FireFox IDN patch released

Mozillas.org ^ | 9/10/2005 | Mozilla

[zeugma]

What Firefox and Mozilla users should know about the IDN buffer overflow security issue

On September 6 a security vulnerability affecting all versions of Mozilla Firefox and the Mozilla Suite was reported to Mozilla by Tom Ferris and on September 8th was publicly disclosed.

On September 9, the Mozilla team released a configuration change which, as a temporary measure to work around this problem, disables IDN in the browser. IDN functionality will be restored in a future product update. The fix is either a manual configuration change or a small download which will make this configuration change for the user. Instructions on administering these changes can be found below.

How to update

There are two methods for resolving this problem. The first method is to install a small download and the second method is to manually change the browser configuration. You only need to do one of the two.

Installing the Patch

• To install the security patch for Firefox or the Mozilla Suite, follow these instructions:
  1. Firefox and Mozilla Suite users click this link: http://ftp.mozilla.org/pub/mozilla.org/firefox/releases/1.0.6/patches/307259.xpi
  2. In the Software Installation window, click the "Install Now" button.
  3. Exit and restart your Mozilla or Firefox browser.

• To verify the fix in Firefox and the Mozilla Suite, be sure to restart the browser and then follow these steps:
  1. In Firefox Click Help -> About Mozilla Firefox and verify that the user agent string contains "(noIDN)"
  2. In the Mozilla Suite Click Help -> About Mozilla and verify that the user agent string contains "(noIDN)"

Manually Configuring the Browser

• To manually change the browser configuration for Firefox or the Mozilla Suite, follow these instructions:
  1. Type about:config into the address field and hit Enter.
  2. In the Filter toolbar, type network.enableIDN.
  3. Right click on the the network.enableIDN item and select toggle to change value to false.

• To verify the fix in your Firefox or Mozilla application, be sure to restart the browser and then follow these steps.
  1. Type about:config into the address field and hit Enter.
  2. In the Filter toolbar, type network.enableIDN.
  3. Ensure that the the value for this item is set to false.

We value our users' safety and security and will continue to make all efforts to release secure products and respond quickly when security vulnerabilities are identified in our software.

---

---

• Site Map
• Security Updates
• Contact Us

[Golden Eagle]

In post 25 I commented that I'd download the patch today, confident that there would be a patch released within 24 hours.

That proves nothing other than you don't know the difference between a "patch" and a "workaround" then, since all your procedure does is disable the service. Then again, since an acutal patch still hasn't been released yet, you were wrong about that, too.

[zeugma]

That proves nothing other than you don't know the difference between a "patch" and a "workaround" then, since all your procedure does is disable the service. Then again, since an acutal patch still hasn't been released yet, you were wrong about that, too.

You're 0 for 2 so far. Coming from someone who has publicly stated that he'd recommend someone use CDE on a solaris box so as to keep away from an open source window manager like KDE or Gnome, I don't expect much better.

The post that started this thread, from Mozilla.org says:

Installing the Patch

• To install the security patch for Firefox or the Mozilla Suite, follow these instructions:
  1. Firefox and Mozilla Suite users click this link: http://ftp.mozilla.org/pub/mozilla.org/firefox/releases/1.0.6/patches/307259.xpi
  2. In the Software Installation window, click the "Install Now" button.

Dufus.

[Golden Eagle]

I could care less what the download site has to say about anything. It's obviously not a patch, it's a workaround that leaves the service disabled. An actual patch would restore the service to normal functionality. Read it and weep:

Techweb.com - Mozilla Fixes Firefox Flaw With Workaround: Mozilla Corp. has posted temporary workarounds for the most recent bug in its Firefox and Mozilla browsers that include both manual and automated fixes. "We’re looking into the problem," said Mike Schroepfer, Mozilla's director of engineering, on Friday in an interview, "and we'll respond with a patch as quickly as possible."

Says a lot about you too, since all you can do in the face of facts is call me names, instead of admitting you were obviously wrong, on all counts. But everybody's used to it by now.