Security Issues in Mozilla

michael posted more than 9 years ago | from the better-than-IE dept.

Mozilla 454

paulius_g writes "SecurityFocus has released a security warning with three problems that affect Mozilla on all platforms. The first issue allows the source of a download to be spoofed, generating a fake URL. This security issue is really easy to replicate: Create a long URL and the downloading box will only display its ending (Mozilla and Firefox). The second issue was created by the way that Mozilla's browsers handle news:// links to newsgroups; hackers can easily create false links and create a buffer overflow (Mozilla 1.7.5 and below, Firefox versions before 1.0). The third exploit affects machines with multiple users. The way that Firefox and Thunderbird store files allows every user to see them and to probably catch the other user's surfing habits (Firefox and Thunderbird). Let's hope that these will be fixed soon!"

454 comments

A fix? (5, Informative)

Blapto (839626) | more than 9 years ago | (#11287787)

Resolution
==========

All Mozilla users should upgrade to the latest version:

Says the site, implying at least a partial fix is available.

Re:A fix? (1, Informative)

Anonymous Coward | more than 9 years ago | (#11287863)

"Firefox versions before 1.0"

Just upgrade to 1.0 and no more problems. You really should have upgraded a while ago...

Re:A fix? (-1, Troll)

Anonymous Coward | more than 9 years ago | (#11287865)

And here's the upgrade [pogmania.com].

Even then.... (1, Insightful)

Gentlewhisper (759800) | more than 9 years ago | (#11287788)

In spite of these security flaws, Firefox is still a lot better than the incumbent IE.. no?

Re:Even then.... (0, Troll)

IcEMaN252 (579647) | more than 9 years ago | (#11287858)

Are you new here? IE is a MS product and therefore is evil, rotten, and sucks.

Re:Even then.... (0, Troll)

recursiv (324497) | more than 9 years ago | (#11287931)

Wrong. That's not why IE sucks. IE sucks purely on its own merits.

I know you were kidding, but it sounds like you are suggesting that IE doesn't suck, and that is what I'm addressing.

Re:Even then.... (5, Insightful)

frankthechicken (607647) | more than 9 years ago | (#11287914)

Why?

Both will have flaws, some major, some minor. And, for me, there seems no real evidence that the Firefox community corrects problems quicker than MS. Both appear to me to fix major problems relatively quickly.

The only real difference is the experience a user gains from using an individual browser. And for me, I personally prefer the FF experience, as I should, having configured it until it fits like a glove.

Re:Even then.... (1, Funny)

Anonymous Coward | more than 9 years ago | (#11287916)

Could you tell me where you have downloaded your version of IE for FreeBSD, Linux, OpenBSD and NetBSD?

These flaws are a real problem but Firefox, YES, is still better than IE. Besides, the first flaw is not a flaw: you must ALWAYS download stuff from people you trust (and even then, you have to check the sources with a GnuPG key ring).

Trolling first post (-1, Troll)

Anonymous Coward | more than 9 years ago | (#11287793)

FP FP FP FP

Yeah Now you wankers can bash Opensource!!

Suck up to M$!!!

Troll!!!

Security (5, Funny)

Anonymous Coward | more than 9 years ago | (#11287800)

Oh no! Time to switch back to IE.

Re:Security (1)

mirko (198274) | more than 9 years ago | (#11287887)

Come on, mods: This is not a troll, it's definitely the funniest post in this thread :D

FP (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#11287802)

Frost Pist

More the users (0)

Anonymous Coward | more than 9 years ago | (#11287804)

bigger are the chances this will happen

I bet they will be fixed within 24hours! (0)

xutopia (469129) | more than 9 years ago | (#11287805)

quote me! :)

Re:I bet they will be fixed within 24hours! (1, Funny)

Anonymous Coward | more than 9 years ago | (#11287852)

"quote me! :)"
-- xutopia

It *is* already fixed! (2, Informative)

Freggy (825249) | more than 9 years ago | (#11287904)

Guys, wake up, old news. According to the article, all bugs were fixed in Mozilla 1.7.5 and Firefox 1.0.

Move on people, nothing to see here!

Re:I bet they will be fixed within 24hours! (4, Informative)

I confirm I'm not a (720413) | more than 9 years ago | (#11287967)

If I read TFA correctly, they're fixed already: Mozilla is listed as unaffected in >=1.7.5, Firefox unaffected in >=1.0, and Thunderbird unaffected in >=0.9.

Interestingly, the original bug report came from the Gentoo security people - is there anyone running Gentoo with anything other than the very latest apps?!

Not Mozilla!! (5, Funny)

53cur!ty (588713) | more than 9 years ago | (#11287809)

The tragedy, the inhumanity!!

Bet Gates is grinning today hoping everyone will forget his laptop crash.

Don't Tech all day and night, visit:
WillingtonKarateClub.org Training Tips and more

Unacceptable (-1, Troll)

goldspider (445116) | more than 9 years ago | (#11287814)

While I wouldn't say that these vulnerabilities are exactly obvious, they are major enough that (IMHO) they should have been spotted and corrected before rollout.

I haven't read TFA all the way through yet, but how long (how many versions) have these been an issue?

Re:Unacceptable (2, Informative)

PommeFritz (70221) | more than 9 years ago | (#11287835)

"spotted before rollout"?
Dude, the article says that only versions before Firefox 1.0 are vulnerable, and 1.0 has been out for 2 months already. What are you talking about?

Re:Unacceptable (1)

WhiteWolf666 (145211) | more than 9 years ago | (#11287857)

According to the article, all firefoxes less than 1.0, and mozilla pre-1.7.5.

They were spotted and corrected before rollout :)

Umm.... (4, Insightful)

Oxy the moron (770724) | more than 9 years ago | (#11287821)

The way that Firefox and Thunderbird store files allows every user to see them and to probably catch the other user's surfing habits (Firefox and Thunderbird)

Can't the same be said of IE or any program that stores information in %SYSTEMROOM%\Documents and Settings\%USERNAME% ? I mean, it's possible for me to see anyone's "habits" that way, right?

Re:Umm.... (1, Interesting)

danheskett (178529) | more than 9 years ago | (#11287875)

I am not sure what about Firefox and Thunderbird allows users to bypass permissions checking. On a normal Win2k/XP system regular users cannot view another user's "home" directory. It's been a while since I used Thunderbird, but last time I did mail was stored in a sub-directory from the program location. This would allow any user to see what other users did.

Re:Umm.... (1)

ratpack91 (698171) | more than 9 years ago | (#11287883)

Only administrators can look in other users' "Documents and Settings\%USERNAME%" folder. I can't get the article at the mo so I don't understand how firefox is different since its settings are stored there.

Re:Umm.... (5, Funny)

fitten (521191) | more than 9 years ago | (#11287892)

You mean I gotta walk all the way down to the systemroom to get my information? Crap, no wonder I haven't been able to find it in my office lately...

Re:Umm.... (0)

Anonymous Coward | more than 9 years ago | (#11287951)

Arrrrgh... me and my bad speeling. ;]

Re:Umm.... (2, Interesting)

SomeoneGotMyNick (200685) | more than 9 years ago | (#11287901)

Partially related to that concept, I was using an XP system (no SP2 installed) where I didn't have admin rights. I was looking for a file that was in another user's documents folder. The operating system prevented me from browsing the folder through Explorer.

When I did a Search for the file, the search window gladly displayed the file in question (from their documents folder) and allowed me to copy it to my documents folder.

In my opinion, that's a much more serious issue (0)

Anonymous Coward | more than 9 years ago | (#11288006)

Than some string formatting issue!

I mean what you describe circumvents the whole issue of having a multi-user system and security model.

Re:Umm.... (1)

Politburo (640618) | more than 9 years ago | (#11288014)

I cannot replicate this. I get "Access is Denied" when I try to search in someone else's home directory. Win XP SP1.

Searching for * in C:\Documents and Settings returns the folders in D&S, all the files/folders in my home directory, and all the files/folders in the "All Users" directory. I cannot use the search results dialog to access another user's home directory.

I call shenanigans.

Re:Umm.... (2, Informative)

IcEMaN252 (579647) | more than 9 years ago | (#11287945)

I'll admit to not doing exhaustive research before making my commentary.

I believe that the Docs & Settings folder is owned by the user in question and has the permissions set to keep other users out. But, thanks to the way Windows runs, everyone pretty much needs to be an Administrator to do things like, idk, run a CD-Burning app, so a knowledgeable user could change the permissions and look inside.

But, this is a generic Windows problem, most users are Administrators, and they can therefore see other users' files. This might not be true in corporate environments, but at home it's usually the case.

Remember what your mother said, and do not take the name of root in vain.

Re:Umm.... (1)

plover (150551) | more than 9 years ago | (#11287946)

Actually, I'm not quite understanding that one myself. Both Mozilla/Firefox and IE store the user's cached data in the user's personal folder. Frankly, I don't know where else you should put it on a Windows box.

You can set up your NTFS security such that only %USERNAME% can see the data in %USERNAME%'s folder. Very few home users do this, of course, and most wouldn't want to. Typical users wouldn't be able to function if Mom couldn't view the family pictures that Dad downloaded from the family's digital camera. But if you did change your security, this "problem" is "fixed."

Perhaps they are suggesting the cache should be encrypted on a by-user basis? Sure, my browsing is too fast already ...

There's a Shared Documents folder for that. (0)

Anonymous Coward | more than 9 years ago | (#11288034)

That everyone has access to, it's in the All Users profile, as Shared Documents (instead of My/Username Documents).

Pretty trivial to direct your storage of photos/documents that everyone needs access to, to that folder.

Re:Umm.... (0)

Anonymous Coward | more than 9 years ago | (#11287960)

Not really. If I remember correctly, "Limited" users cannot see the contents of other users' %USERNAME% folder. However, since most Windows users are Admins (well, their login is an Admin :) this is irrelevant.

-David

Linux needs IE (-1, Flamebait)

Anonymous Coward | more than 9 years ago | (#11287825)

Linux needs a reliable Browser.... How about IE ? It sets industry standards in rendering, showing pages and is world wide used and preferred....

Misleading Article (3, Informative)

Asacarny (244586) | more than 9 years ago | (#11287826)

All of these security issues are fixed in the latest releases of Firefox/Thunderbird/Seamonkey. They have all been fixed for quite some time now.

It would have been helpful for this information to be included in the story. Thanks, Slashdot.

Re:Misleading Article (1, Interesting)

smc13 (762065) | more than 9 years ago | (#11287935)

Wrong. The first issue affects the current version. If you clicked on the link you would have noticed this:

Software: Mozilla 1.7.x
Mozilla Firefox 1.x

How can his post be rated informative when it isn't true?

Re:Misleading Article (1)

banzai51 (140396) | more than 9 years ago | (#11287978)

It would have been even more useful to have this information out when it was vulnerable, so I could have made a more informed choice. Of course, that would have hampered FF rollout. Et tu, Burtu?

Re:Misleading Article (0)

Anonymous Coward | more than 9 years ago | (#11288013)

lol, tell that to the IE development team and make a choice (:

Illuminative (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#11287827)

See it's reasons like this you liberals shouldn't use Mozilla, privately owned corporations do a much better job making software than a ragtag committee of well intentioned people who each try to get their pet idea into the final product. IE ain't broke, don't try to fix it.

Buffer overflow? (3, Insightful)

mattgreen (701203) | more than 9 years ago | (#11287831)

Weak. They should know better than that. It's not like it is hard to prevent a buffer overflow. They're using C++ for crying out loud.

Re:Buffer overflow? (0)

Emperor Shaddam IV (199709) | more than 9 years ago | (#11288000)

Why? You can hose up memory just as easy in C++ as in C. Nothing stops you from using malloc() in C++. And nothing prevents you from using pointers instead of references. And nothing prevents you from going past the end of an array. Besides, the bug was from the old beta versions, which makes this posting old news and not even worth being on Slashdot.

Re:Buffer overflow? (0)

Anonymous Coward | more than 9 years ago | (#11288017)

so is ms, and how many buffer issues do they have?

Re:Buffer overflow? (4, Insightful)

deadlinegrunt (520160) | more than 9 years ago | (#11288046)

I have not looked at the latest code base so my response may very well be wrong, however you may want to keep this in mind when making such a statement:

Perhaps one reason is they are not really using C++ to its fullest extent like here [mozilla.org] as an example.

3 Whole Security Issues! Thank God... (5, Funny)

codesurfer (786910) | more than 9 years ago | (#11287833)

that I can still wipe my Linux box, buy a copy of XP, install, activate, update, reboot, update, reboot, get SP1 & 2, reboot, update, reboot and I'll be able to use Internet Explorer, a safe alternative to....oh wait...

Re:3 Whole Security Issues! Thank God... (1)

slide-rule (153968) | more than 9 years ago | (#11287963)

> buy a copy of XP, install, activate, update, reboot, update, reboot, get SP1 & 2

Nice little roll, there. I probably oughtn't point out that if you're actually buying a copy of XP these days that it'll have SP2 applied to it already. At least, all the stores around here sell it this way.

Re:3 Whole Security Issues! Thank God... (0)

Anonymous Coward | more than 9 years ago | (#11288044)

I got an official XP + SP2 CD from Microsoft with a SP1 serial which didn't work, obviously. Grrr!

Updates (5, Insightful)

harlingtoxad (798873) | more than 9 years ago | (#11287834)

Most viruses are exploits of things MS has patched months earlier. If Firefox becomes mainstream can we count on the average user to update or will an out of date Firefox become nearly as bad as IE?

Older versions only (2, Informative)

martin_b1sh0p (673005) | more than 9 years ago | (#11287837)

Note that it appears from what I read that these issues only affect the beta versions of FireFox. Who uses a beta once a released version is out???

Basically this is a non issue as everyone should have upgraded to v1.0 as soon as it came out.

Re:Older versions only (1)

d_jedi (773213) | more than 9 years ago | (#11287971)

Well, MS flaws that affect only pre-SP2 XP versions of Windows seem to be an issue.. so it's only fair :->

Sounds like good news to me (3, Insightful)

I.M.O.G. (811163) | more than 9 years ago | (#11287838)

Perhaps it will serve as a reality check for those who have the wrong (idealistic) conception about this browser... Average users are so quick to jump on a bandwagon. People tend to think entities like Google and Firefox are lights in the harbor or signs from God. They are just implementations which are better than what others are doing, and they are not as perfect as many like to imply. Firefox is no doubt an improvement over the many other options out there, but as it gains popularity, it will also gain more status as a target - much like IE has been for years now. The fact that there are still vulnerabilities should come as a surprise to no one.

Re:Sounds like good news to me (1)

deitel99 (533532) | more than 9 years ago | (#11287929)

The fact there there are still vulnerabilities should come as a surprise to no one.

Indeed, however the hope is that the security problems will be fixed quickly, and that the developers won't ignore them, pretending they don't exist.

The really important thing as far as I'm concerned is the length of time needed to fix newly discovered bugs, not the number, and this is where the open source development model works so much better.

I'm concerned about 0-Day (4, Insightful)

IcEMaN252 (579647) | more than 9 years ago | (#11288018)

The really important thing as far as I'm concerned is the length of time needed to fix newly discovered bugs, not the number, and this is where the open source development model works so much better.

I'm also concerned about those nasty 0-Day vulnerabilities that are out there but we don't know about. The problem with open source is that the code is out there, so it's easier to find the bugs. The saving grace is that the code is generally better, and there are usually more white hats looking for the problem than black hats.

I still think FF is safer than IE, but I also think it's just as important to be wary of the bugs we don't know about as the ones we do. The same goes for any software product.

Re:Sounds like good news to me (4, Insightful)

0123456 (636235) | more than 9 years ago | (#11287930)

"The fact there there are still vulnerabilities should come as a surprise to no one."

Of course not. But, unlike IE, these aren't 'You open a web page and your machine is taken over as a spam zombie' vulnerabilities. They should be fixed, but are less serious than the usual IE bugs... and they'll likely be fixed a lot faster.

Re:Sounds like good news to me (1)

Ieshan (409693) | more than 9 years ago | (#11288008)

"The fact there there are still vulnerabilities should come as a surprise to no one."

The only reason it's surprising to me, is that these are bugs that have been already fixed.

It wouldn't be a slashdot story if it read, "the Bugzilla for the Firefox project notes that in version .8 and .9, it was possible to spoof a URL by doing some nasty tricks. Here's the technical data." Or, "old release notes indicate bugs were fixed. If you want some demonstrations of these old bugs, click here!"

Right?

Re:Sounds like good news to me (0)

Anonymous Coward | more than 9 years ago | (#11288012)

Do the world a favor and just fucking kill yourself.

Why the fuck you would post such a pathetic troll under your real account dumbshit?

Re:Sounds like good news to me (1)

bigbadunix (662724) | more than 9 years ago | (#11288024)

Not only are 'average' users quick to jump on a bandwagon, the slashdot/oss crew (i.e. me!!) tends to be even more evangelical about such matters.

You're absolutely correct in that it's just a different (albeit better) implementation of a model which, as we all know, will theoretically -never- be perfect.

We work our asses off creating software that, to the best of our knowledge, is bug-free..but, c'mon...there is no such beast.

Bug-Free software is just software for which a bug has not yet been found...whether the bug lies in the OS, libraries, the code itself, ...

It's time for all software engineers to dismiss the utopian vision of this bug-free world, and look a bit beneath the surface...

I'm just gonna keep rockin and rollin makin better films...Er, Um...I mean code!!

It's fulfilling its prophecy (1, Redundant)

mOoZik (698544) | more than 9 years ago | (#11287839)

As it becomes more and more popular, more and more bugs will be discovered. There is no inherently secure piece of software: it's only a matter of problems / volume.

And.... (2, Insightful)

maztuhblastah (745586) | more than 9 years ago | (#11287847)

Undoubtedly, proponents of MS will point to this and say "See...told you so..."

The difference between Mozilla/other OSS and MS software is that while a bug in IE will remain unfixed for months (unless it's such a glaring error that the media grills them for it,) a bug in Moz/Firefox won't last very long. So the real issue that we need to remember is not that three bugs were found, but that unlike MS three bugs will be fixed.

Cheers,
-maztuh

Re:And.... (1)

WhiteWolf666 (145211) | more than 9 years ago | (#11287921)

The REAL news is the three bugs in firefox were fixed....

Oh wait, that wouldn't be news, that would be business as usual.

Read The Article. These are fixed.

The first one should be easy to fix (0)

Anonymous Coward | more than 9 years ago | (#11287849)

The first one should be easy to fix.

It's more important to see from where you're downloading (the source) than what you are downloading (the content).

Hackers can emulate the ending of a URL but not the beginning!

So what about. . . (1)

smooth wombat (796938) | more than 9 years ago | (#11287859)

the 75 outstanding Secunia security advisories for IE or the 33 security advisories for Opera? Don't they get equal billing?

Re:So what about. . . (0)

Anonymous Coward | more than 9 years ago | (#11287920)

haha you gotta be new to /.

Impossible (-1, Troll)

Anonymous Coward | more than 9 years ago | (#11287860)

The whole article is a hoax.

Security problems cannot exist in Mozilla or Firefox. They must mean IE.
Even if it were true, it's irrelevant. We run those browsers because they are not Microsoft. It's the feeling I am superior than you just because I run a superior browser that's the only important thing here. Nobody can take that away from me. I don't care about the facts, the only thing I care about is the truth, that bugs cannot exist in those browsers because they are perfect and superior. Slashdot itself says so.

What No Trojans.... (-1, Troll)

Anonymous Coward | more than 9 years ago | (#11287866)

...or AdWare, or SpyWare... I'm disappointed. Internet Explorer has much more satisfying hacks

Third item... (5, Informative)

Anonymous Coward | more than 9 years ago | (#11287867)

This only applies to Windows platforms. Linux and Unix versions maintain all user information in the homedir, preventing access to ordinary users.

Jeebus Kriced (5, Funny)

killmenow (184444) | more than 9 years ago | (#11287872)

So sayeth the submitter:
Let's hope that these will be fixed soon!
Slashdot has gotten so bad, now the submitters don't even RTFA!

RTFA - Answers await (2, Informative)

Anonymous Coward | more than 9 years ago | (#11287876)

As the article clearly states, all three have been fixed. Simply use the latest versions of the software.

Re:RTFA - Answers await (1)

Gizmhail (821391) | more than 9 years ago | (#11287985)

Shouldn't an update be posted to this news....It's quite biased, or false, for now. A simple "Update : This has been fixed in the last versions. " would do, no?

This article is BOGUS! (5, Informative)

WhiteWolf666 (145211) | more than 9 years ago | (#11287885)

The Slashdot article, not security focus. In plain text, at the top, it says these were FIXED in the latest versions.

They affect Firefox versions BEFORE 1.0, Thunderbird BEFORE .9, and Mozilla BEFORE 1.7.5.

This article was posted by some MS shill who is hoping that because Slashdot is spidered by Google news they will get some mainstream journalism about Firefox's bugs!

This is TOTAL crap! Let the MS Smear campaign begin!

Re:This article is BOGUS! (2, Informative)

elecngnr (843285) | more than 9 years ago | (#11288007)

How did this pass muster? The article clearly states:

Various vulnerabilities were found and fixed [emphasis added] in Mozilla-based products, ranging from a potential buffer overflow and temporary files disclosure to anti-spoofing issues.

While I recognize the article does state in the middle of it that it was for releases prior to the current ones, why not say that in the title or somewhere in the first sentence. Saying something like, "People using older versions of.....may be vulnerable to security flaws." At first glance, this article is a little misleading.

who uses xpdf? (0)

Anonymous Coward | more than 9 years ago | (#11287905)

xpdf was so buggy years ago that I switched to Adobe Acrobat and never looked back.

These vulnerabilities will be fixed in three... (1)

bshroyer (21524) | more than 9 years ago | (#11287928)

two...

What, they're fixed already?

Never mind.

I love open source.

Let's stick to issues within the current version (1)

jtapper (461531) | more than 9 years ago | (#11287941)

The news:// link issue reported is for "Mozilla 1.7.5 and below, Firefox versions before 1.0".
Firefox 1.0 has been out for weeks already and most extensions have been updated to work with this new version.
The mozilla 1.7.5 is the current version, but if these are the 3 biggest security issues that can be found, then that only cements my position as a long-time firefox user.
I'd hate to see a post on slashdot every time there are 3 issues of this severity found for IE.

The reality... (2, Insightful)

eastshores (459180) | more than 9 years ago | (#11287959)

Is that Firefox, and most likely ANY product that attempts to compete with an established Microsoft product will have to face two issues that Microsoft constantly faces: 1) Features take precedence in the development lifecycle forcing security to become an after-thought. 2) As popularity increases, so does visibility which is currently one of the primary factors in determining scrutiny for such issues.

I still prefer Firefox for its usability features. It wasn't long ago that they got in place a "Software Update Available" mechanism for just these types of circumstances. In turn, people that think Firefox is immune from security issues should look at the past and come back down from their orbit ;)

So we have (4, Insightful)

hattig (47930) | more than 9 years ago | (#11287962)

Problem One: A String Formatting Issue, URLs should be shown as "http://www.blah.com/.../www.spoof.com/register.php" rather than ".../www.spoof.com/register.php" and users should be shot if they can't recognise a valid URL.

Problem Two: Beta Firefox? That's not an issue then. Otherwise, who let a buffer overflow get into the codebase?

Problem Three: Surely this is more of a problem with Windows' Security model? if an OS is used essentially as a single user machine (e.g., 9x) then there is little that can be done between profiles.
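
The display rule from hattig's Problem One above, as an added example that is not part of the original thread or Mozilla's code: `tailOnly` reproduces the end-only truncation the story describes, and `originPreserving` keeps the scheme and host visible and elides the middle of the path. Both function names, the 50-character width and the sample URL (built from the placeholder hosts in the comment) are assumptions.

```javascript
// Added example (not Mozilla's code): two ways to fit a long URL into a
// fixed-width download prompt. Function names are hypothetical.

const ELLIPSIS = "/...";

// Flawed display described in the story: only the END of the URL survives,
// so the real host can be pushed out of view by a long path.
function tailOnly(rawUrl, maxLen) {
  if (rawUrl.length <= maxLen) return rawUrl;
  return "..." + rawUrl.slice(-(maxLen - 3));
}

// Hardened display: the scheme and host are never truncated; only the
// middle of the path is elided, and the tail (file name) is kept if it fits.
function originPreserving(rawUrl, maxLen) {
  let u;
  try {
    u = new URL(rawUrl); // WHATWG parser: host is taken from parsed parts
  } catch (e) {
    return "(unparseable URL)"; // never echo something we could not parse
  }

  // URLs without a host (e.g. mailto:) have no origin to protect;
  // keep the beginning rather than the end.
  if (!u.host) {
    return rawUrl.length <= maxLen
      ? rawUrl
      : rawUrl.slice(0, maxLen - 3) + "...";
  }

  const origin = u.protocol + "//" + u.host;
  const rest = u.pathname + u.search + u.hash;
  if (origin.length + rest.length <= maxLen) return origin + rest;

  // Space left for the tail after the full origin and the ellipsis.
  const budget = maxLen - origin.length - ELLIPSIS.length;

  // A host longer than the box is shown whole anyway: overflowing the
  // width is preferable to hiding where the download comes from.
  if (budget <= 0) return origin + ELLIPSIS;

  return origin + ELLIPSIS + rest.slice(-budget);
}

// Constructed sample: real host first, look-alike host name buried at the
// end of a long path (hosts taken from the comment above).
const SAMPLE =
  "http://www.blah.com/" + "a/".repeat(40) + "www.spoof.com/register.php";

function demo() {
  return {
    flawed: tailOnly(SAMPLE, 50),
    hardened: originPreserving(SAMPLE, 50),
  };
}

console.log(demo());
```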

Open Source/Security (1)

Rick and Roll (672077) | more than 9 years ago | (#11287966)

I noticed that the news protocol hole is one part of the source that few developers are interested in. Because of this, bugs like this are less likely to get discovered.

The UI hole (right-aligning the URL) is also in an unexpected place.

I always hear talk about the problem with Open Source is people only do the fun stuff. Well, for different people, different things are fun. For some people a security review is very fun. Of course, not as fun as doing a security review on the otherwise most interesting part of the codebase, but fun nonetheless.

So if you enjoy doing security reviews, help Mozilla out. Discovering one of these hidden bugs could definitely help out the I'm sure they could use a couple of eyes in the parts of the code currently not subject to scrutiny. Also, it could help you to become a security expert.

Now that I think about it, that may be just what the people that discovered the hole were doing. It certainly will be good for their career.

Does no one read anymore? (2, Informative)

GweeDo (127172) | more than 9 years ago | (#11287972)

Affected packages
=================

Package / Vulnerable / Unaffected
1 mozilla / < 1.7.5 / >= 1.7.5
2 mozilla-bin / < 1.7.5 / >= 1.7.5
3 mozilla-firefox / < 1.0 / >= 1.0
4 mozilla-firefox-bin / < 1.0 / >= 1.0
5 mozilla-thunderbird / < 0.9 / >= 0.9
6 mozilla-thunderbird-bin / < 0.9 / >= 0.9

So, let's try reading this data. If you are running version 1.0 of Firefox, version 1.0 of Thunderbird or version 1.7.5 of Mozilla (all the latest versions) you have NONE of these issues. Geez....

Re:Does no one read anymore? (5, Informative)

BenjyD (316700) | more than 9 years ago | (#11288031)

Apart from the first issue, of course, which reads:

"The vulnerability has been confirmed in Mozilla 1.7.3 for Linux, Mozilla 1.7.5 for Windows, and Mozilla Firefox 1.0. Other versions may also be affected."

So it's actually just one spoofing vulnerability. It's probably a result of fixing the bug in 0.9.something where an overly long (>4kb, IIRC) URL in the address bar could cause firefox to lock up the x-server.

The important thing is how quickly they get fixed. (1)

seanyboy (587819) | more than 9 years ago | (#11287984)

It's obvious that the more mainstream Firefox becomes, the more exploits are going to be found / used. It was inevitable that there would be exploits, but the test of Open Source vs Closed Source is how quickly the problems are fixed and rolled out. I think the next year is going to be an interesting one for Firefox developers.

Re:The important thing is how quickly they get fix (1)

WhiteWolf666 (145211) | more than 9 years ago | (#11287996)

Eh? They ARE fixed....

These affected firefox beta, not release. Check the article..
By my calculations, fixed over 2 months ago.

Re:The important thing is how quickly they get fix (0)

Anonymous Coward | more than 9 years ago | (#11288033)

They're ALREADY fixed!

When will people read the damn articles and when will the slashdot editors check the content of the damn stories they post

Obligatory fix... (1)

pctainto (325762) | more than 9 years ago | (#11288021)

Download Firefox!

Seriously, all of these are fixed in the current version. The poster even says it with regards to the buffer overflow problem!

Yipee (0)

Anonymous Coward | more than 9 years ago | (#11288026)

So, let's see...Mozilla is touted as the best browser to replace IE, yet we get the same thing all over again (buffer overflows, security issues, etc.)

Ok, sure, they claimed the issues will be fixed very quickly and here are my concerns:
1. Is there a patch or do I have to download the whole browser and reinstall?

2. How often does this happen? One patch/reinstall every few weeks? Do you guys seriously expect an Admin to roll out new installs/patches every few weeks? Are you even remotely aware of the full cycle testing/QA effort that's involved to make sure your corporate app still works properly with the new versions?

Face it. Mozilla will encounter the same issues as IE no matter what.

Oh, a side note. If I have Windows and I want to use Mozilla, why do I have to use IE first to download mozilla?? I already have IE installed, why do I need to download yet another browser and install it?

Quick! Somebody submit a story! (1)

WhiteWolf666 (145211) | more than 9 years ago | (#11288038)

Anyone good at writing up story submissions?

Time to troll Slashdot! Seriously...Given that all three bugs are ALREADY fixed, it shouldn't be too hard to sneak a 'troll' story by about how the Mozilla foundation responded instantaneously to these bug reports.

Use this url http://www.mozillazine.org/talkback.html?article=5844 [mozillazine.org] for the nntp flaw, and link to the same security focus article regarding the other two.

Why? Because the security article tells you to update your mozilla based software to the latest version to avoid these no-longer-existing.

An excellent opportunity to troll the story submission queue, and given the cluelessness of slashdot editors, it should be pretty easy to sneak it by.

News Headline: FireFox vulnerable to attack (1)

NoelWeb (797393) | more than 9 years ago | (#11288039)

I'm switching to IE, a browser made by a company who cares about ME.

IE more Secure than Mozilla and Fire Fox? (0)

Anonymous Coward | more than 9 years ago | (#11288040)

Say it isn't so! *rolls eyes*

[Fe]how can a program that is cobbled together by people with no eye to security and will give the source code to any passing stranger who wants it, be more secure than a bunch of paranoid security freaks who jealously guard their source code?[/Fe]

And the response from Redmond is... (1)

fisheye1969 (842355) | more than 9 years ago | (#11288045)

...here is absolute proof that Mozilla-based browsers are as full of holes as IE: "Three exploits in one day! Open source just doesn't work!"

I can't wait for this to be, ahem, exploited.

Sadly, then will begin a new round of "your analysis methods are crap" ad infinitum, ad nauseam.
