Slashdot Mirror


Critical Mozilla, Thunderbird Vulnerabilities

d3ik writes "An advisory has been issued on several buffer overflow exploits in the Mozilla and Thunderbird code. Coincidentally, one of the exploits takes advantage of an unchecked buffer in the bitmap parser, very similar to the recent Microsoft JPEG vulnerability. The good news is that if you have an updated version (Mozilla 1.7.3, Firefox 1.0PR, Thunderbird 0.8) you won't be affected."

4 of 596 comments

  1. chroot and UML by KidSock · Score: 4, Interesting

    Mmm, I wonder what it takes to run Firefox in a chroot jail. Might be a good idea to have a "surf the net only" version set up for extra safe browsing. I fear the amount of libraries necessary to do that. Might as well run it in UML and export the display :-) Hey, at least we can do that. MS apps don't conform well to the Principle of Least Privilege.

  2. Re:Question by glsunder · Score: 4, Interesting

    Does my lynx browser need updating?

    2004-04-01 (2.8.5rel.2)
    * fix for buffer in jpeg2ascii render code -BS

    2004-02-04 (2.8.5rel.1)
    * build fixes for MINGW32 -DK
    * build fixes for OS/2 (reported by IZ) -TD

  3. Re:So will it be Mozilla's fault... by bonkedproducer · Score: 4, Interesting

    Amazing how many asshats come out of the woodwork with these kinds of comments... Microsoft's IE has exploits that still exist three months after public discovery. Mozilla's developers already fixed this yesterday. BIG FSKING DIFF!

    Also, in Wired a short time ago, they tried to claim that Firefox had a vulnerability that had to be patched (which it did, 0.9 - 0.9.1), but the vulnerability was with the Windows OS, and blocking access to a Windows OS function was what was required to fix it.

    FF is still a better browser - no question about it.

    --
    Clothes make the man. Naked people have little or no influence in society - M. Twain

  4. Easy! by marcello_dl · Score: 4, Interesting

    The Moz team should be looking with urgency at how corporate customers can keep it up to date - I'm sure that would also make it a much easier sell to business.

    The only thing the Mozilla/Firefox team should do is to prevent user preferences and extensions from being reset by an upgrade. They are working on it, as I read in other threads. All other problems regarding deployment on multiple machines shouldn't be solved by the developer; you don't wanna end up with every package having a different approach to the problem. It must be a matter for sysadmins or the Linux distro developers.

    Even an average desktop user like me can think of one way to keep N boxes up to date under Debian: keep your own package cache (with tools like apt-cacher, I guess) and have a cron job on all clients doing the upgrade automatically.
    One box is devoted to trying out updates from the net; if they don't break anything they can be imported into the local cache, which can then be used to serve the upgrades to the other machines. The cron jobs can be offset so as not to overwhelm the local cache file server.

    Moderators who gave parent a +5 insightful: are you nuts? ;)

    --
    ---- MISSING MISCELLANEOUS DATA SEGMENT --- [sigdash] trolololol
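The client-side half of the scheme marcello_dl sketches (a cron job on each box that pulls upgrades through a local apt-cacher, with a per-host offset so the cache server is not hit by everyone at once), written as an added example rather than anything posted in the thread; the cache host `cache.example.lan` and the `LOCAL_UPGRADE_RUN` switch are assumptions.

```shell
#!/bin/sh
# Added example: client-side staged-upgrade job for the apt-cacher scheme above.
# Assumed: apt-cacher answers on cache.example.lan:3142 (placeholder host),
# and this file runs from cron (e.g. /etc/cron.daily) with LOCAL_UPGRADE_RUN=1.
set -e

CACHE_HOST="${CACHE_HOST:-cache.example.lan}"
CACHE_PORT="${CACHE_PORT:-3142}"
WINDOW="${WINDOW:-3600}"   # spread client upgrades over a one-hour window

# Deterministic per-host delay in [0, WINDOW): the same box always gets the
# same slot, and N boxes spread themselves out without central coordination.
jitter_seconds() {
  host="$1"; window="$2"
  sum=$(printf '%s' "$host" | cksum | cut -d' ' -f1)
  echo $((sum % window))
}

# Route this run's downloads through the local cache without touching
# sources.list; the testing box is the only one that fetches from the net.
apt_proxy_opts() {
  echo "-o Acquire::http::Proxy=http://$1:$2/"
}

main() {
  delay=$(jitter_seconds "$(hostname)" "$WINDOW")
  logger -t local-upgrade "sleeping ${delay}s, then upgrading via $CACHE_HOST"
  sleep "$delay"
  # Word-splitting of the option string is intended here.
  # shellcheck disable=SC2046
  apt-get -q $(apt_proxy_opts "$CACHE_HOST" "$CACHE_PORT") update
  apt-get -q -y $(apt_proxy_opts "$CACHE_HOST" "$CACHE_PORT") upgrade
}

# Only act when explicitly enabled, so sourcing the file for inspection is safe.
if [ "${LOCAL_UPGRADE_RUN:-0}" = "1" ]; then
  main
fi
```

Packages only reach the clients once they have been accepted into the cache from the testing box, so the cron jobs never pull anything straight from the public mirrors.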