Multiple vulnerabilities that could allow an attacker to install malicious code or steal personal data have been discovered in the Mozilla Suite and the Firefox open-source browser.
Details of the nine flaws were published on Mozilla's security Web site over the weekend.
Ian Latter, senior security consultant at Internet security specialist Pure Hacking, said most of the vulnerabilities are based on the way the applications handle JavaScript.
"There are some permission issues related to running JavaScript at an escalated privilege level. They remove some of the security measures used to keep JavaScript sandboxed and allow it to potentially do malicious things to your computer," Latter said.
Another issue could allow malicious scripts to gain access to random pieces of memory, he said.
"This random memory may or may not contain pieces of information about where you have been browsing. The worst-case scenario is that it could contain some personal or login information," said Latter.
On Monday, security advisory firm Secunia issued a "highly critical" rating on the flaws found in Mozilla Firefox 0.x and 1.x versions. Secunia posted its advisory on eight of the flaws.
According to the French Security Incident Response Team, attackers could run malicious code on a user's system because of a flaw in the Mozilla browser's pop-up blocker.
An advisory from the French group said, "When a pop-up is blocked, the user is given the ability to open that one pop-up...If the pop-up URL were JavaScript: selecting 'Show JavaScript:...' from the infobar or pop-up blocking status bar icon menus would run the JavaScript with elevated privileges, which could be used to install malicious software."
Another of the Firefox flaws can be exploited when a user visits a Web page that requires a plug-in that has not already been installed. The French advisory claims that if the browser's Plug-in Finder Service is used to automatically locate an appropriate plug-in, the "manual install" function can be used to "launch arbitrary code capable of stealing local data or installing malicious code."
All versions of Mozilla Suite prior to version 1.7.7 and all versions of Firefox prior to 1.0.3 are vulnerable.
Pure Hacking's Latter advises users to either disable JavaScript or download a patched version from Mozilla's Web site.
Whadya mean flaws were found in Mozilla Suite and FireFox? How did those wily MS guys sneak their bugs into these fine products? This can't be true. They took out an ad in the New York Times and everything. Well, at least I have *some* comfort knowing the flaws are all safely covered by the magical GPL so anyone can use them if they want to.
I demand that the EU punish Gates for this cowardly act! Maybe they can fine MS another 100 Billion dollars or something fun like that. Oh, and the folks over at News.com should be punished, too. Didn't they get the super-duper secret memo about keeping Open Source flaws quiet? Tsk. Tsk.
Now where did I put that naughty little toy penguin? He's gonna face the fury of my nerd-boy wrath for this incomprehensible act of injustice!
Right here. This is a serious flaw in Mozilla products. I'll freely admit that. As serious as some holes in IE? Arguably, but not necessarily. I haven't read the descriptions of everything, but all the ones I did read required some sort of manual intervention on the part of the user, as opposed to the "I'll just install this software for you behind your back." kind of flaws that IE seems to have.
But that's rather irrelevant, really, as any flaw that can allow arbitrary code execution is bad, as far as I'm concerned.
Let's see how the flaw was handled though:
1. First bug reported to Mozilla crew on April 1st, 2005. 2. Bug discussed on Bugzilla, various suggestions and workarounds proposed. 3. Patch produced. 4. Update released on April 15th, 2005.
Total time: Two weeks plus a day for the whole process, beginning to end. Not bad.
Compare this to Microsoft's approach:
1. Bug reported to Microsoft. 2. Microsoft ignores bug report for several weeks. 3. Bug reported again to Microsoft. 4. Microsoft again ignores bug report. 5. Bug discoverer goes public with report. 6. Microsoft complains about bug reporter disclosing bug before a patch was developed. Mentions "irresponsible" bug reporting. 7. Microsoft PR machine kicks in, spewing crap about "mitigating factors", "we don't know of any customer's compromised by this bug", and generally trying to downplay the bug's seriousness. 8. Microsoft develops patch, released during their regular monthly patch cycle, possibly as much as 4 weeks after patch development. 9. Microsoft crows about how they are proactive about security.
