from the update-your-browser-now^W-in-a-release-or-two-when-they-finally-release-a-fix dept.
Actively exploited bug in fully updated Firefox is sending users into a tizzy
Scammers are actively exploiting a bug in Firefox that causes the browser to lock up after displaying a message warning the computer is running a pirated version of Windows that has been hacked.
The message, which appears without any user interaction upon visiting a site, reads:
Please stop and do not close the PC... The registry key of your computer is locked. Why did we block your computer? The Windows registry key is illegal. The Windows desktop is using pirated software. The Window desktop sends viruses over the Internet. This Windows desktop is hacked. We block this computer for your safety.
The message then advises the person to call a toll-free number in the next five minutes or face having the computer disabled.
[...] The attack works on both Windows and Mac versions of the open source browser. The only way to close the window is to force-close the entire browser using either the Windows task manager or the Force Close function in macOS. Even then, Firefox will reopen previously open tabs, resulting in an endless loop. (Update: as a commenter pointed out, restore tabs is turned off by default.) To resolve the problem, users must force-close Firefox and then, immediately upon restarting it, quickly close the tab of the scammer site before it has time to load.
Jérôme Segura, head of threat intelligence at security provider Malwarebytes, said the Firefox bug is being exploited by several sites, including d2o1sv4d11x6bc[.]cloudfront[.]net/firefox/index.html. He said the offending code on the site was written specifically to target the browser flaw.
On Monday, Segura reported the bug to the Bugzilla forum. He said he has since received word Mozilla is actively working on a fix. In a statement sent seven hours after this post went live, a Mozilla representative wrote: ""We are working on a fix to the authentication prompt bug (https://bugzilla.mozilla.org/show_bug.cgi?id=1593795) that we expect to land in the next couple of releases (either in Firefox 71 or 72)."
(Score: -1, Flamebait) by Anonymous Coward on Thursday November 07 2019, @06:39AM
Allowing Indians to use our technology was a mistake.
(Score: 5, Funny) by driverless on Thursday November 07 2019, @07:14AM (2 children)
The Mozilla comment
was incomplete. The rest of it is:
(Score: 0) by Anonymous Coward on Thursday November 07 2019, @08:17AM
Don't forget changing their well-known and easily-identifiable logo. I had three family members call me to troubleshoot when the last update rolled out because their "internet" disappeared. I had to argue with one that refused to believe the logo had changed because "that's not the FoxFire logo. It looks nothing like a fox on fire!"
Yes, despite all the times my spouse and I have tried to correct him over the years, he really does call it "FoxFire." Every. Single. Time.
(Score: 3, Interesting) by jmichaelhudsondotnet on Thursday November 07 2019, @01:02PM
this is awesome roflmao
Don't forget they will push a few more autoupdates for auto-opt-on pocket and telemetry features with unique id's for every install!
That this bug takes until a whole new point release to fix, seems to me batshit, bonkers, wtf, who are these people.
Isn't this what the auto-update push bullshit is for? We can't be trusted to run our own updates when needed because some bug will hit the wild and need to be fixed urgently?
Why not in this case? So many questions for mozilla, so few answers. I guess we shouldn't worry our pretty little heads.
(Score: 1, Funny) by Anonymous Coward on Thursday November 07 2019, @07:15AM (1 child)
If only my Windows registry key was illegal! I pine for the day when my Microsoft software was illegal, prohibited, and quite wrong in many ways! So they managed to rope in some clueless Mac users, ha! Servers them right! For the rest of us, I only run Windows recognizable servers filled with Windows malware, to accelerate the demise of the beast. I will add this one.
(Score: 2) by SDRefugee on Thursday November 07 2019, @01:57PM
I'm waiting to see this bug, I'll laugh my ass off if/when I do... You see, I DO use Firefox BUT I don't use Windows.. Only Linux.
America should be proud of Edward Snowden, the hero, whether they know it or not..
(Score: 5, Touché) by Quicksilver on Thursday November 07 2019, @08:59AM (3 children)
And this is why we run noscript in Firefox.
(Score: 1) by slashnot on Thursday November 07 2019, @08:49PM (1 child)
Good point. I prefer uBlock, but some sort of script blocker is a must.
