Weekly Edition
Return to the Security page
| |||||||||||||
A fix for the Firefox IDN buffer overflow vulnerability
Mozilla.org has announced
a simple workaround that closes the Firefox International Domain
Name (IDN) security vulnerability.
"On September 9, the Mozilla team released a configuration change which, as a temporary measure to work around this problem, disables IDN in the browser. IDN functionality will be restored in a future product update. The fix is either a manual configuration change or a small download which will make this configuration change for the user."
(Log in to post comments)
Firefox must update automagically Posted Sep 12, 2005 15:16 UTC (Mon) by oseemann (subscriber, #6687) [Link] In the long term Firefox can only prove its security-related advantages (over IE) when they can not only fix related issues in a short period of time, but much more importantly: communicate that change to the users and make them update their installation.
While it is not a problem for us tech-savvy people, my grandmother and Joe Average will not read that news and might probably even ignore the red icon in Firefox, telling them to perform an online update.
The only solution can be an update mechanisms that runs automatically in the background, downloading and applying patches as they come, with the only notice to the (ignorant) user being a message dialog, telling that Firefox needs to restarted because an update has been successfully applied. And on click Firefox will shutdown and restart with all the tabs and windows opened as it was 10 seconds ago.
Otherwise in a year or two, 75% of Firefox installations will still be at their ancient downloaded version and equally vulnerable as a default IE installation.
Firefox must update automagically Posted Sep 12, 2005 15:49 UTC (Mon) by iabervon (subscriber, #722) [Link] Actually, what would be more useful is something that applied workarounds automatically and generated warnings and information for going back to the original configuration. So people would start up their browsers and get a message that IDN had been temporarily disabled, due to a security issue, and that they could re-enable it by applying an update. That way, people automatically get a safe configuration even before a patch is ready, and people who don't apply the patches are left with some functionality disabled, but are safe. If you find the option that's been disabled, get the warning, refuse the patch, and re-enable it anyway, you clearly have some strong motivation to go through this and understand the danger.
Firefox must update automagically Posted Sep 12, 2005 16:06 UTC (Mon) by higuita (guest, #32245) [Link] go check the latest firefox (1.5) and thunderbird...they have binary diffs to make updates lighter, and it now also updates automaticly, it only asks for restart the browser/email client to apply then at least until now, it works fine in the nightly
Firefox must update automagically Posted Sep 12, 2005 16:23 UTC (Mon) by carcassonne (guest, #31569) [Link] I wonder what would be the chances of fake update mechanisms finding their way to client computers running Firefox and doing automatically 'something else'.
Automatic updates over the internet are nice, but we should give a thought or two about security so that the next big news in 1-3 years won't be about some kind of a virus/worm/exploit/etc affecting thousands of computers open and minimally secured for Firefox updates. Joe Average or not.
Firefox must update automagically Posted Sep 13, 2005 0:39 UTC (Tue) by proski (subscriber, #104) [Link] Having any such "update" means the system is compromised already. It doesn't matter what software will be have a malicious payload embedded into it.If you mean attacks on the network to make Firefox download a compromised update, that's a valid concern. The updates should be cryptographically signed or at very least they should be downloaded over https. I'd be surprised if it's not done already.
Firefox must update automagically Posted Sep 13, 2005 4:46 UTC (Tue) by khim (subscriber, #9252) [Link] Having any such "update" means the system is compromised already. It doesn't matter what software will be have a malicious payload embedded into it. Why are you sure ? Phishers already tried to reroute traffic for bank sites with hijaked ISPs! Successfully (for a time). Will it be so hard to reroute traffic from addons.mozilla.org to phisher site ? Of course it'll produce warning (addons.mozilla.org is using certificate issued by addons.mozilla.org, do you want to continue?), but most Windows users are trained to ignore such warnings - this is basic problem with MS IE, right ?
Single point of vulnerability Posted Sep 12, 2005 20:56 UTC (Mon) by dark (subscriber, #8483) [Link] I think that would be much too dangerous. You'd be able to subvert every firefox installation in the world, overnight, by cracking a single update site. With a client-driven update, you would also reach through firewalls.
Single point of vulnerability Posted Sep 12, 2005 21:25 UTC (Mon) by oseemann (subscriber, #6687) [Link] The patches would be signed with a private key that's not on any server anywhere.
But I agree to some extent. From a paranoid/security aware point of view, the idea of downloading stuff without explicit user consent might sound somewhat scary.
That way lies madness Posted Sep 12, 2005 21:57 UTC (Mon) by rqosa (subscriber, #24136) [Link] Programs should rely on the package manager for updates, rather than having their own update mechanisms. Imagine what it would be like if every program had its own update mechanism! Unfortunately, the Mozilla developers aren't making it easy for distributors to provide updates that way.
|
|||||||||||||