Posted on 02/09/2006 9:50:40 AM PST by ShadowAce
Computer code that could be used in cyberattacks on Firefox users has been released, increasing the urgency for people to upgrade to the latest version of the Web browser.
The two pieces of exploit code, posted online earlier this week, take advantage of a security vulnerability in Firefox that Mozilla patched in an update Thursday. In response to the exploit release, the browser maker on Tuesday upgraded the severity rating of the flaw from "moderate" to "critical," its most serious rating.
"This exploit was published after we released the 1.5.0.1 update," said Mike Schroepfer, vice president of engineering at Mozilla. "Most of our users had already been upgraded by the time this exploit was published."
The code could be used to commandeer computers running a vulnerable version of the open-source Web browser on Linux or Mac OS X systems. It has been published as part of the Metasploit Framework, a widely used hacking tool.
The specific flaw exists only in Firefox 1.5 and was fixed in Firefox 1.5.0.1. The problem could cause a memory corruption an outsider could use to run code on a vulnerable PC, according to a Mozilla advisory. The corruption would come from calling the "QueryInterface" method of the Location and Navigator objects in the browser.
Firefox users have already been urged to install the patched version of the browser. Security monitoring company Secunia last week rated the Firefox update "highly critical," and Mozilla has pushed out updates.
If for some reason users have not upgraded, they should definitely do so, Schroepfer said.
This is impossible because we know that open source code is invincible. We've been told. By "They".
Wonder if ver 1.0.7 is at risk?
I keep hearing that.
< Inigo Montoya >I do not think it means what you think it means.< /Inigo Montoya >
I believe it is. I'd recommend going to 1.5.0.1
Arrgh! I missed that. Sorry
Good for them. Patch before exploits are released. Microsoft can learn from this.
Firefox automatically notified me as soon as the update was available.. ( Thursday )
My browser was updated less than 5 minutes later..
I was wondering why fc3 is still rinning 1.0.7 until I read this article...
Probably is, but why keep using 1.0.7?
When I try to download it the dialoge box says it must go to a disc and I cannot change it. Is there a way to download it directly? Thanks
Some of us just want to use the one (RPM) that came with our distro to centralize the update service..
What OS are you patching it on?
For all those complaining about IE and Microsoft flaws...It just goes to show that ANYTING can be exploited....it's just a matter of time and popularity.
FYI
Windows XP
But I have heard people say that the architecture of a program does not matter *ONLY* its popularity and that is flat out wrong.
Well Im using Linux (Fedora) right now so I cant try the update but Ill see if I get time tomorrow..
1.5 was a piece of crap.
I installed it on all my machines and it would hog CPU time like nobody's business. Had to uninstall and go back to 1.07.
My love affair with Firefox is badly damaged. I don't trust what they're putting out anymore.
Can't say I see the reason in that. If software offers its own update service, I say use it.
Of course, I have qualms with using Linux in the first place, so I'll be quiet.
That makes two of us. Every single time Mozilla breaks wind it breaks extensions and themes, one of the features they beat their chest about. They're screwed up the themes and extensions site so that it's a pain to keep going back and finding and reloading it all. (Used to be you could select 50 items on a page, now it's at 10 only. Yawn....)
>>>"Probably is, but why keep using 1.0.7?"<<<
I don't anymore, just spent 5 minutes updating and everything still works fine.
I'm also confused as to whether this is a remote-site issue like we had this January with the Microsoft WMF defect? By that, I mean, can you execute arbitrary code via a link from FR? I'm sure you could post a link to an external site and sucker people into clicking it by saying it was a poll or something though, so I guess the distinction really doesn't matter much.
It's time for Microsoft and Firefox to fund a new class of users - internet bounty hunters.
http://www.freerepublic.com/focus/f-chat/1572512/posts?page=131#131
I don't care to keep track of FireFox, OpenOffice, Gimp, and the dozens of other apps I run so I let the update agent for fedora take care of it. Until there is a seriously compelling feature, Performance enhancement, or security threat to software I'm running Ill leave it that way..
Thanks. See post #10 -- If option is turned on (by default it should be) Firefox will notify automatically if an update is available.
