first critical security leak by firefox 3 - Mozilla


Thread: first critical security leak by firefox 3

  1. Re: first critical security leak by firefox 3

    Spiderman wrote:
    > Spiderman wrote:
    >> Spiderman wrote:
    >>> Spiderman wrote:
    >>>> first critical security leak by firefox 3:
    >>>>
    >>>> http://www.winfuture.de/news,40223.html
    >>> And in english:
    >>>
    >>> http://dvlabs.tippingpoint.com/blog/...lla-firefox-30
    >>>

    >> Yes, firefox 2 has also the security problem.

    > Are there any workarounds till the update?


    Yeah, don't be an idiot. Safe Surfing...

  2. Re: first critical security leak by firefox 3

    Phillip M. Jones, C.E.T wrote:
    > Spiderman wrote:
    >> first critical security leak by firefox 3:
    >>
    >> http://www.winfuture.de/news,40223.html

    >
    > I've also noted a link to a ZDnet article about it, in another thread.
    > In fact one of the blog authors is going so far as to recommend not to
    > use FF3 until the problem is fixed.
    >



    Optimistically speaking, that recommendation has little merit, in my
    view, because the nature of the threat was reported privately and has
    not yet been revealed publicly. So, there is very little chance that it
    could possibly be exploited prior to a patch opportunity by Mozilla.

  3. Re: first critical security leak by firefox 3

    Dan wrote:
    > Spiderman wrote:
    >> Spiderman wrote:
    >>> Spiderman wrote:
    >>>> Spiderman wrote:
    >>>>> first critical security leak by firefox 3:
    >>>>>
    >>>>> http://www.winfuture.de/news,40223.html
    >>>> And in english:
    >>>>
    >>>> http://dvlabs.tippingpoint.com/blog/...lla-firefox-30
    >>>>
    >>> Yes, firefox 2 has also the security problem.

    >> Are there any workarounds till the update?

    >
    > Yeah, don't be an idiot. Safe Surfing...


    What are the odds?

  4. Re: first critical security leak by firefox 3

    Dan wrote:
    > Spiderman wrote:
    >> Spiderman wrote:
    >>> Spiderman wrote:
    >>>> Spiderman wrote:
    >>>>> first critical security leak by firefox 3:
    >>>>>
    >>>>> http://www.winfuture.de/news,40223.html
    >>>> And in english:
    >>>>
    >>>> http://dvlabs.tippingpoint.com/blog/...lla-firefox-30
    >>>>
    >>> Yes, firefox 2 has also the security problem.

    >> Are there any workarounds till the update?

    >
    > Yeah, don't be an idiot. Safe Surfing...

    use protection :-\

    --
    ------------------------------------------------------------------------
    Phillip M. Jones, CET http://www.vpea.org
    If it's "fixed", don't "break it"! mailtojones@kimbanet.com
    http://www.kimbanet.com/~pjones/default.htm
    Mac G4-500, OSX.3.9, 1.5GB Mac 17" PowerBook G4-1.67 GHz, 2 GB OSX.4.11
    ------------------------------------------------------------------------

  5. Re: first critical security leak by firefox 3

    Spiderman wrote:
    > Opera has no security leaks at this moment.


    That you know of, anyway.

    FF2 and FF3 had no security leaks either, until yesterday, when one was
    discovered.

  6. Re: first critical security leak by firefox 3

    Phillip M. Jones, C.E.T wrote:
    > Spiderman wrote:
    >> first critical security leak by firefox 3:
    >>
    >> http://www.winfuture.de/news,40223.html

    >
    > I've also noted a link to a ZDnet article about it, in another thread.
    > In fact one of the blog authors is going so far as to recommend not to
    > use FF3 until the problem is fixed.


    Did he also recommend not to use FF2?

    I feel reasonably safe with NoScript installed.

  7. Re: first critical security leak by firefox 3

    On Thu, 19 Jun 2008 19:49:33 +0200
    Spiderman wrote:

    > Gudmund Areskoug wrote:
    > > squaredancer wrote:
    > >
    > >> so now you know why I don't like updates... my 1.5.0.9 doesn't leak
    > >> *hehehe*!

