Firefox 41-50 is well and truly fucked
-
Summary:
A few hours ago a zero day vulnerability emerged in the Tor browser bundle and the Firefox web browser. Currently it exploits Windows systems with a high success rate and affects Firefox versions 41 to 50 and the current version of the Tor Browser Bundle which contains Firefox 45 ESR.
If you use Firefox, we recommend you temporarily switch browsers to Chrome, Safari or a non-firefox based browser that is secure until the Firefox dev team can release an update.
SVG parser has free-after-use bug, which gives R/W access to memory.
Oh, and needless to say. FF22?
-
/me is on Chrome
isn't :relaxed:, it's :shit-eating-grin:
-
@RaceProUK said in Firefox 41-50 is well and truly fucked:
/me is on Chrome
isn't :relaxed:, it's :shit-eating-grin:
-
The only thing I ever use Firefox for is testing this forum for the crazy people who still use Firefox.
-
@ben_lubar said in Firefox 41-50 is well and truly fucked:
The only thing I ever use Firefox for is testing this forum for the crazy people who still use Firefox.
But do you test it on FF22, or do you wait for Lorne to complain?
-
@ben_lubar I use firefox when I want a browser and a game up.
I'm strapped for memory, and chrome gobbles it all up.
-
@xaade Time to buy yourself some more RAM then.
-
@AlexMedia said in Firefox 41-50 is well and truly fucked:
@xaade Time to buy yourself some more RAM then.
I hear you can download it!
-
Note that Pale Moon, being a wildly divergent fork of Firefox with all the bullshit stripped out, is not affected by this vulnerability: https://forum.palemoon.org/viewtopic.php?f=1&t=13984
-
@AlexMedia said in Firefox 41-50 is well and truly fucked:
@xaade Time to buy yourself some more RAM then.
I have 8 right now, is 16 enough?
-
@xaade that should cover Chrome, then you just need enough for whatever game it is
-
@Jaloopa said in Firefox 41-50 is well and truly fucked:
that should cover Chrome
-
@xaade said in Firefox 41-50 is well and truly fucked:
I have 8 right now, is 16 enough?
You can never have too much RAM
Unless you're stuck on 32-bit, in which case, 4GB is all you can have.
-
@ben_lubar said in Firefox 41-50 is well and truly fucked:
I hear you can download it!
-
@RaceProUK said in Firefox 41-50 is well and truly fucked:
You can never have too much RAM
Well, in theory you can but by the time 16 exabytes is common, 128 bit computing will be coming
-
@Lorne-Kates LOL Windows.
-
Firefox has been more leaky than a bucket full of holes, and Mozilla packaging a chat client by default (which they are only now removing) pretty much marked the beginning of questionable decisions.
Use Iridium. Literally the same as Chrome, but with telemetry disabled and with some other privacy features.
-
Yeah good thing Firefox 22 only has 25 critical vulnerabilities eh?
-
@xaade I have 16 GB in my home pc and that's sufficient for Chrome + Visual Studio + a game.
Although 32 GB is even nicer, of course.
-
@Sumireko said in Firefox 41-50 is well and truly fucked:
Use Iridium. Literally the same as Chrome, but with telemetry disabled and with some other privacy features.
For a long time Iridium would phone home to their servers whenever Chrome would phone home to Google. Plus not everyone even likes Chrome.
-
@ben_lubar said in Firefox 41-50 is well and truly fucked:
The only thing I ever use Firefox for is testing this forum for the crazy people who still use Firefox.
And we thank you for that.
Well, I do anyway.
-
@Sumireko said in Firefox 41-50 is well and truly fucked:
Use Iridium. Literally the same as Chrome, but with telemetry disabled and with some other privacy features.
Is that another browser like Iron, which was also supposed to be Chrome - Google + privacy but turned out to be identical code with slightly altered config defaults? IOW, can you get from Chrome to a functional equivalent of Iridium just by messing about with settings?
