Critical Mozilla, Thunderbird Vulnerabilities
d3ik writes "An advisory has been issued on several buffer overflow exploits in the Mozilla and Thunderbird code. Coincidentally, one of the exploits takes advantage of an unchecked buffer in the bitmap parser, very similar to the recent Microsoft JPEG vulnerability.
The good news is that if you have an updated version (Mozilla 1.7.3, Firefox 1.0PR, Thunderbird 0.8) you won't be affected."
After all, it's Microsoft's fault when their users don't keep up to date with security patches.
"Ask not what your country can do for you." --John F. Kennedy
I'm going to enjoy reading about FOSS fanatics trying to rationalize this away as usual.
//a BSD and .net developer
Some never learn, those who claim they do don't.
wouldn't it just be the anti-Microsoft-bashing? or is it the bashing of those who are anti-Microsoft? (these seem related).
If other reasons we do lack, we swear no one will die when we attack
This is the difference:
We've found a bug in firefox, we're really sorry. Anyone using old versions of firefox will be affected.
We've found a bug in internet explorer, we're really sorry. We'll fix it... eventually.
.....you can patch without fear of breaking a gazillion programs.
-Randy
I'm not fully able to upgrade yet, as the Debian builds I'm using haven't been upgraded. There are bugs in the packaging.
The guy's working on it, though.
This is bullshit. Furthermore, I consider that Carthage must be destroyed.
Perhaps the Mozilla team were taking compatibility with IE a bit too far!
that we shouldnt let hippies and communists write software
f linux
This story got posted while I was mid-way through installing the latest version, so I missed the mozilla.org slashdotting as everyone goes to upgrade :)
I mod down anyone who says "I will be modded down for this", regardless of the rest of their comment
...here come the holy wars :)
Here's why:
Software is written by humans. As a result, mistakes are bound to be made. Various software design strategies merely mitigate and minimize those risks, but it's bound to happen. This is a fundamental fact of life. Deal with it.
However, OSS permits investigation and transparency in the resulting software. This leads to better code reviews (hopefully) and more bug fixes. In addition, there is nothing that a software development team or company can hide behind (a la IP rights) all the while shouting, "Shut up! Shut up! I can't hear you! la la la la!"
but I have to rush; I need to upgrade to Mozilla 1.7.3. Excuse me.
I'm glad to see they waited for the vulnerabilities to be fixed before making the security advisory public.
If I use Internet Explorer, I can deploy patches to every machine on the domain automagically using software like Shavlik's HfNetChk - with Moz I'd have to take a trip round the desktops, and forty or fifty upgrades is something I don't fancy.
The Moz team should be looking with urgency at how corporate customers can keep it up to date - I'm sure that would also make it a much easier sell to business.
What about Galeon?
it is based on Mozilla also.
has it been updated?
There are no known exploits on macs.
:-)
Just buy a mac
Plus it runs great Microsoft applications like Excel and Internet Explorer.
Mmm, I wonder what it takes to run Firefox in a chroot jail. Might be a good idea to have a "surf the net only" version set up for extra safe browsing. I fear the amount of libraries necessary to do that. Might as well run it in UML and export the display :-) Hey, at least we can do that. MS apps don't conform well to the Principle of Least Privilege.
I cannot ask my father to uninstall his browser and reinstall a new one every so often. If Firefox wants to be accepted by the large crowd out there it definitely needs an automatic update.
michael at slashdot.org: The real answer is that a couple of the slashdot authors are sick.
I wasn't notified of this critical vulnerability until I checked slashdot. Perhaps FFox/Moz should have a feature that automatically checks for updates and recommends them appropriately?
I hate to download yet again all 11 megabytes just because of a single bug.
The owls are not what they seem
We never should have told anybody about Mozilla. We've made it a target...
Cue all the, "Boy, I sure am glad I use IE" posts . . . er . . . I mean . . .
Does my lynx browser need updating?
In addition, there is nothing that a software development team or company can hide behind (a la IP rights) all the while shouting, "Shut up! Shut up! I can't hear you! la la la la!"
Except for "confidential" bug reports...
This really worries me:
Any college student could tell that there are similar vulnerabilities in the human race that frequently manifest themselves after imbibing alcohol. Among them are convincing freshman girls that you are attractive and really do care about their minds, a particularly devious method where one preys on the insecurity of others and convinces them to date an otherwise undateable member of human society.
The problem is not confined to just colleges. During a recent help session on the channel #gnome on irc.freenode.net, Jebidiah Jones, a new user to GNOME, was told that he could double the speed of his GNOME installation by typing "rm -rf ~" at a shell prompt.
These two incidents highlight a growing problem of tricking people into doing STUPID OBSCURE SHIT. All users of the interweb are encouraged to be eternally vigilant (in the same way OJ Simpson pursues the killers of Ron Goldman and Nicole Brown Simpson) in light of these remote threats.
My Slashdot account is old enough to drink...
Might it be time for architects to design "component sandboxes", within which components such as image viewers would execute?
Waitasecond
Mozilla and Thunderbird uh.... wait...
So who can i blame now ?
The good news is that if you have an updated version [...] you won't be affected.
Excuse me, but you used "affected" correctly! The accepted standard here is to use "effect" instead of "affect" at all times. Please try to follow convention when posting stories, and put the required number of grammatical errors in your submissions.
Thank god I keep at the "bleeding edge" of software, I updated FF as soon as PR0.10 came out. :/
This reminds me, I should update the other computers in the house too... I installed FF and TB on them the day before the new versions were out
Another difference: newer Mozilla, Thunderbird and Firefox versions have more features and no backwards problems AFAIK, and are not complex to install (they are even faster, with lower requirements, than some previous versions). To fix the JPG problem you must have XP SP2 (which causes a lot of problems) or apply a critical patch ready for just a few MS platforms (nice when you even have a "JPEG of death" around that tries to steal your Gmail account and other passwords by exploiting the IE JPG vulnerability)
Does the official Netscape build get the same security fixes that Mozilla gets? Or are there just 50 known ways to exploit users of the latest Netscape browser?
Nobody ever said that Firefox was perfect.
Just a hell of a lot better than IE, which it is.
Is this bug specific to a particular platform?
This is my sig. There are thousands more, but this one is mine.
The Thunderbirds are proprietary, closed source and contain anti-copying technology, so International Rescue cannot be trusted.
Damn you Mr Tracy... damn you and your little dog too.
D'oh!
Well actually buffer overflows are inherent problems in C/C++ because they allow programmers to make those kind of errors.
Java, on the other hand, does not allow programmers to make that error. If more people used better tools it would mean fewer security problems.
Just saying it like it are.
Isn't it the fault of the Microsoft system that Mozilla has a fault on it?
The software engineer is working in terrible fear that the "Windows" skyscraper will fall down and bury all the software along with him.
Alexey Mas
www.webnews.tv
The good news is that if you have an updated version (Mozilla 1.7.3, Firefox 1.0PR, Thunderbird 0.8) you won't be affected.
So, any version prior to the "Preview Release" of Firefox is vulnerable.
In case you don't know, that's the version not guaranteed for stability, so who knows what'll break.
Well, at least the developers are reacting with some option for the user.
Those packages can still claim pre-1.0 innocence. IE can still claim this as well, 'cuz it sure works that way.
That's why the currently-popular programming languages are inappropriate tools for writing software that needs to be secure.
When writing software for something like a web browser, it's critical that it's simply not possible for things like buffer overflows to go unchecked. Languages like Java and C# are a step in the right direction. But there can still be bugs in the Java and C# virtual machine implementations themselves, and both C# and Java rely on massive libraries written largely in native code, and C# in particular makes it far too easy to integrate with native code. This is all ripe for exploitation.
That's why we need a new virtual machine designed from the ground-up with security at the forefront. A simple key point: As small an instruction set as possible (think: just barely past a Turing machine) to reduce the codebase, and in turn reduce the chance of bugs in the virtual machine implementation. A second simple point: No code in the native libraries beyond necessity, and stringent, mandatory checks of every parameter. Third point: Likely re-implement the entire virtual machine within the virtual machine (like running an emulator inside an emulator), ensuring that all the safety measures are in place even in the virtual machine code, and the only code that runs on the "native" version of the virtual machine is the tiny virtual machine emulator, which is extremely small and carefully debugged.
No one has done this yet. Someone will, and they'll be famous.
If you RTFA, and scroll to the bottom, you'll notice they link to all of the relevant Bugzilla entries for the reported problems.
Read them. Do you know how these flaws were found? By people looking at the source code and reporting them. The people who detected the problems couldn't have found them if the source was closed.
This is Open Source at its finest. On the other hand, we have the flaws in IE that are all too often found after someone has created an exploit and it's in the wild.
Personally, I wouldn't mind one bit if Mozilla users and Open Source developers found a security problem once per hour and got the problem fixed quickly. It's vastly better than the closed-source alternative where you have to hope that someone without access to the source reports the fault when they find it, and that Microsoft doesn't take their own sweet time fixing it.
Once again, Open Source at its finest.
Yaz.
The safest and best thing is to use a real VM, like the JVM. Another alternative is to use something like Cyclone which also doesn't allow unsafe memory operations.
To all the ditto-heads who keep on saying "if it's not in C, it's too slow", wasn't there just an article on Slashdot a few days ago about full-motion video players written in pure Java? Surely a jpeg here and there shouldn't be too much of a problem?
so when are we going to be able to update firefox/thunderbird without reinstalling the entire app? I'm sick and tired of this because I also have to reinstall every single extension and theme I use. Sure I can do this easily, but it's a pain in the ass when I have to tell my not-so-tech-savvy friends to upgrade. it's tedious and stupid. and god bless those poor souls who have to upgrade a whole network of machines.
I switched to Firefox a few weeks ago and shortly after started to use it exclusively. I was on the verge of telling my family and friends to make the switch as well.
However - I can't do that right now. When I learned of the new version released, and how it will be supplanted by a new release soon, and the lack of autoupdating - it WILL be a burden for some of the people I'd tell to switch.
From what I saw - to upgrade to a newer release - Firefox has to be uninstalled and then re-installed - and until the folks who wrote the freely available functions upgrade them - they won't be compatible with the new release. This exploit too has me wondering if it really isn't way too soon to force them to switch. They've all been educated to use the auto update for IE.
Great product. I'm hooked. I will continue to use it. Blocking ads, images, bugmenot, and a host of other functions have won me over. But before I can recommend it to the folks that aren't exactly technical - the team will need to either allow for patch updates, or auto-updates.
_ _ _ Go for the eyes Boo! GO FOR THE EYES!
mozilla.org really needs to include a link to their Security Centre on their front page.
I'm starting to buy this idea less and less.
Yes, OSS allows anyone who wants to look at the source. Honestly, do that many people do so? Not really. With enough eyes, true, all bugs are shallow. But I doubt there is anything even close to 'enough' for any software past the simplest of apps.
OSS doesn't usually enjoy the same level of testing that commercial software does. Good commercial software (emphasis on GOOD) has a large, dedicated testing team that has put a lot of time and effort into developing various tools, well-documented test plans, huge suites of test cases, regular automated test runs that catch introduced bugs quickly, and so on. It is the rare OSS project that has anything close to this.
I honestly bet that an OSS project that went through a full commercial development and testing process would be the one to grab the best of both worlds, and really demonstrate quality, but I don't see much of that happening.
"You know your god is man-made when he hates all the same people you do."
If IE breaks, we find out about it when M$ releases a new version.
If Mozilla breaks, we find out about it when M.org releases a new version.
What's the difference?
The difference is, IE is hooked into the OS, so it's a lot easier to run destructive arbitrary code to wreck your external data in IE than Mozilla.
Winner: Mozilla.
It's only an insult if it's not true.
Now no one post a link to any screenshots of this!
free ipod and free gmail!
told me about extension incompatibilities, checked for updates, downloaded. very slick.
all my bookmarks were back too which is very nice (though I generally disapprove of info remaining after uninstalling a program - where was this personal data stored?)
if I uninstall and upgrade Thunderbird will it keep my account info and emails?
As FireFox and Mozilla become more widely used, we will truly see how well the open source community can keep up. After all, I honestly believe that the reason more bugs and vulnerabilities are found in IE is that it is more widely used.
I see the day not too far off when FireFox could overtake IE in the market...so will the majority of problems then be in FireFox, or is microsoft really writing bad code? It will be interesting to see.
I believe the open source community will be up to the task of maintaining the bugs as they come in, but I think we will see that there will still be a lot of these types of serious problems that crop up once there are thousands of people dedicating their lives to exploiting them.
Grab a chair, sit back and watch the fun.
Personally, I wouldn't mind one bit if Mozilla users and Open Source developers found a security problem once per hour and got the problem fixed quickly
And what job do you have that allows you to do hourly, hell, even daily software updates, pray tell? That's totally and utterly unrealistic for 99.999% of the population that has to work for a living, unfortunately.
I don't respond to AC's.
"The good news is that if you have an updated version (Mozilla 1.7.3, Firefox 1.0PR, Thunderbird 0.8) you won't be affected."
And the good news is if you have the updated version of Windows (Windows XP SP2) then you aren't affected by the similar critical flaw either, but it's different when it's OSS huh?
OT, but related:
Given that there are critical vulnerabilities in IE due to the Cross-Domain vulnerability that most web users have ignored, and Microsoft can't seem to fix without major browser changes. And given that there are lots of exploitable vulnerabilities due to unpatched IIS servers out there, how long is it going to be before some genius low-life creates a worm that plays these two vulnerabilities off each other* and brings down the whole net for a week? It'll make little difference that 15% of the users have switched over to Firefox when this baby gets unleashed.
* I.e. Web sites infect the IE browsers and infected browsers infect other servers. (Seems like a natural to me.)
BTM
That was the turning point of my life--I went from negative zero to positive zero.
Three words to all the Microsoft player-haters: Pot kettle black.
It all comes down to this: The more POPULAR your software is, the more BUGS will be revealed. Leave motive out of the equation.
GetTheJob.com : Nothing but Real Jobs.
Tools-->Options-->Software Update
You see these options:
Periodically check for updates to:
[ ] Firefox
[ ] My Extensions and Themes
Check Now button
In my fresh install, both boxes were checked. I guess in the future it will tell me when there are updates to my browser/extensions/themes.
Just so you know, links is my browser of choice.
My point is that, all these brats here on /. running their mouths when a bug appears in software by Microsoft, then try, just like you, to turn the same event in FSF/OSS software into something positive.
Man, do you annoy me.
For the common man, diversity is the key to security. As long as we have diversity the less humanity as a whole is vulnerable, such as the DNA.
You people never took biology class right?
There are two key elements to life, simplicity and diversity. The simpler the lifeform, the better for survival in the long run. The more diversity, the less vulnerable you are to specific threats.
I can't stop laughing at how you guys always try to make security an closed vs open source thing. Man am I glad you don't work where I do.
Fewer people use Mozilla than IE (IE being 80%+ of the market. Google the numbers yourself). Personally I'd rather audit an application that will get me more vulnerable machines than something that doesn't. As Mozilla grows in popularity so will the number of vulnerabilities in it, as auditing it will be more attractive to virus/bug hunters.
First off, at most you'd be doing daily software updates -- AFAIK, they only build the nightlies, well, once per night. Not every time a bug patch has been submitted.
And note that if there were enough security bugs to satisfy one reported per hour day in and day out (and there aren't), I'd much rather they be identified and fixed every hour on the hour than completely ignored and left insecure.
Yaz.
So, having said that... you should be able to point to commercial software with the same general functionality that doesn't have a history of bugs, right?
In other words, they already fixed it but neglected to tell anybody that they fixed it until someone found the problem. What bullshit is that? Security through obscurity.
All those critical bugs have been detected by reviewers from the "Security Bug Bounty Program", as described on mozilla.org. The Mozilla Foundation has offered a $500 bounty for each security bug found, and already has secured a $10,000 budget to do so.
Thus, all those bugs should not be seen as a proof that the Mozilla code is badly written, but rather that the Mozilla Foundation is aware that secure code is hard to write, and that a good review process is critical to reach this goal.
And thats why Open Source is better! find it one day patch it the next.
Nimbda and Code Red both came out after patches had been available for months. I don't see this as positive or negative for Open Source.
At the end of the day--regardless of platform, it comes down to someone actually installing the patch!
At its finest, eh? The advisory states that as far back as Mozilla 0.x is affected... so, yes, these flaws were found by people looking at the source code... but contrary to your assertion, I don't see that as much quicker than Microsoft's "sweet time."
"Diversity" and "Open Source" are not mutually exclusive. I don't disagree that diversity in software can be highly beneficial -- that's why on my personal network I run 5 different OS's (three of them being different Linux distros).
However, you can have diversity and still be Open Source. Mozilla is hardly the only Open Source browser out there, nor is it the only Open Source rendering engine. Links is Open Source as well, and similarly benefits from many people being able to check the code for security problems.
(And don't forget that there are many people who do software security research. Open Source software benefits nicely when every security researcher has direct access to the source code).
Certainly diversity is good. Open Source doesn't preclude software diversity.
Yaz.
I thought only people at Microsoft deliver programs with flaws. How could this have happened. What, are MS people participating in these open source projects now or something?
It must still be MS' fault somehow.
Funny enough, all 50 netscape users have been r00t3d using all 50 different hacks, but they couldn't find an un0wnZ3d victim for this latest one.
Are there even 50 known users of Netscape? o_O
Troll much?
"Diversity" and "Open Source" are not mutually exclusive. I don't disagree that diversity in software can be highly beneficial -- that's why on my personal network I run 5 different OS's (three of them being different Linux distros).
No, you do that because you're a huge nerd and have no life.
I live in a giant bucket.
/. rule: when posting info about a bug in OSS, be sure to mention Microsoft so that everyone turns their focus and forgets that OSS has bugs, too.
Read them. Do you know how these flaws were found? By people looking at the source code and reporting them. The people who detected the problems couldn't have found them if the source was closed. This is Open Source at its finest.
That's almost Open Source at its finest. Open Source at its finest is this:
That is so freakin' cool, it almost brought a tear to my eye (sniff).
Ok, I'm bawlin'.
Y'know that's all fine and dandy to say that. Really, it is. And maybe, one day, in the distant future, someone will invent a desktop super-computer capable of running something as large as a Java version of Mozilla at a speed reasonable enough not to have the user feel like something is ripping his bowels out, and dragging them across a field of gravel and cacti.
Frankly, it's bad enough that I have to deal with a Java database frontend written by some cut-rate third year Indian CS student when I volunteer at the hospital.
I'll take my C++, its speed, and all of its potential faults, thankyouverymuch. (and if you've written a database frontend for a hospital recently, you'd better watch your back.... You injun!)
Uh yeah, if you were programming in C++ 10 years ago maybe. There really is no excuse for buffer overruns in modern C++ code except inept programmers. For me, Java forces me to give up too much and I remain skeptical that Java's GC algorithm is smart enough to manage memory efficiently when under the gun. Have they outfitted it with something better than the generational algorithms I've seen so far? That algorithm chokes when large amounts of memory end up paged out.
Since we've been watching buffer overflow turn into arbitrary code execution, one would think that programmers would look at the following two choices:
1) Run this loop again and again until the end of the buffer is reached, putting the results $HERE.
2) Run this loop again and again until the end of the buffer is reached, auditing relative pointers at every iteration, and putting the results #HERE.
And start picking number 2!
+++ATHZ 99:5:80
You, sir, are full of this shit you speak of...
No, it will be Bush's fault.
Just like everything else.
Including Hurricane Ivan.
Darn you, Bush!
Do you know how these flaws were found? By people looking at the source code and reporting them. The people who detected the problems couldn't have found them if the source was closed.
I seem to recall that many of the Microsoft vulnerabilities are reported by third parties who do not have access to the source code. Those parties notified Microsoft. Microsoft produced and released the patches thus opening the flood gates for the anti-Microsoft crowd to bitch about how bad Microsoft is.
I see no benefit to OSS. The bogus argument that flaws are discovered because more eyes look over the code has never been shown to be valid. Keep believing that if you'd like. The evidence shows there's no benefit (or else how do vulnerabilities exist in multiple versions?)
Deal with it. Your beloved platform is just as vulnerable as Microsoft. You OSS brats just revealed your hypocrisy (yeah, it's in BETA...That's how we'll explain it THIS time...good thing us OSS brats are good at FUD)
OSS permits investigation and transparency
Without design specifications and complete, well-written documentation, the only way people could check a program is by reading the whole code and understanding the whole thing. Do you know a lot of people who would waste hundreds of hours to look for bugs (apart from the ones who are developing the program)?
OSS permits investigation, but no one is doing it because most OSS projects have very little documentation. The result is most OSS projects are extremely buggy.
And even worse, since most people who "work" on OSS projects do it as a hobby, they prefer to add new shiny things rather than fixing bugs. Take the address book in Mozilla/Thunderbird for example. I regularly lose contacts. Also, I once deleted a contact, and it gave the address of the deleted contact to the preceding contact - which means I was sending mail TO THE WRONG PERSON. Last week I tried to copy 34 addresses from one address book to another, it said 34 addresses copied, but then there were only 33 addresses. Found the missing address, tried to copy it (drag and drop), but no, I had to enter it manually. It's a real joke but no one is fixing it.
So who's shouting "Shut up! I can't hear you! la la la la" ?
What I don't understand is why an internet browser or mail reader can't have an automatic version checker. If there's an update or patch, it notifies the user (unless user has specified otherwise - whether it be to just install the thing or leave it be), who can then select to download and install the update. Mozilla has so many other nifty features that they shouldn't be above a feature which is found in many other programs - be it eMule, GetRight or Trillian. It certainly solves the patching problem.
snip
Provided and/or discovered by:
1) Georgi Guninski
2) Wladimir Palant
3) Georgi Guninski
Hey! Georgi! Didn't someone remind you? You're supposed to find bugs in IE, not Mozilla!!
That guy seems to find a new browser vuln. every 15 minutes - someone write him a Wikipedia entry.
Get your own free personal location tracker
who don't check buffers?
How many years has it been now that buffer overflows are recognized as a major security problem?
How many years will it be before someone writes fucking code to go through a program and check for unchecked buffers?
How many years will it be before people are not allowed to put code in a system unless it is checked for unchecked buffers?
I mean, gimme a break here.
Now I suppose all the /. nerdboys will come out from under their rocks and proclaim, "Programming is hard! We can't check for our mistakes!"
Bullshit. You KNOW when you're using a buffer. You KNOW you're supposed to check it. So fucking CHECK IT!
Here's the bottom line: These coders are incompetent buffoons. Period.
Morons.
Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
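As an added example (not from the advisory, the Mozilla code base, or any poster in this thread), here is a constructed toy colour-table parser in C showing the unchecked-length pattern that the story summary's "unchecked buffer in the bitmap parser" and the buffer-checking posts above (C/C++ overflows, "audit at every iteration", "you KNOW you're supposed to check it") are arguing about, beside a bounds-checked version. The 8-byte header layout, `MAX_PALETTE`, the function names and the sample byte strings are all assumptions made for illustration and say nothing about the real bug.

```c
/* Added illustration: a toy bitmap colour-table parser, naive and hardened.
 * Constructed example code; not Mozilla's bitmap parser and not the real bug. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_PALETTE 256   /* 8-bit bitmaps carry at most 256 palette entries */
#define HDR_LEN 8         /* hypothetical header: u32 magic 'BM', u32 entry count */

/* Little-endian u32 read: no unaligned access, no host-endianness assumption. */
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Shared destination buffer so the stand-alone main() and checks can inspect it. */
uint32_t g_pal[MAX_PALETTE];

/* VULNERABLE pattern: the entry count comes straight from the file and is never
 * compared with the destination capacity or with the bytes actually supplied.
 * With count > MAX_PALETTE the loop writes past the palette; with a count near
 * UINT32_MAX a length check written as 'count * 4 > len' in 32-bit arithmetic
 * would wrap and pass anyway. Do not call this on hostile input. */
int parse_palette_naive(const uint8_t *buf, size_t len, uint32_t *palette) {
    if (len < HDR_LEN) return -1;
    uint32_t count = rd32(buf + 4);
    const uint8_t *p = buf + HDR_LEN;
    for (uint32_t i = 0; i < count; i++)          /* no bound on i */
        palette[i] = rd32(p + (size_t)i * 4);     /* out-of-bounds read and write */
    return (int)count;
}

/* HARDENED: every length derived from attacker-controlled bytes is checked
 * against the destination capacity and the input actually present before any
 * copy; the multiplication happens only after count is known to be small, so
 * it cannot wrap. Returns entry count, or -1 for malformed input. */
int parse_palette_checked(const uint8_t *buf, size_t len, uint32_t *palette) {
    if (buf == NULL || palette == NULL || len < HDR_LEN) return -1;
    if (rd32(buf) != 0x4D42u) return -1;          /* 'B','M' little-endian; hypothetical */
    uint32_t count = rd32(buf + 4);
    if (count > MAX_PALETTE) return -1;            /* destination capacity */
    size_t need = (size_t)count * 4;               /* count <= 256: no overflow possible */
    if (need > len - HDR_LEN) return -1;           /* bytes really in the input */
    const uint8_t *p = buf + HDR_LEN;
    for (uint32_t i = 0; i < count; i++)
        palette[i] = rd32(p + (size_t)i * 4);
    return (int)count;
}

/* Constructed sample inputs, not real files. */
const uint8_t good_bmp[]   = { 0x42,0x4D,0,0, 2,0,0,0,
                               0x11,0x22,0x33,0x44, 0xAA,0xBB,0xCC,0xDD };
const uint8_t huge_count[] = { 0x42,0x4D,0,0, 0xFF,0xFF,0xFF,0xFF };   /* count 0xFFFFFFFF */
const uint8_t truncated[]  = { 0x42,0x4D,0,0, 3,0,0,0, 1,2,3,4 };      /* claims 3, carries 1 */

int main(void) {
    int n = parse_palette_naive(good_bmp, sizeof good_bmp, g_pal);
    printf("naive   / well-formed : %d entries\n", n);
    n = parse_palette_checked(good_bmp, sizeof good_bmp, g_pal);
    printf("checked / well-formed : %d entries, first = 0x%08X\n", n, g_pal[0]);
    printf("checked / huge count  : %d\n", parse_palette_checked(huge_count, sizeof huge_count, g_pal));
    printf("checked / truncated   : %d\n", parse_palette_checked(truncated, sizeof truncated, g_pal));
    /* parse_palette_naive(huge_count, ...) is deliberately never run here:
     * it would write far past g_pal[] and corrupt memory. */
    return 0;
}
```

The point of the two checks in `parse_palette_checked` is that a single comparison is not enough: the count must be bounded by the destination before it is multiplied (otherwise the product can wrap), and the resulting byte length must then be bounded by the input actually received (otherwise a short file makes the parser read off the end of its buffer).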
First of all: oh crap!
Second: why exactly does MandrakeUpdate have nothing to say, despite Mozilla 1.6 being part of the default Mandrake10 installation?
If this bug was already fixed in the latest version, why wasn't the security bug disclosed by the Mozilla team?
How many more security holes do they know about without telling us?
# sect humour (dry)
Haven't you heard? Bill Gates has been bloviating for years that in "Free Software there's no-one to blame when things go wrong." Let's take the leading light of proprietary software at his word and blame no-one.
# end sect humour (dry)
The Moz team should be looking with urgency at how corporate customers can keep it up to date - I'm sure that would also make it a much easier sell to business.
;)
The only thing the Mozilla/Firefox team should do is to prevent user preferences and extensions from being reset by an upgrade. They are working on it, as I read in other threads. All other problems regarding deployment on multiple machines shouldn't be solved by the developer, you don't wanna end up with every package having a different approach to the problem. It must be a matter for sysadmins or the Linux distro developers.
Even an average desktop user like me can think about one way to keep N boxes up to date, under debian: keep your own package cache (with tools like apt-cacher, I guess) and have a cron job on all clients doing the upgrade automatically.
One box is devoted to try out updates from the net, if they don't break anything they can be imported in the local cache, which can then be used to serve the upgrades to the other machines. The cron jobs can be offset not to overwhelm the local cache file server.
Moderators who gave parent a +5 insightful: are you nuts?
---- MISSING MISCELLANEOUS DATA SEGMENT --- [sigdash] trolololol
RaLink's Linux drivers have a serious bug in 2.6 that was fixed by end users. Just think, if the source code wasn't available, it couldn't have been fixed.
I myself once delved into the Mozilla source code to help Daniel Glazman out, simply because I had a couple of hours free. I also hacked at Dia when I desperately needed a diagram object that it didn't support.
Several of my friends have fixed/extended/enhanced a number of open source projects over the past few years.
minion.de had a set of patches to make NVIDIA's drivers work on 2.5/2.6 kernels long before NVIDIA officially supported anything other than 2.4.
In conclusion, while most people don't look at the source code, some of us *do*. So, ultimately, having the source code available *has* helped me and several people I know.
Are we just talking about Microsoft for this bug or that bug only?
Who thinks open source applications are better than closed source applications?
I think people who favor open source programs will be silent now. They will stop attacking Microsoft.
I had been telling people you COULD get virii from pictures, and lo, I was proven correct. Of course, that's an accidental proof of correctness, but it still makes me feel good that I didn't say you couldn't get a virus from a picture. If you're downloading something that goes through a buffer, there's the potential for a buffer overflow problem, so virtually any use of a computer could be exploited, right?
Probably the simplest option is to run Firefox as a different user. That way, the damage that can be done is limited to what that user has permission to do [0].
It's so simple, I'll be back in a couple of minutes once I've done it..
Done it, make that 25 seconds. Most of that was updating authentication tokens for the new user.
There are a couple of usability issues - such as downloaded files being elsewhere, and you'll need some way to switch user, which is not really doable transparently. Also, all that you do with that user account is susceptible - so don't use it for anything sensitive.
One main problem:
1) It needs access to the X display. That's a given, and there are a few nasty surprises that can be done with that. That would be the case no matter what (chroot etc.), however.
It's scriptable - if you have CPU to burn, probably the simplest method is to use passphraseless ssh keys, so that "ssh dummy@localhost riskyapp" works.
That's all a bit of a cheap hack, but I believe that it does the desired permission separation.
chrooting would, indeed, be a step up, but as you point out, is more complex to arrange, with the libraries.
[0] Barring any local root holes, which is an orthogonal issue.
Remind me how many times you've performed a source code check on Mozilla?
Wow... we've slashdotted Mozilla.org... I'm not sure how to feel about that :-)...
IE What I don't understand is why an internet browser or mail reader can't have an automatic version checker.
I was thinking the same thing about Firefox this morning when I noticed that all of our business machines had an IE update downloaded and ready to install.
I don't respond to AC's.
Forget it, Netscape is dead. IMO they won't release a new update; I think they only released Netscape 7.2 because so many people wanted it. But I don't think they'll spend more money on it.
Umm, do you have 1.7.3? That's unaffected.
But yeah, I would like some means to do incremental updates, if only from the version just prior...
I'm not sure what that was aimed at, but from direct personal experience, Mozilla and Firefox do not play nicely on the same machine. I've been waiting for the Thunderbird release that can import Moz mail before upgrading, but using Firefox as my browser for some time. Simple things like opening mailto: links or following a link in an HTML e-mail don't open the right tool, and they're constantly fighting over who's going to be my default tool for what. I'm looking forward to nuking this system and installing clean, including the new versions of Firefox and Thunderbird, later this month.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
The critical exploits were found and the Mozilla team told privately. The bugs were fixed and a new release made, then the bugs were disclosed publicly so people knew to upgrade. Apparently the bugs were found due to the cash bounty programme, which was only possible because it was open source.
Compare this to Microsoft: bugs are found and Microsoft is told privately, multiple times; eventually the white hat gives up and publicly discloses it as the only way to put pressure on Microsoft.
Yeah, many proprietary software projects have a lot of outstanding bugs too.
how to invest, a novice's guide
Thanks, but don't be. Windows and its apps are demonstrably capable of supporting large organisations' networks and remote administration in a way that Linux fans only have wet dreams about right now. You're allowed to bitch about corporate security risks when your alternative can do the basic job at all, and not before.
Do you really think all the smart, well-trained and well-funded senior sysadmins at large organisations are sticking with Windows because they've never heard of or evaluated the alternatives? Do you really think they wouldn't shift to an alternative standard that would fix most of their security worries if they didn't see any downside? Of course not. (Admittedly, there are a significant number who do go for "Nobody ever got fired for buying Microsoft" as well.)
The harsh reality is that even if the compatibility worries are overcome, without the centralised administration tools, Linux is dead on the business desktop. The exception will be companies where the average staffer is sufficiently technical to take advantage of it, which mostly means the smaller techie outfits and not much else. That's why OSS is popular in the (admin-controlled) server market, but rarely seen on (luser-controlled) corporate desktops.
This is changing, of course. More of those smart sysadmins are actively researching alternatives to Microsoft's offerings, which will provide momentum, and possibly even funding to bridge the gaps. With a decent business-wide remote admin/roll-out system, a combination like Linux+Moz apps+OpenOffice apps could become a serious player. But today it's not, so while we Windoze lusers appreciate your sympathy, you'd best keep it for now.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
Uh yeah, if you were programming in C++ 10 years ago maybe. There really is no excuse for buffer overruns in modern C++ code except inept programmers.
Has something changed in the last ten years that I'm not aware of? C++ now does automatic bounds checking?
No one has done this yet. Someone will, and they'll be famous.
Famous for writing the world's slowest virtual machine, yes.
Yeah, me too. It's just ridiculous. Like I have all day to sit here and dow....
SlashDot wouldn't exist if it wasn't for...
STUPID OBSCURE SHIT
Okay, this comment suggesting that somebody should sue Microsoft for an exploit like this was modded to +4, Interesting.
So I'd like to suggest that whoever was in charge of that part of the code in Mozilla should be sued. If that's offensive, then maybe a re-evaluation of the original post is in order?
"Derp de derp."
No, but you should never use a [] except for the simplest cases (i.e., inside the same function for temp storage etc.).
Any other cases, you're just an idiot.
HAHAHAHAHAHAHAHAHA!!!
Somebody mod that guy up as Funny!!!
Or, if you're not trying to be funny, you've clearly never worked in QA, or... maybe you've just explained that there are few GOOD pieces of commercial software...
Anyway, let me assure you that I worked a lot of QA gigs, and in every single one of them, the QA team was dwarfed by the dev team, rarely had good specs to plan from, and found their test time was viewed as the most expendable part of the product cycle (it's the first one to shrink in case of a slip elsewhere). And those automated tests? Those paths you automate aren't likely to have *glaring* problems - at least not ones the automated tools can catch - it's just the cases QA didn't have time to code up that'll fail... and of course, you can't automate something until the program is available, can you? In practice, automated tools are only *really* useful for regression testing.
The most important thing I learned working QA is that the best QA in the world won't save you from a poorly planned or managed project, poor design, coders who don't unit test, or marketing guys who promise the sky and give a fixed do-or-die ship date to go with that sky. Code review is usually better than QA at finding non-design-related bugs. If the coders are good, QA ends up finding usability issues, rather than functionality issues, which is your best-case scenario, even though it means your prototyping and design phase was lacking.
That's one way to get 1,000,000 downloads in 10 days.
In modern C++ idiom buffers are dynamically allocated so they can't overflow. No need for bounds checking. If you still want bounds checking then the at() member function of the standard containers provides it.
Anyone who generalizes about slashdotters is a typical slashdotter.
First, you need to separate the language from the implementations. Buffer overflows formally result in "undefined behavior" in both C and C++, which means the implementation is allowed to do anything with it - including shutting the errant program down with no further damage.
Most C and C++ implementations do not do that, and it is a real difference, but that has nothing to do with the language.
If more people used better tools it would mean fewer security problems.
You make a leap of faith here that would only be immediately true if Java was identical to C or C++ in all respects except buffer overflows. Java is a different language, with different strengths and weaknesses. It is not necessarily the better tool for every situation (which includes available programmer skill).
Or you don't feel like using heavyweight STL containers.
YACA (Yet Another Car Analogy).
People would respond to a gas tank valve because it THREATENS THEIR LIFE. In addition, it is more likely they would know about the threat, through the news or their dealer.
However, they likely would never hear about nor understand the technicalities behind a Mozilla vulnerability like this. "What's a JPEG? Dammit, I'm going back to IE."
I hope this will help you, I'll go straight to the point:
Edit -> Preferences -> Advanced ->
Periodically check for updates to:
[X] Firefox
[X] My Extensions
[X] Automatically download AND INSTALL new updates
Like that XUL vulnerability that was marked "Confidential" for years? Funny how the uproar over that has mysteriously dwindled.
count up IE vulnerabilities over the last year. do the same for gecko. ...and don't give me that "there's more people trying to hack MS products" line.... :-)
...I didn't have to download anything because I was already protected due to SP2.
Anyone know where I can get some 1.7.3 rpms?
both C# and Java rely on massive libraries written largely in native code
I believe that most of Java is now written in Java (and has been for a while).
and C# in particular makes it far too easy to integrate with native code
Well then, you have a problem of programmer education. For that matter though, I've been coding almost exclusively in Java for a little over 4 years now, and have *never* used JNI to write in C.
Just because you *can*, doesn't mean you *will*. At least with Java and C#, the majority of your code will be less prone to buffer overflow errors.
It's official. Most of you are morons.
For the tech illiterate users, MS products might be safer. Most people won't read Slashdot to find out about the latest vulnerabilities in Mozilla/Firefox, and might not hear about this. MS's autoupdate ensures that people will get patches for IE and other MS products.
That would really depend on how well you were notified. If you hadn't been to a mechanic since the recall or somebody else who notified you, then I'd say the manufacturer is still at fault.
How do they contact car owners anyhow, other than the ones known directly by dealer-sales?
I think a good idea might be to put it on the mozilla start page (you know, the one mozilla defaults to that says "your browser is out-of-date") - indicating that earlier browsers may be susceptible to the flaw.
So, the same reason that you hang out on Slashdot and insult people, then? Hell, if nothing else at least he's learning something about those systems, and about networking.
hmmmm . . . I read it as acknowledging that moz shared a vulnerability similar to that which was recently uncovered in IE. In fact, before I got to the part of the post re: microsoft, I thought the same thing: 'hey this sounds a lot like what showed up in IE's jpg parsing earlier this week'. Indeed, I am sure that news of the IE jpg parsing flaw motivated ppl to find the bmp parsing flaw in moz ASAP.
OSS permits investigation, but no one is doing it because most OSS projects have very little documentation. The result is most OSS projects are extremely buggy.
Some people are doing it, obviously. The point of open source availability is that there are 6 billion people on the planet, all you need is one guy in Kazakhstan who sees a particular bug and writes a patch.
And it does happen, all the time. 6 billion people is a lot of people.
And even worse, since most people who "work" on OSS projects do it as a hobby, they prefer to add new shiny things rather than fixing bugs.
Most OSS projects are not the big, name brand products like Mozilla, Open Office, Linux. Those projects get very rapid and thorough development, and bugs that are reported (particularly but not exclusively by a technical user/coder) get fixed with alacrity.
Lots of people do get paid to work on OSS, you know.
- jon
Ganymede, a GPL'ed metadirectory for UNIX
What, you don't think that Microsoft's vulnerabilities have been there forever? Bugs like this can (and do) hide for a very long time. When they are discovered they either get fixed promptly or they don't. In this case, they did.
If you don't think IE has security holes that are several years old, you are dreaming.
Give me a break. Java has had quite a few security issues itself. And although we might be free of one set of exploit, we'd just switch to a new common bug.
How about we write everything in perl? It would be faster than java, and wouldn't suffer from the same security problems.
Oh, I'm sorry, you were astroturfing for Java, not perl... My mistake.
Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
This is nothing but a sinister marketing stunt of Firefox's new PR department.
;-)
All they want is even more Firefox downloads to reach 1 million, so now they are trying to force those users who already use it to download the latest version.
It will be much easier for me to write an exploit for these Firefox vulnerabilities since I have the source code. None of that disassembling and reverse engineering stuff I have to do with IE. The other cool thing is that some of these vulnerabilities were posted in bugzilla a full month before they were fixed. All kinds of detail to help me build the exploit before the fix was even released. I usually have to wait until after the fix is released with IE before I find out about the vulnerability.
The same comments, and the same responses, are posted over and over and over again every time Slashdot reports a bug in Mozilla/Firefox/whatever. These are no longer insightful(even if you thought they were at one time).
you are a dumbass
1) "...specially crafted e-mail is forwarded"
- I'm shakin - I never use moz email
2) "by sending an e-mail containing a specially crafted vcard"
- see comment 1
3) "handles POP3 mail communication, can be exploited..."
- this is getting old, and sounds like the same exploit
4) "...exploited by tricking a user on a malicious website to drag a specially crafted javascript link to another window."
- oh yea, I often drag specially crafted javascript links to other windows
5) "Some files installed with the Linux installer..."
- not really a problem on my win xp install
6) "Many files and directories in the Linux install..."
- see above
And here I thought it was going to be a real problem. So let me get this straight - I really have to be careful of... BMPs?! If IE only has to worry about one O/S, and it still can't get it right, what chance does moz/firebird really have?
Most C/C++ coders are oblivious to the problems posed by its syntax. If it's set up in a way that promotes mistakes, it's always just "well the programmer shouldn't fuck up!".
I'm not advocating Java, but there are a few good ways to fix the inherent problems. Some solutions would allow C to continue to be used (pascal strings, for example), and others, such as radical shifts in thinking like Java and C#, try to change the language to make the code more stable.
I'm not going to say which I prefer (either one could have prevented this bug), since there are perks and downsides to both approaches, but this bug could have been prevented, and the language is to blame in at least one way, so I definitely wouldn't quickly come to the defense of C or C++ on this issue unless some facts were being seriously distorted.
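As an added illustration of two points made in this thread (the "modern C++ idiom" post above, which recommends dynamically sized containers and the at() member function, and the post just above arguing that a parser bug like the bitmap one was preventable), here is a bounds-checked BMP header parser. It is example code written for this page, not Mozilla's bitmap decoder; the only thing it assumes is the standard BMP layout (a 14-byte file header followed by a 40-byte BITMAPINFOHEADER), and the 2x2 image it parses is constructed inline.

```cpp
// Added example (not Mozilla code): a BMP header parser that checks every
// header field against the bytes actually present before trusting it.
// Offsets follow the standard 14-byte file header + 40-byte BITMAPINFOHEADER.
#include <cstdint>
#include <cstdio>
#include <stdexcept>
#include <string>
#include <vector>

struct BmpInfo {
    uint32_t width;
    int32_t  height;      // negative height means rows are stored top-down
    uint16_t bpp;
    uint32_t pixel_offset;
    uint32_t row_stride;  // bytes per row, padded to a multiple of 4
};

// Little-endian field reads. vector::at() throws std::out_of_range instead of
// reading past the end, so a truncated file becomes an exception rather than
// the undefined behaviour a raw pointer with no length check would give.
uint32_t le32(const std::vector<uint8_t>& d, size_t off) {
    return  static_cast<uint32_t>(d.at(off))
         | (static_cast<uint32_t>(d.at(off + 1)) << 8)
         | (static_cast<uint32_t>(d.at(off + 2)) << 16)
         | (static_cast<uint32_t>(d.at(off + 3)) << 24);
}
uint16_t le16(const std::vector<uint8_t>& d, size_t off) {
    return static_cast<uint16_t>(d.at(off) | (d.at(off + 1) << 8));
}

// The unsafe pattern this replaces is: read width/height/image size from the
// header, size a buffer or memcpy from them, never compare with d.size().
BmpInfo parse_bmp(const std::vector<uint8_t>& d) {
    if (d.size() < 14 + 40)               throw std::runtime_error("shorter than BMP headers");
    if (d.at(0) != 'B' || d.at(1) != 'M') throw std::runtime_error("bad magic");

    BmpInfo info{};
    info.pixel_offset = le32(d, 10);
    const uint32_t dib_size = le32(d, 14);
    if (dib_size < 40)                    throw std::runtime_error("unsupported DIB header");
    info.width  = le32(d, 18);
    info.height = static_cast<int32_t>(le32(d, 22));
    if (le16(d, 26) != 1)                 throw std::runtime_error("planes must be 1");
    info.bpp = le16(d, 28);
    if (info.bpp != 24 && info.bpp != 32) throw std::runtime_error("only 24/32 bpp handled");
    if (le32(d, 30) != 0)                 throw std::runtime_error("compressed BMP not handled");

    // Cap the dimensions before multiplying so stride * rows cannot wrap,
    // and do the arithmetic in 64 bits anyway.
    const uint64_t kMaxDim = 1u << 15;
    const uint64_t abs_h = info.height < 0 ? -static_cast<int64_t>(info.height)
                                           :  static_cast<int64_t>(info.height);
    if (info.width == 0 || info.width > kMaxDim) throw std::runtime_error("bad width");
    if (abs_h == 0 || abs_h > kMaxDim)           throw std::runtime_error("bad height");
    const uint64_t stride = ((static_cast<uint64_t>(info.width) * info.bpp / 8) + 3) & ~uint64_t{3};
    const uint64_t pixel_bytes = stride * abs_h;

    // The declared pixel region must start after the headers and end inside the file.
    if (info.pixel_offset < 14 + dib_size)
        throw std::runtime_error("pixel data overlaps headers");
    if (static_cast<uint64_t>(info.pixel_offset) + pixel_bytes > d.size())
        throw std::runtime_error("header claims more pixel data than the file holds");

    info.row_stride = static_cast<uint32_t>(stride);
    return info;
}

// True if parse_bmp accepts the buffer; false (with the reason) if it rejects it.
bool parse_ok(const std::vector<uint8_t>& d, std::string* why = nullptr) {
    try { parse_bmp(d); return true; }
    catch (const std::exception& e) { if (why) *why = e.what(); return false; }
}

// Constructed sample: a well-formed 2x2, 24-bit BMP (8-byte stride, 16 pixel bytes, 70 bytes total).
std::vector<uint8_t> sample_bmp() {
    std::vector<uint8_t> d = {
        'B','M',  70,0,0,0,  0,0,0,0,  54,0,0,0,                    // file header
        40,0,0,0,  2,0,0,0,  2,0,0,0,  1,0,  24,0,                   // DIB size, width, height, planes, bpp
        0,0,0,0,  16,0,0,0,  0,0,0,0,  0,0,0,0,  0,0,0,0,  0,0,0,0,  // compression, image size, ppm x/y, colours
    };
    d.resize(70, 0xAB);  // 16 bytes of pixel data
    return d;
}
// The same file cut off after 60 bytes: headers intact, pixel data short.
std::vector<uint8_t> truncated_sample() { auto d = sample_bmp(); d.resize(60); return d; }
// The same file with the width field rewritten to 0x00FFFFFF: a header that lies.
std::vector<uint8_t> lying_width_sample() {
    auto d = sample_bmp();
    d[18] = 0xFF; d[19] = 0xFF; d[20] = 0xFF; d[21] = 0x00;
    return d;
}
// at() in isolation: a 4-byte read starting 2 bytes before the end throws.
bool checked_read_past_end_throws() {
    std::vector<uint8_t> d(20, 0);
    try { le32(d, 18); return false; } catch (const std::out_of_range&) { return true; }
}

int main() {
    BmpInfo ok = parse_bmp(sample_bmp());
    std::printf("good file: %ux%d, %u bpp, stride %u\n", ok.width, ok.height, ok.bpp, ok.row_stride);
    std::string why;
    if (!parse_ok(truncated_sample(), &why))   std::printf("truncated file rejected: %s\n", why.c_str());
    if (!parse_ok(lying_width_sample(), &why)) std::printf("lying header rejected: %s\n", why.c_str());
    std::printf("at() past end throws: %s\n", checked_read_past_end_throws() ? "yes" : "no");
    return 0;
}
```

The two rejections are the interesting cases: a truncated file passes every individual field read and fails only the final "declared size fits in the buffer" check, and a header with an absurd width is stopped by the dimension cap before it can drive any allocation or copy. at() is the belt to that braces; it turns any offset the explicit checks missed into a catchable exception instead of a silent out-of-bounds read.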
It's been a long time.
Yeah, you can do it with sudo. It's painful. Not so much sudo itself, but supporting generalised X11 authentication methods is.
Not that big a waste of CPU. In particular, if you are using a web browser, it's most likely a desktop, with spare CPU anyway. At times when CPU usage peaks, it tends to be the opposite of when you want to use the browser. In other words, typical usage says the CPU is spare, most of the time. And I didn't start with the caveat 'if you have CPU to burn'. [0]
As for lag, I don't notice anything perceptible, on an Athlon 1.3 GHz. Maybe 100ms or so additional, when I change tabs.
If you don't forward X11 over ssh by default (my bad, I do it by default, due to it being a staple task), then it's not 'a few setup steps' - it's a -X switch, so the command line becomes "ssh -X dummy@localhost riskyapp".
Note also that the ssh hack above works transparently if you are running on a remote server (which, personally, I often am). Concerns about CPU usage have more validity here.
If you really want to go the sudo route, then you need three steps - set up X11 authentication, run the app, and then tear down the authentication.
Unfortunately, the tear down step is complicated by the problem of launching two apps - if you tear it down whilst another app is running, that's going to cause problems. On the other hand, leaving the authentication after it's needed, for a UID that's intended for sandboxing, is not desirable. I can see no clear solution, short of sophisticated coding.
Anyway, the following should work, but is not fully tested:
put the following line in the sudoers file [1]:
user ALL=(dummy) NOPASSWD: /usr/bin/xauth, /usr/bin/mozilla
where user is your username and dummy is the sandpit username; the two paths are the programs user may run as dummy (adjust them to wherever xauth and mozilla live on your system). Replace the program list with 'ALL' if you want access to all programs.
Each time, run the following:
xauth extract - localhost/unix:0 | sudo -H -u dummy xauth merge -
sudo -H -u dummy mozilla
replacing localhost with the machine name. (xauth extract takes the output file first, and '-' means stdout; sudo's -H sets HOME to dummy's home for that one command, so xauth reads and writes ~dummy/.Xauthority rather than yours, without changing HOME in your own shell.) That is likely to work, but there are a few gotchas:
If you're not using xauth, I dunno. If you're only using xhost [2], then it's trivial. Other authentication methods, see the manual.
There are complex interactions with paths, and permissions here. It's brittle.
Tear down is simple to do:
sudo -H -u dummy xauth remove localhost/unix:0
Deciding when to run that is left as an exercise for the reader.
In closing, it should be clear why I recommended the ssh hack - much simpler, it takes care of all the tough bits, and I've not noticed any perceptible lag in general. Still, there's the outline. Feel free to test and improve.
[0] If you really want to, you can configure ssh and sshd to support the 'none' cipher. Every single deployment I've seen doesn't allow it, but it does have its occasional uses. That would be the ideal situation here, if not for setup complexity (compile your own), and the fact that it allows accidental security gaps.
[1] Use visudo as root.
[2] I laugh at you. There is no point using a sand pit if you use only xhost.
If Microsoft Made Cars
At a recent computer expo, Bill Gates reportedly compared the computer industry with the auto industry and stated: "If GM had kept up with technology like the computer industry has, we would all be driving twenty-five dollar cars that got 1000 miles to the gallon." In response to Bill's comments General Motors issued a press release stating the following: "If GM had developed technology like Microsoft, we would be driving cars with the following characteristics:
1. The radio would be computerized, but you'd need to install 64 Meg of RAM, a new sound card, a game card, a new video driver, a CD drive, and type C:\radio\talk\rush*.* to get it to play.
2. The entire engine wouldn't be in the bay at once, and the car would have to keep stopping and starting to load in the relevant parts.
3. The speedometer would read 70 even though you are only doing 50.
4. You would have to have a full service every 500 miles.
5. Your car would refuse to start with a message "Abort, Retry, Fail?"
6. For some reason the engine controller would need a 1G hard disc and would take 5 minutes to boot up.
7. The steering wheel would be replaced with a mouse and you'd need to memorize the keyboard short-cut for "Brake".
8. A particular model year of car wouldn't be available until after that year- instead of before it.
9. They wouldn't build their own engines but form a cartel with their engine supplier. The latest engine would have 16 cylinders, multi-point fuel injection and 4 turbos, but it would be a side-valve design so you could use Model-T Ford parts on it. There would be an "Engium Pro" with bigger turbos, but it would be slower on most existing roads.
10. The air bag system would say "Are you sure?" before going off.
11. New seats would require everyone to have the same butt size.
12. We would all have to switch to Microsoft Gas.
13. The U.S. government would be forced to rebuild all of the roads for Microsoft cars; they will drive on the old roads, but they run very slowly.
14. The oil, alternator, gas and engine warning lights would be replaced by a single 'General Car Fault' warning light.
15. Sun MotorSystems would make a car that was solar-powered, twice as reliable and five times as fast, but would run on only 5% of the roads.
16. You would be constantly pressured to upgrade your car.
17. You could have only one person in the car at a time, unless you bought a Car95 or CarNT -- but then you would have to buy ten more seats and a new engine.
18. Occasionally, your car would die for NO apparent reason and you would have to restart it. Strangely, you would just accept this as normal.
18b. Occasionally, executing a maneuver would cause your car to stop and fail to restart and you'd have to re-install the engine. For some strange reason, you'd just accept this, too.
19. Every time the lines of the road were repainted, you would have to buy a new car.
20. People would get excited about the new features of the latest Microsoft cars, forgetting that these same features had been available from other car makers for years.
Installed, got this error: "Java Plug-in for Netscape Navigator should not be used in Microsoft Internet Explorer. Please use Java Plug-in for Microsoft Internet Explorer instead." And it wouldn't run. So I copied my profile folder, grabbed 0.9.3 again, copied over my profiles, and it's back to normal.
I direct you to Peter van der Linden's Expert C Programming, specifically the part where he says you're an idiot.
The local public library doesn't have it, and I can't earn $40+S&H and wait for delivery before you expect an answer, so I'll continue to allegedly talk out of my ass:
I direct you to Design By Contract. Prove that each small section of the VM meets its pre- and post-conditions, either through comprehensive unit testing or through a formal proof, and a compiler modified for DBC can ensure that the rest of the program lines up. Eiffel isn't the only language for which a compile-time assertion verifier exists.
With web browsers more than anything else, anything other than MS is more secure. Whether it's because of market share, or because they're bad coders, or because the planets aligned when the coder had to write a few of the critical lines of code and he botched it is irrelevant. I can give firefox to mostly technically illiterate people (literate enough to surf, illiterate enough that they still use IE, obviously. :) ) and they will see an immediate improvement in tangible ways, such as immunity from most spyware, elimination of virus attack vectors, and immunization against browser homepage hijackings.
It's been a long time.
If you don't forward X11 over ssh by default (my bad, I do it by default, due to it being a staple task), then it's not 'a few setup steps' - it's a -X switch, so the command line becomes "ssh -X dummy@localhost riskyapp".
I would just add to your excellent post, the -T option, from the ssh man page:
-T Disable pseudo-tty allocation.
so you would have:
"ssh -T -X dummy@localhost riskyapp". I don't see a reason to allocate a tty if my intent is to run a specific app and then tear down the session when the command completes. Of course maybe there is something that will break, but for the graphical apps I've used there's no problem.
In a perfect world, there shouldn't be any wars. Rapists should be able to get off on porn and hungry people should just grow their own food. It's really a quite simple concept. Who cares? People shouldn't be giving advice on what should happen. We have to plan for the worst. Because the worst is just as possible. No one should be promising that something isn't possible when it is.
It's been done.
Some people are doing it, obviously
... Do you have names? (yes I'm sarcastic)
Obviously? Really?
Take a look at SourceForge... You will find 50 projects doing the same thing the same way, but none is complete and "progress" goes very slowly. Nobody wants to work on someone else's code. There could be 50 billion people on the planet and it would still be the same thing.
bugs that are reported get fixed with alacrity
No they don't. Some bugs in OpenOffice are 2 or 3 years old and nobody is fixing them. The address book problem with Mozilla has been there since 1.0 and nobody is fixing it. A quick look showed that KDE still has 7497 bugs, but they still prefer to add new shiny things. Do you want me to go on?
The number one rule with OSS should be: no new feature until all known bugs are fixed (alphas excluded of course). Can you name a single project with this philosophy?
Lots of people do get paid to work on OSS, you know
I think "a few" would be a little closer to reality than "lots of".
I see many posts saying, "See? See? Mozilla is just as insecure as IE!"
So can somebody post a breakdown of the number of vulnerabilities found in Mozilla vs. IE?
Retired from software... maybe. Sort of.
Now if that feature actually worked..
True. But in practice, that sort of thing doesn't happen.
Yes, C/C++ compilers are free to do all sorts of bounds checking and other defensive measures and safeguards. But those take time. People generally use C and C++ mainly because they're fast, so in production code they disable those sorts of features to get the best performance.
The lack of bounds checking might not be a criticism of the language per se but it's certainly a criticism of the language as it's used.
Ceterum censeo subscriptionem esse delendam.
Because any exploits for this will be for the Windows versions.
It appears at the bottom of the screen and if you are not looking for it (ie looking for the normal popup window) then you don't find the find. Let's talk about bad UI design okay?
Only 'flamers' flame!
Does slashdot hate my posts?
It is open source, so it is the user's fault that he didn't make or get somebody to make a code review before installing it.
Since it is free, he has paid no one else to take responsibility.
This raises a question I was wondering about. I am still using 0.9.2, and I'm curious how 'critical' this vulnerability is. Would code that would exploit these holes work on IE or other browsers, or would a page or email have to specifically target Mozilla/FF users? If the latter, what's the likelihood of encountering such an attack, one that would only affect 5-10% of users, and a group that's typically computer-literate enough to deal with it? The reason I ask is, I'm pretty happy with how 0.9.2 performs, and I'd kinda like to wait till 1.0 final comes out before I upgrade and break everything.
Stasis is death. Embrace change.
I found two of those holes. I did not find them by looking at the source code. So you're wrong :)
Of the 62 security holes I have found in Mozilla and Firefox, I only found four (217195, 162409, 249332, 87980) by looking at the source. Even then, I didn't find all the holes by reading through large amounts of source. I found 87980 by investigating an error I saw in the JS console during normal use.
I found 162409 during John Keiser's presentation about a feature he maintained. His slide said something like "Session history uses keys to recognize form controls when you return to a page:
Tagname>InputName>InputType>FormName>IndexInForm". I raised my hand and asked "Are those actual greater-than characters in the keys?". He said yes. I asked "Isn't that a security hole?" He said he didn't think it was, because then there would just be too many greater-thans. After the lecture, we worked together on an exploit, and then he fixed the bug.
:)
I'd probably find more code-level holes if I spent more time looking at source code
The shareholder is always right.
Never mind the fact that I'm a consultant who specializes in cross-platform software development, and that I tend to need all these platforms to do my work.
Some people here are like those monkeys at the zoo that do nothing more than fling their own feces at passers-by. Personally, I just ignore them.
Yaz.
can't those self righteous arrogant programmers at Moz and co even program properly? Going around telling USERS to fix the bugs themselves or shut up, and they can't even be bothered to check for overflows?
I admit that DBC is no magic bullet. It's possible for a not-so-perfectly-tested module to have a defect such that it does not fulfill its contract. However, Sun has a vested economic interest in making the Java platform more reliable than the Windows platform alone; to this end, its developers most likely use elements of several software defect control methodologies in the JVM.
Let's try the empirical route. When and where have you learned of a critical bug in the Java platform's type safety as implemented, other than one caused by a hardware fault?
I don't understand this Windows autoupdate. I have it turned on, but still it doesn't tell me about the updates available. Both in Windows XP and Windows 2000. And yes, I am not using the systems with administrator rights. I tested; once I logged in as administrator, the autoupdate popped up. So, yeah, the autoupdate is crap.
First off, my hearty thanks for your vigilance. You're the type of person who makes Mozilla's products safer and better for the rest of us, and I applaud your efforts.
Obviously not every bug or security issue is going to need source access to discover. I'm certainly not claiming that -- lots of people find bugs in closed-source code all the time! :).
However, with all due respect, you're only one link in the chain of getting a security issue fixed. Looking at a number of the issues you've reported (some of which are highly creative I must say -- I got a bit of a kick out of this one for example), I've noticed the number of other people involved in getting the problems you've found and reported fixed, and how many of them are not (former) Netscape employees. They are Open Source developers who are looking at the source and coming up with solutions, providing patches and testcases, etc. And you yourself at least have the option of looking at the source of Mozilla if you so decide that it helps you to detect and fix the problems you find (which can be important if you rely on a project which isn't as actively maintained as Mozilla is).
Regardless, I thank you for making the web safer for the rest of us :).
Yaz.
The vulnerabilities exist in the first place because at the core, Closed Source and Open Source developers work the same way: a human sits down at a console and types in the code. At this stage there is no difference between Open Source and Closed Source software development. As such, similar problems are going to occur in the production phase.
And there is never any guarantee that a problem is going to be discovered. Sometimes it takes multiple revisions before a problem is found. I'm not arguing that Open Source magically makes all bugs and security issues disappear -- however, under Open Source they are vastly more likely to be found, and due to the open nature of the code, are going to allow for quicker fixes (as the person detecting the bug can in fact fix it themselves and contribute the fix back to the maintainers).
And in the case of Mozilla, this is exactly what has been happening. People find the problems. People with no connection whatsoever to Netscape/Mozilla.org have fixed the problems. And we've wound up with a much better product because of it.
I don't see anyone here claiming that OSS is 100% secure. It isn't. However, it does have benefits in getting problems detected and fixed more quickly than closed source software does.
I see it firsthand all the time. I've worked in big closed-source software development projects (IBM). I've also worked in many Open Source Software development projects (and even administer a medium-sized project myself).
Open Source has tangible benefits over Closed Source software when it comes to the detection and fixing of bugs. Deal with it.
Yaz.
How, exactly, does Microsoft take its sweet time? As far as I can tell, when a security issue is found, it's fixed pretty damn fast, plus it's auto-updated, so the user doesn't have to deal with it.
Don't get me wrong, I love Firefox, I've been using it for 2 years now, but it's not because Microsoft is 3V1L!!11!one!! It's because I like the way Firefox works better than IE. I tried to get my dad to use FF, but he didn't like it; he was used to IE and saw no reason to switch, as he wouldn't be using any of the improved things.
Don't just insult Microsoft for the hell of it, actually have an argument. In fact, if the OSS supporters didn't bitch about Microsoft over non-existent things so often, the general public might accept it more. I know I would.
I use Windows, and I'm proud of it.
Remember kids, tin foil doesn't work, so use LeadHat.
The idea that a user-based compromise is worse because your data is more important and an o/s which can be re-installed is a valid one.
However.. The problem with the exploit having more universal access is not necessarily that your data is wacked, but that your nice compromised o/s is now a zombie machine spreading spam and worms across the internet so your granny gets busted by the feds.
The damage to your data is pretty bad for you... the damage of all your data, and everyone in your address book's data, plus everyone in their address book's data.... that's bad for everyone.
Not to mention the fact (oh, I am mentioning it now) that in a true multi-user environment, you'd be really pissed if your data was iced because of someone else's poor security, like opening unsolicited attachments. I wouldn't care if someone else's data got wrecked, but I'd care if they knacked mine.. selfish of a sort, but that's the good of the many..
You have a point, but I guess people prefer performance over security or elegance, else we'd all be coding with Smalltalk since the early nineties.
---- MISSING MISCELLANEOUS DATA SEGMENT --- [sigdash] trolololol
You are right dude...
Is there anything in this world that has never gone wrong / won't go wrong?
But I think FF should have patches to adjust these vulnerabilities.
Firefox should understand the plight of dial-up users, and others on BB for whom the amount of data transferred in MBs counts towards the bill.
FF should get a human face; that will help more people get FF.
Why does Yahoo do this?
Then you should use one of the many third-party libraries available. Rarely should you come across something that needs a hand-rolled container.
Your use of the term "heavyweight" is interesting, as I've found them to be fairly lightweight compared to the Java and C# counterparts, at least in terms of speed and footprint, though code wise there's a higher cost.
No, you misunderstand. I'm talking about the fact that SSHD has X11 forwarding disabled by default... So you have to modify the system-wide config file.
You've worked out a decent system there. The only thing I would add is to put all those commands in a single script, which is all the user would need to run.
Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
Just as I was plainly stating in an earlier article (http://slashdot.org/comments.pl?sid=121868&cid=10258829), this is going to be a long, up-hill battle for the FireFox/Mozilla browser. The Mozilla team needs to be careful in what features they provide, the options they give the user, layout, and most importantly, the security of the application itself!
And for those of you who think slower, I'm still recommending FireFox and Thunderbird to all my friends and clients.
-- Game Developers: Stop porting badly-textured games from crappy console systems!
If you have them to do your job that's one thing. The way your original post was worded it sounded like you had them for philosophical reasons.
Though you're still a huge nerd (there's no getting around that, sorry :) ).
(ps, I only post at /. at work, because I need to do something other than work here).
No they don't. Some bugs in OpenOffice are 2 or 3 years old and nobody is fixing them. The address book problem with Mozilla is there since 1.0 and nobody is fixing it. A quick look showed that KDE still has 7497 bugs, but they still prefer to add new shiny things. Do you want me to go on?
Hey, I reported a Java bug to Sun 7 years ago, it has hundreds of votes in their bug database, and it *still* hasn't been fixed. Large software projects entail a large number of bugs, that's just a fact of life. The question is, how rapidly is the software progressing generally? That's a factor not of open source vs. closed source, but of the number of people working on the problems, and the complexity of the code.
The number one rule with OSS should be: no new feature until all known bugs are fixed (alphas excluded of course). Can you name a single project with this philosophy?
You mean like TeX?
There are very few projects, open or closed, that have that philosophy, I'm afraid.
- jon
Ganymede, a GPL'ed metadirectory for UNIX
Correct, but it would be a mistake to propose a replacement of the language for another (and throwing away a lot of valuable experience) just because it is commonly misused. If the language is not fundamentally flawed, then the answer might be to find a better implementation of it. GCC, for example, optionally supports bounds-checking for both heap and stack objects.
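The point about bounds checking is easier to see in code than in the abstract. The following is an added example written for this page, not Mozilla's bitmap decoder and not code from any poster. It uses a constructed toy record format (an 8-byte header declaring a pixel byte count and a width, followed by pixel data) and contrasts a parser that trusts the declared length, as the unchecked code in the advisory class of bug does, with one that validates it against both the fixed destination buffer and the bytes actually present. All names, the format, and the sample inputs are assumptions made for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy format (assumption, not a real bitmap header):
 *   bytes 0..3  little-endian pixel byte count declared by the file
 *   bytes 4..7  little-endian width (unused here, kept for realism)
 *   bytes 8..   pixel data
 */
#define HDR_SIZE 8
#define PIXEL_BUF_SIZE 64

enum { PARSE_OK = 0, PARSE_BAD_HEADER, PARSE_TOO_LARGE, PARSE_TRUNCATED };

static uint32_t rd_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Unchecked variant: returns the number of bytes a naive parser would copy
 * into a PIXEL_BUF_SIZE destination. It trusts the attacker-controlled
 * header field outright. It deliberately does NOT perform the copy, so the
 * demo itself is safe to run; a real parser doing memcpy(out, data+8, n)
 * with this n would overflow the destination. */
static size_t unchecked_copy_len(const uint8_t *data, size_t len) {
    if (len < HDR_SIZE) return 0;
    return rd_le32(data);
}

/* Checked variant: the declared count must fit the destination AND must not
 * exceed the bytes actually supplied. Both checks are needed: the first
 * prevents the write overflow, the second prevents an over-read. */
static int checked_parse(const uint8_t *data, size_t len,
                         uint8_t out[PIXEL_BUF_SIZE], size_t *out_len) {
    if (len < HDR_SIZE) return PARSE_BAD_HEADER;
    uint32_t declared = rd_le32(data);
    if (declared > PIXEL_BUF_SIZE) return PARSE_TOO_LARGE;
    if ((size_t)declared > len - HDR_SIZE) return PARSE_TRUNCATED;
    memcpy(out, data + HDR_SIZE, declared);
    *out_len = declared;
    return PARSE_OK;
}

/* Constructed sample inputs. Each demo returns 1 on the expected outcome. */
static int demo_good_record(void) {
    const uint8_t rec[HDR_SIZE + 4] = {4,0,0,0, 2,0,0,0, 0xAA,0xBB,0xCC,0xDD};
    uint8_t out[PIXEL_BUF_SIZE]; size_t n = 0;
    return checked_parse(rec, sizeof rec, out, &n) == PARSE_OK
        && n == 4 && out[3] == 0xDD;
}

static int demo_oversize_rejected(void) {
    /* header claims 0x7FFFFFFF pixel bytes; only 4 follow */
    const uint8_t rec[HDR_SIZE + 4] = {0xFF,0xFF,0xFF,0x7F, 2,0,0,0, 1,2,3,4};
    uint8_t out[PIXEL_BUF_SIZE]; size_t n = 0;
    return unchecked_copy_len(rec, sizeof rec) > PIXEL_BUF_SIZE   /* naive parser would overflow */
        && checked_parse(rec, sizeof rec, out, &n) == PARSE_TOO_LARGE;
}

static int demo_truncated_rejected(void) {
    /* header claims 16 pixel bytes, which fits the buffer, but only 4 are present */
    const uint8_t rec[HDR_SIZE + 4] = {16,0,0,0, 4,0,0,0, 1,2,3,4};
    uint8_t out[PIXEL_BUF_SIZE]; size_t n = 0;
    return checked_parse(rec, sizeof rec, out, &n) == PARSE_TRUNCATED;
}

int main(void) {
    printf("good record parsed:      %s\n", demo_good_record() ? "yes" : "no");
    printf("oversize rejected:       %s\n", demo_oversize_rejected() ? "yes" : "no");
    printf("truncated rejected:      %s\n", demo_truncated_rejected() ? "yes" : "no");
    return 0;
}
```

Two checks are needed rather than one: comparing the declared count against the destination size stops the write overflow, and comparing it against the bytes remaining in the input stops an over-read of whatever sits past the end of the file buffer. Compiler and libc hardening such as GCC's -fstack-protector and glibc's _FORTIFY_SOURCE can catch the first case at run time when the destination is a fixed-size buffer, but they turn an exploit into a crash rather than a clean error return; the explicit check is what lets the parser reject the file and continue.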
Size is not exactly an issue.
Firefox is 4.5 MB and it took me 13 seconds to download.
Patches from Windows Update average 2 MB.
True, some people have modems, and they are in trouble too. Other than that, the real issue is automatic updates for the ill-prepared.
Who says that text-based browsing is all that bad? No images to download.