Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 


Forgot your password?
Close
typodupeerror
×
Mozilla The Internet Security

A Security Bug In Mozilla - The Human Perspective 321

Posted by timothy from the danger-of-success dept.
xslf writes "Alex Vincent, the reporter of the data-loss security bug 259708, writes about the behind the scene process of reporting it, casting light on the problems of dealing with security related bugs reported by the community, which isn't always aware of the security implications of the bugs reported. The issues with the FLOSS process shown in this bug might get worse, once more and more people use FLOSS and add to the process, without being full fledged coders, and rely on binary releases of software." (Note, you'll have to copy and paste that link to view the bug report, or click through from the linked story.)
This discussion has been archived. No new comments can be posted.

A Security Bug In Mozilla - The Human Perspective More

A Security Bug In Mozilla - The Human Perspective

Comments Filter:

  • Don't link to bugzilla!!! (Score:5, Informative)

    by AKAImBatman ( 238306 ) * <<moc.liamg> <ta> <namtabmiaka>> on Wednesday October 06, 2004 @01:38PM (#10452920) Homepage Journal
    What are you trying to do? Shut down the Mozilla project?!? If you absolutely NEED to see the bug, go to MirrorDot [mirrordot.org] and look it up there.

  • Looking for blame in all the wrong places (Score:3, Interesting)

    by thewldisntenuff ( 778302 ) on Wednesday October 06, 2004 @01:41PM (#10452946) Homepage
    "Well, some smarty-pants decided to repost my entire blog entry about bug 259708 as a comment on one of my entries, with an e-mail address of "fulldisclosure@netsys.com". Word for word, no changes, and no commentary either.
    This annoyed the hell out of me. On the one side, I could see this anonymous poster's point: the bug was already in the public domain when it disappeared very suddenly."

    What are you complaining about? Isn't this your fault for taking the entry down to begin with?

    I'm going to troll a bit here, but doesn't this essay/blog entry just bitch about how he feels things weren't handled in a manner to his liking? And shouldn't he be faulted for how he initially handled the bug? (Noted below-)

    "Losing data is horrendous, yes, but not as bad as losing it to someone else. That just wasn't happening here. So I decided not to ask for a security group review. That was my first mistake.

    Lesson Number One: The very instant you start to wonder if a bug might cause a security concern, stop wondering and ask the security group to review. Don't try to do the security group's job by trying to decide if it really is one or not."

    I think the bigger concern here was whether or not the bug got fixed, and once it was properly classified, it was indeed fixed. There probably could have been a faster fix for this bug, but I think most of what happened in this case can be directly faulted to him.....

    -thewldisntenuff
    • Um, that seemed to be the whole point. Again and again throughout the article he does a mea culpa. At the same time, I believe his general frustration with not knowing how to proceed comes through. We in FOSS need a more concrete process on how to handle bug through the system. And even very successful projects, like Mozilla/FireFox, can do a better job at communicating the way to handle these types of situations.

    • Yes, you are... (Score:5, Insightful)

      by Roadkills-R-Us ( 122219 ) on Wednesday October 06, 2004 @02:09PM (#10453161) Homepage
      Hmmm. That's a rather difficult conclusion to reach if you really read the article and think about it. Alex accepted the blame where he messed up, and noted other places he wasn't sure about.

      The fact is,the other person should not have reposted someone else's blog entry without permisison.

      The article was quite insightful. Hopefully it will lead to a better process.

    • Re:Looking for blame in all the wrong places (Score:5, Insightful)

      by Tor ( 2685 ) on Wednesday October 06, 2004 @02:14PM (#10453202) Homepage
      As he tried to convey in the article, the issue is not whether he can be faulted or not (and indeed, he can; then again, you can expect that many/most bug submitters would make "mistakes" like these).

      The quote, however, deals with someone who submitted for his weblog a word-for-word copy of his original bug report, without any comments, return address, or source. That goes a bit beyond useless and unhelpful, IMHO; that borders on disrespectful. At the very least, as he is saying, if that person indeed wanted full disclosure, he should point to where he found the copy of the text, so that the Mozilla security team could be made aware of it.

      Overall a well written article, certainly a lot more thoughtful than your comment.

      -tor

  • 3.5-year-old information disclosure and DoS (Score:5, Informative)

    by Jeffrey Baker ( 6191 ) on Wednesday October 06, 2004 @01:44PM (#10452959)
    Speaking of existing security bugs in Firefox & Mozilla, here's a security bug that's been open for 3.5 years and really needs some hero to come in and fix it. (The bug is assigned to me but I'm not qualified and don't have the time to come up with a real solution).

    Bug 69070 [mozilla.org]

    The bug was on bugtraq in 2001! It allows remote pages to open and use files on the local machine, and is also a denial of service on Linux, since Mozilla stupidly allows the opening of paths which are not regular files (/dev/tty).

