Tuesday, May 10, 2005

Mozilla Vulnerabilities

Two vulnerabilities were found in Mozilla Firefox that, combined, allow an attacker to run arbitrary code. The Mozilla Suite is only partially vulnerable.

By causing a frame to navigate back to a previous javascript: URL, an attacker can inject script into any site. This could be used to steal cookies or sensitive data from that site, or to perform actions on behalf of that user. (Affects Firefox and the Suite).

A separate vulnerability in the Firefox install confirmation dialog allows an attacker to execute arbitrary code by using a javascript: URL as the package icon. By default only the Mozilla Foundation update site is allowed to bring up this dialog, but the script injection vulnerability described above enables this to be exploited from any malicious site.
Read the rest to see what to do.
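
The install-dialog issue above involves a javascript: URL supplied as the package icon. As an added example (not Mozilla's code or its actual fix; `checkIconUrl`, `naivePrefixCheck`, `ALLOWED_ICON_SCHEMES` and the sample URLs are constructed for illustration), this check parses an icon URL and accepts only http/https, and shows why a plain string-prefix test is not a sufficient guard:

```javascript
// Added example: scheme allowlist for an icon URL shown in an install prompt.
// All names here are hypothetical; this is not Firefox source code.
const ALLOWED_ICON_SCHEMES = new Set(["http:", "https:"]);

// Parse the icon URL relative to the requesting page and allow only
// schemes that fetch an image, never ones that execute script.
function checkIconUrl(rawIconUrl, pageUrl) {
  let parsed;
  try {
    // The URL parser lowercases the scheme, trims leading/trailing
    // whitespace and strips embedded tabs/newlines before we inspect it.
    parsed = new URL(rawIconUrl, pageUrl);
  } catch (e) {
    return { ok: false, reason: "unparseable" };
  }
  if (!ALLOWED_ICON_SCHEMES.has(parsed.protocol)) {
    return { ok: false, reason: "scheme " + parsed.protocol + " not allowed" };
  }
  return { ok: true, url: parsed.href };
}

// Weak variant for comparison: a denylist on the raw string.
// Returns true when the naive check would let the value through.
function naivePrefixCheck(rawIconUrl) {
  return !rawIconUrl.startsWith("javascript:");
}

// Constructed sample inputs (harmless payloads) and a constructed page URL.
const PAGE = "https://example.com/install.html";
const SAMPLES = [
  "icons/pkg.png",              // relative path, resolves to https
  "javascript:void(0)",         // the case named in the advisory text
  " JavaScript:void(0)",        // case and leading-space variant
  "java\tscript:void(0)",       // embedded tab variant
  "data:image/png;base64,AAAA", // non-script scheme outside the allowlist
];

function runSamples() {
  return SAMPLES.map((s) => ({
    input: JSON.stringify(s),
    naiveAllows: naivePrefixCheck(s),
    allowlistAllows: checkIconUrl(s, PAGE).ok,
  }));
}

console.table(runSamples());
```
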

>[May 12] Update by Scott:
As I said in the comments to this post when you first put it up, the true test of the quality of a piece of software is not whether or not the software has vulnerabilities (all software has holes), but how quickly a patch is released once vulnerabilities have been disclosed.

Mozilla did not fail me. Firefox 1.04 has just been released, patching the vulnerabilities announced May 8. Four days -- not too shabby. Just click the red arrow in the top left corner of the Firefox window to begin the Update process, or click Tools | Options... | Advanced | Software Update | Check Now.

Blair Wins, the Media Spins

Evan Coyne Maloney puts the British election results in a little better context:
Britain's Labour Party won re-election in Parliament, which ensures that Tony Blair will continue on as Prime Minister. Already, the media is spinning the election as a terrible rebuke for Blair over the Iraq war. Setting aside the fact that this terrible rebuke resulted in Labour winning its third consecutive election for the first time in history, the numbers simply don't bear out the media's contention.

As of this writing, the election results show that the Conservatives have gained 33 seats in Parliament, while the Labour Party lost a total of 47 seats. In other words, over 70% of the seats lost by Labour were picked up by the other major party that supported the overthrow of Saddam Hussein. This hardly seems like a stunning victory for the anti-war side.