-
@Lorne-Kates said in Firefox 41-50 is well and truly fucked:
free-after-use bug
Do you mean use-after-free bug? Because otherwise that isn't a bug to free memory after you're done using it.
-
@LB_ said in Firefox 41-50 is well and truly fucked:
@Lorne-Kates said in Firefox 41-50 is well and truly fucked:
free-after-use bug
Do you mean use-after-free bug? Because otherwise that isn't a bug to free memory after you're done using it.
"I threw away this apple core after I ate the apple."
"YOU ATE GARBAGE?"
-
@anonymous234 said in Firefox 41-50 is well and truly fucked:
Yeah good thing Firefox 22 only has 25 critical vulnerabilities eh?
:noscript.txt:
-
@RaceProUK said in Firefox 41-50 is well and truly fucked:
Unless you're stuck on 32-bit, in which case, 4GB is all you can have.
If you're running Windows on a non-server SKU; otherwise, PAE gives you up to 64 GB.
-
@Lorne-Kates I think you meant to say Firefox 4-21 and 23-50.
-
@flabdablet said in Firefox 41-50 is well and truly fucked:
@Sumireko said in Firefox 41-50 is well and truly fucked:
Use Iridium. Literally the same as Chrome, but with telemetry disabled and with some other privacy features.
Is that another browser like Iron, which was also supposed to be Chrome - Google + privacy but turned out to be identical code with slightly altered config defaults? IOW, can you get from Chrome to a functional equivalent of Iridium just by messing about with settings?
Pretty much.
-
@dcon said in Firefox 41-50 is well and truly fucked:
Fixed: https://www.mozilla.org/en-US/security/advisories/mfsa2016-92/
50.0.2
.. Is there something I'm not getting?
-
@CreatedToDislikeThis said in Firefox 41-50 is well and truly fucked:
@dcon said in Firefox 41-50 is well and truly fucked:
Fixed: https://www.mozilla.org/en-US/security/advisories/mfsa2016-92/
50.0.2
.. Is there something I'm not getting?
What this thread started with - a critical security flaw in FF. If your Help->About->Update didn't find it...
-
Either way, I'll stay on firefox until I can either find or get arsed to write a fork of chromium that has at least all the customized UI niceties I've come to rely on.
-
@dcon said in Firefox 41-50 is well and truly fucked:
@CreatedToDislikeThis said in Firefox 41-50 is well and truly fucked:
@dcon said in Firefox 41-50 is well and truly fucked:
Fixed: https://www.mozilla.org/en-US/security/advisories/mfsa2016-92/
50.0.2
.. Is there something I'm not getting?
What this thread started with - a critical security flaw in FF. If your Help->About->Update didn't find it...
-
@CreatedToDislikeThis Weird...
(hot damn! copy/paste images works in FF again!)
-
@dcon - For what it's worth (which is a lot, actually), Help->About->Update did find and upgrade to 50.0.2 for me.
Still can't access any info on it on firefox's site. (Even after the ol' ctrl+F5ing). Guess it's some kinda cache thing somewhere upstream.
-
@bugmenot said in Firefox 41-50 is well and truly fucked:
Note that Pale Moon, being a wildly divergent fork of Firefox with all the bullshit stripped out, is not affected by this vulnerability: https://forum.palemoon.org/viewtopic.php?f=1&t=13984
Big fan of Palemoon. Works great. One of the nice things is that it's pretty much being developed by one guy. Which means he doesn't have the time or resources to keep coming up with stupid, pointless shit to add.
-
@El_Heffe said in Firefox 41-50 is well and truly fucked:
@bugmenot said in Firefox 41-50 is well and truly fucked:
Note that Pale Moon, being a wildly divergent fork of Firefox with all the bullshit stripped out, is not affected by this vulnerability: https://forum.palemoon.org/viewtopic.php?f=1&t=13984
Big fan of Palemoon. Works great. One of the nice things is that it's pretty much being developed by one guy. Which means he doesn't have the time or resources to keep coming up with stupid, pointless shit to add.
