Free Republic

U.S. CERT Cyber Security Alert SA04-261A Multiple vulnerabilities in Mozilla products
United States Computer Emergency Readiness Team | September 17, 2004 | US-CERT (Computer Emergency Readiness Team)

Posted on 09/17/2004 4:02:07 PM PDT by Stoat

US-CERT

National Cyber Alert System
Cyber Security Alert SA04-261A archive

Multiple vulnerabilities in Mozilla products

Original release date: September 17, 2004
Last revised: --
Source: US-CERT


Systems Affected

  • Mozilla Suite (Mozilla web browser, Mozilla Mail)
  • Firefox web browser
  • Thunderbird email client


Overview

By taking advantage of one or more vulnerabilities in Mozilla products, an attacker may be able to take control of your computer.


Solution

Upgrade to the latest version

Mozilla has released updated versions of the affected products. You can download the latest versions:


Description

There are vulnerabilities in various features of Mozilla's web browsers and email clients. Some of the vulnerabilities are connected to the way the application handles URLs or images. In one instance, an attacker could cause an application to crash or could take control of your computer by convincing you to view a malicious web site or email message.

For more technical information, see US-CERT Technical Alert TA04-261A.


References



Feedback can be directed to US-CERT.


Copyright 2004 Carnegie Mellon University. Terms of use

Revision History

September 17, 2004: Initial release

Last updated September 17, 2004



TOPICS: Announcements; Business/Economy; Technical
KEYWORDS: browser; computer; computing; firefox; internet; mozilla; secruity; thunderbird; uscert
To: asgardshill
"They said that only Microsoft products have vulnerabilities and that"

Whoever "they" are, they're pretty ignorant and silly. Mozilla is certainly many steps above Internet Explorer and Outlook/OE in just about every way (security, standards compliance, functionality, expandability, etc), but it's not perfect. Recruit God to code for the Mozilla project and you'll get perfect code. Otherwise, you'll just end up with some of the best code modern humans have written for a web browser/email client.
21 posted on 09/17/2004 4:55:53 PM PDT by NJ_gent (Conservatism begins at home. Security begins at the border. Please, someone, secure our borders.)
[ Post Reply | Private Reply | To 17 | View Replies]

To: aft_lizard
Sorry but the fact remains that if Mozilla was the number one software we would all be bitching about security problems, popups and other annoyances.

Mozilla blocks popups no matter how many people are using it. You figure it's some kind of giant cluster thing?

So tell me again why it's safer other than it has fewer users?

It's safer because:

1. It's a cleaner, more modern design. IE's code problems (mostly design problems) go back to its original code base nearly 10 years ago. Mozilla's code is mostly new. The vast majority of the Netscape code was jettisoned because it was such a mess.

2. It's not integrated into the OS. A vulnerability of the browser doesn't affect the mail client, file manager, update system, help pages, etc.

3. It was built by a group that sees security as a design problem, not a marketing problem. Microsoft still hasn't understood the lesson.

4. It allows users a much finer control of what content to allow and what to reject. Popups, Java, JavaScript, and other content can be excluded either completely or site-by-site with a few simple clicks.

5. It has safe and sane defaults.

Seriously you can't buy the anti-argument that it's simply the program and not the amount of users.

It's not an anti-argument. It's a provable fact. Shall we examine the security of Apache and Sendmail against IIS and Exchange? IIS and Exchange should be successfully attacked much less according to your theory, since IIS and Exchange have a much smaller user base than Apache and Sendmail. That's provably not true.

Question to you. If you were a hacker looking to cause great amount of damage to the internet, would you choose Opera? Mozilla or IE?

I'd look for the most easily exploited code and then use it as a jump-off point. And that would be IE. The fact that IE is also the most used code is a nice benefit, but not really necessary.

Try not to confuse correlation and causation.

22 posted on 09/17/2004 5:02:06 PM PDT by Knitebane
[ Post Reply | Private Reply | To 13 | View Replies]

To: Stoat

Thanks for posting this.


23 posted on 09/17/2004 5:03:03 PM PDT by DB (©)
[ Post Reply | Private Reply | To 1 | View Replies]

To: aft_lizard

"it's hard not to argue that since the coding is open that it is easier to crack and infect."

Then why is all the cracking and infecting done to CLOSED source code, and none to OPEN source code??

Because the code is Open, the vast majority of bugs and just plain sloppy code are found because millions of eyes are looking at it.

That's the beauty of open source, it quickly migrates to perfection. Its innards are all right there in plain sight yet it STILL can't be cracked. That is the definition of quality - you can see exactly how it works but you still can't break in.

It's a well-known adage in information technology that "Security by obscurity is no security at all".
Keeping your code secret does not make it secure.

Microsoft is secret - yet it is totally insecure.

Vastly more is to be gained by breaking into web servers than into Joe Sixpack's computer. Yet the only web servers routinely broken into are those running Microsoft IIS (closed source), and it accounts for less than 20% of all servers on the web - but 98% of all break-ins.

If I was a hacker looking to break in, I would pick the SOFTEST TARGET. Not the most PLENTIFUL TARGET. Ask any thief.