    My experience with 69070 has been educational. I've learned if there's a security bug you care about, you had better fix it yourself. Unfortunately I can't but maybe someone in the audience has the spare time to step up.

    • Re:3.5-year-old information disclosure and DoS (Score:4, Insightful)

      by TrollBridge ( 550878 ) on Wednesday October 06, 2004 @01:49PM (#10452989) Homepage Journal
      But I thought the very nature of OSS makes this sort of thing impossible. What did I miss?

      • Re:3.5-year-old information disclosure and DoS (Score:5, Insightful)

        by julesh ( 229690 ) on Wednesday October 06, 2004 @02:09PM (#10453157)
        That Mozilla has a _huge_ number of bugs, many of which have existed for a number of years, a lot of which probably won't be fixed any time soon. Those working on the project don't generally care about them enough to fix them -- this is, after all, "only" a denial of service bug (note: I'm not condoning or excusing this behaviour, just saying that this is how a lot of people think).

      • Anyone actually saying that (Score:4, Insightful)

        by bogie ( 31020 ) on Wednesday October 06, 2004 @04:14PM (#10454305) Journal
        That's what you missed, listening to anyone with any level of maturity and experience in the OSS community . Red Hat doesn't say that can NEVER happen with OSS. Linus doesn't say its IMPOSSIBLE for OSS software to ever have bugs or security issues that aren't found and fixed. The Debian developers don't claim they have fixed every single potential bug in every single package they put out.

        One of the most annoying things users do is pick one single instance and say "HA!!!, this proves OSS is whatever". Newsflash, one OSS project doesn't=every OSS project. There is well written and secured OSS code out there and there is shoddy insecure OSS code out there. Nobody ever claimed that OSS is a panacea for all security issues.

        Nice straw man though. Insightful my ass.

    • Re:3.5-year-old information disclosure and DoS (Score:5, Insightful)

      by The Bungi ( 221687 ) <thebungi@gmail.com> on Wednesday October 06, 2004 @01:56PM (#10453050) Homepage
      Interesting. People around here bitch about Microsoft having these "dozens" of "unpatched vulnerabilities" in IE for "years" and "hiding, lying" and "sitting on security issues" and here's a three year old bug in the darling of open source development, who also has a "security classification" for certain bugs that "should not be disclosed" until they are fixed. But it's OK for some dude to publish an IE vuln without first contacting Microsoft and giving them a chance to fix it (which they have been doing very diligently for the past two years), in fact it's fantastic because it makes Microsoft (or "M$") look all the worse. But if it's Mozilla, it's perfectly acceptable. The recent GUI spoofing vuln (related to XUL, I believe) published a few months ago also had a "security classification" and was at least three years old, IIRC. But that's OK, because it's Mozilla.

      Fantastic. Talk about having your cake and eating it while telling everyone they can't have any.

      • Re:3.5-year-old information disclosure and DoS (Score:5, Funny)

        by daserver ( 524964 ) on Wednesday October 06, 2004 @02:07PM (#10453145) Homepage
        You could just have written: hypocrite :-)
      • I agree with everything you said, but remember this.

        Any Mozilla/Firebird vulnerability will not ruin my system. It will not cause me to reformat and re-install linux. It will not cause suspect programs to be installed on my computer without my knowledge. I might lose my $HOME, but not the use of my computer or applications.

        Think about how IE is different in this manner.
        Enjoy,

        • Re:3.5-year-old information disclosure and DoS (Score:5, Insightful)

          by CaptainABAB ( 771281 ) on Wednesday October 06, 2004 @02:34PM (#10453382)
          "I might lose my $HOME"

          Please tell me why losing all the documents/files/data you personally created is better then reinstalling an OS/apps, which are available on CDs and the net?

          Hopefully, you have a good back-up plan, but my personal files are 100x more important then any 3rd party binaries.

          IMO - both situations are equally terrible.
          • "IMO - both situations are equally terrible."

            I think the point was that it's worse to lose your personal files and OS/apps, than it is to only lose your personal files. In both cases you lose any personal files you don't have backed up. However, in one case you also lose the OS and applications.

            Both are bad, yes, but I wouldn't classify them as equal. I don't know about you, but I know it takes me longer to restore an entire system than just a few documents.

          • Not in business (Score:3, Insightful)

            by brunes69 ( 86786 )
            In business, if a virus sweeps your network and deletes 10-15 peoples home directories, no sweat. You tell them to keep working, and one at a time restore their files from the backup you did of those directories yesterday. (Any non-braindead company I would hope would be doing daily backups of user data). But if the virus takes out the *OS*, thats a whole other ball of wax. The sysadmin, who is a limited resource, has ot go around to N machines and re-install/re-image them. And for the hours this takes him

        • Re:3.5-year-old information disclosure and DoS (Score:4, Insightful)

          by The Bungi ( 221687 ) <thebungi@gmail.com> on Wednesday October 06, 2004 @02:39PM (#10453426) Homepage
          Think about how IE is different in this manner.

