Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Security Bug Mozilla The Internet IT

Critical Mozilla, Thunderbird Vulnerabilities 596

d3ik writes "An advisory has been issued on several buffer overflow exploits in the Mozilla and Thunderbird code. Coincidentally, one of the exploits takes advantage of a unchecked buffer in the bitmap parser, very similar to recent Microsoft JPEG vulnerability. The good news is that if you have an updated version (Mozilla 1.7.3, Firefox 1.0PR, Thunderbird 0.8) you won't be affected."
This discussion has been archived. No new comments can be posted.

Critical Mozilla, Thunderbird Vulnerabilities

Comments Filter:
  • by goldspider ( 445116 ) on Wednesday September 15, 2004 @01:37PM (#10258539) Homepage
    ...when people don't upgrade to versions that aren't vulnerable?

    Afterall, it's Microsoft's fault when their users don't keep up to date with security patches.

    • by duffbeer703 ( 177751 ) * on Wednesday September 15, 2004 @01:38PM (#10258550)
      No, it will still be Microsoft's fault.
    • by Nos. ( 179609 ) <andrew@nOSPAm.thekerrs.ca> on Wednesday September 15, 2004 @01:38PM (#10258566) Homepage
      That's right... of course a lot of use Geeks are also at fault since a good number of us have told friends, families, even clients that "no, you can't get a virus from a picture".
      • by Junior J. Junior III ( 192702 ) on Wednesday September 15, 2004 @02:03PM (#10258878) Homepage
        MS saw security geeks making this claim and their head of development saw this as a clear challenge. 2GB of binary code later, Windows XP proved at last that the impossible could be achieved, despite naysaying open-source geeks: .jpg can be a exploit vector!
      • by shish ( 588640 ) on Wednesday September 15, 2004 @02:03PM (#10258880) Homepage
        I told them "no, you can't get a virus from a picture, unless you use IE. FF is safe.".

        Doh.

      • by mschiller ( 764721 ) on Wednesday September 15, 2004 @02:51PM (#10259375)
        Well it shouldn't be possible to be infected with a virus from a picture... Because Data Memory should never EVER be able to be executed without specific privledge elevation [yeah, maybe root can do this, or perhaps only the deepest dark section of the kernel].

        1) Software designers should be more careful when using buffers, so that over runs don't occur is it really that hard to keep a counter around to make sure your don't overrun? I guess developers want their code to run fast and I suppose it doesn't help that C offers absolutely no protection from such problems. [Pascal and other strongly typed languages sure help in this regard it's alot harder to make this type of mistake].

        2) OS designers should do more through checking to make sure data pages are never executed. [and a data write can't write into an application memeory page!]. While it SHOULD be caught above, the OS should be looking out for requests to write into pages not assigned as data for a particular application.

        3) Hardware designers should implement features to optimize #1 and #2. [eg. noexecute flags. Harvard Architecture, etc. I can easily see a architecture that looks like a Harvard in normal mode and then turns into our traditional von neumann architecture in privledged mode.]

        It's really quite simple concept to have a no execute flag associated with a memory page that can only be changed in privledged mode. And such coding techniques should work fine for day to day computer use [self modifying code could be problem , etc].
        • by tonyr60 ( 32153 ) on Wednesday September 15, 2004 @04:48PM (#10260470)
          "1) Software designers should be more careful when using buffers"
          "2) OS designers should do more through checking to make sure data pages are never executed"

          Great idea. Now minor problem, how do you make sure your software and OS designers are 100% competent, never have a bad day, never arrive with a hangover, never have a bitter argument with spouse/partner.

