
New Mozilla troubles

The Mozilla Foundation has owned up to a new list of vulnerabilities in its code; these holes open up the frightening prospect of arbitrary code execution by remote attackers. Any system running Firefox, Thunderbird, SeaMonkey, or anything based on the underlying Mozilla components (RSS aggregators, for instance) may be vulnerable, and should be looking for updates. Here's what has been turned up:

  • There is a long list of JavaScript-related vulnerabilities, including problems with crypto.generateCRMFRequest() (CVE-2006-1728), a security restrictions bypass vulnerability (CVE-2006-1726), a "cloned parent" access restriction failure (CVE-2006-1734), and a regular expression memory corruption bug (apparently no CVE number at the moment).

  • Cascading style sheets account for a couple of problems, including an integer overflow bug (CVE-2006-1730) and an array overflow vulnerability (CVE-2006-1739).

  • The Extensible Binding Language (XBL) facility has an access restriction failure (CVE-2006-1733) and a privilege escalation vulnerability (CVE-2006-1735).

  • Other troubles include "memory corruption via a particular sequence of HTML tags" (CVE-2006-0749), a DHTML memory corruption bug (CVE-2006-1724), and "an unspecified vulnerability" in how display styles are handled.

Disabling JavaScript should protect against the first set of vulnerabilities, but will do nothing for the rest of them. The only way to protect against the full set is to update the software; new versions are available from Mozilla. For distributor updates, see the LWN vulnerability entry.

A list of remotely-exploitable vulnerabilities this long is worrisome, especially when it refers to a package as popular as Firefox. This browser has gained millions of users; its reputation for better security is one of the reasons for this success. But a single, widespread exploit of a Firefox vulnerability could set things back in a hurry.

Unfortunately, it would seem that such an exploit is bound to happen, sooner or later. A web browser is a seriously complex piece of code which is simultaneously exposed to potentially hostile input from the net and used for tasks requiring a high degree of trust - working with financial sites, for example. Why should an attacker bother with phishing when a browser vulnerability can enable the installation of a keystroke logging "extension"? There can be no doubt that attackers will be tempted by a potential payoff of that magnitude. We must hope that the security fixes will continue to reach us ahead of the attackers.

(See also: the CERT advisory for these vulnerabilities).



New Mozilla troubles

Posted Apr 20, 2006 15:24 UTC (Thu) by RobSeace (subscriber, #4435)

> A list of remotely-exploitable vulnerabilities this long is worrisome

Is it? It would be if it weren't accompanied by an immediate updated fixed
version, perhaps... It certainly would be if they said that a fixed version
wouldn't be released until sometime next month (like MS often seems to do),
and until then you'll just have to live with being vulnerable... But, as it
stands, it just looks to ME like a normal development process: some bugs
were found, they were fixed, and a new version was released along with
details of the bugs... So, what's so worrisome about software development
proceeding as it normally should?? Surely you wouldn't prefer that they
failed to fix such bugs, or to notify people that they did so? Presumably,
you'd prefer that they had no such bugs in the first place, I'm guessing...
Sure, that'd be great... But, unfortunately reality interferes with that
lovely fantasy... I can say with almost certainty that every piece of
software that you're running right now has some security vulnerability in
it... It's just that no one has discovered it yet... (If you're lucky; if
you're unlucky, someone has and simply hasn't told anyone else...) But,
that doesn't make the software any more secure, or necessarily make you any
safer... (Just because no one knows about it now, doesn't mean they won't
discover it tomorrow, and then silently go around exploiting it before it
becomes widely known...) In fact, it's silence that scares me, not loud
notification of fixed security holes... The latter indicates to me that
people are actively looking for security holes and finding them and fixing
them, which is a very GOOD thing... But, silence doesn't tell you anything
of value; it COULD mean that lots of people have actively looked for holes
in it, but failed to find any, OR it could instead mean that no one is
looking at all... And, even if it meant the former, that really isn't all
that reassuring, either... Just because that particular group of people
didn't spot anything doesn't mean no one else might... And, it definitely
doesn't mean that no security holes are present... So, no, I personally
find complete lack of security announcements for any product somewhat
suspicious and "worrisome", while I find things like this Mozilla announcement
rather comforting and reassuring, actually... It's good to know people are
looking for such things, finding them, and fixing them... It can only make
for better and more secure software... So, what's not to like??

