
Mozilla says a new Firefox security bug is under active attack - hckrnwsbt
https://techcrunch.com/2020/01/10/firefox-security-bug-zero-day/
======
floatingatoll
Previous discussion:
[https://news.ycombinator.com/item?id=21995055](https://news.ycombinator.com/item?id=21995055)

------
andrei_says_
A warning and a fix within two days of releasing the affected version. I
appreciate this team’s transparency and priorities.

~~~
sp332
Well, it also affected 68 ESR which was released in July, so detection wasn't
that fast.

~~~
zamadatix
And it likely existed many years before that but these were the only 2 active
versions to get a patch.

------
wlesieutre
Can anyone confirm if 73.0b3 includes the same fix?

Their "what's new" link in the beta's About window doesn't track with the beta
release cycle. There's no revision listed, so I think the notes are for 73.0b1
still? At any rate, there's no mention of any security fixes.

[https://www.mozilla.org/en-US/firefox/73.0beta/releasenotes/](https://www.mozilla.org/en-US/firefox/73.0beta/releasenotes/)

~~~
wlesieutre
I don't know my way around Firefox's source control at all, but I tried to do
some digging. My first thought was to look through the changelogs on recent
release tags, but there's no mention of the CVE that I can find in any of
them.

I did find these changes in 72 which look related to the bug:

[https://hg.mozilla.org/releases/mozilla-release/rev/8260da04...](https://hg.mozilla.org/releases/mozilla-release/rev/8260da04c9b13f7c0e9cc6984a75e689b5fcb8c8)

And poking at one of those referenced files in the beta channel looks like it
has the same changes:

[https://hg.mozilla.org/releases/mozilla-beta/file/tip/js/src...](https://hg.mozilla.org/releases/mozilla-beta/file/tip/js/src/jit/MIR.h)

So I think we're good on beta channel?

~~~
dblohm7
Even security fixes run the Nightly -> Beta -> Release gauntlet, so yes, Beta
is fixed.

------
oriel
> The vulnerability, found by Chinese security company Qihoo 360...

Isn't this the same company that was just being roasted for having spyware
installed in Samsung phones?

~~~
kevingadd
Just because they ship spyware doesn't mean they want _other people_ spying on
their customers or setting up botnets...

Alternately, who knows whether they found this exploit a while back and only
went public once they discovered someone else was using it?

~~~
tinus_hn
Or they sat on it and released it to distract from the bad press they got.
Everything is possible.

------
protomyth
It looks like if you are running OpenBSD you probably want to be on -current
or using the esr package.
[https://undeadly.org/cgi?action=article;sid=20200109141600](https://undeadly.org/cgi?action=article;sid=20200109141600)

------
earlINmeyerkeg
Use noscript. It's possibly one of the best add-ons out there now.

~~~
gruez
Unfortunately there are too many sites that refuse to work without JavaScript,
so any security benefit is negligible because it's very easy to be socially
engineered into enabling JavaScript.

~~~
kevin_thibedeau
You can get most to work by whitelisting one domain while keeping the cesspool
of trackers off your computer. If it still doesn't work there are better
things in life to spend time on than somebody's poorly constructed website.

~~~
earlINmeyerkeg
This is what I do and I 100% agree about lazy people that aren't willing to
make a halfway decent website. I'm not that old, but sometimes I just want a
website with text. I don't need autoplaying videos with a billion slideshow
images and to be shown how fantasmagical your company is.

------
blackearl
Is this any different from the bug that was patched in 72.0.1 already?

~~~
yaantc
No, it's the same bug. From the article: "... advising users to update to
Firefox 72.0.1, which fixes the vulnerability".

------
Eikon
> But researchers found that the bug could allow malicious JavaScript to run
> outside of the browser on the host computer.

The phrasing may unfortunately mislead the less technical readers of their
audience.

JavaScript always runs “on the host computer”, this should be described as a
sandbox escape.

~~~
asutekku
I’d say “allowing the code to run on the host computer” is way less confusing
for the less technical people than “allowing the code to run outside the
sandbox”. Most people have absolutely no idea what sandboxing means.

~~~
Eikon
IMHO, lying / being vague is never good when trying to educate someone. Non-
technical people are not dumb and can understand what a sandbox is.

~~~
wtetzner
How would they know what it is if nobody explains it to them? It's not like
the term is obvious.

~~~
anoncake
Not knowing something is better than "knowing" something false.

~~~
eitland
What is false in this case?

~~~
anoncake
[https://news.ycombinator.com/item?id=22011910](https://news.ycombinator.com/item?id=22011910)

------
Scarbutt
A chain is as strong as its weakest link. Firefox's privacy characteristics
are as strong as its security track record.

------
throwno
Firefox is creepy AF. I was just listening to "Diamond Ned Flanders" by
MadeinTYO on Apple Music, and when I open Firefox the "suggested article" on
the front page is about Ned Flanders. That's some Facebook type shit right
there. Uninstalled.

~~~
neonIcon
If it makes you feel any better, I've the same article on mine with no
previous Flanders activity.

~~~
empath75
Yeah but they knew you were going to read this comment obviously.

~~~
neonIcon
Time travel confirmed.

~~~
ohyeshedid
Provided by Quantum Entanglement Advertising. You want it now because we sold
it to you later.

