Slashdot Mirror


Critical Mozilla, Thunderbird Vulnerabilities

d3ik writes "An advisory has been issued on several buffer overflow exploits in the Mozilla and Thunderbird code. Coincidentally, one of the exploits takes advantage of a unchecked buffer in the bitmap parser, very similar to recent Microsoft JPEG vulnerability. The good news is that if you have an updated version (Mozilla 1.7.3, Firefox 1.0PR, Thunderbird 0.8) you won't be affected."

34 of 596 comments (clear)

  1. So will it be Mozilla's fault... by goldspider · · Score: 5, Insightful
    ...when people don't upgrade to versions that aren't vulnerable?

    Afterall, it's Microsoft's fault when their users don't keep up to date with security patches.

    --
    "Ask not what your country can do for you." --John F. Kennedy
    1. Re:So will it be Mozilla's fault... by Nos. · · Score: 5, Insightful

      That's right... of course a lot of use Geeks are also at fault since a good number of us have told friends, families, even clients that "no, you can't get a virus from a picture".

    2. Re:So will it be Mozilla's fault... by Chess_the_cat · · Score: 3, Insightful

      Hope not because Firefox makes it extremely difficult to upgrade if you want to keep your extensions. Hmmm, security or TabbedBrowser Preferences. Hard to choose really.

      --
      Support the First Amendment. Read at -1
    3. Re:So will it be Mozilla's fault... by Kobayashi+Maru · · Score: 4, Insightful

      Maybe you could argue such a point for the suite, but I don't see how you could do so for Firefox and Thunderbird. Those packages can still claim pre-1.0 innocence. Note that I'm not judging the validity of these charges, just where they should, and should not, apply.

    4. Re:So will it be Mozilla's fault... by dj42 · · Score: 5, Insightful

      If you don't go get your gas tank valved fixed in an official manufacturer recall from your car company, and your car blows up, whose fault is it?

      --
      We are one consciousness experiencing itself subjectively. Back to you with the weather, Bob!
    5. Re:So will it be Mozilla's fault... by DogDude · · Score: 5, Insightful

      So will it be Mozilla's fault... when people don't upgrade to versions that aren't vulnerable?

      No. Then it'll be the stupid user's fault. Only MS is at fault for not actively coming to each users' house and business and physically installing the update for them, even though MS's Automatic Update feature works great. Even though Firefox/Thunderbird/SunBird's manual "check for updates" feature doesn't even work, it's definitely the *stupid* user's problem when it comes to any non-MS program.

      --
      I don't respond to AC's.
    6. Re:So will it be Mozilla's fault... by digitallife · · Score: 3, Insightful

      Come on lets be serious here, it's not that MS programs have bugs or security problems (all software does), it's their companies attitude and power that bothers people. Is MS 'evil' for a company? Ignoring that companies really can't be evil or good, they don't seem to be dramatically worse than many other companies. The problem is that they have WAY more power than other companies! They are like 'the man'. Well, that and their browser sucks ass. Their company attitude is a disgrace to the computer industry. IE was stagnant for years simply because of lack of competition. OSS isn't perfect, but at least it is by the people for the people, and changes as the people want (somewhat :)). MS has a corporate agenda, and corporate agendas are not moral, nor are they necessarily good for anything or anyone (sometimes they aren't even good for the company!). Anyways, it's funner to kick the big guy than the little guy :) (especially when the big guy is an ass)

    7. Re:So will it be Mozilla's fault... by Anonymous Coward · · Score: 5, Insightful

      Not true. I installed Firefox 1.0PR, and my Qute theme stopped working. I installed Firefox 0.93 and my search bar stopped working. After 0.92, I couldn't uninstall any of my old extensions.

      Mozilla has the same problems as Microsoft as far as breaking things. The reason you notice it more in Microsoft's code is that they write things like operating systems, which tens of thousands of different applications run on top of. Only a handful of things run on top of your web browser.

    8. Re:So will it be Mozilla's fault... by CTho9305 · · Score: 5, Insightful

      That's a really pathetic excuse - Mozilla is at 1.7.x (1.8 for trunk development), and the bugs are shared. Justifying holes with "oh, we haven't reached 1.0 yet" will just come back to bite you when 1.0 is released and more holes are discovered. Heck, Netscape is at version 7.2 and it is likely to share these holes.

      Justify them as "we try hard to find them and fix them quickly", but not "they'll go away when we reach 1.0".

    9. Re:So will it be Mozilla's fault... by tonyr60 · · Score: 5, Insightful

      "1) Software designers should be more careful when using buffers"
      "2) OS designers should do more through checking to make sure data pages are never executed"

      Great idea. Now minor problem, how do you make sure your software and OS designers are 100% competent, never have a bad day, never arrive with a hangover, never have a bitter argument with spouse/partner.

      I see no evidence that this is possible with the current crop of earth's inhabitants.

    10. Re:So will it be Mozilla's fault... by kcbrown · · Score: 3, Insightful
      Ignoring that companies really can't be evil or good

      Really? Tell me, what exactly is the difference between someone who is greedy and is willing to do anything at all (as long as they either don't get caught or don't lose anything significant when they do) in order to satisfy that greed, and someone who is evil?

      I don't think there's any real difference at all.

      And since the behavior of many corporations (Diebold, Microsoft, many RIAA members, etc., etc.) is almost exactly described by the above, I think it's perfectly reasonable to call them "evil". Certainly if you were to evaluate their behavior as if they were people, you'd conclude without a doubt that they're psychopaths.

      --
      Use 'slashdot stuff' in the subject line in any email you send me if you want to get past the spam filter.
  2. The beauty of a non-integrated browser........ by ARRRLovin · · Score: 5, Insightful

    .....you can patch without fear of breaking a gazillion programs.

    --
    -Randy
  3. OSS suffers the same problem as commercial sw... by grape+jelly · · Score: 4, Insightful

    Here's why:

    Software is written by humans. As a result, mistakes are bound to be made. Various software design strategies merely mitigate and minimize those risks, but it's bound to happen. This is a fundamental fact of life. Deal with it.

    However, OSS permits investigation and transparency in the resulting software. This leads to better code reviews (hopefully) and more bug fixes. In addition, there is nothing that a software development team or company can hide behind (a la IP rights) all the while shouting, "Shut up! Shut up! I can't hear you! la la la la!"

  4. Automated Upgrading by Albanach · · Score: 4, Insightful
    This is going to be an ever bigger problem for small businesses that adopt Mozilla.

    If I use Internet Explorer, I can deploy patches to every amchine on the domain automagically using software like Shavlik's HfNetChk - with Moz I'd have to take a trip round the desktops, forty or fifty upgrades is something I don't fancy.

    The Moz team should be looking with urgency at how corporate customers can keep it up to date - I'm sure that would also make it a much easier sell to business.

    1. Re:Automated Upgrading by nate1138 · · Score: 5, Insightful

      If you use login scripts, you can just drop the patch in the script and have it install automagically. I do this all the time with our non-MS applications. Works pretty well, but if the patch doesn't have a silent mode, you will need to let your users know to expect it at login.

      --
      Where's my lobbyist? Right here.
    2. Re:Automated Upgrading by omicronish · · Score: 3, Insightful

      Seriously dude, if you don't know how to write a simple script to copy files to all user's machines without the help of another program, what are you doing administering systems?

      Of course it can be done, but then there are what I consider superior solutions when you already have an Active Directory network on Windows, where software upgrades and propagation of configuration settings can be controlled from a central place (Group Policies). Using scripts to upgrade would be like writing a script to download and patch on Gentoo even though emerge is already available.

  5. Re:One of the reasons i love firefox by Rallion · · Score: 4, Insightful

    Except the similar MS bug is already patched. And yet people were still quite pissed about it a few hours ago.

  6. Auto update anyone? by Arthur+Dent+75 · · Score: 5, Insightful
    So when will Firefox get an option to perform automatic updates like e.g. Windows Update allows?

    I cannot ask my father to uninstall his browser and reinstall a new one every so often. If Firefox wants to be accepted by the large crowd out there it definitely needs an automatic update.

    --
    michael at slashdot.org: The real answer is that a couple of the slashdot authors are sick.
  7. Update notification methods by grape+jelly · · Score: 5, Insightful

    I wasn't notified of this critical vulnerability until I checked slashdot. Perhaps FFox/Moz should have a feature that automatically checks for updates and recommends them appropriately?

  8. Re:OS is better! by October_30th · · Score: 4, Insightful
    If only they provided binary patches.

    I hate to download yet again all 11 megabytes just because of a single bug.

    --
    The owls are not what they seem
  9. Re:One of the reasons i love firefox by Politburo · · Score: 5, Insightful

    And here's the additional difference:

    We're going to fix this Firefox bug, and it doesn't matter if it wipes your preferences and breaks your extensions. Your loss for using beta software.

    We're going to fix this IE bug and try to make sure it doesn't break existing installs.

    I use Firefox, but haven't upgraded from 0.8. I got tired of having to reset my preferences and extensions with each update. I'll take the time to upgrade when it gets to 1.0.

  10. Re:One of the reasons i love firefox by skiflyer · · Score: 4, Insightful

    Yeah, that is a loss of using beta software. If you're using firefox you're a beta tester, which comes with all sorts of drawbacks like that.

    They're at the stage where they make large sweeping changes quickly. Once they hit production they should no longer do that... but until then, it comes with the terroritory... personally I'm amazed, and think it speaks greatly to the quality of Firefox and the lack of quality of IE that Firefox has such a showing in a beta state.

  11. Re:OSS suffers the same problem as commercial sw.. by a_n_d_e_r_s · · Score: 3, Insightful

    Well actually buffer overflows are inherent problems in C/C++ because they allow programmers to make those kind of errors.

    Java on the other hand does not allow programmers to make that error. If more people used better tools it would mean less security problmens.

    --
    Just saying it like it are.
  12. Re:Reminds me... by Yaztromo · · Score: 4, Insightful
    I'm so glad this happened, which it would happen hourly so that those annoying FSF/OSS brats shut up.

    If you RTFA, and scroll to the botttom, you'll notice they link to all of the relevant Bugzilla entries for the reported problems.

    Read them. Do you know how these flaws were found? By people looking at the source code and reporting them. The people who detected the problems couldn't have found them if the source was closed.

    This is Open Source at its finest. On the other hand, we have the flaws in IE that are all too often found after someone has created an exploit and it's in the wild.

    Personally, I wouldn't mind one bit if Mozilla users and Open Source developers found a security problem once per hour and got the problem fixed quickly. It's vastly better than the closed-source alternative where you have to hope that someone without access to the source reports the fault when they find it, and that Microsoft doesn't take their own sweet time fixing it.

    Once again, Open Source at its finest.

    Yaz.

  13. A sense of deja-vu! by ChiralSoftware · · Score: 3, Insightful
    As I said in an earlier thread, we will get burned again and again and again, and then we will get burned some more, until we stop processing unsafe data (data from the net or untrusted sources) using code written in unsafe languages. By unsafe language I mean any language that allows unsafe memory access. By unsafe memory access I mean any language that lets your code manipulate arbitrary memory locations in arbitrary ways, and then jump to arbitrary locations.

    The safest and best thing is to use a real VM, like the JVM. Another alternative is to use something like Cyclone which also doesn't allow unsafe memory operations.

    To all the ditto-heads who keep on saying "if it's not in C, it's too slow", wasn't there just an article on Slashdot a few days ago about full-motion video players written in pure Java? Surely a jpeg here and there shouldn't be too much of a problem?

  14. Update Without Reinstall?? by NanoGriever · · Score: 3, Insightful

    so when are we going to be able to update firefox/thunderbird without reinstalling the entire app? I'm sick and tire of this because I also have to reinstall every single extensions and themes I use. Sure I can do this easily, but it's a pain in the ass when I have to tell my not-so-tech-savvy friends to upgrade. it's tedious and stupid. and god bless those poor souls who have to upgrade a whole network of machines.

  15. Mozilla Security Centre by prandal · · Score: 4, Insightful

    mozilla.org really needs to include a link to their Security Centre on their front page.

  16. Now we will see... by jmcmunn · · Score: 3, Insightful

    As FireFox and Mozilla become more widely used, we will truly see how well the open source community can keep up. After all, I honestly believe that the reason more bugs and fulnerabilities are found in IE is that it is more widely used.

    I see the day not too far off when FireFox could overtake IE in the market...so will the majority of problems then be in FireFox, or is microsoft really writing bad code? It will be interesting to see.

    I believe the open source community will be up to the task of maintaining the bugs as they come in, but I think we will see that there will still be a lot of these types of serious problems that crop up once there are thousands of people dedicating their lives to exploiting them.

    Grab a chair, sit back and watch the fun.

  17. The good news?!?! by stubear · · Score: 4, Insightful

    "The good news is that if you have an updated version (Mozilla 1.7.3, Firefox 1.0PR, Thunderbird 0.8) you won't be affected."

    And the good news is if you have the updated version of Windows (Windowws XP SP2) then you aren't affected by the similar critical flaw either but it's different when it's OSS huh?

  18. Re:One of the reasons i love firefox by Jugalator · · Score: 3, Insightful

    We've found a bug in firefox, we're really sorry. Anyone using old versions of firefox will be affected.

    We've found a bug in internet explorer, we're really sorry. We'll fix it... eventually.


    The only difference here is when they decided to announce the flaw.
    Mozilla decided to keep it secret until a new version was released. Don't you find that at least slightly scary?

    Look when this security exploit was filed: #226669.

    --
    Beware: In C++, your friends can see your privates!
  19. Mozilla Bug Bounty Program by romiz · · Score: 5, Insightful

    All those critical bugs have been detected by reviewers from the "Security Bug Bounty Program", as described on mozilla.org. The Mozilla Foundation has offered a $500 bounty for each security bug found, and already has secured a $10,000 budget to do so.

    Thus, all those bugs should not be seen as a proof that the Mozilla code is badly written, but rather that the Mozilla Foundation is aware that secure code is hard to write, and that a good review process is critical to reach this goal.

  20. Re:OS is better! by iCharles · · Score: 4, Insightful

    And thats why Open Source is better! find it one day patch it the next.

    Nimbda and Code Red both came out after patches had been available for months. I don't see this as positive or negative for Open Source.

    At the end of the day--regardless of platform, it comes down to someone actually installing the patch!

  21. Re:OSS suffers the same problem as commercial sw.. by William+Baric · · Score: 3, Insightful

    OSS permits investigation and transparency

    Without design specifications and a complete, well written documentation, the only way people could check a program is by reading the whole code and understanding the whole thing. Do you know a lot of people who would waste hundred of hours to look for bugs (apart from the ones who are developing the program) ?

    OSS permits investigation, but no one is doing it because most OSS project have very little documentation. The result is most OSS project are extremely buggy.

    And even worst, since most people who "work" on OSS project do it as a hobby, they prefer to add new shiny things rather than fixing bugs. Take the address book in mozilla/Thunderbird for example. I regularly lose contacts. Also, I once deleted a contact, and it gave the address of the deleted contact to the preceding contact - which means I was sending mail TO THE WRONG PERSON. Last week I tried to copy 34 address from one address book to another, it said 34 address copied, but then there was only 33 address. Found the missing address, tried to copy it (drag and drop), but no, I had to enter it manually. It's a real joke but no one is fixing it.

    So who's shouting "Shut up! I can't hear you! la la la la" ?

  22. Re:OSS suffers the same problem as commercial sw.. by javaxman · · Score: 4, Insightful
    Good commercial software (emphasis on GOOD) has a large, dedicated testing team that has put a lot of time and effort into developing various tools, well-documented test plans, huge suites of test cases, regular automated test runs that catch introduced bugs quickly, and so in.

    HAHAHAHAHAHAHAHAHA!!!

    Somebody mod that guy up as Funny!!!

    Or, if you're not trying to be funny, you've clearly never worked in QA, or... maybe you've just explained that there are few GOOD pieces of commercial software...

    Anyway, let me assure you that I worked a lot of QA gigs, and in every single one of them, the QA team was dwarfed by the dev team, rarely had good specs to plan from, and found their test time was viewed the most expendable part of the product cycle ( it's the first one to shrink in case of a slip elsewhere ). And those automated tests? Those paths you automate aren't likely to have *glaring* problems- at lest not ones the automated tools can catch - it's just the cases QA didn't have time to code up that'll fail... and of course, you can't automate something until the program is available, can you ? In practice, automated tools are only *really* useful for regression testing.

    The most important thing I learned working QA is that the best QA in the world won't save you from a poorly planned or managed project, poor design, coders who don't unit test, or marketing guys who promise the sky and give a fixed do-or-die ship date to go with that sky. Code review is usually better than QA at finding non-design-related bugs. If the coders are good, QA ends up finding usability issues, rather than functionality issues, which is your best-case scenario, even though it means your prototyping and design phase was lacking.