Slashdot Mirror

← Back to Stories (view on slashdot.org)

Security Issues in Mozilla

Posted by michael on from the better-than-IE dept.

paulius_g writes "SecurityFocus has released a security warning with three problems that affect Mozilla on all platforms. The first issue allows the source of a download to be spoofed, generating a fake URL. This security issue is really easy to replicate: Create a long URL and the downloading box will only display its ending (Mozilla and Firefox). The second issue was created by the way that Mozilla's browsers handle news:// links to newsgroups, hackers can easily create false links and create a buffer overflow (Mozilla 1.7.5 and below, Firefox versions before 1.0). The third exploit affects machines with multiple users. The way that Firefox and Thunderbird store files allows every user to see them and to probably catch the other user's surfing habits (Firefox and Thunderbird). Let's hope that these will be fixed soon!"

20 of 454 comments (clear)

  1. Even then.... by Gentlewhisper · · Score: 1, Insightful

    Inspite of these security flaws, Firefox is still a lot better than the incumbent IE.. no?

    --
    Online backup with Mozy, sounds like Ozzie, but more!
    1. Re:Even then.... by frankthechicken · · Score: 5, Insightful

      Why?

      Both will have flaws, some major, some minor. And, for me, there seems no real evidence that the Firefox community corrects problems quicker than MS. Both appear to me to fix major problems relatively quickly.

      The only real difference is the experience a user gains from using an individual browser. And for me, I personally prefer the FF experience, as I should, having configuring it until it fits like a glove.

  2. Umm.... by Oxy+the+moron · · Score: 4, Insightful

    The way that Firefox and Thunderbird store files allows every user to see them and to probably catch the other user's surfing habits (Firefox and Thunderbird)

    Can't the same be said of IE or any program that stores information in %SYSTEMROOM%\Documents and Settings\%USERNAME% ? I mean, it's possible for me to see anyone's "habits" that way, right?

    --

    Proudly supporting the Libertarian Party.

  3. Buffer overflow? by mattgreen · · Score: 3, Insightful

    Weak. They should know better than that. It's not like it is hard to prevent a buffer overflow. They're using C++ for crying out loud.

    1. Re:Buffer overflow? by deadlinegrunt · · Score: 4, Insightful

      I have not looked at the latest code base so my response may very well be wrong, however you may want to keep this in mind when making such a statment:

      Perhaps one reason is they are not really using C++ to its fullest extent like here as an example.

      --
      BSD is designed. Linux is grown. C++ libs
  4. Updates by harlingtoxad · · Score: 5, Insightful

    Most viruses are exploits of things MS has patched months earlier. If Firefox becomes mainstream can we count on the average user to update or will an out of date Firefox become nearly as bad as IE?

    --
    Gravity is not just a law, it's also a good idea.
  5. Sounds like good news to me by I.M.O.G. · · Score: 3, Insightful

    Perhaps it will serve as a reality check for those who have the wrong (idealistic) conception about this browser... Average users are so quick to jump on a bandwagon. People tend to think entities like Google and Firefox are lights in the harbor or signs from God. They are just implementations which are better than what others are doing, and they are not as perfect as many like to imply. Firefox is no doubt an improvement over the many other options out there, but as it gains popularity, it will also gain more status as a target - much like IE has been for years now. The fact there there are still vulnerabilities should come as a surprise to no one.

    --
    Overclockers
    1. Re:Sounds like good news to me by 0123456 · · Score: 4, Insightful

      "The fact there there are still vulnerabilities should come as a surprise to no one."

      Of course not. But, unlike IE, these aren't 'You open a web page and your machine is taken over as a spam zombie' vulnerabilities. They should be fixed, but are less serious than the usual IE bugs... and they'll likely be fixed a lot faster.

  6. And.... by maztuhblastah · · Score: 2, Insightful

    Undoubtedly, proponents of MS will point to this and say "See...told you so..."

    The difference between Mozilla/other OSS and MS software is that while a bug in IE will remain unfixed for months (unless it's such a glaring error that the media grills them for it,) a bug in Moz/Firefox won't last very long. So the real issue that we need to remember is not that three bugs were found, but that unlike MS three bugs will be fixed.

    Cheers,
    -maztuh

    --
    The real litigious bastards...
  7. The reality... by eastshores · · Score: 2, Insightful

    Is that Firefox, and most likely ANY product that attempts to compete with an established Microsoft product will have to face two issues that Microsoft constantly faces: 1) Features take precedence in the development lifecycle forcing security to become an after-thought. 2) As popularity increases, so does visibility which is currently one of the primary factors in determining scrutiny for such issues.

    I still prefer Firefox for it's usability features. It wasn't long ago that they got in place a "Software Update Available" mechanism for just these types of circumstances. In turn, people that think Firefox is immune from security issues should look at the past and come back down from their orbit ;)

  8. So we have by hattig · · Score: 4, Insightful

    Problem One: A String Formatting Issue, URLs should be shown as "http://www.blah.com/.../www.spoof.com/register.ph p" rather than ".../www.spoof.com/register.php" and users should be shot if they can't recognise a valid URL.

    Problem Two: Beta Firefox? That's not an issue then. Otherwise, who let a buffer overflow get into the codebase?

