Slashdot Mirror


Critical Mozilla, Thunderbird Vulnerabilities

d3ik writes "An advisory has been issued on several buffer overflow exploits in the Mozilla and Thunderbird code. Coincidentally, one of the exploits takes advantage of a unchecked buffer in the bitmap parser, very similar to recent Microsoft JPEG vulnerability. The good news is that if you have an updated version (Mozilla 1.7.3, Firefox 1.0PR, Thunderbird 0.8) you won't be affected."

13 of 596 comments (clear)

  1. So will it be Mozilla's fault... by goldspider · · Score: 5, Insightful
    ...when people don't upgrade to versions that aren't vulnerable?

    Afterall, it's Microsoft's fault when their users don't keep up to date with security patches.

    --
    "Ask not what your country can do for you." --John F. Kennedy
    1. Re:So will it be Mozilla's fault... by Nos. · · Score: 5, Insightful

      That's right... of course a lot of use Geeks are also at fault since a good number of us have told friends, families, even clients that "no, you can't get a virus from a picture".

    2. Re:So will it be Mozilla's fault... by dj42 · · Score: 5, Insightful

      If you don't go get your gas tank valved fixed in an official manufacturer recall from your car company, and your car blows up, whose fault is it?

      --
      We are one consciousness experiencing itself subjectively. Back to you with the weather, Bob!
    3. Re:So will it be Mozilla's fault... by DogDude · · Score: 5, Insightful

      So will it be Mozilla's fault... when people don't upgrade to versions that aren't vulnerable?

      No. Then it'll be the stupid user's fault. Only MS is at fault for not actively coming to each users' house and business and physically installing the update for them, even though MS's Automatic Update feature works great. Even though Firefox/Thunderbird/SunBird's manual "check for updates" feature doesn't even work, it's definitely the *stupid* user's problem when it comes to any non-MS program.

      --
      I don't respond to AC's.
    4. Re:So will it be Mozilla's fault... by Anonymous Coward · · Score: 5, Insightful

      Not true. I installed Firefox 1.0PR, and my Qute theme stopped working. I installed Firefox 0.93 and my search bar stopped working. After 0.92, I couldn't uninstall any of my old extensions.

      Mozilla has the same problems as Microsoft as far as breaking things. The reason you notice it more in Microsoft's code is that they write things like operating systems, which tens of thousands of different applications run on top of. Only a handful of things run on top of your web browser.

    5. Re:So will it be Mozilla's fault... by CTho9305 · · Score: 5, Insightful

      That's a really pathetic excuse - Mozilla is at 1.7.x (1.8 for trunk development), and the bugs are shared. Justifying holes with "oh, we haven't reached 1.0 yet" will just come back to bite you when 1.0 is released and more holes are discovered. Heck, Netscape is at version 7.2 and it is likely to share these holes.

      Justify them as "we try hard to find them and fix them quickly", but not "they'll go away when we reach 1.0".

    6. Re:So will it be Mozilla's fault... by tonyr60 · · Score: 5, Insightful

      "1) Software designers should be more careful when using buffers"
      "2) OS designers should do more through checking to make sure data pages are never executed"

      Great idea. Now minor problem, how do you make sure your software and OS designers are 100% competent, never have a bad day, never arrive with a hangover, never have a bitter argument with spouse/partner.

      I see no evidence that this is possible with the current crop of earth's inhabitants.

  2. The beauty of a non-integrated browser........ by ARRRLovin · · Score: 5, Insightful

    .....you can patch without fear of breaking a gazillion programs.

    --
    -Randy
  3. Auto update anyone? by Arthur+Dent+75 · · Score: 5, Insightful
    So when will Firefox get an option to perform automatic updates like e.g. Windows Update allows?

    I cannot ask my father to uninstall his browser and reinstall a new one every so often. If Firefox wants to be accepted by the large crowd out there it definitely needs an automatic update.

    --
    michael at slashdot.org: The real answer is that a couple of the slashdot authors are sick.
  4. Update notification methods by grape+jelly · · Score: 5, Insightful

    I wasn't notified of this critical vulnerability until I checked slashdot. Perhaps FFox/Moz should have a feature that automatically checks for updates and recommends them appropriately?

  5. Re:One of the reasons i love firefox by Politburo · · Score: 5, Insightful

    And here's the additional difference:

    We're going to fix this Firefox bug, and it doesn't matter if it wipes your preferences and breaks your extensions. Your loss for using beta software.

    We're going to fix this IE bug and try to make sure it doesn't break existing installs.

    I use Firefox, but haven't upgraded from 0.8. I got tired of having to reset my preferences and extensions with each update. I'll take the time to upgrade when it gets to 1.0.

  6. Re:Automated Upgrading by nate1138 · · Score: 5, Insightful

    If you use login scripts, you can just drop the patch in the script and have it install automagically. I do this all the time with our non-MS applications. Works pretty well, but if the patch doesn't have a silent mode, you will need to let your users know to expect it at login.

    --
    Where's my lobbyist? Right here.
  7. Mozilla Bug Bounty Program by romiz · · Score: 5, Insightful

    All those critical bugs have been detected by reviewers from the "Security Bug Bounty Program", as described on mozilla.org. The Mozilla Foundation has offered a $500 bounty for each security bug found, and already has secured a $10,000 budget to do so.

    Thus, all those bugs should not be seen as a proof that the Mozilla code is badly written, but rather that the Mozilla Foundation is aware that secure code is hard to write, and that a good review process is critical to reach this goal.