
The Mudcat Café TM
https://mudcat.org/thread.cfm?threadid=81078
34 messages

Tech: FIREFOX USERS CRITICAL ALERT

10 May 05 - 08:19 PM (#1482078)
Subject: Tech: FIREFOX USERS CRITICAL ALERT
From: JohnInKansas

FIREFOX USERS CRITICAL ALERT:

It appears that Firefox browser users have reached critical mass, and are now of interest to malware producers. A just-issued alert confirms that code for a new "critical vulnerability" has been released to the world, and Firefox is scrambling to get fixes out. Partial fixes have been released, but more will be needed, and are being developed.

A summary article on the new vulnerability can be found in Zero-Day Firefox Exploit Sends Mozilla Scrambling at eWeek: By Ryan Naraine May 9, 2005

Firefox users may also want to look at Mozilla's Public Announcement.

Additional information is included at the Sequoia Alert. For those not familiar with them, Sequoia is a "threat collector" organization that receives information on new threats from many sources and consolidates them so that all of the AV groups get the information.

The Greyhat Security Tech Report claims to give some "techy details" about this latest p.o.s.

Mozilla warns that an attacker could combine vulnerabilities to execute code on a user's machine without user interaction.

Firefox users are urged to disable JavaScript immediately as a temporary workaround. Additionally, Mozilla recommends that the browser's software installation feature be disabled. This can be done by unchecking the "Allow web sites to install software" box, which can be found by selecting Options on the Tools menu and then Web Features.

Mozilla also modified the update servers to block a possible attack but made it clear this only provides partial protection. The updates were made to "update.mozilla.org" and "addons.mozilla.org," the two sites white-listed by default in Firefox. Software installation requests will now be redirected to "do-not-add.mozilla.org" to stop the publicly available exploit code from targeting the two vulnerabilities.

The latest security hiccups follow a rapid batch of patches from Mozilla for Firefox flaws. In late February, Mozilla shipped a major security makeover to provide a temporary workaround for a widely reported IDN (International Domain Name) bug, and to correct two serious flaws that could allow malicious attackers to spoof the source displayed in the "Download Dialog" box or to spoof the content of Web sites.

Two weeks later, Mozilla rolled out Firefox 1.0.3 to correct a serious vulnerability caused by the way GIF files are processed by the browser.

Then, on April 16, another Firefox refresh shipped to correct a JavaScript Engine flaw that put users at risk of information disclosure attacks.

Regular IE users are pretty much used to this kind of stuff, but those who have enjoyed being unmolested using Firefox should take this seriously. The code has been published and is available to any criminal who wants to attack you. Check the recommended fixes, get them done, and watch for the rest of the patches yet to come.

John


10 May 05 - 08:29 PM (#1482089)
Subject: RE: Tech: FIREFOX USERS CRITICAL ALERT
From: JohnInKansas

For Mac drivers who might look here:

More in the annoyance category, and not rating a separate thread, anyone interested in the new Mac Tiger OS may want to take a quick look at Malicious Widgets May Torment Tiger Users eWeek, By Robyn Weisman, May 9, 2005.

The Tiger OS isn't too widespread yet, and appears to be really good. Patches should be available for "widget management" by the time most people will need to be concerned.

John


10 May 05 - 08:35 PM (#1482091)
Subject: RE: Tech: FIREFOX USERS CRITICAL ALERT
From: Amos

Thank you, John. My wife -- who handles scores of Mac clients every month -- needs to know this if she doesn't already. Much appreciated!



A


10 May 05 - 08:58 PM (#1482104)
Subject: RE: Tech: FIREFOX USERS CRITICAL ALERT
From: mack/misophist

Note, however, that there is no record of these Firefox vulnerabilities being exploited yet.


10 May 05 - 09:03 PM (#1482109)
Subject: RE: Tech: FIREFOX USERS CRITICAL ALERT
From: JohnInKansas

Check the posting date when the code was published and made available to all the criminals. I don't think a week is too long to wait around for something bad to happen. This is pretty new, but does have some good folk rather concerned.

This is the first Firefox vulnerability to be officially listed in the "extremely critical" category by AV groups. They mean it - it's dangerous.

John


10 May 05 - 09:18 PM (#1482118)
Subject: RE: Tech: FIREFOX USERS CRITICAL ALERT
From: JudyB

Thanks, John! My home computer has the workarounds in place and I'll fix my work computer in the morning.
   JudyB


12 May 05 - 08:32 AM (#1483227)
Subject: RE: Tech: FIREFOX USERS CRITICAL ALERT
From: JohnInKansas

Just a refresh, for those who may come in today.

