
Re: Technical Cyber Security Alert TA06-038A on Mozilla products



Hugo Vanwoerkom wrote:

The following appeared yesterday on vulnerabilities in Mozilla products:

<snip>

Overview

   Several vulnerabilities exist in the Mozilla web browser and derived
   products, the most serious of which could allow a remote attacker to
   execute arbitrary code on an affected system.

<snip>

   VU#592425 - Mozilla-based products fail to validate user input to the
   attribute name in "XULDocument.persist"

   A vulnerability in some Mozilla products that could allow a remote
   attacker to execute Javascript commands with the permissions of the
   user running the affected application.
   (CVE-2006-0296)


   VU#759273 - Mozilla QueryInterface memory corruption vulnerability

   Mozilla Firefox web browser and Thunderbird mail client contain a
   memory corruption vulnerability that may allow a remote attacker to
   execute arbitrary code.


Notice the phrase "with the permissions of the user running the affected application".

*That's* why you never run as root.

Yes, even open source has bugs. But notice how quickly these bugs got fixed. The first bug did not exist in older versions of the apps; got introduced on the way to FF 1.5 and SM 1.0, and then got fixed in FF 1.5.01 and SM 1.0. (The second bug report does not provide these details, only saying that the problem is fixed in FF 1.5.01 and SM 1.0).

Also, Thunderbird (and SM Mail) is not vulnerable to these bugs in its default configuration. You have to turn on Javascript within Thunderbird to make it vulnerable.

Neither the CERT advisory nor the Mozilla reports make it clear if this is a cross-platform issue; I would guess that it is. The first CERT advisory specifically mentions "Redhat" and "Fedora Project", while the Mozilla version of that advisory mentions "Linux". The second advisory (from CERT and from Mozilla) does not mention an OS.

In either case, turning off Javascript is a workaround "fix" until you can upgrade to the newer versions.

Short response: all apps have bugs. What matters is how quickly they get fixed and what the repercussions of those bugs are. I'd much rather run FF and TBird as non-root on a system that makes a well-demarcated distinction between those apps and the underlying OS than run a browser/email client on an OS that is inseparably entangled with those apps, on which OS bug fixes don't get released until the next official Patch Tuesday, and on which one is fairly well forced to run as Administrator full-time in order for many of one's programs to function properly. But that's just me.

--
Kent
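The "turn off JavaScript until you can upgrade" workaround from the message above, as an added shell example that is not part of the original thread. It drops a `javascript.enabled` override into a profile's `user.js` (which Firefox, Thunderbird and SeaMonkey read at startup and apply over `prefs.js`, so it survives the browser rewriting `prefs.js` on exit) and gives a way to verify the state and to refuse launching as root. The profile directory path is an assumed argument; the helper names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original message. Applies the TA06-038A
# workaround (JavaScript off) to a Mozilla profile via user.js and checks it.
# The profile directory is passed in; it is assumed to exist.

# Append the overriding pref to user.js in the given profile directory.
# user.js is loaded after prefs.js, so this wins even if prefs.js says true.
disable_js_in_profile() {
    profile="$1"
    [ -d "$profile" ] || return 1
    {
        echo '// Workaround for TA06-038A until the fixed release is installed.'
        echo 'user_pref("javascript.enabled", false);'
    } >> "$profile/user.js"
}

# Print "disabled" if user.js turns JavaScript off, "enabled" otherwise.
# (Thunderbird already ships with it off; this only matters where it was turned on.)
js_state_in_profile() {
    profile="$1"
    if grep -q '^user_pref("javascript.enabled", *false);' "$profile/user.js" 2>/dev/null; then
        echo disabled
    else
        echo enabled
    fi
}

# Succeed only when not running as root: "That's why you never run as root."
check_not_root() {
    [ "$(id -u)" -ne 0 ]
}

# Usage (assumed profile path):
#   check_not_root || { echo "refusing to run the browser as root" >&2; exit 1; }
#   disable_js_in_profile "$HOME/.mozilla/firefox/xxxxxxxx.default"
#   js_state_in_profile "$HOME/.mozilla/firefox/xxxxxxxx.default"
```

Once the fixed release is installed, delete the `user_pref` line from `user.js` again; as long as it stays there it will keep overriding whatever you set in the preferences dialog.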


