FireFox IDN patch released
Mozillas.org ^
| 9/10/2005
| Mozilla
Posted on 09/10/2005 8:38:15 PM PDT by zeugma
What Firefox and Mozilla users should know about the IDN buffer overflow security issue
On September 6 a security vulnerability affecting all versions of Mozilla Firefox and the Mozilla Suite was reported to Mozilla by Tom Ferris and on September 8th was publicly disclosed.
On September 9, the Mozilla team released a configuration change which, as a temporary measure to work around this problem, disables IDN in the browser. IDN functionality will be restored in a future product update. The fix is either a manual configuration change or a small download which will make this configuration change for the user. Instructions on administering these changes can be found below.
How to update
There are two methods for resolving this problem. The first method is to install a small download and the second method is to manually change the browser configuration. You only need to do one of the two.
Installing the Patch
- To install the security patch for Firefox or the Mozilla Suite, follow these instructions:
  - Firefox and Mozilla Suite users click this link: http://ftp.mozilla.org/pub/mozilla.org/firefox/releases/1.0.6/patches/307259.xpi
  - In the Software Installation window, click the "Install Now" button.
  - Exit and restart your Mozilla or Firefox browser.
- To verify the fix in Firefox and the Mozilla Suite, be sure to restart the browser and then follow these steps:
  - In Firefox, click Help -> About Mozilla Firefox and verify that the user agent string contains "(noIDN)".
  - In the Mozilla Suite, click Help -> About Mozilla and verify that the user agent string contains "(noIDN)".
Manually Configuring the Browser
- To manually change the browser configuration for Firefox or the Mozilla Suite, follow these instructions:
  - Type about:config into the address field and hit Enter.
  - In the Filter toolbar, type network.enableIDN.
  - Right click on the network.enableIDN item and select toggle to change the value to false.
- To verify the fix in your Firefox or Mozilla application, be sure to restart the browser and then follow these steps:
  - Type about:config into the address field and hit Enter.
  - In the Filter toolbar, type network.enableIDN.
  - Ensure that the value for this item is set to false.
We value our users' safety and security and will continue to make all efforts to release secure products and respond quickly when security vulnerabilities are identified in our software.
TOPICS: Computers/Internet
KEYWORDS: browser; firefox; patch; update
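An added example (not part of the Mozilla notice or of the original post): a Python check of whether the network.enableIDN workaround is in effect for a profile, read from the profile's prefs.js and user.js. It assumes the usual `user_pref("name", value);` line format and that an unset pref means IDN is still on; the function names and the sample file contents are made up for illustration.

```python
import re
import sys
from pathlib import Path

# One preference line as written in a profile's prefs.js or user.js.
# Lines starting with // do not match; block comments are not handled.
PREF_RE = re.compile(r'^[ \t]*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;', re.M)

def parse_prefs(text):
    """Return {pref name: raw value text}; a later line overrides an earlier one."""
    return {name: value for name, value in PREF_RE.findall(text)}

def idn_workaround_state(prefs_js, user_js=""):
    """Classify one profile. user.js is applied over prefs.js at startup."""
    merged = {**parse_prefs(prefs_js), **parse_prefs(user_js)}
    raw = merged.get("network.enableIDN")
    if raw is None:
        # Assumption: with no explicit pref, IDN is still enabled.
        return "not-applied (pref unset, assumed default: IDN on)"
    if raw == "false":
        return "applied"
    if raw == "true":
        return "not-applied (explicitly true)"
    return "unknown value: " + raw

def audit_profile(profile_dir):
    """Read prefs.js and user.js from a profile directory, if present."""
    texts = []
    for name in ("prefs.js", "user.js"):
        path = Path(profile_dir) / name
        texts.append(path.read_text(errors="replace") if path.is_file() else "")
    return idn_workaround_state(*texts)

# Constructed sample files (not taken from a real profile).
SAMPLE_PREFS = '''user_pref("browser.startup.homepage", "about:blank");
// user_pref("network.enableIDN", false);
user_pref("network.enableIDN", true);
'''
SAMPLE_USER_JS = 'user_pref("network.enableIDN", false);\n'

if __name__ == "__main__":
    # Pass profile directories as arguments, or run with none for the samples.
    for d in sys.argv[1:]:
        print(d, "->", audit_profile(d))
    if len(sys.argv) == 1:
        print(idn_workaround_state(SAMPLE_PREFS))
        print(idn_workaround_state(SAMPLE_PREFS, SAMPLE_USER_JS))
```

The commented-out line in the sample shows why a plain text search for the pref name is not enough: only an active `user_pref` line counts.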
In reference to this FreeRepublic post, concerning a browser vulnerability identified yesterday, the above patch and configuration setting is the fix.
In post 25 I commented that I'd download the patch today, confident that there would be a patch released within 24 hours. The above fulfills that expectation.
1
posted on
09/10/2005 8:38:17 PM PDT
by
zeugma
To: ShadowAce; Bush2000
ShadowAce, please post to the usual ping lists.
B2K, please see comment above.
2
posted on
09/10/2005 8:40:37 PM PDT
by
zeugma
(Muslims are varelse...)
To: N3WBI3
Ping. Thought you might be interested.
3
posted on
09/10/2005 8:51:40 PM PDT
by
zeugma
(Muslims are varelse...)
To: zeugma
It's amazing how the tech media will yield to a security researcher trying to look like he's doing something.
Mozilla's fixed at least 15, IIRC, various security flaws in the leadup to the 1.5 beta... but Secunia has to look busy and productive. Ugh.
4
posted on
09/10/2005 8:56:13 PM PDT
by
Terpfen
(http://www.pattonhq.com/unknowntext.html)
To: zeugma
Well, mine was already set to false, but it's nice they're getting this out there.
I loved the fact that bush2000 posted it. Of course, it was just to highlight the fact that 'no web browser is 100% secure', of course.
If this was an IE flaw, there wouldn't be a patch 4 days later. Roughly 14 days after it was announced, Microsoft would issue a press release announcing they would soon disclose their plans to announce a patch for the flaw which may or may not exist.
5
posted on
09/10/2005 9:06:00 PM PDT
by
flashbunny
(Why do I have to defend the free market on a web site called free republic???)
To: zeugma
6
posted on
09/10/2005 9:11:47 PM PDT
by
N3WBI3
(If SCO wants to go fishing they should buy a permit and find a lake like the rest of us..)
To: flashbunny
If this was an IE flaw, there wouldn't be a patch 4 days later. Roughly 14 days after it was announced, Microsoft would issue a press release announcing they would soon disclose their plans to announce a patch for the flaw which may or may not exist.
Pretty much. :-)
I hear that MS has postponed their scheduled monthly Tuesday patch. They must be having quality control problems with all those jobs they outsourced to China.
7
posted on
09/10/2005 11:03:17 PM PDT
by
zeugma
(Muslims are varelse...)
To: zeugma
"They must be having quality control problems with all those jobs they outsourced to China."
Hey, at least windows isn't used by the commies! (It's just programmed by them - or will be, soon.)
8
posted on
09/10/2005 11:30:57 PM PDT
by
flashbunny
(Why do I have to defend the free market on a web site called free republic???)
To: zeugma
9
posted on
09/11/2005 1:25:30 AM PDT
by
martin_fierro
(Have You Forgotten?)
Comment #10 Removed by Moderator
11
posted on
09/11/2005 3:05:35 AM PDT
by
USF
(I see your Jihad and raise you a Crusade ™ © ®)
To: flashbunny
If this was an IE flaw, there wouldn't be a patch 4 days later.
So what. Making a patch available doesn't mean that everybody affected is going to apply that patch. If history has proven anything, it's that people don't apply patches in a timely fashion.
12
posted on
09/11/2005 4:29:41 PM PDT
by
Bush2000
(Linux -- You Get What You Pay For ... (tm)
To: rdb3; chance33_98; Calvinist_Dark_Lord; Bush2000; PenguinWry; GodGunsandGuts; CyberCowboy777; ...
13
posted on
09/11/2005 7:21:14 PM PDT
by
ShadowAce
(Linux -- The Ultimate Windows Service Pack)
To: Bush2000
I can't worry about what everyone else would do, point is I would harden *my* boxes..
14
posted on
09/11/2005 7:25:07 PM PDT
by
N3WBI3
(If SCO wants to go fishing they should buy a permit and find a lake like the rest of us..)
To: N3WBI3
I can't worry about what everyone else would do, point is I would harden *my* boxes..
Yeah, but you don't represent the majority of users. Many (if not most) of them are clueless about patching requirements.
15
posted on
09/11/2005 8:48:49 PM PDT
by
Bush2000
(Linux -- You Get What You Pay For ... (tm)
To: Bush2000
I'll be damned. Bush2000 said something I can agree with. I guess a stopped clock is right twice a day and all that...
One of the reasons people have stopped installing MS updates in a timely manner is many of them cause problems worse than what you're trying to fix. That XP SP2 pack screwed a lot of machines. Also MS has a history of sneaking undocumented fixes and system setting changes into these patches. Not nice.
It's all about trust. Many people don't trust MS as much as they once did.
Meanwhile, Apple's cred keeps on growing. Apple is enjoying a "halo effect" where 1 in 7 consumers who purchased an iPod purchased a Mac as their next box. Owch. And have you seen those new iPod Nanos? Damn. Those things are so cool Microsoft might not be able to pay you soon, Bush2000.
Say 'hi' to Team13 for me. 'night.
To: zeugma
Automatic Update This! bump.
17
posted on
09/11/2005 9:11:52 PM PDT
by
clyde asbury
(Whoever controls the present controls the future - or so they think.)
To: shadowman99
I agree with you and B2K about the patching not being done in a timely manner, but it seems to me Apple has botched a lot of patches lately, so I even wait a bit on them.
18
posted on
09/12/2005 5:18:59 AM PDT
by
Salo
(WWFSMD?)
To: zeugma
My Internet Explorer is up to date but always lets a Trojan enter my computer from a certain site. McAfee AV immediately detects and wipes it out. I have no such problem when I visit this site with Firefox and Opera. The Trojan never gets past those two browsers.
19
posted on
09/12/2005 5:26:15 AM PDT
by
dennisw
(***)
To: Bush2000
I understand that, but it does mean I have a 4 day window to patch myself, that's all anyone can do on any system. MS does not typically provide such a short window..
20
posted on
09/12/2005 7:49:48 AM PDT
by
N3WBI3
(If SCO wants to go fishing they should buy a permit and find a lake like the rest of us..)