I can't believe after 5 years of Microsoft's CLOSED source software inflicting billions of dollars of damage on the net and business that there is STILL someone who believes the Microsoft B.S. that insecurity comes with popularity.

You really need to upgrade your education on this issue.


24 posted on 09/17/2004 5:03:18 PM PDT by konaice
[ Post Reply | Private Reply | To 13 | View Replies]

To: Stoat

bookmark


25 posted on 09/17/2004 5:09:22 PM PDT by WestCoastGal (Jr" I dunno what happened, it just felt like the hand of God came over and hit me real hard")
[ Post Reply | Private Reply | To 1 | View Replies]

To: Knitebane

Jiminy christmas you guys DID NOT ANSWER MY Fn QUESTION.

If Firefox was the number one browser with 95% of the market would it or would it not have as many issues as IE when it comes to certain security problems, i.e., pop-ups, spy-ware, mal-ware, hijack-ware? If you were a person looking to cause massive worldwide internet problems would you or would you not target the largest company out there?

Mozilla blocks popups no matter how many people are using it. You figure it's some kind of giant cluster thing?>>>>

Where in the world did you come up with that nonsense, seriously. Popups and hijackers, spyware and others are specifically coded towards IE, of course IE is going to have more problems there. What does the amount of users have to do with it? It's all about what they are geared at. I can't believe I am having this argument.

Look, I use Firefox, I like it and will continue to use it. I just don't buy into the theory that IE is a totally inferior product because you say so, it's inferior because it's the target of the world community. And if Firefox ever got that big it would falter also.


26 posted on 09/17/2004 5:12:28 PM PDT by aft_lizard (I actually voted for John Kerry before I voted against him)
[ Post Reply | Private Reply | To 22 | View Replies]

To: konaice

Then why is all the cracking and infecting done to CLOSED source code, and none to OPEN source code?? >>>

Because open source makes up less than 5% of the market. Why bother with it. Your question is similar to asking somebody why most drownings are caused by water, could it be because most people swim in water, bathe in it, drink it?


Let's not forget on your other argument here about closed source, remember they are a company, they are in it to make money. They can do it only at the expense of its consumer for so long.


27 posted on 09/17/2004 5:16:48 PM PDT by aft_lizard (I actually voted for John Kerry before I voted against him)
[ Post Reply | Private Reply | To 24 | View Replies]

To: aft_lizard
Jiminy christmas you guys DID NOT ANSWER MY Fn QUESTION.

I did answer your question. I'm sorry it wasn't the answer you wanted.

If Firefox was the number one browser with 95% of the market would it or would it not have as many issues as IE when it comes to certain security problems, i.e., pop-ups, spy-ware, mal-ware, hijack-ware?

The answer is NO.

Just like Apache, the number one web server, doesn't have as many issues as IIS.

Just like Sendmail, the number one mail server, doesn't have as many issues as Exchange.

Popups and hijackers, spyware and others are specifically coded towards IE, of course IE is going to have more problems there.

No, they aren't, and I begin to see the problem here. You don't understand how the underlying technology works, so you don't understand why Mozilla works differently.

And if Firefox ever got that big it would falter also.

And once again:

WRONG

28 posted on 09/17/2004 5:41:20 PM PDT by Knitebane
[ Post Reply | Private Reply | To 26 | View Replies]

To: Knitebane
I did answer your question. I'm sorry it wasn't the answer you wanted.>> You did not. <> So now I can compare a motorcycle to a car? Or my apple here to that orange in the fridge? It's browser to browser, you can't extrapolate because Apache is better than IIS then Firefox therefore will be better than IE. <<>> Ever tried to install Google toolbar on Firefox? Or Yahoo's toolbar? It's funny because it won't on mine, I wonder why that is? (Did you know a lot of mal-ware uses the same technology as them but they involuntary install it on your computer) Just curious since you say I don't understand the way it works. I am sure this is somehow making your case, but it doesn't. <>> And there you go again, predicting the future, unequivocally.
29 posted on 09/17/2004 5:56:07 PM PDT by aft_lizard (I actually voted for John Kerry before I voted against him)
[ Post Reply | Private Reply | To 28 | View Replies]

To: Knitebane

I did answer your question. I'm sorry it wasn't the answer you wanted.>>

You did not.

The answer is NO.

Just like Apache, the number one web server, doesn't have as many issues as IIS.

Just like Sendmail, the number one mail server, doesn't have as many issues as Exchange. >>

So now I can compare a motorcycle to a car? Or my apple here to that orange in the fridge? It's browser to browser, you can't extrapolate because Apache is better than IIS then Firefox therefore will be better than IE.

No, they aren't, and I begin to see the problem here. You don't understand how the underlying technology works, so you don't understand why Mozilla works differently.>>>

Ever tried to install Google toolbar on Firefox? Or Yahoo's toolbar? It's funny because it won't on mine, I wonder why that is? (Did you know a lot of mal-ware uses the same technology as them but they involuntary install it on your computer) Just curious since you say I don't understand the way it works. I am sure this is somehow making your case, but it doesn't.

and once again:

WRONG>>>

And there you go again, predicting the future, unequivocally.