    > >
    > >
    > >
    > >

    >
    > Ok. FF 1.5 is safer.


    That seems extremely unlikely. None of the white hats are going to
    waste time testing a browser whose user base consists entirely of reg,
    so there aren't going to be any more advisories issued.



  8. Re: first critical security leak by firefox 3

    On 19.06.2008 20:09, CET - what odd quirk of fate caused Gudmund
    Areskoug to generate the following:? :
    > Spiderman wrote:
    >
    >> Gudmund Areskoug wrote:
    >>
    >>> squaredancer wrote:
    >>>
    >>>> On 19.06.2008 11:12, CET - what odd quirk of fate caused Spiderman to
    >>>> generate the following:? :
    >>>>
    >>>>> Spiderman wrote:
    >>>>>
    >>>>>
    >>>>>> Spiderman wrote:
    >>>>>>
    >>>>>>
    >>>>>>> first critical security leak by firefox 3:
    >>>>>>>
    >>>>>>> http://www.winfuture.de/news,40223.html
    >>>>>>>
    >>>>>>>
    >>>>>> And in english:
    >>>>>>
    >>>>>> http://dvlabs.tippingpoint.com/blog/...lla-firefox-30
    >>>>>>
    >>>>>>
    >>>>>>
    >>>>>>
    >>>>> Yes, firefox 2 has also the security problem.
    >>>>>
    >>>>>
    >>>> so now you know why I don't like updates... my 1.5.0.9 doesn't leak
    >>>> *hehehe*!
    >>>>
    >>>
    >>>
    >>>
    >>>
    >>> FWIW, BR,
    >>> Gudmund
    >>>

    >> Ok. FF 1.5 is safer. Does anybody know a workaround for the actual
    >> security problem in FF 2 and FF3?
    >>

    >
    > Other than using some other browser (Opera 9.x?), being careful
    > seems like all there is to do until someone says what's actually the
    > problem.
    >
    > So except using another browser: continue safe practices.
    >
    > BR,
    > Gudmund
    >


    Gudmund

    These are the Bugs that really *get me* - some of them are 5 and more
    years on the list and still in the release version - but of course, the
    release version has LOTS MORE bells and whistles - but do they cancel
    out the bugs??

    reg

  9. Re: first critical security leak by firefox 3

    On 19.06.2008 20:12, CET - what odd quirk of fate caused Spiderman to
    generate the following:? :
    > Spiderman wrote:
    >
    >> Gudmund Areskoug wrote:
    >>
    >>> squaredancer wrote:
    >>>
    >>>> On 19.06.2008 11:12, CET - what odd quirk of fate caused Spiderman to
    >>>> generate the following:? :
    >>>>
    >>>>> Spiderman wrote:
    >>>>>
    >>>>>
    >>>>>> Spiderman wrote:
    >>>>>>
    >>>>>>
    >>>>>>> first critical security leak by firefox 3:
    >>>>>>>
    >>>>>>> http://www.winfuture.de/news,40223.html
    >>>>>>>
    >>>>>>>
    >>>>>> And in english:
    >>>>>>
    >>>>>> http://dvlabs.tippingpoint.com/blog/...lla-firefox-30
    >>>>>>
    >>>>>>
    >>>>>>
    >>>>>>
    >>>>> Yes, firefox 2 has also the security problem.
    >>>>>
    >>>>>
    >>>> so now you know why I don't like updates... my 1.5.0.9 doesn't leak
    >>>> *hehehe*!
    >>>>
    >>>
    >>>
    >>>
    >>>
    >>> FWIW, BR,
    >>> Gudmund
    >>>

    >> Ok. FF 1.5 is safer. Does anybody know a workaround for the actual
    >> security problem in FF 2 and FF3?
    >>

    > I didn't find any workaround. So I will have to wait for the patch. I'm
    > watching http://wiki.mozilla.org/Releases/
    >


    no use waiting for a patch - the bug won't be resolved until the next
    release, as Moz refuses to run patches.

