Critical Flaws Open Up Firefox 2.0x To Attack
Posted by Daniel Fleshbourne on 03 July 2008 - 13:12 · 14 comments & 4514 views
(2 replies)
#1 Posted by markjensen on 03 Jul 2008 - 13:26
- Is it just me, or does it seem that the Mozilla team has been focusing too much on 3.x while letting more and more items go unmaintained in 2.x?
-
#1.1 Posted by +stevember on 03 Jul 2008 - 13:40
- Nah, it's just Firefox gaining larger userbase as a result more out there are looking for exploits in it.
It will probably get worse.
-
#1.2 Posted by markjensen on 03 Jul 2008 - 13:59
- (stevember said @ #1.1) Nah, it's just Firefox gaining larger userbase as a result more out there are looking for exploits in it.
Exploitable code either exists, or it doesn't. A larger userbase makes for a more tempting target. But I am not talking about number of issues. I was talking about lack of patches. And patches have nothing to do with userbase.
It will probably get worse.
It will only get worse if Mozilla gets worse at addressing problems.
-
(4 replies)
#2 Posted by +Lt-DavidW on 03 Jul 2008 - 13:35
- 2.x is obsolete. If you want to fix this bug, simply upgrade.
-
#2.1 Posted by markjensen on 03 Jul 2008 - 14:05
- That is a poor attitude (btw, I have been on 3 since late beta). But no other group of developers shows that awful opinion to legacy products when it comes to security. Microsoft issues security updates to older versions, even when the newer version is out. Red Hat does. Ubuntu does. Apple does (I think, but I haven't personally verified by checking each unsorted secunia advisory).
Firefox 2.x just recently became "obsolete", but where the hell were the patches and maintainers for the past year? Oh yeah, mostly on 3.x.
I use Firefox almost exclusively (konqueror and epiphany on more rare occasions), but I am not happy with their recent reduction in apparent effort in maintenance.
-
#2.2 Posted by +GreyWolfSC on 03 Jul 2008 - 14:51
- (Lt-DavidW said @ #2) 2.x is obsolete. If you want to fix this bug, simply upgrade.
I will as soon as the real version 3 comes out, not the alpha one they released. Anyway, they already fixed this bug. I got an update yesterday with this remote-code bug listed in the changelog.
However, users are only susceptible to exploitation if they're running versions prior to 2.0.0.15, the advisory warned.
-
#2.3 Posted by markjensen on 03 Jul 2008 - 15:39
- (GreyWolfSC said @ #2.2) ... Anyway, they already fixed this bug. I got an update yesterday with this remote-code bug listed in the changelog.
Ah, this is acceptable to me. I might have been confusing this particular issue with the several others that are known and open. In fact, once they get the recent "high" severity item closed, they will be back to an overall "low" severity rating on Secunia.
However, users are only susceptible to exploitation if they're running versions prior to 2.0.0.15, the advisory warned.
Thanks for pointing that out, as this isn't something for me to get on my rant box, like I thought it was.
Maybe switching to decaf would be a good idea for me.
-
#2.4 Posted by +mrbester on 04 Jul 2008 - 10:46
- However, users are only susceptible to exploitation if they're running versions prior to 2.0.0.15, the advisory warned.
Huh. I updated to 2.0.0.15 yesterday (auto-update) and on start-up this morning I found that my settings had gone. All of them. This includes the settings for the gazillion extensions I've got installed. All of them.
-
#3 Posted by Jeremy of Many on 03 Jul 2008 - 17:01
- Uh, then update to version 3?
-
(1 reply)
#4 Posted by Cryton on 04 Jul 2008 - 12:25
- 2.0 is not obsolete.. it will receive continuing updates until December 2008
-
#4.1 Posted by Jeremy of Many on 04 Jul 2008 - 16:45
- (Cryton said @ #4) 2.0 is not obsolete.. it will receive continuing updates until December 2008
3.0 is a lot faster than 2.0 so it is pointless to continue using 2.0.
-
(2 replies)
#5 Posted by obsolete_power on 05 Jul 2008 - 03:18
- 2.0 has memory leaks and is slower than 3.0. I see no reason for anyone to still be using 2.0....does it really take that long to upgrade? There is absolutely no excuse for still using 2.0.
-
#5.1 Posted by night_stalker_z on 05 Jul 2008 - 13:56
- I have to completely agree with that. The only thing that might make people stay with 2.0 are certain extensions which aren't updated as well as certain sites like Hotmail.
-
#5.2 Posted by SakuraKira on 05 Jul 2008 - 16:19
- Some people act like they can't use the browser at all without their extensions. Though I guess I really shouldn't say anything, as I use no extensions and have no basis for comparison. I've never really understood not upgrading to major versions, I've noticed the same behavior with Windows Service packs.
@+GreyWolfSC: How is Firefox 3 still an "Alpha"?
If exploited, the critical vulnerabilities could potentially allow remote attackers to conduct cross-site scripting and spoofing attacks, bypass security restrictions, disclose sensitive or system information, potentially compromise a user's system, access a user's system or launch a denial of service attack, according to the advisory.