Slashdot Mirror


A Security Bug In Mozilla - The Human Perspective

xslf writes "Alex Vincent, the reporter of the data-loss security bug 259708, writes about the behind the scene process of reporting it, casting light on the problems of dealing with security related bugs reported by the community, which isn't always aware of the security implications of the bugs reported. The issues with the FLOSS process shown in this bug might get worse, once more and more people use FLOSS and add to the process, without being full fledged coders, and rely on binary releases of software." (Note, you'll have to copy and paste that link to view the bug report, or click through from the linked story.)


  1. Looking for blame in all the wrong places by thewldisntenuff · · Score: 3, Interesting

    "Well, some smarty-pants decided to repost my entire blog entry about bug 259708 as a comment on one of my entries, with an e-mail address of "fulldisclosure@netsys.com". Word for word, no changes, and no commentary either.
    This annoyed the hell out of me. On the one side, I could see this anonymous poster's point: the bug was already in the public domain when it disappeared very suddenly."

    What are you complaining about? Isn't this your fault for taking the entry down to begin with?

    I'm going to troll a bit here, but doesn't this essay/blog entry just bitch about how he feels things weren't handled in a manner to his liking? And shouldn't he be faulted for how he initially handled the bug? (Noted below-)

    "Losing data is horrendous, yes, but not as bad as losing it to someone else. That just wasn't happening here. So I decided not to ask for a security group review. That was my first mistake.

    Lesson Number One: The very instant you start to wonder if a bug might cause a security concern, stop wondering and ask the security group to review. Don't try to do the security group's job by trying to decide if it really is one or not."

    I think the bigger concern here was whether or not the bug got fixed, and once it was properly classified, it was indeed fixed. There probably could have been a faster fix for this bug, but I think most of what happened in this case can be directly faulted to him.....

    -thewldisntenuff

  2. Re:My experience reporting bugs.. by Politburo · · Score: 2, Interesting

    Not sure if anyone noticed.. but this post happens to support some of the anti-Linux talking points:

    Linux developers are lazy and/or fickle. They will work only on what they want to work on.

    "...only makes me more likely to remove myself from the CC list and forget about it."

    There is little/no money to be made from developing Open Source

    "Many of the people who fix bugs (for example, me) aren't paid."

  3. Re:3.5-year-old information disclosure and DoS by Anonymous Coward · · Score: 1, Interesting

    It is a remote-data-access opportunity: Javascript can check whether an image loads correctly, and if it loads, you can get its dimensions. This could be used to figure out paths on the remote system. For example, you could figure out where the Windows system directory on the target machine is by looking for images in typical paths. You could also look for certain installed software.

  4. Give us CHROOT! by freelunch · · Score: 4, Interesting

    Running Mozilla or Firefox in a chroot environment would greatly enhance security.

    I recently tried to get this working but didn't have much luck (haven't given up yet). There isn't much info on the web.

    I currently run Firefox under a separate user ID, which is better than the default.

    Any suggestions to get chroot working with Firefox?

  5. Re:3.5-year-old information disclosure and DoS by RWerp · · Score: 2, Interesting

    I might lose my $HOME, but not the use of my computer or applications.

    I know that you'll say "backups", but for me $HOME is the most precious part of my Linux system. I don't do backups every hour, and sometimes the loss of an hour's worth of programming/writing hurts a lot.

    --
    "Long run is a misleading guide to current affairs. In the long run we are all dead." (John Maynard Keynes)
  6. Re:3.5-year-old information disclosure and DoS by geomon · · Score: 2, Interesting

    How quickly does this descend into The Two-Step Plan for Denying All Problems With Open Source While Also Ignoring Them Because They Hurt

    It doesn't have to. You just seem to have an anger management issue that needs attention.

    I used to be a rabid Microsoft advocate in the early 80's because they were freeing computer enthusiasts from terminal-based mini-computers. I was happy as hell to run my MSDOS-based applications and was freely describing the benefits of the Microsoft-Intel platform vs. Apple due primarily to the fact that the combination of the two companies meant most folks could get a PC on their desks cheaply.

    But then the bullshit began about "no bugs" and the Microsoft denials that they were crippling their competitors software in favor of their own until finally I couldn't stand to take one more marketing turd in my software.

    As far as Microsoft is concerned, I could care less whether they run tractor-trailer rig size security holes in their software. I don't use their stuff any longer. If they had been straight up and admitted their problems, I might have stayed in the Microsoft camp.

    What it comes down to is how you treat your customer. Microsoft was paid to give me good customer service. Instead they chose to lie to me. You may think this is Microsoft vs. open source when it is actually Microsoft vs. themselves.

    --
    "Rocky Rococo, at your cervix!"
  7. or as a different user. by Anonymous Coward · · Score: 1, Interesting

    If you care for your HOME data then create a dummy user to run Mozilla and other 'unsafe' programs.
    Sudo or ssh can give you the rights to execute those programs on the dummy user account without having to give a password.

  8. Backing up every hour... by xeno-cat · · Score: 2, Interesting

    I use the following shell script to create hourly backups using rsync. It was taken from a very nice tutorial called something like "easy automated backups using rsync". Google should find it.

    Add the script to an hourly cron cycle. All the backups will take only ORIGINAL_SIZE + CHANGED_FILES_SIZE. This script does 9 backups spanning nine hours into the past. Or days, or weeks or whatever you set your cron cycle to.

    You can restore from backups simply by copying the desired file from one of the bak.n dirs. Of course, subversion or CVS will give you nice backups as well but this is pretty easy to do.

    If anyone has any suggestions for improving the script, please reply! :)

    #!/bin/bash
    # Rotating rsync snapshots: bak.0 is the newest, bak.9 the oldest.
    # Unchanged files in bak.0 are hard links into bak.1, so each extra
    # snapshot costs only the space of the files that changed.
    set -eu
    SOURCE=/home/someuser
    DEST=/some/other/dir/partition/or/system

    mkdir -p "$DEST"
    rm -rf "$DEST/bak.9"

    # Shift each snapshot up one level, skipping levels that do not exist
    # yet (the first runs would otherwise fail on the missing directories).
    for n in 8 7 6 5 4 3 2 1 0; do
        if [ -d "$DEST/bak.$n" ]; then
            mv "$DEST/bak.$n" "$DEST/bak.$((n + 1))"
        fi
    done

    # --link-dest makes rsync hard-link files identical to those in bak.1
    # instead of copying them; --delete drops files removed from $SOURCE.
    rsync -a --delete --link-dest="$DEST/bak.1" "$SOURCE" "$DEST/bak.0"

    # End script

    --
    "A few great minds are enough to endow humanity with monstrous power, but a few great hearts are not enough to make us w
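    The hard-link snapshot scheme behind the script above, as an added example that is not the poster's code: a pure-Python model of what `rsync --link-dest` does, so the ORIGINAL_SIZE + CHANGED_FILES_SIZE claim can be checked on a constructed sample tree. The `bak.n` layout follows the post; `LEVELS`, `snapshot()` and `demo()` are names I chose.

```python
import filecmp
import os
import shutil
import tempfile
from pathlib import Path
LEVELS = 9  # bak.0 is the newest snapshot, bak.9 the oldest, as in the posted script


def rotate(dest, levels=LEVELS):
    """Drop bak.<levels> and shift bak.n to bak.n+1; missing levels are skipped."""
    bak = lambda n: os.path.join(dest, f"bak.{n}")
    if os.path.isdir(bak(levels)):
        shutil.rmtree(bak(levels))
    for n in range(levels - 1, -1, -1):  # highest first so nothing is overwritten
        if os.path.isdir(bak(n)):
            os.rename(bak(n), bak(n + 1))


def snapshot(source, dest, levels=LEVELS):
    """Build dest/bak.0; files identical to bak.1 are hard-linked, others copied."""
    rotate(dest, levels)
    new, prev = os.path.join(dest, "bak.0"), os.path.join(dest, "bak.1")
    linked = copied = 0
    for root, _dirs, files in os.walk(source):
        rel = os.path.relpath(root, source)
        os.makedirs(os.path.join(new, rel), exist_ok=True)
        for name in files:
            src, old = os.path.join(root, name), os.path.join(prev, rel, name)
            if os.path.isfile(old) and filecmp.cmp(src, old, shallow=False):
                os.link(old, os.path.join(new, rel, name))  # shares bak.1's inode
                linked += 1
            else:
                shutil.copy2(src, os.path.join(new, rel, name))
                copied += 1
    return linked, copied  # (files hard-linked, files that cost new blocks)


def demo():
    tmp = Path(tempfile.mkdtemp())  # constructed sample tree, not a real $HOME
    src, dst, a = tmp / "home", tmp / "backup", tmp / "home/proj/a.txt"
    a.parent.mkdir(parents=True)
    a.write_text("v1")
    (src / "notes.txt").write_text("same")
    first = snapshot(src, dst)   # nothing to link yet: (0, 2)
    a.write_text("v2")
    second = snapshot(src, dst)  # notes.txt linked, a.txt copied: (1, 1)
    return {"first": first, "second": second,
            "shared": (dst / "bak.0/notes.txt").samefile(dst / "bak.1/notes.txt"),
            "old_a": (dst / "bak.1/proj/a.txt").read_text(),
            "new_a": (dst / "bak.0/proj/a.txt").read_text()}
```

    Because unchanged files share an inode across snapshots, deleting bak.9 frees only the blocks no newer snapshot still references, which is why the rotation stays cheap.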
  9. Re:3.5-year-old information disclosure and DoS by Osty · · Score: 2, Interesting

    Open source software exists because of Microsoft.

    Way to revise history, pal! Neither RMS nor Linus had Microsoft as a target when they developed their free software and ideas. Apache wasn't created in response to Microsoft's IIS, nor was Sendmail created because of Exchange (and Postfix, Qmail, Exim, etc were developed in response to Sendmail, not Exchange). Of all of the highly successful and visible open source projects, I can only think of two that were started with Microsoft in mind: The Mozilla project, and OpenOffice.org. In both cases, the software itself started out as a proprietary product in direct competition with Microsoft that failed in the proprietary market for one reason or another. Are there any other successful, visible projects that were designed and developed in direct response to Microsoft? Linux wasn't, nor emacs, vim, apache, sendmail, XFree, gcc, etc. I could maybe see a case made for KDE and GNOME, but they're not direct competitors (can't run KDE or GNOME on Windows).


  10. Re:3.5-year-old information disclosure and DoS by aldoman · · Score: 2, Interesting

    Sadly, this is an issue of manpower (and money, obviously).

    At the moment there just aren't enough full-time Mozilla developers. Moz Foundation just doesn't have enough cash to stump up for a few dozen full-time, good programmers.

    However, I do agree with you somewhat. I have seen too many bugs that have done the rollercoaster of being assigned to 'M18' (which is pre-1.0), then go to '1.0', '1.2', '1.4', '1.5', '1.7', then finally '1.9alpha' (which is a mile off in itself).

    I wonder how much time people spend triaging bugs compared to actually fixing them.

    Someone mentioned the XUL spoofing bug. Sadly, I wouldn't class that as a bug. It's a bit like saying a full screen flash movie that looked and acted like a windows desktop was a bug of internet explorer. I wouldn't agree with that.

    I think (sadly) that Mozilla Foundation is going to have real issues after the AOL money runs dry. Not sure if donations can keep it up. We haven't really noticed the effects because all the attention has been shifted to Firefox, which is just a rewrite of the UI, and doesn't require the sort of engineering that writing a browser core does.

    I'm going to be very interested to see if the foundation can fully implement a brand new, complex standard. I don't think they'll be able to with their current money situation, which sucks :(.

  11. Re:IAAPST (I am a professional software tester) by jesser · · Score: 4, Interesting

    Allowing votes might encourage "advocating" bugs, but at least the noise is in forums and in vote counts, not in bug comments. And since I seem to be the only person working on Firefox who looks at vote counts, noise in vote counts isn't a big deal. (I use vote counts to speed up searches for common/popular bugs, and sometimes to decide what to work on.)

    --
    The shareholder is always right.
  12. Re:3.5-year-old information disclosure and DoS by geomon · · Score: 2, Interesting

    The vast majority of people involved in free software do it because they like doing cool stuff, they like writing software, and they like doing it as part of a community which appreciates what they do and gives them free rein to play and contribute.

    Just as I said: personal interest.

    Why do people use open source software?

    Because they are tired of the other stuff they've been using.

    No matter how many times I write that statement, someone will fire back that I just don't understand why people write open source software.

    --
    "Rocky Rococo, at your cervix!"
  13. Re:My experience reporting bugs.. by dvdeug · · Score: 2, Interesting

    Spamming a bug with comments like "why isn't this fixed?", "this bug still annoys me", "don't wontfix this bug" and "this bug is really old and annoying, you guys suck and don't care" doesn't help fix the bug

    On the flip side, each program has its own bug tracking system, with its own specialized demands for information that I have to hunt up and assemble in its own specialized manner. Furthermore, I have to localize the bug and provide a reasonable testcase. And after spending that time to help you find a bug in your program, to be told that "nobody uses that feature", or worse yet just ignored, isn't amusing and encourages me, in the future, to work around bugs instead of reporting them, since we know you aren't going to fix them.

  14. Re:Hypocrisy by The+Bungi · · Score: 4, Interesting

    Now, this is a problem because many Windows users use versions of Windows which are obsolete: 98SE, ME, 2000. When Longhorn comes, this trend will of course hold true: people don't rush to the stores to buy the newest Operating System version. This means that people will be using still old versions of MSIE long after IE7 comes, which will, of course, be unsupported by MS because they don't want to trail support for 5 or 10 different versions of a single product.

    I don't contest what you're saying, and personally I think it's a bad idea from Microsoft, assuming it actually happens. But I find this argument quite interesting.

    Let's assume for a second that Mozilla becomes the most widely used browser in the world (for whatever operating system). 100 million people download and install it. And then someone finds another serious vulnerability with it. The Mozilla folks patch it. Then what? 20 million people upgrade, and 80 million don't. What then? The exploits come. How does Mozilla handle this? Because they're going to have exactly the same type of problem Microsoft has today: people who just don't give a damn if their computers are turned into spam zombies or get bogged down with malware. These are the people from whose machines you and I still get those stupid mass-mailing worm messages, and of course spam.

    Mozilla can very well damn rewrite the entire Gecko codebase and it will do them absolutely no good. Just like Microsoft with IE. With the small distinction that Microsoft does still support three versions of IE, while Mozilla likely won't even go there.

    Today you can find thousands of Linux machines out there that have year-old holes in Sendmail, SSH and the kernel itself. It's just that very few of them are being run off Comcast cable modems and virus writers just don't see much value in taking them over. It's no different from Windows.

    Even if Microsoft decided to bite the bullet and support seven versions of IE, I doubt it would do much good. What they can do is "force" users to upgrade to minimize the problem, which is what people around here call "the upgrade train" and is exactly what RedHat started doing with their corporate customers because support costs are prohibitive. And that's what Mozilla will have to do ("we don't support version X anymore, sorry. Upgrade to Y now!") because there's no other way to approach it.

    And BTW, the fact that some obscure company decided to "support" older versions of RHEL means nothing in the desktop/home user space, so "having the source" is useless.

    The people who write free software seem to think they can engineer all these problems away by writing "cool code" and making it "absolutely secure" from the get-go. That's not going to happen. They're still finding buffer overflows in Sendmail, for crying out loud. No, they're going to be in the same situation as Microsoft is today and they're going to get the same beatings left and right. I really hope I get to see that, if only for the chuckles.

  15. How to earn canconfirm by tepples · · Score: 2, Interesting

    You're seeing the effect of bug 179944 ( http://bugzilla.mozilla.org/show_bug.cgi?id=179944 ). To learn how to apply for the "canconfirm" privilege on bugzilla.mozilla.org, which grants the ability to file NEW bugs or to change UNCONFIRMED bugs to NEW, read Bug Triagers' Guide and Before you mail Gerv. If you're good at reducing examples of Gecko misbehavior to test cases, you may want to apply for "editbugs" as well.

  16. Re:My impressions of the Mozilla project by 0x0d0a · · Score: 2, Interesting

    First off, if someone reports a bug, it should be ASSUMED that there is a potential security issue there, until proven otherwise.

    Okay, just a moment. Consider the feasibility of this. Even small FLOSS projects may have a hundred bugs open.

    I mean, you *could* consider it a "security hole", but if you take such a policy, you won't be able to actually do much about "security holes".

  17. Re:Yes, you are... by ElvenMonkey · · Score: 2, Interesting

    In my opinion, if you put an entry up on a blog, you've made them public domain, effectively saying "Hey, world, I've got no secrets here, come and take a peek."
    How is that different from some other guy then having taken a peek, posted it on? Sure, the guy might have asked, but he didn't do anything particularly wrong. It's still the same access rights as before, only it's in a different place. Frankly, if you don't want people to copy your comments / views, don't shove them onto the internet in an easily accessible format.

    Too many people put blogs up on the internet these days that contain information that if they thought about it for more than a second they'd realise they didn't really want to tell the world, or they did but not quite in those words.

    --
    "Joy is not in things; it is in us." Richard Wagner