LinuxQuestions.org
Old 03-21-2010, 07:24 AM   #166
GazL
Senior Member
 
Registered: May 2008
Posts: 3,503


The only criticism I'd throw at Mozilla is that even though they now know what the issue is they've still not made it clear which platforms are potentially vulnerable, or whether there's anything that can be done to mitigate this other than swapping back to 3.5 or using another browser entirely until the new release on the 30th.

Anyone know any further details on this? So far, all I know is that there's a confirmed exploit out there for Firefox 3.6 on the Windows platform.
 
1 members found this post helpful.
Old 03-21-2010, 12:39 PM   #167
catilley1092
Member
 
Registered: Aug 2009
Location: East Coast, USA
Distribution: Linux Mint "Mate" x64 (primary OS), Win 7/8 x64, XP Home/Pro x32.
Posts: 61

I guess I'll stay away from 3.6 for a while, until there's a fix. I seldom use Windows anyway, it's so insecure, FF is the least of their problems. With Windows, regardless of the version, you best be up to date with your virus and malware protection. And every day, scan, scan, and scan again. Thank God for Mint & Ubuntu, I don't have to go through this daily routine anymore. The only thing I even need Windows for is printing, mine is not in the Linux database. And as far as Firefox goes, they'll get the problem fixed, they always do.
 
Old 03-21-2010, 12:47 PM   #168
catilley1092
Member
 
Registered: Aug 2009
Location: East Coast, USA
Distribution: Linux Mint "Mate" x64 (primary OS), Win 7/8 x64, XP Home/Pro x32.
Posts: 61

Quote:
Originally Posted by win32sux
Uh, why are you getting all defensive about this? Besides, AFAIK it wasn't Mozilla that was taking a beating, it was Secunia. Mozilla had even gone ahead and let it be known on their security blog that they had no idea what the problem was.
Sorry, I'm a FF fan, as well as a Mint one, and I don't like to see FF going through the wringer here. As long as you're using Linux, there shouldn't be a problem. Linux OS's are the safest to run, and even if you did have FF 3.6 installed, there should be no problem.
 
Old 03-21-2010, 02:15 PM   #169
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Original Poster
Quote:
Originally Posted by catilley1092
for the most part, this is only going to affect Windows users.
Quote:
Originally Posted by catilley1092
Linux OS's are the safest to run, and even if you did have FF 3.6 installed, there should be no problem.
Unless you have some credible source which confirms this vulnerability doesn't affect the Linux version of Firefox 3.6, I request that you stop making these claims here. As GazL has stated, most of us don't really know yet whether or not this is a Windows-only Firefox 3.6 vulnerability, so anything that encourages Firefox 3.6 users on Linux to lower their guard until we have all the facts is not only extremely counter-productive but also downright negligent.

Last edited by win32sux; 03-21-2010 at 05:25 PM.
 
Old 03-21-2010, 02:50 PM   #170
Quakeboy02
Senior Member
 
Registered: Nov 2006
Distribution: Debian Squeeze 2.6.32.9 SMP AMD64
Posts: 3,245

From: http://blog.mozilla.com/security/201...isory-sa38608/
Quote:
Firefox 3.6.2 is scheduled to be released March 30th and will contain the fix for this issue. As always, we encourage users to apply this update as soon as it is available to ensure a safe browsing experience. Alternatively, users can download Release Candidate builds of Firefox 3.6.2 which contains the fix from here: https://ftp.mozilla.org/pub/mozilla....idates/build3/

Update: To clarify, as originally claimed this issue affects Firefox 3.6 only and not any earlier versions. Thunderbird and SeaMonkey are based on earlier versions of the browser engine and are not affected. People testing “3.7” development builds should upgrade to 3.7 alpha 3 or the latest nightly build to ensure they have this fix.

Last edited by Quakeboy02; 03-21-2010 at 03:01 PM.
 
Old 03-21-2010, 02:58 PM   #171
H_TeXMeX_H
Guru
 
Registered: Oct 2005
Location: $RANDOM
Distribution: slackware64
Posts: 12,928
Blog Entries: 2

From what I see, it is impossible to test whether it would work with Linux or not ... so it's probably better to be safe than sorry, upgrade when they release it.
 
Old 03-22-2010, 08:50 PM   #172
catilley1092
Member
 
Registered: Aug 2009
Location: East Coast, USA
Distribution: Linux Mint "Mate" x64 (primary OS), Win 7/8 x64, XP Home/Pro x32.
Posts: 61

Quote:
Originally Posted by win32sux
Unless you have some credible source which confirms this vulnerability doesn't affect the Linux version of Firefox 3.6, I request that you stop making these claims here. As GazL has stated, most of us don't really know yet whether or not this is a Windows-only Firefox 3.6 vulnerability, so anything that encourages Firefox 3.6 users on Linux to lower their guard until we have all the facts is not only extremely counter-productive but also downright negligent.
I've used Mint over a year now, and Firefox has had their share of problems, as all browsers do. I have 3.6 installed on Windows, and have had no problems. The reason(s) that I have Mint and Ubuntu are speed and security. I've yet to have to reinstall either over virus or malware issues. During the install process, it states that with Mint, you need no anti-virus or malware scanners, no defragglers or registry cleaners. So with that in mind, why worry? That's the number one advantage of Linux, being virus free. Whatever happens with Firefox is not going to break our installs, if it does, then it's not what it claims to be, and I'll simply uninstall it from my computer. But I don't think it will come to that, as Mint is the #4 browser in the world, and I highly doubt that Firefox will break it. I'm not being negligent, just stating the facts.
 
