71 comments

[ 1.6 ms ] story [ 125 ms ] thread
> But researchers found that the bug could allow malicious JavaScript to run outside of the browser on the host computer.

The phrasing may unfortunately mislead the less technical readers of their audience.

JavaScript always runs “on the host computer”, this should be described as a sandbox escape.

I’d say “allowing the code to run on the host computer” is way less confusing for the less technical people than “allowing the code to run outside the sandbox”. Most people have absolutely no idea what sandboxing means.
IHMO lying / being vague is never good when trying to educate someone. Non-technical people are not dumb and can understand what a sandbox is.
Have you ever read a summary of a license or a legal document? It's the same idea.

Simplifying terms and using approximations so that the uninitiated can understand is not lying, it's good communication. We can't use jargon all the time.

You can still cut the jargon and tell the essence. E.g. "the exploit allows malicious code to run without the confines of the browser, giving it access to everything the user normally has access to".
> JavaScript always runs “on the host computer”

But they carefully qualified it with "outside of the browser [meaning sandbox]" and you left that out of your quote.

“Browser” does not mean “sandbox” though.
I think they're using it short for 'browser's sandbox.' Try reading it charitably rather than bending over backwards to find fault and making wild accusations of 'lying.'
Not really, I think. "[O]utside of the browser on the host computer" implies that there are other possible ways in which JavaScript could execute, one of those inside of the browser on the host computer, which is pretty much the expected thing and tangentially covers the concept of sandboxing.
A chain is as strong as its weakest link. Firefox's privacy characteristics are as strong as its security track record.
I'm amazed this is allowed on hacker news. Anytime I've said anything remotely critical of Firefox it has been flagged and removed from here.
Perhaps it's the way you say it, rather than what you say?
There's a steady stream of criticism from other users that is not getting flagged (and is often highly upvoted). Consider contacting the mods using the footer link to ask what they think might be different about your comments that results in HN readers flagging them.
Look again, a bunch of the original comments are gone.
Please email the mods using the contact link in the footer and indicate that you think Firefox comments are being unduly flagged for inappropriate reasons. They can see and search all flagged comments, in order to evaluate your concerns. We normal users can't prove the negative you're declaring and your concern of a conspiracy against Firefox criticism is offtopic for this post about a zero-day security issue.
Complaining about getting flagged or downvoted makes it likely to be flagged or downvoted, on HN or elsewhere. Your comment doesn't even say anything negative about Firefox, it's just vague complaining.
My most recent post was about the performance of Firefox on MacOS and comparing it to chrome and safari, then also looking at battery life. It was immediately removed.
Use noscript. It's possibly one of the best add-ons out there now.
Or uMatrix (which I prefer in terms of UI but should be equal feature-wise)
Unfortunately there are too many sites that refuse to work without javascript, so any security benefits is negligible because it's very easy to be social engineered into enabling javascript.
(comment deleted)
There are surprisingly few, and importantly you don't have to enable all the adtech networks that may or may not have a good security track record.
It’s defense in depth. And most sites work fine with 90% of their script-serving domains blocked.
You can get most to work by whitelisting one domain while keeping the cesspool of trackers off your computer. If it still doesn't work there are better things in life to spend time on than somebody's poorly constructed website.
This is what I do and I 100% agree about lazy people that aren't willing to make a halfway decent website. I'm not that old, but sometimes I just want a website with text. I don't need autoplaying videos with a billion slideshow images and shown how fantasmagical your company is.
What I would like is the ability to replace scripts (including (but not limited to) inline scripts) with my own versions.
...but it's not enough.

With some effort javascript from known sites could be fingerprinted and vetted.

An unexpected change could trigger a warning and blocking.

But with WASM we are really in trouble.

... or use Chrome, which has a much better security track record.
(comment deleted)
Throw your privacy away? The privacy features in chrome are labeled bugs in firefox.
Not sure if this has changed but I ditched noscript when I discovered it doesn't block inline script execution. These days I use Ublock Origin:

Settings -> check 'I am an advanced user'. You should now be able to block 1st party, third party and inline JS from executing and save on a per-site basis. Hope this helps someone!

citation on the inline script claim?
I don't have one. I did use the web interface for Spotify though and it did some JS stuff when I left it for a bit; that's how I noticed.
Can anyone confirm if 73.0b3 includes the same fix?

