Firefox update is available

If you use Firefox, get Firefox 1.0.1. It includes some important security patches (including a fix that disables IDN and thus neutralizes the security exploit I wrote about here). It’s a very small download and well worth it.

The release notes say: “Prior to installing Firefox 1.0.1, please ensure that the directory you’ve chosen to install into is clean and doesn’t contain any previous Firefox installations.” How many people do you think will actually read that? I predict most people will simply install over their existing installations.

Firefox spyware to show up this year?

The Linux/open source publication NewsForge interviewed several security experts who believe that Firefox spyware will show up this year:

Webroot Vice President of Threat Research Richard Stiennon said he expects there will be spyware for Firefox this year, adding that while the browser was designed to be immune from the spyware infecting IE, Firefox will face a new breed of spyware tailored specifically for it.

[…]

Stu Sjouwerman — founder and COO of Counterspy maker Sunbelt Software — agreed that Firefox spyware is likely in 2005.

“I’m pretty sure you can expect one or two Firefox (spyware) exploits before the end of the year,” Sjouwerman said. “The more popular a platform gets, the more likely it is to come under attack. Firefox — which I use myself — I don’t think is going to be immune from that. If you go wide like this, you have to expect that your product will be exposed to a trial by fire.”

Sjouwerman reported that his company’s research on Firefox revealed some Explorer-like situations that may draw spyware.

“We looked into it and found that the security of Firefox had similar openings or vectors where spyware can be utilized to exploit or bypass protection,” he said.

Take all these predictions with a grain of salt, of course. The people quoted in the story have a vested interest in keeping computer users in a state of fear and anxiety.

A workaround for the Firefox IDN vulnerability

Update: The fix that is documented in the original advisory and recommended by Mozilla doesn’t work reliably. As soon as you restart Firefox, you’re vulnerable again. Worse, the about:config file continues to show that you’ve properly disabled the setting. This issue is thoroughly discussed in this thread on the MozillaZine Forums, and the behavior itself is documented in Bugzilla as bug 281365 (you may also see it referenced as bug 281377, but that one is a duplicate).

Thanks to John Walkenbach for pointing out this problem.

I’ve had a chance to work a little more with the vulnerability that affects Firefox and other non-Microsoft browsers. This fix, which was documented in the original advisory, worked for me.

  1. Open Firefox, click in the Address bar, type about:config, and press Enter.
  2. Scroll through the alphabetical list to the entry labeled network.enableIDN.
  3. Double-click that entry to change its value to False.

You don’t need to close or restart Firefox. The change is immediate. Note that any changes you make to default Firefox settings appear in bold in this list. I also expect that a Firefox patch will appear in short order.

Presumably, other Mozilla-based browsers work the same way. At this point there is no known solution for Macintosh Safari users, and the response from Opera (as quoted in the original Shmoo advisory) is that they believe the feature is working properly and plan no changes. Something tells me they’ll change that tune very soon!

Oops! This Firefox security exploit is a doozy

Last month, I predicted that as Firefox became more popular it would face more and more attacks from the Internet’s dark side. A security bulletin issued today appears to identify the first widespread security exploit aimed at non-Microsoft browsers. Ironically, you’re protected if you use Internet Explorer, but you’re vulnerable if you use most Mozilla-based browsers, including Firefox 1.0; this vulnerability also affects Safari 1.2.5 (Macintosh) and Opera 7.54, and perhaps other versions of those browsers as well. Here’s how it works:

You visit an innocent-looking Web page or receive a seemingly authentic e-mail. You click a link that appears to take you to a trusted site (the security advisory uses PayPal as an example) using your default browser, Firefox. The URL in the Address bar says you’re at PayPal’s site, and the locked padlock icon in the lower right corner indicates that you’re on a secure site.

The only trouble is, you’re not at PayPal’s site. You’ve just landed at a site owned by someone who wants to steal your information, and even a careful and suspicious visitor can be fooled by this exploit. The exploit happens because of a flaw in the way these browsers handle “punycode,” the encoding behind internationalized domain names (IDN), which lets a link use characters from other scripts that look like Latin-based characters. And the same technique could be used for any site.
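As an added illustration (not code from the original post or from the advisory), this Python sketch shows the check a defender can run on a link’s hostname: decode any punycode labels, then flag labels that mix scripts or are wholly non-Latin. The sample hostnames are constructed, and the script classification is a coarse heuristic based on Unicode character names.

```python
import unicodedata

def script_of(ch):
    """Coarse script guess from the Unicode character name (a heuristic)."""
    if ch.isascii():
        return "LATIN" if ch.isalpha() else "COMMON"   # digits, hyphen
    return unicodedata.name(ch, "UNKNOWN").split()[0]  # e.g. "CYRILLIC"

def to_unicode(label):
    """Decode one DNS label; 'xn--' marks a punycode-encoded IDN label."""
    if label.startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label

def to_ascii(label):
    """Encode one label into the ASCII form that is sent to DNS."""
    if label.isascii():
        return label
    return "xn--" + label.encode("punycode").decode("ascii")

def inspect_host(host):
    """Return (display_form, wire_form, findings) for a hostname."""
    shown, wire, findings = [], [], []
    for label in host.lower().rstrip(".").split("."):
        try:
            uni = to_unicode(label)
        except UnicodeError:
            findings.append(f"{label}: invalid punycode")
            uni = label
        scripts = {script_of(c) for c in uni} - {"COMMON"}
        if len(scripts) > 1:
            findings.append(f"{to_ascii(uni)}: mixed scripts {sorted(scripts)}")
        elif scripts and scripts != {"LATIN"}:
            findings.append(f"{to_ascii(uni)}: non-Latin script {sorted(scripts)}")
        shown.append(uni)
        wire.append(to_ascii(uni))
    return ".".join(shown), ".".join(wire), findings

# Constructed samples: the second uses CYRILLIC SMALL LETTER A (U+0430).
SAMPLES = ["www.paypal.example", "www.p\u0430ypal.example"]

if __name__ == "__main__":
    for h in SAMPLES:
        shown, wire, findings = inspect_host(h)
        print(f"{shown!r} -> {wire}: {findings or 'ok'}")
```

The two sample names render almost identically, but only the second produces an `xn--` label on the wire, and that ASCII form is what a mail filter, proxy log or certificate check should compare against the expected domain.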

A demonstration of the exploit appears here:

http://www.shmoo.com/idn/

Don’t worry, the demo is harmless. But a scam artist who can cut and paste HTML source code can turn the landing page into an exact duplicate of PayPal’s site, or your online banking portal, or a shopping site, or anything they want. This sort of scam will fool a lot of people.

The only indication that you’re not at the correct site appears if you choose the option to use a secure logon and check the security certificate. Even then, you have to dig carefully and look past the opening page of the security dialog box, which appears to display a legitimate security dialog box.

The official security advisory is here. According to one site, there’s a manual fix you can apply to a Firefox configuration file that can block this vulnerability, but I can’t confirm that it works.

(Via Boing Boing and Discourse.net.)

Update: Edited opening paragraph to prevent confusion. See comments for details.

Firefox tweaks: one size doesn’t fit all

I’ve seen a bunch of links to various tweaks intended to make Firefox run faster. Boing Boing probably spread this go-faster tweak for Firefox farther than anyone. In addition, Brian Livingston published a lengthy Secrets of Firefox 1.0 article in his Windows Secrets newsletter last month.

I’ve been writing about various Windows speed-up tricks through the years, many of which are very popular and either misleading or flat-out wrong. Often, someone who follows all the advice in one of these articles winds up with a system that runs slower and is less stable than it was before.

That may well be the case with these Firefox tweaks as well. Brian is a reliable source of information, and I trust his advice. I also believe him when he writes:

The most sought-after performance improvements in any browser will always involve how quickly it downloads and renders Web pages. The good news is that Firefox (which is already pretty fast in its default configuration) includes numerous about:config settings that can improve the downloading and display of content. The bad news is that the optimum settings will differ from machine to machine, and there’s no consensus on what they should be.

After extensive research, I haven’t found a utility or even a well-tested explanation that can guarantee the optimum settings for any particular Windows scenario (Windows 2000 vs. XP, DSL vs. T1, etc.).

There are scores of Web sites that speculate on configuration settings that are said to speed up the browsing experience in Firefox. But these sites largely don’t show that they’ve done adequate testing of the alternatives, much less explain how such tests might have been conducted.

Asa Dotzler of Mozilla has written a cautionary note about some of the speed-up tips going around. He says something very similar:

Just note that what works for one person/system, may not work for another.

Yes, there are tuning changes you can make (even at compile time, see Moox’ optimized builds) that will dramatically alter the performance characteristics of Firefox. Feel free to experiment, but remember that most of the defaults are defaults for a reason. If your browser starts misbehaving or web sites look broken, it might be worth going back to default settings.

That seems like a good opportunity to mention what I consider one of Firefox’s greatest features: You can create and copy profiles anytime so you can test settings and extensions. If you’re trying out some odd tweak or extension, keep a copy of your old profile. If the tweak doesn’t work or the extension causes problems, you can quickly return to your old profile.

Windows XP users can open the Firefox Profiles folder by clicking Start, then Run. In the Open box, type %userprofile%\Application Data\Mozilla\Firefox\Profiles (include the percent signs, which automatically take you to your personal data folders). Make a copy of the profile folder you see there, which consists of a random eight-character string and the name of your default profile. You can then make changes to your current profile; you can undo those changes by closing Firefox and restoring the backed-up folder.

To create a new profile, use the well-hidden Profile Manager. Use the Run dialog box again and type firefox.exe -profilemanager as the command.

You can use the Profile Manager to switch between profiles. I actually keep several profiles – one for everyday use, one for some special-purpose tasks that require extensions I don’t normally use, and one that is completely clean, so I can test pages without fear that an extension is distorting my results.

Firefox is not a security cure-all

I have lost count of the number of times I have read reviewers telling people that they should switch to Firefox because it is secure, unlike Internet Explorer. This is simply untrue. Mozilla-based browsers are somewhat more secure than IE, for two main reasons: one, they don’t support ActiveX controls (although with Service Pack 2, the likelihood of being attacked by an ActiveX control has dropped dramatically); and two, because most virus/spyware writers have historically targeted the IE platform. But the more successful Mozilla/Firefox becomes, the more likely it is that bad guys will start targeting it too. Over time you will see more alerts like this one:

SecurityTracker.com Archives – Mozilla Buffer Overflow in Processing NNTP URLs Lets Remote Users Execute Arbitrary Code

(This vulnerability is fixed in the version of Mozilla that forms the core of Firefox 1.0, so don’t worry if you’re running the released version of Firefox.)

Virtually every virus and spyware attack in recent memory has taken advantage of a vulnerability for which there was a patch. Windows users who conscientiously apply patches and security updates (a painless process using Automatic Updates) don’t get hit. Those who ignore updates become victims.

Firefox does script. It uses buffers. Most viruses and many spyware programs use buffer overflows and hostile scripts to force unwanted software onto users’ machines. If you install a copy of Firefox and then don’t update it when a security patch comes out, you are vulnerable to these exploits.

The programmers who put together Firefox have done a remarkable job. But I guarantee you they are on the lookout for reports like this one. When (not if) someone discovers a critical flaw in Firefox, they’ll write a patch. Will all 14 million people who have downloaded Firefox 1.0 also install each new patch? We’ll see.

Update: For news of a later and apparently more ominous security hole that affects Firefox but not Internet Explorer, see “Oops! This Firefox security exploit is a doozy.”