          It is not different. If more people stopped running under an administrator account the great majority of IE vulnerabilities would result in the same thing. Most email worms would as well.

          You can happily run under a non-privileged account in Windows NT4 and higher. The opearating system has supported it for at least eight years. That most applications break under such a scenario is Microsoft's fault to a certain extent, but not entirely so. Software vendors are just too lazy to code that way and they assume that they have the go of the entire machine.

          I would like to point another type of hypocrisy however - whenever there's a bug in a Microsoft product that is not "critical" in the sense you use, the slashbots come out of the woodwork claiming it's the end of the world yet again. But a bug in Mozilla that wipes out ~/ is OK, because it's "not critical". Do you really think it's "OK" for the average user to see their files wiped while /sbin is untouched? Tell you what: they would not. They'd rather have to wipe the machine and see it turned into a spam zombie than lose the vacation pics and whatever else they have under there.

          The problem with your assesment of this problem is that you say "user" and you're thinking about a developer or a sysadmin (in a corporate environment perhaps) with nightly backups and whatnot. In that scenario this bug is a nuisance. In reality it's a disaster.

        • I might lose my $HOME, but not the use of my computer or applications.

          I know that you'll say "backups", but for me $HOME is the most precious part of my Linux system. I don't backups every hour, and sometimes the loss of an hour's worth of programming/writing hurts a lot.
          • I use the following shell script to create hourly backups using rsync. It was taken from a very nice tutorial called something like "easy automated backups using rsync". Google should find it.

            Ad the script to an hourly cron cycle. All the backups will take only ORIGINAL_SIZE + CHANGED_FILES_SIZE. This script does 9 backups spanning nine hours into the past. Or days, or weeks or whatever you set your cron cycle to.

            You can restore from backups simply by copying the desired file from one of the bak.n di
      • There's a difference between bugs that have existed for three years and never been discovered and bugs that were reported three years ago but never fixed.
      • One point you seem to have missed is that people pay Microsoft for their software and therefore have a right to expect Microsoft to correct security vulnerabilities in a timely manner. As we are not paying for Mozilla we really have no right to make demands. We do have the right to fix the bugs ourselves or pay someone else to fix them, of course.

      • Re:3.5-year-old information disclosure and DoS (Score:4, Insightful)

        by L0rdJedi ( 65690 ) on Wednesday October 06, 2004 @03:07PM (#10453690)
        But it's OK for some dude to publish an IE vuln without first contacting Microsoft and giving them a chance to fix it

        Maybe I'm in the minority here, but it's NOT ok for that to happen either. And if I'm not mistaken, the Bugtraq mailing list has very clear guidelines for handling disclosure of any bugs found in any programs. I believe one of those guidelines is that if you're having ongoing discussion with the vendor about a bug, there's no need to report it to Bugtraq. If, however, the vendor is ignoring you or has ignored you for months, post away. Sometimes posting in a public forum is the only way to get a vendors attention.

      • Hypocrisy (Score:4, Insightful)

        by wtrmute ( 721783 ) on Wednesday October 06, 2004 @03:28PM (#10453881)
        But it's OK for some dude to publish an IE vuln without first contacting Microsoft and giving them a chance to fix it

        It's certainly not all right for someone to publish a vulnerability without contacting MS; any responsible FOSS developer will agree. However, once a security vulnerability is in the wild, it's in the wild, and pretending it doesn't exist will not help matters any.

        The big beef most FOSS developers have with MS lies in the fact that the current rendering engine for MSIE, Trident, is obsolete, MS acknowledges it as such, and yet still refuses to overhaul it. I quote from Wikipedia [wikipedia.org] (emphasis mine):

        In a May 7, 2003 Microsoft online chat, Brian Countryman, Internet Explorer Program Manager, declared that on Microsoft Windows, Internet Explorer will cease to be distributed separately from the operating system (IE 6 being the last standalone version); it will, however, be continued as a part of the evolution of the operating system, with IE updates coming bundled in OS upgrades. Thus, IE and Windows will be kept more in sync: it will be less likely that people will use a relatively old version of IE on a newer version of Windows,
        and newer versions of IE will not be usable without an OS upgrade.

        Now, this is a problem because many Windows users use versions of Windows which are obsolete: 98SE, ME, 2000. When Longhorn comes, this trend will of course hold true: people don't rush to the stores to buy the newest Operating System version. This means that people will be using still old versions of MSIE long after IE7 comes, which will, of course, be unsupported by MS because they don't want to trail support for 5 or 10 different versions of a single product.

