Velocity Reviews - Computer Hardware Reviews

Velocity Reviews > Newsgroups > Computing > Computer Security > New Firefox bug (and fix)

Reply
Thread Tools

New Firefox bug (and fix)

 
 
Imhotep
Guest
Posts: n/a
 
      09-11-2005
One thing about firefox those guys fix their software's problems very, very
quickly...

Please read immediately:

http://it.slashdot.org/article.pl?si...25241&from=rss
 
Reply With Quote
 
 
 
 
Hairy One Kenobi
Guest
Posts: n/a
 
      09-12-2005
"Imhotep" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> One thing about firefox those guys fix their software's problems very,

very
> quickly...
>
> Please read immediately:
>
> http://it.slashdot.org/article.pl?si...25241&from=rss


"Fixed" in the same way that "turn off JScript" is a valid fix for IE \

"IDN functionality will be restored in a future product update". My
suggestion would be a nested RFC-compliant filter on the URI... sometimes
the simplest approaches *are* the best.

/Very/ neat way to change the config, though - haven't had to take a look
before now. Hope that it's inaccessible from the outside world!

--

Hairy One Kenobi

Disclaimer: the opinions expressed in this opinion do not necessarily
reflect the opinions of the highly-opinionated person expressing the opinion
in the first place. So there!


 
Reply With Quote
 
 
 
 
Imhotep
Guest
Posts: n/a
 
      09-12-2005
Hairy One Kenobi wrote:

> "Imhotep" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
>> One thing about firefox those guys fix their software's problems very,

> very
>> quickly...
>>
>> Please read immediately:
>>
>> http://it.slashdot.org/article.pl?si...25241&from=rss

>
> "Fixed" in the same way that "turn off JScript" is a valid fix for IE \
>
> "IDN functionality will be restored in a future product update". My
> suggestion would be a nested RFC-compliant filter on the URI... sometimes
> the simplest approaches *are* the best.
>
> /Very/ neat way to change the config, though - haven't had to take a look
> before now. Hope that it's inaccessible from the outside world!
>


I believe this posting was to inform people about a bug and temp fix. So,
what is you point anyway? That it is a temp fix? Do you really want to
compare IE to Firefox, if so, let's talk about the mean time to fix
security holes. Don't think you want to go there :-O

P.S. I agree that interface was pretty cool. First time I saw it too.

Im
 
Reply With Quote
 
Hairy One Kenobi
Guest
Posts: n/a
 
      09-13-2005
"Imhotep" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Hairy One Kenobi wrote:


<snip>

> I believe this posting was to inform people about a bug and temp fix. So,
> what is you point anyway? That it is a temp fix? Do you really want to
> compare IE to Firefox, if so, let's talk about the mean time to fix
> security holes. Don't think you want to go there :-O


This isn't a fix. It's a workaround.

A fix isn't a workaround.

As it stands, FF is significantly more vulnerable than IE at the moment
(gasp, shock, horror). Heck, noone's even /bothered/ to test the older
versions ("older" meaning a month or two. How many 200k desktop
organizations roll-out every fortnight?)

Look. They're just bloody browsers, not some kind of weapons in a Jedi
conflict. Or something.

It's a bit like comparing car sparkplugs by judging the damage they'd cause
if you threw them at someone - they're there to do a job and (specifically)
not get in the way of that job. TBH, I'm getting pretty tired of "software
(written by bad programmers) is better than your software (written by bad
programmers)".

For the next couple of weeks, FireFox has just gone the way of Internet
Explorer - a bloody obvious flaw that should have shown up in *any* decent
testing regime. It failed. Live with it. It'll be fixed eventually, but for
now there's a workaround (turning off a whole chunk of code that turns out
to not be quite as RFC-compliant as its author(s) envisaged).

Having an RFC dosen't mean it's any good (sometimes quite the contrary -
read some of the recommendations in SMTP!). My software is *all* RFC
compliant (no exceptions that I'm aware of), but - crucially - I get to pick
which RFC ;o)

> P.S. I agree that interface was pretty cool. First time I saw it too.


Ditto. I generally write servers, so I manage to avoid this whole issue.
Next time I write a "proper" client with options, then I'll be copying that
idea. Sod all this INI vs. registry crap - this *is* the future for rational
people.