New Mozilla troubles

Posted Apr 20, 2006 16:14 UTC (Thu) by cventers (subscriber, #31465)

I'm a happy Konqueror user. I was a Firefox user, briefly, two years ago
before I moved from Windows to Linux.

I seem to remember a temporary 'falling out' the KHTML developers had
with the Safari developers, when the Apple guys suggested KDE drop KHTML
and accept the Webcore fork as the work of God. It bugged a lot of KHTML
people because often the Safari 'fixes' were poorly thought out cruft.

And around that same time, one of the lead Firefox folks made a blog
entry harshly criticizing the KHTML team for not keeping up with the
times, or something along those lines.

Most projects have security bugs from time to time. Konqueror is no
exception. But given the frequency, severity and sometimes even the
blatant obviousness of Mozilla's security problems (I seem to remember a
Linux Thunderbird bug whereby unescaped data was passed into the
system(3) library call), I think their time would be better spent
scraping over their own messy code for problems and memory leaks, rather
than criticizing KDE (whose browser is more secure, faster, and far more
standards compliant).

Of course, this whole thing happened some time ago -- to some degree,
it's water under the bridge. But I call it poetic justice.

There's been talk for a while about Konqueror eventually making it onto
Windows, around KDE 4, due to Qt4. I think that would be fantastic --
another high-quality, lightning fast open source browser on the Windows
desktop would provide the competition the Mozilla guys need to get their
act together.

Konq doesn't do the whole XUL GUI / extensions thing, but the reality is
that most "normal" (i.e., non-techie) users simply don't need it. It's
overweight window dressing, and it comes with its consequences.

New Mozilla troubles

Posted Apr 20, 2006 18:05 UTC (Thu) by mightyduck (guest, #23760)

Well spoken!

New Mozilla troubles

Posted Apr 20, 2006 20:47 UTC (Thu) by jospoortvliet (subscriber, #33164)

indeed. i did see the comment from the firefox-guy too, and really - he
said the one thing that really separates Free Software, quality-wise, from
non-free software is the fact OSS hackers work for their pleasure, not for
money. which leads to them being able to make harsh but good decisions
about code - without a manager forcing them to make concessions to quality
of code, design, style or readability.

New Mozilla troubles

Posted Apr 20, 2006 20:53 UTC (Thu) by jospoortvliet (subscriber, #33164)

wow, don't read that. i should have proof-read it... that's what the
preview is for...

so, let's fix it:

indeed. i did see the comment from the firefox-guy too, and really - he
said the ONE thing that really separates Free Software, quality-wise, from
non-free software. was utterly bullshit.

that one thing is the fact OSS hackers work for their
pleasure, not for money. which allows them to be able to make harsh but
good decisions about code - without a manager forcing them to do
concessions to quality of code, design, style or readability.

guess firefox makes concessions to these, and that's what leads to
problems. like we see now. i wouldn't say e.g. konqueror is PERFECT, no
way - but attention to design, and making decisions for sound, TECHNICAL
reasons make better software, yeah, i think so.

(no idea how i had it in mind last time, i wanted to write all this in one
sentence. guess, as i honour my nick ATM, it's the weed...)

New Mozilla troubles

Posted Apr 20, 2006 18:07 UTC (Thu) by ametlwn (subscriber, #10544)

Afaict the original mozilla suite (1.7.12) is also vulnerable to at least a couple of these problems, e.g. CVE-2006-1734. However there is no fix yet. Mozilla.org's advisories mention "Mozilla Suite 1.7.13", and there seems to be a pending release.

Mozilla 1.7.13 released

Posted Apr 22, 2006 7:07 UTC (Sat) by ametlwn (subscriber, #10544)

1.7.13 has been released and indeed fixes a couple of bugs.

Copyright © 2006, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds