We saw the time coming, that Firefox was to become vulnerable by default: http://www.0x000000.com/index.php?i=515
Just shortly after a major upgrade and 10 patches, a new, even more serious information hole has been found that could be abused without vulnerable plug-ins.
I would advise not to use Firefox any longer without the NoScript add-on installed.
Patches take too long, code is brought in too early. Mozilla developers should step up.
I would rather use Flock because it is a smaller platform, and that was the advantage of Firefox in the past.
This was the previous one, which was fixed with the latest update to version 2.0.0.12. This one, which is of a much more general nature, goes beyond plug-ins and extensions or jar or flat plug-ins right into the heart of Firefox; it is much more dangerous and attacks Firefox by default, so the browser is vulnerable. The leak was published just a couple of hours after the latest version, which patched the less serious hole you mentioned, had been launched. The new hole makes it possible for attackers to steal confidential information. The standard open source browser Firefox is now vulnerable, extensions installed or not.
An attacker can open local files inside the Mozilla directory and read out all browser settings. "Funny but rather sad really, because Firefox 2.0.0.12 has just been launched, to find itself broken again."
The Dutch security researcher R. Van den Heetkamp accuses Mozilla of not doing a full job. “I accused Mozilla before, not half of all the holes are being patched, they should take the time to really go to the core of the problem.” The researcher advises Firefox users to use another browser or install the NoScript plugin as I mentioned in the previous posting.
Starting to believe you there.
Firefox has some underlying problems waiting to be dug up, and they started to find things for prefs/all.js back in May last year:
See then what this code reveals “Master Reconnaissance Tool”, and yep only NoScript protects you here, they even can establish with this script whether you have tor running: http://ha.ckers.org/mr-t/
This script is not malicious, I checked it with DrWeb’s av-hyperlink plug-in, but mr-t’s script reveals loads of browser information.
Back to the pref function. Another useful piece of info is the real User Agent/Current FF version:
<script>
// Callback invoked by each pref("name", value) line in the loaded preference file.
function pref(param, value) {
  if (param == "general.useragent.extra.firefox") {
    alert("Your real FF version is: " + value);
  }
}
</script>
<script src="resource://gre/defaults/pref/firefox.js"></script>
This will bypass the “User Agent Switcher” add-on.
And then there are problems with xpinstall.js & browserconfig.properties
But some POCs were patched as the "5%c" resource URL traversal, but as you see the prefs/all.js has a lot of potentiality, and it will certainly take some time to make FF more secure in this respect.
I was a big fan of Firefox, I used it since it was a pre-release.
I didn’t like Opera. I first tried Opera when it was ad supported. I didn’t like it after it went totally free in version 8 either. Every time I would try Opera, I would soon uninstall it, except on my laptop. I got a laptop so I can take it with me. I have a free dial-up ISP on my laptop for when I can’t hook up to WIFI or any other broadband ISP. Opera made a big difference on dial-up. Opera is the only way to go with dial-up.
I got tired of the memory “leakage” in FF, its slow start-up & other issues. I was just going to use Opera till FF got its act together.
After a while Opera grew on me. Now I don’t want to use any other browser.
Doesn't look like a vulnerability to me. So it can read files in /usr/lib/firefox, but those are just the standard files from the firefox package. User configuration and stored passwords etc are not stored there... It still can't get to $HOME/.mozilla...
all.js is not user data, it’s public app data. Your preferences are stored in prefs.js which are not exposed by greprefs.
Seriously, this title should be changed now (get rid of "Serious"), and a "!serious" tag added. The author of the article is an asshole who just waited for this release to fear monger and gain some attention. This bug exists in previous versions, this is not a new issue. The fact is, 2.0.0.12 fixes issues from previous issues, and does NOT introduce this "new" bug.
“Vulnerable by default” seems to be sexing up the story on WMD scale.