Palemoon apparently has its own layout engine which, combined with its unpopularity, is a big con for me - I want a browser whose functionality is equivalent to that of the most popular browser (currently chrome) and whose UI/'chrome'/feel is very highly customizable.
-
@CreatedToDislikeThis said in Firefox 41-50 is well and truly fucked:
I want a browser whose functionality is equivalent to that of the most popular browser (currently chrome)
I spend a lot of time doing webby internety stuff and I have yet to come across something I want to do that can't be done with Palemoon.
and whose UI/'chrome'/feel is very highly customizable.
Chrome's UI has nearly ZERO customizability.
-
@El_Heffe a whoosh is you; a program's UI is also known as its chrome.
-
@Arantor said in Firefox 41-50 is well and truly fucked:
@El_Heffe a whoosh is you; a program's UI is also known as its chrome.
Chrome is called Chrome because it doesn't have much.
-
@Arantor said in Firefox 41-50 is well and truly fucked:
@El_Heffe a whoosh is you; a program's UI is also known as its chrome.
OK. I know that. I don't see that's a
Chrome's chrome is shit and has zero customizability. That's the number one reason I don't like it.
-
@El_Heffe Yeah, but it seems like Created is looking for a sweet spot: as good at rendering as Chrome, but much more customizable
-
@El_Heffe said in Firefox 41-50 is well and truly fucked:
that can't be done with Palemoon
I tried once and extensions didn't work but maybe it's fixed now.
-
@CreatedToDislikeThis I like Vivaldi. It has vertical tabs and tab stacking. Why can't other browsers copy at least that?
-
@Yamikuronue said in Firefox 41-50 is well and truly fucked:
@El_Heffe Yeah, but it seems like Created is looking for a sweet spot: as good at rendering as Chrome, but much more customizable
It's not about good or bad rendering, though:
it's about when you have two rendering engines each with their own misinterpretations, inventions and bugs - the one used by most people is the one that's going to be relied on by more websites.
I've already seen it happen here and there - something that worked on chrome but not on firefox. Could either have been a firefox bug or a chrome bug, but the net result is the same - chrome's renderer is more popular so using another renderer is going to lead to bugs.
-
@Adynathos said in Firefox 41-50 is well and truly fucked:
@El_Heffe said in Firefox 41-50 is well and truly fucked:
that can't be done with Palemoon
I tried once and extensions didn't work but maybe it's fixed now.
So much this. I have 6 or 7 extensions, of which NoScript was the only one to work on Palemoon.
-
@Yamikuronue said in Firefox 41-50 is well and truly fucked:
as good at rendering as Chrome
So, Firefox? Blink has some nasty bugs even if it has support for a few hot new useless things that FF doesn't.
And by nasty bugs I mean I had to completely re-architect a webpage's HTML and CSS to get around a misimplementation of vw.
-
@AlexMedia said in Firefox 41-50 is well and truly fucked:
@xaade Time to buy yourself some more RAM then.
Umm, actually I prefer to have 10,000 tabs open so this won't work.
(No I'm not crazy like that but I like my tab tree and mouse gestures that work 100% of the time regardless of whatever JavaScript fuckery the web page is doing)
-
Emmm, doesn't this only affect people who use the Tor bundle on their Firefox installation? :O
EDIT: Oops, the bug is in SVG rendering.
-
@Adynathos said in Firefox 41-50 is well and truly fucked:
@El_Heffe said in Firefox 41-50 is well and truly fucked:
that can't be done with Palemoon
I tried once and extensions didn't work but maybe it's fixed now.
Some extensions originally written for FF don't work because Palemoon changed its GUID and some extensions specifically look for the Firefox GUID. AdBlock Plus is one. Most of the time a modification to chrome.manifest or bootstrap.js to add/change the hard-coded GUID fixes most extensions, except those specifically targeting the Australis UI.