Mozilla has been cracked

[Drakkon]

just got this CERT advisory so for all you's with mozilla take a look:

Technical Cyber Security Alert TA04-261A
Multiple vulnerabilities in Mozilla products

Original release date: September 17, 2004
Last revised: --
Source: US-CERT

Systems Affected

Mozilla software, including the following:

* Mozilla web browser, email and newsgroup client
* Firefox web browser
* Thunderbird email client

Overview

Several vulnerabilities exist in the Mozilla web browser and derived
products, the most serious of which could allow a remote attacker to
execute arbitrary code on an affected system.

I. Description

Several vulnerabilities have been reported in the Mozilla web browser
and derived products. More detailed information is available in the
individual vulnerability notes:

VU#414240 - Mozilla Mail vulnerable to buffer overflow via
writeGroup() function in nsVCardObj.cpp

Mozilla Mail contains a stack overflow vulnerability in the display
routines for VCards. By sending an email message with a crafted VCard,
a remote attacker may be able to execute arbitrary code on the
victim's machine with the privileges of the current user. This can be
exploited in the preview mode as well.

VU#847200 - Mozilla contains integer overflows in bitmap image decoder

A vulnerability in the way Mozilla and its derived programs handle
certain bitmap images could allow a remote attacker to execute
arbitrary code on a vulnerable system.

VU#808216 - Mozilla contains heap overflow in UTF8 conversion of
hostname portion of URLs

A vulnerability in the way Mozilla and its derived programs handle
certain malformed URLs could allow a remote attacker to execute
arbitrary code on a vulnerable system.

VU#125776 - Multiple buffer overflows in Mozilla POP3 protocol handler

There are multiple buffer overflow vulnerabilities in the Mozilla POP3
protocol handler that could allow a malicious POP3 server to execute
arbitrary code on the affected system.

VU#327560 - Mozilla "send page" feature contains a buffer overflow
vulnerability

There is a buffer overflow vulnerability in the Mozilla "send page"
feature that could allow a remote attacker to execute arbitrary code.

VU#651928 - Mozilla allows arbitrary code execution via link dragging

A vulnerability affecting Mozilla web browsers may allow violation of
cross-domain scripting policies and possibly execute code originating
from a remote source.

II. Impact

These vulnerabilities could allow a remote attacker to execute
arbitrary code with the privileges of the user running the affected
application.

VU#847200 could also allow a remote attacker to crash an affected
application.

III. Solution

Upgrade to a patched version

Mozilla has released versions of the affected software that contain
patches for these issues:

* Mozilla 1.7.3
* Firefox Preview Release
* Thunderbird 0.8

Users are strongly encouraged to upgrade to one of these versions.

Appendix A. References

* Mozilla Security Advisory -
<http://www.mozilla.org/project...own-vulnerabilities.ht
ml>
* Mozilla 1.7.2 non-ascii hostname heap overrun, Gael Delalleau -
<http://www.zencomsec.com/advis...1.7.2-UTF8link.txt>
* Security Audit of Mozilla's .bmp image parsing, Gael Delalleau -
<http://www.zencomsec.com/advis...illa-1.7.2-BMP.txt>
* Security Audit of Mozilla's POP3 client protocol, Gael Delalleau -
<http://www.zencomsec.com/advis...lla-1.7.2-POP3.txt>
* US-CERT Vulnerability Note VU#414240 -
<http://www.kb.cert.org/vuls/id/414240>
* US-CERT Vulnerability Note VU#847200 -
<http://www.kb.cert.org/vuls/id/847200>
* US-CERT Vulnerability Note VU#808216 -
<http://www.kb.cert.org/vuls/id/808216>
* US-CERT Vulnerability Note VU#125776 -
<http://www.kb.cert.org/vuls/id/125776>
* US-CERT Vulnerability Note VU#327560 -
<http://www.kb.cert.org/vuls/id/327560>
* US-CERT Vulnerability Note VU#651928 -
<http://www.kb.cert.org/vuls/id/651928>
_________________________________________________________________

Mozilla has assigned credit for reporting of these issue to the
following:

* VU#414240: Georgi Guninski
* VU#847200: Gael Delalleau
* VU#808216: Gael Delalleau and Mats Palmgren
* VU#125776: Gael Delalleau
* VU#327560: Georgi Guninski
* VU#651928: Jesse Ruderman
_________________________________________________________________

Feedback can be directed to the US-CERT Technical Staff.
_________________________________________________________________

This document is available from:

<http://www.us-cert.gov/cas/tec...rts/TA04-261A.html>

_________________________________________________________________

Copyright 2004 Carnegie Mellon University.