H1K


 
Reply With Quote
 
Winged
Guest
Posts: n/a
 
      09-13-2005
Hairy One Kenobi wrote:
> "Imhotep" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
>
>>One thing about firefox those guys fix their software's problems very,

>
> very
>
>>quickly...
>>
>>Please read immediately:
>>
>>http://it.slashdot.org/article.pl?si...25241&from=rss

>
>
> "Fixed" in the same way that "turn off JScript" is a valid fix for IE \
>
> "IDN functionality will be restored in a future product update". My
> suggestion would be a nested RFC-compliant filter on the URI... sometimes
> the simplest approaches *are* the best.
>
> /Very/ neat way to change the config, though - haven't had to take a look
> before now. Hope that it's inaccessible from the outside world!
>


It is relatively inaccessible to the outside world because the path to
the file has a pseudo random directory assignment making targeting the
user config file difficult via a file replacement to a defined path,
though it might be achieved using programmatic logic. This would
increase the virus size but it could be possible to accomplish.

To avoid this potential flaw however is to make the browser run with
dropped privileges This works not only in IE but Firefox and other
browsers as well.

Then do not give standard user privileges modify permissions to the
directory (read only) or certain system files you do not want to allow
modified by "standard user". This prohibits the browser from making
these modifications.

A guide on using the MS drop my rights MSI utility can be found at:

http://msdn.microsoft.com/security/s...re11152004.asp

The neat thing about learning this methodology is it can be used with
almost any application and even used to break certain functionalities
without breaking the application such as certain DRM software which uses
a certain DRM directory....but that is outside the scope of this
newsgroup.

Using this methodology you can make IE almost safe. Though I still
prefer Firefox. This method reduces the potential vulnerability of
having the user config files modified in Firefox. It also dramatically
reduces possibility of web based sites doing drive by shootings of the
registry. This does not mean the method is safe, but would require a
significant change of approach for most malware, and limit most issues
to the specific session.

Note: If you use this method you may want a shortcut configured that
does not drop rights for certain activities for example windows update
(in IE) or for example doing about:config in Firefox. Elevated
shortcuts should be placed somewhere not readily accessible (i.e. not
directly on the desktop) to prevent inadvertent running with elevated
permissions.

Winged
 
Reply With Quote
 
Imhotep
Guest
Posts: n/a
 
      09-13-2005
Winged wrote:

> Hairy One Kenobi wrote:
>> "Imhotep" <(E-Mail Removed)> wrote in message
>> news:(E-Mail Removed)...
>>
>>>One thing about firefox those guys fix their software's problems very,

>>
>> very
>>
>>>quickly...
>>>
>>>Please read immediately:
>>>
>>>http://it.slashdot.org/article.pl?si...25241&from=rss

>>
>>
>> "Fixed" in the same way that "turn off JScript" is a valid fix for IE \
>>
>> "IDN functionality will be restored in a future product update". My
>> suggestion would be a nested RFC-compliant filter on the URI... sometimes
>> the simplest approaches *are* the best.
>>
>> /Very/ neat way to change the config, though - haven't had to take a look
>> before now. Hope that it's inaccessible from the outside world!
>>

>
> It is relatively inaccessible to the outside world because the path to
> the file has a pseudo random directory assignment making targeting the
> user config file difficult via a file replacement to a defined path,
> though it might be achieved using programmatic logic. This would
> increase the virus size but it could be possible to accomplish.
>
> To avoid this potential flaw however is to make the browser run with
> dropped privileges This works not only in IE but Firefox and other
> browsers as well.
>
> Then do not give standard user privileges modify permissions to the
> directory (read only) or certain system files you do not want to allow
> modified by "standard user". This prohibits the browser from making
> these modifications.
>
> A guide on using the MS drop my rights MSI utility can be found at:
>
>

