A false is false, of course of course
February 8, 2005 9:49 AM

New Firefox build fixes IDN toggle
Hear about the IDN debacle yesterday? Last night's build of Firefox fixes it. Download and install over your existing Firefox. The Mozilla tree is fixed too. [instructions inside]
posted by cavalier (38 comments total)
 
1. Download and install.
2. Open Firefox
3. Enter "about:config" on the address line without the quotes.
4. Either scroll or filter for "network.enableIDN"
5. Right click and "Toggle" it to False (or just double click)
6. Fin

You are now safe to browse the interweb.*

(* -- offer only valid against IDN spoofing, the rest of the wild west web is still dangerous)

posted by cavalier at 9:52 AM on February 8, 2005


Time it took Mozilla.org to fix spoofing exploit: 1 day
Time it would have taken Microsoft: n months, where n is an arbitrary number from 1 to 6
posted by neckro23 at 10:18 AM on February 8, 2005


Two of the links under Mozilla refer to Macs but when I clicked on them nothing happened. Were these fixes for Safari? If so, is there another place to get them? Thanks.
posted by Quietgal at 10:22 AM on February 8, 2005


(Safari isn't a Mozilla browser.)
posted by neckro23 at 10:27 AM on February 8, 2005


Quietgal, Mozilla/Firefox is not related to Safari -- completely different web browser. We'll have to wait for Apple to patch Safari (probably in a Security Update). If you use the Saft extension for Safari, it has been recently patched by the developer, though.
posted by bcwinters at 10:27 AM on February 8, 2005


neckro23 — Time it took Mozilla.org to fix spoofing exploit: 3 years. That's when the problem with IDN urls was first reported.

Of course, that's kind of snarky since they only added IDN support 1 year ago (almost to the day!), so feel free to use that number instead.

[posted from Firefox 1.0]
posted by revgeorge at 10:57 AM on February 8, 2005


The fix works for me. Too bad it means no more visiting sites that have IDNs, but it's not like I knew of any to begin with.
posted by riffola at 11:02 AM on February 8, 2005


Thanks! So what's that line right above it, network.dns.ipv4OnlyDomains default string .doubleclick.net?
posted by davy at 11:28 AM on February 8, 2005


revgeorge: This isn't a fix for the IDN url problem; that remains a serious issue with the standard. This just fixes a bug with the configuration page: if you toggled IDN support off (a workaround for the larger security issue), it didn't stay off after a browser restart. This particular bug is number 281365, opened on 2/7/05.
posted by mr_roboto at 11:48 AM on February 8, 2005


Second question: can somebody explain why is the latest nightly v. 1.7.3 rather than the 1.7.5 released on 01/12/2005?
posted by davy at 11:57 AM on February 8, 2005




Crap, that was in reference to your first question, davy.
So what's that line right above it, network.dns.ipv4OnlyDomains default string .doubleclick.net?

And this fix worked for me as well. Thanks for posting this.
posted by NoMich at 12:02 PM on February 8, 2005


I just want to point out that this FPP is a perfect example of how the IDN bug could be exploited.

I clicked the FPP-supplied link, which went to an FTP page. I downloaded the executable. Then, as I double-clicked the executable, I realized -- with a start -- that if the FPP were exploiting the IDN bug, I was about to run an .exe on my system that would do goodness-knows-what.

It was a good reminder that even the most technically-literate and aware of us can easily fall victim to social engineering.
posted by davejay at 12:26 PM on February 8, 2005


Doh! Caught me too davejay. Though I did go the manual route and ran the download from there I had initially just used the link provided.
posted by Mitheral at 1:18 PM on February 8, 2005


I've received a few spoof PayPal emails over the past few weeks, so it's not like they took care of the problem in a day. The weird thing is that the emails didn't have any actual links in them, just text. Now I can't remember if I copied the address and pasted them in a new tab. I've talked to PayPal over the phone and it doesn't seem like any info of mine got compromised. Does anyone know if this exploit would have worked if I copy/pasted plain text from a spoof email into the address bar of a new tab? Or does it only work with actual links?

I'm still not sure if I logged into a real PayPal site or a spoof one. I don't think I have to worry, as I've done the password change thing, and the site I "logged into" already had all the information about me that PayPal reveals (address, 4 digits of CC, etc). I'm guessing the spoofed site would not have this info, and would depend on me opening a new account or some such.

Still, I thought the whole reason I switched to FireFox was to avoid stuff like this... This exploit is sneakier than anything I've ever encountered using IE.
posted by swank6 at 1:22 PM on February 8, 2005


mr_roboto: mea culpa, although it seems like if IDN is being shipped on by default that's almost as big a bug as not being able to turn it off.
posted by revgeorge at 1:37 PM on February 8, 2005


i am worried. i've been using firefox for sometime, and advocating many others to use it because it's safer.

and now i realise it isn't any safer, because nobody is checking the extensions for spyware or exploits.

i guess i now have to go around and tell everyone i recommended firefox, to beware of exploits, known and undiscovered.

sorry, but i just can't trust it anymore, and i feel foolish for recommending it to so many friends and colleagues.
posted by quarsan at 1:38 PM on February 8, 2005


?????

You're confusing me, here. There isn't a buffer flow or critical flaw in how Firefox operates.

There is a flaw in a standard that has been publicized (just not, er, well) for a while now.

Some folks lit the house on fire yesterday and said "HAYYY This is bad FIX IT STANDARDS FU)(#!@%KRS!" and the Mozilla browsers like nearly every other browser who had adopted the standard showed their vulnerability.

The configuration to safe-guard the vulnerability was busted though, and it was fixed the same day the house was lit on fire.

I'm not drawing parallels here on a known exploit being in the wild for several months I don't see any spyware in Firefox. I see a properly functioning implementation of IDN, with a recent development branch leading up to 1.0 breaking the toggle functionality of a functioning implementation. How the heck is this the thing that kills Firefox for you?

It still blocks a majority of the pop ups and other nasties that threaten modern web surfing. How is it now unsafe for you and embarrassing to recommend? The mind boggles.
posted by cavalier at 2:25 PM on February 8, 2005


Am I right in thinking that this Firefox fix is in a nightly build? Is a fix release planned for the stable 1.0 branch?
posted by cobra libre at 2:25 PM on February 8, 2005


quarsan that's the nature of the beast. Even OpenBSD has been hit once. If you want 100% safety unplug the box and encase in concrete.

Firefox is wildly better than IE in any metric you care to choose.

Safe surfing is common sense. Just because you drive a volvo doesn't mean you should stop wearing seat belts.
posted by Mitheral at 2:32 PM on February 8, 2005


I would say that's a safe bet, cobra.
posted by cavalier at 2:35 PM on February 8, 2005


I'm sorry, I'm a little confused here.

My about:config settings don't change after restart.

The bug is listed as fixed in aviary1.0.1, fixed1.7.6. I have firefox 1.7.5. but going to shmoo's site still reveals that I have the vulnerability.
I'm still stumped as to the update process, clicking on 'check for updates' doesn't do anything. and I can't find 1.7.6 on the firefox site. I'm not familiar with the update process on mozilla's site. but it's certainly not clear to me what the hell is going on.

would someone be willing to post an accurate, zipped (not exe) patch?
posted by djdrue at 2:55 PM on February 8, 2005


thanks for the update. now i can click with impunity.
posted by blendor at 3:00 PM on February 8, 2005


Does anyone know if this exploit would have worked if I copy/pasted plain text from a spoof email into the address bar of a new tab? Or does it only work with actual links?

Yes it would.
The only safe thing you can do is type the url into your address bar.
Even though this is a potential problem, I've every confidence that the mozilla guys will sort out a solution quickly.
To reiterate what people have said before. This isn't a bug in the software, it's a problem with the standard. (Approved international design). Saying that it's a bug is like saying that the ability to send spam over open proxies is a bug. Unfortunately, even international committees cannot give us nice things without somebody spoiling it for everyone.
posted by seanyboy at 4:10 PM on February 8, 2005


I'm so ill of people saying that this is proof that Mozilla fixed a security vulnerability faster than Microsoft would have. No, no, no! I'm no Microsoft apologist, but for all anyone here knows, Microsoft regularly has internal code fixes within hours for exploits that get publicized. The difference we're seeing here is that the folks over at Mozilla make their nightly builds, with whatever code's been checked in over the past 24 hours, available for download that night. But note what this means: if you want to take advantage of the purported fix, you need to download and run a version of the browser that has a kajillion other bits of code in it that haven't been properly tested, debugged, or otherwise run through the quality control grist mill. That's why it's a nightly build -- it doesn't meet the standard of a release build. And honestly, most nightly builds of Firefox on the Mac make my PowerBook seize up and lose continence, so if I want a browser that's stable, I still have to run one that doesn't have the fix integrated.

To be clear, the difference between the Mozilla people and Microsoft isn't in how fast they fix bugs, but rather, how fast they put those bugfixes in the hands of the public. Microsoft waits for them to be appropriately regression-tested; Mozilla throws 'em out there with the caveat that you're going to be running software that might have a whole host of other known and unknown bugs in it. If you're cool with that (like most personal computer users), then have at the nightly builds; if you're not (like most corporations), then you're still gonna have to wait for the release build.
posted by delfuego at 4:41 PM on February 8, 2005


Nicely put, delfuego.
posted by _sirmissalot_ at 5:11 PM on February 8, 2005


thanks, bcwinters and neckro23
posted by Quietgal at 5:20 PM on February 8, 2005


If this is the best of the web, I'm upgrading to Internet2.
posted by VulcanMike at 8:31 PM on February 8, 2005


I agree somewhat with delfuego here.

It's a little um, cavalier to just urge people running 1.0 (especially those who waited for a stable release) to ditch that for a nightly build which may or may not be stable (we'll know tomorrow ...). They should at the very least be warned about the risk.

I'm still stumped as to the update process, clicking on 'check for updates' doesn't do anything. and I can't find 1.7.6 on the firefox site. I'm not familiar with the update process on mozilla's site. but it's certainly not clear to me what the hell is going on.

There is no update for Firefox 1.0 as of yet. When they do update it, and they may do that (call it Firefox 1.0.1?), then Firefox will let you know with the toolbar icon. What was pointed to was an FTP directory where Firefox and Mozilla test updates are available for those willing to assume the risk of beta-testing software for the Mozilla Foundation. It is not in any sense guaranteed or bug-tested the way Firefox 1.0 was nor the way an IE Automatic Update would be.

Firefox 1.1 is due out in June, and 1.1 will incorporate changes to the stable Mozilla trunk. (Firefox 1.0 was based originally on Mozilla 1.2; Firefox 2.0 will be based on Mozilla 1.8.) The differences between 1.7.3 and 1.7.5 have to do with the various "branches" of the Mozilla "trunk" that are in play at any given time. Anybody concerned about stability or getting a nice neat package that won't break things should not be downloading this stuff. This is a problem for people who are dumb enough to click on paypal links they get in mail; if you're that dumb you're probably not ready to handle a Mozilla nightly build, sorry to say. I just don't see this as a great emergency. The only thing that made this urgent was some (well-intentioned) trashcan-rattling, not a sudden new vulnerability being discovered.

In short: if you don't really understand what this does, you should probably leave your Firefox 1.0 installation as is. And don't click on links to financial sites in e-mail, mmmmkay?
posted by dhartung at 9:19 PM on February 8, 2005


This isn't a fix for the IDN url problem; that remains a serious issue with the standard. This just fixes a bug with the configuration page: if you toggled IDN support off (a workaround for the larger security issue), it didn't stay off after a browser restart.

so, the wording of this post is misleading and erroneous. niiiiiice.
posted by quonsar at 5:22 AM on February 9, 2005


Hello quonsar, I've never had the pleasure of confronting your trolling before, so, Hi. As I made this post, I hope I can elucidate the post's title for you:
New Firefox build fixes IDN toggle
Hear about the IDN debacle yesterday? Last night's build of Firefox fixes it. Download and install over your existing Firefox. The Mozilla tree is fixed too. [instructions inside]
Do you see where it says toggle? Or are you being intentionally daft?
posted by cavalier at 7:26 AM on February 9, 2005


woops, and, dhartung, thank you. nicely stated :)
posted by cavalier at 7:28 AM on February 9, 2005




Hear about the IDN debacle yesterday? Last night's build of Firefox fixes it.

see, in common english, "it" refers to "IDN debacle". but nice try.
posted by quonsar at 3:03 PM on February 9, 2005


Ah, but this update does fix the "IDN debacle", or "it", as it's linked not to a news report about the "IDN hack", but to a page of comments DISCUSSING the "IDN hack". In the comments he linked to, the forum is full of people having repeated conversations along these lines:

Person A> How do you avoid this on Firefox?
Person B> Do this toggle thing.
Person A> Didn't work, still vulnerable!
Person B> Restart your browser.
Person A> Didn't work, still vulnerable!
Person C> There's a bug in the toggle, after reboot it says one thing and does another.
Person A> Crapdoodle!
Person B> Crapdoodle!

That's a debacle if I ever read one. Also, as I remember that debacle from yesterday, I read the FPP and immediately thought "oh, the toggle thing's fixed!". So I vote that you're wrong on this one. :)
posted by davejay at 3:55 PM on February 9, 2005


Thanks, TNF! I'll try this "Updated Firefox SpoofStick Extension to Display Homograph Spoofs" upon restarting. Of course it's pretty much academic for me anyway: i've known better than to click on such things in email for years.

One thing I must repeat: legitimate Paypal email addresses you by name, not as "Paypal user" or by your eBay ID or anything. If it says "J. Alfred Random" on your credit card that's what they'll call you. In general, if some email calls you "Dear account holder" or something it's probably spoofed -- and you should NOT click on any links it includes.
posted by davy at 6:24 PM on February 9, 2005
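
As an added example (not part of the thread, and not SpoofStick's code), one way to flag IDN lookalike hostnames in the text of an email before anyone clicks or pastes them: it decodes `xn--` labels and reports labels that are non-ASCII or that mix scripts. The function names and the sample email, including the lookalike host containing a Cyrillic "а", are constructed for illustration.

```python
import re
import unicodedata
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"']+")

def to_unicode(host):
    """Return the form a browser with IDN enabled would display."""
    host = host.lower().rstrip(".")
    try:
        return host.encode("ascii").decode("idna")  # decodes xn-- labels
    except UnicodeError:
        return host  # already Unicode, or malformed punycode

def label_scripts(label):
    """Scripts used by the letters of one label, from Unicode character names."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0]
            for ch in label if ch.isalpha()}

def check_host(host):
    """Return (displayed_form, findings) for one hostname."""
    shown = to_unicode(host)
    findings = []
    for label in shown.split("."):
        scripts = label_scripts(label)
        if label.startswith("xn--"):
            findings.append(f"undecoded punycode label {label!r}")
        elif not label.isascii():
            findings.append(f"non-ASCII label {label!r}: {'+'.join(sorted(scripts))}")
        if len(scripts) > 1:
            findings.append(f"mixed-script label {label!r}")
    return shown, findings

def scan_text(text):
    """Map each suspicious hostname found in plain text to its findings."""
    flagged = {}
    for url in URL_RE.findall(text):
        host = urlsplit(url).hostname or ""
        shown, findings = check_host(host)
        if findings:
            flagged[host] = findings
    return flagged

# Constructed sample: U+0430 is CYRILLIC SMALL LETTER A, not Latin "a".
LOOKALIKE = "p\u0430ypal.com"
SAMPLE_EMAIL = (
    "Dear account holder, confirm your details at https://" + LOOKALIKE + "/login\n"
    "Same host, ASCII form: http://" + LOOKALIKE.encode("idna").decode("ascii") + "/\n"
    "Legitimate: https://www.paypal.com/\n"
)

if __name__ == "__main__":
    for host, findings in scan_text(SAMPLE_EMAIL).items():
        print(host, "->", to_unicode(host), findings)
```

The check works on plain text as well as on links, so a pasted address is caught the same way as a clicked one.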


I vote that you're wrong on this one.

drat!

*toggles to off position*
posted by quonsar at 5:30 AM on February 10, 2005


:) q , I look forward to your custom in future lives.

I heartily recommend the Spoofstick, too. While we are always savvy about unsavory emails, it never hurts to wear protection when you're surfing.
posted by cavalier at 11:03 AM on February 10, 2005




This thread has been archived and is closed to new comments