Slashdot Mirror

← Back to Stories (view on slashdot.org)

Critical Mozilla, Thunderbird Vulnerabilities

Posted by timothy on from the you-do-have-a-recent-one-right dept.

d3ik writes "An advisory has been issued on several buffer overflow exploits in the Mozilla and Thunderbird code. Coincidentally, one of the exploits takes advantage of a unchecked buffer in the bitmap parser, very similar to recent Microsoft JPEG vulnerability. The good news is that if you have an updated version (Mozilla 1.7.3, Firefox 1.0PR, Thunderbird 0.8) you won't be affected."

32 of 596 comments (clear)

  1. Still waiting on Debian builds by thephotoman · · Score: 3, Informative

    I'm not fully able to upgrade yet, as the Debian builds I'm using haven't been upgraded. There are bugs in the packaging.

    The guy's working on it, though.

    --
    Haec merda tauri est. Ceterum censeo Carthaginem esse delendam.
  2. Re:The beauty of a non-integrated browser........ by DogDude · · Score: 2, Informative

    Not really. If you update any Mozilla programs, they say very clearly that you should not install on top of an existing install because it will probably break. And in fact, every time you try to update any Mozilla program, the extensions break, too.

    --
    I don't respond to AC's.
  3. Re:One of the reasons i love firefox by gordgekko · · Score: 4, Informative

    I wanted to mod you down but I figured I'd just correct you. As a /.er showed yesterday, in the vast majority of cases Microsoft releases security patches either before a vulnerability has been announced or on a 0-day basis. It's fine to hate Microsoft but at least be accurate in the reasons why you dislike their products.

    --
    You want to know who isn't running Firefox 2.x? They spell it "definately" and "rediculous".
  4. Re:So will it be Mozilla's fault... by Jerph · · Score: 5, Informative

    This is generally fixed in 1.0PR - you can safely upgrade over a previous installation, and extensions are updated when possible. They even made it easier for extension writers to simply update the compatability number for their extensions without requiring you to download again.

  5. Re:The beauty of a non-integrated browser........ by glenrm · · Score: 2, Informative

    Nope, just installed 1.7 on top of 1.4 and did not have problem. My extensions were cleaned out so I have to get them again no big deal and is working great. I run Mozilla and Thunderbird on Windows XP and if it weren't for Direct X games...

    --
    Onward to the Aether Sphere!
  6. Re:The beauty of a non-integrated browser........ by ARRRLovin · · Score: 2, Informative

    I've broken Oracle and web-based administration packages with IE patches. Luckily, these patches never reached the end users, otherwise my PC techs would be really busy. hehe

    --
    -Randy
  7. As a former IE user by the_Bionic_lemming · · Score: 3, Informative

    I switched to firefox a few weeks ago and shortly after started to use it exsclusively. I was on the verge of telling my family and friends to make the switch as well.

    However - I can't do that right now. When I learned of the new version released, and how it will be supplanted by a new release soon, and the lack of autoupdating - it WILL be a burden for some of the people I'd tell to switch.

    From what I saw - to upgrade to a newer release - Firefox has to be uninstalled and then re-installed - and until the folks who wrote the freely available functions upgrade them - they won't be compatible with the new release. This exploit too has me wondering if it really isn't way to soon to force them to switch. They've all been educated to use the auto update for IE.

    Great product. I'm hooked. I will continue to use it. Blocking ads, images, bugmenot, and a host of other functions have won me over. But before I can recommend it to the folks that aren't exactly technical - the team will need to either allow for patch updates, or auto-updates.

    --
    _ _ _ Go for the eyes Boo! GO FOR THE EYES!
  8. Re:Auto update anyone? by lpangelrob2 · · Score: 4, Informative

    1.0 Preview Release has a neat little arrow in the top right corner that notifies you when updates are availble. I can't confirm that it works the way it's supposed to, i.e. uninstalling and reinstalling / upgrading Firefox for you. Or if it automatically installs patches. There haven't been any versions of new browsers or any patches yet. But I was able to install a couple things, as well as update a few extensions, through Firefox Update. It's in Tools --> Options... --> Advanced --> Software Update. Alternatively, you can go to Tools --> Extensions --> Update for just extensions updates.

    --
    -Rob
    Marriage doesn't have to suck!
  9. Re:Automated Upgrading by pe1chl · · Score: 3, Informative

    Fortunately Mozilla can be silent-installed quite easily.
    Indeed, when using a loginscript it poses no problems.

    There are many apps that are much harder to silently install.

  10. Re:Automated Upgrading by omicronish · · Score: 3, Informative

    The Moz team should be looking with urgency at how corporate customers can keep it up to date - I'm sure that would also make it a much easier sell to business.

