Forgot your password?
typodupeerror
Firefox Bug Mozilla Security Technology

Mozilla Plans Fix For Critical Firefox Vulnerability In Next Release 140

Posted by Soulskill
from the sooner-than-later dept.
Trailrunner7 writes "A month after an advisory was published detailing a new vulnerability in Firefox, Mozilla said it has received exploit code for the flaw and is planning to patch the weakness on March 30 in the next release of Firefox. Mozilla officials said Thursday that the vulnerability, which was disclosed February 18 by Secunia, is a critical flaw that could result in remote code execution on a vulnerable machine. The vulnerability is in version 3.6 of Firefox."
This discussion has been archived. No new comments can be posted.

Mozilla Plans Fix For Critical Firefox Vulnerability In Next Release

Comments Filter:
  • There's a disturbing amount of "Microsoft" in this.
    • Re: (Score:3, Informative)

      by bunratty (545641)
      The flaw was disclosed to Mozilla only recently (perhaps just a few days ago), and there is already a patched build available.
      • The flaw was disclosed to Mozilla only recently

        Well, we don't actually know when the flaw was disclosed. We only know that it was acknowledged to be disclosed recently, but it could have been a while back. However, I don't have a problem with it taking time to do the find, fix and test. The fix for the bug may have ramifications in other parts of the code, and it takes time to check this.

        I think people can be a bit unreasonable with their expectations of patch times.

      • https://bugzilla.mozilla.org/show_bug.cgi?id=552350 [mozilla.org] Please see this bug if you are running FF 3.6. I have a sneaking suspicion that it's the culprit. I wouldn't mind anyone reproducing it, it's sitting unconfirmed as I reported it.
    • Re: (Score:3, Informative)

      by wizardforce (1005805)

      Mozilla already has released a beta build of Firefox 3.6.2, which contains the fix for the unpatched vulnerability.

      A fix already exists, it's just not in the official release.

      • Re: (Score:2, Informative)

        by Anonymous Coward

        1) about:config
        2) app.update.channel = beta

        And join the beta testers :)

      • Re: (Score:1, Troll)

        by AmberBlackCat (829689)
        Is this the part where some government official is supposed to recommend people stop using Firefox until March 30th, or does that only apply to Internet Explorer?
      • Alternatively, users can download Release Candidate builds of Firefox 3.6.2 which contains the fix from here:

        https://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/3.6.2-candidates/build3/ [mozilla.org]

        • Re: (Score:3, Informative)

          by camperslo (704715)

          The 3.6.2 beta has worked fine for me, but those uncomfortable with that and not willing to wait can avoid the bug by using a 3.5x version. The vulnerability is only in 3.6 series releases.

          • by jonadab (583620)
            > The vulnerability is only in 3.6 series releases.

            I should be fine, then. I downgraded to Firefox 2 after I got tired of losing data (specifically, open tabs) to two different bugs that were introduced in 3.0 and are still present in 3.6.

            Maybe Firefox 4 will be better...
      • This seems like a very risky strategy to me. If the vulnerability is already in the wild they should be pushing out the fix ASAP. If it's not in the wild they should be keeping details quiet until they can make a proper release.

    • "But, does it run on Linux?"

      Hey, if the damned exploit won't run on Linux, then it's not a real exploit, is it? This kind of thing kinda pisses me off. There are all KINDS of neat software out there, that just won't run on Linux. It's definitley not fair. I think it might even be illegal. In today's modern world, no one is supposed to be excluded from anything. Not even nerds!!

  • Ok, so, since the summary didn't make this clear and I didn't find any explanation in the article, maybe someone on Slashdot can shed some light on this. What took Mozilla so long? It's a critical vulnerability that allows remote code execution. Why did is it taking over a month to fix?

    • Re:What kept them? (Score:4, Informative)

      by bunratty (545641) on Saturday March 20, 2010 @12:16PM (#31549916)
      Because the vulnerability was not disclosed to Mozilla at first.
    • Re: (Score:1, Insightful)

      Also if this was IE, browser fanboys would take the flamebait oh-so-quickly. Every browser has its own issues. Deal with it.
      • by NotQuiteReal (608241) on Saturday March 20, 2010 @12:19PM (#31549930) Journal
        Lynx is pretty secure
        • Well, the code surface area exposed is pretty small, and the code is old and stable, but how do you know? Have you checked, ran a fuzzer against it? (Only half joking. The punchline being, you never do know until you go look.)
        • by TheLink (130905)
          > Lynx is pretty secure

          Yeah, no botnet creator in his right mind is going to target lynx.
        • by csmanoj (1760150)
          Wow. If only someone added images, javascript and css support (and still kept it secure), I'll dump all these other browsers.
        • by 68kmac (471061)

          Lynx is pretty secure

          Even Lynx has had security issues. While searching for an example, I found this [cgisecurity.com], which is even better ;-)

      • Re: (Score:3, Insightful)

        If it's patched on March 30 then that's just over a month since it was revealed. That's not too bad and better than Microsoft's record as a whole.

