Slashdot Mirror

← Back to Stories (view on slashdot.org)

Security Issues in Mozilla

Posted by michael on from the better-than-IE dept.

paulius_g writes "SecurityFocus has released a security warning with three problems that affect Mozilla on all platforms. The first issue allows the source of a download to be spoofed, generating a fake URL. This security issue is really easy to replicate: Create a long URL and the downloading box will only display its ending (Mozilla and Firefox). The second issue was created by the way that Mozilla's browsers handle news:// links to newsgroups, hackers can easily create false links and create a buffer overflow (Mozilla 1.7.5 and below, Firefox versions before 1.0). The third exploit affects machines with multiple users. The way that Firefox and Thunderbird store files allows every user to see them and to probably catch the other user's surfing habits (Firefox and Thunderbird). Let's hope that these will be fixed soon!"

32 of 454 comments (clear)

  1. A fix? by Blapto · · Score: 5, Informative
    Resolution
    ==========

    All Mozilla users should upgrade to the latest version:

    Says the site, implying at least a partial fix is available.

    1. Re:A fix? by Anonymous Coward · · Score: 3, Funny

      I'm tired of all these upgrades every once in a while.. Now, I'm using telnet to port 80 to read slashdot. It took me 4 hours to post this though..

    2. Re:A fix? by vk2 · · Score: 3, Funny

      You could have reduced it to 2 hours if you had used both your hands to type.

      --
      No Sig for you.!
    3. Re:A fix? by The+Spoonman · · Score: 5, Insightful

      Why is everyone saying these are fixed?

      I'm more curious as to why they aren't fixed YET? We've been hearing for years that Open Source software is better because any problem is fixed within 24-48 hours. Well, it's been almost 51 hours since that issue was released on SecurityFocus, and I'm sure significantly longer since it was first discovered. Firefox is still not telling me there's an update available. What gives?

      For those incapable of grasping the sarcasm, let me spell it out for you: rhetoric gets stale for a reason.

      --
      Which is more painful? Going to work or gouging your eye out with a spoon? Find out!
      http://www.workorspoon.com
    4. Re:A fix? by LnxAddct · · Score: 4, Informative

      Did you read the security alerts? They only affect Firefox 0.9.3 and earlier. They have been fixed since 1.0 ( not sure if it was intentional or not, but whatever code caused this no longer causes it).
      Regards,
      Steve

  2. Only THREE? by w1r3sp33d · · Score: 3, Funny

    I guess they are not drinking the water from Redmond!

  3. Security by Anonymous Coward · · Score: 5, Funny

    Oh no! Time to switch back to IE.

  4. Not Mozilla!! by 53cur!ty · · Score: 5, Funny

    The tragedy, the inhumanity!!

    Bet Gates is grinning today hoping everyone will forget his laptop crash.

    Don't Tech all day and night, visit:
    WillingtonKarateClub.org Training Tips and more

  5. Umm.... by Oxy+the+moron · · Score: 4, Insightful

    The way that Firefox and Thunderbird store files allows every user to see them and to probably catch the other user's surfing habits (Firefox and Thunderbird)

    Can't the same be said of IE or any program that stores information in %SYSTEMROOM%\Documents and Settings\%USERNAME% ? I mean, it's possible for me to see anyone's "habits" that way, right?

    --

    Proudly supporting the Libertarian Party.

    1. Re:Umm.... by fitten · · Score: 5, Funny

      You mean I gotta walk all the way down to the systemroom to get my information? Crap, no wonder I haven't been able to find it in my office lately...

  6. Misleading Article by Asacarny · · Score: 3, Informative

    All of these security issues are fixed in the latest releases of Firefox/Thunderbird/Seamonkey. They have all been fixed for quite some time now.

    It would have been helpful for this information to be included in the story. Thanks, Slashdot.

    1. Re:Misleading Article by northcat · · Score: 4, Funny

      How can his post be rated informatve when it isn't true?

      You must be new here.

  7. Buffer overflow? by mattgreen · · Score: 3, Insightful

    Weak. They should know better than that. It's not like it is hard to prevent a buffer overflow. They're using C++ for crying out loud.

    1. Re:Buffer overflow? by deadlinegrunt · · Score: 4, Insightful

      I have not looked at the latest code base so my response may very well be wrong, however you may want to keep this in mind when making such a statment:

      Perhaps one reason is they are not really using C++ to its fullest extent like here as an example.

