The UK security research company Secunia said that it has found a critical security flaw in the Firefox web browser that could put users at risk of information disclosure attacks. In other security news, a variant of the Cabir mobile virus, which was originally written as a proof of concept, called Mabir, has been targeting mobile phones running the Symbian Series 60 operating system.
At least this doesn’t work in Opera, this I can tell!
http://secunia.com/mozilla_products_arbitrary_memory_exposure_test/
https://bugzilla.mozilla.org/show_bug.cgi?id=288688
Firefox 1.0.3, which is released in a few hours, fixes this problem (as well as an installer problem for the Windows version and a couple of crasher bugs).
In the example it looks like the random memory heap data is only visible locally.
Is it possible for a remote computer to see it, or is this like the ‘contents of your c drive’ thing some sites used to try to con windows users with? (It just opened a local window listing c:, there was no remote access.)
A site could read the memory and redirect to a page which logs such memory. It could even try to filter out readable strings first. This is a BAD vulnerability.
and will be fixed shortly…
That seems a little premature.
Out of the contents of the first page that you posted, the only one that could possibly affect me was the Firefox one, and that appears to be fixed. The rest were for software I don’t use. (I’m the only ‘local’ user on my computer.)
On the second link, it was a mix of Windows and AIX and all kinds of weird webservery stuff.
I don’t consider myself a computer expert, but I think people should ask themselves ‘What is MY experience with this OS?’ rather than ‘What did I read today on the internet?’.
I stopped using Linux when I realized it was less secure than Windows.
Ah, so you switched to FreeBSD, then?
Actually, if you look at SecurityFocus, the Linux kernel alone has somewhere around 23 vulnerabilities in the last week. Some advisories have multiple, so you have to view them to see how many those have.
Fixed on trunk, AVIARY_1_0_1_20050124_BRANCH, and MOZILLA_1_7_BRANCH.
Thanks for the report, I hope that’s the last bug from 1997 left ;-).
Every time I post it goes missing, what gives?
…post from Dr.BooBooGone has been moderated down. Moreover, he posted a couple of useful links. His post didn’t look offensive in any way, nor did it look like a trolling post.
Or should we ALL agree that Linux is more secure than anything which has been created before?
You only have to look at the OSNews editor profiles to figure out why. All state OSS as an interest, but very few (one from memory) say they have experience with Windows.
Sure, now go look at Security Focus’s page for Microsoft, it’s just the same. What do we learn from this? A standard install of either Windows or Linux is going to be basically completely vulnerable to local DoS and privilege escalation (which make up a good 90% of the vulnerabilities listed for each, by a casual eyeball), therefore, very important security concept – don’t allow remote login (*definitely* not a shell), use strong passwords, don’t allow untrusted users. Yes, that’s earth-shatteringly new information!
If you’re going to run a system with multiple local users who need to be properly secured, you’re going to need to do some _heavy_ security work, no matter what OS you run. If you’re not going to run such a system, a lot of the vulnerabilities listed for both products are not going to affect you.
Any nightly build from Mozilla has no problems with this leak.
I agree completely. It was just an attempt to more even the playing field in Windows vs. Linux as far as security goes. Neither has a good track record as far as I’m concerned.
Not that it’s very important, but I was under the impression that Secunia is Danish – or have they been bought up recently?
From their website:
Secunia
Toldbodgade 37B
1253 Copenhagen K
Denmark