FireFox IDN patch released

Mozillas.org ^ | 9/10/2005 | Mozilla

[zeugma]

What Firefox and Mozilla users should know about the IDN buffer overflow security issue

On September 6 a security vulnerability affecting all versions of Mozilla Firefox and the Mozilla Suite was reported to Mozilla by Tom Ferris and on September 8th was publicly disclosed.

On September 9, the Mozilla team released a configuration change which, as a temporary measure to work around this problem, disables IDN in the browser. IDN functionality will be restored in a future product update. The fix is either a manual configuration change or a small download which will make this configuration change for the user. Instructions on administering these changes can be found below.

How to update

There are two methods for resolving this problem. The first method is to install a small download and the second method is to manually change the browser configuration. You only need to do one of the two.

Installing the Patch

• To install the security patch for Firefox or the Mozilla Suite, follow these instructions:
  1. Firefox and Mozilla Suite users click this link: http://ftp.mozilla.org/pub/mozilla.org/firefox/releases/1.0.6/patches/307259.xpi
  2. In the Software Installation window, click the "Install Now" button.
  3. Exit and restart your Mozilla or Firefox browser.

• To verify the fix in Firefox and the Mozilla Suite, be sure to restart the browser and then follow these steps:
  1. In Firefox Click Help -> About Mozilla Firefox and verify that the user agent string contains "(noIDN)"
  2. In the Mozilla Suite Click Help -> About Mozilla and verify that the user agent string contains "(noIDN)"

Manually Configuring the Browser

• To manually change the browser configuration for Firefox or the Mozilla Suite, follow these instructions:
  1. Type about:config into the address field and hit Enter.
  2. In the Filter toolbar, type network.enableIDN.
  3. Right click on the the network.enableIDN item and select toggle to change value to false.

• To verify the fix in your Firefox or Mozilla application, be sure to restart the browser and then follow these steps.
  1. Type about:config into the address field and hit Enter.
  2. In the Filter toolbar, type network.enableIDN.
  3. Ensure that the the value for this item is set to false.

We value our users' safety and security and will continue to make all efforts to release secure products and respond quickly when security vulnerabilities are identified in our software.

---

---

• Site Map
• Security Updates
• Contact Us

[zeugma]

In reference to this FreeRepublic post, concerning a browser vulnerability identified yesterday, the above patch and configuration setting is the fix.

In post 25 I commented that I'd download the patch today, confident that there would be a patch released within 24 hours. The above fulfills that expectation.

[zeugma]

ShadowAce, please post to the usual ping lists.

B2K, please see comment above.

[zeugma]

Ping. Thought you might be interested.

[Terpfen]

It's amazing how the tech media will yield to a security researcher trying to look like he's doing something.

Mozilla's fixed at least 15, IIRC, various security flaws in the leadup to the 1.5 beta... but Secunia has to look busy and productive. Ugh.

[flashbunny]

well, mine was already set to false, but it's nice theyr'e getting this out there.

I loved the fact that bush2000 posted it. Of course, it was jsut to highlight the fact that 'no web browser is 100% secure', of course.

If this was an IE flaw, there wouldn't be a patch 4 days later. Roughly 14 days after it was announced, microsoft would issue a press release announce they would soon disclose their plans to announce a patch for the flaw which may or may not exist.

[N3WBI3]

http://www.freerepublic.com/focus/f-chat/1481139/posts?page=64#64

Already pinged the OSS list to this fix. I do, however, appreciate the ping..

[zeugma]

If this was an IE flaw, there wouldn't be a patch 4 days later. Roughly 14 days after it was announced, microsoft would issue a press release announce they would soon disclose their plans to announce a patch for the flaw which may or may not exist.

Pretty much. :-)

I hear that MS has postponed their scheduled montly Tuesday patch. The must be having quality control problems with all those jobs they outsourced to China.

[flashbunny]

"The must be having quality control problems with all those jobs they outsourced to China."

Hey, at least windows isn't used by the commies! (It's just programmed by them - or will be, soon.)

[martin_fierro]

placemarker

[USF]

marking...

[Bush2000]

If this was an IE flaw, there wouldn't be a patch 4 days later.

So what. Making a patch available doesn't mean that everybody affected is going to apply that patch. If history has proven anything, it's that people don't apply patches in a timely fashion.

[ShadowAce]

[N3WBI3]

I cant worry about what everyone else would do, point is I would harden *my* boxes..

[Bush2000]

I cant worry about what everyone else would do, point is I would harden *my* boxes..

Yeah, but you don't represent the majority of users. Many (if not most) of them are clueless about patching requirements.

[shadowman99]

I'll be damned. Bush2000 said something I can agree with. I guess a stopped clock is right twice a day and all that...

One of the reasons people have stopped installing MS updates in a timely manner is many of them cause problems worse than what you're trying to fix. That XP SP2 pack screwed a lot of machines. Also MS has a history of sneaking undocumented fixes and system setting changes into these patches. Not nice.

It's all about trust. Many people don't trust MS as much as they once did.

Meanwhile, Apple's cred keeps on growing. Apple is enjoying a "halo effect" where 1 in 7 consumers who purchased an iPod purchased a Mac as their next box. Owch. And have you seen those new iPod Nanos? Damn. Those things are so cool Microsoft might not be able to pay you soon, Bush2000.

Say 'hi' to Team13 for me. 'night.

[clyde asbury]

Automatic Update This! bump.

[Salo]

I agree with you and B2K about the patching not being done in a timely manner, but it seems to me Apple has botched a lot of patches lately, so I even wait a bit on them.

[dennisw]

My Internet Explorer is up to date but always lets a Trojan enter my computer from a certain site. McAfee AV immediately detects and wipes it out. I have no such problem when I visit this site with Firefox and Opera. The Trojan never gets past those two browsers

[N3WBI3]

I understand that, but ti does mean I have a 4 day window to patch myself, thats all anyone can do on any system. MS does not typically provide such a short window..