          I see no evidence that this is possible with the current crop of earth's inhabitants.
    • Hope not because Firefox makes it extremely difficult to upgrade if you want to keep your extensions. Hmmm, security or TabbedBrowser Preferences. Hard to choose really.
      • by Jerph ( 550853 ) on Wednesday September 15, 2004 @01:47PM (#10258690) Homepage Journal
        This is generally fixed in 1.0PR - you can safely upgrade over a previous installation, and extensions are updated when possible. They even made it easier for extension writers to simply update the compatability number for their extensions without requiring you to download again.
      • by TheDormouse ( 614641 ) on Wednesday September 15, 2004 @02:51PM (#10259376)

        Why is this so hard for people:

        Upgrade Firefox.
        Your extensions will get disabled because they have a MaxVersion lower than the Firefox version.
        Let it happen. DON'T FREAK OUT.

        Go to the extension manager.
        Right click all the disabled extensions and select Enable.
        Restart Firefox.

        Woo hoo. Barring any changes in the code that genuinely make your old extensions incompatible, your world keeps on turning.

    • by Kobayashi Maru ( 721006 ) on Wednesday September 15, 2004 @01:39PM (#10258575)
      Maybe you could argue such a point for the suite, but I don't see how you could do so for Firefox and Thunderbird. Those packages can still claim pre-1.0 innocence. Note that I'm not judging the validity of these charges, just where they should, and should not, apply.
      • by Anonymous Coward on Wednesday September 15, 2004 @01:56PM (#10258803)
        Dear Humpty,

        But Mozilla and Firefox are so much better than IE! Isn't that what you fuckers claim everytime there's an IE vunerability?

        So now that the tables are turned little baby Firefox/Moz is just a beta so it doesn't matter.

        Stay on the fence or fall the fuck off.

        Sincerely,

        Kings Men.
        • So far, there've been less vulnerabilites in the Mozilla codebase. So far, Microsoft has had far more time and far more people to work on their project. So far, Firefox STILL has a product that vastly outdoes Microsoft's attempt.
          Any software will have bugs and holes in, the difference is the frequency and the rate of fixing - note that this is ALREADY FIXED.
        • by bonkedproducer ( 715249 ) <paul.paulcouture@com> on Wednesday September 15, 2004 @02:44PM (#10259308) Homepage Journal
          Amazing how many asshats come out of the woodwork with these kinds of comments... Microsoft's IE has exploits that still exsist three months after public discovery. Mozilla's developers already fixed this yesterday. BIG FSKING DIFF!

          Also, in Wired a short time ago, they tried to claim that Firefox had a vulnerability that had to be patched (which it did 0.9 - 0.9.1) but the vulnerability was with the Windows OS, and blocking access to a Windows OS function was what was required to fix it.

          FF is still a better browser - no question about it.
    • by dj42 ( 765300 ) on Wednesday September 15, 2004 @01:40PM (#10258593) Journal
      If you don't go get your gas tank valved fixed in an official manufacturer recall from your car company, and your car blows up, whose fault is it?
    • by DogDude ( 805747 ) on Wednesday September 15, 2004 @01:40PM (#10258595)
      So will it be Mozilla's fault... when people don't upgrade to versions that aren't vulnerable?

      No. Then it'll be the stupid user's fault. Only MS is at fault for not actively coming to each users' house and business and physically installing the update for them, even though MS's Automatic Update feature works great. Even though Firefox/Thunderbird/SunBird's manual "check for updates" feature doesn't even work, it's definitely the *stupid* user's problem when it comes to any non-MS program.
    • Re: (Score:3, Insightful)

      Comment removed based on user account deletion
      • by Anonymous Coward on Wednesday September 15, 2004 @01:59PM (#10258841)
        Not true. I installed Firefox 1.0PR, and my Qute theme stopped working. I installed Firefox 0.93 and my search bar stopped working. After 0.92, I couldn't uninstall any of my old extensions.

        Mozilla has the same problems as Microsoft as far as breaking things. The reason you notice it more in Microsoft's code is that they write things like operating systems, which tens of thousands of different applications run on top of. Only a handful of things run on top of your web browser.
      • by Anonymous Brave Guy ( 457657 ) on Wednesday September 15, 2004 @02:48PM (#10259349)
        Mozilla's security updates do not have a history of breaking things.

        That is a matter of opinion. I haven't upgraded Moz on my home machine since the 1.5->1.6 switch took out my whole e-mail store, address book, and other profile information. Fortunately I'd had the sense to back up, so 1.5 was restored with the only loss several hours of my time. It does make the argument that Mozilla doesn't have to provide security patches for older versions because of the rapid upgrade cycle rather thin, though.

        I've been waiting for TBird to import Moz e-mail properly, and now that it does, I'll be shifting away from the Mozilla suite to Firefox and Thunderbird imminently. The latter seem to be far more robust than Mozilla itself, which sadly has become ever more feature-loaded and bug-ridden with the passage of time.

    • Come on lets be serious here, it's not that MS programs have bugs or security problems (all software does), it's their companies attitude and power that bothers people. Is MS 'evil' for a company? Ignoring that companies really can't be evil or good, they don't seem to be dramatically worse than many other companies. The problem is that they have WAY more power than other companies! They are like 'the man'. Well, that and their browser sucks ass. Their company attitude is a disgrace to the computer industr
  • by ARRRLovin ( 807926 ) on Wednesday September 15, 2004 @01:38PM (#10258562)
    .....you can patch without fear of breaking a gazillion programs.
  • by thephotoman ( 791574 ) on Wednesday September 15, 2004 @01:39PM (#10258573) Journal
    I'm not fully able to upgrade yet, as the Debian builds I'm using haven't been upgraded. There are bugs in the packaging.

    The guy's working on it, though.
  • by zero-one ( 79216 ) <jonwpayne@gmBOYSENail.com minus berry> on Wednesday September 15, 2004 @01:39PM (#10258574) Homepage
    Perhaps the Mozilla team were taking compatibility with IE a bit too far!
  • by shish ( 588640 ) on Wednesday September 15, 2004 @01:40PM (#10258585) Homepage
    This story got posted while I was mid-way through installing the latest version, so I missed the mozilla.org slashdotting as everyone goes to upgrade :)
  • by grape jelly ( 193168 ) on Wednesday September 15, 2004 @01:40PM (#10258588)
    Here's why:

    Software is written by humans. As a result, mistakes are bound to be made. Various software design strategies merely mitigate and minimize those risks, but it's bound to happen. This is a fundamental fact of life. Deal with it.

    However, OSS permits investigation and transparency in the resulting software. This leads to better code reviews (hopefully) and more bug fixes. In addition, there is nothing that a software development team or company can hide behind (a la IP rights) all the while shouting, "Shut up! Shut up! I can't hear you! la la la la!"
    • Well actually buffer overflows are inherent problems in C/C++ because they allow programmers to make those kind of errors.

      Java on the other hand does not allow programmers to make that error. If more people used better tools it would mean less security problmens.
    • OSS permits investigation and transparency

      Without design specifications and a complete, well written documentation, the only way people could check a program is by reading the whole code and understanding the whole thing. Do you know a lot of people who would waste hundred of hours to look for bugs (apart from the ones who are developing the program) ?

      OSS permits investigation, but no one is doing it because most OSS project have very little documentation. The result is most OSS project are extremely bug
  • by Albanach ( 527650 ) on Wednesday September 15, 2004 @01:41PM (#10258599) Homepage
    This is going to be an ever bigger problem for small businesses that adopt Mozilla.

    If I use Internet Explorer, I can deploy patches to every amchine on the domain automagically using software like Shavlik's HfNetChk - with Moz I'd have to take a trip round the desktops, forty or fifty upgrades is something I don't fancy.

    The Moz team should be looking with urgency at how corporate customers can keep it up to date - I'm sure that would also make it a much easier sell to business.

    • by nate1138 ( 325593 ) on Wednesday September 15, 2004 @01:55PM (#10258785)
      If you use login scripts, you can just drop the patch in the script and have it install automagically. I do this all the time with our non-MS applications. Works pretty well, but if the patch doesn't have a silent mode, you will need to let your users know to expect it at login.

