
Security Issues in Mozilla 454

paulius_g writes "SecurityFocus has released a security warning with three problems that affect Mozilla on all platforms. The first issue allows the source of a download to be spoofed, generating a fake URL. This security issue is really easy to replicate: Create a long URL and the downloading box will only display its ending (Mozilla and Firefox). The second issue was created by the way that Mozilla's browsers handle news:// links to newsgroups, hackers can easily create false links and create a buffer overflow (Mozilla 1.7.5 and below, Firefox versions before 1.0). The third exploit affects machines with multiple users. The way that Firefox and Thunderbird store files allows every user to see them and to probably catch the other user's surfing habits (Firefox and Thunderbird). Let's hope that these will be fixed soon!"
  • A fix? (Score:5, Informative)

    by Blapto ( 839626 ) on Friday January 07, 2005 @11:58AM (#11287787)
    Resolution
    ==========

    All Mozilla users should upgrade to the latest version:

    Says the site, implying at least a partial fix is available.

  • Misleading Article (Score:3, Informative)

    by Asacarny ( 244586 ) on Friday January 07, 2005 @12:02PM (#11287826)
    All of these security issues are fixed in the latest releases of Firefox/Thunderbird/Seamonkey. They have all been fixed for quite some time now.

    It would have been helpful for this information to be included in the story. Thanks, Slashdot.
  • Re:Unacceptable (Score:2, Informative)

    by PommeFritz ( 70221 ) on Friday January 07, 2005 @12:02PM (#11287835) Homepage
    "spotted before rollout"?
    Dude, the article says that only versions before Firefox 1.0 are vulnerable, and 1.0 has been out for 2 months already. What are you talking about?
  • Older versions only (Score:2, Informative)

    by martin_b1sh0p ( 673005 ) on Friday January 07, 2005 @12:03PM (#11287837)
    Note that it appears from what I read that these issues only affect the beta versions of Firefox. Who uses a beta once a released version is out???

    Basically this is a non issue as everyone should have upgraded to v1.0 as soon as it came out.
  • Re:A fix? (Score:1, Informative)

    by Anonymous Coward on Friday January 07, 2005 @12:05PM (#11287863)
    "Firefox versions before 1.0"

    Just upgrade to 1.0 and no more problems. You really should have upgraded a while ago...
  • Third item... (Score:5, Informative)

    by Anonymous Coward on Friday January 07, 2005 @12:05PM (#11287867)
    This only applies to Windows platforms. Linux and Unix versions maintain all user information in the homedir, preventing access to ordinary users.
  • RTFA - Answers await (Score:2, Informative)

    by Anonymous Coward on Friday January 07, 2005 @12:06PM (#11287876)
    As the article clearly states, all three have been fixed. Simply use the latest versions of the software.
  • by WhiteWolf666 ( 145211 ) <{sherwin} {at} {amiran.us}> on Friday January 07, 2005 @12:07PM (#11287885) Homepage Journal
    The Slashdot article, not security focus. In plain text, at the top, it says these were FIXED in the latest versions.

    They affect Firefox versions BEFORE 1.0, Thunderbird BEFORE .9, and Mozilla BEFORE 1.7.5.

    This article was posted by some MS shill who is hoping that because Slashdot is spidered by Google news they will get some mainstream journalism about Firefox's bugs!

    This is TOTAL crap! Let the MS Smear campaign begin!
  • by Freggy ( 825249 ) on Friday January 07, 2005 @12:08PM (#11287904)
    Guys, wake up, old news. According to the article, all bugs were fixed in Mozilla 1.7.5 and Firefox 1.0.

    Move on people, nothing to see here!
  • Re:Umm.... (Score:3, Informative)

    by IcEMaN252 ( 579647 ) on Friday January 07, 2005 @12:11PM (#11287945) Homepage
    I'll admit to not doing exhaustive research before making my commentary.

    I believe that the Docs & Settings folder is owned by the user in question and has the permissions set to keep other users out. But, thanks to the way Windows runs, everyone pretty much needs to be an Administrator to do things like, idk, run a CD-Burning app, so a knowledgeable user could change the permissions and look inside.

    But, this is a generic Windows problem, most users are Administrators, and they can therefore see other users' files. This might not be true in corporate environments, but at home it's usually the case.

    Remember what your mother said, and do not take the name of root in vain.
  • by I confirm I'm not a ( 720413 ) on Friday January 07, 2005 @12:13PM (#11287967) Journal

    If I read TFA correctly, they're fixed already: Mozilla is listed as unaffected in >=1.7.5, Firefox unaffected in >=1.0, and Thunderbird unaffected in >=0.9.

    Interestingly, the original bug report came from the Gentoo security people - is there anyone running Gentoo with anything other than the very latest apps?!

  • by GweeDo ( 127172 ) on Friday January 07, 2005 @12:14PM (#11287972) Homepage
    Affected packages
    =================

    Package / Vulnerable / Unaffected
    1 mozilla / < 1.7.5 / >= 1.7.5
    2 mozilla-bin / < 1.7.5 / >= 1.7.5
    3 mozilla-firefox / < 1.0 / >= 1.0
    4 mozilla-firefox-bin / < 1.0 / >= 1.0
    5 mozilla-thunderbird / < 0.9 / >= 0.9
    6 mozilla-thunderbird-bin / < 0.9 / >= 0.9

    So, let's try reading this data. If you are running version 1.0 of Firefox, version 1.0 of Thunderbird or version 1.7.5 of Mozilla (all the latest versions) you have NONE of these issues. Geez....
  • by elecngnr ( 843285 ) on Friday January 07, 2005 @12:17PM (#11288007)

    How did this pass muster? The article clearly states:

    Various vulnerabilities were found and fixed [emphasis added] in Mozilla-based products, ranging from a potential buffer overflow and temporary files disclosure to anti-spoofing issues.

    While I recognize the article does state in the middle of it that it was for releases prior to the current ones, why not say that in the title or somewhere in the first sentence. Saying something like, "People using older versions of.....may be vulnerable to security flaws." At first glance, this article is a little misleading.

  • by BenjyD ( 316700 ) on Friday January 07, 2005 @12:18PM (#11288031)
    Apart from the first issue, of course, which reads:

    "The vulnerability has been confirmed in Mozilla 1.7.3 for Linux, Mozilla 1.7.5 for Windows, and Mozilla Firefox 1.0. Other versions may also be affected."

    So it's actually just one spoofing vulnerability. It's probably a result of fixing the bug in 0.9.something where an overly long (>4kb, IIRC) URL in the address bar could cause firefox to lock up the x-server.
  • Re:Updates (Score:3, Informative)

    by rainman_bc ( 735332 ) on Friday January 07, 2005 @12:23PM (#11288090)
    AFAIK Firefox [ on win ] checks for updates itself. It should never be out of date.

    On linux, you have stuff like apt / yum / portage to keep computers up to date.

    Mac version probably updates itself too, but don't quote me on that.
  • Re:Third item... (Score:3, Informative)

    by shis-ka-bob ( 595298 ) on Friday January 07, 2005 @12:26PM (#11288122)
    Please read the third item. This is clearly describing a Unix-like system with a /tmp directory and xpdf as a pdf viewer. This isn't what you find on Windows. This whole issue is a tempest in a teapot. All of these issues are closed and the 'fix' is simply to run the current package. Just 'portupgrade' or whatever your system uses to update packages and ignore this warning.
  • Re:A fix? (Score:3, Informative)

    by stupidfoo ( 836212 ) on Friday January 07, 2005 @12:31PM (#11288175)
    That was only for the second issue

    The second issue was created by the way that Mozilla's browsers handle news:// links to newsgroups, hackers can easily create false links and create a buffer overflow (Mozilla 1.7.5 and below, Firefox versions before 1.0).

    The first issue was for all versions (for Firefox and Mozilla), as was the third (for Firefox and Thunderbird).
  • Wrong! (Score:5, Informative)

    by the_mighty_$ ( 726261 ) on Friday January 07, 2005 @12:36PM (#11288223)

    Only the buffer overflow issue has been fixed! This article on the Register should clear things up:

    http://www.theregister.co.uk/2005/01/07/mozilla_flaws/ [theregister.co.uk]

  • by GoodbyeBlueSky1 ( 176887 ) <<moc.liamtoh> <ta> <sknabXeoj>> on Friday January 07, 2005 @12:38PM (#11288242)
    #638, huh? It'd be a shame if you left now.

    Anyhoo, regarding color schemes, I ran across this the other day...
    http://forums.mozillazine.org/viewtopic.php?t=185393 [mozillazine.org]
    Haven't tried it, but it looks pretty basic.

    As for the crew, I'm currently working on an extension to replace michael's rants with underscores.

    Well, not really.
  • Issue 1: Spoofing, unpatched (yet). Moderately critical.

    Issue 2: Fixed (Affected Versions: Mozilla Browser
    This bug is fixed in Mozilla 1.7.5. (Bug 264388)
    Mozilla developer Dan Veditz claims that it cannot be exploitable:
    "A '\' on the end will certainly trash memory, but at that point you're no
    longer reading attacker-supplied data;".
    So, at most it would be a DOS attack, not a true "hack into your computer". And from the Security focus link:

    Affected packages
    =================
    mozilla < 1.7.5
    mozilla-bin < 1.7.5
    mozilla-firefox < 1.0
    mozilla-firefox-bin < 1.0
    mozilla-thunderbird < 0.9
    mozilla-thunderbird-bin < 0.9

    So Firefox 1.0 is indeed safe.

    Issue #3:From the link:

    This exact issue affects Mozilla Firefox 0.9.3. I haven't tested
    older/newer versions, and all of this was tested under Debian Unstable.


    In other words, 1 outdated, another unconfirmed, and the first one real, but it's moderately critical.

    So the Mozilla guys have only to fix ONE bug, and CONFIRM another. Issue #2 is fixed already.
  • by generic-man ( 33649 ) on Friday January 07, 2005 @12:43PM (#11288312) Homepage Journal
    Guys, wake up. According to the first advisory [secunia.com], Mozilla 1.7.5 and Firefox 1.0 are still vulnerable.
  • Re:A fix? (Score:2, Informative)

    by ichimunki ( 194887 ) on Friday January 07, 2005 @12:59PM (#11288548)
    I don't think that does much to help protect the temporary files stored in /tmp, does it? The problem is files in /tmp with the wrong permissions as I understand it. Which, if we're really being paranoid, the files shouldn't even be in /tmp in the first place, because even exposing the knowledge that there is a file is a security lapse (if you can `ls /tmp` you can see that there is a file, even if you can't read it).

    Frankly I think the third warning is mostly hype. On many multi-user machines and even multi-system LANs, simply using a tool like tcpdump is going to expose a lot of web traffic to anyone who wants to listen. But because there are ways to be paranoid in such situations, the browser shouldn't casually discard your efforts at security.
  • by Old Man Kensey ( 5209 ) on Friday January 07, 2005 @01:00PM (#11288565) Homepage
    The problem is not with the way Firefox and Thunderbird "store user's files". The problem has to do with the way they temporarily open files in helper apps for viewing -- on *nix, at least, they use the global /tmp directory, which means anyone can see what files you have open, and because of the way it sets up permissions on them (makes them world-readable), anybody may be able to read them while you have them open.

    I'm not too worried about the third one. For one thing, it is easily worked around by setting your $TMP or $TEMP environment variable. Really the global visibility of the files isn't a "bug" in Firefox/Thunderbird or any other app that does this. They're just following the standard system practice of using whatever directory is specified by TMP/TEMP to open their temporary files in. The issue is that common practice on that score is moderately insecure and may expose info to other users, but there's nothing application authors should do about that.

    The permissions issue is the only real "security" problem, but I would bet they did it that way to allow viewers that may be running setuid nobody to still view the file for the user. Perhaps the answer is simply to have documentation about viewers running setuid nobody (or other restricted users) and a configurable list of such viewers that the user can add to. After that, files destined for ordinary viewers should be permissioned 500, and files destined for setuid restricted-user viewers could be permissioned 544 or something else appropriate.
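
The exposure discussed in the two comments above (file names visible in a shared /tmp, contents readable when the file is world-readable), shown next to a private alternative. This is an added example, not part of the thread and not Mozilla's code; the function names and the `statement.pdf` sample file are made up for illustration, and a scratch directory with mode 1777 stands in for /tmp.

```python
import os
import shutil
import stat
import tempfile

def write_shared(shared_dir, name, data):
    """Pattern from the thread: predictable name in a shared dir, world-readable."""
    path = os.path.join(shared_dir, name)
    with open(path, "wb") as f:
        f.write(data)
    os.chmod(path, 0o644)  # explicit, so the demo does not depend on umask
    return path

def write_private(data, suffix=""):
    """Hardened: per-user 0700 directory plus a 0600 file with a random name."""
    private_dir = tempfile.mkdtemp(prefix="helper-")  # created with mode 0700
    fd, path = tempfile.mkstemp(dir=private_dir, suffix=suffix)  # O_EXCL, 0600
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path

def exposure(path):
    """What another local (non-root) user can learn about `path`."""
    parent = stat.S_IMODE(os.stat(os.path.dirname(path)).st_mode)
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return {
        "mode": oct(mode),
        # read bit on the directory lets others list file names (the `ls /tmp` point)
        "name_listable": bool(parent & stat.S_IROTH),
        # others need search permission on the directory and read on the file
        "content_readable": bool(parent & stat.S_IXOTH and mode & stat.S_IROTH),
    }

def demo():
    shared = tempfile.mkdtemp(prefix="fake-tmp-")  # constructed stand-in for /tmp
    os.chmod(shared, 0o1777)
    weak = write_shared(shared, "statement.pdf", b"constructed sample")
    strong = write_private(b"constructed sample", suffix=".pdf")
    result = {"shared": exposure(weak), "private": exposure(strong)}
    shutil.rmtree(shared)
    shutil.rmtree(os.path.dirname(strong))
    return result

if __name__ == "__main__":
    for kind, report in demo().items():
        print(kind, report)
```

Python's `tempfile` picks its base directory from `TMPDIR`, `TEMP` or `TMP`, so the environment-variable workaround mentioned in the comment also changes where `write_private` puts its directory.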

  • Re:Umm.... (Score:3, Informative)

    by justsomebody ( 525308 ) on Friday January 07, 2005 @01:35PM (#11288976) Journal
    Last time you checked it was TB 0.5:) (until then mail was stored under thunderbird program directory)

    Now everything is stored under Documents and Settings/user/Application Data/thunderbird

    or something like that.
  • Re:Umm.... (Score:2, Informative)

    by UNCfan4life ( 842992 ) on Friday January 07, 2005 @01:54PM (#11289225)
    In XP, unless you specifically tell it otherwise, every user can access the Documents and Settings folder of every other user with equal or lesser permissions. So, if everyone in the lab is set up as a power user, you can see each other's information, you just can't see the Administrator's info.
  • by roca ( 43122 ) on Friday January 07, 2005 @02:05PM (#11289341) Homepage
    > If you can have buffer over-run vulnerabilities
    > in your C++ app, then you are potentially
    > vulnerable to absolutely anything.

    Not really true.

    1) If it's a *read* overrun, it's probably not exploitable. Could possibly be an information leak.

    2) If it's a write overrun by at most 1 byte, it probably won't be exploitable.

    3) A variety of other restrictions may apply that make it not exploitable.

    4) The browser might have a buffer overrun bug that cannot be triggered by a remote Web page unless the user does some other actions than just viewing the page (e.g., save an image). Although this is still technically exploitable, it's a much less dangerous bug than something that leads to a "view this page and you're 0wned" attack.
  • Bugzilla numbers (Score:2, Informative)

    by egoots ( 557276 ) on Friday January 07, 2005 @02:06PM (#11289350)

    I know you can't link to Bugzilla directly from Slashdot, but for those of you who are interested the relevant Bugzilla bug numbers to look at for these are:

    • 273699
    • 275417
  • Re:A fix? (Score:4, Informative)

    by LnxAddct ( 679316 ) <sgk25@drexel.edu> on Friday January 07, 2005 @02:35PM (#11289663)
    Did you read the security alerts? They only affect Firefox 0.9.3 and earlier. They have been fixed since 1.0 (not sure if it was intentional or not, but whatever code caused this no longer causes it).
    Regards,
    Steve