    I completely agree (but from a Firefox standpoint; I haven't used Mozilla in ages). There needs to be serious consideration of usage in corporate settings on Windows desktops. Features such as an MSI package to ease in deployment across Active Directory networks is needed. Yes, you can create your own MSI packages, but it'd be nice if one was provided. For those who don't know what I'm talking about with AD, it basically means that with a few mouse clicks (seriously), I can install Firefox on all computers on my network. You could probably replicate that with logon scripts, but this method provides automatic uninstallation of old versions when upgrading Firefox, as well as installation repairing if files are corrupted (but I'm not sure how useful that is, since it might point to more serious hardware problems).

    Firefox settings in Group Policy would also be awesome, although that would require either placing Firefox settings in the registry or writing a Group Policy plugin to handle settings. What this would mean is that Firefox configuration settings for an entire network can be controlled from a central location.

    There are other minor problems (such as placement of Firefox cache in Application Data instead of Local Settings\Application Data, causing the entire cache to be synchronized with the domain server on logon and logoff), so if they aren't already, Firefox developers should be sure to test on machines with multiple user profiles with reduced privileges. These things, although inconsequential to regular users at home, are quite important for acceptance in corporate Windows networks.

    Also, apologies if you can already do all of these, but if that's the case, a page discussing these things for network administrators would also be nice.

  11. Re:One of the reasons i love firefox by pe1chl · · Score: 3, Informative

    Actually there is a nasty problem in Mozilla and Firefox: the language files must be of the same version as the program. And the version number of the program is updated even for security fixes.

    Result: when you or your users do not use the default English-US language, you cannot update to fixed versions as they are announced, but are forced to wait until the translation volunteer finds time to update the language package.

    The Dutch language for 1.7.2 was released on September 10th, 5 weeks after that security fix had been released. And just a week later, another fix appears.
    This way, users of the Dutch language will never be able to run recently fixed versions.

    Hopefully something will be done about this. It should be possible to run a security-fixed release with the original language pack, or at least the language packs should be automatically updated and released whenever a security related fix appears.

  12. Re:Automated Upgrading by asa · · Score: 4, Informative

    If you look around some, you'll see that people are already doing exactly what you are concerned about. See this Zenworks example

    --Asa

  13. Re:Update notification methods by asa · · Score: 4, Informative

    Firefox 0.10 (PR) can now check for critical security updates and install them. This is our first release with that feature working as expected. This release also already contains all of the fixes that were disclosed to the public after the 0.10 release.

    If a new vulnerability is found and patched, Firefox 0.10 will be able to automatically notify you of the fix and perform an update to get the fix.

    --Asa

  14. Re:Automated Upgrading by tarvin · · Score: 2, Informative

    As far as I remember, Mozilla-like software has not problem with being run from a network share. So if you're talking stationary PCs, then just have them run Mozilla from the network.

  15. Re:OSS suffers the same problem as commercial sw.. by Darren+Winsper · · Score: 2, Informative

    RaLink's Linux drivers have a serious bug in 2.6 that was fixed by end users. Just think, if the source code wasn't available, it couldn't have been fixed.

    I myself once delved into the Mozilla source code to help Daniel Glazman out, simply because I had a couple of hours free. I also hacked at Dia when I desperately needed a diagram object that it didn't support.

    Several of my friends have fixed/extended/enhanced a number of open source projects over the past few years.

    minion.de had a set of patches to make NVIDIA's drivers work on 2.5/2.6 kernels long before NVIDIA officially supported anything other than 2.4.

    In conclusion, while most people don't look at the source code, some of us *do*. So, ultimately, having the source code available *has* helped me and several people I know.

  16. Doing it as a different user by DarkMan · · Score: 4, Informative

    Probably the simplest option is to run Firefox as a different user. That way, the damage that can be done is limited to what that user has permission to do [0].

    It's so simple, I'll be back in a couple of minutes once I've done it..

    Done it, make that 25 seconds. Most of that was updating authentication tokens for the new user.

    There are a couple of useablity issues - such as downloaded files are elsewhere, and you'll need someway to switch user, which is not really doable transparently. Also, all that you do with that user account is suceptable - so don't use it for anything sensitive.

    One main problems:
    1) It needs acess to the X display. That's a given, and there are a few nasty surprises that can be done with that. That would be the case no matter what, (chroot etc) however.

    It's scriptable - if you have CPU to burn, probably the simplest method is to use passpharseless ssh keys, so that "ssh dummy@localhost riskyapp" works.

