Security advisories for old versions of Firefox
Dan Veditz has updated the Mozilla Foundation Security Advisories page with information about holes that were fixed for Firefox 1.0, Thunderbird 0.9 and 1.0, and Mozilla 1.7.5.
None of the holes were the kind of arbitrary-code-execution hole that needs no cooperation from the user, which surprised me. The worst hole fixed for Firefox 1.0 was the javascript: Live Bookmarks hole, which required some user cooperation and allowed attackers to steal cookies and sometimes execute arbitrary code. In contrast, many previous Mozilla and Firefox releases included new fixes for memory management holes such as buffer overflows. Exploits for memory management holes are harder to write, but they allow attackers to execute arbitrary code without any cooperation from users.
January 26th, 2005 at 1:36 am
Why is that? Do you know more than we?
January 26th, 2005 at 2:44 am
Many arbitrary-code-execution holes had been fixed between 1.6 and 1.7.3, as you can see on that page. Several releases included multiple fixes. Assuming a constant rate of hole reports and fixes, it seemed likely that an arbitrary-code-execution hole would be discovered in any given two-month period, such as the period between 1.0PR and 1.0.
January 26th, 2005 at 7:36 am
The Live Bookmarks javascript: vulnerability could potentially lead to chrome privileges and therefore arbitrary code execution. Or did I misunderstand that?
January 26th, 2005 at 8:10 am
The less-than sign in your heading is causing the RSS 2.0 feed from planet.mozilla.org to be invalid. It should be syndicated as &lt; instead of the symbol itself.
January 26th, 2005 at 12:31 pm
I’m pretty sure that’s Planet’s fault. My RSS feed is valid.
January 26th, 2005 at 12:32 pm
Oops, I meant “my RSS feed is well-formed XML”. I don’t know whether it’s valid.
January 26th, 2005 at 1:51 pm
Jan, you’re right. The Live Bookmarks javascript: vulnerability requires some user cooperation, but now that I think about it, it isn’t hard to convince some users to add an RSS feed, and those users tend to be advanced users.
January 26th, 2005 at 6:16 pm
Since tor didn’t jump up to fix the bug in Planet, I removed the < from the title of this post. I hope the bug in Planet eventually gets fixed because it is likely to cause similar problems again and because it could be a security hole.
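The Planet bug discussed in the comments above (a raw less-than sign in a post title copied into the aggregated feed unescaped) and the reason it can be more than a well-formedness problem, as an added example that is not code from the page or from Planet. The feed layout, the helper names and the two sample titles are constructed for illustration; the title that actually broke planet.mozilla.org is not shown on the page.

```python
"""Escaping a blog-post title before syndicating it in an RSS 2.0 feed.

Added example, not Planet's code. Sample titles below are constructed.
"""
from xml.sax.saxutils import escape
import xml.etree.ElementTree as ET

# Constructed sample titles (assumptions, not the real post titles).
TITLE_WITH_LT = "Security advisories for Firefox < 1.0"
TITLE_WITH_MARKUP = "Nice <b>bold</b> trick"


def feed_naive(titles):
    """Interpolate titles verbatim: the bug the comments describe.

    Any '<' in a title lands in the feed as markup, not as character data.
    """
    items = "".join(f"<item><title>{t}</title></item>" for t in titles)
    return f'<rss version="2.0"><channel><title>planet</title>{items}</channel></rss>'


def feed_escaped(titles):
    """Escape '&', '<' and '>' so the title is always character data."""
    items = "".join(f"<item><title>{escape(t)}</title></item>" for t in titles)
    return f'<rss version="2.0"><channel><title>planet</title>{items}</channel></rss>'


def is_well_formed(xml_text):
    """True if an XML parser accepts the document, which is what feed readers need."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False


def item_titles(xml_text):
    """For each <item>, return (title text, number of child elements inside <title>).

    A non-zero child count means markup from the title crossed into the feed's
    own structure, which is the injection risk behind the "could be a security
    hole" remark: whatever consumes the feed sees elements the blogger wrote.
    """
    root = ET.fromstring(xml_text)
    out = []
    for item in root.iter("item"):
        title = item.find("title")
        out.append((title.text or "", len(list(title))))
    return out


if __name__ == "__main__":
    # A bare '<' followed by a space is an invalid token: the whole feed breaks.
    print("naive, '<':    well-formed =", is_well_formed(feed_naive([TITLE_WITH_LT])))
    # Balanced tags parse fine, but the title is now an element tree, not text.
    print("naive, markup: ", item_titles(feed_naive([TITLE_WITH_MARKUP])))
    # Escaped, both titles round-trip as plain text.
    print("escaped:       ", item_titles(feed_escaped([TITLE_WITH_LT, TITLE_WITH_MARKUP])))
```

The second case is the one to watch: a title with balanced tags does not break well-formedness, so a validator alone would not catch it, yet the tags become part of the aggregated document. Escaping at the point where untrusted text is interpolated fixes both cases at once.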
January 26th, 2005 at 10:52 pm
fyi i reported the planet issue last time it broke.
https://bugzilla.mozilla.org/show_bug.cgi?id=278515
January 27th, 2005 at 3:19 am
“Since tor didn’t jump up to fix the bug in Planet”
Has anyone hassled him about it? This is the third time I’ve seen it broken recently – it got broken twice by different blogs covering the Blake Ross Q&A.
As for the security issue, I guess it’d only be Mozilla bloggers that could exploit it, and one would hope that they could be trusted :)