Critical Mozilla, Thunderbird Vulnerabilities
d3ik writes "An advisory has been issued on several buffer overflow exploits in the Mozilla and Thunderbird code. Coincidentally, one of the exploits takes advantage of an unchecked buffer in the bitmap parser, very similar to the recent Microsoft JPEG vulnerability.
The good news is that if you have an updated version (Mozilla 1.7.3, Firefox 1.0PR, Thunderbird 0.8) you won't be affected."
I'm not fully able to upgrade yet, as the Debian builds I'm using haven't been upgraded. There are bugs in the packaging.
The guy's working on it, though.
This is bullshit. Furthermore, I am of the opinion that Carthage must be destroyed.
I wanted to mod you down but I figured I'd just correct you. As a /.er showed yesterday, in the vast majority of cases Microsoft releases security patches either before a vulnerability has been announced or on a 0-day basis. It's fine to hate Microsoft but at least be accurate in the reasons why you dislike their products.
You want to know who isn't running Firefox 2.x? They spell it "definately" and "rediculous".
This is generally fixed in 1.0PR - you can safely upgrade over a previous installation, and extensions are updated when possible. They even made it easier for extension writers to simply update the compatibility number for their extensions without requiring you to download again.
I switched to Firefox a few weeks ago and shortly after started to use it exclusively. I was on the verge of telling my family and friends to make the switch as well.
However, I can't do that right now. When I learned of the new version released, how it will be supplanted by a new release soon, and the lack of auto-updating, I realized it WILL be a burden for some of the people I'd tell to switch.
From what I saw, to upgrade to a newer release Firefox has to be uninstalled and then re-installed, and until the folks who wrote the freely available functions upgrade them, they won't be compatible with the new release. This exploit too has me wondering if it really isn't way too soon to force them to switch. They've all been educated to use the auto update for IE.
Great product. I'm hooked. I will continue to use it. Blocking ads, images, bugmenot, and a host of other functions have won me over. But before I can recommend it to the folks that aren't exactly technical - the team will need to either allow for patch updates, or auto-updates.
_ _ _ Go for the eyes Boo! GO FOR THE EYES!
1.0 Preview Release has a neat little arrow in the top right corner that notifies you when updates are available. I can't confirm that it works the way it's supposed to, i.e. uninstalling and reinstalling / upgrading Firefox for you, or if it automatically installs patches. There haven't been any new browser versions or any patches yet. But I was able to install a couple of things, as well as update a few extensions, through Firefox Update. It's in Tools --> Options... --> Advanced --> Software Update. Alternatively, you can go to Tools --> Extensions --> Update for just extension updates.
-Rob
Marriage doesn't have to suck!
Fortunately Mozilla can be silent-installed quite easily.
Indeed, when using a login script it poses no problems.
There are many apps that are much harder to silently install.
The Moz team should be looking with urgency at how corporate customers can keep it up to date - I'm sure that would also make it a much easier sell to business.
I completely agree (but from a Firefox standpoint; I haven't used Mozilla in ages). There needs to be serious consideration of usage in corporate settings on Windows desktops. Features such as an MSI package to ease deployment across Active Directory networks are needed. Yes, you can create your own MSI packages, but it'd be nice if one was provided. For those who don't know what I'm talking about with AD, it basically means that with a few mouse clicks (seriously), I can install Firefox on all computers on my network. You could probably replicate that with logon scripts, but this method provides automatic uninstallation of old versions when upgrading Firefox, as well as installation repair if files are corrupted (but I'm not sure how useful that is, since it might point to more serious hardware problems).
Firefox settings in Group Policy would also be awesome, although that would require either placing Firefox settings in the registry or writing a Group Policy plugin to handle settings. What this would mean is that Firefox configuration settings for an entire network can be controlled from a central location.
There are other minor problems (such as placement of Firefox cache in Application Data instead of Local Settings\Application Data, causing the entire cache to be synchronized with the domain server on logon and logoff), so if they aren't already, Firefox developers should be sure to test on machines with multiple user profiles with reduced privileges. These things, although inconsequential to regular users at home, are quite important for acceptance in corporate Windows networks.
Also, apologies if you can already do all of these, but if that's the case, a page discussing these things for network administrators would also be nice.
Actually there is a nasty problem in Mozilla and Firefox: the language files must be of the same version as the program. And the version number of the program is updated even for security fixes.
Result: when you or your users do not use the default English-US language, you cannot update to fixed versions as they are announced, but are forced to wait until the translation volunteer finds time to update the language package.
The Dutch language for 1.7.2 was released on September 10th, 5 weeks after that security fix had been released. And just a week later, another fix appears.
This way, users of the Dutch language will never be able to run recently fixed versions.
Hopefully something will be done about this. It should be possible to run a security-fixed release with the original language pack, or at least the language packs should be automatically updated and released whenever a security related fix appears.
If you look around some, you'll see that people are already doing exactly what you are concerned about. See this Zenworks example
--Asa
Firefox 0.10 (PR) can now check for critical security updates and install them. This is our first release with that feature working as expected. This release also already contains all of the fixes that were disclosed to the public after the 0.10 release.
If a new vulnerability is found and patched, Firefox 0.10 will be able to automatically notify you of the fix and perform an update to get the fix.
--Asa
Probably the simplest option is to run Firefox as a different user. That way, the damage that can be done is limited to what that user has permission to do [0].
It's so simple, I'll be back in a couple of minutes once I've done it..
Done it, make that 25 seconds. Most of that was updating authentication tokens for the new user.
There are a couple of usability issues - such as downloaded files being elsewhere, and you'll need some way to switch user, which is not really doable transparently. Also, all that you do with that user account is susceptible - so don't use it for anything sensitive.
One main problem:
1) It needs access to the X display. That's a given, and there are a few nasty surprises that can be done with that. That would be the case no matter what (chroot etc.), however.
It's scriptable - if you have CPU to burn, probably the simplest method is to use passphraseless ssh keys, so that "ssh dummy@localhost riskyapp" works.
That's all a bit of a cheap hack, but I believe that it does the desired permission separation.
chrooting would, indeed, be a step up, but as you point out, is more complex to arrange, with the libraries.
[0] Barring any local root holes, which is an orthogonal issue.
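The separate-user trick the post above describes, as an added example that is not from the thread or from Mozilla. It assumes a dedicated unprivileged account (default "ffsandbox") already exists, that sudo allows the invoking user to run commands as it, and an X server that honours xhost's SI:localuser: entries; sudo is used here in place of the poster's passphraseless ssh keys. The X display is granted only to that one local user for the lifetime of the app, and the sandbox user gets a reset environment rather than the caller's session variables and agent sockets.

```shell
#!/bin/sh
# Added example: launch a risky GUI app as a separate local user so that a
# browser compromise only reaches that account's files. Hypothetical account
# name "ffsandbox"; sudo rule and xhost support are assumed.

# Refuse targets that would defeat the separation: empty, root, or the caller.
# Prints "ok" or a reason; the exit status mirrors it.
validate_target() {
    target="$1"; me="$2"
    case "$target" in
        "")   echo "refuse: empty target user"; return 1 ;;
        root) echo "refuse: running as root defeats the purpose"; return 1 ;;
    esac
    if [ "$target" = "$me" ]; then
        echo "refuse: target equals invoking user ($me)"; return 1
    fi
    echo ok
}

run_sandboxed() {
    target="${SANDBOX_USER:-ffsandbox}"
    app="${1:-firefox}"
    display="${DISPLAY:?DISPLAY is not set}"
    validate_target "$target" "$(id -un)" >&2 || return 1
    id "$target" >/dev/null 2>&1 || { echo "no such user: $target" >&2; return 1; }

    # Grant the X display to that local user only (the poster's "nasty
    # surprises" still apply to anything with display access), run the app
    # with a minimal environment, then revoke the grant again.
    xhost +SI:localuser:"$target" >/dev/null || return 1
    sudo -H -u "$target" env -i DISPLAY="$display" PATH=/usr/bin:/bin "$app"
    status=$?
    xhost -SI:localuser:"$target" >/dev/null
    return $status
}

# Only launch when explicitly asked, so the file can also be sourced for its
# functions: SANDBOX_RUN=1 ./run-sandboxed.sh firefox
if [ "${SANDBOX_RUN:-0}" = 1 ]; then
    run_sandboxed "$@"
fi
```

Downloads land in the sandbox user's home, as the post notes, so anything you want to keep has to be copied back out deliberately; that is the cost of the separation, not a bug in it.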
Well, it shouldn't be possible to be infected with a virus from a picture... Because data memory should never EVER be able to be executed without specific privilege elevation [yeah, maybe root can do this, or perhaps only the deepest dark section of the kernel].
1) Software designers should be more careful when using buffers, so that overruns don't occur. Is it really that hard to keep a counter around to make sure you don't overrun? I guess developers want their code to run fast, and I suppose it doesn't help that C offers absolutely no protection from such problems. [Pascal and other strongly typed languages sure help in this regard; it's a lot harder to make this type of mistake.]
2) OS designers should do more thorough checking to make sure data pages are never executed [and a data write can't write into an application memory page!]. While it SHOULD be caught above, the OS should be looking out for requests to write into pages not assigned as data for a particular application.
3) Hardware designers should implement features to optimize #1 and #2 [e.g. no-execute flags, Harvard architecture, etc. I can easily see an architecture that looks like a Harvard architecture in normal mode and then turns into our traditional von Neumann architecture in privileged mode].
It's really quite a simple concept to have a no-execute flag associated with a memory page that can only be changed in privileged mode. And such coding techniques should work fine for day-to-day computer use [self-modifying code could be a problem, etc.].
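The story mentions an unchecked buffer in the bitmap parser, and the comment above asks why keeping a counter is so hard. As an added illustration, not Mozilla's code and not the actual bug, here is a toy BMP (BITMAPINFOHEADER, BI_RGB) reader in the shape of that bug class, an image parser that trusts header-declared sizes, beside a bounds-checked version of the same routine. The fixed 64 KiB pixel buffer, the field limits and the sample images built by build_bmp are this example's own constructions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added example, not Mozilla's code: toy BMP reader, vulnerable and hardened.
 * Assumed: a caller-owned fixed pixel buffer and the field limits below. */

#define MAX_PIXELS (64 * 1024)   /* caller's fixed scratch buffer */
#define BMP_HDR_LEN 54           /* 14-byte file header + 40-byte info header */

struct bmp_info { int32_t width, height; uint16_t bpp; };

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }

/* VULNERABLE: row length and pixel count come straight from the header.
 * A hostile width/height makes memcpy read past 'buf' and write past
 * 'pixels' (MAX_PIXELS bytes); a negative height wraps to a huge size_t. */
int parse_bmp_vulnerable(const uint8_t *buf, size_t len, uint8_t *pixels) {
    if (len < BMP_HDR_LEN || buf[0] != 'B' || buf[1] != 'M') return -1;
    uint32_t off = rd32(buf + 10);
    int32_t w = (int32_t)rd32(buf + 18), h = (int32_t)rd32(buf + 22);
    uint16_t bpp = rd16(buf + 28);
    size_t need = (size_t)w * bpp / 8 * (size_t)h;   /* unchecked arithmetic */
    memcpy(pixels, buf + off, need);                 /* unchecked copy */
    return 0;
}

/* HARDENED: every header field is validated against the real input length
 * and the destination size before any byte is copied. */
int parse_bmp_hardened(const uint8_t *buf, size_t len, uint8_t *pixels,
                       size_t pixels_len, struct bmp_info *out) {
    if (len < BMP_HDR_LEN || buf[0] != 'B' || buf[1] != 'M') return -1;
    if (rd32(buf + 14) < 40) return -1;                 /* need a full BITMAPINFOHEADER */
    uint32_t off = rd32(buf + 10);
    int32_t w = (int32_t)rd32(buf + 18), h = (int32_t)rd32(buf + 22);
    uint16_t bpp = rd16(buf + 28);
    if (rd32(buf + 30) != 0) return -1;                 /* only BI_RGB (uncompressed) here */
    if (w <= 0 || w > 32767 || h == 0 || h > 32767 || h < -32767) return -1; /* negative h = top-down */
    if (bpp != 8 && bpp != 24 && bpp != 32) return -1;
    uint32_t rows = (uint32_t)(h < 0 ? -h : h);
    uint64_t row_bytes = (((uint64_t)w * bpp + 31) / 32) * 4; /* rows padded to 4 bytes; fits after the bounds above */
    uint64_t need = row_bytes * rows;
    if (off < BMP_HDR_LEN || off > len) return -1;      /* data offset must lie inside the input */
    if (need > len - off) return -1;                    /* header promises more data than present */
    if (need > pixels_len) return -1;                   /* would overflow the destination */
    memcpy(pixels, buf + off, (size_t)need);
    out->width = w; out->height = h; out->bpp = bpp;
    return 0;
}

/* Constructed sample input: minimal 24-bpp BI_RGB BMP with the given
 * dimensions; pixel rows (0xAB bytes) are appended only when with_pixels. */
size_t build_bmp(uint8_t *out, int32_t w, int32_t h, int with_pixels) {
    memset(out, 0, BMP_HDR_LEN);
    out[0] = 'B'; out[1] = 'M';
    wr32(out + 10, BMP_HDR_LEN);            /* pixel data offset */
    wr32(out + 14, 40);                     /* info header size */
    wr32(out + 18, (uint32_t)w); wr32(out + 22, (uint32_t)h);
    wr16(out + 26, 1); wr16(out + 28, 24); wr32(out + 30, 0);
    size_t n = BMP_HDR_LEN;
    if (with_pixels) {
        size_t row = (((size_t)w * 24 + 31) / 32) * 4;
        memset(out + n, 0xAB, row * (size_t)h);
        n += row * (size_t)h;
    }
    return n;
}

int main(void) {
    uint8_t img[128], px[MAX_PIXELS];
    struct bmp_info info;
    size_t n = build_bmp(img, 2, 2, 1);                 /* 54 + 2 padded rows of 8 = 70 bytes */
    printf("benign 2x2: hardened=%d\n", parse_bmp_hardened(img, n, px, sizeof px, &info));
    n = build_bmp(img, 1000, 1000, 0);                  /* header claims 3 MB of pixels; file is 54 bytes */
    printf("hostile 1000x1000, no data: hardened=%d (vulnerable version would memcpy 3000000 bytes)\n",
           parse_bmp_hardened(img, n, px, sizeof px, &info));
    return 0;
}
```

The vulnerable routine is what a fuzzer finds in minutes: one header field controls both how far memcpy reads past the input and how far it writes past the destination. The hardened one bounds the dimensions before doing arithmetic on them, computes sizes in a type wide enough that the checked bounds cannot wrap, and compares the result against both the bytes actually present and the destination's capacity.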
Why is this so hard for people:
Upgrade Firefox.
Your extensions will get disabled because they have a MaxVersion lower than the Firefox version.
Let it happen. DON'T FREAK OUT.
Go to the extension manager.
Right click all the disabled extensions and select Enable.
Restart Firefox.
Woo hoo. Barring any changes in the code that genuinely make your old extensions incompatible, your world keeps on turning.
We did disclose the security bugs. Every time we release, we update our vulnerabilities page (http://www.mozilla.org/projects/security/known-vulnerabilities.html) with the list of security bugs fixed in the new release. Secunia just cribbed their advisory information from that very page.
The world might be a better place if you actually paid some attention.
-Blake Ross
The critical exploits were found and the Mozilla team told privately. The bugs were fixed and a new release made, then the bugs were disclosed publicly so people knew to upgrade. Apparently the bugs were found due to the cash bounty programme, which was only possible because it was open source.
Compare this to Microsoft: bugs are found and Microsoft told privately, multiple times; eventually the white hat gives up and publicly discloses it as the only way to put pressure on Microsoft.
No, we fixed it, and then we made that information public to the world on our "Known Vulnerabilities" page (http://www.mozilla.org/projects/security/known-vulnerabilities.html), linked to from our Security page (http://www.mozilla.org/security/), just as we've done for each release. Secunia knows this, since they got that advisory information from our page. Why don't you?
Blake
There's a new workaround for this here (no direct link allowed, sorry, you're stuck with copy paste):
http://bugzilla.mozilla.org/show_bug.cgi?id=258679
The summary: put this in your userChrome.css.
/* Make the Search box flex wider */
#search-container {
-moz-box-flex: 200 !important;
}
#searchbar {
-moz-box-flex: 200 !important;
}
Hope this works for you!
I hope this will help you, I'll go straight to the point:
Edit -> Preferences -> Advanced ->
Periodically check for updates to:
[X] Firefox
[X] My Extensions
[X] Automatically download AND INSTALL new updates