    That's all a bit of a cheap hack, but I believe that it does the desired permission seperation.

    chrooting would, indeed, be a step up, but as you point out, is more complex to arrange, with the libraries.

    [0] Barring any local root holes, which is an orthogonal issue.

  17. Re:So will it be Mozilla's fault... by mschiller · · Score: 5, Informative

    Well it shouldn't be possible to be infected with a virus from a picture... Because Data Memory should never EVER be able to be executed without specific privledge elevation [yeah, maybe root can do this, or perhaps only the deepest dark section of the kernel].

    1) Software designers should be more careful when using buffers, so that over runs don't occur is it really that hard to keep a counter around to make sure your don't overrun? I guess developers want their code to run fast and I suppose it doesn't help that C offers absolutely no protection from such problems. [Pascal and other strongly typed languages sure help in this regard it's alot harder to make this type of mistake].

    2) OS designers should do more through checking to make sure data pages are never executed. [and a data write can't write into an application memeory page!]. While it SHOULD be caught above, the OS should be looking out for requests to write into pages not assigned as data for a particular application.

    3) Hardware designers should implement features to optimize #1 and #2. [eg. noexecute flags. Harvard Architecture, etc. I can easily see a architecture that looks like a Harvard in normal mode and then turns into our traditional von neumann architecture in privledged mode.]

    It's really quite simple concept to have a no execute flag associated with a memory page that can only be changed in privledged mode. And such coding techniques should work fine for day to day computer use [self modifying code could be problem , etc].

  18. Re:So will it be Mozilla's fault... by TheDormouse · · Score: 5, Informative

    Why is this so hard for people:

    Upgrade Firefox.
    Your extensions will get disabled because they have a MaxVersion lower than the Firefox version.
    Let it happen. DON'T FREAK OUT.

    Go to the extension manager.
    Right click all the disabled extensions and select Enable.
    Restart Firefox.

    Woo hoo. Barring any changes in the code that genuinely make your old extensions incompatible, your world keeps on turning.

  19. Re:One of the reasons i love firefox by tshak · · Score: 2, Informative

    It's already been mentioned that the patch for the IE bug was out before the announcement. However, XP SP2 users were not vulnerable to begin with. So it's more like, "we've found a bug in IE, and if you haven't applied the recommended upgrades, here's a patch".

    --

    There is no longer anything that can be done with computers that is nontrivial and clearly legal. -- Paul Phillips
  20. Re:coverup by mozilla team by blakeross · · Score: 5, Informative

    We did disclose the security bugs. Every time we release, we update our vulnerabilities page (http://www.mozilla.org/projects/security/known-vu lnerabilities.html) with the list of security bugs fixed in the new release. Secunia just cribbed their advisory information from that very page. The world might be a better place if you actually paid some attention. -Blake Ross

  21. Re:What? bugs/security problems in Open Source .. by Antony.S · · Score: 3, Informative

    The critical exploits were found and the Mozilla team told privately. The bugs were fixed and a new release made, then the bugs were disclosed publically so people knew to upgrade. Apparently the bugs were found due to the cash bounty programme, which was only possible because it was open source.

    Compare this to Microsoft, bugs are found and Microsoft told privately, multiple times, eventually the white hat gives up and publically discloses it as the only way to put pressure on Microsoft.

  22. Re:Spin by blakeross · · Score: 4, Informative

    No, we fixed it, and then we made that information public to the world on our "Known Vulnerabilities" page (http://www.mozilla.org/projects/security/known-vu lnerabilities.html), linked to from our Security page (http://www.mozilla.org/security/), just as we've done for each release. Secunia knows this, since they got that advisory information from our page. Why don't you?

    Blake

  23. Re:Not so independent, though... by Dan+Ost · · Score: 2, Informative

    I've been waiting for the Thunderbird release that can import Moz mail before upgrading, but using Firefox as my browser for some time

    This may be the hard way of doing it, but it worked fine for me.
    If you're running Linux (or Unix), make a tarball of the Mail subdirectory
    of your Mozilla prefs. Install Thunderbird, untar your
    mail directory into the thunderbird prefs dir, and off you go with all your
    email.

    --

    *sigh* back to work...
  24. Re:So will it be Mozilla's fault... by brokenwndw · · Score: 5, Informative

    There's a new workaround for this here (no direct link allowed, sorry, you're stuck with copy paste):

    http://bugzilla.mozilla.org/show_bug.cgi?id=2586 79

    The summary: put this in your userChrome.css.

    /* Make the Search box flex wider */
    #search-container {
    -moz-box-flex: 200 !important;
    }

    #searchbar {
    -moz-box-flex: 200 !important;
    }
    Hope this works for you!

