MozillaZine

Flaws in Mozilla's Handling of Security Certificates Discovered and Fixed

Tuesday July 27th, 2004

CNET News.com is reporting that two new flaws in the way Mozilla handles security certificates have been discovered. The more serious vulnerability allows a site to appear to have a security certificate when it does not (bug 253121). The other hole makes it possible for an attacker to overwrite the root certificate authority certificates, causing an error message to appear whenever the user tries to access a (genuine) secure site (bug 249004). Both bugs have now been fixed, but updated end-user releases of Mozilla products are not yet available.


#10 Re: no xpi

by CNeb96 <cneb96@hotmail.com>

Wednesday July 28th, 2004 6:07 AM

You are replying to this message

>AFIAK, XPIs cannot fix these bugs.

But why can't they? XPI's are basically specially packaged executables which can do ANYTHING any other executable can do. The only reasons I can think of for binary patches not being useful is that in practice they might be a sizeable percentage of the size of just downloading a whole new version. (The Windows version for download is only ~4 Megs after all.) Also, I don't know if code is place for Firefox to patch/replace its own files on a restart. (What if it needs the files its patching to run the patching program?.)

When/if a Firefox 0.9.2 comes out I'm going to do a binary diff of all the unziped chrome and DLL's and find out if the size of the diff is really small enough to consider writiting an upgrade XPI.