        Finally, tying the web browser to the OS version ensures that a product that is upgraded for free today won't be in the future: remember, you may get the "newest" version of MSIE for free, but you must pay $50 or $60 (if memory still serves) for a new version of Windows, not counting the hardware upgrades which prove necessary. Most people will think that the old version works "well enough" and blissfully go on surfing the Web. Remember, security vulnerabilities are such because they're not obvious.

        In conclusion, FOSS developers do not criticize MS for keeping quiet about security vulnerabilities which do not yet have a fix; they criticize it for denying the need for a complete overhaul of their application even faced with massive evidence that their rendering engine has given what it had to give; instead, they concoct a scheme to force users to upgrade (spending money they might not have) in order to keep their data safe.

        • Re:Hypocrisy (Score:4, Interesting)

          by The Bungi ( 221687 ) <thebungi@gmail.com> on Wednesday October 06, 2004 @07:27PM (#10455712) Homepage
          Now, this is a problem because many Windows users use versions of Windows which are obsolete: 98SE, ME, 2000. When Longhorn comes, this trend will of course hold true: people don't rush to the stores to buy the newest Operating System version. This means that people will be using still old versions of MSIE long after IE7 comes, which will, of course, be unsupported by MS because they don't want to trail support for 5 or 10 different versions of a single product

          I don't contest what you're saying, and personally I think it's a bad idea from Microsoft, assuming it actually happens. But I find this argument quite interesting.

          Let's assume for a second that Mozilla becomes the most widely used browser in the world (for whatever operating system). 100 million people download and install it. And then someone finds another serious vulnerability with it. The Mozilla folks patch it. Then what? 20 million people upgrade, and 80 million don't. What then? The exploits come. How does Mozilla handle this? Because they're going to have exactly the same type of problem Microsoft has today: people who just don't give a damn if their computers are turned into spam zombies or get bogged down with malware. These are the people from whose machines you and I still get those stupid mass-mailing worm messages, and of course spam.

          Mozilla can very well damn rewrite the entire Gecko codebase and it will do them absolutely no good. Just like Microsoft with IE. With the small distinction that Microsoft does still support three versions of IE, while Mozilla likely won't even go there.

          Today you can find thousands of Linux machines out there that have year-old holes in Sendmail, SSH and the kernel itself. It's just that very few of them are being run off Comcast cable modems and virus writers just don't see much value in taking them over. It's no different from Windows.

          Even if Microsoft decided to bite the bullet and support seven versions of IE, I doubt it would do much good. What they can do is "force" users to upgrade to minimize the problem, which is what people around here call "the upgrade train" and is exactly what RedHat started doing with their corporate customers because support costs are prohibitive. And that's what Mozilla will have to do ("we don't support version X anymore, sorry. Upgrade to Y now!") because there's no other way to approach it.

          And BTW, the fact that some obscure company decided to "support" older versions of RHEL means nothing in the desktop/home user space, so "having the source" is useless.

          The people who write free software seem to think they can engineer all these problems away by writing "cool code" and making it "absolutely secure" from the get-go. That's not going to happen. They're still finding bufer overflows in Sendmail, for crying out loud. No, they're going to be in the same situation as Microsoft is today and they're going to get the same beatings left and right. I really hope I get to see that, if only for the chuckles.

    • Re:3.5-year-old information disclosure and DoS (Score:5, Informative)

      by Anonymous Coward on Wednesday October 06, 2004 @02:03PM (#10453103)
      "It allows remote pages to open and use files on the local machine"

      You make it sound like it allows remote servers to open and use files from the local machine. In fact what it allows is remote server to cause the local machine to open files locally, which is a different thing altogether.

      It still should be fixed, but it's only a DoS, not a remote-execute or a remote-data-access.

      • Re:3.5-year-old information disclosure and DoS (Score:5, Insightful)

        by mdfst13 ( 664665 ) on Wednesday October 06, 2004 @02:26PM (#10453309)
        "not ... a remote-data-access."

        According to comment 58 in the bug report: "Given that this vulnerability actually allows sites to do useful things like steal passwords, I feel that we should address it ASAP."

        This bug allows the browser to open and access a local file. The information about the file can then be sent to a remote site with some basic javascript. How is it not a remote data access again? The DoS issue is not good, but the file opening is worse, particularly if someone figures out a way to get the contents of the file rather than just the characteristics.
      • It does allow the remote server to discover if the local file exists, which is an improper disclosure.

