The Active Network
  Firefox fix plugs security holes
Time: 11:51 EST/16:51 GMT | News Source: CNET | Posted By: Chris Hedlund

Thanks fast_math:

The Mozilla Foundation released on Thursday an update to the Firefox Web browser to fix several vulnerabilities, including one that would allow domain spoofing.

The open-source project released Firefox 1.0.1 to fix, among other bugs, a vulnerability in its handling of Internationalized Domain Names (IDN), the standard that lets domain names contain non-ASCII characters so that companies can register names that read the same in different languages. The IDN vulnerability allowed an attacker to pull off a phishing scam against users of non-Microsoft browsers (Internet Explorer did not support IDN at the time). Because characters from different scripts, such as a Latin and a Cyrillic letter, can look identical, a spoofed link would appear to be a legitimate URL in the address bar of affected browsers. But instead of taking the victim to the trusted site, the link would lead to a phony Web site whose IDN domain rendered as the same address.
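As an added example (not code from the CNET story or from Mozilla), the Python below shows why the spoof works and what the two mitigations discussed in this thread look like in practice: rendering IDN labels in their ASCII-compatible Punycode ("xn--") form, which is what the resolver sees and what the two names never share, and flagging labels that mix characters from more than one script, the mixed-code-set policy the ICANN guidelines describe. The lookalike hostname is constructed for illustration, the script-from-character-name heuristic is a stand-in for Unicode's Script property (which the standard library does not expose), and the one-script-per-label rule is a simplified policy; a whole-script confusable (a label written entirely in Cyrillic that happens to resemble a Latin word) is not caught by it, which is why a per-registry whitelist such as the one mentioned for Opera 8 beta 2 later in the thread is the complementary control.

```python
"""IDN homograph demo: Punycode rendering and a mixed-script check.

Added example, not from the article or from Mozilla. The hostnames below
are constructed; the script heuristic and the one-script-per-label policy
are simplifications (assumptions) of what real browsers do.
"""
import unicodedata

# Constructed lookalike: 'paypal.com' with the second letter replaced by
# CYRILLIC SMALL LETTER A (U+0430), which renders like LATIN SMALL LETTER A.
SPOOFED = "p\u0430ypal.com"
GENUINE = "paypal.com"


def to_ace(hostname: str) -> str:
    """Return the ASCII-compatible (Punycode, 'xn--') form of a hostname.

    This is what DNS resolves and what an address bar shows when it refuses
    to render IDN as Unicode: the spoof and the genuine name look the same
    in Unicode but differ plainly here.
    """
    return hostname.encode("idna").decode("ascii")


def char_script(ch: str) -> str:
    """Approximate a character's script from its Unicode name.

    unicodedata has no Script property, so the first word of the name
    ('LATIN', 'CYRILLIC', 'GREEK', ...) stands in for it (assumption).
    ASCII digits, hyphen and other ASCII punctuation are 'COMMON'.
    """
    if ch.isascii() and not ch.isalpha():
        return "COMMON"
    try:
        name = unicodedata.name(ch)
    except ValueError:  # unassigned code point
        return "UNKNOWN"
    return name.split()[0]


def mixed_script_labels(hostname: str) -> list:
    """Return the labels of hostname whose letters come from >1 script.

    'p\u0430ypal' (Latin + Cyrillic) is flagged; an all-Cyrillic label is not,
    so this check alone does not stop whole-script confusables.
    """
    flagged = []
    for label in hostname.split("."):
        scripts = {char_script(c) for c in label} - {"COMMON"}
        if len(scripts) > 1:
            flagged.append(label)
    return flagged


def display_name(hostname: str) -> str:
    """Render a hostname the way a cautious address bar would:
    Unicode for single-script labels, Punycode for mixed-script ones."""
    out = []
    for label in hostname.split("."):
        if mixed_script_labels(label):
            out.append(label.encode("idna").decode("ascii"))
        else:
            out.append(label)
    return ".".join(out)


if __name__ == "__main__":
    for name in (GENUINE, SPOOFED):
        print(f"unicode={name!r:<18} ace={to_ace(name):<22} "
              f"mixed={mixed_script_labels(name)} shown={display_name(name)}")
```

Run it and the two hostnames print identically in the first column, which is exactly what the victim saw in a vulnerable address bar; the ACE column and the mixed-script flag are what separate them.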

#1 By 2960 (68.101.39.180) at 2/25/2005 12:05:06 PM
Installed and posting :)

TL

#2 By 1288 (216.196.195.226) at 2/25/2005 12:20:21 PM
It seems to render pages a bit quicker too. Or maybe my computer just got excited and is running faster ;-)

#3 By 135 (209.180.28.6) at 2/25/2005 12:25:08 PM
So how long did that take?

Public disclosure of the flaw was Feb. 6, 2005... Today is Feb 25, 2005. So it took 19 days for a fix.

That's quite a bit longer than the 12 hours open source advocates keep claiming.

#4 By 37 (24.183.41.60) at 2/25/2005 12:27:05 PM
Seems a tad slower. And they haven't addressed the UI yet, and it still doesn't render all pages properly.

#5 By 7797 (63.76.44.6) at 2/25/2005 12:33:33 PM
"That's quite a bit longer than the 12 hours open source advocates keep claiming."

More accurately would be:

"That's quite a bit longer than the 12 hours (SOME) open source advocates keep claiming."

The point being that it really did take around 12 hours for the fix, but as you know there is also testing and quality assurance to think about before being able to release a patch. Overall I'd say 19 days isn't bad, especially considering that multiple security issues were fixed as well as stability improvements.

#6 By 7797 (63.76.44.6) at 2/25/2005 12:37:00 PM
"Seems a tad slower"
That's subjective. Someone else in this thread already said it feels faster to them.

"And they haven't addressed the UI yet"
What is there to address in the UI?

"and still doesn't render all the pages properly"
Nobody claimed they would! What's your point? I browse a LOT and have no problems using it to view all sites I need access to except for Windows Update. Other people feel the same. Some people like you have problems with some sites. Oh well, stick with IE then.

#7 By 7797 (63.76.44.6) at 2/25/2005 12:38:46 PM
TechLarry did you install the full version or an xpi update?

#8 By 7797 (63.76.44.6) at 2/25/2005 1:53:52 PM
"1) What? No patch? You have download the whole thing? Get real. "

WRONG! There will be a patch and it will be available on Firefox's auto update as a .xpi

"But no. Blind adherence to "standards" at Mozilla meant they went ahead with IDN anyway."

WRONG! ALL browsers besides IE support IDN. Can you prove that the reason IE didn't include IDN support was the foresight that this was a broken standard? No you can't so shut the hell up!

"3) This should really bump up the download counter. "

Why? Most people won't download the new version to update their old version. Most people will receive the update via the auto-update feature. Only a limited number of people who can't wait for the patch will re-download the full version. Most regular users don't read the tech news and will simply update whenever Firefox asks them to.

This post was edited by tgnb on Friday, February 25, 2005 at 13:55.

#9 By 7797 (63.76.44.6) at 2/25/2005 1:59:43 PM
log from #firefox

Feb 25 09:17:19 tgnb the question is, will firefox 1.0 update feature detect the update to firefox 1.0.1 and prompt the user to upgrade or will users have to manually upgrade.
Feb 25 09:17:30 tgnb Furthermore the release notes state: "Prior to installing Firefox 1.0.1, please ensure that the directory you've chosen to install into is clean and doesn't contain any previous Firefox installations."
Feb 25 09:18:05 tgnb I'm a bit confused .. this doesn't sound like a simple thing I can tell my non-techie friends to do. Do they need to uninstall first?
Feb 25 09:19:21 tgnb and lastly.. I'm wondering if the update feature in firefox 1.0 won't detect and install firefox 1.0.1, why is that? shouldn't it? if not .. why :)
Feb 25 09:21:06 Quark The update feature is not currently enabled to show 1.0.1. I don't know why (as I haven't been around much lately), but once it's enabled it will work. The release notes talking about clean installs is old, it shouldn't be necessary anymore
Feb 25 09:22:52 CrazyFred There are a few bugs in the update code which means the servers get bashed at specific times of the month. They are waiting until after the start of the month to turn update on
Feb 25 09:23:28 Quark at least, I haven't heard of any new bugs cropping up from non-clean installs.
Feb 25 09:24:03 tgnb Quark thanks. Once the feature is enabled to show 1.0.1 will it "patch" 1.0 to 1.0.1 or will it pretty much download and install the complete 1.0.1 version through the autoupdate or in a more "manual way"?
Feb 25 09:25:31 Quark It should patch to it, downloading smaller .xpi files instead of the full version
Feb 25 09:25:54 tgnb ok great :) that clears up all my questions. thank you very much

#10 By 13030 (198.22.121.120) at 2/25/2005 2:31:54 PM
You anti-Firefoxers* are a riot. You bash Firefox for not fixing security holes quickly enough. You bash Firefox for a quick fix introduced into the nightly builds. When the fix is made available as a new release a couple of weeks after disclosure you knock it for not being a patch. All the while, myself as well as millions of other people keep using it without any problems. For this release, I downloaded the zip file, deleted the contents of the Firefox directory, and unzipped the new release into it. Is this good for the average user? No, but I find it a boon for the power user. The patch capability will be working soon enough, so the most unsophisticated user will be able to update with ease.

* Empirical research has shown the anti-Firefox crowd to be very closely related to the MS apologist crowd. Coincidence? You decide...

#11 By 15406 (216.191.227.90) at 2/25/2005 2:54:29 PM
#17: I noticed that subtle connection too.

#12 By 7797 (63.76.44.6) at 2/25/2005 2:54:31 PM
" #13 There is no patch at the moment. I would conclude the reason is either technical (its broken) or dishonest ( they wish to bump up the download numbers) "

Well as usual your conclusions are WRONG!

"I don't have to shut up when I can point to a 3 year old paper on the ICAAN site where the dangers of phishing are well laid out. "

The 3 year old paper on ICANN has NOTHING to do with IE or Microsoft. I don't care about ICANN. I want proof that Microsoft didn't include this in IE because they had the foresight that this was broken. If you don't have such proof then we can only assume that Microsoft didn't include this simply because they haven't added any features (other than XPSP2) to IE in years.

"And if they've left their homepage to Firefox, as I did on my .93 version, it now asks them to download the whole 1.01 version. "

WRONG AGAIN! Firefox 1.0's default homepage is http://www.google.com/firefox and it DOES NOT prompt them to download 1.0.1. So once again you're full of it and don't know what you're talking about. And since the download counter only counts downloads from 1.0 users on, it's even irrelevant there.

"So what you are telling me is that the "servers get bashed" more with a patch than with the full download?"

No that's NOT what they are saying. But as usual you don't WANT to understand it. The update feature has a bug that keeps bashing the servers at specific times of the month. That's why this is currently "disabled" as the previous respondent in IRC stated. They will enable the feature when the servers WON'T get bashed and then users will receive the update. Since none of the security flaws are rated highly or extremely critical a few more days of wait is acceptable.

Let's review:

You claimed that you have to download the whole thing: WRONG, a patch will be available.
You claimed that the default Firefox homepage is asking users to download the full version of 1.0.1: WRONG, the default homepage points to a Google search page.
You claim that Mozilla isn't offering a patch: WRONG, they WILL offer a patch!

This post was edited by tgnb on Friday, February 25, 2005 at 15:11.

#13 By 22601 (69.194.226.220) at 2/25/2005 2:59:11 PM
A few clarifications about FF 1.0.1.

Re full install vs updates/patches. Right now you need to uninstall your current FF, then install 1.0.1. Next week updates will be turned on so that this will not be necessary.

Re the IDN homograph issue. ICANN has published information about this at http://www.icann.org/topics/idn.html . The bottom line is that, although the problem was foreseen years ago, a solution was also outlined years ago, i.e. to institute procedures which prevent domain names from being registered in which code sets are mixed in such a way that there would be a risk of phishing. There is, therefore, only a problem if the procedures are not being followed, which is why a whitelist could be useful, e.g. as implemented in Opera 8 beta 2, released today.

#14 By 15406 (216.191.227.90) at 2/25/2005 3:01:48 PM
#20: Man, that was a lot of effort. I've chided Parkker/LIT/etc before for being deliberately obtuse, but it doesn't matter as he's a troll looking for your reaction. He knows full well what he's spouting is absolute shit, but he does it with a smile, hoping to get you all upset at his idiocy.

#15 By 7797 (63.76.44.6) at 2/25/2005 3:15:33 PM
Latch, agree. I've urged others to simply ignore him in the past but people responded anyway to his stuff. So since ignoring a troll only works when EVERYONE does it, and not everyone here does it, i have no other choice than to keep on deFUDing his blather.

#16 By 135 (209.180.28.6) at 2/25/2005 4:04:36 PM
tgnb - As I recall, you were one of the chief shills for the "fixed in 12 hours" theme.

Halcyon - Yes, they were in the nightlies. But patches are also in the nightlies for IE. That's irrelevant, since I'm not going to deploy a nightly beta build to supported desktops.

I don't see how you can justify the claim "At least it is faster than the competition". You know. Parkker keeps saying tax cuts help reduce the deficit, over and over again too... but that hasn't helped to make it true.

#17 By 7797 (63.76.44.6) at 2/25/2005 5:38:19 PM
" Is there a patch to download? No. "

Is this a big deal, since the vulnerability was neither highly nor extremely critical and since the patch will be available in a few days? NO

"Will there be patch? Maybe someday when they fix the update bug that "bashes the servers" "

WRONG, re-read what was written about this. The bug causes the servers to be bashed. Fixing the bug is not mentioned as a condition to releasing the patch. They will wait a few days to release the patch during a time when the servers WON'T be bashed by the bug.

"maybe someday"

NO WRONG AGAIN. The patch will definitely be available soon. I never said maybe someday. Stop putting words into my mouth I never said.
"Why would downloading a patch "bash the servers" and downloading a full install not?No believable reason given"

The question is wrong. DOWNLOADING the patch is not what causes the servers to be bashed. The bug in the update code is what is causing this.

"Why did Firefox screw up IDN? Everyone else did (except for IE) so it's ok"

Nobody screwed up IDN. Everyone supported it except for IE. But LinuxIsTeft continuously fails to show what the reason for the non-support in IE is.

"Why did everyone but IE impliment a "standard" designed for phishing?To bash IE "

The IDN standard was not "designed for phishing". YOU are a MORON!

"Why does the .93 Firefox ask me to download 1.01 instead of a patch?There is no patch"

.93 isn't asking you to download anything. Why haven't you upgraded to 1.0 yet? LAZY?

"Why is there no patch? To inflate the number of downloads "

WRONG there is a patch but its not yet available on autodownload. Prove your claim. Got a link that shows that Mozilla did this to inflate the number of downloads? If you have no proof then shut up.

"Is this wise?No"
Why is this not wise? It is not extremely urgent for the patch to be released since none of the vulnerabilities were highly or extremely critical.

This post was edited by tgnb on Friday, February 25, 2005 at 17:45.

#18 By 7797 (63.76.44.6) at 2/25/2005 5:42:52 PM
sodable IT WAS fixed in 12 hours. That doesn't mean that the patch was quality tested or regression tested or anything else, but it WAS fixed. And 19 days is not a long time although it could have been faster. It probably WOULD have been faster if the vulnerability was more critical.

"The default homepage(s) for Firefox 0.93 is:"

Nobody but you cares what the homepage for 0.93 was. Firefox 0.93 was not marketed as a final release to end users. It was a beta version. It was not released with the intent to go to the joe shmo computer user. IT WAS A BETA YOU TOOL! Only computer savvy people should download a beta. Obviously you're not one of them, otherwise you would know better and would know it's OK to wait for the patch.

#19 By 37 (67.37.29.142) at 2/25/2005 9:59:29 PM
"Thats subjective. Someone else in this thread already said it feels faster to them."

It's FACT on my end. Not to mention its already slow startup time.

"What is there to address in the UI?"

Poor layout, lack of customization, and its horrendous web-based UI of the file system.

"Nobody claimed they would!"

I never said anyone claimed it did.

"Whats your point."

That it doesn't render many webpages properly. IE renders pages better. So what's your point?

"I browse a LOT and have no problems using it to view all sites I need access to except for Windows Update."

I browse a LOT and have no problems using IE to view all sites, but FF causes grief. I don't mind the daily crashes of FF because I have come to expect it for a free product, but if they are serious about it, they should address its instability.

"Other people feel the same."

And they are in the minority. So what's your point?

"Some people like you have problems with some sites."

Yup...as do many others.

"Oh well, stick with IE then. "

I do. It's a better browser.

#20 By 12071 (203.217.78.107) at 2/26/2005 12:15:56 AM
#24 "tgnb - As I recall, you were one of the chief shills for the "fixed in 12 hours" theme."
I don't understand how any of you MS-only zealots can stand there and complain about how long it takes anyone to release a patch given how long it takes Microsoft to do the same thing!

190 days to patch - http://www.eeye.com/html/research/advisories/AD20050208.html
57 days to patch - http://www.eeye.com/html/research/advisories/AD20050111.html
71 days to patch - http://www.eeye.com/html/research/advisories/AD20041012A.html
208 days to patch - http://www.eeye.com/html/research/advisories/AD20041012.html
216 days to patch - http://www.eeye.com/html/research/advisories/AD20040413A.html
216 days to patch - http://www.eeye.com/html/research/advisories/AD20040413B.html
188 days to patch - http://www.eeye.com/html/research/advisories/AD20040413C.html
144 days to patch - http://www.eeye.com/html/research/advisories/AD20040413D.html
64 days to patch - http://www.eeye.com/html/research/advisories/AD20040413E.html
144 days to patch - http://www.eeye.com/html/research/advisories/AD20040413F.html
...

Bunch of hypocrites whinging about 19 days - even though anyone that was truly worried about this bug could have applied a patch that same day instead of waiting the 19 days!

"But patches are also in the nightlies for IE."
I won't repeat all the questions that Hal has already asked, I look forward to hearing your reply on where we can all download the nightly builds of IE with all those patches in them as well as the answers to the rest of his questions. I think I'll be waiting a long time for that answer!

"Parkker keeps saying"
Parkker says a lot (of crap), no-one's listening, but he does say a lot!

#33 "I do. It's a better browser."
Given your feelings, which you have made everyone here aware of many times now, why do you continue to download new versions of FireFox? Why do you continue to use it if it, by your own admissions, crashes daily on you? Just so you can whinge that it doesn't render poorly non-standards-based half assed put together pages? Save yourself some time and effort, stop downloading and using FireFox given how you feel about it! You must get a kick out of pain given all the apparent troubles you are having with FireFox (regardless of whether anyone else is having the same problems) - I guess that's why you enjoy Microsoft software so much :)

#21 By 3653 (68.54.224.219) at 2/26/2005 1:35:16 AM
tgnb/schill - lets review what you said...

"You claimed that you have to donwload the whole thing: WRONG a patch will be available"

READ that twice. "will" be available? who are you trying to fool? He said there wasn't a patch available and you say WRONG that one WILL BE available?

"You claim that Mozilla isn't offering a patch: WRONG they WILL offer a patch!"

Just because you say it twice doesn't make it true. You do realize that even the folks that hate msft think you are nuts now, right?

How many months until you haters start to claim that the reason FF lost momentum is because MSFT and its unlimited resources put an end to it by pouring money on it? Tick tock, the time-tested, completely predictable progression of your argument awaits...


This post was edited by mooresa56 on Saturday, February 26, 2005 at 01:36.

#22 By 37 (24.183.41.60) at 2/26/2005 8:37:15 AM
"You can change the layout"

It's pretty limited, and I am not fond of the standard menu dropdown. In addition, when right clicking on the dropdown for bookmarks and choosing sort by name the menu closes immediately after the items are sorted. This requires me to go back to the menu every time I continue to sort each sub folder by name. This is just one of many items that constitute a poor layout IMO. Heck, try to drag/drop the toolbars.

"You can theme the browser, and if you still don't like it you can rewrite the UI"

I don't want to theme it, and I don't know how to write UI's. I don't know a single person who knows how to rewrite a UI.

"It's not a file manager, but a file manager in Firefox is possible: http://filemanager.mozdev.org/"

I don't want an extension for something I feel should be standard (sounds familiar OSS apologists? remember you complain about having to get add-ons or extensions for FF features in IE?).

"I really don't experience any crashes... Maybe it's something in the OS?"

Could be. I have crashes with FF on Windows 98, Windows XP, and for the short time I used Novell Linux Desktop a couple months ago FF crashed for me on that as well. Maybe I should buy a Mac just so that I can use FF?

This post was edited by AWBrian on Saturday, February 26, 2005 at 08:38.

#23 By 37 (24.183.41.60) at 2/26/2005 9:34:08 AM
"#34
Given your feelings, which you have made everyone here aware of many times now, why do you continue to download new versions of FireFox?"

With hopes that it will improve and to try to find out why OSS apologists say it's so great. So far I am stumped.

"Why do you continue to use it if it, by your own admissions, crashes daily on you?"

I like to be educated on these things. Same reason I have OOo.

"Just so you can whinge that it doesn't render poorly non-standards-based half assed put together pages?"

Those are surely not the pages I visit. In fact, I have made a list of 10 pages I visit daily that are not rendered properly in FF, and they are properly formatted sites. Do a search.

"Save yourself some time and effort, stop downloading and using FireFox given how you feel about it!"

How can I learn and find out what improvements are if I don't use it? Why would someone want to "limit" themselves or their knowledge or experience. This way I can speak from first hand.

"You must get a kick out of pain given all the apparent troubles you are having with FireFox (irregardless of whether anyone else is having the same problems) - I guess that's why you enjoy Microsoft software so much :)"

I do get a kick out of the problems and issues that FF has. I find it hilarious and entertaining that the OSS apologists praise it, and I know for a fact that their preaching of the product is not entirely accurate. It makes me grin each time I get the Quality Feedback Send Report.

I love MS software because:

1. I don't have many problems with it. (IME)
2. It's easier to use. (IMO)
3. Has better support. (Fact)
4. Has a better UI consistency among apps.(IMO)
5. Has faster applications compared to competing products (Fact)

#24 By 12071 (203.217.78.107) at 2/26/2005 10:45:53 AM
#35 "So yes, complaining about 19 days is not that powerful an argument"
Very good, you're part of the way there! Out of all the patch timeframes you listed, there are still 5 on my incomplete list that are much longer (and Secunia lists vulnerabilities from 2002 and 2003 that are still unpatched or partly unpatched). Given that Microsoft has been taking much longer to release patches, how can you stand there on your MS apologist soap box and complain about 19 days? Hell, how can you even complain about 153 days if Microsoft kept you waiting 216 days for 2 much higher severity patches? Neither of those timeframes are worth bragging about as far as I'm concerned! But I wouldn't be running around whinging about everyone else if I'd continually been left waiting months and months on end for patches!

Additionally, given that we all have 0% chance of soda telling us where we can all download those nightly builds of IE with all those patches applied - can you do us the favour of telling us where we can download them from?

#39 "With hopes that it will improve and try to find out why OSS apologist say it's so great. So far I am stumped."
So what you're trying to tell me, with a straight face I assume, is that you, on purpose, continue to use software that crashes and runs slowly for you... in hope that it will improve and to find out what all the buzz is about? You'll have to forgive me here if I don't believe you. I'm not saying that FireFox can't crash, even though it doesn't and hasn't for me and I use it at work and home everyday, I just find it difficult to believe that anyone would continue to use something that continually crashes. You really must get a kick out of pain as I've said before! But hey, if you keep filling in those Quality Feedback Reports to help sort out all those issues you are having, then I'm right behind you using FireFox and helping to make it a better product.

"How can I learn and find out what improvements are if I don't use it? Why would someone want to "limit" themselves or their knowledge or experience. This way I can speak from first hand."
Why would someone want to do that? Not sure, why don't you ask the MS-only crowd here, they might have an answer for you. The rest of us try to use as many different OS' and applications as possible because we understand that with only a hammer in hand, everything starts to look like a nail.

"I find it hilarious and entertaining that the OSS apologists praise it, and I know for a fact that their preaching of the product is not entirely accurate. It makes me grin each time I get the Quality Feedback Send Report."
Psychologically you're an interesting person for getting a kick out of that! What's equally as interesting is that you don't seem to understand that any preaching (on either side) is subjective. Sure I've never had FireFox crash but that doesn't mean it really isn't crashing for you and vice versa you might be in that 0.1% of people that do not have any problems with IE!

"I love MS software because"
That's really nice, especially those opinions passed off as facts, but my final comment had a smile on the end for a reason.

#25 By 12071 (203.217.78.107) at 2/26/2005 11:08:18 AM
#35 By the way, given your strict stance on security, I know you will be happy to hear that in FireFox v1.0.1:

FIXED - 125 days to partial fix (and still counting): http://secunia.com/advisories/12712/
FIXED - 77 days to partial fix (and still counting): http://secunia.com/advisories/13129/
FIXED - 52 days to partial fix (and still counting): http://secunia.com/advisories/13599/
FIXED - 43 days to partial fix (and still counting): http://secunia.com/advisories/13786/
FIXED - 19 days to partial fix (and still counting): http://secunia.com/advisories/14163/

Let's hope that the following two can be patched soon:
153 days and counting: http://secunia.com/advisories/12403/
135 days and counting: http://secunia.com/advisories/12580/

Mind you, there is a patch available for 12580 and 12403 only affects Apple Java, but that's no excuse for those two still being outstanding after such a long time.
