September 14, 2005 8:26 PM PDT

New Firefox, Mozilla releases to fix bugs

The Mozilla Foundation plans to "shortly" release new versions of its Firefox and Mozilla Web browsers to address a serious security bug disclosed last week, as well as several additional flaws, a representative said Wednesday.

The decision to ship so-called point releases was made after last week's disclosure of a problem in the way the browsers handle Internationalized Domain Names, or IDNs, Web addresses that contain non-ASCII characters. The vulnerability could let an attacker run malicious software on a user's PC without the user noticing, and hackers have been working on exploits for the flaw.

"As soon as we got the report that users might be impacted, we began evaluating our options," said Mike Schroepfer, director of engineering at the Mozilla Foundation. Firefox version 1.0.7 and Mozilla version 1.7.12, which fix the IDN flaw, are now being tested, he said. "We're releasing as soon as we possibly can."

The testing process is to make sure the updates don't introduce any compatibility problems, he said.

In addition to patching the IDN bug, the new releases include one functionality fix and a handful of fixes for security problems that have not yet been disclosed, Schroepfer said.

The Mozilla Foundation, which distributes and coordinates the development of Firefox and Mozilla, responded swiftly to the IDN bug disclosure last week and within 24 hours provided a temporary workaround. That workaround simply disables IDN support; the updates now in testing fix the underlying vulnerability and re-enable IDNs, Schroepfer said.

IDNs have caused trouble for Mozilla in the past. A Firefox security update in February fixed a flaw that allowed domain spoofing with look-alike internationalized domain names.

As the Mozilla Foundation and the open-source community were working on the IDN flaw, the discoverer of that bug reported yet another issue with Firefox. Security researcher Tom Ferris said Wednesday that Firefox 1.5 beta 1 is vulnerable to a problem similar to the IDN bug he disclosed last week.

Another Firefox flaw?
Even with the workaround that disables IDN installed, a buffer overflow vulnerability exists in Firefox 1.5 beta 1, Ferris wrote on his Security Protocols Web site. The problem is a variant of the original IDN bug, he wrote.

Buffer overflows are among the most commonly exploited classes of security bug. One occurs when a program writes data past the end of the memory region allocated to hold it, overwriting whatever happens to sit next to that region. When the overlong input comes from an attacker, the overwritten bytes can include values the program later treats as addresses or control data, which is how an oversized Web address or hostname can be turned into execution of attacker-supplied code.
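The following is an added illustration of the bug class the article describes, written for this page; it is not Mozilla's code and does not reproduce the IDN flaw itself. It shows a naive hostname copy whose length check is off by one beside a hardened version, plus a helper that predicts, without performing the copy, whether a given input would push the vulnerable routine past the end of its buffer. The buffer size HOST_MAX and all function names are assumptions chosen for the example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed example: a fixed-size hostname buffer of the kind a naive
 * URL or IDN handler might use.  Nothing here is Mozilla's code. */
#define HOST_MAX 64

/* Length of src, never scanning more than limit bytes, so an
 * unterminated source cannot drive the scan past its own storage. */
static size_t bounded_len(const char *src, size_t limit)
{
    size_t n = 0;
    while (n < limit && src[n] != '\0')
        n++;
    return n;
}

/* Vulnerable form.  The guard is off by one: a name of exactly dstlen
 * characters passes, and strcpy then stores dstlen + 1 bytes (the name
 * plus its terminating NUL) into a dstlen-byte buffer.  The extra byte
 * lands on whatever the compiler placed after the buffer.
 * Returns 0 on success, -1 when the input is rejected. */
int copy_hostname_unsafe(char *dst, size_t dstlen, const char *src)
{
    if (strlen(src) > dstlen)   /* BUG: must be >= dstlen */
        return -1;
    strcpy(dst, src);           /* may write one byte past the end */
    return 0;
}

/* Hardened form.  Reserve one byte for the terminator, reject anything
 * that would not fit, and copy an explicit byte count rather than
 * trusting strcpy to stop in time. */
int copy_hostname_safe(char *dst, size_t dstlen, const char *src)
{
    size_t n;
    if (dst == NULL || src == NULL || dstlen == 0)
        return -1;
    n = bounded_len(src, dstlen);
    if (n >= dstlen)            /* n characters plus NUL need n + 1 bytes */
        return -1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 0;
}

/* Predicts, without performing the copy, whether copy_hostname_unsafe
 * would overflow a dstlen-byte buffer for this input: the input passes
 * the faulty guard yet needs more than dstlen bytes including its NUL. */
int unsafe_would_overflow(size_t dstlen, const char *src)
{
    size_t len = strlen(src);
    return len <= dstlen && len + 1 > dstlen;
}

/* Fill out with len copies of fill followed by a NUL; out must hold
 * len + 1 bytes.  Used to build the constructed inputs below. */
void make_name(char *out, size_t len, char fill)
{
    memset(out, fill, len);
    out[len] = '\0';
}

int main(void)
{
    char buf[HOST_MAX];
    char longname[HOST_MAX + 1];    /* exactly HOST_MAX characters */

    make_name(longname, HOST_MAX, 'a');

    printf("safe copy of 'example.org' returns %d\n",
           copy_hostname_safe(buf, sizeof buf, "example.org"));
    printf("safe copy of 64 x 'a' returns %d\n",
           copy_hostname_safe(buf, sizeof buf, longname));
    /* The unsafe routine is deliberately not called with longname:
     * that call is the overflow, and its behaviour is undefined. */
    printf("unsafe copy would overflow on 64 x 'a': %d\n",
           unsafe_would_overflow(sizeof buf, longname));
    return 0;
}
```

The vulnerable routine is only ever invoked on inputs that fit; the prediction helper exists so the overflow condition can be shown without executing undefined behaviour. The safe routine also refuses a zero-length destination and bounds its scan of the source, the two additional checks a reviewer would expect around any fixed-size copy of network-supplied strings.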

Firefox 1.5 beta 1 was released last week and is a test version of a new Firefox browser due out by year's end.

The Mozilla Foundation is investigating Ferris' latest report, Schroepfer said. "At this time, we're not sure whether it is a vulnerability," he said.

The latest problem occurs only in the beta release, which is meant for testing only and typically has bugs. The beta has been downloaded about 500,000 times, according to Schroepfer.

Firefox has risen in popularity in recent years as a viable alternative to Microsoft's Internet Explorer. Though its market share slipped slightly recently, researchers estimate that between 8 percent and 9 percent of the Internet population uses the open-source browser.

Security has been a main selling point for Firefox over Internet Explorer. However, Firefox has had its own security woes: numerous serious holes in the browser have been plugged since its official release, and experts have said that no Web browser is free of exploitable bugs.

12 comments
How to be safe
by thedreaming September 15, 2005 6:27 AM PDT
The internet used to be like a large library where any information was available. Now, it's more like a huge shopping mall and every 5 feet, someone is trying to sell you something, every 10 feet, someone is trying to get your attention and every 15 feet, someone is trying to either put something in your back pocket or take something out of it!

I treat the internet like sex, if you want to play, you gotta have plenty of protection.

I don't use IE, I use Firefox and when a security flaw is found for it, I switch to Opera.

I have a firewall as well as an antivirus program and I scan for spyware every other day and I keep them all updated.

In the end, my best defense is not to be online at all.
On behalf of J. Newcomer
by JorisEvers September 19, 2005 4:24 PM PDT
Posting on behalf of J. Newcomer of Pittsburgh, PA.

It is unfortunate that when finger-pointing about people being clueless about security arises, NOBODY points to the childish and/or incompetent Web designers who insist upon having client-side scripting in their Web sites. Most security exploits I am aware of are coupled to the ability of a browser to run scripts. Lacking that, the fact that browsers run in the same unrestricted security state as the logged-in user is indicative of the irresponsible people who implement browsers that can do this. I run my browser highly restricted. No ActiveVirus controls, no JavaVirus or VBVirus scripting. I run it from an account that has access only to the Web page cache and one download directory, which has no access to any other part of my file system and has no access to the Registry other than a few keys for the browser. It took a long time to figure out how to do this. As a consequence of this, I cannot post TalkBack, because the sociopaths at CNet think that I should enable some form of scripting in order to post talkback comments. As long as people exist who are this mentally handicapped, we will not have security (in earlier eras, people who broke into your home and wandered around in it, and in fact thought it was their right to do so, would be incarcerated; now they become Web designers). The rule is simple: NO CLIENT-SIDE SCRIPTING, EVER! In an era of 2400-baud modems, there may even have been an excuse for this; in an era of broadband, if you can't do it on your server with nothing but passive HTML on my side, I don't want to use your site, period. Besides, there's always a competitor who doesn't require client-side scripting. If we just dug in our heels and said "I've had enough and I'm not going to take it any more", and major corporations blocked all client-side scripting at their corporate firewalls, this problem would go away. The "clueless users" someone referred to are (a) those people too stupid to realize that client-side scripting is an invitation to malware invasions, most especially including all corporate security divisions, and (b) those people who are stupid, irresponsible, or malicious, and thus think it is their right to demand that I open my home to their unsupervised wanderings. Once we solve these problems, we will have much better security. It only takes a little adult responsibility. Only children and terrorists love client-side scripting. Those who are not terrorists are merely unsupervised children playing with loaded weapons.

I'd post this on talkback, but I can't. Some of those children are employed by cnet. When you get mature Web designers who don't drool when they hear the phrase "site security", I will be able to participate.