Total time: 4 weeks to several years, sometimes approaching infinity.
What I mean by that last statement is this: There are known security holes in Windows 95 that Microsoft has known about since it's release or shortly thereafter, which have never been fixed, and which now never will be, because that product has been EOL'd.
The article title and text are very misleading. It should have made more clear that all the listed vulnerabilities are ALREADY fixed in the current version of Firefox.
Download Firefox sources, search for 'sprintf', and behold the wonders of buffer overflows! Pick any 'sprintf' call and figure out how to exploit it. I haven't even looked for 'strcpy' and 'strcat' flaws yet.
Many of the largest worm/virus outbreaks on the Window's platform came from flaws that had already been patched. For several of them, the patches had been out for months. It wasn't an excuse for MS, why should that be an excuse for FireFox?
Story mistitled -- should be "Mozilla patches flaws"
This kind of reporting is irresponsible. The reporter has actually withheld information vital to the readers: that a patch has been in existence for days.
Then, at the very end of the article it alludes in the weakest possible terms to the existence of a patch. Readers who get googly-eyed by the techincal stuff in the body of the article will miss it entirely, possibly causing them to run unpatched and vulnerable.
CNet, why don't you try and HELP the computing community sometime?
The only mention of a patch in this whole report is "vulnerable in versions previous to 1.0.3 / 1.7.7), which have been available for days. This report makes it sound like it's the end of the world, when it has already been patched.
6 Years in Making (from a failed project's source codes aka netscape & mozilla) and Still Does not Work! :) Stallman & CO, said its will be flawless, solid, best, what happend ?
It doesn't matter which browser you use, the finding of a flaw in it is envitable. Software is written by humans and humans make mistakes. Firefox has only been around since late 2002 (called Phoenix then). There have been some significate changes made since Mozilla branched off Netscape and even more changes for Firefox. When make changes to code there is risk of introducing new bugs.
Best you check this: - <a class="jive-link-external" href="http://secunia.com/product/11/#advisories" target="_newWindow">http://secunia.com/product/11/#advisories</a>
Scott Graham for his link. I went over to Secunia to view the 3 non critical Firefox bugs and stayed to view the many more unfixed non critical and critical bugs that IE has left unpatched. I would suggest anybody who wants to learn more go on over there and take a look
oh so true that IE has many more advisories than Firefox but to keep things in perspective lest you give the impression that firefox is bulletproof...
Firefox advisories on Secunia since launch - 15 IE6 advisories in the same period - 22
Firefox advisories in 2005 - 11 IE6 advisories in 2005 - 5
Again, as FF gains in popularity, it will gain the attention of those that would look for ways to do some bad. IE's just got a longer head start than FF in which to point out its flaws so it seems easier. The reality is that all software is flawed and no one can perfectly develop complex software...period.
If people don't update, maybe it's because (a) they don't realize it's important, and (b) they don't realize the fix is available. Stories like this have the opportunity to inform people on both counts. But this story actually manages to *hide* the fact that the update is available. Even allowing for sensationalism, something like "Firefox Security Holes Found, Fixed" with a sidebar pull-out of "Update to 1.0.3 to be protected" could succeed at both sensationalism and responsible reporting.
Tommy Jordan, the man who shot his daughter's laptop for YouTube, gets a visit from police and child protection services. Oh, and Good Morning America.
The Samsung Galaxy Mini 2 S6500 could make its debut at the Mobile World Congress in Barcelona later this month, according to a leaked promotional image.
We've got an itch to touch us some Super Stars and get all Mario on some poor unfortunate bitmappy baddies. Looks like Converse is set to hand us just the footwear for the job.
Whadya mean flaws were found in Mozilla Suite and FireFox? How did those wily MS guys sneak their bugs into these fine products? This can't be true. They took out an ad in the New York Times and everything. Well, at least I have *some* comfort knowing the flaws are all safely covered by the magical GPL so anyone can use them if they want to.
