Slashdot Mirror

← Back to Stories (view on slashdot.org)

Security Issues in Mozilla

Posted by michael on from the better-than-IE dept.

paulius_g writes "SecurityFocus has released a security warning with three problems that affect Mozilla on all platforms. The first issue allows the source of a download to be spoofed, generating a fake URL. This security issue is really easy to replicate: Create a long URL and the downloading box will only display its ending (Mozilla and Firefox). The second issue was created by the way that Mozilla's browsers handle news:// links to newsgroups, hackers can easily create false links and create a buffer overflow (Mozilla 1.7.5 and below, Firefox versions before 1.0). The third exploit affects machines with multiple users. The way that Firefox and Thunderbird store files allows every user to see them and to probably catch the other user's surfing habits (Firefox and Thunderbird). Let's hope that these will be fixed soon!"

4 of 454 comments (clear)

  1. A fix? by Blapto · · Score: 5, Informative
    Resolution
    ==========

    All Mozilla users should upgrade to the latest version:

    Says the site, implying at least a partial fix is available.

  2. Third item... by Anonymous Coward · · Score: 5, Informative

    This only applies to Windows platforms. Linux and Unix versions maintain all user information in the homedir, preventing access to ordinary users.

  3. This article is BOGUS! by WhiteWolf666 · · Score: 5, Informative

    The Slashdot article, not security focus. In plain text, at the top, it says these were FIXED in the latest versions.

    They affect Firefox versions BEFORE 1.0, Thunderbird BEFORE .9, and Mozilla BEFORE 1.7.5.

    This article was posted by some MS shill who is hoping the because Slashdot is spidered by Google news they will get some mainstream journalism about Firefoxes bugs!

    This is TOTAL crap! Let the MS Smear campaign begin!

    --
    WhiteWolf666 an exBush supporter. All you new-school,compassionate,save the children Republicans can rot in hell
  4. Re:Does no one read anymore? by BenjyD · · Score: 5, Informative

    Apart from the first issue, of course, which reads:

    "The vulnerability has been confirmed in Mozilla 1.7.3 for Linux, Mozilla 1.7.5 for Windows, and Mozilla Firefox 1.0. Other versions may also be affected."

    So it's actually just one spoofing vulnerability. It's probably a result of fixing the bug in 0.9.something where an overly long (>4kb, IIRC) URL in the address bar could cause firefox to lock up the x-server.