Whaddaya Mean, Firefox isn’t Secure?

Did you see the articles this past week about Firefox 2.0.0.5 vulnerabilities?  Here’s a snip from a linux.com article:

According to a message posted over the weekend on the Full-Disclosure mailing list, the latest version of Firefox, 2.0.0.5, contains a password management vulnerability that can allow malicious Web sites to steal user passwords. If you have JavaScript enabled and allow Firefox to remember your passwords, you are at risk from this flaw.

It seems obvious that the workaround is to disable JavaScript, right? When was the last time you tried surfing “modern” or Web 2.0 sites without JavaScript? They’re almost worthless. If I wanted that user experience I’d still be using IE5.

Or stop using the password management features of Firefox. Which brings up a question: If the master password is set, is this still a vulnerability? Granted, I don’t know anyone who has ever actually set the master password… but maybe this would be a good excuse to do so? A couple of comments on the Slashdot article seem to indicate that it would be helpful.

I know at least one friend spending a lot more time in Internet Explorer this week. I’ll admit I’ve been using mostly IE and Opera this week as well. How are other folks handling this?


14 comments to Whaddaya Mean, Firefox isn’t Secure?

  • I am still using Firefox. I would rather use the browser with one known vulnerability, than the browser with an unknown # of major vulnerabilities that we won’t know about until they are in the wild.

  • Nathan – great way of putting it in perspective.

  • Jesus that is scary.

    I use the NoScript add-on already, so I don’t think I’m that vulnerable, but still, I have every password I use saved on Firefox.

  • [...] chose this as a chance to break my addiction to firefox since it’s had security issues. So, no firefox on this computer for the first time in years. I also broke the itunes umbilical. I [...]

  • I am with Nathan and John. I will use Firefox over IE any day, and I store all my passwords, but use the NoScript plugin.

    I just wonder how long it will take Mozilla to come up with a fix and new version. Can they beat Microsoft and their horrible turnaround rate?

  • There’s an extension you can get called NoScript, which I am using until Mozilla fix this. It stops all javascript from running unless you personally authorise each individual one or a whole page.

    It is without doubt one of the most annoying extensions I have ever used, but I prefer it to having someone steal all my passwords.. :)

    Snoskred
    http://www.snoskred.org/

  • Ok ok! Gee, I think I’ll go check out NoScript and start whitelisting trusted sites.

    I guess I can take a hint. Eventually. :-D

  • Rob

    The password stealing vulnerability seems like a bit of an overreaction. The reason being the security hole doesn’t allow a page to get ahold of all of your saved passwords. Rather, a password can only be stolen from a page on the same server that the password is attached to.
    So your bank password is okay. Your PayPal password is okay. So are the passwords to access your utilities and cell phones.
    What’s at risk are passwords that are used to access user-generated webpages. Pretty much just places like MySpace.

  • This is pretty scary! I use the password manager a lot! Thanks for letting me know this vulnerability.

  • The original article (linked to from slashdot) is good reading.

    From the users’ perspective, this means that they should not entrust their passwords to the password manager on web sites that allow other users to create their own pages containing scripts. Otherwise somebody can easily create a page that steals the password as soon as the page is opened (see our password stealing demo for that). This category of sites includes many content management systems including blogs and social networking sites [...].

    It goes on to suggest disabling javascript or the apparently quite popular NoScript plugin.

    I ended up with NoScript and I’m being rather picky about the sites I visit for the time being.

  • Hey Chris – Just fired up Firefox and it’s updated to 2.0.0.6. :)

    Do you reckon they were reacting to this vulnerability and fixing it?

  • Here’s the fixlist:
    http://forums.mozillazine.org/viewtopic.php?t=569539

    I’m not sure I see anything about the password stealing stuff listed as fixed?

  • Firefox is more secure than Internet Explorer.

    Another plus for Firefox is for those of us using multiple operating systems, Firefox allows a cohesive web experience regardless of what system we use.