Their "what's new" link in the beta's About window doesn't track with the beta release cycle. There's no revision listed, so I think the notes are for 73.0b1 still? At any rate, there's no mention of any security fixes.

https://www.mozilla.org/en-US/firefox/73.0beta/releasenotes/

I sure hope so since 73.0b3 is the most recent available version of Developer Edition. It's odd to not have any messaging about the non-mainstream editions.
The 73.0b3 release tag is 18 hours ago, compared to that "What's new" page dated 1/7, so it does appear to be newer. See my reply to myself above; as far as I can tell the beta has the same changes (though I didn't manage to fumble my way to the specific commit that fixed it, or whatever the analogous term is for mercurial).

Their developer edition "What's new" page seems more about marketing upcoming changes before they land in the mainline release than anything else.

I'd like to assume they're always on top of getting the same fixes into developer versions at the same time, but since they don't actually tell us anywhere I always feel like I have to check.

I don't know my way around Firefox's source control at all, but I tried to do some digging. My first thought was to look through the changelogs on recent release tags, but there's no mention of the CVE that I can find in any of them.

I did find these changes in 72 which look related to the bug:

https://hg.mozilla.org/releases/mozilla-release/rev/8260da04...

And poking at one of those referenced files in the beta channel looks like it has the same changes:

https://hg.mozilla.org/releases/mozilla-beta/file/tip/js/src...

So I think we're good on beta channel?

Even security fixes run the Nightly -> Beta -> Release gauntlet, so yes, Beta is fixed.
I asked on Twitter if 73.0b2 had the fix and was told that it did, so we should be good!
Thanks! I don't really do twitter, but maybe I should! Pretty quick turnaround there.
Looks like they've been updated now to mention that the fix was included in beta 2. I guess they're reading this thread :)
A warning and a fix within two days of releasing the affected version. I appreciate this team’s transparency and priorities.
Well, it also affected 68 ESR which was released in July, so detection wasn't that fast.
And it likely existed many years before that but these were the only 2 active versions to get a patch.
They could be more transparent by saying exactly which Firefox versions are affected, which is an accepted norm. Unfortunately, this is not the first time users have been left guessing.
It just says "Firefox and Firefox ESR" are affected... no versions published there https://www.mozilla.org/en-US/security/advisories/mfsa2020-0...

I assume some research into IonJIT will be done to see where it was introduced but by the sounds of what it does it could have been long ago.

Those are the only two maintained versions of Firefox, so it makes complete sense for their report to be limited to those two. It seems a bit useless to go back and find the point in time where it first appeared, but I guess it could be interesting.
Firefox is creepy AF. I was just listening to "Diamond Ned Flanders" by MadeinTYO on Apple Music, and when I open Firefox the "suggested article" on the front page is about Ned Flanders. That's some Facebook type shit right there. Uninstalled.
If it makes you feel any better, I've the same article on mine with no previous Flanders activity.
The rolling stone article? I also had it
Yeah but they knew you were going to read this comment obviously.
Time travel confirmed.
Provided by Quantum Entanglement Advertising. You want it now because we sold it to you later.
Could you please stop posting unsubstantive and/or flamebait comments to HN? We've already had to ask you this, and you've been doing it a lot.

Also, while I have you, please stop using HN for ideological battle—you've been doing a lot of that as well, and it destroys what this site is for (https://news.ycombinator.com/newsguidelines.html), regardless of which ideology you favor or disfavor.

Also, can you please not systematically delete comments? Deletion is for things that shouldn't have been posted in the first place. Deleting more than half of what you post is not an intended use of the threads.

Oh, I didn't see it, maybe it was flagged.
I wish there was a way to PM on HN, atleast for mods to HN users. I mean no offense, but public humiliation isn’t useful most of the times.
Is this any different from the bug that was patched in 72.0.1 already?
No, it's the same bug. From the article: "... advising users to update to Firefox 72.0.1, which fixes the vulnerability".
> The vulnerability, found by Chinese security company Qihoo 360...

Isn't this the same company that was just being roasted for having spyware installed in Samsung phones?

Just because they ship spyware doesn't mean they want other people spying on their customers or setting up botnets...

Alternately, who knows whether they found this exploit a while back and only went public once they discovered someone else was using it?

Or they sat on it and released it to distract from the bad press they got. Everything is possible.