Author Topic: Firefox hit by multiple drive-by download flaws  (Read 6304 times)

Offline Marc57

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1944
  • KISS Rules The World!!!
    • KISS Army
Firefox hit by multiple drive-by download flaws
« on: October 28, 2009, 06:29:39 PM »
Mozilla’s flagship Firefox browser is vulnerable to at least 11 “critical” vulnerabilities that expose users to drive-by download attacks that require no user interaction beyond normal browsing.


http://blogs.zdnet.com/security/?p=4758&tag=nl.e589


The Firefox 3.5.4 update will be distributed via the browser’s automatic update mechanism. It should be deployed within the next 24 to 48 hours. Or you can manually apply the update.


Be careful out there.
« Last Edit: October 28, 2009, 06:32:25 PM by Marc57 »
You Wanted the Best You Got the Best the Hottest Band in the World KISS!!!

enddays

  • Guest
Re: Firefox hit by multiple drive-by download flaws
« Reply #1 on: October 28, 2009, 06:51:00 PM »
Thanks for the heads up. Just updated manually  ;)

Offline Marc57

Re: Firefox hit by multiple drive-by download flaws
« Reply #2 on: October 28, 2009, 06:51:43 PM »
You're welcome.

Omega40

  • Guest
Re: Firefox hit by multiple drive-by download flaws
« Reply #3 on: October 28, 2009, 07:00:22 PM »
Thanks for the heads up....Got the update.....mine did it automatically.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89239
  • No support PMs thanks
Re: Firefox hit by multiple drive-by download flaws
« Reply #4 on: October 28, 2009, 07:44:08 PM »
Even without the update, those that are running the NoScript add-on are much less susceptible to any drive-by download vulnerability if present.

So if you don't already have NoScript, then it should be added. I feel Firefox should have that as an integral part of the program. Though that is unlikely to happen as too many sites would probably get the hump ;D
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline nmb

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3054
Re: Firefox hit by multiple drive-by download flaws
« Reply #5 on: October 28, 2009, 07:47:39 PM »
Quote from DavidR: "Though that is unlikely to happen as too many sites would probably get the hump ;D"

And what about novices?.. Firefox will get the hump.
« Last Edit: October 28, 2009, 07:51:05 PM by nmb »

Hermite15

  • Guest
Re: Firefox hit by multiple drive-by download flaws
« Reply #6 on: October 28, 2009, 07:52:35 PM »
Yeah, NoScript can't be installed on novices' Firefox installs, that's impossible. While installing Windows a while ago for someone in my family, when the Firefox phase came, I purposely avoided NoScript, knowing in advance that the person would never be able to deal with it. Just like no third-party firewall, to avoid alerts etc...
« Last Edit: October 28, 2009, 07:54:20 PM by Logos »

Offline DavidR

Re: Firefox hit by multiple drive-by download flaws
« Reply #7 on: October 28, 2009, 07:55:14 PM »
Quote from nmb: "What about novices?"

That is why I say the NoScript functionality should be incorporated into Firefox. As I said, because of business concerns who would see this as restrictive in blocking legit scripting on their site, which could lose them revenue if Firefox had something like this deployed by default.

A user opting to use this add-on (or other add-on) is their own choice, so business, etc. haven't got a leg to stand on, as that is a user's right to protect themselves and to see what they want to see (e.g. also blocking ads).

The problem being novices still have to be educated (as Logos mentions) because they don't know how NoScript functions.
« Last Edit: October 28, 2009, 07:56:49 PM by DavidR »

Hermite15

  • Guest
Re: Firefox hit by multiple drive-by download flaws
« Reply #8 on: October 28, 2009, 07:58:54 PM »
Novices can deal with Adblock Plus, 'cause there's nothing to do, but they'd be lost when Flash or anything else is blocked on a legit and clean site, they just wouldn't understand what's going on. You spend more time allowing stuff in NS than dealing with legitimately blocked elements, and you can't expect average Joes to do that. A majority doesn't want to be "educated"... they want to run their system like they switch their TV on; there's not much one can do against that.
« Last Edit: October 28, 2009, 08:02:59 PM by Logos »

Offline nmb

Re: Firefox hit by multiple drive-by download flaws
« Reply #9 on: October 28, 2009, 07:59:31 PM »
Quote from DavidR: "The problem being novices still have to be educated (as Logos mentions) because they don't know how noscript functions."

That is exactly what I meant when I said "what about novices?".

Offline DavidR

Re: Firefox hit by multiple drive-by download flaws
« Reply #10 on: October 28, 2009, 09:03:56 PM »
That is the unfortunate way of life; we all start out as novices in any area of activity, some remain novices where others seek out information and gain experience.

We can hardly say that those that use the internet haven't seen the growing reports about internet security (or rather threats) in many media reports, to know that we have to exercise caution and to do that we need to be well prepared. To do that we need to seek out information.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33926
  • malware fighter
Re: Firefox hit by multiple drive-by download flaws
« Reply #11 on: October 28, 2009, 09:27:40 PM »
Hi DavidR,

The NoScript extension brought into Fx by default? You must be kidding. It would never be tolerated by their main sponsor - Google. I think we can wait a long time for that. Just install the Ghostery extension and you will notice why: sometimes 6 trackers installed per page visited. If Firefox would implement this, their main sponsor, that likes to track your online ins and outs via script, would go. Google would certainly frown upon NS being brought to Fx as default, at least the full flung version, and you can't go for less. For Flock, same story with Yahoo as their main sponsor.

Flash cookies came in when users started to cookie cleanse on a large scale, and these Super cookies could restore the lost information. Google Chrome was launched when ad blocking started on a larger scale.

User tracking and ad-serving are the big roadblocks to either NoScript brought in as default or RequestPolicy for that reason. These considerations overrule user security. Sad but that is the world we live in,

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline DavidR

Re: Firefox hit by multiple drive-by download flaws
« Reply #12 on: October 28, 2009, 10:56:59 PM »
That is exactly what I said why it wouldn't be brought into Firefox, business wouldn't put up with it. However, straying further off-topic, I don't know how long any Google sponsorship will last given they have released Chrome some time ago.

Offline polonus

Re: Firefox hit by multiple drive-by download flaws
« Reply #13 on: October 29, 2009, 01:02:19 AM »
Hi DavidR,

Why it is better to have script blocked can be demonstrated here with the master reconnaissance test at: http://ha.ckers.org/mr-t/ (you have to enable JavaScript to see the workings of the script)

polonus

Offline DavidR

Re: Firefox hit by multiple drive-by download flaws
« Reply #14 on: October 29, 2009, 01:38:56 AM »
That isn't in doubt, the only problem is educating those who don't know this and how to implement script blocking.