Security Issues in Mozilla
paulius_g writes "SecurityFocus has released a security warning with three problems that affect Mozilla on all platforms. The first issue allows the source of a download to be spoofed, generating a fake URL. This security issue is really easy to replicate: Create a long URL and the downloading box will only display its ending (Mozilla and Firefox). The second issue was created by the way that Mozilla's browsers handle news:// links to newsgroups, hackers can easily create false links and create a buffer overflow (Mozilla 1.7.5 and below, Firefox versions before 1.0). The third exploit affects machines with multiple users. The way that Firefox and Thunderbird store files allows every user to see them and to probably catch the other user's surfing habits (Firefox and Thunderbird). Let's hope that these will be fixed soon!"
A fix? (Score:5, Informative)
==========
All Mozilla users should upgrade to the latest version:
Says the site, implying at least a partial fix is available.
Re:A fix? (Score:3, Interesting)
Why is everyone saying these are fixed?
Re:A fix? (Score:5, Insightful)
I'm more curious as to why they aren't fixed YET? We've been hearing for years that Open Source software is better because any problem is fixed within 24-48 hours. Well, it's been almost 51 hours since that issue was released on SecurityFocus, and I'm sure significantly longer since it was first discovered. Firefox is still not telling me there's an update available. What gives?
For those incapable of grasping the sarcasm, let me spell it out for you: rhetoric gets stale for a reason.
Re:A fix? (Score:4, Informative)
Regards,
Steve
Re:A fix? (Score:3, Interesting)
So? Why is it that when a flaw is found in a MS product that hasn't even been on the market for 4 years everyone jumps up and down and says "SEE! SEE!! They want to keep you on a constant upgrade cycle!!", but when it happens in the open source community, the reaction is "Eh, just upgrade"?
Re:A fix? (Score:3, Insightful)
Re:A fix? (Score:2)
Re:A fix? (Score:2)
cd
chmod 700
I am surprised Mozilla software doesn't set profiles non-world readable by default...
-Z
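The check the comment above describes, as an added example that is not part of the thread or of any Mozilla code: it lists what group or other users can access under a profile directory, then strips those bits. The directory argument, the function names and the sample files are assumptions constructed here.

```shell
#!/bin/sh
# Added example: audit and tighten a per-user profile directory.
# The directory is always passed in by the caller; "$HOME/.mozilla" in the
# usage lines is an assumed location, check where your build keeps profiles.

# list_exposed DIR
# Print every regular file or directory under DIR (DIR itself included) that
# grants any read/write/execute bit to group or other. Symlinks are skipped:
# their own mode bits mean nothing and chmod would follow them.
list_exposed() {
    find "$1" \( -type f -o -type d \) \
        \( -perm -0040 -o -perm -0020 -o -perm -0010 \
           -o -perm -0004 -o -perm -0002 -o -perm -0001 \) -print
}

# count_exposed DIR
# Number of exposed paths; 0 means nothing to fix.
# (Counts lines, so a file name containing a newline is counted twice.)
count_exposed() {
    list_exposed "$1" | wc -l | tr -d ' '
}

# lock_down DIR
# Strip all group/other bits from DIR and everything below it. Owner bits are
# untouched, so a 0755 directory becomes 0700 and a 0644 file becomes 0600.
# A 0700 top directory already blocks traversal by other users; tightening
# the contents as well keeps files private if they are later moved out.
lock_down() {
    find "$1" \( -type f -o -type d \) -exec chmod go-rwx {} +
}

# make_sample_profile
# Build a constructed profile tree with loose modes and print its path.
make_sample_profile() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/profile/Cache"
    : > "$d/profile/history.dat"      # constructed stand-in files
    : > "$d/profile/Cache/entry0"
    chmod 755 "$d" "$d/profile" "$d/profile/Cache"
    chmod 644 "$d/profile/history.dat" "$d/profile/Cache/entry0"
    printf '%s\n' "$d"
}

# Usage: sh audit.sh "$HOME/.mozilla"        report only
#        sh audit.sh --fix "$HOME/.mozilla"  report, then tighten
if [ "$#" -gt 0 ]; then
    fix=no
    if [ "$1" = "--fix" ]; then
        fix=yes
        shift
    fi
    target=${1:?directory required}
    list_exposed "$target"
    if [ "$fix" = yes ]; then
        lock_down "$target"
    fi
fi
```

Setting `umask 077` in the shell that starts the browser keeps newly created files private as well.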
Re:A fix? (Score:2)
But the first link shows that they are all fixed with the latest releases so not an issue.
Re:A fix? (Score:3, Funny)
Re:A fix? (Score:3, Funny)
Re:A fix? (Score:3, Informative)
The second issue was created by the way that Mozilla's browsers handle news:// links to newsgroups, hackers can easily create false links and create a buffer overflow (Mozilla 1.7.5 and below, Firefox versions before 1.0).
The first issue was for all versions (for Firefox and Mozilla), as was the third (for Firefox and Thunderbird).
Re:A fix? (Score:3, Insightful)
Only THREE? (Score:3, Funny)
Security (Score:5, Funny)
Not Mozilla!! (Score:5, Funny)
Bet Gates is grinning today hoping everyone will forget his laptop crash.
Don't Tech all day and night, visit:
WillingtonKarateClub.org Training Tips and more
Umm.... (Score:4, Insightful)
The way that Firefox and Thunderbird store files allows every user to see them and to probably catch the other user's surfing habits (Firefox and Thunderbird)
Can't the same be said of IE or any program that stores information in %SYSTEMROOM%\Documents and Settings\%USERNAME% ? I mean, it's possible for me to see anyone's "habits" that way, right?
Re: (Score:2, Interesting)
Re:Umm.... (Score:3, Informative)
Now everything is stored under Documents and Settings/user/Application Data/thunderbird
or something like that.
Re:Umm.... (Score:5, Funny)
Re:Umm.... (Score:3, Interesting)
When I did a Search for the file, the search window gladly displayed the file in question (from their documents folder) and allowed me to copy it to my documents folder.
Re:Umm.... (Score:2)
Searching for * in C:\Documents and Settings returns the folders in D&S, all the files/folders in my home directory, and all the files/folders in the "All Users" directory. I cannot use the search results dialog to access another user's home directory.
I call shenanigans.
Re:Umm.... (Score:2)
Is this perhaps the Firefox problem? (Score:2)
Like other readers here, I am confused about what Firefox could possibly be doing that is different than other programs. This could be it.
Re:Umm.... (Score:3, Informative)
I believe that the Docs & Settings folder is owned by the user in question and has the permissions set to keep other users out. But, thanks to the way Windows runs, everyone pretty much needs to be an Administrator to do things like, idk, run a CD-Burning app, so a knowledgeable user could change the permissions and look inside.
But, this is a generic Windows problem, most users are Administrators, and they can therefore see oth
Re:Umm.... (Score:3, Interesting)
I've had everyone on my XP SP2 machine running as a "limited" user for quite a while, and so far the only application I've seen that didn't work properly was the latest version of Palm Desktop. (it has to be installed by an admin, but puts all of its settings in HKEY_CURRENT_USER. So it has to be installed by whoever needs to run it. So you have to promote any user wh
Re:Umm.... (Score:2)
You can set up your NTFS security such that only %USERNAME% can see the data in %USERNAME%'s folder. Very few home users do this, of course, and most wouldn't want to. Typical users wouldn't be able to function if Mom couldn't view the family pictures that Dad downloaded from the family's digit
Re:Umm.... (Score:2)
Misleading article summary -- the real story (Score:3, Informative)
I'm not too worried about the third one. For one thing, it is easily worked around by se
Misleading Article (Score:3, Informative)
It would have been helpful for this information to be included in the story. Thanks, Slashdot.
Re:Misleading Article (Score:2)
Re:Misleading Article (Score:2)
It is well known, as you know.
Re:Misleading Article (Score:2, Offtopic)
Re:Misleading Article (Score:2)
Re:Misleading Article (Score:2, Informative)
Anyhoo, regarding color schemes, I ran across this the other day...
http://forums.mozillazine.org/viewtopic.php?t=185
Haven't tried it, but it looks pretty basic.
As for the crew, I'm currently working on an extension to replace michael's rants with underscores.
Well, not really.
Re:Misleading Article (Score:2)
Wrong! (Score:5, Informative)
Only the buffer overflow issue has been fixed! This article on the Register should clear things up:
http://www.theregister.co.uk/2005/01/07/mozilla_flaws/ [theregister.co.uk]
Re:Misleading Article (Score:5, Funny)
You must be new here.
Re:Misleading Article (Score:2)
Actually, "So, instead of being misleading, the Slashdot editor should have confirmed that...".
Buffer overflow? (Score:4, Insightful)
Re:Buffer overflow? (Score:5, Insightful)
Perhaps one reason is they are not really using C++ to its fullest extent like here [mozilla.org] as an example.
Re:Buffer overflow? (Score:2)
It's always depressing to see portability guides that say that sort of thing. (For those who didn't follow the link, it basically says don't use standard libs like iostreams.) C++ has been standardised since '98, with most players knowing the basic rules well before that. That's nearly a decade ago!
We have similar rules at work, where we do work with some seriously old compilers on a very portable code ba
3 Whole Security Issues! Thank God... (Score:5, Funny)
Re:3 Whole Security Issues! Thank God... (Score:2)
Nice little roll, there. I probably oughtn't point out that if you're actually buying a copy of XP these days that it'll have SP2 applied to it already. At least, all the stores around here sell it this way.
Updates (Score:5, Insightful)
Re:Updates (Score:3, Informative)
On linux, you have stuff like apt / yum / portage to keep computers up to date.
Mac version probably updates itself too, but don't quote me on that.
Re:Updates (Score:2)
No and yes, respectively.
Herein lies the fallacy behind much of the MS-bashing on threads like this.
Re:MS already learned this lesson... (Score:2)
Older versions only (Score:2, Informative)
Basically this is a non issue as everyone should have upgraded to v1.0 as soon as it came out.
Re:Older versions only (Score:2)
Sounds like good news to me (Score:3, Insightful)
Re:Sounds like good news to me (Score:2)
Indeed, however the hope is that the security problems will be fixed quickly, and that the developers won't ignore them, pretending they don't exist.
The really important thing as far as I'm concerned is the length of time needed to fix newly discovered bugs, not the number, and this is where the open source development model works so much better.
I'm concerned about 0-Day (Score:5, Insightful)
I'm also concerned about those nasty 0-Day vulnerabilities that are out there but we don't know about. The problem with open source is that the code is out there, so it's easier to find the bugs. The saving grace is that the code is generally better, and there are usually more white hats looking for the problem than black hats.
I still think FF is safer than IE, but I also think it's just as important to be wary of the bugs we don't know about as the ones we do. The same goes for any software product.
Re:Sounds like good news to me (Score:5, Insightful)
Of course not. But, unlike IE, these aren't 'You open a web page and your machine is taken over as a spam zombie' vulnerabilities. They should be fixed, but are less serious than the usual IE bugs... and they'll likely be fixed a lot faster.
Re:Sounds like good news to me (Score:2)
These are not serious Mozilla bugs, yet. IE didn't have these problems right away. Just like Mozilla are not having these problems, right away.
Re:Sounds like good news to me (Score:2)
There are security advantages to the latter.
Re:Sounds like good news to me (Score:5, Interesting)
If you can have buffer over-run vulnerabilities in your C++ app, then you are potentially vulnerable to absolutely anything. The fact that even one exists, even in a beta development, betrays fundamentally flawed coding standards and/or QA procedures. These things should never happen in a C++ app, and the coding techniques to prevent them are trivial.
Easy, tiger. As others have pointed out, most exploits of Windows/IE systems use vulnerabilities that MS patched months ago, and when critical ones do come up, patches usually do appear (with much hype) PDQ.
Re:Sounds like good news to me (Score:3, Informative)
> in your C++ app, then you are potentially
> vulnerable to absolutely anything.
Not really true.
1) If it's a *read* overrun, it's probably not exploitable. Could possibly be an information leak.
2) If it's a write overrun by at most 1 byte, it probably won't be exploitable.
3) A variety of other restrictions may apply that make it not exploitable.
4) The browser might have a buffer overrun bug that cannot be triggered by a remote Web page unless the us
Re:Sounds like good news to me (Score:2)
The only reason it's surprising to me, is that these are bugs that have been already fixed.
It wouldn't be a slashdot story if it read, "the Bugzilla for the Firefox project notes that in version
Right?
It's fulfilling its prophecy (Score:2, Redundant)
And.... (Score:2, Insightful)
The difference between Mozilla/other OSS and MS software is that while a bug in IE will remain unfixed for months (unless it's such a glaring error that the media grills them for it,) a bug in Moz/Firefox won't last very long. So the real issue that we need to remember is not that three bugs were found, but that unlike MS three bugs will be fixed.
Cheers,
-maztuh
Re:And.... (Score:2)
Oh wait, that wouldn't be news, that would be business as usual.
Read The Article. These are fixed.
So what about. . . (Score:2)
Third item... (Score:5, Informative)
Re:Third item... (Score:3, Informative)
Re:Third item... (Score:2)
Doing this leaves a world readable file in
Jeebus Kriced (Score:5, Funny)
RTFA - Answers await (Score:2, Informative)
This article is BOGUS! (Score:5, Informative)
They affect Firefox versions BEFORE 1.0, Thunderbird BEFORE
This article was posted by some MS shill who is hoping that because Slashdot is spidered by Google news they will get some mainstream journalism about Firefox's bugs!
This is TOTAL crap! Let the MS Smear campaign begin!
Re:This article is BOGUS! (Score:2)
Re:This article is BOGUS! (Score:2)
http://www.bugnet.com/analysis/reports/win98_1.ht
Re:This article is BOGUS! (Score:2, Informative)
How did this pass muster? The article clearly states:
Various vulnerabilities were found and fixed [emphasis added] in Mozilla-based products, ranging from a potential buffer overflow and temporary files disclosure to anti-spoofing issues.
While I recognize the article does state in the middle of it that it was for releases prior to the current ones, why not say that in the title or somewhere in the first sentence. Saying something like, "People using older versions of.....may be vulnerable to security f
These vulnerabilities will be fixed in three... (Score:2)
What, they're fixed already?
Never mind.
I love open source.
The reality... (Score:2, Insightful)
I still prefer Firefox for its usability features. It wasn't long ago that they got in place a "Software
So we have (Score:4, Insightful)
Problem Two: Beta Firefox? That's not an issue then. Otherwise, who let a buffer overflow get into the codebase?
Problem Three: Surely this is more of a problem with Windows' Security model? if an OS is used essentially as a single user machine (e.g., 9x) then there is little that can be done between profiles.
Re:So we have (Score:2)
Open Source/Security (Score:2)
The UI hole (right-aligning the URL) is also in an unexpected place.
I always hear talk about the problem with Open Source is people only do the fun stuff. Well, for different people, different things are fun. For some people a security review is very fun. Of course, not as fun as doing a security review on the otherwise most interesting pa
Does no one read anymore? (Score:3, Informative)
=================
Package / Vulnerable / Unaffected
1 mozilla / < 1.7.5 / >= 1.7.5
2 mozilla-bin / < 1.7.5 / >= 1.7.5
3 mozilla-firefox / < 1.0 / >= 1.0
4 mozilla-firefox-bin / < 1.0 / >= 1.0
5 mozilla-thunderbird / < 0.9 / >= 0.9
6 mozilla-thunderbird-bin / < 0.9 / >= 0.9
So, let's try reading this data. If you are running version 1.0 of Firefox, version 1.0 of Thunderbird or version 1.7.5 of Mozilla (all the latest versions) you have NONE of these issues. Geez....
Re:Does no one read anymore? (Score:5, Informative)
"The vulnerability has been confirmed in Mozilla 1.7.3 for Linux, Mozilla 1.7.5 for Windows, and Mozilla Firefox 1.0. Other versions may also be affected."
So it's actually just one spoofing vulnerability. It's probably a result of fixing the bug in 0.9.something where an overly long (>4kb, IIRC) URL in the address bar could cause firefox to lock up the x-server.
Obligatory fix... (Score:2)
Seriously, all of these are fixed in the current version. The poster even says it with regards to the buffer overflow problem!
Quick! Somebody submit a story! (Score:2)
Time to troll Slashdot! Seriously...Given that all three bugs are ALREADY fixed, it shouldn't be too hard to sneak a 'troll' story by about how the Mozilla foundation responded instantaneously to these bug reports.
Use this url http://www.mozillazine.org/talkback.html?article=5844 [mozillazine.org] for the nntp flaw, and link to the same security focus article regarding the other two.
Why? Because the security article tells you to update your mozilla based software to the latest ve
Long URL? (Score:3, Funny)
is this long enough?
Re:Long URL? (Score:2)
Not as critical as they appear in the submission (Score:4, Informative)
Issue 2: Fixed (Affected Versions: Mozilla Browser
This bug is fixed in Mozilla 1.7.5. (Bug 264388)
Mozilla developer Dan Veditz claims that it cannot be exploitable:
"A '\' on the end will certainly trash memory, but at that point you're no
longer reading attacker-supplied data;".
So, at most it would be a DOS attack, not a true "hack into your computer". And from the Security focus link:
So Firefox 1.0 is indeed safe.
Issue #3: From the link:
In other words, 1 outdated, another unconfirmed, and the first one real, but it's moderately critical.
So the Mozilla guys have only to fix ONE bug, and CONFIRM another. Issue #2 is fixed already.
Another fair objective article.... (Score:2)
Notice how every bug report about IE starts by saying how bad IE is, then saying MS sucks, and Mozilla doesn't have this bug because it's so great.
Now read the post about a Mozilla bug. No mention that IE does not have the bug. No mention that the coders who left this bug are crappy, and no mention that you could switch to IE to avoid this bug.
I know, IE has its bugs too, but it seems like we could be a bit more fair around here and at least either treat both browsers as if they suck, or treat them both
Third problem (Score:2)
Why is it... (Score:3, Interesting)
Mozilla outfoxed (Score:2)
Wait, I thought the reason to still use Mozilla instead of Firefox is that bugfixes make it to Mozilla releases first. Now it looks like the only reason is that Mozilla integrates Google/search into the same UI field as "Go to URL".
I wouldn't lose any sleep over this. (Score:5, Insightful)
Click 'cancel' if you are not sure about what you are downloading; Additionally, you should be able to hover the mouse over a link and see the actual URL in the display bar at the bottom of the window. I do this all the time because I want to be sure where my browser will be connecting when I click anything. Of course, if you go to sites that don't use standard HTML for their links, you could be scammed. Generally speaking, unless you are running IE, downloading a trojan isn't going to be that bad - as long as you don't then try to run it. If you were expecting a picture, or a zip file, and got an executable instead, that could also tip you off. This is probably the worst problem of the three - but nothing to lose sleep over.
The second issue was created by the way that Mozilla's browsers handle news:// links to newsgroups, hackers can easily create false links and create a buffer overflow (Mozilla 1.7.5 and below, Firefox versions before 1.0).
If you aren't using the latest version of the browser - you are wrong. Additionally, who reads news groups anymore? I gave up wading through all the spam and flame wars long ago...
The third exploit affects machines with multiple users. The way that Firefox and Thunderbird store files allows every user to see them and to probably catch the other user's surfing habits (Firefox and Thunderbird). Let's hope that these will be fixed soon! - should do the trick on most unix/linux systems. I can't see this breaking the browser, because presumably it is being run by you as you. This is irrelevant on a Windoze machine because it is not truly multi-user (and I can slap a knoppix disk into your windows machine, reboot linux, and read all your files provided I have physical access anyway - which is how most people 'share' a windows box).
Re:Unacceptable (Score:2, Informative)
Dude, the article says that only versions before Firefox 1.0 are vulnerable, and 1.0 has been out for 2 months already. What are you talking about?
Re:Unacceptable (Score:2)
They were spotted and corrected before rollout
It *is* already fixed! (Score:2, Informative)
Move on people, nothing to see here!
Re:It *is* already fixed! (Score:2, Informative)
Re:I bet they will be fixed within 24hours! (Score:5, Informative)
If I read TFA correctly, they're fixed already: Mozilla is listed as unaffected in >=1.7.5, Firefox unaffected in >=1.0, and Thunderbird unaffected in >=0.9.
Interestingly, the original bug report came from the Gentoo security people - is there anyone running Gentoo with anything other than the very latest apps?!
Re:I bet they will be fixed within 24hours! (Score:2)
Yep. I have two Gentoo machines and although I frequently sync with portage, I view the changelogs and only update when a bugfix or feature enhancement sounds reasonable. Especially since the second Gentoo machine runs my MythTv, something I am very careful about hastily installing new software on.
Re:Even then.... (Score:5, Insightful)
Both will have flaws, some major, some minor. And, for me, there seems no real evidence that the Firefox community corrects problems quicker than MS. Both appear to me to fix major problems relatively quickly.
The only real difference is the experience a user gains from using an individual browser. And for me, I personally prefer the FF experience, as I should, having configured it until it fits like a glove.
Re:The important thing is how quickly they get fix (Score:2)
These affected firefox beta, not release. Check the article..
By my calculations, fixed over 2 months ago.
Re:Difference ... actually (Score:3, Insightful)
Moral of the story: run Mozilla for the features, run as Limited user to be truly secure.
Re:Yipee (Score:2, Funny)
Never download Mozilla with IE or any other insecure product! Only download Mozilla with Mozilla!
If you download it with IE you may not be downloading the REAL Mozilla. That's what I tell people who report Mozilla crashing and stuff like that. The real Mozilla is flawless. How do you know you are using t