Comments on: Unpatched Firefox 1.5 exploit made public

A flaw in the open-source browser's history.dat file potentially puts users at risk of a DoS attack.

[KTLA_knew]

<cough>

<cough>

[libertyaikido]

Here's a lozenge.

Here's a lozenge.

[System Tyrant]

My understanding.

Someone correct me if I am wrong here, but I would have to visit a site that performs the exploit in order for this to actually affect me. So if I don't visit sites I'm not familiar with then I shouldn't be affected (assuming the site wasn't hacked).

However, Mozilla needs to get a fix out for it ASAP. A flaw is a flaw no matter how hard or easy it is to exploit.

[Nathan Lunn]

Correct

Not only do you have to visit a site, but the proof of concept requires you to click a link (not that that would necessarily be required on the site you visit).

[jpickett]

As with 'most' browser flaws

You're correct. Most browser bugs in general require you to go to a site that intentionally exploits the hole, whether it be Firefox, IE, Opera, etc...

[elioncaplan]

Now that you've scared us...

How does one disable the history.dat file?

[Eskiegirl302]

Go to tools then

Options>Privacy>History Set the save history to 0 Days

[Stating]

Bugs 'O Plenty

After using v1.5 for 2 days I had to revert back to v1.0.7. Problems I ran into included broken images on pages (which refresh did not fix), cookies that didn't stick, and jumpy scrolling. My impression is that this is NOT a very good release of the product.

[PlaceHolder]

Sounds like bad luck to me

Hard to know if it was just back luck, or whether you go to some "out of the way" sites... but I use Firefox 1.5 for browsing on mainstream sites (such as this one, news.com) and have never had those kinds of problems. Not that I haven't had other problems (such as pages appearing to never finish rendering, or the URL text being out of sync with the current tab) but in general I found 1.5 to be much faster and stable that 1.07.

[katamari]

I'm glad you call it a product.

Because I do as well -- although most open-source advocates would argue with you and I on this point. "It's not a product, a product is something you buy or pay for. This is free, as in free beer. You should write a patch and submit it."

*yawn* Same old rhetoric...

[Stating]

Disabling History

Tools/Options/Privacy/History set Days=0

[hansschmucker]

Exploit seems to work on only a very limited number of systems

I don't know who tested this exploit, but it seems like the majority of users is not affected... The majority of posts about this on Heise.de is about the exploit not working, and I couldn't get it to work on Firefox 1.5 / XPSP1 either... seems like a publicity stunt to me.

[System Tyrant]

I thought...

they said it worked on Windows XP SP2.

[Hernys]

Publicity stunt?

It's not. It's a security vulnerability. If it's less serious than others, good. But reporting a security vulnerability is far from a publicity stunt.

[pentium4forever]

False bug reported or a bug that is hard to exploit

I haven't noticed anything like this yet. I downloaded the 1.5 release the day it was released. I don't visit any sites I'm not familiar with. If the Mozilla team can duplicate this problem then that's another story. It seems most people can't even get this exploit to work. At least it's not a security flaw!

[Hernys]

Security flaw: yes

Denial of service is one of the categories of a security threat, so this IS a security flaw. Denial of service vulnerabilities are generally considered less serious than information disclosure and remote code execution, but they are still serious vulnerabilities. And the fact that the publisher hasn't acknowledged it or that you haven't been attacked yet doesn't mean it's not real.

[CharlesAK]

Did not even know.

I did not even know about this flaw and I upgraded the same week it came out. The thing is though I never use my history so I always set it to erase after 1 day and use firefox's new feature to clean out my history, saved form info, download history, cookies, cache, and authincated sessions. Thats everything except my saved passowrds. I also have zone alram that earses all my tracks and another program that erases all history on my comp and get rid of excess junk on the hd. Anyways if this is a flaw it's not bothering me at all I am happy with my firefox browser and I think they are doing a great job!

[Eskiegirl302]

FireFox

As long as there is technology (and this will now be forever) there will be new products, new flaws to go with them, virus writers, testers, analyst, patchers, open source, and whatever else you can think of. This is the computer world. I love it, you love it (or you would not be on one) and the whole world loves it. Information is key to being safe. Knowledge about your systems, and knowing what you are doing with it is what is going to keep you up and running.

Finding out about flaws and vunerability, may be somewhat scary, but researching, asking the support teams questions, putting the info you know out here so we all can stay ahead of the game, is the computer world.

If I find news on here say, I will visit many sites to find what I need to understand what to do.

Stay safe all

[bjbrock]

The contents of this article are incorrect!!!!

Follow the link in this article to SANS and find out the truth. The browser does NOT crash and NO DOS attacks can be proven!!!!

This is pitiful journalism!!!

[driftwolf]

Should change the headline

Sure, they posted a correction, but the headlines remains, trumpeting a simple bug as a deadly security flaw. If crashing is a symptom of a security breach, then Microsoft, and most other software makers, should be in court on charges or something.

What a load of utter crap, written by someone without a clue. I want to know who is paying CNet to publish **** like this?

News.com keeps this up, they're going to lose any sort of respect they might have had.

Oh, wait, they already have. As you were then.

[grey_eminence]

firefox - What a joy to use.

I love Firefox and the options.