      --
      BSD is designed. Linux is grown. C++ libs
  8. 3 Whole Security Issues! Thank God... by codesurfer · · Score: 5, Funny

    that I can still wipe my Linux box, buy a copy of XP, install, activate, update, reboot, update, reboot, get SP1 & 2, reboot, update, reboot and I'll be able to use Internet Explorer, a safe alternative to....oh wait...

  9. Updates by harlingtoxad · · Score: 5, Insightful

    Most viruses are exploits of things MS has patched months earlier. If Firefox becomes mainstream can we count on the average user to update or will an out of date Firefox become nearly as bad as IE?

    --
    Gravity is not just a law, it's also a good idea.
  10. Sounds like good news to me by I.M.O.G. · · Score: 3, Insightful

    Perhaps it will serve as a reality check for those who have the wrong (idealistic) conception about this browser... Average users are so quick to jump on a bandwagon. People tend to think entities like Google and Firefox are lights in the harbor or signs from God. They are just implementations which are better than what others are doing, and they are not as perfect as many like to imply. Firefox is no doubt an improvement over the many other options out there, but as it gains popularity, it will also gain more status as a target - much like IE has been for years now. The fact there there are still vulnerabilities should come as a surprise to no one.

    --
    Overclockers
    1. Re:Sounds like good news to me by 0123456 · · Score: 4, Insightful

      "The fact there there are still vulnerabilities should come as a surprise to no one."

      Of course not. But, unlike IE, these aren't 'You open a web page and your machine is taken over as a spam zombie' vulnerabilities. They should be fixed, but are less serious than the usual IE bugs... and they'll likely be fixed a lot faster.

    2. Re:Sounds like good news to me by Anonymous+Brave+Guy · · Score: 4, Interesting
      But, unlike IE, these aren't 'You open a web page and your machine is taken over as a spam zombie' vulnerabilities. They should be fixed, but are less serious than the usual IE bugs...

      If you can have buffer over-run vulnerabilities in your C++ app, then you are potentially vulnerable to absolutely anything. The fact that even one exists, even in a beta development, betrays fundamentally flawed coding standards and/or QA procedures. These things should never happen in a C++ app, and the coding techniques to prevent them are trivial.

      and they'll likely be fixed a lot faster.

      Easy, tiger. As others have pointed out, most exploits of Windows/IE systems use vulnerabilities that MS patched months ago, and when critical ones do come up, patches usually do appear (with much hype) PDQ.

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
  11. Third item... by Anonymous Coward · · Score: 5, Informative

    This only applies to Windows platforms. Linux and Unix versions maintain all user information in the homedir, preventing access to ordinary users.

  12. Jeebus Kriced by killmenow · · Score: 5, Funny
    So sayeth the submitter:
    Let's hope that these will be fixed soon!
    Slashdot has gotten so bad, now the submitters don't even RTFA!
  13. This article is BOGUS! by WhiteWolf666 · · Score: 5, Informative

    The Slashdot article, not security focus. In plain text, at the top, it says these were FIXED in the latest versions.

    They affect Firefox versions BEFORE 1.0, Thunderbird BEFORE .9, and Mozilla BEFORE 1.7.5.

    This article was posted by some MS shill who is hoping the because Slashdot is spidered by Google news they will get some mainstream journalism about Firefoxes bugs!

    This is TOTAL crap! Let the MS Smear campaign begin!

    --
    WhiteWolf666 an exBush supporter. All you new-school,compassionate,save the children Republicans can rot in hell
  14. Re:Even then.... by frankthechicken · · Score: 5, Insightful

    Why?

    Both will have flaws, some major, some minor. And, for me, there seems no real evidence that the Firefox community corrects problems quicker than MS. Both appear to me to fix major problems relatively quickly.

    The only real difference is the experience a user gains from using an individual browser. And for me, I personally prefer the FF experience, as I should, having configuring it until it fits like a glove.

  15. So we have by hattig · · Score: 4, Insightful

    Problem One: A String Formatting Issue, URLs should be shown as "http://www.blah.com/.../www.spoof.com/register.ph p" rather than ".../www.spoof.com/register.php" and users should be shot if they can't recognise a valid URL.

    Problem Two: Beta Firefox? That's not an issue then. Otherwise, who let a buffer overflow get into the codebase?

    Problem Three: Surely this is more of a problem with Windows' Security model? if an OS is used essentially as a single user machine (e.g., 9x) then there is little that can be done between profiles.

  16. Re:I bet they will be fixed within 24hours! by I+confirm+I'm+not+a · · Score: 4, Informative

    If I read TFA correctly, they're fixed already: Mozilla is listed as unaffected in >=1.7.5, Firefox unaffected in >=1.0, and Thunderbird unaffected in >=0.9.

