1.0.5

Post by **BenBasson** » June 21st, 2005, 6:50 am

That's such a non-vulnerability it's unbelievable. If people are silly enough to enter arbitrary private data into unexpected dialog boxes then they really have no hope, regardless of what browser vendors do.

colfer · Post by **colfer** » June 21st, 2005, 7:12 am

In case anyone else is searching on it, it is http://secunia.com/advisories/15489/
SA15489 Secunia 15489 Rated "Less critical."

Ancestor · Post by **Ancestor** » June 21st, 2005, 7:55 am

sboulema wrote:tested on the tested builds from here: http://weblogs.mozillazine.org/qa/archi ... 5_tes.html

and they are vulnerable...

is there even a bug for this? I couldn't find one.

sadatoni · Post by **sadatoni** » June 21st, 2005, 8:38 am

Anyone getting this problem? I temporarily accepted a web site's self-signed certificate. Later, after shutting down FF and starting it, it acts like I permanently accepted it, and I cannot
find it in the list of certificates (tools/options/advanced/certificates/manage...).

Tested the certificate w/IE and it's handling it correctly (asking if I want to use it every time
I restart IE). I'm also finding this problem existing with the current nightly.

minipouss · Post by **minipouss** » June 21st, 2005, 1:00 pm

Cusser wrote:That's such a non-vulnerability it's unbelievable. If people are silly enough to enter arbitrary private data into unexpected dialog boxes then they really have no hope, regardless of what browser vendors do.

I totaly agree with you but if it's not solved maybe it's a bad advertisement for Firefox, no? It's already fixed in Opera.

Rishi M. · Post by **Rishi M.** » June 21st, 2005, 1:26 pm

Cusser wrote:That's such a non-vulnerability it's unbelievable. If people are silly enough to enter arbitrary private data into unexpected dialog boxes then they really have no hope, regardless of what browser vendors do.

JST's <a href="http://tinderbox.mozilla.org/bonsai/cvsquery.cgi?module=AviaryBranchTinderbox&branch=AVIARY_1_0_1_20050124_BRANCH&date=explicit&mindate=1119281820&maxdate=1119284519">checkin</a> yesterday sounds like it may be have been related to this, but the bug is still private.

GrailKnight · Post by **GrailKnight** » June 21st, 2005, 3:06 pm

With IE7 around the corner and Opera making inroads it only makes sense for MoFo to release updates
for any/all of their available products including old ones no matter how some users feel that it is a waste of time.

IMHO keeping the image up is just as important as keeping the product updated.

Post by **BenBasson** » June 21st, 2005, 3:18 pm

Don't get me wrong, adding the URL of the site into the title of the alert or dialog box is probably a good idea, but it's a bit far to be calling this an actual browser fault. Rishi, it might be related, but that checkin won't cover the bug.

Sariyan · Post by **Sariyan** » June 21st, 2005, 4:04 pm

this build sucks. i can't see any flash elements/animation although i have flash plugin.

colfer · Post by **colfer** » June 21st, 2005, 6:52 pm

The fixes on the branch to make 1.0.5 are getting pretty complicated. Then everybody will switch to 1.1. Oh well.

Calimo · Post by **Calimo** » June 22nd, 2005, 1:57 am

I just noticed that the Firefox built-in single window mode prevents the dialog box to appear.

You can turn it on by setting the pref "browser.tabs.showSingleWindowModePrefs" to true and then in advanced options force all links to open in the same window/tab.

Xavier

virtualcertainty · Post by **virtualcertainty** » June 22nd, 2005, 5:45 am

Cusser wrote:That's such a non-vulnerability it's unbelievable. If people are silly enough to enter arbitrary private data into unexpected dialog boxes then they really have no hope, regardless of what browser vendors do.

I find this remark very distrubing. Sounds more like something Microsoft would say to justify not spending more time and money on making their products safer and instead pushing to get the next version out. I would hope that users security would always be a first priority. Please don't lose sight of the fact that the average computer user is not a programer. Many people have chosen to study medicine, business or law and have focused much less time mastering computers or learning which dialog boxes to trust or not to trust. Many more users perhaps have high school or less education and are easy prey to those who could exploit this. Was that really a moderator saying that victims of internet fraud have 'no hope'? This is hardly constructive at a time when Firefox is fighting IE for market share. If there is potential for a single person to have their bank account emptied or personal info stolen then this is NOT a 'non' vulnerability. Secunia doesn't feel this is a non-issue, so I'd tend to trust a neutral opinion over Mozilla's PR team. Despits the slew of security holes recently, 1.0.5 reenforces Mozilla's commitment to having the safest browser. I'm looking forward to it.

FFgood · Post by **FFgood** » June 22nd, 2005, 11:42 am

New vulnerabilty affects 1.0.4
http://secunia.com/multiple_browsers_di ... lity_test/

minipouss · Post by **minipouss** » June 22nd, 2005, 1:34 pm

FFgood wrote:New vulnerabilty affects 1.0.4
http://secunia.com/multiple_browsers_di ... lity_test/

hum, we are talking about that since the previous page

FFgood · Post by **FFgood** » June 22nd, 2005, 2:35 pm

Right. And I've been reading this thread, too! LOL.

Brain slip. My bad.