Slashdot Mirror

← Back to Stories (view on slashdot.org)

Security Issues in Mozilla

Posted by michael on from the better-than-IE dept.

paulius_g writes "SecurityFocus has released a security warning with three problems that affect Mozilla on all platforms. The first issue allows the source of a download to be spoofed, generating a fake URL. This security issue is really easy to replicate: Create a long URL and the downloading box will only display its ending (Mozilla and Firefox). The second issue was created by the way that Mozilla's browsers handle news:// links to newsgroups, hackers can easily create false links and create a buffer overflow (Mozilla 1.7.5 and below, Firefox versions before 1.0). The third exploit affects machines with multiple users. The way that Firefox and Thunderbird store files allows every user to see them and to probably catch the other user's surfing habits (Firefox and Thunderbird). Let's hope that these will be fixed soon!"

12 of 454 comments (clear)

  1. A fix? by Blapto · · Score: 5, Informative
    Resolution
    ==========

    All Mozilla users should upgrade to the latest version:

    Says the site, implying at least a partial fix is available.

    1. Re:A fix? by The+Spoonman · · Score: 5, Insightful

      Why is everyone saying these are fixed?

      I'm more curious as to why they aren't fixed YET? We've been hearing for years that Open Source software is better because any problem is fixed within 24-48 hours. Well, it's been almost 51 hours since that issue was released on SecurityFocus, and I'm sure significantly longer since it was first discovered. Firefox is still not telling me there's an update available. What gives?

      For those incapable of grasping the sarcasm, let me spell it out for you: rhetoric gets stale for a reason.

      --
      Which is more painful? Going to work or gouging your eye out with a spoon? Find out!
      http://www.workorspoon.com
  2. Security by Anonymous Coward · · Score: 5, Funny

    Oh no! Time to switch back to IE.

  3. Not Mozilla!! by 53cur!ty · · Score: 5, Funny

    The tragedy, the inhumanity!!

    Bet Gates is grinning today hoping everyone will forget his laptop crash.

    Don't Tech all day and night, visit:
    WillingtonKarateClub.org Training Tips and more

  4. 3 Whole Security Issues! Thank God... by codesurfer · · Score: 5, Funny

    that I can still wipe my Linux box, buy a copy of XP, install, activate, update, reboot, update, reboot, get SP1 & 2, reboot, update, reboot and I'll be able to use Internet Explorer, a safe alternative to....oh wait...

  5. Updates by harlingtoxad · · Score: 5, Insightful

    Most viruses are exploits of things MS has patched months earlier. If Firefox becomes mainstream can we count on the average user to update or will an out of date Firefox become nearly as bad as IE?

    --
    Gravity is not just a law, it's also a good idea.
  6. Third item... by Anonymous Coward · · Score: 5, Informative

    This only applies to Windows platforms. Linux and Unix versions maintain all user information in the homedir, preventing access to ordinary users.

  7. Jeebus Kriced by killmenow · · Score: 5, Funny
    So sayeth the submitter:
    Let's hope that these will be fixed soon!
    Slashdot has gotten so bad, now the submitters don't even RTFA!
  8. This article is BOGUS! by WhiteWolf666 · · Score: 5, Informative

    The Slashdot article, not security focus. In plain text, at the top, it says these were FIXED in the latest versions.

    They affect Firefox versions BEFORE 1.0, Thunderbird BEFORE .9, and Mozilla BEFORE 1.7.5.

    This article was posted by some MS shill who is hoping the because Slashdot is spidered by Google news they will get some mainstream journalism about Firefoxes bugs!

    This is TOTAL crap! Let the MS Smear campaign begin!

    --
    WhiteWolf666 an exBush supporter. All you new-school,compassionate,save the children Republicans can rot in hell
  9. Re:Umm.... by fitten · · Score: 5, Funny

    You mean I gotta walk all the way down to the systemroom to get my information? Crap, no wonder I haven't been able to find it in my office lately...

  10. Re:Even then.... by frankthechicken · · Score: 5, Insightful

    Why?

    Both will have flaws, some major, some minor. And, for me, there seems no real evidence that the Firefox community corrects problems quicker than MS. Both appear to me to fix major problems relatively quickly.

    The only real difference is the experience a user gains from using an individual browser. And for me, I personally prefer the FF experience, as I should, having configuring it until it fits like a glove.

  11. Re:Does no one read anymore? by BenjyD · · Score: 5, Informative

    Apart from the first issue, of course, which reads:

    "The vulnerability has been confirmed in Mozilla 1.7.3 for Linux, Mozilla 1.7.5 for Windows, and Mozilla Firefox 1.0. Other versions may also be affected."

    So it's actually just one spoofing vulnerability. It's probably a result of fixing the bug in 0.9.something where an overly long (>4kb, IIRC) URL in the address bar could cause firefox to lock up the x-server.