Mozilla says a new Firefox security bug is under active attack(techcrunch.com)
techcrunch.com
Mozilla says a new Firefox security bug is under active attack
https://techcrunch.com/2020/01/10/firefox-security-bug-zero-day/
71 comments
Previous discussion: https://news.ycombinator.com/item?id=21995055
A warning and a fix within two days of releasing the affected version. I appreciate this team’s transparency and priorities.
They could be more transparent by saying exactly which Firefox versions are affected, which is an accepted norm. Unfortunately, this is not the first time users have been left guessing.
It just says "Firefox and Firefox ESR" are affected... no versions published there https://www.mozilla.org/en-US/security/advisories/mfsa2020-0...
I assume some research into IonJIT will be done to see where it was introduced but by the sounds of what it does it could have been long ago.
I assume some research into IonJIT will be done to see where it was introduced but by the sounds of what it does it could have been long ago.
Those are the only two maintained versions of Firefox, so it makes complete sense for their report to be limited to those two. It seems a bit useless to go back and find the point in time where it first appeared, but I guess it could be interesting.
Can anyone confirm if 73.0b3 includes the same fix?
Their "what's new" link in the beta's About window doesn't track with the beta release cycle. There's no revision listed, so I think the notes are for 73.0b1 still? At any rate, there's no mention of any security fixes.
https://www.mozilla.org/en-US/firefox/73.0beta/releasenotes/
Their "what's new" link in the beta's About window doesn't track with the beta release cycle. There's no revision listed, so I think the notes are for 73.0b1 still? At any rate, there's no mention of any security fixes.
https://www.mozilla.org/en-US/firefox/73.0beta/releasenotes/
I don't know my way around Firefox's source control at all, but I tried to do some digging. My first thought was to look through the changelogs on recent release tags, but there's no mention of the CVE that I can find in any of them.
I did find these changes in 72 which look related to the bug:
https://hg.mozilla.org/releases/mozilla-release/rev/8260da04...
And poking at one of those referenced files in the beta channel looks like it has the same changes:
https://hg.mozilla.org/releases/mozilla-beta/file/tip/js/src...
So I think we're good on beta channel?
I did find these changes in 72 which look related to the bug:
https://hg.mozilla.org/releases/mozilla-release/rev/8260da04...
And poking at one of those referenced files in the beta channel looks like it has the same changes:
https://hg.mozilla.org/releases/mozilla-beta/file/tip/js/src...
So I think we're good on beta channel?
Even security fixes run the Nightly -> Beta -> Release gauntlet, so yes, Beta is fixed.
I asked on Twitter if 73.0b2 had the fix and was told that it did, so we should be good!
Thanks! I don't really do twitter, but maybe I should! Pretty quick turnaround there.
Looks like they've been updated now to mention that the fix was included in beta 2. I guess they're reading this thread :)
I sure hope so since 73.0b3 is the most recent available version of Developer Edition. It's odd to not have any messaging about the non-mainstream editions.
The 73.0b3 release tag is 18 hours ago, compared to that "What's new" page dated 1/7, so it does appear to be newer. See my reply to myself above; as far as I can tell the beta has the same changes (though I didn't manage to fumble my way to the specific commit that fixed it, or whatever the analogous term is for mercurial).
Their developer edition "What's new" page seems more about marketing upcoming changes before they land in the mainline release than anything else.
I'd like to assume they're always on top of getting the same fixes into developer versions at the same time, but since they don't actually tell us anywhere I always feel like I have to check.
Their developer edition "What's new" page seems more about marketing upcoming changes before they land in the mainline release than anything else.
I'd like to assume they're always on top of getting the same fixes into developer versions at the same time, but since they don't actually tell us anywhere I always feel like I have to check.
> The vulnerability, found by Chinese security company Qihoo 360...
Isn't this the same company that was just being roasted for having spyware installed in Samsung phones?
Isn't this the same company that was just being roasted for having spyware installed in Samsung phones?
Just because they ship spyware doesn't mean they want other people spying on their customers or setting up botnets...
Alternately, who knows whether they found this exploit a while back and only went public once they discovered someone else was using it?
Alternately, who knows whether they found this exploit a while back and only went public once they discovered someone else was using it?
Or they sat on it and released it to distract from the bad press they got. Everything is possible.
It looks like if you are running OpenBSD you probably want to be on -current or using the esr package. https://undeadly.org/cgi?action=article;sid=20200109141600
Use noscript. It's possibly one of the best add-ons out there now.
Not sure if this has changed but I ditched noscript when I discovered it doesn't block inline script execution. These days I use Ublock Origin:
Settings -> check 'I am an advanced user'. You should now be able to block 1st party, third party and inline JS from executing and save on a per-site basis. Hope this helps someone!
Settings -> check 'I am an advanced user'. You should now be able to block 1st party, third party and inline JS from executing and save on a per-site basis. Hope this helps someone!
citation on the inline script claim?