Terms of use: <http://www.us-cert.gov/legal.html>
_________________________________________________________________

Revision History

Sept 17, 2004: Initial release

 

[blurredvision]

Now, I want to hear nothing more about IE having flaws. IE is superior anyhow.

 

[nycxandy]

:thumbsdown:

 

[Sundog]

Originally posted by: blurredvision
IE is superior anyhow.

BS

 

[Anubis]

Opera > *

 

[beer]

Originally posted by: blurredvision
Now, I want to hear nothing more about IE having flaws. IE is superior anyhow.

Notice how that it is already fixed.

 

[mpitts]

Originally posted by: blurredvision
Now, I want to hear nothing more about IE having flaws. IE is superior anyhow.

Whatever.

Mozilla security holes - few
IE security holes - limitless

If you were fixing people's spyware issues all day long, you would realize what a piece of crap IE is.

 

[NikPreviousAcct]

Is this just for winders? Or does this effect the Linux version as well?

 

[Drakkon]

Originally posted by: beer

Originally posted by: blurredvision
Now, I want to hear nothing more about IE having flaws. IE is superior anyhow.

Notice how that it is already fixed.

Ummm I'm not 100% on the IE bandwagon but whenever IE has a flaw Microsoft always has a fix ready...at least whenever I get CERT advisories there always are...

 

[NikPreviousAcct]

Originally posted by: Drakkon

Originally posted by: beer

Originally posted by: blurredvision
Now, I want to hear nothing more about IE having flaws. IE is superior anyhow.

Notice how that it is already fixed.

Ummm I'm not 100% on the IE bandwagon but whenever IE has a flaw Microsoft always has a fix ready...at least whenever I get CERT advisories there always are...

IE's got an exploit that's more than two years old that hasn't been taken care of.

 

[blurredvision]

Originally posted by: Nik

Originally posted by: Drakkon

Originally posted by: beer

Originally posted by: blurredvision
Now, I want to hear nothing more about IE having flaws. IE is superior anyhow.

Notice how that it is already fixed.

Ummm I'm not 100% on the IE bandwagon but whenever IE has a flaw Microsoft always has a fix ready...at least whenever I get CERT advisories there always are...

IE's got an exploit that's more than two years old that hasn't been taken care of.

And what would this be? I refuse to believe that you know what you are talking about, because if there is a well-known exploit, Microsoft will know about it and will have fixed it already.

 

[daniel1113]

Originally posted by: Nik

Originally posted by: Drakkon

Originally posted by: beer

Originally posted by: blurredvision
Now, I want to hear nothing more about IE having flaws. IE is superior anyhow.

Notice how that it is already fixed.

Ummm I'm not 100% on the IE bandwagon but whenever IE has a flaw Microsoft always has a fix ready...at least whenever I get CERT advisories there always are...

IE's got an exploit that's more than two years old that hasn't been taken care of.

Oh no!

 

[n0cmonkey]

Are these new, or are these just the same ones posted yesterday?

EDIT: They're the same ones posted the other day. 🙁

 

[TitanDiddly]

Originally posted by: blurredvision
Now, I want to hear nothing more about IE having flaws. IE is superior anyhow.

*hands blurredvision an asbestos jock strap

 

[n0cmonkey]

Originally posted by: blurredvision

Originally posted by: Nik

Originally posted by: Drakkon

Originally posted by: beer

Originally posted by: blurredvision
Now, I want to hear nothing more about IE having flaws. IE is superior anyhow.

Notice how that it is already fixed.

Ummm I'm not 100% on the IE bandwagon but whenever IE has a flaw Microsoft always has a fix ready...at least whenever I get CERT advisories there always are...

IE's got an exploit that's more than two years old that hasn't been taken care of.

