Hugo Vanwoerkom wrote:
The following appeared yesterday on vulnerabilities in Mozilla products:
<snip>
Overview
Several vulnerabilities exist in the Mozilla web browser and derived
products, the most serious of which could allow a remote attacker to
execute arbitrary code on an affected system.
<snip>
VU#592425 - Mozilla-based products fail to validate user input to the
attribute name in "XULDocument.persist"
A vulnerability in some Mozilla products that could allow a remote
attacker to execute Javascript commands with the permissions of the
user running the affected application.
(CVE-2006-0296)
VU#759273 - Mozilla QueryInterface memory corruption vulnerability
Mozilla Firefox web browser and Thunderbird mail client contain a
memory corruption vulnerability that may allow a remote attacker to
execute arbitrary code.
Notice the phrase "with the permissions of the user running the affected
application".
*That's* why you never run as root.
Yes, even open source has bugs. But notice how quickly these bugs got
fixed. The first bug did not exist in older versions of the apps; got
introduced on the way to FF 1.5 and SM 1.0, and then got fixed in FF
1.5.01 and SM 1.0. (The second bug report does not provide these
details, only saying that the problem is fixed in FF 1.5.01 and SM 1.0).
Also, Thunderbird (and SM Mail) is not vulnerable to these bugs in its
default configuration. You have to turn on Javascript within Thunderbird
to make it vulnerable.
Neither the CERT advisory nor the Mozilla reports make it clear if this
is a cross-platform issue; I would guess that it is. The first CERT
advisory specifically mentions "Redhat" and "Fedora Project" while the Mozilla
version of that advisory mentions "Linux". The second advisory (from
CERT and from Mozilla) does not mention an OS.
In either case, turning off Javascript is a workaround "fix" until you
can upgrade to the newer versions.
Short response: all apps have bugs. What matters is how quickly they get
fixed and what the repercussions of those bugs are. I'd much rather run
FF and TBird as non-root on a system that makes a well-demarcated
distinction between those apps and the underlying OS than to run a
browser/email client on an OS that is inseparably entangled with those
apps, on which OS bug fixes don't get released until the next official
Patch Tuesday, and on which OS one is fairly-well forced to run as
Administrator full-time in order for many of his programs to function
properly. But that's just me.
--
Kent