  • I will save this bugtrack for later reading.. (Score:5, Funny)

    by Tei ( 520358 ) on Wednesday October 06, 2004 @01:44PM (#10452961) Journal
    Opps.. where are ALL my precious precious downloaded files?
  • You know we can't access bugzilla from slashdot links. It's just everytime I go to the clubs with a beanie, I get turned away. Why are we doings this to each other, HUH?!

  • There's that FLOSS word again (Score:5, Funny)

    by h00pla ( 532294 ) on Wednesday October 06, 2004 @01:56PM (#10453048) Homepage
    I really hate that acronym. FLOSS reminds me of brushing and FLOSSing (ie - picking the crap out from between your teeth). Is it really too much to ask to write out Free and Open Source software or how about Free/Open Source software? I can just see what's next - we'll be referrring to some development process as ENEMA.

    Acronym loving developer: I advocate the use of FLOSS and if it's with ENEMA, all the better.
    CIO: You're fired.

  • What is FLOSS ? (Score:2, Insightful)

    by babbage ( 61057 )

    What the heck is FLOSS ?

    There was a 2002 paper [linuxdevices.com] published by the Mitre Corporation [egovos.org] that used the term "FOSS", meaning "free and open-source software". As far as I know, this was the first use of the term, but it may go back a bit farther than this.

    I don't, however, have any idea what "FLOSS" is supposed to mean. Assuming that it isn't related to dental hygiene, what is it supposed to stand for ? "Free {Linux, liberty, low-cost} open-source software" ? Just a nonsense corruption of "FOSS" ?

    The closest e

    • The L is for "Libre", to distinguish it from free "Beer" software.
    • ""Free-Libre / Open Source Software". Is this really what people are trying to say ?"

      Ick. Under that name, the F or the L is entirely redundant. They might both be considered somewhat redundant depending on how pedantic a person is about it. That said, FOSS sounds weird, LOSS sounds negative, and the pedants don't think OSS is enough to thoughroughly describe the movement in one acronym. Sigh.
      • The "Libre" is there to "thoroughly describe the movement in one acronym". This is becasue of the dual meaning of the word "free" in the English language. The French have two words that translate to "free": Libre and Gratis. The later refers to cost rather than freedom and "free-gratis" software such as Acrobat Reader, Yahoo Messenger or Bonzi Buddy have nothing to do with the movement.

        I agree that the acronym is unfortunately rather stupid. "Remember kids to use FLOSS daily"...whatever...

    • Re:What is FLOSS ? (Score:3, Informative)

      by caseih ( 160668 )
      Yes. See http://en.wikipedia.org/wiki/FLOSS.
    • What the heck is FLOSS ?
      FLOSS [musculardevelopment.com] - it's not just for teeth anymore.

  • IAAPST (I am a professional software tester) (Score:5, Insightful)

    by Anonymous Coward on Wednesday October 06, 2004 @02:11PM (#10453173)
    This guy made the #1 mistake you can make when it comes to bug advocacy. He assumed his bug was more important than all the others. It had to be fixed now! Now! Now! Now!

    Which can be entirely correct, but you don't get anywhere by running around like chicken little trying to make everybody look at your bug. They heard you the first time. If you don't have any new substantive information to give them, sit back and relax. People never respond to selfish requests well. It can even discourage them from taking a look at it.

    • Re:IAAPST (I am a professional software tester) (Score:5, Insightful)

      by joey ( 315 ) <joey@kitenet.net> on Wednesday October 06, 2004 @02:36PM (#10453401) Homepage
      Bugzilla seems to encourage this with its system of various ways of voting on a bug, which encourages users to advocate their pet bug in order to get it fixed. I've seen this advocacy spill over into projects that don't use bugzilla recently, and IMHO it just causes a lot of distracting noise.
    • If you are a professional, as in a company pays you to do this, then they listen to you for that reason. You test, hand a list of bugs back, the programmers get them and the cycle goes on. You know they'll listen to you since they are paying you to do this. Also the programmers will work on them since they are paying them to do so.

      Well OSS is a whole idfferent ball game. First, just because you report a bug, doesn't mean the developers will listen to you. You are, after all, just some guy on the web. You h

  • smart defaults (Score:5, Insightful)

    by osssmkatz ( 734824 ) on Wednesday October 06, 2004 @02:19PM (#10453243) Journal
    This bug was a security bug in part because Firefox 1.0 changed the default download directory so that downloadable files were saved directly to the desktop.
    Microsoft is always criticized for having bad defaults. In this case, having the default download directory be the desktop was a bad default. I would argue that you wouldn't neccessarily do bad to create a folder for each downloadable file. No one would be annoyed by that, and it would provide protection in the file system for any future holes.

    You could also have a "recently downloaded files" directory on the desktop. Even a shortcut to "Location of downloaded files". Mozilla has been known for its innovation. Using the desktop is not innovative--the desktop should never be a permenant storage location. Everything Microsoft puts there is a shortcut.

