
First Firefox 3 patch fixes a security hole linked to Safari

By Scott M. Fulton, III, BetaNews

July 16, 2008, 11:40 AM


12:35 pm EDT July 16, 2008 - BetaNews has confirmed users' reports of Firefox 3.0.1 download attempts being met with "550 Permission Denied" errors, off and on throughout the day today. We've already downloaded and installed v3.0.1 ourselves previously, and thus far have noted no trouble with it.


In another sign that the good guys are not only becoming more clever but are cooperating more closely with vendors, a potentially serious problem with the newest Firefox was fixed before anyone could sound the alarms of impending doom.

Last month, an independent security researcher named Nitesh Dhanjani made news in Brian Krebs' security column in the Washington Post, for having advised Apple of a serious security hole he discovered in Safari for Windows, and how Apple responded with relative indifference. That news helped Apple to change its tune, and issue a security fix for the Windows-based Safari that plugs what Dhanjani referred to as a "carpet bomb" attack.

It's an aptly named exploit, emerging from the fact that Safari didn't inform users in advance when a script triggered it to download files, including to the desktop. As screenshots sent to Krebs at the Post indicate, the exploit results in a desktop chock full of unwanted files.

So what has this to do with Mozilla Firefox? As it turns out, another well-known security researcher named Billy "BK" Rios took Dhanjani's exploit one step further. Specifically, he discovered that if an unpatched Safari and any version of Firefox were installed on the same system, Safari could be triggered to download files that are, in fact, XUL scripts executable by Firefox. If Safari could place the downloaded file in a fixed or guessable location, Firefox could be triggered to execute that file by sending it a URI with the file:// prefix.

Once that happens, a script may give a malicious user access to the client's file system. Mozilla, to its credit, did not treat the issue with indifference, releasing a fix for Firefox 2 and the first security patch for Firefox 3.

In its security bulletin, Mozilla advised users of possible workarounds prior to implementing the patch, one being to leave Firefox running -- the browser can't be triggered into running the script unchecked if it's already active. It also implied that not having Safari installed prevents the situation from arising.
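As an added illustration from the defender's side (this is not code from the article, from Mozilla, or from the researchers named above), the check below does two things the chain described here calls for: it decides whether a Firefox version string predates the fixed builds the article names (2.0.0.16 on the 2.x branch, 3.0.1 on the 3.x branch), and it scans a folder for dropped files that declare the XUL namespace, whatever their extension, since a carpet-bombed desktop is the first stage of the attack. It assumes dotted version strings and a constructed sample folder.

```python
import os
import re
import tempfile

# Fix thresholds named in the article: Firefox 2.0.0.16 and Firefox 3.0.1
FIXED_VERSIONS = {2: (2, 0, 0, 16), 3: (3, 0, 1)}
# Namespace every XUL document declares; used here as a content marker
XUL_NS = "http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"


def parse_version(version):
    """Turn '3.0.1' into (3, 0, 1); trailing non-numeric suffixes are ignored."""
    m = re.match(r"(\d+(?:\.\d+)*)", version.strip())
    if not m:
        raise ValueError("unrecognised version: %r" % version)
    return tuple(int(p) for p in m.group(1).split("."))


def firefox_is_patched(version):
    """True if this build carries the fix, False if not, None if the branch is not covered."""
    v = parse_version(version)
    fixed = FIXED_VERSIONS.get(v[0])
    if fixed is None:
        return None
    return v >= fixed


def find_xul_files(directory):
    """List files under directory whose content declares the XUL namespace."""
    hits = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(4096)   # the namespace sits near the top of the file
            except OSError:
                continue
            if XUL_NS.encode() in head:
                hits.append(path)
    return sorted(hits)


def demo():
    """Constructed sample: a fake desktop holding one XUL file and one plain text file."""
    desktop = tempfile.mkdtemp(prefix="desktop-")
    with open(os.path.join(desktop, "notes.txt"), "w") as fh:
        fh.write("shopping list\n")
    with open(os.path.join(desktop, "download.xul"), "w") as fh:
        fh.write('<window xmlns="%s"/>\n' % XUL_NS)   # empty marker document, no script
    return find_xul_files(desktop)


if __name__ == "__main__":
    for ver in ("2.0.0.15", "2.0.0.16", "3.0", "3.0.1"):
        print(ver, "patched:", firefox_is_patched(ver))
    print("XUL files found:", demo())
```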


Download Firefox 2.0.0.16 from FileForum now.


By midfingr

edited Jul 16, 2008 - 4:06 PM

I'm a little confused. Yes, I see the problems reported in the update. However a look on Mozilla's ftp server shows 3.0.1 and I was able to download without any problems.
Can anyone confirm this? Link to US-EN Firefox v 3.0.1
http://releases.mozilla....eases/3.0.1/win32/en-US/
EDIT: My mistake. This is a beta test of 3.0.1. Sorry about that.

Score: 0

By testman

posted Jul 16, 2008 - 5:07 PM

Nah, it's the actual 3.0.1. The reason the URL refers you to a beta page is cos it's not out officially but it's in the "3.0.1" directory. Betas wouldn't be in the "3.0.1" folder but in a completely differently named folder.

Score: 0

By PC_Tool

edited Jul 16, 2008 - 5:22 PM

but in a completely differently named folder.

Like:

/Beta's go here.

Or:

/Tazmanian Midget Wrestling

Ya know....something like that.

Score: 0

By tscar13

edited Jul 16, 2008 - 12:17 PM

As I understand this problem, it relates to a relationship between FF and Safari. So unless you are using a Mac or have Safari installed on a Windows system, this security hole does not affect Windows. Hence, no need to update your Windows version unless you have Safari on your Windows system.

Score: 0

By orizng

posted Jul 16, 2008 - 11:58 AM

apple knows nothing about security. This is stupid

Score: 0

By bousozoku

posted Jul 16, 2008 - 2:45 PM

Safari has already been patched for a little while.

Score: 0

By tscar13

edited Jul 16, 2008 - 12:35 PM

While I believe that no OS is perfect, I disagree with your comment:
"apple knows nothing about security". The problems with the Apple OS that have come up over the last year and 1/2 are problems that have always been there but not exploited because of market share. As Apple's share has increased, these "holes" have come to light and Apple has dealt with them just as MS has had to deal with their "holes". Just my opinion, and this is not designed to start a flame war, though I suspect BetaNews would love to see that as it means more clicks on "news" and they can use this to charge more for ads.

Have a nice day:)

Score: 0

By mjm01010101

edited Jul 16, 2008 - 1:48 PM

Apache has ~50%+ marketshare, is used on hundreds of thousands of servers, and has very few vulns. Even IIS6 has few vulns. These are internet facing webservers. If anything can be hacked, it is these, yet they remain secure.

Pwned Apple!

Score: 0

By PC_Tool

edited Jul 16, 2008 - 1:58 PM

is used on hundreds of thousands of servers

I think you're missing a key point here:

Most malware targets Desktops. Systems that are actually *used* ... by *humans* to get them to buy stuff.

It's evolved into less of a hacking instrument (hacking the webserver isn't going to make them rich) and more of a marketing tool (hacking the desktop to display spam has made the spammers billions).

If anything can be hacked, it is these, yet they remain secure.

Not exploited!=secure.

Score: 0

By PC_Tool

posted Jul 16, 2008 - 11:50 AM

releasing a fix for Firefox 2 and the first security patch for Firefox 3.

Download Firefox 2.0.0.16 from FileForum now.

....where's the patch for FF3? Not available yet?

Score: 0

By yountmj

posted Jul 17, 2008 - 12:41 AM

What's funny is that the moment I was reading your post, I wondered the same thing myself... and then Firefox popped up a little window stating an updated version was available.

That one made me look over my shoulder... briefly. :)

Score: 0

By PC_Tool

posted Jul 17, 2008 - 8:42 AM

Yup, that's me. Always one step ahead. ;)

(OK...maybe there *is* such a thing as too much coffee...)

Score: 0

By yountmj

posted Jul 17, 2008 - 12:25 PM

"OK...maybe there *is* such a thing as too much coffee..."

*gasp*

Score: 0

By sturgess

posted Jul 16, 2008 - 12:46 PM

Just type in Opera.com and the fix is called Opera 9.51 I believe.

Score: 0

By bousozoku

posted Jul 16, 2008 - 2:43 PM

Right, and they're working on version 9.52, for some reason.

Score: 0

By PC_Tool

posted Jul 16, 2008 - 1:54 PM

*gasp*

What happened to all my extensions?!?!?

Where did all my bookmarks go???

Why did my address bar lose nearly all of its new functionality???

Yeah...some fix.

Score: 0

By Heero

posted Jul 16, 2008 - 4:43 PM

I updated from 9.2x to 9.5 without any issues... and updated to 9.51 when it came out - again no issues.

Maybe just bad luck PC_Tool?

Score: 0

By bousozoku

posted Jul 16, 2008 - 4:48 PM

Ummm, I believe he's saying that his Firefox bookmarks, extensions, etc., for some reason, don't show up automagically in Opera, so it's not really a fix for Firefox.

Score: 0

By Heero

posted Jul 16, 2008 - 5:00 PM

I can see that... Though, I've been able to upload my bookmarks from FF to Opera without any hassle. *shrugs*

Score: 0

By PC_Tool

posted Jul 16, 2008 - 5:20 PM

Look up sarcasm:

Try google.

Look at any of my other posts...including this one, for reference material.

Let me know how it goes. ;)

Score: 0

By Heero

posted Jul 17, 2008 - 1:42 AM

I got the sarcasm PC_Tool...

I just misunderstood the direction. I read it as you updated previous versions of Opera to the new 9.5X and had some issues.

Not that changing browsers would cause you to lose your apps, etc, etc, etc...

Though, that being said, I did an install of 9.5 a couple weeks ago on the GF's laptop, she had been using FF2, and it took all of her bookmarks without any issues. She had no plugins so that wasn't a concern.

*shrugs*

Score: 0

By PC_Tool

posted Jul 17, 2008 - 8:41 AM

Nah...tried Opera when 9 was released, haven't touched it since.

Just preference. ;)

Score: 0

By Heero

posted Jul 17, 2008 - 1:28 PM

Indeed. =)

Score: 0

By yountmj

posted Jul 17, 2008 - 12:38 AM

Hrmm... the only common thread I see in most of your previous posts is that you're a jerk.

Oh wait, never mind... I get it! ;)

Score: 0

By PC_Tool

posted Jul 17, 2008 - 8:41 AM

you're a jerk.

Most people aren't that kind. ;)

Thank you!

Score: 0

By k3of4

posted Jul 16, 2008 - 12:03 PM

It is confusing that the article links to the previous version for your convenience. ;)

Score: 0

By Paul Skinner

posted Jul 16, 2008 - 11:52 AM

I was about to quote the same thing.

However, if you'd looked at the right hand side of the BetaNews homepage you'd have spotted this:

http://fileforum.betanew...Windows_v3/1032985422/4

Score: 0

By mjm01010101

posted Jul 16, 2008 - 1:37 PM

That is still version 3. You've confused an already confusing issue.

People that beta tested FF3 have randomly gotten 3.0.1 already.

Score: 0

By Paul Skinner

posted Jul 16, 2008 - 6:08 PM

Meh. It was 3.01 earlier. They've rolled it back.

Score: 0

By Metshrine

posted Jul 16, 2008 - 1:00 PM

Another case of jumping the gun on releasing an update? It's funny how often this happens with BN attempting to be the first to get any news out about a new FF release.

Score: 0

By Paul Skinner

posted Jul 16, 2008 - 6:09 PM

Indeed. I quite agree.

Score: 0