Firefox hit by multiple drive-by download flaws

[Marc57]

Mozilla’s flagship Firefox browser is vulnerable to at least 11 “critical” vulnerabilities that expose users to drive-by download attacks that require no user interaction beyond normal browsing.


http://blogs.zdnet.com/security/?p=4758&tag=nl.e589


The Firefox 3.5.4 update will be distributed via the browser’s automatic update mechanism.  It should be deployed within the next 24 to 48 hours Or you can manually apply the update.


Be careful out there.

[enddays]

Thanks for the heads up. Just updated manually 

[Marc57]

Your Welcome.

[Omega40]

Thanks for the heads up....Got the update.....mine did it automatically.

[DavidR]

Even without the update, those that are running the NoScript add-on are much less susceptible to any drive-by download vulnerability if present.

So if you don't already have NoScript, then it should be added, I feel firefox should have that as an integral part of the program. Though that is unlikely to happen as too many sites would probably get the hump

[nmb]

Though that is unlikely to happen as too many sites would probably get the hump

and what about novices?.. firefox will get the hump.

[Hermite15]

yeah, noscript can't be installed on novices Firefox installs, that's impossible. While installing Windows a while ago for someone in my family, when came the Firefox phase, I avoided NoScript purposely, knowing in advance that the person would never be able to deal with it. Just like no third party firewall to avoid alerts etc...

[DavidR]

What about novices ?

That is why I say the noscript functionality should be incorporated into firefox. As I said, because of business concerns who would see this as restrictive in blocking legit scripting on their site, which could lose them revenue if firefox had something like this was deployed by default.

A user opting to use this add-on (or other add-on) is their own choice so business, etc. haven't got a leg to stand on as that is a users right to protect themselves and to see what they want to see (e.g. also blocking ads).

The problem being novices still have to be educated (as Logos mentions) because they don't know how noscript functions.

[Hermite15]

novices can deal with adblock +, 'cause there's nothing to do, but they'd be lost when flash or anything else is blocked on a legit and clean site, they just wouldn't understand what's going on. You spend more time allowing stuff in NS than dealing with legitimately blocked elements, and you can't expect average joes to do that. A majority doesn't want to be "educated"...they want to run their system like they switch their TV on; there's not much one can do against that.

[nmb]

The problem being novices still have to be educated (as Logos mentions) because they don't know how noscript functions.

that is what I exactly meant when I said "what about novices?".

[DavidR]

That is the unfortunate way of life, we all start out as novices in any area of activity, some remain novices were others seek out information and gain experience.

We can hardly say that those that use the internet haven't seen the growing reports about internet security (or rather threats) in many media reports, to know that we have to exercise caution and to do that we need to be well prepared. To do that we need to seek out information.

[polonus]

Hi DavidR,

The NoScript extension brought  into Fx by default? You must be kidding. It would never be tolerated by their main sponsor - Google. I think we can wait a long time for that. Just install Ghostery extension and you will notice why, sometimes 6 trackers installed per page visited.  If Firefox would implement this their main sponsor that likes to track your online ins and outs via script would go. Google would certainly frown upon NS being brought to Fx as default, at least the full flung version, and you can't go for less. For Flock same story with Yahoo as their main sponsor.

Flash cookies came in when users started to cookie cleanse on a large scale, and these Super cookies could restore the lost information. GoogleChrome was launched when ad blocking started on a larger scale.

User tracking and ad-serving are the big roadblocks to either NoScript brought in as default or RequestPolicy for that reason. These considerations overrule user security. Sad but that is the world we live in,

polonus

[DavidR]

That is exactly what I said why it wouldn't be brought into firefox, business wouldn't put up with it. However, straying further off-topic I don't know how long any google sponsorship will last given they have released Chrome some time ago.

[polonus]

Hi DavidR,

Why it is better to have script blocked, can be demonstrated here with the master reconnaissance test at
: http://ha.ckers.org/mr-t/   (you have to enable javascript to see the workings of the script)

polonus

[DavidR]

That isn't in doubt, the only problem is educating those who don't know this and how the implement script blocking.