Slashdot Mirror


Security Issues in Mozilla

paulius_g writes "SecurityFocus has released a security warning with three problems that affect Mozilla on all platforms. The first issue allows the source of a download to be spoofed, generating a fake URL. This security issue is really easy to replicate: Create a long URL and the downloading box will only display its ending (Mozilla and Firefox). The second issue was created by the way that Mozilla's browsers handle news:// links to newsgroups, hackers can easily create false links and create a buffer overflow (Mozilla 1.7.5 and below, Firefox versions before 1.0). The third exploit affects machines with multiple users. The way that Firefox and Thunderbird store files allows every user to see them and to probably catch the other user's surfing habits (Firefox and Thunderbird). Let's hope that these will be fixed soon!"

454 comments

  1. A fix? by Blapto · · Score: 5, Informative
    Resolution
    ==========

    All Mozilla users should upgrade to the latest version:

    Says the site, implying at least a partial fix is available.

    1. Re:A fix? by Anonymous Coward · · Score: 1, Informative

      "Firefox versions before 1.0"

      Just upgrade to 1.0 and no more problems. You really should have upgraded a while ago...

    2. Re:A fix? by recursiv · · Score: 2, Interesting

      Go to http://secunia.com/advisories/13599 and it says: Solution Status: Unpatched

      Why is everyone saying these are fixed?

      --
      I used to bulls-eye womp-rats in my pants
    3. Re:A fix? by hviezda14 · · Score: 1

      "Why is everyone saying these are fixed?" In the two links first, second is written, that they do not affect 1.7.5. Maybe because of that :-)

    4. Re:A fix? by Anonymous Coward · · Score: 3, Funny

      I'm tired of all these upgrades every once in a while.. Now, I'm using telnet to port 80 to read slashdot. It took me 4 hours to post this though..

    5. Re:A fix? by Anonymous Coward · · Score: 0

      offtopic, certainly, but that is not a troll.

    6. Re:A fix? by stupidfoo · · Score: 2, Informative

      That was only for the second issue

      The second issue was created by the way that Mozilla's browsers handle news:// links to newsgroups, hackers can easily create false links and create a buffer overflow (Mozilla 1.7.5 and below, Firefox versions before 1.0).

      The first issue was for all versions (for Firefox and Mozilla), as was the third (for Firefox and Thunderbird).

    7. Re:A fix? by recursiv · · Score: 1

      Those both refer to the nntp issue. I'm talking about the link I gave, which was the second link in the story.

      --
      I used to bulls-eye womp-rats in my pants
    8. Re:A fix? by ZorinLynx · · Score: 1

      The easiest fix for the third one is:

      cd
      chmod 700 .mozilla .thunderbird .firefox

      I am surprised Mozilla software doesn't set profiles non-world readable by default...

      -Z

    9. Re:A fix? by vk2 · · Score: 3, Funny

      You could have reduced it to 2 hours if you had used both your hands to type.

      --
      No Sig for you.!
    10. Re:A fix? by The+Spoonman · · Score: 5, Insightful

      Why is everyone saying these are fixed?

      I'm more curious as to why they aren't fixed YET? We've been hearing for years that Open Source software is better because any problem is fixed within 24-48 hours. Well, it's been almost 51 hours since that issue was released on SecurityFocus, and I'm sure significantly longer since it was first discovered. Firefox is still not telling me there's an update available. What gives?

      For those incapable of grasping the sarcasm, let me spell it out for you: rhetoric gets stale for a reason.

      --
      Which is more painful? Going to work or gouging your eye out with a spoon? Find out!
      http://www.workorspoon.com
    11. Re:A fix? by adriantam · · Score: 1

      Ummm.....Let me see....
      First one...I don't care where the download is from but just what it is. So it is not a problem.
      Second one...usually I don't open any news:// links, so it is not a problem either.
      Third one...My home is 700, so it is also not a problem
      So, why I need a fix?

      --
      http://www.ieaa.org/~adrian/
    12. Re:A fix? by swv3752 · · Score: 1

      That is not the problem, it is an issue with how files are stored in /tmp, and most likely specifically how it passes these files off to a third program. The work around would be to save the file instead of open.

      But the first link shows that they are all fixed with the latest releases so not an issue.

      --
      Just a Tuna in the Sea of Life
    13. Re:A fix? by ichimunki · · Score: 2, Informative

      I don't think that does much to help protect the temporary files stored in /tmp, does it? The problem is files in /tmp with the wrong permissions as I understand it. Which, if we're really being paranoid, the files shouldn't even be in /tmp in the first place, because even exposing the knowledge that there is a file is a security lapse (if you can `ls /tmp` you can see that there is a file, even if you can't read it).

      Frankly I think the third warning is mostly hype. On many multi-user machines and even multi-system LANs, simply using a tool like tcpdump is going to expose a lot of web traffic to anyone who wants to listen. But because there are ways to be paranoid in such situations, the browser shouldn't casually discard your efforts at security.

      --
      I do not have a signature
    14. Re:A fix? by Anonymous Coward · · Score: 0

      "First one...I don't care where the download is from but just what it is. So it is not a problem."

      It's a problem if you download a virus from a spoofed URL. So it is a problem.

      "Second one...usually I don't open any news:// links, so it is not a problem either."

      Usually or never? If you open those links, then it IS a problem.

      "Third one...My home is 700, so it is also not a problem"

      What?

    15. Re:A fix? by xarak · · Score: 2, Insightful


      I agree FF1.0 is the best one to have. First non-beta version &c.

      However, I worry if we get into the same "upgrade-or-die" frenzy as with IE. No-one wants to be told that their navigator which has worked fine for 6 months has suddenly become a security hole. I was hoping Mozilla could steer clear of this

      --
      Atheism is a non-prophet organisation
    16. Re:A fix? by recursiv · · Score: 1

      the 700 refers to a unix style permission in which the owner gets complete access, and no one else gets any access, at the level of the filesystem, thereby nullifying any bugs at the application level. at least that's the claim. i think.

      --
      I used to bulls-eye womp-rats in my pants
    17. Re:A fix? by AviLazar · · Score: 1

      To expect a program to not have flaws is to expect the programmer to be perfect - people are not perfect. Mozilla will have security holes, errors, bugs, etc just like any other program. To hope Mozilla will avoid any of these issues is like hoping Bill Gates will announce the removal of IE and the incorporation of Mozilla into all of his Windows versions (w/o gov't prodding).

      --

      I mod down so you can mod up. Your welcome.
    18. Re:A fix? by Anonymous Coward · · Score: 0

      this is the best thing i've ever seen linked to on slashdot

    19. Re:A fix? by hummassa · · Score: 1

      The "unpatched" issue (the spoofing of the address of the download) is not really an issue... you can resize the progress dialog and the downloads box to get it right.

      --
      It's better to be the foot on the boot than the face on the pavement. ~~ tkx Kadin2048
    20. Re:A fix? by m50d · · Score: 2, Insightful

      However, surely any link from a non-trusted site could contain a virus just as easily if it was in the location it appears? I mean, if a hack^H^H^H^Hcracker has access to www.nicesite.com, does it matter if he makes a fake link that really downloads from www.nastysite.com or just replaces the file at www.nicesite.com?

      --
      I am trolling
    21. Re:A fix? by Anonymous Coward · · Score: 0

      I've informed everyone I know to switch back to Internet Explorer until these problems are fixed. Pffffft, yea right.

    22. Re:A fix? by Anonymous Coward · · Score: 0

      #1 ain't really a security bug and there are quite a few similar UI issues with mozilla and derivatives

      #2 is a pain in the butt they still haven't twigged that even reading the filename under /tmp can give a lot of info away (I put this as a bug like years ago - better to have /tmp/mozilla/user directories with only access to the user)

      i ain't saying these are fixed...

    23. Re:A fix? by LnxAddct · · Score: 4, Informative

      Did you read the security alerts? They only affect Firefox 0.9.3 and earlier. They have been fixed since 1.0 ( not sure if it was intentional or not, but whatever code caused this no longer causes it).
      Regards,
      Steve

    24. Re:A fix? by Anonymous Coward · · Score: 0

      Excellent post.

    25. Re:A fix? by Minna+Kirai · · Score: 1

      However, surely any link from a non-trusted site could contain a virus just as easily if it was in the location it appears?

      Nope. Today, many websites include features like "forums" and "message boards" that allow untrusted users to insert HTML code and links, without the privilege to upload binaries.

      Consider the page you're reading now- it would be basically plausible for someone to post with a link to "Fixed Firefox installer for Windows XP" which appears to be on mozilla.org or slashdot.org, but is really on r00tkit.net.

    26. Re:A fix? by The+Spoonman · · Score: 2, Interesting

      They only affect Firefox 0.9.3 and earlier.

      So? Why is it that when a flaw is found in a MS product that hasn't even been on the market for 4 years everyone jumps up and down and says "SEE! SEE!! They want to keep you on a constant upgrade cycle!!", but when it happens in the open source community, the reaction is "Eh, just upgrade"?

      --
      Which is more painful? Going to work or gouging your eye out with a spoon? Find out!
      http://www.workorspoon.com
    27. Re:A fix? by Anonymous Coward · · Score: 0

      It's because you keep listening to the same 4 illiterate 13-year-olds

    28. Re:A fix? by DarkTempes · · Score: 1

      firefox also wasn't even a 1.0 product when those vulns were released. IE is now at...6.x or something? even 4 years ago it was a lot higher version number wise...at least 4, maybe 5. even without the 'security' issue debate firefox is a better browser than IE, especially given all the extensions. i promise you, the first couple of IE vulns that came out weren't causing web crazes of "SEE SEE! They want to keep you on a constant upgrade cycle!", it was after about the billionth one ;p

    29. Re:A fix? by XMyth · · Score: 2, Insightful

      No one says that about their beta software (which is what Firefox 0.9.3 is)

    30. Re:A fix? by Anonymous Coward · · Score: 1, Insightful

      Because upgrading Open Source software is free, MS wants you to pay...

    31. Re:A fix? by Anonymous Coward · · Score: 0

      maybe because it was fixed before the article was released?

    32. Re:A fix? by cypher_soundz · · Score: 1

      Firefox was still in beta when all these exploits were found, i think the question is why are you giving firefox [BETA] such a hard time? there is a reason why it's beta ;) 1.0 fixes every issue.
      Firefox 1.0 has been out for a while and we are hearing now about an out of date version that can be exploited? I'm not sure exactly why you can't see the difference between this beta release and Internet explorer that has been around for a while and still has exploits being found daily.

    33. Re:A fix? by aichpvee · · Score: 1

      When these aren't fixed in 6 months to 4 years we'll talk. Until then it's a little hard to see where the problem is.

      --
      The Farewell Tour II
    34. Re:A fix? by detmark · · Score: 1

      so what most software vendors take at least a week to patch a problem, 24 Hour 7 Days a week 365 Days per year is the service i get with Mandrake. if i try to get through to a Windows App Vendor i either have to chew my leg off to keep me alive or put my 2 year old niece on the line to keep them entertained while i go feed

  2. Even then.... by Gentlewhisper · · Score: 1, Insightful

    In spite of these security flaws, Firefox is still a lot better than the incumbent IE.. no?

    1. Re:Even then.... by IcEMaN252 · · Score: 0, Troll

      Are you new here? IE is a MS product and therefore is evil, rotten, and sucks.

      --
      CitrusTV (http://www.citrustv.net): the Nation's Oldest & Largest Entirely Student-Run Television Station
    2. Re:Even then.... by frankthechicken · · Score: 5, Insightful

      Why?

      Both will have flaws, some major, some minor. And, for me, there seems no real evidence that the Firefox community corrects problems quicker than MS. Both appear to me to fix major problems relatively quickly.

      The only real difference is the experience a user gains from using an individual browser. And for me, I personally prefer the FF experience, as I should, having configured it until it fits like a glove.

    3. Re:Even then.... by Anonymous Coward · · Score: 1, Funny

      Could you tell me where you have downloaded your version of IE for FreeBSD, Linux, OpenBSD and NetBSD ?

      These flaws are a real problem but Firefox, YES, is still better than IE. Besides, the first flaw is not a flaw: you must ALWAYS download stuff from people you trust (and even then , you have to check the sources with a GnuPG key ring).

    4. Re:Even then.... by Zate · · Score: 1, Funny

      *claps* He gets it ! YaY !!

      --
      IT is Dead. The industry is Shot Join Others Who Feel Your Pain http://www.internalstrife.com/
    5. Re:Even then.... by recursiv · · Score: 0, Troll

      Wrong. That's not why IE sucks. IE sucks purely on its own merits.

      I know you were kidding, but it sounds like you are suggesting that IE doesn't suck, and that is what I'm addressing.

      --
      I used to bulls-eye womp-rats in my pants
    6. Re:Even then.... by Squatchman · · Score: 1, Funny

      Thou shalt not defame the Holy Mozilla's name !!!

    7. Re:Even then.... by IcEMaN252 · · Score: 0, Redundant

      I would never suggest anything of the sort. You must work for SCO or something to suggest that I was suggesting that.

      <Quasi-seriousness>
      IE does suck all on its own, but this is /. and serious reflection on situation is seldom the norm.
      </Quasi-seriousness>

      --
      CitrusTV (http://www.citrustv.net): the Nation's Oldest & Largest Entirely Student-Run Television Station
    8. Re:Even then.... by Anonymous Coward · · Score: 0

      Don't cry!

    9. Re:Even then.... by spac3manspiff · · Score: 0, Redundant

      IE is 25 MB Firefox is 4.7MB thats why ie also sucks

    10. Re:Even then.... by Anonymous Coward · · Score: 0

      MSDOS is ~10mb
      Fedora core 3 is up to ~2GB

    11. Re:Even then.... by theVP · · Score: 1, Troll

      Despite these security flaws, Firefox doesn't integrate itself with the OPERATING SYSTEM, and therefore despite its security flaws, it can't do near the damage that IE can. Not only that, since this is an open source program, I wouldn't doubt that a fix will appear much much faster than it would for IE. Need I also point out that more people still use IE than Firefox, and as a result, IE users are still the more targeted? Firefox is still safer to use, hands down.

      --
      "No one is more miserable than the person who wills everything and can do nothing." -Emperor Claudius 10 BC - AD 54
    12. Re:Even then.... by spac3manspiff · · Score: 0, Redundant

      well there is a 900K linux distro

    13. Re:Even then.... by Anonymous Coward · · Score: 0

      Forgive me ignorance, but why was this modded as a troll? It sounds like an honest answer to the question.

    14. Re:Even then.... by northcat · · Score: 1

      And, for me, there seems no real evidence that the Firefox community corrects problems quicker than MS.

      Please don't make statements with incomplete knowledge.

    15. Re:Even then.... by LnxAddct · · Score: 1

      Yes especially considering that these flaws are a few months too late. They don't affect 1.0,only 0.9.3 and before.
      Regards,
      Steve

    16. Re:Even then.... by Anonymous Coward · · Score: 0

      Never heard of derrida, have we?

  3. Only THREE? by w1r3sp33d · · Score: 3, Funny

    I guess they are not drinking the water from Redmond!

    1. Re:Only THREE? by goldspider · · Score: 1

      Only three... that were found this time.

      --
      "Ask not what your country can do for you." --John F. Kennedy
    2. Re:Only THREE? by Anonymous Coward · · Score: 0

      Not to mention that one is already fixed.

  4. Security by Anonymous Coward · · Score: 5, Funny

    Oh no! Time to switch back to IE.

    1. Re:Security by mirko · · Score: 1

      Come on, mods : This is not a troll, it's definitely the funniest post in this thread :D

      --
      Trolling using another account since 2005.
    2. Re:Security by Anonymous Coward · · Score: 1, Funny

      Yes it is true... as the CIO of a Fortune 500 company I believe that this truly shows the shortcomings of open source and as such I have completely scrapped our 5 year open source migration project. Consequentially we will be permanently renewing our Select licensing agreement with Microsoft, and I hope that they will be gentle in the negotiations.

    3. Re:Security by Anonymous Coward · · Score: 0

      "Consequentially we will be permanently renewing our Select licensing agreement with Microsoft, and I hope that they will be gentle in the negotiations"

      Gentle, Rough... either way you're going to get fucked.

    4. Re:Security by Creepy · · Score: 1

      Yeah! #3 is a UNIX permissions bug that shouldn't affect Windows at all, and I thankfully still have a copy of IE on my Solaris box.

      I worry about the fact that Microsoft hasn't updated it in about 5 years, but I should at least get some security through obscurity!

  5. More the users by Anonymous Coward · · Score: 0

    bigger are the chances this will happen

  6. I bet they will be fixed within 24hours! by xutopia · · Score: 0

    quote me! :)

    1. Re:I bet they will be fixed within 24hours! by Anonymous Coward · · Score: 1, Funny

      "quote me! :)"
      -- xutopia

    2. Re:I bet they will be fixed within 24hours! by I+confirm+I'm+not+a · · Score: 4, Informative

      If I read TFA correctly, they're fixed already: Mozilla is listed as unaffected in >=1.7.5, Firefox unaffected in >=1.0, and Thunderbird unaffected in >=0.9.

      Interestingly, the original bug report came from the Gentoo security people - is there anyone running Gentoo with anything other than the very latest apps?!

      --
      This is where the serious fun begins.
    3. Re:I bet they will be fixed within 24hours! by Cap'n+Steve · · Score: 1

      And I bet they've been sitting on the bugtracker for months. The developers seem to do a good job of fixing stuff once a way has been found to exploit it, but not before.

    4. Re:I bet they will be fixed within 24hours! by fwitness · · Score: 1

      "...is there anyone running Gentoo with anything other than the very latest apps?!"

      Yep. I have two Gentoo machines and although I frequently sync with portage, I view the changelogs and only update when a bugfix or feature enhancement sounds reasonable. Especially since the second Gentoo machine runs my MythTv, something I am very careful about hastily installing new software on.

      --
      -- I have fans? Wow.
    5. Re:I bet they will be fixed within 24hours! by Anonymous Coward · · Score: 0

      Hmm, well. It's called making priorities, I guess. You can also vote for bugs to be fixed. Not a bad service for a free browser, right?

    6. Re:I bet they will be fixed within 24hours! by Anonymous Coward · · Score: 0

      Already fixed in Debian.
      BTW, if I wanted to read Bugtraq I would have gone to securityfocus or osvdb.org.

    7. Re:I bet they will be fixed within 24hours! by eggfellow · · Score: 1

      so he wins the bet. pay up...

    8. Re:I bet they will be fixed within 24hours! by Anonymous Coward · · Score: 0

      is there anyone running Gentoo with anything other than the very latest apps?!

      No but I will be any minute now!

    9. Re:I bet they will be fixed within 24hours! by I+confirm+I'm+not+a · · Score: 1

      so he wins the bet. pay up...

      Whoa, not so fast, eggfellow! The original poster bet that the bugs would be fixed within 24 hours! S/he's in with a chance, but until the (remaining) bugs get fixed, my wallet's staying firmly in my pocket!

      (Maybe this could be a new bounty scheme for Mozilla bugs - fix quickly to make dumb saps like me pay up on wagers...)

      --
      This is where the serious fun begins.
    10. Re:I bet they will be fixed within 24hours! by I+confirm+I'm+not+a · · Score: 1

      > > is there anyone running Gentoo with anything other than the very latest apps?!

      > No but I will be any minute now!

      I'm a user of, and great admirer of, Gentoo, but using phrases like "any minute now" in relation to "emerge", well, that's just inviting trouble!

      --
      This is where the serious fun begins.
    11. Re:I bet they will be fixed within 24hours! by Anonymous Coward · · Score: 0

      If you are running gentoo and assumably running stable, then no you may not have the very latest apps. Gentoo does not spit stuff out of portage 30 seconds after it is released, it can take a while before the package is no longer masked. I know one version of firefox (think it was .8 to .9) seemed to take a month before I saw it unmasked in portage. Gimp 2 seemed to be even longer.

    12. Re:I bet they will be fixed within 24hours! by I+confirm+I'm+not+a · · Score: 1

      Aye, I should probably have said "the latest apps from portage...

      --
      This is where the serious fun begins.
  7. Not Mozilla!! by 53cur!ty · · Score: 5, Funny

    The tragedy, the inhumanity!!

    Bet Gates is grinning today hoping everyone will forget his laptop crash.

    Don't Tech all day and night, visit:
    WillingtonKarateClub.org Training Tips and more

    1. Re:Not Mozilla!! by Anonymous Coward · · Score: 0

      It was an Xbox first of all, not a laptop that crashed at CES.

      Also. It was not the system that crashed but rather the camera and an unfinished game.

      nice misrepresentation of the facts though.

    2. Re:Not Mozilla!! by Anonymous Coward · · Score: 0

      There is a reason I have sigs off, you fucking cockmaster.

    3. Re:Not Mozilla!! by 53cur!ty · · Score: 1

      >nice misrepresentation of the facts though.

      Thanks!:)

    4. Re:Not Mozilla!! by 53cur!ty · · Score: 1

      sigs off?

      Pretty smart coming from an Anonymous Coward!!

  8. Umm.... by Oxy+the+moron · · Score: 4, Insightful

    The way that Firefox and Thunderbird store files allows every user to see them and to probably catch the other user's surfing habits (Firefox and Thunderbird)

    Can't the same be said of IE or any program that stores information in %SYSTEMROOM%\Documents and Settings\%USERNAME% ? I mean, it's possible for me to see anyone's "habits" that way, right?

    --

    Proudly supporting the Libertarian Party.

    1. Re:Umm.... by danheskett · · Score: 1, Interesting

      I am not sure what about Firefox and Thunderbird allows users to bypass permissions checking. On a normal Win2k/XP system regular users cannot view another users "home" directory. It's been a while since I used Thunderbird, but last time I did mail was stored in a sub-directory from the program location. This would allow any user to see what other users did.

    2. Re:Umm.... by ratpack91 · · Score: 1

      only administrators can look in other user's "Documents and Settings\%USERNAME%" folder. I can't get the article at the mo so I don't understand how firefox is different since its settings are stored there.

    3. Re:Umm.... by fitten · · Score: 5, Funny

      You mean I gotta walk all the way down to the systemroom to get my information? Crap, no wonder I haven't been able to find it in my office lately...

    4. Re:Umm.... by SomeoneGotMyNick · · Score: 2, Interesting

      Partially related to that concept, I was using an XP system (no SP2 installed) where I didn't have admin rights. I was looking for a file that was in another user's documents folder. The operating system prevented me from browsing the folder through Explorer.

      When I did a Search for the file, the search window gladly displayed the file in question (from their documents folder) and allowed me to copy it to my documents folder.

    5. Re:Umm.... by IcEMaN252 · · Score: 2, Informative

      I'll admit to not doing exhaustive research before making my commentary.

      I believe that the Docs & Settings folder is owned by the user in question and has the permissions set to keep other users out. But, thanks to the way the Windows runs, everyone pretty much needs to be an Administrator to do things like, idk, run a CD-Burning app, so a knowledgeable user could change the permissions and look inside.

      But, this is a generic Windows problem, most users are Administrators, and they can therefore see other users' files. This might not be true in corporate environments, but at home it's usually the case.

      Remember what your mother said, and do not take the name of root in vain.

      --
      CitrusTV (http://www.citrustv.net): the Nation's Oldest & Largest Entirely Student-Run Television Station
    6. Re:Umm.... by plover · · Score: 1
      Actually, I'm not quite understanding that one myself. Both Mozilla/Firefox and IE store the user's cached data in the user's personal folder. Frankly, I don't know where else you should put it on a Windows box.

      You can set up your NTFS security such that only %USERNAME% can see the data in %USERNAME%'s folder. Very few home users do this, of course, and most wouldn't want to. Typical users wouldn't be able to function if Mom couldn't view the family pictures that Dad downloaded from the family's digital camera. But if you did change your security, this "problem" is "fixed."

      Perhaps they are suggesting the cache should be encrypted on a by-user basis? Sure, my browsing is too fast already ...

      --
      John
    7. Re:Umm.... by Anonymous Coward · · Score: 0

      Arrrrgh... me and my bad speeling. ;]

    8. Re:Umm.... by Anonymous Coward · · Score: 0

      Not really. If I remember correctly, "Limited" users cannot see the contents of other user's %USERNAME% folder. However, since most Windows users are Admins (well, their login is an Admin :) this is irrelevant.

      -David

    9. Re:Umm.... by Politburo · · Score: 1

      I cannot replicate this. I get "Access is Denied" when I try to search in someone else's home directory. Win XP SP1.

      Searching for * in C:\Documents and Settings returns the folders in D&S, all the files/folders in my home directory, and all the files/folders in the "All Users" directory. I cannot use the search results dialog to access another user's home directory.

      I call shenanigans.

    10. Re:Umm.... by rikkards · · Score: 1

      Only if you have admin privileges on the machine. If you are joe normal user you don't have access to other user profiles.

    11. Re:Umm.... by SmilingBoy · · Score: 1

      You need to make sure that your permissions are set correctly. Make sure that the subfolders inherit the permissions of the main folder. It seems like you did not have the permission to do anything with the UserName folder itself, but you had the permissions for the subfolders and their containing files. You need to right-click the UserName folder, then go to the permission settings, advanced and tick the bottom-most tick box to reset all permissions on files below the folder and update them with the same permissions as the folder itself. In WinXP, the permission tab may be deactivated, you need to activate it first in Explorer -> Tools -> Options -> View. (I may have got some of the wording wrong as I don't have an English Windows)

    12. Re:Umm.... by parkrrrr · · Score: 2, Interesting
      But, thanks to the way the Windows runs, everyone pretty much needs to be an Administrator to do things like, idk, run a CD-Burning app...
      I've had everyone on my XP SP2 machine running as a "limited" user for quite a while, and so far the only application I've seen that didn't work properly was the latest version of Palm Desktop. (it has to be installed by an admin, but puts all of its settings in HKEY_CURRENT_USER. So it has to be installed by whoever needs to run it. So you have to promote any user who needs it to admin, log on as that user, install the application, then demote the user back to limited. God help you if you have more than a couple users. And we wonder why PalmOS is losing ground to WinCE.)

      I know it was an off-the-cuff example, but Nero's BurnRights handles the CD-burning problem for Nero users. Users of other commercial software should consult their software vendor. Users of the Microsoft CD-burning "solution" are part of the problem. Users of cdrecord and cdrdao should look into the available documentation on Windows services and gin up something equivalent to BurnRights on their coffee break.

      ... so a knowledgeable user could change the permissions and look inside.
      You can prevent administrators from changing the permissions on your files. Administrators can still take ownership of your files, giving themselves "full control" permissions along the way, but they can't give them back so there's a fairly obvious audit trail if they go that route. I have a particularly pernicious piece of spyware on my machine that none of the usual tools seem to be able or willing to get rid of (the existence of which is why all of my normal users, including myself, are limited.) I've disabled it by denying all permissions on its directory to everybody, thus prohibiting it from running and even from reinstalling itself if another copy of it should happen to run if some idiot admin (me) should happen to go insane, run IE, and go to an infe[cs]ted website.
      </rant>
    13. Re:Umm.... by stolen.identity · · Score: 1
      While it doesn't explicitly say so, the report seems to be talking about Linux.

      They refer to /tmp in the directory listings. In Un*x, /tmp can be read/written by all, so files in that directory must have appropriate permissions to be "private".

      It looks like most of the time, FireFox sets the permissions correctly (600), but in certain cases, it sets them incorrectly (644) so that other readers can view them.

      As well, most of the time it obfuscates the filename, but in those same cases, it leaves the filename untouched. Anyone can get a directory listing of /tmp, even if they can't read the individual files.
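
The /tmp exposure described in the comment above (files left at 644 instead of 600, and readable filenames), as an added example that is not part of the thread: a shell audit that lists your own group- or world-readable files in a directory, tightens them, and creates a mode-700 scratch directory so the names are hidden too. The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): find and fix temp files that other
# local users can read, i.e. the 644-instead-of-600 case.

# Print regular files directly inside DIR that belong to the current user
# and are readable by group or others.
list_exposed_files() {
    find "$1" -maxdepth 1 -type f -user "$(id -u)" \
        \( -perm -040 -o -perm -004 \) -print
}

# Remove all group/other access from those files (644 -> 600).
fix_exposed_files() {
    find "$1" -maxdepth 1 -type f -user "$(id -u)" \
        \( -perm -040 -o -perm -004 \) -exec chmod go-rwx {} +
}

# Create a private scratch directory and print its path. mktemp -d makes it
# mode 700, so other users can neither read the files inside nor list their
# names, which chmod on individual files in a shared /tmp cannot achieve.
make_private_dir() {
    mktemp -d "${TMPDIR:-/tmp}/private.XXXXXXXXXX"
}

# Constructed demonstration: one file written the careless way under a
# typical umask of 022, one created with mktemp (always 600).
demo() {
    scratch=$(make_private_dir) || return 1
    ( umask 022; echo "constructed sample" > "$scratch/statement.pdf" )
    mktemp "$scratch/dl.XXXXXXXXXX" >/dev/null
    echo "exposed before fix:"
    list_exposed_files "$scratch"
    fix_exposed_files "$scratch"
    echo "exposed after fix: $(list_exposed_files "$scratch" | wc -l)"
    rm -rf "$scratch"
}

demo
```

Pointing `list_exposed_files` at `/tmp` shows which of your own files other accounts on the machine can currently read.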

    14. Re:Umm.... by someonewhois · · Score: 1

      I use Thunderbird (1.0), and it's got my profile in C:\Documents and Settings\Nathan Wong\Application Data\Thunderbird. Likewise, Firefox is in C:\Documents and Settings\Nathan Wong\Application Data\Mozilla\Firefox and Sunbird in C:\Documents and Settings\Nathan Wong\Application Data\Mozilla\Sunbird.

      I sure would like to know why Thunderbird isn't in the Mozilla directory, but who knows. All I know is that if there was another user on this computer, they wouldn't be able to see my files. Not entirely sure.

    15. Re:Umm.... by Thundersnatch · · Score: 1
      Can't the same be said of IE or any program that stores information in %SYSTEMROOM%\Documents and Settings\%USERNAME% ? I mean, it's possible for me to see anyone's "habits" that way, right?

      Wrong. IE and almost all other well-behaved Windows applications store their temporary data in %USERPROFILE%. Which for IE generally means "C:\Documents and Settings\%USERNAME%\Local Settings\Temporary Internet Files". All directories under Documents and Settings have user-specific permissions by default. Even the machine or domain admin does not have read access to those directories (although an admin can take ownership and change the perms).

      One should also note that this sort of user-specific behavior (i.e. you don't write to HKEY_LOCAL_MACHINE in the registry, or %SYSTEMROOT%, or %PROGRAMFILES%) is required for getting the official Windows 2000 or Windows XP compatibility logo. Unfortunately, a great deal of popular non-MS software does not qualify for this logo, even though the programs are still marketed as "Windows 2000/XP compatible." This is why so many lazy corporate Windows administrators punt and give their users administrative rights to their machines, when that is not the default.

    16. Re:Umm.... by justsomebody · · Score: 2, Informative

      Last time you checked it was TB 0.5:) (until then mail was stored under thunderbird program directory)

      Now everything is stored under Documents and Settings/user/Application Data/thunderbird

      or something like that.

      --
      Signature Pro version 1.13.2-3 release 83.5 beta3try7 after-breakfast edition
    17. Re:Umm.... by Anonymous Coward · · Score: 0

      %APPDATA% is a shorter way of specifying that.

    18. Re:Umm.... by rwise2112 · · Score: 1

      Thanks.

      I didn't know about Nero BurnRights! My wife will appreciate it.

      --

      "For every expert, there is an equal and opposite expert"
    19. Re:Umm.... by megarich · · Score: 1

      Dunno but ie can let a million and one spyware in and they'll through their own means steal all of your information.....

    20. Re:Umm.... by Bachus9000 · · Score: 1

      Then the copies of WinXP in the university computer labs are broken, as every user (or at least I :)) can access any other user's data. Perhaps it's a setting somewhere in the registry?

    21. Re:Umm.... by UNCfan4life · · Score: 2, Informative

      In XP, unless you specifically tell it otherwise, every user can access the Documents and Settings folder of every other user with equal or lesser permissions. So, if everyone in the lab is set up as a power user, you can see each other's information, you just can't see the Administrator's info.

      --
      Caution - poster has no actual knowledge. Read at your own risk.
    22. Re:Umm.... by marcosdumay · · Score: 1

      It may be a long time ago... I never used Firefox or Thunderbird with suid, but never had permission to modify its installation directory and it always worked fine (talking about 2002 to now).

    23. Re:Umm.... by danheskett · · Score: 1

      That sounds right.. it was a long, long time ago. Glad to know they fixed that.. it was a major problem!

    24. Re:Umm.... by drinkypoo · · Score: 1
      Nero CD has a tool called burnrights that allows you to create a Nero group that has permission to burn CDs. If you use software that doesn't suck, windows is fine for most purposes. Yes, users own their own documents and settings directories, within which should be any user-specific data. (NT has had user profile directories for ages but they used to live in the winnt directory, which was stupid.)

      Administrators cannot see properly-permissioned files belonging to other users any more than root can on Linux, though granted not everyone is root by default. Still, it's not Microsoft's fault if you use Windows improperly. NT's ACLs are very powerful, as are its group policies. To use them properly you need training. You know, kind of like Unix.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    25. Re:Umm.... by Foolhardy · · Score: 1

      I'm surprised nobody has done a Google search for site:microsoft.com "user profile" security default
      Default Access Control Settings in Windows 2000, which haven't changed in XP. Power Users can read (but not modify) everyone's profiles by default while normal Users cannot. The Power Users group is there mainly for compatibility. Maybe you are a Power User? Also, these are the defaults and can be modified.
      Security Recommendations for Roaming User Profiles Shared Folders: this is for roaming profiles but it's the same idea.
      How to disable simplified sharing and set permissions on a shared folder in Windows XP, which may be affecting your ability to see/modify the current ACLs.
      See also HOW TO: Restore a User Profile in Windows 2000
      Also see Security Templates overview; apply a standard template (included in XP) or create your own for tighter security.

    26. Re:Umm.... by Anonymous Coward · · Score: 0

      Not on a machine with separate user accounts. That would be the entire POINT of storing it in their documents and settings directory. It has inherited permissions that make normal users unable to access one another's files.

      Let me guess, you're an MCSE, right? /sigh

    27. Re:Umm.... by eMartin · · Score: 1

      Palm Desktop. (it has to be installed by an admin, but puts all of its settings in HKEY_CURRENT_USER. So it has to be installed by whoever needs to run it. So you have to promote any user who needs it to admin, log on as that user, install the application, then demote the user back to limited. God help you if you have more than a couple users.

      You mean that the stuff it puts in HKCU when installing has to be there before running it the first time?

      If so, you could have just installed Palm Desktop once, exported its keys from under HKCU to a .reg file, and then had each user just double click on that file before using it the first time.

    28. Re:Umm.... by Myen · · Score: 1

      Really?
      I'm Power User but can't see (restricted) User accounts... I'm pretty sure it's just the Administrators group having read permissions in everyone's profile.

    29. Re:Umm.... by Myen · · Score: 1

      setowner lets you assign arbitrary owners (via the Backup Operators' ability to set owners for restoring backups). It can be useful. IIRC, Norton thinks it's a trojan or something...

    30. Re:Umm.... by drsmithy · · Score: 1
      Then the copies of WinXP in the university computer labs are broken, as every user (or at least I :)) can access any other user's data. Perhaps it's a setting somewhere in the registry?

      More likely the machines are using FAT32.

  9. Misleading Article by Asacarny · · Score: 3, Informative

    All of these security issues are fixed in the latest releases of Firefox/Thunderbird/Seamonkey. They have all been fixed for quite some time now.

    It would have been helpful for this information to be included in the story. Thanks, Slashdot.

    1. Re:Misleading Article by wolf31o2 · · Score: 1

      Slashdot screws up all of our stories, too.

    2. Re:Misleading Article by smc13 · · Score: 1, Interesting

      Wrong. The first issue affects the current version. If you clicked on the link you would have noticed this:

      Software: Mozilla 1.7.x
      Mozilla Firefox 1.x

      How can his post be rated informative when it isn't true?

    3. Re:Misleading Article by Naikrovek · · Score: 1

      This is not News for Nerds, this is Rumors for Nerds.

      It is well known, as you know.

    4. Re:Misleading Article by banzai51 · · Score: 1

      It would have been even more useful to have this information out when it was vulnerable, so I could have made a more informed choice. Of course, that would have hampered FF rollout. Et tu, Burtu?

    5. Re:Misleading Article by Anonymous Coward · · Score: 0

      lol, tell that to the IE development team and make a choice (:

    6. Re:Misleading Article by recursiv · · Score: 0, Redundant

      Go to http://secunia.com/advisories/13599 (linked in post) and it says: Solution Status: Unpatched

      Why is everyone saying these are fixed?

      --
      I used to bulls-eye womp-rats in my pants
    7. Re:Misleading Article by maelstrom · · Score: 1, Offtopic

      It's getting to the point where I'm about to stop reading after being an extremely long time reader. Slashdot has always been a bit of a rumor mill, but lately it seems to have gotten worse. It used to be Taco and crew would respond to the users, but they haven't even gotten rid of this horrible color scheme, much less done anything else for the users.

      --
      The more you know, the less you understand.
    8. Re:Misleading Article by killmenow · · Score: 1

      The article is misleading. It first states that Security Focus has issued a release of three vulnerabilities effecting all platforms. But in reality, the linked SecurityFocus release only applies to Gentoo and not one of the issues is still an issue with the current releases on that platform. In fact, not one of these issues is an actual issue in any of the latest versions on any platform except possibly the first issue on Windows only.

      So, instead of being misleading, the submitter could have said, "SecurityFocus released a warning about old versions of Mozilla, Thunderbird, and Firefox for Linux users...but since most Linux users are probably on the current versions, since they've been out several months now, it hardly effects them. Separately, one of these issues is apparently still an issue on the Windows platform...switch to Linux now."

    9. Re:Misleading Article by Asacarny · · Score: 1

      Actually, the submitter screwed up. The Securityfocus advisory that inspired his/her post referenced three potential holes, all of which are fixed in the current release. That link explains that if you upgrade to the latest releases, you will be safe from these security bugs.

      The story then links to a *different* Secunia advisory, claiming this is the "first issue" in the Securityfocus advisory. It's not. That's the problem.

      That said, this new vulnerability has to get fixed.

    10. Re:Misleading Article by mobets · · Score: 1

      I like this color scheme

      --

      It was me, I did it, I moved your cheese
    11. Re:Misleading Article by smc13 · · Score: 1

      You need to work on your reading skills.

      "The vulnerability has been confirmed in Mozilla 1.7.3 for Linux, Mozilla 1.7.5 for Windows, and Mozilla Firefox 1.0. Other versions may also be affected."

      Notice it doesn't state firefox for windows. That implies it is vulnerable for all versions of firefox.

      The article isn't misleading. It clearly states that the second issue effects firefox versions before 1.0.

      Stop being mindless zealots.

    12. Re:Misleading Article by Megaweapon · · Score: 1

      So, instead of being misleading, the submitter could have said

      Actually, "So, instead of being misleading, the Slashdot editor should have confirmed that...".

      --
      I'm sure "SlashdotMedia" will improve on all the wonders that Dice Holdings blessed us all with
    13. Re:Misleading Article by GoodbyeBlueSky1 · · Score: 2, Informative

      #638, huh? It'd be a shame if you left now.

      Anyhoo, regarding color schemes, I ran across this the other day...
      http://forums.mozillazine.org/viewtopic.php?t=185393
      Haven't tried it, but it looks pretty basic.

      As for the crew, I'm currently working on an extension to replace michael's rants with underscores.

      Well, not really.

      --
      why? forty-two.
    14. Re:Misleading Article by smc13 · · Score: 1

      I agree that the submitter made a mistake with the post when they state securityfocus as their source but post a secunia link, but, there is a vulnerability in the current version of firefox.

    15. Re:Misleading Article by killmenow · · Score: 1
      Stop being mindless zealots.
      Wah!

      You need to brush up on your comprehension skills. The article is misleading because it states very clearly that SecurityFocus has released a security warning with three problems that affect Mozilla on all platforms. Criminetly, it's the first freaking sentence of the submission. Everything that follows is in reference to that. But the funny thing is, the SecurityFocus release has nothing to do with any platform other than Gentoo. It's not even a general release for Linux, but specific to a distro. Now, I assume it applies to other Linux distros as well. But the SecurityFocus release very clearly states these issues are already fixed in the latest versions.

      The link to secunia says this is still a potential issue for Mozilla on Windows. OK. That's one issue.

      The link to isec.pl (even as the submitter noted in the not-misleading part) does not effect current versions on any platform.

      The link to ptraced.net mentions problems with older versions on Debian only (again, I'll assume it effects all Linux distros) but not "on all platforms" as the submitter suggested. It also gives no indication of whether this is fixed in the current releases...maybe not, but given the Gentoo release says the latest versions fix this on Gentoo Linux, odds are good it's fixed for all Linux versions. And, remember, there's no evidence this issue EVER EXISTED on Windows.

      So, what we have is one issue effecting the current version of Mozilla (and perhaps Firefox) on Windows. Yet, the submitter says "three problems...on all platforms" and then ends his misleading submission with "Let's hope that these will be fixed soon!"

      That, dear sir, is fairly misleading in my book. I don't attribute it to malice. Hanlon's Razor applies.
    16. Re:Misleading Article by killmenow · · Score: 1

      Slashdot doesn't have editors. They have clickers. They read a submission and make a hasty decision: click approve or click reject.

      This isn't a news source. It's an aggregator and it's often wrong. It's been a long time since /. clickers clicked the links submitters provide and actually read them. Heck, sometimes articles are approved with broken links. The clicker who clicked approve didn't even click the links to see if they 404-ed or not.

    17. Re:Misleading Article by mydigitalself · · Score: 1

      Ok, so I have Firefox 1.0 with the following info in the Help->About:

      Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0

      Am I ok? If not - I went to use the Check Updates feature and it told me there were no updates, which would be a big problem.

    18. Re:Misleading Article by Megaweapon · · Score: 1

      Slashdot doesn't have editors.

      That's funny, the "editors" seem to like the term.

      --
      I'm sure "SlashdotMedia" will improve on all the wonders that Dice Holdings blessed us all with
    19. Re:Misleading Article by Anonymous Coward · · Score: 0

      Et tu, Burtu?

      Oh, man. That's sad. It's:
      Et tu, Brute?

      Where "Brute" is of course Latin, so it's got two syllables: brew-tay

    20. Re:Misleading Article by kkovach · · Score: 1

      Can I have your stuff? Er, ID?

      - Kevin

      --
      The less confident you are, the more serious you have to act.
    21. Re:Misleading Article by aeinome · · Score: 1

      Well, actually, it seems as though only the second and third issues were fixed -- if you look at the Bugzilla link mentioned in the first article, https://bugzilla.mozilla.org/show_bug.cgi?id=275417 (copy 'n paste) shows the bug as NEW, and the comments do show that this hasn't been fixed yet. I tried it with my FF1.0 on Linux and the bug was present.

      --
      When you don't have a leg to stand on, don't even get up.
    22. Re:Misleading Article by Anonymous Coward · · Score: 0

      Google for "effect" versus "affect". Hint: You used the wrong one.

    23. Re:Misleading Article by megarich · · Score: 1

      Sensationalism my friend. All press does it and it looks like slashdot is following suit of the masses :(

    24. Re:Misleading Article by northcat · · Score: 4, Funny

      How can his post be rated informative when it isn't true?

      You must be new here.

    25. Re:Misleading Article by geminidomino · · Score: 1

      Uh huh. Just like "Trash collectors" like the term "sanitation engineers."

      People like titles that make them seem more important.

    26. Re:Misleading Article by Megaweapon · · Score: 1

      So perhaps the title "Poor Spelling, Opinionated Yet Oblivious, Infinite Mod Point Mod Nazi, Unnecessary Editorializing, Anti-Dupe And Anti-Verification Story Posting Monkeys" would be a better title for them.

      --
      I'm sure "SlashdotMedia" will improve on all the wonders that Dice Holdings blessed us all with
    27. Re:Misleading Article by normal_guy · · Score: 1

      You're fine. Here's a link for you.

      --

      Linux: Free if your time is worthless.
    28. Re:Misleading Article by normal_guy · · Score: 1

      You're fine. Here's a link for you.

      --

      Linux: Free if your time is worthless.
  10. Buffer overflow? by mattgreen · · Score: 3, Insightful

    Weak. They should know better than that. It's not like it is hard to prevent a buffer overflow. They're using C++ for crying out loud.

    1. Re:Buffer overflow? by Emperor+Shaddam+IV · · Score: 0

      Why? You can hose up memory just as easy in C++ as in C. Nothing stops you from using malloc() in C++. And nothing prevents you from using pointers instead of references. And nothing prevents you from going past the end of an array. Besides, the bug was from the old beta versions, which makes this posting old news and not even worth being on Slashdot.

    2. Re:Buffer overflow? by Anonymous Coward · · Score: 0

      so is ms, and how many buffer issues do they have?

    3. Re:Buffer overflow? by deadlinegrunt · · Score: 4, Insightful

      I have not looked at the latest code base so my response may very well be wrong, however you may want to keep this in mind when making such a statement:

      Perhaps one reason is they are not really using C++ to its fullest extent like here as an example.

      --
      BSD is designed. Linux is grown. C++ libs
    4. Re:Buffer overflow? by Anonymous+Brave+Guy · · Score: 1
      Perhaps one reason is they are not really using C++ to its fullest extent like here as an example.

      It's always depressing to see portability guides that say that sort of thing. (For those who didn't follow the link, it basically says don't use standard libs like iostreams.) C++ has been standardised since '98, with most players knowing the basic rules well before that. That's nearly a decade ago!

      We have similar rules at work, where we do work with some seriously old compilers on a very portable code base. Even there, most of the rules restricting the use of certain language features that remain are anachronisms.

      Bottom line: No-one should be using raw arrays without very careful scrutiny in C++ today. Coding standards should mandate the use of range-checked array indexing by default, which would probably have avoided this unfortunate mess.

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    5. Re:Buffer overflow? by mattgreen · · Score: 1

      You can also code up enough abstractions to protect you from ever hosing up memory unintentionally in C++.

    6. Re:Buffer overflow? by Anonymous Coward · · Score: 0

      > C++ has been standardised since '98

      Mozilla's been in development since 1998, which meant that they were realistically targeting a development/runtime environment from 1996 or so. VC6, GCC 2.7, that sort of thing.

      Plus they were/are wanting for volunteer developers, which pretty much precluded any sort of exotic/payware environment (think Debian Stable from 7 years ago).

    7. Re:Buffer overflow? by graphicsguy · · Score: 1

      Wow! That portability document originates from 1998 and hasn't been updated since 2001. I think most C++ compilers have come a long way since then.

      As an aside, Mozilla won't run on my old laptop running Windows 95 with 40 MB memory anyway (it's too big -- only modern browser that would run is Opera). So Mozilla is implicitly targeting newer machines than circa 1998 anyway.

    8. Re:Buffer overflow? by Anonymous Coward · · Score: 0

      You can also do the same in C for that matter. See the lack of buffer overflow possibilities in vsftpd, written in plain old vanilla C.

    9. Re:Buffer overflow? by oliverthered · · Score: 1

      I wonder what platforms the 'older' compilers are on, and if they can really run Moz.

      I say dropping support for the BBC Micro until someone writes a gcc arch for the BBC isn't going to hurt too much.

      --
      thank God the internet isn't a human right.
    10. Re:Buffer overflow? by Anonymous+Brave+Guy · · Score: 1

      That's a fair point, but even then the use of things like range-checked container classes rather than raw arrays was the norm amongst competent programmers, and the standard library vector class (which includes a range-checked indexing function) was widely known.

      It may sound harsh, but I would describe any C++ programmer who (today) relies on raw arrays other than in very specific circumstances as "incompetent", assuming of course that their project's coding standards give them a better choice. Doing so demonstrates a fundamental misunderstanding about how to use the various tools C++ provides, which goes way beyond overlooking a simple buffer over-run somewhere.

      Yes, this does mean that most C++ programmers are incompetent. If you think about it, that's why languages like Java, which offer similar mainstream features but enforce more safety, have become so popular. To uebergeek L337 Hax0rz, the limitations of these languages can be annoying, but to everyday project managers with everyday developers on their teams, the extra safety and reliability is worth more than the lost power tools.

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
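
The contrast drawn in the comments above between raw arrays and range-checked indexing, as an added example that is not part of the thread, not Mozilla's code and not a reconstruction of the reported news:// bug. The URL shape, the 32-byte buffer and all function names are assumptions made for the demonstration.

```cpp
// Added example: copying a URL component into a fixed-size buffer,
// first with a raw array and no bound check, then with std::array::at().
#include <array>
#include <cstddef>
#include <iostream>
#include <stdexcept>
#include <string>

constexpr std::size_t kGroupBuf = 32;        // assumed fixed buffer size
const std::string kScheme = "news://";

// Returns the text after "news://host/", or "" if the URL is not in that shape.
std::string group_part(const std::string &url) {
    if (url.compare(0, kScheme.size(), kScheme) != 0) return "";
    std::size_t slash = url.find('/', kScheme.size());
    if (slash == std::string::npos) return "";
    return url.substr(slash + 1);
}

// Raw-array style, shown for contrast. Nothing stops the loop at the end of
// 'out', so behaviour is only defined when group.size() < kGroupBuf.
void copy_group_unchecked(const std::string &group, char (&out)[kGroupBuf]) {
    std::size_t i = 0;
    for (char c : group) out[i++] = c;       // no bound check on i
    out[i] = '\0';
}

// Range-checked style: at() throws std::out_of_range instead of writing
// past the buffer, so an over-long component is rejected, not copied.
bool copy_group_checked(const std::string &group, std::array<char, kGroupBuf> &out) {
    try {
        std::size_t i = 0;
        for (char c : group) out.at(i++) = c;
        out.at(i) = '\0';                    // the terminator must fit too
        return true;
    } catch (const std::out_of_range &) {
        out.fill('\0');                      // leave no partial data behind
        return false;
    }
}

// Convenience wrapper: parse the URL and copy the group name with checks.
// Returns true and fills 'name' only when the group fits in the buffer.
bool parse_group(const std::string &url, std::string &name) {
    std::array<char, kGroupBuf> buf{};
    std::string group = group_part(url);
    if (group.empty() || !copy_group_checked(group, buf)) return false;
    name.assign(buf.data());
    return true;
}

int main() {
    std::string name;
    // Constructed sample inputs.
    std::string ok_url = "news://news.example.org/comp.lang.c++";
    std::string long_url = "news://news.example.org/" + std::string(200, 'A');

    std::cout << "short: " << parse_group(ok_url, name) << " -> " << name << "\n";
    std::cout << "long:  " << parse_group(long_url, name) << "\n";

    // The unchecked copy is only called with input known to fit.
    char raw[kGroupBuf];
    copy_group_unchecked(group_part(ok_url), raw);
    std::cout << "raw:   " << raw << "\n";
    return 0;
}
```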
    11. Re:Buffer overflow? by deadlinegrunt · · Score: 1

      Your post is right on for every level it addresses including the obvious one which will still probably be overlooked by the majority of people that do read it. Shame really...

      --
      BSD is designed. Linux is grown. C++ libs
  11. 3 Whole Security Issues! Thank God... by codesurfer · · Score: 5, Funny

    that I can still wipe my Linux box, buy a copy of XP, install, activate, update, reboot, update, reboot, get SP1 & 2, reboot, update, reboot and I'll be able to use Internet Explorer, a safe alternative to....oh wait...

    1. Re:3 Whole Security Issues! Thank God... by slide-rule · · Score: 1

      > buy a copy of XP, install, activate, update, reboot, update, reboot, get SP1 & 2

      Nice little roll, there. I probably oughtn't point out that if you're actually buying a copy of XP these days that it'll have SP2 applied to it already. At least, all the stores around here sell it this way.

    2. Re:3 Whole Security Issues! Thank God... by Anonymous Coward · · Score: 0

      I got an official XP + SP2 CD from Microsoft with a SP1 serial which didn't work, obviously. Grrr!

    3. Re:3 Whole Security Issues! Thank God... by Anonymous Coward · · Score: 0

      I realize you're trying to be funny. First off, you should stop trying so hard, since you're just wasting your time.

      In any case, Service Packs roll up the previous updates, so if you happened to buy an old copy of XP that didn't already have SP2 integrated, you should first find a new store, and then you would 'install, activate, get SP2, reboot, update, reboot'.

    4. Re:3 Whole Security Issues! Thank God... by Anonymous Coward · · Score: 0

      Really? When I redid my windows box last week, I had to reboot at least 6 times. Maybe it should have read install, activate, reboot, patch, reboot, install driver a, reboot, install driver b, reboot, install driver c, reboot, install driver d, reboot, continue until done.

      I don't think the original poster was trying to be funny. I think he was being fairly accurate. Now, if you have some magical solution that keeps Windoze from having to reboot every time a new piece of hardware is activated, then let us in on the secret.

    5. Re:3 Whole Security Issues! Thank God... by Anonymous Coward · · Score: 0

      and not to mention that those three security issues were ALREADY fixed in firefox 1.0.

      In the article it says "To fix upgrade to the latest version...."

      In the article it also says all versions of firefox greater than or equal to 1.0 are NOT affected.

    6. Re:3 Whole Security Issues! Thank God... by carambola5 · · Score: 1

      Silly rabbit, you can't apply SP1 & 2 without rebooting between them.

      --
      IWARS.
      People, in general, disappoint me. Politicians even more so.
    7. Re:3 Whole Security Issues! Thank God... by limabone · · Score: 1

      That install procedure for XP has many unnecessary steps and at least one is in the wrong place.

      Instead of using this opportunity to bash Microsoft, we should realize that open source is susceptible to the same types of security issues that they are, but the open source community seems to have a model which is for the most part much better at dealing with them in a timely fashion.

    8. Re:3 Whole Security Issues! Thank God... by Anonymous Coward · · Score: 0

      I do have a solution. Choose 'I will restart later', or don't click 'ok' when it says 'System will now restart' (minimize the install or dialog and start the next one). You don't need to restart after installing your sound card to install your network card, despite what Windows tells you. All these things are doing are copying new files to the system directory to be loaded on next restart.

      I avoid restarting as much as possible and while there are cases where restarting is absolutely necessary before applying the next patch (usually SPs), in most cases it is simply because Windows wants the new code to be loaded (want!=need). If you're applying a bunch of drivers/patches at once, you can restart once after everything's done.

      I also don't remember having to reboot after activation, but I haven't done that recently so I could be wrong.

    9. Re:3 Whole Security Issues! Thank God... by bushidocoder · · Score: 1

      I think you missed an extra reboot in there. Sadly, not kidding.

    10. Re:3 Whole Security Issues! Thank God... by Anonymous Coward · · Score: 0

      There would be no need to. SP2 includes everything in SP1. It's nice to see the bullshit that flies around here. Yes, I know it was a joke, but therein lies an actual problem. This guy has a huge beef with XP, but doesn't really know everything he's talking about. Which is fine, so long as he doesn't start giving people advice on which OS to use.

  12. Updates by harlingtoxad · · Score: 5, Insightful

    Most viruses are exploits of things MS has patched months earlier. If Firefox becomes mainstream can we count on the average user to update or will an out of date Firefox become nearly as bad as IE?

    --
    Gravity is not just a law, it's also a good idea.
    1. Re:Updates by rainman_bc · · Score: 2, Informative

      AFAIK Firefox [ on win ] checks for updates itself. It should never be out of date.

      On linux, you have stuff like apt / yum / portage to keep computers up to date.

      Mac version probably updates itself too, but don't quote me on that.

      --
      09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
    2. Re:Updates by Anonymous Coward · · Score: 0

      I agree, who will "centralize" the fixes anyway? Now I go to the distributor where I downloaded the browser, seems to work ok.

      I'm sure as the browser becomes more popular with joe six pack, more vulnerabilites will come to light. So it goes...

    3. Re:Updates by Anonymous+Brave+Guy · · Score: 1
      If Firefox becomes mainstream can we count on the average user to update or will an out of date Firefox become nearly as bad as IE?

      No and yes, respectively.

      Herein lies the fallacy behind much of the MS-bashing on threads like this.

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    4. Re:Updates by coolcold · · Score: 0

      I personally would trust firefox autoupdate since at least it won't break things. In the worst case, I can uninstall the whole thing or reinstall. My window box is still in SP1 since I am not confident my hardware drivers would work under SP2

      --
      I am harvesting funny/good quotes. Please help by putting them in your sigs :)
    5. Re:Updates by adeydas · · Score: 1

      Most probably it will be nearly as bad as IE. Loopholes get discovered only when you start actually using the product.

    6. Re:Updates by Ced_Ex · · Score: 0, Flamebait

      Exactly!

      Then there are the slashdotters that suggest Firefox updates "secretly" so joe sixpack doesn't know about it, yet when MS has an auto-update feature, the same asses are crying foul, "Oh, I want to have full control over what goes on my system."

      Is anyone listening to themselves?

      --
      Live forever, or die trying.
    7. Re:Updates by Peldor · · Score: 1
      ...can we count on the average user to update...

      The answer to this is always NO!

    8. Re:Updates by Anonymous Coward · · Score: 0

      "will an out of date Firefox become nearly as bad as IE?"

      Not unless the web becomes a monoculture of firefox. A large part of the problem with IE is not just that it is vulnerable, but that its vulnerabilities affect the majority of users on the net. If firefox got 20% market share, for example, an exploit would be bad for you personally if you got affected, but would still not be the disaster that a software monopoly creates (at this time MS, in the future, who knows...)

  13. Re:Unacceptable by PommeFritz · · Score: 2, Informative

    "spotted before rollout"?
    Dude, the article says that only versions before Firefox 1.0 are vulnerable, and 1.0 has been out for 2 months already. What are you talking about?

  14. Older versions only by martin_b1sh0p · · Score: 2, Informative

    Note that it appears from what I read that these issues only affect the beta versions of FireFox. Who uses a beta once a released version is out???

    Basically this is a non issue as everyone should have upgraded to v1.0 as soon as it came out.

    1. Re:Older versions only by d_jedi · · Score: 1

      Well, MS flaws that affect only pre-SP2 XP versions of Windows seem to be an issue.. so it's only fair :->

      --
      I am the maverick of Slashdot
    2. Re:Older versions only by m50d · · Score: 1

      When you have to pay to upgrade, it's a different matter.

      --
      I am trolling
  15. Sounds like good news to me by I.M.O.G. · · Score: 3, Insightful

    Perhaps it will serve as a reality check for those who have the wrong (idealistic) conception about this browser... Average users are so quick to jump on a bandwagon. People tend to think entities like Google and Firefox are lights in the harbor or signs from God. They are just implementations which are better than what others are doing, and they are not as perfect as many like to imply. Firefox is no doubt an improvement over the many other options out there, but as it gains popularity, it will also gain more status as a target - much like IE has been for years now. The fact that there are still vulnerabilities should come as a surprise to no one.

    1. Re:Sounds like good news to me by deitel99 · · Score: 1

      The fact that there are still vulnerabilities should come as a surprise to no one.

      Indeed, however the hope is that the security problems will be fixed quickly, and that the developers won't ignore them, pretending they don't exist.

      The really important thing as far as I'm concerned is the length of time needed to fix newly discovered bugs, not the number, and this is where the open source development model works so much better.

    2. Re:Sounds like good news to me by 0123456 · · Score: 4, Insightful

      "The fact that there are still vulnerabilities should come as a surprise to no one."

      Of course not. But, unlike IE, these aren't 'You open a web page and your machine is taken over as a spam zombie' vulnerabilities. They should be fixed, but are less serious than the usual IE bugs... and they'll likely be fixed a lot faster.

    3. Re:Sounds like good news to me by Ieshan · · Score: 1

      "The fact that there are still vulnerabilities should come as a surprise to no one."

      The only reason it's surprising to me, is that these are bugs that have been already fixed.

      It wouldn't be a slashdot story if it read, "the Bugzilla for the Firefox project notes that in version .8 and .9, it was possible to spoof a URL by doing some nasty tricks. Here's the technical data." Or, "old release notes indicate bugs were fixed. If you want some demonstrations of these old bugs, click here!"

      Right?

    4. Re:Sounds like good news to me by Anonymous Coward · · Score: 0

      Do the world a favor and just fucking kill yourself.

      Why the fuck you would post such a pathetic troll under your real account dumbshit?

    5. Re:Sounds like good news to me by bigbadunix · · Score: 1



      Not only are 'average' users quick to jump on a bandwagon, the slashdot/oss crew (i.e. me!!) tends to be even more evangelical about such matters.

      You're absolutely correct in that it's just a different (albeit better) implementation of a model which, as we all know, will theoretically -never- be perfect.

      We work our asses off creating software that, to the best of our knowledge, is bug-free..but, c'mon...there is no such beast.

      Bug-Free software is just software for which a bug has not yet been found...whether the bug lies in the OS, libraries, the code itself, ...

      It's time for all software engineers to dismiss the utopian vision of this bug-free world, and look a bit beneath the surface...

      I'm just gonna keep rockin and rollin makin better films...Er, Um...I mean code!!

      --

      The older I get, the less I like everyone else.
    6. Re:Sounds like good news to me by GoofyBoy · · Score: 1

      I believe you missed the point of the OP.

      These are not serious Mozilla bugs, yet. IE didn't have these problems right away. Just like Mozilla are not having these problems, right away.

      --
      The surprise isn't how often we make bad choices; the surprise is how seldom they defeat us.
    7. Re:Sounds like good news to me by Anonymous Coward · · Score: 0

      Stupid fucking mods!!!

      Look at the fucking post history dipshits! Is there some sort of basic intelligence test that you have to flunk to accumulate mod points???

    8. Re:Sounds like good news to me by That's+Unpossible! · · Score: 1

      I believe you don't understand that IE is embedded into the operating system, and Firefox is not.

      There are security advantages to the latter.

      --
      Ironically, the word ironically is often used incorrectly.
    9. Re:Sounds like good news to me by Anonymous Coward · · Score: 0

      Dude, shut the fuck up.

      Every pathetic little shit who thinks they're clever by spouting the "IE is a security nightmare only cuz it's so darn popular!" shit should have their asses kicked by the whole computing world.

      IE's security problems have been widely known from the very first version, idiot. Or are you so fucking stupid that you think the world just noticed this past year the endless security nightmares Active-X creates in a Net enabled app?

      ???????

    10. Re:Sounds like good news to me by Anonymous+Brave+Guy · · Score: 4, Interesting
      But, unlike IE, these aren't 'You open a web page and your machine is taken over as a spam zombie' vulnerabilities. They should be fixed, but are less serious than the usual IE bugs...

      If you can have buffer over-run vulnerabilities in your C++ app, then you are potentially vulnerable to absolutely anything. The fact that even one exists, even in a beta development, betrays fundamentally flawed coding standards and/or QA procedures. These things should never happen in a C++ app, and the coding techniques to prevent them are trivial.

      and they'll likely be fixed a lot faster.

      Easy, tiger. As others have pointed out, most exploits of Windows/IE systems use vulnerabilities that MS patched months ago, and when critical ones do come up, patches usually do appear (with much hype) PDQ.

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    11. Re:Sounds like good news to me by I.M.O.G. · · Score: 1

      I completely understand that IE is an integral part of the OS. However perhaps you misperceived my post. My comment was speaking towards the social perception of the browsers much more than the technical. People should look at software for what it is, and in doing so, they should rightfully appreciate firefox for its advantages, but at the same time they should avoid the "z0mg, all j00 b4se R bel0ng 2 firef0x" mantra. While the article itself was technically lacking slightly, the slashdot post cleared up some critical version information - so there really isn't much of a story here... My sentiment was that hopefully it will at least serve as a wake up call to the zombie worship that gets so tired.

    12. Re:Sounds like good news to me by huge+colin · · Score: 1

      Please see this post, and all the others like it on this story.

      Mods: Please go ahead and slap a big 'ol "-1, Wrong" on parent.

    13. Re:Sounds like good news to me by dioscaido · · Score: 1

      Rank parent up. Execution of arbitrary code is no more dangerous in IE or Mozilla. Run either browser as Administrator and you are toast. Run as Limited user, and limit the damage to just the browser process (IE or Mozilla).

    14. Re:Sounds like good news to me by I.M.O.G. · · Score: 1

      Thanks for your comment. Please see this post of mine, from 9 minutes before your post for further clarification. I was stating that issues will still propagate however, in contrast to beliefs of those common users who think firefox doesn't have (had) any issues - the ones who don't follow https://bugzilla.mozilla.org/. That said, there is nothing incorrect about my post, other than the fact that it may be misinterpreted.

    15. Re:Sounds like good news to me by maryjanecapri · · Score: 0

      you see - i always thought (and maybe this is me being star-crossed) that the majority of virus/spoof/worm writers were simply targeting Microsoft because it was/is an evil empire. what's the deal? are hackers no longer content with having a cause? or are they like the younger generations of today and the "me" cause is the only cause that matters? i've been using Linux for nearly 10 years now. all the while i've had to deal with people saying "you just wait until Linux gets popular - then you'll see all sorts of viruses and worms". well Linux is popular and i've yet to see this rise of nasties. could it be that the majority of hackers DO have a conscience and are still content with wreaking havoc on MS?

      --
      nature loves variety::society hates it get your variety at http://www.monkeypantz.net
    16. Re:Sounds like good news to me by Anonymous Coward · · Score: 0

      >>If you can have buffer over-run vulnerabilities in your C++ app, then you are potentially vulnerable to absolutely anything.

      True! So why does C/C++ make it so easy to do this?

      Well, I can understand why C does, it's nothing more than a portable assembler language, but C++ (being somewhat more geared to mainstream application development) should have a 'safe' mode where bounds checking code is implemented in the compiler.

    17. Re:Sounds like good news to me by UnknowingFool · · Score: 1
      Firefox is no doubt an improvement over the many other options out there, but as it gains popularity, it will also gain more status as a target - much like IE has been for years now. The fact that there are still vulnerabilities should come as a surprise to no one.

      True, no one should view Firefox as some sort of shining white knight. It has many improvements over IE, but I disagree with you on future vulnerabilities. There will be future vulnerabilities no doubt, but I think that they will tend to be less severe and fewer in number than IE even if firefox comes to be the dominant browser.

      There are parallels in other open source projects that run counter to your argument. Currently Apache is the #1 web server in the world with about 2/3s of web servers worldwide. Yet, it has fewer and less severe vulnerabilities than IIS.

      The main problem with IE and IIS is that MS has chosen to integrate them into the OS very tightly so that when problems do occur, they are more likely to be serious. If a problem with Firefox or Apache happens, it is usually isolated to the program not the OS.

      --
      Well, there's spam egg sausage and spam, that's not got much spam in it.
    18. Re:Sounds like good news to me by Anonymous Coward · · Score: 0

      Yes - 100 new mod points to you.

    19. Re:Sounds like good news to me by dioscaido · · Score: 1

      The vulnerability exists in any language that allows pointer manipulation. You can't bound check memory access that is dynamic at runtime.

    20. Re:Sounds like good news to me by roca · · Score: 2, Informative

      > If you can have buffer over-run vulnerabilities
      > in your C++ app, then you are potentially
      > vulnerable to absolutely anything.

      Not really true.

      1) If it's a *read* overrun, it's probably not exploitable. Could possibly be an information leak.

      2) If it's a write overrun by at most 1 byte, it probably won't be exploitable.

      3) A variety of other restrictions may apply that make it not exploitable.

      4) The browser might have a buffer overrun bug that cannot be triggered by a remote Web page unless the user does some other actions than just viewing the page (e.g., save an image). Although this is still technically exploitable, it's a much less dangerous bug than something that leads to a "view this page and you're 0wned" attack.

    21. Re:Sounds like good news to me by huge+colin · · Score: 1

      Maybe I'm just very sick of people implying that FireFox isn't the best there is by a wide margin.

    22. Re:Sounds like good news to me by m50d · · Score: 1

      But can't you use -Wpointer-arith etc?

      --
      I am trolling
    23. Re:Sounds like good news to me by Lehk228 · · Score: 1

      You can't bound check memory access that is dynamic at runtime.

      Yes you can. just make sure your data structures have some part that keeps track of how many objects and what sizes they are supposed to be and compares read/write requests against them.

      --
      Snowden and Manning are heroes.
    24. Re:Sounds like good news to me by Negativeions101 · · Score: 0

      you nigger

      --

      I'm not anti-microsoft. I'm anti-bullshit. Which means I'm anti-microsoft.
    25. Re:Sounds like good news to me by http · · Score: 1

      Not sure if you spotted this tidbit
      Mozilla project recommends avoiding c++ libraries.
      almost 20 minutes before you posted. so here's the question: is mozilla a "C++ app"?

      --
      If opportunity came disguised as temptation, one knock would be enough.
      3^2 * 67^1 * 977^1
    26. Re:Sounds like good news to me by Anonymous+Brave+Guy · · Score: 1

      Thanks, but I had indeed spotted that. In fact, I already made a fairly damning comment on that particular coding standard elsewhere in the thread.

      To answer your question, yes, Mozilla is a C++ app, but one which by design fails to take advantage of many of the safety and reliability benefits that C++ brings over C. :-(

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
  16. It's fulfilling its prophecy by mOoZik · · Score: 1, Redundant

    As it becomes more and more popular, more and more bugs will be discovered. There is no inherently secure piece of software: it's only a matter of problems / volume.

    1. Re:It's fulfilling its prophecy by Anonymous Coward · · Score: 0

      errr, these bugs were fixed BEFORE firefox 1.0, hence before the huge surge in usage. This more popular stuff is a load of crap as well, does Apache get a proverbial shit load more bugs exploited than IIS? No.

  17. And.... by maztuhblastah · · Score: 2, Insightful

    Undoubtedly, proponents of MS will point to this and say "See...told you so..."

    The difference between Mozilla/other OSS and MS software is that while a bug in IE will remain unfixed for months (unless it's such a glaring error that the media grills them for it,) a bug in Moz/Firefox won't last very long. So the real issue that we need to remember is not that three bugs were found, but that unlike MS three bugs will be fixed.

    Cheers,
    -maztuh

    1. Re:And.... by WhiteWolf666 · · Score: 1

      The REAL news is the three bugs in firefox were fixed....

      Oh wait, that wouldn't be news, that would be business as usual.

      Read The Article. These are fixed.

      --
      WhiteWolf666 an exBush supporter. All you new-school,compassionate,save the children Republicans can rot in hell
    2. Re:And.... by maztuhblastah · · Score: 1

      I did read the article. That was my point. ;)

    3. Re:And.... by BenjyD · · Score: 1

      Proponents of IE would be very stupid to point people to Secunia. After all, Secunia currently says:

      "Microsoft Internet Explorer 6 with all vendor patches installed and all vendor workarounds applied, is currently affected by one or more Secunia advisories rated Extremely critical"

      ...and has 21 (out of 75) unpatched vulnerabilities, compared to Firefox's 4 low threat vulnerabilities.

  18. The first one should be easy to fix by Anonymous Coward · · Score: 0

    The first one should be easy to fix.

    It's more important to see from where you're downloading (the source) than what you are downloading (the content).

    Hackers can emulate the ending of a URL but not the beginning!

  19. Re:Unacceptable by WhiteWolf666 · · Score: 1

    According to the article, all firefoxes less than 1.0, and mozilla pre-1.7.5.

    They were spotted and corrected before rollout :)

    --
    WhiteWolf666 an exBush supporter. All you new-school,compassionate,save the children Republicans can rot in hell
  20. So what about. . . by smooth+wombat · · Score: 1

    the 75 outstanding Secunia security advisories for IE or the 33 security advisories for Opera? Don't they get equal billing?

    --
    We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
    1. Re:So what about. . . by Anonymous Coward · · Score: 0

      haha you gotta be new to /.

    2. Re:So what about. . . by Anonymous Coward · · Score: 1, Insightful

      Whatever you do, don't tell an Opera user about security issues with their browser. Hell, don't criticise it at all... They're more rabid & fanboy than Apple's worst. You'll lose body parts.

    3. Re:So what about. . . by Anonymous Coward · · Score: 0

      Yes, but look how serious these bugs are:

      1. I download a file and it might not come off the server that it says in the download dialog!!! OMG. I always pay attention to that, fer sure. I might think I'm getting a free copy of XP directly from Microsoft and it will turn out to be a virus-laden clop from some russkie hacker. Boy was I duped by that email.

      2. Click on a news: link. Hunh? When was the last time I saw a news: link? That's that usenet pr0n thing, right? I only click on links that say http://, https://, telnet:// or virus://.

      3. All of the other people using my computer may be able to see my browser history. Oh wait, they're all sitting in this chair right now!

    4. Re:So what about. . . by Anonymous Coward · · Score: 0

      What's to tell? Yeah there's 33 advisories, but 30 of them have been patched.. And 1 of the 3 unpatched ones only apply to Linux, I use the windows client.

      The other 2 unpatched ones involve stupid users to produce (being tricked into thinking a popup from 1 site is for another.. But wait.. Didn't this affect ie and firefox also?)

    5. Re:So what about. . . by m50d · · Score: 1

      Sorry, but 2. is a serious bug. Just because you don't go on usenet, doesn't mean no-one does. Any link should be safe.

      --
      I am trolling
    6. Re:So what about. . . by Anonymous Coward · · Score: 0

      No, because those are all redundant stories. How many days does it take for a new IE hole to be found? Firefox didn't spend years in development and open-beta for no reason. The FF team redoubled their efforts.

    7. Re:So what about. . . by Anonymous Coward · · Score: 0

      > The other 2 unpatched ones involve stupid users to produce
      > (being tricked into thinking a popup from 1 site is for another.. But
      > wait.. Didn't this affect ie and firefox also?

      Lucky it affects ie and firefox, cos you know, if a vulnerability affects another program then it's not a problem on yours, but may as well use it to take a dig at those others!

  21. Third item... by Anonymous Coward · · Score: 5, Informative

    This only applies to Windows platforms. Linux and Unix versions maintain all user information in the homedir, preventing access to ordinary users.

    1. Re:Third item... by shis-ka-bob · · Score: 2, Informative

      Please read the third item. This is clearly describing a Unix-like system with a /tmp directory and xpdf as a pdf viewer. This isn't what you find on Windows. This whole issue is a tempest in a teapot. All of these issues are closed and the 'fix' is simply to run the current package. Just 'portupgrade' or whatever your system uses to update packages and ignore this warning.

      --
      Think global, act loco
    2. Re:Third item... by Anonymous Coward · · Score: 0

      Assuming what you said was true, this relies on security permissions for the home dir being correctly configured. If Windows was also correctly configured (i.e. nobody running as admin, NTFS, and correct security permissions) the exact same is true of Firefox on Windows.

    3. Re:Third item... by swv3752 · · Score: 1

      Actually it was demonstrated on Linux. However, it is only applicable to downloaded files that you select to open rather than save. So say you do not have the acrobat reader plugin, you download a pdf file, rather than select save, you choose open with xpdf.

      Doing this leaves a world readable file in /tmp. A minor security issue, but nothing to get worked up about and leaves a very easy work around. Save the file and nothing is left in /tmp, or manually clean /tmp after your browsing if you are that paranoid.

      Also consider, just how many files are you opening from within a web browser that are not being handled directly by a plugin or just saved to disk? Maybe *.pdf if you do not have acrobat, maybe a few *.docs, but not terribly many. Basically, it means that someone might be able to see the manuals and whitepapers you read. Social engineering would get better data than this "exploit".

      --
      Just a Tuna in the Sea of Life
    4. Re:Third item... by the+pickle · · Score: 1

      Thank you, AC. I was going to point out that this had NEVER been a problem on OS X at all.

      The real root of this issue is that Windows was not designed from the ground up to be a multi-user OS, and the atrocious hacking that Redmond has done to make it one has given us the security nightmare that we have now. Yes, Mozilla could have done something about it, but without the privilege nightmare that is individual XP "Users," this wouldn't have been an issue in the first place!

      p

    5. Re:Third item... by Anonymous Coward · · Score: 0

      False. The old Windows codebase was not designed to be multi-user. NT was and all modern variants of Windows are based off NT. By the way, the NT security model is arguably much better than the UNIX one. The implementation on the other hand has been sloppy. But implementation != design.

    6. Re:Third item... by JimRay · · Score: 1

      Not only that, but if you're on OS X and you , you can surf truly worry free.

      And correct me if I'm wrong on this, but doesn't Windows even have a user-level documents and settings directory? Seems like a logical enough place to store something like a browser cache.

      This strikes me not so much as a browser issue, but as a filesystem issue. It's kind of like saying that BBEdit is insecure because anyone can read the docs you write. Well...yeah, unless you put them in an encrypted folder or some other such thing.

      --
      My other computer is your Windows box
  22. Jeebus Kriced by killmenow · · Score: 5, Funny
    So sayeth the submitter:
    Let's hope that these will be fixed soon!
    Slashdot has gotten so bad, now the submitters don't even RTFA!
    1. Re:Jeebus Kriced by Euphorea · · Score: 1

      So true... but then, can the same not also be said about the "staff" member who approved the article? I suppose there would be quips on that comment though that those who approve the postings hardly ever seem to read the actual postings they're approving, nevermind the article referred to in the post.

    2. Re:Jeebus Kriced by killmenow · · Score: 1

      Well, I figured it's a given that /. "editors" (more like "fake news moderators") don't check links. This is the first time I can recall a submitter didn't even check his own links.

      But then, I'm more of the opinion now that I think about it that said submitter meant to do that.

  23. RTFA - Answers await by Anonymous Coward · · Score: 2, Informative

    As the article clearly states, all three have been fixed. Simply use the latest versions of the software.

    1. Re:RTFA - Answers await by Gizmhail · · Score: 1

      Shouldn't an update be posted to this news....It's quite biased, or false, for now. A simple "Update : This has been fixed in the last versions. " would do, no?

  24. This article is BOGUS! by WhiteWolf666 · · Score: 5, Informative

    The Slashdot article, not security focus. In plain text, at the top, it says these were FIXED in the latest versions.

    They affect Firefox versions BEFORE 1.0, Thunderbird BEFORE .9, and Mozilla BEFORE 1.7.5.

    This article was posted by some MS shill who is hoping that because Slashdot is spidered by Google news they will get some mainstream journalism about Firefox's bugs!

    This is TOTAL crap! Let the MS Smear campaign begin!

    --
    WhiteWolf666 an exBush supporter. All you new-school,compassionate,save the children Republicans can rot in hell
    1. Re:This article is BOGUS! by WhatAmIDoingHere · · Score: 1

      Wait, begin?

      --
      Not a Twitter sockpuppet... but I wish I was.
    2. Re:This article is BOGUS! by Stevyn · · Score: 1

      I think this article is just as relevant:

      http://www.bugnet.com/analysis/reports/win98_1.html

    3. Re:This article is BOGUS! by elecngnr · · Score: 2, Informative

      How did this pass muster? The article clearly states:

      Various vulnerabilities were found and fixed [emphasis added] in Mozilla-based products, ranging from a potential buffer overflow and temporary files disclosure to anti-spoofing issues.

      While I recognize the article does state in the middle of it that it was for releases prior to the current ones, why not say that in the title or somewhere in the first sentence. Saying something like, "People using older versions of.....may be vulnerable to security flaws." At first glance, this article is a little misleading.

      --
      Having done so much with so little for so long, I now can do anything with nothing at all.
    4. Re:This article is BOGUS! by Muttonhead · · Score: 1

      MS shill? Yeah, Slashdot itself.

    5. Re:This article is BOGUS! by qpgmr · · Score: 1

      The same stories were widely distributed by both Computerworld and Infoworld newsletters yesterday to the business IT community - the same managers who are wrestling with idea of trying firefox.
      Awfully convenient for microsoft.

    6. Re:This article is BOGUS! by alphakappa · · Score: 1

      If you read TFA it says that Firefox versions 1.x are affected.

      --
      "When the only tool you own is a hammer, every problem begins to resemble a nail." - Abraham Maslow (1908-1970)
  25. It *is* already fixed! by Freggy · · Score: 2, Informative

    Guys, wake up, old news. According to the article, all bugs were fixed in Mozilla 1.7.5 and Firefox 1.0.

    Move on people, nothing to see here!

    1. Re:It *is* already fixed! by generic-man · · Score: 2, Informative

      Guys, wake up. According to the first advisory, Mozilla 1.7.5 and Firefox 1.0 are still vulnerable.

      --
      For more information, click here.
  26. who uses xpdf? by Anonymous Coward · · Score: 0

    xpdf was so buggy years ago that I switched to Adobe Acrobat and never looked back.

    1. Re:who uses xpdf? by m50d · · Score: 1

      I do, because my mousewheel doesn't work in Adobe Acrobat and I can't read long texts very well without my wheel.

      --
      I am trolling
  27. Re:Unacceptable by Col.+Klink+(retired) · · Score: 1

    > I haven't read TFA all the way through yet

    And now you know why people always say RTFA...

    --

    -- Don't Tase me, bro!

  28. These vulnerabilities will be fixed in three... by bshroyer · · Score: 1

    two...

    What, they're fixed already?

    Never mind.

    I love open source.

    --
    The cure for cancer is coming: Reovirus
  29. Let's stick to issues within the current version by jtapper · · Score: 1

    The news:// link issue reported is for "Mozilla 1.7.5 and below, Firefox versions before 1.0".
    Firefox 1.0 has been out for weeks already and most extensions have been updated to work with this new version.
    The mozilla 1.7.5 is the current version, but if these are the 3 biggest security issues that can be found, then that only cements my position as a long-time firefox user.
    I'd hate to see a post on slashdot every time there are 3 issues of this severity found for IE.

    --
    Got a site/story worth sharing? Leave a mark
  30. The reality... by eastshores · · Score: 2, Insightful

    Is that Firefox, and most likely ANY product that attempts to compete with an established Microsoft product will have to face two issues that Microsoft constantly faces: 1) Features take precedence in the development lifecycle forcing security to become an after-thought. 2) As popularity increases, so does visibility which is currently one of the primary factors in determining scrutiny for such issues.

    I still prefer Firefox for it's usability features. It wasn't long ago that they got in place a "Software Update Available" mechanism for just these types of circumstances. In turn, people that think Firefox is immune from security issues should look at the past and come back down from their orbit ;)

    1. Re:The reality... by Anonymous Coward · · Score: 0

      RTFA please.

      You're speculating based on a bad summary where the submitter didn't RTFA or misconstrued the A.

      You're participating in the same thing.

    2. Re:The reality... by Anonymous Coward · · Score: 0

      Is that Firefox, and most likely ANY product that attempts to compete with an established Microsoft product will have to face two issues that Microsoft constantly faces: 1) Features take precedence in the development lifecycle forcing security to become an after-thought. 2) As popularity increases, so does visibility which is currently one of the primary factors in determining scrutiny for such issues.

      I still prefer Firefox for it's usability features.


      Just as hitting the Submit button in the post reply cycle forces grammar to become an afterthought?

    3. Re:The reality... by Politburo · · Score: 1

      2) As popularity increases, so does visibility which is currently one of the primary factors in determining scrutiny for such issues.

      I don't think this is exactly it. I think the problem that popularity brings is that it means there are more people out there using the software. With more people using the software, you're going to have more 'old installs'. As we know from some MS/IE exploits, it doesn't matter if the latest version is patched when your userbase is running an old version.

      As with most things, it comes back to user education.

  31. So we have by hattig · · Score: 4, Insightful

    Problem One: A String Formatting Issue, URLs should be shown as "http://www.blah.com/.../www.spoof.com/register.php" rather than ".../www.spoof.com/register.php" and users should be shot if they can't recognise a valid URL.

    Problem Two: Beta Firefox? That's not an issue then. Otherwise, who let a buffer overflow get into the codebase?

    Problem Three: Surely this is more of a problem with Windows' Security model? if an OS is used essentially as a single user machine (e.g., 9x) then there is little that can be done between profiles.

    1. Re:So we have by Timesprout · · Score: 1

      Problem 4: Slashdot poster pontificates about windows security without RTFA and makes bizarre claim that the windows security model causes vulnerabilities with thunderbird on debian unstable.

      --
      Do not try to read the dupe, thats impossible. Instead, only try to realize the truth
      What truth?
      There is no dupe
    2. Re:So we have by Anonymous Coward · · Score: 0

      How can someone read someone else's settings and data on Debian unless the administrator has set all the user directories to world readable? Last time I checked, Firefox, Mozilla, Thunderbird, etc, all stored their data, caches, etc, in the user's home directory, under .mozilla, etc.

      Or is Debian one of the Linux variants with a single group for users. Might merely have all the user directories group readable in that case.

    3. Re:So we have by Dorothy+86 · · Score: 1
      Problem Three: Surely this is more of a problem with Windows' Security model? if an OS is used essentially as a single user machine (e.g., 9x) then there is little that can be done between profiles.


      Even if it is an OS problem, you can't see the caches, etc, of another user in IE. The software should compensate for the poor design of the OS (in this instance anyways; as it could be a security risk.)

      Joe and Jane user probably aren't too worried that their wife or husband can see their emails... what average user digs around in the file structure anyhow?

    4. Re:So we have by Anonymous Coward · · Score: 0

      How does having the software compensate for poor OS design handle the case when the user bypasses using the software? Unless you are advocating the software spend valuable CPU cycles running an encrypted cache! Which would even lock the information from the legitimate user!

      User Security is an OS level thing.

    5. Re:So we have by MikeBabcock · · Score: 1

      The spoofing vulnerability is only partly an issue in my mind.

      Personally, I'd love Firefox to try and catch obvious spoof attempts and warn the user immediately that the link looks like an attempt to spoof a source, but this again will just be worked around eventually.

      A mouse-over showing the actual source host for the link in question would be nice but wait, there's already an extension for Firefox that does that.

      --
      - Michael T. Babcock (Yes, I blog)
    6. Re:So we have by Frank+T.+Lofaro+Jr. · · Score: 1

      Problem 3 on UNIX (TM) and UNIX-based systems means files are chmoded 644 instead of 600 when it is running an external viewer. That is quite serious.

      --
      Just because it CAN be done, doesn't mean it should!
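
Added example (not part of the thread, and not Mozilla's code): the 644-versus-600 difference described in the comment above, reproduced in a scratch directory, together with a check that lists files other local users could read. The file names, sample bytes and function names are constructed for illustration.

```python
import os
import stat
import tempfile


def write_weak(directory, name, data):
    """Create a helper file the way the comment describes: mode left to the umask."""
    old = os.umask(0o022)  # common default umask, set explicitly so the demo is repeatable
    try:
        path = os.path.join(directory, name)
        with open(path, "wb") as fh:  # open() asks for 0666; umask 022 leaves 0644
            fh.write(data)
    finally:
        os.umask(old)
    return path


def write_private(directory, suffix, data):
    """Hardened variant: mkstemp creates the file exclusively, with mode 0600."""
    fd, path = tempfile.mkstemp(suffix=suffix, dir=directory)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


def mode_of(path):
    """Permission bits of a file, without following symlinks."""
    return stat.S_IMODE(os.lstat(path).st_mode)


def exposed_files(directory):
    """Return (path, mode) for our own regular files that group or others can read."""
    uid = os.getuid()
    hits = []
    for entry in os.scandir(directory):
        st = entry.stat(follow_symlinks=False)
        if not stat.S_ISREG(st.st_mode) or st.st_uid != uid:
            continue
        mode = stat.S_IMODE(st.st_mode)
        if mode & (stat.S_IRGRP | stat.S_IROTH):
            hits.append((entry.path, mode))
    return sorted(hits)


def demo():
    """Write the same constructed attachment both ways and audit the directory."""
    sandbox = tempfile.mkdtemp(prefix="viewer-demo-")
    data = b"%PDF-1.4 constructed sample attachment\n"
    weak = write_weak(sandbox, "attachment.pdf", data)
    private = write_private(sandbox, ".pdf", data)
    return weak, private, exposed_files(sandbox)


if __name__ == "__main__":
    weak, private, hits = demo()
    print("weak    %s %04o" % (weak, mode_of(weak)))
    print("private %s %04o" % (private, mode_of(private)))
    for path, mode in hits:
        print("readable by other users: %s (%04o)" % (path, mode))
```

Pointing `exposed_files` at the real temporary directory shows which of your own files a program has left readable there.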
    7. Re:So we have by zcat_NZ · · Score: 1

      Your suggestion is broken already; I use a link of http://www.windowsdownload.microsoft.com.mysite.org/ or similar, and if the name is sufficiently long it'll get truncated to "http://www.windowsdownload.microsoft.com..."

      My solution would be to put ellipses (...) in the download window so that it's clear the name has been truncated, and show the full URL in the status bar when the user hovers over the link. Which means AFAIC this is a complete non-issue.

      --
      455fe10422ca29c4933f95052b792ab2
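
Added example (not part of the thread, and not Firefox's code): one way to shorten a download source for display so that the truncation discussed above cannot hide the end of the host name. It goes slightly beyond the comment's proposal by also choosing which side of the host to cut; the function names and the second sample URL are assumptions made for the example.

```python
from urllib.parse import urlsplit

ELLIPSIS = "..."

# First URL is the one from the comment above; the second is constructed.
SPOOF = "http://www.windowsdownload.microsoft.com.mysite.org/"
LONG_PATH = ("http://downloads.example.org/pub/releases/2005/01/"
             "installer-full-package-win32.exe")


def naive_truncate(url, width=40):
    """Cut on the right: keeps the start of the host and drops its end."""
    return url if len(url) <= width else url[:width] + ELLIPSIS


def _shorten_host(host, budget):
    """Drop whole labels from the left until the host fits.

    The rightmost labels decide who controls the name, so the last two
    are always kept, even if that exceeds the budget.
    """
    labels = host.split(".")
    cut = False
    while len(".".join(labels)) + len(ELLIPSIS) > budget and len(labels) > 2:
        labels.pop(0)
        cut = True
    return (ELLIPSIS if cut else "") + ".".join(labels)


def display_source(url, width=40):
    """Shorten a URL for display; every cut is marked with an ellipsis."""
    parts = urlsplit(url)
    prefix = parts.scheme + "://"
    host = parts.hostname or ""  # userinfo and port are not displayed
    rest = parts.path + ("?" + parts.query if parts.query else "")
    budget = width - len(prefix)

    if len(host) > budget:
        # Host alone is too long: cut it on the left, collapse the path.
        tail = "/" + ELLIPSIS if rest not in ("", "/") else ""
        return prefix + _shorten_host(host, budget) + tail

    room = budget - len(host)
    if len(rest) <= room:
        return prefix + host + rest
    if room < len(ELLIPSIS) + 2:
        return prefix + host + "/" + ELLIPSIS

    # Host fits in full: elide the middle of the path, keep the file name end.
    head = (room - len(ELLIPSIS)) // 2
    back = room - len(ELLIPSIS) - head
    return prefix + host + rest[:head] + ELLIPSIS + rest[-back:]


if __name__ == "__main__":
    for url in (SPOOF, LONG_PATH):
        print("naive :", naive_truncate(url))
        print("safer :", display_source(url))
```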
    8. Re:So we have by Anonymous Coward · · Score: 0

      pplz just use internet explorer

  32. Open Source/Security by Rick+and+Roll · · Score: 1

    I noticed that the news protocol hole is one part of the source that few developers are interested in. Because of this, bugs like this are less likely to get discovered.

    The UI hole (right-aligning the URL) is also in an unexpected place.

    I always hear talk about the problem with Open Source is people only do the fun stuff. Well, for different people, different things are fun. For some people a security review is very fun. Of course, not as fun as doing a security review on the otherwise most interesting part of the codebase, but fun nonetheless.

    So if you enjoy doing security reviews, help Mozilla out. Discovering one of these hidden bugs could definitely help out the I'm sure they could use a couple of eyes in the parts of the code currently not subject to scrutiny. Also, it could help you to become a security expert.

    Now that I think about it, that may be just what the people that discovered the hole were doing. It certainly will be good for their career.

    1. Re:Open Source/Security by jesser · · Score: 1

      The UI hole (right-aligning the URL) is also in an unexpected place.

      Security-related dialogs are actually a major source of security holes in web browsers.

      --
      The shareholder is always right.
  33. Does no one read anymore? by GweeDo · · Score: 2, Informative

    Affected packages
    =================

    Package / Vulnerable / Unaffected
    1 mozilla / < 1.7.5 / >= 1.7.5
    2 mozilla-bin / < 1.7.5 / >= 1.7.5
    3 mozilla-firefox / < 1.0 / >= 1.0
    4 mozilla-firefox-bin / < 1.0 / >= 1.0
    5 mozilla-thunderbird / < 0.9 / >= 0.9
    6 mozilla-thunderbird-bin / < 0.9 / >= 0.9

    So, let's try reading this data. If you are running version 1.0 of Firefox, version 1.0 of Thunderbird or version 1.7.5 of Mozilla (all the latest versions) you have NONE of these issues. Geez....

    1. Re:Does no one read anymore? by BenjyD · · Score: 5, Informative

      Apart from the first issue, of course, which reads:

      "The vulnerability has been confirmed in Mozilla 1.7.3 for Linux, Mozilla 1.7.5 for Windows, and Mozilla Firefox 1.0. Other versions may also be affected."

      So it's actually just one spoofing vulnerability. It's probably a result of fixing the bug in 0.9.something where an overly long (>4kb, IIRC) URL in the address bar could cause firefox to lock up the x-server.

    2. Re:Does no one read anymore? by bonch · · Score: 0, Flamebait

      I see articles posted on Windows vulnerabilities affecting pre-SP2 installs all the time. I didn't realize Slashdot wasn't supposed to talk about security flaws that affected recent versions but not the absolute latest version of something. If that's true, it's a waste of time looking to this place for security news.

  34. The important thing is how quickly they get fixed. by seanyboy · · Score: 1

    It's obvious that the more mainstream Firefox becomes, the more exploits are going to be found / used. It was inevitable that there would be exploits, but the test of Open Source vs Closed Source is how quickly the problems are fixed and rolled out. I think the next year is going to be an interesting one for Firefox developers.

    --
    Training monkeys for world domination since 1439
  35. Re:The important thing is how quickly they get fix by WhiteWolf666 · · Score: 1

    Eh? They ARE fixed....

    These affected firefox beta, not release. Check the article..
    By my calculations, fixed over 2 months ago.

    --
    WhiteWolf666 an exBush supporter. All you new-school,compassionate,save the children Republicans can rot in hell
  36. In my opinion, thats a much more serious issue by Anonymous Coward · · Score: 0

    Than some string formatting issue!

    I mean what you describe circumvents the whole issue of having a multi-user system and security model.

  37. I'm concerned about 0-Day by IcEMaN252 · · Score: 4, Insightful

    The really important thing as far as I'm concerned is the length of time needed to fix newly discovered bugs, not the number, and this is where the open source development model works so much better.

    I'm also concerned about those nasty 0-Day vulnerabilities that are out there but we don't know about. The problem with open source is that the code is out there, so it's easier to find the bugs. The saving grace is that the code is generally better, and there are usually more white hats looking for the problem than black hats.

    I still think FF is safer than IE, but I also think it's just as important to be wary of the bugs we don't know about as the ones we do. The same goes for any software product.

    --
    CitrusTV (http://www.citrustv.net): the Nation's Oldest & Largest Entirely Student-Run Television Station
    1. Re:I'm concerned about 0-Day by dustinbarbour · · Score: 1

      Here's a tip.. User education is more important than anything! I'm a fairly educated user and I haven't received a virus in years. I haven't seen porn spam in months. I haven't seen nasty popups or ads in a long time. I haven't been caught by phishers. I haven't clicked on any malformed news:// links. Education, education, education.. education is the key!

    2. Re:I'm concerned about 0-Day by _Sprocket_ · · Score: 1


      The problem with open source is that the code is out there, so it's easier to find the bugs. The saving grace is that the code is generally better, and there are usually more white hats looking for the problem than black hats.


      Of course, you don't have to have source code to find exploitable bugs. So closed or secret source doesn't entirely solve the 0-day issue.

      The double-edge sword to open source is that it lowers the boundaries to looking for bugs. The hope is that this lower boundary will mean that more people interested in fixing bugs will join the effort than those motivated by malicious intent.
    3. Re:I'm concerned about 0-Day by IcEMaN252 · · Score: 1

      Of course, you don't have to have source code to find exploitable bugs. So closed or secret source doesn't entirely solve the 0-day issue.

      You are exactly right. But, it does generally help to have the code, but, yes, it's not needed at all.

      Still I agree, open source is still generally more secure. I don't usually check the code for backdoors, trojans, etc. But, with open source you can look at the code and inspect it for yourself. For all we know, Windows has some sort of series of passwords that will backdoor you in. It probably doesn't, but it's far harder to check without access to the code.

      --
      CitrusTV (http://www.citrustv.net): the Nation's Oldest & Largest Entirely Student-Run Television Station
    4. Re:I'm concerned about 0-Day by Anonymous Coward · · Score: 0

      How the heck can you be wary of bugs (or anything else for that matter) that you don't know about?

    5. Re:I'm concerned about 0-Day by _Sprocket_ · · Score: 1

      There are things that you know.

      There are things that you don't know.

      Then there are things that you know you don't know. And there are things that you don't know you don't know. ;)

    6. Re:I'm concerned about 0-Day by Anonymous Coward · · Score: 0

      Can you please substantiate those claims? Specifically:

      1) The code of open source software is "generally better."
      2) There are more white hats looking for problems than black hats.

      As far as I know, these are just hopes that the Slashdot crowd treat as facts.

    7. Re:I'm concerned about 0-Day by IcEMaN252 · · Score: 1

      1) Please compare IIS and Apache. Rate both products on efficiency and security. Factor in the usage base and number of people served.

      2a) Look at the number of software developers working on a project. Add a percentage of total users to representing those who are of sufficiently advanced skill to understand the code with a desire to review it. Compare to the percentage of black hat hackers who would target the application.

      2b) In any case, open source will usually have a better ratio of white hats examining and fixing the code to black hats attacking it. The pool of white hats for closed source is limited, while the pool of white hats for open source is theoretically unlimited.

      Consider that a thought experiment, because I at least don't have those figures. You can still make reasonable estimates and infer the likelihood of truth to my claims.

      Not all good arguments are deductive, a lot can be learned from induction.

      (Yes, I know that wasn't an inductive argument.)

      Feel free to shoot me down.

      --
      CitrusTV (http://www.citrustv.net): the Nation's Oldest & Largest Entirely Student-Run Television Station
  38. Obligatory fix... by pctainto · · Score: 1

    Download Firefox!

    Seriously, all of these are fixed in the current version. The poster even says it with regards to the buffer overflow problem!

    --
    I think my principles are reachin' an all time low
  39. Yipee by Anonymous Coward · · Score: 0

    So, let's see...Mozilla is touted as the best browser to replace IE, yet we get the same thing all over again (buffer overflows, security issues, etc.)

    Ok, sure, they claimed the issues will be fixed very quickly and here are my concerns:
    1. Is there a patch or do I have to download the whole browser and reinstall?

    2. How often does this happen? One patch/reinstall every few weeks? Do you guys seriously expect an Admin to roll out new installs/patches every few weeks? Are you even remotely aware of the full cycle testing/QA effort that's involved to make sure your corporate app still works properly with the new versions?

    Face it. Mozilla will encounter the same issues as IE no matter what.

    Oh, a side note. If I have Windows and I want to use Mozilla, why do I have to use IE first to download mozilla?? I already have IE installed, why do I need to download yet another browser and install it?

    1. Re:Yipee by TychoCelchuuu · · Score: 1

      But the problems are fixed. Your point is moot. MOOT!

      --
      Against stupidity the Gods themselves contend in vain.
    2. Re:Yipee by dajak · · Score: 2, Funny

      Oh, a side note. If I have Windows and I want to use Mozilla, why do I have to use IE first to download mozilla?? I already have IE installed, why do I need to download yet another browser and install it?

      Never download Mozilla with IE or any other insecure product! Only download Mozilla with Mozilla!

      If you download it with IE you may not be downloading the REAL Mozilla. That's what I tell people who report Mozilla crashing and stuff like that. The real Mozilla is flawless. How do you know you are using the real Mozilla?

      Also never let someone else install Mozilla from a storage device. They may have tampered with it.

      Remember: It's an open source product, so anyone can recompile it with his own malware embedded!

      1. Is there a patch or do I have to download the whole browser and reinstall?

      See Tools>Options>Software Updates

    3. Re:Yipee by Anonymous Coward · · Score: 0

      You don't have to use IE to download mozilla. There is a thing called FTP. And windows comes with a command line FTP client. Yipee!!

      ftp://ftp.mozilla.org

  40. Re:The important thing is how quickly they get fix by Anonymous Coward · · Score: 0

    They're ALREADY fixed!

    When will people read the damn articles and when will the slashdot editors check the content of the damn stories they post

  41. There's a Shared Documents folder for that. by Anonymous Coward · · Score: 0

    That everyone has access to, it's in the All Users profile, as Shared Documents (instead of My/Username Documents).

    Pretty trivial to direct your storage of photos/documents that everyone needs access to, to that folder.

  42. Quick! Somebody submit a story! by WhiteWolf666 · · Score: 1

    Anyone good at writing up story submissions?

    Time to troll Slashdot! Seriously...Given that all three bugs are ALREADY fixed, it shouldn't be too hard to sneak a 'troll' story by about how the Mozilla foundation responded instantaneously to these bug reports.

    Use this url http://www.mozillazine.org/talkback.html?article=5844 for the nntp flaw, and link to the same security focus article regarding the other two.

    Why? Because the security article tells you to update your mozilla based software to the latest version to avoid these no-longer-existing.

    An excellent opportunity to troll the story submission queue, and given the cluelessness of slashdot editors, it should be pretty easy to sneak it by.

    --
    WhiteWolf666 an exBush supporter. All you new-school,compassionate,save the children Republicans can rot in hell
  43. News Headline: FireFox vulnerable to attack by NoelWeb · · Score: 0

    I'm switching to IE, a browser made by a company who cares about ME.

  44. IE more Secure than Mozzilla and Fire Fox? by Anonymous Coward · · Score: 0

    Say it isn't so! *rolls eyes*

    [Fe]how can a program that is cobbled together by people with no eye to security and will give the source code to any passing stranger who wants it, be more secure than a bunch of paranoid security freaks who jealously guard their source code?[/Fe]

  45. And the response from Redmond is... by fisheye1969 · · Score: 1

    ...here is absolute proof that Mozilla-based browsers are as full of holes as IE: "Three exploits in one day! Open source just doesn't work!"

    I can't wait for this to be, ahem, exploited.

    Sadly, then will begin a new round of "your analysis methods are crap" ad infinitum, ad nauseam.

  46. I bet you didn't bother to RTFA by Anonymous Coward · · Score: 0

    quote me! :)

  47. Nothin to worry about by DarkLox · · Score: 0

    If this is the worst "exploits" they could find with mozilla...I think we'll be JUUUST fine.

    --
    Momma told me that sigs are for the devil
  48. Funny by Maleix · · Score: 1

    I find this ironically humorous.

  49. These are silly! by Szaman2 · · Score: 1

    While the news:// bug seems to be pretty serious, please note that it has been fixed in the newest versions of the software. So this is mostly just a back-version issue which won't affect the new users, and those who updated their software.

    It needs to be fixed, but it is not the "OMFG we are all screwed - let's switch to IE NOW!" situation. The remaining two vulnerabilities don't seem that bad. The solution for the long url problem should be merely cosmetic - just put a scrollbar there and you're done (maybe add a function call which will parse url and escape funky characters to prevent spoofing - if one is not there already - but I think Moz always had that working as it should as opposed to IE team).

    File storage thing seems to simply be a design problem which is not unique to Mozilla. Moz products store temp files in the default temp directory for the system. BFD! So does almost every piece of software out there which has to deal with lots of temp files. And we are not talking about browser cache - that is stored in your home. These are temp files for plugins and 3rd party viewers...

    I'm actually not sure if that problem is actually a mozilla bug or unintended xpdf side effect...

    So I would say 1 vulnerability, one possible spoofing risk and one possible mild privacy related concern. Not bad compared to all the unpatched IE issues

  50. fhqwhgads, is that you?!!! by Anonymous Coward · · Score: 0
    "Come on, mopds" ?!!!

    i love u!

  51. Long URL? by discordja · · Score: 3, Funny
    This security issue is really easy to replicate: Create a long URL and the downloading box will only display its ending (Mozilla and Firefox).

    is this long enough?
    http://hugeurl.com/?MjYzODBkMDE2ZTI1M2Q3ODQ5ZThlYm Q1YjRhMjMxMjgmMTImVm0wd2QyUXlVWGxXYTJoV1YwZG9WVll3 Wkc5alJsWjBUVlpPV0Zac2JETlhhMUpUVmpGYWMySkVUbGhoTW sweFZqQmFTMk15U2tWVWJHaG9UVmhDVVZadGVGWmxSbGw1Vkd0 c2FsSnRhRzlVVjNOM1pVWmFkR05GZEZSTlZUVkpWbTEwYTFkSF NrZGpTRUpYVFVad1NGUlVSbUZqVmtaMFVteFNUbUY2UlRGV1ZF b3dWakZhV0ZOcmJGSmlSMmhZV1d4b2IwMHhXbGRYYlVaclVsUk dXbGt3WkRSVk1rcElaSHBHVjJFeVVYZFpWRVpyVTBaT2NscEhj RlJTVlhCWlZrWldhMVV5VW5OalJtUllZbFZhY1ZscldtRmxWbV J5VjI1a1YwMUVSa1pWYkZKRFZqQXhkVlZ1V2xaaGExcFlXa1Zh VDJOdFNrZFRiV3hYVWpOb1dGWnRNSGRsUjBsNFUydGthVk5GV2 xSWmJHaFRWMVpXY1ZKcmRGUldiRm93V2xWb2ExWXdNVVZTYTFw WFlrZG9jbFpxU2tabFZsWlpXa1prYUdFeGNGaFhiRnBoVkRKT2 RGSnJhR2hTYXpWeldXeG9iMWRHV25STlNHaFBVbTE0VjFSVmFH OVhSMHBJVld4c1dtSkhhRlJXTUZwVFZqRmtkRkp0ZUZkaWEwcE lWbXBKZUUxR1dsaFRhMlJxVWtWYVYxWnFUbTlsYkZweFUydGth bUpWVmpaWlZWcHJZVWRGZUdOSGFGaGlSbkJvVmtSS1QyUkdTbk poUjJoVFlrVndWVlp0ZUc5Uk1XUlhWMWhvV0dKWVVrOVZha1pI VGxaYVdFNVZPVmhTTUhCNVZHeGFjMWR0U2toaFJsSlhUVlp3V0 ZreFdrdGtSa3B6Vld4a2FXRXdjRWxXYlhCTFpXczFWMWRzYUZS aE1sSndWV3RhUzFZeFVsaE9WemxzWWtad2VGVXlkR0ZpUmxwel UyeHdXbFpXY0hKV2FrWkxWMVpHY2sxV1pGZE5NRXBKVm10U1Iy RXhXWGxVYTFwaFVqSm9WRlJYTlc5a2JGcEhWbTA1VWsxWFVucF dNV2h2VjBkS1JrNVdWbFZXYkhCWVZGUkdVMk15UmtaUFYyaHBV bGhDV1ZacVNqUlZNV1IwVTJ0a1dHSlhhRmhaVkVaM1pXeHJlV1 ZJWkZOV2ExcDVWREZrYzFVd01IbGhSbXhYWWxoQ1RGUnJaRVps Um1SellVWlNhVkp1UW5oV1YzaHJWVEZzVjJKR2FHcGxhMXB4V1 d0YWQyVkdWblJOVldSV1RXdHdWMWx1Y0V0V2JGbDZZVWRvV21F eVVrZGFWV1JQVWpKS1IxcEhiRmhTVlhCS1ZqRmFVMU14VVhsVV dHaGhVMFphVmxscldrdGpSbFp4VW10MFYxWnNjRWhXVjNSTFlU QXhSVkpzVGxaU2JFWXpWVVpGT1ZCUlBUMD0=
    --
    I stole this .sig
    1. Re:Long URL? by youngerpants · · Score: 1

      Heh, now thats actually funeeeee

    2. Re:Long URL? by Anonymous Coward · · Score: 0

      email the webmaster
      Johann@Gambolputty_devonAusfern-schplend en-schlitt er-crasscrenbon-fried-digger-dingle-dangle-dongle- dungle-burstein-vonknacker-thrasher-apple-banger-h orowitz-ticolensic-grander-knotty-spelltinkle-gran dlich-grumblemeyer-spelterwasser-kurstlich-himblee isen-bahnwagen-gutenabend-bitte-ein-nürnburger-bra twustle-gerspurten-mitz-weimache-luber-hundsfut-gu mberaber-shönedanker-kalbsfleisch-mittler-aucher_v on_Hautkopft_of_Ulm.de
      if you have any problems.

    3. Re:Long URL? by Anonymous Coward · · Score: 0

      Must be compensating for something.

  52. What's next from security focus? by ZipR · · Score: 1

    Announcements of security vulnerabilities in Netscape 4 or Mosaic?

  53. I'll start my stop watch. by bi_boy · · Score: 1

    Considering how much OSS freaks rake MicroSoft over the coals over how long it takes them to fix their security problems, I'd expect to see these fixed later today.

    ... Not to say that's what the good people at Mozilla are like, damn fine product Firefox for Windows is.

    --
    Chicken fried butter sticks? Do ... do you use a fork? - Black Mage, 8-Bit Theater
    1. Re:I'll start my stop watch. by Anonymous Coward · · Score: 0

      Even better than that, they were fixed quite some time ago. How is that for promptness, fixed before the bug report?

    2. Re:I'll start my stop watch. by Anonymous Coward · · Score: 0

      Considering how much OSS freaks rake MicroSoft over the coals over how long it takes them to fix their security problems, I'd expect to see these fixed later today.

      I guess the fact that they're already fixed makes you feel like a bit of a cock then, no?

      Also, with a name like "bi-boy" I would suggest that you're not really in a position to be calling anyone else a freak, you filthy deviant.

    3. Re:I'll start my stop watch. by Anonymous Coward · · Score: 0

      I can't believe so many people don't RTFA...

      THEY'RE FIXED!

  54. Re:The important thing is how quickly they get fix by seanyboy · · Score: 1

    I wasn't talking about these particular exploits, I was talking about possible future exploits. This story isn't news because there's the possibility of three minor issues, it's news because Firefox isn't the completely safe browser people have been trumpeting it as. My point is that we shouldn't be concentrating on how bomb proof the software is, we should be concentrating on the response given to threats, and how these are better (or worse) than the response given by Microsoft.

    --
    Training monkeys for world domination since 1439
  55. I use mozilla... by Anonymous Coward · · Score: 0

    and I am a fag. You know I use to hate the GNAA but I can see why such rampant trolls frequent /. I love watching self righteous open source zealots try to defend themselves.

  56. MS already learned this lesson... by lowe0 · · Score: 1

    Most people won't update unless you do it for them. Unfortunately, when MS first suggested this, the tinfoil-hat crowd made all kinds of noise about MS taking over their systems.

    Hopefully, Firefox is set by default to update itself automatically. Joe Sixpack isn't even aware it needs to be done.

    1. Re:MS already learned this lesson... by rainman_bc · · Score: 1

      Firefox checks for updates on windows and asks you if you want to update. If you're stupid enough to click no, then it's your own damn fault if you get burned.

      --
      09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
    2. Re:MS already learned this lesson... by Anonymous Coward · · Score: 0

      Must remember, though, that Joe Sixpack has been told over and over to "Never click 'Yes' when a web page asks you about installing/updating".

      Craig.

    3. Re:MS already learned this lesson... by rainman_bc · · Score: 1

      The Firefox one is pretty obvious.

      And if joe sixpack is using firefox, he's already among the enlightened ones anyway. He might take a moment and actually read what's in front of him...

      --
      09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
  57. Alternative headline. by Anonymous Coward · · Score: 0

    "Three security flaws ALREADY fixed in Mozilla"

    I mean, come on, for Pete's sake. A FUD story about flaws that already have been fixed? Sheeeesh..

  58. Re:The important thing is how quickly they get fix by seanyboy · · Score: 1

    When will people read the damn articles
    I don't know. When will people start reading the comments properly. I wasn't talking about the highlighted exploits, I was talking about exploits in GENERAL.

    --
    Training monkeys for world domination since 1439
  59. Bill was right! by fromme · · Score: 0, Flamebait

    Commies are doomed to failure!

    My karma ran over my dogma

  60. Re:The important thing is how quickly they get fix by Anonymous Coward · · Score: 0

    The title of your post says 'how quickly they get fixed' implying that you're talking about the three flaws the story is talking about

  61. Only the third is not fixed...? by Gizmhail · · Score: 1

    The news is pretty confusing. After reading carefully the articles, I think that in fact only the last problem hasn't been fixed....But the author comment "Let's hope that these will be fixed soon" let people think that the 3 of them are still present.... I was wrong saying before that everything is fixed, but shouldn't we at last add something explaining that only ONE issue is not fixed....? Do not know : does it deserve an update?

  62. Wrong! by the_mighty_$ · · Score: 4, Informative

    Only the buffer overflow issue has been fixed! This article on the Register should clear things up:

    http://www.theregister.co.uk/2005/01/07/mozilla_flaws/

    --
    VI VI VI - the editor of the beast!
    1. Re:Wrong! by Anonymous Coward · · Score: 0

      That's strange, I just tested the first issue on Firefox 1.0 on OS X and didn't have the problem. Maybe the problem is too subtle for me to have noticed it.

  63. Re:The important thing is how quickly they get fix by seanyboy · · Score: 1

    I wasn't.

    --
    Training monkeys for world domination since 1439
  64. Is this perhaps the Firefox problem? by spitzak · · Score: 1

    So could this be the bug, is Firefox setting the permission on the files it creates wrong? Could be it, in which case shame on them, especially if they are doing something other than what Windows does by default.

    Like other readers here, I am confused about what Firefox could possibly be doing that is different than other programs. This could be it.

    1. Re:Is this perhaps the Firefox problem? by Politburo · · Score: 1

      I don't have FF installed here to verify. I seem to recall that the profiles are not kept in user directories, but are kept under the FF directory, which would make them world readable.

      Although, I could be recalling an old version and this may have changed.

    2. Re:Is this perhaps the Firefox problem? by Martin+Blank · · Score: 1

      On Windows at least, Mozilla has been keeping profiles in the user's directory (at least by default) since long before the Phoenix/Firebird/Firefox line came out. The normal location is under Application Data\Mozilla. I believe it has had a similar setup on Linux, though I don't have a Linux installation with Firefox available to me right now.

      --
      You can never go home again... but I guess you can shop there.
    3. Re:Is this perhaps the Firefox problem? by Lordrashmi · · Score: 1

      On my machine, both FF and TB install to the users directory.

    4. Re:Is this perhaps the Firefox problem? by justsomebody · · Score: 1

      ~/.mozilla or ~/.firefox on linux

      --
      Signature Pro version 1.13.2-3 release 83.5 beta3try7 after-breakfast edition
  65. chmod 700 ~/.mozilla ~/.firefox by Anonymous Coward · · Score: 0

    Now your mom can't see which pr0n sites you visit.

  66. Mandrake woes... by willCode4Beer.com · · Score: 1

    Well, the latest stable version of Firefox distributed by Mandrake is 0.8 so, some of us have a bit more to worry about.

    I guess it's time to bite the bullet and visit the cooker....

    --
    ----- If communism is a system where the government owns business, what do you call a system where business owns govern
    1. Re:Mandrake woes... by Anonymous Coward · · Score: 0

      What?

      I'm typing this in Firefox under Mandrake 10.1. The version is: 1.0RC2.

    2. Re:Mandrake woes... by willCode4Beer.com · · Score: 1

      How did you get it? Cooker?

      There's no newer version on the update sites for 10.1 Official.

      --
      ----- If communism is a system where the government owns business, what do you call a system where business owns govern
  67. Not as critical as they appear in the submission by Spy+der+Mann · · Score: 3, Informative
    Issue 1: Spoofing, unpatched (yet). Moderately critical.

    Issue 2: Fixed (Affected Versions: Mozilla Browser
    This bug is fixed in Mozilla 1.7.5. (Bug 264388)
    Mozilla developer Dan Veditz claims that it cannot be exploitable:
    "A '\' on the end will certainly trash memory, but at that point you're no
    longer reading attacker-supplied data;".
    So, at most it would be a DOS attack, not a true "hack into your computer". And from the Security focus link:

    Affected packages
    =================
    mozilla < 1.7.5
    mozilla-bin < 1.7.5
    mozilla-firefox < 1.0
    mozilla-firefox-bin < 1.0
    mozilla-thunderbird < 0.9
    mozilla-thunderbird-bin < 0.9

    So Firefox 1.0 is indeed safe.

    Issue #3:From the link:

    This exact issue affects Mozilla Firefox 0.9.3. I haven't tested
    older/newer versions, and all of this was tested under Debian Unstable.


    In other words, 1 outdated, another unconfirmed, and the first one real, but it's moderately critical.

    So the Mozilla guys have only to fix ONE bug, and CONFIRM another. Issue #2 is fixed already.
  68. Re:Unacceptable by Anonymous Coward · · Score: 0

    If you haven't read it yet, then why are you commenting with "unacceptable?" I think the fact that you'd say this is unacceptable without knowing the whole story is unacceptable. Read it - you'll find these are all very minor issues.

    The first is tantamount to an opinion on how long-ass urls should be displayed, and is hardly a security issue.

    The second issue is fixed in the latest stable releases. You update, right? If Mozilla had a time machine, I guess they could go back and fix it in other releases too.

    The third issue sounds more like an xpdf issue, and is not out of line with how many programs create files on Unix under /tmp.

    This story seems like a setup to me. Astroturfing, anyone?

  69. Difference by Steamhead · · Score: 1

    You can see the difference between FireFox and IE:

    These only affect Firefox nothing else in the operating system, and one is fixed in a prior release.

  70. Also, don't forget: by Anonymous Coward · · Score: 0

    The stagnant development of Slashcode, the pile of Perl that spews invalid HTML for this site. Also, abused "bitchslap" script used by the editors to punish users that have unpopular opinions. Oh, then there's the "Slashvertisements" that get front page'd that have little value to anyone except for the submitter. Then there's the broken moderation system, the pointless 20 second post delay, and the general hivemind mentality of the moderators. Netcraft now confirms: Slashdot is dying.

  71. The main reason for the advisory by fswsysop · · Score: 1

    Obviously the advisory is simply to inform people who haven't upgraded that it might be prudent to do so. Of course software will always have bugs, and for every one bug you kill, a few more will rise in its place until you get everything right. That is a long and arduous process, especially given the complexity involved in providing the functionality of today's software. Thankfully, the folks who wrote the Mozilla line of software seem to fix their problems rather quickly, so I'm sure that if they haven't already been fixed (as is rumored to have been done in Firefox 1.0 and the newest Mozilla) they will be sometime in the very near future. Patience, grasshopper.

  72. Re:Unacceptable by generic-man · · Score: 1

    Dude, read. At least one of the advisories states that 1.0 is still vulnerable.

    --
    For more information, click here.
  73. Re:Unacceptable by generic-man · · Score: 0, Redundant
    --
    For more information, click here.
  74. MICHAEL, RTFAs!!!!!!! by Anonymous Coward · · Score: 0

    Don't be a victim of astroturfing- RTFAs.

    Sheesh.

  75. Another fair objective article.... by jmcmunn · · Score: 1


    Notice how every bug report about IE starts by saying how bad IE is, then saying MS sucks, and Mozilla doesn't have this bug because it's so great.

    Now read the post about a Mozilla bug. No mention that IE does not have the bug. No mention that the coders who left this bug are crappy, and no mention that you could switch to IE to avoid this bug.

    I know, IE has its bugs too, but it seems like we could be a bit more fair around here and at least either treat both browsers as if they suck, or treat them both with respect.

    Just my personal observations.

    1. Re:Another fair objective article.... by Kent+Recal · · Score: 1, Troll

      it seems like we could be a bit more fair around here and at least either treat both browsers as if they suck, or treat them both with respect.

      I'm touched by your call for humanity.
      But they're friggin browsers. That's software, not people, mmkay?

      The reason why people treat IE and Mozilla so differently is because IE does indeed suck bad and Mozilla does indeed suck far less. People are stunned that a multi-billion dollar company constantly refuses to apply proper QA to their software but instead sells expensive packages that are so bug-ridden that many real developers would be ashamed to only call it a "beta".

      Back on topic:
      These three "bugs" in the story (two of which have been fixed long ago, before v1.0) are pretty ridiculous compared to what MS comes up with every couple weeks. None of these Moz-bugs would allow a remote attacker to execute code on your box. Most remote IE-exploits that I have seen allow an attacker to do just that.

      Therefore, the IE codebase (and the company responsible for it) deserve no respect whatsoever.

      Just my personal observations.

    2. Re:Another fair objective article.... by jmcmunn · · Score: 1

      But they're friggin browsers. That's software, not people, mmkay?

      So the people who write the code for both places deserve no respect for the work they do? The software is a product of the "hard work" of the programmers. So yeah, it bothers me when some ass on Slashdot forgets that. mmkay? Yeah, there are bugs in both programs, and yes both of them have serious bugs at times. There is no perfect software out there, it all has bugs. The important thing is how the bugs are resolved, and both IE and Firefox have been doing ok lately at getting patches for them. And SP2, with its improved security, at least helps a little in making sure your machine is safe if you're running Windows.

      Don't think I am an IE fan, I use Firefox whenever possible. I just think Slashdot posters need to treat the two browsers objectively as browsers, and not based on the company they come from.

      And I have never seen a price tag on IE, but they do have to pay the people working on it so if the price of Windows is $1 higher because it has IE, then so be it.

    3. Re:Another fair objective article.... by Kent+Recal · · Score: 1

      So the people who write the code for both places deserve no respect for the work they do?

      That's the exact problem. I highly doubt that anyone at MS feels personally responsible for the IE mess. The embarrassment would hardly be bearable for a single person anyways...

      Yeah, there are bugs in both programs, and yes both of them have serious bugs at times.

      At times? Let me think, the number of critical IE bugs certainly goes in the mid 2-digit range (maybe they've even hit 3 digits already?).
      How many remotely exploitable Mozilla bugs have there been? I don't remember a single one so if there were any it must have been few. Now compare the development models of the two. IE is backed up by a multi-billion dollar company that could very well afford proper Q/A... need I say more?

      both IE and Firefox have been doing ok lately at getting patches for them

      Gimme a break.
      Compare this to this.
      And be sure to look past the pretty pie charts for the actual vulnerability descriptions.

      And SP2, with its improved security

      Ok, nevermind. Why am I even talking...

    4. Re:Another fair objective article.... by jmcmunn · · Score: 1

      That's the exact problem. I highly doubt that anyone at MS feels personally responsible for the IE mess. The embarrassment would hardly be bearable for a single person anyways...

      You're making a very broad statement there. Just because a company is large it doesn't mean they don't take pride and responsibility in their code. I know a lot of people personally who work at MS, Google, Apple, Motorola etc who all take pride in what they do and work hard to do the best damn job they can. Just because it's not open source, doesn't mean it is bad, and I am guessing there are a lot of programmers working hard at fixing the bugs and security issues in both IE and Mozilla.

      Gimme a break.
      Compare this to this.
      And be sure to look past the pretty pie charts for the actual vulnerability descriptions.


      I checked both links...both programs have about 1/3 of their bugs left unpatched. Yes, IE has more bugs, that's no secret. There are more linux fanboy hackers out there trying to destroy MS, also a fact. I expect more bugs in a more widely used program with a known contingency of "enemies". The interesting thing to me is that both programs have 1/3 of the vulnerabilities unpatched. While you're at it, take a look at the Firefox one as well. FireFox Nice job Firefox 1.X, only on the market for a few months and already 4/5 security flaws are unfixed? Clearly this is not an appropriate measure.


      And SP2, with its improved security

      Ok, nevermind. Why am I even talking...


      You're a linux fanboy, why am I even talking...

      Seriously though, SP2 is a security improvement for the people previously running with no firewall. I don't think you can logically argue against that. Those of us behind a firewall already, also running antivirus are probably not in any better situation, I agree.

    5. Re:Another fair objective article.... by Kent+Recal · · Score: 1

      You're making a very broad statement there. Just because a company is large it doesn't mean they don't take pride and responsibility in their code. I know a lot of people personally who work at MS, Google, Apple, Motorola etc who all take pride in what they do and work hard to do the best damn job they can. Just because it's not open source, doesn't mean it is bad, and I am guessing there are a lot of programmers working hard at fixing the bugs and security issues in both IE and Mozilla.

      I'm making that broad statement by my past experience with the (lack of) quality in MS products, their own public relation (press releases, advertising, FUD) and what I've read in a number of articles by different ex-MS employees. By all that I know about their corporate culture and development process from these sources I'm in no way surprised that the outcome is what it is. I could be all mistaken (no first-hand experience) but the pieces match up pretty well...

      I checked both links...both programs have about 1/3 of their bugs left unpatched. Yes, IE has more bugs, that's no secret. There are more linux fanboy hackers out there trying to destroy MS, also a fact. I expect more bugs in a more widely used program with a known contingency of "enemies". The interesting thing to me is that both programs have 1/3 of the vulnerabilities unpatched. While you're at it, take a look at the Firefox one as well. FireFox Nice job Firefox 1.X, only on the market for a few months and already 4/5 security flaws are unfixed? Clearly this is not an appropriate measure.

      See, I knew something like this would come out. That's why I told you to look beyond the pretty pie charts and actually read the bug descriptions. If you had done that you'd know that most bugs listed for Mozilla are spoofing vulnerabilities (display a wrong URL in status-bar and such) while most bugs listed for IE are actual remote code execution vulnerabilities.

      Seriously though, SP2 is a security improvement for the people previously running with no firewall. I don't think you can logically argue against that. Those of us behind a firewall already, also running antivirus are probably not in any better situation, I agree.

      Yes, I can logically argue against that. The "security improvement" is a bunch of long overdue bugfixes (some of which broke other things) and a half-baked implementation of a desktop firewall that, among other problems, even kicks in too late (machines were reported to be infected during OS-install).

      Wake me up when MS stops the patchworking and actually overhauls their development process in order to stop at least the most humiliating bugs from happening. Tools and frameworks to automatically avoid whole classes of buffer overflows have been available for quite a while. I can only guess why MS isn't implementing these and my guess would be that they tried but stepped back from it because the tools have likely marked whole components as "throw away and try again". The other option (just as likely) would be that they have never tried and just don't care.

  76. Wrong! by the_mighty_$ · · Score: 1

    Only the buffer overflow issue has been fixed! This article on the Register should clear things up:

    http://www.theregister.co.uk/2005/01/07/mozilla_flaws/

    --
    VI VI VI - the editor of the beast!
  77. Re:Unacceptable by theVP · · Score: 1

    While I agree with the others that you were wrong in your statement, I don't understand why you got marked as a troll.....

    --
    "No one is more miserable than the person who wills everything and can do nothing." -Emperor Claudius 10 BC - AD 54
  78. Third problem by Anonymous+Custard · · Score: 1

    Third problem (users can see other users profile info, history, etc.) should be easy enough to fix, or at least easy enough to leave it to the OS to determine user access. Just place the files in user-owned private folders, like the documents and settings folder in windows or the user/home folders in linux. Mozilla shouldn't be responsible for user-level file access info.

    1. Re:Third problem by swv3752 · · Score: 1

      That is not it. RTFA. If you open a file instead of save it, someone else can read the file from the temp $DIR. Pretty minor, but if you are concerned just save the file first, instead of use the open feature (which was added because people clamored for it even though it was considered a mild risk).

      --
      Just a Tuna in the Sea of Life
    2. Re:Third problem by pe1chl · · Score: 1

      Still the use of the Windows-standard profile directory would solve that problem, because the user's temp dir is inside the profile and only accessible to the user.
      That Unix has a globally-shared temp dir is a Unix problem, not a Mozilla problem. Windows does not have that problem.

    3. Re:Third problem by Anonymous+Custard · · Score: 1

      Still the use of the Windows-standard profile directory would solve that problem, because the user's temp dir is inside the profile and only accessible to the user.
      That Unix has a globally-shared temp dir is a Unix problem, not a Mozilla problem. Windows does not have that problem.


      Thank you.

  79. No fix is available - please stop lying by Anonymous Coward · · Score: 0

    There is NOT a fix for these three issues.

    Once again, Internet Explorer rules. As usual.

    Or Opera for those of you that want a real browser.

  80. Re:Difference ... actually by dioscaido · · Score: 2, Insightful

    Actually, a buffer overflow can result in the execution of arbitrary code. I'm confident in asserting that all IE6 vulnerabilities need IE to be executing in Administrator context to affect the OS, although it would be instructional to be proven wrong. Given this fact, a buffer overflow in Mozilla as Administrator threatens the OS just as much as an IE vulnerability.

    Moral of the story: run Mozilla for the features, run as Limited user to be truly secure.

  81. Gates seems to have other sorrows... by stiebing.ja · · Score: 1

    Like the German Tagesschau (http://www.tagesschau.de/aktuell/meldungen/0,1185,OID3948600,00.html) reports Gates 'imputes sticklers for a more relaxed copyright of reactionist aspirations'.
    Those who wanted to reform the handling of intellectual properties were 'a new kind of communists' trying to 'disestablish the things which make the incentive for musicians, directors and software developers' told Gates ZDnet (where I wasn't able to find anything about this). They (the reformer) 'would not believe that these kind of incentive was allowed to exist'. There 'were some things to improve at copyright legislation, but the intellectual property would be the impulsion to develop the products of tomorrow'. That 'would also secure and create new [US-] American employment'.

    Well Gates, we all knew that you are a fan of proprietary software and also keen of software patents - but being a political right winger is at least new to me.

    You can think about communism in its different forms what you like - but it surely hasn't to do anything with the discussion about copyrights.

    Mom: Biiill!
    Bill: ~ Yes mom? ~
    Mom: What are you talking again!
    Bill: ~ But mom! ~
    Mom: Shut up! You go to bed now.

    --
    I lag
    1. Re:Gates seems to have other sorrows... by Anonymous Coward · · Score: 0

      "- but being a political right winger is at least new to me."

      There is an old adage that goes something like this...

      Any man who is not a liberal in his youth is a heartless monster and any man who is not conservative by middle age is an idiot.

      I tend to agree with it. When we are young we want to save the whole world. We want to make a difference and honestly want to make the world a better place for all of God's creatures.

      By the time we have grown up a bit we start to realize that while we still want to help the sick and suffering of the world we also want to protect what is ours. It is human nature man. Despite our best efforts we are all still just animals and are looking out for our own welfare. People like Bill G. just have a bigger den to "protect" than you and me.

  82. Why is it... by cagliost · · Score: 3, Interesting

    That when Mozilla (or anything not by Microsoft) has a bug, people say "Let's hope that these will be fixed soon!", but when IE (or anything by Microsoft) has a bug, people say (")Hahahahaha!(")?

    1. Re:Why is it... by Eraser_ · · Score: 1

      Because the people at Microsoft say the same thing reversed? Your competitors problem is your advantage in the open market. Our by-line is fast patches and open acknowledgement they exist, if people knew of these problems, and from what I've seen the current release versions are clear of these, then they should be fixed. The URL spoofing one is only minor at best, and FireFox seems to come default to pester you about upgrading itself. The other issue is when Microsoft has a problem, is it's oh look, one of 5 or 6 this month, the problem goes back to some core foundation that should never have been there, or it turns out someone told MS about it ages ago and they still haven't released a patch.

      Lord knows *I* have never, in my high and mighty existence, taken amusement in the pain of others.

    2. Re:Why is it... by marcosdumay · · Score: 1

      Because there is no hope

    3. Re:Why is it... by Anonymous Coward · · Score: 0

      Why is it... That when Mozilla (or anything not by Microsoft) has a bug, people say "Let's hope that these will be fixed soon!"

      Because it generally is.

      ... but when IE (or anything by Microsoft) has a bug, people say (")Hahahahaha!(")?

      Because it generally isn't.

    4. Re:Why is it... by m50d · · Score: 1

      Because we've given up hoping for MS to fix things soon. Sad but true.

      --
      I am trolling
    5. Re:Why is it... by Anonymous Coward · · Score: 0
      That when Mozilla (or anything not by Microsoft) has a bug, people say "Let's hope that these will be fixed soon!", but when IE (or anything by Microsoft) has a bug, people say (")Hahahahaha!(")?
      Because:
      $ sudo apt-get dist-upgrade
      Reading Package Lists... Done
      Building Dependency Tree... Done
      Calculating Upgrade... Done
      The following packages will be upgraded:
      [...]
      mozilla mozilla-browser
      mozilla-chatzilla mozilla-dev mozilla-dom-inspector mozilla-js-debugger
      mozilla-mailnews mozilla-psm
      [...]
      40 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
      Need to get 39.7MB of archives.
      After unpacking 938kB of additional disk space will be used.
      Do you want to continue? [Y/n]
      They are fixed soon.
    6. Re:Why is it... by Anonymous Coward · · Score: 0

      As a matter of fact, some of the more serious problems with FF have NOT been fixed and they've been known about for a couple of months now! /. is nothing more than one giant open source foot and mouth, the two of which are firmly and forever wedged together.

    7. Re:Why is it... by Shadowlore · · Score: 1

      That when Mozilla (or anything not by Microsoft) has a bug, people say "Let's hope that these will be fixed soon!", but when IE (or anything by Microsoft) has a bug, people say (")Hahahahaha!(")?

      Perhaps because they know it won't get fixed soon?
      BTW, what's with wrapping your quote symbols in parens?!

      Now where is that sarcasm tag ....?

      --
      My Suburban burns less gasoline than your Prius.
  83. Mozilla outfoxed by Doc+Ruby · · Score: 1

    "Mozilla 1.7.5 and below, Firefox versions before 1.0"

    Wait, I thought the reason to still use Mozilla instead of Firefox is that bugfixes make it to Mozilla releases first. Now it looks like the only reason is that Mozilla integrates Google/search into the same UI field as "Go to URL".

    --
    make install -not war

  84. Re:Not as critical as they appear in the submissio by GrimReality · · Score: 1

    If I did not misunderstand your post, No. 3 is unconfirmed.

    I think you are right. Although I don't know if it is unconfirmed or not, but it does not seem to affect Mozilla 1.7.5.

    I just checked my personal mozilla configuration directories created fresh by a new Mozilla 1.7.5 [official mozilla.org binaries on Debian stable (3.0 'woody')], installation. They are created with permission rwx------ (i.e., groups and others do not have any privileges) and of course, the execute bit is only for directories.

    Of course, if some crackpot spoofed my download dialog and made me download a compromised binary.... :-)

  85. Cross Platform? by codeguy007 · · Score: 1

    Well the first two issues are definitely cross platform but the last isn't.

  86. OT: Gentoo by I+confirm+I'm+not+a · · Score: 1

    Dammit, knew someone would! I've not long caught the Gentoo bug, and I'm "emerge --sync", etc pretty much every two days! Not yet got around to installing Gentoo on the "real" boxes yet, so your advice is pretty timely.

    --
    This is where the serious fun begins.
    1. Re:OT: Gentoo by djplurvert · · Score: 1

      So it finishes compiling just in time for you to "emerge --sync".

    2. Re:OT: Gentoo by fireman+sam · · Score: 1

      Line from inittab:

      em:12345:respawn:emerge --sync

      --
      it is only after a long journey that you know the strength of the horse.
  87. Misleading article summary -- the real story by Old+Man+Kensey · · Score: 2, Informative
    The problem is not with the way Firefox and Thunderbird "store user's files". The problem has to do with the way they temporarily open files in helper apps for viewing -- on *nix, at least, they use the global /tmp directory, which means anyone can see what files you have open, and because of the way it sets up permissions on them (makes them world-readable), anybody may be able to read them while you have them open.

    I'm not too worried about the third one. For one thing, it is easily worked around by setting your $TMP or $TEMP environment variable. Really the global visibility of the files isn't a "bug" in Firefox/Thunderbird or any other app that does this. They're just following the standard system practice of using whatever directory is specified by TMP/TEMP to open their temporary files in. The issue is that common practice on that score is moderately insecure and may expose info to other users, but there's nothing application authors should do about that.

    The permissions issue is the only real "security" problem, but I would bet they did it that way to allow viewers that may be running setuid nobody to still view the file for the user. Perhaps the answer is simply to have documentation about viewers running setuid nobody (or other restricted users) and a configurable list of such viewers that the user can add to. After that, files destined for ordinary viewers should be permissioned 500, and files destined for setuid restricted-user viewers could be permissioned 544 or something else appropriate.

    --
    -- Old Man Kensey
    1. Re:Misleading article summary -- the real story by mattyrobinson69 · · Score: 1

      the /tmp problem could be solved by creating a directory of the users name in /tmp and doing chmod 700 /tmp/$user

      then using /tmp/$user as the $temp environment variable

      a script below could be used for opening firefox which would fix the problem (administration issue as you say, not an application issue)

      This below (if it works, not tested, but it gives a general idea)

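      #!/bin/bash
      # Per-user private temp directory, used only for this Firefox launch
      me=$(whoami)
      mkdir -p "/tmp/firefox-$me"
      chmod 700 "/tmp/firefox-$me"
      TEMP="/tmp/firefox-$me" firefox

      or even better (for all apps) put it in ~/.bash_profile:
      #!/bin/bash
      # Same directory, exported so every app started from this login shell sees it
      me=$(whoami)
      mkdir -p "/tmp/firefox-$me" 2>/dev/null
      chmod 700 "/tmp/firefox-$me"
      export TEMP="/tmp/firefox-$me"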

      (ignore the generally bad scripting and the fact it probably doesn't work as it is, I'm just showing that it's an administration issue, like the parent poster said above). Also I know this would break apps that run suid nobody.
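
An added example, not part of the post above and not Mozilla's code: a hardened take on the per-user temp directory idea. A predictable name such as /tmp/firefox-$USER can be created first by another local user, so this version lets mktemp -d pick the name and checks type, owner and mode before use. The function names, the `firefox-` prefix and the PRIVATE_TMP_BASE variable are assumptions, and TMPDIR, TMP and TEMP are all set because applications differ in which one they read.

```shell
#!/bin/sh
# Added example: create, verify and use a private temp directory for one program.

# Print the permission bits of a path in octal (GNU stat first, then BSD stat).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Print the numeric uid that owns a path.
owner_of() {
    stat -c '%u' "$1" 2>/dev/null || stat -f '%u' "$1"
}

# Succeed only if $1 is a real directory (not a symlink), owned by us, mode 700.
is_private_dir() {
    [ -d "$1" ] && [ ! -L "$1" ] || return 1
    [ "$(owner_of "$1")" = "$(id -u)" ] || return 1
    [ "$(mode_of "$1")" = "700" ] || return 1
}

# Create a fresh directory with an unpredictable name under $1 (default /tmp)
# and print its path. mktemp -d fails if the name already exists, so a
# directory or symlink planted by another user is never reused.
make_private_tmp() {
    pt_base=${1:-/tmp}
    pt_new=$(umask 077; mktemp -d "$pt_base/firefox-XXXXXXXX") || return 1
    is_private_dir "$pt_new" || { rmdir "$pt_new" 2>/dev/null; return 1; }
    printf '%s\n' "$pt_new"
}

# List regular files under $1 that group or others can read, i.e. the files
# another local user could open while a helper application has them open.
audit_readable() {
    find "$1" -type f \( -perm -040 -o -perm -004 \)
}

# Run a command with its temp variables pointing at a private directory,
# then remove the directory and return the command's exit status.
run_with_private_tmp() {
    pt_dir=$(make_private_tmp "${PRIVATE_TMP_BASE:-/tmp}") || return 1
    pt_status=0
    env TMPDIR="$pt_dir" TMP="$pt_dir" TEMP="$pt_dir" "$@" || pt_status=$?
    rm -rf "$pt_dir"
    return "$pt_status"
}
```

Typical use is `run_with_private_tmp firefox`; `audit_readable /tmp` shows what is currently exposed in the shared directory.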

  88. I wouldn't lose any sleep over this. by Lodragandraoidh · · Score: 4, Insightful
    Create a long URL and the downloading box will only display its ending (Mozilla and Firefox).

    Click 'cancel' if you are not sure about what you are downloading; Additionally, you should be able to hover the mouse over a link and see the actual URL in the display bar at the bottom of the window. I do this all the time because I want to be sure where my browser will be connecting when I click anything. Of course, if you go to sites that don't use standard HTML for their links, you could be scammed. Generally speaking, unless you are running IE, downloading a trojan isn't going to be that bad - as long as you don't then try to run it. If you were expecting a picture, or a zip file, and got an executable instead, that could also tip you off. This is probably the worst problem of the three - but nothing to lose sleep over.

    The second issue was created by the way that Mozilla's browsers handle news:// links to newsgroups, hackers can easily create false links and create a buffer overflow (Mozilla 1.7.5 and below, Firefox versions before 1.0).

    If you aren't using the latest version of the browser - you are wrong. Additionally, who reads news groups anymore? I gave up wading through all the spam and flame wars long ago...

    The third exploit affects machines with multiple users. The way that Firefox and Thunderbird store files allows every user to see them and to probably catch the other user's surfing habits (Firefox and Thunderbird). Let's hope that these will be fixed soon!
    chmod 700 -R /directory/path/where/mozilla/keeps/the/files/*
    - should do the trick on most unix/linux systems. I can't see this breaking the browser, because presumably it is being run by you as you. This is irrelevant on a Windoze machine because it is not truly multi-user (and I can slap a knoppix disk into your windows machine, reboot linux, and read all your files provided I have physical access anyway - which is how most people 'share' a windows box).
    --

    Lodragan Draoidh
    The more you explain it, the more I don't understand it. - Mark Twain
    1. Re:I wouldn't lose any sleep over this. by meestaplu · · Score: 1

      Seeing as I can slap a Knoppix disk into any Linux machine to which I have physical access, reboot into Knoppix, and have access to all the files on the system, I don't see how the last part is relevant.

      Unless the file system is using some form of encryption, it's going to be accessible from any other OS.

    2. Re:I wouldn't lose any sleep over this. by alphakappa · · Score: 1

      Click 'cancel' if you are not sure about what you are downloading

      In which case I wouldn't be able to download anything. How can I be sure unless I can see the URL? (looking at the status bar doesn't help since in many websites, the link you click is not a direct link to a file - it generates the download from some other place)

      downloading a trojan isn't going to be that bad - as long as you don't then try to run it.

      If I knew it was a trojan, I wouldn't download it in the first place.

      Additionally, who reads news groups anymore?

      That is not a fix. There are people who read newsgroups.

      This is irrelevant on a Windoze machine because it is not truly multi-user

      How exactly is that going to help me not lose any sleep?

      --
      "When the only tool you own is a hammer, every problem begins to resemble a nail." - Abraham Maslow (1908-1970)
    3. Re:I wouldn't lose any sleep over this. by Lodragandraoidh · · Score: 1

      What average windoze user encrypts his filesystem? (show of hands!)

      I didn't think so. Divide the small number of users who probably encrypt their filesystem, let's say 20,000, by the count of the total number of Windows users (all operating system versions in use, a number near infinity - let's say several billion).

      20,000/2,000,000,000 = 2/200,000 = 1/100,000 ~ 0 (an approximation of zero)

      And, I was being generous with the number of windows 'encrypters'.

      --

      Lodragan Draoidh
      The more you explain it, the more I don't understand it. - Mark Twain
    4. Re:I wouldn't lose any sleep over this. by twitter · · Score: 1
      Yeah, that's about what I thought. One big yawn.

      The download dialog box is trivial for all the reasons you mentioned and one more, wget. Wget is a better utility for downloading than most dialogs. Anyone who's not sure about what they are going to get can and should copy the link location and then paste it into a terminal. If you are really paranoid, you can download as a different user or even to another computer. You will clearly see the name of the file on the command line and you can then launch the downloaded file and watch for error messages. One of the primary strengths of free software is always having another option.

      The discouraging thing about the exploit is that it's going to get the average user, regardless of what browser they use. The average user is going to be confronted by a bank or other institution that insists on huge names and downloads. They soon get used to ignoring the link names and will be caught regardless of which browser they use. The flaw in IE, which allowed falsification of the hover and status bar was worse and could catch even wary users, if there were any wary users that trusted Windows left.

      --

      Friends don't help friends install M$ junk.

    5. Re:I wouldn't lose any sleep over this. by Politburo · · Score: 1

      A +5 'insightful' post that contains nothing but excuses and hand waving. Typical.

      Your first excuse basically says 'user must be knowledgeable', and contains the ridiculous statement "unless you are running IE, downloading a trojan isn't going to be that bad." Right. I've gotten trojan adware using Firefox. How? Stupidity. I stupidly ran a 'start.exe' that was in a zip file. The zip file contained a key (in a .nfo) as well. How does using IE make it any more likely that this trojan will work? (Especially considering that it was winRAR that ultimately executed the .exe)

      Your 2nd excuse is "who reads news groups anymore?"

      And your 3rd excuse doesn't even work for the problem, and then contains a bunch of inanity about using a knoppix disk to get access. Guess what: a knoppix disk is equally effective at accessing windows and linux installations.

    6. Re:I wouldn't lose any sleep over this. by Kythe · · Score: 1
      You can see the URL in the download dialog box. The trouble appears to be that the URL can be structured such that it appears right, unless you click on the URL and scroll right to see the whole thing.

      And the problem is that the dialog box, by default, shows the beginning of the URL, not the end. Thus, a URL can be created that looks complete and accurate, but has more to it (the true domain isn't displayed).

      For example, the download dialog box might display:

      http://citibank-software-server.new-netbank.citibank.com


      But the actual URL is:

      http://citibank-software-server.new-netbank.citibank.com .secunia.com/temp/


      (example borrowed from Bugzilla)

      I'm running Firefox 1.0, and just confirmed the bug from the demo on Bugzilla. It's not a huge deal, but you could be fooled into downloading something other than what you thought you were getting.
      --

      Kythe
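
An added example, not part of the thread and not Mozilla's fix: the spoof described above works because a fixed-width field cuts off the part of the hostname that names the real site, so this sketch extracts the host and, when it must be shortened, keeps its right-hand end. The function names and the widths are assumptions, and the sample URLs in the test are constructed.

```shell
#!/bin/sh
# Added example: label a download source so the end of the hostname stays visible.

# Extract the host from a URL: drop the scheme, the path/query/fragment,
# any "user:pass@" prefix (another way to disguise a host) and the port.
url_host() {
    uh_rest=${1#*://}
    uh_rest=${uh_rest%%[/?#]*}
    uh_rest=${uh_rest##*@}
    case "$uh_rest" in
        '['*) printf '%s\n' "${uh_rest%%]*}]" ;;   # IPv6 literal: keep the brackets
        *)    printf '%s\n' "${uh_rest%%:*}" ;;
    esac
}

# What a field that keeps only the first $2 characters of $1 would display.
head_clip() {
    printf '%s\n' "$1" | cut -c "1-$2"
}

# Host label of at most $2 characters. When the host is longer, the LEFT side
# is dropped and marked with "...", so the rightmost labels, which identify
# the site actually serving the file, are always shown.
host_label() {
    hl_host=$(url_host "$1")
    hl_len=${#hl_host}
    if [ "$hl_len" -le "$2" ]; then
        printf '%s\n' "$hl_host"
    else
        hl_keep=$(( $2 - 3 ))
        hl_start=$(( hl_len - hl_keep + 1 ))
        printf '...%s\n' "$(printf '%s\n' "$hl_host" | cut -c "${hl_start}-")"
    fi
}
```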
    7. Re:I wouldn't lose any sleep over this. by Sri+Lumpa · · Score: 1


      "chmod 700 -R /directory/path/where/mozilla/keeps/the/files/*"

      shouldn't that be 600?

      --
      "The obvious mathematical breakthrough would be development of an easy way to factor large prime numbers." Bill Gates,
    8. Re:I wouldn't lose any sleep over this. by oliverthered · · Score: 1

      It's easy to encrypt /etc and /home under linux I don't know why more distributions don't do it as standard. 25% extra CPU for loading apache.conf isn't going to kill anyone.

      --
      thank God the internet isn't a human right.
    9. Re:I wouldn't lose any sleep over this. by Lodragandraoidh · · Score: 1

      How does using IE make it any more likely that this trojan will work?

      Because if someone has enabled unsecured (ActiveX) scripting technology on their IE browser, malicious code can execute the trojan after it is on disk. Not so for the Firefox browser - which has no means of accessing the disk via Jscript/Java, etc...

      My 2nd point holds: an approximation of zero can in effect be zero for all intents and purposes.

      My 3rd point holds: the point was made that a user on a multiuser machine could read the files created by your browser; my answer was to change the permissions on the file to only allow the user to access said files. Why doesn't that work?

      --

      Lodragan Draoidh
      The more you explain it, the more I don't understand it. - Mark Twain
    10. Re:I wouldn't lose any sleep over this. by Lodragandraoidh · · Score: 1

      I always give myself execute permissions on all of my files - no telling if one is a script or not... (I've seen utility scripts embedded in application folders that contained cache/state and other configuration data).

      Additionally, it really doesn't matter for yourself, because if someone manages to login as you, they will be able to change all of the permissions to anything they want anyway. Irrelevant.

      --

      Lodragan Draoidh
      The more you explain it, the more I don't understand it. - Mark Twain
    11. Re:I wouldn't lose any sleep over this. by Anonymous Coward · · Score: 0

      Yes, few Windows users could handle the additional effort of checking the box marked "Encrypt contents." I also like how you started with completely made up numbers and still attempted to derive some sort of results from them. The rounding to zero was also a nice touch.

  89. There's That Euphemism Again by John+Hasler · · Score: 1

    > The first issue...

    It isn't an "issue". It is a bug or a problem.

    --
    Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
  90. I use 0.8 on Linux at home, here's why by Old+Man+Kensey · · Score: 1
    Bug 239415. You'll note that it's marked as a duplicate now. Firefox on Linux still has a LOT of these "Firefox segfaults as soon as you open a page" bugs in Bugzilla. I started noticing it occasionally with 0.9; 1.0 did it even more. I've wiped my profile and recreated it more times than I can count, still does no good. And even if that fixed it, it's still a bug, because browser-generated data should never cause later versions of the browser to crash. If later versions need to recompose that data to suit themselves, fine, but it shouldn't be the user's job to.

    Ironically, at work it's rock-solid... on Windows XP.

    --
    -- Old Man Kensey
  91. Bug free code by immortalpob · · Score: 1

    Of course there is bug-free code, for instance

    void main (void){}

    does just what it is supposed to do, nothing. You mean no useful code is bug free. :)

    Seriously though, what I think is the most telling is how worked up everyone is getting. Really, when was the last time someone got surprised because "IE has 493 unpatched critical vulnerabilities that allow a malicious hacker full control of your machine"?

    1. Re:Bug free code by m50d · · Score: 1

      Erm, your code has a bug. Main needs to return int, not void. Try compiling it and you'll get a warning.

      --
      I am trolling
    2. Re:Bug free code by immortalpob · · Score: 1

      Damn I knew posting something like that would have a bug... however it will compile, it just shouldn't.

  92. management speak by Anonymous Coward · · Score: 0

    This intro is the best example I've seen of the abuse of the word "issue." In every instance it should be substituted with the word "problem."

    Sorry this is my pet peeve. Go ahead and mod as off topic, that's why it's anonymous.

    Have a nice day :)

  93. You have to install drivers and software too... by Anonymous Coward · · Score: 0

    Oh no, you forgot to install display driver, printer driver, scanner driver, photo camera driver, and lots of software...

    And... don't forget to update EVERY software you have!

  94. Read People by Anonymous Coward · · Score: 0

    Synopsis: Heap overflow in Mozilla Browser <= 1.7.3 NNTP code.
    Product: Mozilla Browser
    Version: <= 1.7.3

    Well, I may not be a programmer but I know the less than, equal to symbol. So, mark this for 2 issues.

    Who says the /. crowd doesn't read the articles.

    This probably will get mod'd down for snottiness... Is there a mod factor for it? Nope, get coding and make a snot factor.

  95. Re:Unacceptable by ultranova · · Score: 1

    While I wouldn't say that these vulnerabilities are exactly obvious, they are major enough that (IMHO) they should have been spotted and corrected before rollout.

    Well, my Firefox 1.0 doesn't seem to have any problems with exploit number three:

    -rw------- 1 xxxxxx xxxxxx 71K Jan 7 19:16 /tmp/dmca.pdf

    So I'd say that at least that problem was corrected before rollout.

    Now, if you want to complain about a really stupid thing that should have been corrected before rollout, then complain about the fact that the stupid download window pops up when saving images - try it: right-click on the red dinosaur icon of this story, choose "Save Image As", and watch the download window pop up (with about a second of delay, at least on my machine).

    Really fun when you're visiting a web gallery...

    --

    Forget magic. Any technology distinguishable from divine power is insufficiently advanced.

  96. Re:Unacceptable by swv3752 · · Score: 1

    Dude, Read, at least one linked article says that they are all fixed in the latest version.

    Now it is actually still a problem with the download spoofing, but it is more of an annoyance. With the way the download manager parses URLs, it is possible to misrepresent where something is being downloaded. If you can't trust the site then don't download. There will be "..." in the middle of the URL for the file you are downloading so it is not like the URL spoofs in IE. So you have a warning something may be fishy.

    --
    Just a Tuna in the Sea of Life
  97. Average? That's some mighty fine crack... by gosand · · Score: 1
    Perhaps it will serve as a reality check for those who have the wrong (idealistic) conception about this browser... Average users are so quick to jump on a bandwagon.

    Methinks you have never met an average person who uses a computer. Unless you think the average Slashdotter is an average person...

    --

    My beliefs do not require that you agree with them.

  98. How is URL spoofing still possible? by gblues · · Score: 1

    How hard is it to parse the URL and include the actual domain in the status bar/hover window? Then you'd know where the link went no matter how long they made it.

    Nathan
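
An added example, not part of the thread and not Mozilla's code: one way to do what the comment above asks, so that a download label always names the real host however long the URL is. The function name `describe_source`, the 60-character budget and the `.example` hosts are assumptions made for illustration.

```python
from urllib.parse import urlsplit

ELLIPSIS = "..."


def describe_source(raw_url, max_len=60):
    """Return (host, has_userinfo, label) for a download URL.

    The label always carries the scheme and the real host in full. Only the
    path is shortened, and in the middle, so the file name stays visible.
    """
    parts = urlsplit(raw_url)
    host = parts.hostname  # text after the last "@", lower-cased, no port
    if not host:
        raise ValueError(f"no host in URL: {raw_url!r}")

    # Anything before "@" in the authority is userinfo. It is never the
    # server name, however much it looks like one.
    has_userinfo = "@" in parts.netloc

    origin = f"{parts.scheme}://{host}"
    if parts.port is not None:
        origin += f":{parts.port}"

    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query

    # The path gets whatever room the origin leaves, with a floor so a long
    # host name cannot squeeze the file name out of the label entirely.
    budget = max(max_len - len(origin), 16)
    if len(path) > budget:
        keep = budget - len(ELLIPSIS)
        head = keep // 2
        tail = keep - head
        path = path[:head] + ELLIPSIS + path[-tail:]
    return host, has_userinfo, origin + path


if __name__ == "__main__":
    # Constructed sample URLs; the hosts are placeholders.
    samples = [
        "http://www.trusted.example%20%20%20@files.example/update.exe",
        "http://files.example/" + "a" * 200 + "/setup.exe",
    ]
    for url in samples:
        host, flagged, label = describe_source(url)
        note = " (userinfo present, treat with suspicion)" if flagged else ""
        print(f"{label}  <- from {host}{note}")
```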

  99. Design flaw by northcat · · Score: 1

    The third one is not a bug, but a design flaw.

    1. Re:Design flaw by pe1chl · · Score: 1

      Right.
      Especially on the Windows platform, Mozilla should be aware of the user profile and store its information there (and the tempfiles in the Local Settings\Temp folder). Then this problem does not arise, and it is also much easier to support roaming profiles on a Windows network.
      The way it is done now is not Windows-compliant and causes administrator headaches, plus security issues to boot.

  100. How about this *real* new security issue? by francisew · · Score: 1

    A few days ago I realized that the whole Mozilla family has some serious issues with applets and tabbed browsing.

    An applet in a non-active tab can take control of a foreground window, actually absorbing mouse actions, and also repainting the foreground.

    After looking at a bunch of other older bug reports, I submitted my own (which was java applet related), and have had no response. The entire set of problems appears to date back more than a year.

    It's disappointing to see serious issues like that not being actively worked on.

    I'm even thinking I might get involved to fix exactly that bug (feature?). I'd even think that eliminating tabbed browsing is a good idea until a fix is released.

    1. Re:How about this *real* new security issue? by Anonymous Coward · · Score: 0

      Yes, eliminate one of the most popular features of Firefox (tabbed browsing), because you're annoyed that a Java applet is drawing incorrectly

      It seems like you're willing to use Firefox without tabbed browsing, so why don't you just NOT USE IT

    2. Re:How about this *real* new security issue? by John+Hasler · · Score: 1

      > I'd even think that eliminating tabbed browsing
      > is a good idea until a fix is released.

      I'd even think that eliminating applets is a good idea until a fix is released.

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    3. Re:How about this *real* new security issue? by francisew · · Score: 1

      Something like that, although I think that more functionality would be lost in eliminating applets than in getting rid of tabbed browsing (mind you, I use tabs more often than applets, but that's just me).

      Interesting that such a major security hole can last for so long... it's a lot like the scary mozilla security story that was posted here about a month (or two?) ago. I consider Mozilla to be far more safe than IE, but some things seem to slide by.

      I think the real fix would be to have bugzilla fixed, because in its current state, it's very, very hard to search through bug reports to look for duplication. It's also very hard to determine whether or not the bug is filed into the correct category to get real attention from the developers.

    4. Re:How about this *real* new security issue? by francisew · · Score: 1

      Dude, it's not about convenience of having screen painting defects, it's a security concern. One could easily re-create login boxes for major sites, and take password info from another tab.

      If you don't understand the implications of security concerns, don't bash those who have some clue (not that I'm a guru).

      I'm definitely not thrilled at the idea of losing tabbed browsing, but until this is fixed, it's a *major* concern to me.

    5. Re:How about this *real* new security issue? by Anonymous Coward · · Score: 0

      *shrug* Tabbed browsing is sort of irritating. Gaim does it, too, by default. I disabled it in that and in Moz.

  101. Opera Browser by TheJavaGuy · · Score: 1

    Time to try Opera ;-)

    --
    Opera Watch - An Opera browser blog.
  102. Re:Difference ... actually by salesgeek · · Score: 1

    Given this fact, a buffer overflow in Mozilla as Administrator threatens the OS just as much as an IE vulnerability.

    Problem with XP is that so much software just doesn't run unless you are an admin. This is no big deal if you run a non redmond os.

    --
    -- $G
  103. Here's the fix everybody by jamesgriff · · Score: 1, Troll

    You were looking for a fix

    here it is


    Note to self: I wonder whether this will be modded "-1, Troll" or "+5, Funny"

    1. Re:Here's the fix everybody by sabernet · · Score: 1

      trade in your 1 buffer overflow error for hundreds of prettier ones

    2. Re:Here's the fix everybody by Anonymous Coward · · Score: 0

      Well I could write a page about how ignorant resorting to Microsoft IE would be.

      >>"The first issue allows the source of a download to be spoofed, generating a fake URL"

      -First off, this is not a security hole, it is a "layer 8" problem, the user would have to click the link in order for this phishing attack to be deployed.
      Create a link:

      http://www.trusted_site.com%01%00@malicious_site.com/malicious.html label it www.trusted_site.com, and there you go, IE eats that right up.

      -As stated in above threads create user permissions chmod your mozilla profiles....

  104. This just in... by Yekrats · · Score: 1

    Security vulnerabilities for Internet Explorer 5.1 announced...

    --
    Ceci n'est pas une pipe.
  105. Bugzilla numbers by egoots · · Score: 2, Informative

    I know you can't link to Bugzilla directly from Slashdot, but for those of you who are interested the relevant Bugzilla bug numbers to look at for these are:

    • 273699
    • 275417
  106. Re:Difference ... actually by dioscaido · · Score: 1

    Problem with XP or problem with the software?

    If you run an app in Linux, the app attempts to write to /root, and faults on a protection error, is your response "gosh linux sucks!!!"?

    Apps that don't run do so because they are shoddily programmed. The user protection concept has been around since NT4, maybe it's time we ask developers to actually follow secure coding practices?

    At the very least all the apps I run work as expected. Office, Mozilla, Visual Studio, Nero, Adobe products, Macromedia products, etc... Those that don't work should get their acts together, because Longhorn defaults to Limited User (finally!).

  107. Re:Unacceptable by generic-man · · Score: 1

    You linked to the second issue out of three.

    The first issue out of three is not fixed in Firefox 1.0.

    The third issue out of three might not be fixed in Firefox 1.0; the article does not mention this version with any certainty.

    Firefox 0.9 has three vulnerabilities. Firefox 1.0 has one vulnerability. The only way to be secure is to use a different browser, no matter how crappy it may be.

    --
    For more information, click here.
  108. -1: High Standards for OSS by Anonymous Coward · · Score: 0, Flamebait

    Why is it that Slashbots jump at every chance to trash Microsoft for their (supposed) low security standards, yet apparently don't hold open source projects particularly high standards? And why do they silence (through moderation) those who DO hold OSS to high standards?

  109. fix the main post by demon411 · · Score: 1

    good thing i went through and read some comments and the article to see that all three issues have been fixed and only people with mozilla-firefox 1.0 are vulnerable. otherwise i would have gone on thinking that my firefox version was vulnerable and stop surfing the net and actually get some work done. but for people using the rss feed or who just read the post on the main page, some clarification to the post is necessary. Any ops around to add, all items are fixed.

  110. Operaaaaa!!!! by OSUJoe · · Score: 1

    And this is exactly why I stick with Opera. It's just incompatible and unpopular enough to go below the security exploit finders' radars.

  111. RTFA by scarolan · · Score: 1
    Slashdot has gotten so bad, now the submitters don't even RTFA!

    You must be new here. Welcome to Slashdot!

  112. Four unpatched vulns in 5 months by MarkByers · · Score: 1

    Since Firefox went 1.0 about 5 months ago, it has received 5 security warnings from Secunia, and none of them have been fixed yet. http://secunia.com/product/4227/ I hope this rate of fixing security problems will improve soon.

    --
    I'll probably be modded down for this...
    1. Re:Four unpatched vulns in 5 months by egoots · · Score: 1

      Since Firefox went 1.0 about 5 months ago, it has received 5 security warnings from Secunia, and none of them have been fixed yet.

      I don't know about you, but I just checked my Firefox 1.0 release string and it read:

      Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0

      The embedded date string of 20041107 means it was cut on November 7th, 2004. By my calculations, that means it was released 2 months, not 5!

    2. Re:Four unpatched vulns in 5 months by MarkByers · · Score: 1

      Let me rephrase that....

      There have been four security bugs found in Firefox in five months. These bugs were in the PR version, and they still exist in Firefox 1.0. These bugs have been known about for months and they still have not been fixed.

      http://secunia.com/product/4227/

      Many people go on about how Firefox will fix the bugs within 48 hours or whatever, but according to the statistics at Secunia, this does not appear to be the case.

      --
      I'll probably be modded down for this...
  113. OBJECTION!!! by geminidomino · · Score: 1

    The "editors" are obviously NOT "Anti-dupe"

    1. Re:OBJECTION!!! by Megaweapon · · Score: 1

      Heh, I meant to say "Anti-Dupe Checking". My brain is only running at about 70% today.

      --
      I'm sure "SlashdotMedia" will improve on all the wonders that Dice Holdings blessed us all with
  114. You're still "Wrong!" by Anonymous Coward · · Score: 0

    The thread parent is right on the basis that the story write-up was misleading. It IS misleading.

  115. Re:Difference ... actually by salesgeek · · Score: 1


    Apps that don't run do so because they are shoddily programmed. The user protection concept has been around since NT4, maybe it's time we ask developers to actually follow secure coding practices?


    This has less to do with coding and more to do with your install system. Regardless, I still don't have this problem with non redmond OSes because user rights aren't a recent addition.

    --
    -- $G
  116. Don't flip out by crazy_pikachu · · Score: 1

    Don't flip out people, it is just a little problem that Mozilla will have fixed in about a day if not less. So there will be a few people affected by it, but who cares; as long as there are computers there will be people affected by viruses, trojans and all that other crap out there, so just bite your lip and don't surf stupidly on the internet. They will fix the problem, and look on the bright side of things: at least we are not using IE.

  117. Wouldn't this be a dupe? by NoMercy · · Score: 1

    I'm sure all 3 security problems have come up separately when they were actually first found. I seem to remember checking when they were fixed and I think 1.0 shipped with all 3 fixed, or at least the nightly builds don't suffer from the bugs, which aren't deadly serious in most situations.

  118. irony (noun) by Anonymous Coward · · Score: 0
    The second issue was created by the way that Mozilla's browsers handle news:// links to newsgroups, hackers can easily create false links and create a buffer overflow
    I think it's funny that I keep reading all this stuff about hackers v. crackers, and then see this on the front page of Slashdot. Just an observation.
  119. what kind of crap is this? by unixbugs · · Score: 0

    this is newsworthy? the regular development cycle of an open source product is as such. bugs are found, made public, and FIXED ASAP.

    the submitting party is either involved with microsoft, needs glasses, or a swift kick in the ass.

    moron.. it says right ON THE PAGE that this has been fixed.

    --
    You are about to give someone a piece of your mind, something which you can ill afford...
  120. Help! I got an error message by commodoresloat · · Score: 1
    chmod: /directory/path/where/mozilla/keeps/the/files/*: No such file or directory
    1. Re:Help! I got an error message by Lodragandraoidh · · Score: 1

      commodoresloat,

      On the off chance that you are not pulling my leg, I will explain why you got the error message.

      I didn't mean for you to literally enter the path I listed in the chmod command. I thought it was obvious what I meant, but let me explain anyway:

      In the command, "chmod 700 /directory/path/where/mozilla/keeps/the/files/*" you need to replace the "/directory/path/where/mozilla/keeps/the/files/" part with the actual directory path to the files used by Mozilla Firefox.

      I used this shorthand because a) the files can be in different locations depending on how you installed your browser, and b) I didn't have time to actually research the details and present a full 'howto' document in these forums - I left that as an exercise for the user.

      I apologize if I wasn't clear enough on that. However most application documentation, howtos, and computer books use similar methodology - so my assumption was that it would be understandable without further explanation.

      --

      Lodragan Draoidh
      The more you explain it, the more I don't understand it. - Mark Twain
    2. Re:Help! I got an error message by commodoresloat · · Score: 1

      LOL....

      sorry, I was in fact pulling your leg ;)

      Thanks for the explanation though!

    3. Re:Help! I got an error message by Lodragandraoidh · · Score: 1

      Just for that - I will have to put you on my friends list... :p

      --

      Lodragan Draoidh
      The more you explain it, the more I don't understand it. - Mark Twain
  121. but why in tmp in the first place by Sark666 · · Score: 1

    Personally I don't like web browsing using tmp at all. Why is this not in my home's mozilla cache? Is there a technical reason why it goes to /tmp?
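
An added example, not from the thread and not Mozilla's code, for the third issue discussed in the comments above: creating a download temp file that is owner-only from the moment it exists, and auditing a directory for files left readable by other users. It assumes a POSIX system; the function names and file names are hypothetical.

```python
import os
import stat
import tempfile


def create_private_file(directory, name, data):
    """Write data to directory/name so that only the owner can read it."""
    path = os.path.join(directory, name)
    # O_EXCL fails if the name already exists (including a planted symlink),
    # and mode 0o600 applies from the moment of creation, so the file is
    # never readable by others, not even briefly. The umask can only clear
    # further bits, never add group/other access.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as handle:
        handle.write(data)
    return path


def find_exposed(directory):
    """List (path, mode) for our regular files that group or others can access."""
    exposed = []
    for entry in os.scandir(directory):
        info = entry.stat(follow_symlinks=False)
        if not stat.S_ISREG(info.st_mode) or info.st_uid != os.getuid():
            continue
        mode = stat.S_IMODE(info.st_mode)
        if mode & 0o077:
            exposed.append((entry.path, mode))
    return sorted(exposed)


def lock_down(directory):
    """Strip group/other bits from exposed files; owner bits stay as they were."""
    fixed = []
    for path, mode in find_exposed(directory):
        os.chmod(path, mode & 0o700)
        fixed.append(path)
    return fixed


if __name__ == "__main__":
    # Constructed demo in a throwaway directory (mkdtemp creates it mode 0700).
    workdir = tempfile.mkdtemp(prefix="dl-demo-")
    loose = os.path.join(workdir, "loose.pdf")
    with open(loose, "wb") as handle:
        handle.write(b"constructed sample")
    os.chmod(loose, 0o644)  # what a careless writer leaves behind
    create_private_file(workdir, "private.pdf", b"constructed sample")
    print("exposed:", [(p, oct(m)) for p, m in find_exposed(workdir)])
    print("fixed:  ", lock_down(workdir))
```

Unlike a blanket `chmod 700`, `lock_down` leaves the owner's own bits alone, so it does not add execute permission to data files.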

  122. Hm. IE users should wait to crow. . . by Fantastic+Lad · · Score: 1
    until something serious comes up.

    The concerns pointed out are extremely minor ones which will be gone soon enough. --And from reading the posts here, it seems that a couple of them may already be history. (I've not checked this though, and probably won't since I never use Newsgroups, do not have multiple users on my system and don't download things unless I know what the heck they are. Frankly, I probably won't bother patching any of these problems, and will just wait around until the next version of Mozilla comes along.)

    So wake me up when by connecting to the web or checking my email somebody can enslave my entire OS or download all my passwords or delete my hard drive or hit me with any one of a couple dozen nightmare scenarios IE users have had to face in the past.

    The only reason I can think that people who know better still continue to support their broken Microsoft products is that they happened to be using them when it was pointed out that those products were for chumps. --Jeez. Just change products. Don't play at denial crying, "NO! IE is a good product! I define myself through the products I use! So you MUST be wrong, otherwise I'll feel bad! I'm not a chump! I'm NOT! --And I'm going to keep on using my broken software just to prove it to you! Mozilla sucks! I LIKE having zero control over the images displayed on my browser! If it weren't for pop-up ads, how would I know which things I'm supposed to buy?"

    Low self-esteem makes people pick the dumbest and most un-worthy battles to fight.


    -FL

  123. Re:Difference ... actually by dioscaido · · Score: 1

    This has less to do with coding and more to do with your instal system.

    This makes no sense to me, please explain.

  124. Who says it's not fixed? by raehl · · Score: 1

    Just because you don't know who fixed it and they may not have pushed back their fixes doesn't mean it ain't fixed.

    And, worst case, you could always fix it yourself if it's such a big deal to you.

  125. Bound to happen by Anonymous Coward · · Score: 0

    I think Mozilla users (myself included!) have been enjoying a lot of "security through obscurity", since up to this point, no one really cared to find all the (likely numerous) exploits in our favourite browser. With all the recent media coverage, there are going to be a lot more people trying to find the "holes" (for various reasons, reporting, exploiting, etc.). I hope this leads us all to examine the security aspect a bit more closely, there is a long way to go before we can truly browse "safely".

    That said, I wouldn't switch back to IE if you paid me...

  126. To be fair.. by raehl · · Score: 1

    If you buy a copy of XP, you'll get SP2 included now.

  127. While they're at it... by Trogre · · Score: 1

    ...perhaps they could fix the horrible bug that causes both firefox and mozilla proper to stall indefinitely when trying to connect to a random site.

    It's embarrassing as much as anything else giving a windows-using friend Firefox to replace IE, only to find that 1 out of 10 page loads fail, and they go back to "good old" IE, oblivious to the security hole he's just let himself in for.

    --
    "Nine times out of ten, starting a fire is not the best way to solve the problem." - my wife
  128. not exactly by Anonymous Coward · · Score: 0

    You didn't read *all* TFA correctly. From the Secunia site about the "less critical" download issue:

    The vulnerability has been confirmed in Mozilla 1.7.3 for Linux, Mozilla 1.7.5 for Windows, and Mozilla Firefox 1.0. Other versions may also be affected.

    Hopefully a mod will raise one of the posts correcting yours to the same "Score 5 Informative" soon. Or an editor will add the Register summary to the article and save quite a few people some anxious reading through these threads.

  129. Big deal! by solafide · · Score: 1

    The problem with #3? I want to see other users' browsing habits and if they don't like it, tough.

  130. No, you can't be scammed... by SanityInAnarchy · · Score: 1

    Edit->Preferences
    Web Features
    Advanced
    uncheck "Change status bar text"

    --
    Don't thank God, thank a doctor!
  131. Yes, you can be scammed by jesser · · Score: 1

    Unchecking "allow web sites to... change status bar text" only prevents one method of making a link take you to a different URL than what is shown in the status bar. The other method is to change the link's target as soon as you click on the link. You might have to disable JS to prevent web sites from doing that.

    --
    The shareholder is always right.
  132. Re:Illuminative by Anonymous Coward · · Score: 0

    I think you'll find that's the case with Linux, not Mozilla.

  133. Re:Impossible by Anonymous Coward · · Score: 0

    I think you meant Linux not Mozilla.

    Mozilla is actually quite a decent, well-managed, and guided project, unlike Linux.

  134. licensing is a difference by mrbuttboy · · Score: 1

    One difference that jumps right to mind is licensing.

    I know that with an update that Firefox asks me to do, it won't change the license in any meaningful way. I have zero reassurance of this from MS. If Joe Six-pack sees his computer tell him that he needs to update, he isn't going to read the license and even if he DOES may not understand that MS has bought his soul.

    --
    What do you say to the man that has nothing? Cast it away!!
    1. Re:licensing is a difference by Anonymous+Brave+Guy · · Score: 1
      I know that with an update that Firefox asks me to do, it won't change the license in any meaningful way.

      But do you actually know that, or do you simply trust that it is true?

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    2. Re:licensing is a difference by mrbuttboy · · Score: 1
      I suppose that trust is the real answer. But the sentence

      I trust that with an update that Firefox asks me to do, it won't change the license in any meaningful way.


      is one I am HAPPY to see. MS has no reason for my trust, they are a company and that's not their job. Their job is to make money. Firefox is made by the public for the public - it IS their job for them not to screw me.
      --
      What do you say to the man that has nothing? Cast it away!!
  135. It's the general problem that worries me by Anonymous+Brave+Guy · · Score: 1

    I wrote:

    If you can have buffer over-run vulnerabilities in your C++ app, then you are potentially vulnerable to absolutely anything.

    roca replied:

    Not really true.

    I don't disagree with your comments about this specific vulnerability. My argument is more that if your development processes allow one buffer overflow, then you could allow any number of others, and potentially never notice.

    The key point is that buffer over-runs really should never happen in C++, ever. The language provides a wide range of programming tools, and the kind of really low-level stuff that can achieve buffer over-runs -- pointer arithmetic or unchecked array indexing being the most likely culprits -- really should be confined to a small amount of very heavily tested library code.

    That means if a buffer over-run is ever detected, even once and even in beta code, then there is a serious flaw in the coding standards/code review processes/QA of the project. It implies that either unsafe tools are being used at too high a level, or that the reviews and standards for the low-level code are seriously deficient. In either case, if that's the project ethos, you can never trust that there aren't other over-runs that might be more exploitable elsewhere in the project. (It's also a bit of a killer for the "many eyes" theory of greater reliability for OSS projects, but perhaps that's best left for another discussion.)

    Personally, I've always been quite impressed with the Mozilla browser/Firefox code quality. They seem to achieve a remarkably correct and reliable application. In this particular area, though, they clearly suck as much as many other projects (and even document that they do).

    --
    If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
  136. Re:Mozilla isnt open source.... by macewank · · Score: 0

    flamebait? how the hell is that flamebait? the guy asked why people tout open source software for its "quick response" to bugs, and i pointed out that in the case of the OT, the software in question was not open source.