Exploit code chases two Firefox flaws (May 9, 2005)

ZDnet ^ | May 9, 2005 | Dawn Kawamotot

[CometBaby]

If you use the Firefox browser .. read this !! .. Two vulnerabilities in the popular Firefox browser have been rated "extremely critical" because exploit code is now available to take advantage of them. The cross-site scripting and remote system access flaws were discovered in Firefox version 1.0.3, but other versions may also be affected, said security company Secunia, which issued the ratings Sunday.

[demlosers]

I'm using Firefox 1.5

[clee1]

Who is still using 1.0.3????

[Darkwolf377]

Oh, great, I just started using Firefox.

I dumped AOL (and in response, my bank and I are battling it out, because AOL kept charging my closed bank account, and the bank kept paying!!!!!), and the other browser I tried kept refusing to open certain pages. I have no idea what's the best browser, but this one seems to work ok.

[Sols]

Someone still living in May 2005, apparently.

[New Perspective]

Who is still using 1.0.3????

LOL, ya, that is like finding someone still driving a Pinto.

[dr_who_2]

...which appears to be rather unstable, although the crappy plugins I'm using could be to blame perhaps. Seems like no nifty new feature comes without 5 major regressions in the program.

[Mount Athos]

This is absolutely ancient and fixed long ago

[softwarecreator]

I warned all the anti-Microsoft people a long time ago not to gloat too much over Internet Explorer's flaws because the same will happen to FireFox.

The more people use it, the more vulnerabilities will be revealed.  Pure common sense.

[demlosers]

Because it's still in Beta release.

[Sols]

Anything wrong with the way Firefox displays a website is the problem of the person who built that site. Not Firefox.

[Bloody Sam Roberts]

Who is still using 1.0.3????

Someone who doesn't want to ever download and use any other extensions than the ones they have already installed?

[My2Cents]

1.0.7

[Sols]

No it's not.

[Bloody Sam Roberts]

...which appears to be rather unstable

I was reluctant to upgrade. But I did. It's been just as stable for me as 1.0.7. No problems at all yet.

[demlosers]

Not very long ago:

Mozilla Firefox 1.5 Released

Tuesday November 29th, 2005

The final release of Mozilla Firefox 1.5 is now available for download from GetFirefox.com for most major operating systems or from the mirrors. Users of the release candidates should receive the update soon.

http://www.mozillazine.org/talkback.html?article=7736

[CometBaby]

I'm running Firefox 1.5 as well .. you have to go in and clean our your History cache and set it to store for zero days. What I am hearing, is that it is presently affecting all versions .. even this newest one. They are working hard on a patch.

Here is the official statement from Firefox: http://www.mozilla.org/security/history-title.html

Also, a warning has now come out for Opera .. apparently the same problem. Here is the story on Opera: http://secunia.com/advisories/17963/

[Sols]

So what you're saying is, 1.5 is not in beta. Which is what I said. ;)

[CometBaby]

This is absolutely ancient and fixed long ago

If you think this is ancient, read the official statement from Firefox

http://www.mozilla.org/security/history-title.html

[demlosers]

Well, it was the last time I looked before a few minutes ago...time flies

[Sols]

The history title issue is in no way related to the very old iframe and InstallTrigger bugs. They are two entirely different things. An article from MAY 2005 is in fact ancient news in DECEMBER 2005.

Hello folks, let's read the article we're discussing, please.

[NoCmpromiz]

Ummm.... The article you posted is from May. That's like seven months ago. In case you missed it, Mozilla fixed this almost immediately. (As opposed to myriads of IE flaws that MS knows about but takes years to fix...)

Maybe some attention to date would be in order, since this certainly is not 'breaking' news!

[burzum]

The most important thing that Firefox did was break Microsoft's monopoly on the browser. Now IE has popup blocking and the next version they will have tabs. Other features will follow. This is a good thing. While I have no problem with a natural monopoly, I believe that Microsoft abused their monopoly with the browser wars. Now that the browser wars have started again the quality of web browsers has skyrocketed. Microsoft is even faster on fixing security problems.

