QuickDraw 0 #1 February 27, 2005 I was looking at a new UK security awareness site http://www.itsafe.gov.uk/index.html and the first update was this. QuoteITsafe Advisory 2005-ADV-002 What is it?: Problem with Mozilla Firefox browser What does it do?: This could aid phishing attacks on users of this product How do I fix it?: Update the software to "Firefox 1.0.1" - the URL is: http://www.mozilla.org/products/firefox/ Technical Information: The specific problem is described by the supplier at http://www.mozilla.org/press/mozilla-2005-02-24.html. The underlying problem is described at CVE, as CAN-2005-0233. Notes: Advisories are issued when not enough ITsafe users are likely to be affected to justify sending an Alert or Bulletin by email. http://www.mozilla.org/press/mozilla-2005-02-24.html Reads: QuoteAll Firefox users are encouraged to download security update at mozilla.org February 24, 2005, (Mountain View, CA). The Mozilla Foundation, a non-profit organization dedicated to preserving choice and promoting innovation on the Internet, today released an update to its award-winning Firefox 1.0 browser. The Firefox security update is available for the 27 million users who have already downloaded the free browser. The Mozilla Foundation encourages all users to download the update, which is available now on all platforms at www.mozilla.org. "Regular security updates are essential for maintaining a safe browsing experience for our users," said Chris Hofmann, director of engineering for the Mozilla Foundation. "The Mozilla Foundation has developed a community of users and developers who continuously provide feedback on Mozilla software, and as a result of that constant vigilance, we are able to provide quick and effective responses to security vulnerabilities." The Mozilla Foundation evaluates security issues on an ongoing basis and will issue security updates as warranted. The security update for Firefox includes several fixes to guard against spoofing and arbitrary code execution. More information is available in the release notes at http://www.mozilla.org/products/firefox/releases/. Firefox has been widely praised for its stability, trustworthiness and innovative features including tabbed browsing, live bookmarks, built-in pop-up blocking, and hundreds of available extensions. SC Magazine, a leading security magazine, recently awarded the Mozilla Foundation with its Editor in Chief award. The browser has been downloaded more than 27 million times and is available in 28 languages. -- Hope you don't die. -- I'm fucking winning Quote Share this post Link to post Share on other sites
PhreeZone 14 #2 February 27, 2005 But I thought open source was so much better because it eliminated the possibilites of something like this from happening Yesterday is history And tomorrow is a mystery Parachutemanuals.com Quote Share this post Link to post Share on other sites
jjiimmyyt 0 #3 February 27, 2005 The exploit was noted, posted and sorted ASAP. Instead of waiting until mounting pressure and world wide media attention forced them to fix it. Then all 6 of us went round to Linus's for Pizza, RMS pitched up later with a six GNU\pack. Edit for GNU\spelling "This isn't an iron lung, people. You can actually disconnect and not die." -Dave Quote Share this post Link to post Share on other sites
GTAVercetti 0 #4 February 27, 2005 QuoteBut I thought open source was so much better because it eliminated the possibilites of something like this from happening No, open source was never said to be like that. But as was posted, changes and problems noted by users get fixed ALOT faster. For instance, I found a problem in MySQL control center. Emailed them and the fix was in the next version. Try doing that with Microsoft.Why yes, my license number is a palindrome. Thank you for noticing. Quote Share this post Link to post Share on other sites
PhreeZone 14 #5 February 27, 2005 I do it all the time. We used to find bugs in some MS code with our internal apps. Call MS up, report the issue and they would issue us a patch. Wait till the next SP and it was in there. That happened like 4 times I can remember. I reported some files being missed on their Spyware tool. next dats they were detected and deleted.Yesterday is history And tomorrow is a mystery Parachutemanuals.com Quote Share this post Link to post Share on other sites
GTAVercetti 0 #6 February 27, 2005 QuoteI do it all the time. We used to find bugs in some MS code with our internal apps. Call MS up, report the issue and they would issue us a patch. Wait till the next SP and it was in there. That happened like 4 times I can remember. I reported some files being missed on their Spyware tool. next dats they were detected and deleted. How much money does your company put into MS products? Coming from a company is one thing, coming from your average consumer is quite another. Especially since MS makes it so difficult for the average person to have that kind of dialogue. Anyway, the point here is that Mozilla has issued quite a few less patches and fixes since Firefox's inception than I got LAST WEEK from MS.Why yes, my license number is a palindrome. Thank you for noticing. Quote Share this post Link to post Share on other sites
PhreeZone 14 #7 February 27, 2005 What product did MS release the patches on? Mozilla is just one product. MS monthly security patches are for all their products. Last count of last year was only about 1/3rd or less of the patches were related directly to IE and the majority of those were due to trying to build more int oa browser then needed. LDAP intergration makes things nice but is not needed through a web browser. Yesterday is history And tomorrow is a mystery Parachutemanuals.com Quote Share this post Link to post Share on other sites
GTAVercetti 0 #8 February 28, 2005 QuoteWhat product did MS release the patches on? Mozilla is just one product. MS monthly security patches are for all their products. Last count of last year was only about 1/3rd or less of the patches were related directly to IE and the majority of those were due to trying to build more int oa browser then needed. LDAP intergration makes things nice but is not needed through a web browser. The patches I got last week included, Xp, Office XP and the current one in my queue, XP again. Sorry, but for the AVERAGE JOE, MS does NOT respond to bugs. There simply is no well organized mechanism in place to the an error fixed by a user who simply owns a copy of an MS product. If you are a business that spends a fuckton of cash on MS, then yes, you will get your problems fixed. But if you are Steve McKracken from the Osarks....good luck. The fact is that MS had no intention of upgrading IE until Longhorn comes put...that is, until they realized that Firefox is causing a mini-revolution. Because of Firefox and other free, faster, more versitile, and MOST IMPORTANTLY, STANDARD COMPLIANT browsers, MS is FINALLY releasing IE7. The most ridiculous thing is that MS is on the World Wide WEb Consortium to create Internet standards for HTML, CSS, and the like and yet when you create webpages that adhere to the standards, in what browser do they look completely screwed up? Answer: Internet Explorer. I am sorry. I got completely off topic. MS always gets me going. I apologize for going a little nuts. Why yes, my license number is a palindrome. Thank you for noticing. Quote Share this post Link to post Share on other sites
lummy 4 #9 February 28, 2005 I can't tell for certain, Is this in response to the vulnerability found in browsers that support Unicode that will allow a phisher to create websites using alternate languages? The funny thing is that IE isn't vulnerable since it doesn't support Unicode. Thanks for the infoI promise not to TP Davis under canopy.. I promise not to TP Davis under canopy.. eat sushi, get smoochieTTK#1 Quote Share this post Link to post Share on other sites
newsstand 0 #10 February 28, 2005 Considering your wide open attacks on various subjects in other forums I am surprised by your apparent undying devotion to Microsquish products. Non-MS products will almost certainly come under attack from the insecure idiots who send out the various worms, trojans, etc. but as has been pointed out by others the response to these problems is much more immediate in open source products. The prolem at MS is the denial that there are hols in their sotware. I have been writing software for nearly 20 years and I can assure that there are holes in everthing ever written. "Truth is tough. It will not break, like a bubble, at a touch; nay, you may kick it about all day like a football, and it will be round and full at evening." -- Oliver Wendell Holmes Quote Share this post Link to post Share on other sites