I demand that the EU punish Gates for this cowardly act! Maybe they can fine MS another 100 Billion dollars or something fun like that. Oh, and the folks over at News.com should be punished, too. Didn't they get the super-duper secret memo about keeping Open Source flaws quiet? Tsk. Tsk.
Now where did I put that naughty little toy penguin? He's gonna face the fury of my nerd-boy wrath for this incomprehensible act of injustice!
Right here. This is a serious flaw in Mozilla products. I'll freely admit that. As serious as some holes in IE? Arguably, but not necessarily. I haven't read the descriptions of everything, but all the ones I did read required some sort of manual intervention on the part of the user, as opposed to the "I'll just install this software for you behind your back." kind of flaws that IE seems to have.
But that's rather irrelevant, really, as any flaw that can allow arbitrary code execution is bad, as far as I'm concerned.
Let's see how the flaw was handled though:
1. First bug reported to Mozilla crew on April 1st, 2005.
2. Bug discussed on Bugzilla, various suggestions and workarounds proposed.
3. Patch produced.
4. Update released on April 15th, 2005.
Total time: Two weeks plus a day for the whole process, beginning to end. Not bad.
Compare this to Microsoft's approach:
1. Bug reported to Microsoft.
2. Microsoft ignores bug report for several weeks.
3. Bug reported again to Microsoft.
4. Microsoft again ignores bug report.
5. Bug discoverer goes public with report.
6. Microsoft complains about bug reporter disclosing bug before a patch was developed. Mentions "irresponsible" bug reporting.
7. Microsoft PR machine kicks in, spewing crap about "mitigating factors", "we don't know of any customer's compromised by this bug", and generally trying to downplay the bug's seriousness.
8. Microsoft develops patch, released during their regular monthly patch cycle, possibly as much as 4 weeks after patch development.
9. Microsoft crows about how they are proactive about security.
Total time: 4 weeks to several years, sometimes approaching infinity.
What I mean by that last statement is this:
There are known security holes in Windows 95 that Microsoft has known about since it's release or shortly thereafter, which have never been fixed, and which now never will be, because that product has been EOL'd.
The article title and text are very misleading. It should have made more clear that all the listed vulnerabilities are ALREADY fixed in the current version of Firefox.
Step 2: write article
Step 3: profit!
Download Firefox sources, search for 'sprintf', and behold the wonders of buffer overflows! Pick any 'sprintf' call and figure out how to exploit it.
I haven't even looked for 'strcpy' and 'strcat' flaws yet.
I seriously doubt that an open source project whose code has been seen by thousands has these types of freshman level errors.
Then, at the very end of the article it alludes in the weakest possible terms to the existence of a patch. Readers who get googly-eyed by the techincal stuff in the body of the article will miss it entirely, possibly causing them to run unpatched and vulnerable.
CNet, why don't you try and HELP the computing community sometime?
Agreed, very irresponsible reporting (again) by CNET. :-(
It's about crappy code, which can easily exist on any OS, in any programming language, under any model - despite the hype!
As an industry we should focus more on writing solid code, and less on whether or not software is "Open".
- - -
"Beneath the noble birth, between the proudest words, behind the beauty, cracks appear..." - Rush
Get Life, Get IE.
www.microsoft.com/windows/IE
Get a life, drop the fanboy attitude.
- <a class="jive-link-external" href="http://secunia.com/product/11/#advisories" target="_newWindow">http://secunia.com/product/11/#advisories</a>
...and make some comparisons first.
<a class="jive-link-external" href="http://www.secunia.com" target="_newWindow">http://www.secunia.com</a>
Firefox advisories on Secunia since launch - 15
IE6 advisories in the same period - 22
Firefox advisories in 2005 - 11
IE6 advisories in 2005 - 5
Again, as FF gains in popularity, it will gain the attention of those that would look for ways to do some bad. IE's just got a longer head start than FF in which to point out its flaws so it seems easier. The reality is that all software is flawed and no one can perfectly develop complex software...period.