John


12 May 05 - 08:40 AM (#1483238)
Subject: RE: Tech: FIREFOX USERS CRITICAL ALERT
From: GUEST,Dale

Just giving my thanks to you, John for your timely help. When you originally posted this thread, I immediately went to my preferences and made your suggested changes. Firefox runs a little rough now, but I will stick with that for the moment.

PS, it still beats IE.


12 May 05 - 08:57 AM (#1483247)
Subject: RE: Tech: FIREFOX USERS CRITICAL ALERT
From: artbrooks

Firefox 1.0.4 has been released. Release notes are here.


12 May 05 - 09:43 AM (#1483279)
Subject: RE: Tech: FIREFOX USERS CRITICAL ALERT
From: JohnInKansas

artbrooks -

I haven't kept track of Firefox releases, and the latest (1.0.4) may include some of what they're talking about here. The info I got indicated that what's needed now are patches, rather than just a new version, and as of a day or so ago the patches available were only "partial fixes;" but three or four prior vulnerabilities were fixed in version releases, so it would be well to update, probably. Firefox people have made changes in their download sites because of this latest glitch, but you should be redirected automatically using old bookmarks you have.

A newsblast I got today said something about a new Firefox toolbar that incorporates some "extra security" and blocks popups, but I haven't looked at whether it's really anything new. It was a "marketing newsletter" rather than a tech one, and asks for a signup to a "free membership" on the site with the info. Too many of those, and you lose track of passwords, and if you use the same password too often it gets "too much exposure." - - maybe later.

There are a lot of plugins available - you'll have to do your own looking for what might be helpful.

John


12 May 05 - 05:09 PM (#1483623)
Subject: RE: Tech: FIREFOX USERS CRITICAL ALERT
From: treewind

I think today's 1.0.4 release covers the vulnerabilities mentioned above.

Here's a summary of the story, the rest of which you'll find at slashdot.org complete with several links:

"Firefox has been updated to 1.0.4 and they have fixed a few critical security holes, all javascript vulnerabilities. The Mozilla Foundation announced these vulnerabilities May 7th. 'There are currently no known active exploits of these vulnerabilities although a proof of concept has been reported." You don't have to upgrade, but it's recommended.'" We've reported on these vulnerabilities previously."

Anahata


12 May 05 - 05:24 PM (#1483634)
Subject: RE: Tech: FIREFOX USERS CRITICAL ALERT
From: Bill D

I've upgraded, but I 'think' there are a few minor bugs that may have crept in with the rush to address the security issues...tabbed browsing and installation of 'extensions' and display properties seem not perfect...

Look for a few clean-up releases soon as the experts tweak the settings.
If it is not a big deal for YOU, you may want to hold off a few weeks before downloading 1.0x


18 May 05 - 03:31 AM (#1487059)
Subject: RE: Tech: FIREFOX USERS CRITICAL ALERT
From: GUEST


18 May 05 - 10:14 AM (#1487227)
Subject: RE: Tech: FIREFOX USERS CRITICAL ALERT
From: Stilly River Sage

What extensions are you using with Firefox, Bill?


18 May 05 - 02:19 PM (#1487390)
Subject: RE: Tech: FIREFOX USERS CRITICAL ALERT
From: open mike

i have been waiting to hear bout this from fire fox
and have heard nothing..

what's the latest?

do they send updates, patches, etc. to registered users?


18 May 05 - 03:57 PM (#1487490)
Subject: RE: Tech: FIREFOX USERS CRITICAL ALERT
From: JohnInKansas

open mike -

So far as I've heard, there's no automatic update for Firefox. The "Mozilla Announcement" link in the first post, or treewind's link to "slashdot.org" about 5 posts up will get you a fairly current status. I believe they're recommending you get ver 1.0.4, but you'll want to read the info and comments before charging in, perhaps ...

John


18 May 05 - 05:51 PM (#1487576)
Subject: RE: Tech: FIREFOX USERS CRITICAL ALERT
From: Bill D

oh my, SRS--I use a bunch of extensions---- AdBlock, FireFTP, Google Bar, Target Alert, PrefBar, Enhanced history manager, Resize search box, ForecastFox (puts weather on toolbar), Download Sort, Linky, Tab Mix, Easy Gestures, Groowe Search toolbar, Super Drag&Go, and maybe the most helpful one, "Session Saver"...maybe 2-3 others...


18 May 05 - 05:53 PM (#1487580)
Subject: RE: Tech: FIREFOX USERS CRITICAL ALERT
From: Bill D

(I exchanged ideas and comparisons with a guy who uses 47 different ones!)


18 May 05 - 05:56 PM (#1487582)
Subject: RE: Tech: FIREFOX USERS CRITICAL ALERT
From: skipy

Can someone let Clint Eastwood know ASAP, he is the only one that I know of that flies a Firefox.
Regards Skipy


18 May 05 - 06:55 PM (#1487619)
Subject: RE: Tech: FIREFOX USERS CRITICAL ALERT
From: The Fooles Troupe

Firefox - a brick with lots of power.

