Firefox 1.5 Exploit Code in the Wild
By Nate Mook | Published December 8, 2005, 1:31 PM
Proof-of-concept exploit code for an unpatched security flaw in the newly released Firefox 1.5 was publicly posted Wednesday by Packetstorm Security. The problem involves Firefox's history database, which cannot handle extremely long page titles. A malicious Web page could cause a buffer overflow that crashes Firefox each time it is started.
The only current workaround is to manually delete the history.dat file before Firefox is started. "This vulnerability has been tested and does work, and no known patches are available at this time," wrote John Bambenek on the SANS Internet Storm Center. "Presumably, if the topic was more tightly crafted than in the proof-of-concept code, a more malicious attack could be crafted that would install malware on the machine."
Update 2, by John Bambenek: "The official response from the folks at mozilla.org can be found here (http://www.mozilla.org/security/history-title.html). Their results match our testing, that we were able to make it take a long time for Firefox to start, but were not able to make it crash. Further, there doesn't seem to be any credible evidence at this time that this could be exploited to execute arbitrary code."
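The article's only workaround is to delete history.dat before Firefox starts. The following script is an added illustration of how an administrator could automate that check; it is not code from the article, from Mozilla or from the advisory. It treats history.dat as plain text (Mork is a text format) and flags a file whose size or longest line is far beyond anything a genuine page title would produce. The thresholds, the sample file contents and the `quarantine_history` helper are all assumptions made for this example.

```python
"""Pre-start check for an oversized Firefox 1.5 history.dat (hypothetical defender tool)."""
import os
import shutil
import time
from typing import Dict, List, Optional

# Heuristic thresholds: assumed values chosen for this example, not from the advisory.
MAX_LINE_BYTES = 64 * 1024          # no legitimate page title comes anywhere near this
MAX_FILE_BYTES = 50 * 1024 * 1024   # a browsing history for one profile should stay well below this


def longest_line(data: bytes) -> int:
    """Length in bytes of the longest newline-free run in the file."""
    return max((len(line) for line in data.split(b"\n")), default=0)


def assess_history(data: bytes,
                   max_line: int = MAX_LINE_BYTES,
                   max_file: int = MAX_FILE_BYTES) -> Dict[str, object]:
    """Return a small report saying whether the file looks poisoned and why."""
    longest = longest_line(data)
    reasons: List[str] = []
    if len(data) > max_file:
        reasons.append(f"file is {len(data)} bytes (> {max_file})")
    if longest > max_line:
        reasons.append(f"longest line is {longest} bytes (> {max_line})")
    return {
        "size": len(data),
        "longest_line": longest,
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


def quarantine_history(profile_dir: str) -> Optional[str]:
    """Apply the article's workaround: move a suspicious history.dat aside before
    Firefox is launched. Returns the backup path, or None when nothing was moved."""
    path = os.path.join(profile_dir, "history.dat")
    if not os.path.isfile(path):
        return None
    with open(path, "rb") as fh:
        report = assess_history(fh.read())
    if not report["suspicious"]:
        return None
    backup = f"{path}.{int(time.time())}.bak"   # keep a copy rather than deleting outright
    shutil.move(path, backup)
    return backup


# Constructed samples (approximate Mork-looking text, not captured from a real profile).
NORMAL_SAMPLE = (
    b'// <!-- <mdb:mork:z v="1.4"/> -->\n'
    b'[1(^80=Example Page)(^81=http://example.invalid/)]\n'
)
POISONED_SAMPLE = (
    b'// <!-- <mdb:mork:z v="1.4"/> -->\n'
    b'[2(^80=' + b"A" * (MAX_LINE_BYTES + 1) + b')]\n'
)

if __name__ == "__main__":
    for name, sample in (("normal", NORMAL_SAMPLE), ("poisoned", POISONED_SAMPLE)):
        print(name, assess_history(sample))
```

Run `quarantine_history` against the profile directory from a login script or a wrapper around the Firefox launcher; because the file is moved rather than deleted, the history can be restored once a fixed build is installed.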
Packetstorm Security obviously has a hidden agenda
Score: 0
|Browser vs. Browser: Pick your poison.
Score: 0
|I'll take the one that has antidotes prepared the fastest for it ;)
Score: 0
|Still far fewer problems than IE... IMO... Firefox rules...
Score: 0
|This is actually not a Firefox-specific bug, but a long-known Mozilla problem.
It's common knowledge among the Mozilla hackers that the history database format (as well as the address book in Mozilla mail), named "Mork", was coded by a guy who was totally out of it.
The format is impossible to understand, the code is hard as hell to maintain, and no one has yet dared to replace it with something better, even though there are plans to use a unified, less bug-prone storage engine (http://wiki.mozilla.org/Mozilla2:Unified_Storage).
More info about Mork here: http://bjf.id.au/cgi-bin...ware/20050429-mork.html
Score: 0
|Nice. I've done some stuff for a... mates? ;) Now they can enjoy all the jacks :D
Score: 0
|Come on BetaNews people. It's completely unreasonable to call this an "exploit" or even a "security flaw", as there's no way to exploit or run malicious code.
All this does is cause Firefox to load much slower. So let's all come to our senses here, shall we?
Score: 0
|Actually, according to the first link in the article:
"however, code execution is possible with some modifications."
Anyway, I still love my Firefox :)
Score: 0
|I like writtin' 2day much ;)
Japanish says: there's no ackes, there's illness in a body
Score: 0
|If you don't like Firefox, don't use it. If you don't like the claims that Firefox is 'safer' than Internet Explorer, don't use it.
The Mozilla Foundation will release a patch for this exploit. They will release a patch for any exploit much faster than Microsoft ever will.
Nothing is completely safe, but at least we can rest easier knowing that the programmers of Firefox will resolve the issue promptly.
Score: 0
|Did you miss the whole point of the post, or is it just over your head?
Score: 0
|Hey, darlin'
What are u talkin 'bout? Safety? Does safety not depends on market share? Oh, sorry. It's in ethic written, answers first. I use Ff, who said it's safer, when all the safety comes from unsupporting activex and virtualizing secure zones, [wo]man? Let's begin from crashes when msdos came, stud'stuff for a while before talking. Unix are crashing easy, but many homics uses winds, so politics are easy at all. Give homes Ff to use more, holes will follow.
No offence, jander*, just my opinion :)
Score: 0
|It said 'exploid me', or 'it just over you head'?
Score: 0
|Once again I just have to laugh. When will all these MS bashers realize Firefox is no better than the rest of them?
When you write literally millions of lines of code you are going to have vulnerabilities no matter what company you are.
Most of the time they don't know of an exploit until it happens.
There is just way too much testosterone here; it's just a browser!
Score: 0
|For me, it has nothing to do with bashing Microsoft, though their track record with security is less than stellar. I personally think they deserve it, because they make choices based on sales and marketing instead of what makes for the best software. But that is beside the point.
Firefox generally *is* more secure. Fewer exploits, and the ones that have been found tend to be much less severe.
I'm no fanboy. I agree that software fanboys are truly irritating. But implying that you're not better off running Firefox than IE is irresponsible.
Score: 0
|Nobody, at least out of the people who have any idea what they're talking about, has claimed that Firefox never has flaws. We simply argue that when a critical flaw comes to their attention, they fix it in a matter of days or weeks, instead of waiting years to fix it like Microsoft does.
Score: 0
|I'll admit, I've bashed MS before, but only when they truly deserved it. However, when I started using Firefox, I did so knowing full well that it would have its own set of security flaws to go along with it. I mainly began using it because of its extensibility, simply because it allows me to choose the features that are best suited to what I need. I don't get stuck with a bunch of stuff I never use, as is the case with Opera (which for some reason I find to be a bit clunky). In the case of IE, there's a serious lack of features that are available to me through Firefox. So yea, I'm not a FF user because I believe it's bullet proof, because any fool should know that the very idea of an impervious browser is ludicrous.
Score: 0
|Exactly my point, I am not saying IE is better than any of the other browsers only that to bash any of these companies is crazy.
You can't plug a security hole until you know you have one.
I also agree MS does take too long to address some issues.
No reputable company is going to invest tens of millions of dollars to intentionally put out a bad product that could make them fall on their face. There's just too much at stake. (Oh, this includes every reputable company but Sony; they're just stupid!)
Now I am not saying some might not rush things to market in hopes to fix it later. (which is stupid)
Score: 0
|Agree ;) Nicy thing u wrote. Maybe MS programmers are flat ones? ;) Who knows, when all the docs are included in company side? Anyway, u truth.
Score: 0
|Hmm, too bad, but a patch for this bug will be available soon, and the auto update feature will install it fully automatically for you, so what is the big deal?
Nope, I don't even use Mozilla Firefox. I use SeaMonkey, but Mozilla (Firefox/Suite) is compiled from (almost) the same source code, so it might also be affected.
Score: 0
|All I have to say is, HAHAHA! Take that you retarded firefox fanboys. Your precious browser has been compromised and will continue to get compromised as it becomes ever more popular.
NOTE: I am no IE/Opera fanboy. All browsers have their flaws. It's just that I'm sick of FF fanboys. It's a browser, get over it.
Score: 0
|Obviously a well-reasoned comment. How long did it take you to get the wording just-so?
However, you're correct - all browsers do have their flaws and I think it would be unreasonable to assume a browser never has any flaws discovered. The real proof will be in the time it takes for a fix to appear.
Score: 0
|what is your opinion on osirisX fanboys
Score: 0
|You're not a fanboy, you're a troll. Fortunately your post only applies to those who are 1) Retarded, 2) Fanboys, such as that which your very own zealotry exhibits.
Score: 0
|"Your precious browser has been compromised"
By whom? When? PoC is not a threat. Now, if it actually existed in the wild, and not on some lab-machine, you might be right.
Nice try.
Score: 0
|wrong place...deleted
Score: 0
|This should be a good first public test for the new auto-update feature in Firefox.
Meanwhile, it's worth noting that although this vulnerability has come to light within a fortnight of the newest major upgrade for Firefox, it's really not that big a deal, seeing as Secunia have rated the bug as "Not critical".
It's also worth noting that, aside from this relatively minor security issue that has arisen in Firefox, one of the current security bugs in IE has been there for about six months now, and is rated as "Extremely Critical" by Secunia.
Is there a patch for it? Nope. Nada. Zilch. Zero. Not a sausage!
The tiny hole in Firefox: www.secunia.com/advisories/17934
The massive hole in IE: www.secunia.com/advisories/15546
Score: 0
|Precisely what I was thinking.
Yay for auto-update, now I won't have to manually download Firefox 1.51 on 6 Different machines.
Score: 0
|Not even a POC for that IE hole, and after two years of searching I have yet to see this issue ever exploited. BTW--it's a java issue--not an IE issue!
Score: 0
|That would be funny if it wasn't so retarded!
Yay for lazy MS again! This isn't the first (or last) time either!
Maybe they don't understand what "Extremely Critical" means OR more simply, they just don't care!
Score: 0
|Then why isn't it an issue in any other browser? Are they just not looking?
I'd think Secunia would not post it at all, or at the very least cross-link it to all browsers supporting Java, if it was a Java-only issue.
Just wondering...
(Oh, and on that page..in case you missed it...
"A PoC exploit has been released for this vulnerability"
...apparently you missed it.)
Score: 0
|Or...if it's not likely to be used to exploit, perhaps they are actively ignoring it and focusing on more important matters, possibly less critical, but more likely to be exploited in the near future.
Score: 0
|"Proof of concept" != In the Wild.
I don't know where you come up with this stuff, man. I know sensational headlines draw readers, but that's just plain false and misleading.
"A malicious Web page could cause..." (Could...but isn't...I could beat my cube-mate with a Louisville...but I didn't.)
Link us up with a malicious site that does. Not some hack to prove a concept, but some hacker or kiddie trying to break people's machines and then we'll worry.
Mozilla will have this fixed before it gets anywhere near that point.
Score: 0
|"Proof of concept exploit *CODE* for an unpatched security flaw in the newly released Firefox 1.5..." [emph. added]
That's close enough for me. Even if I showed you a website you wouldn't believe me--even if you're right FF still has a security flaw. I'll remember to never listen to your rants about IE/Opera "flaws" until you show me a link to an exploit that is "in the wild" for every post...
Score: 0
|"A malicious Web page could cause..."
This is the same for nearly every IE exploit reported and all the haters jump all over it saying "Yup that's MS for ya, insecure and buggy".
Such fanboi hypocrites, this news report is identical to IE reports with FF substituted, had it been IE you would have said different.
Score: 0
|So the only two responses accuse me of being a fanboy and ranting against IE?
Sounds pretty hypocritical to me, there, dude.
Proof of Concept *CODE* is still only PoC....no matter how many asterisks or caps you add to it.
I really don't care if you *think* I would believe you or not, it's not the point.
It was you who brought up IE...not I.
Score: 0
|Want to try explaining how your response is not a typical fanboy response?
Great! IE gets PoC exploits too? Wow. Now if only this topic had anything at all to do with IE, your comments might be somewhat nearer the realm of on-topic.
"had it been IE you would have said different."
And what makes you think you know me so damn well, eh? Read my post again. I said nothing about IE. You brought it up, not I.
Thanks anyway.
Score: 0
|Why do you have to be the one who brings up IE for it to be used in a reply? I read the news here, I see your Tool-ish replies to other reports, there is a trend. The point is, that because it is FF, you write a defensive post where if it were "another product" it would have (and has) been a different response. Cherry pick the reply all you want, you are still a hypocrite.
Score: 0
|When was the last time I posted an IE flame in a topic where a flaw was found in IE?
Easy enough to search on. Good luck.
Claiming I'm a hypocrite does not make it so.
Score: 0
|Now, I might be mistaken, but I'm pretty sure PortableFirefox would be immune since by default it doesn't store a history of what sites you visit...
Score: 0
|Did I say that you rant against IE? Nope. Read it again carefully (I did not edit it since your post, either). Proof of concept != in the wild? First of all I don't mean to sound like Bill Clinton but what is the definition of "in the wild" anyway? I see your point on this, but to me PoC means just hours--if not minutes--before it is on a website somewhere. Of course you disagree with me on this point.
BTW: Even if I put twelve asterisks around it? Thirteen? :)
Score: 0
|"I'll remember to never listen to your rants about IE/Opera "flaws" "
You said it.
In the Wild = Currently being used to exploit vulnerable machines.
And 12-13 is nothing. Gotta be at least over 20, man.
Score: 0
|Possibly, but how many folks actually use PF? I only just heard of it 2 days ago, and according to many here, apparently, I am a fanboy.
*shrug*
Still don't know if that'd work as a valid reason to avoid FF over PF. I mean, the exploit isn't even in use, and the Mozilla Foundation will have it patched likely well before it ever is.
Score: 0
|"I'll remember to never listen to your rants about IE/Opera "flaws""
Alright, here's another one: I will remember to never listen to your rants about George Bush. Does that mean you have ever "ranted" about him? Nope. What I said is true though.
Score: 0
|I'm sure you can see how I understood it the way I did, though, eh? Why say it if you don't think it, and what-not.
I agree that it's a security flaw. I never claimed it not to be, I simply had a problem with the headline blowing it out of proportion...of course, my disagreement with that headline has now also been blown out of proportion, so I guess all is good.
:P
I suppose it comes down to a difference of definition. To me, ITW means it's out there, on warez sites, waiting to tear your heart out, stomp on it, date your girlfriend, and steal your Cap'n Crunch. Under that assumption, the headline is dead wrong.
Kinda gives anyone who thinks ITW means the same as I do the wrong impression, eh?
That's my beef, and I'm sticking to it.
Score: 0
|DOH!
No browser will ever be 100% safe. Just like Windows OS and most other programs.
At least the competition will help promote more innovation within browsers.
IE would still be using windowed browsing if Firefox (and others) hadn't started using tabs.
Every program has competitors, they help increase innovation, new features and overall safety. It's easier to attack people's computer if they all use the same program.
At least if there are 2 browsers, you've got a smaller chance of being targeted. Even less if there's more competition!
Personally my main problem is with websites installing spyware and the like, for now Firefox works best for me.
I also like all the different extensions (weather, adblock, etc.) I have installed.
It's each to his own really, you should choose which one works best for you.
None will ever be 100% truly safe. Just enjoy the results of a little healthy competition!!
Score: 0
|Oh, but that's impossible... Open source doesn't have bugs... END SARCASM
Score: 0
|Actually I think that's the very nature of open source, so your sarcasm is kind of off-base. The whole idea behind open source is to put the source code out there so developers/testers/etc. can help find and fix bugs and make improvements. Most people that support open source aren't going to claim there are no bugs.
On the other side though, for Firefox users (who I am one of) who claim it has no flaws and is air tight (who I am NOT one of) are a little over zealous. Everything has its flaws... it just comes down to who decides to capitalize on them.
Score: 0
|Days after 1.5 comes out too...As I said from the beginning, just a matter of time before FF gets attacked as quickly as IE does. Still hasn't reached that point, but getting closer.
EDIT: Oh and guess what? *MICROSOFT* Windows XP SP2 combined with a Data Execution Prevention CPU would limit this problem!
Score: 0
|Data Execution isn't going to solve the problem of poorly programmed or written software. It just prevents known program hacks from running, and you can set a limit on software that will run on the machine.
Have you actually set up Data Execution? There is a BIOS setting, a BIOS update, additional software to install in the OS, changing a registry setting, and then monitoring the list of software that is ALLOWED to run. It's more work to use than it's worth. Unless they find a much easier and better way to administer it, it will NEVER get noticed. If you miss an add-on, or a program, you are screwed. Some suites, like Office, you have to INCLUDE "ALL" the applications in the suite.
You can't choose "Microsoft Office" as an allowable package; you have to choose Word, Outlook, Excel, Access, Paint, mstoolbar, open document, save document, and each and every executable... Yeah, Data Execution is a GREAT idea...
*rolling eyes*
Score: 0
|"Have you actually set up Data Execution? There is a BIOS setting, a BIOS update, additional software to install in the OS, changing a registry setting, and then monitoring the list of software that is ALLOWED to run. It's more work to use than it's worth. Unless they find a much easier and better way to administer it, it will NEVER get noticed. If you miss an add-on, or a program, you are screwed. Some suites, like Office, you have to INCLUDE "ALL" the applications in the suite."
*sigh* Apparently you forgot about the processor support. You're referring to SOFTWARE DEP. I have an AMD Athlon 64 4400+ X2 CPU with HARDWARE DEP and I don't have to deal with all that %$@! you're rambling about.
Score: 0
|Kerio Personal Firewall. Prevents exe's from launching or being loaded into memory. Sure it can execute malicious code on my machine fine, but it's not installing anything! :P
Score: 0
|That's why I still use Avant Browser.
More stable than FF :)
*enough said.
Score: 0
|EDIT: ... limit this problem until crash ;) Ye, I like all the multiused things like IE. Many people uses, many holes found, many investments follow... it's cool I think. Or we could go back 20 years ago and be homo erectus
Score: 0