Author Topic: First big Firefox 1.5 vulnerability and workarounds  (Read 8576 times)


Offline szc

  • Avast Evangelist
  • Starting Graphoman
  • ***
  • Posts: 6927
MB: GIGABYTE GA-Z77X-UD3H Intel 7 Series  - LGA1155, CPU: Intel Core i5-3570K - Quad Core, 3.40GHz (3.80GHz Max Turbo), CPU COOLER: Cooler Master Hyper 212 EVO Direct Heat Pipe R2, RAM: 16 GB Kingston HyperX Blu DDR3, VIDEO CARD: Galaxy GeForce GTX 560 Ti - 1GB, GDDR5, POWER SUPPLY: Corsair Enthusiast Series TX750 V2 - 750 Watts, HD: Seagate Barracuda - 2TB, 7200RPM, 64MB, SATA 6Gb/s

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 34065
  • malware fighter
Re: First big Firefox 1.5 vulnerability and workarounds
« Reply #1 on: December 10, 2005, 11:55:36 PM »
Hello Sasza,


Apparently they have an awful lot of trouble replicating the bug, see here: http://it.slashdot.org/article.pl?sid=05/12/08/2146238&threshold=-1&tid=154&tid=218

greets,

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline szc

  • Avast Evangelist
  • Starting Graphoman
  • ***
  • Posts: 6927
Re: First big Firefox 1.5 vulnerability and workarounds
« Reply #2 on: December 11, 2005, 12:30:23 AM »
I'm just a messenger, please don't shoot me  ;D  ;D  ;D

Btw, that Flock looks really nice... does it work that way too? I am interested, I just don't have enough time to play with it right now...

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89687
  • No support PMs thanks
Re: First big Firefox 1.5 vulnerability and workarounds
« Reply #3 on: December 11, 2005, 12:55:18 AM »
This sounds like it should also have an effect on earlier versions of Firefox, not just 1.5. I personally can't see why this would only affect 1.5 as the other versions also have history.dat.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD - 27" external monitor 1440p 2560x1440 resolution - avast! free  24.9.6130 (build 24.9.9452.762) UI 1.0.818/ Firefox, uBlock Origin Lite, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline szc

  • Avast Evangelist
  • Starting Graphoman
  • ***
  • Posts: 6927
Re: First big Firefox 1.5 vulnerability and workarounds
« Reply #4 on: December 11, 2005, 01:14:57 AM »
I have no clue, but I know they mentioned that just because they wanted to point our attention to the fact that if the same problem existed before, sure it's not solved in the so much advertised version 1.5.

Maybe that's the reason they brought it out, I am not quite sure though...

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 34065
  • malware fighter
Re: First big Firefox 1.5 vulnerability and workarounds
« Reply #5 on: December 11, 2005, 02:35:28 AM »
Hi Sasza,

Try that Flock. I have had it since the preview was out. It is so stable and fast, I haven't seen any browser like it. It was developed by good coders, who got a million from Bessemer's to develop it.
I am beta testing their security. Waiting for the Dr. Web plug-in coming in. Add-ons in it: Dom Inspector, Adblock Plus G., NoScript, Cookie Culler, Nuke Anything (ported this myself with PtoF), Linkification, All text for links, Web Developer, Translate Page.
Various security search engines in ConQuery. Your ConQuery file you can copy as such from Firefox to Flock, no sweat. Try it, you will be amazed, and download the nightly if you do not belong to the fainthearted. It is a developers' edition, but I find it better than the official editions of FF I have seen. Oh, and Firefox always starts to connect to google.com, while Flock tries to contact web.roundtwo.com.

Have a nice day,

polonus
« Last Edit: December 11, 2005, 02:41:12 AM by polonus »

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67183
Re: First big Firefox 1.5 vulnerability and workarounds
« Reply #6 on: December 11, 2005, 02:43:54 AM »
But I find it better than the official editions of FF, I have seen.
Me too... Flock in this stage is, for me, better than Firefox ever.
The best things in life are free.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89687
  • No support PMs thanks
Re: First big Firefox 1.5 vulnerability and workarounds
« Reply #7 on: December 11, 2005, 02:54:57 AM »
Interesting one for you, I just installed the DrWeb extension for Firefox 1.5. I was experiencing lots of hassle with updating extensions or installing them in FF 1.5. I visited the Firefox forums to see if this was a common problem and there was no sign of it being a problem.

On the unsuccessful extension updates or installs it kept mentioning to check the JavaScript console. I could see lots of errors relating to parameters, etc. and it took ages to twig: NoScript. It was effectively blocking the extensions being installed or updated; when disabled, the DrWeb extension installed fine (nice to have it back). So watch out if using NoScript in Firefox 1.5 and getting extensions.

Umath

  • Guest
Re: First big Firefox 1.5 vulnerability and workarounds
« Reply #8 on: December 11, 2005, 07:34:49 AM »
To work around the flaw, which is not called a vulnerability now, marking the history.dat file as read-only would work as well. Personally, I use bookmarks and don't need Mozilla to record the history.

But I find it better than the official editions of FF, I have seen.
Me too... Flock in this stage is, for me, better than Firefox ever.

Nice to see Flock seems to be promising, which offers another option.   :D

Interesting one for you, I just installed the DrWeb extension for Firefox 1.5. I was experiencing lots of hassle with updating extensions or installing them in FF 1.5. I visited the Firefox forums to see if this was a common problem and there was no sign of it being a problem.

On the unsuccessful extension updates or installs it kept mentioning to check the JavaScript console. I could see lots of errors relating to parameters, etc. and it took ages to twig: NoScript. It was effectively blocking the extensions being installed or updated; when disabled, the DrWeb extension installed fine (nice to have it back). So watch out if using NoScript in Firefox 1.5 and getting extensions.

It may be suitable for Firefox users to refrain from updating to 1.5 till their favorite extensions get compatible with 1.5 since this is not a minor update.  If it's not broken...

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89687
  • No support PMs thanks
Re: First big Firefox 1.5 vulnerability and workarounds
« Reply #9 on: December 11, 2005, 03:31:22 PM »
Interesting one for you, I just installed the DrWeb extension for Firefox 1.5. I was experiencing lots of hassle with updating extensions or installing them in FF 1.5. I visited the Firefox forums to see if this was a common problem and there was no sign of it being a problem.

On the unsuccessful extension updates or installs it kept mentioning to check the JavaScript console. I could see lots of errors relating to parameters, etc. and it took ages to twig: NoScript. It was effectively blocking the extensions being installed or updated; when disabled, the DrWeb extension installed fine (nice to have it back). So watch out if using NoScript in Firefox 1.5 and getting extensions.

It may be suitable for Firefox users to refrain from updating to 1.5 till their favorite extensions get compatible with 1.5 since this is not a minor update.  If it's not broken...
Well, how are they to find that out for the extensions that are currently disabled in 1.5 (but not uninstalled) without checking for updates? I was regularly checking individual extensions for updates and monitoring the home pages of the extensions.

My problem was not with the checking for updates, but having NoScript, which is compatible with 1.5, running. It was blocking the JavaScript from being used in the update extensions process.

Umath

  • Guest
Re: First big Firefox 1.5 vulnerability and workarounds
« Reply #10 on: December 11, 2005, 04:05:03 PM »
My problem was not with the checking for updates, but having NoScript, which is compatible with 1.5, running. It was blocking the JavaScript from being used in the update extensions process.

I see. Since it is the job of NoScript to block any script which is not allowed and FF extensions need scripts for installation, it is natural that users should need to exclude some scripts.

I guess my previous comment was prejudiced by Eweek's review on FF 1.5 and the impression when I spotted FF 1.5 RC on your sig while reading the phrase "When it's not broken…" in one of your posts.  ;)

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89687
  • No support PMs thanks
Re: First big Firefox 1.5 vulnerability and workarounds
« Reply #11 on: December 11, 2005, 04:12:47 PM »
Yes, there are a number of people (Scot Finnie's newsletter for one) suggesting to wait for the extensions to catch up before making the update to Firefox 1.5.

Most of my extensions are working with 1.5, just a few are disabled because of compatibility, so not a deal breaker for me.

Offline MikeBCda

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2246
Re: First big Firefox 1.5 vulnerability and workarounds
« Reply #12 on: December 11, 2005, 06:23:11 PM »
This vulnerability/exploit was brought up over at Wilders a couple of days ago, and there seemed to be agreement that if you have your history set to zero days then there's no history.dat for the thing to mess with.

So that's one more work-around, till Mozilla comes up with a "real" fix.
Intel Atom D2700, 2 gig RAM, Win 7 x64 SP1 & IE-11, Firefox 51.0
(default). 320 gig HD, 15Mb DSL, Win firewall, Avast 12.3.2280 free, SpywareBlaster, MBAM Prem., Crypto-Prevent
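
The two workarounds mentioned in replies #8 and #12 (a read-only history.dat, and history kept for zero days), written out as a POSIX shell script. This is an added example, not something posted in the thread; the profile path is supplied by the user, and the pref name `browser.history_expire_days` is an assumption about which setting sits behind the "days of history" option.

```shell
#!/bin/sh
# Added example: apply both thread workarounds to one Firefox profile directory.
# Usage: sh harden_profile.sh /path/to/profile   (path is supplied by the user)

harden_profile() {
    profile=$1
    [ -d "$profile" ] || { echo "no such profile: $profile" >&2; return 2; }

    # Workaround from reply #8: clear every write bit on history.dat.
    hist="$profile/history.dat"
    if [ -f "$hist" ]; then
        chmod a-w "$hist" || return 1
    fi

    # Workaround from reply #12: keep zero days of history.
    # Assumption: browser.history_expire_days is the pref behind that setting.
    # user.js is read at every start, so the value survives UI changes.
    userjs="$profile/user.js"
    tmp="$userjs.tmp.$$"
    {
        # Drop any earlier value of the pref, keep all other lines.
        grep -vF 'browser.history_expire_days' "$userjs" 2>/dev/null
        printf '%s\n' 'user_pref("browser.history_expire_days", 0);'
    } > "$tmp" && mv "$tmp" "$userjs"
}

# Print "absent", "writable" or "readonly" for the profile's history.dat.
# Mode bits are read from ls because [ -w ] is always true for root.
history_state() {
    hist="$1/history.dat"
    [ -e "$hist" ] || { echo absent; return 0; }
    mode=$(ls -ld "$hist" | cut -c1-10)
    case $mode in
        ??w*|?????w*|????????w*) echo writable ;;
        *) echo readonly ;;
    esac
}

if [ "$#" -gt 0 ]; then
    harden_profile "$1" && history_state "$1"
fi
```

Clearing the write bits does not stop the file's owner, or any process that can write to the profile directory, from replacing the file, so this is a stopgap until a fixed build is installed.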

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 34065
  • malware fighter
Re: First big Firefox 1.5 vulnerability and workarounds
« Reply #13 on: December 11, 2005, 07:21:13 PM »
Hi MikeBCda,

The new Dr.Web browser plug-in works great for Flock.
The browser at once is a lot safer, when I can scan my hyperlinkies in advance.

greets,

polonus

neal62

  • Guest
Re: First big Firefox 1.5 vulnerability and workarounds
« Reply #14 on: December 11, 2005, 08:46:05 PM »
Polonus,

I agree with your last post. Works just fine for me with me using Flock also.  :)