The Active Network
ActiveMac Anonymous | Create a User | Reviews | News | Forums | Advertise  
 

  *  

  Mozilla issue patch for security hole
Time: 09:15 EST/14:15 GMT | News Source: E-Mail | Posted By: Brian Kvalheim

Just as everyone was about ready to ditch Internet Explorer in favour of the less popular but theoretically less bug prone alternatives from Mozilla, a patch was issued to fix a recently discovered security hole in Mozilla, Firefox and Thunderbird. The bug, which only affects users running one of the above products on a Microsoft Windows platform, may allow an attacker to cause a machine to freeze. Although not necessarily hugely damaging to the client machine, this is still a blow to the Mozilla Foundation, as it will cause confidence in their products to drop.

Write Comment
Return to News

  Displaying 1 through 25 of 335
Last | Next
  The time now is 6:53:16 AM ET.
Any comment problems? E-mail us
#1 By 116 (24.173.215.234) at 7/9/2004 9:50:27 AM
Yeah too bad they knew about his since 2002 and changed the status of the bug to WONTFIX.

Open Source Visibility is great. I can log in to bugzilla and pick from a number of known bugs to exploit. They make the script kiddies job EASY!

Peace,
RA

#2 By 37 (67.37.29.142) at 7/9/2004 10:02:14 AM
Sorry esc, but 2 years isn't fast.

This post was edited by AWBrian on Friday, July 09, 2004 at 10:03.

#3 By 37 (67.37.29.142) at 7/9/2004 11:26:10 AM
"Better yet, we see that when an exploit appears for moz, and most other OSS projects, a fix is ready within days/weeks, rather than years. "

Unfortunately, this has taken not days or weeks, but years. This hole has been in Mozilla since 2002.

#4 By 13030 (198.22.121.120) at 7/9/2004 11:26:30 AM
#2: "By making sure you spend all your free time uninstalling, downloading and then installing the newest version of Firefox/Mozilla instead of actually surfing the net."

Actually, the shell security patch is performed via a Firefox Extension which means you click on the extension to download it and install--no uninstall/reinstall or restart of Firefox is necessary. Much cleaner in execution than nearly every single IE patch.

#2: "Firefox ... slowly working its way to a weekly security release schedule."

And, when you consider that Firefox is still a beta product the number of flaws is remarkably low.

#2: "Security by obscurity only gets you so far."

I thought that was Microsoft's plan...

#5 By 7797 (63.76.44.15) at 7/9/2004 11:27:44 AM
http://software.newsforge.com/article.pl?sid=04/07/08/2327246&mode=nested&tid=78&tid=82

some excerpts:

"The kicker is that this isn't even a problem with Mozilla; it's a problem with Windows Explorer. Windows XP Service Pack 1 was supposed to have closed this hole, but apparently it is still functioning and leaving Windows systems open to remote attack. So the Mozilla team worked to patch a hole that had little to do with their project."

"Is this really a security hole? When Mozilla receives a shell: request, it passes it on to an external handler in Windows. The "fix" for this is to disable this functionality which, as far as I can tell, is totally unnecessary to begin with. External handlers -- programs outside Mozilla -- have no specific security model, so the only way to deal with them is to make individual exceptions like this one. Messy? Yes. But that's Windows."

"So we had a fix in less than 24 hours, and the exploit wasn't that bad to begin with.

Let's compare this to Microsoft's handling of a recent Internet Explorer exploit that was taken advantage of by the Scob trojan, which sought to steal sensitive personal and financial information from its unknowing victims. The trojan attacked on June 25, and Microsoft had a patch released a quick and speedy seven days later, on July 2. So for seven days a serious hole remained in Internet Explorer, and even then the vulnerability remained!"

#6 By 7797 (63.76.44.15) at 7/9/2004 11:36:11 AM
" Does anyone here think Apple or Linux OS will ever be "popular enough... for people to attack them?""

who says Linux isn't already popular enough?