    I also question whether it was wise to change or set defaults in a "1.0" milestone release.
    • ...wouldn't neccessarily do bad to create a folder for each downloadable file. No one would be annoyed by that...

      Sorry, I'd be annoyed. It means extra time accessing the files. That's probably why they moved the download directory to Desktop in the first place.
      • "...wouldn't neccessarily do bad to create a folder for each downloadable file. No one would be annoyed by that..."

        "Sorry, I'd be annoyed. It means extra time accessing the files. That's probably why they moved the download directory to Desktop in the first place."

        So would I be annoyed. Also, think of the case where you cancel the download. If it left an empty directory you can be sure a bug would be filed for the directory to be removed on download cancel. This could allow this bug to happen again.

    • This bug was a security bug in part because Firefox 1.0 changed the default download directory so that downloadable files were saved directly to the desktop. Microsoft is always criticized for having bad defaults. In this case, having the default download directory be the desktop was a bad default.

      I'm sorry -- can you elaborate? Maybe I'm too Mac OS X-centric to see the point, but how is ~/Desktop any different from any other directory? I personally find it real handy to have all those installers and dis

  • My impressions of the Mozilla project (Score:5, Insightful)

    by jd ( 1658 ) <imipak&yahoo,com> on Wednesday October 06, 2004 @02:21PM (#10453256) Homepage Journal
    I've honestly not heard too many good things about Mozilla. Oh, the team is certainly bright, and they have produced an excellent browser, but the politics are hairy and some of the coding quality isn't what I'd expect.


    First off, if someone reports a bug, it should be ASSUMED that there is a potential security issue there, until proven otherwise. Why? Because there are generally side-effects. Even if the bug doesn't directly do anything nasty, it may very well cause something unintended which, in turn, causes something else unintended, and so on. Programmers generally talk of such effects "cascading" or "snowballing", because the effects usually do build up over time. Sooner or later, this will result in a corruption of data, a program crash or an exploit due to insufficient value checking.


    There are two classes of bugs in a computer program. Those that cause the program to crash, and those that don't. The second type are much harder to track down (because you've no real indication of where the problem started), but they are generally much worse and much more prevelent.


    The "correct" way to handle bugs is to assume that (almost) any problem puts the software at risk of a non-fatal bug that could (eventually) destabilize the program or open an exploit. Spelling errors in text messages are probably OK, but even there, if you're placing them in fixed-length buffers, it is saner to check and be sure that the risks are low than to ignore apparently trivial "appearance" stuff that could be catastrophic. I've seen programmers give themselves buffer overflows, I've even seen programmers rely on certain OS quirks when an overflow occurs. The code may not be portable, and it sure as hell isn't safe, but it does work.


    (I've actually seen some code that won't run, unless the debug flag is present. The code will actually segfault if the extra padding the debug data creates is not there. Not from the Mozilla team, this was in a prior place of employment, but it does demonstrate that coding is not just about making something "work" it's about making it work for the right reasons.)


    Now, the Mozilla team is probably simply too small to regard every bug entered in their database as a potentially critical show-stopping security hazard. This, however, reflects more on the userbase than on the Mozilla folks. Open Source works if, and only if, the "lots of eyes" out there looking for problems also translate into "lots of hands" for fixing problems.


    Sure, not everybody is going to be a coder. So? If a mere 1 in every 100 users took the time to chase down not only the bug as seen, but at least some of the prior bugs that that bug depended upon to do anything at all... Mozilla would be in a lot better shape.


    Politics in projects don't help. GCC and Glibc suffer badly from a management style that can be diplomatically summed up as "Old-Style IBM without the money - or the justification". There's a lot of "Not Invented Here", "Somebody Else's Problem" and "It Works For Us", although the GCC team is apparently a lot better than it used to be.


    The moment any project suffers from any of those three things is the moment that it is under a self-imposed sentance of death, to be carried out the moment a better alternative arrives, where the only possible hope of a reprieve is to tackle those attitudes and eliminate them.


    9 out of every 10 security bugs are caused by a fault in attitues, at the time of coding or later, and not by any fundamental nature of computing.


    BTW, this is off-topic, but biologists and geneticists are mourning the passing of one of the three scientists who discovered the structure of DNA. The BBC [bbc.co.uk] is reporting the death of Professor Maurice Wilkins, aged 87. He died in hospital, no cause was given.

    • First off, if someone reports a bug, it should be ASSUMED that there is a potential security issue there, until proven otherwise.

      Okay, just a moment. Consider the feasibility of this. Even small FLOSS projects may have a hundred bugs open.

      I mean, you *could* consider it a "security hole", but if you take such a policy, you won't be able to actually do much about "security holes".

