Install critical patch for Firefox

Hi FF-ers,

You should download and install a critical patch for FF here:
https://addons.mozilla.org/messages/307259.html.
When a URL has the 0xAD in it or ‘-’ you can get a buffer overflow that can crash the whole system. In this way it should be possible for an attacker to get control over your machine.
Install the patch therefore,

greets,

polonus

Hi polonus and thanks for the warning ;D
Do I have to install this update on my Firefox 1.5 beta 1?
Because from the link I understand that the update is only for v. 1.0.6 :slight_smile:
thanks ;D

Hi .:x:M:A:S:.,

Yep, you are well advised to do so. Because the vulnerability is a Mozilla one, and not only for Firefox 1.0.6. When do you upgrade for your language version to 1.06?
Here you can read about all the outstanding FF vulnerabilities from Secunia: http://secunia.com/product/4227/.
It is always advisable to have the latest program updates. For browsers and JavaScript and security programs always. There can be exclusions. Some never updated to the last version of Adobe for instance, because some programs may s*ck, but these things are then privacy related or they do not like new add-ons or restrictions in programs.
Remember: security should be an ongoing daily routine for you.
Security must be dealt with systematically and in a flexible way.
And it should be easily manageable.

greets,

polonus

Now I am confused… I see you all made your posts today, and no one even mentioned Firefox 1.0.7, you all mentioned just 1.0.6 and new beta version 1.5

It’s confusing because I have my Firefox updated to 1.0.7 for the last 3 or 4 days, not quite sure, but I know I have it installed more than 2 days by now.

See here:

http://img211.imageshack.us/img211/5747/untitled12rp.jpg

I’ve got the same question, Sasha, since I’ve got 1.0.7 too. But I’d be willing to bet that, since that patch-release is nearly 3 weeks old now, it’s already in 1.0.7.

Old news, 1.0.7 I believe covers this advisory and there was also a work around notified previously.

CVE reference: CAN-2005-2871

Description:
Tom Ferris has discovered a vulnerability in Firefox, which can be exploited by malicious people to cause a DoS (Denial of Service) or to compromise a user’s system.

The vulnerability is caused due to an error in the handling of an IDN URL that contains the 0xAD character in its domain name. This can be exploited to cause a heap-based buffer overflow.

Successful exploitation crashes Firefox and allows code execution but requires that the user is tricked into visiting a malicious web site or opening a specially crafted HTML file.

NOTE: Exploit code is publicly available.

The vulnerability has been confirmed in version 1.0.6, and is reported to affect versions prior to 1.0.6, and version 1.5 Beta 1.

Solution:
Update to version 1.0.7.
http://www.mozilla.org/products/firefox/

So those with an up to date Firefox (1.0.7) are covered. However, I don’t know what the situation is with 1.5 Beta updates. You can of course apply the workaround using about:config in the URL window and change the ‘network.enableIDN’ value to false.

Now take a look at No IDN at the bottom of the About Firefox screen I posted. You see that No IDN is visible now, but when I installed 1.0.7 the first time I wasn’t able to see it there, even though it was there while I was using 1.0.6 because I also applied a similar patch to this one from this thread…

So when I installed 1.0.7 over the patched 1.0.6, No IDN disappeared, and I had to patch it again to be able to see it again…

See here what it says on the Firefox page where patch link is provided:

To verify the fix in Firefox and the Mozilla Suite, be sure to restart the browser and then follow these steps:
In Firefox: click Help -> About Mozilla Firefox and verify that the user agent string contains "(noIDN)".
In the Mozilla Suite: click Help -> About Mozilla and verify that the user agent string contains "(noIDN)".

I did the interim IDN work around and have 1.0.7 installed and as you say now I have 1.0.7 it doesn’t show the (No IDN) in the about firefox.

So it looks like I need to reapply it again.

Exactly and that was really strange… do they know about that? Maybe someone should alarm them or something…

I don’t know if they know or if it is relevant, there were two options given some time ago, either disable the ‘network.enableIDN’ set to false or apply the patch, I chose to manually change the ‘network.enableIDN’ value to false, so perhaps the patch changes the about firefox to show (No IDN)?

Anyway I have applied the old patch and now my about firefox shows the (No IDN).

Strange that 1.0.7 includes this fix for this but it didn’t change the about firefox text.

Yes indeed David… I’ve noticed that after I posted my first screenshot in this thread. There was no “noIDN” word in ABOUT MOZILLA FIREFOX. So I applied a patch which Polonus posted a link for in his first post in this thread, and then “noIDN” appeared in above mentioned window. So I edited my reply and posted a new screenshot with “noIDN” inside…

Hi S.Z.Craftec,

So you see, I have the 1.07 also installed, but still it is best to always check for yourself. I do not trust anyone on his words now, especially because I am a member of a security forum. And you see it pays you. I also have the old spoof check java pop up on.
Here is the link to get it, also for IE:
http://blog.kevindonahue.com/archives/2003/12/help_prevent_sp.php
Some vulnerabilities are like window sponges…they last and last and last.

Greets and keep your machine clean,

polonus

Hi everyone

I am really really confused, mind that isn’t very hard to do.

I asked on the Mozilla forums if No IDN should show up or not in About Mozilla Firefox in version 1.0.7.

This was their reply: Firefox 1.0.7 fixed that security issue, so your User Agent does not need to say (no IDN).

Does this help to clear it up or does it make it more unclear?
http://forums.mozillazine.org/viewtopic.php?t=322745
Cheers crofty59

Sure helped me Crofty!
JUST what I needed to read. I was getting all confused…
Thank you! :-*

Good post Crofty and resolved the confusion surrounding the instruction that applied to the 1.0.6 patch to confirm it was installed (No IDN); it related to only that patch and not future updates which by default have all previous updates/patches. So when the next Firefox update comes along (1.0.8 ? whatever) the (No IDN) text will no longer be displayed.
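The checks this thread converges on (version 1.0.7, the 'network.enableIDN' setting, the "(noIDN)" user agent marker) can be combined into one audit, shown here as an added example that is not part of the original thread or any Mozilla tool. It assumes the setting is stored as `user_pref(...)` lines in the profile's prefs.js, that user.js entries override prefs.js, and that IDN is on by default; the function names, status labels and sample data are constructed for illustration.

```python
import re

# Matches lines such as: user_pref("network.enableIDN", false);
PREF_RE = re.compile(
    r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(true|false|-?\d+|"[^"]*")\s*\)\s*;', re.M)

# Constructed sample data (not taken from a real profile or browser).
SAMPLE_PREFS = ('user_pref("browser.startup.homepage", "about:blank");\n'
                'user_pref("network.enableIDN", false);\n')
SAMPLE_UA = "Mozilla/5.0 (Windows; U) Gecko Firefox/1.0.6 (noIDN)"

def effective_pref(name, prefs_js="", user_js="", default=None):
    """Return the value in effect; user.js is read after prefs.js and wins."""
    value = default
    for text in (prefs_js, user_js):
        for key, raw in PREF_RE.findall(text):
            if key == name:
                # Booleans become bool; numbers and strings stay as text.
                value = {"true": True, "false": False}.get(raw, raw.strip('"'))
    return value

def parse_version(version):
    """'1.0.7' -> (1, 0, 7)"""
    return tuple(int(p) for p in re.findall(r"\d+", version)[:3])

def idn_status(version, user_agent="", prefs_js="", user_js=""):
    """Classify exposure to the IDN 0xAD overflow discussed in the thread."""
    ver = parse_version(version)
    # The advisory's solution: update to 1.0.7 (no "(noIDN)" marker needed).
    if ver[:2] == (1, 0) and ver >= (1, 0, 7):
        return "fixed"
    # Workaround: IDN switched off by preference, or the patch's UA marker.
    idn_on = effective_pref("network.enableIDN", prefs_js, user_js, default=True)
    if idn_on is False or "(noIDN)" in user_agent:
        return "mitigated"
    # 1.0.6 and earlier are affected; other branches (e.g. 1.5 Beta) are
    # not settled by the thread, so they are flagged for a manual check.
    return "exposed" if ver < (1, 0, 7) else "unverified"

if __name__ == "__main__":
    for v, ua, prefs in [("1.0.7", "", ""), ("1.0.6", "", ""),
                         ("1.0.6", SAMPLE_UA, ""), ("1.5", "", SAMPLE_PREFS)]:
        print(v, idn_status(v, ua, prefs))
```

A user.js that sets the preference back to true overrides a prefs.js workaround, which is why both files are read before deciding.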

Hi DavidR,

That means my posting was not necessary. Or did it help in some way in the process of making an informed decision? It is a good thing to be aware all the time, isn’t it?
No product is flawless, and neither is FF. In any case it made you and Crofty delve into this a little deeper.

greets,

polonus

Hi polonus

Your post was indeed the most important post as it got people checking.
If it wasn’t for your post I would not have even known about it.

Besides polonus your views on security are second to none, I for one take note of what you post.

Cheers :smiley:

Well I immediately noticed something is strange with those noIDN thingies, so I didn’t want to take chances… what can I say, that’s my nature. Polonus posted a link and I felt like I had to do some checking… no one mentioned version 1.0.7, so that was also strange.

Cheers !