Firefox 20.0 Final

Discussion in 'other software & services' started by moontan, Apr 2, 2013.

Thread Status:
Not open for further replies.
  1. JRViejo

    JRViejo Super Moderator

    Joined:
    Jul 9, 2008
    Posts:
    98,105
    Location:
    U.S.A.
    Merged Firefox 20.01 Final Thread Into This One.

    As long as Firefox 20 receives incremental updates, .01, .02, etc., let's keep them all here. Thanks!
     
  2. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,545
    Several people have stated the same. But if you look at the comments for the addon you'll see that I'm hardly alone here. D-S has become broken for MANY people due to this FF 20 upgrade.

    I've yet to see anyone isolate the cause, or what accounts for the discrepancies.

    Between this and breaking Keyscrambler 2.9.3, I'm just not upgrading yet. I get the feeling 19.0.2 may become the new 3.6... the version many people just don't want to move away from because it works just fine, and what's more, everything I use with it works fine with it.

    I'm about to the point where I might not even bother updating anything anymore. I feel I have stable, dependable, usable, and secure versions of everything... from my OS on down (in the right hands). It's not an approach I'd recommend to others. I believe I can live just fine on XP Pro SP3 with Comodo FW/D+ 5.10, SBIE 3.76, VirtualBox and/or Shadow Defender 1.1.0.325, TrueCrypt 7.1, EMET 3.0, OpenVPN 2.2.1, and FF 19.0.2 as long as I keep Flash updated (no Java). Newer versions of stuff these days seem to only benefit Win7/8 users, break stuff, add adware/backdoors/privacy unfriendly stuff, bloat, etc... I see CCleaner also has a new major version out... think I'll stick with 3.28. It ain't broken, so...
     
    Last edited: Apr 12, 2013
  3. Wild Hunter

    Wild Hunter Former Poster

    Joined:
    Oct 13, 2012
    Posts:
    1,375
    Only that 19 has several known open security holes and won't get more vulnerability fixes, unlike 17 which is ESR and supported for a year.

    So, 17 ESR is the only decent option if the stable/beta/aurora channels don't satisfy IMO.
     
    Last edited: Apr 12, 2013
  4. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,545
    But will those vulnerabilities ever really apply to me as a user personally, or do a half dozen other variables have to fall in line for them to work?... like having Java enabled (which I don't even have installed on my machine to enable). Could they foil a NoScript user with scripts denied globally? No PDF either. Would it survive a closed/sandboxed session? A reboot running in a VM? Even Hardware DEP or other shellcode injection measures built into D+, if it managed to bust out of my sandbox?

    Would I even put myself into a position in the first place to test these theories, just browsing the half dozen or so places I visit online?

    I do appreciate the advice though, and it is an excellent point, don't get me wrong here.
     
    Last edited: Apr 12, 2013
  5. Wild Hunter

    Wild Hunter Former Poster

    Joined:
    Oct 13, 2012
    Posts:
    1,375
  6. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,545
    It would either have to cripple NoScript or I'd have to disable that functionality to be affected at all.

    Then it'd have to bust out of my sandbox.

    Then enter my admin PW to elevate those privileges to get around my default deny SRP... and before that, I'd have to ignore a dozen red warnings from my D+ basically telling me my box was being taken over remotely.

    But honestly, I think my SPI router would turn that back before any of that even happened. That and/or system hardening which has any & all things remote disabled other than traffic I specifically initiate outbound from my end.

    My odds are better of having the feds/bad guys simply kick in my door and put a gun to my head demanding my passwords/info.
     
  7. Wild Hunter

    Wild Hunter Former Poster

    Joined:
    Oct 13, 2012
    Posts:
    1,375
    I didn't read any evidence that disabled scripting prevents that vulnerability from being exploited.

    So, I will assume that at least one or more separate browsing sessions could be compromised.

    As for bypassing your other measures and compromising more parts of your system, that would require more work, but not very hard for a dedicated black hat - especially because your OS is XP.
     
