TippingPoint’s Zero Day Initiative reported a critical vulnerability affecting Firefox 3.0 yesterday. It includes the 2.0 versions as well. It’s unreleased and Mozilla is working on a fix already. Whatever the exploit is, it does require the user to visit a malicious site or click a link to executed. It came in 5 hours after the FF3 release, but since it affects previous versions, we wonder if the researcher was just sitting on it to be first. The Zero Day Initiative pays researchers for the exploits they submit.
[Nick] sent in his quick hack for getting rid of extra menu options in Firefox 3, like the ever useless ‘Work Offline’ option. (OK, maybe modem lovers like it…) If you’re tired of seeing cluttered menu choices that you never use, [Nick]’s simple trick of editing the XML formatted XUL files in Firefox to clean things up. There’s some risk involved, but it’s nothing that a quick re-install can’t repair. The writeup includes a basic introduction to the XML tags, so you can probably do it. You can use a text editor right? (Just don’t forget to have the installer or a backup copy handy before you start playing around.)
In honor of Firefox 3.0 download day, Waxy.org has posted the full Code Rush documentary. It spans March ’98 to April ’99, as the Mozilla team publishes the first source code and then the eventual AOL acquisition of Netscape. Embedded above is a short clip of [Jamie Zawinski] pushing the code live at 10AM on March 31, 1998. The hour documentary is well worth watching.
If you’re unsure about moving from FF2 to 3, MultiFireFox still works perfectly fine with the new release.
It’s five hours till the official release of Firefox 3. We know your hands are sweating in anticipation, waiting to click that download link and contribute to the greatest World Record known to man… What? You don’t want your browser to have all the notoriety afforded to fat twins? Well then, let’s just go grab the file now since they’re already on the mirrors.
First, pick out a mirror from the official list. Navigate to the the directory of the Firefox 3.0 release: /pub/mozilla.org/firefox/releases/3.0/ You’ll be greeted by a message that says, “We’re not quite ready yet!” and that “Downloading them directly can harm our ability to distribute Firefox efficiently.” Also, you won’t be in the world record count. Think about that, jerk. All releases are named using a consistent pattern. Looking at an earlier release you can determine that the Mac version of 3.0 will be named: Firefox 3.0.dmg Add on the OS and language directories and it will look like this: /pub/mozilla.org/firefox/releases/3.0/mac/en-US/Firefox%203.0.dmg
You can find out more about the new release by reading Dria’s Field Guide to Firefox 3.
One of the best tools we saw at LayerOne was the Exploit-Me series presented by [Dan Sinclair]. Security Compass created these tools to help developers easily identify cross site scripting (XSS) and SQL injection vulnerabilities.
[Rich] over at Securosis takes us through some of his browser paranoia exercises. He uses different browser profiles for different types of web activities. Based on potential risk, various tasks are separated to protect from CSRF attacks and more. Everyday browsing with low risk passwords is done in one. RSS reading with no passwords is done in another. He runs his personal blog in a browser dedicated just to that.