Firefox 1.02

[t0rek]

Yep, Firefox 1.02 has been released today. Here's what they changed:

http://www.mozilla.org/projects/security/known-vulnerabilities.html

As usual you can download it at www.mozilla.org

 

[Doomulation]

That's not much :crazy:
Hardly worth downloading since it means closing down all the tabs you're using... hehe.
I wish they'd sort out the small annoying issues instead.

 

[Bengoshia]

They need to update their ad-blocking materials. Now these friggen "pop-unders" are coming up, what happens is you go to a site, and it'll pop up but then immediately drop down so you don't see it. So then when your x-ing out you see crap loads of ads.

 

[2fast4u]

uh, how would that work? a popup blocker prevents *any* windows from poppping up usually. whether its visible or not doesnt matter ... the concept is to prevent any windows that arent specifically opened from appearing at all.

 

[2fast4u]

That's not much :crazy:
Hardly worth downloading since it means closing down all the tabs you're using... hehe.
I wish they'd sort out the small annoying issues instead.

they actually fixed a rather critical problem so im quite happy they put out a small release. its not really a regular update, more a security fix. since firefox is becoming increasingly popular in the mainstream market its good to see them respond to those issues fast as the people trying to exploit vulnerabilites firefox is bound to rise in future.

http://www.mozilla.org/security/announce/mfsa2005-30.html

An GIF processing error when parsing the obsolete Netscape extension 2 can lead to an exploitable heap overrun, allowing an attacker to run arbitrary code on the user's machine.

 

[Gladiac0190]

This update is quite important btw... 3 security holes got closed...

the popupshit that is getting more and more popular works using flash... here examples:

old school (using javascript):

window.onclick=pop;
function pop() {window.open('http://www.kernel.org')}

new school with flash:

<embed src=http://cdn.fastclick.net/fastclick.net/ffp.swf?url=http%3A//www.kernel.org&width=200&height=200&top=100&left=100" quality="high" wmode="transparent" width="1" height="1" allowScriptAccess="always" type="application/x-shockwave-flash"/>

Those are not blockable since popupblockers can only block things, that get compiled by the browser itselfs. Flash is not part of it. Macromedia should integrate somethling like a popup-blocker into their plugin ot integrate an interface where the browser is able to decide...

 

[2fast4u]

iirc you can block out flash elements with the "adblock" extension to firefox though problem is, there is no automatic blocking possible here.

 

[zAlbee]

www.zophar.net pops up on me... from what i can tell, it takes advantage of firefox allowing popups that occur when the user clicks (probably assumes that the user wanted that popup). so it just popups when you click anywhere on the window. it also has a multitude of extra workarounds for other popup blockers (norton internet security is mentioned), but i don't know how effective those are.

 

[smegforbrain]

uh, how would that work? a popup blocker prevents *any* windows from poppping up usually. whether its visible or not doesnt matter ... the concept is to prevent any windows that arent specifically opened from appearing at all.

In concept, yes. And at first, Firefox's was flawless.

But either these sites are using old methods that Firefox didn't cover (for whatever reason) or there are new methods of getting popups to, well, pop up, because now and then I too will hit a site that gets a popup past Firefox.

 

[Gladiac0190]

www.zophar.net pops up on me... from what i can tell, it takes advantage of firefox allowing popups that occur when the user clicks (probably assumes that the user wanted that popup). so it just popups when you click anywhere on the window. it also has a multitude of extra workarounds for other popup blockers (norton internet security is mentioned), but i don't know how effective those are.

Hmmm, just checking the source... zofar.net includes a javascript-file... here the codesnip:

<script language=javascript><!--
var HMsection = "zo";
//--></script>
<SCRIPT LANGUAGE="JavaScript"
SRC="http://www.hermoment.com/realmedia/ads/click_px.js"></SCRIPT>

the js-file's scripting-contents are:

var HMpxServerURL = "http://www.hermoment.com/realmedia/ads/click_px.mvc"; 
var HMpxsectionURL = HMpxServerURL+'?'+HMsection;
document.write('<IFRAME NORESIZE=NORESIZE FRAMEBORDER=0 WIDTH=1 HEIGHT=1 MARGINWIDTH=0 MARGINHEIGHT=0 SCROLLING=NO SRC='+HMpxsectionURL+'></IFRAME><br>');

what shall i say... outputs are now in an iframe... seems to be one more method to make popups possible... The .msv-file's contents are also javascripts referring to a cgi-script...