        No one claims Firefox is perfect (or any browser for that matter) but IE gets more grief because it most certainly has more problems than the rest. If it weren't for competition as well we'd probably still be stuck on IE6 too since MS was quite happy to stop updating IE when they thought they had the market cornered.

        So no need to get defensive about an awful
        • Re: (Score:2, Flamebait)

          No one claims Firefox is perfect

          Part of the problem with trying to have a sensible discussion on this topic is that so many people do pretty much claim $FOSS_APP is perfect: with enough eyes, all bugs are shallow, yada yada. If a large chunk of your culture and advocacy is based on that sort of foolishness, you're bound to get negative press when inevitably you can't always live up to your own hype.

          Even the parent poster seems to be somewhat guilty of this, throwing in a couple of knee-jerk IE bashing responses. Have you actually looked a

          • by Korin43 (881732)
            Oh my god! Not all of the tabs in the same process! That's the worst security problem I've ever heard of!
            • It's a fundamental flaw in the architecture, which allows (at a minimum) any web page to trivially lock up the entire browser, causing the loss of whatever is being done in the other tabs.

    • It's a critical vulnerability that allows remote code execution. Why did is it taking over a month to fix?

      Answer: Further details available in Customer Area [secunia.com]

      • Re: (Score:1, Interesting)

        by Anonymous Coward

        Regardless of your stance on full disclosure, disclosure in return for payment seems to be little more than extortion. I'm going to blame this one on secunia.

  • Just because you run Firefox, you can't relax about malware attacks. Not on Windows anyway. Imagine how quickly an exploit of this type could be integrated into a malware kit, already running on countless compromised sites? No one can relax about buffer/stack smashing, dangling pointers, etc..., until there's a bulletproof safeguard against them built into the OS/processor architecture.
    • by causality (777677)

      Just because you run Firefox, you can't relax about malware attacks. Not on Windows anyway. Imagine how quickly an exploit of this type could be integrated into a malware kit, already running on countless compromised sites? No one can relax about buffer/stack smashing, dangling pointers, etc..., until there's a bulletproof safeguard against them built into the OS/processor architecture.

      Agreed. Personally I use Gentoo Hardened [gentoo.org] with PaX and Grsecurity in the kernel plus a hardened toolchain and userspace measures against buffer overflows. That includes things like address randomization, non-executable pages, mprotect() restrictions, etc. Further measures are also available, like capability systems. It's good, though I would not call it "bulletproof", not even if I thought it was.

      Really none of this is any substitute for patching known vulnerabilities. What it does provide is a secon

      • Personally, I just run Arch with the standard security (ASLR, not sure about NX), and use an OpenBSD VM when I need to touch "places" that have a risk for targeted attacks. I even run sudo without password prompting. For hardening Windows boxes, take a look at eEye's products? Frankly, however, I don't know about exploitation prevention frameworks/apps on Windows (other than signature-based IDS) either.
      • by fluffy99 (870997)

        I'd be interested in knowing what options are available for similarly hardening Windows. What I'd really like to see is for the average system to become difficult enough to compromise that there is no longer fertile ground for automated attacks and the botnets that follow. I think that's achievable too, if we really wanted to do it.

        You could start with using the features already provided in Windows http://technet.microsoft.com/en-us/library/cc507874.aspx [microsoft.com] and http://www.microsoft.com/downloads/details.aspx?familyid=A3D1BBED-7F35-4E72-BFB5-B84A526C1565&displaylang=en [microsoft.com].

        The nice part is that almost all of the security settings are trivially deployed via Active Directory and GPOs. Deploying Linux security settings in a corporate environment generally involves rolling your own scripts and distribution methods.

        I'm not saying Windows does

    • Re: (Score:3, Interesting)

      by Rick17JJ (744063)
      I run Firefox sandboxed from within SandboxIE on my Windows XP computer. SandboxIE builds a virtual sandbox around the default browser on a computer. In addition, my computer is set up to where I am normally logged in with a user name. I only log in as administrator, when needed. I also use the NoScript and Adblock Plus extensions for Firefox. I only enable the running of scripts for certain Websites that I trust. Perhaps, those measures might help, but I am not a computer expert and do not know for sure.

      I
  • by mrsteveman1 (1010381) on Saturday March 20, 2010 @12:36PM (#31550036)

    Why are companies so unwilling to micro-patch their software? If Mozilla has a fix NOW, why are they waiting another ~2 weeks to push it out with the next minor upgrade? Just to avoid making users upgrade too often?

    • Re: (Score:3, Informative)

      by marcansoft (727665)

      QA. New releases need to go through QA anyway to make sure they haven't botched anything up.

      Usually the release process for a large piece of software requires a certain degree of human interaction (anywhere from light to extreme), and there's always the possibility that something will mess up, even if the bugfix itself is perfectly trivial or safe.

      • So you can get the untested version now which may or may not fix the vulnerability and potentially botch-up your system. This is better than waiting until March 30th in what way?

      • Yes, i know.

        I'm asking why companies insist on patching 20-30 things all at the same time, surely it is easier to test for regressions when you're only including a single patch? Why can't you patch, test, release, and move on to the next problem?

        Isn't this what MS does with their micro-patch KB fixes?