Old 03-22-2010, 09:46 PM   #173
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Original Poster
Quote:
Originally Posted by catilley1092
I've used Mint over a year now, and Firefox has had their share of problems, as all browsers do. I have 3.6 installed on Windows, and have had no problems. The reason(s) that I have Mint and Ubuntu are speed and security. I've yet to have to reinstall either over virus or malware issues. During the install process, it states that with Mint, you need no anti-virus or malware scanners, no defragglers or registry cleaners. So with that in mind, why worry? That's the number one advantage of Linux, being virus free. Whatever happens with Firefox is not going to break our installs, if it does, then it's not what it claims to be, and I'll simply uninstall it from my computer. But I don't think it will come to that, as Mint is the #4 browser in the world, and I highly doubt that Firefox will break it. I'm not being negligent, just stating the facts.
catilley1092, your personal experience has nothing to do with this arbitrary code execution vulnerability, which is one of the most serious security issues an application can be afflicted with. Your posts thus far make it clear that you don't understand why this is the case, so take this as an opportunity to do some research instead of posting more unsubstantiated, incoherent, destructive claims here. Any further posts from you along these lines (in this thread) will result in punitive action on my part. This is an official public warning to you, which has been logged.
 
1 members found this post helpful.
Old 03-22-2010, 10:04 PM   #174
Quakeboy02
Senior Member
 
Registered: Nov 2006
Distribution: Debian Squeeze 2.6.32.9 SMP AMD64
Posts: 3,245

This may possibly clear this issue up. In a post here http://www.theinquirer.net/inquirer/...y-flaw-firefox , there is a link to here https://forum.immunityinc.com/board/...ge=1#post-1165 supposedly by Evgeny Legerov, the author of the report. In it, he says
Quote:
clientside/vd_ff - 0day Firefox exploit (XP SP3, Vista)
So, if anyone can verify whether or not those are reliable links, this maybe can be put to bed.
 
Old 03-22-2010, 10:15 PM   #175
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Original Poster
Thanks for the links, Quakeboy02. As stated by GazL, though, the fact that the exploit in question is for the Windows version doesn't rule out that the underlying vulnerability affects Firefox on other platforms. Hopefully, we'll know for certain soon enough (perhaps the release notes will shed light on this).
 
Old 03-22-2010, 10:20 PM   #176
Quakeboy02
Senior Member
 
Registered: Nov 2006
Distribution: Debian Squeeze 2.6.32.9 SMP AMD64
Posts: 3,245

Quote:
Originally Posted by win32sux
Thanks for the links, Quakeboy02. As stated by GazL, though, the fact that the exploit in question is for the Windows version doesn't rule out that the underlying vulnerability affects Firefox on other platforms.
Nothing rules out a zero vulnerability on any platform on any version of FF, present or future. At some point you just have to accept that there are risks, or disconnect from the internet. I'm not championing the other poster's attitude, but I question whether FUD contributes to a better LQ experience. Maybe people are just upset over the health care bill and are taking it out on others here at LQ? A few deep breaths might be appropriate.
 
Old 03-22-2010, 10:27 PM   #177
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Original Poster
Quote:
Originally Posted by Quakeboy02
Nothing rules out a zero vulnerability on any platform on any version of FF, present or future.
That's true, but we're talking about a specific one in this case.

In that sense, this one can indeed be ruled out with the right information.

Quote:
At some point you just have to accept that there are risks, or disconnect from the internet. I'm not championing the other poster's attitude, but I question whether FUD contributes to a better LQ experience.
It's not FUD to accept that we don't yet know for sure whether something affects us or not. I do hope it turns out to be Windows-only, but it would be irresponsible of me to promote jumps to conclusions in a thread like this. All we can go by are facts, and so far the facts we've seen here are inconclusive in this regard.

Last edited by win32sux; 03-22-2010 at 11:19 PM.
 
Old 03-23-2010, 04:23 AM   #178
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Original Poster
Firefox 3.6.2 has been released.

It includes a fix for a security vulnerability (rated as Critical).

Last edited by win32sux; 03-23-2010 at 04:31 AM.
 
2 members found this post helpful.
Old 03-23-2010, 04:32 AM   #179
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Original Poster
And yes, the relevant bug report confirms that all x86 platforms were affected.

Last edited by win32sux; 03-23-2010 at 04:51 AM.
 
Old 03-23-2010, 04:52 AM   #180
H_TeXMeX_H
Guru
 
Registered: Oct 2005
Location: $RANDOM
Distribution: slackware64
Posts: 12,928
Blog Entries: 2

Quote:
Originally Posted by win32sux
Firefox 3.6.2 has been released.

It includes a fix for a security vulnerability (rated as Critical).
great, I'll upgrade
 
  

