Slashdot Mirror


Critical Mozilla, Thunderbird Vulnerabilities

d3ik writes "An advisory has been issued on several buffer overflow exploits in the Mozilla and Thunderbird code. Coincidentally, one of the exploits takes advantage of an unchecked buffer in the bitmap parser, very similar to the recent Microsoft JPEG vulnerability. The good news is that if you have an updated version (Mozilla 1.7.3, Firefox 1.0PR, Thunderbird 0.8) you won't be affected."

26 of 596 comments

  1. So will it be Mozilla's fault... by goldspider · · Score: 5, Insightful
    ...when people don't upgrade to versions that aren't vulnerable?

    After all, it's Microsoft's fault when their users don't keep up to date with security patches.

    --
    "Ask not what your country can do for you." --John F. Kennedy
    1. Re:So will it be Mozilla's fault... by duffbeer703 · · Score: 5, Funny

      No, it will still be Microsoft's fault.

      --
      Conformity is the jailer of freedom and enemy of growth. -JFK
    2. Re:So will it be Mozilla's fault... by Nos. · · Score: 5, Insightful

      That's right... of course a lot of us Geeks are also at fault since a good number of us have told friends, families, even clients that "no, you can't get a virus from a picture".

    3. Re:So will it be Mozilla's fault... by dj42 · · Score: 5, Insightful

      If you don't go get your gas tank valve fixed in an official manufacturer recall from your car company, and your car blows up, whose fault is it?

      --
      We are one consciousness experiencing itself subjectively. Back to you with the weather, Bob!
    4. Re:So will it be Mozilla's fault... by DogDude · · Score: 5, Insightful

      So will it be Mozilla's fault... when people don't upgrade to versions that aren't vulnerable?

      No. Then it'll be the stupid user's fault. Only MS is at fault for not actively coming to each user's house and business and physically installing the update for them, even though MS's Automatic Update feature works great. Even though Firefox/Thunderbird/SunBird's manual "check for updates" feature doesn't even work, it's definitely the *stupid* user's problem when it comes to any non-MS program.

      --
      I don't respond to AC's.
    5. Re:So will it be Mozilla's fault... by Jerph · · Score: 5, Informative

      This is generally fixed in 1.0PR - you can safely upgrade over a previous installation, and extensions are updated when possible. They even made it easier for extension writers to simply update the compatibility number for their extensions without requiring you to download again.

    6. Re:So will it be Mozilla's fault... by Chess_the_cat · · Score: 5, Funny

      Microsoft's?

      --
      Support the First Amendment. Read at -1
    7. Re:So will it be Mozilla's fault... by Anonymous Coward · · Score: 5, Funny

      Dear Humpty,

      But Mozilla and Firefox are so much better than IE! Isn't that what you fuckers claim every time there's an IE vulnerability?

      So now that the tables are turned little baby Firefox/Moz is just a beta so it doesn't matter.

      Stay on the fence or fall the fuck off.

      Sincerely,

      Kings Men.

    8. Re:So will it be Mozilla's fault... by Anonymous Coward · · Score: 5, Insightful

      Not true. I installed Firefox 1.0PR, and my Qute theme stopped working. I installed Firefox 0.93 and my search bar stopped working. After 0.92, I couldn't uninstall any of my old extensions.

      Mozilla has the same problems as Microsoft as far as breaking things. The reason you notice it more in Microsoft's code is that they write things like operating systems, which tens of thousands of different applications run on top of. Only a handful of things run on top of your web browser.

    9. Re:So will it be Mozilla's fault... by Junior+J.+Junior+III · · Score: 5, Funny

      MS saw security geeks making this claim and their head of development saw this as a clear challenge. 2GB of binary code later, Windows XP proved at last that the impossible could be achieved, despite naysaying open-source geeks: .jpg can be an exploit vector!

      --
      You see? You see? Your stupid minds! Stupid! Stupid!
    10. Re:So will it be Mozilla's fault... by CTho9305 · · Score: 5, Insightful

      That's a really pathetic excuse - Mozilla is at 1.7.x (1.8 for trunk development), and the bugs are shared. Justifying holes with "oh, we haven't reached 1.0 yet" will just come back to bite you when 1.0 is released and more holes are discovered. Heck, Netscape is at version 7.2 and it is likely to share these holes.

      Justify them as "we try hard to find them and fix them quickly", but not "they'll go away when we reach 1.0".

    11. Re:So will it be Mozilla's fault... by twofidyKidd · · Score: 5, Funny

      He was referring to MS's history of throwing your mother's vase against the wall, cutting the brake lines on your car, and kicking your dog.

      To my knowledge, Mozilla has never done that.

      --


      Hades, PoD: Official Advocate
    12. Re:So will it be Mozilla's fault... by mschiller · · Score: 5, Informative

      Well it shouldn't be possible to be infected with a virus from a picture... Because Data Memory should never EVER be able to be executed without specific privilege elevation [yeah, maybe root can do this, or perhaps only the deepest dark section of the kernel].

      1) Software designers should be more careful when using buffers, so that overruns don't occur. Is it really that hard to keep a counter around to make sure you don't overrun? I guess developers want their code to run fast, and I suppose it doesn't help that C offers absolutely no protection from such problems. [Pascal and other strongly typed languages sure help in this regard; it's a lot harder to make this type of mistake.]

      2) OS designers should do more thorough checking to make sure data pages are never executed. [And a data write can't write into an application memory page!] While it SHOULD be caught above, the OS should be looking out for requests to write into pages not assigned as data for a particular application.

      3) Hardware designers should implement features to optimize #1 and #2. [E.g. no-execute flags, Harvard Architecture, etc. I can easily see an architecture that looks like a Harvard in normal mode and then turns into our traditional von Neumann architecture in privileged mode.]

      It's really quite a simple concept to have a no-execute flag associated with a memory page that can only be changed in privileged mode. And such coding techniques should work fine for day-to-day computer use [self-modifying code could be a problem, etc.].
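
Added example (not part of the thread, and not Mozilla's code): the "keep a counter" check from point 1 of the comment above, applied to a decoder that expands image data into a fixed-size row. The run-length format, the function names and the sample rows are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed, simplified run-length format (an assumption, not the
 * real bitmap parser): the input is a sequence of (count, value) byte
 * pairs; each pair expands to `count` copies of `value` in the row. */
enum rle_status { RLE_OK = 0, RLE_TRUNCATED = -1, RLE_OVERRUN = -2 };

/* Decode `in` into `out`, never writing past out[out_cap - 1].
 * On success, stores the number of bytes produced in *produced. */
int rle_decode_checked(const uint8_t *in, size_t in_len,
                       uint8_t *out, size_t out_cap, size_t *produced)
{
    size_t used = 0;                 /* the counter the comment asks for */

    if (in_len % 2 != 0)
        return RLE_TRUNCATED;        /* dangling count with no value byte */

    for (size_t i = 0; i < in_len; i += 2) {
        size_t count = in[i];
        uint8_t value = in[i + 1];

        /* Compare against the space left rather than used + count,
         * so the check itself cannot wrap around. */
        if (count > out_cap - used)
            return RLE_OVERRUN;      /* file claims more pixels than fit */

        memset(out + used, value, count);
        used += count;
    }
    *produced = used;
    return RLE_OK;
}

/* Constructed sample inputs for an 8-byte row. */
static const uint8_t good_row[] = { 3, 0xAA, 5, 0xBB };    /* 3 + 5 = 8   */
static const uint8_t evil_row[] = { 3, 0xAA, 200, 0xCC };  /* 3 + 200 > 8 */

/* Decode one sample into a local 8-byte row and report the status. */
int demo(const uint8_t *in, size_t in_len, size_t *produced)
{
    uint8_t row[8];
    return rle_decode_checked(in, in_len, row, sizeof row, produced);
}
```

The oversized run in `evil_row` is rejected before any of its bytes are written; an unchecked decoder would have passed the attacker-chosen count straight to `memset`.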

    13. Re:So will it be Mozilla's fault... by TheDormouse · · Score: 5, Informative

      Why is this so hard for people:

      Upgrade Firefox.
      Your extensions will get disabled because they have a MaxVersion lower than the Firefox version.
      Let it happen. DON'T FREAK OUT.

      Go to the extension manager.
      Right click all the disabled extensions and select Enable.
      Restart Firefox.

      Woo hoo. Barring any changes in the code that genuinely make your old extensions incompatible, your world keeps on turning.

    14. Re:So will it be Mozilla's fault... by brokenwndw · · Score: 5, Informative

      There's a new workaround for this here (no direct link allowed, sorry, you're stuck with copy paste):

      http://bugzilla.mozilla.org/show_bug.cgi?id=258679

      The summary: put this in your userChrome.css.

      /* Make the Search box flex wider */
      #search-container {
        -moz-box-flex: 200 !important;
      }

      #searchbar {
        -moz-box-flex: 200 !important;
      }

      Hope this works for you!

    15. Re:So will it be Mozilla's fault... by tonyr60 · · Score: 5, Insightful

      "1) Software designers should be more careful when using buffers"
      "2) OS designers should do more thorough checking to make sure data pages are never executed"

      Great idea. Now minor problem, how do you make sure your software and OS designers are 100% competent, never have a bad day, never arrive with a hangover, never have a bitter argument with spouse/partner?

      I see no evidence that this is possible with the current crop of earth's inhabitants.

  2. The beauty of a non-integrated browser........ by ARRRLovin · · Score: 5, Insightful

    .....you can patch without fear of breaking a gazillion programs.

    --
    -Randy
  3. Auto update anyone? by Arthur+Dent+75 · · Score: 5, Insightful
    So when will Firefox get an option to perform automatic updates like e.g. Windows Update allows?

    I cannot ask my father to uninstall his browser and reinstall a new one every so often. If Firefox wants to be accepted by the large crowd out there it definitely needs an automatic update.

    --
    michael at slashdot.org: The real answer is that a couple of the slashdot authors are sick.
  4. Update notification methods by grape+jelly · · Score: 5, Insightful

    I wasn't notified of this critical vulnerability until I checked slashdot. Perhaps FFox/Moz should have a feature that automatically checks for updates and recommends them appropriately?

  5. Here They Come by TheLetterPsy · · Score: 5, Funny

    Cue all the, "Boy, I sure am glad I use IE" posts . . . er . . . I mean . . .

  6. Question by Anonymous Coward · · Score: 5, Funny

    Does my lynx browser need updating?

  7. affect != effect by iso · · Score: 5, Funny

    The good news is that if you have an updated version [...] you won't be affected.

    Excuse me, but you used "affected" correctly! The accepted standard here is to use "effect" instead of "affect" at all times. Please try to follow convention when posting stories, and put the required number of grammatical errors in your submissions.

  8. Re:One of the reasons i love firefox by Politburo · · Score: 5, Insightful

    And here's the additional difference:

    We're going to fix this Firefox bug, and it doesn't matter if it wipes your preferences and breaks your extensions. Your loss for using beta software.

    We're going to fix this IE bug and try to make sure it doesn't break existing installs.

    I use Firefox, but haven't upgraded from 0.8. I got tired of having to reset my preferences and extensions with each update. I'll take the time to upgrade when it gets to 1.0.

  9. Re:Automated Upgrading by nate1138 · · Score: 5, Insightful

    If you use login scripts, you can just drop the patch in the script and have it install automagically. I do this all the time with our non-MS applications. Works pretty well, but if the patch doesn't have a silent mode, you will need to let your users know to expect it at login.

    --
    Where's my lobbyist? Right here.
  10. Mozilla Bug Bounty Program by romiz · · Score: 5, Insightful

    All those critical bugs have been detected by reviewers from the "Security Bug Bounty Program", as described on mozilla.org. The Mozilla Foundation has offered a $500 bounty for each security bug found, and already has secured a $10,000 budget to do so.

    Thus, all those bugs should not be seen as a proof that the Mozilla code is badly written, but rather that the Mozilla Foundation is aware that secure code is hard to write, and that a good review process is critical to reach this goal.

  11. Re:coverup by mozilla team by blakeross · · Score: 5, Informative

    We did disclose the security bugs. Every time we release, we update our vulnerabilities page (http://www.mozilla.org/projects/security/known-vulnerabilities.html) with the list of security bugs fixed in the new release. Secunia just cribbed their advisory information from that very page. The world might be a better place if you actually paid some attention. -Blake Ross