And just who designed it that way? Who designed it for third party stuff? It makes absolutely no sense to have to find another extension because 1.5.0 changed to 1.5.0.1
If I'd been an extension writer, I'd have long ago given up on trying to keep up with the changes, and some have.
Actually, the version number for the 1.5.0 series is 1.5.0.*. There's a reason why most extensions haven't broken after 1.5.0.1 was released.
Windows allows third-party programs to run: does that mean I should be angry with Microsoft when Photoshop screws up? If not, why should I be angry with Mozilla when Adblock screws up?
Redirect your anger. Or just install the Nightly Tester Tools extension, use its Force Extension Compatibility feature, and be at ease.
Don't give me any lectures, fanboi. I can get that garbage at the MoZine forum.
Facts are now lectures? Huh.
I'll give some facts to an adolescent "Mozilla can do no wrong" fanboi.
Mozilla is not ready for Prime Time and never will be. It's only a curiosity for geeks. For close to a year there was a major flaw, where uninstalling Firefox took out the whole frickin' Program Files folder with it. Mozilla should have dropped everything right then and there to address it, but they didn't, and that spoke volumes to me.
To this day there's still RAM problems. The MoZine forum is loaded with threads about lost bookmarks and posts from peckerheads who say it's always the fault of the user. There were some good themes and extensions from the 0.8 days that you can't find any longer because the writers got tired of the crap about having to break it all down whenever Mozilla changed a decimal point.
Why should I sing the praises of something like that? You get Firefox set up the way you like it, and in no time you'll have to raise the hood and tinker tinker tinker, and if you need help you'll damn sure not get it from a forum run over with know-it-all zit farmers.
I gave them their chance. Adblock and Flashblock is all they have left in their favor.
BTW: I have been using firefox since version .3, (when it was still called phoenix i believe), yet someohow I managed to still have the same bookmark file that I've been using for more than 10 years now, though it gets larger every year. I don't know of any IE users who can say the same.
Show me where I said I never had a choice.
I think writing software so that its easy to interface with for a third party is a good thing! Now maybe they need a separate project at mozilla to certify the cream from the crap in the extensions pile but its certainly not the job of the people who code FireFox itself.
If I'd been an extension writer, I'd have long ago given up on trying to keep up with the changes, and some have.
And others have written extensions that survive a version change.
Spoken with all the zealotry and bitterness I'd expect.
Good day.
Also "Mozilla is not ready for Prime Time and never will be. " is a pretty sweeping statement. One tends to wonder what is behind such comments.
Because some poorly written third party software breaks FireFox itself is not ready?
It's only a curiosity for geeks.
A 10% market share says differently, with the exception of IE it is bigger than every browser out there *PUT TOGETHER*. But Im am sure to you there is only one browser and bill gates is its Profit.
For close to a year there was a major flaw, where uninstalling Firefox took out the whole frickin' Program Files folder with it.
So because it *used* to have a flaw its not now ready for prime time? wow!
Why should I sing the praises of something like that?
Who asked you to? my question is why are you trolling FR threads and, apparently, MoZine for something you dont use and dont like?
What an ignorant statement.
Accurate after the recent WMF fiasco.
Ooooh la la! All of a sudden I have three fanbois on my back, alluding that I'm some kind of MS troll. If the fanbois would'nt get so frenzied they might check out my posts over the years concerning Mozilla, my fights with Bush2000, etc.
All you guys are doing is making my point for me. I or anyone else need not go to MoZine to find the zit farmers who knows all.
Firefox is not ready for the general populace. It's still a lab rat.
Live with it.
I don't think you're an MS troll, I never said so... I asked if you don't use firefox and hate firefox why are you here and why do you spend so much time on MoZine?
All you guys are doing is making my point for me.
Hmm what point would that be, people here have asked question and gotten at worst "Ill have to look at that later but Ill check it out for you". You OTOH came spoiling for a fight.
Firefox is not ready for the general populace.
Based on what? some people have written bad third party software for it? the fact that when it was beta more than a year ago the upgrade utility was poorly implemented? the fact that they dont lock people out of interfacing and writing extensions for it? or the fact it has a higher market share than every browser on the market except IE?
Why not? That's the standard for blaming Microsoft.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.