  • hiding previously public bugs does not work (Score:5, Insightful)

    by joey ( 315 ) <joey@kitenet.net> on Wednesday October 06, 2004 @02:28PM (#10453331) Homepage
    I'm flabbergasted that the mozilla security people seem to think that "hiding" a previously public bug after it's noticed that it has security ramifications is an effective way to keep black hats from noticing it.

    I think it's safe to assume that black hats interested in finding 0-day security holes in mozilla have already, or soon will create a mirror of the bugzilla archive, with history. Then they can look for bugs that are suddenly removed from the public bugzilla archive, and have some very good candidates for fresh security holes.

    And there's no way the mozilla security people can effectively combat this. At best they get into a technology arms race with the black hats, trying to figure out what techniques they're using to spider and mirror the archive.

    Once a bug is posted to a public bug tracking system, even if it's only been there for an hour, you might as well give up and assume it's widely publically known.

    Oh and in my personal experience, the best way to get a security bug fixed once you discover it is to immediatly write an exploit, clearly flag the bug as a security hole, and post it to a public forum with a sifficuently broad readership that someone in a position to fix the bug will, be that the project's BTS or bugtraq.
    • Oh and in my personal experience, the best way to get a security bug fixed once you discover it is to immediatly write an exploit, clearly flag the bug as a security hole, and post it to a public forum with a sifficuently broad readership that someone in a position to fix the bug will, be that the project's BTS or bugtraq.

      Great, and now while users are surfing the web between checks of [windows update | product's website], they're getting hacked. Good job.

      If you file a Mozilla bug and mark it as securit
  • It is not a bug in Mozilla. It is a bug in Firefox.
    Please don't confuse Mozilla users with security bugs that are not in their browser.

  • Give us CHROOT! (Score:5, Interesting)

    by freelunch ( 258011 ) on Wednesday October 06, 2004 @02:31PM (#10453355)
    Running Mozilla or Firefox in a chroot environment would greatly enhance security.

    I recently tried to get this working but didn't have much luck (haven't given up yet). There isn't much info on the web.

    I currently run Firefox under a separate user ID, which is better than the default.

    Any suggestions to get chroot working with Firefox?

    • Re:Give us CHROOT! (Score:5, Informative)

      by pe1chl ( 90186 ) on Wednesday October 06, 2004 @02:49PM (#10453501)
      > Running Mozilla or Firefox in a chroot environment would greatly enhance security

      Of course it would not have helped in this case.
    • a few starting bits from a gentoo box (in bash):

      mkdir ffchroot && cd ffchroot;
      ldd /usr/lib/MozillaFirefox/firefox-bin|while read libname separator libfile hex; do echo $libfile|sed "s#$libname##g"; done|sort|uniq|grep "/"|while read x; do mkdir -p ./$x; done
      ldd /usr/lib/MozillaFirefox/firefox-bin|while read libname separator libfile hex; do echo $libfile; cp $libfile ./$libfile; done;
      cp -a /usr/lib/MozillaFirefox usr/lib
      mkdir -p etc usr/bin home/$USER
      cp /usr/bin/firefox usr/bin
      cp /etc/passwd etc

      Un

  • OSS Is Not A Magic Bullet (Score:4, Insightful)

    by EXTomar ( 78739 ) on Wednesday October 06, 2004 @02:43PM (#10453452)
    Anyone who is claiming that FLOSS is the perfect software development model is either trying to sell you something or simply mistaken. One of the weaknesses is simply everything is subject to interptation.

    The people who find the bugs are often do not agree with the people fixing/writing the application. If you are using one of the "for profit" models, its easier to prioritorize bugs: you target the ones that are the most expensive first. With FLOSS it is the one that is most anoying. A bug might be the most anoying bug in the world but if the core team is not going to hit it they aren't inclined to fix it.

    What is implied in the FLOSS development model is that the reporter is savy enough to jump into the code and either fix it themselves or give enough inside help to someone who can to cut down the fix time. When this does not happen you have problems.

    In short, OSS is IMHO a better model for colaborative project development. However no one should ever believe it it is perfect. Everyone must remember that neither colaboration nor agreement are guarenteed with FLOSS.
  • He seems [mozillazine.org] to have gotten a bounty from the Mozilla Foundation [mozilla.org] for this.

  • Actually, things went really well. (Score:5, Insightful)

    by dwheeler ( 321049 ) on Wednesday October 06, 2004 @02:55PM (#10453555) Homepage Journal
    The author makes the process (from the user point of view) sound much worse than it really was. Was this a bad bug? Of course, all agree that dataloss is a terrible thing. But:
    1. this was immediately marked as a blocker, so the official (initial) release of Firefox was NOT going to go out with this bug, anyway, no matter what.
    2. once it was identified as a security issue, it was fixed within a half hour, even though it was an incredibly difficult bug to find (3 project developers had tried and failed).

