A security company has reported two new flaws in the Mozilla Firefox browser that may leave locally saved files vulnerable to outside attacks.
Hi marc57,
One of the flaws has been patched here:
https://bugzilla.mozilla.org/attachment.cgi?id=254137
The fix can be found on the Burning Edge for the Minefield version.
nsGlobalWindow originally was old Netscape code from 1998, sure it produced some flaw over the years, the code is pre-historical really. This code was also changed:
// XXXjst - Note that when this is fixed to work with multi-framed sites,
// also back out the fix for bug 343772 where
// nsGlobalWindow::CheckOpenAllow() was changed to also
// check if the top window's location is whitelisted.
var uri = gBrowser.selectedBrowser.webNavigation.currentURI;
More than half of all the security issues in Firefox or Flock can be avoided by not allowing script to run inside a browser, only for those sites that can be considered safe (scan with scandoo or McAfeeSiteAdvisor and have the NoScript extension on, and lift this temporarily only for those sites that are found to be secure). Clear Private Data or using Stealther can help considerably also. Secure browsing, whatever browser you use, is a matter of adopting the right attitudes. On the other hand, too much is "broken" on the Net. If we could start over again from scratch, this is a wish list that could alter the situation by heaps:
1. Complete language separation of JavaScript from HTML
2. Nuke Basic and Digest Auth for something way more secure, but just as simple.
3. HTTP stripped down and streamlined (no off-domain referers, no passive third-party cookies, native support for URL and cookie encryption)
4. Browsers only support well-formatted XHTML
5. Compilable web pages (HTML/JavaScript) into byte-codes
6. SSL certificates may contain trademarked logos that show up in the browser chrome
7. Browser integration of Secure Cache, Safe History, and Netcraft’s anti-XSS URL features in their toolbar
8. Implement Content Restrictions
9. Same-origin policy applied to the JavaScript Error Console
10. Restrict websites with public IPs from including content from websites with non-routable IP addresses
polonus
Thanks for the update, polonus. That’s good to hear.
Hello people !
Just wondering, does this affect Flock too ?
thanks for the info polonus and marc57
kiss still rules marc57 my friend ;D
There was me thinking KISS was something entirely different, ‘Keep It Simple Stupid’ ;D
Hi Hard_Rocker,
The patch I gave also can be saved in Flock, saved as nsGlobalWindow.cpp inside the components file. Whenever you run NoScript as an extension inside FF or Flock, you are secure from these kinds of vulnerabilities. I for one think NoScript is one of the most valuable security extensions that goes into the Firefox or Flock browser.
Polonus
OK so it affects Flock as well, I have NoScript installed so I guess I’m fine.
Hi Hard_Rocker,
With NoScript installed, my friend, you are not only safe now, but also in many, many cases for the future.
Insecure script is the main vector by choice for malware to enter onto your machine, and it is one of the main malware vectors in the case of flaws, and many 0-zero exploits can be explained as such as well.
Lift the NoScript barrier only for those sites you know to be secure, temporarily lift if you need access to some functionality on safe sites.
The extra security of Flock comes because it is a relatively small platform (less chosen to be attacked).
The Flock code is based on Mozilla’s, but there are different coding solutions, e.g. Clucene.cvs & CLucene_build.
As you have noticed Flock is smoother, and more stable.
Coders that code now, do this with more security at heart than in the old days.
It is the old dinosaur code (either Google’s, Netscape’s, IBM’s) where they should give a second glance what complexity does…
polonus
Thanks drhayden, I’ve been in the KISS Army since 1975 and I still think they’re the best.
me since 1974 when i heard this album on “8-track”
and have seen them 6 times ;D
sorry about being off-topic on this
Don’t worry about it being off-topic. It still serves its purpose (to give people a heads up) and we get to talk about KISS! ;D