  8. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    good points there m8!

    for about a year, there has been only NoScript to give me some protection.
    and on-demand scanners when using Windows to scan downloaded files.
    that's all i need it seems and it works for me.

    i'd say the user is in large part responsible for his/her own security/privacy.
    and the user is more important than the OS or security apps used.
     
  9. Wild Hunter

    Wild Hunter Former Poster

    Joined:
    Oct 13, 2012
    Posts:
    1,375
    The civilian is "more important than everything" but shouldn't be totally responsible for his (or his family) security against dangerous criminals.
    Unless he passed by military training with approval, he will usually fail.

    Just like...

    The user is "more important than everything" but shouldn't be totally responsible for the security of his system against cyber crime.
    Unless he was deeply educated for that and really learned his lessons, he will usually fail.

    .

    Please, let's stop downplaying the importance of secure software, especially of the most important software - the OS and the browser.

    This is dangerous and can lead to bad consequences.
     
    Last edited: Apr 12, 2013
  10. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    10,239
    Location:
    Lloegyr
    I'm with luciddream & moontan on this. I'm a little fatigued with the 'nanny state' approach to security. The 'user' doesn't necessarily have to be educated at a postgraduate level in computing to take basic precautions. Admittedly they need to know what they are doing though.
     
  11. Wild Hunter

    Wild Hunter Former Poster

    Joined:
    Oct 13, 2012
    Posts:
    1,375
    Initially paranoids, some here are getting overconfident in their "guns" and "skills".
     
  12. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    10,239
    Location:
    Lloegyr
    Don't you have any links or 'statistics' about this WH? ;)
     
  13. Wild Hunter

    Wild Hunter Former Poster

    Joined:
    Oct 13, 2012
    Posts:
    1,375
    It's an interesting phenomenon, I have to admit.
     
  14. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    10,239
    Location:
    Lloegyr
    Yes, but I'm sure with the right attitude & some decent security apps XP could be every bit as safe as Win 7. Although what this has to do with the Firefox 20.0 Final thread I am rather at a loss to explain.
     
  15. Wild Hunter

    Wild Hunter Former Poster

    Joined:
    Oct 13, 2012
    Posts:
    1,375
    The talk headed to downgrading from Firefox 20 to vulnerable Firefox 19 and I pointed out why this isn't a good idea and what I considered better alternatives (Firefox 17 ESR, for example).

    After that, the now almost usual overconfidence demonstrations entered the scene. Threads can easily get off topic when that happens.
     
  16. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    10,239
    Location:
    Lloegyr
    Oh right, I really should pay attention to earlier threads. I'd love to give Firefox 2 a spin for old times' sake as I loved it so much. It was the first non-IE browser that I used regularly. Would I be in danger of infection if I only surfed 'good' & familiar sites? Or maybe taking some other legacy browsers for a spin maybe? I doubt any extensions could be run on them anyway.

    BTW, I'm not going to. ;)

    The first line of defence is really the browser anyway. NoScript with ABP & RequestPolicy inter alia may give you as much protection on an older OS as a newer one. If the extensions & Fx were up to date though, I should imagine.
     
  17. Wild Hunter

    Wild Hunter Former Poster

    Joined:
    Oct 13, 2012
    Posts:
    1,375
    I would say yes, because the many possibilities of exploitation are fully disclosed and present in regularly updated exploit kits, of easy management and availability - even for script kiddies.

    Also because all it takes is one visit to a compromised page - which isn't really hard, considering that even major, "good", "familiar" websites are hacked frequently.
     
  18. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    10,239
    Location:
    Lloegyr
    Yes, it's more or less a 'no brainer'. The only time I was infected I was up to date with everything. I wasn't running NoScript then though (on SeaMonkey). I do think that a suitably hardened browser is your first real line of defence though.
     
