LinuxQuestions.org
06-07-2005, 03:04 PM   #1
win32sux

Vulnerability in Firefox / Mozilla

(September 9th, 2005) - A security vulnerability has been detected in Firefox (1.0.6 and prior) as well as Mozilla (1.7.11 and prior), click here to jump to the relevant discussion (in this same thread).





Original Post (For Reference):
-----------------------------------------------------------------------------------------------------

Quote:
A seven year old vulnerability has been re-introduced in Mozilla and Firefox, which can be exploited by malicious people to spoof the contents of web sites.
http://secunia.com/advisories/15601/


EDITS/UPDATES
-----------------------------------------------------------------------------------------------------

(July 19th, 2005) - Firefox 1.0.6 has been released.

(July 12th, 2005) - Firefox 1.0.5 has been released.



Last edited by win32sux; 09-11-2005 at 12:36 PM.
 
06-07-2005, 03:31 PM   #2
craigevil

I tried following the directions on Secunia's site to do the test, couldn't get it to work.
 
06-07-2005, 03:36 PM   #3
win32sux

it worked for me, in other words i'm vulnerable... the secunia page opened inside a frame of the window i had the microsoft website opened in (a very weird thing to see, indeed)...

i'm using firefox 1.0.4 on slackware 10.1... i hope to see firefox 1.0.5 soon...


Last edited by win32sux; 06-07-2005 at 03:38 PM.
 
06-07-2005, 03:51 PM   #4
craigevil

Ok I stand corrected. I had to set links to open in a new window. FREAKY. If I use tabs or even manually open the links in a new window the test fails.
 
06-07-2005, 04:51 PM   #5
phil.d.g

very scary. I wonder how long this bug has been in as it worked with Firefox 1.0.3 in Windows, though with very important sites like my bank's site, I will close my browser then reopen so it is the first page I visit except my home page, then once I've finished I will close the browser again.

Last edited by phil.d.g; 06-07-2005 at 04:53 PM.
 
06-07-2005, 05:12 PM   #6
win32sux

i was hoping it was a mistake and wouldn't work on my firefox 1.0.4... but when that secunia page opened in the microsoft frame (in the other window) i immediately started feeling nauseous...

BTW, i take it this is the first flaw for the newly-released Debian 3.1 (Sarge), right??


Last edited by win32sux; 06-07-2005 at 05:15 PM.
 
06-07-2005, 08:11 PM   #7
Capt_Caveman

Thanks, I'll sticky this thread for awhile.
 
06-08-2005, 08:28 AM   #8
Ephracis

I cannot get the test page to work with any option (open in new tab by default, open in new window, same tab/window or anything). Maybe the vuln does not apply to Deer Park Alpha 1? Can anyone confirm this?

Regards.
 
06-16-2005, 01:28 AM   #9
win32sux

anybody heard anything about when 1.0.5 will be out to fix this??

AFAIK, this issue was already fixed in trunk and branches the day after i started this thread... what's taking so long to release a patched stable version??

since it seems this only works with new windows (and not new tabs), the simplest workaround would be to force links meant to open in new windows to instead open in new tabs... if you don't wanna go through the right-click routine, try this from the "known issues" section of the firefox 1.0.4 release notes:
Quote:
The Help documentation refers to "Single Window Mode" options regarding "Force links opened in new windows to open in [New Tab, Same Tab]." This function was disabled at the last minute due to problems we were experiencing with it, so ignore this section of Help. To re-enable the Single Window Mode options (at your own risk - there may be crashes), use the Configuration Console (accessed by entering "about:config" in the Location bar and pressing Enter) to set browser.tabs.showSingleWindowModePrefs to true.
http://www.mozilla.org/products/fire....4.html#issues

i haven't tried it but i assume it works...



Last edited by win32sux; 06-16-2005 at 03:17 AM.
 
06-18-2005, 03:13 AM   #10
llmmix

i am using Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050610 Firefox/1.0.4 (Debian package 1.0.4-3)

by the way, i have tried dillo. it is far better than 2 years ago.

the reasons i am trying dillo:
1. it doesn't use "c++" "gecko"
2. its immaturity makes me spend less time doing internet.
3. it is small
4. it is safe enough to unable post some message to these kind of board.

if you are good at c, you can help them. yeah gtk and c.
from now, i am going back to dillo.
--
growing complexity, swimming somebody's brain.

Last edited by llmmix; 06-18-2005 at 03:15 AM.
 
06-21-2005, 10:51 AM   #11
darkleaf

Couldn't get it to work in firefox 1.0.4 (debian package 1.0.4-3) so that's great. Or was it only on earlier versions and fixed already?
 
06-21-2005, 11:04 AM   #12
win32sux

Quote:
Originally posted by darkleaf
Couldn't get it to work in firefox 1.0.4 (debian package 1.0.4-3) so that's great. Or was it only on earlier versions and fixed already?
the debian website currently shows 1.0.4-2 as the latest package... so i guess -3 hasn't been listed yet... but yeah, i would assume that the -3 package is the patched firefox... if you already got -3 via apt-get i assume the advisory will be coming in the mail soon and also the firefox page on the debian site will be updated...

http://packages.debian.org/stable/web/mozilla-firefox
 
06-21-2005, 11:07 AM   #13
win32sux

SECURITY ALERT

guys, there's been another security issue found...

i just did the secunia test and it worked (i'm vulnerable)...

Quote:
Secunia Research has discovered a vulnerability in Mozilla, Firefox, and Camino, which can be exploited by malicious web sites to spoof dialog boxes.

The problem is that JavaScript dialog boxes do not display or include their origin, which allows a new window to open e.g. a prompt dialog box, which appears to be from a trusted site.
http://secunia.com/advisories/15489/


Last edited by win32sux; 06-21-2005 at 11:13 AM.
 
06-21-2005, 11:10 AM   #14
darkleaf

Quote:
Originally posted by win32sux
the debian website currently shows 1.0.4-2 as the latest package... so i guess -3 hasn't been listed yet... but yeah, i would assume that the -3 package is the patched firefox... if you already got -3 via apt-get i assume the advisory will be coming in the mail soon and also the firefox page on the debian site will be updated...

http://packages.debian.org/stable/web/mozilla-firefox
That's the link to stable. Though security patches still go into it, apparently they're first bringing them through unstable and testing. I'm using unstable so that's why I have it.


edit: wow that new test exploit looks real good. Hope they fix it soon this could be something I wouldn't notice.

Last edited by darkleaf; 06-21-2005 at 11:13 AM.
 
06-21-2005, 01:35 PM   #15
titanium_geek

wow. vulnerable to both... it seems a long time since mozilla have come out with 1.0.4 - when are you tipping the next stable to be out?

titanium_geek
 
All times are GMT -5.