    Interestingly, the original bug report came from the Gentoo security people - is there anyone running Gentoo with anything other that the very latest apps?!

    --
    This is where the serious fun begins.
  17. I'm concerned about 0-Day by IcEMaN252 · · Score: 4, Insightful

    The really important thing as far as I'm concerned is the length of time needed to fix newly discovered bugs, not the number, and this is where the open source development model works so much better.

    I'm also concerned about those nasty 0-Day vulnerabilites that are out there but we don't know about. The problem with open source is that the code is out there, so its easier to find the bugs. The saving grace is that the code is generally better, and there are usually more white hats looking for the problem than black hats.

    I still think FF is safer than IE, but I also think its just as important to be wary of the bugs we don't know about as the ones we do. The same goes for any software product.

    --
    CitrusTV (http://www.citrustv.net): the Nation's Oldest & Largest Entirely Student-Run Television Station
  18. Re:Does no one read anymore? by BenjyD · · Score: 5, Informative

    Apart from the first issue, of course, which reads:

    "The vulnerability has been confirmed in Mozilla 1.7.3 for Linux, Mozilla 1.7.5 for Windows, and Mozilla Firefox 1.0. Other versions may also be affected."

    So it's actually just one spoofing vulnerability. It's probably a result of fixing the bug in 0.9.something where an overly long (>4kb, IIRC) URL in the address bar could cause firefox to lock up the x-server.

  19. Long URL? by discordja · · Score: 3, Funny
    This security issue is really easy to replicate: Create a long URL and the downloading box will only display its ending (Mozilla and Firefox).

    is this long enough?
    http://hugeurl.com/?MjYzODBkMDE2ZTI1M2Q3ODQ5ZThlYm Q1YjRhMjMxMjgmMTImVm0wd2QyUXlVWGxXYTJoV1YwZG9WVll3 Wkc5alJsWjBUVlpPV0Zac2JETlhhMUpUVmpGYWMySkVUbGhoTW sweFZqQmFTMk15U2tWVWJHaG9UVmhDVVZadGVGWmxSbGw1Vkd0 c2FsSnRhRzlVVjNOM1pVWmFkR05GZEZSTlZUVkpWbTEwYTFkSF NrZGpTRUpYVFVad1NGUlVSbUZqVmtaMFVteFNUbUY2UlRGV1ZF b3dWakZhV0ZOcmJGSmlSMmhZV1d4b2IwMHhXbGRYYlVaclVsUk dXbGt3WkRSVk1rcElaSHBHVjJFeVVYZFpWRVpyVTBaT2NscEhj RlJTVlhCWlZrWldhMVV5VW5OalJtUllZbFZhY1ZscldtRmxWbV J5VjI1a1YwMUVSa1pWYkZKRFZqQXhkVlZ1V2xaaGExcFlXa1Zh VDJOdFNrZFRiV3hYVWpOb1dGWnRNSGRsUjBsNFUydGthVk5GV2 xSWmJHaFRWMVpXY1ZKcmRGUldiRm93V2xWb2ExWXdNVVZTYTFw WFlrZG9jbFpxU2tabFZsWlpXa1prYUdFeGNGaFhiRnBoVkRKT2 RGSnJhR2hTYXpWeldXeG9iMWRHV25STlNHaFBVbTE0VjFSVmFH OVhSMHBJVld4c1dtSkhhRlJXTUZwVFZqRmtkRkp0ZUZkaWEwcE lWbXBKZUUxR1dsaFRhMlJxVWtWYVYxWnFUbTlsYkZweFUydGth bUpWVmpaWlZWcHJZVWRGZUdOSGFGaGlSbkJvVmtSS1QyUkdTbk poUjJoVFlrVndWVlp0ZUc5Uk1XUlhWMWhvV0dKWVVrOVZha1pI VGxaYVdFNVZPVmhTTUhCNVZHeGFjMWR0U2toaFJsSlhUVlp3V0 ZreFdrdGtSa3B6Vld4a2FXRXdjRWxXYlhCTFpXczFWMWRzYUZS aE1sSndWV3RhUzFZeFVsaE9WemxzWWtad2VGVXlkR0ZpUmxwel UyeHdXbFpXY0hKV2FrWkxWMVpHY2sxV1pGZE5NRXBKVm10U1Iy RXhXWGxVYTFwaFVqSm9WRlJYTlc5a2JGcEhWbTA1VWsxWFVucF dNV2h2VjBkS1JrNVdWbFZXYkhCWVZGUkdVMk15UmtaUFYyaHBV bGhDV1ZacVNqUlZNV1IwVTJ0a1dHSlhhRmhaVkVaM1pXeHJlV1 ZJWkZOV2ExcDVWREZrYzFVd01IbGhSbXhYWWxoQ1RGUnJaRVps Um1SellVWlNhVkp1UW5oV1YzaHJWVEZzVjJKR2FHcGxhMXB4V1 d0YWQyVkdWblJOVldSV1RXdHdWMWx1Y0V0V2JGbDZZVWRvV21F eVVrZGFWV1JQVWpKS1IxcEhiRmhTVlhCS1ZqRmFVMU14VVhsVV dHaGhVMFphVmxscldrdGpSbFp4VW10MFYxWnNjRWhXVjNSTFlU QXhSVkpzVGxaU2JFWXpWVVpGT1ZCUlBUMD0=
    --
    I stole this .sig
  20. Wrong! by the_mighty_$ · · Score: 4, Informative