I use Firefox because I can't live without tabs and a reasonable popup blocker. If Microsoft makes a better browser I may switch (though they are probably about a year and a half behind right now).

[Poser]

Because Firefox has no auto-update function, there are lots of people still using older versions. This security problem will be real if the Microsoft hating virus writers divert their hate for a few seconds.

Of course, that will not happen.

[NoCmpromiz]

You might want to consider moving this from 'latest news' since it is from May, and is no longer an issue...

[CometBaby]

You may be right about that .. I don't recall anything from May. I only know that this is some form of exploit because I was *punked*. I am no techie .. but I am not exactly a newbie as my client is on the net 24/7.

Today I had problems with the slow bootup, and my computer was hanging (I have a P4 with 1 gig of memory)so there is no reason it should.

To make a long story short, I went in and cleared my history cache, set my saved days to zero .. problem gone.

[demlosers]

I'm running Firefox 1.5 as well .. you have to go in and clean our your History cache and set it to store for zero days. What I am hearing, is that it is presently affecting all versions .. even this newest one. They are working hard on a patch.

Will do. Thanks :)

[flashbunny]

Maybe you should warn secunia about hyping problems with a very old version of firefox.

[cooldog]

In the News/Activism forum, on a thread titled Exploit code chases two Firefox flaws, Poser wrote:

Because Firefox has no auto-update function, there are lots of people still using older versions. This security problem will be real if the Microsoft hating virus writers divert their hate for a few seconds.

Of course, that will not happen.

FireFox DOES auto-update ... if/when a little red circle with an up-arrow appears on the right-hand end the menu bar, just give it a single click. Couldn't be easier ...

[PAR35]

I'll just switch back to my Firebird 0.7 version. That should be safe.

[spunkets]

The link

<a href-"http://www.mozilla.org/security/history-title.html>(text goes here)</a>

[thoughtomator]

Version 1 Firefox browser is already on 1.07

[b4its2late]

I'm at 1.0.7

[John Williams]

I'm not using Firefox, per se......

I'm using Mozilla 1.7.11, and it's working flawlessly.

[Poser]

"FireFox DOES auto-update ... if/when a little red circle with an up-arrow appears on the right-hand end the menu bar, just give it a single click. Couldn't be easier"


You are describing something I have never seen. Are you running Linux?

[softwarecreator]

Maybe you should warn secunia about hyping problems with a very old version of firefox

HAHAHA.  Your'e probably right, but a lot of people are already making that suggestion!

[dr_who_2]

Any website that can kill firefox is Firefox's problem.

[cooldog]

I run Firefox on both WinXP and Linux. Let me see if I can find some info for you ....

Here you go: Firefox update info

[smith288]

You are describing something I have never seen. Are you running Linux?

I am on XP and i tnotifies me of an available update as well.

[Poser]

Thanks.

It was so small I never noticed it before.

[CometBaby]

Here is an explanation on the exploit dated Dec 8, 2005 (very recent) about this exploit ..

"Unpatched Firefox 1.5 exploit made public" .

The way it affected me is becuase I leave my browser open and when I came back in the morning, it was chucking down 2GB of ram.

http://news.com.com/Unpatched+Firefox+1.5+exploit+made+public/2100-1002_3-5987401.html

[flashbunny]

from your link:

"Correction: This story incorrectly stated the affiliation of Mike Schroepfer. It also misstated Mozilla's results in verifying the Firefox 1.5 flaw. The problem itself was not a security vulnerability but actually a flaw in the browser, according to Mozilla. In addition, it misstated PacketStorm's assessment of the situation."

[demlosers]

What you described, it looks like Firefox has a "memory leak."

[NoCmpromiz]

Except that the exploit you reference is not the subject of the ZDNet article from May. Here is Mozilla's official response to the current issue:

Long-title temporary startup unresponsiveness

[The Westerner]

How do I know which version I'm using?
I never get popups with Firefox. But I do have trouble using Cookies on it. Sometimes I want to accept something but I had at another time denied its cookie. Firefox could be easier with this. I use Cookie Pal for IE and it's easy to wipe up after.
I have more complaints about Gmail (can't edit anymore and can't link anymore).