Firefox Corruption Vulnerability

Discussion in 'other security issues & news' started by ronjor, Jul 16, 2004.

Thread Status:
Not open for further replies.
  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,770
    Location:
    Texas
    Description:
    Marcel Boesch has reported a vulnerability in Mozilla and Firefox, which can be exploited by malicious people to cause a DoS (Denial of Service).

    Arbitrary root certificates are imported silently without presenting users with a import dialog box when the MIME type is specified as: "application/x-x509-email-cert".

    Due to another problem, this can e.g be exploited by malicious websites or HTML-based emails to prevent users from accessing valid SSL sites by placing invalid root certificates with the same DN (Distinguished Name) as a valid root certificate in a user's certificate store.

    Successful exploitation prevents access to SSL-based sites that use a trusted root certificate with the same DN as a malicious root certificate in the user's certificate store.

    The vulnerability has been reported in Mozilla 1.6, 1.7, and 1.7.1 for Windows and Linux, and in Mozilla Firefox 0.8 and 0.9.2. Other versions may also be affected

    http://secunia.com/advisories/12076/
     
  2. Pigman

    Pigman Registered Member

    Joined:
    May 15, 2004
    Posts:
    381
    Damn.

    Think they'll have a patch by the end of next week?
     
  3. Ronin

    Ronin Guest

    Looks pretty minor on the scheme of things.
     
  4. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    Oh c'mon, just a minor problem. I don't have to worry when i have my sygate personal firewall PRO around. The firewall can detect and stop DOS attacks before they strike. ;)
     
  5. tenyrsgone

    tenyrsgone Guest

    Seems like Firefox has had a few hits lately. I wonder if we'll be seeing more problems, with FF, now that it seems everyone is recommending FF over IE.
     
  6. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,873
    Location:
    SW. Oklahoma
    You can always use opera ;)
     
  7. Pigman

    Pigman Registered Member

    Joined:
    May 15, 2004
    Posts:
    381
    Opera has gotten 27 Secunia warnings and costs money. (Unless you're willing to tolerate ads, of course, which I am not ;) ) Mozilla has gotten all of 6 Secunia warnings, last I checked, is totally free (unless you want to make a donation, of course :cool: ), and is quite fast enough for me, thank you. :D
     
  8. tenyrsgone

    tenyrsgone Guest

    Good idea Bigc, i have been looking into Opera. I have heard good things about it, and so far it looks very promising. I will just use the ad blocking feature in my firewall, to block the ads.
     
  9. Ronin

    Ronin Guest

    I doubt sygate can stop ones of these nature.
     
  10. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    Well, i think my firewall may be able to stop some parts of the DOS attack.
    And anyway, the firefox development team is very serious about this type of problems. I have confidence in them, and i believe they will be able to fix the problem ASAP.
    On the firefox/mozilla website there is a sentence which says: Built with your Security in mind, Firefox keeps your computer safe from malicious spyware by not loading harmful ActiveX controls.
    I don't think Microsoft had security/ users' privacy in mind when they first started IE. From the day i started using IE, which was a few years back, the number of holes, exploits and problems just became more and more worse.
    And if you take a good clear look, Microsoft's attitude and dedication to fix the IE problems is damn horrid. I also heard that Microsoft had FAILED to fix a problem with IE for 6 whole years! Since then, I have given up my hope on IE, and switched to firefox. They, the people at Microsoft, failed to fix a problem for 6 whole years! From this, I think it is very obvious to everybody how Microsoft's behaviour towards IE is.
    Microsoft, it is ultimately your attitude and behaviour that you have to change if you really want IE to be a good and successful internet browser. If you can make Windows XP such a huge success, why can't you make IE the same way too?
     
  11. Ronin

    Ronin Guest

    Well , actually the mozilla team is very secertive about exploits discovered and those are kept password protected and hidden from public view.

    In the case of the shell exploit that was fixed in so called 24 hours, it was actually a known problem pointed out from 2 years ago . Granted the problem then pointed out was a more generic one, but if they had fixed that problem then, it wouldn't have surfaced now.

    I conclude from this espiode that much like many software developers, the Mozilla team will tend to sit on their hands unless they are given sufficent motivation (IE someone releasing their exploit publicly). But unlike MS they do have certain advanatages of course.

    I hope you don't just believe in hype. Otherwise you would also buy the line that XP SP 2 being also built with security in mind :)

    In their defence, MS as it's much harder than Mozilla. They have to make sure that their patch is stable, and this takes a lot of testing. The intergretion with the OS doesn't make it easier either.

    Because to be successful you don't need to be secure. Let's face it , how many people really care about security? Of those who claim they do (eg presumably everyone in this forum), how many are really capable of cutting through all the hype and deciding which browser is really more secure? No, looking at secania and counting the number listed there doesn't count.

    Ironically, the dozens of security warnings about IE, might actually make users doubt whether they are important. I know of lots of fairly skilled computer users who tell me, they don't think such exploits are really a big deal, after all if they were really that serious they would have being hacked a million times? Everytime the press trumpets some critical exploit, and nothing happens, the more the user concludes it's all hype.
     
  12. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,770
    Location:
    Texas
    Until something like Blaster comes along to convince people to patch their systems that is.
     
  13. Ronin

    Ronin Guest

    Sure, these people I'm talking about are smart enough to patch their systems yes. With autoupdate it's even easier.

    But that doesn't mean they will switch to another browser, much less another OS.
     
  14. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Until they get hit and come running into my shop :D Even this still does not fix everyone, there are those that like to be hit more than once, for pleasure or pain, who knows :rolleyes: Usually find with the second category that forking out further money to fix their mess for a 2nd time, wakes their senses...

    Good post Ronin...

    Cheers :D
     
  15. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    Well, no single computer program made by anybody is 100% perfect. Like the saying goes: Nothing is perfect in this world.
     
  16. Pigman

    Pigman Registered Member

    Joined:
    May 15, 2004
    Posts:
    381
    Has anyone reported this vulnerability to Mozilla yet?

    What about the phishing business - that sounds like it could be fairly easy to fix...
     
Loading...
Thread Status:
Not open for further replies.