- Related Stories
-
Flaw found in Firefox
April 5, 2005 -
Mozilla fixes risky Firefox flaw
March 23, 2005 -
Spyware takes aim at Mozilla browsers
February 9, 2005 -
Phishing flaw a danger to alternative browsers
February 7, 2005 -
Firefox: When is a flaw not a flaw?
January 7, 2005
Details of the nine flaws were published on Mozilla's security Web site over the weekend.
Ian Latter, senior security consultant at Internet security specialist Pure Hacking, said most of the vulnerabilities are based on the way the applications handle JavaScript.
"There are some permission issues related to running JavaScript at an escalated privilege level. They remove some of the security measures used to keep JavaScript sandboxed and allow it to potentially do malicious things to your computer," Latter said.
Another issue could allow malicious scripts to gain access to random pieces of memory, he said.
"This random memory may or may not contain pieces of information about where you have been browsing. The worst-case scenario is that it could contain some personal or login information," said Latter.
On Monday, security advisory firm Secunia issued a "highly critical" rating on the flaws found in Mozilla Firefox 0.x and 1.x versions. Secunia posted its
According to the French Security Incident Response Team, attackers could run malicious code on a user's system because of a flaw in the Mozilla browser's pop-up blocker.
An advisory from the French group said, "When a pop-up is blocked, the user is given the ability to open that one pop-up...If the pop-up URL were JavaScript: selecting 'Show JavaScript:...' from the infobar or pop-up blocking status bar icon menus would run the JavaScript with elevated privileges, which could be used to install malicious software."
Another of the Firefox flaws can be exploited when a user visits a Web page that requires a plug-in that has not already been installed. The French advisory claims that if the browser's Plug-in Finder Service is used to automatically locate an appropriate plug-in, the "manual install" function can be used to "launch arbitrary code capable of stealing local data or installing malicious code."
All versions of Mozilla Suite prior to version 1.7.7 and all versions of Firefox prior to 1.0.3 are vulnerable.
Pure Hacking's Latter advises users to either disable JavaScript or download a patched version from Mozilla's Web site.
Munir Kotadia of ZDNet Australia reported from Sydney.
See more CNET content tagged:
JavaScript, flaw, Mozilla Corp., advisory, malicious code
Whadya mean flaws were found in Mozilla Suite and FireFox? How did those wily MS guys sneak their bugs into these fine products? This can't be true. They took out an ad in the New York Times and everything. Well, at least I have *some* comfort knowing the flaws are all safely covered by the magical GPL so anyone can use them if they want to.
I demand that the EU punish Gates for this cowardly act! Maybe they can fine MS another 100 Billion dollars or something fun like that. Oh, and the folks over at News.com should be punished, too. Didn't they get the super-duper secret memo about keeping Open Source flaws quiet? Tsk. Tsk.
Now where did I put that naughty little toy penguin? He's gonna face the fury of my nerd-boy wrath for this incomprehensible act of injustice!
Right here. This is a serious flaw in Mozilla products. I'll freely admit that. As serious as some holes in IE? Arguably, but not necessarily. I haven't read the descriptions of everything, but all the ones I did read required some sort of manual intervention on the part of the user, as opposed to the "I'll just install this software for you behind your back." kind of flaws that IE seems to have.
But that's rather irrelevant, really, as any flaw that can allow arbitrary code execution is bad, as far as I'm concerned.
Let's see how the flaw was handled though:
1. First bug reported to Mozilla crew on April 1st, 2005.
2. Bug discussed on Bugzilla, various suggestions and workarounds proposed.
3. Patch produced.
4. Update released on April 15th, 2005.
Total time: Two weeks plus a day for the whole process, beginning to end. Not bad.
Compare this to Microsoft's approach:
1. Bug reported to Microsoft.
2. Microsoft ignores bug report for several weeks.
3. Bug reported again to Microsoft.
4. Microsoft again ignores bug report.
5. Bug discoverer goes public with report.
6. Microsoft complains about bug reporter disclosing bug before a patch was developed. Mentions "irresponsible" bug reporting.
7. Microsoft PR machine kicks in, spewing crap about "mitigating factors", "we don't know of any customer's compromised by this bug", and generally trying to downplay the bug's seriousness.
8. Microsoft develops patch, released during their regular monthly patch cycle, possibly as much as 4 weeks after patch development.
9. Microsoft crows about how they are proactive about security.
Total time: 4 weeks to several years, sometimes approaching infinity.
What I mean by that last statement is this:
There are known security holes in Windows 95 that Microsoft has known about since it's release or shortly thereafter, which have never been fixed, and which now never will be, because that product has been EOL'd.
The article title and text are very misleading. It should have made more clear that all the listed vulnerabilities are ALREADY fixed in the current version of Firefox.
Step 2: write article
Step 3: profit!
Download Firefox sources, search for 'sprintf', and behold the wonders of buffer overflows! Pick any 'sprintf' call and figure out how to exploit it.
I haven't even looked for 'strcpy' and 'strcat' flaws yet.
I seriously doubt that an open source project whose code has been seen by thousands has these types of freshman level errors.
Then, at the very end of the article it alludes in the weakest possible terms to the existence of a patch. Readers who get googly-eyed by the techincal stuff in the body of the article will miss it entirely, possibly causing them to run unpatched and vulnerable.
CNet, why don't you try and HELP the computing community sometime?
Agreed, very irresponsible reporting (again) by CNET. :-(
It's about crappy code, which can easily exist on any OS, in any programming language, under any model - despite the hype!
As an industry we should focus more on writing solid code, and less on whether or not software is "Open".
- - -
"Beneath the noble birth, between the proudest words, behind the beauty, cracks appear..." - Rush
Get Life, Get IE.
www.microsoft.com/windows/IE
Get a life, drop the fanboy attitude.
- http://secunia.com/product/11/#advisories
...and make some comparisons first.
http://www.secunia.com
Firefox advisories on Secunia since launch - 15
IE6 advisories in the same period - 22
Firefox advisories in 2005 - 11
IE6 advisories in 2005 - 5
Again, as FF gains in popularity, it will gain the attention of those that would look for ways to do some bad. IE's just got a longer head start than FF in which to point out its flaws so it seems easier. The reality is that all software is flawed and no one can perfectly develop complex software...period.
- So why not focus on the fix instead of the risk?
- by Kelson April 19, 2005 2:11 PM PDT
- If people don't update, maybe it's because (a) they don't realize it's important, and (b) they don't realize the fix is available. Stories like this have the opportunity to inform people on both counts. But this story actually manages to *hide* the fact that the update is available. Even allowing for sensationalism, something like "Firefox Security Holes Found, Fixed" with a sidebar pull-out of "Update to 1.0.3 to be protected" could succeed at both sensationalism and responsible reporting.
- Reply to this comment
-
-
- That was supposed to be a rely to "JUST LIKE MS"...
- by Kelson April 19, 2005 2:13 PM PDT
- I must've clicked on the wrong link or something.
-
-
(42 Comments)