    Yes, ideally all bugs are fixed even more rapidly. But originally this wasn't marked as a security bug, and nonsecurity bugs often take more time to fix than you'd wish in any development process:

    1. The bug appeared to be an extremely unlikely occurance, and thus while important to fix before release, it's not clear that the delays were in any way unusual for ANY development project. Although it had bad ramifications, it's also clear that triggering this accidentally is extremely difficult. None of the millions of users using Firefox had reported it before, and previous versions have been out for a while. The priority of a bug doesn't just depend on the severity of the problem, but on the likelihood. If a dataloss can happen 1/day, that's much more serious than one that happens 1/millenium. For extremely unlikely triggers, it's not at all unusual for those to take longer to correct in either proprietary or open source software. In part that's because of the difficulty of tracking down such uncommon problems to their source.
    2. This was obviously a hard bug to fix. Three people tried to find the bug, and couldn't do so. The author wishes that even more people would've worked on it in the early days, but all projects have a limited number of people and much to do. Heck, in most proprietary projects, you assign only one person to handle the bug, and that person has 100 other assignments too. He had three people directly working on it, with discussion by others... that's far more help than many projects get.

    What changed everything was marking it as a security requirement. Here I agree with the author - the author should have identified this as a security problem in the first place. And I'm really sympathetic to his sitatuation; we all make mistakes, and at least he reported the bug in the first place. Thankfully, a later reader DID realize this, and raised it to a security issue. As a security issue, suddenly the "unlikely" problem becomes "near certainty" since an attacker WANTS to cause trouble, and will work to cause the unlikely to happen.

    And once it was labelled as a security problem - look at the speedy response! It was fixed in less than a half hour - that's extraordinarily fast in any software development process, OSS/FS or proprietary. It's even more amazing because the problem was in a completely different place than 3 previous developers had thought... so this was clearly not an easy bug to find and fix (at least for most project developers).

    And Firefox is still at the "previous release" level, it's not even officially released! I routinely use Mozilla and Netscape, not Firefox, because Firefox THEMSELVES state that the product's not ready. When they say it's ready, I'll let other people try it out first; version 1.0s are often a little wet behind the ears (remember Windows 1.0? Probably not, and there's a reason for that). But once Firefox 1.0 is out for a little while, I'll probably switch to it; it looks really nice. Obviously a lot of people

    Getting ansy about taking a little extra time to find a non-security bug, when the product can't be released til it's fixed anyway, and it's hard to fix, seems a little excessive.

    The process issues he raises are interesting issues, and they're certainly worth addressing. E.G., how do you "make secret" that which is already public? But I'm sure there are many possible answers; discuss, pick one, and move on.

  • The headline makes me laugh (Score:5, Funny)

    by wazzzup ( 172351 ) <astromac@nOsPaM.fastmail.fm> on Wednesday October 06, 2004 @03:02PM (#10453614)
    Today's Headline - A Security Bug In Mozilla - The Human Perspective

    Tomorrow's Headline - A Security Bug in IE - Sweet Jesus, Microsoft Fucking Sucks Yet Again

    Don't worry, I hate Microsoft too ;o)

  • Dental Hygene (Score:4, Funny)

    by GoRK ( 10018 ) on Wednesday October 06, 2004 @03:13PM (#10453759) Homepage Journal
    FLOSSing by itself is not enough. You must also BRUSH to prevent tooth decay and maintain your health.

  • Maybe I'm missing something (Score:4, Insightful)

    by k12linux ( 627320 ) on Wednesday October 06, 2004 @03:30PM (#10453900)
    The bug was flagged as a security issue the same day it was added to bugzilla. A patch was released within a couple of weeks and it made it into the binaries pretty soon after that. At least that's the impression I get looking over the bug entries which run from 9/15 through 10/4.

    So.. please help me understand how this reflects so poorly on the Mozilla developers? Also, how does the way this was handled put them in the same crowd as MS? Especially after MS is caught sitting on serious security flaws for six months or more then sneaking the patches into a service pack without ever telling anyone the flaw existed?

  • Its FOSS not FLOSS! ..and security si a 2 step or 2 parts of a whole:

    -Finding bugs
    -Clean/Clear Architecture

    implying that finding bugs is imperfect as far as fixing security is a misnomer as it never was designed to fix security..the architecture was!!

    For example, in inventory audits its not the coutners accuracy that you depend on becasue they are only minmum wage and not skiled..you depend upon the framework of the audit to gurantee some accuracy by using analysis and stts..

    Same principle applies here.

Slashdot Top Deals

"All the people are so happy now, their heads are caving in. I'm glad they are a snowman with protective rubber skin" -- They Might Be Giants

Close