Firefox suffers 'extremely critical' security hole


MacBytes
May 10, 2005, 08:58 AM
Category: 3rd Party Software
Link: Firefox suffers 'extremely critical' security hole (http://www.macbytes.com/link.php?sid=20050510095856)

Posted on MacBytes.com (http://www.macbytes.com)
Approved by Mudbug

Gizmotoy
May 10, 2005, 09:21 AM
And they're already fixed. Gotta love developers that actually care about security and fix holes right away. You can get the latest nightly build for the fixes, or wait for the next version.

Edit (Included link):
http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/latest-trunk/

MacBandit
May 10, 2005, 09:29 AM
More MacWorld propaganda against security with a smaller market share. I'm sorry, but Firefox is more secure than IE, period. A huge part of its security is its lack of integration with Windows. IE is just a huge pipeline asking people to dive in and take control of Windows machines.

cwtnospam
May 10, 2005, 10:57 AM
Hmmm... Why do I have the feeling that this security hole really only affects Windows users? Could it be that the malicious code wouldn't have admin rights on a Mac even if it were written for the Mac?

shamino
May 10, 2005, 12:41 PM
> Hmmm... Why do I have the feeling that this security hole really only affects Windows users? Could it be that the malicious code wouldn't have admin rights on a Mac even if it were written for the Mac?

Well, you couldn't take over the system without admin rights, but:

It can still delete/corrupt anything in your home directory
It can still open a connection to a remote server and upload anything you have read-access to
If you're logged in from an admin account, it can clobber your Applications folder
It can ask for your admin user/password. A lot of users will provide this information. (A lot of viruses have been able to spread due to "human engineering" like this.)

The biggest protection that Mac users have is that arbitrary binary code is likely to be x86 code, which a PowerPC won't run. But you don't want to rely on that.

For now, I've removed all sites from the software-install whitelist. That should prevent the exploit. I've got no problem downloading and manually installing my updates.

And, since a fix has already been submitted to the head-of-line code, I suspect a patched Firefox should be available any time now.