  19. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,171
  20. zmechys

    zmechys Registered Member

    Joined:
    Dec 29, 2012
    Posts:
    1,155
    Location:
    usa
    After installing Firefox 20.01 FINAL, I went to the Microsoft Download Center web-site
    https://www.microsoft.com/en-us/download/default.aspx,
    clicked on "April Updates", and my Firefox crashed.
    I've restarted Firefox again, went to the MS Download Center, clicked on "April Updates", and my Firefox crashed again.
    Before blaming Firefox for it, I need to tell that I also updated Sandboxie to version 4.01.05.
    Firefox20.01.PNG

    Some messages from Firefox's Error Console:

    Timestamp: 4/12/2013 8:08:44 AM
    Error: The stylesheet https://c.microsoft.com/trans_pixel...772118215&ts=1365772118215&qos.tl=&qos.n=init was not loaded because its MIME type, "image/gif", is not "text/css".
    Source File: jar:file:///C:/Users/.../AppData/Roaming/Mozilla/Firefox/Profiles/ifuehg9d.default/extensions/notrace@unisa.it.xpi!/components/HtmlFilter.js
    Line: 141

    Timestamp: 4/12/2013 8:08:44 AM
    Error: [Exception... "'Image HTTP->HTTPS redirection to https://www.microsoft.com/global/en-us/download/PublishingImages/sprite.png' when calling method: [nsIContentPolicy::shouldLoad]" nsresult: "0x8057001e (NS_ERROR_XPC_JS_THREW_STRING)" location: "native frame :: <unknown filename> :: <TOP_LEVEL> :: line 0" data: no]
     
    Last edited: Apr 12, 2013
  21. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    have you tried running Firefox without Sandboxie to see if the problem continues?
     
  22. zmechys

    zmechys Registered Member

    Joined:
    Dec 29, 2012
    Posts:
    1,155
    Location:
    usa
    Without Sandboxie, my Firefox did not crash when I clicked on "April Updates".
    With Sandboxie, Firefox crashed, but Sandboxie gave me the following messages:

    Sandboxie.PNG


    I did not have enough time to "double-click on this message line", like before.
    It crashed within 1 second.
     
  23. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    agcp.exe, that's Silverlight, isn't it?

    if so, you're gonna have to add it to your Sandboxie whitelist or whatever it's called.
    or temporarily disable SBie while you go to the Microsoft site to get your updates.
     
  24. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,873
    Location:
    Outer space
    Download Statusbar still working properly here with v20, perhaps it's related to the profile?


    While it may be dangerous, it's probably safer than most think as a lot of exploits won't work because they target features and code that is not present in v2, because it is so old :D

    Or disable silverlight :p The page works fine without it, it's just some video that needs it.
     
  25. zmechys

    zmechys Registered Member

    Joined:
    Dec 29, 2012
    Posts:
    1,155
    Location:
    usa
    I added agcp.exe to the SBIE whitelist, clicked on "April Updates", and my Firefox crashed.
    I've "double-clicked" on the message line from Sandboxie.

    I've checked that agcp.exe is in my Sandboxie whitelist.

    SandboxieSettings.PNG

    After restarting sandboxed Firefox, I went to the MS Download Center, clicked on "April Updates", AND MY FIREFOX CRASHED.
    There was a difference - I did not get ANY ERROR MESSAGES FROM SANDBOXIE this time.

    SandboxieCrash.PNG


    Some new messages from Firefox's Error Console:

    -------------------------------------------
    Timestamp: 4/12/2013 9:50:13 AM
    Error: this.docShell is null
    Source File: chrome://global/content/bindings/browser.xml
    Line: 323

    --------------------------------------------

    Timestamp: 4/12/2013 9:50:13 AM
    Error: [Exception... "'TypeError: isisNoTraceShare.isisNoTraceSharedObjects.completeTechArray.noidheader is undefined' when calling method: [nsIObserver::observe]" nsresult: "0x8057001c (NS_ERROR_XPC_JS_THREW_JS_OBJECT)" location: "native frame :: <unknown filename> :: <TOP_LEVEL> :: line 0" data: no]
     