ZONE-H TODAYS VERIFIED ATTACKS
2 single IP
62 mass defacements
Linux (76.6%)
Win 2000 (12.5%)
Win 2003 (4.7%)
FreeBSD (3.1%)
BSDOS (1.6%)
Unknown (1.6%)

http://www.zone-h.org/

#7 By 7797 (63.76.44.15) at 7/9/2004 11:39:01 AM
"Unfortunately, this has taken not days or weeks, but years. This hole has been in Mozilla since 2002."

Really? 2 years for them to become convinced that they should disable a feature that grants access to a component of windows which has a flaw? So how long has this hole existed in windows? And when is microsoft going to patch it so mozilla can re-enable the feature.

I'm not going to hold my breath.

This post was edited by tgnb on Friday, July 09, 2004 at 11:39.

#8 By 37 (67.37.29.142) at 7/9/2004 12:12:26 PM
"The trojan attacked on June 25, and Microsoft had a patch released a quick and speedy seven days later, on July 2. So for seven days a serious hole remained in Internet Explorer, and even then the vulnerability remained!"

Lets see. 96% of the browsers today in use are Internet Explorer browsers. Internet Explorer is bundled in Windows. Testing and regression is of extreme importance and shouldn't be pushed out for the sake of being fast. The regression issues can be deadly destructive compared to a browser (mozilla/firefox) which barely even registers on the browser population. In addition, the mozilla browser is in no fashion bundled with the Windows coding, meaning regression would be little to none, and since there are very few users, testing is much faster and easier.

#9 By 37 (67.37.29.142) at 7/9/2004 12:13:50 PM
"Really? 2 years for them to become convinced that they should disable a feature that grants access to a component of windows which has a flaw?"

Yup. And it's a good thing we didn't hold our breath to have that hole addressed by the mozilla team. Won't fix? Well, how about we fix 2 years later.

#10 By 7797 (63.76.44.15) at 7/9/2004 12:24:15 PM
"Yup. And it's a good thing we didn't hold our breath to have that hole addressed by the mozilla team. Won't fix? Well, how about we fix 2 years later."

So wait. Mozilla refused to disable this feature because its a Microsoft problem .. for 2 years and you say thats a bad thing. But at the same time you don't seem to have a problem with the fact that Microsoft hasn't fixed the problem that is the root cause here to begin with. What kind of logic is that?

This post was edited by tgnb on Friday, July 09, 2004 at 12:28.

#11 By 7797 (63.76.44.15) at 7/9/2004 12:29:46 PM
"Why on earth would a programmer pass a file onto the shell to execute if he wasn't sure what would happen? "

Why would windows allow a program to do this in the first place! THAT my friend, is junk programming.

#12 By 7797 (63.76.44.15) at 7/9/2004 12:40:12 PM
"You mean if I write an app that needs to call Microsoft Word I shouldn't be allowed to call Word and point it at a document? Are you suggesting I would have to write my own word processor to read a word document instead of calling the shell to deal with it?"

Did I say this? No. But why why is there no security mechanism? Why is this wide open.

"Why would Firefox/Mozilla/Junk just download a file and pass it onto the shell by DEFAULT????????? Without the user being prompted!!!!!!!!!!!!"

Because this is a security mechanism thats supposed to be in Windows. NOT a 3rd party app. Windows shouln't be wide open like that. Thats just not a secure OS if it allows a 3rd party app to open up the entire system.

This post was edited by tgnb on Friday, July 09, 2004 at 12:41.

#13 By 1643 (69.68.165.71) at 7/9/2004 12:46:11 PM
I think this shows that all software has bugs, and that some of the anti-ms folks need to agree that coding is a very complicated matter that has human error.

#9 We deal a lot more in facts than the /. folks. BTW - IE CSS support sucks.

#11
"Actually, the shell security patch is performed via a Firefox Extension which means you click on the extension to download it and install--no uninstall/reinstall or restart of Firefox is necessary. Much cleaner in execution than nearly every single IE patch. "

That's because IE is part of the OS and you can't patch an open file now can you. I don't understand how that makes Firefox better with the exception that I need to restart my computer once a month while Windows autoupdates itself.

"And, when you consider that Firefox is still a beta product the number of flaws is remarkably low. "
Most OSS is in Beta for years...it's an easy excuse to proclaim it's greatness...but if an error is found...just say "it's in beta".

#12
"Let's compare this to Microsoft's handling of a recent Internet Explorer exploit that was taken advantage of by the Scob trojan, which sought to steal sensitive personal and financial information from its unknowing victims. The trojan attacked on June 25, and Microsoft had a patch released a quick and speedy seven days later, on July 2. So for seven days a serious hole remained in Internet Explorer, and even then the vulnerability remained!" "

Well Microsoft can't break millions of computers rendering engine if the fix doesn't work just right. The testing matrix is huge and takes time to verify (you wouldn't want them to put out buggy patches now do you? Of course, with firefox if you break something..."it's in beta".

"The kicker is that this isn't even a problem with Mozilla; it's a problem with Windows Explorer. Windows XP Service Pack 1 was supposed to have closed this hole, but apparently it is still functioning and leaving Windows systems open to remote attack. So the Mozilla team worked to patch a hole that had little to do with their project."

It's not a hole, but allows applications (if the developers choose to allow) to run shell programs from the browser (just like writing an application that calls another)...this is not a hole in Windows.

humor

#14 By 7797 (63.76.44.15) at 7/9/2004 12:56:19 PM
" I read somewhere that only Windows is effected. So, if it is a Firefox or Mozilla thing, how come the other OSes are not effected?"

Because its a windows flaw!

#15 By 37 (67.37.29.142) at 7/9/2004 2:11:38 PM
"I read somewhere that only Windows is effected. So, if it is a Firefox or Mozilla thing, how come the other OSes are not effected?"

Because code written for one OS differs from another. Mozilla code differs from platform to platform.

#16 By 37 (67.37.29.142) at 7/9/2004 2:15:47 PM
Er, no. It's 2 years old. This was known WAY back in early development. Maybe you should do more research.

"This is IE you're talking about. The rendering engine doesn't work correctly in the first place."

Bawahahhhahaaha. If you believe that is true, I got a bridge to sell ya. ROFLMAO

#17 By 2332 (66.228.91.12) at 7/9/2004 2:17:19 PM
#27 - The only significant part of Firefox that came from Mozilla was the rendering engine. Everything else is new.

#18 By 135 (209.180.28.6) at 7/9/2004 2:21:51 PM
From the tgnb Hall of Shame - "Why would windows allow a program to do this in the first place! THAT my friend, is junk programming. "

An OS is designed to run programs, that's is its job. The OS only did what it was instructed to do by Mozilla.

Halcyon - "So again Firefox issues a patch on time before a problem happens. "

Ok, that's a lie. The Mozilla team listed this bug as 'WONTFIX' for 2 years and only decided to fix it after an exploit had been released into the wild.


I justed wanted to highlight this to both zealots like tgnb and Halcyon... This is the problem with ideology, you end up making ridiculous defenses when the frying pan of reality smacks you upside the head.

This crap that you guys were spewing last week that Mozilla was obviously better and had no security holes was going to bite you in the behind. We all knew that, I just think it's amazing that it took less than a week for evidence to arrive.

What did I say last week? use whatever browser has the features you like and need. But don't pretend to make a decision based on security, there is no way you can guarantee Mozilla is perfect.

#19 By 2960 (68.101.39.180) at 7/9/2004 2:46:14 PM
Ok, parkker. What's the IE vs. Mozilla security exploit score?

Like 2 to 87,999?

TL

#20 By 8556 (12.217.173.227) at 7/9/2004 2:50:21 PM
Just for fun I downloaded and instaled Mozilla Firefox 0.9.2. Its slower than expected and has other minor annoyances. Overall, its usable and better than expected. However, I still prefer NetCaptor which uses IE's engine but with home-made bug fixes and many improvements over IE. Opera is decent also, which I should mention before you Opera fanatics get upset..

It's fun reading how emotional people get about OS's, browsers, open source, etc. Take a chill pill kids.

#21 By 37 (67.37.29.142) at 7/9/2004 2:56:49 PM
"Ok, parkker. What's the IE vs. Mozilla security exploit score?

Like 2 to 87,999?"

