First Firefox 3 patch fixes a security hole linked to Safari
By Scott M. Fulton, III | Published July 16, 2008, 11:40 AM
12:35 pm EDT July 16, 2008 - BetaNews has confirmed users' reports of Firefox 3.0.1 download attempts being met with "550 Permission Denied" errors, off and on throughout the day today. We've already downloaded and installed v3.0.1 ourselves previously, and thus far have noted no trouble with it.
In another sign that the good guys are not only becoming more clever but are cooperating more closely with vendors, a potentially serious problem with the newest Firefox was fixed before anyone could sound the alarms of impending doom.
Last month, an independent security researcher named Nitesh Dhanjani made news in Brian Krebs' security column in the Washington Post, for having advised Apple of a serious security hole he discovered in Safari for Windows, and how Apple responded with relative indifference. That news helped Apple to change its tune, and issue a security fix for the Windows-based Safari that plugs what Dhanjani referred to as a "carpet bomb" attack.
It's an aptly named exploit, emerging from the fact that Safari didn't inform users in advance when a script triggered it to download files, including to the desktop. As screenshots sent to Krebs at the Post indicate, the exploit results in a desktop chock full of unwanted files.
So what has this to do with Mozilla Firefox? As it turns out, another well-known security researcher named Billy "BK" Rios took Dhanjani's exploit one step further. Specifically, he discovered that if an unpatched Safari and any version of Firefox were installed on the same system, Safari could be triggered to download files that are, in fact, XUL scripts executable by Firefox. If Safari could place the downloaded file in a fixed or guessable location, Firefox could be triggered to execute that file by sending it a URI with the file:// prefix.
Once that happens, a script may give a malicious user access to the client's file system. Mozilla, to its credit, did not treat the issue with indifference, releasing a fix for Firefox 2 and the first security patch for Firefox 3.
In its security bulletin, Mozilla advised users of possible workarounds prior to implementing the patch, one being to leave Firefox running -- the browser can't be triggered into running the script unchecked if it's already active. It also implied that not having Safari installed may prevent the situation from occurring.
I'm a little confused. Yes, I see the problems reported in the update. However a look on Mozilla's ftp server shows 3.0.1 and I was able to download without any problems.
Can anyone confirm this? Link to US-EN Firefox v 3.0.1
http://releases.mozilla....eases/3.0.1/win32/en-US/
EDIT: My mistake. This is a beta test of 3.0.1 Sorry about that.
Score: 0
|Nah, it's the actual 3.0.1. The reason the URL refers you to a beta page is cos it's not out officially but it's in the "3.0.1" directory. Betas wouldn't be in the "3.0.1" folder but in a completely differently named folder.
Score: 0
|but in a completely differently named folder.
Like:
/Beta's go here.
Or:
/Tazmanian Midget Wrestling
Ya know....something like that.
Score: 0
|As I understand this problem, it relates to a relationship between FF and Safari. So unless you are using a Mac or have Safari installed on a Windows system, this security hole does not affect Windows. Hence, no need to update your Windows version unless you have Safari on your Windows system.
Score: 0
|apple knows nothing about security. This is stupid
Score: 0
|While I believe that no OS is perfect, I disagree with your comment:
"apple knows nothing about security" The problems with the Apple OS that have come up over the last year and a half are problems that have always been there but not exploited because of market share. As Apple's share has increased, these "holes" have come to light and Apple has dealt with them just as MS has had to deal with their "holes". Just my opinion and this is not designed to start a flame war, though I suspect Betanews would love to see that as it means more clicks on "news" and they can use this to charge more for ads.
Have a nice day:)
Score: 0
|Apache has ~50%+ marketshare, is used on hundreds of thousands of servers, and has very few vulns. Even IIS6 has few vulns. These are internet facing webservers. If anything can be hacked, it is these, yet they remain secure.
Pwned Apple!
Score: 0
|is used on hundreds of thousands of servers
I think you're missing a key point here:
Most malware targets Desktops. Systems that are actually *used* ... by *humans* to get them to buy stuff.
It's evolved into less of a hacking instrument (hacking the webserver isn't going to make them rich) and more of a marketing tool (hacking the desktop to display spam has made the spammers billions).
If anything can be hacked, it is these, yet they remain secure.
Not exploited != secure.
Score: 0
|Safari has already been patched for a little while.
Score: 0
|releasing a fix for Firefox 2 and the first security patch for Firefox 3.
Download Firefox 2.0.0.16 from FileForum now.
....where's the patch for FF3? Not available yet?
Score: 0
|I was about to quote the same thing.
However, if you'd looked at the right hand side of the BetaNews homepage you'd have spotted this:
http://fileforum.betanew...Windows_v3/1032985422/4
Score: 0
|It is confusing that the article links to the previous version for your convenience. ;)
Score: 0
|Just type in Opera.com and the fix is called Opera 9.51 I believe.
Score: 0
|Another case of jumping the gun on releasing an update? It's funny how often this happens with BN attempting to be the first to get any news out about a new FF release.
Score: 0
|That is still version 3. You've confused an already confusing issue.
People that beta tested FF3 have randomly gotten 3.0.1 already.
Score: 0
|*gasp*
What happened to all my extensions?!?!?
Where did all my bookmarks go???
Why did my address bar lose nearly all of its new functionality???
Yeah...some fix.
Score: 0
|Right, and they're working on version 9.52, for some reason.
Score: 0
|I updated from 9.2x to 9.5 without any issues... and updated to 9.51 when it came out - again no issues.
Maybe just bad luck PC_Tool?
Score: 0
|Ummm, I believe he's saying that his Firefox bookmarks, extensions, etc., for some reason, don't show up automagically in Opera, so it's not really a fix for Firefox.
Score: 0
|I can see that... Though, I've been able to upload my bookmarks from FF to Opera without any hassle. *shrugs*
Score: 0
|Look up sarcasm:
Try google.
Look at any of my other posts...including this one, for reference material.
Let me know how it goes. ;)
Score: 0
|Meh. It was 3.01 earlier. They've rolled it back.
Score: 0
|Indeed. I quite agree.
Score: 0
|Hrmm... the only common thread I see in most of your previous posts is that you're a jerk.
Oh wait, never mind... I get it! ;)
Score: 0
|What's funny is that the moment I was reading your post, I wondered the same thing myself... and then Firefox popped up a little window stating an updated version was available.
That one made me look over my shoulder... briefly. :)
Score: 0
|I got the sarcasm PC_Tool...
I just misunderstood the direction. I read it as you updated previous versions of Opera to the new 9.5X and had some issues.
Not that changing browsers would cause you to lose your apps, etc, etc, etc...
Though, that being said, I did an install of 9.5 a couple weeks ago on the GF's laptop, she had been using FF2, and it took all of her bookmarks without any issues. She had no plugins so that wasn't a concern.
*shrugs*
Score: 0
|you're a jerk.
Most people aren't that kind. ;)
Thank you!
Score: 0
|Nah...tried Opera when 9 was released, haven't touched it since.
Just preference. ;)
Score: 0
|Yup, that's me. Always one step ahead. ;)
(OK...maybe there *is* such a thing as too much coffee...)
Score: 0
|"OK...maybe there *is* such a thing as too much coffee..."
*gasp*
Score: 0
|Indeed. =)
Score: 0