Security Issues in Mozilla
paulius_g writes "SecurityFocus has released a security warning with three problems that affect Mozilla on all platforms. The first issue allows the source of a download to be spoofed, generating a fake URL. This security issue is really easy to replicate: Create a long URL and the downloading box will only display its ending (Mozilla and Firefox). The second issue was created by the way that Mozilla's browsers handle news:// links to newsgroups; hackers can easily create false links and create a buffer overflow (Mozilla 1.7.5 and below, Firefox versions before 1.0). The third exploit affects machines with multiple users. The way that Firefox and Thunderbird store files allows every user to see them and to probably catch the other user's surfing habits (Firefox and Thunderbird). Let's hope that these will be fixed soon!"
Comment removed (Score:2, Interesting)
Re:Umm.... (Score:3, Interesting)
When I did a Search for the file, the search window gladly displayed the file in question (from their documents folder) and allowed me to copy it to my documents folder.
Re:Misleading Article (Score:1, Interesting)
Software: Mozilla 1.7.x
Mozilla Firefox 1.x
How can his post be rated informative when it isn't true?
Re:A fix? (Score:3, Interesting)
Why is everyone saying these are fixed?
Re:Sounds like good news to me (Score:5, Interesting)
If you can have buffer over-run vulnerabilities in your C++ app, then you are potentially vulnerable to absolutely anything. The fact that even one exists, even in a beta development, betrays fundamentally flawed coding standards and/or QA procedures. These things should never happen in a C++ app, and the coding techniques to prevent them are trivial.
Easy, tiger. As others have pointed out, most exploits of Windows/IE systems use vulnerabilities that MS patched months ago, and when critical ones do come up, patches usually do appear (with much hype) PDQ.
Re:Umm.... (Score:3, Interesting)
I know it was an off-the-cuff example, but Nero's BurnRights handles the CD-burning problem for Nero users. Users of other commercial software should consult their software vendor. Users of the Microsoft CD-burning "solution" are part of the problem. Users of cdrecord and cdrdao should look into the available documentation on Windows services and gin up something equivalent to BurnRights on their coffee break.
You can prevent administrators from changing the permissions on your files. Administrators can still take ownership of your files, giving themselves "full control" permissions along the way, but they can't give them back so there's a fairly obvious audit trail if they go that route. I have a particularly pernicious piece of spyware on my machine that none of the usual tools seem to be able or willing to get rid of (the existence of which is why all of my normal users, including myself, are limited.) I've disabled it by denying all permissions on its directory to everybody, thus prohibiting it from running and even from reinstalling itself if another copy of it should happen to run if some idiot admin (me) should happen to go insane, run IE, and go to an infe[cs]ted website.</rant>
Why is it... (Score:3, Interesting)
Re:A fix? (Score:3, Interesting)
So? Why is it that when a flaw is found in a MS product that hasn't even been on the market for 4 years everyone jumps up and down and says "SEE! SEE!! They want to keep you on a constant upgrade cycle!!", but when it happens in the open source community, the reaction is "Eh, just upgrade"?