Firefox Vulnerability
Just a week back, Firefox browser downloads crossed the magical 50 million mark, signifying the growing acceptance of open source software.
However, on 8th May 2005, two critical bugs were discovered in Firefox. Even though each is critical in its own right, their effectiveness increases when they are exploited in conjunction.
Check out the Secunia advisories, which are accepted by everyone in the software industry.
Greyhat Security, one of the discoverers of this bug, has this to say.
Normally critical bugs are patched by the Firefox team within a day or two. This one still hasn't been fixed (today is the third day since the discovery). However, they have put a workaround in place and renamed their update servers, making sure that default installations aren't vulnerable.
And before you bash Mozilla and dump Firefox, just remember that we got a response and a workaround from Mozilla (changing their servers and a few other things) in hours, rather than the days and weeks it takes Microsoft. Not to mention that MS takes months or years, if it patches at all, to fix some vulnerabilities. With Firefox, by contrast, one can track the bug's status and see what effort is being put into it.
If you are interested in tracking the bug status, then check out this Bugzilla entry. [Update on 11 May: for security reasons, one needs to be a registered member to access the details.]
Reproducible Test Case:
If you are keen on testing whether your browser is vulnerable, here is a neat test:
Add a website, say "http://sudasudacoffee.blogspot.com", to the allowed websites via Tools->Options->Allowed Sites. Open the sudasudacoffee website in the browser. Then copy and paste this into the URL bar (excluding the outer double quotes): "javascript:InstallTrigger.install({'blah':{URL:'http://www.mozilla.org',IconURL:"javascript:eval('alert(Components.stack)')"}});void(0)". If you are vulnerable, you will see an alert box.
Temporary Solution
To protect yourself, go to Tools->Options and uncheck "allow websites to install software"; that should take care of most of the issue. For 100% effectiveness, JavaScript should be temporarily disabled. However, I don't suggest that, because the probability of being hit is too low and most sites expect JavaScript to be enabled.
Waiting for the Firefox update...
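The test case above works because a field that should only ever name an image (IconURL) is accepted as a javascript: URL, and because the requesting page has been added to the allowed-sites list. The two checks below, written as an added example for this post (not Mozilla's code and not the browser's actual install path), show the defensive shape that closes both doors: allow-list the scheme of every URL in an install request, and refuse requests from pages whose origin is not on the allowed list. The function names, the argument shape (modelled on the InstallTrigger.install call in the test case) and the sample inputs are this example's own assumptions; it runs under Node.js with no third-party modules.

```javascript
// Added example, not Mozilla's code: scheme allow-listing plus an
// allowed-sites origin check for a hypothetical install request.

// Only plain web URLs may be fetched as a package or an icon. Anything else
// (javascript:, data:, chrome:, file:, or an unparsable/relative string)
// is rejected rather than guessed at.
const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

function isSafeResourceUrl(value) {
  let url;
  try {
    // The WHATWG parser lower-cases the scheme, so "JavaScript:" is caught too.
    url = new URL(String(value));
  } catch (e) {
    return false; // not an absolute URL at all
  }
  return ALLOWED_SCHEMES.has(url.protocol);
}

// Origin of the page making the request, or null if it has no usable URL.
function originOf(pageUrl) {
  try {
    return new URL(String(pageUrl)).origin;
  } catch (e) {
    return null;
  }
}

// Hypothetical validator (name and shape are assumptions of this example) for an
// install request of the form used in the post's test case:
//   { packageName: { URL: '...', IconURL: '...' } }
// Returns a list of reasons to refuse; an empty list means the request is clean.
function validateInstallRequest(requestingPageUrl, allowedOrigins, packages) {
  const problems = [];
  const origin = originOf(requestingPageUrl);
  if (origin === null || !allowedOrigins.has(origin)) {
    problems.push(`origin ${origin} is not on the allowed-sites list`);
  }
  for (const [name, pkg] of Object.entries(packages || {})) {
    if (!pkg || typeof pkg !== 'object') {
      problems.push(`${name}: malformed package entry`);
      continue;
    }
    if (!isSafeResourceUrl(pkg.URL)) {
      problems.push(`${name}: URL uses a disallowed scheme`);
    }
    // IconURL is optional, but when present it gets exactly the same check.
    if (pkg.IconURL !== undefined && !isSafeResourceUrl(pkg.IconURL)) {
      problems.push(`${name}: IconURL uses a disallowed scheme`);
    }
  }
  return problems;
}

// Constructed sample inputs. The allowed site is the one the post tells the
// reader to add; SAMPLE_TEST_CASE mirrors the post's test case.
const SAMPLE_ALLOWED = new Set(['http://sudasudacoffee.blogspot.com']);
const SAMPLE_PAGE = 'http://sudasudacoffee.blogspot.com/2005/05/some-post.html';

const SAMPLE_TEST_CASE = {
  blah: { URL: 'http://www.mozilla.org', IconURL: "javascript:eval('alert(Components.stack)')" },
};

const SAMPLE_BENIGN = {
  myext: { URL: 'https://example.invalid/myext.xpi', IconURL: 'https://example.invalid/icon.png' },
};

function demo() {
  console.log('test case from the post:', validateInstallRequest(SAMPLE_PAGE, SAMPLE_ALLOWED, SAMPLE_TEST_CASE));
  console.log('benign request:', validateInstallRequest(SAMPLE_PAGE, SAMPLE_ALLOWED, SAMPLE_BENIGN));
  console.log('not on allowed list:', validateInstallRequest('http://other.invalid/', SAMPLE_ALLOWED, SAMPLE_BENIGN));
}

demo();
```

The first call reports only the IconURL scheme, which is the line of defence the post's workaround ("allow websites to install software" unchecked) removes the need for; the third shows that a page not on the allowed-sites list is refused before its URLs are even looked at. Allow-listing schemes, rather than blocking javascript: alone, also covers data: and chrome: URLs without a separate rule for each.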
Update on 12 May:
Fixed:
On 11th May itself, updated version 1.0.4 was rolled out. You can download your copy at http://www.getfirefox.com
23 Comments:
It's boingboing.net, not boingboing.com.
Oops. Thanks. Will change it soon.
Kika Gops, Sorry about the long delay. I promise to update this tomorrow. Today I need to worry about http://sudasudacoffee.blogspot.com first.
Lol....do lemme know who started the tag chain...:p!!!
Thanx 4 droppin by my blog on ur tag journey!!!
Can u tell me what's so good abt Firefox? Why is everybody in the software industry so eager to spread
I don't think Windows is wrong when it bundles IE with its OS.
Anyways, I think I have decided to get it... even though I don't use Linux.
Anubhav, Here are some of the reasons for me to use Firefox:
1. Bug Fixing:
Bugs are fixed in matter of days instead of months or years.
Firefox 1.x:
Total No of Bugs: 17
No of Unpatched: 4
http://secunia.com/product/4227/
IE 6.x:
Total No of Bugs: 80
No of Unpatched: 19
http://secunia.com/product/11/
2. Innovation:
After all, when was the last time a new feature was added by MS to IE? If it weren't for Firefox's growing popularity, there wouldn't have been any planning for the next version of IE for a few more years.
3. Peer Review:
In fact, the Mozilla Foundation opens up the source code and challenges anyone to find a security bug. Finders of bugs are given a monetary reward. Still, fewer security bugs have been discovered than in IE (where one finds the bug by reverse engineering the code).
4. W3C compliant:
IE doesn't implement CSS standards fully. So website developers first have to develop once as per the standard and then modify/tweak/patch/work around to make it work with IE. As a website designer (if you have edited blog templates), you will be able to appreciate the lost productivity. Waiting for the day these guys implement CSS2, PNG alpha transparency, the XHTML MIME type, the box model and other standards set forth by the W3C.
5. Tabbed Browsing:
If, like me, you want to browse several websites simultaneously, you are forced to open several IE windows. It not only takes more memory but is also cumbersome to navigate back and forth. In Firefox there are tabs, so different pages are different threads: lightweight, and it increases your productivity.
6. Adwares / Spywares:
Perhaps the worst design decision of the decade was IE's support for ActiveX. Where else can one install applications just by visiting some website? Leave a Windows PC with IE connected to the net (without a firewall) and I can bet that it will be infected on the first day itself (though tests have shown that 20 minutes is all that is required to infect it).
7. Extensions:
There are so many extensions developed by the user community:
a) Session saver: I can just close the browser. When I restart, I have all the tabs with all the pages loaded, just like the way it was when I closed it.
b) Mouse Gestures: One needs to use it to realize its advantage
c) GMail Notifier
d) Foxytunes: Control all my media players from within Firefox itself.
e) Adblock: Just blacklist ad servers so that they aren't loaded.
And there is a huge list. One can't do justice by listing them here.
8. Pop-Up Blocking:
It has built-in pop-up blocking, which IE has only on WinXP SP2.
9. Choice:
More importantly, I have a choice. The day IE releases a better version than its competitors, I am ready to switch. Till then I can't even uninstall IE (if you can, do let me know how you did it).
Thanx for the info sir,
well I was not aware of the W3C compliance thing
but actually, if u realise, Opera also has the same features
but for me the most important wud be the choice factor... silly me... didn't realise it is not possible to uninstall IE
anyways thanx for the info...
Hey, I didn't know about the bugs. I haven't kept myself up to date with what's going on :-(
But that's good to know!! Thanks!
Hi Deepak...thanks for coming by...
Ram.
Kika, promises are meant to be broken. Isn't it? ;-) Sorry, I couldn't get time at all to post here. Though I have the content...
D4u, I have given up trying to search for it manually. Maybe I should write an automated bot which will crawl and find the details.
Kroopa, Thanks for dropping by. Hey, the bugs were fixed a long time back. Maybe I should change the title of this post. BTW I am a great fan of open source in general and Firefox specifically.
RustedRim, Thanks to you too for dropping by. Keep up the good work in Jayanagar.
Hey, good info about Firefox. I didn't know abt it.
And thanx for dropping by my blog :)
Arathi,
Thanks to you too for linking this site. Though my main blog is http://sudasudacoffee.blogspot.com only.
Greetings from North Cack-A-Lacky! I enjoyed your thoughts, although I give Firefox even a little more credit than you do, I think ;) See what I mean here: opera vs firefox
nice
nice post
Nice article.
Good article
It's very true
Nice article thanks
Nice article thanks
Good.
Very useful article. thanks
Awesome.