Security Issues in Mozilla
paulius_g writes "SecurityFocus has released a security warning with three problems that affect Mozilla on all platforms. The first issue allows the source of a download to be spoofed, generating a fake URL. This security issue is really easy to replicate: Create a long URL and the downloading box will only display its ending (Mozilla and Firefox). The second issue was created by the way that Mozilla's browsers handle news:// links to newsgroups, hackers can easily create false links and create a buffer overflow (Mozilla 1.7.5 and below, Firefox versions before 1.0). The third exploit affects machines with multiple users. The way that Firefox and Thunderbird store files allows every user to see them and to probably catch the other user's surfing habits (Firefox and Thunderbird). Let's hope that these will be fixed soon!"
==========
All Mozilla users should upgrade to the latest version:
Says the site, implying at least a partial fix is available.
I guess they are not drinking the water from Redmond!
Oh no! Time to switch back to IE.
The tragedy, the inhumanity!!
Bet Gates is grinning today hoping everyone will forget his laptop crash.
The way that Firefox and Thunderbird store files allows every user to see them and to probably catch the other user's surfing habits (Firefox and Thunderbird)
Can't the same be said of IE or any program that stores information in %SYSTEMROOM%\Documents and Settings\%USERNAME% ? I mean, it's possible for me to see anyone's "habits" that way, right?
Proudly supporting the Libertarian Party.
All of these security issues are fixed in the latest releases of Firefox/Thunderbird/Seamonkey. They have all been fixed for quite some time now.
It would have been helpful for this information to be included in the story. Thanks, Slashdot.
Weak. They should know better than that. It's not like it is hard to prevent a buffer overflow. They're using C++ for crying out loud.
that I can still wipe my Linux box, buy a copy of XP, install, activate, update, reboot, update, reboot, get SP1 & 2, reboot, update, reboot and I'll be able to use Internet Explorer, a safe alternative to....oh wait...
Most viruses are exploits of things MS has patched months earlier. If Firefox becomes mainstream can we count on the average user to update or will an out of date Firefox become nearly as bad as IE?
Gravity is not just a law, it's also a good idea.
"spotted before rollout"?
Dude, the article says that only versions before Firefox 1.0 are vulnerable, and 1.0 has been out for 2 months already. What are you talking about?
Note that it appears from what I read that these issues only affect the beta versions of Firefox. Who uses a beta once a released version is out???
Basically this is a non issue as everyone should have upgraded to v1.0 as soon as it came out.
Perhaps it will serve as a reality check for those who have the wrong (idealistic) conception about this browser... Average users are so quick to jump on a bandwagon. People tend to think entities like Google and Firefox are lights in the harbor or signs from God. They are just implementations which are better than what others are doing, and they are not as perfect as many like to imply. Firefox is no doubt an improvement over the many other options out there, but as it gains popularity, it will also gain more status as a target - much like IE has been for years now. The fact that there are still vulnerabilities should come as a surprise to no one.
Overclockers
Undoubtedly, proponents of MS will point to this and say "See...told you so..."
The difference between Mozilla/other OSS and MS software is that while a bug in IE will remain unfixed for months (unless it's such a glaring error that the media grills them for it,) a bug in Moz/Firefox won't last very long. So the real issue that we need to remember is not that three bugs were found, but that unlike MS three bugs will be fixed.
Cheers,
-maztuh
The real litigious bastards...
This only applies to Windows platforms. Linux and Unix versions maintain all user information in the homedir, preventing access to ordinary users.
As the article clearly states, all three have been fixed. Simply use the latest versions of the software.
The Slashdot article, not security focus. In plain text, at the top, it says these were FIXED in the latest versions.
They affect Firefox versions BEFORE 1.0, Thunderbird BEFORE .9, and Mozilla BEFORE 1.7.5.
This article was posted by some MS shill who is hoping that because Slashdot is spidered by Google news they will get some mainstream journalism about Firefox's bugs!
This is TOTAL crap! Let the MS Smear campaign begin!
WhiteWolf666 an exBush supporter. All you new-school,compassionate,save the children Republicans can rot in hell
Guys, wake up, old news. According to the article, all bugs were fixed in Mozilla 1.7.5 and Firefox 1.0.
Move on people, nothing to see here!
Why?
Both will have flaws, some major, some minor. And, for me, there seems no real evidence that the Firefox community corrects problems quicker than MS. Both appear to me to fix major problems relatively quickly.
The only real difference is the experience a user gains from using an individual browser. And for me, I personally prefer the FF experience, as I should, having configured it until it fits like a glove.
Is that Firefox, and most likely ANY product that attempts to compete with an established Microsoft product will have to face two issues that Microsoft constantly faces: 1) Features take precedence in the development lifecycle forcing security to become an after-thought. 2) As popularity increases, so does visibility which is currently one of the primary factors in determining scrutiny for such issues.
;)
I still prefer Firefox for its usability features. It wasn't long ago that they got in place a "Software Update Available" mechanism for just these types of circumstances. In turn, people that think Firefox is immune from security issues should look at the past and come back down from their orbit.
Problem One: A String Formatting Issue, URLs should be shown as "http://www.blah.com/.../www.spoof.com/register.php" rather than ".../www.spoof.com/register.php" and users should be shot if they can't recognise a valid URL.
Problem Two: Beta Firefox? That's not an issue then. Otherwise, who let a buffer overflow get into the codebase?
Problem Three: Surely this is more of a problem with Windows' Security model? If an OS is used essentially as a single user machine (e.g., 9x) then there is little that can be done between profiles.
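The display format proposed under "Problem One" above, sketched as an added example (not part of the original comment and not Mozilla's code): the scheme and host are always kept and the middle of the path is elided instead of the front. The function name `elide_url` and the sample URL are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Shorten url to at most max characters for display. The scheme and host
 * (what a user needs to judge the download source) are always kept; the
 * middle of the path is elided instead of the front.
 * Returns 0 on success, -1 if max cannot hold the origin or out is too small. */
int elide_url(const char *url, size_t max, char *out, size_t outsz)
{
    size_t len = strlen(url);
    if (len <= max) {                        /* short enough: show in full */
        if (len >= outsz) return -1;
        memcpy(out, url, len + 1);
        return 0;
    }
    /* End of "scheme://host": the first '/' after the "://". */
    const char *sep = strstr(url, "://");
    const char *host = sep ? sep + 3 : url;
    size_t origin = (size_t)(host - url) + strcspn(host, "/");
    static const char dots[] = "/...";
    size_t dl = sizeof dots - 1;
    if (origin + dl >= max || max >= outsz) return -1;
    size_t tail = max - origin - dl;         /* room left for the URL's end */
    const char *t = url + len - tail;
    /* Start the tail at a '/' when possible so no segment is cut in half. */
    const char *slash = strchr(t, '/');
    if (slash) t = slash;
    snprintf(out, outsz, "%.*s%s%s", (int)origin, url, dots, t);
    return 0;
}

int main(void)
{
    /* Constructed sample URL, modelled on the one in the comment above. */
    char shown[64];
    const char *url = "http://www.blah.com/downloads/mirror/cache/0001/"
                      "www.spoof.com/register.php";
    if (elide_url(url, 50, shown, sizeof shown) == 0)
        puts(shown);
    return 0;
}
```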
If I read TFA correctly, they're fixed already: Mozilla is listed as unaffected in >=1.7.5, Firefox unaffected in >=1.0, and Thunderbird unaffected in >=0.9.
Interestingly, the original bug report came from the Gentoo security people - is there anyone running Gentoo with anything other than the very latest apps?!
This is where the serious fun begins.
Affected packages
=================
Package / Vulnerable / Unaffected
1 mozilla / < 1.7.5 / >= 1.7.5
2 mozilla-bin / < 1.7.5 / >= 1.7.5
3 mozilla-firefox / < 1.0 / >= 1.0
4 mozilla-firefox-bin / < 1.0 / >= 1.0
5 mozilla-thunderbird / < 0.9 / >= 0.9
6 mozilla-thunderbird-bin / < 0.9 / >= 0.9
So, let's try reading this data. If you are running version 1.0 of Firefox, version 1.0 of Thunderbird or version 1.7.5 of Mozilla (all the latest versions) you have NONE of these issues. Geez....
The really important thing as far as I'm concerned is the length of time needed to fix newly discovered bugs, not the number, and this is where the open source development model works so much better.
I'm also concerned about those nasty 0-Day vulnerabilities that are out there but we don't know about. The problem with open source is that the code is out there, so it's easier to find the bugs. The saving grace is that the code is generally better, and there are usually more white hats looking for the problem than black hats.
I still think FF is safer than IE, but I also think it's just as important to be wary of the bugs we don't know about as the ones we do. The same goes for any software product.
is this long enough?
I stole this
Only the buffer overflow issue has been fixed! This article on the Register should clear things up:
http://www.theregister.co.uk/2005/01/07/mozilla_flaws/
Issue 2: Fixed (Affected Versions: Mozilla Browser
This bug is fixed in Mozilla 1.7.5. (Bug 264388)
Mozilla developer Dan Veditz claims that it cannot be exploitable:
"A '\' on the end will certainly trash memory, but at that point you're no
longer reading attacker-supplied data;".
So, at most it would be a DOS attack, not a true "hack into your computer". And from the Security focus link:
So Firefox 1.0 is indeed safe.
Issue #3: From the link:
In other words, 1 outdated, another unconfirmed, and the first one real, but it's moderately critical.
So the Mozilla guys have only to fix ONE bug, and CONFIRM another. Issue #2 is fixed already.
Actually, a buffer overflow can result in the execution of arbitrary code. I'm confident in asserting that all IE6 vulnerabilities need IE to be executing in Administrator context to affect the OS, although it would be instructional to be proven wrong. Given this fact, a buffer overflow in Mozilla as Administrator threatens the OS just as much as an IE vulnerability.
Moral of the story: run Mozilla for the features, run as Limited user to be truly secure.
Oh, a side note. If I have Windows and I want to use Mozilla, why do I have to use IE first to download mozilla?? I already have IE installed, why do I need to download yet another browser and install it?
Never download Mozilla with IE or any other insecure product! Only download Mozilla with Mozilla!
If you download it with IE you may not be downloading the REAL Mozilla. That's what I tell people who report Mozilla crashing and stuff like that. The real Mozilla is flawless. How do you know you are using the real Mozilla?
Also never let someone else install Mozilla from a storage device. They may have tampered with it.
Remember: It's an open source product, so anyone can recompile it with his own malware embedded!
1. Is there a patch or do I have to download the whole browser and reinstall?
See Tools>Options>Software Updates
That when Mozilla (or anything not by Microsoft) has a bug, people say "Let's hope that these will be fixed soon!", but when IE (or anything by Microsoft) has a bug, people say (")Hahahahaha!(")?
I'm not too worried about the third one. For one thing, it is easily worked around by setting your $TMP or $TEMP environment variable. Really the global visibility of the files isn't a "bug" in Firefox/Thunderbird or any other app that does this. They're just following the standard system practice of using whatever directory is specified by TMP/TEMP to open their temporarily files in. The issue is that common practice on that score is moderately insecure and may expose info to other users, but there's nothing application authors should do about that.
The permissions issue is the only real "security" problem, but I would bet they did it that way to allow viewers that may be running setuid nobody to still view the file for the user. Perhaps the answer is simply to have documentation about viewers running setuid nobody (or other restricted users) and a configurable list of such viewers that the user can add to. After that, files destined for ordinary viewers should be permissioned 500, and files destined for setuid restricted-user viewers could be permissioned 544 or something else appropriate.
-- Old Man Kensey
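The permission difference discussed in the comment above, as an added example (not part of the original post and not Firefox or Thunderbird code): the same temporary file created with a plain `open()` under a typical umask and with `mkstemp()`. The function name `temp_file_mode` and the `dl-` file prefix are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Permission bits (e.g. 0644) of an open file, or -1 on error. */
static int mode_of(int fd)
{
    struct stat st;
    return fstat(fd, &st) == 0 ? (int)(st.st_mode & 0777) : -1;
}

/* Create a temporary file under dir and return the mode it ends up with.
 * private_file = 0: plain open() with 0666 under umask 022, so the file is
 *                   readable by every local user (the reported behaviour).
 * private_file = 1: mkstemp(), which creates the file 0600 with O_EXCL
 *                   under an unpredictable name. */
int temp_file_mode(const char *dir, int private_file)
{
    char path[4096];
    int fd, mode;
    mode_t old = umask(022);                 /* common default umask */
    if (private_file) {
        snprintf(path, sizeof path, "%s/dl-XXXXXX", dir);
        fd = mkstemp(path);
    } else {
        snprintf(path, sizeof path, "%s/dl-%ld.tmp", dir, (long)getpid());
        fd = open(path, O_CREAT | O_EXCL | O_WRONLY, 0666);
    }
    umask(old);                              /* restore the caller's umask */
    if (fd < 0) return -1;
    mode = mode_of(fd);
    close(fd);
    unlink(path);                            /* clean up the sample file */
    return mode;
}

int main(void)
{
    printf("open():    %04o\n", (unsigned)temp_file_mode("/tmp", 0));
    printf("mkstemp(): %04o\n", (unsigned)temp_file_mode("/tmp", 1));
    return 0;
}
```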
Click 'cancel' if you are not sure about what you are downloading. Additionally, you should be able to hover the mouse over a link and see the actual URL in the display bar at the bottom of the window. I do this all the time because I want to be sure where my browser will be connecting when I click anything. Of course, if you go to sites that don't use standard HTML for their links, you could be scammed. Generally speaking, unless you are running IE, downloading a trojan isn't going to be that bad - as long as you don't then try to run it. If you were expecting a picture, or a zip file, and got an executable instead, that could also tip you off. This is probably the worse problem of the three - but nothing to lose sleep over.
The second issue was created by the way that Mozilla's browsers handle news:// links to newsgroups, hackers can easily create false links and create a buffer overflow (Mozilla 1.7.5 and below, Firefox versions before 1.0).
If you aren't using the latest version of the browser - you are wrong. Additionally, who reads news groups anymore? I gave up wading through all the spam and flame wars long ago...
The third exploit affects machines with multiple users. The way that Firefox and Thunderbird store files allows every user to see them and to probably catch the other user's surfing habits (Firefox and Thunderbird). Let's hope that these will be fixed soon! - should do the trick on most unix/linux systems. I can't see this breaking the browser, because presumably it is being run by you as you. This is irrelevant on a Windoze machine because it is not truly multi-user (and I can slap a knoppix disk into your windows machine, reboot linux, and read all your files provided I have physical access anyway - which is how most people 'share' a windows box).
Lodragan Draoidh
The more you explain it, the more I don't understand it. - Mark Twain
I know you can't link to Bugzilla directly from Slashdot, but for those of you who are interested the relevant Bugzilla bug numbers to look at for these are: