Flaws in Mozilla's Handling of Security Certificates Discovered and Fixed

Tuesday July 27th, 2004

CNET is reporting that two new flaws in the way Mozilla handles security certificates have been discovered. The more serious vulnerability allows a site to appear to have a security certificate when it does not (bug 253121). The other hole makes it possible for an attacker to overwrite the root certificate authority certificates, causing an error message to appear whenever the user tries to access a (genuine) secure site (bug 249004). Both bugs have now been fixed, but updated end-user releases of Mozilla products are not yet available.

#1 CNet article inaccurate. Get it corrected

by danielwang

Tuesday July 27th, 2004 8:22 PM

To repeat what I said in

The article recommends that "Web surfers eyeing ... might want to wait a week before making the switch." Note that the IE vulnerabilities that caused US-CERT to recommend browser switching are rated EXTREMELY CRITICAL, whereas the recent shell: vulnerability and the two Mozilla bugs are either "moderately critical" or "less critical."

btw, an Opera phishing bug was also announced yesterday in Full Disclosure

Everyone, please send the author an e-mail to recommend "switching to alternative browsers despite minor security bugs". Also get him to update the article on bug fixes.

#22 Don't bother. They're biased against Mozilla.

by DP3_001

Thursday July 29th, 2004 3:03 AM

They've never cared about "getting it right" when it comes to anything created by the Mozilla Foundation. This is just the latest example of it.

#2 Binary Patches?

by CNeb96

Tuesday July 27th, 2004 8:45 PM

When is firefox going to start binary patches? Especially through their auto update feature.

#3 Re: Binary Patches?

by CNeb96

Tuesday July 27th, 2004 9:01 PM

I'm sorry for the poor grammar. I'll re-ask the questions.

Are there plans for to start creating and distributing binary patches? Will they be pushed through Firefox's update feature?

#7 Re: Re: Binary Patches?

by MvD

Wednesday July 28th, 2004 1:00 AM

Hopefully firefox will be secure enough so that there will be no need to start a firefox security bulletin, but I see your point. On another note, this should be done IMO only via the update feature as binary patches are just a pain for the average user (well none of my friends run any binary patches provided by MS).

#14 Re: Re: Re: Binary Patches?

by arsa

Wednesday July 28th, 2004 9:10 AM

So, does MS provide source patches? ;-)

#4 Patches

by martrootamm

Tuesday July 27th, 2004 11:14 PM

I think that if there's a patch, should have an .xpi available for download and installation. Another thing is that Firefox should be more thoroughly tested before the 1.0 release, so that it would be even more secure.

#5 no xpi

by danielwang

Tuesday July 27th, 2004 11:32 PM

If there's any patch, it won't be an XPI. The fix to shell: vulnerability only involves a preference change. These two are deeper and involve backend code change. AFAIK, XPIs cannot fix these bugs.

#8 Patch or point-release?

by martrootamm

Wednesday July 28th, 2004 3:25 AM

So should I expect a separate patch that overwrites some files and changes something else a little bit or a 0.9.3?

#10 Re: no xpi

by CNeb96

Wednesday July 28th, 2004 6:07 AM

>AFAIK, XPIs cannot fix these bugs.

But why can't they? XPI's are basically specially packaged executables which can do ANYTHING any other executable can do. The only reasons I can think of for binary patches not being useful is that in practice they might be a sizeable percentage of the size of just downloading a whole new version. (The Windows version for download is only ~4 Megs after all.) Also, I don't know if code is in place for Firefox to patch/replace its own files on a restart. (What if it needs the files it's patching to run the patching program?)

When/if a Firefox 0.9.2 comes out I'm going to do a binary diff of all the unzipped chrome and DLL's and find out if the size of the diff is really small enough to consider writing an upgrade XPI.

#11 Re: Re: no xpi

by mlefevre

Wednesday July 28th, 2004 7:14 AM

Last time I saw binary patches discussed, it was about Seamonkey. A binary patch between major versions (e.g. 1.6 and 1.7) was well over half the 13MB download size, so not really worth the effort. However, differences between 1.7.0 and 1.7.1 would be smaller. I don't know what would happen with Firefox.

The main problem is finding someone with the time and knowledge to implement a binary patch structure (which would need to be an open-source solution). So, if you have the time to test and/or implement, it might be interesting.

#6 Should we switch to IE meanwhile?

by robdogg

Wednesday July 28th, 2004 12:29 AM


#9 Re: Should we switch to IE meanwhile?

by tve

Wednesday July 28th, 2004 6:05 AM

Sure. If you don't like how Mozilla fixes its very sporadic security holes within hours or days and would rather have a browser with several new security holes per week that remain unpatched for months, IE is the right thing for you... ;)

#13 But it's not hours or days

by guanxi

Wednesday July 28th, 2004 7:40 AM

For end users, which are most of the users, the fix takes months -- until the next end user release. And what about corporate installations? Should they reinstall Mozilla system wide and implement a nightly build?

Sure, most people in this forum can download a nightly, but we specifically discourage end users from doing so (with good reason).

Mozilla is very good, and far superior to IE in this respect, but perfectly secure software is impossible. The only solution is a patch system. It's a necessity, I think, before Moz is ready for the corporate world.

#15 Re: Re: Should we switch to IE meanwhile?

by robdogg

Wednesday July 28th, 2004 10:28 AM

Ok, wiseguy. You got a method to update 10,000 desktops? With IE, there is a multitude of tools to push out an update. Windows Update is one.

#20 Re: Re: Re: Should we switch to IE meanwhile?

by roseman

Wednesday July 28th, 2004 4:53 PM

windows update ONLY uses the patches that microsoft has already developed *duh*; so if you are still waiting for a patch a MONTH after an exploit is out in the wild and microsoft still has not yet developed a patch, then windows update will fix ZERO (0.0) of those 10,000 computers.

#21 Re: Re: Re: Re: Should we switch to IE meanwhile?

by mlefevre

Wednesday July 28th, 2004 5:23 PM

Of course. The point is that Mozilla hasn't yet got a solution for anyone except nightly build users and people that compile their own builds. So if you've got those 10,000 computers with Mozilla on them, there's no way of fixing them.

Remains to be seen what's going to happen with this one, but generally with Mozilla stuff the only way to fix security problems is to do a full installation of a new version.

#24 Re: Re: Re: Re: Re: Should we switch to IE meanwhi

by roseman

Thursday July 29th, 2004 7:12 AM

the only way to fix many problems with MS-IE is to scrap the browser - even US-CERT says this. once again, install mozilla; get used to it :)

#12 Re: Should we switch to IE meanwhile?

by raiph

Wednesday July 28th, 2004 7:32 AM

I think it is an excellent meme to put out there, from both service-to-public and service-to-mozilla-marketing perspectives, that being able and prepared to switch back and forth between browsers is smart. It takes very little effort. I have both Firefox and IE icons on my desktop, and use whichever is appropriate. For the last few months I've never clicked on the IE icon, but it's there if I feel I need it.

#23 Re: Re: Should we switch to IE meanwhile?

by plagiats

Thursday July 29th, 2004 3:44 AM

dude no ! you should take a look at to understand that hey in one hand we got 2 security issues already fixed which will be patched in the next few hours and in the other hand you got 24 security issues, publicly available, that have not yet been fixed at all.

#16 So, is this fixed in the nightlies ?

by _mf_

Wednesday July 28th, 2004 11:07 AM

Can we assume the nightlies incorporate these bugfixes ?

#17 1.7.2 build

by kguru

Wednesday July 28th, 2004 1:31 PM

I downloaded today's 1.7 latest nightly build of Mozilla. When I go to About Mozilla, it says it is version 1.7.2. Would I be correct in assuming that these bug fixes are in this build (build id #20040728)? I guess I would expect a 1.7.2 release to be occurring soon.

#18 Re: 1.7.2 build

by mlefevre

Wednesday July 28th, 2004 1:55 PM

Yes, both the fixes were checked into the 1.7 branch in the evening of the 27th, so the 20040728 1.7 builds will have the fixes.

I don't know if they're planning to do a 1.7.2 release which is 1.7.1 plus just these fixes, or if they'll actually release 1.7.2 with all the fixes that have gone onto the branch since 1.7. Either way, shouldn't be too far off.

#19 Re: Re: 1.7.2 build

by kguru

Wednesday July 28th, 2004 2:53 PM

I would think 1.7.2 would include any other branch fixes from the 1.7 branch. Changes on the trunk won't be seen until the next alpha or beta release of 1.8 (or on a trunk nightly build).

#25 Will there be a 1.7.2 ?

by sphealey

Thursday July 29th, 2004 8:33 AM

Does this mean will be releasing a 1.7.2, given that 1.7 is the stable branch? Or will the fix be to go to 1.8?

I personally think that more point releases on the stable branch would be a Good Thing (tm).


#26 Re: Will there be a 1.7.2 ?

by roseman

Thursday July 29th, 2004 10:07 AM


#27 Didn't see it in the bug

by sphealey

Thursday July 29th, 2004 2:35 PM

Read through the bug. The usual disturbing statements/arguments. But I didn't see a definitive statement that there would be a 1.7.2 (or a 1.4.3). Perhaps I missed it in the zargon though.


#28 Re: Didn't see it in the bug

by roseman

Thursday July 29th, 2004 3:26 PM

not clear, but i see promising notes in there: (KEYWORDS: fixed-aviary1.0, fixed1.4.3, fixed1.7.2, fixed1.7.3) looks encouraging... then later i see: ( ------- Additional Comment #47 From Johnny Stenback 2004-07-29 14:55 PDT [reply] -------Fixed on the 1.7.2 *branch* now too.) -- also encouraging...