Whaddaya Mean, Firefox isn’t Secure?
Posted on July 29, 2007
Did you see the articles this past week about Firefox 2.0.0.5 vulnerabilities? Here’s a snip from a linux.com article:
According to a message posted over the weekend on the Full-Disclosure mailing list, the latest version of Firefox, 2.0.0.5, contains a password management vulnerability that can allow malicious Web sites to steal user passwords. If you have JavaScript enabled and allow Firefox to remember your passwords, you are at risk from this flaw.
It seems obvious that the work-around is to disable JavaScript, right? When was the last time you tried surfing “modern” or Web 2.0 sites without JavaScript? They’re almost worthless. If I wanted that user experience I’d still be using IE5.
Or stop using the password management features of Firefox. Which brings up a question: If the master password is set, is this still a vulnerability? Granted, I don’t know anyone who has ever actually set the master password… but maybe this would be a good excuse to do so? A couple of comments on the Slashdot article seem to indicate that it would be helpful.
I know at least one friend spending a lot more time in Internet Explorer this week. I’ll admit I’ve been using mostly IE and Opera this week as well. How are other folks handling this?
Tags: firefox, IE7, javascript, opera, security, web2.0
14 Responses to “Whaddaya Mean, Firefox isn’t Secure?”



I am still using Firefox. I would rather use the browser with one known vulnerability, than the browser with an unknown # of major vulnerabilities that we won’t know about until they are in the wild.
Nathan - great way of putting it in perspective.
Jesus that is scary.
I use the NoScript add-on already, so I don’t think I’m that vulnerable, but still, I have every password I use saved on Firefox.
I am with Nathan and John. I will use Firefox over IE any day, and I store all my passwords, but use the NoScript plugin.
I just wonder how long it will take Mozilla to come up with a fix and new version. Can they beat Microsoft and their horrible turnaround rate?
There’s an extension you can get called NoScript, which I am using until Mozilla fix this. It stops all JavaScript from running unless you personally authorise each individual one or a whole page.
It is without doubt one of the most annoying extensions I have ever used, but I prefer it to having someone steal all my passwords.
Snoskred
http://www.snoskred.org/
Ok ok! Gee, I think I’ll go check out NoScript and start whitelisting trusted sites.
I guess I can take a hint. Eventually.
The password stealing vulnerability seems like a bit of an overreaction. The reason being the security hole doesn’t allow a page to get ahold of all of your saved passwords. Rather, a password can only be stolen from a page on the same server that the password is attached to.
So your bank password is okay. Your PayPal password is okay. So are the passwords to access your utilities and cell phones.
What’s at risk are passwords that are used to access user-generated webpages. Pretty much just places like MySpace.
This is pretty scary! I use the password manager a lot! Thanks for letting me know this vulnerability.
The original article (linked to from Slashdot) is good reading.
It goes on to suggest disabling JavaScript or the apparently quite popular NoScript plugin.
I ended up with NoScript and I’m being rather picky about the sites I visit for the time being.
Hey Chris - Just fired up Firefox and it’s updated to 2.0.0.6.
Do you reckon they were reacting to this vulnerability and fixing it?
Here’s the fixlist:
http://forums.mozillazine.org/viewtopic.php?t=569539
I’m not sure I see anything about the password stealing stuff listed as fixed?
Firefox is more secure than Internet Explorer.
Another plus for Firefox is for those of us using multiple operating systems, Firefox allows a cohesive web experience regardless of what system we use.