    Problem Three: Surely this is more of a problem with Windows' Security model? if an OS is used essentially as a single user machine (e.g., 9x) then there is little that can be done between profiles.

  9. I'm concerned about 0-Day by IcEMaN252 · · Score: 4, Insightful

    The really important thing as far as I'm concerned is the length of time needed to fix newly discovered bugs, not the number, and this is where the open source development model works so much better.

    I'm also concerned about those nasty 0-Day vulnerabilites that are out there but we don't know about. The problem with open source is that the code is out there, so its easier to find the bugs. The saving grace is that the code is generally better, and there are usually more white hats looking for the problem than black hats.

    I still think FF is safer than IE, but I also think its just as important to be wary of the bugs we don't know about as the ones we do. The same goes for any software product.

    --
    CitrusTV (http://www.citrustv.net): the Nation's Oldest & Largest Entirely Student-Run Television Station
  10. Re:So what about. . . by Anonymous Coward · · Score: 1, Insightful

    Whatever you do, don't tell an Opera user about security issues with their browser. Hell, don't criticise it at all... They're more rabid & fanboy than Apple's worst. You'll lose body parts.

  11. Re:A fix? by The+Spoonman · · Score: 5, Insightful

    Why is everyone saying these are fixed?

    I'm more curious as to why they aren't fixed YET? We've been hearing for years that Open Source software is better because any problem is fixed within 24-48 hours. Well, it's been almost 51 hours since that issue was released on SecurityFocus, and I'm sure significantly longer since it was first discovered. Firefox is still not telling me there's an update available. What gives?

    For those incapable of grasping the sarcasm, let me spell it out for you: rhetoric gets stale for a reason.

    --
    Which is more painful? Going to work or gouging your eye out with a spoon? Find out!
    http://www.workorspoon.com
  12. Re:Difference ... actually by dioscaido · · Score: 2, Insightful

    Actually, a buffer overflow can result in the execution of arbitrary code. I'm confident in asserting that all IE6 vulnerabilities need IE to be executing in Administrator context to affect the OS, although it would be instructional to be proven wrong. Given this fact, a buffer overflow in Mozilla as Administrator threatens the OS just as much as an IE vulnerability.

    Moral of the story: run Mozilla for the features, run as Limited user to be truly secure.

  13. I wouldn't lose any sleep over this. by Lodragandraoidh · · Score: 4, Insightful
    Create a long URL and the downloading box will only display its ending (Mozilla and Firefox).

    Click 'cancel' if you are not sure about what you are downloading; Addtionally, you should be able to hover the mouse over a link and see the actual URL in the display bar at the bottom of the window. I do this all the time because I want to be sure where my browser will be connecting when I click anything. Of course, if you go to sites that don't use standard HTML for their links, you could be scammed. Generally speaking, unless you are running IE, downloading a trojan isn't going to be that bad - as long as you don't then try to run it. If you were expecting a picture, or a zip file, and got an executable instead, that could also tip you off. This is probably the worse problem of the three - but nothing to lose sleep over.

    The second issue was created by the way that Mozilla's browsers handle news:// links to newsgroups, hackers can easily create false links and create a buffer overflow (Mozilla 1.7.5 and below, Firefox versions before 1.0).

    If you aren't using the latest version of the browser - you are wrong. Additionally, who reads news groups anymore? I gave up wading through all the spam and flame wars long ago...

    The third exploit affects machines with multiple users. The way that Firefox and Thunderbird store files allows every user to see them and to probably catch the other user's surfing habits (Firefox and Thunderbird). Let's hope that these will be fixed soon!
    chmod 700 -R /directory/path/where/mozilla/keeps/the/files/*
    - should do the trick on most unix/linux systems. I can't see this breaking the browser, because presumably it is being run by you as you. This is irrelevant on a Windoze machine because it is not truely multi-user (and I can slap a knoppix disk into your windows machine, reboot linux, and read all your files provided I have physical access anyway - which is how most people 'share' a windows box).
    --

    Lodragan Draoidh
    The more you explain it, the more I don't understand it. - Mark Twain
  14. Re:A fix? by xarak · · Score: 2, Insightful


    I agree FF1.0 is the best one to have. First non-beta version &c.

    However, I worry if we get into the same "upgrade-or-die" frenzy as with IE. No-one wants to be told that their navigator which has worked fine for 6 months has suddenly become a security hole. I was hoping Mozilla could steer clear of this

    --
    Atheism is a non-prophet organisation
  15. Re:A fix? by m50d · · Score: 2, Insightful

    However, surely any link from a non-trusted site could contain a virus just as easily if it was in the location it appears? I mean, if a hack^H^H^H^Hcracker has access to www.nicesite.com, does it matter if he makes a fake link that really downloads from www.nastysite.com or just replaces the file at www.nicesite.com?

    --
    I am trolling
  16. Re:A fix? by XMyth · · Score: 2, Insightful

    No one says that about their beta software (which is what Firefox 0.9.3 is)

  17. Re:A fix? by Anonymous Coward · · Score: 1, Insightful

    Because upgrading Open Source software is free, MS wants you to pay...