http://msdn.microsoft.com/security/s...re11152004.asp
>
> The neat thing about learning this methodology is it can be used with
> almost any application and even used to break certain functionalities
> without breaking the application such as certain DRM software which uses
> a certain DRM directory....but that is outside the scope of this
> newsgroup.
>
> Using this methodology you can make IE almost safe. Though I still
> prefer Firefox. This method reduces the potential vulnerability of
> having the user config files modified in Firefox. It also dramatically
> reduces possibility of web based sites doing drive by shootings of the
> registry. This does not mean the method is safe, but would require a
> significant change of approach for most malware, and limit most issues
> to the specific session.
>
> Note: If you use this method you may want a shortcut configured that
> does not drop rights for certain activities for example windows update
> (in IE) or for example doing about:config in Firefox. Elevated
> shortcuts should be placed somewhere not readily accessible (i.e. not
> directly on the desktop) to prevent inadvertent running with elevated
> permissions.
>
> Winged



Wow. Good info man...

Im
 
Reply With Quote
 
Imhotep
Guest
Posts: n/a
 
      09-13-2005
Hairy One Kenobi wrote:

> "Imhotep" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
>> Hairy One Kenobi wrote:

>
> <snip>
>
>> I believe this posting was to inform people about a bug and temp fix. So,
>> what is you point anyway? That it is a temp fix? Do you really want to
>> compare IE to Firefox, if so, let's talk about the mean time to fix
>> security holes. Don't think you want to go there :-O

>
> This isn't a fix. It's a workaround.
>
> A fix isn't a workaround.
>

<snip>

It is a temp fix. Most importantly, they informed people with the fix
preventing people from getting infected, etc, etc in impressive time. I
monitor a lot of security sites (some quite shaddy) and the firefox people
did not waste any time getting this out to the people who use their
software. Good job. Now look at MS. The delayed a patch that, I believe
will be for the outlook and IE apps leaving people vulnerable for at least
another week. And yes, many people know of the flaw...the kind of people
you do not want to know...

My background is software too. And let's face it the more complex the code
the higher the probability of flaws. Again, when I judge I look at how a
company deals with their software bugs. Do they ignore it until there are
numerous hacks out there? Do they get the info out right way (even with a
temp fix)?

Again, good job Firefox!

>> P.S. I agree that interface was pretty cool. First time I saw it too.

>
> Ditto. I generally write servers, so I manage to avoid this whole issue.
> Next time I write a "proper" client with options, then I'll be copying
> that idea. Sod all this INI vs. registry crap - this *is* the future for
> rational
> people.
>
> H1K


Yes, I liked it too. Pretty cool and easy to alter the config...


Im
 
Reply With Quote
 
Hairy One Kenobi
Guest
Posts: n/a
 
      09-13-2005
"Imhotep" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Hairy One Kenobi wrote:
>
> > "Imhotep" <(E-Mail Removed)> wrote in message
> > news:(E-Mail Removed)...
> >> Hairy One Kenobi wrote:

> >
> > <snip>
> >
> >> I believe this posting was to inform people about a bug and temp fix.

So,
> >> what is you point anyway? That it is a temp fix? Do you really want to
> >> compare IE to Firefox, if so, let's talk about the mean time to fix
> >> security holes. Don't think you want to go there :-O

> >
> > This isn't a fix. It's a workaround.
> >
> > A fix isn't a workaround.
> >

> <snip>
>
> It is a temp fix.


Sorry, we're going to have to disagree. "Don't turn your computer on" if a
workaround, not a fix.

Likewise turning off an entire chunk of functionality (in this case,
absolutely everything to do with IDN)

> My background is software too. And let's face it the more complex the code
> the higher the probability of flaws


Software mantra: you can always reduce the size of the executable by one
machine code operand. There is always one more bug. Corollary: you can
reduce any piece of software down to one machine code operand. That doesn't
work )

H1K


 
Reply With Quote
 
Imhotep
Guest
Posts: n/a
 
      09-13-2005
Hairy One Kenobi wrote:

> "Imhotep" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
>> Hairy One Kenobi wrote:
>>
>> > "Imhotep" <(E-Mail Removed)> wrote in message
>> > news:(E-Mail Removed)...
>> >> Hairy One Kenobi wrote:
>> >
>> > <snip>
>> >
>> >> I believe this posting was to inform people about a bug and temp fix.