Probably similar to it's user base:

Like 2 to 1,000,000,000

#22 By 135 (209.180.28.6) at 7/9/2004 5:27:24 PM
reboot - New around here,

Nice to have you on board!

but this "The OS only did what it was instructed to do by Mozilla." shows a truly uneducated knowledge of what an OS job is.

Oh dear, you mean ComSci 454 Operating System Design was all wrong? What's an OS supposed to do then facilitate the execution of programs and interface with the hardware?

That's like saying I can write a batch file to delete everything in your system, cause the OS only did what it was instruted to do.

Do this the next time you are on a Unix host

login as root
rm -rf /

You shall be greatly enlightened.

Is everyone on this same level of wisdom around here???

Obviously not, but then you are new around here.

#23 By 135 (209.180.28.6) at 7/9/2004 5:45:05 PM
#39 - The old bug was only part of the equation and fixing that wouldn't have prevented this. Read the 2 year old bug for yourself: http://bugzilla.mozilla.org/show_bug.cgi?id=167475 Do you see anything at all about the shell: URI handler?

I don't think you understand. The bug 167475 is talking about the trust model. How do they handle something they don't know how to render. By default Mozilla was just passing it to the OS. Read comment #9(from bugzilla) to see the flowchart.

IE behaves differently, and would pass it to the OS if it came from a local web page, but not if it came from a remote web page. This is because IE has the notion of Security Zones, something which is not implemented in Mozilla. This allows IE to be used in a very robust manner locally, yet still be secure when hitting remote sites.

But this argument is silly, because quite clearly the bug was in Mozilla in that it was taking instructions from a remote website and passing them on to the OS. It shouldn't do that, and it is the responsibility of the browser to know what to trust.

the Security Zones have been one area in which IE has had problems, as there were ways to access sites that misidentified them in the wrong zone. Using the decimal representation of the IP address rather than the dot notation, for example was a bug fixed back in like '99.


This post was edited by sodablue on Friday, July 09, 2004 at 18:00.

#24 By 135 (209.180.28.6) at 7/9/2004 6:00:05 PM
#43 - Windows pretty much enables this behaviour by default.

In what way?

In Linux, you have to expressly give the permissions to do something like that, or give the application permissions to perform certain actions.

The rm command is an application. It's out in the /bin folder. You do not need to give it special permissions, it uses the permissions of the currently logged in user.

You are outlining the exact same problem as above. Do you realize that you are indirectly agreeing with all of this?

I don't think you understand, or are purposefully being obtuse. You are apparently claiming that Windows should implement Mandatory Access Control security features and then at the OS level define what level of trust to give a particular application.

This is not a common(or even niche) feature for consumer level systems.

#25 By 7797 (63.76.44.15) at 7/9/2004 6:20:45 PM
"I justed wanted to highlight this to both zealots like tgnb and Halcyon... This is the problem with ideology, you end up making ridiculous defenses when the frying pan of reality smacks you upside the head. "

You people can judge for yourself who's the zealot!

The sodablue Hall of Shame:

"This is the catch-22 of Linux. There's no technical reason to use it, it's solely about the fact that it's free."

"No, I'm saying Linux is a piece of crap."

"Keep in mind that for Redhat to become profitable, they had to move away from the GPL and adopt a proprietary subscription/support model."

"Because Linux is K-K00l RAD333ZZZZ!"

"Linux versions are so boring, they offer no new innovations or any real features that people would care about. Just not worth upgrading to."

"Granted, my main issue with Linux is it's old technology and not very fun to work with."

"It's funny, but actually Linux is too bloated to be used for embedded devices."

"Linux which is motivated entirely from hatred of Microsoft products"

"OSS development is cheaper... partly true, but since it's unreliable and slower you position yourself with a competitive disadvantage."

"The large problem is really that most open source zealots do not have any understanding of the computer world."

"The US should start investigating on whether Linux exists because of illegal dumping by foreign companies."

"most GPL code is of dubius quality"

"I don't have a problem with Linux but I do have a problem with the community's general lack of respect for other peoples work."

Write Comment
Return to News
  Displaying 1 through 25 of 335
Last | Next
  The time now is 6:53:16 AM ET.
Any comment problems? E-mail us
User name and password:

 

  *  
  *   *