"Host:" Parameter Remote Buffer Overflow Vuln

Firefox, Thunderbird, SeaMonkey, Camino, Mozilla, Netscape 6/7/8/9, and all Gecko-based browsers discussion and support forum.
(MozInfo701, Netscape Browser Archive)


Postby J-M » Sat 10 Sep, 2005 7:02 pm

Result:

....Gecko/20050729 (No IDN) Netscape/8.0.3.3

It works, but I don't know how safe this is. Any opinions?
UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.5) Gecko/20050729 (No IDN) Netscape/8.0.3.3
J-M
diamond member
 
Posts: 815
Joined: Sun 25 Jul, 2004 9:16 am
Location: Helsinki, Finland

Postby Alice » Sat 10 Sep, 2005 9:34 pm

J-M wrote: Thanks for spreading your thorough notes.

No problemo, I had the notes handy (I save all my notes as text files.)

J-M wrote: Yes, examining the .xpi package with WinZip is possible; many users tried this method with the old http://ftp.mozilla.org/pub/mozilla.org/ ... lblock.xpi patch (see details at http://www.mozilla.org/security/shell.html ) as well.
It seems that the manual method (about:config) doesn't affect the user agent at all. In fact, this is what many users want. If she/he has the skills to modify about:config or the prefs.js file, she/he has skills enough to check the state of the network.enableIDN value too.

I used the manual "about:config" method in DeerPark and SeaMonkey, as mentioned in my notes, and also in my two Netscape 7.2 profiles. I have four Mozilla Suite and three Firefox 1.0.6 profiles, so it was easier to simply use the XPI and get all those profiles done at once.
UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.11) Gecko/20050728 (No IDN)
Alice
Mozilla Champion
 
Posts: 1790
Joined: Sun 21 Jul, 2002 8:57 am

Postby Alice » Sat 10 Sep, 2005 9:48 pm

J-M wrote:Result:

....Gecko/20050729 (No IDN) Netscape/8.0.3.3

It works, but I don't know how safe this is. Any opinions?

I probably would have used the manual method (I no longer have Netscape 8 installed), but if Netscape 8 about:config now shows the network.enableIDN default preference value as "false", then I would guess that the XPI update did its job, if that's what you meant.
UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.11) Gecko/20050728 (No IDN)
Alice
Mozilla Champion
 
Posts: 1790
Joined: Sun 21 Jul, 2002 8:57 am

Postby J-M » Mon 12 Sep, 2005 7:43 am

The recent version of the Mozilla Foundation security advisory from the Mozilla Update site (the advisory link now redirects to https://addons.mozilla.org/messages/307259.html ):

How to update

There are two methods for resolving this problem. The first method is to install a small download and the second method is to manually change the browser configuration. You only need to do one of the two.

Installing the Patch

* To install the security patch for Firefox or the Mozilla Suite, follow these instructions:
1. Firefox and Mozilla Suite users click this link: http://ftp.mozilla.org/pub/mozilla.org/ ... 307259.xpi
2. In the Software Installation window, click the "Install Now" button.
3. Exit and restart your Mozilla or Firefox browser.
* To verify the fix in Firefox and the Mozilla Suite, be sure to restart the browser and then follow these steps:
1. In Firefox Click Help -> About Mozilla Firefox and verify that the user agent string contains "(noIDN)"
2. In the Mozilla Suite Click Help -> About Mozilla and verify that the user agent string contains "(noIDN)"

Manually Configuring the Browser

* To manually change the browser configuration for Firefox or the Mozilla Suite, follow these instructions:
1. Type about:config into the address field and hit Enter.
2. In the Filter toolbar, type network.enableIDN.
3. Right click on the network.enableIDN item and select toggle to change the value to false.
* To verify the fix in your Firefox or Mozilla application, be sure to restart the browser and then follow these steps.
1. Type about:config into the address field and hit Enter.
2. In the Filter toolbar, type network.enableIDN.
3. Ensure that the value for this item is set to false.


Font size changes in titles done by me.
UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.0; fi-FI; rv:1.7.10) Gecko/20050717 (No IDN) Firefox/1.0.6
J-M
diamond member
 
Posts: 815
Joined: Sun 25 Jul, 2004 9:16 am
Location: Helsinki, Finland

Re: BetaNews has a report

Postby Antony » Mon 12 Sep, 2005 8:08 am

I mentioned this earlier, Security Vulnerability Threatens Firefox:
A security researcher has issued an advisory on a new vulnerability in Firefox that could lead to the remote execution of arbitrary code. The flaw was first reported to Mozilla developers by Tom Ferris earlier this week, but he opted to publicly disclose the problem following a disagreement.

What happened between Tom Ferris and Mozilla Foundation? What has Mozilla Foundation done to him?
UserAgent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/412.7 (KHTML, like Gecko) Safari/412.5
Antony
diamond member
 
Posts: 14343
Joined: Tue 18 Jun, 2002 11:36 pm
Location: Sydney, Australia

Postby Alice » Mon 12 Sep, 2005 8:25 am

J-M wrote: The recent version of the Mozilla Foundation security advisory from the Mozilla Update site (the advisory link now redirects to https://addons.mozilla.org/messages/307259.html )

That's the url where I found the 307259.xpi download link (from my 09-10-2005 notes).

By the way, in case anyone else was wondering, 307259 refers to the bugzilla bug report number:
https://bugzilla.mozilla.org/show_bug.cgi?id=307259
Bugzilla Bug 307259 Firefox 1.0.6 buffer overflow with hostname of all soft hyphens

More here:
http://forums.mozillazine.org/viewtopic.php?t=315656
...which links to:
http://forums.mozillazine.org/viewtopic.php?t=315499
Highly Critical Vulnerability Reported by Secunia
UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.11) Gecko/20050728 (No IDN)
Alice
Mozilla Champion
 
Posts: 1790
Joined: Sun 21 Jul, 2002 8:57 am

Postby Fulvio » Mon 12 Sep, 2005 1:26 pm

I used 307259.xpi to drag and drop into Mozilla1.7.11 and Seamonkey1.1 nightly shortcuts, and dragged and dropped the same .xpi into my extension box of FF1.0.6 and FF1.5b1 nightly. I used the same file, because the drag and drop has only the effect of waking up the browser to accept the installation. This way I get things done very quickly. In all cases the network.enableIDN line was changed to false.
For NS8.0.3 the switch was done very quickly as well, and the change was done by selecting the line | right click | toggle.
And, for NS7.2, the change was similar, but I had to select to change and type false. This is one of my two profiles in 7.2. It shows false in about:config, but not in my useragent.
But the Secunia test is still telling me that I am vulnerable. Same with 8.0.3.
UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.2) Gecko/20040804 Netscape/7.2 (ax)
A minority may be right, and a majority is always wrong
~ Henrik Ibsen
WinXP, SP3, 512 MB, FF10, SM2.7, TB10, IE8.0, PC Tools Firewall , Avast 6.x, JRE1.7_02
Fulvio
Moderator
 
Posts: 11827
Joined: Wed 19 Jun, 2002 10:08 am

Postby Alice » Mon 12 Sep, 2005 8:58 pm

Fulvio wrote: But, the Secunia test is still telling me that I am vulnerable.

Which test is that?
UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.11) Gecko/20050728 (No IDN)
Alice
Mozilla Champion
 
Posts: 1790
Joined: Sun 21 Jul, 2002 8:57 am

Postby Fulvio » Mon 12 Sep, 2005 10:15 pm

Alice,
I found out a few things. 1. I must have gotten the wrong link.
2. It had been my understanding that the patch was not for Netscape.
3. Apparently, the patch changes the username, but would I not be protected by just making the config change?
Did I get anything right?
UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b4) Gecko/20050905 (No IDN) Firefox/1.0+
A minority may be right, and a majority is always wrong
~ Henrik Ibsen
WinXP, SP3, 512 MB, FF10, SM2.7, TB10, IE8.0, PC Tools Firewall , Avast 6.x, JRE1.7_02
Fulvio
Moderator
 
Posts: 11827
Joined: Wed 19 Jun, 2002 10:08 am

Postby Alice » Tue 13 Sep, 2005 7:17 am

Fulvio wrote: 3. Apparently, the patch changes the username, but would I not be protected by just making the config change?
Did I get anything right?

You would be protected by simply modifying the "network.enableIDN" preference to false using about:config in EACH Netscape 7.2 profile.

The patch adds the preference value ("network.enableIDN", false) as the default for each profile. It also changes the UserAGENT, adding a (No IDN) entry. In my case, the patch removed the (ax) portion of my Firefox UA (which I later fixed, per my notes). I don't know if the patch will also remove the (ax) from the Netscape 7.2 UA since I used the manual workaround (about:config) in both of my Netscape 7.2 profiles.
UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6 (ax)
Alice
Mozilla Champion
 
Posts: 1790
Joined: Sun 21 Jul, 2002 8:57 am

Postby Fulvio » Tue 13 Sep, 2005 3:01 pm

I am using NS7.2 with ax, and I finally got the patch in. I reversed the about:config from false to true, just in case.
I have two NS7.2 profiles, and this was the most stubborn. My technique of drag and drop into the desktop shortcut, which worked for Mozilla1.7.11, Seamonkey1.1a and one NS7.2 profile, by opening the browser and coming up with the install of the .xpi, did not work for this profile. I had to use the link to get the installation with NS open. Now, for all it is worth, all browsers have the patch.
By the way, I was misled by the article about the patch, which said:
* To install the security patch for Firefox or the Mozilla Suite, follow these instructions:
1. Firefox and Mozilla Suite users click this link: http://ftp.mozilla.org/pub/mozilla....ches/307259.xpi etc.
while it said
Manually Configuring the Browser - Firefox, Mozilla, and Netscape 7.2 and Netscape Browser 8.0.3.3
There was no mention of NS in the writeup. On top of it I was trying to do tests which were not applicable, so you can see my confusion.
But everything has "no IDN", and it works ok.
UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.2) Gecko/20040804 (No IDN) Netscape/7.2 (ax)
A minority may be right, and a majority is always wrong
~ Henrik Ibsen
WinXP, SP3, 512 MB, FF10, SM2.7, TB10, IE8.0, PC Tools Firewall , Avast 6.x, JRE1.7_02
Fulvio
Moderator
 
Posts: 11827
Joined: Wed 19 Jun, 2002 10:08 am

Postby Alice » Tue 13 Sep, 2005 3:41 pm

Fulvio,

After seeing your Netscape 7.2 UA I went back and UNfixed the bug307259.js line I had commented out and I see that both (No IDN) AND (ax) DO appear in Firefox 1.0.6 UA as tested here: http://gemal.dk/browserspy/basic.html

It's just that the (ax) appears to be missing from the end of the UA when you check in Help > About Mozilla Firefox. The (ax) does appear if you highlight the UA and then drag the mouse down....

How embarrassing :oops: :P
UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.10) Gecko/20050716 (No IDN) Firefox/1.0.6 (ax)
Alice
Mozilla Champion
 
Posts: 1790
Joined: Sun 21 Jul, 2002 8:57 am

Postby J-M » Tue 13 Sep, 2005 4:16 pm

Alice wrote:
Fulvio wrote: But, the Secunia test is still telling me that I am vulnerable.

Which test is that?


Yes, there isn't any test URL from Secunia etc.
UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.5) Gecko/20050729 (No IDN) Netscape/8.0.3.3
J-M
diamond member
 
Posts: 815
Joined: Sun 25 Jul, 2004 9:16 am
Location: Helsinki, Finland

Postby Fulvio » Tue 13 Sep, 2005 10:13 pm

Alice,
why did you bring that up? I was happy that all was well. Then I take a look at Firefox, and, did I have an ax? Who knows? But I highlighted and dragged down, and nothing shows up. And this is what shows up on the gemal.dk website: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.10) Gecko/20050716 (No IDN) Hyperturtle/1.0.6
There is an npmozax.dll file in the plugins folder. The test for the ActiveX plugin works.
UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.11) Gecko/20050728 (No IDN)
A minority may be right, and a majority is always wrong
~ Henrik Ibsen
WinXP, SP3, 512 MB, FF10, SM2.7, TB10, IE8.0, PC Tools Firewall , Avast 6.x, JRE1.7_02
Fulvio
Moderator
 
Posts: 11827
Joined: Wed 19 Jun, 2002 10:08 am

Postby Alice » Wed 14 Sep, 2005 4:48 am

Fulvio wrote: this is what shows up on the gemal.dk website: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.10) Gecko/20050716 (No IDN) Hyperturtle/1.0.6
There is an npmozax.dll file in the plugins folder. The test for the ActiveX plugin works.

My activex.js file (in C:\Program Files\Mozilla Firefox\defaults\pref) includes the line, pref("general.useragent.vendorComment", "ax"); which is what adds the (ax) to my UA.

Hyperturtle/1.0.6?
You have a Firefox extension of some sort that changes your UA? That may also be a factor.
UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.11) Gecko/20050728 (No IDN)
Alice
Mozilla Champion
 
Posts: 1790
Joined: Sun 21 Jul, 2002 8:57 am
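The two checks the quoted advisory gives (the network.enableIDN value in about:config and the "(No IDN)" marker in the user agent) and the defaults/pref files Alice mentions can be exercised offline. The following is an added example, not code from the thread, from Mozilla or from Netscape: it parses pref files in the pref()/user_pref() syntax using constructed sample contents, merges application defaults with a profile's prefs.js the way the browser does, and reports what each check would say. It assumes that network.enableIDN defaults to true when no file sets it (which is why the advisory says to toggle it to false) and that a profile's user_pref() lines override application defaults.

```python
"""Added example: check a Mozilla-family profile for the network.enableIDN
mitigation by reading pref files the way about:config does.

Assumptions (not from the original thread): pref files use the standard
pref("name", value); / user_pref("name", value); syntax, application
defaults are read before the profile's prefs.js, and network.enableIDN
defaults to true when no file sets it."""
import re

# One pref line: optional user_ prefix, quoted name, then a string, bool or int.
PREF_RE = re.compile(
    r'^(user_)?pref\(\s*"([^"]+)"\s*,\s*'
    r'("(?:[^"\\]|\\.)*"|true|false|-?\d+)\s*\)\s*;'
)

# Patched user agents in the thread read "... Gecko/20050728 (No IDN) ...";
# the advisory text writes the marker as "(noIDN)", so accept both spellings.
UA_NOIDN_RE = re.compile(r"\(no\s?idn\)", re.IGNORECASE)


def parse_value(raw):
    """Turn the textual pref value into a Python bool, int or str."""
    if raw == "true":
        return True
    if raw == "false":
        return False
    if raw.startswith('"'):
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return int(raw)


def parse_prefs(text):
    """Parse one pref file (defaults/pref/*.js or a profile's prefs.js)."""
    prefs = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("//", "/*", "*", "#")):
            continue  # comments and the "# Mozilla User Preferences" header
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(2)] = parse_value(m.group(3))
    return prefs


def effective_prefs(default_texts, user_text):
    """Merge like the browser: application defaults first, then the profile's
    user_pref() lines, which override defaults (so a profile can re-enable
    IDN even after the patch installed a false default)."""
    merged = {}
    for text in default_texts:
        merged.update(parse_prefs(text))
    merged.update(parse_prefs(user_text))
    return merged


def idn_disabled(prefs):
    """True only when the effective value is the boolean false."""
    return prefs.get("network.enableIDN", True) is False


def ua_marks_noidn(user_agent):
    """The patch advertises itself in the UA; the manual toggle does not."""
    return bool(UA_NOIDN_RE.search(user_agent))


def profile_status(default_texts, user_text, user_agent):
    """Summarise what the advisory's two checks say about one profile."""
    prefs = effective_prefs(default_texts, user_text)
    return {
        "idn_disabled": idn_disabled(prefs),
        "ua_marked": ua_marks_noidn(user_agent),
        "vendor_comment": prefs.get("general.useragent.vendorComment"),
    }


# --- constructed sample inputs (not real files from the thread) ------------
PATCH_DEFAULTS = 'pref("network.enableIDN", false);\n'        # default the XPI adds
ACTIVEX_DEFAULTS = 'pref("general.useragent.vendorComment", "ax");\n'
MANUAL_PROFILE = (
    "# Mozilla User Preferences\n"
    'user_pref("network.enableIDN", false);\n'             # about:config toggle
)
REVERTED_PROFILE = 'user_pref("network.enableIDN", true);\n'  # toggled back to true
UA_PATCHED = ("Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.10) "
              "Gecko/20050716 (No IDN) Firefox/1.0.6 (ax)")
UA_MANUAL = ("Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.2) "
             "Gecko/20040804 Netscape/7.2 (ax)")

if __name__ == "__main__":
    print("patched XPI  :", profile_status([PATCH_DEFAULTS, ACTIVEX_DEFAULTS], "", UA_PATCHED))
    print("manual toggle:", profile_status([ACTIVEX_DEFAULTS], MANUAL_PROFILE, UA_MANUAL))
    print("reverted     :", profile_status([PATCH_DEFAULTS], REVERTED_PROFILE, UA_PATCHED))
```

The third sample reproduces what Fulvio describes above: a profile whose about:config value was toggled back to true overrides the patch's false default, yet its user agent still carries "(No IDN)". The UA marker only shows that the patch file is installed; the effective preference value is the check that matters.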
