« Tom O’Malley-Finkel-Harris-Smith
More Google changes »

Security advisories for old versions of Firefox

Dan Veditz has updated the Mozilla Foundation Security Advisories page with information about holes that were fixed for Firefox 1.0, Thunderbird 0.9 and 1.0, and Mozilla 1.7.5.

None of the holes were arbitrary-code-execution holes, which surprised me. The worst hole fixed for Firefox 1.0 was the javascript: Live Bookmarks hole, which required some user cooperation and allowed attackers to steal cookies and sometimes execute arbitrary code. In contrast, many previous Mozilla and Firefox releases included new fixes for memory management holes such as buffer overflows. Exploits for memory management holes are harder to write, but they allow attackers to execute arbitrary code without getting any cooperation from users.

This entry was posted on Tuesday, January 25th, 2005 at 9:45 pm and is filed under Mozilla, Security. You can follow any responses to this entry through the RSS 2.0 feed. Both comments and pings are currently closed.

10 Responses to “Security advisories for old versions of Firefox”

  1. Abdulkadir Topal Says:
    January 26th, 2005 at 1:36 am

    Why is that? Do you know more then we?

  2. Jesse Ruderman Says:
    January 26th, 2005 at 2:44 am

    Many arbitrary-code-execution holes had been fixed between 1.6 and 1.7.3, as you can see on that page. Several releases included multiple fixes. Assuming a constant rate of hole reports and fixes, it seemed likely that an arbitrary-code-execution hole would be discovered in any given two-month period, such as the period between 1.0PR and 1.0.

  3. Jan! Says:
    January 26th, 2005 at 7:36 am

    The Live Bookmarks javascript: vulnerability could potentially lead to chrome privileges and therefore arbitrary code execution. Or did I misunderstand that?

  4. Brant Gurganus Says:
    January 26th, 2005 at 8:10 am

    The less-than sign in your heading is causing the RSS 2.0 feed from planet.mozilla.org to be invalid. It should be syndicated as < instead of the symbol itself.

  5. Jesse Ruderman Says:
    January 26th, 2005 at 12:31 pm

    I’m pretty sure that’s Planet’s fault. My RSS feed is valid.

  6. Jesse Ruderman Says:
    January 26th, 2005 at 12:32 pm

    Oops, I meant “my RSS feed is well-formed XML”. I don’t know whether it’s valid.

  7. Jesse Ruderman Says:
    January 26th, 2005 at 1:51 pm

    Jan, you’re right. The Live Bookmarks javascript: vulnerability requires some user cooperation, but now that I think about it, it isn’t hard to convince some users to add an RSS feed, and those users tend to be advanced users.

  8. Jesse Ruderman Says:
    January 26th, 2005 at 6:16 pm

    Since tor didn’t jump up to fix the bug in Planet, I removed the < from the title of this post. I hope the bug in Planet eventually gets fixed because it is likely to cause similar problems again and because it could be a security hole.

  9. byron Says:
    January 26th, 2005 at 10:52 pm

    fyi i reported the planet issue list time it broke.

    https://bugzilla.mozilla.org/show_bug.cgi?id=278515

  10. michaell Says:
    January 27th, 2005 at 3:19 am

    “Since tor didn’t jump up to fix the bug in Planet”

    Has anyone hassled him about it? This is the third time I’ve seen it broken recently – it got broken twice by different blogs covering the Blake Ross Q&A.

    As for the security issue, I guess it’d only be Mozilla bloggers that could exploit it, and one would hope that they could be trusted :)