"You can fly a brick if you have enough power."


18 May 05 - 11:18 PM (#1487772)
Subject: RE: Tech: FIREFOX USERS CRITICAL ALERT
From: Bill D

???..I must be getting slow in my old age. The last 2 posts eluded me..


19 May 05 - 12:15 AM (#1487800)
Subject: RE: Tech: FIREFOX USERS CRITICAL ALERT
From: open mike

www.imdb.com/title/tt0083943/ -
SOMETHING ABOUT AN ENTERTAINING COLD WAR FANTASY MOVIE..


19 May 05 - 12:22 AM (#1487802)
Subject: RE: Tech: FIREFOX USERS CRITICAL ALERT
From: GUEST,Jon

Re the updates, on my main PC, I just leave it up to Suse's online update which I usually run once a week. Firefox 1.0.4 hasn't come through yet but I'm sure it will soon if needed.

I really like the system as just about everything I run is covered. Firefox could be patched in the same job as a Linux Kernel update, an Apache fix, as an open-office fix, as an acrobat fix and it all (except a couple of kernel fixes where a reboot has been recommended) goes through without a single reboot.


19 May 05 - 12:46 AM (#1487811)
Subject: RE: Tech: FIREFOX USERS CRITICAL ALERT
From: GUEST

I updated to 1.0.4 a couple of days ago. Works fine, PLUS has a new Find: search. Instead of the pop up, it is in a bar down at the bottom of the page. First time or two that I tried a search after the update, I was saying "What th~~ no search box!", then I saw the bar and find that I really like it there. Xing it out is no harder than the old Find box.


19 May 05 - 12:54 AM (#1487813)
Subject: RE: Tech: FIREFOX USERS CRITICAL ALERT
From: Stilly River Sage

Bill, I never called those ancillary programs anything, so I wasn't sure what you meant by extensions. I use a few myself. Number one favorite is the Google Toolbar. I recently installed the Macromedia suite (Dreamweaver et al) and the darned thing put the Yahoo toolbar in also, but I knocked it out again. One toolbar is enough. I use several ad aware and spy block programs that have browser-specific settings. But nowhere near the number you use. I'll have to search on some of the names and see what they're all about. Thanks for listing them.

SRS


19 May 05 - 08:52 AM (#1488032)
Subject: RE: Tech: FIREFOX USERS CRITICAL ALERT
From: JudyB

Regarding automatic updates for Firefox, under Tools: Options: Advanced, there's a place you can choose to have the program periodically check for updates to the program and/or to your themes/extensions. That's also where the "check for updates now" button hides.

   JudyB


19 May 05 - 12:20 PM (#1488196)
Subject: RE: Tech: FIREFOX USERS CRITICAL ALERT
From: hesperis

AdBlock is great, although it messes up the prettiness of some sites that have flash or applets that you want to keep in. But overall it's awesome.

Session Saver really helps. Love it.

I've also got DOM Inspector, OpenBook, QuickTabPrefToggle, Show Failed URL, and View in IE, as well as some extra search options like dictionary search, amazon search, etc.

1.0.4 didn't mess up any of the above extensions, but that is something to be aware of in new versions. Sometimes extensions will need to be updated as well.


19 May 05 - 12:21 PM (#1488198)
Subject: RE: Tech: FIREFOX USERS CRITICAL ALERT
From: Bill D

SRS...under 'tools' in the toolbar, one item should be 'extensions'...that brings up a box showing whatever you have installed (perhaps ONLY GoogleBar for you so far)

look here for an almost complete list. Googling "firefox extensions" will get you lots of places where they are discussed.

For security purposes, (this new alert) they have slightly increased the complexity of installing new ones..(so that naughty sites don't install other stuff using the automated process), but it's mostly just a matter of manually putting .xpi files in the right folder.

There sure are a lot of possible extensions....read before you install. *grin*...(I do love "session saver" which allows me to keep what I had in my tabs just as I left it and not go searching again...(Opera has this built in))

and "tab mix" allows you to control umpty-leven options about how you want tabs to behave....but there are a couple other good tab control extensions, and they don't play well together.


04 Jun 05 - 03:23 AM (#1499937)
Subject: RE: Tech: FIREFOX USERS CRITICAL ALERT
From: JohnInKansas

There's probably a better thread for this, but this one was easy to find. It's maybe a good one for getting "non-IE" users attention?

Latest newsblasts from the tech world, some of which are actually of potential interest(?).

NETSCAPE:
Netscape 8 May Give Green Light to Spyware Sites By Paul F. Roberts, eWeek, June 1, 2005. This is not a major panic, since I don't think a lot of people have gone to the latest version of Netscape; but it might be something a few would want to look at, to watch for developments and possibly fixes.