        • by breser (16790)

          I interviewed with Mozilla a few years back when they were looking for a Release Engineer. I think you underestimate the amount of work that goes into producing a release. Firefox is released in 70+ languages for 3 platforms. On top of this they release upgrade versions and not just full binaries, which of course is different for each platform. So you're looking at around 420+ different versions. There are also branded versions as well, which adds even more versions.

          This was a few years ago and they we

          • Right, but isn't the end result of the way they do things right now, an increase in the time between disclosure and patching of critical security vulnerabilities?

            • by breser (16790)

              First of all I think you need a timeline to help you understand how this vulnerability was handled:

              Feb 1st, 2010: VulnDisco is updated with a zero day exploit for Firefox 3.6. No details on how the exploit works are provided. The exploit is only available in binary form when you buy a copy of VulnDisco. Some people buy VulnDisco and have difficulty in making the exploit work. https://forum.immunityinc.com/board/thread/1161/vulndisco-9-0/ [immunityinc.com]

              March 16th, 2010: First 3.6.2 nightly builds that contain a fix are

        • by tlhIngan (30335)

          Yes, i know.

          I'm asking why companies insist on patching 20-30 things all at the same time, surely it is easier to test for regressions when you're only including a single patch? Why can't you patch, test, release, and move on to the next problem?

          Isn't this what MS does with their micro-patch KB fixes?

          Because you'd be running the test case 20-30 times? And people really, really, really hate updating their software hourly?

          That means for each patch they have to go through a whole release test of the software,

      • by AmiMoJo (196126)

        Surely the QA should not take that long though. There are plenty of people willing to test the code.

        Microsoft uses the excuse that they need to test every language on every OS version in every configuration but what is worse - breaking the Hungarian version on Windows XP SP2 or leaving everyone with an unpatched critical vulnerability for weeks?

        • by BZ (40346)

          > There are plenty of people willing to test the code.

          Are there? The number of people testing your typical Firefox minor release is about an order of magnitude lower than the number of people testing bleeding-edge Firefox trunk last I checked. And it's at least two orders of magnitude lower than the number of people testing a major release beta.

          If you talk to the Mozilla QA and release folks, one of their big problems is in fact the lack of minor release testers...

    • by oldhack (1037484)
      Uhh... cuz it takes time to write and test patches and not add more (security) bugs?
    • When a flaw is found they have to find how to fix it, write the code to fix it and the test it (so they're not left with a flaw due to the fix) and that isn't just a case of opening Firefox on one computer. They have numerous versions to test for.

      I'm not sur eif the fix was pushed out already because this week I've have updates cropping up for all my instances of Firefox at home and work. So either they're early or I'll get another one on the 30th. Either way, they're clearly doing their best.
    • by eulernet (1132389)

      I guess that it's because it costs a ton of bandwidth (and thus money) to make a patch available.
      Mozilla's patch system is pretty ugly, since it needs to download 3 megabytes for a few bytes changed.

      And NO, it doesn't have anything to do with validating the patch, since it's very easy to check that the behaviour doesn't change, especially when the impact is very small.
      Microsoft uses the "we need some time to check the patch" because they have to maintain a lot of differents versions of their OS.

      • But surely a 3MB patch is still less than the entire browser download - so therefore less bandwidth?

    • Re: (Score:3, Insightful)

      by The MAZZTer (911996)

      Because the fix could break other things, or even not actually fix anything or fix the security vulnerability completely, or even cause a different security vulnerability (possibly worse).

      Testing is important, especially when you want to attract users, not drive them away. Unstable software will do that.

    • Re: (Score:3, Informative)

      by bunratty (545641)
      If the vulnerability were publicly (fully) disclosed, perhaps Mozilla would rush a fix out the door. As far as I know, there has been limited disclosure of the vulnerability to only a few parties, and I haven't heard that the vulnerability is being exploited.
      • by fluffy99 (870997)

        If the vulnerability were publicly (fully) disclosed, perhaps Mozilla would rush a fix out the door. As far as I know, there has been limited disclosure of the vulnerability to only a few parties, and I haven't heard that the vulnerability is being exploited.

        You mean like having an automated exploit tool published 1-1/2 months ago? https://forum.immunityinc.com/board/thread/1161/vulndisco-9-0/ [immunityinc.com]

    • In Linux world, it’s normal that the packages you get via your package manager have custom patches in them. So we get the fixes ASAP anyway. (Of course Windows, being the Playmobil OS that is is, lacks a general package manager.)

      But I also wonder why they don’t just shove the minor updates in patch form trough their update functionality. Just like addons can get updated every time you start Firefox. It would be what? A a couple of bytes?

    • by BZ (40346)

      > Just to avoid making users upgrade too often?

      Yes. The typical monthly Firefox minor update ships on the order of 30-100 fixes depending on the month (security problems, stability problems, compat problems, etc). Micro-patching would involve 1-3 upgrades a day.

      If the upgrade could happen silently and without any user notification (which is what Chrome is working and and what Mozilla would like to get to), that may be acceptable. But even just telling the user three times a day "hey, I just updated" i

  • Fuck I just upgraded too, like a week or so ago. =\

"How do I love thee? My accumulator overflows."

Working...