
Major vulnerability in FireFox on Windows

A public service warning! If you surf the internet at random using FireFox (which generally you should), you may stumble across a website which could infest your machine with a virus. But this is nothing new, I have heard about these evil websites full of Trojans and other nasty viruses and I know better… I hear you cry. Apparently, this particular attack does not require a download, which means that it is unlikely to be trapped by your anti-virus software, certainly in the short term.

Protecting yourself for now is fairly simple. You will need to make a trivial modification to your FireFox settings.

To do this, start FireFox, enter the URL “about:config”, scroll down, and for each of the following entries make sure it is set to “true”.

If it isn’t, right-click the line and choose “Toggle”, which will set the value to “true”.

network.protocol-handler.warn-external-default
network.protocol-handler.warn-external.mailto
network.protocol-handler.warn-external.news
network.protocol-handler.warn-external.nntp
network.protocol-handler.warn-external.snews

This will at least give you a warning that Firefox is being asked to do something suspicious; you will have to judge for yourself whether it is nasty.
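Checking the five settings by hand in about:config is fine for one machine, but the same preferences also live in the profile’s prefs.js file as `user_pref("name", value);` lines, and a user.js file in the profile can pin them. The script below is an added example, not part of the original post or of Firefox itself: it parses a prefs.js-style file, reports each of the five preferences as true, false or unset, and prints the user.js lines that would force any non-true one to true. The sample prefs.js content is constructed for the demonstration; note that a preference absent from prefs.js falls back to the browser’s built-in default, which the script cannot see, so it is flagged as “unset” rather than assumed safe.

```python
import re

# The five preferences the post says to verify in about:config.
WARN_PREFS = [
    "network.protocol-handler.warn-external-default",
    "network.protocol-handler.warn-external.mailto",
    "network.protocol-handler.warn-external.news",
    "network.protocol-handler.warn-external.nntp",
    "network.protocol-handler.warn-external.snews",
]

# Matches lines of the form  user_pref("name", value);  as written in prefs.js / user.js.
# Values are booleans, integers or double-quoted strings.
_PREF_LINE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(true|false|-?\d+|"[^"]*")\);\s*$')


def parse_prefs(text):
    """Return {name: value} for every user_pref() line in prefs.js-style text.
    Booleans become Python bools, integers ints, quoted strings str.
    Comment lines (// ...) and anything else not matching the pattern are skipped."""
    prefs = {}
    for line in text.splitlines():
        m = _PREF_LINE.match(line)
        if not m:
            continue
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif raw.startswith('"'):
            prefs[name] = raw[1:-1]
        else:
            prefs[name] = int(raw)
    return prefs


def audit_warn_prefs(prefs):
    """Classify each of the five preferences as 'true', 'false' or 'unset'.
    'unset' means the profile does not override the built-in default, which this
    script cannot inspect, so it is reported separately rather than treated as safe."""
    report = {}
    for name in WARN_PREFS:
        if name not in prefs:
            report[name] = "unset"
        else:
            report[name] = "true" if prefs[name] is True else "false"
    return report


def user_js_overrides(report):
    """Emit user.js lines forcing every preference not known to be true to true.
    Firefox reads user.js at startup, so these lines pin the setting across sessions."""
    return [f'user_pref("{name}", true);' for name, state in report.items() if state != "true"]


# Constructed sample prefs.js content (not taken from any real profile).
SAMPLE_PREFS_JS = '''
// Mozilla User Preferences
user_pref("network.protocol-handler.warn-external-default", true);
user_pref("network.protocol-handler.warn-external.mailto", false);
user_pref("network.protocol-handler.warn-external.news", false);
user_pref("browser.startup.homepage", "about:blank");
user_pref("network.cookie.cookieBehavior", 1);
'''

if __name__ == "__main__":
    prefs = parse_prefs(SAMPLE_PREFS_JS)
    report = audit_warn_prefs(prefs)
    for name, state in report.items():
        print(f"{state:>5}  {name}")
    print("\n// Lines to add to user.js:")
    print("\n".join(user_js_overrides(report)))
```

To run it against a real profile, replace `SAMPLE_PREFS_JS` with the contents of the profile’s prefs.js; the printed user.js lines can then be appended to a user.js file in the same profile directory while Firefox is closed.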

Thanks to Alec Muffett and Geoff Arnold for the heads up and advice.

21 comments to Major vulnerability in FireFox on Windows

  • Sam

    I’ve never messed with these settings before and they were all already set to true, which means probably for a lot of non-technical users they will be true by default. Still good to check, though.

  • Mine were all true as well.

  • Apart from the first, the others were all set at ‘false’ in my Vista system laptop; I’ve yet to check my XP laptop. Now changed the Vista one to ‘true’ for all. I use Firefox only rarely, but it is worth knowing nonetheless.

  • ScotsToryB

    Exactly as Bill – is this a Scottish default setting?!

    STB

  • Nick M

    Thanks Adriana!

    I had to change most of ’em (XP).

  • Eric Tavenner

    Probably the best thing to improve your internet security would be to move to Linux

  • Eric, I am with you.. in fact, I installed Ubuntu a couple of months ago to make that transition. There is no way I will use Vista.

    Alas, the Linux OS is still not ready for people like me – power users but not techies. The moment it goes to command line, I am out. Hope future versions will get better at the user friendliness – they already have come a long way.

    As for this vulnerability on Linux, theoretically it applies too. Whether it is exploitable or not is another question.

  • Probably the best thing to improve your internet security would be to move to Linux

    Even better is to move to Mac OS X. And Mac doesn’t force you to use the command line (though I personally much prefer the command line), so it addresses Adriana’s concern too.

  • Nick M

    Adriana,
    I am a power-user and a techie. And this is why I’m sticking with XP…

    I love command lines (I have enough Unix experience to appreciate the power, especially if you have umpty-hundred photos to resize according to certain criteria and stuff like that).

    One of my biggest beefs with Windows is how it has progressively anti-developed the CLI. Yet it is still there. The first time I got my paws on a Vista system, during install I noted that (very briefly) it flashed up a text screen saying MS-DOS with a version number! Oh, that was also during a crash on install on a mint HP laptop!

    So the truth is that up in the attic of Vista there is still “my wife’s mother” banging her stick on the floor and wailing about “ze flashing knobs”.

    And Vista is fucking awful. I have no intention of spending an hour on this post so I won’t go into details.

    I downloaded Ubuntu and I’ve got an ISO on my laptop. I’m pondering a transition but this is why I’m not doing it. I would have to go dual-boot so I could play my games. So, I’d be dual boot, grand? But I’d then be tempted to keep some of my non-game software in use and I’d end up faffing around with two OSs and getting nothing to the purpose done. My machine has two 21″ screens because I multitask like it’s going out of fashion. So, say, I’m designing a website: I’ve got umpteen programs up and maybe I decide to shave a logo a bit; I can do this and then immediately see what it looks like in ACE HTML. I fear that if I went dual-boot I’d end up rebooting to do that because I’d be using a combination of both Linux and XP tools.

    When Linux can replace everything I need, I’ll switch.

    When Linux sorts its licensing out so I don’t have to find and then download and install every device driver for an install (and maybe they aren’t there?) I’ll switch.

    Oh, and I need to keep XP on my laptop (at least) for my work.

    Vista is rot and I hope this is where the revolt starts.

    XP is actually now quite a good OS (with many evil omissions, mind) and I’m happy(ish) with it. I do think though that Linux is the way forward (especially because Vista is such a fucking disaster area which I very much doubt MS will recover from*). I’m glad about that.

    * I don’t mean they’ll go pop. I just mean that the complete awfulness of Vista (“The Oww starts now”) will forever remove them from dominance in OSs.

  • Sam Duncan

    I can go for days without touching the commandline on Linux, too (at least, I could before switching to a version that uses a commandline package manager). With a distribution like Ubuntu, there may be a few initial setup problems which might need a bit of shell-based jiggery-pokery to fix, but after that it should be plain sailing. SimplyMepis and Linux Mint (both based on Ubuntu) are worth looking at if you’re having difficulties, by the way. Mepis is better at identifying and configuring hardware automatically, and Mint is better with multimedia (it plays mp3s “out of the box”, for example).

    But it’s certainly true that Linux is harder to get used to than its fans are willing to concede. I’ve never used an OS without a commandline interface, and it still had me tearing my hair out for the first few months. Going by my experience though, stick it out for three or four months and you won’t go back.

  • I use Firefox for (almost) everything, and I’ll check the settings, although on one of my machines I use Linux Mepis exclusively, and I dual-boot it on the other.

    I switched over to Linux about two months ago, and I agree with the general tenor of comments on it here. I tried to switch back in early 2006, and it was a disaster. Every distro I tried was semi-useless, even for a geek like me. Linux supporters were basically operating in religious mode: “You have to believe – and why should you worry about having to learn new languages, interfaces, and programs to run our God?”

    Mepis was a new world. They have a package manager that operates on about two clicks, and so far has installed everything I wanted flawlessly.

    What I still can’t do is run Quicken on Linux, nor can I run Roboform native. Those two alone are enough to keep that dual boot on the other machine. I live on the Web, doing all sorts of research (and buying lots of stuff, and filling out endless forms) so Roboform is non-negotiable: I have to have it. Same for Quicken: I’m self-employed, my finances are ridiculously complicated, and my Quicken records go back to 1993. I can’t take chances with that, either.

    But beyond that….some Linux distros are more or less ready for prime time, and I expect that by this time next year, even my caveats about Quicken and Roboform will have been answered.

    So I’m running Mepis, OpenOffice.org, Gimp, and a host of Linux utilities. They all match, or exceed, Mickeysoft’s Vista/Office combo.

    I’m almost a Linux guy now. I expect I’ll have a lot of company over the next couple of years.

  • Ted Schuerzinger

    No Opera users? :-p

  • Both ends against the middle; but my Linux is very soothing to the assaulted ego; for example I could not get MySQL working properly, if at all.
    Eventually I tried so many remedies that I screwed up the basic file dependencies.
    So it was totally wrecked.
    Undaunted, and for the umpteenth time, I tried reinstalling via different methods, especially (as any operating system at all is wont to need) a clean install.
    Following the instructions at PHPMySQL.com (or whatever) I cleaned out the sticky default bullshit and set it up; now it works, including an interface at least as good as SQL Server 2005 Express Manager on Windows.
    Thing is, my Eureka moment took till 2AM.
    G’night.

  • Thanks for the tip, 3 of mine were set to false…

  • tranio

    all mine were set TRUE

  • No Opera users? :-p

    I’m a blogger. Opera doesn’t support Scribefire, so, sorry, no dice.

  • Thanks for the information.

    Reading the bug report on this, it appears to be about Windows XP – it doesn’t handle certain protocols correctly.

    It looks like there’s a bug release going through the development process.

  • If Linux ran Windows games (i.e. all the commercial ones) I would switch completely like a shot. As it is, my stepson runs Linux on his machine (to prevent the playing of games, my decision) and my home fileserver runs Linux, both Ubuntu.
    I too find the command line tricky and don’t like using it, but there’s plenty of help out there and many of the chatrooms I’ve come across are very welcoming of n00bs, gladly reeling off commands which can be copied and pasted into the terminal.
    I too think that MS has shot themselves in the foot with Vista, and they’re planning another OS for three years’ time? Yeah right.
    Vista is designed to do one thing and one thing only: make money. This is its primary purpose, and along the way making users happy has been forgotten. As a result Vista will not make money.

  • David

    It has been fixed in patch 2.0.0.6

  • Couple of points about UBUNTU: the command line has a memory between boot sessions, so you need never ‘lose’ a successful command once installed; also Feisty Fawn (UBUNTU 7.04) will still play MP3 files without much trouble; it’s been so long I don’t remember whether any messing with codec installations was required, but if it was, the installer will do most of the work, including finding them and ‘downloading’ them.
    You must ensure that the MPeg compression is at least 128Mb however or things will fail (i.e. bigger file size preferred relative to older versions of UBUNTU).
    I never use my CD player since installing UBUNTU, just ‘Banshee’ on random except for search.

  • I have to agree, the latest Linux distributions are really quite polished compared to what was available just two years ago. All credit to guys like Mark Shuttleworth of Ubuntu for focusing heavily on the user experience, something that should’ve happened years back.

    Yet I’m still not a Linux user, having decided instead to go the OS X route with a lovely MacBook. I have to admit, it’s one of the best decisions I’ve ever made and I certainly don’t regret it. I’ve also begun to understand a bit more about Mac zealotry.

    But if I do abandon the Mac, it’ll be in favour of something running Linux. In fact, I’d recommend something like Ubuntu Linux for anybody who doesn’t need specialised Windows-specific apps but merely, like most of us, requires a machine to surf the internet, email, use Office on, organise/edit photos and play media with. The sheer peace of mind you get from not dealing with the hassles that come with using a virus and spyware magnet is more than worth any initial difficulties in setting it up and getting used to a new environment.