WINDOWS 2000:
Microsoft to Roll Out Windows 2000 Update Rollup By Ryan Naraine, eWeek, June 2, 2005. Formal announcement of this "last blast" rollup of prior fixes has not been made, but Microsoft has announced that it is "imminent."

As of June 30, 2005, Win2K enters the "extended support" phase of the Microsoft "lifecycle support system." This means that, as with Win98 and WinME, first level free support will effectively terminate. It likely means as well that security updates, using the autoupdate system, will end, and that only "extremely critical" updates will be available to Win2K users.

Less significant, in the FWIW department:

Microsoft Adds XML File Formats to Office 12 By Mary Jo Foley, eWeek, June 2, 2005. Mickey has announced that XML will be the default format for Office files in the coming Office 12. They say that you will be able to select "Office 2003" as a personal default, and that there will be a utility to make "mass conversions" to the new XML format if you want to use it. I'm whelmed by this one….

PC Magazine GPS receiver review. Someone was asking about GPS receivers recently. I don't think this is directly applicable to the question asked, but I don't have a trace on the thread. Perhaps someone can point them here if it seems relevant and if they remember whowannedtunoe.

Dvorak on Open Forums. Since mudcat is a sort of unique open forum, this opinion may stir some thoughts. Dvorak is not one to be always believed, but he does have a way of getting to the guts of an issue – sometimes when there isn't even an issue. He's predicting the death of open forums - generally, completely, and totally. The question is, could the 'cat be affected if the attitude spreads?

John


04 Jun 05 - 06:08 PM (#1500271)
Subject: RE: Tech: FIREFOX USERS CRITICAL ALERT
From: Stilly River Sage

BillD, I haven't checked this for a while. Thanks for the information--I've added several extensions to play with. I looked in IE under "Tools" and "Managed Add-ons" and found quite a few there. Big programs that linked themselves to IE.

John, as usual, thanks for the updates. Interesting stuff. I guess whoever stole my old HP with Win2000 will have to think of something new pretty soon. Just don't come looking here again--I now have bars on the door, finished installing the decorative iron over the windows, and have a dog in the back yard. All low-tech "updates" in response to computer crime. (The dog is a Staffordshire Terrier, AKA pitbull, a stray who wandered in injured, but now that she's recovered she's such a sweetheart our only hope is that her barks will scare people off before they come through the gate and find out she's found another long-lost friend. . .)

SRS


05 Jun 05 - 05:34 AM (#1500414)
Subject: RE: Tech: FIREFOX USERS CRITICAL ALERT
From: treewind

I took a quick look at the Dvorak link. As you imply, he's a famous troll. Any forum which (a) uses email and (b) publishes a list of its members on a web site deserves what it's going to get.

Dvorak doesn't mention usenet on the page that I read, but "Death of usenet" has been predicted for so many years that the expression has long been a standing joke.

There are many email forums (including the closed yahoo groups) that are subject to enough control that they don't get out of hand. Mudcat comes into that category too, being privately owned and run as a benign dictatorship.

Anahata


05 Jun 05 - 06:56 AM (#1500431)
Subject: RE: Tech: FIREFOX USERS CRITICAL ALERT
From: The Fooles Troupe

I stopped allowing open access to the Yahoo Groups I run cause I got sick of Spammers and Religious Nutters spraying garbage everywhere. Now when you join, you wait till I approve you, then your first message or two wait for approval by me till they get posted - if you seem genuine, then you get open posting privileges. Has stopped the idiots dead in the water. The only hassle is the idiots using the 'group-owner' address as an address to spam to - but now Yahoo intercepts those and adds a 'spam' tag to the subject line. Mailwasher kills those.


05 Jun 05 - 07:24 AM (#1500438)
Subject: RE: Tech: FIREFOX USERS CRITICAL ALERT
From: GUEST,JohnInKansas

treewind -

You sort of have to get to know Dvorak to appreciate him. He does a regular couple of columns in PC Magazine and in a couple of other Ziff publications. He's known as the house curmudgeon, and does spout some rather outlandish stuff fairly often, but he's a really good source for a lot of "inside stuff" that nobody else wants to talk about.

But I figured the Netscape and Win2K stuff would be what most people would be interested in....

John


05 Jun 05 - 03:02 PM (#1500640)
Subject: RE: Tech: FIREFOX USERS CRITICAL ALERT
From: treewind

John, I hope you didn't take my comments about JCD as a personal criticism about anything you posted. It's all useful and worthwhile and likely to be of interest to other mudcatters.

I've seen most of those news items myself, but I like to read tech news on the web. I appreciate that many others won't have seen them and collating and summarizing relevant items like this is a good thing to do.

Anahata