30 posted on 09/17/2004 5:58:13 PM PDT by aft_lizard (I actually voted for John Kerry before I voted against him)
[ Post Reply | Private Reply | To 28 | View Replies]

To: aft_lizard
Please learn to format. Poor formatting makes it a lot of work to find your comments.

That said...

It's browser to browser, you can't extrapolate because Apache is better than IIS then Firefox therefore will be better than IE.

Your argument is that the popularity of a particular piece of software is related to the amount of security problems that it has.

I have offered two examples of how that argument is not valid, yet you continue to go way around the issue in an effort to keep from having to see the truth.

Ever tried to install Google toolbar on Firefox? Or Yahoo's toolbar?

I fail to see how software add-ons have any relevance to the security of the software itself. Perhaps you can dig down deep into your programming or security experience and explain it to me.

(Did you know a lot of mal-ware uses the same technology as them but they involuntary install it on your computer)

I did know that. I also know that the more integrated the browser is into the operating system, the easier it is to exploit the computer at a lower level.

I also know that the idea that malware can be installed without the user knowing is a design flaw common to Microsoft software.

And I also know that the history of exploits and the seriousness of those exploits indicate that your position on the popularity of a bit of software having anything to do with it being exploited is silly.

31 posted on 09/17/2004 6:07:27 PM PDT by Knitebane
[ Post Reply | Private Reply | To 29 | View Replies]

To: DB
"Thanks for posting this"

You're welcome! I hope that it has been of some help :-)
32 posted on 09/17/2004 6:23:12 PM PDT by Stoat
[ Post Reply | Private Reply | To 23 | View Replies]

To: Knitebane
I fail to see how software add-ons have any relevance to the security of the software itself. Perhaps you can dig down deep into your programming or security experience and explain it to me.>> It goes like this: YOU ANSWERED IT IN YOUR FOLLOWING ANSWER! (Did you know a lot of mal-ware uses the same technology as them but they involuntary install it on your computer) I did know that. I also know that the more integrated the browser is into the operating system, the easier it is to exploit the computer at a lower level.
Now let me make this one last case to you, because after this I am iggying this thread. The reason why IE has more problems is because it is bigger, simple but not accepted by you, fine. OK, the reason why having a bigger, more broadly accepted browser is more dangerous is because the number of vendors and programs out there are targeted towards it, fine, you don't buy that either. OK. Now the more programmers and users of said item the more different the programs, OK. Now let me continue on with my bad "formatting". The more there are different programs out there such as Yahoo bar, integrated video, JavaScripted mail clients etc. the more people out there get to know the script and the flaws. When you have had literally billions of reviews of software that goes out and works with said browser, flaws will be found and exploited. Mozilla hasn't had that sort of exposure with Firefox, it will eventually and it will possibly stand up to the test of time or it won't, that remains to be seen.
This argument is over and is quickly going to go down to the level of apes tossing shit at each other. So I will leave it at that, if you can't see or understand that view then so be it. But try and keep the insulting out of it.
33 posted on 09/17/2004 7:16:12 PM PDT by aft_lizard (I actually voted for John Kerry before I voted against him)
[ Post Reply | Private Reply | To 31 | View Replies]

To: Knitebane

I know I said I was ending this argument.

But I must apologize, I reread my posts, and it seems to me that I am the one being an a**. I don't mean to be on this, sometimes I get flustered.

I stand by my arguments though in either case, just my language can change.


34 posted on 09/17/2004 8:00:56 PM PDT by aft_lizard (I actually voted for John Kerry before I voted against him)
[ Post Reply | Private Reply | To 31 | View Replies]

To: NJ_gent
It is - but there's a difference between more secure and perfect. If and when God starts coding, we'll get some perfect software. Until then, I'd rather be exposed to Mozilla's handful of security flaws per year than Internet Explorer's flood of security flaws per week.

Good point. I moved over to Firefox in January and have been very happy with it.

Cheers!

35 posted on 09/17/2004 8:52:58 PM PDT by Buford T. Justice
[ Post Reply | Private Reply | To 19 | View Replies]

To: Stoat

Updated, and thankee kindly for the headsup!


36 posted on 09/17/2004 9:38:17 PM PDT by Titan Magroyne (Uniform of the day: Freepajamas)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Titan Magroyne
You're quite welcome! I am happy that this has been of some help.
37 posted on 09/17/2004 9:58:09 PM PDT by Stoat
[ Post Reply | Private Reply | To 36 | View Replies]

To: Stoat

I just downloaded Firefox. Can any other users out there tell me how you like it or dislike it?


38 posted on 09/18/2004 1:41:17 AM PDT by rdl6989 (<fontface="Rather Not">)
[ Post Reply | Private Reply | To 37 | View Replies]

To: RhoTheta

Ping.


39 posted on 09/18/2004 7:30:34 AM PDT by Egon (I will quit this post only when properly relieved.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Stoat

thanks for the tip.


40 posted on 09/20/2004 12:39:00 AM PDT by AmericanVictory (Should we be more like them, or they like us?)
[ Post Reply | Private Reply | To 1 | View Replies]

