Firefox bug also affecting old legacy versions and forks

[gepus]

Actively exploited bug in fully updated Firefox is sending users into a tizzy

The bug applies also to old legacy versions of Firefox and forks.

[Moonchild]

Long since been patched in Pale Moon. (also, not sure why you are calling attention to something from May)

[coffeebreak]

(also, not sure why you are calling attention to something from May)

The article is dated: 11/5/2019. Moonchild, it's from November (it uses U.S. dating conventions).

[gepus]

also, not sure why you are calling attention to something from May

Simply because the bug applies to Pale Moon 28.7.2 as well.

[moonbat]

The fact that someone would be halfwitted enough to think that <random Cloudfront subdomain> asking you for a password is a legitimate Microsoft site is why my faith in the human race firmly remains at zero. And that's after you see a poorly worded message like that.

Then again there are also people who insist that Firefox respects privacy no matter what.

[Night Wing]

When I was down volunteering at the computer repair shop I frequent quite often about three weeks ago; since the shop is owned by my next door neighbor, a customer came in with his desktop tower computer. He was using Firefox in Windows 7 as his default browser. This bug was in Firefox and he told me Firefox was locked up.

I asked him if he used the Task Manager to close Firefox. He said he had, but when he restarted Firefox, the process in one of his five tabs started again and locked up Firefox. He asked me if I could fix it. I told him I should be able to solve the problem in a "few minutes of time".

So I hooked up his desktop tower to a power cord, a keyboard, a mouse and a monitor, but I didn't install the ethernet cable. Without the ethernet cable, there was no way to get to the internet. Then I booted up Firefox, saw the tabs trying to load, but without an internet connection, none of the sites could load. I then closed all five tabs by the "X" in them. Then I quit Firefox which took me to his Desktop photo.

Then I reconnected the ethernet cable so I could gain access to the internet, then booted Firefox again and all of his tabs were gone. He was then a happy camper. He asked me how much did he owe the shop. I told him "no charge". I then told him to remember what I had done if he ran into this minor problem again.

The shop does this type of "repair", for the want of a better term, but this type of quick service without charge brings the shop quite a lot of repeat business when customers have a very real serious problem with their computers and which also gives the shop, "referrals".

[Lootyhoof]

The referenced bug #1571003 does seem to still apply. It includes a link to a PoC which I won't directly link here (care should be taken as it DOES continually spam dialog boxes).

[RoestVrijStaal]

By the way, the website of the PoC features several other exploits which affect Pale Moon as well, after testing it at my side.

[Moonchild]

The screenshot in the article shows a regular auth prompt which is something that was addressed a while back. That's why I didn't look any further. As for the date confusion, since this -was- an issue around the time I misread it as, it's an easy mistake to make. I usually deal with either DD/MM/YYYY or YYYY-MM-DD dates

Apparently the linked bug is about the abuse of a different prompt related to the same (basic auth) method. I've read through it and the cases these prompts were added for really don't seem to apply on today's Internet, so preffing it and defaulting to off is certainly something to do.

[Moonchild]

Tracking this in Issue #1275 (UXP).

[vannilla]

Apparently the linked bug is about the abuse of a different prompt related to the same (basic auth) method. I've read through it and the cases these prompts were added for really don't seem to apply on today's Internet, so preffing it and defaulting to off is certainly something to do.

Can you elaborate on this? I'm courious to know what's different than the already-addressed prompts.
The article linked in the OP isn't really explanatory on the matter.

[Admin]

How about this very clear explanation (in the already-linked bug): https://bugzilla.mozilla.org/show_bug.cgi?id=1571003#c4

[vannilla]

Thanks. Somehow I missed Lootyhoof's post with the bugzilla link.

[therube]

I've posted a real, live link (& in that regard, tread carefully) in this thread, if you're inclined:

https://www.dslreports.com/forum/r32565 ... ding-users