web application security lab

Firefox 2.0 Released

Well, technically Firefox 2.0 has been ready for a while now, but tomorrow is really the big day that it gets pushed out. But Firefox 2.0 is available today for download. And download I did. Almost the first thing I noticed was the spell check in text areas. I almost didn’t notice it at first because it was so intuitive, but there it was. Very cool feature. Next I tried the anti-phishing filter:



Picked up the very first site I threw at it. So all of that appears to be great for the consumer and great from a security perspective. Now here’s the bad. Upon install it broke a number of installed plugins. Namely:

  • Fasterfox (oh well, who needs speed)
  • Switch Proxy (ugh! this is one of the most useful plugins I have for switching back and forth between burp suite)
  • Server switcher (not particularly useful anyway - useful when switching back and forth between QA environments seamlessly but nothing really lost)
  • Firefox View (never used it anyway so it’s okay)
  • SEOopen (I don’t use it much anymore since I got Search Status so that’s okay too)
  • Safe History (I guess the CSS history hack is back in force again)

So if you can handle that annoyance I’d say upgrade. It handles about the same, but only time will tell what major differences lie under the nice new exterior. Also, I was amazed that Firefox still hasn’t implemented HTTPOnly. I think it’s just getting ridiculous. I know it’s a Microsoft non-standard convention, but it’s a good idea, and I’m amazed that it’s still not implemented. Overall though I’m pretty happy except for the switch proxy plugin being broken. That one is going to hurt bad since that simple plugin is one of the major reasons I use Firefox for testing more than Internet Explorer. Oh well, back to doing things by hand.

16 Responses to “Firefox 2.0 Released”

  1. john Says:

    To replace SEOpen you might want to try the oy-oy.eu extension - it runs in FF2.0 and has a few more tricks …

  2. RSnake Says:

    Thanks, John… what sort of features is it? I’m always a little hesitant to download random things from random websites.

    Apparently, this exploit works in Firefox 2.0 final:
    http://lcamtuf.coredump.cx/ffoxdie.html

  3. dre Says:

    Use Mr. Tech Local Install. It allows you to override the compatibility issues. I also use SafeHistory and SwitchProxy with no problems under Firefox 2.0 and have been doing so for awhile.

  4. Spikeman Says:

    You can turn off Firefox 2’s extension compatibility checking in about:config and all of your extensions should work.

    To do this follow these steps:

    1) Go to about:config
    2) Right click and go to New>Boolean
    3) As the name enter extensions.checkCompatibility
    4) Set the value to false
    5) Restart Firefox, everything should work

  5. pagespank Says:

    In older extensions, you may want to try changing the value for the tag in the ‘install.rdf’ file to “2.0.*”. You can find the relevant install.rdf file in:

    C:\Documents and Settings\[user]\Application Data\Mozilla\Firefox\Profiles\zvi5k40c.default\extensions\[extension gui]

    As there appear to be few changes in the way extensions work for Firefox 2.0 this should work for most older extensions that haven’t been updated.

  6. Stefan Esser Says:

    I just released a little extension for Firefox 2.0 that uses a funny hack to implement httpOnly cookies.

    Your comments are welcome…

    The idea is described here: http://blog.php-security.org/archives/40-httpOnly-Cookies-in-Firefox-2.0.html

  7. RSnake Says:

    Dre: Where do you find that? I haven’t heard of it. What exactly does it do?

    Spikeman: you’re a lifesaver - Switchproxy is back up and running again, thank god.

    pagespank: Thanks for the tip, Spikeman’s trick worked like a charm. I think they probably do the same thing anyway.

    Stefan: Very cool! I got it installed and verified that it worked. But unfortunately, my main problem with HTTPOnly is that it isn’t supported by all browsers. Having me and you being the only people with this extension it doesn’t make HTTPOnly a more viable option to protect against cookie theft. Of course there are still ways around HTTPOnly but I’d rather create the hurdle where possible.

  8. alf. Says:

    hehe, RSnake, didn’t think you’re using Win :-(
    Come over get SuSe it fuckin rocks ;)

    cheers !

  9. RSnake Says:

    alf, I use a lot of different things: http://sla.ckers.org/forum/read.php?11,62,page=1#msg-72 (for a list) and http://sla.ckers.org/forum/read.php?11,62,page=1#msg-253 (for photos)

    Basically my philosophy is this. I need to be testing whatever is relevant. That means if Windows XP SP2 with IE7.0 is 75% of the market share, I need to be testing that. If SuSe with Firefox 1.5 is relevant due to market share, you can bet money I have it installed the very same day.

  10. Sven Vetsch / Disenchant Says:

    Hi RSnake,
    a few minutes ago I posted something in my Blog (www.disenchant.ch) which could be interesting. At the moment I found two ways for bypassing the phishing-filter of the new Firefox. That’s what I’ve found in about 30 minutes so I’m looking forward to hear about or finding other possibilities :)

    PS: The first one is stupid I know but the second is really interesting I think.

    Regards,
    Sven

  11. Stefan Esser Says:

    Hey Rsnake,

    I mainly wrote this extension as a proof of concept.
    Maybe the existence of this extension and maybe a high download count from the addons.mozilla.org site can convince them, that this feature is really wanted and needed.

    And I also demonstrated that it can be implemented in a way compatible to the old fileformat. Okay I admit, I am doing a little hack, but it works…

    Stefan

  12. john Says:

    RSnake: it’s a simple extension that like SEOpen lets you fire off a bunch of search engine queries (and other online tools) for the current page / domain. If you ever worry about extensions, remember you can rename the .xpi to .zip, open the file with a zip-manager, rename the .jar to .zip as well and open that as well. The javascript is usually in the jar-file. Of course the javascript in the extension could do more than the code on a page - lots of interesting exploits are possible from a trojan extension.. hmmmm :-) That’s why I prefer code-signed extensions (assuming you can trust the signer / certificate issuer)
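
The manual review described in the comment above (open the .xpi as a zip, then open the .jar inside it the same way) can be scripted so that every JavaScript file is pulled out for reading before an extension is installed. This is an added example, not part of the original thread; the function names, size and depth limits, and the sample archive are constructed for illustration.

```python
import io
import zipfile

SCRIPT_EXTS = (".js", ".jsm")
ARCHIVE_EXTS = (".jar", ".zip", ".xpi")
MAX_DEPTH = 3                         # assumption: do not follow deeper nesting
MAX_MEMBER_BYTES = 20 * 1024 * 1024   # assumption: skip members declaring > 20 MiB


def list_scripts(data, prefix="", depth=0):
    """Return {path: source_bytes} for each script in an XPI, following nested JARs."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            lower = info.filename.lower()
            if info.is_dir() or info.file_size > MAX_MEMBER_BYTES:
                continue
            if lower.endswith(SCRIPT_EXTS):
                found[prefix + info.filename] = zf.read(info)
            elif lower.endswith(ARCHIVE_EXTS) and depth < MAX_DEPTH:
                inner = zf.read(info)
                # A .jar is a zip under another name; recurse only if it really is one.
                if zipfile.is_zipfile(io.BytesIO(inner)):
                    nested = prefix + info.filename + "!/"
                    found.update(list_scripts(inner, nested, depth + 1))
    return found


def build_sample_xpi():
    """Constructed sample: install.rdf, one component script and chrome/sample.jar."""
    jar = io.BytesIO()
    with zipfile.ZipFile(jar, "w") as zf:
        zf.writestr("content/overlay.js", "function onLoad() { /* constructed */ }\n")
        zf.writestr("content/overlay.xul", "<overlay/>")
    xpi = io.BytesIO()
    with zipfile.ZipFile(xpi, "w") as zf:
        zf.writestr("install.rdf", "<RDF/>")
        zf.writestr("chrome/sample.jar", jar.getvalue())
        zf.writestr("components/helper.js", "// constructed component\n")
    return xpi.getvalue()


if __name__ == "__main__":
    for path, src in sorted(list_scripts(build_sample_xpi()).items()):
        print(f"{path} ({len(src)} bytes)")
```

To review a real download, pass the bytes of the .xpi file to `list_scripts` and read the returned sources before installing.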

  13. Sven Vetsch / Disenchant Says:

    It seems like there was an anomaly in my Firefox. Option 2. will not work in the way I described in my Blog. It’s interesting anyway that the message which says that it’s a phishing site popping up about one second later as it does if you directly navigate to the same site. Sorry for false alarm :(

  14. RSnake Says:

    Don’t worry, false alarm or not it got me thinking. I’m sure there will be many many more to come…

  15. Shazbot Blog » Blog Archive » SwitchProxy for Firefox 2 Says:

    […] Update 2: You can bypass firefox version extension checking, details here. […]

  16. asdf Says:

    please hack for Cookie Button https://addons.mozilla.org/firefox/1247/