  25. Re:OSS suffers the same problem as commercial sw.. by GlassHeart · · Score: 2, Informative
    buffer overflows are inherent problems in C/C++ [...] Java on the other hand does not allow programmers to make that error.

    First, you need to separate the language from the implementations. Buffer overflows formally result in "undefined behavior" in both C and C++, which means the implementation is allowed to do anything with it - including shutting the errant program down with no further damage.

    Most C and C++ implementations do not do that, and it is a real difference, but that has nothing to do with the language.

    If more people used better tools it would mean less security problmens.

    You make a leap of faith here that would only be immediately true if Java was identical to C or C++ in all respects except buffer overflows. Java is a different language, with different strengths and weaknesses. It is not necessarily the better tool for every situation (which includes available programmer skill).

  26. Re:OS is better! by loginx · · Score: 3, Informative

    I hope this will help you, I'll go straight to the point:

    Edit -> Preferences -> Advanced ->
    Periodically check for updates to:
    [X] Firefox
    [X] My Extensions
    [X] Automatically download AND INSTALL new updates

  27. Re:One of the reasons i love firefox by kelnos · · Score: 2, Informative

    While I do agree that mozilla.org should be more up-front about Firefox's beta nature, they _have_ been calling it a "Technology Preview" for quite a while, and the current release is advertised as a "Preview Release". The fact that it's had a 0.x version number should be enough to clue people in that it's beta. Then again, as it's become more mainstream, I suppose there may be people that don't understand version number schemes too well.

    --
    Xfce: Lighter than some, heavier than others. Just right.
  28. Re:So will it be Mozilla's fault... by Anonymous Coward · · Score: 1, Informative

    Er... buffer overruns have zilch to do with typing, strong or otherwise. They have to do with bounds checking, which can be implemented in any language.

  29. Re:One of the reasons i love firefox by Anonymous Coward · · Score: 1, Informative

    Look when this security exploit was filed: #226669.

    Filed: 2003-11-24.
    Fixed: 2004-3-12.

    3 1/2 months to fix a minor non-security-related glitch. Not bad. So what was your point again?

  30. Re:So will it be Mozilla's fault... by gad_zuki! · · Score: 2, Informative

    We're already seeing the start of this in SP2 and I think NX and other DEP technologies are going to be a basic feature in all OSs. I wish AMD and Intel went out of their way to make Athlons and P4s with their NX technologies instead of just adding it to their next-gen chips.

    My previous post of DEP is here.

  31. Re:So will it be Mozilla's fault... by mschiller · · Score: 2, Informative

    Scripts are not executable code.. You load them as data and they run as data. This isn't to say the script can't do something nasty like rm -rf / or rm -rf ~.. The point of NX type operations is to make sure whatever the processor does is intended [or at least is what the user said to do, even if the user didn't mean to do it]... If you WANT to run a script you can run it, but your computer shouldn't run a script when you ask it to open a .jpg!

    Typically scripts are interpreted rather then compiled and executed.. So NX type functionality is not really a problem. There is some strangeness because a script determines the flow of executable code, but it does not allow you to run arbitrary code per se. [I suppose if you've given the script language enough flexibility to read and write memory directly etc, you could potentially have a problem, and of course most scripts have access to the filesystem which can cause all kinds of problems if the OS doesn't have a permission scheme in place... ie normal users and root users]. The point is for a scripting language you've deliberately given permission to execute something that was only data a minute ago. So there can be mechanisms to do what ever you need to do... But for JPG's or regular text processing, you shouldn't be able to run arbitrary code. It should not be able to, for example, run "rm -rf /"
    or start a keyboard sniffer when I open a txt file in nano....

    Admittedly things get a little more interesting if your scripting langauge is compiled. Then your generating real machine executable code, rather then use machine executable code to interpret non machine executable code. Here a kernel level machanism needs to be used to "flip" a data page to an exectable page. By being deliberate like this you get control, so that only runtime compilers for example can do this. [perhaps a bit that only root can set/clr on the program much like setuid..]. For runtime compilers that run on untrusted source [i.e. automatically for java etc] a sandbox or other security precautions must be taken to protect the host system...

  32. Re:How long's it going to be? by j_stirk · · Score: 2, Informative

    You mean something similar to this where compromised IIS servers are going arround infecting IE???

    Yes, it's a worry - it really is... All someone needs to do is make IE infect the IIS servers (presumably a fairly simple task, considering the initial exploitation of the servers was probably scripted anyway) and your dastardly plan will come to fruition.

    --
    [root@GRIFFIN root]# rpm -e coffee-1.22.3-1a.i386.rpm
    error: removing these packages would break dependencies: