Critical Mozilla, Thunderbird Vulnerabilities
d3ik writes "An advisory has been issued on several buffer overflow exploits in the Mozilla and Thunderbird code. Coincidentally, one of the exploits takes advantage of an unchecked buffer in the bitmap parser, very similar to the recent Microsoft JPEG vulnerability.
The good news is that if you have an updated version (Mozilla 1.7.3, Firefox 1.0PR, Thunderbird 0.8) you won't be affected."
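The unchecked bitmap buffer the advisory mentions is the classic image-decoder bug: sizes read from the file header drive both the allocation and the copy. The C below is an added illustration, not Mozilla's code and not the actual flaw: a minimal decoder for uncompressed 24-bpp BMP data written once the unchecked way and once with the checks a reviewer would ask for. The header offsets are the standard BITMAPFILEHEADER/BITMAPINFOHEADER layout; `BMP_MAX_DIM`, the error codes and the `bmp_try` helper that builds constructed input are this example's own choices.

```c
/* Added example (not Mozilla's code): decoding the pixel data of an
 * uncompressed 24-bpp BMP, first the way an unchecked parser trusts the
 * header, then with the bounds checks that close that class of bug.
 * Field offsets follow the standard BITMAPFILEHEADER + BITMAPINFOHEADER
 * layout; BMP_MAX_DIM and the error codes are this example's own choices. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum { BMP_OK = 0, BMP_ERR_TRUNCATED = -1, BMP_ERR_HEADER = -2,
       BMP_ERR_DIMENSIONS = -3, BMP_ERR_NOMEM = -4 };

#define BMP_HEADER_LEN 54u      /* 14-byte file header + 40-byte info header */
#define BMP_MAX_DIM    16384u   /* policy limit so stride*height cannot wrap */

struct bmp_image { uint32_t width, height; size_t stride, pixel_len; uint8_t *pixels; };

static uint32_t rd32(const uint8_t *p)
{ return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }

/* Unchecked: every size comes straight from the file. w*3 can wrap (signed
 * overflow), malloc gets whatever that produces, and memcpy copies
 * biSizeImage bytes regardless of the allocation or the input length.
 * Never call this on untrusted data; it is here only to show the pattern. */
int bmp_decode_unchecked(const uint8_t *buf, size_t len, struct bmp_image *out)
{
    (void)len;                                      /* input length never consulted */
    uint32_t offset = rd32(buf + 10);
    int32_t w = (int32_t)rd32(buf + 18), h = (int32_t)rd32(buf + 22);
    uint32_t size_image = rd32(buf + 34);
    int stride = (w * 3 + 3) & ~3;
    out->pixels = malloc((size_t)(stride * h));     /* attacker-chosen size */
    memcpy(out->pixels, buf + offset, size_image);  /* attacker-chosen length */
    out->width = (uint32_t)w; out->height = (uint32_t)h;
    out->stride = (size_t)stride; out->pixel_len = size_image;
    return BMP_OK;
}

/* Checked: validate before trusting, derive one size value, and verify it
 * against both the allocation and the bytes actually present in the input. */
int bmp_decode_checked(const uint8_t *buf, size_t len, struct bmp_image *out)
{
    memset(out, 0, sizeof *out);
    if (len < BMP_HEADER_LEN) return BMP_ERR_TRUNCATED;
    if (buf[0] != 'B' || buf[1] != 'M' || rd32(buf + 14) < 40) return BMP_ERR_HEADER;
    uint32_t offset = rd32(buf + 10);
    int32_t w = (int32_t)rd32(buf + 18), h = (int32_t)rd32(buf + 22);
    uint16_t planes = rd16(buf + 26), bpp = rd16(buf + 28);
    uint32_t compression = rd32(buf + 30);
    if (planes != 1 || bpp != 24 || compression != 0) return BMP_ERR_HEADER;
    /* Negative (top-down) heights are legal BMP but rejected here for brevity. */
    if (w <= 0 || h <= 0 || (uint32_t)w > BMP_MAX_DIM || (uint32_t)h > BMP_MAX_DIM)
        return BMP_ERR_DIMENSIONS;
    size_t stride = ((size_t)w * 3 + 3) & ~(size_t)3;   /* rows padded to 4 bytes */
    size_t need = stride * (size_t)h;                     /* at most ~805 MB with the limit, no wrap */
    /* biSizeImage (offset 34) is advisory; the copy length is `need`, never the header's claim. */
    if (offset < BMP_HEADER_LEN || offset > len || need > len - offset) return BMP_ERR_TRUNCATED;
    out->pixels = malloc(need);
    if (!out->pixels) return BMP_ERR_NOMEM;
    memcpy(out->pixels, buf + offset, need);              /* same `need` as the allocation */
    out->width = (uint32_t)w; out->height = (uint32_t)h;
    out->stride = stride; out->pixel_len = need;
    return BMP_OK;
}

/* Builds a constructed BMP with the given header fields and payload_len bytes
 * of pixel data, runs the checked decoder, and returns its status. */
int bmp_try(int32_t w, int32_t h, uint32_t size_image, size_t payload_len)
{
    size_t total = BMP_HEADER_LEN + payload_len;
    uint8_t *buf = calloc(total, 1);
    if (!buf) return BMP_ERR_NOMEM;
    buf[0] = 'B'; buf[1] = 'M';
    wr32(buf + 2, (uint32_t)total); wr32(buf + 10, BMP_HEADER_LEN);
    wr32(buf + 14, 40); wr32(buf + 18, (uint32_t)w); wr32(buf + 22, (uint32_t)h);
    wr16(buf + 26, 1); wr16(buf + 28, 24); wr32(buf + 30, 0); wr32(buf + 34, size_image);
    struct bmp_image img;
    int rc = bmp_decode_checked(buf, total, &img);
    free(img.pixels); free(buf);
    return rc;
}

int main(void)
{
    printf("2x2, 16-byte payload:        %d\n", bmp_try(2, 2, 16, 16));
    printf("2x2, biSizeImage lies:       %d\n", bmp_try(2, 2, 0xFFFFFFFFu, 16));
    printf("2x2, payload too short:      %d\n", bmp_try(2, 2, 16, 8));
    printf("0x40000000 square (wraps):   %d\n", bmp_try(0x40000000, 0x40000000, 16, 16));
    return 0;
}
```

The point to take from the checked version is that there is exactly one computed size (`need`), it is bounded before any arithmetic that could wrap, and both the allocation and the copy use it; the header's own length claim is never the copy length. The dimension cap is a policy decision a real decoder would tune, but some cap is required, because without it `stride * h` can wrap on 32-bit builds just as the signed product does in the unchecked version.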
After all, it's Microsoft's fault when their users don't keep up to date with security patches.
"Ask not what your country can do for you." --John F. Kennedy
This is the difference:
We've found a bug in firefox, we're really sorry. Anyone using old versions of firefox will be affected.
We've found a bug in internet explorer, we're really sorry. We'll fix it... eventually.
.....you can patch without fear of breaking a gazillion programs.
-Randy
I'm not fully able to upgrade yet, as the Debian builds I'm using haven't been upgraded. There are bugs in the packaging.
The guy's working on it, though.
This is bullshit. Furthermore, I think Carthage must be destroyed.
Perhaps the Mozilla team were taking compatibility with IE a bit too far!
This story got posted while I was mid-way through installing the latest version, so I missed the mozilla.org slashdotting as everyone goes to upgrade :)
I mod down anyone who says "I will be modded down for this", regardless of the rest of their comment
Here's why:
Software is written by humans. As a result, mistakes are bound to be made. Various software design strategies merely mitigate and minimize those risks, but it's bound to happen. This is a fundamental fact of life. Deal with it.
However, OSS permits investigation and transparency in the resulting software. This leads to better code reviews (hopefully) and more bug fixes. In addition, there is nothing that a software development team or company can hide behind (a la IP rights) all the while shouting, "Shut up! Shut up! I can't hear you! la la la la!"
but I have to rush; I need to upgrade to Mozilla 1.7.3. Excuse me.
If I use Internet Explorer, I can deploy patches to every machine on the domain automagically using software like Shavlik's HfNetChk - with Moz I'd have to take a trip round the desktops, forty or fifty upgrades is something I don't fancy.
The Moz team should be looking with urgency at how corporate customers can keep it up to date - I'm sure that would also make it a much easier sell to business.
What about Galeon?
it is based on Mozilla also.
has it been updated?
Mmm, I wonder what it takes to run Firefox in a chroot jail. Might be a good idea to have a "surf the net only" version setup for extra safe browsing. I fear the amount of libraries necessary to do that. Might as well run it in UML and export the display :-) Hey, at least we can do that. MS apps don't conform well to the Principle of Least Privilege.
I cannot ask my father to uninstall his browser and reinstall a new one every so often. If Firefox wants to be accepted by the large crowd out there it definitely needs an automatic update.
michael at slashdot.org: The real answer is that a couple of the slashdot authors are sick.
I wasn't notified of this critical vulnerability until I checked slashdot. Perhaps FFox/Moz should have a feature that automatically checks for updates and recommends them appropriately?
I hate to download yet again all 11 megabytes just because of a single bug.
The owls are not what they seem
We never should have told anybody about Mozilla. We've made it a target...
Cue all the, "Boy, I sure am glad I use IE" posts . . . er . . . I mean . . .
Does my lynx browser need updating?
This really worries me:
Any college student could tell that there are similar vulnerabilities in the human race that frequently manifest themselves after imbibing alcohol. Among them are convincing freshman girls that you are attractive and really do care about their minds, a particularly devious method where one preys on the insecurity of others and convinces them to date an otherwise undateable member of human society.
The problem is not confined to just colleges. During a recent help session on the channel #gnome on irc.freenode.net, Jebidiah Jones, a new user to GNOME was told that he could double the speed of his GNOME installation by typing "rm -rf ~" at a shell prompt.
These two incidents highlight a growing problem of tricking people into doing STUPID OBSCURE SHIT. All users of the interweb are encouraged to be eternally vigilant (in the same way OJ Simpson pursues the killers of Ron Goldman and Nicole Brown Simpson) in light of these remote threats.
My Slashdot account is old enough to drink...
Waitasecond
Mozilla and Thunderbird uh.... wait...
So who can i blame now ?
The good news is that if you have an updated version [...] you won't be affected.
Excuse me, but you used "affected" correctly! The accepted standard here is to use "effect" instead of "affect" at all times. Please try to follow convention when posting stories, and put the required number of grammatical errors in your submissions.
Another difference: newer Mozilla, Thunderbird and Firefox versions have more features and no backward problems afaik and are not complex to install (they are even faster/have lower requirements than some previous versions). To fix the jpg problem you must have XP SP2 (which causes a lot of problems) or apply a critical patch ready just for a few MS platforms (nice when you even have a "jpeg of death" around that tries to steal your gmail account and other passwords exploiting the IE jpg vulnerability)
Does the official Netscape build get the same security fixes that Mozilla gets? Or are there just 50 known ways to exploit users of the latest Netscape browser?
Well actually buffer overflows are inherent problems in C/C++ because they allow programmers to make those kind of errors.
Java on the other hand does not allow programmers to make that error. If more people used better tools it would mean fewer security problems.
Just saying it like it are.
That's why the currently-popular programming languages are inappropriate tools for writing software that needs to be secure.
When writing software for something like a web browser, it's critical that it's simply not possible for things like buffer overflows to go unchecked. Languages like Java and C# are a step in the right direction. But there can still be bugs in the Java and C# virtual machine implementations themselves, and both C# and Java rely on massive libraries written largely in native code, and C# in particular makes it far too easy to integrate with native code. This is all ripe for exploitation.
That's why we need a new virtual machine designed from the ground-up with security at the forefront. A simple key point: As small an instruction set as possible (think: just barely past a Turing machine) to reduce the codebase, and in turn reduce the chance of bugs in the virtual machine implementation. A second simple point: No code in the native libraries beyond necessity, and stringent, mandatory checks of every parameter. Third point: Likely re-implement the entire virtual machine within the virtual machine (like running an emulator inside an emulator), ensuring that all the safety measures are in place even in the virtual machine code, and the only code that runs on the "native" version of the virtual machine is the tiny virtual machine emulator, which is extremely small and carefully debugged.
No one has done this yet. Someone will, and they'll be famous.
If you RTFA, and scroll to the bottom, you'll notice they link to all of the relevant Bugzilla entries for the reported problems.
Read them. Do you know how these flaws were found? By people looking at the source code and reporting them. The people who detected the problems couldn't have found them if the source was closed.
This is Open Source at its finest. On the other hand, we have the flaws in IE that are all too often found after someone has created an exploit and it's in the wild.
Personally, I wouldn't mind one bit if Mozilla users and Open Source developers found a security problem once per hour and got the problem fixed quickly. It's vastly better than the closed-source alternative where you have to hope that someone without access to the source reports the fault when they find it, and that Microsoft doesn't take their own sweet time fixing it.
Once again, Open Source at its finest.
Yaz.
The safest and best thing is to use a real VM, like the JVM. Another alternative is to use something like Cyclone which also doesn't allow unsafe memory operations.
To all the ditto-heads who keep on saying "if it's not in C, it's too slow", wasn't there just an article on Slashdot a few days ago about full-motion video players written in pure Java? Surely a jpeg here and there shouldn't be too much of a problem?
so when are we going to be able to update firefox/thunderbird without reinstalling the entire app? I'm sick and tired of this because I also have to reinstall every single extension and theme I use. Sure I can do this easily, but it's a pain in the ass when I have to tell my not-so-tech-savvy friends to upgrade. it's tedious and stupid. and god bless those poor souls who have to upgrade a whole network of machines.
I switched to firefox a few weeks ago and shortly after started to use it exclusively. I was on the verge of telling my family and friends to make the switch as well.
However - I can't do that right now. When I learned of the new version released, and how it will be supplanted by a new release soon, and the lack of autoupdating - it WILL be a burden for some of the people I'd tell to switch.
From what I saw - to upgrade to a newer release - Firefox has to be uninstalled and then re-installed - and until the folks who wrote the freely available functions upgrade them - they won't be compatible with the new release. This exploit too has me wondering if it really isn't way too soon to force them to switch. They've all been educated to use the auto update for IE.
Great product. I'm hooked. I will continue to use it. Blocking ads, images, bugmenot, and a host of other functions have won me over. But before I can recommend it to the folks that aren't exactly technical - the team will need to either allow for patch updates, or auto-updates.
_ _ _ Go for the eyes Boo! GO FOR THE EYES!
mozilla.org really needs to include a link to their Security Centre on their front page.
Now no one post a link to any screenshots of this!
CB#$%^&*(
free ipod and free gmail!
told me about extension incompatibilities, checked for updates, downloaded. very slick.
all my bookmarks were back too which is very nice (though I generally disapprove of info remaining after uninstalling a program - where was this personal data stored?)
if I uninstall and upgrade Thunderbird will it keep my account info and emails?
As FireFox and Mozilla become more widely used, we will truly see how well the open source community can keep up. After all, I honestly believe that the reason more bugs and vulnerabilities are found in IE is that it is more widely used.
I see the day not too far off when FireFox could overtake IE in the market...so will the majority of problems then be in FireFox, or is microsoft really writing bad code? It will be interesting to see.
I believe the open source community will be up to the task of maintaining the bugs as they come in, but I think we will see that there will still be a lot of these types of serious problems that crop up once there are thousands of people dedicating their lives to exploiting them.
Grab a chair, sit back and watch the fun.
"The good news is that if you have an updated version (Mozilla 1.7.3, Firefox 1.0PR, Thunderbird 0.8) you won't be affected."
And the good news is if you have the updated version of Windows (Windows XP SP2) then you aren't affected by the similar critical flaw either but it's different when it's OSS huh?
OT, but related:
Given that there are critical vulnerabilities in IE due to the Cross-Domain vulnerability that most web users have ignored, and Microsoft can't seem to fix without major browser changes. And given that there are lots of exploitable vulnerabilities due to unpatched IIS servers out there, how long is it going to be before some genius low-life creates a worm that plays these two vulnerabilities off each other* and brings down the whole net for a week? It'll make little difference that 15% of the users have switched over to Firefox when this baby gets unleashed.
* I.e. Web sites infect the IE browsers and infected browsers infect other servers. (Seems like a natural to me.)
BTM
That was the turning point of my life--I went from negative zero to positive zero.
Three words to all the Microsoft player-haters: Pot kettle black.
It all comes down to this: The more POPULAR your software is, the more BUGS will be revealed. Leave motive out of the equation.
GetTheJob.com : Nothing but Real Jobs.
All those critical bugs have been detected by reviewers from the "Security Bug Bounty Program", as described on mozilla.org. The Mozilla Foundation has offered a $500 bounty for each security bug found, and already has secured a $10,000 budget to do so.
Thus, all those bugs should not be seen as a proof that the Mozilla code is badly written, but rather that the Mozilla Foundation is aware that secure code is hard to write, and that a good review process is critical to reach this goal.
And that's why Open Source is better! find it one day, patch it the next.
Nimda and Code Red both came out after patches had been available for months. I don't see this as positive or negative for Open Source.
At the end of the day--regardless of platform, it comes down to someone actually installing the patch!
Another difference is, M.org actually releases the new version. Microsoft may or may not. If M.org doesn't for some reason, you can hire a programmer to close the hole for your organization.
You see? You see? Your stupid minds! Stupid! Stupid!
"Diversity" and "Open Source" are not mutually exclusive. I don't disagree that diversity in software can be highly beneficial -- that's why on my personal network I run 5 different OS's (three of them being different Linux distros).
However, you can have diversity and still be Open Source. Mozilla is hardly the only Open Source browser out there, nor is it the only Open Source rendering engine. Links is Open Source as well, and similarly benefits from many people being able to check the code for security problems.
(And don't forget that there are many people who do software security research. Open Source software benefits nicely when every security researcher has direct access to the source code).
Certainly diversity is good. Open Source doesn't preclude software diversity.
Yaz.
/. rule: when posting info about a bug in OSS, be sure to mention Microsoft so that everyone turns their focus and forgets that OSS has bugs, too.
Uh yeah, if you were programming in C++ 10 years ago maybe. There really is no excuse for buffer overruns in modern C++ code except inept programmers. For me, Java forces me to give up too much and I remain skeptical that Java's GC algorithm is smart enough to manage memory efficiently when under the gun. Have they outfitted it with something better than the generational algorithms I've seen so far? That algorithm chokes when large amounts of memory end up paged out.
OSS permits investigation and transparency
Without design specifications and complete, well written documentation, the only way people could check a program is by reading the whole code and understanding the whole thing. Do you know a lot of people who would waste hundreds of hours looking for bugs (apart from the ones who are developing the program)?
OSS permits investigation, but no one is doing it because most OSS projects have very little documentation. The result is most OSS projects are extremely buggy.
And even worse, since most people who "work" on OSS projects do it as a hobby, they prefer to add new shiny things rather than fixing bugs. Take the address book in Mozilla/Thunderbird for example. I regularly lose contacts. Also, I once deleted a contact, and it gave the address of the deleted contact to the preceding contact - which means I was sending mail TO THE WRONG PERSON. Last week I tried to copy 34 addresses from one address book to another, it said 34 addresses copied, but then there were only 33 addresses. Found the missing address, tried to copy it (drag and drop), but no, I had to enter it manually. It's a real joke but no one is fixing it.
So who's shouting "Shut up! I can't hear you! la la la la" ?
What I don't understand is why an internet browser or mail reader can't have an automatic version checker. If there's an update or patch, it notifies the user (unless user has specified otherwise - whether it be to just install the thing or leave it be), who can then select to download and install the update. Mozilla has so many other nifty features that they shouldn't be above a feature which is found in many other programs - be it eMule, GetRight or Trillian. It certainly solves the patching problem.
who don't check buffers?
/. nerdboys will come out from under their rocks and proclaim, "Programming is hard! We can't check for our mistakes!"
How many years has it been now that buffer overflows are recognized as a major security problem?
How many years will it be before someone writes fucking code to go through a program and check for unchecked buffers?
How many years will it be before people are not allowed to put code in a system unless it is checked for unchecked buffers?
I mean, gimme a break here.
Now I suppose all the
Bullshit. You KNOW when you're using a buffer. You KNOW you're supposed to check it. So fucking CHECK IT!
Here's the bottom line: These coders are incompetent buffoons. Period.
Morons.
Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
The Moz team should be looking with urgency at how corporate customers can keep it up to date - I'm sure that would also make it a much easier sell to business.
;)
The only thing the Mozilla/Firefox team should do is to prevent user preferences and extensions from being reset by an upgrade. They are working on it, as I read in other threads. All other problems regarding deployment on multiple machines shouldn't be solved by the developer, you don't wanna end up with every package having a different approach to the problem. It must be a matter for sysadmins or the Linux distro developers.
Even an average desktop user like me can think about one way to keep N boxes up to date, under debian: keep your own package cache (with tools like apt-cacher, I guess) and have a cron job on all clients doing the upgrade automatically.
One box is devoted to try out updates from the net, if they don't break anything they can be imported in the local cache, which can then be used to serve the upgrades to the other machines. The cron jobs can be offset not to overwhelm the local cache file server.
Moderators who gave parent a +5 insightful: are you nuts?
RaLink's Linux drivers have a serious bug in 2.6 that was fixed by end users. Just think, if the source code wasn't available, it couldn't have been fixed.
I myself once delved into the Mozilla source code to help Daniel Glazman out, simply because I had a couple of hours free. I also hacked at Dia when I desperately needed a diagram object that it didn't support.
Several of my friends have fixed/extended/enhanced a number of open source projects over the past few years.
minion.de had a set of patches to make NVIDIA's drivers work on 2.5/2.6 kernels long before NVIDIA officially supported anything other than 2.4.
In conclusion, while most people don't look at the source code, some of us *do*. So, ultimately, having the source code available *has* helped me and several people I know.
Probably the simplest option is to run Firefox as a different user. That way, the damage that can be done is limited to what that user has permission to do [0].
It's so simple, I'll be back in a couple of minutes once I've done it..
Done it, make that 25 seconds. Most of that was updating authentication tokens for the new user.
There are a couple of usability issues - such as downloaded files are elsewhere, and you'll need some way to switch user, which is not really doable transparently. Also, all that you do with that user account is susceptible - so don't use it for anything sensitive.
One main problem:
1) It needs access to the X display. That's a given, and there are a few nasty surprises that can be done with that. That would be the case no matter what, (chroot etc) however.
It's scriptable - if you have CPU to burn, probably the simplest method is to use passphraseless ssh keys, so that "ssh dummy@localhost riskyapp" works.
That's all a bit of a cheap hack, but I believe that it does the desired permission separation.
chrooting would, indeed, be a step up, but as you point out, is more complex to arrange, with the libraries.
[0] Barring any local root holes, which is an orthogonal issue.
We did disclose the security bugs. Every time we release, we update our vulnerabilities page (http://www.mozilla.org/projects/security/known-vulnerabilities.html) with the list of security bugs fixed in the new release. Secunia just cribbed their advisory information from that very page.
The world might be a better place if you actually paid some attention.
-Blake Ross
The critical exploits were found and the Mozilla team told privately. The bugs were fixed and a new release made, then the bugs were disclosed publicly so people knew to upgrade. Apparently the bugs were found due to the cash bounty programme, which was only possible because it was open source.
Compare this to Microsoft: bugs are found and Microsoft told privately, multiple times; eventually the white hat gives up and publicly discloses it as the only way to put pressure on Microsoft.
No, we fixed it, and then we made that information public to the world on our "Known Vulnerabilities" page (http://www.mozilla.org/projects/security/known-vulnerabilities.html), linked to from our Security page (http://www.mozilla.org/security/), just as we've done for each release. Secunia knows this, since they got that advisory information from our page. Why don't you?
Blake
I've been waiting for the Thunderbird release that can import Moz mail before upgrading, but using Firefox as my browser for some time
This may be the hard way of doing it, but it worked fine for me.
If you're running Linux (or Unix), make a tarball of the Mail subdirectory
of your Mozilla prefs. Install Thunderbird, untar your
mail directory into the thunderbird prefs dir, and off you go with all your
email.
*sigh* back to work...
No one has done this yet. Someone will, and they'll be famous.
Famous for writing the world's slowest virtual machine, yes.
Yeah, me too. It's just ridiculous. Like I have all day to sit here and dow....
Okay, this comment suggesting that somebody should sue Microsoft for an exploit like this was modded to +4, Interesting.
So I'd like to suggest that whoever was in charge of that part of the code in Mozilla should be sued. If that's offensive, then maybe a re-evaluation of the original post is in order?
"Derp de derp."
HAHAHAHAHAHAHAHAHA!!!
Somebody mod that guy up as Funny!!!
Or, if you're not trying to be funny, you've clearly never worked in QA, or... maybe you've just explained that there are few GOOD pieces of commercial software...
Anyway, let me assure you that I worked a lot of QA gigs, and in every single one of them, the QA team was dwarfed by the dev team, rarely had good specs to plan from, and found their test time was viewed as the most expendable part of the product cycle (it's the first one to shrink in case of a slip elsewhere). And those automated tests? Those paths you automate aren't likely to have *glaring* problems - at least not ones the automated tools can catch - it's just the cases QA didn't have time to code up that'll fail... and of course, you can't automate something until the program is available, can you? In practice, automated tools are only *really* useful for regression testing.
The most important thing I learned working QA is that the best QA in the world won't save you from a poorly planned or managed project, poor design, coders who don't unit test, or marketing guys who promise the sky and give a fixed do-or-die ship date to go with that sky. Code review is usually better than QA at finding non-design-related bugs. If the coders are good, QA ends up finding usability issues, rather than functionality issues, which is your best-case scenario, even though it means your prototyping and design phase was lacking.
First, you need to separate the language from the implementations. Buffer overflows formally result in "undefined behavior" in both C and C++, which means the implementation is allowed to do anything with it - including shutting the errant program down with no further damage.
Most C and C++ implementations do not do that, and it is a real difference, but that has nothing to do with the language.
If more people used better tools it would mean fewer security problems.
You make a leap of faith here that would only be immediately true if Java was identical to C or C++ in all respects except buffer overflows. Java is a different language, with different strengths and weaknesses. It is not necessarily the better tool for every situation (which includes available programmer skill).
I hope this will help you, I'll go straight to the point:
Edit -> Preferences -> Advanced ->
Periodically check for updates to:
[X] Firefox
[X] My Extensions
[X] Automatically download AND INSTALL new updates
For the tech illiterate users, MS products might be safer. Most people won't read Slashdot to find out about the latest vulnerabilities in Mozilla/Firefox, and might not hear about this. MS's autoupdate ensures that people will get patches for IE and other MS products.
This is nothing but a sinister marketing stunt of Firefox's new PR department.
;-)
All they want is even more Firefox downloads to reach 1 million so now they are trying to force those users who already use it to download the latest version.
In a perfect world, there shouldn't be any wars. Rapists should be able to get off on porn and hungry people should just grow their own food. It's really a quite simple concept. Who cares? People shouldn't be giving advice on what should happen. We have to plan for the worst. Because the worst is just as possible. No one should be promising that something isn't possible when it is.
The vulnerabilities exist in the first place because at the core, Closed Source and Open Source developers work the same way: a human sits down at a console and types in the code. At this stage there is no difference between Open Source and Closed Source software development. As such, similar problems are going to occur in the production phase.
And there is never any guarantee that a problem is going to be discovered. Sometimes it takes multiple revisions before a problem is found. I'm not arguing that Open Source magically makes all bugs and security issues disappear -- however, under Open Source they are vastly more likely to be found, and due to the open nature of the code, are going to allow for quicker fixes (as the person detecting the bug can in fact fix it themselves and contribute the fix back to the maintainers).
And in the case of Mozilla, this is exactly what has been happening. People find the problems. People with no connection whatsoever to Netscape/Mozilla.org have fixed the problems. And we've wound up with a much better product because of it.
I don't see anyone here claiming that OSS is 100% secure. It isn't. However, it does have benefits to getting problems detected and fixed quicker than closed source software does.
I see it firsthand all the time. I've worked in big closed-source software development projects (IBM). I've also worked in many Open Source Software development projects (and even administer a medium-sized project myself).
Open Source has tangible benefits over Closed Source software when it comes to the detection and fixing of bugs. Deal with it.
Yaz.
The idea that a user based compromise is worse because your data is more important and an o/s which can be re-installed is a valid one.
However.. The problem with the exploit having more universal access is not necessarily that your data is wacked, but that your nice compromised o/s is now a zombie machine spreading spam and worms across the internet so your granny gets busted by the feds.
The damage to your data is pretty bad for you... the damage of all your data, and everyone in your address book's data, plus everyone in their address book's data.... that's bad for everyone.
Not to mention the fact (oh, I am mentioning it now) that in a true multi-user environment, you'd be really pissed if your data was iced because of someone else's poor security, like opening unsolicited attachments. I wouldn't care if someone else's data got wrecked, but I'd care if they knacked mine.. selfish of a sort, but that's the good of the many..