    reg

  10. Re: first critical security leak by firefox 3

    On 19.06.2008 23:05, CET - what odd quirk of fate caused Virtual Guy to
    generate the following:? :
    > Phillip M. Jones, C.E.T wrote:
    >
    >> Spiderman wrote:
    >>
    >>> first critical security leak by firefox 3:
    >>>
    >>> http://www.winfuture.de/news,40223.html
    >>>

    >> I've also noted a link to a ZDnet article about it, in another thread.
    >> In fact one of the blog authors is going so far as to recommend not to
    >> use FF3 until the problem is fixed.
    >>
    >>

    >
    >
    > Optimistically speaking, that recommendation has little merit, in my
    > view, because the nature of the threat was reported privately and has
    > not yet been revealed publicly. So, there is very little chance that it
    > could possibly be exploited prior to a patch opportunity by Mozilla.
    >


    huch - it's been made public now!!!!

    reg

  11. Re: first critical security leak by firefox 3

    Tarkus wrote:
    > Spiderman wrote:
    >> Opera has no security leaks at this moment.

    >
    > That you know of, anyway.
    >
    > FF2 and FF3 had no security leaks either, until yesterday, when one was
    > discovered.

    Secunia says four security holes in FF.

  12. Re: first critical security leak by firefox 3

    Tarkus wrote:
    > Phillip M. Jones, C.E.T wrote:
    >> Spiderman wrote:
    >>> first critical security leak by firefox 3:
    >>>
    >>> http://www.winfuture.de/news,40223.html

    >>
    >> I've also noted a link to a ZDnet article about it, in another thread.
    >> In fact one of the blog authors is going so far as to recommend not to
    >> use FF3 until the problem is fixed.

    >
    > Did he also recommend not to use FF2?
    >
    > I feel reasonably safe with NoScript installed.


    No he didn't. Only FF3.

    --
    ------------------------------------------------------------------------
    Phillip M. Jones, CET http://www.vpea.org
    If it's "fixed", don't "break it"! mailtojones@kimbanet.com
    http://www.kimbanet.com/~pjones/default.htm
    Mac G4-500, OSX.3.9, 1.5GB Mac 17" PowerBook G4-1.67 GHz, 2 GB OSX.4.11
    ------------------------------------------------------------------------

  13. Re: first critical security leak by firefox 3

    On 6/20/08 5:57 AM, _squaredancer_ spoke thusly:
    > On 19.06.2008 23:05, CET - what odd quirk of fate caused Virtual Guy to
    > generate the following:? :
    >> Optimistically speaking, that recommendation has little merit, in my
    >> view, because the nature of the threat was reported privately and has
    >> not yet been revealed publicly. So, there is very little chance that
    >> it could possibly be exploited prior to a patch opportunity by Mozilla.

    >
    > huch - it's been made public now!!!!


    The existence of it is public, not the actual exploit.

    --
    Chris Ilias
    List-owner: support-firefox, support-thunderbird, test-multimedia

  14. Re: first critical security leak by firefox 3

    squaredancer wrote:
    > On 19.06.2008 20:09, CET - what odd quirk of fate caused Gudmund
    > Areskoug to generate the following:? :
    >> Spiderman wrote:
    >>
    >>> Gudmund Areskoug wrote:
    >>>
    >>>> squaredancer wrote:
    >>>>
    >>>>> On 19.06.2008 11:12, CET - what odd quirk of fate caused Spiderman to
    >>>>> generate the following:? :
    >>>>>
    >>>>>> Spiderman wrote:
    >>>>>>
    >>>>>>
    >>>>>>> Spiderman wrote:
    >>>>>>>
    >>>>>>>> first critical security leak by firefox 3:
    >>>>>>>>
    >>>>>>>> http://www.winfuture.de/news,40223.html
    >>>>>>>>
    >>>>>>> And in english:
    >>>>>>>
    >>>>>>> http://dvlabs.tippingpoint.com/blog/...lla-firefox-30
    >>>>>>>
    >>>>>>>
    >>>>>>>
    >>>>>>>
    >>>>>> Yes, firefox 2 has also the security problem.
    >>>>>>
    >>>>> so now you know why I don't like updates... my 1.5.0.9 doesn't leak
    >>>>> *hehehe*!
    >>>>>
    >>>>
    >>>>
    >>>>
    >>>>
    >>>> FWIW, BR,
    >>>> Gudmund
    >>>>
    >>> Ok. FF 1.5 is safer. Does anybody know a workaround for the actual
    >>> security problem in FF 2 and FF3?
    >>>