(Score: 2) by cmdrklarg on Thursday November 07 2019, @08:52PM
I use both NoScript and uBlock, along with Ghostery. No problems for quite a long time...
The world is full of kings and queens who blind your eyes and steal your dreams.
(Score: 0) by Anonymous Coward on Thursday November 07 2019, @09:31PM
Don't get too sure about its safety.
Recently I found a GitHjub "badges" catalog site in one of these news links aggregates. Displaying these pages with NoScript was a mess for my processor. Why? Over 20kB of interlocked CSS... PER ITEM. Yes, per a small picture, I tried to analyze it and found that:
- Generally this just resizes the picture.
- In some case it fallbacks to PNG instead of SVG.
- In some cases it resizes the PNG.
- Its "compression" adds ambiguity.
- It overuses browser CSS extensions.
And it needs about 20-30 seconds of CPU time to do it.
No scripts needed to hang your browser.
Hope that Mozilla will not work as they usually do. In exact: They will not remove an entire http simple authentication thinking that everyone should use a company-provided (I bet this will be CF) 6-factor authentication, giving them all data about you only to log into this RPi's HTTP status page.
(Score: 5, Insightful) by inertnet on Thursday November 07 2019, @09:37AM (2 children)
Or disconnect from the internet before restarting your browser.
People nowadays seem to think that an internet connection is involuntary.
(Score: 2) by jmichaelhudsondotnet on Thursday November 07 2019, @01:09PM (1 child)
If you use computers without understanding anything about computers, there is a 60/40 chance of you having a bad time.
Everything you do to understand computers better increases that chance a tiny, tiny bit.
You can quote me on this, it is an iron law.
For someone looking at this 5 minutes to doom message, who has no background and wants to know as little about technology or 'hard stuff' as possible, determining the correct response is a real challenge. You know literally nothing about why or where this message came from.
The message could say 'in 30 seconds this message will self destruct' and you would have to believe it.
My first computer program on the apple 2e was just a FLASH statement that covered the screen with 'The police have been alerted to your crime. You are under arrest.'
It just looks so convincing, I just laughed and laughed. If my parents had walked in they would have actually thought it was true even though we didn't have the modem attachment, and it might have been logical for them to actually call the police and confirm we were not under arrest.
lol this technology shit
(Score: 0) by Anonymous Coward on Thursday November 07 2019, @03:01PM
Wish this blackpill wasn't true. Imagine being a luser, happily going through life unconcerned by systemd, windows, and the like. Sure, your computer doesn't work half the time, but when it does work, you can just enjoy it.
(Score: 1, Informative) by Anonymous Coward on Thursday November 07 2019, @01:07PM (3 children)
So basically there's a bug that bricks the browser and they may get to it in a few releases?
Wow, just, wow
I switched to Pale Moon a few weeks back, it seems I shouldn't bother looking back.
(Score: 2, Insightful) by Maskawanian on Thursday November 07 2019, @04:03PM (2 children)
That doesn't make sense Pale Moon is just an older version of firefox, it should have the exact same denial of service attack. Pale moon would even be worse for this since they are stuck with the old UI that likely limited updating this in the first place.
(Score: 1, Informative) by Anonymous Coward on Thursday November 07 2019, @06:37PM (1 child)
palemoon is a fork of firefox and its codebase is updated and improved separately from firefox.
See: https://www.palemoon.org/ [palemoon.org]
(Score: 0) by Anonymous Coward on Friday November 08 2019, @12:19AM
Nothing of that invalidated their point. In fact Palemoon does have the same problem. However, it appears the same patch will fix the underlying logic, as the file in question isn't touched too much. Well other than fixing bugs that is. Of course, they don't actually fix the problem, they just hid the prompts unless you are the kind of power user who wants them.
That's it. Other than adding the preference and changing the code comments, that is the whole change.
(Score: 2) by Alfred on Thursday November 07 2019, @02:08PM (1 child)
(Score: 2) by Mojibake Tengu on Thursday November 07 2019, @03:57PM
Mac users use mostly Safari. It's Firefox on Mac what sucks all the time.
Respect Authorities. Know your social status. Woke responsibly.
(Score: 0) by Anonymous Coward on Thursday November 07 2019, @03:30PM
just made his annual bonus.