[PLUG] Upgrade to Mozilla 1.7.3 *now*

Keith Lofstrom keithl at kl-ic.com
Tue Sep 28 09:56:02 UTC 2004


Please check out the Mozilla site for more information.  Here's a 
summary of what is happening.  This is a Big Thing.

Early in September, we started seeing notices about buffer overflow
vulnerabilities in the decoders for common graphics formats used by
Microsoft products.  Unfortunately, the vulnerability is apparently
in the common DLLs used by the Microsoft compilers, so it affects
vast swaths of applications, like anything that can display a JPEG
or a PNG, for example.  It probably goes all the way back to the
public algorithms originally proposed to parse these formats.  

So about 10PM Eastern Time Monday night, we started getting reports
of JPEG trojans being observed on some of the major servers.  There
are windoze machines getting hit with this exploit now.  I misreported it,
it is not a virus, yet, but that is only because the uploaded rootkit
does not automatically propagate itself.  That is merely a matter of
changing the uploaded payload (with no change in the penetrator),
so essentially the virus storm begins as soon as some cracker
changes the payload from a known rootkit to a known propagator.

We are not exempt.  Mozilla and libgtk are two examples of open
source applications with the very same vulnerability - again, they
grew from the same public algorithms.  While there were no exploits as
of late last night, a new exploit may be propagating as you read this.

How does this affect you?  If you use Mozilla or any other web
browser to look at any websites anywhere that contain any pictures
or graphics, or use an email app to look at pictures, and you have
not upgraded those apps in the last week, then you are vulnerable.
This vulnerability is at the user level;  a cracked Mozilla or
Evolution or w3m can do anything you can do as a user, such as fire
up processes that spew virus email, or change any web pages you have
write permission for.  And of course if you have any vulnerabilities
accessible from the user level (and there are hundreds), then you
WILL be rooted.

The graphics exploit does require that you actively read the email or
visit a potentially cracked website (say, CNN.com);  it is not a worm
and cannot penetrate your passive machine.  Nor can it do anything if
you run no graphical applications on Internet-sourced data.  But most
of us use web browsers with images turned on, and many of us use
graphics-enabled mail readers.   Libgtk drives most Gnome programs,
so anything that interprets graphics is at risk, if those graphics
can come from elsewhere, or can be gotten onto your machine by some
means.  You are dependent on a very thin eggshell right now.

I do not know about libgtk, but these vulnerabilities have been
addressed in the very latest Firefox, and the very latest Mozilla,
version 1.7.3, which was released in mid-September 2004.  I am
running the new Mozilla now.  Mozilla versions 1.7.2 or earlier
(and corresponding Firefoxen) do NOT have the fix and ARE vulnerable. 

These changes have not propagated to the distros, yet;  unless you
use up2date or apt-get, those CDs and packaged distros will have 
the old versions and the existing vulnerability.  The 3.6 Knoppix
disks I have been passing out, for example, use Mozilla 1.7, and
are August 2004 packagings of early-2004 versions.  These are all 
vulnerable applications, and I expect them all to be thoroughly
exploited within a few weeks.

If you are running Mozilla, please download the new version Right Now 
Only.  It may not be safe to use an older Mozilla to download this
replacement in a day or two.  And if libgtk (and the KDE equivalent)
are exploited, then Opera and Konqueror and Galeon and others are
not safe alternatives, though as a practical matter they will
probably be exploited later than Mozilla and Firefox will be.  

Download those upgraded versions of Mozilla and Firefox NOW.  If you
have questions, ask here.  And when an improved libgtk or libkde(?)
appears, download that, too.   And if you have any Windoze machines
around, update those, of course, and assume that no graphics apps are
safe to use on internet data until they are vetted in some other way.

This is not business as usual.  Hurricane JPEG is 100 miles offshore
and coming in fast.  Have a *nice* day.

Keith

-- 
Keith Lofstrom          keithl at keithl.com         Voice (503)-520-1993
KLIC --- Keith Lofstrom Integrated Circuits --- "Your Ideas in Silicon"
Design Contracting in Bipolar and CMOS - Analog, Digital, and Scan ICs
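As an added example (not part of Keith's post, and not a Mozilla project tool), here is a small POSIX shell check for the question the post raises: is the installed Mozilla suite older than the 1.7.3 release that carries the fix? It compares dotted version strings component by component as numbers, so "1.7.10" is correctly treated as newer than "1.7.3" where a plain string comparison would get it wrong. The sample version line is constructed; the assumption that "mozilla --version" prints the version as the first dotted-numeric word is mine, and the check covers only the Mozilla suite, because the post does not give a fixed Firefox version number.

```shell
#!/bin/sh
# Added example: decide whether an installed Mozilla suite version predates
# the 1.7.3 fix named in the post. Assumes versions are dotted numeric
# components ("1.7", "1.7.2", "1.7.10"). Not code from the post or from Mozilla.

FIXED_VERSION="1.7.3"

# Return 0 (true) if version $1 is numerically older than version $2,
# 1 otherwise, 2 if a component is not a plain number.
version_older_than() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        # Leading component of each; a missing component counts as 0,
        # so "1.7" compares as "1.7.0".
        ah="${a%%.*}"; bh="${b%%.*}"
        ah="${ah:-0}"; bh="${bh:-0}"
        case "$ah$bh" in
            *[!0-9]*) echo "non-numeric version component" >&2; return 2 ;;
        esac
        if [ "$ah" -lt "$bh" ]; then return 0; fi
        if [ "$ah" -gt "$bh" ]; then return 1; fi
        # Drop the leading component; empty when nothing remains.
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    return 1   # equal versions are not older
}

# Return 0 (true) when the given Mozilla suite version lacks the 1.7.3 fix.
mozilla_vulnerable() {
    version_older_than "$1" "$FIXED_VERSION"
}

# Pull the first dotted-numeric word (e.g. "1.7.2") out of a version line.
# $1 is intentionally unquoted so the shell splits it into words.
extract_version() {
    for word in $1; do
        word="${word%,}"          # drop a trailing comma
        case "$word" in
            [0-9]*.[0-9]*) printf '%s\n' "$word"; return 0 ;;
        esac
    done
    return 1
}

# Constructed sample standing in for "mozilla --version" output; the real
# output format is an assumption, adjust extract_version if yours differs.
SAMPLE_VERSION_LINE="Mozilla 1.7.2, Copyright (c) 2003-2004 mozilla.org"

ver=$(extract_version "$SAMPLE_VERSION_LINE")
if mozilla_vulnerable "$ver"; then
    echo "Mozilla $ver is older than $FIXED_VERSION: upgrade"
else
    echo "Mozilla $ver has the fix"
fi
```

To use it against a real install, replace SAMPLE_VERSION_LINE with the output of your browser's version flag, or pass the version string straight to mozilla_vulnerable.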