    Only the buffer overflow issue has been fixed! This article on the Register should clear things up:

    http://www.theregister.co.uk/2005/01/07/mozilla_fl aws/

    --
    VI VI VI - the editor of the beast!
  21. Not as critical as they appear in the submission by Spy+der+Mann · · Score: 3, Informative
    Issue 1: Spoofing, unpatched (yet). Moderately critical.

    Issue 2: Fixed (Affected Versions: Mozilla Browser
    This bug is fixed in Mozilla 1.7.5. (Bug 264388)
    Mozilla developer Dan Veditz claims that it cannot be exploitable:
    "A '\' on the end will certainly trash memory, but at that point you're no
    longer reading attacker-supplied data;".
    So, at most it would be a DOS attack, not a true "hack into your computer". And from the Security focus link:

    Affected packages
    =================
    mozilla < 1.7.5
    mozilla-bin < 1.7.5
    mozilla-firefox < 1.0
    mozilla-firefox-bin < 1.0
    mozilla-thunderbird < 0.9
    mozilla-thunderbird-bin < 0.9

    So Firefox 1.0 is indeed safe.

    Issue #3:From the link:

    This exact issue affects Mozilla Firefox 0.9.3. I haven't tested
    older/newer versions, and all of this was tested under Debian Unstable.


    In other words, 1 outdated, another unconfirmed, and the first one real, but it's moderately critical.

    So the Mozilla guys have only to fix ONE bug, and CONFIRM another. Issue #2 is fixed already.
  22. Why is it... by cagliost · · Score: 3, Interesting

    That when Mozilla (or anything not by Microsoft) has a bug, people say "Let's hope that these will be fixed soon!", but when IE (or anything by Microsoft) has a bug, people say (")Hahahahaha!(")?

  23. I wouldn't lose any sleep over this. by Lodragandraoidh · · Score: 4, Insightful
    Create a long URL and the downloading box will only display its ending (Mozilla and Firefox).

    Click 'cancel' if you are not sure about what you are downloading; Addtionally, you should be able to hover the mouse over a link and see the actual URL in the display bar at the bottom of the window. I do this all the time because I want to be sure where my browser will be connecting when I click anything. Of course, if you go to sites that don't use standard HTML for their links, you could be scammed. Generally speaking, unless you are running IE, downloading a trojan isn't going to be that bad - as long as you don't then try to run it. If you were expecting a picture, or a zip file, and got an executable instead, that could also tip you off. This is probably the worse problem of the three - but nothing to lose sleep over.

    The second issue was created by the way that Mozilla's browsers handle news:// links to newsgroups, hackers can easily create false links and create a buffer overflow (Mozilla 1.7.5 and below, Firefox versions before 1.0).

    If you aren't using the latest version of the browser - you are wrong. Additionally, who reads news groups anymore? I gave up wading through all the spam and flame wars long ago...

    The third exploit affects machines with multiple users. The way that Firefox and Thunderbird store files allows every user to see them and to probably catch the other user's surfing habits (Firefox and Thunderbird). Let's hope that these will be fixed soon!
    chmod 700 -R /directory/path/where/mozilla/keeps/the/files/*
    - should do the trick on most unix/linux systems. I can't see this breaking the browser, because presumably it is being run by you as you. This is irrelevant on a Windoze machine because it is not truely multi-user (and I can slap a knoppix disk into your windows machine, reboot linux, and read all your files provided I have physical access anyway - which is how most people 'share' a windows box).
    --

    Lodragan Draoidh
    The more you explain it, the more I don't understand it. - Mark Twain