    • by omicronish ( 750174 ) on Wednesday September 15, 2004 @02:03PM (#10258875)

      The Moz team should be looking with urgency at how corporate customers can keep it up to date - I'm sure that would also make it a much easier sell to business.

      I completely agree (but from a Firefox standpoint; I haven't used Mozilla in ages). There needs to be serious consideration of usage in corporate settings on Windows desktops. Features such as an MSI package to ease in deployment across Active Directory networks is needed. Yes, you can create your own MSI packages, but it'd be nice if one was provided. For those who don't know what I'm talking about with AD, it basically means that with a few mouse clicks (seriously), I can install Firefox on all computers on my network. You could probably replicate that with logon scripts, but this method provides automatic uninstallation of old versions when upgrading Firefox, as well as installation repairing if files are corrupted (but I'm not sure how useful that is, since it might point to more serious hardware problems).

      Firefox settings in Group Policy would also be awesome, although that would require either placing Firefox settings in the registry or writing a Group Policy plugin to handle settings. What this would mean is that Firefox configuration settings for an entire network can be controlled from a central location.

      There are other minor problems (such as placement of Firefox cache in Application Data instead of Local Settings\Application Data, causing the entire cache to be synchronized with the domain server on logon and logoff), so if they aren't already, Firefox developers should be sure to test on machines with multiple user profiles with reduced privileges. These things, although inconsequential to regular users at home, are quite important for acceptance in corporate Windows networks.

      Also, apologies if you can already do all of these, but if that's the case, a page discussing these things for network administrators would also be nice.

    • by asa ( 33102 ) <asa@mozilla.com> on Wednesday September 15, 2004 @02:14PM (#10258981) Homepage
      If you look around some, you'll see that people are already doing exactly what you are concerned about. See this Zenworks example [novell.com]

      --Asa
    • Easy! (Score:5, Interesting)

      by marcello_dl ( 667940 ) on Wednesday September 15, 2004 @02:45PM (#10259319) Homepage Journal
      The Moz team should be looking with urgency at how corporate customers can keep it up to date - I'm sure that would also make it a much easier sell to business.

      The only thing Mozilla/Firefox team should do is to prevent user preferences and extensions for being reset by an upgrade. They are working on it, as I read in other threads. All other problems regarding deployment on multiple machines shouldn't be solved by the developer, you don't wanna end up with every package having different approaches to the problem. It must be a matter for sysadmins or the linux distro developers.

      Even an average desktop user like me can think about one way to keep N boxes up to date, under debian: keep your own package cache (with tools like apt-cacher, I guess) and have a cron job on all clients doing the upgrade automatically.
      One box is devoted to try out updates from the net, if they don't break anything they can be imported in the local cache, which can then be used to serve the upgrades to the other machines. The cron jobs can be offset not to overwhelm the local cache file server.

      Moderators who gave parent a +5 insightful: are you nuts? ;)
  • Galeon (Score:3, Interesting)

    by phrostie ( 121428 ) on Wednesday September 15, 2004 @01:42PM (#10258606)
    What about Galeon?
    it is based on Mozilla also.
    has it been updated?
  • chroot and UML (Score:5, Interesting)

    by KidSock ( 150684 ) on Wednesday September 15, 2004 @01:44PM (#10258636)
    Mmm, I wonder what it takes to run Firefox in a chroot jail. Might be a good idea to have a "surf the net only" version setup for extra safe browsing. I fear the amount of libraries necessary to do that. Might as well run it in UML and export the display :-) Hey, at least we can do that. MS apps don't conform well to the Principle of Least Privledge.
    • by DarkMan ( 32280 ) on Wednesday September 15, 2004 @02:50PM (#10259367) Journal
      Probably the simplest option is to run Firefox as a different user. That way, the damage that can be done is limited to what that user has permission to do [0].

      It's so simple, I'll be back in a couple of minutes once I've done it..

      Done it, make that 25 seconds. Most of that was updating authentication tokens for the new user.

      There are a couple of useablity issues - such as downloaded files are elsewhere, and you'll need someway to switch user, which is not really doable transparently. Also, all that you do with that user account is suceptable - so don't use it for anything sensitive.

      One main problems:
      1) It needs acess to the X display. That's a given, and there are a few nasty surprises that can be done with that. That would be the case no matter what, (chroot etc) however.

      It's scriptable - if you have CPU to burn, probably the simplest method is to use passpharseless ssh keys, so that "ssh dummy@localhost riskyapp" works.

      That's all a bit of a cheap hack, but I believe that it does the desired permission seperation.

      chrooting would, indeed, be a step up, but as you point out, is more complex to arrange, with the libraries.

      [0] Barring any local root holes, which is an orthogonal issue.
  • by Arthur Dent 75 ( 221061 ) on Wednesday September 15, 2004 @01:44PM (#10258646) Homepage
    So when will Firefox get an option to perform automatic updates like e.g. Windows Update allows?

    I cannot ask my father to uninstall his browser and reinstall a new one every so often. If Firefox wants to be accepted by the large crowd out there it definitely needs an automatic update.

    • by lpangelrob2 ( 721920 ) on Wednesday September 15, 2004 @01:59PM (#10258832) Journal
      1.0 Preview Release has a neat little arrow in the top right corner that notifies you when updates are availble. I can't confirm that it works the way it's supposed to, i.e. uninstalling and reinstalling / upgrading Firefox for you. Or if it automatically installs patches. There haven't been any versions of new browsers or any patches yet. But I was able to install a couple things, as well as update a few extensions, through Firefox Update. It's in Tools --> Options... --> Advanced --> Software Update. Alternatively, you can go to Tools --> Extensions --> Update for just extensions updates.
  • by grape jelly ( 193168 ) on Wednesday September 15, 2004 @01:44PM (#10258647)
    I wasn't notified of this critical vulnerability until I checked slashdot. Perhaps FFox/Moz should have a feature that automatically checks for updates and recommends them appropriately?
    • by asa ( 33102 ) <asa@mozilla.com> on Wednesday September 15, 2004 @02:20PM (#10259038) Homepage
      Firefox 0.10 (PR) can now check for critical security updates and install them. This is our first release with that feature working as expected. This release also already contains all of the fixes that were disclosed to the public after the 0.10 release.

      If a new vulnerability is found and patched, Firefox 0.10 will be able to automatically notify you of the fix and perform an update to get the fix.

      --Asa
  • by TheLetterPsy ( 792255 ) on Wednesday September 15, 2004 @01:45PM (#10258655)
    Cue all the, "Boy, I sure am glad I use IE" posts . . . er . . . I mean . . .
  • Question (Score:5, Funny)

    by Anonymous Coward on Wednesday September 15, 2004 @01:45PM (#10258659)
    Does my lynx browser need updating?
  • OH MY GOD! (Score:5, Funny)

    by pridkett ( 2666 ) on Wednesday September 15, 2004 @01:45PM (#10258666) Homepage Journal

    This really worries me:

    7) Mozilla allows dragging links to another window or frame. This can e.g be exploited by tricking a user on a malicious website to drag a specially crafted javascript link to another window. Successful exploitation can cause script code to execute in context of that window. Further exploitation can in combination with another unspecified vulnerability lead to execution of arbitrary code.

    Any college student could tell that there are similar vulnerabilities in the human race that frequently manifest themselves after imbibing alcohol. Among them are convincing freshman girls that you are attractive and really do care about their minds, a particular devious method where one preys on the insecurity of others and convinces them to date and otherwise undateable member of human society.

    The problem is not confined to just colleges. During a recent help session on the channel #gnome on irc.freenode.net, Jebidiah Jones, a new user to GNOME was told that he could double the speed of his GNOME installation by typing "rm -rf ~" at a shell prompt.

    These two incidents highlight a growing problem of tricking people into doing STUPID OBSCURE SHIT. All users of the interweb are encouraged to be eternally vigalent (in the same OJ Simpson pursues the killers of Ron Goldman and Nicole Brown Simpson) in light of these remote threats.

  • by 88NoSoup4U88 ( 721233 ) on Wednesday September 15, 2004 @01:46PM (#10258680)
    Yes Microsoft, we told you to fix IE countless of times now ; and still exploits are found everyday and you guys still....

    Waitasecond

    Mozilla and Thunderbird uh.... wait...

    So who can i blame now ?

  • by iso ( 87585 ) <`slash' `at' `warpzero.info'> on Wednesday September 15, 2004 @01:47PM (#10258687) Homepage

    The good news is that if you have an updated version [...] you won't be affected.

    Excuse me, but you used "affected" correctly! The accepted standard here is to use "effect" instead of "affect" [slashdot.org] at all times. Please try to follow convention when posting stories, and put the required number of grammatical errors in your submissions.

  • by gmuslera ( 3436 ) on Wednesday September 15, 2004 @01:50PM (#10258722) Homepage Journal
    Is better to have an advisories that points to the exact C++ source file (i.e. nsMsgCompUtils.cpp named in the advisory, you could even try to fix it by yourself if you strongly depend of an exact mozilla browser version or made a derived work) instead of hoping that some vulnerability in closed software is found by the good guys first by trial and error or things like that.

    Another difference: newer mozilla, thunderbird and firefox versions have more features and no backward problems afaik and is not complex to install (even is faster/with lesser requirements than some previous versions). To fix the jpg problem you must have XP SP2 (that causes a lot of problems) or apply a critical patch ready just for a few MS plataforms (nice when you even have a "jpeg of death" around that tries to steal your gmail account and other passwords exploiting the IE jpg vulnerability)

  • by ChiralSoftware ( 743411 ) <info@chiralsoftware.net> on Wednesday September 15, 2004 @01:56PM (#10258796) Homepage
    As I said in an earlier thread [slashdot.org], we will get burned again and again and again, and then we will get burned some more, until we stop processing unsafe data (data from the net or untrusted sources) using code written in unsafe languages. By unsafe language I mean any language that allows unsafe memory access. By unsafe memory access I mean any language that lets your code manipulate arbitrary memory locations in arbitrary ways, and then jump to arbitrary locations.

    The safest and best thing is to use a real VM, like the JVM. Another alternative is to use something like Cyclone [harvard.edu] which also doesn't allow unsafe memory operations.

    To all the ditto-heads who keep on saying "if it's not in C, it's too slow", wasn't there just an article on Slashdot a few days ago about full-motion video players written in pure Java? Surely a jpeg here and there shouldn't be too much of a problem?

  • Comment removed (Score:3, Insightful)

    by account_deleted ( 4530225 ) on Wednesday September 15, 2004 @01:56PM (#10258804)
    Comment removed based on user account deletion
  • As a former IE user (Score:3, Informative)

    by the_Bionic_lemming ( 446569 ) on Wednesday September 15, 2004 @01:56PM (#10258805)
    I switched to firefox a few weeks ago and shortly after started to use it exsclusively. I was on the verge of telling my family and friends to make the switch as well.

    However - I can't do that right now. When I learned of the new version released, and how it will be supplanted by a new release soon, and the lack of autoupdating - it WILL be a burden for some of the people I'd tell to switch.

    From what I saw - to upgrade to a newer release - Firefox has to be uninstalled and then re-installed - and until the folks who wrote the freely available functions upgrade them - they won't be compatible with the new release. This exploit too has me wondering if it really isn't way to soon to force them to switch. They've all been educated to use the auto update for IE.

    Great product. I'm hooked. I will continue to use it. Blocking ads, images, bugmenot, and a host of other functions have won me over. But before I can recommend it to the folks that aren't exactly technical - the team will need to either allow for patch updates, or auto-updates.
  • by prandal ( 87280 ) on Wednesday September 15, 2004 @01:56PM (#10258807)
    mozilla.org really needs to include a link to their Security Centre [mozilla.org] on their front page.
  • OK! (Score:4, Funny)

    by Chuck Bucket ( 142633 ) on Wednesday September 15, 2004 @01:58PM (#10258818) Homepage Journal
    Now no one post a link to any screenshots of this!