And what would this be? I refuse to believe that you know what you are talking about, because if there is a well-known exploit, Microsoft will know about it and will have fixed it already.

BWAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHA!

Oh that's rich.

Wait, wait.

BWAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHA!

 

[Klixxer]

Originally posted by: n0cmonkey
Are these new, or are these just the same ones posted yesterday?

Latest fix i can find for the official versions is dated 9/07

 

[n0cmonkey]

Originally posted by: Klixxer

Originally posted by: n0cmonkey
Are these new, or are these just the same ones posted yesterday?

Latest fix i can find for the official versions is dated 9/07

I followed one of the (broken) links in the OP, they're the same old vulnerabilities. *yawn*

 

[Klixxer]

Originally posted by: blurredvision

Originally posted by: Nik

Originally posted by: Drakkon

Originally posted by: beer

Originally posted by: blurredvision
Now, I want to hear nothing more about IE having flaws. IE is superior anyhow.

Notice how that it is already fixed.

Ummm I'm not 100% on the IE bandwagon but whenever IE has a flaw Microsoft always has a fix ready...at least whenever I get CERT advisories there always are...

IE's got an exploit that's more than two years old that hasn't been taken care of.

And what would this be? I refuse to believe that you know what you are talking about, because if there is a well-known exploit, Microsoft will know about it and will have fixed it already.

8/10 😀

 

[NikPreviousAcct]

Originally posted by: n0cmonkey

Originally posted by: blurredvision

Originally posted by: Nik

Originally posted by: Drakkon

Originally posted by: beer

Originally posted by: blurredvision
Now, I want to hear nothing more about IE having flaws. IE is superior anyhow.

Notice how that it is already fixed.

Ummm I'm not 100% on the IE bandwagon but whenever IE has a flaw Microsoft always has a fix ready...at least whenever I get CERT advisories there always are...

IE's got an exploit that's more than two years old that hasn't been taken care of.

And what would this be? I refuse to believe that you know what you are talking about, because if there is a well-known exploit, Microsoft will know about it and will have fixed it already.

BWAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHA!

Oh that's rich.

Wait, wait.

BWAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHA!

Some AT member sent me a link a few months ago that crashed IE and he said that exploit's been active for years.

 

[konakona]

strangely i never had any problem with IE (or maybe its just that i never noticed? either case it really doesnt matter if it didnt bother me). i still like firefox for tab browsing and stuff so i use both - many sites i am frequent on dont really get along with firefox (cant login 🙁) hell, whats the worst that can happen if you get some spywares? run some adaware, i ghost regularly anyway...

 

[n0cmonkey]

Ok, so we know software isn't perfect. IE is far from perfect. Mozilla is far from perfect. Can't we all get over that fact now?

Let's debate who is doing less about security: Microsoft or Linux

 

[radiocore]

Originally posted by: blurredvision
Now, I want to hear nothing more about IE having flaws. IE is superior anyhow.

:thumbsdown:

 

[Klixxer]

Originally posted by: n0cmonkey
Ok, so we know software isn't perfect. IE is far from perfect. Mozilla is far from perfect. Can't we all get over that fact now?

Let's debate who is doing less about security: Microsoft or Linux

That will be an awfully short debate.

MS

/debate over

😉

 

[n0cmonkey]

Originally posted by: Klixxer

Originally posted by: n0cmonkey
Ok, so we know software isn't perfect. IE is far from perfect. Mozilla is far from perfect. Can't we all get over that fact now?

Let's debate who is doing less about security: Microsoft or Linux

That will be an awfully short debate.

MS

/debate over

😉

Nah, it would be a bit more involved than that. Think of the Linux and Microsoft camps. There would be s and "nuh uh"s all over the place.

 

[Klixxer]

Originally posted by: n0cmonkey

Originally posted by: Klixxer

Originally posted by: n0cmonkey
Ok, so we know software isn't perfect. IE is far from perfect. Mozilla is far from perfect. Can't we all get over that fact now?

Let's debate who is doing less about security: Microsoft or Linux

That will be an awfully short debate.

MS

/debate over

😉

Nah, it would be a bit more involved than that. Think of the Linux and Microsoft camps. There would be s and "nuh uh"s all over the place.

LOL, you're right, the question is if this forum needs another vs thread. 😛