Critical Mozilla, Thunderbird Vulnerabilities

← Back to Stories (view on slashdot.org)

Critical Mozilla, Thunderbird Vulnerabilities

Posted by timothy on Wednesday September 15, 2004 @06:34AM from the you-do-have-a-recent-one-right dept.

d3ik writes "An advisory has been issued on several buffer overflow exploits in the Mozilla and Thunderbird code. Coincidentally, one of the exploits takes advantage of a unchecked buffer in the bitmap parser, very similar to recent Microsoft JPEG vulnerability. The good news is that if you have an updated version (Mozilla 1.7.3, Firefox 1.0PR, Thunderbird 0.8) you won't be affected."

11 of 596 comments (clear)

Min score:

Reason:

Sort:

Re:One of the reasons i love firefox by gordgekko · 2004-09-15 06:46 · Score: 4, Informative

I wanted to mod you down but I figured I'd just correct you. As a /.er showed yesterday, in the vast majority of cases Microsoft releases security patches either before a vulnerability has been announced or on a 0-day basis. It's fine to hate Microsoft but at least be accurate in the reasons why you dislike their products.

--
You want to know who isn't running Firefox 2.x? They spell it "definately" and "rediculous".
Re:So will it be Mozilla's fault... by Jerph · 2004-09-15 06:47 · Score: 5, Informative

This is generally fixed in 1.0PR - you can safely upgrade over a previous installation, and extensions are updated when possible. They even made it easier for extension writers to simply update the compatability number for their extensions without requiring you to download again.
Re:Auto update anyone? by lpangelrob2 · 2004-09-15 06:59 · Score: 4, Informative

1.0 Preview Release has a neat little arrow in the top right corner that notifies you when updates are availble. I can't confirm that it works the way it's supposed to, i.e. uninstalling and reinstalling / upgrading Firefox for you. Or if it automatically installs patches. There haven't been any versions of new browsers or any patches yet. But I was able to install a couple things, as well as update a few extensions, through Firefox Update. It's in Tools --> Options... --> Advanced --> Software Update. Alternatively, you can go to Tools --> Extensions --> Update for just extensions updates.

--
-Rob
Marriage doesn't have to suck!
Re:Automated Upgrading by asa · 2004-09-15 07:14 · Score: 4, Informative

If you look around some, you'll see that people are already doing exactly what you are concerned about. See this Zenworks example

--Asa
Re:Update notification methods by asa · 2004-09-15 07:20 · Score: 4, Informative

Firefox 0.10 (PR) can now check for critical security updates and install them. This is our first release with that feature working as expected. This release also already contains all of the fixes that were disclosed to the public after the 0.10 release.

If a new vulnerability is found and patched, Firefox 0.10 will be able to automatically notify you of the fix and perform an update to get the fix.

--Asa
Doing it as a different user by DarkMan · 2004-09-15 07:50 · Score: 4, Informative

Probably the simplest option is to run Firefox as a different user. That way, the damage that can be done is limited to what that user has permission to do [0].

It's so simple, I'll be back in a couple of minutes once I've done it..

Done it, make that 25 seconds. Most of that was updating authentication tokens for the new user.

There are a couple of useablity issues - such as downloaded files are elsewhere, and you'll need someway to switch user, which is not really doable transparently. Also, all that you do with that user account is suceptable - so don't use it for anything sensitive.

One main problems:
1) It needs acess to the X display. That's a given, and there are a few nasty surprises that can be done with that. That would be the case no matter what, (chroot etc) however.

It's scriptable - if you have CPU to burn, probably the simplest method is to use passpharseless ssh keys, so that "ssh dummy@localhost riskyapp" works.

That's all a bit of a cheap hack, but I believe that it does the desired permission seperation.

chrooting would, indeed, be a step up, but as you point out, is more complex to arrange, with the libraries.

[0] Barring any local root holes, which is an orthogonal issue.
Re:So will it be Mozilla's fault... by mschiller · 2004-09-15 07:51 · Score: 5, Informative

Well it shouldn't be possible to be infected with a virus from a picture... Because Data Memory should never EVER be able to be executed without specific privledge elevation [yeah, maybe root can do this, or perhaps only the deepest dark section of the kernel].

1) Software designers should be more careful when using buffers, so that over runs don't occur is it really that hard to keep a counter around to make sure your don't overrun? I guess developers want their code to run fast and I suppose it doesn't help that C offers absolutely no protection from such problems. [Pascal and other strongly typed languages sure help in this regard it's alot harder to make this type of mistake].

2) OS designers should do more through checking to make sure data pages are never executed. [and a data write can't write into an application memeory page!]. While it SHOULD be caught above, the OS should be looking out for requests to write into pages not assigned as data for a particular application.

3) Hardware designers should implement features to optimize #1 and #2. [eg. noexecute flags. Harvard Architecture, etc. I can easily see a architecture that looks like a Harvard in normal mode and then turns into our traditional von neumann architecture in privledged mode.]

It's really quite simple concept to have a no execute flag associated with a memory page that can only be changed in privledged mode. And such coding techniques should work fine for day to day computer use [self modifying code could be problem , etc].
Re:So will it be Mozilla's fault... by TheDormouse · 2004-09-15 07:51 · Score: 5, Informative

Why is this so hard for people:

Upgrade Firefox.
Your extensions will get disabled because they have a MaxVersion lower than the Firefox version.
Let it happen. DON'T FREAK OUT.

Go to the extension manager.
Right click all the disabled extensions and select Enable.
Restart Firefox.

Woo hoo. Barring any changes in the code that genuinely make your old extensions incompatible, your world keeps on turning.
Re:coverup by mozilla team by blakeross · 2004-09-15 08:03 · Score: 5, Informative

We did disclose the security bugs. Every time we release, we update our vulnerabilities page (http://www.mozilla.org/projects/security/known-vu lnerabilities.html) with the list of security bugs fixed in the new release. Secunia just cribbed their advisory information from that very page. The world might be a better place if you actually paid some attention. -Blake Ross
Re:Spin by blakeross · 2004-09-15 08:07 · Score: 4, Informative

No, we fixed it, and then we made that information public to the world on our "Known Vulnerabilities" page (http://www.mozilla.org/projects/security/known-vu lnerabilities.html), linked to from our Security page (http://www.mozilla.org/security/), just as we've done for each release. Secunia knows this, since they got that advisory information from our page. Why don't you?

Blake
Re:So will it be Mozilla's fault... by brokenwndw · 2004-09-15 08:25 · Score: 5, Informative

There's a new workaround for this here (no direct link allowed, sorry, you're stuck with copy paste):

http://bugzilla.mozilla.org/show_bug.cgi?id=2586 79

The summary: put this in your userChrome.css.

/* Make the Search box flex wider */ #search-container { -moz-box-flex: 200 !important; } #searchbar { -moz-box-flex: 200 !important; }
Hope this works for you!