I don't have one. I did use the web interface for Spotify though and it did some JS stuff when I left it for a bit; that's how I noticed.
Unfortunately there are too many sites that refuse to work without javascript, so any security benefits is negligible because it's very easy to be social engineered into enabling javascript.
What I would like is the ability to replace scripts (including (but not limited to) inline scripts) with my own versions.
[deleted]
There are surprisingly few, and importantly you don't have to enable all the adtech networks that may or may not have a good security track record.
It’s defense in depth. And most sites work fine with 90% of their script-serving domains blocked.
You can get most to work by whitelisting one domain while keeping the cesspool of trackers off your computer. If it still doesn't work there are better things in life to spend time on than somebody's poorly constructed website.
This is what I do and I 100% agree about lazy people that aren't willing to make a halfway decent website. I'm not that old, but sometimes I just want a website with text. I don't need autoplaying videos with a billion slideshow images and shown how fantasmagical your company is.
Or uMatrix (which I prefer in terms of UI but should be equal feature-wise)
...but it's not enough.
With some effort javascript from known sites could be fingerprinted and vetted.
An unexpected change could trigger a warning and blocking.
But with WASM we are really in trouble.
With some effort javascript from known sites could be fingerprinted and vetted.
An unexpected change could trigger a warning and blocking.
But with WASM we are really in trouble.
> But researchers found that the bug could allow malicious JavaScript to run outside of the browser on the host computer.
The phrasing may unfortunately mislead the less technical readers of their audience.
JavaScript always runs “on the host computer”, this should be described as a sandbox escape.
The phrasing may unfortunately mislead the less technical readers of their audience.
JavaScript always runs “on the host computer”, this should be described as a sandbox escape.
I’d say “allowing the code to run on the host computer” is way less confusing for the less technical people than “allowing the code to run outside the sandbox”. Most people have absolutely no idea what sandboxing means.
You can still cut the jargon and tell the essence. E.g. "the exploit allows malicious code to run without the confines of the browser, giving it access to everything the user normally has access to".
IHMO lying / being vague is never good when trying to educate someone. Non-technical people are not dumb and can understand what a sandbox is.
How would they know what it is if nobody explains it to them? It's not like the term is obvious.
Not knowing something is better than "knowing" something false.
Have you ever read a summary of a license or a legal document? It's the same idea.
Simplifying terms and using approximations so that the uninitiated can understand is not lying, it's good communication. We can't use jargon all the time.
Simplifying terms and using approximations so that the uninitiated can understand is not lying, it's good communication. We can't use jargon all the time.
> JavaScript always runs “on the host computer”
But they carefully qualified it with "outside of the browser [meaning sandbox]" and you left that out of your quote.
But they carefully qualified it with "outside of the browser [meaning sandbox]" and you left that out of your quote.
“Browser” does not mean “sandbox” though.
I think they're using it short for 'browser's sandbox.' Try reading it charitably rather than bending over backwards to find fault and making wild accusations of 'lying.'
Not really, I think. "[O]utside of the browser on the host computer" implies that there are other possible ways in which JavaScript could execute, one of those inside of the browser on the host computer, which is pretty much the expected thing and tangentially covers the concept of sandboxing.
A chain is as strong as its weakest link. Firefox's privacy characteristics are as strong as its security track record.
Firefox is creepy AF. I was just listening to "Diamond Ned Flanders" by MadeinTYO on Apple Music, and when I open Firefox the "suggested article" on the front page is about Ned Flanders. That's some Facebook type shit right there. Uninstalled.
Could you please stop posting unsubstantive and/or flamebait comments to HN? We've already had to ask you this, and you've been doing it a lot.
Also, while I have you, please stop using HN for ideological battle—you've been doing a lot of that as well, and it destroys what this site is for (https://news.ycombinator.com/newsguidelines.html), regardless of which ideology you favor or disfavor.
Also, can you please not systematically delete comments? Deletion is for things that shouldn't have been posted in the first place. Deleting more than half of what you post is not an intended use of the threads.
Also, while I have you, please stop using HN for ideological battle—you've been doing a lot of that as well, and it destroys what this site is for (https://news.ycombinator.com/newsguidelines.html), regardless of which ideology you favor or disfavor.
Also, can you please not systematically delete comments? Deletion is for things that shouldn't have been posted in the first place. Deleting more than half of what you post is not an intended use of the threads.
If it makes you feel any better, I've the same article on mine with no previous Flanders activity.
So it's probably just the Baader-Meinhof phenomenon: https://science.howstuffworks.com/life/inside-the-mind/human...
The rolling stone article? I also had it
Yeah but they knew you were going to read this comment obviously.
Time travel confirmed.
Provided by Quantum Entanglement Advertising. You want it now because we sold it to you later.