    >>
    >> Other than using some other browser (Opera 9.x?), being careful
    >> seems like all there is to do until someone says what's actually the
    >> problem.
    >>
    >> So except using another browser: continue safe practices.
    >>
    >> BR,
    >> Gudmund
    >>

    >
    > Gudmund
    >
    > These are the Bugs that really *get me* - some of them are 5 and more
    > years on the list and still in the release version - but of course, the
    > release version has LOTS MORE bells and whistles - but do they cancel
    > out the bugs??
    >
    > reg


    I'm guessing there are bugs that can not and will not be fixed, ever,
    because they're a fundamental flaw in the core program and can't be
    fixed without a major rewrite. Firefox.exe running on after the last
    window is closed, as a possible example.
    One 'bug'*, apparent to me anyway, in Thunderbird got fixed a couple
    releases back so I believe they're fixing those things they can...

    *(I have Thunderbird open 24-7 on my work box. Whenever I had to close
    it for an add-on or something, the .exe used to run on for ~10 minutes
    after quitting the application. Now it stops immediately.)

  15. Re: first critical security leak by firefox 3

    Tarkus wrote:
    > Phillip M. Jones, C.E.T wrote:
    >> Spiderman wrote:
    >>> first critical security leak by firefox 3:
    >>>
    >>> http://www.winfuture.de/news,40223.html

    >>
    >> I've also noted a link to a ZDnet article about it, in another thread.
    >> In fact one of the blog authors is going so far as to recommend not to
    >> use FF3 until the problem is fixed.

    >
    > Did he also recommend not to use FF2?
    >
    > I feel reasonably safe with NoScript installed.



    Yes, the NoScript add-on does a good job of plugging what few holes
    there are in Firefox. It gets my vote as the top add-on for Ff.

  16. Re: first critical security leak by firefox 3

    clay wrote:
    > squaredancer wrote:
    >> On 19.06.2008 20:09, CET - what odd quirk of fate caused Gudmund
    >> Areskoug to generate the following:? :
    >>> Spiderman wrote:
    >>>
    >>>> Gudmund Areskoug wrote:
    >>>>
    >>>>> squaredancer wrote:
    >>>>>
    >>>>>> On 19.06.2008 11:12, CET - what odd quirk of fate caused
    >>>>>> Spiderman to
    >>>>>> generate the following:? :
    >>>>>>
    >>>>>>> Spiderman wrote:
    >>>>>>>
    >>>>>>>
    >>>>>>>> Spiderman wrote:
    >>>>>>>>
    >>>>>>>>> first critical security leak by firefox 3:
    >>>>>>>>>
    >>>>>>>>> http://www.winfuture.de/news,40223.html
    >>>>>>>>>
    >>>>>>>> And in english:
    >>>>>>>>
    >>>>>>>> http://dvlabs.tippingpoint.com/blog/...lla-firefox-30
    >>>>>>>>
    >>>>>>>>
    >>>>>>>>
    >>>>>>>>
    >>>>>>> Yes, firefox 2 has also the security problem.
    >>>>>>>
    >>>>>> so now you know why I don't like updates... my 1.5.0.9 doesn't leak
    >>>>>> *hehehe*!
    >>>>>>
    >>>>>
    >>>>>
    >>>>>
    >>>>>
    >>>>> FWIW, BR,
    >>>>> Gudmund
    >>>>>
    >>>> Ok. FF 1.5 is safer. Does anybody know a workaround for the actual
    >>>> security problem in FF 2 and FF3?
    >>>>
    >>>
    >>> Other than using some other browser (Opera 9.x?), being careful
    >>> seems like all there is to do until someone says what's actually the
    >>> problem.
    >>>
    >>> So except using another browser: continue safe practices.
    >>>
    >>> BR,
    >>> Gudmund
    >>>

