Firefox critical update released 21 Sept 2016

For discussions about security.
belham2
Posts: 1715
Joined: Mon 15 Aug 2016, 22:47

Firefox critical update released 21 Sept 2016

#1 Post by belham2 »

Here we go again, time to get all our puppies updated browser-wise (for Firefox, get version 49 or 45.4.0). Ole' Mike Walsh in the browser section is going to need to go fulltime with his work (haha, just kiddin' ya, Mike!!) Seems like these sorts of things are coming every 3 or 4 weeks now...ugh. This particular attack, as article notes, seems a bit of a stretch, but Mozilla wouldn't have updated the overall browser if they didn't think it could not happen. Besides, why take a chance? Love how attackers are using browser "add-on" vectors now, especially widely-used stuff like NoScript, etc, lying in wait for an update to that widely used add-on. I've been telling friends for the past few years, have a separate browser with absolutely zero plugins when doing any/all of your online personal financial transactions (bank, insurance, investment, etc). For everything else browsing online, yes, plug-ins are the way to go. For the former, though, you're just asking for needless trouble by not using just the basic browser. The overall reason? Trust as little as possible when you are doing sensitive work online, and not using any "add-ons" (approved, unapproved, 3rd party, or otherwise) is part of practicing that creed. Don't fall for the oft-repeated trap that add-ons make you fully safe on the web. Despite what you might think, add-on developed code and getting it approved for Firefox (or Chrome, etc) is not hard. Worse, there is no group or enough fin'l resources from Mozilla, Google or otherwise to where we all can be certain they have vetted and stayed on top of all the code getting released in their add-ons..... (if you are an add-on developer, this is not a direct attack against you, all it is trying to tell people for a certain few things on the web, safe is better than sorry; for everything else, yes, they should be using your add-ons to have a better and safer-drive-by-browsing web experience...)

https://threatpost.com/mozilla-patches- ... ox/120747/

Sailor Enceladus
Posts: 1543
Joined: Mon 22 Feb 2016, 19:43

Re: Firefox critical update released 21 Sept 2016

#2 Post by Sailor Enceladus »

belham2 wrote:Seems like these sorts of things are coming every 3 or 4 weeks now...ugh.
Interesting. I'm using Firefox 28, and never paid much attention. Don't really use addons though so I guess this particular update isn't critical for me. I wonder how many critical vulnerabilities are in FF28, would I be "safer" with a text browser?

watchdog
Posts: 2021
Joined: Fri 28 Sep 2012, 18:04
Location: Italy

#3 Post by watchdog »

I use palemoon and I recently discovered Palemoon Commander, the add-on from which you can easily toggle javascript. I now browse the web without javascript and turn it on only at need. Is it safe enough?

Sailor Enceladus
Posts: 1543
Joined: Mon 22 Feb 2016, 19:43

#4 Post by Sailor Enceladus »

watchdog wrote:I use palemoon and I recently discovered Palemoon Commander, the add-on from which you can easily toggle javascript. I now browse the web without javascript and turn it on only at need. Is it safe enough?
Oh yeah, I used to have an addon called JS Switch to easily turn it off and on (you have to right-click the taskbar -> Customise and drag it on) so I didn't have to do it from about:config. Seems like that should kill most security (and speed) problems.

Semme
Posts: 8399
Joined: Sun 07 Aug 2011, 20:07
Location: World_Hub

#5 Post by Semme »

8) Yeah baby -- JSS fan!
>>> Living with the immediacy of death helps you sort out your priorities. It helps you live a life less trivial <<<

belham2
Posts: 1715
Joined: Mon 15 Aug 2016, 22:47

Re: Firefox critical update released 21 Sept 2016

#6 Post by belham2 »

Sailor Enceladus wrote:
belham2 wrote:Seems like these sorts of things are coming every 3 or 4 weeks now...ugh.
Interesting. I'm using Firefox 28, and never paid much attention. Don't really use addons though so I guess this particular update isn't critical for me. I wonder how many critical vulnerabilities are in FF28, would I be "safer" with a text browser?
Sailor,

I use Fred's FF 28 (or is it 26, can't recall right this sec) in his DebianDog64 and also 8Geee's FF24 in his Precise 5.7. Compared to the somewhat bloated pig Firefox (and Chrome, et al) have become over the years, you cannot beat these old browsers for opening speed, responsiveness and just general fun browsing (8Geee mods his browsers much as I do, using the same add-ons for browsing). Without add-ons, I still think these old browsers are safe.....but I think it goes without saying they are "more safe" if you for sure know that the url you are going to is legit and not likely to have malware hiding on it (we can hate Google search all we want, but they've brought some peace of mind over the years in this regard).

Where the older browsers can run into trouble is going to sites that are basically legit, but also have lots going on their page from possibly suspect links, ads, etc....most usually, it is suspect scripts waiting in hiding disguised behind links, pics, gifs, et al. When an old browser hits one of these, it can be a worry as those scripts were designed specifically to use the known weakness in that old browser as the hijack vector (it is one of the reasons why browsers are updated so frequently...the other of course is browser makers figuring how to bring us deeper into their & the web world---gotta make the $$$$$ or at least attract them).

The other big thing with old browsers that most don't think about is "encryption"----older ones cannot usually handle the ubiquitous RSA 128-bit well (this doesn't even mention not rendering many sites correctly, and the user doesn't even realize this). One thing (for firefox specifically) you should religiously do for every browser when first setting it up (puppies and/or large distros) is go to "about:config", head straight to "security", make sure the TLS minimum is "1" (for financial browsers, the min should be "2"), make sure all the "...rc.4" entries (there's 4 of them) and the "..ede3" one are set to "false", and also set both "ssl_require_safe_negotiation" & "ssl_treat_unsafe_negotiation_as_broken" to true. These simple changes will help a lot; also disable your browser's "offline cache" (set it to "false" and its size to "0").

There's a lot of other stuff I change and/or rip out of current Firefoxes. But just doing the above (along with removing flash and, if possible, java/javascript completely, from your system) will make any fin'l thing you do on the web pretty much safe. Everything else, just surf away, add-on or no add-ons, old browser and/or new browser......

.................just try to keep one browser dead clean, and current, and even better, have it residing on a USB/CD of DebianLiveCD or Ubuntu/FedoraLive CD, that you yourself put together (love the pups and all, but stick with the bigs when it's for sh!t that matters). Then, all you have to worry about is man-in-the-middle, router, and actual public-facing server hacks----lol, crap that is way out of our hands.
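The about:config checklist in the post above, as an added example that is not belham2's or Puppy's own code: a small POSIX shell audit that reads a profile's prefs.js (or user.js) and reports which of those settings are still weak or unset. The pref names are the real Firefox names I am assuming the post's abbreviations refer to (the four security.ssl3.*rc4* cipher prefs, security.ssl3.rsa_des_ede3_sha, security.ssl.require_safe_negotiation, security.ssl.treat_unsafe_negotiation_as_broken, security.tls.version.min and the browser.cache.offline.* prefs); the sample prefs file is constructed.

```shell
#!/bin/sh
# Added example, not from the thread: audit a Firefox prefs.js or user.js for the
# about:config hardening belham2 lists. The pref names below are the real
# Firefox (28 to 45 era) names that the post refers to only approximately
# ("...rc.4", "..ede3", etc.); that mapping is my assumption.
# Usage: audit_prefs ~/.mozilla/firefox/*.default/prefs.js

# "name|wanted" pairs. For security.tls.version.min the wanted value is a floor
# (1 = TLS 1.0 in these builds; belham2 suggests 2 for a banking-only browser).
# All other prefs must match exactly.
WANTED='security.tls.version.min|1
security.ssl3.ecdhe_ecdsa_rc4_128_sha|false
security.ssl3.ecdhe_rsa_rc4_128_sha|false
security.ssl3.rsa_rc4_128_md5|false
security.ssl3.rsa_rc4_128_sha|false
security.ssl3.rsa_des_ede3_sha|false
security.ssl.require_safe_negotiation|true
security.ssl.treat_unsafe_negotiation_as_broken|true
browser.cache.offline.enable|false
browser.cache.offline.capacity|0'

# pref_value FILE NAME: print the value from the last user_pref("NAME", VALUE);
# line, with any quotes stripped; print nothing if the pref is not set.
pref_value() {
    sed -n "s/^user_pref(\"$2\", *\(.*\));.*$/\1/p" "$1" | tail -n 1 | tr -d '"'
}

# audit_prefs FILE: one line per pref (ok / WEAK / UNSET) and a final
# "problems: N" summary. A pref missing from the file is at the build's
# default, which for these settings is the permissive one, so it counts.
audit_prefs() {
    file=$1
    problems=0
    for pair in $WANTED; do          # pairs contain no whitespace, so this is safe
        name=${pair%%|*}
        want=${pair#*|}
        have=$(pref_value "$file" "$name")
        if [ -z "$have" ]; then
            echo "UNSET  $name (want $want)"
            problems=$((problems + 1))
        elif [ "$name" = security.tls.version.min ] && [ "$have" -ge "$want" ] 2>/dev/null; then
            echo "ok     $name = $have"
        elif [ "$have" = "$want" ]; then
            echo "ok     $name = $have"
        else
            echo "WEAK   $name = $have (want $want)"
            problems=$((problems + 1))
        fi
    done
    echo "problems: $problems"
}

# problem_count FILE: just the number of WEAK/UNSET prefs, for scripting.
problem_count() {
    audit_prefs "$1" | sed -n 's/^problems: //p'
}

# Constructed sample profile: only the TLS floor was raised; RC4 is still on,
# renegotiation is permissive, and the offline cache is enabled.
SAMPLE=$(mktemp)
cat >"$SAMPLE" <<'EOF'
# Mozilla User Preferences
user_pref("security.tls.version.min", 1);
user_pref("security.ssl3.rsa_rc4_128_sha", true);
user_pref("security.ssl.require_safe_negotiation", false);
user_pref("browser.cache.offline.enable", true);
EOF
audit_prefs "$SAMPLE"      # reports 3 WEAK and 6 UNSET: "problems: 9"
rm -f "$SAMPLE"
```

Run it against a real profile by passing the prefs.js path; a pref that is at its default never appears in prefs.js, which is why "UNSET" is reported as a problem rather than skipped.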

purple379
Posts: 157
Joined: Sat 04 Oct 2014, 22:23

How do you decide whether one JavaScript is safe??

#7 Post by purple379 »

The whole problem is -- if we did a good job Sandboxing Browsers. Or at least restricting them to not have access to our OS and our Data. Whether one can trust a Sandbox to really do that?

puppy9000
Posts: 4
Joined: Sat 24 Sep 2016, 05:52

QUESTION

#8 Post by puppy9000 »

QUESTION

How to update Firefox in puppy?

I'm new to puppy, having used it for just a few months. I have 45.3.0esr and I want to update to the new 45.4.0esr but when I go to the menu in Firefox "Help -> About Firefox" it tells me I have the latest version and shows 45.3.0.

Then when I go through the Puppy start menu "Setup -> Updates manager" it shows that 45.4.0esr is available and when I select it then it pops up a message that says something like "You already have 45.3.0esr installed and you should uninstall it first before installing 45.4.0esr".

So what gives? If I uninstall it first then it's not really updating but just doing a new clean install. So I'll lose all my bookmarks, addons and settings which is undesirable.

Is there a way to do a normal update in Puppy? Thanks 8)

Makoto
Posts: 1665
Joined: Fri 04 Sep 2009, 01:30
Location: Out wandering... maybe.

#9 Post by Makoto »

puppy9000: Your Firefox profile information (including your bookmarks, addons, settings, etc.) is normally stored under the hidden directory ".mozilla". You can safely uninstall or update Firefox without worrying about that directory being erased.
[ Puppy 4.3.1 JP, Frugal install ] * [ XenialPup 7.5, Frugal install ] * [XenialPup 64 7.5, Frugal install] * [ 4GB RAM | 512MB swap ]
In memory of our beloved American Eskimo puppy (1995-2010) and black Lab puppy (1997-2011).

solo
Posts: 389
Joined: Thu 14 Nov 2013, 20:33

#10 Post by solo »

Using Shinobar's portable FF on Precise 5.7.1, but had to turn off automatic updates because FF required GTK3 to run, and I don't want to go through the motions of updating GTK with all the hassle that comes with it.

Using FF 44 now, and the only add-on I have is NoScript, which is perfectly safe, because for NoScript to become an 'attack vector' at all, you'd have to install a malicious add-on.

rokytnji
Posts: 2262
Joined: Tue 20 Jan 2009, 15:54

#11 Post by rokytnji »

http://www.murga-linux.com/puppy/viewtopic.php?t=106670

Live and learn. Remember, Do-acracy rules here.
Love how attackers are using browser "add-on" vectors now, especially widely-used stuff like NoScript, etc, lying in wait for an update to that widely used add-on
errr. Okey dokey I guess.

belham2
Posts: 1715
Joined: Mon 15 Aug 2016, 22:47

#12 Post by belham2 »

solo wrote:Using Shinobar's portable FF on Precise 5.7.1, but had to turn off automatic updates because FF required GTK3 to run, and I don't want to go through the motions of updating GTK with all the hassle that comes with it.

Using FF 44 now, and the only add-on I have is NoScript, which is perfectly safe, because for NoScript to become an 'attack vector' at all, you'd have to install a malicious add-on.
Solo,

Wow, the misinformation continues....yes, NoScript (and things like it, for example: BetterPrivacy, Self-Destructing Cookies, even Https Everywhere) are great, but they are definitely NOT perfectly safe. Try to read up on the new attack vectors, hackers have evolved and have learned now how to come in through "updates" to programs like NoScript (if they can get between the server hosting that crap, which is turning out to be "easy", and you, the "user"). When they come in to you this way--as the user---you would never know it happened until it was too late because you have blind trust in the add-on. If the add-on is not there, they could not have come in through this way...as the browser does not update anything except itself (and that is ridiculously easy for us to control and shut off---not so for add-ons, you either take the updates on most (not all) of them, or you don't, it's part of the package you accept). New attack vectors like this have zippo/nothing to do with the user having to "install a malicious add-on". That is becoming old school :roll:
rokytnji wrote:http://www.murga-linux.com/puppy/viewtopic.php?t=106670

Live and learn. Remember, Do-acracy rules here.
Love how attackers are using browser "add-on" vectors now, especially widely-used stuff like NoScript, etc, lying in wait for an update to that widely used add-on
errr. Okey dokey I guess.
Rokytnji,

Defn agree we are the do-acracy here on murga. Most of us stay on top of this stuff. What worries me is the casual user who doesn't, or misses the pup's developer's notice in the 1st thread post telling them to update something (or Mike W telling people to get on the new updates for security fixes for the browsers). Nice thing is that most of us who actually post here don't do dumb things (when we do sensitive fin'l info online).

Problem is, the dam# hackers are moving away from "us" the user and onto the middle pipe playground, which changes the whole ballgame. Thus the vectors are new. There's no way in heck we as the "end-user" can know for sure if any public-facing server and/or router (or whatever) has been so-called "touched". Thus, if you're unaware enough nowadays to use add-ons in your browser while you do sensitive online fin'l info, then you are slowly becoming your own worst enemy.

For what it is worth, the huge fin'l institutions are discussing something that is ominous, imho. It has been brought up at big meetings lately that if an online customer's account gets owned, and they determine that it came from your end, no matter what the reason, they are not going to cover your losses. This is scaring a lot of people if they actually do codify this stuff in their policy/rules/regs. As an example, recently there was a woman in Michigan who ran a small business (and also did her home/personal browsing there), and, well, she got pwned. End result was her business & personal acct lost a few million, all in one day, because her bank account was hacked as they, iirc, came in through her browser (and not email). This was not click/link hijacking, either. The bank flat out said they are not going to cover one penny if you are going to use programs & scripts that are not fully vetted; they immediately armed themselves with lawyers to fight her claim that the bank should have known the transfers should not have occurred. They are arguing she should not be willy-nilly installing crap in her browser, and there was no way for them to know the transfers (to seemingly legit businesses) were not legit.

So the precedents are starting to be set, and this is going to get both ugly and worrisome going forward for all us "end-users". Start preparing now by using a clean browser on a clean system (if possible), where that system is only booted up for one reason---doing sensitive stuff. I'll find the link to this story (it was on threatpost.com and securityweek.com a few months back, iirc) if you're interested.

What is triply worrisome to me is where this thinking by large fin'l institutions leads (and who is backing it).....is this another attempt by MSFT (like they did in higher education online courses) along with Apple, to say to online fin'l providers "hey, your users have to stay inside our walled, vetted garden, and thus everything else you shouldn't cover"?? Ignore the fact that Linux powers most of the web, these fin'l institutions are actually debating this crap now. My God, think of the numbers who bank with their Android Phone??? Hopefully Apple and all the tech world will come to its senses and squash this "only our walled gardens are safe" push. It makes it seductively easy for an online fin'l provider to think "hey, yes, they are right!". Bigger ugh........................

Semme
Posts: 8399
Joined: Sun 07 Aug 2011, 20:07
Location: World_Hub

#13 Post by Semme »

Hey, P9k.. Have you managed the FF update thing yet?
>>> Living with the immediacy of death helps you sort out your priorities. It helps you live a life less trivial <<<

puppy9000
Posts: 4
Joined: Sat 24 Sep 2016, 05:52

Re: QUESTION

#14 Post by puppy9000 »

puppy9000 wrote:QUESTION

How to update Firefox in puppy?

I'm new to puppy, having used it for just a few months. I have 45.3.0esr and I want to update to the new 45.4.0esr but when I go to the menu in Firefox "Help -> About Firefox" it tells me I have the latest version and shows 45.3.0.

Then when I go through the Puppy start menu "Setup -> Updates manager" it shows that 45.4.0esr is available and when I select it then it pops up a message that says something like "You already have 45.3.0esr installed and you should uninstall it first before installing 45.4.0esr".

So what gives? If I uninstall it first then it's not really updating but just doing a new clean install. So I'll lose all my bookmarks, addons and settings which is undesirable.

Is there a way to do a normal update in Puppy? Thanks 8)
Makoto wrote:puppy9000: Your Firefox profile information (including your bookmarks, addons, settings, etc.) is normally stored under the hidden directory ".mozilla". You can safely uninstall or update Firefox without worrying about that directory being erased.
@Makoto: Thank you. :) So is that the actually correct way to be updating Firefox in Puppy Linux? To uninstall it and then install the new version? Is that what everyone here is doing? Because I just want to make sure I'm doing it the right way. I know that normally it's possible to update Firefox from within Firefox at the "Help -> About Firefox". So another question, why does my Firefox 45.3.0 tell me I have the latest version when in fact it's not the latest version? Does this happen for everyone else or just me?

Thanks! Like I said, I'm new to Puppy and it's my first time updating software in it so I want to make sure I'm ok. Because I think something is definitely wrong if Firefox is telling me I have the latest version when I don't 8) I think Firefox should know that there is a new version no? :oops:
Semme wrote:Hey, P9k.. Have you managed the FF update thing yet?
Nope not yet. Too scared about doing it the wrong way. :lol: And I want to see if I can get my Firefox 45.3.0 to know a new version exists. Did you have this problem too?

Semme
Posts: 8399
Joined: Sun 07 Aug 2011, 20:07
Location: World_Hub

#15 Post by Semme »

Cats aren't scared. Sometimes surprised, but never scared. :wink:

If that's Slacko you're on, I think it ships a *branded* version. << FF's *misread* >

I always dwnld what I want and run clean as I see fit.

Running clean means not letting the current build populate my settings folder >> ~/.mozilla/firefox/*.default.

<I simply rename it ~/.mozilla/ffirefox to make sure the new build isn't buggy.>

All you'd need from there anyways are your bkmrks..

Extensions and all that other guff is easy enough to address.

==

For YOU however, and provided your box has the hp, I'd toss the ESR build and run current.

Of course, export your bkmrks, then can the above folder for a *clean* install.

==

PS -- Don't run scared. With *safeties* in place, go ahead, break things, learn..
Last edited by Semme on Sat 24 Sep 2016, 11:36, edited 1 time in total.

solo
Posts: 389
Joined: Thu 14 Nov 2013, 20:33

#16 Post by solo »

belham2 wrote:Wow, the misinformation continues....yes, NoScript (and things like it, for example: BetterPrivacy, Self-Destructing Cookies, even Https Everywhere) are great, but they are definitely NOT perfectly safe. Try to read up on the new attack vectors, hackers have evolved and have learned now how to come in through "updates" to programs like NoScript (if they can get between the server hosting that crap, which is turning out to be "easy", and you, the "user"). When they come in to you this way--as the user---you would never know it happened until it was too late because you have blind trust in the add-on. If the add-on is not there, they could not have come in through this way...as the browser does not update anything except itself (and that is ridiculously easy for us to control and shut off---not so for add-ons, you either take the updates on most (not all) of them, or you don't, it's part of the package you accept). New attack vectors like this have zippo/nothing to do with the user having to "install a malicious add-on". That is becoming old school :roll:
Well I read this:

http://arstechnica.com/security/2016/04 ... ew-attack/

That is what I thought was the vulnerability referred to, and if it was, then yes, you DO have to install a malicious add-on for it to work.

But if this is some kind of deal where they pretend to update your add-on while inserting malicious software, well then by golly, you can pretty much write the whole concept of add-ons off. Your handy add-on creating colored tabs could be an 'attack vector' for all you know.

No I think I'll stick with this setup if you don't mind.

Scooby
Posts: 599
Joined: Sat 03 Mar 2012, 09:04

#17 Post by Scooby »

Does FF do automatic updates of addons?

I really h8 that feature in all software.


About all this seems to be angled in a certain way.

For instance, articles are pointing at noScript and 10 other popular addons when in fact the vulnerability is mozilla's doing for letting addons share a javascript namespace.

Seems like mozilla want to put emphasis on the addons themselves.

Another thought is that they want to discredit the old addon system that allowed addon makers to make FF more secure and privacy oriented.

You will see, the new addons API won't allow extensions like noscript, and this discrediting is an opening bid at persuading users that it is for their own good.

I personally have no trust in mozilla anymore.

I see mozilla moving from a technocrat society to a more revenue/ad based one.

I think the intention from mozilla and mozilla's payer Google is to limit the user's ability to retain privacy, for example through the addon system.

I think there are moneylenders in the temple

watchdog
Posts: 2021
Joined: Fri 28 Sep 2012, 18:04
Location: Italy

#18 Post by watchdog »

The safest and suggested browsing mode is to boot a live session of any recent linux distro for online banking and shopping by credit/debit card transactions. Is this the conclusion? This was an old suggestion by online banks: we return to it. If you surf the internet with any linux distro and save the sessions, then your system cannot be defined as more safe.

rokytnji
Posts: 2262
Joined: Tue 20 Jan 2009, 15:54

#19 Post by rokytnji »

Well.

What I took away from my link.

http://www.filepup.net/files/8VtRY1462863465.html

http://www.murga-linux.com/puppy/viewto ... 658#916658
Not mentioned in this thread yet - Puppy Precise 5.7.1 can run firefox 46.xx and later by installing the libgtk-3 package libgtk-3-0_3.4.2-0ubuntu0.9_i386.deb and dependencies from the puppy package manager. firefox update gtk3 gtk-3 libgtk-3.so.0 libmozgtk.so dead-horse
Which tells me just how to update Firefox. In Puppy Linux. Slacko is mentioned.

But I understand. Being an uneducated GED certified scooter tramp. Being a patient sort of dude. A do-acracy of one.
Knees in the breeze. Not in the chair. :lol:

But then. Lookeeeeeeee here.
http://www.murga-linux.com/puppy/viewto ... 363#902363

Deja Vu :?:

Posting in Dillo2 by the way. I am on my P3 IBM T23. Lions, tigers and bears. Oh my.

slavvo67
Posts: 1610
Joined: Sat 13 Oct 2012, 02:07
Location: The other Mr. 305

#20 Post by slavvo67 »

Firefox has an auto-update feature. For full installs such as Quirky Xerus and the derivative RU Xerus, these will update automatically. So any security holes should patch themselves with the update.

The Woof-CE derivatives are a slightly different animal, as they are live versions. Either the author will need to update the version, Firefox will update each time you login, or your pupsave will contain the update.

In Firefox, if you choose the Open Menu icon on the top right of your browser window and go to Preferences-->Advanced-->Update, you can choose auto-update, and it should update for you.


Slavvo67