    CB#$%^&*(
  • Just updated Firefox (Score:3, Interesting)

    by rokzy ( 687636 ) on Wednesday September 15, 2004 @01:58PM (#10258821)
    told me about extension incompatibilities, checked for updates, downloaded. very slick.

    all my bookmarks were back too which is very nice (though I generally disapprove of info remaining after uninstalling a program - where was this personal data stored?)

    if I uninstall and upgrade Thunderbird will it keep my account info and emails?
  • Now we will see... (Score:4, Insightful)

    by jmcmunn ( 307798 ) on Wednesday September 15, 2004 @01:58PM (#10258825)
    As FireFox and Mozilla become more widely used, we will truly see how well the open source community can keep up. After all, I honestly believe that the reason more bugs and fulnerabilities are found in IE is that it is more widely used.

    I see the day not too far off when FireFox could overtake IE in the market...so will the majority of problems then be in FireFox, or is microsoft really writing bad code? It will be interesting to see.

    I believe the open source community will be up to the task of maintaining the bugs as they come in, but I think we will see that there will still be a lot of these types of serious problems that crop up once there are thousands of people dedicating their lives to exploiting them.

    Grab a chair, sit back and watch the fun.
  • The good news?!?! (Score:5, Insightful)

    by stubear ( 130454 ) on Wednesday September 15, 2004 @02:00PM (#10258845)
    "The good news is that if you have an updated version (Mozilla 1.7.3, Firefox 1.0PR, Thunderbird 0.8) you won't be affected."

    And the good news is if you have the updated version of Windows (Windowws XP SP2) then you aren't affected by the similar critical flaw either but it's different when it's OSS huh?
  • by Billy the Mountain ( 225541 ) on Wednesday September 15, 2004 @02:03PM (#10258879) Journal
    OT, but related:

    Given that there are critical vulnerabilities in IE due to the Cross-Domain vulnerability that most web users have ignored, and Microsoft can't seem to fix without major browser changes. And given that there are lots of exploitable vulnerabilities due to unpatched IIS servers out there, How long is it going to be before some genius low-life creates a worm that plays these two vulnerabilites off each other* and brings down the whole net for a week? It'll make little difference that 15% of the users have switched over to Firefox when this baby gets unleashed.

    * I.e. Web sites infect the IE browsers and infected browsers infect other servers. (Seems like a natural to me.)

    BTM
  • by romiz ( 757548 ) on Wednesday September 15, 2004 @02:10PM (#10258948)

    All those critical bugs have been detected by reviewers from the "Security Bug Bounty Program", as described on mozilla.org [mozilla.org]. The Mozilla Foundation has offered a $500 bounty for each security bug found, and already has secured a $10,000 budget to do so.

    Thus, all those bugs should not be seen as a proof that the Mozilla code is badly written, but rather that the Mozilla Foundation is aware that secure code is hard to write, and that a good review process is critical to reach this goal.

  • by Master of Transhuman ( 597628 ) on Wednesday September 15, 2004 @02:42PM (#10259279) Homepage
    who don't check buffers?

    How many years has it been now that buffer overflows are recognized as a major security problem?

    How many years will it be before someone writes fucking code to go through a program and check for unchecked buffers?

    How many years will it be before people are not allowed to put code in a system unless it is checked for unchecked buffers?

    I mean, gimme a break here.

    Now I suppose all the /. nerdboys will come out from under their rocks and proclaim, "Programming is hard! We can't check for our mistakes!"

    Bullshit. You KNOW when you're using a buffer. You KNOW you're supposed to check it. So fucking CHECK IT!

    Here's the bottom line: These coders are incompetent buffoons. Period.

    Morons.

Don't tell me how hard you work. Tell me how much you get done. -- James J. Ling

Working...