> So,
>> >> what is you point anyway? That it is a temp fix? Do you really want to
>> >> compare IE to Firefox, if so, let's talk about the mean time to fix
>> >> security holes. Don't think you want to go there :-O
>> >
>> > This isn't a fix. It's a workaround.
>> >
>> > A fix isn't a workaround.
>> >

>> <snip>
>>
>> It is a temp fix.

>
> Sorry, we're going to have to disagree. "Don't turn your computer on" if a
> workaround, not a fix.
>
> Likewise turning off an entire chunk of functionality (in this case,
> absolutely everything to do with IDN)


Well I guess I look at it differently. I prefer a temp fix over being
vulnerable and yes even if it turns off a piece of functionality. Look at
the alternative. Users of MS are going to be vulnerable for yet another
week because they pulled the patch because of quality issues. Honestly, why
not turn off the functionality that has the security hole, providing a temp
fix. Then when the permanent fix arrives, install the patch which restores
the functionality. That is doing it the rightway.

>> My background is software too. And let's face it the more complex the
>> code the higher the probability of flaws

>
> Software mantra: you can always reduce the size of the executable by one
> machine code operand. There is always one more bug. Corollary: you can
> reduce any piece of software down to one machine code operand. That
> doesn't work )
>
> H1K


 
Reply With Quote
 
Hairy One Kenobi
Guest
Posts: n/a
 
      09-13-2005
"Imhotep" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Hairy One Kenobi wrote:
> > "Imhotep" <(E-Mail Removed)> wrote in message
> > news:(E-Mail Removed)...
> >> Hairy One Kenobi wrote:
> >>
> >> > "Imhotep" <(E-Mail Removed)> wrote in message
> >> > news:(E-Mail Removed)...
> >> >> Hairy One Kenobi wrote:
> >> >
> >> > <snip>
> >> >
> >> >> I believe this posting was to inform people about a bug and temp

fix.
> > So,
> >> >> what is you point anyway? That it is a temp fix? Do you really want

to
> >> >> compare IE to Firefox, if so, let's talk about the mean time to fix
> >> >> security holes. Don't think you want to go there :-O
> >> >
> >> > This isn't a fix. It's a workaround.
> >> >
> >> > A fix isn't a workaround.
> >> >
> >> <snip>
> >>
> >> It is a temp fix.

> >
> > Sorry, we're going to have to disagree. "Don't turn your computer on" if

a
> > workaround, not a fix.
> >
> > Likewise turning off an entire chunk of functionality (in this case,
> > absolutely everything to do with IDN)

>
> Well I guess I look at it differently. I prefer a temp fix over being
> vulnerable and yes even if it turns off a piece of functionality.


I too prefer a workaround to *nothing*.

But a workaround isn't a t-fix.

Meaning no disrespect whatsoever, I do this **** for a living and can tell
the difference between the two.

There are undoubtedly cases where a t-fix doesn't involve a code change.
Let's be generous and call it 1 in 500. A quick config hack is a
/workaround/ that stops you experiencing a problems but (by definition) has
potential impact to the running of your Production system.

Let's take a specific example that (hopefully) is quite hard to refute: stop
running Flight Trials software on a (random) aircraft if it causes it to
fall out of the sky. This is a workaround, because you no longer gather
flight trials data.

Give it to a software engineer to work out why it caused the avionics
lock-up, fix it, and patch the software so that you can run it - /that's/ a
t-fix. Once it's passed full, safety-critical, QA then it becomes either a
fix or an enhancement (depends upon the contract and acceptance rules)

Are we now clear on this, or have I again somehow been obtuse?

H1K


 
Reply With Quote
 
 
 
Reply

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Javascript new-new-new-new-newbee weblinkunlimited@gmail.com Javascript 2 03-11-2008 01:15 AM
*bug* *bug* *bug* David Raleigh Arnold Firefox 12 04-02-2007 03:13 AM
Firefox 1.0.7 or Firefox 1.5 Beta New releases are out Wild Will Computer Support 0 09-29-2005 07:00 AM
Re: BUG? OR NOT A BUG? John ASP .Net 2 09-21-2005 10:31 AM
Bug in my Javascript or bug in Firefox Howard Kaikow Javascript 9 12-01-2004 06:05 AM



Advertisments