see here

<META HTTP-EQUIV="Set-Cookie" CONTENT="coSHORT=AT; expires=Friday, 31-Dec-2008 23:59:59 GMT; path=/">
<script language="javascript">
<!--//
	var rnum=new Number(Math.floor(99999999 * Math.random())+1); 
	var AdURL = "http://ad.trafficmp.com/tmpad/banner/itrack.asp?id=4157&nojs=1&rnd="+rnum;
   	var popwindow = window.open(AdURL,"Ad","width=720,height=300,toolbar=no,location=no,directories=no,status=no,menubar=no,scrollbars=no,resizable=no");
   	// var popwindow = window.open(AdURL,"Ad","width=720,height=300,toolbar=yes,location=yes,directories=yes,status=yes,menubar=yes,scrollbars=yes,resizable=yes");
   	popwindow.blur();
   	self.focus();
   //-->
</script>
<META HTTP-EQUIV="Set-Cookie" CONTENT="pTM1t=1112216949; expires=Friday, 31-Dec-2008 23:59:59 GMT; path=/">
<script>
<!-- //
lok="http://www.clicksplus.com/cgi-bin/logitpro/logitpro.cgi";
d=document;
document.write('<img src="'+lok+'?count&',
'jref='+escape(d.referrer)+'&',
'juri='+escape(d.location)+'" ',
' width=1 height=1 border=0 alt="LogIT PRO (www.logitpro.com)" nosave>');
    // -->
</script>
<script language="JavaScript">
<!-- //
jva="enabled";
    // -->
</script>
<script language="JavaScript1.2">
<!-- //
jva="enabled v1.2";
    // -->
</script>
<script language="JavaScript">
<!-- //
	lk="http://www.clicksplus.com/cgi-bin/logitpro/logitpro.cgi";
	d=document;s=screen;nav=navigator.appName;sw=s.width;sh=s.height;j="0";cd="0";
	nav!="Netscape"?cd=s.colorDepth:cd=s.pixelDepth;
	document.write('<img src="'+lk+'?ctrk=1&sw='+sw+'&sh='+sh+'&cd='+cd+'&jva='+jva+'" width=1 height=1 alt="LogIT PRO VIP">'+'');
    // -->
</script>
<NOSCRIPT>
<IMG SRC="http://www.clicksplus.com/cgi-bin/logitpro/logitpro.cgi?nojva" ALT="LogIT PRO VIP" BORDER=0 width=1 height=1>
</NOSCRIPT>

I can't get the output without f**king around with a self-written file giving the cgi the paramters it wants... maybe there's a flash-file to be included or maybe not... ah, i get sick of this...

 

[xamenus]

Get the Adblock extension from the Firefox extension page, then get Filterset.G. Just follow the instructions link on that page. Then say goodbye to Zophar pop-ups.

 

[Gladiac0190]

Get the Adblock extension from the Firefox extension page, then get Filterset.G. Just follow the instructions link on that page. Then say goodbye to Zophar pop-ups.

Uh, nice find . Rules using regular expressions seem to be the best solution atm... thanx for this

 

[smcd]

to block zophar.net popups, add *paypopup.com/* as a filter, seems to work just dandy

 

[Doomulation]

they actually fixed a rather critical problem so im quite happy they put out a small release. its not really a regular update, more a security fix. since firefox is becoming increasingly popular in the mainstream market its good to see them respond to those issues fast as the people trying to exploit vulnerabilites firefox is bound to rise in future.

http://www.mozilla.org/security/announce/mfsa2005-30.html

An GIF processing error when parsing the obsolete Netscape extension 2 can lead to an exploitable heap overrun, allowing an attacker to run arbitrary code on the user's machine.

Well, how often have I encountered such problems? Remember that windows and internet explorer are full of security holes such as these. And to think that it has never really troubeled me. It hasn't caused any harm.

Yeah... it's good they respond with fixes quickly, but I want more features and bug fixes! If possible... at least.

 

[2fast4u]

yeah, so while you are at it why dont you just get rid of that firewall too? i mean, in 99% of cases you wont be harmed anyway. and just to be consistent, stop looking before you cross the street - in 99% of cases there wont be a large chicken truck coming to flatten you. do i have to set your house on fire before you take a hint?

 

[Trotterwatch]

You know he'd be the first to bitch about it if his PC were damaged by a security hole that Microsoft/Mozilla knew about yet didn't patch. Remind me never to download any software you make Doom, y'know probably full of holes that you warrant unworthy to fix.

 

[Doomulation]

You take it too harshly
All I try to state is that it is not a BAD thing that they quickly release patches for these security holes, but for some, such as me, I've never truly needed them.
I am simply awaiting a new version with new features and bug fixes... for the careful out there, there is nothing wrong with downloading fixes to security holes. But for some, such as me, it is but a pain to download patches for things like this all the time.
I am not that careful, yet no harm has come to me. Yet. It will be my own undoing though, and you should not be blamed for it.

And btw, I HATE bugs. HATE them. If I notice one, I try to root them out and destroy them, if possible. If there was a security hole, OF COURSE I would fix it as soon as possible, since some of you out there are concerned about such things as this. But I tend to never release things if I see they are not stable from my testing.