enough for the short period of time till a fix will be released, which – be not afraid – will probably be released soon enough. I think the smoke is so much bigger than the fire in this case.
Does it affect v1.06 ?
Why bother with a free browser with security breaches every week, if you can get a high-end Internet suite like Opera with unique features, an excellent browser, a wonderful e-mail client, chat client, RSS reader, BitTorrent client and Usenet reader for only 40 bucks a year, and no stress about the next security update. The fact that Firefox is open-source makes it easier for virus-writers. One shouldn’t hide bugs, but who has to find security breaches is the devs, not the hackers.
Tell me why sticking with a piece of junk like Firefox? Don’t tell me 40 bucks a year is too much money. Or I’m missing something. This behavior makes me sick. What a joke: stay away from IE because it is unsecure. Go for Firefox because… Ok it’s unsecure, but although every week there is a new security patch, at least it is fixed! You don’t have these sorts of headaches with Opera.
2005-09-10 7:40 pm Anonymous
You’re honestly ready to back that load of trash?
Oh, but that of course can’t be correct; as you’ve stated, Opera is perfection made real. Sure sure…
2005-09-10 8:05 pm Joe User
“You’re honestly ready to back that load of trash?”
“Load of trash”? ROTF! I guess you know Opera only by its name. Give it a try, and then tell me if it’s a “load of trash”!
This security breach you’re quoting is historical. Security breaches are very seldom with Opera. With Firefox it happens every week. That’s it.
2005-09-10 8:15 pm Anonymous
I suppose you failed critical reading in school too. You’ve taken the phrase out of context.
2005-09-10 7:56 pm MikeGA
May I suggest you do some research?
Does it affect v1.06 ?
Yes it does.
A temporary fix would be entering “about:config” where you would normally enter the http://www…. addresses and edit on the “network.enableIDN” which then goes from enabled to disabled.
The IDN itself is a security mechanism that should protect you against spoofing so this temporary fix isn’t really a solution. Konqueror also has this mechanism.
I am running CentOS 4, and Red Hat released a patch yesterday for the bug (hit the CentOS repos today). I’m not sure whether they just applied the workaround, or else if they actually patched the code. Hopefully they patched the code, as this would allow the Mozilla Foundation to release an update using Red Hat’s code.
Who really uses this… Consider typing http://www.нещоси.com/other_thing/. You will screw up changing your keyboard layout. It doesn’t work with email addresses… It’s totally unpractical.
I think the best way is to ship firefox with IDN turned off by default.
I’ve seen proofs of concept that make Firefox crash (I’ve also seen some that claim to do it, but don’t). But I haven’t been able to find any code execution exploits yet.
2005-09-10 8:57 pm Anonymous
It doesn’t actually work.. the proof of concept that is. Something tells me this is a big sham.
2005-09-11 7:36 am Anonymous
For more info, see:
So it only works for long strings of soft hyphens. The number of hyphens is very arbitrary :p (The actual code that might get executed isn’t)
According to the bug report, it was opened (reported to Mozilla.org) on Sept 6. Surely the bug had existed for long, but nobody knew about it.
Oh, and the actual analysis was done by the Mozilla.org folks too.
1) That IE doesn’t even support IDN
2) That all projects should run static analysis tools on their code!!! Buffer overflows should be a thing of the past.
How long have they known about this? I’ve had two websites in the past two or uh… no, two months that were able to completely lock up FireFox, to the point that I actually have to terminate the FireFox process in order to get out of it. I wouldn’t have any way of knowing if there is any “arbitrary code” being run though. Maybe I’m not even typing this, maybe it’s the terroras.
I guess it’s because Americans don’t see the value of IDNs, but can you please stop praising the Mozilla folks because they fixed this bug so quickly?
Firefox is the only modern browser that does not properly support IDNs. (IE 6 does not count as a modern browser.) Enter http://www.müller.de in Firefox – it will display the punycode, even though nobody would mistake the ü for an u. There is no danger of “spoofing”. Opera and Safari understand that and display http://www.müller.de correctly.
And with this “fix”, Firefox will no longer work at all with http://www.müller.de
That’s no fix, that’s ridiculous.
2005-09-11 9:38 am Anonymous
Well duh. Of course this isn’t a fix!
It’s a temporary solution.
You do know what the word “temporary” means, don’t you?
People are praising Mozilla because they’re active on security. No, they aren’t maintained by companies like Apple or Opera Software with regular incomes. It’s by a bunch of volunteers, people who like to program.
The point of open-source is that if you have the necessary skills and like to add a feature or support something, you can add it in and contribute to the project.
Rather than whine like a no-clue spoilt rich girl, how about you help out. If you see a problem, either point out the problem so the developers can put it on their to-do list OR provide the solution yourself.
As for stereotypically blaming Americans in general, how about you look at their Governments, greedy Corporations, and completely stupid patent laws?
If you really think about it, some Americans disagree with those who are in charge. They also disagree on greedy SOB companies like the RIAA and MPAA…Heck, everyone around the world disagrees on that!
With IE you get almost 100% compatibility with previous versions and that is what matters for, for example, corporate users.
Last time I checked, almost every Firefox’s new version (aka patch release) broke compatibility – ie, problems with extensions.
Having said that, competition is good: Firefox 1.5 will bring better patching system, while Microsoft is working on IE 7.
From reading about this on other places, I have to wonder why they released 1.5b1… They knew about the hole days before the release, and still didn’t add it in.
And in general I have to wonder about the bugzilla practices they run… as it is now, if you make sure to get your hands on all newly submitted bug entries, you can potentially get your hands on exploitable holes before anyone gets around to mark these entries as hidden (or whatever it is called).
It’s great that Firefox fixes flaws faster than Microsoft, and it’s great to know that Firefox is still maintaining some level of security, but I kinda wonder- how many buffer overflows are still in there? How many times are they going to have to re-correct how Firefox handles URLs? I would have thought it would be set to reject bad URLs.
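Added example (not from the article or from any commenter): the thread notes that the crash needs long strings of soft hyphens in an IDN hostname, and that Firefox shows punycode for www.müller.de. This Python sketch flags such hostnames in a URL list and shows how the standard library's IDNA codec treats them; the sample URLs, the `audit_url` name and the `max_run` threshold are constructed assumptions.

```python
import re

SOFT_HYPHEN = "\u00ad"
# scheme://[userinfo@]host[:port]; the host is captured up to the first / ? # or :
_HOST_RE = re.compile(r"^[a-z][a-z0-9+.-]*://(?:[^/?#@]*@)?([^/?#:]*)", re.I)


def audit_url(url, max_run=3):
    """Describe the hostname of `url`: soft-hyphen runs and its IDNA (ASCII) form."""
    m = _HOST_RE.match(url)
    if not m:
        return {"host": None, "ascii": None, "suspicious": False}
    host = m.group(1)
    runs = re.findall(SOFT_HYPHEN + "+", host)
    longest = max((len(r) for r in runs), default=0)
    try:
        # The built-in codec applies nameprep, which maps U+00AD to nothing,
        # so the normalized label can be far shorter than the raw one.
        ascii_host = host.encode("idna").decode("ascii")
    except UnicodeError:
        # Raised, for example, when a label is empty after normalization.
        ascii_host = None
    return {
        "host": host,
        "soft_hyphens": host.count(SOFT_HYPHEN),
        "longest_run": longest,
        "ascii": ascii_host,
        "suspicious": longest > max_run,  # max_run is an assumed threshold
    }


# Constructed sample input (not taken from any real log).
SAMPLE_URLS = [
    "http://www.müller.de/",
    "http://exam" + SOFT_HYPHEN + "ple.com/index.html",
    "http://" + SOFT_HYPHEN * 40 + ".example/",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        r = audit_url(u)
        print(repr(r["host"])[:40], r["longest_run"], r["ascii"], r["suspicious"])
```

A legitimate IDN such as www.müller.de passes untouched, a single soft hyphen is silently dropped, and a label made only of soft hyphens is both flagged and rejected by the codec.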