    >>
    >> Gudmund
    >>
    >> These are the Bugs that really *get me* - some of them are 5 and more
    >> years on the list and still in the release version - but of course,
    >> the release version has LOTS MORE bells and whistles - but do they
    >> cancel out the bugs??
    >>
    >> reg

    >
    > I'm guessing there are bugs that can not and will not be fixed, ever,
    > because they're a fundamental flaw in the core program and can't be
    > fixed without a major rewrite. Firefox.exe running on after the last
    > window is closed, as a possible example.
    > One 'bug'*, apparent to me anyway, in Thunderbird got fixed a couple
    > releases back so I believe they're fixing those things they can...
    >
    > *(I have Thunderbird open 24-7 on my work box. Whenever I had to close
    > it for an add-on or something, the .exe used to run on for ~10 minutes
    > after quitting the application. Now it stops immediately.)


    Some bugs require fixing at the OS level. Others aren't more than an
    occasional problem, and would be very hard to nail down (like the one
    you mention, that I strongly suspect is a Windows bug).


    --
    Ron Hunter rphunter@charter.net

  17. Re: first critical security leak by firefox 3

    On Fri, 20 Jun 2008 11:55:33 +0200
    squaredancer wrote:

    > no use waiting for a patch - the bug won't be resolved until the next
    > release, as Moz refuses to run patches.


    They've been releasing Firefox patches for years now, ever since
    automatic updating was introduced.

  18. Re: first critical security leak by firefox 3

    On 20.06.2008 20:57, Q wrote:

    --- Original Message ---

    > On Fri, 20 Jun 2008 11:55:33 +0200
    > squaredancer wrote:
    >
    >> no use waiting for a patch - the bug won't be resolved until the next
    >> release, as Moz refuses to run patches.

    >
    > They've been releasing Firefox patches for years now, ever since
    > automatic updating was introduced.


    But it's still a full download IIRC. Don't ever remember seeing a 100k
    "patch" or the like.

    --
    Jay Garcia Netscape Champion
    UFAQ - http://www.UFAQ.org

  19. Re: first critical security leak by firefox 3

    On Fri, 20 Jun 2008 22:00:00 -0500
    Jay Garcia wrote:

    > On 20.06.2008 20:57, Q wrote:
    >
    > > On Fri, 20 Jun 2008 11:55:33 +0200
    > > squaredancer wrote:
    > >
    > >> no use waiting for a patch - the bug won't be resolved until the
    > >> next release, as Moz refuses to run patches.

    > >
    > > They've been releasing Firefox patches for years now, ever since
    > > automatic updating was introduced.

    >
    > But it's still a full download IIRC. Don't ever remember seeing a 100k
    > "patch" or the like.


    They're just globs of binary diff files along with some metadata. The
    patchset for updating Fx 2.0.0.13 to 2.0.0.14 (en-US) is 269 KB.


  20. Re: first critical security leak by firefox 3

    On 21.06.2008 03:57, CET - what odd quirk of fate caused Q to
    generate the following:? :
    > On Fri, 20 Jun 2008 11:55:33 +0200
    > squaredancer wrote:
    >
    >
    >> no use waiting for a patch - the bug won't be resolved until the next
    >> release, as Moz refuses to run patches.
    >>

    >
    > They've been releasing Firefox patches for years now, ever since
    > automatic updating was introduced.
    >


    a genuine patch will d/l and then auto-install OVER the bad code only,
    on user-instruction (see windows patches)... or, in some cases even
    auto-install on d/l.
    The FF / TB updates are *called* updates - not patches - so that the
    User actually believes that s/he is getting the latest version - and to
    disprove your point... d/l and installing FF 2.0.0.14 "from scratch" (ie
    without any Moz previously installed) will d/l and install the *FULL*
    version... not just 269KB of revised code!

    reg
