You should download and install a critical patch for FF here: https://addons.mozilla.org/messages/307259.html.
When a URL has the 0xAD in it or ‘-’ you can get a buffer overflow that can crash the whole system. In this way it should be possible for an attacker to get control over your machine.
Install the patch therefore.
Hi polonus and thanks for the warning ;D
Do I have to install this update on my Firefox 1.5 beta 1?
Because from the link I understand that the update is only for v. 1.0.6
thanks ;D
Yep, you are well advised to do so. Because the vulnerability is a Mozilla one, and not only for Firefox 1.0.6. When do you upgrade for your language version to 1.06?
Here you can read about all the outstanding FF vulnerabilities from Secunia: http://secunia.com/product/4227/.
It is always advisable to have the latest program updates. For browsers and javascript and security programs always. There can be exclusions. Some did never update to the last version of Adobe for instance, because some programs may s*ck, but these things are then privacy related or they do not like new add-ons or restrictions in programs.
Remember: security should be an ongoing daily routine for you.
Security must be dealt with systematically and in a flexible way.
And it should be easily manageable.
Now I am confused… I see you all made your posts today, and no one even mentioned Firefox 1.0.7, you all mentioned just 1.0.6 and new beta version 1.5
It’s confusing because I have my Firefox updated to 1.0.7 for the last 3 or 4 days, not quite sure, but I know I have it installed more than 2 days by now.
I’ve got the same question, Sasha, since I’ve got 1.0.7 too. But I’d be willing to bet that, since that patch-release is nearly 3 weeks old now, it’s already in 1.0.7.
Old news, 1.0.7 I believe covers this advisory and there was also a work around notified previously.
CVE reference: CAN-2005-2871
Description:
Tom Ferris has discovered a vulnerability in Firefox, which can be exploited by malicious people to cause a DoS (Denial of Service) or to compromise a user’s system.
The vulnerability is caused due to an error in the handling of an IDN URL that contains the 0xAD character in its domain name. This can be exploited to cause a heap-based buffer overflow.
Successful exploitation crashes Firefox and allows code execution but requires that the user is tricked into visiting a malicious web site or opening a specially crafted HTML file.
NOTE: Exploit code is publicly available.
The vulnerability has been confirmed in version 1.0.6, and is reported to affect versions prior to 1.0.6, and version 1.5 Beta 1.
So those with an up-to-date Firefox (1.0.7) are covered. However, I don’t know what the situation is with 1.5 Beta updates. You can of course apply the workaround using about:config in the URL window and change the ‘network.enableIDN’ value to false.
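Added example, not part of any post in this thread: a small Python check that reads a profile's prefs.js text for the 'network.enableIDN' workaround and, separately, looks for the "(noIDN)" marker in the user agent string, since the thread shows the two can disagree. The function names, sample prefs and user agent strings are constructed for illustration, and treating a missing pref as "browser default applies" is an assumption.

```python
import re

# One pref per line, as Firefox writes them in prefs.js / user.js:
#   user_pref("network.enableIDN", false);
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$')

def parse_prefs(text):
    """Return {pref name: value} for every user_pref() line in text."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines, anything unparseable
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = (raw == "true")
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)
        else:
            prefs[name] = raw.strip('"')
    return prefs

def idn_status(prefs_text, user_agent):
    """Report the two indicators from the thread independently of each other."""
    value = parse_prefs(prefs_text).get("network.enableIDN")
    if value is False:
        pref = "disabled"
    elif value is True:
        pref = "enabled"
    else:
        pref = "not set"  # assumption: the browser's built-in default applies
    return {"pref": pref, "ua_marker": "(noIDN)" in user_agent}

# Constructed sample data, not taken from the thread.
PREFS_WORKAROUND = '''# Mozilla User Preferences
user_pref("browser.startup.homepage", "about:blank");
user_pref("network.enableIDN", false);
'''
PREFS_UNTOUCHED = 'user_pref("browser.startup.homepage", "about:blank");\n'
UA_PATCHED = "Mozilla/5.0 (Windows; U; en-US) Gecko Firefox/1.0.6 (noIDN)"
UA_PLAIN = "Mozilla/5.0 (Windows; U; en-US) Gecko Firefox/1.0.7"

if __name__ == "__main__":
    print(idn_status(PREFS_WORKAROUND, UA_PLAIN))   # manual about:config change
    print(idn_status(PREFS_UNTOUCHED, UA_PATCHED))  # marker present, pref unset
    print(idn_status(PREFS_UNTOUCHED, UA_PLAIN))    # neither indicator present
```

Neither indicator says anything about the installed version, so a result with no marker and no pref still has to be read alongside the version number shown in the About window.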
No take a look at No IDN at the bottom of About Firefox screen I posted. You see that No IDN is visible now, but when I installed 1.0.7 first time I wasn’t able to see it there, even though it was there while I was using 1.0.6 because I also applied similar patch like this one from this thread…
So when I installed 1.0.7 over the patched 1.0.6, No IDN disappeared, and I had to patch it again to be able to see it again…
See here what it says on the Firefox page where patch link is provided:
To verify the fix in Firefox and the Mozilla Suite, be sure to restart the browser and then follow these steps:
In Firefox Click Help -> About Mozilla Firefox and verify that the user agent string contains "(noIDN)"
In the Mozilla Suite Click Help -> About Mozilla and verify that the user agent string contains "(noIDN)"
I don’t know if they know or if it is relevant, there were two options given some time ago, either disable the ‘network.enableIDN’ set to false or apply the patch, I chose to manually change the ‘network.enableIDN’ value to false, so perhaps the patch changes the about firefox to show (No IDN) ?
Anyway I have applied the old patch and now my about firefox shows the (No IDN).
Strange that 1.0.7 includes this fix for this but it didn’t change the about firefox text.
Yes indeed David… I’ve noticed that after I posted my first screenshot in this thread. There was no “noIDN” word in ABOUT MOZILLA FIREFOX. So I applied a patch which Polonus posted a link for in his first post in this thread, and then “noIDN” appeared in above mentioned window. So I edited my reply and posted a new screenshot with “noIDN” inside…
So you see, I have the 1.07 also installed, but still it is best to always check for yourself. I do not trust anyone on his words now, especially because I am a member of a security forum. And you see it pays you. I also have the old spoof check java pop up on.
Here is the link to get it, also for IE: http://blog.kevindonahue.com/archives/2003/12/help_prevent_sp.php
Some vulnerabilities are like window sponges…they last and last and last.
Good post Crofty and resolved the confusion surrounding the instruction that applied to the 1.0.6 patch to confirm it was installed (No IDN); it related to only that patch and not future updates which by default have all previous updates/patches. So when the next firefox update comes along (1.0.8 ? whatever) the (No IDN) text will no longer be displayed.
That means my posting was not necessary. Or did it help in some way in the process of making an informed decision. It is a good thing to be aware all the time is not it?
No product is flawless, as isn’t FF either. In any case it make you and Crofty delve into this a little deeper.
Well I immediately noticed something is strange with those noIDN thingies, so I didn’t want to take chances… what can I say, that’s my nature. Polonus posted a link and I felt like I had to do some checking… no one mentioned version 1.0.7, so that was also strange.